1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351435243534354435543564357435843594360436143624363436443654366436743684369437043714372437343744375437643774378437943804381438243834384438543864387438843894390439143924393439443954396439743984399440044014402440344044405440644074408440944104411441244134414441544164417441844194420442144224423442444254426442744284429443044314432443344344435443644374438443944404441444244434444444544464447444844494450445144524453445444554456445744584459446044614462446344644465446644674468446944704471447244734474447544764477447844794480448144824483448444854486448744884489449044914492449344944495449644974498449945004501450245034504450545064507450845094510451145124513451445154516451745184519452045214522452345244525452645274528452945304531453245334534453545364537453845394540454145424543454445454546454745484549455045514552455345544555455645574558455945604561456245634564456545664567456845694570457145724573457445754576457745784579458045814582458345844585458645874588458945904591459245934594459545964597459845994600460146024603460446054606460746084609461046114612461346144615461646174618461946204621462246234624462546264627462846294630463146324633463446354636463746384639464046414642464346444645464646474648464946504651465246534654465546564657465846594660466146624663466446654666466746684669467046714672467346744675467646774678467946804681468246834684468546864687468846894690469146924693469446954696469746984699470047014702470347044705470647074708470947104711471247134714471547164717471847194720472147224723472447254726472747284729473047314732473347344735473647374738473947404741474247434744474547464747474847494750475147524753475447554756475747584759476047614762476347644765476647674768476947704771477247734774477547764777477847794780478147824783478447854786478747884789479047914792479347944795479647974798479948004801480248034804480548064807480848094810481148124813481448154816481748184819482048214822482348244825482648274828482948304831483248334834483548364837483848394840484148424843484448454846484748484849485048514852485348544855485648574858485948604861486248634864486548664867486848694870487148724873487448754876487748784879488048814882488348844885488648874888488948904891489248934894489548964897489848994900490149024903490449054906490749084909491049114912491349144915491649174918491949204921492249234924492549264927492849294930493149324933493449354936493749384939494049414942494349444945494649474948494949504951495249534954495549564957495849594960496149624963496449654966496749684969497049714972497349744975497649774978497949804981498249834984498549864987498849894990499149924993499449954996499749984999500050015002500350045005500650075008500950105011501250135014501550165017501850195020502150225023502450255026502750285029503050315032503350345035503650375038503950405041504250435044504550465047504850495050505150525053505450555056505750585059506050615062506350645065506650675068506950705071507250735074507550765077507850795080508150825083508450855086508750885089509050915092509350945095509650975098509951005101510251035104510551065107510851095110511151125113511451155116511751185119512051215122512351245125512651275128512951305131513251335134513551365137513851395140514151425143514451455146514751485149515051515152515351545155515651575158515951605161516251635164516551665167516851695170517151725173517451755176517751785179518051815182518351845185518651875188518951905191519251935194519551965197519851995200520152025203520452055206520752085209521052115212521352145215521652175218521952205221522252235224522552265227522852295230523152325233523452355236523752385239524052415242524352445245524652475248524952505251525252535254525552565257525852595260526152625263526452655266526752685269527052715272527352745275527652775278527952805281528252835284528552865287528852895290529152925293529452955296529752985299530053015302530353045305530653075308530953105311531253135314531553165317531853195320532153225323532453255326532753285329533053315332533353345335533653375338533953405341534253435344534553465347534853495350535153525353535453555356535753585359536053615362536353645365536653675368536953705371537253735374537553765377537853795380538153825383538453855386538753885389539053915392539353945395539653975398539954005401540254035404540554065407540854095410541154125413541454155416541754185419542054215422542354245425542654275428542954305431543254335434543554365437543854395440544154425443544454455446544754485449545054515452545354545455545654575458545954605461546254635464546554665467546854695470547154725473547454755476547754785479548054815482548354845485548654875488548954905491549254935494549554965497549854995500550155025503550455055506550755085509551055115512551355145515551655175518551955205521552255235524552555265527552855295530553155325533553455355536553755385539554055415542554355445545554655475548554955505551555255535554555555565557555855595560556155625563556455655566556755685569557055715572557355745575557655775578557955805581558255835584558555865587558855895590559155925593559455955596559755985599560056015602560356045605560656075608560956105611561256135614561556165617561856195620562156225623562456255626562756285629563056315632563356345635563656375638563956405641564256435644564556465647564856495650565156525653565456555656565756585659566056615662566356645665566656675668566956705671567256735674567556765677567856795680568156825683568456855686568756885689569056915692569356945695569656975698569957005701570257035704570557065707570857095710571157125713571457155716571757185719572057215722572357245725572657275728572957305731573257335734573557365737573857395740574157425743574457455746574757485749575057515752575357545755575657575758575957605761576257635764576557665767576857695770577157725773577457755776577757785779578057815782578357845785578657875788578957905791579257935794579557965797579857995800580158025803580458055806580758085809581058115812581358145815581658175818581958205821582258235824582558265827582858295830583158325833583458355836583758385839584058415842584358445845584658475848584958505851585258535854585558565857585858595860586158625863586458655866586758685869587058715872587358745875587658775878587958805881588258835884588558865887588858895890589158925893589458955896589758985899590059015902590359045905590659075908590959105911591259135914591559165917591859195920592159225923592459255926592759285929593059315932593359345935593659375938593959405941594259435944594559465947594859495950595159525953595459555956595759585959596059615962596359645965596659675968596959705971597259735974597559765977597859795980598159825983598459855986598759885989599059915992599359945995599659975998599960006001600260036004600560066007600860096010601160126013601460156016601760186019602060216022602360246025602660276028602960306031603260336034