|
|
@@ -2,6 +2,731 @@ This document summarizes new features and bugfixes in each stable release
|
|
|
of Tor. If you want to see more detailed descriptions of the changes in
|
|
|
each development snapshot, see the ChangeLog file.
|
|
|
|
|
|
+
|
|
|
+Changes in version 0.2.8.6 - 2016-08-02
|
|
|
+
|
|
|
+ Tor 0.2.8.6 is the first stable version of the Tor 0.2.8 series.
|
|
|
+
|
|
|
+ The Tor 0.2.8 series improves client bootstrapping performance,
|
|
|
+ completes the authority-side implementation of improved identity
|
|
|
+ keys for relays, and includes numerous bugfixes and performance
|
|
|
+ improvements throughout the program. This release continues to
|
|
|
+ improve the coverage of Tor's test suite. For a full list of
|
|
|
+ changes since Tor 0.2.7, see the ReleaseNotes file.
|
|
|
+
|
|
|
+ Below is a list of the changes since Tor 0.2.7.
|
|
|
+
|
|
|
+ o New system requirements:
|
|
|
+ - Tor no longer attempts to support platforms where the "time_t"
|
|
|
+ type is unsigned. (To the best of our knowledge, only OpenVMS does
|
|
|
+ this, and Tor has never actually built on OpenVMS.) Closes
|
|
|
+ ticket 18184.
|
|
|
+ - Tor no longer supports versions of OpenSSL with a broken
|
|
|
+ implementation of counter mode. (This bug was present in OpenSSL
|
|
|
+ 1.0.0, and was fixed in OpenSSL 1.0.0a.) Tor still detects, but no
|
|
|
+ longer runs with, these versions.
|
|
|
+ - Tor now uses Autoconf version 2.63 or later, and Automake 1.11 or
|
|
|
+ later (released in 2008 and 2009 respectively). If you are
|
|
|
+ building Tor from the git repository instead of from the source
|
|
|
+ distribution, and your tools are older than this, you will need to
|
|
|
+ upgrade. Closes ticket 17732.
|
|
|
+
|
|
|
+ o Directory authority changes:
|
|
|
+ - Update the V3 identity key for the dannenberg directory authority:
|
|
|
+ it was changed on 18 November 2015. Closes task 17906. Patch
|
|
|
+ by teor.
|
|
|
+ - Urras is no longer a directory authority. Closes ticket 19271.
|
|
|
+
|
|
|
+ o Major features (directory system):
|
|
|
+ - Include a trial list of default fallback directories, based on an
|
|
|
+ opt-in survey of suitable relays. Doing this should make clients
|
|
|
+ bootstrap more quickly and reliably, and reduce the load on the
|
|
|
+ directory authorities. Closes ticket 15775. Patch by teor.
|
|
|
+ Candidates identified using an OnionOO script by weasel, teor,
|
|
|
+ gsathya, and karsten.
|
|
|
+ - Previously only relays that explicitly opened a directory port
|
|
|
+ (DirPort) accepted directory requests from clients. Now all
|
|
|
+ relays, with and without a DirPort, accept and serve tunneled
|
|
|
+ directory requests that they receive through their ORPort. You can
|
|
|
+ disable this behavior using the new DirCache option. Closes
|
|
|
+ ticket 12538.
|
|
|
+ - When bootstrapping multiple consensus downloads at a time, use the
|
|
|
+ first one that starts downloading, and close the rest. This
|
|
|
+ reduces failures when authorities or fallback directories are slow
|
|
|
+ or down. Together with the code for feature 15775, this feature
|
|
|
+ should reduces failures due to fallback churn. Implements ticket
|
|
|
+ 4483. Patch by teor. Implements IPv4 portions of proposal 210 by
|
|
|
+ mikeperry and teor.
|
|
|
+
|
|
|
+ o Major features (security, Linux):
|
|
|
+ - When Tor starts as root on Linux and is told to switch user ID, it
|
|
|
+ can now retain the capability to bind to low ports. By default,
|
|
|
+ Tor will do this only when it's switching user ID and some low
|
|
|
+ ports have been configured. You can change this behavior with the
|
|
|
+ new option KeepBindCapabilities. Closes ticket 8195.
|
|
|
+
|
|
|
+ o Major bugfixes (client, bootstrapping):
|
|
|
+ - Check if bootstrap consensus downloads are still needed when the
|
|
|
+ linked connection attaches. This prevents tor making unnecessary
|
|
|
+ begindir-style connections, which are the only directory
|
|
|
+ connections tor clients make since the fix for 18483 was merged.
|
|
|
+ - Fix some edge cases where consensus download connections may not
|
|
|
+ have been closed, even though they were not needed. Related to fix
|
|
|
+ for 18809.
|
|
|
+ - Make relays retry consensus downloads the correct number of times,
|
|
|
+ rather than the more aggressive client retry count. Fixes part of
|
|
|
+ ticket 18809.
|
|
|
+
|
|
|
+ o Major bugfixes (dns proxy mode, crash):
|
|
|
+ - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
|
|
|
+ bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
|
|
|
+
|
|
|
+ o Major bugfixes (ed25519, voting):
|
|
|
+ - Actually enable support for authorities to match routers by their
|
|
|
+ Ed25519 identities. Previously, the code had been written, but
|
|
|
+ some debugging code that had accidentally been left in the
|
|
|
+ codebase made it stay turned off. Fixes bug 17702; bugfix
|
|
|
+ on 0.2.7.2-alpha.
|
|
|
+ - When collating votes by Ed25519 identities, authorities now
|
|
|
+ include a "NoEdConsensus" flag if the ed25519 value (or lack
|
|
|
+ thereof) for a server does not reflect the majority consensus.
|
|
|
+ Related to bug 17668; bugfix on 0.2.7.2-alpha.
|
|
|
+ - When generating a vote with keypinning disabled, never include two
|
|
|
+ entries for the same ed25519 identity. This bug was causing
|
|
|
+ authorities to generate votes that they could not parse when a
|
|
|
+ router violated key pinning by changing its RSA identity but
|
|
|
+ keeping its Ed25519 identity. Fixes bug 17668; fixes part of bug
|
|
|
+ 18318. Bugfix on 0.2.7.2-alpha.
