|
|
@@ -3,6 +3,1004 @@ This document summarizes new features and bugfixes in each stable release
|
|
|
of Tor. If you want to see more detailed descriptions of the changes in
|
|
|
each development snapshot, see the ChangeLog file.
|
|
|
|
|
|
+
|
|
|
+Changes in version 0.2.6.6 - 2015-03-24
|
|
|
+ Tor 0.2.6.6 is the first stable release in the 0.2.6 series.
|
|
|
+
|
|
|
+ It adds numerous safety, security, correctness, and performance
|
|
|
+ improvements. Client programs can be configured to use more kinds of
|
|
|
+ sockets, AutomapHosts works better, the multithreading backend is
|
|
|
+ improved, cell transmission is refactored, test coverage is much
|
|
|
+ higher, more denial-of-service attacks are handled, guard selection is
|
|
|
+ improved to handle long-term guards better, pluggable transports
|
|
|
+ should work a bit better, and some annoying hidden service performance
|
|
|
+ bugs should be addressed.
|
|
|
+
|
|
|
+ o New compiler and system requirements:
|
|
|
+ - Tor 0.2.6.x requires that your compiler support more of the C99
|
|
|
+ language standard than before. The 'configure' script now detects
|
|
|
+ whether your compiler supports C99 mid-block declarations and
|
|
|
+ designated initializers. If it does not, Tor will not compile.
|
|
|
+
|
|
|
+ We may revisit this requirement if it turns out that a significant
|
|
|
+ number of people need to build Tor with compilers that don't
|
|
|
+ bother implementing a 15-year-old standard. Closes ticket 13233.
|
|
|
+ - Tor no longer supports systems without threading support. When we
|
|
|
+ began working on Tor, there were several systems that didn't have
|
|
|
+ threads, or where the thread support wasn't able to run the
|
|
|
+ threads of a single process on multiple CPUs. That no longer
|
|
|
+ holds: every system where Tor needs to run well now has threading
|
|
|
+ support. Resolves ticket 12439.
|
|
|
+
|
|
|
+ o Deprecated versions and removed support:
|
|
|
+ - Tor relays older than 0.2.4.18-rc are no longer allowed to
|
|
|
+ advertise themselves on the network. Closes ticket 13555.
|
|
|
+ - Tor clients no longer support connecting to hidden services
|
|
|
+ running on Tor 0.2.2.x and earlier; the Support022HiddenServices
|
|
|
+ option has been removed. (There shouldn't be any hidden services
|
|
|
+ running these versions on the network.) Closes ticket 7803.
|
|
|
+
|
|
|
+ o Directory authority changes:
|
|
|
+ - The directory authority Faravahar has a new IP address. This
|
|
|
+ closes ticket 14487.
|
|
|
+ - Remove turtles as a directory authority.
|
|
|
+ - Add longclaw as a new (v3) directory authority. This implements
|
|
|
+ ticket 13296. This keeps the directory authority count at 9.
|
|
|
+
|
|
|
+ o Major features (bridges):
|
|
|
+ - Expose the outgoing upstream HTTP/SOCKS proxy to pluggable
|
|
|
+ transports if they are configured via the "TOR_PT_PROXY"
|
|
|
+ environment variable. Implements proposal 232. Resolves
|
|
|
+ ticket 8402.
|
|
|
+
|
|
|
+ o Major features (changed defaults):
|
|
|
+ - Prevent relay operators from unintentionally running exits: When a
|
|
|
+ relay is configured as an exit node, we now warn the user unless
|
|
|
+ the "ExitRelay" option is set to 1. We warn even more loudly if
|
|
|
+ the relay is configured with the default exit policy, since this
|
|
|
+ can indicate accidental misconfiguration. Setting "ExitRelay 0"
|
|
|
+ stops Tor from running as an exit relay. Closes ticket 10067.
|
|
|
+
|
|
|
+ o Major features (client performance, hidden services):
|
|
|
+ - Allow clients to use optimistic data when connecting to a hidden
|
|
|
+ service, which should remove a round-trip from hidden service
|
|
|
+ initialization. See proposal 181 for details. Implements
|
|
|
+ ticket 13211.
|
|
|
+
|
|
|
+ o Major features (directory system):
|
|
|
+ - Upon receiving an unparseable directory object, if its digest
|
|
|
+ matches what we expected, then don't try to download it again.
|
|
|
+ Previously, when we got a descriptor we didn't like, we would keep
|
|
|
+ trying to download it over and over. Closes ticket 11243.
|
|
|
+ - When downloading server- or microdescriptors from a directory
|
|
|
+ server, we no longer launch multiple simultaneous requests to the
|
|
|
+ same server. This reduces load on the directory servers,
|
|
|
+ especially when directory guards are in use. Closes ticket 9969.
|
|
|
+ - When downloading server- or microdescriptors over a tunneled
|
|
|
+ connection, do not limit the length of our requests to what the
|
|
|
+ Squid proxy is willing to handle. Part of ticket 9969.
|
|
|
+ - Authorities can now vote on the correct digests and latest
|
|
|
+ versions for different software packages. This allows packages
|
|
|
+ that include Tor to use the Tor authority system as a way to get
|
|
|
+ notified of updates and their correct digests. Implements proposal
|
|
|
+ 227. Closes ticket 10395.
|
|
|
+
|
|
|
+ o Major features (guards):
|
|
|
+ - Introduce the Guardfraction feature to improves load balancing on
|
|
|
+ guard nodes. Specifically, it aims to reduce the traffic gap that
|
|
|
+ guard nodes experience when they first get the Guard flag. This is
|
|
|
+ a required step if we want to increase the guard lifetime to 9
|
|
|
+ months or greater. Closes ticket 9321.
|
|
|
+
|
|
|
+ o Major features (hidden services):
|
|
|
+ - Make HS port scanning more difficult by immediately closing the
|
|
|
+ circuit when a user attempts to connect to a nonexistent port.
|
|
|
+ Closes ticket 13667.
|
|
|
+ - Add a HiddenServiceStatistics option that allows Tor relays to
|
|
|
+ gather and publish statistics about the overall size and volume of
|
|
|
+ hidden service usage. Specifically, when this option is turned on,
|
|
|
+ an HSDir will publish an approximate number of hidden services
|
|
|
+ that have published descriptors to it the past 24 hours. Also, if
|
|
|
+ a relay has acted as a hidden service rendezvous point, it will
|
|
|
+ publish the approximate amount of rendezvous cells it has relayed
|
|
|
+ the past 24 hours. The statistics themselves are obfuscated so
|
|
|
+ that the exact values cannot be derived. For more details see
|
|
|
+ proposal 238, "Better hidden service stats from Tor relays". This
|
|
|
+ feature is currently disabled by default. Implements feature 13192.
|
|
|
+
|
|
|
+ o Major features (performance):
|
|
|
+ - Make the CPU worker implementation more efficient by avoiding the
|
|
|
+ kernel and lengthening pipelines. The original implementation used
|
|
|
+ sockets to transfer data from the main thread to the workers, and
|
|
|
+ didn't allow any thread to be assigned more than a single piece of
|
|
|
+ work at once. The new implementation avoids communications
|
|
|
+ overhead by making requests in shared memory, avoiding kernel IO
|
|
|
+ where possible, and keeping more requests in flight at once.
|
|
|
+ Implements ticket 9682.
|
|
|
+
|
|
|
+ o Major features (relay):
|
|
|
+ - Raise the minimum acceptable configured bandwidth rate for bridges
|
|
|
+ to 50 KiB/sec and for relays to 75 KiB/sec. (The old values were
|
|
|
+ 20 KiB/sec.) Closes ticket 13822.
|
|
|
+ - Complete revision of the code that relays use to decide which cell
|
|
|
+ to send next. Formerly, we selected the best circuit to write on
|
|
|
+ each channel, but we didn't select among channels in any
|
|
|
+ sophisticated way. Now, we choose the best circuits globally from
|
|
|
+ among those whose channels are ready to deliver traffic.