603560366037603860396040604160426043604460456046604760486049605060516052605360546055605660576058605960606061606260636064606560666067606860696070607160726073607460756076607760786079608060816082608360846085608660876088608960906091609260936094609560966097609860996100610161026103610461056106610761086109611061116112611361146115611661176118611961206121612261236124612561266127612861296130613161326133613461356136613761386139614061416142614361446145614661476148614961506151615261536154615561566157615861596160616161626163616461656166616761686169617061716172617361746175617661776178617961806181618261836184618561866187618861896190619161926193619461956196619761986199620062016202620362046205620662076208620962106211621262136214621562166217621862196220622162226223622462256226622762286229623062316232623362346235623662376238623962406241624262436244624562466247624862496250625162526253625462556256625762586259626062616262626362646265626662676268626962706271627262736274627562766277627862796280628162826283628462856286628762886289629062916292629362946295629662976298629963006301630263036304630563066307630863096310631163126313631463156316631763186319632063216322632363246325632663276328632963306331633263336334633563366337633863396340634163426343634463456346634763486349635063516352635363546355635663576358635963606361636263636364636563666367636863696370637163726373637463756376637763786379638063816382638363846385638663876388638963906391639263936394639563966397639863996400640164026403640464056406640764086409641064116412641364146415641664176418641964206421642264236424642564266427642864296430643164326433643464356436643764386439644064416442644364446445644664476448644964506451645264536454645564566457645864596460646164626463646464656466646764686469647064716472647364746475647664776478647964806481648264836484648564866487648864896490649164926493649464956496649764986499650065016502650365046505650665076508650965106511651265136514651565166517651865196520652165226523652465256526652765286529653065316532653365346535653665376538653965406541654265436544654565466547654865496550655165526553655465556556655765586559656065616562656365646565656665676568656965706571657265736574657565766577657865796580658165826583658465856586658765886589659065916592659365946595659665976598659966006601660266036604660566066607660866096610661166126613661466156616661766186619662066216622662366246625662666276628662966306631663266336634663566366637663866396640664166426643664466456646664766486649665066516652665366546655665666576658665966606661666266636664666566666667666866696670667166726673667466756676667766786679668066816682668366846685668666876688668966906691669266936694669566966697669866996700670167026703670467056706670767086709671067116712671367146715671667176718671967206721672267236724672567266727672867296730673167326733673467356736673767386739674067416742674367446745674667476748674967506751675267536754675567566757675867596760676167626763676467656766676767686769677067716772677367746775677667776778677967806781678267836784678567866787678867896790679167926793679467956796679767986799680068016802680368046805680668076808680968106811681268136814681568166817681868196820682168226823682468256826682768286829683068316832683368346835683668376838683968406841684268436844684568466847684868496850685168526853685468556856685768586859686068616862686368646865686668676868686968706871687268736874687568766877687868796880688168826883688468856886688768886889689068916892689368946895689668976898689969006901690269036904690569066907690869096910691169126913691469156916691769186919692069216922692369246925692669276928692969306931693269336934693569366937693869396940694169426943694469456946694769486949695069516952695369546955695669576958695969606961696269636964696569666967696869696970697169726973697469756976697769786979698069816982698369846985698669876988698969906991699269936994699569966997699869997000700170027003700470057006700770087009701070117012701370147015701670177018701970207021702270237024702570267027702870297030703170327033703470357036703770387039704070417042704370447045704670477048704970507051705270537054705570567057705870597060706170627063706470657066706770687069707070717072707370747075707670777078707970807081708270837084708570867087708870897090709170927093709470957096709770987099710071017102710371047105710671077108710971107111711271137114711571167117711871197120712171227123712471257126712771287129713071317132713371347135713671377138713971407141714271437144714571467147714871497150715171527153715471557156715771587159716071617162716371647165716671677168716971707171717271737174717571767177717871797180718171827183718471857186718771887189719071917192719371947195719671977198719972007201720272037204720572067207720872097210721172127213721472157216721772187219722072217222722372247225722672277228722972307231723272337234723572367237723872397240724172427243724472457246724772487249725072517252725372547255725672577258725972607261726272637264726572667267726872697270727172727273727472757276727772787279728072817282728372847285728672877288728972907291729272937294729572967297729872997300730173027303730473057306730773087309731073117312731373147315731673177318731973207321732273237324732573267327732873297330733173327333733473357336733773387339734073417342734373447345734673477348734973507351735273537354735573567357735873597360736173627363736473657366736773687369737073717372737373747375737673777378737973807381738273837384738573867387738873897390739173927393739473957396739773987399740074017402740374047405740674077408740974107411741274137414741574167417741874197420742174227423742474257426742774287429743074317432743374347435743674377438743974407441744274437444744574467447744874497450745174527453745474557456745774587459746074617462746374647465746674677468746974707471747274737474747574767477747874797480748174827483748474857486748774887489749074917492749374947495749674977498749975007501750275037504750575067507750875097510751175127513751475157516751775187519752075217522752375247525752675277528752975307531753275337534753575367537753875397540754175427543754475457546754775487549755075517552755375547555755675577558755975607561756275637564756575667567756875697570757175727573757475757576757775787579758075817582758375847585758675877588758975907591759275937594759575967597759875997600760176027603760476057606760776087609761076117612761376147615761676177618761976207621762276237624762576267627762876297630763176327633763476357636763776387639764076417642764376447645764676477648764976507651765276537654765576567657765876597660766176627663766476657666766776687669767076717672767376747675767676777678767976807681768276837684768576867687768876897690769176927693769476957696769776987699770077017702770377047705770677077708770977107711771277137714771577167717771877197720772177227723772477257726772777287729773077317