|
|
|
+
|
|
|
+ o Major bugfixes (key management):
|
|
|
+ - If OpenSSL fails to generate an RSA key, do not retain a dangling
|
|
|
+ pointer to the previous (uninitialized) key value. The impact here
|
|
|
+ should be limited to a difficult-to-trigger crash, if OpenSSL is
|
|
|
+ running an engine that makes key generation failures possible, or
|
|
|
+ if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
|
|
|
+ 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
|
|
|
+ Baishakhi Ray.
|
|
|
+
|
|
|
+ o Major bugfixes (security, client, DNS proxy):
|
|
|
+ - Stop a crash that could occur when a client running with DNSPort
|
|
|
+ received a query with multiple address types, and the first
|
|
|
+ address type was not supported. Found and fixed by Scott Dial.
|
|
|
+ Fixes bug 18710; bugfix on 0.2.5.4-alpha.
|
|
|
+
|
|
|
+ o Major bugfixes (security, compilation):
|
|
|
+ - Correctly detect compiler flags on systems where _FORTIFY_SOURCE
|
|
|
+ is predefined. Previously, our use of -D_FORTIFY_SOURCE would
|
|
|
+ cause a compiler warning, thereby making other checks fail, and
|
|
|
+ needlessly disabling compiler-hardening support. Fixes one case of
|
|
|
+ bug 18841; bugfix on 0.2.3.17-beta. Patch from "trudokal".
|
|
|
+ - Repair hardened builds under the clang compiler. Previously, our
|
|
|
+ use of _FORTIFY_SOURCE would conflict with clang's address
|
|
|
+ sanitizer. Fixes bug 14821; bugfix on 0.2.5.4-alpha.
|
|
|
+
|
|
|
+ o Major bugfixes (security, pointers):
|
|
|
+ - Avoid a difficult-to-trigger heap corruption attack when extending
|
|
|
+ a smartlist to contain over 16GB of pointers. Fixes bug 18162;
|
|
|
+ bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
|
|
|
+ Reported by Guido Vranken.
|
|
|
+
|
|
|
+ o Major bugfixes (testing):
|
|
|
+ - Fix a bug that would block 'make test-network-all' on systems where
|
|
|
+ IPv6 packets were lost. Fixes bug 19008; bugfix on 0.2.7.3-rc.
|
|
|
+
|
|
|
+ o Major bugfixes (user interface):
|
|
|
+ - Correctly give a warning in the cases where a relay is specified
|
|
|
+ by nickname, and one such relay is found, but it is not officially
|
|
|
+ Named. Fixes bug 19203; bugfix on 0.2.3.1-alpha.
|
|
|
+
|
|
|
+ o Minor features (accounting):
|
|
|
+ - Added two modes to the AccountingRule option: One for limiting
|
|
|
+ only the number of bytes sent ("AccountingRule out"), and one for
|
|
|
+ limiting only the number of bytes received ("AccountingRule in").
|
|
|
+ Closes ticket 15989; patch from "unixninja92".
|
|
|
+
|
|
|
+ o Minor features (bug-resistance):
|
|
|
+ - Make Tor survive errors involving connections without a
|
|
|
+ corresponding event object. Previously we'd fail with an
|
|
|
+ assertion; now we produce a log message. Related to bug 16248.
|
|
|
+ - Use tor_snprintf() and tor_vsnprintf() even in external and low-
|
|
|
+ level code, to harden against accidental failures to NUL-
|
|
|
+ terminate. Part of ticket 17852. Patch from jsturgix. Found
|
|
|
+ with Flawfinder.
|
|
|
+
|
|
|
+ o Minor features (build):
|
|
|
+ - Detect systems with FreeBSD-derived kernels (such as GNU/kFreeBSD)
|
|
|
+ as having possible IPFW support. Closes ticket 18448. Patch from
|
|
|
+ Steven Chamberlain.
|
|
|
+ - Since our build process now uses "make distcheck", we no longer
|
|
|
+ force "make dist" to depend on "make check". Closes ticket 17893;
|
|
|
+ patch from "cypherpunks".
|
|
|
+ - Tor now builds once again with the recent OpenSSL 1.1 development
|
|
|
+ branch (tested against 1.1.0-pre5 and 1.1.0-pre6-dev). We have been
|
|
|
+ tracking OpenSSL 1.1 development as it has progressed, and fixing
|
|
|
+ numerous compatibility issues as they arose. See tickets
|
|
|
+ 17549, 17921, 17984, 19499, and 18286.
|
|
|
+ - When building manual pages, set the timezone to "UTC", so that the
|
|
|
+ output is reproducible. Fixes bug 19558; bugfix on 0.2.2.9-alpha.
|
|
|
+ Patch from intrigeri.
|
|
|
+
|
|
|
+ o Minor features (clients):
|
|
|
+ - Make clients, onion services, and bridge relays always use an
|
|
|
+ encrypted begindir connection for directory requests. Resolves
|
|
|
+ ticket 18483. Patch by teor.
|
|
|
+
|
|
|
+ o Minor features (controller):
|
|
|
+ - Add 'GETINFO exit-policy/reject-private/[default,relay]', so
|
|
|
+ controllers can examine the the reject rules added by
|
|
|
+ ExitPolicyRejectPrivate. This makes it easier for stem to display
|
|
|
+ exit policies.
|
|
|
+ - Adds the FallbackDir entries to 'GETINFO config/defaults'. Closes
|
|
|
+ tickets 16774 and 17817. Patch by George Tankersley.
|
|
|
+ - New 'GETINFO hs/service/desc/id/' command to retrieve a hidden
|
|
|
+ service descriptor from a service's local hidden service
|
|
|
+ descriptor cache. Closes ticket 14846.
|
|
|
+
|
|
|
+ o Minor features (crypto):
|
|
|
+ - Add SHA3 and SHAKE support to crypto.c. Closes ticket 17783.
|
|
|
+ - Add SHA512 support to crypto.c. Closes ticket 17663; patch from
|
|
|
+ George Tankersley.