|
|
|
+
|
|
|
+ This patch implements a new inter-cmux comparison API, a global
|
|
|
+ high/low watermark mechanism and a global scheduler loop for
|
|
|
+ transmission prioritization across all channels as well as among
|
|
|
+ circuits on one channel. This schedule is currently tuned to
|
|
|
+ (tolerantly) avoid making changes in network performance, but it
|
|
|
+ should form the basis for major circuit performance increases in
|
|
|
+ the future. Code by Andrea; tuning by Rob Jansen; implements
|
|
|
+ ticket 9262.
|
|
|
+
|
|
|
+ o Major features (sample torrc):
|
|
|
+ - Add a new, infrequently-changed "torrc.minimal". This file is
|
|
|
+ similar to torrc.sample, but it will change as infrequently as
|
|
|
+ possible, for the benefit of users whose systems prompt them for
|
|
|
+ intervention whenever a default configuration file is changed.
|
|
|
+ Making this change allows us to update torrc.sample to be a more
|
|
|
+ generally useful "sample torrc".
|
|
|
+
|
|
|
+ o Major features (security, unix domain sockets):
|
|
|
+ - Allow SocksPort to be an AF_UNIX Unix Domain Socket. Now high risk
|
|
|
+ applications can reach Tor without having to create AF_INET or
|
|
|
+ AF_INET6 sockets, meaning they can completely disable their
|
|
|
+ ability to make non-Tor network connections. To create a socket of
|
|
|
+ this type, use "SocksPort unix:/path/to/socket". Implements
|
|
|
+ ticket 12585.
|
|
|
+ - Support mapping hidden service virtual ports to AF_UNIX sockets.
|
|
|
+ The syntax is "HiddenServicePort 80 unix:/path/to/socket".
|
|
|
+ Implements ticket 11485.
|
|
|
+
|
|
|
+ o Major bugfixes (client, automap):
|
|
|
+ - Repair automapping with IPv6 addresses. This automapping should
|
|
|
+ have worked previously, but one piece of debugging code that we
|
|
|
+ inserted to detect a regression actually caused the regression to
|
|
|
+ manifest itself again. Fixes bug 13811 and bug 12831; bugfix on
|
|
|
+ 0.2.4.7-alpha. Diagnosed and fixed by Francisco Blas
|
|
|
+ Izquierdo Riera.
|
|
|
+
|
|
|
+ o Major bugfixes (crash, OSX, security):
|
|
|
+ - Fix a remote denial-of-service opportunity caused by a bug in
|
|
|
+ OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared
|
|
|
+ in OSX 10.9.
|
|
|
+
|
|
|
+ o Major bugfixes (directory authorities):
|
|
|
+ - Do not assign the HSDir flag to relays if they are not Valid, or
|
|
|
+ currently hibernating. Fixes 12573; bugfix on 0.2.0.10-alpha.
|
|
|
+
|
|
|
+ o Major bugfixes (directory bandwidth performance):
|
|
|
+ - Don't flush the zlib buffer aggressively when compressing
|
|
|
+ directory information for clients. This should save about 7% of
|
|
|
+ the bandwidth currently used for compressed descriptors and
|
|
|
+ microdescriptors. Fixes bug 11787; bugfix on 0.1.1.23.
|
|
|
+
|
|
|
+ o Major bugfixes (exit node stability):
|
|
|
+ - Fix an assertion failure that could occur under high DNS load.
|
|
|
+ Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
|
|
|
+ diagnosed and fixed by "cypherpunks".
|
|
|
+
|
|
|
+ o Major bugfixes (FreeBSD IPFW transparent proxy):
|
|
|
+ - Fix address detection with FreeBSD transparent proxies, when
|
|
|
+ "TransProxyType ipfw" is in use. Fixes bug 15064; bugfix
|
|
|
+ on 0.2.5.4-alpha.
|
|
|
+
|
|
|
+ o Major bugfixes (hidden services):
|
|
|
+ - When closing an introduction circuit that was opened in parallel
|
|
|
+ with others, don't mark the introduction point as unreachable.
|
|
|
+ Previously, the first successful connection to an introduction
|
|
|
+ point would make the other introduction points get marked as
|
|
|
+ having timed out. Fixes bug 13698; bugfix on 0.0.6rc2.
|
|
|
+
|
|
|
+ o Major bugfixes (Linux seccomp2 sandbox):
|
|
|
+ - Upon receiving sighup with the seccomp2 sandbox enabled, do not
|
|
|
+ crash during attempts to call wait4. Fixes bug 15088; bugfix on
|
|
|
+ 0.2.5.1-alpha. Patch from "sanic".
|
|
|
+
|
|
|
+ o Major bugfixes (mixed relay-client operation):
|
|
|
+ - When running as a relay and client at the same time (not
|
|
|
+ recommended), if we decide not to use a new guard because we want
|
|
|
+ to retry older guards, only close the locally-originating circuits
|
|
|
+ passing through that guard. Previously we would close all the
|
|
|
+ circuits through that guard. Fixes bug 9819; bugfix on
|
|
|
+ 0.2.1.1-alpha. Reported by "skruffy".
|
|
|
+
|
|
|
+ o Major bugfixes (pluggable transports):
|
|
|
+ - Initialize the extended OR Port authentication cookie before
|
|
|
+ launching pluggable transports. This prevents a race condition
|
|
|
+ that occured when server-side pluggable transports would cache the
|
|
|
+ authentication cookie before it has been (re)generated. Fixes bug
|
|
|
+ 15240; bugfix on 0.2.5.1-alpha.
|
|
|
+
|
|
|
+ o Major bugfixes (relay, stability, possible security):
|
|
|
+ - Fix a bug that could lead to a relay crashing with an assertion
|
|
|
+ failure if a buffer of exactly the wrong layout is passed to
|
|
|
+ buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
|
|
|
+ 0.2.0.10-alpha. Patch from "cypherpunks".
|
|
|
+ - Do not assert if the 'data' pointer on a buffer is advanced to the
|
|
|
+ very end of the buffer; log a BUG message instead. Only assert if
|
|
|
+ it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
|
|
|
+
|
|
|
+ o Minor features (build):
|
|
|
+ - New --disable-system-torrc compile-time option to prevent Tor from
|
|
|
+ looking for the system-wide torrc or torrc-defaults files.
|
|
|
+ Resolves ticket 13037.
|
|
|
+
|
|
|
+ o Minor features (client):
|
|
|
+ - Clients are now willing to send optimistic data (before they
|
|
|
+ receive a 'connected' cell) to relays of any version. (Relays
|
|
|
+ without support for optimistic data are no longer supported on the
|
|
|
+ Tor network.) Resolves ticket 13153.
|
|
|
+
|
|
|
+ o Minor features (client):
|
|
|
+ - Validate hostnames in SOCKS5 requests more strictly. If SafeSocks
|
|
|
+ is enabled, reject requests with IP addresses as hostnames.
|
|
|
+ Resolves ticket 13315.
|
|
|
+
|
|
|
+ o Minor features (controller):
|
|
|
+ - Add a "SIGNAL HEARTBEAT" controller command that tells Tor to
|
|
|
+ write an unscheduled heartbeat message to the log. Implements
|
|
|
+ feature 9503.
|
|
|
+ - Include SOCKS_USERNAME and SOCKS_PASSWORD values in controller
|
|
|
+ events so controllers can observe circuit isolation inputs. Closes
|
|
|
+ ticket 8405.
|
|
|
+ - ControlPort now supports the unix:/path/to/socket syntax as an
|
|
|
+ alternative to the ControlSocket option, for consistency with
|
|
|
+ SocksPort and HiddenServicePort. Closes ticket 14451.
|
|
|
+ - New "GETINFO bw-event-cache" to get information about recent
|
|
|
+ bandwidth events. Closes ticket 14128. Useful for controllers to
|
|
|
+ get recent bandwidth history after the fix for ticket 13988.
|
|
|
+ - Messages about problems in the bootstrap process now include
|
|
|
+ information about the server we were trying to connect to when we
|
|
|
+ noticed the problem. Closes ticket 15006.
|
|
|
+
|
|
|
+ o Minor features (Denial of service resistance):
|
|
|
+ - Count the total number of bytes used storing hidden service
|
|
|
+ descriptors against the value of MaxMemInQueues. If we're low on
|
|
|
+ memory, and more than 20% of our memory is used holding hidden
|
|
|
+ service descriptors, free them until no more than 10% of our
|
|
|
+ memory holds hidden service descriptors. Free the least recently
|
|
|
+ fetched descriptors first. Resolves ticket 13806.
