@@ -3,6 +3,1093 @@ This document summarizes new features and bugfixes in each stable release
of Tor. If you want to see more detailed descriptions of the changes in
each development snapshot, see the ChangeLog file.
+Changes in version 0.2.3.25 - 2012-11-19
+ The Tor 0.2.3 release series is dedicated to the memory of Len "rabbi"
+ Sassaman (1980-2011), a long-time cypherpunk, anonymity researcher,
+ Mixmaster maintainer, Pynchon Gate co-designer, CodeCon organizer,
+ programmer, and friend. Unstinting in his dedication to the cause of
+ freedom, he inspired and helped many of us as we began our work on
+ anonymity, and inspires us still. Please honor his memory by writing
+ software to protect people's freedoms, and by helping others to do so.
+
+ Tor 0.2.3.25, the first stable release in the 0.2.3 branch, features
+ significantly reduced directory overhead (via microdescriptors),
+ enormous crypto performance improvements for fast relays on new
+ enough hardware, a new v3 TLS handshake protocol that can better
+ resist fingerprinting, support for protocol obfuscation plugins (aka
+ pluggable transports), better scalability for hidden services, IPv6
+ support for bridges, performance improvements like allowing clients
+ to skip the first round-trip on the circuit ("optimistic data") and
+ refilling token buckets more often, a new "stream isolation" design
+ to isolate different applications on different circuits, and many
+ stability, security, and privacy fixes.
+
+ Major features (v3 directory protocol):
+ - Clients now use microdescriptors instead of regular descriptors
+ to build circuits. Microdescriptors are authority-generated
+ summaries of regular descriptors' contents, designed to change very
+ rarely (see proposal 158 for details). This feature is designed
+ to save bandwidth, especially for clients on slow internet
+ connections. Use "UseMicrodescriptors 0" to disable it.
+ - Caches now download, cache, and serve microdescriptors, as well
+ as multiple "flavors" of the consensus, including a flavor that
+ describes microdescriptors.
+
+ o Major features (build hardening):
+ - Enable gcc and ld hardening by default. Resolves ticket 5210.
+
+ o Major features (relay scaling):
+ - When built to use OpenSSL 1.0.1, and built for an x86 or x86_64
+ instruction set, take advantage of OpenSSL's AESNI, bitsliced, or
+ vectorized AES implementations as appropriate. These can be much,
+ much faster than other AES implementations.
+ - When using OpenSSL 1.0.0 or later, use OpenSSL's counter mode
+ implementation. It makes AES_CTR about 7% faster than our old one
+ (which was about 10% faster than the one OpenSSL used to provide).
+ Resolves ticket 4526.
+ - Use OpenSSL's EVP interface for AES encryption, so that all AES
+ operations can use hardware acceleration (if present). Resolves
+ ticket 4442.
+ - Unconditionally use OpenSSL's AES implementation instead of our
+ old built-in one. OpenSSL's AES has been better for a while, and
+ relatively few servers should still be on any version of OpenSSL
+ that doesn't have good optimized assembly AES.
+
+ o Major features (blocking resistance):
+ - Update TLS cipher list to match Firefox 8 and later. Resolves
+ ticket 4744.
+ - Remove support for clients falsely claiming to support standard
+ ciphersuites that they can actually provide. As of modern OpenSSL
+ versions, it's not necessary to fake any standard ciphersuite,
+ and doing so prevents us from using better ciphersuites in the
+ future, since servers can't know whether an advertised ciphersuite
+ is really supported or not. Some hosts -- notably, ones with very
+ old versions of OpenSSL or where OpenSSL has been built with ECC
+ disabled -- will stand out because of this change; TBB users should
+ not be affected. Implements the client side of proposal 198.
+ - Implement a new handshake protocol (v3) for authenticating Tors to
+ each other over TLS. It should be more resistant to fingerprinting
+ than previous protocols, and should require less TLS hacking for
+ future Tor implementations. Implements proposal 176.
+ - Allow variable-length padding cells, to disguise the length of
+ Tor's TLS records. Implements part of proposal 184.
+ - While we're trying to bootstrap, record how many TLS connections
+ fail in each state, and report which states saw the most failures
+ in response to any bootstrap failures. This feature may speed up
+ diagnosis of censorship events. Implements ticket 3116.
+
+ o Major features (pluggable transports):
+ - Clients and bridges can now be configured to use a separate
+ "transport" proxy. This approach makes the censorship arms race
+ easier by allowing bridges to use protocol obfuscation plugins.
+ Implements proposal 180 (tickets 2841 and 3472).
+
+ o Major features (DoS resistance):
+ - Now that Tor 0.2.0.x is completely deprecated, enable the final
+ part of "Proposal 110: Avoiding infinite length circuits" by
+ refusing all circuit-extend requests that do not use a relay_early
+ cell. This change helps Tor resist a class of denial-of-service
+ attacks by limiting the maximum circuit length.
+ - Tear down the circuit if we get an unexpected SENDME cell. Clients
+ could use this trick to make their circuits receive cells faster
+ than our flow control would have allowed, or to gum up the network,
+ or possibly to do targeted memory denial-of-service attacks on
+ entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor --
+ from July 2002, before the release of Tor 0.0.0.
+
+ o Major features (hidden services):
+ - Adjust the number of introduction points that a hidden service
+ will try to maintain based on how long its introduction points
+ remain in use and how many introductions they handle. Fixes
+ part of bug 3825.
+ - Add a "tor2web mode" for clients that want to connect to hidden
+ services non-anonymously (and possibly more quickly). As a safety
+ measure to try to keep users from turning this on without knowing
+ what they are doing, tor2web mode must be explicitly enabled at
+ compile time, and a copy of Tor compiled to run in tor2web mode
+ cannot be used as a normal Tor client. Implements feature 2553.
+
+ o Major features (IPv6):
+ - Clients can now connect to private bridges over IPv6. Bridges
+ still need at least one IPv4 address in order to connect to
+ other relays. Note that we don't yet handle the case where the
+ user has two bridge lines for the same bridge (one IPv4, one
+ IPv6). Implements parts of proposal 186.
+
+ o Major features (directory authorities):
+ - Use a more secure consensus parameter voting algorithm. Now at
+ least three directory authorities or a majority of them must
+ vote on a given parameter before it will be included in the
+ consensus. Implements proposal 178.
+ - Remove the artificially low cutoff of 20KB to guarantee the Fast
+ flag. In the past few years the average relay speed has picked
+ up, and while the "top 7/8 of the network get the Fast flag" and
+ "all relays with 20KB or more of capacity get the Fast flag" rules
+ used to have the same result, now the top 7/8 of the network has
+ a capacity more like 32KB. Bugfix on 0.2.1.14-rc. Fixes bug 4489.
+
+ o Major features (performance):
+ - Exit nodes now accept and queue data on not-yet-connected streams.
+ Previously, the client wasn't allowed to send data until the
+ stream was connected, which slowed down all connections. This
+ change will enable clients to perform a "fast-start" on streams
+ and send data without having to wait for a confirmation that the
+ stream has opened. Patch from Ian Goldberg; implements the server
+ side of Proposal 174.
+ - When using an exit relay running 0.2.3.x, clients can now
+ "optimistically" send data before the exit relay reports that
+ the stream has opened. This saves a round trip when starting
+ connections where the client speaks first (such as web browsing).
+ This behavior is controlled by a consensus parameter (currently
+ disabled). To turn it on or off manually, use the "OptimisticData"
+ torrc option. Implements proposal 181; code by Ian Goldberg.
+ - Add a new TokenBucketRefillInterval option to refill token buckets
+ more frequently than once per second. This should improve network
+ performance, alleviate queueing problems, and make traffic less
+ bursty. Implements proposal 183; closes ticket 3630. Design by
+ Florian Tschorsch and Björn Scheuermann; implementation by
+ Florian Tschorsch.
+ - Raise the threshold of server descriptors needed (75%) and exit
+ server descriptors needed (50%) before we will declare ourselves
+ bootstrapped. This will make clients start building circuits a
+ little later, but makes the initially constructed circuits less
+ skewed and less in conflict with further directory fetches. Fixes
+ ticket 3196.
+
+ o Major features (relays):
+ - Relays now try regenerating and uploading their descriptor more
+ frequently if they are not listed in the consensus, or if the
+ version of their descriptor listed in the consensus is too
+ old. This fix should prevent situations where a server declines
+ to re-publish itself because it has done so too recently, even
+ though the authorities decided not to list its recent-enough
+ descriptor. Fix for bug 3327.
+
+ o Major features (stream isolation):
+ - You can now configure Tor so that streams from different
+ applications are isolated on different circuits, to prevent an
+ attacker who sees your streams as they leave an exit node from
+ linking your sessions to one another. To do this, choose some way
+ to distinguish the applications: have them connect to different
+ SocksPorts, or have one of them use SOCKS4 while the other uses
+ SOCKS5, or have them pass different authentication strings to the
+ SOCKS proxy. Then, use the new SocksPort syntax to configure the
+ degree of isolation you need. This implements Proposal 171.
+ - There's a new syntax for specifying multiple client ports (such as
+ SOCKSPort, TransPort, DNSPort, NATDPort): you can now just declare
+ multiple *Port entries with full addr:port syntax on each.
+ The old *ListenAddress format is still supported, but you can't
+ mix it with the new *Port syntax.
+
+ o Major features (bufferevents):
+ - Tor can now optionally build with the "bufferevents" buffered IO
+ backend provided by Libevent 2. To use this feature, make sure you
+ have the latest possible version of Libevent, and pass the
+ --enable-bufferevents flag to configure when building Tor from
+ source. This feature will make our networking code more flexible,
+ let us stack layers on each other, and let us use more efficient
+ zero-copy transports where available.
+ - Add experimental support for running on Windows with IOCP and no
+ kernel-space socket buffers. This feature is controlled by a new
+ "UserspaceIOCPBuffers" config option (off by default), which has
+ no effect unless Tor has been built with bufferevents enabled,
+ you're running on Windows, and you've set "DisableIOCP 0". In the
+ long run, this may help solve or mitigate bug 98.
+
+ o Major features (path selection):
+ - The EntryNodes option can now include country codes like {de} or IP
+ addresses or network masks. Previously we had disallowed these
+ options because we didn't have an efficient way to keep the list up
+ to date. Addresses ticket 1982, but see bug 2798 for an unresolved
+ issue here.
+
+ o Major features (port forwarding):
+ - Add support for automatic port mapping on the many home routers
+ that support NAT-PMP or UPnP. To build the support code, you'll
+ need to have the libnatpnp library and/or the libminiupnpc library,
+ and you'll need to enable the feature specifically by passing
+ "--enable-upnp" and/or "--enable-natpnp" to ./configure. To turn
+ it on, use the new PortForwarding option.
+
+ o Major features (logging):
+ - Add a new 'Heartbeat' log message type to periodically log a message
+ describing Tor's status at level Notice. This feature is meant for
+ operators who log at notice, and want to make sure that their Tor
+ server is still working. Implementation by George Kadianakis.
+ - Make logging resolution configurable with a new LogTimeGranularity
+ option, and change the default from 1 millisecond to 1 second.
+ Implements enhancement 1668.
+
+ o Major features (other):
+ - New "DisableNetwork" config option to prevent Tor from launching any
+ connections or accepting any connections except on a control port.
+ Bundles and controllers can set this option before letting Tor talk
+ to the rest of the network, for example to prevent any connections
+ to a non-bridge address. Packages like Orbot can also use this
+ option to instruct Tor to save power when the network is off.
+ - Try to use system facilities for enumerating local interface
+ addresses, before falling back to our old approach (which was
+ binding a UDP socket, and calling getsockname() on it). That
+ approach was scaring OS X users whose draconian firewall
+ software warned about binding to UDP sockets regardless of
+ whether packets were sent. Now we try to use getifaddrs(),
+ SIOCGIFCONF, or GetAdaptersAddresses(), depending on what the
+ system supports. Resolves ticket 1827.
+ - Add experimental support for a "defaults" torrc file to be parsed
+ before the regular torrc. Torrc options override the defaults file's
+ options in the same way that the command line overrides the torrc.
+ The SAVECONF controller command saves only those options which
+ differ between the current configuration and the defaults file. HUP
+ reloads both files. Implements task 4552.
+
+ o New directory authorities:
+ - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory
+ authority. Closes ticket 5749.
+
+ o Security/privacy fixes:
+ - Avoid read-from-freed-memory and double-free bugs that could occur
+ when a DNS request fails while launching it. Fixes bug 6480;
+ bugfix on 0.2.0.1-alpha.
+ - Reject any attempt to extend to an internal address. Without
+ this fix, a router could be used to probe addresses on an internal
+ network to see whether they were accepting connections. Fixes bug
+ 6710; bugfix on 0.0.8pre1.
+ - Close any connection that sends unrecognized junk before the TLS
+ handshake. Solves an issue noted in bug 4369.
+ - The advertised platform of a relay now includes only its operating
+ system's name (e.g., "Linux", "Darwin", "Windows 7"), and not
+ its service pack level (for Windows) or its CPU architecture
+ (for Unix). Also drop the "git-XYZ" tag in the version. Packagers
+ can insert an extra string in the platform line by setting the
+ preprocessor variable TOR_BUILD_TAG. Resolves bug 2988.
+ - Disable TLS session tickets. OpenSSL's implementation was giving
+ our TLS session keys the lifetime of our TLS context objects, when
+ perfect forward secrecy would want us to discard anything that
+ could decrypt a link connection as soon as the link connection
+ was closed. Fixes bug 7139; bugfix on all versions of Tor linked
+ against OpenSSL 1.0.0 or later. Found by Florent Daignière.
+ - Tor tries to wipe potentially sensitive data after using it, so
+ that if some subsequent security failure exposes Tor's memory,
+ the damage will be limited. But we had a bug where the compiler
+ was eliminating these wipe operations when it decided that the
+ memory was no longer visible to a (correctly running) program,
+ hence defeating our attempt at defense in depth. We fix that
+ by using OpenSSL's OPENSSL_cleanse() operation, which a compiler
+ is unlikely to optimize away. Future versions of Tor may use
+ a less ridiculously heavy approach for this. Fixes bug 7352.
+ Reported in an article by Andrey Karpov.
+
+ o Major bugfixes (crashes and asserts):
+ - Avoid a pair of double-free and use-after-mark bugs that can
+ occur with certain timings in canceled and re-received DNS
+ requests. Fixes bug 6472; bugfix on 0.0.7rc1.
+ - Fix a denial of service attack by which any directory authority
+ could crash all the others, or by which a single v2 directory
+ authority could crash everybody downloading v2 directory
+ information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
+ - Fix an assert that directory authorities could trigger on sighup
+ during some configuration state transitions. We now don't treat
+ it as a fatal error when the new descriptor we just generated in
+ init_keys() isn't accepted. Fixes bug 4438; bugfix on 0.2.1.9-alpha.
+ - Avoid segfault when starting up having run with an extremely old
+ version of Tor and parsing its state file. Fixes bug 6801; bugfix
+ on 0.2.2.23-alpha.
+
+ o Major bugfixes (clients):
+ - If we are unable to find any exit that supports our predicted ports,
+ stop calling them predicted, so that we don't loop and build
+ hopeless circuits indefinitely. Fixes bug 3296; bugfix on 0.0.9pre6,
+ which introduced predicted ports.
+ - Check at each new consensus whether our entry guards were picked
+ long enough ago that we should rotate them. Previously, we only
+ did this check at startup, which could lead to us holding a guard
+ indefinitely. Fixes bug 5380; bugfix on 0.2.1.14-rc.
+ - When fetching a bridge descriptor from a bridge authority,
+ always do so anonymously, whether we have been able to open
+ circuits or not. Partial fix for bug 1938; bugfix on 0.2.0.7-alpha.
+ This behavior makes it *safer* to use UpdateBridgesFromAuthority,
+ but we'll need to wait for bug 6010 before it's actually usable.
+
+ o Major bugfixes (directory voting):
+ - Check more thoroughly to prevent a rogue authority from
+ double-voting on any consensus directory parameter. Previously,
+ authorities would crash in this case if the total number of
+ votes for any parameter exceeded the number of active voters,
+ but would let it pass otherwise. Partially fixes bug 5786; bugfix
+ on 0.2.2.2-alpha.
+ - When computing weight parameters, behave more robustly in the
+ presence of a bad bwweightscale value. Previously, the authorities
+ would crash if they agreed on a sufficiently broken weight_scale
+ value; now, they use a reasonable default and carry on. Fixes the
+ rest of bug 5786; bugfix on 0.2.2.17-alpha.
+ - If authorities are unable to get a v2 consensus document from other
+ directory authorities, they no longer fall back to fetching
+ them from regular directory caches. Fixes bug 5635; bugfix on
+ 0.2.2.26-beta, where routers stopped downloading v2 consensus
+ documents entirely.
+
+ o Major bugfixes (relays):
+ - Fix a bug handling SENDME cells on nonexistent streams that could
+ result in bizarre window values. Report and patch contributed
+ pseudonymously. Fixes part of bug 6271. This bug was introduced
+ before the first Tor release, in svn commit r152.
+ - Don't update the AccountingSoftLimitHitAt state file entry whenever
+ tor gets started. This prevents a wrong average bandwidth
+ estimate, which would cause relays to always start a new accounting
+ interval at the earliest possible moment. Fixes bug 2003; bugfix
+ on 0.2.2.7-alpha. Reported by Bryon Eldridge, who also helped
+ immensely in tracking this bug down.
+ - Fix a possible crash bug when checking for deactivated circuits
+ in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
+ bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.
+ - Set the SO_REUSEADDR socket option before we call bind() on outgoing
+ connections. This change should allow busy exit relays to stop
+ running out of available sockets as quickly. Fixes bug 4950;
+ bugfix on 0.2.2.26-beta.
+
+ o Major bugfixes (blocking resistance):
+ - Bridges no longer include their address in NETINFO cells on outgoing
+ OR connections, to allow them to blend in better with clients.
+ Removes another avenue for enumerating bridges. Reported by
+ "troll_un". Fixes bug 4348; bugfix on 0.2.0.10-alpha, when NETINFO
+ cells were introduced.
+ - Warn the user when HTTPProxy, but no other proxy type, is
+ configured. This can cause surprising behavior: it doesn't send
+ all of Tor's traffic over the HTTPProxy -- it sends unencrypted
+ directory traffic only. Resolves ticket 4663.
+
+ o Major bugfixes (hidden services):
+ - Improve hidden service robustness: when an attempt to connect to
+ a hidden service ends, be willing to refetch its hidden service
+ descriptors from each of the HSDir relays responsible for them
+ immediately. Previously, we would not consider refetching the
+ service's descriptors from each HSDir for 15 minutes after the last
+ fetch, which was inconvenient if the hidden service was not running
+ during the first attempt. Bugfix on 0.2.0.18-alpha; fixes bug 3335.
+ - Hidden services now ignore the timestamps on INTRODUCE2 cells.
+ They used to check that the timestamp was within 30 minutes
+ of their system clock, so they could cap the size of their
+ replay-detection cache, but that approach unnecessarily refused
+ service to clients with wrong clocks. Bugfix on 0.2.1.6-alpha, when
+ the v3 intro-point protocol (the first one which sent a timestamp
+ field in the INTRODUCE2 cell) was introduced; fixes bug 3460.
+ - When one of a hidden service's introduction points appears to be
+ unreachable, stop trying it. Previously, we would keep trying
+ to build circuits to the introduction point until we lost the
+ descriptor, usually because the user gave up and restarted Tor.
+ Fixes part of bug 3825.
+
+ o Changes to default torrc file:
+ - Stop listing "socksport 9050" in torrc.sample. We open a socks
+ port on 9050 by default anyway, so this should not change anything
+ in practice.
+ - Stop mentioning the deprecated *ListenAddress options in
+ torrc.sample. Fixes bug 5438.
+ - Document unit of bandwidth-related options in sample torrc.
+ Fixes bug 5621.
+ - Fix broken URLs in the sample torrc file, and tell readers about
+ the OutboundBindAddress, ExitPolicyRejectPrivate, and
+ PublishServerDescriptor options. Addresses bug 4652.
+
+ o Minor features (directory authorities):
+ - Consider new, removed or changed IPv6 OR ports a non-cosmetic
+ change when the authority is deciding whether to accept a newly
+ uploaded descriptor. Implements ticket 6423.
+ - Directory authorities are now a little more lenient at accepting
+ older router descriptors, or newer router descriptors that don't
+ make big changes. This should help ameliorate past and future
+ issues where routers think they have uploaded valid descriptors,
+ but the authorities don't think so. Fix for ticket 2479.
+ - Authority operators can now vote for all relays in a given
+ set of countries to be BadDir/BadExit/Invalid/Rejected.
+ - Provide two consensus parameters (FastFlagMinThreshold and
+ FastFlagMaxThreshold) to control the range of allowable bandwidths
+ for the Fast directory flag. These allow authorities to run
+ experiments on appropriate requirements for being a "Fast" node.
+ The AuthDirFastGuarantee config value still applies. Implements
+ ticket 3946.
+
+ o Minor features (bridges / bridge authorities):
+ - Make bridge SSL certificates a bit more stealthy by using random
+ serial numbers, in the same fashion as OpenSSL when generating
+ self-signed certificates. Implements ticket 4584.
+ - Tag a bridge's descriptor as "never to be sent unencrypted".
+ This shouldn't matter, since bridges don't open non-anonymous
+ connections to the bridge authority and don't allow unencrypted
+ directory connections from clients, but we might as well make
+ sure. Closes bug 5139.
+ - The Bridge Authority now writes statistics on how many bridge
+ descriptors it gave out in total, and how many unique descriptors
+ it gave out. It also lists how often the most and least commonly
+ fetched descriptors were given out, as well as the median and
+ 25th/75th percentile. Implements tickets 4200 and 4294.
+
+ o Minor features (IPv6):
+ - Make the code that clients use to detect an address change be
+ IPv6-aware, so that it won't fill clients' logs with error
+ messages when trying to get the IPv4 address of an IPv6
+ connection. Implements ticket 5537.
+ - Relays now understand an IPv6 address when they get one from a
+ directory server. Resolves ticket 4875.
+
+ o Minor features (hidden services):
+ - Expire old or over-used hidden service introduction points.
+ Required by fix for bug 3460.
+ - Reduce the lifetime of elements of hidden services' Diffie-Hellman
+ public key replay-detection cache from 60 minutes to 5 minutes. This
+ replay-detection cache is now used only to detect multiple
+ INTRODUCE2 cells specifying the same rendezvous point, so we can
+ avoid launching multiple simultaneous attempts to connect to it.
+ - When a hidden service's introduction point times out, consider
+ trying it again during the next attempt to connect to the
+ HS. Previously, we would not try it again unless a newly fetched
+ descriptor contained it. Required by fixes for bugs 1297 and 3825.
+
+ o Minor features (relays):
+ - Relays now include a reason for regenerating their descriptors
+ in an HTTP header when uploading to the authorities. This will
+ make it easier to debug descriptor-upload issues in the future.
+ - Turn on directory request statistics by default and include them in
+ extra-info descriptors. Don't break if we have no GeoIP database.
+ - Replace files in stats/ rather than appending to them. Now that we
+ include statistics in extra-info descriptors, it makes no sense to
+ keep old statistics forever. Implements ticket 2930.
+ - Relays that set "ConnDirectionStatistics 1" write statistics on the
+ bidirectional use of connections to disk every 24 hours.
+ - Add a GeoIP file digest to the extra-info descriptor. Implements
+ ticket 1883.
+
+ o Minor features (new config options):
+ - New config option "DynamicDHGroups" (disabled by default) provides
+ each bridge with a unique prime DH modulus to be used during
+ SSL handshakes. This option attempts to help against censors
+ who might use the Apache DH modulus as a static identifier for
+ bridges. Addresses ticket 4548.
+ - New config option "DisableDebuggerAttachment" (on by default)
+ to prevent basic debugging attachment attempts by other processes.
+ Supports Mac OS X and Gnu/Linux. Resolves ticket 3313.
+ - Ordinarily, Tor does not count traffic from private addresses (like
+ 127.0.0.1 or 10.0.0.1) when calculating rate limits or accounting.
+ There is now a new option, CountPrivateBandwidth, to disable this
+ behavior. Patch from Daniel Cagara.
+
+ o Minor features (different behavior for old config options):
+ - Allow MapAddress directives to specify matches against super-domains,
+ as in "MapAddress *.torproject.org *.torproject.org.torserver.exit".
+ Implements issue 933.
+ - Don't disable the DirPort when we cannot exceed our AccountingMax
+ limit during this interval because the effective bandwidthrate is
+ low enough. This is useful in a situation where AccountMax is only
+ used as an additional safeguard or to provide statistics.
+ - Add port 6523 (Gobby) to LongLivedPorts. Patch by intrigeri;
+ implements ticket 3439.
+ - When configuring a large set of nodes in EntryNodes, and there are
+ enough of them listed as Guard so that we don't need to consider
+ the non-guard entries, prefer the ones listed with the Guard flag.
+ - If you set the NumCPUs option to 0, Tor will now try to detect how
+ many CPUs you have. This is the new default behavior.
+ - The NodeFamily option -- which let you declare that you want to
+ consider nodes to be part of a family whether they list themselves
+ that way or not -- now allows IP address ranges and country codes.
+
+ o Minor features (new command-line config behavior):
+ - Slightly change behavior of "list" options (that is, config
+ options that can appear more than once) when they appear both in
+ torrc and on the command line. Previously, the command-line options
+ would be appended to the ones from torrc. Now, the command-line
+ options override the torrc options entirely. This new behavior
+ allows the user to override list options (like exit policies and
+ ports to listen on) from the command line, rather than simply
+ appending to the list.
+ - You can get the old (appending) command-line behavior for "list"
+ options by prefixing the option name with a "+".
+ - You can remove all the values for a "list" option from the command
+ line without adding any new ones by prefixing the option name
+ with a "/".
+
+ o Minor features (controller, new events):
+ - Extend the control protocol to report flags that control a circuit's
+ path selection in CIRC events and in replies to 'GETINFO
+ circuit-status'. Implements part of ticket 2411.
+ - Extend the control protocol to report the hidden service address
+ and current state of a hidden-service-related circuit in CIRC
+ events and in replies to 'GETINFO circuit-status'. Implements part
+ of ticket 2411.
+ - Include the creation time of a circuit in CIRC and CIRC2
+ control-port events and the list produced by the 'GETINFO
|
|
|
+ circuit-status' control-port command.
|
|
|
+ - Add a new CONF_CHANGED event so that controllers can be notified
|
|
|
+ of any configuration changes made by other controllers, or by the
|
|
|
+ user. Implements ticket 1692.
|
|
|
+ - Add a new SIGNAL event to the controller interface so that
|
|
|
+ controllers can be notified when Tor handles a signal. Resolves
|
|
|
+ issue 1955. Patch by John Brooks.
|
|
|
+
|
|
|
+ o Minor features (controller, new getinfo options):
|
|
|
+ - Expose our view of whether we have gone dormant to the controller,
|
|
|
+ via a new "GETINFO dormant" value. Torbutton and other controllers
|
|
|
+ can use this to avoid doing periodic requests through Tor while
|
|
|
+ it's dormant (bug 4718). Resolves ticket 5954.
|
|
|
+ - Add a new GETINFO option to get total bytes read and written. Patch
|
|
|
+ from pipe, revised by atagar. Resolves ticket 2345.
|
|
|
+ - Implement new GETINFO controller fields to provide information about
|
|
|
+ the Tor process's pid, euid, username, and resource limits.
|
|
|
+
|
|
|
+ o Minor features (controller, other):
|
|
|
+ - Allow controllers to request an event notification whenever a
|
|
|
+ circuit is cannibalized or its purpose is changed. Implements
|
|
|
+ part of ticket 3457.
|
|
|
+ - Use absolute path names when reporting the torrc filename in the
|
|
|
+ control protocol, so a controller can more easily find the torrc
|
|
|
+ file. Resolves bug 1101.
|
|
|
+ - When reporting the path to the cookie file to the controller,
|
|
|
+ give an absolute path. Resolves ticket 4881.
|
|
|
+
|
|
|
+ o Minor features (log messages):
|
|
|
+ - Add more information to a log statement that might help track down
|
|
|
+ bug 4091. If you're seeing "Bug: tor_addr_is_internal() called with a
|
|
|
+ non-IP address" messages (or any Bug messages, for that matter!),
|
|
|
+ please let us know about it.
|
|
|
+ - If EntryNodes are given, but UseEntryGuards is set to 0, warn that
|
|
|
+ EntryNodes will have no effect. Resolves issue 2571.
|
|
|
+ - Try to make the introductory warning message that Tor prints on
|
|
|
+ startup more useful for actually finding help and information.
|
|
|
+ Resolves ticket 2474.
|
|
|
+ - When the system call to create a listener socket fails, log the
|
|
|
+ error message explaining why. This may help diagnose bug 4027.
|
|
|
+
|
|
|
+ o Minor features (other):
|
|
|
+ - When we fail to initialize Libevent, retry with IOCP disabled so we
|
|
|
+ don't need to turn on multi-threading support in Libevent, which in
|
|
|
+ turn requires a working socketpair(). This is a workaround for bug
|
|
|
+ 4457, which affects Libevent versions from 2.0.1-alpha through
|
|
|
+ 2.0.15-stable.
|
|
|
+ - When starting as root and then changing our UID via the User
|
|
|
+ control option, and we have a ControlSocket configured, make sure
|
|
|
+ that the ControlSocket is owned by the same account that Tor will
|
|
|
+ run under. Implements ticket 3421; fix by Jérémy Bobbio.
|
|
|
+ - Accept attempts to include a password authenticator in the
|
|
|
+ handshake, as supported by SOCKS5. This handles SOCKS clients that
|
|
|
+ don't know how to omit a password when authenticating. Resolves
|
|
|
+ bug 1666.
|
|
|
+ - Check for and recover from inconsistency in the microdescriptor
|
|
|
+ cache. This will make it harder for us to accidentally free a
|
|
|
+ microdescriptor without removing it from the appropriate data
|
|
|
+ structures. Fixes issue 3135; issue noted by "wanoskarnet".
|
|
|
+ - Shorten links in the tor-exit-notice file. Patch by Christian Kujau.
|
|
|
+
|
|
|
+ o Minor bugfixes (code security):
|
|
|
+ - Prevent a null-pointer dereference when receiving a data cell
|
|
|
+ for a nonexistent stream when the circuit in question has an
|
|
|
+ empty deliver window. We don't believe this is triggerable,
|
|
|
+ since we don't currently allow deliver windows to become empty,
|
|
|
+ but the logic is tricky enough that it's better to make the code
|
|
|
+ robust. Fixes bug 5541; bugfix on 0.0.2pre14.
|
|
|
+ - Fix a (harmless) integer overflow in cell statistics reported by
|
|
|
+ some fast relays. Fixes bug 5849; bugfix on 0.2.2.1-alpha.
|
|
|
+ - Fix our implementation of crypto_random_hostname() so it can't
|
|
|
+ overflow on ridiculously large inputs. (No Tor version has ever
|
|
|
+ provided this kind of bad inputs, but let's be correct in depth.)
|
|
|
+ Fixes bug 4413; bugfix on 0.2.2.9-alpha. Fix by Stephen Palmateer.
|
|
|
+ - Add a (probably redundant) memory clear between iterations of
|
|
|
+ the router status voting loop, to prevent future coding errors
|
|
|
+ where data might leak between iterations of the loop. Resolves
|
|
|
+ ticket 6514.
|
|
|
+
|
|
|
+ o Minor bugfixes (wrapper functions):
|
|
|
+ - Abort if tor_vasprintf() fails in connection_printf_to_buf() (a
|
|
|
+ utility function used in the control-port code). This shouldn't
|
|
|
+ ever happen unless Tor is completely out of memory, but if it did
|
|
|
+ happen and Tor somehow recovered from it, Tor could have sent a log
|
|
|
+ message to a control port in the middle of a reply to a controller
|
|
|
+ command. Fixes part of bug 3428; bugfix on 0.1.2.3-alpha.
|
|
|
+ - Fix some (not actually triggerable) buffer size checks in usage of
|
|
|
+ tor_inet_ntop(). Fixes bug 4434; bugfix on Tor 0.2.0.1-alpha. Patch
|
|
|
+ by Anders Sundman.
|
|
|
+ - Fix parsing of some corner-cases with tor_inet_pton(). Fixes
|
|
|
+ bug 4515; bugfix on 0.2.0.1-alpha; fix by Anders Sundman.
|
|
|
+ - Enforce correct return behavior of tor_vsscanf() when the '%%'
|
|
|
+ pattern is used. Fixes bug 5558. Bugfix on 0.2.1.13.
|
|
|
+ - Make our replacement implementation of strtok_r() compatible with
|
|
|
+ the standard behavior of strtok_r(). Patch by nils. Fixes bug 5091;
|
|
|
+ bugfix on 0.2.2.1-alpha.
|
|
|
+ - Find more places in the code that should have been testing for
|
|
|
+ invalid sockets using the SOCKET_OK macro. Required for a fix
|
|
|
+ for bug 4533. Bugfix on 0.2.2.28-beta.
|
|
|
+
|
|
|
+ o Minor bugfixes (code correctness):
|
|
|
+ - Check return value of fputs() when writing authority certificate
|
|
|
+ file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha.
|
|
|
+ - When building Tor on Windows with -DUNICODE (not default), ensure
|
|
|
+ that error messages, filenames, and DNS server names are always
|
|
|
+ NUL-terminated when we convert them to a single-byte encoding.
|
|
|
+ Fixes bug 5909; bugfix on 0.2.2.16-alpha.
|
|
|
+ - Fix a memory leak when trying to launch a DNS request when the
|
|
|
+ nameservers are unconfigurable. Fixes bug 5916; bugfix on Tor
|
|
|
+ 0.1.2.1-alpha.
|
|
|
+ - Correct file sizes when reading binary files on Cygwin, to avoid
|
|
|
+ a bug where Tor would fail to read its state file. Fixes bug 6844;
|
|
|
+ bugfix on 0.1.2.7-alpha.
|
|
|
+ - Make sure to set *socket_error in all error cases in
|
|
|
+ connection_connect(), so it can't produce a warning about
|
|
|
+ errno being zero from errno_to_orconn_end_reason(). Bugfix on
|
|
|
+ 0.2.1.1-alpha; resolves ticket 6028.
|
|
|
+ - Initialize conn->addr to a valid state in spawn_cpuworker(). Fixes
|
|
|
+ bug 4532; found by "troll_un".
|
|
|
+
|
|
|
+ o Minor bugfixes (clients):
|
|
|
+ - Allow one-hop directory-fetching circuits the full "circuit build
|
|
|
+ timeout" period, rather than just half of it, before failing them
|
|
|
+ and marking the relay down. This fix should help reduce cases where
|
|
|
+ clients declare relays (or worse, bridges) unreachable because
|
|
|
+ the TLS handshake takes a few seconds to complete. Fixes bug 6743;
|
|
|
+ bugfix on 0.2.2.2-alpha, where we changed the timeout from a static
|
|
|
+ 30 seconds.
|
|
|
+ - Ensure we don't cannibalize circuits that are longer than three hops
|
|
|
+ already, so we don't end up making circuits with 5 or more
|
|
|
+ hops. Patch contributed by wanoskarnet. Fixes bug 5231; bugfix on
|
|
|
+ 0.1.0.1-rc which introduced cannibalization.
|
|
|
+
|
|
|
+ o Minor bugfixes (relays):
|
|
|
+ - Don't publish a new relay descriptor when we reload our onion key,
|
|
|
+ unless the onion key has actually changed. Fixes bug 3263 and
|
|
|
+ resolves another cause of bug 1810. Bugfix on 0.1.1.11-alpha.
|
|
|
+ - When relays refuse a "create" cell because their queue of pending
|
|
|
+ create cells is too big (typically because their cpu can't keep up
|
|
|
+ with the arrival rate), send back reason "resource limit" rather
|
|
|
+ than reason "internal", so network measurement scripts can get a
|
|
|
+ more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037.
|
|
|
+ - Exit nodes don't need to fetch certificates for authorities that
|
|
|
+ they don't recognize; only directory authorities, bridges,
|
|
|
+ and caches need to do that. Fixes part of bug 2297; bugfix on
|
|
|
+ 0.2.2.11-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (directory authority / mirrors):
|
|
|
+ - Avoid O(n^2) performance characteristics when parsing a large
|
|
|
+ extrainfo cache. Fixes bug 5828; bugfix on 0.2.0.1-alpha.
|
|
|
+ - Authorities no longer include any router in their microdescriptor
|
|
|
+ consensuses for which they couldn't generate or agree on a
|
|
|
+ microdescriptor. Fixes the second piece of bug 6404; fix on
|
|
|
+ 0.2.2.6-alpha.
|
|
|
+ - When checking for requested signatures on the latest consensus
|
|
|
+ before serving it to a client, make sure to check the right
|
|
|
+ consensus flavor. Bugfix on 0.2.2.6-alpha.
|
|
|
+ - Fix an edge case where TestingTorNetwork is set but the authorities
|
|
|
+ and relays all have an uptime of zero, so the private Tor network
|
|
|
+ could briefly lack support for hidden services. Fixes bug 3886;
|
|
|
+ bugfix on 0.2.2.18-alpha.
|
|
|
+ - Directory caches no longer refuse to clean out descriptors because
|
|
|
+ of missing v2 networkstatus documents, unless they're configured
|
|
|
+ to retrieve v2 networkstatus documents. Fixes bug 4838; bugfix on
|
|
|
+ 0.2.2.26-beta. Patch by Daniel Bryg.
|
|
|
+ - Don't serve or accept v2 hidden service descriptors over a relay's
|
|
|
+ DirPort. It's never correct to do so, and disabling it might
|
|
|
+ make it more annoying to exploit any bugs that turn up in the
|
|
|
+ descriptor-parsing code. Fixes bug 7149.
|
|
|
+
|
|
|
+ o Minor bugfixes (hidden services, client-side):
|
|
|
+ - Assert that hidden-service-related operations are not performed
|
|
|
+ using single-hop circuits. Previously, Tor would assert that
|
|
|
+ client-side streams are not attached to single-hop circuits,
|
|
|
+ but not that other sensitive operations on the client and service
|
|
|
+ side are not performed using single-hop circuits. Fixes bug 3332;
|
|
|
+ bugfix on 0.0.6.
|
|
|
+ - Avoid undefined behaviour when parsing the list of supported
|
|
|
+ rendezvous/introduction protocols in a hidden service descriptor.
|
|
|
+ Previously, Tor would have confused (as-yet-unused) protocol version
|
|
|
+ numbers greater than 32 with lower ones on many platforms. Fixes
|
|
|
+ bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis.
|
|
|
+ - Don't close hidden service client circuits which have almost
|
|
|
+ finished connecting to their destination when they reach
|
|
|
+ the normal circuit-build timeout. Previously, we would close
|
|
|
+ introduction circuits which are waiting for an acknowledgement
|
|
|
+ from the introduction point, and rendezvous circuits which have
|
|
|
+ been specified in an INTRODUCE1 cell sent to a hidden service,
|
|
|
+ after the normal CBT. Now, we mark them as 'timed out', and launch
|
|
|
+ another rendezvous attempt in parallel. This behavior change can
|
|
|
+ be disabled using the new CloseHSClientCircuitsImmediatelyOnTimeout
|
|
|
+ option. Fixes part of bug 1297; bugfix on 0.2.2.2-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (hidden services, service-side):
|
|
|
+ - Don't close hidden-service-side rendezvous circuits when they
|
|
|
+ reach the normal circuit-build timeout. This behaviour change can
|
|
|
+ be disabled using the new
|
|
|
+ CloseHSServiceRendCircuitsImmediatelyOnTimeout option. Fixes the
|
|
|
+ remaining part of bug 1297; bugfix on 0.2.2.2-alpha.
|
|
|
+ - Don't launch more than 10 service-side introduction-point circuits
|
|
|
+ for a hidden service in five minutes. Previously, we would consider
|
|
|
+ launching more introduction-point circuits if at least one second
|
|
|
+ had passed without any introduction-point circuits failing. Fixes
|
|
|
+ bug 4607; bugfix on 0.0.7pre1.
|
|
|
+
|
|
|
+ o Minor bugfixes (config option behavior):
|
|
|
+ - If the user tries to set MyFamily on a bridge, refuse to
|
|
|
+ do so, and warn about the security implications. Fixes bug 4657;
|
|
|
+ bugfix on 0.2.0.3-alpha.
|
|
|
+ - The "--quiet" and "--hush" options now apply not only to Tor's
|
|
|
+ behavior before logs are configured, but also to Tor's behavior in
|
|
|
+ the absense of configured logs. Fixes bug 3550; bugfix on
|
|
|
+ 0.2.0.10-alpha.
|
|
|
+ - Change the AllowDotExit rules so they should actually work.
|
|
|
+ We now enforce AllowDotExit only immediately after receiving an
|
|
|
+ address via SOCKS or DNSPort: other sources are free to provide
|
|
|
+ .exit addresses after the resolution occurs. Fixes bug 3940;
|
|
|
+ bugfix on 0.2.2.1-alpha.
|
|
|
+ - Make "LearnCircuitBuildTimeout 0" work more reliably. Specifically,
|
|
|
+ don't depend on the consensus parameters or compute adaptive
|
|
|
+ timeouts when it is disabled. Fixes bug 5049; bugfix on
|
|
|
+ 0.2.2.14-alpha.
|
|
|
+ - After we pick a directory mirror, we would refuse to use it if
|
|
|
+ it's in our ExcludeExitNodes list, resulting in mysterious failures
|
|
|
+ to bootstrap for people who just wanted to avoid exiting from
|
|
|
+ certain locations. Fixes bug 5623; bugfix on 0.2.2.25-alpha.
|
|
|
+ - When told to add a bridge with the same digest as a preexisting
|
|
|
+ bridge but a different addr:port, change the addr:port as
|
|
|
+ requested. Previously we would not notice the change. Fixes half
|
|
|
+ of bug 5603; fix on 0.2.2.26-beta.
|
|
|
+
|
|
|
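Review bot: "absense" in the "--quiet"/"--hush" entry of the "Minor bugfixes (config option behavior)" block above is a misspelling; it should read "the absence of configured logs". The two hidden-service blocks just before it also write "behaviour" ("Avoid undefined behaviour when parsing the list of supported rendezvous/introduction protocols" and "This behaviour change can be disabled using the new CloseHSServiceRendCircuitsImmediatelyOnTimeout option"), while the client-side entry a few lines earlier and the config-option entries use "behavior". Pick one spelling so that a text search of the release notes for either option finds both descriptions.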
+ o Minor bugfixes (controller):
|
|
|
+ - Allow manual 'authenticate' commands to the controller interface
|
|
|
+ from netcat (nc) as well as telnet. We were rejecting them because
|
|
|
+ they didn't come with the expected whitespace at the end of the
|
|
|
+ command. Bugfix on 0.1.1.1-alpha; fixes bug 2893.
|
|
|
+ - Report a real bootstrap problem to the controller on router
|
|
|
+ identity mismatch. Previously we just said "foo", which probably
|
|
|
+ made a lot of sense at the time. Fixes bug 4169; bugfix on
|
|
|
+ 0.2.1.1-alpha.
|
|
|
+ - When we receive a SIGHUP and the controller __ReloadTorrcOnSIGHUP
|
|
|
+ option is set to 0 (which Vidalia version 0.2.16 now does when
|
|
|
+ a SAVECONF attempt fails), perform other actions that SIGHUP
|
|
|
+ usually causes (like reopening the logs). Fixes bug 5095; bugfix
|
|
|
+ on 0.2.1.9-alpha.
|
|
|
+ - Correctly handle checking the permissions on the parent
|
|
|
+ directory of a control socket in the root directory. Bug found
|
|
|
+ by Esteban Manchado Velázquez. Fixes bug 5089; bugfix on Tor
|
|
|
+ 0.2.2.26-beta.
|
|
|
+ - End AUTHCHALLENGE error messages (in the control protocol) with
|
|
|
+ a CRLF. Fixes bug 5760; bugfix on 0.2.2.36.
|
|
|
+
|
|
|
+ o Minor bugfixes (network reading/writing):
|
|
|
+ - Disable writing on marked-for-close connections when they are
|
|
|
+ blocked on bandwidth, to prevent busy-looping in Libevent. Fixes
|
|
|
+ bug 5263; bugfix on 0.0.2pre13, where we first added a special
|
|
|
+ case for flushing marked connections.
|
|
|
+ - Make sure that there are no unhandled pending TLS errors before
|
|
|
+ reading from a TLS stream. We had checks in 0.1.0.3-rc, but
|
|
|
+ lost them in 0.1.0.5-rc when we refactored read_to_buf_tls().
|
|
|
+ Bugfix on 0.1.0.5-rc; fixes bug 4528.
|
|
|
+ - Detect SSL handshake even when the initial attempt to write the
|
|
|
+ server hello fails. Fixes bug 4592; bugfix on 0.2.0.13-alpha.
|
|
|
+ - If the client fails to set a reasonable set of ciphersuites
|
|
|
+ during its v2 handshake renegotiation, allow the renegotiation to
|
|
|
+ continue nevertheless (i.e. send all the required certificates).
|
|
|
+ Fixes bug 4591; bugfix on 0.2.0.20-rc.
|
|
|
+
|
|
|
+ o Minor bugfixes (other):
|
|
|
+ - Exit nodes now correctly report EADDRINUSE and EADDRNOTAVAIL as
|
|
|
+ resource exhaustion, so that clients can adjust their load to
|
|
|
+ try other exits. Fixes bug 4710; bugfix on 0.1.0.1-rc, which
|
|
|
+ started using END_STREAM_REASON_RESOURCELIMIT.
|
|
|
+ - Don't check for whether the address we're using for outbound
|
|
|
+ connections has changed until after the outbound connection has
|
|
|
+ completed. On Windows, getsockname() doesn't succeed until the
|
|
|
+ connection is finished. Fixes bug 5374; bugfix on 0.1.1.14-alpha.
|
|
|
+ - Don't hold a Windows file handle open for every file mapping;
|
|
|
+ the file mapping handle is sufficient. Fixes bug 5951; bugfix on
|
|
|
+ 0.1.2.1-alpha.
|
|
|
+ - Fix wrong TCP port range in parse_port_range(). Fixes bug 6218;
|
|
|
+ bugfix on 0.2.1.10-alpha.
|
|
|
+ - If we fail to write a microdescriptor to the disk cache, do not
|
|
|
+ continue replacing the old microdescriptor file. Fixes bug 2954;
|
|
|
+ bugfix on 0.2.2.6-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (log messages, path selection):
|
|
|
+ - Downgrade "set buildtimeout to low value" messages to "info"
|
|
|
+ severity; they were never an actual problem, there was never
|
|
|
+ anything reasonable to do about them, and they tended to spam logs
|
|
|
+ from time to time. Fixes bug 6251; bugfix on 0.2.2.2-alpha.
|
|
|
+ - Rate-limit the "Weighted bandwidth is 0.000000" message, and add
|
|
|
+ more information to it, so that we can track it down in case it
|
|
|
+ returns again. Mitigates bug 5235.
|
|
|
+ - Check CircuitBuildTimeout and LearnCircuitBuildTimeout in
|
|
|
+ options_validate(); warn if LearnCircuitBuildTimeout is disabled and
|
|
|
+ CircuitBuildTimeout is set unreasonably low. Resolves ticket 5452.
|
|
|
+ - Issue a log message if a guard completes less than 40% of your
|
|
|
+ circuits. Threshold is configurable by torrc option
|
|
|
+ PathBiasNoticeRate and consensus parameter pb_noticepct. There is
|
|
|
+ additional, off-by-default code to disable guards which fail too
|
|
|
+ many circuits. Addresses ticket 5458.
|
|
|
+
|
|
|
+ o Minor bugfixes (log messages, client):
|
|
|
+ - Downgrade "Got a certificate, but we already have it" log messages
|
|
|
+ from warning to info, except when we're a dirauth. Fixes bug 5238;
|
|
|
+ bugfix on 0.2.1.7-alpha.
|
|
|
+ - Fix the log message describing how we work around discovering
|
|
|
+ that our version is the ill-fated OpenSSL 0.9.8l. Fixes bug
|
|
|
+ 4837; bugfix on 0.2.2.9-alpha.
|
|
|
+ - When logging about a disallowed .exit name, do not also call it
|
|
|
+ an "invalid onion address". Fixes bug 3325; bugfix on 0.2.2.9-alpha.
|
|
|
+ - Fix a log message suggesting that people contact a non-existent
|
|
|
+ email address. Fixes bug 3448.
|
|
|
+ - Rephrase the log message emitted if the TestSocks check is
|
|
|
+ successful. Patch from Fabian Keil; fixes bug 4094.
|
|
|
+ - Log (at debug level) whenever a circuit's purpose is changed.
|
|
|
+ - Log SSL state transitions at log level DEBUG, log domain
|
|
|
+ HANDSHAKE. This can be useful for debugging censorship events.
|
|
|
+ Implements ticket 3264.
|
|
|
+ - We now log which torrc file we're using on startup. Implements
|
|
|
+ ticket 2444.
|
|
|
+ - Rate-limit log messages when asked to connect anonymously to
|
|
|
+ a private address. When these hit, they tended to hit fast and
|
|
|
+ often. Also, don't bother trying to connect to addresses that we
|
|
|
+ are sure will resolve to 127.0.0.1: getting 127.0.0.1 in a directory
|
|
|
+ reply makes us think we have been lied to, even when the address the
|
|
|
+ client tried to connect to was "localhost." Resolves ticket 2822.
|
|
|
+
|
|
|
+ o Minor bugfixes (log messages, non-client):
|
|
|
+ - Downgrade "eventdns rejected address" message to LOG_PROTOCOL_WARN.
|
|
|
+ Fixes bug 5932; bugfix on 0.2.2.7-alpha.
|
|
|
+ - Don't log that we have "decided to publish new relay descriptor"
|
|
|
+ unless we are actually publishing a descriptor. Fixes bug 3942;
|
|
|
+ bugfix on 0.2.2.28-beta.
|
|
|
+ - Log which authority we're missing votes from when we go to fetch
|
|
|
+ them from the other auths.
|
|
|
+ - Replace "Sending publish request" log messages with "Launching
|
|
|
+ upload", so that they no longer confusingly imply that we're
|
|
|
+ sending something to a directory we might not even be connected
|
|
|
+ to yet. Fixes bug 3311; bugfix on 0.2.0.10-alpha.
|
|
|
+ - Warn when Tor is configured to use accounting in a way that can
|
|
|
+ link a hidden service to some other hidden service or public
|
|
|
+ address. Resolves ticket 6490.
|
|
|
+ - Fix a minor formatting issue in one of tor-gencert's error messages.
|
|
|
+ Fixes bug 4574.
|
|
|
+
|
|
|
+ o Testing:
|
|
|
+ - Update to the latest version of the tinytest unit testing framework.
|
|
|
+ This includes a couple of bugfixes that can be relevant for
|
|
|
+ running forked unit tests on Windows, and removes all reserved
|
|
|
+ identifiers.
|
|
|
+ - Avoid a false positive in the util/threads unit test by increasing
|
|
|
+ the maximum timeout time. Fixes bug 6227; bugfix on 0.2.0.4-alpha.
|
|
|
+ - Make it possible to set the TestingTorNetwork configuration
|
|
|
+ option using AlternateDirAuthority and AlternateBridgeAuthority
|
|
|
+ as an alternative to setting DirServer. Addresses ticket 6377.
|
|
|
+ - Add a unit test for the environment_variable_names_equal() function.
|
|
|
+ - A wide variety of new unit tests by Esteban Manchado Velázquez.
|
|
|
+ - Numerous new unit tests for functions in util.c and address.c by
|
|
|
+ Anders Sundman.
|
|
|
+ - The long-disabled benchmark tests are now split into their own
|
|
|
+ ./src/test/bench binary.
|
|
|
+ - The benchmark tests can now use more accurate timers than
|
|
|
+ gettimeofday() when such timers are available.
|
|
|
+ - Use tt_assert(), not tor_assert(), for checking for test failures.
|
|
|
+ This makes the unit tests more able to go on in the event that
|
|
|
+ one of them fails.
|
|
|
+
|
|
|
+ o Build improvements:
|
|
|
+ - Use the dead_strip option when building Tor on OS X. This reduces
|
|
|
+ binary size by almost 19% when linking openssl and libevent
|
|
|
+ statically, which we do for Tor Browser Bundle.
|
|
|
+ - Provide a better error message about possible OSX Asciidoc failure
|
|
|
+ reasons. Fixes bug 6436.
|
|
|
+ - Detect attempts to build Tor on (as yet hypothetical) versions
|
|
|
+ of Windows where sizeof(intptr_t) != sizeof(SOCKET). Partial
|
|
|
+ fix for bug 4533. Bugfix on 0.2.2.28-beta.
|
|
|
+ - On Windows, we now define the _WIN32_WINNT macros only if they
|
|
|
+ are not already defined. This lets the person building Tor decide,
|
|
|
+ if they want, to require a later version of Windows.
|
|
|
+ - Our autogen.sh script now uses autoreconf to launch autoconf,
|
|
|
+ automake, and so on. This is more robust against some of the failure
|
|
|
+ modes associated with running the autotools pieces on their own.
|
|
|
+ - Running "make version" now displays the version of Tor that
|
|
|
+ we're about to build. Idea from katmagic; resolves issue 4400.
|
|
|
+ - Make 'tor --digests' list hashes of all Tor source files. Bugfix
|
|
|
+ on 0.2.2.4-alpha; fixes bug 3427.
|
|
|
+ - New --enable-static-tor configure option for building Tor as
|
|
|
+ statically as possible. Idea, general hackery and thoughts from
|
|
|
+ Alexei Czeskis, John Gilmore, Jacob Appelbaum. Implements ticket
|
|
|
+ 2702.
|
|
|
+ - Limited, experimental support for building with nmake and MSVC.
|
|
|
+
|
|
|
+ o Build requirements:
|
|
|
+ - Building Tor with bufferevent support now requires Libevent
|
|
|
+ 2.0.13-stable or later. Previous versions of Libevent had bugs in
|
|
|
+ SSL-related bufferevents and related issues that would make Tor
|
|
|
+ work badly with bufferevents. Requiring 2.0.13-stable also allows
|
|
|
+ Tor with bufferevents to take advantage of Libevent APIs
|
|
|
+ introduced after 2.0.8-rc.
|
|
|
+ - Our build system requires automake 1.6 or later to create the
|
|
|
+ Makefile.in files. Previously, you could have used 1.4.
|
|
|
+ This only affects developers and people building Tor from git;
|
|
|
+ people who build Tor from the source distribution without changing
|
|
|
+ the Makefile.am files should be fine.
|
|
|
+ - Detect when we try to build on a platform that doesn't define
|
|
|
+ AF_UNSPEC to 0. We don't work there, so refuse to compile.
|
|
|
+
|
|
|
+ o Build fixes (compile/link):
|
|
|
+ - Format more doubles with %f, not %lf. Patch from grarpamp to make
|
|
|
+ Tor build correctly on older BSDs again. Fixes bug 3894; bugfix on
|
|
|
+ Tor 0.2.0.8-alpha.
|
|
|
+ - When building with --enable-static-tor on OpenBSD, do not
|
|
|
+ erroneously attempt to link -lrt. Fixes bug 5103.
|
|
|
+ - Set _WIN32_WINNT to 0x0501 consistently throughout the code, so
|
|
|
+ that IPv6 stuff will compile on MSVC, and compilation issues
|
|
|
+ will be easier to track down. Fixes bug 5861.
|
|
|
+ - Fix build and 64-bit compile warnings from --enable-openbsd-malloc.
|
|
|
+ Fixes bug 6379. Bugfix on 0.2.0.20-rc.
|
|
|
+ - Make Tor build correctly again with -DUNICODE -D_UNICODE defined.
|
|
|
+ Fixes bug 6097; bugfix on 0.2.2.16-alpha.
|
|
|
+
|
|
|
+ o Build fixes (other):
|
|
|
+ - Use the _WIN32 macro throughout our code to detect Windows.
|
|
|
+ (Previously we had used the obsolete 'WIN32' and the idiosyncratic
|
|
|
+ 'MS_WINDOWS'.)
|
|
|
+ - Properly handle the case where the build-tree is not the same
|
|
|
+ as the source tree when generating src/common/common_sha1.i,
|
|
|
+ src/or/micro-revision.i, and src/or/or_sha1.i. Fixes bug 3953;
|
|
|
+ bugfix on 0.2.0.1-alpha.
|
|
|
+ - During configure, search for library containing cos function as
|
|
|
+ libm lives in libcore on some platforms (BeOS/Haiku). Linking
|
|
|
+ against libm was hard-coded before. Fixes the first part of bug
|
|
|
+ 4727; bugfix on 0.2.2.2-alpha. Patch and analysis by Martin Hebnes
|
|
|
+ Pedersen.
|
|
|
+ - Prevent a false positive from the check-spaces script, by disabling
|
|
|
+ the "whitespace between function name and (" check for functions
|
|
|
+ named 'op()'.
|
|
|
+
|
|
|
+ o Packaging (RPM) changes:
|
|
|
+ - Update our default RPM spec files to work with mock and rpmbuild
|
|
|
+ on RHEL/Fedora. They have an updated set of dependencies and
|
|
|
+ conflicts, a fix for an ancient typo when creating the "_tor"
|
|
|
+ user, and better instructions. Thanks to Ondrej Mikle for the
|
|
|
+ patch series. Fixes bug 6043.
|
|
|
+ - On OpenSUSE, create the /var/run/tor directory on startup if it
|
|
|
+ is not already created. Patch from Andreas Stieger. Fixes bug 2573.
|
|
|
+
|
|
|
+ o Code refactoring (safety):
|
|
|
+ - Do not use SMARTLIST_FOREACH for any loop whose body exceeds
|
|
|
+ 10 lines. Also, don't nest them. Doing so in the past has
|
|
|
+ led to hard-to-debug code. The new style is to use the
|
|
|
+ SMARTLIST_FOREACH_{BEGIN,END} pair. Addresses issue 6400.
|
|
|
+ - Use macros to indicate OpenSSL versions, so we don't need to worry
|
|
|
+ about accidental hexadecimal bit shifts.
|
|
|
+ - Use tor_sscanf() in place of scanf() in more places through the
|
|
|
+ code. This makes us a little more locale-independent, and
|
|
|
+ should help shut up code-analysis tools that can't tell
|
|
|
+ a safe sscanf string from a dangerous one.
|
|
|
+ - Convert more instances of tor_snprintf+tor_strdup into tor_asprintf.
|
|
|
+ - Use the smartlist_add_asprintf() alias more consistently.
|
|
|
+
|
|
|
+ o Code refactoring (consolidate):
|
|
|
+ - A major revision to our internal node-selecting and listing logic.
|
|
|
+ Tor already had at least two major ways to look at the question of
|
|
|
+ "which Tor servers do we know about": a list of router descriptors,
|
|
|
+ and a list of entries in the current consensus. With
|
|
|
+ microdescriptors, we're adding a third. Having so many systems
|
|
|
+ without an abstraction layer over them was hurting the codebase.
|
|
|
+ Now, we have a new "node_t" abstraction that presents a consistent
|
|
|
+ interface to a client's view of a Tor node, and holds (nearly) all
|
|
|
+ of the mutable state formerly in routerinfo_t and routerstatus_t.
|
|
|
+ - Move tor_gettimeofday_cached() into compat_libevent.c, and use
|
|
|
+ Libevent's notion of cached time when possible.
|
|
|
+ - Remove duplicate code for invoking getrlimit() from control.c.
|
|
|
+ - Use OpenSSL's built-in SSL_state_string_long() instead of our
|
|
|
+ own homebrewed ssl_state_to_string() replacement. Patch from
|
|
|
+ Emile Snyder. Fixes bug 4653.
|
|
|
+ - Change the symmetric cipher interface so that creating and
|
|
|
+ initializing a stream cipher are no longer separate functions.
|
|
|
+
|
|
|
+ o Code refactoring (separate):
|
|
|
+ - Make a new "entry connection" struct as an internal subtype of "edge
|
|
|
+ connection", to simplify the code and make exit connections smaller.
|
|
|
+ - Split connection_about_to_close() into separate functions for each
|
|
|
+ connection type.
|
|
|
+ - Rewrite the listener-selection logic so that parsing which ports
|
|
|
+ we want to listen on is now separate from binding to the ports
|
|
|
+ we want.
|
|
|
+
|
|
|
+ o Code refactoring (name changes):
|
|
|
+ - Rename a handful of old identifiers, mostly related to crypto
|
|
|
+ structures and crypto functions. By convention, our "create an
|
|
|
+ object" functions are called "type_new()", our "free an object"
|
|
|
+ functions are called "type_free()", and our types indicate that
|
|
|
+ they are types only with a final "_t". But a handful of older
|
|
|
+ types and functions broke these rules, with function names like
|
|
|
+ "type_create" or "subsystem_op_type", or with type names like
|
|
|
+ type_env_t.
|
|
|
+ - Rename Tor functions that turn strings into addresses, so that
|
|
|
+ "parse" indicates that no hostname resolution occurs, and
|
|
|
+ "lookup" indicates that hostname resolution may occur. This
|
|
|
+ should help prevent mistakes in the future. Fixes bug 3512.
|
|
|
+ - Use the name "CERTS" consistently to refer to the new cell type;
|
|
|
+ we were calling it CERT in some places and CERTS in others.
|
|
|
+ - Use a TOR_INVALID_SOCKET macro when initializing a socket to an
|
|
|
+ invalid value, rather than just -1.
|
|
|
+ - Rename the bench_{aes,dmap} functions to test_*, so that tinytest
|
|
|
+ can pick them up when the tests aren't disabled. Bugfix on
|
|
|
+ 0.2.2.4-alpha which introduced tinytest.
|
|
|
+
|
|
|
+ o Code refactoring (other):
|
|
|
+ - Defensively refactor rend_mid_rendezvous() so that protocol
|
|
|
+ violations and length checks happen in the beginning. Fixes
|
|
|
+ bug 5645.
|
|
|
+ - Remove the pure attribute from all functions that used it
|
|
|
+ previously. In many cases we assigned it incorrectly, because the
|
|
|
+ functions might assert or call impure functions, and we don't have
|
|
|
+ evidence that keeping the pure attribute is worthwhile. Implements
|
|
|
+ changes suggested in ticket 4421.
|
|
|
+ - Move the replay-detection cache for the RSA-encrypted parts of
|
|
|
+ INTRODUCE2 cells to the introduction point data structures.
|
|
|
+ Previously, we would use one replay-detection cache per hidden
|
|
|
+ service. Required by fix for bug 3460.
|
|
|
+ - The helper programs tor-gencert, tor-resolve, and tor-checkkey
|
|
|
+ no longer link against Libevent: they never used it, but
|
|
|
+ our library structure used to force them to link it.
|
|
|
+
|
|
|
+ o Removed features and files:
|
|
|
+ - Remove all internal support for unpadded RSA. We never used it, and
|
|
|
+ it would be a bad idea to start.
|
|
|
+ - Remove some workaround code for OpenSSL 0.9.6 (which is no longer
|
|
|
+ supported).
|
|
|
+ - Remove some redundant #include directives throughout the code.
|
|
|
+ Patch from Andrea Gelmini.
|
|
|
+ - Remove some old code to remember statistics about which descriptors
|
|
|
+ we've served as a directory mirror. The feature wasn't used and
|
|
|
+ is outdated now that microdescriptors are around.
|
|
|
+ - Remove some old code to work around even older versions of Tor that
|
|
|
+ used forked processes to handle DNS requests. Such versions of Tor
|
|
|
+ are no longer in use as relays.
|
|
|
+ - The "torify" script no longer supports the "tsocks" socksifier
|
|
|
+ tool, since tsocks doesn't support DNS and UDP right for Tor.
|
|
|
+ Everyone should be using torsocks instead. Fixes bugs 3530 and
|
|
|
+ 5180. Based on a patch by "ugh".
|
|
|
+ - Remove the torrc.bridge file: we don't use it for anything, and
|
|
|
+ it had become badly desynchronized from torrc.sample. Resolves
|
|
|
+ bug 5622.
|
|
|
+
|
|
|
+ o Documentation:
|
|
|
+ - Begin a doc/state-contents.txt file to explain the contents of
|
|
|
+ the Tor state file. Fixes bug 2987.
|
|
|
+ - Clarify the documentation for the Alternate*Authority options.
|
|
|
+ Fixes bug 6387.
|
|
|
+ - Document the --defaults-torrc option, and the new semantics for
|
|
|
+ overriding, extending, and clearing lists of options. Closes
|
|
|
+ bug 4748.
|
|
|
+ - Add missing man page documentation for consensus and microdesc
|
|
|
+ files. Resolves ticket 6732.
|
|
|
+ - Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500.
|
|
|
+
|
|
|
+ o Documentation fixes:
|
|
|
+ - Improve the manual's documentation for the NT Service command-line
|
|
|
+ options. Addresses ticket 3964.
|
|
|
+ - Clarify SessionGroup documentation slightly; resolves ticket 5437.
|
|
|
+ - Document the changes to the ORPort and DirPort options, and the
|
|
|
+ fact that {OR/Dir}ListenAddress is now unnecessary (and
|
|
|
+ therefore deprecated). Resolves ticket 5597.
|
|
|
+ - Correct a broken faq link in the INSTALL file. Fixes bug 2307.
|
|
|
+ - Clarify that hidden services are TCP only. Fixes bug 6024.
|
|
|
+
|
|
|
+
|
|
|
Changes in version 0.2.2.39 - 2012-09-11
|
|
|
Tor 0.2.2.39 fixes two more opportunities for remotely triggerable
|
|
|
assertions.
|
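Review bot: The added 0.2.3.25 notes end with two overlapping sections, "o Documentation:" and "o Documentation fixes:", and nothing in their entries distinguishes them (both contain "Clarify ..." and "Document ..." items), so they should be merged under a single heading. In the same region, the torify entry's "tsocks doesn't support DNS and UDP right for Tor" would read more clearly as "doesn't handle DNS and UDP correctly for Tor", "faq" in the INSTALL entry should be "FAQ", and the SessionGroup entry's "; resolves ticket 5437." should use the ". Resolves ticket N." form that the neighbouring entries use.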