732773377347735773677377738773977407741774277437744774577467747774877497750775177527753775477557756775777587759776077617762776377647765776677677768776977707771777277737774777577767777777877797780778177827783778477857786778777887789779077917792779377947795779677977798779978007801780278037804780578067807780878097810781178127813781478157816781778187819782078217822782378247825782678277828782978307831783278337834783578367837783878397840784178427843784478457846784778487849785078517852785378547855785678577858785978607861786278637864786578667867786878697870787178727873787478757876787778787879788078817882788378847885788678877888788978907891789278937894789578967897789878997900790179027903790479057906790779087909791079117912791379147915791679177918791979207921792279237924792579267927792879297930793179327933793479357936793779387939794079417942794379447945794679477948794979507951795279537954795579567957795879597960796179627963796479657966796779687969797079717972797379747975797679777978797979807981798279837984798579867987798879897990799179927993799479957996799779987999800080018002800380048005800680078008800980108011801280138014801580168017801880198020802180228023802480258026802780288029803080318032803380348035803680378038803980408041804280438044804580468047804880498050805180528053805480558056805780588059806080618062806380648065806680678068806980708071807280738074807580768077807880798080808180828083808480858086808780888089809080918092809380948095809680978098809981008101810281038104810581068107810881098110811181128113811481158116811781188119812081218122812381248125812681278128812981308131813281338134813581368137813881398140814181428143814481458146814781488149815081518152815381548155815681578158815981608161816281638164816581668167816881698170817181728173817481758176817781788179818081818182818381848185818681878188818981908191819281938194819581968197819881998200820182028203820482058206820782088209821082118212821382148215821682178218821982208221822282238224822582268227822882298230823182328233823482358236823782388239824082418242824382448245824682478248824982508251825282538254825582568257825882598260826182628263826482658266826782688269827082718272827382748275827682778278827982808281828282838284828582868287828882898290829182928293829482958296829782988299830083018302830383048305830683078308830983108311831283138314831583168317831883198320832183228323832483258326832783288329833083318332833383348335833683378338833983408341834283438344834583468347834883498350835183528353835483558356835783588359836083618362836383648365836683678368836983708371837283738374837583768377837883798380838183828383838483858386838783888389839083918392839383948395839683978398839984008401840284038404840584068407840884098410841184128413841484158416841784188419842084218422842384248425842684278428842984308431843284338434843584368437843884398440844184428443844484458446844784488449845084518452845384548455845684578458845984608461846284638464846584668467846884698470847184728473847484758476847784788479848084818482848384848485848684878488848984908491849284938494849584968497849884998500850185028503850485058506850785088509851085118512851385148515851685178518851985208521852285238524852585268527852885298530853185328533853485358536853785388539854085418542854385448545854685478548854985508551855285538554855585568557855885598560856185628563856485658566856785688569857085718572857385748575857685778578857985808581858285838584858585868587858885898590859185928593859485958596859785988599860086018602860386048605860686078608860986108611861286138614861586168617861886198620862186228623862486258626862786288629863086318632863386348635863686378638863986408641864286438644864586468647864886498650865186528653865486558656865786588659866086618662866386648665866686678668866986708671867286738674867586768677867886798680868186828683868486858686868786888689869086918692869386948695869686978698869987008701870287038704870587068707870887098710871187128713871487158716871787188719872087218722872387248725872687278728872987308731873287338734873587368737873887398740874187428743874487458746874787488749875087518752875387548755875687578758875987608761876287638764876587668767876887698770877187728773877487758776877787788779878087818782878387848785878687878788878987908791879287938794879587968797879887998800880188028803880488058806880788088809881088118812881388148815881688178818881988208821882288238824882588268827882888298830883188328833883488358836883788388839884088418842884388448845884688478848884988508851885288538854885588568857885888598860886188628863886488658866886788688869887088718872887388748875887688778878887988808881888288838884888588868887888888898890889188928893889488958896889788988899890089018902890389048905890689078908890989108911891289138914891589168917891889198920892189228923892489258926892789288929893089318932893389348935893689378938893989408941894289438944894589468947894889498950895189528953895489558956895789588959896089618962896389648965896689678968896989708971897289738974897589768977897889798980898189828983898489858986898789888989899089918992899389948995899689978998899990009001900290039004900590069007900890099010901190129013901490159016901790189019902090219022902390249025902690279028902990309031903290339034903590369037903890399040904190429043904490459046904790489049905090519052905390549055905690579058905990609061906290639064906590669067906890699070907190729073907490759076907790789079908090819082908390849085908690879088908990909091909290939094909590969097909890999100910191029103910491059106910791089109911091119112911391149115911691179118911991209121912291239124912591269127912891299130913191329133913491359136913791389139914091419142914391449145914691479148914991509151915291539154915591569157915891599160916191629163916491659166916791689169917091719172917391749175917691779178917991809181918291839184918591869187918891899190919191929193919491959196919791989199920092019202920392049205920692079208920992109211921292139214921592169217921892199220922192229223922492259226922792289229923092319232923392349235923692379238923992409241924292439244924592469247924892499250925192529253925492559256925792589259926092619262926392649265926692679268926992709271927292739274927592769277927892799280928192829283928492859286928792889289929092919292929392949295929692979298929993009301930293039304930593069307930893099310931193129313931493159316931793189319932093219322932393249325932693279328932993309331933293339334933593369337933893399340934193429343934493459346934793489349935093519352935393549355935693579358935993609361936293639364936593669367936893699370937193729373937493759376937793789379938093819382938393849385938693879388938993909391939293939394939593969397939893999400940194029403940494059406940794089409941094119412941394149415941694179418941994209421942294239424942594269427942