| blob | cb5b2aa71353120ae04f9c648def0a0b5a4a3531 |
2 Legend:
3 SPEC!! - Not specified
4 SPEC - Spec not finalized
5 NICK - nick claims
6 ARMA - arma claims
7 - Not done
8 * Top priority
9 . Partially done
10 o Done
11 D Deferred
12 X Abandoned
14 Flag-day changes: (things which are backward incompatible)
15 o remove link key from directories, from connection_t.
16 (just get it from the tls cert)
17 o Generate link keys on startup; don't store them to disk.
18 o make onion keys include oaep padding, so you can tell
19 if you decrypted it correctly
20 o Rotate onion keys as needed
21 - Rotate TLS connections [arma]
22 o Set expiration times on X509 certs [nickm]
23 o add bandwidthrate and bandwidthburst to server descriptor [nickm]
24 o directories need to say who signed them. [nickm]
25 - what other pieces of the descriptors need to change?
26 maybe add a section for who's connected to a given router?
27 add a flexible section for reputation info?
29 Bugs:
30 o we call signal(), but we should be calling sigaction()
31 o send socks rejects when things go bad ?
32 o on solaris, need to build with
33 LDFLAGS="-lsocket -lnsl" ./configure
34 o on solaris, we HAVE_UNAME but the uname() call fails?
35 . should maybe make clients exit(1) when bad things happen?
36 e.g. clock skew.
37 o client-side dns cache doesn't appear to be getting populated
38 by 'connected' cells. In fact, the 'connected' cells don't even
39 include the IP.
40 o When it can't resolve any dirservers, it is useless from then on.
41 We should make it reload the RouterFile if it has no dirservers.
42 o Sometimes it picks a middleman node as the exit for a circuit.
43 o if you specify a non-dirserver as exitnode or entrynode, when it
44 makes the first few circuits it hasn't yet fetched the directory,
45 so it warns that it doesn't know the node.
46 o make 'make test' exit(1) if a test fails.
47 . fix buffer unit test so it passes
49 Short-term:
50 - should retry exitpolicy end streams even if the end cell didn't
51 resolve the address for you
52 o add in 'notice' log level
53 X make recommendedversions different for clients and servers.
54 e.g. C0.0.3 vs S0.0.3?
55 o put IP into the descriptor, so clients don't need to resolve things
56 o when you hup, rewrite the router.desc file (and maybe others)
57 - consider handling broken socks4 implementations
58 o improve how it behaves when i remove a line from the approved-routers files
59 - Make tls connections tls_close intentionally
60 - Add '[...truncated]' or similar to truncated log entries (like the directory
61 in connection_dir_process_inbuf()).
62 . Make logs handle it better when writing to them fails.
63 o leave server descriptor out of directory if it's too old
64 o Rename ACI to circID
65 o integrate rep_ok functions, see what breaks
66 - update tor faq
67 o obey SocksBindAddress, ORBindAddress
68 o warn if we're running as root
69 o make connection_flush_buf() more obviously obsolete
70 o let hup reread the config file, eg so we can get new exit
71 policies without restarting
72 o Put recommended_versions in a config entry
73 X use times(2) rather than gettimeofday to measure how long it
74 takes to process a cell
75 o Separate trying to rebuild a circuit because you have none from trying
76 to rebuild a circuit because the current one is stale
77 X Continue reading from socks port even while waiting for connect.
78 o Exit policies
79 o Spec how to write the exit policies
80 o Path selection algorithms
81 o Choose path more incrementally
82 o Let user request first/last node
83 o And disallow certain nodes
84 D Choose path by jurisdiction, etc?
85 o Make relay end cells have failure status and payload attached
86 X let non-approved routers handshake.
87 X Dirserver shouldn't put you in running-routers list if you haven't
88 uploaded a descriptor recently
89 X migrate to using nickname rather than addr:port for routers
90 - migrate to using IPv6 sizes everywhere
91 o Move from onions to ephemeral DH
92 o incremental path building
93 o transition circuit-level sendmes to hop-level sendmes
94 o implement truncate, truncated
95 o move from 192byte DH to 128byte DH, so it isn't so damn slow
96 X exiting from not-last hop
97 X OP logic to decide to extend/truncate a path
98 X make sure exiting from the not-last hop works
99 X logic to find last *open* hop, not last hop, in cpath
100 o Remember address and port when beginning.