|
|
|
+ - When we have recently been under memory pressure (over 3/4 of
|
|
|
+ MaxMemInQueues is allocated), then allocate smaller zlib objects
|
|
|
+ for small requests. Closes ticket 11791.
|
|
|
+
|
|
|
+ o Minor features (directory authorities):
|
|
|
+ - Don't list relays with a bandwidth estimate of 0 in the consensus.
|
|
|
+ Implements a feature proposed during discussion of bug 13000.
|
|
|
+ - In tor-gencert, report an error if the user provides the same
|
|
|
+ argument more than once.
|
|
|
+ - If a directory authority can't find a best consensus method in the
|
|
|
+ votes that it holds, it now falls back to its favorite consensus
|
|
|
+ method. Previously, it fell back to method 1. Neither of these is
|
|
|
+ likely to get enough signatures, but "fall back to favorite"
|
|
|
+ doesn't require us to maintain support an obsolete consensus
|
|
|
+ method. Implements part of proposal 215.
|
|
|
+
|
|
|
+ o Minor features (geoip):
|
|
|
+ - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
|
|
|
+ - Update geoip6 to the March 3 2015 Maxmind GeoLite2
|
|
|
+ Country database.
|
|
|
+
|
|
|
+ o Minor features (guard nodes):
|
|
|
+ - Reduce the time delay before saving guard status to disk from 10
|
|
|
+ minutes to 30 seconds (or from one hour to 10 minutes if
|
|
|
+ AvoidDiskWrites is set). Closes ticket 12485.
|
|
|
+
|
|
|
+ o Minor features (heartbeat):
|
|
|
+ - On relays, report how many connections we negotiated using each
|
|
|
+ version of the Tor link protocols. This information will let us
|
|
|
+ know if removing support for very old versions of the Tor
|
|
|
+ protocols is harming the network. Closes ticket 15212.
|
|
|
+
|
|
|
+ o Minor features (hidden service):
|
|
|
+ - Make Sybil attacks against hidden services harder by changing the
|
|
|
+ minimum time required to get the HSDir flag from 25 hours up to 96
|
|
|
+ hours. Addresses ticket 14149.
|
|
|
+ - New option "HiddenServiceAllowUnknownPorts" to allow hidden
|
|
|
+ services to disable the anti-scanning feature introduced in
|
|
|
+ 0.2.6.2-alpha. With this option not set, a connection to an
|
|
|
+ unlisted port closes the circuit. With this option set, only a
|
|
|
+ RELAY_DONE cell is sent. Closes ticket 14084.
|
|
|
+ - When re-enabling the network, don't try to build introduction
|
|
|
+ circuits until we have successfully built a circuit. This makes
|
|
|
+ hidden services come up faster when the network is re-enabled.
|
|
|
+ Patch from "akwizgran". Closes ticket 13447.
|
|
|
+ - When we fail to retrieve a hidden service descriptor, send the
|
|
|
+ controller an "HS_DESC FAILED" controller event. Implements
|
|
|
+ feature 13212.
|
|
|
+ - New HiddenServiceDirGroupReadable option to cause hidden service
|
|
|
+ directories and hostname files to be created group-readable. Patch
|
|
|
+ from "anon", David Stainton, and "meejah". Closes ticket 11291.
|
|
|
+
|
|
|
+ o Minor features (interface):
|
|
|
+ - Implement "-f -" command-line option to read torrc configuration
|
|
|
+ from standard input, if you don't want to store the torrc file in
|
|
|
+ the file system. Implements feature 13865.
|
|
|
+
|
|
|
+ o Minor features (logging):
|
|
|
+ - Add a count of unique clients to the bridge heartbeat message.
|
|
|
+ Resolves ticket 6852.
|
|
|
+ - Suppress "router info incompatible with extra info" message when
|
|
|
+ reading extrainfo documents from cache. (This message got loud
|
|
|
+ around when we closed bug 9812 in 0.2.6.2-alpha.) Closes
|
|
|
+ ticket 13762.
|
|
|
+ - Elevate hidden service authorized-client message from DEBUG to
|
|
|
+ INFO. Closes ticket 14015.
|
|
|
+ - On Unix-like systems, you can now use named pipes as the target of
|
|
|
+ the Log option, and other options that try to append to files.
|
|
|
+ Closes ticket 12061. Patch from "carlo von lynX".
|
|
|
+ - When opening a log file at startup, send it every log message that
|
|
|
+ we generated between startup and opening it. Previously, log
|
|
|
+ messages that were generated before opening the log file were only
|
|
|
+ logged to stdout. Closes ticket 6938.
|
|
|
+ - Add a TruncateLogFile option to overwrite logs instead of
|
|
|
+ appending to them. Closes ticket 5583.
|
|
|
+ - Quiet some log messages in the heartbeat and at startup. Closes
|
|
|
+ ticket 14950.
|
|
|
+
|
|
|
+ o Minor features (portability, Solaris):
|
|
|
+ - Threads are no longer disabled by default on Solaris; we believe
|
|
|
+ that the versions of Solaris with broken threading support are all
|
|
|
+ obsolete by now. Resolves ticket 9495.
|
|
|
+
|
|
|
+ o Minor features (relay):
|
|
|
+ - Re-check our address after we detect a changed IP address from
|
|
|
+ getsockname(). This ensures that the controller command "GETINFO
|
|
|
+ address" will report the correct value. Resolves ticket 11582.
|
|
|
+ Patch from "ra".
|
|
|
+ - A new AccountingRule option lets Relays set whether they'd like
|
|
|
+ AccountingMax to be applied separately to inbound and outbound
|
|
|
+ traffic, or applied to the sum of inbound and outbound traffic.
|
|
|
+ Resolves ticket 961. Patch by "chobe".
|
|
|
+ - When identity keypair is generated for first time, log a
|
|
|
+ congratulatory message that links to the new relay lifecycle
|
|
|
+ document. Implements feature 10427.
|
|
|
+
|
|
|
+ o Minor features (security, memory wiping):
|
|
|
+ - Ensure we securely wipe keys from memory after
|
|
|
+ crypto_digest_get_digest and init_curve25519_keypair_from_file
|
|
|
+ have finished using them. Resolves ticket 13477.
|
|
|
+
|
|
|
+ o Minor features (security, out-of-memory handling):
|
|
|
+ - When handling an out-of-memory condition, allocate less memory for
|
|
|
+ temporary data structures. Fixes issue 10115.
|
|
|
+ - When handling an out-of-memory condition, consider more types of
|
|
|
+ buffers, including those on directory connections, and zlib
|
|
|
+ buffers. Resolves ticket 11792.
|
|
|
+
|
|
|
+ o Minor features (stability):
|
|
|
+ - Add assertions in our hash-table iteration code to check for
|
|
|
+ corrupted values that could cause infinite loops. Closes
|
|
|
+ ticket 11737.
|
|
|
+
|
|
|
+ o Minor features (systemd):
|
|
|
+ - Various improvements and modernizations in systemd hardening
|
|
|
+ support. Closes ticket 13805. Patch from Craig Andrews.
|
|
|
+ - Where supported, when running with systemd, report successful
|
|
|
+ startup to systemd. Part of ticket 11016. Patch by Michael Scherer.
|
|
|
+ - When running with systemd, support systemd watchdog messages. Part
|
|
|
+ of ticket 11016. Patch by Michael Scherer.
|
|
|
+
|
|
|
+ o Minor features (testing networks):
|
|
|
+ - Add the TestingDirAuthVoteExit option, which lists nodes to assign
|
|
|
+ the "Exit" flag regardless of their uptime, bandwidth, or exit
|
|
|
+ policy. TestingTorNetwork must be set for this option to have any
|
|
|
+ effect. Previously, authorities would take up to 35 minutes to
|
|
|
+ give nodes the Exit flag in a test network. Partially implements
|
|
|
+ ticket 13161.