894299430943194329433943494359436943794389439944094419442944394449445944694479448944994509451945294539454945594569457945894599460946194629463946494659466946794689469947094719472947394749475947694779478947994809481948294839484948594869487948894899490949194929493949494959496949794989499950095019502950395049505950695079508950995109511951295139514951595169517951895199520952195229523952495259526952795289529953095319532953395349535953695379538953995409541954295439544954595469547954895499550955195529553955495559556955795589559956095619562956395649565956695679568956995709571957295739574957595769577957895799580958195829583958495859586958795889589959095919592959395949595959695979598959996009601960296039604960596069607960896099610961196129613961496159616961796189619962096219622962396249625962696279628962996309631963296339634963596369637963896399640964196429643964496459646964796489649965096519652965396549655965696579658965996609661966296639664966596669667966896699670967196729673967496759676967796789679968096819682968396849685968696879688968996909691969296939694969596969697969896999700970197029703970497059706970797089709971097119712971397149715971697179718971997209721972297239724972597269727972897299730973197329733973497359736973797389739974097419742974397449745974697479748974997509751975297539754975597569757975897599760976197629763976497659766976797689769977097719772977397749775977697779778977997809781978297839784978597869787978897899790979197929793979497959796979797989799980098019802980398049805980698079808980998109811981298139814981598169817981898199820982198229823982498259826982798289829983098319832983398349835983698379838983998409841984298439844984598469847984898499850985198529853985498559856985798589859986098619862986398649865986698679868986998709871987298739874987598769877987898799880988198829883988498859886988798889889989098919892989398949895989698979898989999009901990299039904990599069907990899099910991199129913991499159916991799189919992099219922992399249925992699279928992999309931993299339934993599369937993899399940994199429943994499459946994799489949995099519952995399549955995699579958995999609961996299639964996599669967996899699970997199729973997499759976997799789979998099819982998399849985998699879988998999909991999299939994999599969997999899991000010001100021000310004100051000610007100081000910010100111001210013100141001510016100171001810019100201002110022100231002410025100261002710028100291003010031100321003310034100351003610037100381003910040100411004210043100441004510046100471004810049100501005110052100531005410055100561005710058100591006010061100621006310064100651006610067100681006910070100711007210073100741007510076100771007810079100801008110082100831008410085100861008710088100891009010091100921009310094100951009610097100981009910100101011010210103101041010510106101071010810109101101011110112101131011410115101161011710118101191012010121101221012310124101251012610127101281012910130101311013210133101341013510136101371013810139101401014110142101431014410145101461014710148101491015010151101521015310154101551015610157101581015910160101611016210163101641016510166101671016810169101701017110172101731017410175101761017710178101791018010181101821018310184101851018610187101881018910190101911019210193101941019510196101971019810199102001020110202102031020410205102061020710208102091021010211102121021310214102151021610217102181021910220102211022210223102241022510226102271022810229102301023110232102331023410235102361023710238102391024010241102421024310244102451024610247102481024910250102511025210253102541025510256102571025810259102601026110262102631026410265102661026710268102691027010271102721027310274102751027610277102781027910280102811028210283102841028510286102871028810289102901029110292102931029410295102961029710298102991030010301103021030310304103051030610307103081030910310103111031210313103141031510316103171031810319103201032110322103231032410325103261032710328103291033010331103321033310334103351033610337103381033910340103411034210343103441034510346103471034810349103501035110352103531035410355103561035710358103591036010361103621036310364103651036610367103681036910370103711037210373103741037510376103771037810379103801038110382103831038410385103861038710388103891039010391103921039310394103951039610397103981039910400104011040210403104041040510406104071040810409104101041110412104131041410415104161041710418104191042010421104221042310424104251042610427104281042910430104311043210433104341043510436104371043810439104401044110442104431044410445104461044710448104491045010451104521045310454104551045610457104581045910460104611046210463104641046510466104671046810469104701047110472104731047410475104761047710478104791048010481104821048310484104851048610487104881048910490104911049210493104941049510496104971049810499105001050110502105031050410505105061050710508105091051010511105121051310514105151051610517105181051910520105211052210523105241052510526105271052810529105301053110532105331053410535105361053710538105391054010541105421054310544105451054610547105481054910550105511055210553105541055510556105571055810559105601056110562105631056410565105661056710568105691057010571105721057310574105751057610577105781057910580105811058210583105841058510586105871058810589105901059110592105931059410595105961059710598105991060010601106021060310604106051060610607106081060910610106111061210613106141061510616106171061810619106201062110622106231062410625106261062710628106291063010631106321063310634106351063610637106381063910640106411064210643106441064510646106471064810649106501065110652106531065410655106561065710658106591066010661106621066310664106651066610667106681066910670106711067210673106741067510676106771067810679106801068110682106831068410685106861068710688106891069010691106921069310694106951069610697106981069910700107011070210703107041070510706107071070810709107101071110712107131071410715107161071710718107191072010721107221072310724107251072610727107281072910730107311073210733107341073510736107371073810739107401074110742107431074410745107461074710748107491075010751107521075310754107551075610757107581075910760107611076210763107641076510766107671076810769107701077110772107731077410775107761077710778107791078010781107821078310784107851078610787107881078910790107911079210793107941079510796107971079810799108001080110802108031080410805108061080710808108091081010811108121081310814108151081610817108181081910820108211082210823108241082510826108271082810829108301083110832108331083410835108361083710838108391084010841108421084310844108451084610847108481084910850108511085210853108541085510856108571085810859108601086110862108631086410865108661086710868108691087010871108721087310874108751087610877108781087910880108811088210883108841088510886108871088810889108901089110892108931089410895108961089710898108991090