|
|
|
+ - Improve performance when hashing non-multiple of 8 sized buffers,
|
|
|
+ based on Andrew Moon's public domain SipHash-2-4 implementation.
|
|
|
+ Fixes bug 17544; bugfix on 0.2.5.3-alpha.
|
|
|
+ - Validate the hard-coded Diffie-Hellman parameters and ensure that
|
|
|
+ p is a safe prime, and g is a suitable generator. Closes
|
|
|
+ ticket 18221.
|
|
|
+ - When allocating a digest state object, allocate no more space than
|
|
|
+ we actually need. Previously, we would allocate as much space as
|
|
|
+ the state for the largest algorithm would need. This change saves
|
|
|
+ up to 672 bytes per circuit. Closes ticket 17796.
|
|
|
+
|
|
|
+ o Minor features (directory downloads):
|
|
|
+ - Add UseDefaultFallbackDirs, which enables any hard-coded fallback
|
|
|
+ directory mirrors. The default is 1; set it to 0 to disable
|
|
|
+ fallbacks. Implements ticket 17576. Patch by teor.
|
|
|
+ - Wait for busy authorities and fallback directories to become non-
|
|
|
+ busy when bootstrapping. (A similar change was made in 6c443e987d
|
|
|
+ for directory caches chosen from the consensus.) Closes ticket
|
|
|
+ 17864; patch by teor.
|
|
|
+
|
|
|
+ o Minor features (geoip):
|
|
|
+ - Update geoip and geoip6 to the July 6 2016 Maxmind GeoLite2
|
|
|
+ Country database.
|
|
|
+
|
|
|
+ o Minor features (hidden service directory):
|
|
|
+ - Streamline relay-side hsdir handling: when relays consider whether
|
|
|
+ to accept an uploaded hidden service descriptor, they no longer
|
|
|
+ check whether they are one of the relays in the network that is
|
|
|
+ "supposed" to handle that descriptor. Implements ticket 18332.
|
|
|
+
|
|
|
+ o Minor features (IPv6):
|
|
|
+ - Add ClientPreferIPv6DirPort, which is set to 0 by default. If set
|
|
|
+ to 1, tor prefers IPv6 directory addresses.
|
|
|
+ - Add ClientUseIPv4, which is set to 1 by default. If set to 0, tor
|
|
|
+ avoids using IPv4 for client OR and directory connections.
|
|
|
+ - Add address policy assume_action support for IPv6 addresses.
|
|
|
+ - Add an argument 'ipv6=address:orport' to the DirAuthority and
|
|
|
+ FallbackDir torrc options, to specify an IPv6 address for an
|
|
|
+ authority or fallback directory. Add hard-coded ipv6 addresses for
|
|
|
+ directory authorities that have them. Closes ticket 17327; patch
|
|
|
+ from Nick Mathewson and teor.
|
|
|
+ - Allow users to configure directory authorities and fallback
|
|
|
+ directory servers with IPv6 addresses and ORPorts. Resolves
|
|
|
+ ticket 6027.
|
|
|
+ - Limit IPv6 mask bits to 128.
|
|
|
+ - Make tor_ersatz_socketpair work on IPv6-only systems. Fixes bug
|
|
|
+ 17638; bugfix on 0.0.2pre8. Patch by teor.
|
|
|
+ - Try harder to obey the IP version restrictions "ClientUseIPv4 0",
|
|
|
+ "ClientUseIPv6 0", "ClientPreferIPv6ORPort", and
|
|
|
+ "ClientPreferIPv6DirPort". Closes ticket 17840; patch by teor.
|
|
|
+ - Warn when comparing against an AF_UNSPEC address in a policy, it's
|
|
|
+ almost always a bug. Closes ticket 17863; patch by teor.
|
|
|
+ - routerset_parse now accepts IPv6 literal addresses. Fixes bug
|
|
|
+ 17060; bugfix on 0.2.1.3-alpha. Patch by teor.
|
|
|
+
|
|
|
+ o Minor features (Linux seccomp2 sandbox):
|
|
|
+ - Reject attempts to change our Address with "Sandbox 1" enabled.
|
|
|
+ Changing Address with Sandbox turned on would never actually work,
|
|
|
+ but previously it would fail in strange and confusing ways. Found
|
|
|
+ while fixing 18548.
|
|
|
+
|
|
|
+ o Minor features (logging):
|
|
|
+ - When logging to syslog, allow a tag to be added to the syslog
|
|
|
+ identity (the string prepended to every log message). The tag can
|
|
|
+ be configured with SyslogIdentityTag and defaults to none. Setting
|
|
|
+ it to "foo" will cause logs to be tagged as "Tor-foo". Closes
|
|
|
+ ticket 17194.
|
|
|
+
|
|
|
+ o Minor features (portability):
|
|
|
+ - Use timingsafe_memcmp() where available. Closes ticket 17944;
|
|
|
+ patch from <logan@hackers.mu>.
|
|
|
+
|
|
|
+ o Minor features (relay, address discovery):
|
|
|
+ - Add a family argument to get_interface_addresses_raw() and
|
|
|
+ subfunctions to make network interface address interogation more
|
|
|
+ efficient. Now Tor can specifically ask for IPv4, IPv6 or both
|
|
|
+ types of interfaces from the operating system. Resolves
|
|
|
+ ticket 17950.
|
|
|
+ - When get_interface_address6_list(.,AF_UNSPEC,.) is called and
|
|
|
+ fails to enumerate interface addresses using the platform-specific
|
|
|
+ API, have it rely on the UDP socket fallback technique to try and
|
|
|
+ find out what IP addresses (both IPv4 and IPv6) our machine has.
|
|
|
+ Resolves ticket 17951.
|
|
|
+
|
|
|
+ o Minor features (replay cache):
|
|
|
+ - The replay cache now uses SHA256 instead of SHA1. Implements
|
|
|
+ feature 8961. Patch by teor, issue reported by rransom.
|
|
|
+
|
|
|
+ o Minor features (robustness):
|
|
|
+ - Exit immediately with an error message if the code attempts to use
|
|
|
+ Libevent without having initialized it. This should resolve some
|
|
|
+ frequently-made mistakes in our unit tests. Closes ticket 18241.