|
|
|
+ - Drop the minimum RendPostPeriod on a testing network to 5 seconds,
|
|
|
+ and the default on a testing network to 2 minutes. Drop the
|
|
|
+ MIN_REND_INITIAL_POST_DELAY on a testing network to 5 seconds, but
|
|
|
+ keep the default on a testing network at 30 seconds. This reduces
|
|
|
+ HS bootstrap time to around 25 seconds. Also, change the default
|
|
|
+ time in test-network.sh to match. Closes ticket 13401. Patch
|
|
|
+ by "teor".
|
|
|
+ - Create TestingDirAuthVoteHSDir to correspond to
|
|
|
+ TestingDirAuthVoteExit/Guard. Ensures that authorities vote the
|
|
|
+ HSDir flag for the listed relays regardless of uptime or ORPort
|
|
|
+ connectivity. Respects the value of VoteOnHidServDirectoriesV2.
|
|
|
+ Partial implementation for ticket 14067. Patch by "teor".
|
|
|
+
|
|
|
+ o Minor features (tor2web mode):
|
|
|
+ - Introduce the config option Tor2webRendezvousPoints, which allows
|
|
|
+ clients in Tor2webMode to select a specific Rendezvous Point to be
|
|
|
+ used in HS circuits. This might allow better performance for
|
|
|
+ Tor2Web nodes. Implements ticket 12844.
|
|
|
+
|
|
|
+ o Minor features (transparent proxy):
|
|
|
+ - Update the transparent proxy option checks to allow for both ipfw
|
|
|
+ and pf on OS X. Closes ticket 14002.
|
|
|
+ - Use the correct option when using IPv6 with transparent proxy
|
|
|
+ support on Linux. Resolves 13808. Patch by Francisco Blas
|
|
|
+ Izquierdo Riera.
|
|
|
+
|
|
|
+ o Minor features (validation):
|
|
|
+ - Check all date/time values passed to tor_timegm and
|
|
|
+ parse_rfc1123_time for validity, taking leap years into account.
|
|
|
+ Improves HTTP header validation. Implemented with bug 13476.
|
|
|
+ - In correct_tm(), limit the range of values returned by system
|
|
|
+ localtime(_r) and gmtime(_r) to be between the years 1 and 8099.
|
|
|
+ This means we don't have to deal with negative or too large dates,
|
|
|
+ even if a clock is wrong. Otherwise we might fail to read a file
|
|
|
+ written by us which includes such a date. Fixes bug 13476.
|
|
|
+ - Stop allowing invalid address patterns like "*/24" that contain
|
|
|
+ both a wildcard address and a bit prefix length. This affects all
|
|
|
+ our address-range parsing code. Fixes bug 7484; bugfix
|
|
|
+ on 0.0.2pre14.
|
|
|
+
|
|
|
+ o Minor bugfixes (bridge clients):
|
|
|
+ - When configured to use a bridge without an identity digest (not
|
|
|
+ recommended), avoid launching an extra channel to it when
|
|
|
+ bootstrapping. Fixes bug 7733; bugfix on 0.2.4.4-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (bridges):
|
|
|
+ - When DisableNetwork is set, do not launch pluggable transport
|
|
|
+ plugins, and if any are running, terminate them. Fixes bug 13213;
|
|
|
+ bugfix on 0.2.3.6-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (C correctness):
|
|
|
+ - Fix several instances of possible integer overflow/underflow/NaN.
|
|
|
+ Fixes bug 13104; bugfix on 0.2.3.1-alpha and later. Patches
|
|
|
+ from "teor".
|
|
|
+ - In circuit_build_times_calculate_timeout() in circuitstats.c,
|
|
|
+ avoid dividing by zero in the pareto calculations. This traps
|
|
|
+ under clang's "undefined-trap" sanitizer. Fixes bug 13290; bugfix
|
|
|
+ on 0.2.2.2-alpha.
|
|
|
+ - Fix an integer overflow in format_time_interval(). Fixes bug
|
|
|
+ 13393; bugfix on 0.2.0.10-alpha.
|
|
|
+ - Set the correct day of year value when the system's localtime(_r)
|
|
|
+ or gmtime(_r) functions fail to set struct tm. Not externally
|
|
|
+ visible. Fixes bug 13476; bugfix on 0.0.2pre14.
|
|
|
+ - Avoid unlikely signed integer overflow in tor_timegm on systems
|
|
|
+ with 32-bit time_t. Fixes bug 13476; bugfix on 0.0.2pre14.
|
|
|
+
|
|
|
+ o Minor bugfixes (certificate handling):
|
|
|
+ - If an authority operator accidentally makes a signing certificate
|
|
|
+ with a future publication time, do not discard its real signing
|
|
|
+ certificates. Fixes bug 11457; bugfix on 0.2.0.3-alpha.
|
|
|
+ - Remove any old authority certificates that have been superseded
|
|
|
+ for at least two days. Previously, we would keep superseded
|
|
|
+ certificates until they expired, if they were published close in
|
|
|
+ time to the certificate that superseded them. Fixes bug 11454;
|
|
|
+ bugfix on 0.2.1.8-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (client):
|
|
|
+ - Fix smartlist_choose_node_by_bandwidth() so that relays with the
|
|
|
+ BadExit flag are not considered worthy candidates. Fixes bug
|
|
|
+ 13066; bugfix on 0.1.2.3-alpha.
|
|
|
+ - Use the consensus schedule for downloading consensuses, and not
|
|
|
+ the generic schedule. Fixes bug 11679; bugfix on 0.2.2.6-alpha.
|
|
|
+ - Handle unsupported or malformed SOCKS5 requests properly by
|
|
|
+ responding with the appropriate error message before closing the
|
|
|
+ connection. Fixes bugs 12971 and 13314; bugfix on 0.0.2pre13.
|
|
|
+
|
|
|
+ o Minor bugfixes (client, automapping):
|
|
|
+ - Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when
|
|
|
+ no value follows the option. Fixes bug 14142; bugfix on
|
|
|
+ 0.2.4.7-alpha. Patch by "teor".
|
|
|
+ - Fix a memory leak when using AutomapHostsOnResolve. Fixes bug
|
|
|
+ 14195; bugfix on 0.1.0.1-rc.
|
|
|
+ - Prevent changes to other options from removing the wildcard value
|
|
|
+ "." from "AutomapHostsSuffixes". Fixes bug 12509; bugfix
|
|
|
+ on 0.2.0.1-alpha.
|
|
|
+ - Allow MapAddress and AutomapHostsOnResolve to work together when
|
|
|
+ an address is mapped into another address type (like .onion) that
|
|
|
+ must be automapped at resolve time. Fixes bug 7555; bugfix
|
|
|
+ on 0.2.0.1-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (client, bridges):
|
|
|
+ - When we are using bridges and we had a network connectivity
|
|
|
+ problem, only retry connecting to our currently configured
|
|
|
+ bridges, not all bridges we know about and remember using. Fixes
|
|
|
+ bug 14216; bugfix on 0.2.2.17-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (client, DNS):
|
|
|
+ - Report the correct cached DNS expiration times on SOCKS port or in
|
|
|
+ DNS replies. Previously, we would report everything as "never
|
|
|
+ expires." Fixes bug 14193; bugfix on 0.2.3.17-beta.
|
|
|
+ - Avoid a small memory leak when we find a cached answer for a
|
|
|
+ reverse DNS lookup in a client-side DNS cache. (Remember, client-
|
|
|
+ side DNS caching is off by default, and is not recommended.) Fixes
|
|
|
+ bug 14259; bugfix on 0.2.0.1-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (client, IPv6):
|
|
|
+ - Reject socks requests to literal IPv6 addresses when IPv6Traffic
|
|
|
+ flag is not set; and not because the NoIPv4Traffic flag was set.
|
|
|
+ Previously we'd looked at the NoIPv4Traffic flag for both types of
|
|
|
+ literal addresses. Fixes bug 14280; bugfix on 0.2.4.7-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (client, microdescriptors):
|
|
|
+ - Use a full 256 bits of the SHA256 digest of a microdescriptor when
|
|
|
+ computing which microdescriptors to download. This keeps us from
|
|
|
+ erroneous download behavior if two microdescriptor digests ever
|
|
|
+ have the same first 160 bits. Fixes part of bug 13399; bugfix
|
|
|
+ on 0.2.3.1-alpha.
