|
@@ -1,7 +1,715 @@
|
|
|
-
|
|
|
This document summarizes new features and bugfixes in each stable release
|
|
|
of Tor. If you want to see more detailed descriptions of the changes in
|
|
|
each development snapshot, see the ChangeLog file.
|
|
|
+
|
|
|
+Changes in version 0.2.7.6 - 2015-12-10
|
|
|
+ Tor version 0.2.7.6 fixes a major bug in entry guard selection, as
|
|
|
+ well as a minor bug in hidden service reliability.
|
|
|
+
|
|
|
+ o Major bugfixes (guard selection):
|
|
|
+ - Actually look at the Guard flag when selecting a new directory
|
|
|
+ guard. When we implemented the directory guard design, we
|
|
|
+ accidentally started treating all relays as if they have the Guard
|
|
|
+ flag during guard selection, leading to weaker anonymity and worse
|
|
|
+ performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
|
|
|
+ by Mohsen Imani.
|
|
|
+
|
|
|
+ o Minor features (geoip):
|
|
|
+ - Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2
|
|
|
+ Country database.
|
|
|
+
|
|
|
+ o Minor bugfixes (compilation):
|
|
|
+ - When checking for net/pfvar.h, include netinet/in.h if possible.
|
|
|
+ This fixes transparent proxy detection on OpenBSD. Fixes bug
|
|
|
+ 17551; bugfix on 0.1.2.1-alpha. Patch from "rubiate".
|
|
|
+ - Fix a compilation warning with Clang 3.6: Do not check the
|
|
|
+ presence of an address which can never be NULL. Fixes bug 17781.
|
|
|
+
|
|
|
+ o Minor bugfixes (correctness):
|
|
|
+ - When displaying an IPv6 exit policy, include the mask bits
|
|
|
+ correctly even when the number is greater than 31. Fixes bug
|
|
|
+ 16056; bugfix on 0.2.4.7-alpha. Patch from "gturner".
|
|
|
+ - The wrong list was used when looking up expired intro points in a
|
|
|
+ rend service object, causing what we think could be reachability
|
|
|
+ issues for hidden services, and triggering a BUG log. Fixes bug
|
|
|
+ 16702; bugfix on 0.2.7.2-alpha.
|
|
|
+ - Fix undefined behavior in the tor_cert_checksig function. Fixes
|
|
|
+ bug 17722; bugfix on 0.2.7.2-alpha.
|
|
|
+
|
|
|
+
|
|
|
+Changes in version 0.2.7.5 - 2015-11-20
|
|
|
+ The Tor 0.2.7 release series is dedicated to the memory of Tor user
|
|
|
+ and privacy advocate Caspar Bowden (1961-2015). Caspar worked
|
|
|
+ tirelessly to advocate human rights regardless of national borders,
|
|
|
+ and oppose the encroachments of mass surveillance. He opposed national
|
|
|
+ exceptionalism, he brought clarity to legal and policy debates, he
|
|
|
+ understood and predicted the impact of mass surveillance on the world,
|
|
|
+ and he laid the groundwork for resisting it. While serving on the Tor
|
|
|
+ Project's board of directors, he brought us his uncompromising focus
|
|
|
+ on technical excellence in the service of humankind. Caspar was an
|
|
|
+ inimitable force for good and a wonderful friend. He was kind,
|
|
|
+ humorous, generous, gallant, and believed we should protect one
|
|
|
+ another without exception. We honor him here for his ideals, his
|
|
|
+ efforts, and his accomplishments. Please honor his memory with works
|
|
|
+ that would make him proud.
|
|
|
+
|
|
|
+ Tor 0.2.7.5 is the first stable release in the Tor 0.2.7 series.
|
|
|
+
|
|
|
+ The 0.2.7 series adds a more secure identity key type for relays,
|
|
|
+ improves cryptography performance, resolves several longstanding
|
|
|
+ hidden-service performance issues, improves controller support for
|
|
|
+ hidden services, and includes small bugfixes and performance
|
|
|
+ improvements throughout the program. This release series also includes
|
|
|
+ more tests than before, and significant simplifications to which parts
|
|
|
+ of Tor invoke which others. For a full list of changes, see below.
|
|
|
+
|
|
|
+ o New system requirements:
|
|
|
+ - Tor no longer includes workarounds to support Libevent versions
|
|
|
+ before 1.3e. Libevent 2.0 or later is recommended. Closes
|
|
|
+ ticket 15248.
|
|
|
+ - Tor no longer supports copies of OpenSSL that are missing support
|
|
|
+ for Elliptic Curve Cryptography. (We began using ECC when
|
|
|
+ available in 0.2.4.8-alpha, for more safe and efficient key
|
|
|
+ negotiation.) In particular, support for at least one of P256 or
|
|
|
+ P224 is now required, with manual configuration needed if only
|
|
|
+ P224 is available. Resolves ticket 16140.
|
|
|
+ - Tor no longer supports versions of OpenSSL before 1.0. (If you are
|
|
|
+ on an operating system that has not upgraded to OpenSSL 1.0 or
|
|
|
+ later, and you compile Tor from source, you will need to install a
|
|
|
+ more recent OpenSSL to link Tor against.) These versions of
|
|
|
+ OpenSSL are still supported by the OpenSSL, but the numerous
|
|
|
+ cryptographic improvements in later OpenSSL releases makes them a
|
|
|
+ clear choice. Resolves ticket 16034.
|
|
|
+
|
|
|
+ o Major features (controller):
|
|
|
+ - Add the ADD_ONION and DEL_ONION commands that allow the creation
|
|
|
+ and management of hidden services via the controller. Closes
|
|
|
+ ticket 6411.
|
|
|
+ - New "GETINFO onions/current" and "GETINFO onions/detached"
|
|
|
+ commands to get information about hidden services created via the
|
|
|
+ controller. Part of ticket 6411.
|
|
|
+ - New HSFETCH command to launch a request for a hidden service
|
|
|
+ descriptor. Closes ticket 14847.
|
|
|
+ - New HSPOST command to upload a hidden service descriptor. Closes
|
|
|
+ ticket 3523. Patch by "DonnchaC".
|
|
|
+
|
|
|
+ o Major features (Ed25519 identity keys, Proposal 220):
|
|
|
+ - Add support for offline encrypted Ed25519 master keys. To use this
|
|
|
+ feature on your tor relay, run "tor --keygen" to make a new master
|
|
|
+ key (or to make a new signing key if you already have a master
|
|
|
+ key). Closes ticket 13642.
|
|
|
+ - All relays now maintain a stronger identity key, using the Ed25519
|
|
|
+ elliptic curve signature format. This master key is designed so
|
|
|
+ that it can be kept offline. Relays also generate an online
|
|
|
+ signing key, and a set of other Ed25519 keys and certificates.
|
|
|
+ These are all automatically regenerated and rotated as needed.
|
|
|
+ Implements part of ticket 12498.
|
|
|
+ - Directory authorities now vote on Ed25519 identity keys along with
|
|
|
+ RSA1024 keys. Implements part of ticket 12498.
|
|
|
+ - Directory authorities track which Ed25519 identity keys have been
|
|
|
+ used with which RSA1024 identity keys, and do not allow them to
|
|
|
+ vary freely. Implements part of ticket 12498.
|
|
|
+ - Microdescriptors now include Ed25519 identity keys. Implements
|
|
|
+ part of ticket 12498.
|
|
|
+ - Add a --newpass option to allow changing or removing the
|
|
|
+ passphrase of an encrypted key with tor --keygen. Implements part
|
|
|
+ of ticket 16769.
|
|
|
+ - Add a new OfflineMasterKey option to tell Tor never to try loading
|
|
|
+ or generating a secret Ed25519 identity key. You can use this in
|
|
|
+ combination with tor --keygen to manage offline and/or encrypted
|
|
|
+ Ed25519 keys. Implements ticket 16944.
|
|
|
+ - On receiving a HUP signal, check to see whether the Ed25519
|
|
|
+ signing key has changed, and reload it if so. Closes ticket 16790.
|
|
|
+ - Significant usability improvements for Ed25519 key management. Log
|
|
|
+ messages are better, and the code can recover from far more
|
|
|
+ failure conditions. Thanks to "s7r" for reporting and diagnosing
|
|
|
+ so many of these!
|
|
|
+
|
|
|
+ o Major features (ECC performance):
|
|
|
+ - Improve the runtime speed of Ed25519 signature verification by
|
|
|
+ using Ed25519-donna's batch verification support. Implements
|
|
|
+ ticket 16533.
|
|
|
+ - Improve the speed of Ed25519 operations and Curve25519 keypair
|
|
|
+ generation when built targeting 32 bit x86 platforms with SSE2
|
|
|
+ available. Implements ticket 16535.
|
|
|
+ - Improve the runtime speed of Ed25519 operations by using the
|
|
|
+ public-domain Ed25519-donna by Andrew M. ("floodyberry").
|
|
|
+ Implements ticket 16467.
|
|
|
+ - Improve the runtime speed of the ntor handshake by using an
|
|
|
+ optimized curve25519 basepoint scalarmult implementation from the
|
|
|
+ public-domain Ed25519-donna by Andrew M. ("floodyberry"), based on
|
|
|
+ ideas by Adam Langley. Implements ticket 9663.
|
|
|
+
|
|
|
+ o Major features (Hidden services):
|
|
|
+ - Hidden services, if using the EntryNodes option, are required to
|
|
|
+ use more than one EntryNode, in order to avoid a guard discovery
|
|
|
+ attack. (This would only affect people who had configured hidden
|
|
|
+ services and manually specified the EntryNodes option with a
|
|
|
+ single entry-node. The impact was that it would be easy to
|
|
|
+ remotely identify the guard node used by such a hidden service.
|
|
|
+ See ticket for more information.) Fixes ticket 14917.
|
|
|
+ - Add the torrc option HiddenServiceNumIntroductionPoints, to
|
|
|
+ specify a fixed number of introduction points. Its maximum value
|
|
|
+ is 10 and default is 3. Using this option can increase a hidden
|
|
|
+ service's reliability under load, at the cost of making it more
|
|
|
+ visible that the hidden service is facing extra load. Closes
|
|
|
+ ticket 4862.
|
|
|
+ - Remove the adaptive algorithm for choosing the number of
|
|
|
+ introduction points, which used to change the number of
|
|
|
+ introduction points (poorly) depending on the number of
|
|
|
+ connections the HS sees. Closes ticket 4862.
|
|
|
+
|
|
|
+ o Major features (onion key cross-certification):
|
|
|
+ - Relay descriptors now include signatures of their own identity
|
|
|
+ keys, made using the TAP and ntor onion keys. These signatures
|
|
|
+ allow relays to prove ownership of their own onion keys. Because
|
|
|
+ of this change, microdescriptors will no longer need to include
|
|
|
+ RSA identity keys. Implements proposal 228; closes ticket 12499.
|
|
|
+
|
|
|
+ o Major bugfixes (client-side privacy, also in 0.2.6.9):
|
|
|
+ - Properly separate out each SOCKSPort when applying stream
|
|
|
+ isolation. The error occurred because each port's session group
|
|
|
+ was being overwritten by a default value when the listener
|
|
|
+ connection was initialized. Fixes bug 16247; bugfix on
|
|
|
+ 0.2.6.3-alpha. Patch by "jojelino".
|
|
|
+
|
|
|
+ o Major bugfixes (hidden service clients, stability, also in 0.2.6.10):
|
|
|
+ - Stop refusing to store updated hidden service descriptors on a
|
|
|
+ client. This reverts commit 9407040c59218 (which indeed fixed bug
|
|
|
+ 14219, but introduced a major hidden service reachability
|
|
|
+ regression detailed in bug 16381). This is a temporary fix since
|
|
|
+ we can live with the minor issue in bug 14219 (it just results in
|
|
|
+ some load on the network) but the regression of 16381 is too much
|
|
|
+ of a setback. First-round fix for bug 16381; bugfix
|
|
|
+ on 0.2.6.3-alpha.
|
|
|
+
|
|
|
+ o Major bugfixes (hidden services):
|
|
|
+ - Revert commit that made directory authorities assign the HSDir
|
|
|
+ flag to relay without a DirPort; this was bad because such relays
|
|
|
+ can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
|
|
|
+ on tor-0.2.6.3-alpha.
|
|
|
+ - When cannibalizing a circuit for an introduction point, always
|
|
|
+ extend to the chosen exit node (creating a 4 hop circuit).
|
|
|
+ Previously Tor would use the current circuit exit node, which
|
|
|
+ changed the original choice of introduction point, and could cause
|
|
|
+ the hidden service to skip excluded introduction points or
|
|
|
+ reconnect to a skipped introduction point. Fixes bug 16260; bugfix
|
|
|
+ on 0.1.0.1-rc.
|
|
|
+
|
|
|
+ o Major bugfixes (memory leaks):
|
|
|
+ - Fix a memory leak in ed25519 batch signature checking. Fixes bug
|
|
|
+ 17398; bugfix on 0.2.6.1-alpha.
|
|
|
+
|
|
|
+ o Major bugfixes (open file limit):
|
|
|
+ - The open file limit wasn't checked before calling
|
|
|
+ tor_accept_socket_nonblocking(), which would make Tor exceed the
|
|
|
+ limit. Now, before opening a new socket, Tor validates the open
|
|
|
+ file limit just before, and if the max has been reached, return an
|
|
|
+ error. Fixes bug 16288; bugfix on 0.1.1.1-alpha.
|
|
|
+
|
|
|
+ o Major bugfixes (security, correctness):
|
|
|
+ - Fix an error that could cause us to read 4 bytes before the
|
|
|
+ beginning of an openssl string. This bug could be used to cause
|
|
|
+ Tor to crash on systems with unusual malloc implementations, or
|
|
|
+ systems with unusual hardening installed. Fixes bug 17404; bugfix
|
|
|
+ on 0.2.3.6-alpha.
|
|
|
+
|
|
|
+ o Major bugfixes (stability, also in 0.2.6.10):
|
|
|
+ - Stop crashing with an assertion failure when parsing certain kinds
|
|
|
+ of malformed or truncated microdescriptors. Fixes bug 16400;
|
|
|
+ bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch
|
|
|
+ by "cypherpunks_backup".
|
|
|
+ - Stop random client-side assertion failures that could occur when
|
|
|
+ connecting to a busy hidden service, or connecting to a hidden
|
|
|
+ service while a NEWNYM is in progress. Fixes bug 16013; bugfix
|
|
|
+ on 0.1.0.1-rc.
|
|
|
+
|
|
|
+ o Minor features (client, SOCKS):
|
|
|
+ - Add GroupWritable and WorldWritable options to unix-socket based
|
|
|
+ SocksPort and ControlPort options. These options apply to a single
|
|
|
+ socket, and override {Control,Socks}SocketsGroupWritable. Closes
|
|
|
+ ticket 15220.
|
|
|
+ - Relax the validation done to hostnames in SOCKS5 requests, and
|
|
|
+ allow a single trailing '.' to cope with clients that pass FQDNs
|
|
|
+ using that syntax to explicitly indicate that the domain name is
|
|
|
+ fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
|
|
|
+ - Relax the validation of hostnames in SOCKS5 requests, allowing the
|
|
|
+ character '_' to appear, in order to cope with domains observed in
|
|
|
+ the wild that are serving non-RFC compliant records. Resolves
|
|
|
+ ticket 16430.
|
|
|
+
|
|
|
+ o Minor features (client-side privacy):
|
|
|
+ - New KeepAliveIsolateSOCKSAuth option to indefinitely extend circuit
|
|
|
+ lifespan when IsolateSOCKSAuth and streams with SOCKS
|
|
|
+ authentication are attached to the circuit. This allows
|
|
|
+ applications like TorBrowser to manage circuit lifetime on their
|
|
|
+ own. Implements feature 15482.
|
|
|
+ - When logging malformed hostnames from SOCKS5 requests, respect
|
|
|
+ SafeLogging configuration. Fixes bug 16891; bugfix on 0.1.1.16-rc.
|
|
|
+
|
|
|
+ o Minor features (clock-jump tolerance):
|
|
|
+ - Recover better when our clock jumps back many hours, like might
|
|
|
+ happen for Tails or Whonix users who start with a very wrong
|
|
|
+ hardware clock, use Tor to discover a more accurate time, and then
|
|
|
+ fix their clock. Resolves part of ticket 8766.
|
|
|
+
|
|
|
+ o Minor features (command-line interface):
|
|
|
+ - Make --hash-password imply --hush to prevent unnecessary noise.
|
|
|
+ Closes ticket 15542. Patch from "cypherpunks".
|
|
|
+ - Print a warning whenever we find a relative file path being used
|
|
|
+ as torrc option. Resolves issue 14018.
|
|
|
+
|
|
|
+ o Minor features (compilation):
|
|
|
+ - Give a warning as early as possible when trying to build with an
|
|
|
+ unsupported OpenSSL version. Closes ticket 16901.
|
|
|
+ - Use C99 variadic macros when the compiler is not GCC. This avoids
|
|
|
+ failing compilations on MSVC, and fixes a log-file-based race
|
|
|
+ condition in our old workarounds. Original patch from Gisle Vanem.
|
|
|
+
|
|
|
+ o Minor features (control protocol):
|
|
|
+ - Support network-liveness GETINFO key and NETWORK_LIVENESS event in
|
|
|
+ the control protocol. Resolves ticket 15358.
|
|
|
+
|
|
|
+ o Minor features (controller):
|
|
|
+ - Add DirAuthority lines for default directory authorities to the
|
|
|
+ output of the "GETINFO config/defaults" command if not already
|
|
|
+ present. Implements ticket 14840.
|
|
|
+ - Controllers can now use "GETINFO hs/client/desc/id/..." to
|
|
|
+ retrieve items from the client's hidden service descriptor cache.
|
|
|
+ Closes ticket 14845.
|
|
|
+ - Implement a new controller command "GETINFO status/fresh-relay-
|
|
|
+ descs" to fetch a descriptor/extrainfo pair that was generated on
|
|
|
+ demand just for the controller's use. Implements ticket 14784.
|
|
|
+
|
|
|
+ o Minor features (directory authorities):
|
|
|
+ - Directory authorities no longer vote against the "Fast", "Stable",
|
|
|
+ and "HSDir" flags just because they were going to vote against
|
|
|
+ "Running": if the consensus turns out to be that the router was
|
|
|
+ running, then the authority's vote should count. Patch from Peter
|
|
|
+ Retzlaff; closes issue 8712.
|
|
|
+
|
|
|
+ o Minor features (directory authorities, security, also in 0.2.6.9):
|
|
|
+ - The HSDir flag given by authorities now requires the Stable flag.
|
|
|
+ For the current network, this results in going from 2887 to 2806
|
|
|
+ HSDirs. Also, it makes it harder for an attacker to launch a sybil
|
|
|
+ attack by raising the effort for a relay to become Stable to
|
|
|
+ require at the very least 7 days, while maintaining the 96 hours
|
|
|
+ uptime requirement for HSDir. Implements ticket 8243.
|
|
|
+
|
|
|
+ o Minor features (DoS-resistance):
|
|
|
+ - Make it harder for attackers to overload hidden services with
|
|
|
+ introductions, by blocking multiple introduction requests on the
|
|
|
+ same circuit. Resolves ticket 15515.
|
|
|
+
|
|
|
+ o Minor features (geoip):
|
|
|
+ - Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2
|
|
|
+ Country database.
|
|
|
+
|
|
|
+ o Minor features (hidden services):
|
|
|
+ - Add the new options "HiddenServiceMaxStreams" and
|
|
|
+ "HiddenServiceMaxStreamsCloseCircuit" to allow hidden services to
|
|
|
+ limit the maximum number of simultaneous streams per circuit, and
|
|
|
+ optionally tear down the circuit when the limit is exceeded. Part
|
|
|
+ of ticket 16052.
|
|
|
+ - Client now uses an introduction point failure cache to know when
|
|
|
+ to fetch or keep a descriptor in their cache. Previously, failures
|
|
|
+ were recorded implicitly, but not explicitly remembered. Closes
|
|
|
+ ticket 16389.
|
|
|
+ - Relays need to have the Fast flag to get the HSDir flag. As this
|
|
|
+ is being written, we'll go from 2745 HSDirs down to 2342, a ~14%
|
|
|
+ drop. This change should make some attacks against the hidden
|
|
|
+ service directory system harder. Fixes ticket 15963.
|
|
|
+ - Turn on hidden service statistics collection by setting the torrc
|
|
|
+ option HiddenServiceStatistics to "1" by default. (This keeps
|
|
|
+ track only of the fraction of traffic used by hidden services, and
|
|
|
+ the total number of hidden services in existence.) Closes
|
|
|
+ ticket 15254.
|
|
|
+ - To avoid leaking HS popularity, don't cycle the introduction point
|
|
|
+ when we've handled a fixed number of INTRODUCE2 cells but instead
|
|
|
+ cycle it when a random number of introductions is reached, thus
|
|
|
+ making it more difficult for an attacker to find out the amount of
|
|
|
+ clients that have used the introduction point for a specific HS.
|
|
|
+ Closes ticket 15745.
|
|
|
+
|
|
|
+ o Minor features (logging):
|
|
|
+ - Include the Tor version in all LD_BUG log messages, since people
|
|
|
+ tend to cut and paste those into the bugtracker. Implements
|
|
|
+ ticket 15026.
|
|
|
+
|
|
|
+ o Minor features (pluggable transports):
|
|
|
+ - When launching managed pluggable transports on Linux systems,
|
|
|
+ attempt to have the kernel deliver a SIGTERM on tor exit if the
|
|
|
+ pluggable transport process is still running. Resolves
|
|
|
+ ticket 15471.
|
|
|
+ - When launching managed pluggable transports, setup a valid open
|
|
|
+ stdin in the child process that can be used to detect if tor has
|
|
|
+ terminated. The "TOR_PT_EXIT_ON_STDIN_CLOSE" environment variable
|
|
|
+ can be used by implementations to detect this new behavior.
|
|
|
+ Resolves ticket 15435.
|
|
|
+
|
|
|
+ o Minor bugfixes (torrc exit policies):
|
|
|
+ - In each instance above, usage advice is provided to avoid the
|
|
|
+ message. Resolves ticket 16069. Patch by "teor". Fixes part of bug
|
|
|
+ 16069; bugfix on 0.2.4.7-alpha.
|
|
|
+ - In torrc, "accept6 *" and "reject6 *" ExitPolicy lines now only
|
|
|
+ produce IPv6 wildcard addresses. Previously they would produce
|
|
|
+ both IPv4 and IPv6 wildcard addresses. Patch by "teor". Fixes part
|
|
|
+ of bug 16069; bugfix on 0.2.4.7-alpha.
|
|
|
+ - When parsing torrc ExitPolicies, we now issue an info-level
|
|
|
+ message when expanding an "accept/reject *" line to include both
|
|
|
+ IPv4 and IPv6 wildcard addresses. Related to ticket 16069.
|
|
|
+ - When parsing torrc ExitPolicies, we now warn for a number of cases
|
|
|
+ where the user's intent is likely to differ from Tor's actual
|
|
|
+ behavior. These include: using an IPv4 address with an accept6 or
|
|
|
+ reject6 line; using "private" on an accept6 or reject6 line; and
|
|
|
+ including any ExitPolicy lines after accept *:* or reject *:*.
|
|
|
+ Related to ticket 16069.
|
|
|
+
|
|
|
+ o Minor bugfixes (command-line interface):
|
|
|
+ - When "--quiet" is provided along with "--validate-config", do not
|
|
|
+ write anything to stdout on success. Fixes bug 14994; bugfix
|
|
|
+ on 0.2.3.3-alpha.
|
|
|
+ - When complaining about bad arguments to "--dump-config", use
|
|
|
+ stderr, not stdout.
|
|
|
+ - Print usage information for --dump-config when it is used without
|
|
|
+ an argument. Also, fix the error message to use different wording
|
|
|
+ and add newline at the end. Fixes bug 15541; bugfix
|
|
|
+ on 0.2.5.1-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (compilation):
|
|
|
+ - Fix compilation of sandbox.c with musl-libc. Fixes bug 17347;
|
|
|
+ bugfix on 0.2.5.1-alpha. Patch from 'jamestk'.
|
|
|
+ - Repair compilation with the most recent (unreleased, alpha)
|
|
|
+ vesions of OpenSSL 1.1. Fixes part of ticket 17237.
|
|
|
+
|
|
|
+ o Minor bugfixes (compilation, also in 0.2.6.9):
|
|
|
+ - Build with --enable-systemd correctly when libsystemd is
|
|
|
+ installed, but systemd is not. Fixes bug 16164; bugfix on
|
|
|
+ 0.2.6.3-alpha. Patch from Peter Palfrader.
|
|
|
+
|
|
|
+ o Minor bugfixes (configuration, unit tests):
|
|
|
+ - Only add the default fallback directories when the DirAuthorities,
|
|
|
+ AlternateDirAuthority, and FallbackDir directory config options
|
|
|
+ are set to their defaults. The default fallback directory list is
|
|
|
+ currently empty, this fix will only change tor's behavior when it
|
|
|
+ has default fallback directories. Includes unit tests for
|
|
|
+ consider_adding_dir_servers(). Fixes bug 15642; bugfix on
|
|
|
+ 90f6071d8dc0 in 0.2.4.7-alpha. Patch by "teor".
|
|
|
+
|
|
|
+ o Minor bugfixes (controller):
|
|
|
+ - Add the descriptor ID in each HS_DESC control event. It was
|
|
|
+ missing, but specified in control-spec.txt. Fixes bug 15881;
|
|
|
+ bugfix on 0.2.5.2-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (correctness):
|
|
|
+ - For correctness, avoid modifying a constant string in
|
|
|
+ handle_control_postdescriptor. Fixes bug 15546; bugfix
|
|
|
+ on 0.1.1.16-rc.
|
|
|
+ - Remove side-effects from tor_assert() calls. This was harmless,
|
|
|
+ because we never disable assertions, but it is bad style and
|
|
|
+ unnecessary. Fixes bug 15211; bugfix on 0.2.5.5, 0.2.2.36,
|
|
|
+ and 0.2.0.10.
|
|
|
+ - When calling channel_free_list(), avoid calling smartlist_remove()
|
|
|
+ while inside a FOREACH loop. This partially reverts commit
|
|
|
+ 17356fe7fd96af where the correct SMARTLIST_DEL_CURRENT was
|
|
|
+ incorrectly removed. Fixes bug 16924; bugfix on 0.2.4.4-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (crypto error-handling, also in 0.2.6.10):
|
|
|
+ - Check for failures from crypto_early_init, and refuse to continue.
|
|
|
+ A previous typo meant that we could keep going with an
|
|
|
+ uninitialized crypto library, and would have OpenSSL initialize
|
|
|
+ its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
|
|
|
+ when implementing ticket 4900. Patch by "teor".
|
|
|
+
|
|
|
+ o Minor bugfixes (hidden service):
|
|
|
+ - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
|
|
|
+ a client authorized hidden service. Fixes bug 15823; bugfix
|
|
|
+ on 0.2.1.6-alpha.
|
|
|
+ - Remove an extraneous newline character from the end of hidden
|
|
|
+ service descriptors. Fixes bug 15296; bugfix on 0.2.0.10-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (Linux seccomp2 sandbox):
|
|
|
+ - Use the sandbox in tor_open_cloexec whether or not O_CLOEXEC is
|
|
|
+ defined. Patch by "teor". Fixes bug 16515; bugfix on 0.2.3.1-alpha.
|
|
|
+ - Allow bridge authorities to run correctly under the seccomp2
|
|
|
+ sandbox. Fixes bug 16964; bugfix on 0.2.5.1-alpha.
|
|
|
+ - Add the "hidserv-stats" filename to our sandbox filter for the
|
|
|
+ HiddenServiceStatistics option to work properly. Fixes bug 17354;
|
|
|
+ bugfix on tor-0.2.6.2-alpha. Patch from David Goulet.
|
|
|
+
|
|
|
+ o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.10):
|
|
|
+ - Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
|
|
|
+ these when eventfd2() support is missing. Fixes bug 16363; bugfix
|
|
|
+ on 0.2.6.3-alpha. Patch from "teor".
|
|
|
+
|
|
|
+ o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.9):
|
|
|
+ - Allow systemd connections to work with the Linux seccomp2 sandbox
|
|
|
+ code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
|
|
|
+ Peter Palfrader.
|
|
|
+ - Fix sandboxing to work when running as a relay, by allowing the
|
|
|
+ renaming of secret_id_key, and allowing the eventfd2 and futex
|
|
|
+ syscalls. Fixes bug 16244; bugfix on 0.2.6.1-alpha. Patch by
|
|
|
+ Peter Palfrader.
|
|
|
+
|
|
|
+ o Minor bugfixes (logging):
|
|
|
+ - When building Tor under Clang, do not include an extra set of
|
|
|
+ parentheses in log messages that include function names. Fixes bug
|
|
|
+ 15269; bugfix on every released version of Tor when compiled with
|
|
|
+ recent enough Clang.
|
|
|
+
|
|
|
+ o Minor bugfixes (network):
|
|
|
+ - When attempting to use fallback technique for network interface
|
|
|
+ lookup, disregard loopback and multicast addresses since they are
|
|
|
+ unsuitable for public communications.
|
|
|
+
|
|
|
+ o Minor bugfixes (open file limit):
|
|
|
+ - Fix set_max_file_descriptors() to set by default the max open file
|
|
|
+ limit to the current limit when setrlimit() fails. Fixes bug
|
|
|
+ 16274; bugfix on tor- 0.2.0.10-alpha. Patch by dgoulet.
|
|
|
+
|
|
|
+ o Minor bugfixes (portability):
|
|
|
+ - Check correctly for Windows socket errors in the workqueue
|
|
|
+ backend. Fixes bug 16741; bugfix on 0.2.6.3-alpha.
|
|
|
+ - Try harder to normalize the exit status of the Tor process to the
|
|
|
+ standard-provided range. Fixes bug 16975; bugfix on every version
|
|
|
+ of Tor ever.
|
|
|
+ - Use libexecinfo on FreeBSD to enable backtrace support. Fixes part
|
|
|
+ of bug 17151; bugfix on 0.2.5.2-alpha. Patch from Marcin Cieślak.
|
|
|
+
|
|
|
+ o Minor bugfixes (relay):
|
|
|
+ - Ensure that worker threads actually exit when a fatal error or
|
|
|
+ shutdown is indicated. This fix doesn't currently affect the
|
|
|
+ behavior of Tor, because Tor workers never indicates fatal error
|
|
|
+ or shutdown except in the unit tests. Fixes bug 16868; bugfix
|
|
|
+ on 0.2.6.3-alpha.
|
|
|
+ - Fix a rarely-encountered memory leak when failing to initialize
|
|
|
+ the thread pool. Fixes bug 16631; bugfix on 0.2.6.3-alpha. Patch
|
|
|
+ from "cypherpunks".
|
|
|
+ - Unblock threads before releasing the work queue mutex to ensure
|
|
|
+ predictable scheduling behavior. Fixes bug 16644; bugfix
|
|
|
+ on 0.2.6.3-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (security, exit policies):
|
|
|
+ - ExitPolicyRejectPrivate now also rejects the relay's published
|
|
|
+ IPv6 address (if any), and any publicly routable IPv4 or IPv6
|
|
|
+ addresses on any local interfaces. ticket 17027. Patch by "teor".
|
|
|
+ Fixes bug 17027; bugfix on 0.2.0.11-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (statistics):
|
|
|
+ - Disregard the ConnDirectionStatistics torrc options when Tor is
|
|
|
+ not a relay since in that mode of operation no sensible data is
|
|
|
+ being collected and because Tor might run into measurement hiccups
|
|
|
+ when running as a client for some time, then becoming a relay.
|
|
|
+ Fixes bug 15604; bugfix on 0.2.2.35.
|
|
|
+
|
|
|
+ o Minor bugfixes (systemd):
|
|
|
+ - Tor's systemd unit file no longer contains extraneous spaces.
|
|
|
+ These spaces would sometimes confuse tools like deb-systemd-
|
|
|
+ helper. Fixes bug 16162; bugfix on 0.2.5.5-alpha.
|
|
|
+
|
|
|
+ o Minor bugfixes (test networks):
|
|
|
+ - When self-testing reachability, use ExtendAllowPrivateAddresses to
|
|
|
+ determine if local/private addresses imply reachability. The
|
|
|
+ previous fix used TestingTorNetwork, which implies
|
|
|
+ ExtendAllowPrivateAddresses, but this excluded rare configurations
|
|
|
+ where ExtendAllowPrivateAddresses is set but TestingTorNetwork is
|
|
|
+ not. Fixes bug 15771; bugfix on 0.2.6.1-alpha. Patch by "teor",
|
|
|
+ issue discovered by CJ Ess.
|
|
|
+
|
|
|
+ o Minor bugfixes (tests, also in 0.2.6.9):
|
|
|
+ - Fix a crash in the unit tests when built with MSVC2013. Fixes bug
|
|
|
+ 16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
|
|
|
+
|
|
|
+ o Code simplification and refactoring:
|
|
|
+ - Change the function that's called when we need to retry all
|
|
|
+ downloads so that it only reschedules the downloads to happen
|
|
|
+ immediately, rather than launching them all at once itself. This
|
|
|
+ further simplifies Tor's callgraph.
|
|
|
+ - Define WINVER and _WIN32_WINNT centrally, in orconfig.h, in order
|
|
|
+ to ensure they remain consistent and visible everywhere.
|
|
|
+ - Move some format-parsing functions out of crypto.c and
|
|
|
+ crypto_curve25519.c into crypto_format.c and/or util_format.c.
|
|
|
+ - Move the client-only parts of init_keys() into a separate
|
|
|
+ function. Closes ticket 16763.
|
|
|
+ - Move the hacky fallback code out of get_interface_address6() into
|
|
|
+ separate function and get it covered with unit-tests. Resolves
|
|
|
+ ticket 14710.
|
|
|
+ - Refactor hidden service client-side cache lookup to intelligently
|
|
|
+ report its various failure cases, and disentangle failure cases
|
|
|
+ involving a lack of introduction points. Closes ticket 14391.
|
|
|
+ - Remove some vestigial workarounds for the MSVC6 compiler. We
|
|
|
+ haven't supported that in ages.
|
|
|
+ - Remove the unused "nulterminate" argument from buf_pullup().
|
|
|
+ - Simplify the microdesc_free() implementation so that it no longer
|
|
|
+ appears (to code analysis tools) to potentially invoke a huge
|
|
|
+ suite of other microdesc functions.
|
|
|
+ - Simply the control graph further by deferring the inner body of
|
|
|
+ directory_all_unreachable() into a callback. Closes ticket 16762.
|
|
|
+ - The link authentication code has been refactored for better
|
|
|
+ testability and reliability. It now uses code generated with the
|
|
|
+ "trunnel" binary encoding generator, to reduce the risk of bugs
|
|
|
+ due to programmer error. Done as part of ticket 12498.
|
|
|
+ - Treat the loss of an owning controller as equivalent to a SIGTERM
|
|
|
+ signal. This removes a tiny amount of duplicated code, and
|
|
|
+ simplifies our callgraph. Closes ticket 16788.
|
|
|
+ - Use our own Base64 encoder instead of OpenSSL's, to allow more
|
|
|
+ control over the output. Part of ticket 15652.
|
|
|
+ - When generating an event to send to the controller, we no longer
|
|
|
+ put the event over the network immediately. Instead, we queue
|
|
|
+ these events, and use a Libevent callback to deliver them. This
|
|
|
+ change simplifies Tor's callgraph by reducing the number of
|
|
|
+ functions from which all other Tor functions are reachable. Closes
+ ticket 16695.
+ - Wrap Windows-only C files inside '#ifdef _WIN32' so that tools
+ that try to scan or compile every file on Unix won't decide that
+ they are broken.
+
+ o Documentation:
+ - Fix capitalization of SOCKS in sample torrc. Closes ticket 15609.
+ - Improve the descriptions of statistics-related torrc options in
+ the manpage to describe rationale and possible uses cases. Fixes
+ issue 15550.
+ - Improve the layout and formatting of ./configure --help messages.
+ Closes ticket 15024. Patch from "cypherpunks".
+ - Include a specific and (hopefully) accurate documentation of the
+ torrc file's meta-format in doc/torrc_format.txt. This is mainly
+ of interest to people writing programs to parse or generate torrc
+ files. This document is not a commitment to long-term
+ compatibility; some aspects of the current format are a bit
+ ridiculous. Closes ticket 2325.
+ - Include the TUNING document in our source tarball. It is referred
+ to in the ChangeLog and an error message. Fixes bug 16929; bugfix
+ on 0.2.6.1-alpha.
+ - Note that HiddenServicePorts can take a unix domain socket. Closes
+ ticket 17364.
+ - Recommend a 40 GB example AccountingMax in torrc.sample rather
+ than a 4 GB max. Closes ticket 16742.
+ - Standardize on the term "server descriptor" in the manual page.
+ Previously, we had used "router descriptor", "server descriptor",
+ and "relay descriptor" interchangeably. Part of ticket 14987.
+ - Advise users on how to configure separate IPv4 and IPv6 exit
+ policies in the manpage and sample torrcs. Related to ticket 16069.
+ - Fix an error in the manual page and comments for
+ TestingDirAuthVoteHSDir[IsStrict], which suggested that a HSDir
+ required "ORPort connectivity". While this is true, it is in no
+ way unique to the HSDir flag. Of all the flags, only HSDirs need a
+ DirPort configured in order for the authorities to assign that
+ particular flag. Patch by "teor". Fixed as part of 14882; bugfix
+ on 0.2.6.3-alpha.
+ - Fix the usage message of tor-resolve(1) so that it no longer lists
+ the removed -F option. Fixes bug 16913; bugfix on 0.2.2.28-beta.
+
+ o Removed code:
+ - Remove `USE_OPENSSL_BASE64` and the corresponding fallback code
+ and always use the internal Base64 decoder. The internal decoder
+ has been part of tor since tor-0.2.0.10-alpha, and no one should
+ be using the OpenSSL one. Part of ticket 15652.
+ - Remove the 'tor_strclear()' function; use memwipe() instead.
+ Closes ticket 14922.
+ - Remove the code that would try to aggressively flush controller
+ connections while writing to them. This code was introduced in
+ 0.1.2.7-alpha, in order to keep output buffers from exceeding
+ their limits. But there is no longer a maximum output buffer size,
+ and flushing data in this way caused some undesirable recursions
+ in our call graph. Closes ticket 16480.
+ - The internal pure-C tor-fw-helper tool is now removed from the Tor
+ distribution, in favor of the pure-Go clone available from
+ https://gitweb.torproject.org/tor-fw-helper.git/ . The libraries
+ used by the C tor-fw-helper are not, in our opinion, very
+ confidence- inspiring in their secure-programming techniques.
+ Closes ticket 13338.
+
+ o Removed features:
+ - Remove the (seldom-used) DynamicDHGroups feature. For anti-
+ fingerprinting we now recommend pluggable transports; for forward-
+ secrecy in TLS, we now use the P-256 group. Closes ticket 13736.
+ - Remove the HidServDirectoryV2 option. Now all relays offer to
+ store hidden service descriptors. Related to 16543.
+ - Remove the VoteOnHidServDirectoriesV2 option, since all
+ authorities have long set it to 1. Closes ticket 16543.
+ - Remove the undocumented "--digests" command-line option. It
+ complicated our build process, caused subtle build issues on
+ multiple platforms, and is now redundant since we started
+ including git version identifiers. Closes ticket 14742.
+ - Tor no longer contains checks for ancient directory cache versions
+ that didn't know about microdescriptors.
+ - Tor no longer contains workarounds for stat files generated by
+ super-old versions of Tor that didn't choose guards sensibly.
+
+ o Testing:
+ - The test-network.sh script now supports performance testing.
+ Requires corresponding chutney performance testing changes. Patch
+ by "teor". Closes ticket 14175.
+ - Add a new set of callgraph analysis scripts that use clang to
+ produce a list of which Tor functions are reachable from which
+ other Tor functions. We're planning to use these to help simplify
+ our code structure by identifying illogical dependencies.
+ - Add new 'test-full' and 'test-full-online' targets to run all
+ tests, including integration tests with stem and chutney.
+ - Autodetect CHUTNEY_PATH if the chutney and Tor sources are side-
+ by-side in the same parent directory. Closes ticket 16903. Patch
+ by "teor".
+ - Document use of coverity, clang static analyzer, and clang dynamic
+ undefined behavior and address sanitizers in doc/HACKING. Include
+ detailed usage instructions in the blacklist. Patch by "teor".
+ Closes ticket 15817.
+ - Make "bridges+hs" the default test network. This tests almost all
+ tor functionality during make test-network, while allowing tests
+ to succeed on non-IPv6 systems. Requires chutney commit 396da92 in
+ test-network-bridges-hs. Closes tickets 16945 (tor) and 16946
+ (chutney). Patches by "teor".
+ - Make the test-workqueue test work on Windows by initializing the
+ network before we begin.
+ - New make target (make test-network-all) to run multiple applicable
+ chutney test cases. Patch from Teor; closes 16953.
+ - Now that OpenSSL has its own scrypt implementation, add an unit
+ test that checks for interoperability between libscrypt_scrypt()
+ and OpenSSL's EVP_PBE_scrypt() so that we could not use libscrypt
+ and rely on EVP_PBE_scrypt() whenever possible. Resolves
+ ticket 16189.
+ - The link authentication protocol code now has extensive tests.
+ - The relay descriptor signature testing code now has
+ extensive tests.
+ - The test_workqueue program now runs faster, and is enabled by
+ default as a part of "make check".
+ - Unit test dns_resolve(), dns_clip_ttl() and dns_get_expiry_ttl()
+ functions in dns.c. Implements a portion of ticket 16831.
+ - Use environment variables rather than autoconf substitutions to
+ send variables from the build system to the test scripts. This
+ change should be easier to maintain, and cause 'make distcheck' to
+ work better than before. Fixes bug 17148.
+ - When building Tor with testing coverage enabled, run Chutney tests
+ (if any) using the 'tor-cov' coverage binary.
+ - When running test-network or test-stem, check for the absence of
+ stem/chutney before doing any build operations.
+ - Add a test to verify that the compiler does not eliminate our
+ memwipe() implementation. Closes ticket 15377.
+ - Add make rule `check-changes` to verify the format of changes
+ files. Closes ticket 15180.
+ - Add unit tests for control_event_is_interesting(). Add a compile-
+ time check that the number of events doesn't exceed the capacity
+ of control_event_t.event_mask. Closes ticket 15431, checks for
+ bugs similar to 13085. Patch by "teor".
+ - Command-line argument tests moved to Stem. Resolves ticket 14806.
+ - Integrate the ntor, backtrace, and zero-length keys tests into the
+ automake test suite. Closes ticket 15344.
+ - Remove assertions during builds to determine Tor's test coverage.
+ We don't want to trigger these even in assertions, so including
+ them artificially makes our branch coverage look worse than it is.
+ This patch provides the new test-stem-full and coverage-html-full
+ configure options. Implements ticket 15400.
+ - New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags to
+ explicitly manage consensus flags in testing networks. Patch by
+ "robgjansen", modified by "teor". Implements part of ticket 14882.
+ - Check for matching value in server response in ntor_ref.py. Fixes
+ bug 15591; bugfix on 0.2.4.8-alpha. Reported and fixed
+ by "joelanders".
+ - Set the severity correctly when testing
+ get_interface_addresses_ifaddrs() and
+ get_interface_addresses_win32(), so that the tests fail gracefully
+ instead of triggering an assertion. Fixes bug 15759; bugfix on
+ 0.2.6.3-alpha. Reported by Nicolas Derive.
+
Changes in version 0.2.6.10 - 2015-07-12
Tor version 0.2.6.10 fixes some significant stability and hidden
service client bugs, bulletproofs the cryptography init process, and
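Review bot: Two entries under "o Testing:" read as saying something other than what they appear to mean. In "Remove assertions during builds to determine Tor's test coverage", the follow-up "We don't want to trigger these even in assertions" looks like it should end "even in tests"; and in the scrypt entry, "so that we could not use libscrypt and rely on EVP_PBE_scrypt() whenever possible" can be read as forbidding libscrypt, so consider wording along the lines of "so that we can stop using libscrypt and rely on EVP_PBE_scrypt() whenever possible" (and "a unit test" rather than "an unit test"). Smaller wording points in the same block of added text: "Simply the control graph further" in the directory_all_unreachable() entry should read "Simplify", "possible uses cases" in the Documentation section should be "possible use cases", "into separate function" in the get_interface_address6() entry is missing "a", and "confidence- inspiring" in the tor-fw-helper entry carries a stray space left over from re-wrapping.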