|
|
|
+
|
|
|
+ o Minor features (security, clock):
|
|
|
+ - Warn when the system clock appears to move back in time (when the
|
|
|
+ state file was last written in the future). Tor doesn't know that
|
|
|
+ consensuses have expired if the clock is in the past. Patch by
|
|
|
+ teor. Implements ticket 17188.
|
|
|
+
|
|
|
+ o Minor features (security, exit policies):
|
|
|
+ - ExitPolicyRejectPrivate now rejects more private addresses by
|
|
|
+ default. Specifically, it now rejects the relay's outbound bind
|
|
|
+ addresses (if configured), and the relay's configured port
|
|
|
+ addresses (such as ORPort and DirPort). Fixes bug 17027; bugfix on
|
|
|
+ 0.2.0.11-alpha. Patch by teor.
|
|
|
+
|
|
|
+ o Minor features (security, memory erasure):
|
|
|
+ - Make memwipe() do nothing when passed a NULL pointer or buffer of
|
|
|
+ zero size. Check size argument to memwipe() for underflow. Fixes
|
|
|
+ bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
|
|
|
+ patch by teor.
|
|
|
+ - Set the unused entries in a smartlist to NULL. This helped catch
|
|
|
+ a (harmless) bug, and shouldn't affect performance too much.
|
|
|
+ Implements ticket 17026.
|
|
|
+ - Use SecureMemoryWipe() function to securely clean memory on
|
|
|
+ Windows. Previously we'd use OpenSSL's OPENSSL_cleanse() function.
|
|
|
+ Implements feature 17986.
|
|
|
+ - Use explicit_bzero or memset_s when present. Previously, we'd use
|
|
|
+ OpenSSL's OPENSSL_cleanse() function. Closes ticket 7419; patches
|
|
|
+ from <logan@hackers.mu> and <selven@hackers.mu>.
|
|
|
+
|
|
|
+ o Minor features (security, RNG):
|
|
|
+ - Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely,
|
|
|
+ positively are not allowed to fail. Previously we depended on
|
|
|
+ internal details of OpenSSL's behavior. Closes ticket 17686.
|
|
|
+ - Never use the system entropy output directly for anything besides
|
|
|
+ seeding the PRNG. When we want to generate important keys, instead
|
|
|
+ of using system entropy directly, we now hash it with the PRNG
|
|
|
+ stream. This may help resist certain attacks based on broken OS
|
|
|
+ entropy implementations. Closes part of ticket 17694.
|
|
|
+ - Use modern system calls (like getentropy() or getrandom()) to
|
|
|
+ generate strong entropy on platforms that have them. Closes
|
|
|
+ ticket 13696.
|
|
|
+
|
|
|
+ o Minor features (security, win32):
|
|
|
+ - Set SO_EXCLUSIVEADDRUSE on Win32 to avoid a local port-stealing
|
|
|
+ attack. Fixes bug 18123; bugfix on all tor versions. Patch
|
|
|
+ by teor.
|
|
|
+
|
|
|
+ o Minor features (unix domain sockets):
|
|
|
+ - Add a new per-socket option, RelaxDirModeCheck, to allow creating
|
|
|
+ Unix domain sockets without checking the permissions on the parent
|
|
|
+ directory. (Tor checks permissions by default because some
|
|
|
+ operating systems only check permissions on the parent directory.
|
|
|
+ However, some operating systems do look at permissions on the
|
|
|
+ socket, and tor's default check is unneeded.) Closes ticket 18458.
|
|
|
+ Patch by weasel.
|
|
|
+
|
|
|
+ o Minor features (unix file permissions):
|
|
|
+ - Defer creation of Unix sockets until after setuid. This avoids
|
|
|
+ needing CAP_CHOWN and CAP_FOWNER when using systemd's
|
|
|
+ CapabilityBoundingSet, or chown and fowner when using SELinux.
|
|
|
+ Implements part of ticket 17562. Patch from Jamie Nguyen.
|
|
|
+ - If any directory created by Tor is marked as group readable, the
|
|
|
+ filesystem group is allowed to be either the default GID or the
|
|
|
+ root user. Allowing root to read the DataDirectory prevents the
|
|
|
+ need for CAP_READ_SEARCH when using systemd's
|
|
|
+ CapabilityBoundingSet, or dac_read_search when using SELinux.
|
|
|
+ Implements part of ticket 17562. Patch from Jamie Nguyen.
|
|
|
+ - Introduce a new DataDirectoryGroupReadable option. If it is set to
|
|
|
+ 1, the DataDirectory will be made readable by the default GID.
|
|
|
+ Implements part of ticket 17562. Patch from Jamie Nguyen.
|
|
|
+
|
|
|
+ o Minor bugfixes (accounting):
|
|
|
+ - The max bandwidth when using 'AccountRule sum' is now correctly
|
|
|
+ logged. Fixes bug 18024; bugfix on 0.2.6.1-alpha. Patch
|
|
|
+ from "unixninja92".
|
|
|
+
|
|
|
+ o Minor bugfixes (assert, portability):
|
|
|
+ - Fix an assertion failure in memarea.c on systems where "long" is
|
|
|
+ shorter than the size of a pointer. Fixes bug 18716; bugfix
|
|
|
+ on 0.2.1.1-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (bootstrap):
|
|
|
+ - Consistently use the consensus download schedule for authority
|
|
|
+ certificates. Fixes bug 18816; bugfix on 0.2.4.13-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (build):
|
|
|
+ - Avoid spurious failures from configure files related to calling
|
|
|
+ exit(0) in TOR_SEARCH_LIBRARY. Fixes bug 18625; bugfix on
|
|
|
+ 0.2.0.1-alpha. Patch from "cypherpunks".
|
|
|
+ - Do not link the unit tests against both the testing and non-
|
|
|
+ testing versions of the static libraries. Fixes bug 18490; bugfix
|
|
|
+ on 0.2.7.1-alpha.
