|
@@ -1,16 +1,12 @@
|
|
|
Changes in version 0.2.8.1-alpha - 2016-02-0?
|
|
|
XXXX Blurb goes here XXXX
|
|
|
|
|
|
- o Removed features:
|
|
|
- - Remove client-side support for connecting to Tor servers running
|
|
|
- versions of Tor before 0.2.3.6-alpha. These servers didn't support
|
|
|
- the v3 TLS handshake protocol, and are no longer allowed on the
|
|
|
- Tor network. Implements the client side of ticket 11150. Based on
|
|
|
- patches by Tom van der Woerdt.
|
|
|
-
|
|
|
- o Major key updates:
|
|
|
- - Update the V3 identity key for dannenberg: it was changed on 18
|
|
|
- November 2015. Closes task 17906. Patch by "teor".
|
|
|
+ o Major features (security, Linux):
|
|
|
+ - When Tor is started as root on Linux and told to switch user ID,
|
|
|
+ it can now retain the capabilitity to bind to low ports. By
|
|
|
+ default, Tor will do this only when it's switching user ID and
|
|
|
+ some low ports have been configured. You can change this behavior
|
|
|
+ with the new option KeepBindCapabilities. Closes ticket 8195.
|
|
|
|
|
|
o Major features (consensus downloads):
|
|
|
- Schedule multiple in-progress consensus downloads during client
|
|
@@ -29,24 +25,29 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
|
|
|
"teor". OnionOO script by "weasel", "teor", "gsathya",
|
|
|
and "karsten".
|
|
|
|
|
|
- o Major features (security, Linux):
|
|
|
- - When Tor is started as root on Linux and told to switch user ID,
|
|
|
- it can now retain the capabilitity to bind to low ports. By
|
|
|
- default, Tor will do this only when it's switching user ID and
|
|
|
- some low ports have been configured. You can change this behavior
|
|
|
- with the new option KeepBindCapabilities. Closes ticket 8195.
|
|
|
+ o Major features (directory system):
|
|
|
+ - Previously only relays who explicitly opened a directory port
|
|
|
+ (DirPort) accepted directory requests from clients. Now all
|
|
|
+ relays, with and without a DirPort, who do not disable the
|
|
|
+ DirCache option accept and serve directory requests sent
|
|
|
+ (tunnelled) through their ORPort. Closes ticket 12538.
|
|
|
|
|
|
- o Minor features (security, RNG):
|
|
|
- - Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely,
|
|
|
- positively are not allowed to fail. Previously we depended on
|
|
|
- internals about OpenSSL behavior. Closes ticket 17686.
|
|
|
- - Never use the system entropy output directly for anything besides
|
|
|
- seeding the PRNG. When we want to generate important keys, instead
|
|
|
- of using system entropy directly, hash it with the PRNG stream.
|
|
|
- This may help resist certain attacks based on broken OS entropy
|
|
|
- implementations. Closes part of ticket 17694.
|
|
|
- - Use modern system calls to generate strong entropy on platforms
|
|
|
- that provide them. Closes ticket 13696.
|
|
|
+ o Major key updates:
|
|
|
+ - Update the V3 identity key for dannenberg: it was changed on 18
|
|
|
+ November 2015. Closes task 17906. Patch by "teor".
|
|
|
+
|
|
|
+ o Minor features (security, clock):
|
|
|
+ - Warn when the system clock is set back in time (when the state
|
|
|
+ file was last written in the future). Tor doesn't know that
|
|
|
+ consensuses have expired if the clock is in the past. Patch by
|
|
|
+ "teor". Implements ticket 17188.
|
|
|
+
|
|
|
+ o Minor features (security, exit policies):
|
|
|
+ - ExitPolicyRejectPrivate rejects more private addresses by default.
|
|
|
+ Specifically, it rejects the relay's outbound bind addresses (if
|
|
|
+ configured), and the relay's configured port addresses (such as
|
|
|
+ ORPort and DirPort). Fixes bug 17027; bugfix on 0.2.0.11-alpha.
|
|
|
+ Patch by "teor".
|
|
|
|
|
|
o Minor features (security, memory erasure):
|
|
|
- Set unused entires in a smartlist to NULL. This helped catch
|
|
@@ -62,11 +63,38 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
|
|
|
bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk", patch
|
|
|
by "teor".
|
|
|
|
|
|
- o Minor features (security, clock):
|
|
|
- - Warn when the system clock is set back in time (when the state
|
|
|
- file was last written in the future). Tor doesn't know that
|
|
|
- consensuses have expired if the clock is in the past. Patch by
|
|
|
- "teor". Implements ticket 17188.
|
|
|
+ o Minor features (security, RNG):
|
|
|
+ - Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely,
|
|
|
+ positively are not allowed to fail. Previously we depended on
|
|
|
+ internals about OpenSSL behavior. Closes ticket 17686.