|
|
|
+ - Reset a router's status if its microdescriptor digest changes,
|
|
|
+ even if the first 160 bits remain the same. Fixes part of bug
|
|
|
+ 13399; bugfix on 0.2.3.1-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (client, torrc):
|
|
|
+ - Stop modifying the value of our DirReqStatistics torrc option just
|
|
|
+ because we're not a bridge or relay. This bug was causing Tor
|
|
|
+ Browser users to write "DirReqStatistics 0" in their torrc files
|
|
|
+ as if they had chosen to change the config. Fixes bug 4244; bugfix
|
|
|
+ on 0.2.3.1-alpha.
|
|
|
+ - When GeoIPExcludeUnknown is enabled, do not incorrectly decide
|
|
|
+ that our options have changed every time we SIGHUP. Fixes bug
|
|
|
+ 9801; bugfix on 0.2.4.10-alpha. Patch from "qwerty1".
|
|
|
+
|
|
|
+ o Minor bugfixes (compilation):
|
|
|
+ - Fix a compilation warning on s390. Fixes bug 14988; bugfix
|
|
|
+ on 0.2.5.2-alpha.
|
|
|
+ - Silence clang warnings under --enable-expensive-hardening,
|
|
|
+ including implicit truncation of 64 bit values to 32 bit, const
|
|
|
+ char assignment to self, tautological compare, and additional
|
|
|
+ parentheses around equality tests. Fixes bug 13577; bugfix
|
|
|
+ on 0.2.5.4-alpha.
|
|
|
+ - Fix a clang warning about checking whether an address in the
|
|
|
+ middle of a structure is NULL. Fixes bug 14001; bugfix
|
|
|
+ on 0.2.1.2-alpha.
|
|
|
+ - The address of an array in the middle of a structure will always
|
|
|
+ be non-NULL. clang recognises this and complains. Disable the
|
|
|
+ tautologous and redundant check to silence this warning. Fixes bug
|
|
|
+ 14001; bugfix on 0.2.1.2-alpha.
|
|
|
+ - Compile correctly with (unreleased) OpenSSL 1.1.0 headers.
|
|
|
+ Addresses ticket 14188.
|
|
|
+ - Build without warnings with the stock OpenSSL srtp.h header, which
|
|
|
+ has a duplicate declaration of SSL_get_selected_srtp_profile().
|
|
|
+ Fixes bug 14220; this is OpenSSL's bug, not ours.
|
|
|
+ - Do not compile any code related to Tor2Web mode when Tor2Web mode
|
|
|
+ is not enabled at compile time. Previously, this code was included
|
|
|
+ in a disabled state. See discussion on ticket 12844.
|
|
|
+ - Allow our configure script to build correctly with autoconf 2.62
|
|
|
+ again. Fixes bug 12693; bugfix on 0.2.5.2-alpha.
|
|
|
+ - Improve the error message from ./configure to make it clear that
|
|
|
+ when asciidoc has not been found, the user will have to either add
|
|
|
+ --disable-asciidoc argument or install asciidoc. Resolves
|
|
|
+ ticket 13228.
|
|
|
+
|
|
|
+ o Minor bugfixes (controller):
|
|
|
+ - Report "down" in response to the "GETINFO entry-guards" command
|
|
|
+ when relays are down with an unreachable_since value. Previously,
|
|
|
+ we would report "up". Fixes bug 14184; bugfix on 0.1.2.2-alpha.
|
|
|
+ - Avoid crashing on a malformed EXTENDCIRCUIT command. Fixes bug
|
|
|
+ 14116; bugfix on 0.2.2.9-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (controller):
|
|
|
+ - Return an error when the second or later arguments of the
|
|
|
+ "setevents" controller command are invalid events. Previously we
|
|
|
+ would return success while silently skipping invalid events. Fixes
|
|
|
+ bug 13205; bugfix on 0.2.3.2-alpha. Reported by "fpxnns".
|
|
|
+
|
|
|
+ o Minor bugfixes (directory authority):
|
|
|
+ - Allow directory authorities to fetch more data from one another if
|
|
|
+ they find themselves missing lots of votes. Previously, they had
|
|
|
+ been bumping against the 10 MB queued data limit. Fixes bug 14261;
|
|
|
+ bugfix on 0.1.2.5-alpha.
|
|
|
+ - Do not attempt to download extrainfo documents which we will be
|
|
|
+ unable to validate with a matching server descriptor. Fixes bug
|
|
|
+ 13762; bugfix on 0.2.0.1-alpha.
|
|
|
+ - Fix a bug that was truncating AUTHDIR_NEWDESC events sent to the
|
|
|
+ control port. Fixes bug 14953; bugfix on 0.2.0.1-alpha.
|
|
|
+ - Enlarge the buffer to read bwauth generated files to avoid an
|
|
|
+ issue when parsing the file in dirserv_read_measured_bandwidths().
|
|
|
+ Fixes bug 14125; bugfix on 0.2.2.1-alpha.
|
|
|
+ - When running as a v3 directory authority, advertise that you serve
|
|
|
+ extra-info documents so that clients who want them can find them
|
|
|
+ from you too. Fixes part of bug 11683; bugfix on 0.2.0.1-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (directory system):
|
|
|
+ - Always believe that v3 directory authorities serve extra-info
|
|
|
+ documents, whether they advertise "caches-extra-info" or not.
|
|
|
+ Fixes part of bug 11683; bugfix on 0.2.0.1-alpha.
|
|
|
+ - Check the BRIDGE_DIRINFO flag bitwise rather than using equality.
|
|
|
+ Previously, directories offering BRIDGE_DIRINFO and some other
|
|
|
+ flag (i.e. microdescriptors or extrainfo) would be ignored when
|
|
|
+ looking for bridges. Partially fixes bug 13163; bugfix
|
|
|
+ on 0.2.0.7-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (file handling):
|
|
|
+ - Stop failing when key files are zero-length. Instead, generate new
|
|
|
+ keys, and overwrite the empty key files. Fixes bug 13111; bugfix
|
|
|
+ on all versions of Tor. Patch by "teor".
|
|
|
+ - Stop generating a fresh .old RSA onion key file when the .old file
|
|
|
+ is missing. Fixes part of 13111; bugfix on 0.0.6rc1.
|
|
|
+ - Avoid overwriting .old key files with empty key files.
|
|
|
+ - Skip loading zero-length extrainfo store, router store, stats,
|
|
|
+ state, and key files.
|
|
|
+ - Avoid crashing when trying to reload a torrc specified as a
|
|
|
+ relative path with RunAsDaemon turned on. Fixes bug 13397; bugfix
|
|
|
+ on 0.2.3.11-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (hidden services):
|
|
|
+ - Close the introduction circuit when we have no more usable intro
|
|
|
+ points, instead of waiting for it to time out. This also ensures
|
|
|
+ that no follow-up HS descriptor fetch is triggered when the
|
|
|
+ circuit eventually times out. Fixes bug 14224; bugfix on 0.0.6.
|
|
|
+ - When fetching a hidden service descriptor for a down service that
|
|
|
+ was recently up, do not keep refetching until we try the same
|
|
|
+ replica twice in a row. Fixes bug 14219; bugfix on 0.2.0.10-alpha.
|
|
|
+ - Correctly send a controller event when we find that a rendezvous
|
|
|
+ circuit has finished. Fixes bug 13936; bugfix on 0.1.1.5-alpha.
|
|
|
+ - Pre-check directory permissions for new hidden-services to avoid
|
|
|
+ at least one case of "Bug: Acting on config options left us in a
|
|
|
+ broken state. Dying." Fixes bug 13942; bugfix on 0.0.6pre1.
|
|
|
+ - When fetching hidden service descriptors, we now check not only
|
|
|
+ for whether we got the hidden service we had in mind, but also
|
|
|
+ whether we got the particular descriptors we wanted. This prevents
|
|
|
+ a class of inefficient but annoying DoS attacks by hidden service
|
|
|
+ directories. Fixes bug 13214; bugfix on 0.2.1.6-alpha. Reported
|
|
|
+ by "special".