010901109021090310904109051090610907109081090910910109111091210913109141091510916109171091810919109201092110922109231092410925109261092710928109291093010931109321093310934109351093610937109381093910940109411094210943109441094510946109471094810949109501095110952109531095410955109561095710958109591096010961109621096310964109651096610967109681096910970109711097210973109741097510976109771097810979109801098110982109831098410985109861098710988109891099010991109921099310994109951099610997109981099911000110011100211003110041100511006110071100811009110101101111012110131101411015110161101711018110191102011021110221102311024110251102611027110281102911030110311103211033110341103511036110371103811039110401104111042110431104411045110461104711048110491105011051110521105311054110551105611057110581105911060110611106211063110641106511066110671106811069110701107111072110731107411075110761107711078110791108011081110821108311084110851108611087110881108911090110911109211093110941109511096110971109811099111001110111102111031110411105111061110711108111091111011111111121111311114111151111611117111181111911120111211112211123111241112511126111271112811129111301113111132111331113411135111361113711138111391114011141111421114311144111451114611147111481114911150111511115211153111541115511156111571115811159111601116111162111631116411165111661116711168111691117011171111721117311174111751117611177111781117911180111811118211183111841118511186111871118811189111901119111192111931119411195111961119711198111991120011201112021120311204112051120611207112081120911210112111121211213112141121511216112171121811219112201122111222112231122411225112261122711228112291123011231112321123311234112351123611237112381123911240112411124211243112441124511246112471124811249112501125111252112531125411255112561125711258112591126011261112621126311264112651126611267112681126911270112711127211273112741127511276112771127811279112801128111282112831128411285112861128711288112891129011291112921129311294112951129611297112981129911300113011130211303113041130511306113071130811309113101131111312113131131411315113161131711318113191132011321113221132311324113251132611327113281132911330113311133211333113341133511336113371133811339113401134111342113431134411345113461134711348113491135011351113521135311354113551135611357113581135911360113611136211363113641136511366113671136811369113701137111372113731137411375113761137711378113791138011381113821138311384113851138611387113881138911390113911139211393113941139511396113971139811399114001140111402114031140411405114061140711408114091141011411114121141311414114151141611417114181141911420114211142211423114241142511426114271142811429114301143111432114331143411435114361143711438114391144011441114421144311444114451144611447114481144911450114511145211453114541145511456114571145811459114601146111462114631146411465114661146711468114691147011471114721147311474114751147611477114781147911480114811148211483114841148511486114871148811489114901149111492114931149411495114961149711498114991150011501115021150311504115051150611507115081150911510115111151211513115141151511516115171151811519115201152111522115231152411525115261152711528115291153011531115321153311534115351153611537115381153911540115411154211543115441154511546115471154811549115501155111552115531155411555115561155711558115591156011561115621156311564115651156611567115681156911570115711157211573115741157511576115771157811579115801158111582115831158411585115861158711588115891159011591115921159311594115951159611597115981159911600116011160211603116041160511606116071160811609116101161111612116131161411615116161161711618116191162011621116221162311624116251162611627116281162911630116311163211633116341163511636116371163811639116401164111642116431164411645116461164711648116491165011651116521165311654116551165611657116581165911660116611166211663116641166511666116671166811669116701167111672116731167411675116761167711678116791168011681116821168311684116851168611687116881168911690116911169211693116941169511696116971169811699117001170111702117031170411705117061170711708117091171011711117121171311714117151171611717117181171911720117211172211723117241172511726117271172811729117301173111732117331173411735117361173711738117391174011741117421174311744117451174611747117481174911750117511175211753117541175511756117571175811759117601176111762117631176411765117661176711768117691177011771117721177311774117751177611777117781177911780117811178211783117841178511786117871178811789117901179111792117931179411795117961179711798117991180011801118021180311804118051180611807118081180911810118111181211813118141181511816118171181811819118201182111822118231182411825118261182711828118291183011831118321183311834118351183611837118381183911840118411184211843118441184511846118471184811849118501185111852118531185411855118561185711858118591186011861118621186311864118651186611867118681186911870118711187211873118741187511876118771187811879118801188111882118831188411885118861188711888118891189011891118921189311894118951189611897118981189911900119011190211903119041190511906119071190811909119101191111912119131191411915119161191711918119191192011921119221192311924119251192611927119281192911930119311193211933119341193511936119371193811939119401194111942119431194411945119461194711948119491195011951119521195311954119551195611957119581195911960119611196211963119641196511966119671196811969119701197111972119731197411975119761197711978119791198011981119821198311984119851198611987119881198911990119911199211993119941199511996119971199811999120001200112002120031200412005120061200712008120091201012011120121201312014120151201612017120181201912020120211202212023120241202512026120271202812029120301203112032120331203412035120361203712038120391204012041120421204312044120451204612047120481204912050120511205212053120541205512056120571205812059120601206112062120631206412065120661206712068120691207012071120721207312074120751207612077120781207912080120811208212083120841208512086120871208812089120901209112092120931209412095120961209712098120991210012101121021210312104121051210612107121081210912110121111211212113121141211512116121171211812119121201212112122121231212412125121261212712128121291213012131121321213312134121351213612137121381213912140121411214212143121441214512146121471214812149121501215112152121531215412155121561215712158121591216012161121621216312164121651216612167121681216912170121711217212173121741217512176121771217812179121801218112182121831218412185121861218712188121891219012191121921219312194121951219612197121981219912200122011220212203122041220512206122071220812209122101221112212122131221412215122161221712218122191222012221122221222312224122251222612227122281222912230122311223212233122341223512236122371223812239122401224112242122431224412245122461224712248122491225012251122521225312254122551225612257122