|
|
|
+ - Resolve warnings when building on systems that are concerned with
|
|
|
+ signed char. Fixes bug 18728; bugfix on 0.2.7.2-alpha
|
|
|
+ and 0.2.6.1-alpha.
|
|
|
+ - Silence spurious clang-scan warnings in the ed25519_donna code by
|
|
|
+ explicitly initializing some objects. Fixes bug 18384; bugfix on
|
|
|
+ 0.2.7.2-alpha. Patch by teor.
|
|
|
+ - When libscrypt.h is found, but no libscrypt library can be linked,
|
|
|
+ treat libscrypt as absent. Fixes bug 19161; bugfix
|
|
|
+ on 0.2.6.1-alpha.
|
|
|
+ - Cause the unit tests to compile correctly on mingw64 versions that
|
|
|
+ lack sscanf. Fixes bug 19213; bugfix on 0.2.7.1-alpha.
|
|
|
+ - Don't try to use the pthread_condattr_setclock() function unless
|
|
|
+ it actually exists. Fixes compilation on NetBSD-6.x. Fixes bug
|
|
|
+ 17819; bugfix on 0.2.6.3-alpha.
|
|
|
+ - Fix backtrace compilation on FreeBSD. Fixes bug 17827; bugfix
|
|
|
+ on 0.2.5.2-alpha.
|
|
|
+ - Fix search for libevent libraries on OpenBSD (and other systems
|
|
|
+ that install libevent 1 and libevent 2 in parallel). Fixes bug
|
|
|
+ 16651; bugfix on 0.1.0.7-rc. Patch from "rubiate".
|
|
|
+ - Isolate environment variables meant for tests from the rest of the
|
|
|
+ build system. Fixes bug 17818; bugfix on 0.2.7.3-rc.
|
|
|
+ - Mark all object files that include micro-revision.i as depending
|
|
|
+ on it, so as to make parallel builds more reliable. Fixes bug
|
|
|
+ 17826; bugfix on 0.2.5.1-alpha.
|
|
|
+ - Remove config.log only from make distclean, not from make clean.
|
|
|
+ Fixes bug 17924; bugfix on 0.2.4.1-alpha.
|
|
|
+ - Replace usage of 'INLINE' with 'inline'. Fixes bug 17804; bugfix
|
|
|
+ on 0.0.2pre8.
|
|
|
+ - Remove an #endif from configure.ac so that we correctly detect the
|
|
|
+ presence of in6_addr.s6_addr32. Fixes bug 17923; bugfix
|
|
|
+ on 0.2.0.13-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (client, bootstrap):
|
|
|
+ - Count receipt of new microdescriptors as progress towards
|
|
|
+ bootstrapping. Previously, with EntryNodes set, Tor might not
|
|
|
+ successfully repopulate the guard set on bootstrapping. Fixes bug
|
|
|
+ 16825; bugfix on 0.2.3.1-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (code correctness):
|
|
|
+ - Fix a bad memory handling bug that would occur if we had queued a
|
|
|
+ cell on a channel's incoming queue. Fortunately, we can't actually
|
|
|
+ queue a cell like that as our code is constructed today, but it's
|
|
|
+ best to avoid this kind of error, even if there isn't any code
|
|
|
+ that triggers it today. Fixes bug 18570; bugfix on 0.2.4.4-alpha.
|
|
|
+ - Assert that allocated memory held by the reputation code is freed
|
|
|
+ according to its internal counters. Fixes bug 17753; bugfix
|
|
|
+ on 0.1.1.1-alpha.
|
|
|
+ - Assert when the TLS contexts fail to initialize. Fixes bug 17683;
|
|
|
+ bugfix on 0.0.6.
|
|
|
+ - Update to the latest version of Trunnel, which tries harder to
|
|
|
+ avoid generating code that can invoke memcpy(p,NULL,0). Bug found
|
|
|
+ by clang address sanitizer. Fixes bug 18373; bugfix
|
|
|
+ on 0.2.7.2-alpha.
|
|
|
+ - When closing an entry connection, generate a warning if we should
|
|
|
+ have sent an end cell for it but we haven't. Fixes bug 17876;
|
|
|
+ bugfix on 0.2.3.2-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (configuration):
|
|
|
+ - Fix a tiny memory leak when parsing a port configuration ending in
|
|
|
+ ":auto". Fixes bug 18374; bugfix on 0.2.3.3-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (containers):
|
|
|
+ - If we somehow attempt to construct a heap with more than
|
|
|
+ 1073741822 elements, avoid an integer overflow when maintaining
|
|
|
+ the heap property. Fixes bug 18296; bugfix on 0.1.2.1-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (controller, microdescriptors):
|
|
|
+ - Make GETINFO dir/status-vote/current/consensus conform to the
|
|
|
+ control specification by returning "551 Could not open cached
|
|
|
+ consensus..." when not caching consensuses. Fixes bug 18920;
|
|
|
+ bugfix on 0.2.2.6-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (crypto):
|
|
|
+ - Check the return value of HMAC() and assert on failure. Fixes bug
|
|
|
+ 17658; bugfix on 0.2.3.6-alpha. Patch by teor.
|
|
|
+
|
|
|
+ o Minor bugfixes (directories):
|
|
|
+ - When fetching extrainfo documents, compare their SHA256 digests
|
|
|
+ and Ed25519 signing key certificates with the routerinfo that led
|
|
|
+ us to fetch them, rather than with the most recent routerinfo.
|
|
|
+ Otherwise we generate many spurious warnings about mismatches.
|
|
|
+ Fixes bug 17150; bugfix on 0.2.7.2-alpha.
|
|
|
+ - When generating a URL for a directory server on an IPv6 address,
|
|
|
+ wrap the IPv6 address in square brackets. Fixes bug 18051; bugfix
|
|
|
+ on 0.2.3.9-alpha. Patch from Malek.
|
|
|
+
|
|
|
+ o Minor bugfixes (downloading):
|
|
|
+ - Predict more correctly whether we'll be downloading over HTTP when
|
|
|
+ we determine the maximum length of a URL. This should avoid a
|
|
|
+ "BUG" warning about the Squid HTTP proxy and its URL limits. Fixes
|
|
|
+ bug 19191.