101 - Extend by nickname/hostname/something, not by IP.
102 - Need a relay teardown cell, separate from one-way ends.
103 X remove per-connection rate limiting
104 - Make it harder to circumvent bandwidth caps: look at number of bytes
105 sent across sockets, not number sent inside TLS stream.
106 o Audit users of connnection_remove and connection_free outside of
107 main.c; many should use mark_for_close instead.
109 Rendezvous service:
110 o Design and specify protocol
111 o Possible preliminary refactoring:
112 o Should we break circuits up into "circuit-with-cpath" and
113 "circuit-without-cpath"?
114 o We need a way to tag circuits as special-purpose circuits for:
115 o Connecting from Bob's OP to the introduction point
116 o Sending introduction requests from the IPoint to Bob
117 o Connecting from Alice to the rendezvous point for Bob
118 o Connecting from Bob to the rendezvous point for Alice
119 o Waiting at a rendezvous point to be joined
120 o Joined to another circuit at the rendezvous point.
121 (We should also enumerate all the states that these operations
122 can be in.) [NM]
123 o Add circuit metadata [NM]
124 o Code to configure hidden services [NM] 4 hours
125 o Service descriptors
126 o OPs need to maintain identity keys for hidden services [NM]
127 o Code to generate and parse service descriptors [NM]
128 o Advertisement
129 o Generate y.onion hostnames [NM]
130 o Store y.onion hostnames to disk. [NM]
131 o Code to do an HTTP connection over Tor from within Tor [RD]
132 o Publish service descriptors to directory [RD]
133 o Directory accepts and remembers service descriptors, and
134 delivers them as requested
135 o Frontend [RD]
136 o Backend [NM]
137 o Code for OPs to retrieve (and cache?) service descriptors [RD]
138 o Rendezvous
139 o Code as needed to generate and parse all rendezvous-related
140 cell types, and do all handshaking [NM]
141 o ORs implement introduction points
142 o OPs with hidden services establish introduction points
143 o ORs implement rendezvous points
144 o OPs notice y.onion URLs, and:
145 o Retrieve service descriptors
146 o Establish rendezvous points
147 o Send introduction requests to introduction points
148 o Communication
149 o OPs remember which circuits are used for which rendezvous
150 points, and can look up circuits by location-hidden service
151 o OPs send/handle BEGIN cells for location-hidden services
152 o End-to-end communication for location-hidden services
153 o a section in the man pages: how to configure hidden services
154 o let bob use himself as a rendezvous point
155 o let bob choose himself as intro point
156 o let bob replenish his intro points and republish
157 o alice retries introduction and rendezvous a few times?
158 o ORs should not pick themselves while building general circs
159 o should alice ever try to refresh her service desc cache entries?
160 should she expire them after e.g. 15 mins?
161 o race condition: alice has the serverdesc in her cache, she opens
162 the circs, serverdesc expires and is flushed, then she goes
163 to send the intro cell. should serverdesc cache have a
164 last-touched field? are there better fixes?
165 o backward compatibility: when only certain nodes know about rend
166 protocol, how do we deal? have nodes parse the tor version field?
167 force an upgrade? simply be more robust against useless nodes?
168 o should expire rend streams when too much time has passed
169 o should make failed rend/intro circs count toward alice's
170 num_failed circs, to prevent madness when we're offline (But
171 don't count failed rend circs toward Bob's total, or Alice
172 can bork him.)
173 o deal with edge_type in connection_edge.c
174 o retry end for certain reasons (resolvefailed, policyfailed)
175 - preemptively build and start rendezvous circs
176 - preemptively build n-1 hops of intro circs?
177 o (n)ack introduction requests?
178 - cannibalize general circs?
179 D how to set up multiple locations for a hidden service?
180 o make bob publish only established intro circs?
181 o when bob tries to connect to alice's chosen rend point, but
182 can't, but it's not the fault of the last hop in the rend
183 circ, then he should retry?
184 - fix router_get_by_* functions so they can get ourselves too,
185 and audit everything to make sure rend and intro points are
186 just as likely to be us as not.
188 On-going
189 . Better comments for functions!
190 . Go through log messages, reduce confusing error messages.