|
|
|
+ - Never use the system entropy output directly for anything besides
|
|
|
+ seeding the PRNG. When we want to generate important keys, instead
|
|
|
+ of using system entropy directly, hash it with the PRNG stream.
|
|
|
+ This may help resist certain attacks based on broken OS entropy
|
|
|
+ implementations. Closes part of ticket 17694.
|
|
|
+ - Use modern system calls to generate strong entropy on platforms
|
|
|
+ that provide them. Closes ticket 13696.
|
|
|
+
|
|
|
+ o Minor features (accounting):
|
|
|
+ - Added two modes to AccountingRule in torrc for limiting just input
|
|
|
+ or just output. Closes ticket 15989; patch from "unixninja92".
|
|
|
+
|
|
|
+ o Minor features (build):
|
|
|
+ - Since our build process now uses 'make distcheck', we no longer
|
|
|
+ force "make dist" to depend on "make check". Closes ticket 17893;
|
|
|
+ patch from "cypherpunks."
|
|
|
+ - Repair some compilation issues with some recent (unreleased,
|
|
|
+ alpha) vesions of OpenSSL 1.1. Closes ticket 17549.
|
|
|
+
|
|
|
+ o Minor features (controller):
|
|
|
+ - Adds FallbackDir entries to 'GETINFO config/defaults'. Closes
|
|
|
+ tickets 16774 and 17817. Patch by George Tankersley.
|
|
|
+ - New "GETINFO hs/service/desc/id/" command to retrieve a hidden
|
|
|
+ service descriptor from a service's local hidden service
|
|
|
+ descriptor cache. Closes ticket 14846.
|
|
|
+ - Add controller getinfo exit-policy/reject-private/[default,relay]
|
|
|
+ for the reject rules added by ExitPolicyRejectPrivate. This makes
|
|
|
+ it easier for stem to display exit policies.
|
|
|
|
|
|
o Minor features (crypto):
|
|
|
- Add SHA512 support to crypto.c. Closes ticket 17663; patch from
|
|
@@ -86,6 +114,10 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
|
|
|
directory mirrors. Default is 1, set it to 0 to disable fallbacks.
|
|
|
Implements ticket 17576. Patch by "teor".
|
|
|
|
|
|
+ o Minor features (geoip):
|
|
|
+ - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
|
|
|
+ Country database.
|
|
|
+
|
|
|
o Minor features (IPv6):
|
|
|
- Add a flag ipv6=address:orport to the DirAuthority and FallbackDir
|
|
|
torrc options. Add hard-coded ipv6 addresses for directory
|
|
@@ -105,42 +137,10 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
|
|
|
|
|
|
o Minor features (logging):
|
|
|
- When logging to syslog, allow a tag to be added to the syslog
|
|
|
- identity (the string prepended to every log message).
|
|
|
- The tag can be configured with SyslogIdentityTag and
|
|
|
- defaults to none. Setting it to "foo" will cause logs to be tagged
|
|
|
- as "Tor-foo". Closes ticket 17194.
|
|
|
-
|
|
|
- o Minor features (accounting):
|
|
|
- - Added two modes to AccountingRule in torrc for limiting just input
|
|
|
- or just output. Closes ticket 15989; patch from "unixninja92".
|
|
|
-
|
|
|
- o Minor features (build):
|
|
|
- - Since our build process now uses 'make distcheck', we no longer
|
|
|
- force "make dist" to depend on "make check". Closes ticket 17893;
|
|
|
- patch from "cypherpunks."
|
|
|
- - Repair some compilation issues with some recent (unreleased,
|
|
|
- alpha) vesions of OpenSSL 1.1. Closes ticket 17549.
|
|
|
-
|
|
|
- o Minor features (controller):
|
|
|
- - Adds FallbackDir entries to 'GETINFO config/defaults'. Closes
|
|
|
- tickets 16774 and 17817. Patch by George Tankersley.
|
|
|
- - New "GETINFO hs/service/desc/id/" command to retrieve a hidden
|
|
|
- service descriptor from a service's local hidden service
|
|
|
- descriptor cache. Closes ticket 14846.
|
|
|
- - Add controller getinfo exit-policy/reject-private/[default,relay]
|
|
|
- for the reject rules added by ExitPolicyRejectPrivate. This makes
|
|
|
- it easier for stem to display exit policies.
|
|
|
-
|
|
|
- o Major features (directory system):
|
|
|
- - Previously only relays who explicitly opened a directory port
|
|
|
- (DirPort) accepted directory requests from clients. Now all
|
|
|
- relays, with and without a DirPort, who do not disable the
|
|
|
- DirCache option accept and serve directory requests sent
|
|
|
- (tunnelled) through their ORPort. Closes ticket 12538.