|
|
|
+
|
|
|
+ o Minor bugfixes (exit policies, security):
|
|
|
+ - Refresh an exit relay's exit policy when interface addresses
|
|
|
+ change. Previously, tor only refreshed the exit policy when the
|
|
|
+ configured external address changed. Fixes bug 18208; bugfix on
|
|
|
+ 0.2.7.3-rc. Patch by teor.
|
|
|
+
|
|
|
+ o Minor bugfixes (fallback directories):
|
|
|
+ - Mark fallbacks as "too busy" when they return a 503 response,
|
|
|
+ rather than just marking authorities. Fixes bug 17572; bugfix on
|
|
|
+ 0.2.4.7-alpha. Patch by teor.
|
|
|
+ - When requesting extrainfo descriptors from a trusted directory
|
|
|
+ server, check whether it is an authority or a fallback directory
|
|
|
+ which supports extrainfo descriptors. Fixes bug 18489; bugfix on
|
|
|
+ 0.2.4.7-alpha. Reported by atagar, patch by teor.
|
|
|
+
|
|
|
+ o Minor bugfixes (hidden service, client):
|
|
|
+ - Handle the case where the user makes several fast consecutive
|
|
|
+ requests to the same .onion address. Previously, the first six
|
|
|
+ requests would each trigger a descriptor fetch, each picking a
|
|
|
+ directory (there are 6 overall) and the seventh one would fail
|
|
|
+ because no directories were left, thereby triggering a close on
|
|
|
+ all current directory connections asking for the hidden service.
|
|
|
+ The solution here is to not close the connections if we have
|
|
|
+ pending directory fetches. Fixes bug 15937; bugfix
|
|
|
+ on 0.2.7.1-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (hidden service, control port):
|
|
|
+ - Add the onion address to the HS_DESC event for the UPLOADED action
|
|
|
+ both on success or failure. It was previously hardcoded with
|
|
|
+ UNKNOWN. Fixes bug 16023; bugfix on 0.2.7.2-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (hidden service, directory):
|
|
|
+ - Bridges now refuse "rendezvous2" (hidden service descriptor)
|
|
|
+ publish attempts. Suggested by ticket 18332.
|
|
|
+
|
|
|
+ o Minor bugfixes (IPv6):
|
|
|
+ - Update the limits in max_dl_per_request for IPv6 address length.
|
|
|
+ Fixes bug 17573; bugfix on 0.2.1.5-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (Linux seccomp2 sandbox):
|
|
|
+ - Allow more syscalls when running with "Sandbox 1" enabled:
|
|
|
+ sysinfo, getsockopt(SO_SNDBUF), and setsockopt(SO_SNDBUFFORCE). On
|
|
|
+ some systems, these are required for Tor to start. Fixes bug
|
|
|
+ 18397; bugfix on 0.2.5.1-alpha. Patch from Daniel Pinto.
|
|
|
+ - Allow IPPROTO_UDP datagram sockets when running with "Sandbox 1",
|
|
|
+ so that get_interface_address6_via_udp_socket_hack() can work.
|
|
|
+ Fixes bug 19660; bugfix on 0.2.5.1-alpha.
|
|
|
+ - Allow the setrlimit syscall, and the prlimit and prlimit64
|
|
|
+ syscalls, which some libc implementations use under the hood.
|
|
|
+ Fixes bug 15221; bugfix on 0.2.5.1-alpha.
|
|
|
+ - Avoid a 10-second delay when starting as a client with "Sandbox 1"
|
|
|
+ enabled and no DNS resolvers configured. This should help TAILS
|
|
|
+ start up faster. Fixes bug 18548; bugfix on 0.2.5.1-alpha.
|
|
|
+ - Fix a crash when using offline master ed25519 keys with the Linux
|
|
|
+ seccomp2 sandbox enabled. Fixes bug 17675; bugfix on 0.2.7.3-rc.
|
|
|
+ - Allow statistics to be written to disk when "Sandbox 1" is
|
|
|
+ enabled. Fixes bugs 19556 and 19957; bugfix on 0.2.5.1-alpha and
|
|
|
+ 0.2.6.1-alpha respectively.
|
|
|
+
|
|
|
+ o Minor bugfixes (logging):
|
|
|
+ - In log messages that include a function name, use __FUNCTION__
|
|
|
+ instead of __PRETTY_FUNCTION__. In GCC, these are synonymous, but
|
|
|
+ with clang __PRETTY_FUNCTION__ has extra information we don't
|
|
|
+ need. Fixes bug 16563; bugfix on 0.0.2pre8. Fix by Tom van
|
|
|
+ der Woerdt.
|
|
|
+ - Remove needless quotes from a log message about unparseable
|
|
|
+ addresses. Fixes bug 17843; bugfix on 0.2.3.3-alpha.
|
|
|
+ - Scrub service name in "unrecognized service ID" log messages.
|
|
|
+ Fixes bug 18600; bugfix on 0.2.4.11-alpha.
|
|
|
+ - When logging information about an unparsable networkstatus vote or
|
|
|
+ consensus, do not say "vote" when we mean consensus. Fixes bug
|
|
|
+ 18368; bugfix on 0.2.0.8-alpha.
|
|
|
+ - When we can't generate a signing key because OfflineMasterKey is
|
|
|
+ set, do not imply that we should have been able to load it. Fixes
|
|
|
+ bug 18133; bugfix on 0.2.7.2-alpha.
|
|
|
+ - When logging a malformed hostname received through socks4, scrub
|
|
|
+ it if SafeLogging says we should. Fixes bug 17419; bugfix
|
|
|
+ on 0.1.1.16-rc.
|
|
|
+
|
|
|
+ o Minor bugfixes (memory safety):
|
|
|
+ - Avoid freeing an uninitialized pointer when opening a socket fails
|
|
|
+ in get_interface_addresses_ioctl(). Fixes bug 18454; bugfix on
|
|
|
+ 0.2.3.11-alpha. Reported by toralf and "cypherpunks", patch
|
|
|
+ by teor.
