@@ -2,76 +2,68 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
Tor 0.2.8.1-alpha is the first alpha release in its series. It
includes numerous small features and bugfixes against previous Tor
versions, and numerous small infrastructure improvements. The most
- notable features are a set of improvements to the directory
- subsystem.
-
- o Major key updates:
- - Update the V3 identity key for the dannenberg directory authority:
- it was changed on 18 November 2015. Closes task 17906. Patch by
- "teor".
-
- o Removed features:
- - Remove client-side support for connecting to Tor servers running
- versions of Tor before 0.2.3.6-alpha. These servers didn't support
- the v3 TLS handshake protocol, and are no longer allowed on the
- Tor network. Implements the client side of ticket 11150. Based on
- patches by Tom van der Woerdt.
+ notable features are a set of improvements to the directory subsystem.

o Major features (security, Linux):
- - When Tor starts as root on Linux and is told to switch user ID,
- it can now retain the capability to bind to low ports. By
- default, Tor will do this only when it's switching user ID and
- some low ports have been configured. You can change this behavior
- with the new option KeepBindCapabilities. Closes ticket 8195.
+ - When Tor starts as root on Linux and is told to switch user ID, it
+ can now retain the capability to bind to low ports. By default,
+ Tor will do this only when it's switching user ID and some low
+ ports have been configured. You can change this behavior with the
+ new option KeepBindCapabilities. Closes ticket 8195.

o Major features (directory system):
- - When bootstrapping we not launch multiple consensus downloads
- at a time, use the first one that starts downloading, and close the
- rest. This reduces failures when authorities or fallback directories are slow or down.
- Together with the code for feature 15775, this feature should reduces failures due
- to fallback churn. Implements ticket 4483.
- Patch by "teor". Implements IPv4 portions
+ - When bootstrapping we not launch multiple consensus downloads at a
+ time, use the first one that starts downloading, and close the
+ rest. This reduces failures when authorities or fallback
+ directories are slow or down. Together with the code for feature
+ 15775, this feature should reduces failures due to fallback churn.
+ Implements ticket 4483. Patch by "teor". Implements IPv4 portions
of proposal 210 by "mikeperry" and "teor".
- - Include a trial list of default fallback directories, based
- on an opt-in survey of suitable relays. Doing this should make
- clients bootstrap more quickly and reliably, and reduce the
- load on the directory authorities. Closes ticket 15775. Patch by
- "teor". Candidates identified using an OnionOO script by "weasel", "teor", "gsathya",
- and "karsten".
+ - Include a trial list of default fallback directories, based on an
+ opt-in survey of suitable relays. Doing this should make clients
+ bootstrap more quickly and reliably, and reduce the load on the
+ directory authorities. Closes ticket 15775. Patch by "teor".
+ Candidates identified using an OnionOO script by "weasel", "teor",
+ "gsathya", and "karsten".
- Previously only relays that explicitly opened a directory port
(DirPort) accepted directory requests from clients. Now all
- relays, with and without a DirPort,
- accept and serve tunneled directory requests that they
- receive through their ORPort. You can disable this behavior using
- the new DirCache option.
- Closes ticket 12538.
+ relays, with and without a DirPort, accept and serve tunneled
+ directory requests that they receive through their ORPort. You can
+ disable this behavior using the new DirCache option. Closes
+ ticket 12538.
+
+ o Major key updates:
+ - Update the V3 identity key for the dannenberg directory authority:
+ it was changed on 18 November 2015. Closes task 17906. Patch
+ by "teor".

o Minor features (security, clock):
- - Warn when the system clock appears to move back in time (when the state
- file was last written in the future). Tor doesn't know that
+ - Warn when the system clock appears to move back in time (when the
+ state file was last written in the future). Tor doesn't know that
consensuses have expired if the clock is in the past. Patch by
"teor". Implements ticket 17188.

o Minor features (security, exit policies):
- - ExitPolicyRejectPrivate now rejects more private addresses by default.
- Specifically, it now rejects the relay's outbound bind addresses (if
- configured), and the relay's configured port addresses (such as
- ORPort and DirPort). Fixes bug 17027; bugfix on 0.2.0.11-alpha.
- Patch by "teor".
+ - ExitPolicyRejectPrivate now rejects more private addresses by
+ default. Specifically, it now rejects the relay's outbound bind
+ addresses (if configured), and the relay's configured port
+ addresses (such as ORPort and DirPort). Fixes bug 17027; bugfix on
+ 0.2.0.11-alpha. Patch by "teor".

o Minor features (security, memory erasure):
- Set the unused entires in a smartlist to NULL. This helped catch
a (harmless) bug, and shouldn't affect performance too much.
Implements ticket 17026.
- Use SecureMemoryWipe() function to securely clean memory on
- Windows. Previously we'd use OpenSSL's OPENSSL_cleanse() function. Implements feature 17986.
+ Windows. Previously we'd use OpenSSL's OPENSSL_cleanse() function.
+ Implements feature 17986.
- Use explicit_bzero or memset_s when present. Previously, we'd use
OpenSSL's OPENSSL_cleanse() function. Closes ticket 7419; patches
from <logan@hackers.mu> and <selven@hackers.mu>.
- - Make memwipe() do nothing when passed a NULL pointer or buffer of zero size.
- Check size argument to memwipe() for underflow. Fixes bug 18089;
- bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk", patch
- by "teor".
+ - Make memwipe() do nothing when passed a NULL pointer or buffer of
+ zero size. Check size argument to memwipe() for underflow. Fixes
+ bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
+ patch by "teor".

o Minor features (security, RNG):
- Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely,
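Review bot: two typos survive the rewrap on the added lines of the directory-system entry: "+ - When bootstrapping we not launch multiple consensus downloads at a" reads as if "now" were intended, and "+ 15775, this feature should reduces failures due to fallback churn." should read "should reduce". Since these lines are being rewritten anyway, fix both here rather than in a follow-up; the nearby context line "Set the unused entires in a smartlist to NULL" ("entries") could be picked up in the same pass.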
@@ -79,17 +71,17 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
internal details of OpenSSL's behavior. Closes ticket 17686.
- Never use the system entropy output directly for anything besides
seeding the PRNG. When we want to generate important keys, instead
- of using system entropy directly, we now hash it with the PRNG stream.
- This may help resist certain attacks based on broken OS entropy
- implementations. Closes part of ticket 17694.
- - Use modern system calls (like getentropy() or getrandom()) to generate strong entropy on platforms
- that have them. Closes ticket 13696.
+ of using system entropy directly, we now hash it with the PRNG
+ stream. This may help resist certain attacks based on broken OS
+ entropy implementations. Closes part of ticket 17694.
+ - Use modern system calls (like getentropy() or getrandom()) to
+ generate strong entropy on platforms that have them. Closes
+ ticket 13696.

o Minor features (accounting):
- - Added two modes to the AccountingRule option: One for limiting only
- the number of bytes sent ("AccountingRule out"), and one for
- limiting only the number of bytes
- received ("AccountingRule in").
+ - Added two modes to the AccountingRule option: One for limiting
+ only the number of bytes sent ("AccountingRule out"), and one for
+ limiting only the number of bytes received ("AccountingRule in").
Closes ticket 15989; patch from "unixninja92".

o Minor features (build):
@@ -106,10 +98,10 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
- New 'GETINFO hs/service/desc/id/' command to retrieve a hidden
service descriptor from a service's local hidden service
descriptor cache. Closes ticket 14846.
- - Add 'GETINFO exit-policy/reject-private/[default,relay]', so
- controllers can examine the
- the reject rules added by ExitPolicyRejectPrivate. This makes
- it easier for stem to display exit policies.
+ - Add 'GETINFO exit-policy/reject-private/[default,relay]', so
+ controllers can examine the the reject rules added by
+ ExitPolicyRejectPrivate. This makes it easier for stem to display
+ exit policies.

o Minor features (crypto):
- Add SHA512 support to crypto.c. Closes ticket 17663; patch from
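Review bot: the rewrap carries over the duplicated article that the old line break hid: "+ controllers can examine the the reject rules added by". The removed text had "the" at the end of one line and "the reject rules" at the start of the next, so this is the moment to drop one "the".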
@@ -124,23 +116,24 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
Fixes bug 17544; bugfix on 0.2.5.3-alpha.

o Minor features (directory downloads):
- - Wait for busy authorities and fallback directories to become non-busy when
- bootstrapping. (A similar change was made in 6c443e987d for
- directory caches chosen from the consensus.) Closes ticket 17864;
- patch by "teor".
+ - Wait for busy authorities and fallback directories to become non-
+ busy when bootstrapping. (A similar change was made in 6c443e987d
+ for directory caches chosen from the consensus.) Closes ticket
+ 17864; patch by "teor".
- Add UseDefaultFallbackDirs, which enables any hard-coded fallback
- directory mirrors. The default is 1; set it to 0 to disable fallbacks.
- Implements ticket 17576. Patch by "teor".
+ directory mirrors. The default is 1; set it to 0 to disable
+ fallbacks. Implements ticket 17576. Patch by "teor".

o Minor features (geoip):
- Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
Country database.

o Minor features (IPv6):
- - Add an argument 'ipv6=address:orport' to the DirAuthority and FallbackDir
- torrc options, to specify an IPv6 address for an authority or fallback directory. Add hard-coded ipv6 addresses for directory
- authorities that have them. Closes ticket
- 17327; patch from Nick Mathewson and "teor".
+ - Add an argument 'ipv6=address:orport' to the DirAuthority and
+ FallbackDir torrc options, to specify an IPv6 address for an
+ authority or fallback directory. Add hard-coded ipv6 addresses for
+ directory authorities that have them. Closes ticket 17327; patch
+ from Nick Mathewson and "teor".
- Add address policy assume_action support for IPv6 addresses.
- Limit IPv6 mask bits to 128.
- Warn when comparing against an AF_UNSPEC address in a policy, it's
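Review bot: the new wrapping splits a hyphenated word across two lines ("+ ... to become non-" / "+ busy when bootstrapping ..."), which reads as a hyphenation artifact in a plain-text changelog; rewrap so "non-busy" stays on one line, for example by starting the second line at "non-busy when bootstrapping."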
@@ -191,9 +184,9 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
need for CAP_READ_SEARCH when using systemd's
CapabilityBoundingSet, or dac_read_search when using SELinux.
Implements part of ticket 17562. Patch from Jamie Nguyen.
- - Introduce a new DataDirectoryGroupReadable option. If it is set to 1, the
- DataDirectory will be made readable by the default GID. Implements
- part of ticket 17562. Patch from Jamie Nguyen.
+ - Introduce a new DataDirectoryGroupReadable option. If it is set to
+ 1, the DataDirectory will be made readable by the default GID.
+ Implements part of ticket 17562. Patch from Jamie Nguyen.

o Minor bugfixes (accounting):
- The max bandwidth when using 'AccountRule sum' is now correctly
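Review bot: the trailing context line "The max bandwidth when using 'AccountRule sum'" names the option as AccountRule, while the accounting feature entry earlier in this same changelog spells it AccountingRule ("AccountingRule out", "AccountingRule in"); since this change is already rewrapping the file, correcting the option name here keeps the entries consistent.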
@@ -212,11 +205,11 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?

o Minor bugfixes (compilation):
- Mark all object files that include micro-revision.i as depending
- on it, so as to make parallel builds more reliable.
- Fixes bug 17826; bugfix on 0.2.5.1-alpha.
- - Don't try to use the pthread_condattr_setclock() function unless it
- actually exists. Fixes compilation on NetBSD-6.x. Fixes bug 17819;
- bugfix on 0.2.6.3-alpha.
+ on it, so as to make parallel builds more reliable. Fixes bug
+ 17826; bugfix on 0.2.5.1-alpha.
+ - Don't try to use the pthread_condattr_setclock() function unless
+ it actually exists. Fixes compilation on NetBSD-6.x. Fixes bug
+ 17819; bugfix on 0.2.6.3-alpha.
- Fix backtrace compilation on FreeBSD. Fixes bug 17827; bugfix
on tor-0.2.5.2-alpha.
- Fix compilation of sandbox.c with musl-libc. Fixes bug 17347;
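Review bot: the context entry "bugfix on tor-0.2.5.2-alpha" carries a "tor-" prefix that no other "bugfix on" entry in this hunk uses (compare "+ 17826; bugfix on 0.2.5.1-alpha." and "+ 17819; bugfix on 0.2.6.3-alpha." on the rewrapped lines); worth normalizing to the bare version number in the same pass.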
@@ -308,10 +301,10 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
- Move logging of redundant policy entries in
policies_parse_exit_policy_internal into its own function. Closes
ticket 17608; patch from "juce".
- - Extract the more complicated parts of circuit_mark_for_close() into
- a new function that we run periodically before circuits are freed. This
- change removes more than half of the functions currently in the
- "blob". Closes ticket 17218.
+ - Extract the more complicated parts of circuit_mark_for_close()
+ into a new function that we run periodically before circuits are
+ freed. This change removes more than half of the functions
+ currently in the "blob". Closes ticket 17218.
- Clean up a little duplicated code in
crypto_expand_key_material_TAP(). Closes ticket 17587; patch
from "pfrankw".
@@ -326,8 +319,8 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
simplifies Tor's callback and prevents the directory-request
launching code from invoking itself recursively. Closes
ticket 17589
- - Remove code for configuring OpenSSL dynamic locks; OpenSSL doesn't use them.
- Closes ticket 17926.
+ - Remove code for configuring OpenSSL dynamic locks; OpenSSL doesn't
+ use them. Closes ticket 17926.

o Documentation:
- Add a description of the correct use of the '--keygen' command-
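Review bot: the context line "ticket 17589" directly above the changed lines is the only entry in this region without a terminating period (compare "+ use them. Closes ticket 17926."); since the entry right below it is being rewrapped, add the period in the same change.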
@@ -339,6 +332,13 @@ Changes in version 0.2.8.1-alpha - 2016-02-0?
whenever we mention a document that belongs in torspce. Fixes
issue 17392.

+ o Removed features:
+ - Remove client-side support for connecting to Tor servers running
+ versions of Tor before 0.2.3.6-alpha. These servers didn't support
+ the v3 TLS handshake protocol, and are no longer allowed on the
+ Tor network. Implements the client side of ticket 11150. Based on
+ patches by Tom van der Woerdt.
+
o Testing:
- Add unit tests to check for common RNG failure modes, such as
returning all zeroes, identical values, or incrementing values
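Review bot: the relocated "Removed features" block matches the text deleted near the top of the file word for word, so the move loses nothing; while here, the context line "whenever we mention a document that belongs in torspce" misspells "torspec" and could be fixed in the same pass.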