|
|
|
-
|
|
|
- o Minor features (geoip):
|
|
|
- - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
|
|
|
- Country database.
|
|
|
+ identity (the string prepended to every log message). The tag can
|
|
|
+ be configured with SyslogIdentityTag and defaults to none. Setting
|
|
|
+ it to "foo" will cause logs to be tagged as "Tor-foo". Closes
|
|
|
+ ticket 17194.
|
|
|
|
|
|
o Minor features (portability):
|
|
|
- Use timingsafe_memcmp() where available. Closes ticket 17944;
|
|
@@ -162,6 +162,11 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
|
|
|
- The replay cache now uses SHA256 instead of SHA1. Implements
|
|
|
feature 8961. Patch by "teor", issue reported by "rransom".
|
|
|
|
|
|
+ o Minor features (SipHash-2-4 performance):
|
|
|
+ - Improve performance when hashing non-multiple of 8 sized buffers,
|
|
|
+ based on Andrew Moon's Public Domain SipHash-2-4 implementation.
|
|
|
+ Fixes bug 17544; bugfix on 0.2.5.3-alpha.
|
|
|
+
|
|
|
o Minor features (unix file permissions):
|
|
|
- Defer creation of Unix sockets until after setuid. This avoids
|
|
|
needing CAP_CHOWN and CAP_FOWNER when using systemd's
|
|
@@ -177,47 +182,6 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
|
|
|
DataDirectory will be made readable by the default GID. Implements
|
|
|
part of ticket 17562. Patch from Jamie Nguyen.
|
|
|
|
|
|
- o Minor features (security, exit policies):
|
|
|
- - ExitPolicyRejectPrivate rejects more private addresses by default.
|
|
|
- Specifically, it rejects the relay's outbound bind addresses (if
|
|
|
- configured), and the relay's configured port addresses (such as
|
|
|
- ORPort and DirPort). Fixes bug 17027; bugfix on 0.2.0.11-alpha.
|
|
|
- Patch by "teor".
|
|
|
-
|
|
|
- o Minor bugfixes (crypto):
|
|
|
- - Check the return value of HMAC() and assert on failure. Fixes bug
|
|
|
- 17658; bugfix on 0.2.3.6-alpha. Patch by "teor".
|
|
|
-
|
|
|
- o Minor bugfixes (fallback directories):
|
|
|
- - Mark fallbacks as "too busy" when they return a 503 response,
|
|
|
- rather than just marking authorities. Fixes bug 17572; bugfix on
|
|
|
- 0.2.4.7-alpha. Patch by "teor".
|
|
|
-
|
|
|
- o Minor bugfixes (relays, hidden services):
|
|
|
- - Refuse connection requests to private OR addresses unless
|
|
|
- ExtendAllowPrivateAddresses is set. Previously, tor would connect,
|
|
|
- then refuse to send any cells to a private address. Fixes bugs
|
|
|
- 17674 and 8976; bugfix on 0.2.3.21-rc. Patch by "teor".
|
|
|
-
|
|
|
- o Minor features (SipHash-2-4 performance):
|
|
|
- - Improve performance when hashing non-multiple of 8 sized buffers,
|
|
|
- based on Andrew Moon's Public Domain SipHash-2-4 implementation.
|
|
|
- Fixes bug 17544; bugfix on 0.2.5.3-alpha.
|
|
|
-
|
|
|
- o Minor bugfixes (testing):
|
|
|
- - The test for log_heartbeat was incorrectly failing in timezones
|
|
|
- with non-integer offsets. Instead of comparing the end of the time
|
|
|
- string against a constant, compare it to the output of
|
|
|
- format_local_iso_time when given the correct input. Fixes bug
|
|
|
- 18039; bugfix on 0.2.5.4-alpha.
|
|
|
- - Make unit tests pass on IPv6-only systems, and systems without
|
|
|
- localhost addresses (like some FreeBSD jails). Fixes bug 17632;
|
|
|
- bugfix on 0.2.7.3-rc. Patch by "teor".
|
|
|
- - Fix a memory leak in the ntor test. Fixes bug 17778; bugfix
|
|
|
- on 0.2.4.8-alpha.
|
|
|
- - Check the full results of SHA256 and SHA512 digests in the unit
|
|
|
- tests. Bugfix on 0.2.2.4-alpha. Patch by "teor".
|
|
|
-
|
|
|
o Minor bugfixes (accounting):
|
|
|
- The max bandwidth when using 'AccountRule sum' is now correctly
|
|
|
logged. Fixes bug 18024; bugfix on 0.2.6.1-alpha. Patch
|
|
@@ -254,6 +218,15 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
|
|
|
- Remove config.log only from make distclean, not from make clean.
|
|
|
Fixes bug 17924; bugfix on 0.2.4.1-alpha.