|
|
|
+ - Fix a memory leak in "tor --list-fingerprint". Fixes part of bug
|
|
|
+ 18672; bugfix on 0.2.5.1-alpha.
|
|
|
+ - Fix a memory leak in tor-gencert. Fixes part of bug 18672; bugfix
|
|
|
+ on 0.2.0.1-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (pluggable transports):
|
|
|
+ - Avoid reporting a spurious error when we decide that we don't need
|
|
|
+ to terminate a pluggable transport because it has already exited.
|
|
|
+ Fixes bug 18686; bugfix on 0.2.5.5-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (pointer arithmetic):
|
|
|
+ - Fix a bug in memarea_alloc() that could have resulted in remote
|
|
|
+ heap write access, if Tor had ever passed an unchecked size to
|
|
|
+ memarea_alloc(). Fortunately, all the sizes we pass to
|
|
|
+ memarea_alloc() are pre-checked to be less than 128 kilobytes.
|
|
|
+ Fixes bug 19150; bugfix on 0.2.1.1-alpha. Bug found by
|
|
|
+ Guido Vranken.
|
|
|
+
|
|
|
+ o Minor bugfixes (private directory):
|
|
|
+ - Prevent a race condition when creating private directories. Fixes
|
|
|
+ part of bug 17852; bugfix on 0.0.2pre13. Part of ticket 17852.
|
|
|
+ Patch from jsturgix. Found with Flawfinder.
|
|
|
+
|
|
|
+ o Minor bugfixes (relays):
|
|
|
+ - Check that both the ORPort and DirPort (if present) are reachable
|
|
|
+ before publishing a relay descriptor. Otherwise, relays publish a
|
|
|
+ descriptor with DirPort 0 when the DirPort reachability test takes
|
|
|
+ longer than the ORPort reachability test. Fixes bug 18050; bugfix
|
|
|
+ on 0.1.0.1-rc. Reported by "starlight", patch by teor.
|
|
|
+ - Resolve some edge cases where we might launch an ORPort
|
|
|
+ reachability check even when DisableNetwork is set. Noticed while
|
|
|
+ fixing bug 18616; bugfix on 0.2.3.9-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (relays, hidden services):
|
|
|
+ - Refuse connection requests to private OR addresses unless
|
|
|
+ ExtendAllowPrivateAddresses is set. Previously, tor would connect,
|
|
|
+ then refuse to send any cells to a private address. Fixes bugs
|
|
|
+ 17674 and 8976; bugfix on 0.2.3.21-rc. Patch by teor.
|
|
|
+
|
|
|
+ o Minor bugfixes (security, hidden services):
|
|
|
+ - Prevent hidden services connecting to client-supplied rendezvous
|
|
|
+ addresses that are reserved as internal or multicast. Fixes bug
|
|
|
+ 8976; bugfix on 0.2.3.21-rc. Patch by dgoulet and teor.
|
|
|
+
|
|
|
+ o Minor bugfixes (statistics):
|
|
|
+ - Consistently check for overflow in round_*_to_next_multiple_of
|
|
|
+ functions, and add unit tests with additional and maximal values.
|
|
|
+ Fixes part of bug 13192; bugfix on 0.2.2.1-alpha.
|
|
|
+ - Handle edge cases in the laplace functions: avoid division by
|
|
|
+ zero, avoid taking the log of zero, and silence clang type
|
|
|
+ conversion warnings using round and trunc. Add unit tests for edge
|
|
|
+ cases with maximal values. Fixes part of bug 13192; bugfix
|
|
|
+ on 0.2.6.2-alpha.
|
|
|
+ - We now include consensus downloads via IPv6 in our directory-
|
|
|
+ request statistics. Fixes bug 18460; bugfix on 0.2.3.14-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (test networks, IPv6):
|
|
|
+ - Allow internal IPv6 addresses in descriptors in test networks.
|
|
|
+ Fixes bug 17153; bugfix on 0.2.3.16-alpha. Patch by teor, reported
|
|
|
+ by karsten.
|
|
|
+
|
|
|
+ o Minor bugfixes (testing):
|
|
|
+ - Check the full results of SHA256 and SHA512 digests in the unit
|
|
|
+ tests. Bugfix on 0.2.2.4-alpha. Patch by teor.
|
|
|
+ - Fix a memory leak in the ntor test. Fixes bug 17778; bugfix
|
|
|
+ on 0.2.4.8-alpha.
|
|
|
+ - Fix a small memory leak that would occur when the
|
|
|
+ TestingEnableCellStatsEvent option was turned on. Fixes bug 18673;
|
|
|
+ bugfix on 0.2.5.2-alpha.
|
|
|
+ - Make unit tests pass on IPv6-only systems, and systems without
|
|
|
+ localhost addresses (like some FreeBSD jails). Fixes bug 17632;
|
|
|
+ bugfix on 0.2.7.3-rc. Patch by teor.
|
|
|
+ - The test for log_heartbeat was incorrectly failing in timezones
|
|
|
+ with non-integer offsets. Instead of comparing the end of the time
|
|
|
+ string against a constant, compare it to the output of
|
|
|
+ format_local_iso_time when given the correct input. Fixes bug
|
|
|
+ 18039; bugfix on 0.2.5.4-alpha.
|
|
|
+ - We no longer disable assertions in the unit tests when coverage is
|
|
|
+ enabled. Instead, we require you to say --disable-asserts-in-tests
|
|
|
+ to the configure script if you need assertions disabled in the
|
|
|
+ unit tests (for example, if you want to perform branch coverage).
|
|
|
+ Fixes bug 18242; bugfix on 0.2.7.1-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (time handling):
|
|
|
+ - When correcting a corrupt 'struct tm' value, fill in the tm_wday
|
|
|
+ field. Otherwise, our unit tests crash on Windows. Fixes bug
|
|
|
+ 18977; bugfix on 0.2.2.25-alpha.
|
|
|
+ - Avoid overflow in tor_timegm when parsing dates in and after 2038
|
|
|
+ on platforms with 32-bit time_t. Fixes bug 18479; bugfix on
|
|
|
+ 0.0.2pre14. Patch by teor.