581225912260122611226212263122641226512266122671226812269122701227112272122731227412275122761227712278122791228012281122821228312284122851228612287122881228912290122911229212293122941229512296122971229812299123001230112302123031230412305123061230712308123091231012311123121231312314123151231612317123181231912320123211232212323123241232512326123271232812329123301233112332123331233412335123361233712338123391234012341123421234312344123451234612347123481234912350123511235212353123541235512356123571235812359123601236112362123631236412365123661236712368123691237012371123721237312374123751237612377123781237912380123811238212383123841238512386123871238812389123901239112392123931239412395123961239712398123991240012401124021240312404124051240612407124081240912410124111241212413124141241512416124171241812419124201242112422124231242412425124261242712428124291243012431124321243312434124351243612437124381243912440124411244212443124441244512446124471244812449124501245112452124531245412455124561245712458124591246012461124621246312464124651246612467124681246912470124711247212473124741247512476124771247812479124801248112482124831248412485124861248712488124891249012491124921249312494124951249612497124981249912500125011250212503125041250512506125071250812509125101251112512125131251412515125161251712518125191252012521125221252312524125251252612527125281252912530125311253212533125341253512536125371253812539125401254112542125431254412545125461254712548125491255012551125521255312554125551255612557125581255912560125611256212563125641256512566125671256812569125701257112572125731257412575125761257712578125791258012581125821258312584125851258612587125881258912590125911259212593125941259512596125971259812599126001260112602126031260412605126061260712608126091261012611126121261312614126151261612617126181261912620126211262212623126241262512626126271262812629126301263112632126331263412635126361263712638126391264012641126421264312644126451264612647126481264912650126511265212653126541265512656126571265812659126601266112662126631266412665126661266712668126691267012671126721267312674126751267612677126781267912680126811268212683126841268512686126871268812689126901269112692126931269412695126961269712698126991270012701127021270312704127051270612707127081270912710127111271212713127141271512716127171271812719127201272112722127231272412725127261272712728127291273012731127321273312734127351273612737127381273912740127411274212743127441274512746127471274812749127501275112752127531275412755127561275712758127591276012761127621276312764127651276612767127681276912770127711277212773127741277512776127771277812779127801278112782127831278412785127861278712788127891279012791127921279312794127951279612797127981279912800128011280212803128041280512806128071280812809128101281112812128131281412815128161281712818128191282012821128221282312824128251282612827128281282912830128311283212833128341283512836128371283812839128401284112842128431284412845128461284712848128491285012851128521285312854128551285612857128581285912860128611286212863128641286512866128671286812869128701287112872128731287412875128761287712878128791288012881128821288312884128851288612887128881288912890128911289212893128941289512896128971289812899129001290112902129031290412905129061290712908129091291012911129121291312914129151291612917129181291912920129211292212923129241292512926129271292812929129301293112932129331293412935129361293712938129391294012941129421294312944129451294612947129481294912950129511295212953129541295512956129571295812959129601296112962129631296412965129661296712968129691297012971129721297312974129751297612977129781297912980129811298212983129841298512986129871298812989129901299112992129931299412995129961299712998129991300013001130021300313004130051300613007130081300913010130111301213013130141301513016130171301813019130201302113022130231302413025130261302713028130291303013031130321303313034130351303613037130381303913040130411304213043130441304513046130471304813049130501305113052130531305413055130561305713058130591306013061130621306313064130651306613067130681306913070130711307213073130741307513076130771307813079130801308113082130831308413085130861308713088130891309013091130921309313094130951309613097130981309913100131011310213103131041310513106131071310813109131101311113112131131311413115131161311713118131191312013121131221312313124131251312613127131281312913130131311313213133131341313513136131371313813139131401314113142131431314413145131461314713148131491315013151131521315313154131551315613157131581315913160131611316213163131641316513166131671316813169131701317113172131731317413175131761317713178131791318013181131821318313184131851318613187131881318913190131911319213193131941319513196131971319813199 |
- This document summarizes new features and bugfixes in each stable release
- of Tor. If you want to see more detailed descriptions of the changes in
- each development snapshot, see the ChangeLog file.
- Changes in version 0.2.8.9 - 2016-10-17
- Tor 0.2.8.9 backports a fix for a security hole in previous versions
- of Tor that would allow a remote attacker to crash a Tor client,
- hidden service, relay, or authority. All Tor users should upgrade to
- this version, or to 0.2.9.4-alpha. Patches will be released for older
- versions of Tor.
- o Major features (security fixes, also in 0.2.9.4-alpha):
- - Prevent a class of security bugs caused by treating the contents
- of a buffer chunk as if they were a NUL-terminated string. At
- least one such bug seems to be present in all currently used
- versions of Tor, and would allow an attacker to remotely crash
- most Tor instances, especially those compiled with extra compiler
- hardening. With this defense in place, such bugs can't crash Tor,
- though we should still fix them as they occur. Closes ticket
- 20384 (TROVE-2016-10-001).
- o Minor features (geoip):
- - Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
- Country database.
- Changes in version 0.2.8.8 - 2016-09-23
- Tor 0.2.8.8 fixes two crash bugs present in previous versions of the
- 0.2.8.x series. Relays running 0.2.8.x should upgrade, as should users
- who select public relays as their bridges.
- o Major bugfixes (crash):
- - Fix a complicated crash bug that could affect Tor clients
- configured to use bridges when replacing a networkstatus consensus
- in which one of their bridges was mentioned. OpenBSD users saw
- more crashes here, but all platforms were potentially affected.
- Fixes bug 20103; bugfix on 0.2.8.2-alpha.
- o Major bugfixes (relay, OOM handler):
- - Fix a timing-dependent assertion failure that could occur when we
- tried to flush from a circuit after having freed its cells because
- of an out-of-memory condition. Fixes bug 20203; bugfix on
- 0.2.8.1-alpha. Thanks to "cypherpunks" for help diagnosing
- this one.