191 . make the logs include more info (fd, etc)
192 . Unit tests
193 . Update the spec so it matches the code
195 Mid-term:
196 o Refactor: add own routerinfo to routerlist. Right now, only
197 router_get_by_nickname knows about 'this router', as a hack to
198 get circuit_launch_new to do the right thing.
199 - Rotate tls-level connections -- make new ones, expire old ones.
200 So we get actual key rotation, not just symmetric key rotation
201 - And learn to transfer a circuit from one conn to another, so we
202 can empty conns to expire them.
203 o Are there anonymity issues with sequential streamIDs? Sequential
204 circIDs? Eg an attacker can learn how many there have been.
205 The fix is to initialize them randomly rather than at 1.
206 - Look at having smallcells and largecells
207 . Redo scheduler
208 o fix SSL_read bug for buffered records
209 - make round-robining more fair
210 - What happens when a circuit's length is 1? What breaks?
211 . streams / circuits
212 o Implement streams
213 o Rotate circuits after N minutes?
214 X Circuits should expire when circuit->expire triggers
215 NICK . Handle half-open connections
216 o openssh is an application that uses half-open connections
217 o Figure out what causes connections to close, standardize
218 when we mark a connection vs when we tear it down
219 o Look at what ssl does to keep from mutating data streams
220 o Put CPU workers in separate processes
221 o Handle multiple cpu workers (one for each cpu, plus one)
222 o Queue for pending tasks if all workers full
223 o Support the 'process this onion' task
224 D Merge dnsworkers and cpuworkers to some extent
225 o Handle cpuworkers dying
226 . Scrubbing proxies
227 - Find an smtp proxy?
228 - Check the old smtp proxy code
229 o Find an ftp proxy? wget --passive
230 D Wait until there are packet redirectors for Linux
231 . Get socks4a support into Mozilla
232 . Tests
233 o Testing harness/infrastructure
234 D System tests (how?)
235 - Performance tests, so we know when we've improved
236 . webload infrastructure (Bruce)
237 . httperf infrastructure (easy to set up)
238 . oprofile (installed in RH >8.0)
239 NICK . Daemonize and package
240 o Teach it to fork and background
241 . Red Hat spec file
242 o Debian spec file equivalent
243 . Portability
244 . Which .h files are we actually using?
245 . Port to:
246 o Linux
247 o BSD
248 o Solaris
249 o Cygwin
250 . Win32
251 o OS X
252 - deal with pollhup / reached_eof on all platforms
253 o openssl randomness
254 o inet_ntoa
255 o stdint.h
256 - Make a script to set up a local network on your machine
257 o More flexibility in node addressing
258 D Support IPv6 rather than just 4
259 o Handle multihomed servers (config variable to set IP)
261 In the distant future:
262 D tunnel tor cell protocol over http, for people who need to
263 do http
264 D better transport than tcp: reliable is necessary, but
265 out-of-order delivery is fine (to some extent).
266 D Load balancing between router twins
267 D Keep track of load over links/nodes, to
268 know who's hosed
269 SPEC!! D Non-clique topologies
270 D Advanced directory servers
271 D Automated reputation management
272 SPEC!! D Figure out how to do threshold directory servers
273 D jurisdiction info in dirserver entries? other info?
275 Older (done) todo stuff:
277 For 0.0.2pre17:
278 o Put a H(K | handshake) into the onionskin response
279 o Make cells 512 bytes
280 o Reduce streamid footprint from 7 bytes to 2 bytes
281 X Check for collisions in streamid (now possible with
282 just 2 bytes), and back up & replace with padding if so
283 o Use the 4 reserved bytes in each cell header to keep 1/5
284 of a sha1 of the ongoing relay payload (move into stream header)
285 o Move length into the stream header too
286 o Make length 2 bytes
287 D increase DH key length
288 D increase RSA key length
289 D Spec the stream_id stuff. Clarify that nobody on the backward
290 stream should look at stream_id.
292 For 0.0.2pre15:
293 o don't pick exit nodes which will certainly reject all things.
294 o don't pick nodes that the directory says are down
295 o choose randomly from running dirservers, not just first one
296 o install the man page
297 o warn when client-side tries an address/port which no router in the dir accepts.