|
|
|
+
|
|
|
+ o Minor bugfixes (tor-gencert):
|
|
|
+ - Correctly handle the case where an authority operator enters a
|
|
|
+ passphrase but sends an EOF before sending a newline. Fixes bug
|
|
|
+ 17443; bugfix on 0.2.0.20-rc. Found by junglefowl.
|
|
|
+
|
|
|
+ o Code simplification and refactoring:
|
|
|
+ - Clean up a little duplicated code in
|
|
|
+ crypto_expand_key_material_TAP(). Closes ticket 17587; patch
|
|
|
+ from "pfrankw".
|
|
|
+ - Decouple the list of streams waiting to be attached to circuits
|
|
|
+ from the overall connection list. This change makes it possible to
|
|
|
+ attach streams quickly while simplifying Tor's callgraph and
|
|
|
+ avoiding O(N) scans of the entire connection list. Closes
|
|
|
+ ticket 17590.
|
|
|
+ - Extract the more complicated parts of circuit_mark_for_close()
|
|
|
+ into a new function that we run periodically before circuits are
|
|
|
+ freed. This change removes more than half of the functions
|
|
|
+ currently in the "blob". Closes ticket 17218.
|
|
|
+ - Move logging of redundant policy entries in
|
|
|
+ policies_parse_exit_policy_internal into its own function. Closes
|
|
|
+ ticket 17608; patch from "juce".
|
|
|
+ - Quote all the string interpolations in configure.ac -- even those
|
|
|
+ which we are pretty sure can't contain spaces. Closes ticket
|
|
|
+ 17744. Patch from zerosion.
|
|
|
+ - Remove code for configuring OpenSSL dynamic locks; OpenSSL doesn't
|
|
|
+ use them. Closes ticket 17926.
|
|
|
+ - Remove specialized code for non-inplace AES_CTR. 99% of our AES is
|
|
|
+ inplace, so there's no need to have a separate implementation for
|
|
|
+ the non-inplace code. Closes ticket 18258. Patch from Malek.
|
|
|
+ - Simplify return types for some crypto functions that can't
|
|
|
+ actually fail. Patch from Hassan Alsibyani. Closes ticket 18259.
|
|
|
+ - When a direct directory request fails immediately on launch,
|
|
|
+ instead of relaunching that request from inside the code that
|
|
|
+ launches it, instead mark the connection for teardown. This change
|
|
|
+ simplifies Tor's callback and prevents the directory-request
|
|
|
+ launching code from invoking itself recursively. Closes
|
|
|
+ ticket 17589.
|
|
|
+
|
|
|
+ o Documentation:
|
|
|
+ - Add a description of the correct use of the '--keygen' command-
|
|
|
+ line option. Closes ticket 17583; based on text by 's7r'.
|
|
|
+ - Change build messages to refer to "Fedora" instead of "Fedora
|
|
|
+ Core", and "dnf" instead of "yum". Closes tickets 18459 and 18426.
|
|
|
+ Patches from "icanhasaccount" and "cypherpunks".
|
|
|
+ - Document the contents of the 'datadir/keys' subdirectory in the
|
|
|
+ manual page. Closes ticket 17621.
|
|
|
+ - Document the minimum HeartbeatPeriod value. Closes ticket 15638.
|
|
|
+ - Explain actual minima for BandwidthRate. Closes ticket 16382.
|
|
|
+ - Fix a minor formatting typo in the manpage. Closes ticket 17791.
|
|
|
+ - Mention torspec URL in the manpage and point the reader to it
|
|
|
+ whenever we mention a document that belongs in torspce. Fixes
|
|
|
+ issue 17392.
|
|
|
+ - Stop recommending use of nicknames to identify relays in our
|
|
|
+ MapAddress documentation. Closes ticket 18312.
|
|
|
+
|
|
|
+ o Removed features:
|
|
|
+ - Remove client-side support for connecting to Tor relays running
|
|
|
+ versions of Tor before 0.2.3.6-alpha. These relays didn't support
|
|
|
+ the v3 TLS handshake protocol, and are no longer allowed on the
|
|
|
+ Tor network. Implements the client side of ticket 11150. Based on
|
|
|
+ patches by Tom van der Woerdt.
|
|
|
+ - We no longer maintain an internal freelist in memarea.c.
|
|
|
+ Allocators should be good enough to make this code unnecessary,
|
|
|
+ and it's doubtful that it ever had any performance benefit.
|
|
|
+
|
|
|
+ o Testing:
|
|
|
+ - Add unit tests to check for common RNG failure modes, such as
|
|
|
+ returning all zeroes, identical values, or incrementing values
|
|
|
+ (OpenSSL's rand_predictable feature). Patch by teor.
|
|
|
+ - Always test both ed25519 backends, so that we can be sure that our
|
|
|
+ batch-open replacement code works. Part of ticket 16794.
|
|
|
+ - Cover dns_resolve_impl() in dns.c with unit tests. Implements a
|
|
|
+ portion of ticket 16831.
|
|
|
+ - Fix several warnings from clang's address sanitizer produced in
|
|
|
+ the unit tests.
|
|
|
+ - Log more information when the backtrace tests fail. Closes ticket
|
|
|
+ 17892. Patch from "cypherpunks."
|
|
|
+ - More unit tests for compat_libevent.c, procmon.c, tortls.c,
|
|
|
+ util_format.c, directory.c, and options_validate.c. Closes tickets
|
|
|
+ 17075, 17082, 17084, 17003, and 17076 respectively. Patches from
|
|
|
+ Ola Bini.
|
|
|
+ - Treat backtrace test failures as expected on FreeBSD until we
|
|
|
+ solve bug 17808. Closes ticket 18204.
|
|
|
+ - Unit tests for directory_handle_command_get. Closes ticket 17004.
|
|
|
+ Patch from Reinaldo de Souza Jr.
|
|
|
+
|
|
|
+
|
|
|
Changes in version 0.2.7.6 - 2015-12-10
|
|
|
Tor version 0.2.7.6 fixes a major bug in entry guard selection, as
|
|
|
well as a minor bug in hidden service reliability.
|
Nick Mathewson