- o Minor feature (fallback directories):
- - Remove broken fallbacks from the hard-coded fallback directory
- list. Closes ticket 20190; patch by teor.
- o Minor features (geoip):
- - Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2
- Country database.
- Changes in version 0.2.8.7 - 2016-08-24
- Tor 0.2.8.7 fixes an important bug related to the ReachableAddresses
- option in 0.2.8.6, and replaces a retiring bridge authority. Everyone
- who sets the ReachableAddresses option, and all bridges, are strongly
- encouraged to upgrade.
- o Directory authority changes:
- - The "Tonga" bridge authority has been retired; the new bridge
- authority is "Bifroest". Closes tickets 19728 and 19690.
- o Major bugfixes (client, security):
- - Only use the ReachableAddresses option to restrict the first hop
- in a path. In earlier versions of 0.2.8.x, it would apply to
- every hop in the path, with a possible degradation in anonymity
- for anyone using an uncommon ReachableAddress setting. Fixes bug
- 19973; bugfix on 0.2.8.2-alpha.
- o Minor features (geoip):
- - Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2
- Country database.
- o Minor bugfixes (compilation):
- - Remove an inappropriate "inline" in tortls.c that was causing
- warnings on older versions of GCC. Fixes bug 19903; bugfix
- on 0.2.8.1-alpha.
- o Minor bugfixes (fallback directories):
- - Avoid logging a NULL string pointer when loading fallback
- directory information. Fixes bug 19947; bugfix on 0.2.4.7-alpha
- and 0.2.8.1-alpha. Report and patch by "rubiate".
- Changes in version 0.2.8.6 - 2016-08-02
- Tor 0.2.8.6 is the first stable version of the Tor 0.2.8 series.
- The Tor 0.2.8 series improves client bootstrapping performance,
- completes the authority-side implementation of improved identity
- keys for relays, and includes numerous bugfixes and performance
- improvements throughout the program. This release continues to
- improve the coverage of Tor's test suite. For a full list of
- changes since Tor 0.2.7, see the ReleaseNotes file.
- Below is a list of the changes since Tor 0.2.7.
- o New system requirements:
- - Tor no longer attempts to support platforms where the "time_t"
- type is unsigned. (To the best of our knowledge, only OpenVMS does
- this, and Tor has never actually built on OpenVMS.) Closes
- ticket 18184.
- - Tor no longer supports versions of OpenSSL with a broken
- implementation of counter mode. (This bug was present in OpenSSL
- 1.0.0, and was fixed in OpenSSL 1.0.0a.) Tor still detects, but no
- longer runs with, these versions.
- - Tor now uses Autoconf version 2.63 or later, and Automake 1.11 or
- later (released in 2008 and 2009 respectively). If you are
- building Tor from the git repository instead of from the source
- distribution, and your tools are older than this, you will need to
- upgrade. Closes ticket 17732.
- o Directory authority changes:
- - Update the V3 identity key for the dannenberg directory authority:
- it was changed on 18 November 2015. Closes task 17906. Patch
- by teor.
- - Urras is no longer a directory authority. Closes ticket 19271.
- o Major features (directory system):
- - Include a trial list of default fallback directories, based on an
- opt-in survey of suitable relays. Doing this should make clients
- bootstrap more quickly and reliably, and reduce the load on the
- directory authorities. Closes ticket 15775. Patch by teor.
- Candidates identified using an OnionOO script by weasel, teor,
- gsathya, and karsten.
- - Previously only relays that explicitly opened a directory port
- (DirPort) accepted directory requests from clients. Now all
- relays, with and without a DirPort, accept and serve tunneled
- directory requests that they receive through their ORPort. You can
- disable this behavior using the new DirCache option. Closes
- ticket 12538.
- - When bootstrapping multiple consensus downloads at a time, use the
- first one that starts downloading, and close the rest. This
- reduces failures when authorities or fallback directories are slow
- or down. Together with the code for feature 15775, this feature
- should reduces failures due to fallback churn. Implements ticket
- 4483. Patch by teor. Implements IPv4 portions of proposal 210 by
- mikeperry and teor.
- o Major features (security, Linux):
- - When Tor starts as root on Linux and is told to switch user ID, it
- can now retain the capability to bind to low ports. By default,
- Tor will do this only when it's switching user ID and some low
- ports have been configured. You can change this behavior with the
- new option KeepBindCapabilities. Closes ticket 8195.
- o Major bugfixes (client, bootstrapping):
- - Check if bootstrap consensus downloads are still needed when the
- linked connection attaches. This prevents tor making unnecessary
- begindir-style connections, which are the only directory
- connections tor clients make since the fix for 18483 was merged.
- - Fix some edge cases where consensus download connections may not
- have been closed, even though they were not needed. Related to fix
- for 18809.
- - Make relays retry consensus downloads the correct number of times,
- rather than the more aggressive client retry count. Fixes part of
- ticket 18809.
- o Major bugfixes (dns proxy mode, crash):
- - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
- bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
- o Major bugfixes (ed25519, voting):
- - Actually enable support for authorities to match routers by their
- Ed25519 identities. Previously, the code had been written, but
- some debugging code that had accidentally been left in the
- codebase made it stay turned off. Fixes bug 17702; bugfix
- on 0.2.7.2-alpha.
- - When collating votes by Ed25519 identities, authorities now
- include a "NoEdConsensus" flag if the ed25519 value (or lack
- thereof) for a server does not reflect the majority consensus.
- Related to bug 17668; bugfix on 0.2.7.2-alpha.