299 For 0.0.2pre14:
300 o More flexible exit policies (18.*, 18.0.0.0/8)
301 o Work to succeed in the precense of exit policy violation
302 o Replace desired_path_len with opaque path-selection specifier
303 o Client-side DNS caching
304 o Add entries to client DNS cache based on END cells
305 o Remove port from END_REASON_EXITPOLICY cells
306 o Start building new circuits when we get an exit-policy
307 failure. (Defer exiting from the middle of existing
308 circuits or extending existing circuits for later.)
309 o Implement function to check whether a routerinfo_t
310 supports a given exit addr.
311 o Choose the exit node of an in-progress circuit based on
312 pending AP connections.
313 o Choose the exit node _first_, then beginning, then
314 middle nodes.
316 Previous:
317 o Get tor to act like a socks server
318 o socks4, socks4a
319 o socks5
320 o routers have identity key, link key, onion key.
321 o link key certs are
322 D signed by identity key
323 D not in descriptor
324 o not in config
325 D not on disk
326 o identity and onion keys are in descriptor (and disk)
327 o upon boot, if it doesn't find identity key, generate it and write it.
328 o also write a file with the identity key fingerprint in it
329 o router generates descriptor: flesh out router_get_my_descriptor()
330 o Routers sign descriptors with identity key
331 o routers put version number in descriptor
332 o routers should maybe have `uname -a` in descriptor?
333 o Give nicknames to routers
334 o in config
335 o in descriptors
336 o router posts descriptor
337 o when it boots
338 o every DirFetchPostPeriod seconds
339 D when it changes
340 o change tls stuff so certs don't get written to disk, or read from disk
341 o make directory.c 'thread'safe
342 o dirserver parses descriptor
343 o dirserver checks signature
344 D client checks signature?
345 o dirserver writes directory to file
346 o reads that file upon boot
347 o directory includes all routers, up and down
348 o add "up" line to directory, listing nicknames
349 o instruments ORs to report stats
350 o average cell fullness
351 o average bandwidth used
352 o configure log files. separate log file, separate severities.
353 o what assumptions break if we fclose(0) when we daemonize?
354 o make buffer struct elements opaque outside buffers.c
355 o add log convention to the HACKING file
356 o make 'make install' do the right thing
357 o change binary name to tor
358 o change config files so you look at commandline, else look in
359 /etc/torrc. no cascading.
360 o have an absolute datadir with fixed names for files, and fixed-name
361 keydir under that with fixed names
362 o Move (most of) the router/directory code out of main.c
363 o Simple directory servers
364 o Include key in source; sign directories
365 o Signed directory backend
366 o Document
367 o Integrate
368 o Add versions to code
369 o Have directories list recommended-versions
370 o Include line in directories
371 o Check for presence of line.
372 o Quit if running the wrong version
373 o Command-line option to override quit
374 o Add more information to directory server entries
375 o Exit policies
376 o Clearer bandwidth management
377 o Do we want to remove bandwidth from OR handshakes?
378 o What about OP handshakes?
379 X Move away from openssl
380 o Abstract out crypto calls
381 X Look at nss, others? Just include code?
382 o Use a stronger cipher
383 o aes now, by including the code ourselves
384 X On the fly compression of each stream
385 o Clean up the event loop (optimize and sanitize)
386 o Remove that awful concept of 'roles'
387 o Terminology
388 o Circuits, topics, cells stay named that
389 o 'Connection' gets divided, or renamed, or something?
390 o DNS farm
391 o Distribute queries onto the farm, get answers
392 o Preemptively grow a new worker before he's needed
393 o Prune workers when too many are idle
394 o DNS cache
395 o Clear DNS cache over time
396 D Honor DNS TTL info (how??)
397 o Have strategy when all workers are busy
398 o Keep track of which connections are in dns_wait
399 o Need to cache positives/negatives on the tor side
400 o Keep track of which queries have been asked
401 o Better error handling when
402 o An address doesn't resolve
403 o We have max workers running
404 o Consider taking the master out of the loop?
405 X Implement reply onions
406 o Total rate limiting
407 o Look at OR handshake in more detail
408 o Spec it
409 o Merge OR and OP handshakes
410 o rearrange connection_or so it doesn't suck so much to read
411 D Periodic link key rotation. Spec?
412 o wrap malloc with something that explodes when it fails
413 o Clean up the number of places that get to look at prkey