@@ -2,94 +2,86 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
This release includes several security and performance improvements
for clients and relays, including XXX

- This release marks end-of-line for Tor 0.2.2.x; those Tor versions have
- accumulated many known flaws; everyone should upgrade.
+ This release marks end-of-line for Tor 0.2.2.x; those Tor versions
+ have accumulated many known flaws; everyone should upgrade.

o Major features (security):
- - Block authority signing keys that were used on an authorities
- vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160). (We
+ - Block authority signing keys that were used on authorities
+ vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We
don't have any evidence that these keys _were_ compromised; we're
doing this to be prudent.) Resolves ticket 11464.

o Major features (relay performance):
- - Faster server-side lookups of rendezvous and introduction point
- circuits by using hashtables instead of linear searches over all
- the circuits. These functions previously accounted between 3 and
- 7% of CPU usage on some busy relays.
- - Avoid wasting cycles looking for usable circuit IDs. Previously,
- when allocating a new circuit ID, we would in the worst case do a
- linear scan over the entire possible range of circuit IDs before
- deciding that we had exhausted our possibilities. Now, we try 64
- circuit IDs at random before deciding that we probably won't
- succeed. Fix for a possible root cause of ticket #11553.
-
- o Major features (seccomp2 sandbox):
- - Refinements and improvements to the Linux seccomp2 sandbox code:
- the sandbox can now run a test network for multiple hours without
- crashing. (Previous crash reasons included: reseeding the OpenSSL
- PRNG, seeding the Libevent PRNG, using the wrong combination of
- CLOEXEC and NONBLOCK at the same place and time, having onion
- keys, being an authority, receiving a HUP, or using IPv6.) The
- sandbox is still experimental, and more bugs will probably turn
- up. To try it, enable "Sandbox 1" on a Linux host.
- - Strengthen the Linux seccomp2 sandbox code: the sandbox can now
- test the arguments for rename(), and blocks _sysctl() entirely.
- - When the Linux syscall sandbox finds an illegal system call, it
- now tries to log a stack trace before exiting. Resolves ticket
- 11465.
+ - Speed up server-side lookups of rendezvous and introduction point
+ circuits by using hashtables instead of linear searches. These
+ functions previously accounted between 3 and 7% of CPU usage on
+ some busy relays. Resolves ticket 9841.
+ - Avoid wasting CPU when extending a circuit over a channel that is
+ nearly out of circuit IDs. Previously, we would in the worst case
+ do a linear scan over all possible circuit IDs before deciding
+ that we had exhausted our possibilities. Now, we try at most 64
+ random circuit IDs before deciding that we probably won't succeed.
+ Fix for a possible root cause of ticket #11553.
+
+ o Major features (seccomp2 sandbox, Linux only):
+ - The seccomp2 sandbox can now run a test network for multiple hours
+ without crashing. The sandbox is still experimental, and more bugs
+ will probably turn up. To try it, enable "Sandbox 1" on a Linux
+ host.
+ - Strengthen sandbox code: the sandbox can now test the arguments
+ for rename(), and blocks _sysctl() entirely.
+ - When the sandbox blocks a system call, it now tries to log a stack
+ trace before exiting. Resolves ticket 11465.

o Major bugfixes (TLS cipher selection):
- - Generate the relay's preference list for ciphersuites
- automatically based on uniform criteria, and considering all
- OpenSSL ciphersuites with acceptable strength and forward secrecy.
- (The sort order is: prefer AES to 3DES; break ties by preferring
- ECDHE to DHE; break ties by preferring GCM to CBC; break ties by
- preferring SHA384 to SHA256 to SHA1; and finally, break ties by
- preferring AES256 to AES128.) This resolves bugs #11513, #11492,
- #11498, #11499. Bugs reported by 'cypherpunks'. Bugfix on
+ - The relay ciphersuite list is now generated automatically based on
+ uniform criteria, and includes all OpenSSL ciphersuites with
+ acceptable strength and forward secrecy. Previously, we had
+ omitted some perfectly fine ciphersuites. Resolves bugs #11513,
+ #11492, #11498, #11499. Bugs reported by 'cypherpunks'. Bugfix on
0.2.4.8-alpha.
- Relays now trust themselves to have a better view than clients of
- which TLS ciphersuites to choose. (Thanks to #11513, the relay
- list is now well-considered, whereas the client list has been
- chosen mainly for anti-fingerprinting purposes.) Resolves ticket
- 11528.
- - Update the list of TLS ciphersuites that a client advertises to
- match those advertised by Firefox 28. This enables selection of
- (fast) GCM ciphersuites, disables some strange old ciphers, and
- disables the ECDH (not to be confused with ECDHE) ciphersuites.
- Resolves ticket 11438.
+ which TLS ciphersuites are better than others. (Thanks to #11513,
+ the relay list is now well-considered, whereas the client list has
+ been chosen mainly for anti-fingerprinting purposes.) Relays
+ prefer: AES over 3DES; then ECDHE over DHE; then GCM over CBC;
+ then SHA384 over SHA256 over SHA1; and last, AES256 over AES128.
+ Resolves ticket 11528.
+ - Clients now try to advertise the same list of ciphersuites as
+ Firefox 28. This change enables selection of (fast) GCM
+ ciphersuites, disables some strange old ciphers, and disables the
+ ECDH (not to be confused with ECDHE) ciphersuites. Resolves ticket
+ 11438.

o Major bugfixes (undefined behavior):
- - Fix two instances of possible undefined behavior in channeltls.c
- that could, under unlucky circumstances, have led to a pointer
- overflow. Fixes bug #10363; bugfixes on 0.2.0.10-alpha and
- 0.2.3.6-alpha. Reported by "bobnomnom".
- - Fix another possibly undefined pointer operations in tor_memmem
- fallback implementation. Another case of bug #10363; bugfix on
- 0.1.1.1-alpha.
- - Fix another possibly undefined pointer operations in the eventdns
- fallback implementation. Another case of bug #10363; bugfix on
- 0.1.2.1-alpha.
- - Use AddressSanitizer and Ubsan sanitizers (in clang-3.4) to fix
- some miscellaneous errors in our tests and codebase. Fix for bug
- 11232. Bugfixes on versions back as far as 0.2.1.11-alpha.
+ - Fix various instances of undefined behavior in channeltls.c,
+ tor_memmem(), and eventdns.c, that would cause us to construct
+ pointers to memory outside an allocated object. (These invalid
+ pointers were not accessed, but C does not even allow them to
+ exist.) Fixes bug #10363; bugfixes on 0.2.0.10-alpha,
+ 0.2.3.6-alpha, 0.1.1.1-alpha, and 0.1.2.1-alpha. Reported by
+ "bobnomnom".
+ - Use the AddressSanitizer and Ubsan sanitizers (in clang-3.4) to
+ fix some miscellaneous errors in our tests and codebase. Fix for
+ bug 11232. Bugfixes on versions back as far as 0.2.1.11-alpha.

o Minor features (Transparent proxy, *BSD):
- - Support the ipfw firewall interface for transparent proxy support
- on FreeBSD. To enable it, set "TransProxyType ipfw" in your torrc.
- Resolves ticket 10267; patch from "yurivict".
- - Support OpenBSD's divert-to rules with the pf firewall, when
- "TransProxyType pf-divert" is specified. This allows Tor to run a
- TransPort transparent proxy port on OpenBSD 4.4 or later without
- root privileges. See the pf.conf(5) manual page for information on
- configuring pf to use divert-to rules. Closes ticket 10896; patch
- from Dana Koch.
+ - Support FreeBSD's ipfw firewall interface for TransPort ports. on
+ FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket
+ 10267; patch from "yurivict".
+ - Support OpenBSD's divert-to rules with the pf firewall for
+ transparent proxy ports. To enable it, set "TransProxyType pf-
+ divert". This allows Tor to run a TransPort transparent proxy port
+ on OpenBSD 4.4 or later without root privileges. See the
+ pf.conf(5) manual page for information on configuring pf to use
+ divert-to rules. Closes ticket 10896; patch from Dana Koch.

o Minor features (security):
- - New --enable-expensive-hardening option to turn on security
+ - New --enable-expensive-hardening option to enable security
hardening options that consume nontrivial amounts of CPU and
- memory. Right now, this includes AddressSanitizer and UbSan.
- Closes ticket 11477.
+ memory. Right now, this includes AddressSanitizer and UbSan, which
+ are supported in newer versions of GCC and Clang. Closes ticket
+ 11477.
- If you don't specify MaxMemInQueues yourself, Tor now tries to
pick a good value based on your total system memory. Previously,
the default was always 8 GB. You can still override the default by
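Review bot: the rewritten ipfw entry under "Minor features (Transparent proxy, *BSD)" carries a stray fragment: "for TransPort ports. on FreeBSD. To enable it" reads like a leftover from the old wording; suggest "for TransPort ports on FreeBSD. To enable it, set "TransProxyType ipfw"." In the same section the torrc value is split as "TransProxyType pf-" / "divert", so a reader may mistake the hyphen for line-break hyphenation; keep "pf-divert" on one line. Also, the summary still says "end-of-line for Tor 0.2.2.x" while the "Deprecated versions" entry in this same changelog says "end-of-life"; pick one (end-of-life), and the "including XXX" and "2014-04-??" placeholders still need filling before release.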
@@ -105,16 +97,14 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
at every 5% of progress. Fixes bug 9963.

o Minor features (relay):
- - If a circuit timed out for at least 3 minutes check if we have a
- new external IP address the next time we run our routine checks.
- If our IP address has changed, then publish a new descriptor with
- the new IP address. Resolves ticket 2454.
+ - If a circuit timed out for at least 3 minutes, check if we have a
+ new external IP address, and publish a new descriptor with the new
+ IP address if it changed. Resolves ticket 2454.
- Warn less verbosely when receiving a malformed
ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279.
- When we run out of usable circuit IDs on a channel, log only one
- warning for the whole channel, and include a description of how
- many circuits there were on the channel. Fix for part of ticket
- #11553.
+ warning for the whole channel, and describe how many circuits
+ there were on the channel. Fix for part of ticket #11553.

o Minor features (controller):
- Make the entire exit policy available from the control port via
@@ -131,36 +121,34 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
going unnoticed. Closes ticket 8787.

o Minor features (bridge client):
- - Report a failure to connect to a bridge because its transport type
- has no configured pluggable transport as a new type of bootstrap
- failure. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
+ - Report a more useful failure message when we can't connect to a
+ bridge because we don't have the right pluggable transport
+ configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto.

o Minor features (diagnostic):
- - Try harder to diagnose a possible cause of bug 7164, which causes
+ - Add more log messages to diagnose bug 7164, which causes
intermittent "microdesc_free() called but md was still referenced"
- warnings. We now log more information about the likely error case,
- to try to figure out why we might be cleaning a microdescriptor as
- old if it's still referenced by a live node_t object.
+ warnings. We now include more information, to figure out why we
+ might be cleaning a microdescriptor for being too old if it's
+ still referenced by a live node_t object.

o Minor bugfixes (logging):
- - Log only one message when we start logging in an unsafe way.
- Previously, we would log as many messages as we had problems. Fix
- for #9870; bugfix on 0.2.5.1-alpha.
+ - Warn only once we start logging in an unsafe way. Previously, we
+ complain as many times we had problems. Fix for #9870; bugfix on
+ 0.2.5.1-alpha.
- Using the Linux seccomp2 sandbox no longer prevents stack-trace
logging on crashes or errors. Fixes part 11465; bugfix on
0.2.5.1-alpha.
- Only report the first fatal bootstrap error on a given OR
- connection. This prevents controllers from declaring that a
- connection has failed because of "DONE" or other junk reasons.
- Fixes bug 10431; bugfix on 0.2.1.1-alpha.
- - Improve the warning message when trying to enable the Linux
- sandbox code on a Tor built without libseccomp. Instead of saying
- "Sandbox is not implemented on this platform", we now explain that
- we to need be built with libseccomp. Fixes bug 11543; bugfix on
- 0.2.5.1-alpha.
- - Avoid generating spurious warnings and failure messages when
- starting with DisableNetwork enabled. Fixes bug 11200 and bug
- 10405; bugfix on 0.2.3.9-alpha.
+ connection. This stops us from telling the controller bogus error
+ messages like "DONE". Fixes bug 10431; bugfix on 0.2.1.1-alpha.
+ - Be more helpful when trying to run sandboxed on Linux without
+ libseccomp. Instead of saying "Sandbox is not implemented on this
+ platform", we now explain that we to need be built with
+ libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha.
+ - Avoid generating spurious warnings when starting with
+ DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on
+ 0.2.3.9-alpha.

o Minor bugfixes (closing channels):
- If write_to_buf() in connection_write_to_buf_impl_() ever fails,
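Review bot: the rewritten logging entry loses its grammar: "Warn only once we start logging in an unsafe way. Previously, we complain as many times we had problems" should read "Warn only once when we start logging in an unsafe way. Previously, we complained as many times as we had problems." The libseccomp entry in the same hunk also carries over the word-order slip "we to need be built with libseccomp" from the old text; it should be "we need to be built with libseccomp".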
@@ -169,12 +157,12 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
connection_mark_for_close() directly. Fixes bug #11304; bugfix on
0.2.4.4-alpha.
- When closing all connections on setting DisableNetwork to 1, use
- connection_or_close_normally() rather than closing OR connections out
- from under the channel layer. Fixes bug #11306; bugfix on
+ connection_or_close_normally() rather than closing OR connections
+ out from under the channel layer. Fixes bug #11306; bugfix on
0.2.4.4-alpha.

o Minor bugfixes (controller):
- - Avoid sending an garbage value to the controller when a circuit is
+ - Avoid sending a garbage value to the controller when a circuit is
cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha.

o Minor bugfixes (tor-fw-helper):
@@ -187,24 +175,24 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
Fixes bug 9650; bugfix on 0.2.3.16-alpha.

o Minor bugfixes (misc):
- - Don't re-initialize a second set of openssl mutexes when starting
- up. Fixes bug 11726; bugfix on 0.2.5.3-alpha.
-
- o Minor bugfixes (memory leaks):
- - Fix a minor memory leak that occurred when signing a directory
- object. Fixes bug 11275; bugfix on 0.2.4.13-alpha.
+ - Don't re-initialize a second set of OpenSSL mutexes when starting
+ up. Previously, we'd make one set of mutexes, and then immediately
+ replace them with another. Fixes bug 11726; bugfix on
+ 0.2.5.3-alpha.

o Minor bugfixes (platform-specific):
- Fix compilation on Solaris, which does not have <endian.h>. Fixes
bug 11426; bugfix on 0.2.5.3-alpha.
- When dumping a malformed directory object to disk, save it in
- binary mode on windows, not text mode. Fixes bug 11342; bugfix on
+ binary mode on Windows, not text mode. Fixes bug 11342; bugfix on
0.2.2.1-alpha.
- - When reporting a failure from make_socket_reuseable(), don't
- report a warning when we get a failure from an incoming socket on
- OSX. Fix for bug 10081.
+ - Don't report failures from make_socket_reuseable() on incoming
+ sockets on OSX: this can happen when incoming connections close
+ early. Fix for bug 10081.

o Minor bugfixes (trivial memory leaks):
+ - Fix a small memory leak when signing a directory object. Fixes bug
+ 11275; bugfix on 0.2.4.13-alpha.
- Free placeholder entries in our circuit table at exit; fixes a
harmless memory leak. Fixes bug 11278; bugfix on 0.2.5.1-alpha.
- Resolve some memory leaks found by coverity in the unit tests, on
@@ -217,23 +205,22 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
times, not 30. Fixes bug #4241; bugfix on 0.1.0.1-rc.

o Minor bugfixes (bridge client):
- - Stop accepting bridge lines containing hostnames. Doing so allowed
- clients to perform DNS requests on the hostnames, which was not
- sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
- - Fix a bug where a client-side Tor with pluggable transports would
- take 60 seconds to bootstrap if a config re-read was triggered at
- just the right timing during bootstrap. Re-fixes bug 11156; bugfix
- on 0.2.5.3-alpha.
+ - Stop accepting bridge lines containing hostnames. Doing so would
+ cause clients to perform DNS requests on the hostnames, which was
+ not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
+ - Avoid a 60-second delay in the bootstrapping process when a Tor
+ client with pluggable transports re-reads its configuration at
+ just the wrong time. Re-fixes bug 11156; bugfix on 0.2.5.3-alpha.
- Avoid 60-second delays in the bootstrapping process when Tor is
launching for a second time while using bridges. Fixes bug 9229;
bugfix on 0.2.0.3-alpha.

o Minor bugfixes (DNS):
- - When receiving a DNS query for an unsupported type, reply with no
- answer rather than with a NOTIMPL error. This behavior isn't
- correct either, but it will break fewer client programs, we hope.
- Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch from
- "epoch".
+ - When receiving a DNS query for an unsupported record type, reply
+ with no answer rather than with a NOTIMPL error. This behavior
+ isn't correct either, but it will break fewer client programs, we
+ hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch
+ from "epoch".

o Minor bugfixes (exit):
- Stop leaking memory when we successfully resolve a PTR record.
@@ -266,8 +253,8 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
o Deprecated versions:
- Tor 0.2.2.x has reached end-of-life; it has received no patches or
attention for some while. Directory authorities no longer accept
- descriptors from relays running any version of Tor prior to
- Tor 0.2.3.16-alpha. Resolves ticket 11149.
+ descriptors from relays running any version of Tor prior to Tor
+ 0.2.3.16-alpha. Resolves ticket 11149.

o Testing:
- New macros in test.h to simplify writing mock-functions for unit