|
|
|
+
|
|
|
+ o Minor bugfixes (Linux seccomp2 sandbox):
|
|
|
+ - Make transparent proxy support work along with the seccomp2
|
|
|
+ sandbox. Fixes part of bug 13808; bugfix on 0.2.5.1-alpha. Patch
|
|
|
+ by Francisco Blas Izquierdo Riera.
|
|
|
+ - Fix a memory leak in tor-resolve when running with the sandbox
|
|
|
+ enabled. Fixes bug 14050; bugfix on 0.2.5.9-rc.
|
|
|
+ - Allow glibc fatal errors to be sent to stderr before Tor exits.
|
|
|
+ Previously, glibc would try to write them to /dev/tty, and the
|
|
|
+ sandbox would trap the call and make Tor exit prematurely. Fixes
|
|
|
+ bug 14759; bugfix on 0.2.5.1-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (logging):
|
|
|
+ - Avoid crashing when there are more log domains than entries in
|
|
|
+ domain_list. Bugfix on 0.2.3.1-alpha.
|
|
|
+ - Downgrade warnings about RSA signature failures to info log level.
|
|
|
+ Emit a warning when an extra info document is found incompatible
|
|
|
+ with a corresponding router descriptor. Fixes bug 9812; bugfix
|
|
|
+ on 0.0.6rc3.
|
|
|
+ - Make connection_ap_handshake_attach_circuit() log the circuit ID
|
|
|
+ correctly. Fixes bug 13701; bugfix on 0.0.6.
|
|
|
+
|
|
|
+ o Minor bugfixes (networking):
|
|
|
+ - Check for orconns and use connection_or_close_for_error() rather
|
|
|
+ than connection_mark_for_close() directly in the getsockopt()
|
|
|
+ failure case of connection_handle_write_impl(). Fixes bug 11302;
|
|
|
+ bugfix on 0.2.4.4-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (parsing):
|
|
|
+ - Stop accepting milliseconds (or other junk) at the end of
|
|
|
+ descriptor publication times. Fixes bug 9286; bugfix on 0.0.2pre25.
|
|
|
+ - Support two-number and three-number version numbers correctly, in
|
|
|
+ case we change the Tor versioning system in the future. Fixes bug
|
|
|
+ 13661; bugfix on 0.0.8pre1.
|
|
|
+
|
|
|
+ o Minor bugfixes (portability):
|
|
|
+ - Fix the ioctl()-based network interface lookup code so that it
|
|
|
+ will work on systems that have variable-length struct ifreq, for
|
|
|
+ example Mac OS X.
|
|
|
+ - Use the correct datatype in the SipHash-2-4 function to prevent
|
|
|
+ compilers from assuming any sort of alignment. Fixes bug 15436;
|
|
|
+ bugfix on 0.2.5.3-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (preventative security, C safety):
|
|
|
+ - When reading a hexadecimal, base-32, or base-64 encoded value from
|
|
|
+ a string, always overwrite the whole output buffer. This prevents
|
|
|
+ some bugs where we would look at (but fortunately, not reveal)
|
|
|
+ uninitialized memory on the stack. Fixes bug 14013; bugfix on all
|
|
|
+ versions of Tor.
|
|
|
+ - Clear all memory targetted by tor_addr_{to,from}_sockaddr(), not
|
|
|
+ just the part that's used. This makes it harder for data leak bugs
|
|
|
+ to occur in the event of other programming failures. Resolves
|
|
|
+ ticket 14041.
|
|
|
+
|
|
|
+ o Minor bugfixes (relay):
|
|
|
+ - When generating our family list, remove spaces from around the
|
|
|
+ entries. Fixes bug 12728; bugfix on 0.2.1.7-alpha.
|
|
|
+ - If our previous bandwidth estimate was 0 bytes, allow publishing a
|
|
|
+ new relay descriptor immediately. Fixes bug 13000; bugfix
|
|
|
+ on 0.1.1.6-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (shutdown):
|
|
|
+ - When shutting down, always call event_del() on lingering read or
|
|
|
+ write events before freeing them. Otherwise, we risk double-frees
|
|
|
+ or read-after-frees in event_base_free(). Fixes bug 12985; bugfix
|
|
|
+ on 0.1.0.2-rc.
|
|
|
+
|
|
|
+ o Minor bugfixes (small memory leaks):
|
|
|
+ - Avoid leaking memory when using IPv6 virtual address mappings.
|
|
|
+ Fixes bug 14123; bugfix on 0.2.4.7-alpha. Patch by Tom van
|
|
|
+ der Woerdt.
|
|
|
+
|
|
|
+ o Minor bugfixes (statistics):
|
|
|
+ - Increase period over which bandwidth observations are aggregated
|
|
|
+ from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1.
|
|
|
+
|
|
|
+ o Minor bugfixes (systemd support):
|
|
|
+ - Run correctly under systemd with the RunAsDaemon option set. Fixes
|
|
|
+ part of bug 14141; bugfix on 0.2.5.7-rc. Patch from Tomasz Torcz.
|
|
|
+ - Inform the systemd supervisor about more changes in the Tor
|
|
|
+ process status. Implements part of ticket 14141. Patch from
|
|
|
+ Tomasz Torcz.
|
|
|
+
|
|
|
+ o Minor bugfixes (testing networks):
|
|
|
+ - Fix TestingDirAuthVoteGuard to properly give out Guard flags in a
|
|
|
+ testing network. Fixes bug 13064; bugfix on 0.2.5.2-alpha.
|
|
|
+ - Stop using the default authorities in networks which provide both
|
|
|
+ AlternateDirAuthority and AlternateBridgeAuthority. Partially
|
|
|
+ fixes bug 13163; bugfix on 0.2.0.13-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (testing networks, fast startup):
|
|
|
+ - Allow Tor to build circuits using a consensus with no exits. If
|
|
|
+ the consensus has no exits (typical of a bootstrapping test
|
|
|
+ network), allow Tor to build circuits once enough descriptors have
|
|
|
+ been downloaded. This assists in bootstrapping a testing Tor
|
|
|
+ network. Fixes bug 13718; bugfix on 0.2.4.10-alpha. Patch
|
|
|
+ by "teor".
|
|
|
+ - When V3AuthVotingInterval is low, give a lower If-Modified-Since
|
|
|
+ header to directory servers. This allows us to obtain consensuses
|
|
|
+ promptly when the consensus interval is very short. This assists
|
|
|
+ in bootstrapping a testing Tor network. Fixes parts of bugs 13718
|
|
|
+ and 13963; bugfix on 0.2.0.3-alpha. Patch by "teor".
|
|
|
+ - Stop assuming that private addresses are local when checking
|
|
|
+ reachability in a TestingTorNetwork. Instead, when testing, assume
|
|
|
+ all OR connections are remote. (This is necessary due to many test
|
|
|
+ scenarios running all relays on localhost.) This assists in
|
|
|
+ bootstrapping a testing Tor network. Fixes bug 13924; bugfix on
|
|
|
+ 0.1.0.1-rc. Patch by "teor".
|
|
|
+ - Avoid building exit circuits from a consensus with no exits. Now
|
|
|
+ thanks to our fix for 13718, we accept a no-exit network as not
|
|
|
+ wholly lost, but we need to remember not to try to build exit
|
|
|
+ circuits on it. Closes ticket 13814; patch by "teor".
|
|
|
+ - Stop requiring exits to have non-zero bandwithcapacity in a
|
|
|
+ TestingTorNetwork. Instead, when TestingMinExitFlagThreshold is 0,
|
|
|
+ ignore exit bandwidthcapacity. This assists in bootstrapping a
|
|
|
+ testing Tor network. Fixes parts of bugs 13718 and 13839; bugfix
|
|
|
+ on 0.2.0.3-alpha. Patch by "teor".
|
|
|
+ - Add "internal" to some bootstrap statuses when no exits are
|
|
|
+ available. If the consensus does not contain Exits, Tor will only
|
|
|
+ build internal circuits. In this case, relevant statuses will
|
|
|
+ contain the word "internal" as indicated in the Tor control-
|
|
|
+ spec.txt. When bootstrap completes, Tor will be ready to build
|
|
|
+ internal circuits. If a future consensus contains Exits, exit
|
|
|
+ circuits may become available. Fixes part of bug 13718; bugfix on
|
|
|
+ 0.2.4.10-alpha. Patch by "teor".