|
|
|
|
|
|
+ o Minor bugfixes (crypto):
|
|
|
+ - Check the return value of HMAC() and assert on failure. Fixes bug
|
|
|
+ 17658; bugfix on 0.2.3.6-alpha. Patch by "teor".
|
|
|
+
|
|
|
+ o Minor bugfixes (fallback directories):
|
|
|
+ - Mark fallbacks as "too busy" when they return a 503 response,
|
|
|
+ rather than just marking authorities. Fixes bug 17572; bugfix on
|
|
|
+ 0.2.4.7-alpha. Patch by "teor".
|
|
|
+
|
|
|
o Minor bugfixes (IPv6):
|
|
|
- Update the limits in max_dl_per_request for IPv6 address length.
|
|
|
Fixes bug 17573; bugfix on 0.2.1.5-alpha.
|
|
@@ -283,6 +256,12 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
|
|
|
longer than the ORPort reachability test. Fixes bug 18050; bugfix
|
|
|
on 0.1.0.1-rc. Reported by "starlight", patch by "teor".
|
|
|
|
|
|
+ o Minor bugfixes (relays, hidden services):
|
|
|
+ - Refuse connection requests to private OR addresses unless
|
|
|
+ ExtendAllowPrivateAddresses is set. Previously, tor would connect,
|
|
|
+ then refuse to send any cells to a private address. Fixes bugs
|
|
|
+ 17674 and 8976; bugfix on 0.2.3.21-rc. Patch by "teor".
|
|
|
+
|
|
|
o Minor bugfixes (safe logging):
|
|
|
- When logging a malformed hostname received through socks4, scrub
|
|
|
it if SafeLogging says we should. Fixes bug 17419; bugfix
|
|
@@ -298,6 +277,20 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
|
|
|
cases with maximal values. Fixes part of bug 13192; bugfix
|
|
|
on 0.2.6.2-alpha.
|
|
|
|
|
|
+ o Minor bugfixes (testing):
|
|
|
+ - The test for log_heartbeat was incorrectly failing in timezones
|
|
|
+ with non-integer offsets. Instead of comparing the end of the time
|
|
|
+ string against a constant, compare it to the output of
|
|
|
+ format_local_iso_time when given the correct input. Fixes bug
|
|
|
+ 18039; bugfix on 0.2.5.4-alpha.
|
|
|
+ - Make unit tests pass on IPv6-only systems, and systems without
|
|
|
+ localhost addresses (like some FreeBSD jails). Fixes bug 17632;
|
|
|
+ bugfix on 0.2.7.3-rc. Patch by "teor".
|
|
|
+ - Fix a memory leak in the ntor test. Fixes bug 17778; bugfix
|
|
|
+ on 0.2.4.8-alpha.
|
|
|
+ - Check the full results of SHA256 and SHA512 digests in the unit
|
|
|
+ tests. Bugfix on 0.2.2.4-alpha. Patch by "teor".
|
|
|
+
|
|
|
o Minor bugfixes (TLS context):
|
|
|
- Assert when the TLS contexts fail to initialize. Fixes bug 17683;
|
|
|
bugfix on 0.0.6.
|
|
@@ -337,6 +330,13 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
|
|
|
whenever we mention a document that belongs in torspce. Fixes
|
|
|
issue 17392.
|
|
|
|
|
|
+ o Removed features:
|
|
|
+ - Remove client-side support for connecting to Tor servers running
|
|
|
+ versions of Tor before 0.2.3.6-alpha. These servers didn't support
|
|
|
+ the v3 TLS handshake protocol, and are no longer allowed on the
|
|
|
+ Tor network. Implements the client side of ticket 11150. Based on
|
|
|
+ patches by Tom van der Woerdt.
|
|
|
+
|
|
|
o Testing:
|
|
|
- Add unit tests that check for common RNG failure modes, such as
|
|
|
returning all zeroes, identical values, or incrementing values
|
|
@@ -348,8 +348,9 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
|
|
|
- Cover dns_resolve_impl() in dns.c with unit tests. Implements a
|
|
|
portion of ticket 16831.
|
|
|
- More unit tests for compat_libevent.c, procmon.c, tortls.c,
|
|
|
- util_format.c, directory.c, and options_validate.c. Closes tickets 17075,
|
|
|
- 17082, 17084, 17003, and 17076 respectively. Patches from Ola Bini.
|
|
|
+ util_format.c, directory.c, and options_validate.c. Closes tickets
|
|
|
+ 17075, 17082, 17084, 17003, and 17076 respectively. Patches from
|
|
|
+ Ola Bini.
|
|
|
- Unit tests for directory_handle_command_get. Closes ticket 17004.
|
|
|
Patch from Reinaldo de Souza Jr.
|
|
|
|