|
|
|
+ - Decrease minimum consensus interval to 10 seconds when
|
|
|
+ TestingTorNetwork is set, or 5 seconds for the first consensus.
|
|
|
+ Fix assumptions throughout the code that assume larger intervals.
|
|
|
+ Fixes bugs 13718 and 13823; bugfix on 0.2.0.3-alpha. Patch
|
|
|
+ by "teor".
|
|
|
+ - Avoid excluding guards from path building in minimal test
|
|
|
+ networks, when we're in a test network and excluding guards would
|
|
|
+ exclude all relays. This typically occurs in incredibly small tor
|
|
|
+ networks, and those using "TestingAuthVoteGuard *". Fixes part of
|
|
|
+ bug 13718; bugfix on 0.1.1.11-alpha. Patch by "teor".
|
|
|
+
|
|
|
+ o Minor bugfixes (testing):
|
|
|
+ - Avoid a side-effect in a tor_assert() in the unit tests. Fixes bug
|
|
|
+ 15188; bugfix on 0.1.2.3-alpha. Patch from Tom van der Woerdt.
|
|
|
+ - Stop spawn test failures due to a race condition between the
|
|
|
+ SIGCHLD handler updating the process status, and the test reading
|
|
|
+ it. Fixes bug 13291; bugfix on 0.2.3.3-alpha.
|
|
|
+ - Avoid passing an extra backslash when creating a temporary
|
|
|
+ directory for running the unit tests on Windows. Fixes bug 12392;
|
|
|
+ bugfix on 0.2.2.25-alpha. Patch from Gisle Vanem.
|
|
|
+
|
|
|
+ o Minor bugfixes (TLS):
|
|
|
+ - Check more thoroughly throughout the TLS code for possible
|
|
|
+ unlogged TLS errors. Possible diagnostic or fix for bug 13319.
|
|
|
+
|
|
|
+ o Minor bugfixes (transparent proxy):
|
|
|
+ - Use getsockname, not getsockopt, to retrieve the address for a
|
|
|
+ TPROXY-redirected connection. Fixes bug 13796; bugfix
|
|
|
+ on 0.2.5.2-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (windows):
|
|
|
+ - Remove code to special-case handling of NTE_BAD_KEYSET when
|
|
|
+ acquiring windows CryptoAPI context. This error can't actually
|
|
|
+ occur for the parameters we're providing. Fixes bug 10816; bugfix
|
|
|
+ on 0.0.2pre26.
|
|
|
+
|
|
|
+ o Minor bugfixes (zlib):
|
|
|
+ - Avoid truncating a zlib stream when trying to finalize it with an
|
|
|
+ empty output buffer. Fixes bug 11824; bugfix on 0.1.1.23.
|
|
|
+
|
|
|
+ o Code simplification and refactoring:
|
|
|
+ - Change the entry_is_live() function to take named bitfield
|
|
|
+ elements instead of an unnamed list of booleans. Closes
|
|
|
+ ticket 12202.
|
|
|
+ - Refactor and unit-test entry_is_time_to_retry() in entrynodes.c.
|
|
|
+ Resolves ticket 12205.
|
|
|
+ - Use calloc and reallocarray functions instead of multiply-
|
|
|
+ then-malloc. This makes it less likely for us to fall victim to an
|
|
|
+ integer overflow attack when allocating. Resolves ticket 12855.
|
|
|
+ - Use the standard macro name SIZE_MAX, instead of our
|
|
|
+ own SIZE_T_MAX.
|
|
|
+ - Document usage of the NO_DIRINFO and ALL_DIRINFO flags clearly in
|
|
|
+ functions which take them as arguments. Replace 0 with NO_DIRINFO
|
|
|
+ in a function call for clarity. Seeks to prevent future issues
|
|
|
+ like 13163.
|
|
|
+ - Avoid 4 null pointer errors under clang static analysis by using
|
|
|
+ tor_assert() to prove that the pointers aren't null. Fixes
|
|
|
+ bug 13284.
|
|
|
+ - Rework the API of policies_parse_exit_policy() to use a bitmask to
|
|
|
+ represent parsing options, instead of a confusing mess of
|
|
|
+ booleans. Resolves ticket 8197.
|
|
|
+ - Introduce a helper function to parse ExitPolicy in
|
|
|
+ or_options_t structure.
|
|
|
+ - Move fields related to isolating and configuring client ports into
|
|
|
+ a shared structure. Previously, they were duplicated across
|
|
|
+ port_cfg_t, listener_connection_t, and edge_connection_t. Failure
|
|
|
+ to copy them correctly had been the cause of at least one bug in
|
|
|
+ the past. Closes ticket 8546.
|
|
|
+ - Refactor the get_interface_addresses_raw() doom-function into
|
|
|
+ multiple smaller and simpler subfunctions. Cover the resulting
|
|
|
+ subfunctions with unit-tests. Fixes a significant portion of
|
|
|
+ issue 12376.
|
|
|
+ - Remove workaround in dirserv_thinks_router_is_hs_dir() that was
|
|
|
+ only for version <= 0.2.2.24 which is now deprecated. Closes
|
|
|
+ ticket 14202.
|
|
|
+ - Remove a test for a long-defunct broken version-one
|
|
|
+ directory server.
|
|
|
+ - Refactor main loop to extract the 'loop' part. This makes it
|
|
|
+ easier to run Tor under Shadow. Closes ticket 15176.
|
|
|
+ - Stop using can_complete_circuits as a global variable; access it
|
|
|
+ with a function instead.
|
|
|
+ - Avoid using operators directly as macro arguments: this lets us
|
|
|
+ apply coccinelle transformations to our codebase more directly.
|
|
|
+ Closes ticket 13172.
|
|
|
+ - Combine the functions used to parse ClientTransportPlugin and
|
|
|
+ ServerTransportPlugin into a single function. Closes ticket 6456.
|
|
|
+ - Add inline functions and convenience macros for inspecting channel
|
|
|
+ state. Refactor the code to use convenience macros instead of
|
|
|
+ checking channel state directly. Fixes issue 7356.
|
|
|
+ - Document all members of was_router_added_t and rename
|
|
|
+ ROUTER_WAS_NOT_NEW to ROUTER_IS_ALREADY_KNOWN to make it less
|
|
|
+ confusable with ROUTER_WAS_TOO_OLD. Fixes issue 13644.
|
|
|
+ - In connection_exit_begin_conn(), use END_CIRC_REASON_TORPROTOCOL
|
|
|
+ constant instead of hardcoded value. Fixes issue 13840.
|
|
|
+ - Refactor our generic strmap and digestmap types into a single
|
|
|
+ implementation, so that we can add a new digest256map
|
|
|
+ type trivially.
|
|
|
+ - Add a doc/TUNING document with tips for handling large numbers of
|
|
|
+ TCP connections when running busy Tor relay. Update the warning
|
|
|
+ message to point to this file when running out of sockets
|
|
|
+ operating system is allowing to use simultaneously. Resolves
|
|
|
+ ticket 9708.
|
|
|
+ - Adding section on OpenBSD to our TUNING document. Thanks to mmcc
|
|
|
+ for writing the OpenBSD-specific tips. Resolves ticket 13702.
|
|
|
+ - Make the tor-resolve documentation match its help string and its
|
|
|
+ options. Resolves part of ticket 14325.
|
|
|
+ - Log a more useful error message from tor-resolve when failing to
|
|
|
+ look up a hidden service address. Resolves part of ticket 14325.
|
|
|
+ - Document the bridge-authority-only 'networkstatus-bridges' file.
|
|
|
+ Closes ticket 13713; patch from "tom".
|
|
|
+ - Fix typo in PredictedPortsRelevanceTime option description in
|
|
|
+ manpage. Resolves issue 13707.
|
|
|
+ - Stop suggesting that users specify relays by nickname: it isn't a
|
|
|
+ good idea. Also, properly cross-reference how to specify relays in
|
|
|
+ all parts of manual documenting options that take a list of
|
|
|
+ relays. Closes ticket 13381.
|
|
|
+ - Clarify the HiddenServiceDir option description in manpage to make
|
|
|
+ it clear that relative paths are taken with respect to the current
|
|
|
+ working directory. Also clarify that this behavior is not
|
|
|
+ guaranteed to remain indefinitely. Fixes issue 13913.
|
|
|
+
|
|
|
+ o Distribution (systemd):
|
|
|
+ - systemd unit file: only allow tor to write to /var/lib/tor and
|
|
|
+ /var/log/tor. The rest of the filesystem is accessible for reading
|
|
|
+ only. Patch by intrigeri; resolves ticket 12751.
|
|
|
+ - systemd unit file: ensure that the process and all its children
|
|
|
+ can never gain new privileges. Patch by intrigeri; resolves
|
|
|
+ ticket 12939.
|
|
|
+ - systemd unit file: set up /var/run/tor as writable for the Tor
|
|
|
+ service. Patch by intrigeri; resolves ticket 13196.
|
|
|
+
|
|
|
+ o Downgraded warnings:
|
|
|
+ - Don't warn when we've attempted to contact a relay using the wrong
|
|
|
+ ntor onion key. Closes ticket 9635.
|
|
|
+
|
|
|
+ o Removed code:
|
|
|
+ - Remove some lingering dead code that once supported mempools.
|
|
|
+ Mempools were disabled by default in 0.2.5, and removed entirely
|
|
|
+ in 0.2.6.3-alpha. Closes more of ticket 14848; patch
|
|
|
+ by "cypherpunks".
|
|
|
+
|
|
|
+ o Removed features (directory authorities):
|
|
|
+ - Remove code that prevented authorities from listing Tor relays
|
|
|
+ affected by CVE-2011-2769 as guards. These relays are already
|
|
|
+ rejected altogether due to the minimum version requirement of
|
|
|
+ 0.2.3.16-alpha. Closes ticket 13152.
|
|
|
+ - The "AuthDirRejectUnlisted" option no longer has any effect, as
|
|
|
+ the fingerprints file (approved-routers) has been deprecated.
|
|
|
+ - Directory authorities do not support being Naming dirauths anymore.
|
|
|
+ The "NamingAuthoritativeDir" config option is now obsolete.
|
|
|
+ - Directory authorities do not support giving out the BadDirectory
|
|
|
+ flag anymore.
|
|
|
+ - Directory authorities no longer advertise or support consensus
|
|
|
+ methods 1 through 12 inclusive. These consensus methods were
|
|
|
+ obsolete and/or insecure: maintaining the ability to support them
|
|
|
+ served no good purpose. Implements part of proposal 215; closes
|
|
|
+ ticket 10163.
|
|
|
+
|
|
|
+ o Removed features:
|
|
|
+ - To avoid confusion with the "ExitRelay" option, "ExitNode" is no
|
|
|
+ longer silently accepted as an alias for "ExitNodes".
|
|
|
+ - The --enable-mempool and --enable-buf-freelists options, which
|
|
|
+ were originally created to work around bad malloc implementations,
|
|
|
+ no longer exist. They were off-by-default in 0.2.5. Closes
|
|
|
+ ticket 14848.
|
|
|
+ - We no longer remind the user about configuration options that have
|
|
|
+ been obsolete since 0.2.3.x or earlier. Patch by Adrien Bak.
|
|
|
+ - Remove our old, non-weighted bandwidth-based node selection code.
|
|
|
+ Previously, we used it as a fallback when we couldn't perform
|
|
|
+ weighted bandwidth-based node selection. But that would only
|
|
|
+ happen in the cases where we had no consensus, or when we had a
|
|
|
+ consensus generated by buggy or ancient directory authorities. In
|
|
|
+ either case, it's better to use the more modern, better maintained
|
|
|
+ algorithm, with reasonable defaults for the weights. Closes
|
|
|
+ ticket 13126.
|
|
|
+ - Remove the --disable-curve25519 configure option. Relays and
|
|
|
+ clients now are required to support curve25519 and the
|
|
|
+ ntor handshake.
|
|
|
+ - The old "StrictEntryNodes" and "StrictExitNodes" options, which
|
|
|
+ used to be deprecated synonyms for "StrictNodes", are now marked
|
|
|
+ obsolete. Resolves ticket 12226.
|
|
|
+ - Clients don't understand the BadDirectory flag in the consensus
|
|
|
+ anymore, and ignore it.
|
|
|
+
|
|
|
+ o Removed platform support:
|
|
|
+ - We no longer include special code to build on Windows CE; as far
|
|
|
+ as we know, nobody has used Tor on Windows CE in a very long time.
|
|
|
+ Closes ticket 11446.
|
|
|
+
|
|
|
+ o Testing (test-network.sh):
|
|
|
+ - Stop using "echo -n", as some shells' built-in echo doesn't
|
|
|
+ support "-n". Instead, use "/bin/echo -n". Partially fixes
|
|
|
+ bug 13161.
|
|
|
+ - Stop an apparent test-network hang when used with make -j2. Fixes
|
|
|
+ bug 13331.
|
|
|
+ - Add a --delay option to test-network.sh, which configures the
|
|
|
+ delay before the chutney network tests for data transmission.
|
|
|
+ Partially implements ticket 13161.
|
|
|
+
|
|
|
+ o Testing:
|
|
|
+ - Test that tor does not fail when key files are zero-length. Check
|
|
|
+ that tor generates new keys, and overwrites the empty key files.
|
|
|
+ - Test that tor generates new keys when keys are missing
|
|
|
+ (existing behavior).
|
|
|
+ - Test that tor does not overwrite key files that already contain
|
|
|
+ data (existing behavior). Tests bug 13111. Patch by "teor".
|
|
|
+ - New "make test-stem" target to run stem integration tests.
|
|
|
+ Requires that the "STEM_SOURCE_DIR" environment variable be set.
|
|
|
+ Closes ticket 14107.
|
|
|
+ - Make the test_cmdline_args.py script work correctly on Windows.
|
|
|
+ Patch from Gisle Vanem.
|
|
|
+ - Move the slower unit tests into a new "./src/test/test-slow"
|
|
|
+ binary that can be run independently of the other tests. Closes
|
|
|
+ ticket 13243.
|
|
|
+ - New tests for many parts of channel, relay, and circuitmux
|
|
|
+ functionality. Code by Andrea; part of 9262.
|
|
|
+ - New tests for parse_transport_line(). Part of ticket 6456.
|
|
|
+ - In the unit tests, use chgrp() to change the group of the unit
|
|
|
+ test temporary directory to the current user, so that the sticky
|
|
|
+ bit doesn't interfere with tests that check directory groups.
|
|
|
+ Closes 13678.
|
|
|
+ - Add unit tests for resolve_my_addr(). Part of ticket 12376; patch
|
|
|
+ by 'rl1987'.
|
|
|
+ - Refactor the function that chooses guard nodes so that it can more
|
|
|
+ easily be tested; write some tests for it.
|
|
|
+ - Fix and re-enable the fgets_eagain unit test. Fixes bug 12503;
|
|
|
+ bugfix on 0.2.3.1-alpha. Patch from "cypherpunks."
|
|
|
+ - Create unit tests for format_time_interval(). With bug 13393.
|
|
|
+ - Add unit tests for tor_timegm signed overflow, tor_timegm and
|
|
|
+ parse_rfc1123_time validity checks, correct_tm year clamping. Unit
|
|
|
+ tests (visible) fixes in bug 13476.
|
|
|
+ - Add a "coverage-html" make target to generate HTML-visualized
|
|
|
+ coverage results when building with --enable-coverage. (Requires
|
|
|
+ lcov.) Patch from Kevin Murray.
|
|
|
+ - Enable the backtrace handler (where supported) when running the
|
|
|
+ unit tests.
|
|
|
+ - Revise all unit tests that used the legacy test_* macros to
|
|
|
+ instead use the recommended tt_* macros. This patch was generated
|
|
|
+ with coccinelle, to avoid manual errors. Closes ticket 13119.
|
|
|
+
|
|
|
Changes in version 0.2.5.11 - 2015-03-17
|
|
|
Tor 0.2.5.11 is the second stable release in the 0.2.5 series.
|
|
|
|
Nick Mathewson