- - When generating a vote with keypinning disabled, never include two
- entries for the same ed25519 identity. This bug was causing
- authorities to generate votes that they could not parse when a
- router violated key pinning by changing its RSA identity but
- keeping its Ed25519 identity. Fixes bug 17668; fixes part of bug
- 18318. Bugfix on 0.2.7.2-alpha.
- o Major bugfixes (key management):
- - If OpenSSL fails to generate an RSA key, do not retain a dangling
- pointer to the previous (uninitialized) key value. The impact here
- should be limited to a difficult-to-trigger crash, if OpenSSL is
- running an engine that makes key generation failures possible, or
- if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
- 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
- Baishakhi Ray.
- o Major bugfixes (security, client, DNS proxy):
- - Stop a crash that could occur when a client running with DNSPort
- received a query with multiple address types, and the first
- address type was not supported. Found and fixed by Scott Dial.
- Fixes bug 18710; bugfix on 0.2.5.4-alpha.
- o Major bugfixes (security, compilation):
- - Correctly detect compiler flags on systems where _FORTIFY_SOURCE
- is predefined. Previously, our use of -D_FORTIFY_SOURCE would
- cause a compiler warning, thereby making other checks fail, and
- needlessly disabling compiler-hardening support. Fixes one case of
- bug 18841; bugfix on 0.2.3.17-beta. Patch from "trudokal".
- - Repair hardened builds under the clang compiler. Previously, our
- use of _FORTIFY_SOURCE would conflict with clang's address
- sanitizer. Fixes bug 14821; bugfix on 0.2.5.4-alpha.
- o Major bugfixes (security, pointers):
- - Avoid a difficult-to-trigger heap corruption attack when extending
- a smartlist to contain over 16GB of pointers. Fixes bug 18162;
- bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
- Reported by Guido Vranken.
- o Major bugfixes (testing):
- - Fix a bug that would block 'make test-network-all' on systems where
- IPv6 packets were lost. Fixes bug 19008; bugfix on 0.2.7.3-rc.
- o Major bugfixes (user interface):
- - Correctly give a warning in the cases where a relay is specified
- by nickname, and one such relay is found, but it is not officially
- Named. Fixes bug 19203; bugfix on 0.2.3.1-alpha.
- o Minor features (accounting):
- - Added two modes to the AccountingRule option: One for limiting
- only the number of bytes sent ("AccountingRule out"), and one for
- limiting only the number of bytes received ("AccountingRule in").
- Closes ticket 15989; patch from "unixninja92".
- o Minor features (bug-resistance):
- - Make Tor survive errors involving connections without a
- corresponding event object. Previously we'd fail with an
- assertion; now we produce a log message. Related to bug 16248.
- - Use tor_snprintf() and tor_vsnprintf() even in external and low-
- level code, to harden against accidental failures to NUL-
- terminate. Part of ticket 17852. Patch from jsturgix. Found
- with Flawfinder.
- o Minor features (build):
- - Detect systems with FreeBSD-derived kernels (such as GNU/kFreeBSD)
- as having possible IPFW support. Closes ticket 18448. Patch from
- Steven Chamberlain.
- - Since our build process now uses "make distcheck", we no longer
- force "make dist" to depend on "make check". Closes ticket 17893;
- patch from "cypherpunks".
- - Tor now builds once again with the recent OpenSSL 1.1 development
- branch (tested against 1.1.0-pre5 and 1.1.0-pre6-dev). We have been
- tracking OpenSSL 1.1 development as it has progressed, and fixing
- numerous compatibility issues as they arose. See tickets
- 17549, 17921, 17984, 19499, and 18286.
- - When building manual pages, set the timezone to "UTC", so that the
- output is reproducible. Fixes bug 19558; bugfix on 0.2.2.9-alpha.
- Patch from intrigeri.
- o Minor features (clients):
- - Make clients, onion services, and bridge relays always use an
- encrypted begindir connection for directory requests. Resolves
- ticket 18483. Patch by teor.
- o Minor features (controller):
- - Add 'GETINFO exit-policy/reject-private/[default,relay]', so
- controllers can examine the the reject rules added by
- ExitPolicyRejectPrivate. This makes it easier for stem to display
- exit policies.
- - Adds the FallbackDir entries to 'GETINFO config/defaults'. Closes
- tickets 16774 and 17817. Patch by George Tankersley.
- - New 'GETINFO hs/service/desc/id/' command to retrieve a hidden
- service descriptor from a service's local hidden service
- descriptor cache. Closes ticket 14846.
- o Minor features (crypto):
- - Add SHA3 and SHAKE support to crypto.c. Closes ticket 17783.
- - Add SHA512 support to crypto.c. Closes ticket 17663; patch from
- George Tankersley.
- - Improve performance when hashing non-multiple of 8 sized buffers,
- based on Andrew Moon's public domain SipHash-2-4 implementation.
- Fixes bug 17544; bugfix on 0.2.5.3-alpha.
- - Validate the hard-coded Diffie-Hellman parameters and ensure that
- p is a safe prime, and g is a suitable generator. Closes
- ticket 18221.
- - When allocating a digest state object, allocate no more space than
- we actually need. Previously, we would allocate as much space as
- the state for the largest algorithm would need. This change saves
- up to 672 bytes per circuit. Closes ticket 17796.
- o Minor features (directory downloads):
- - Add UseDefaultFallbackDirs, which enables any hard-coded fallback
- directory mirrors. The default is 1; set it to 0 to disable
- fallbacks. Implements ticket 17576. Patch by teor.
- - Wait for busy authorities and fallback directories to become non-
- busy when bootstrapping. (A similar change was made in 6c443e987d
- for directory caches chosen from the consensus.) Closes ticket
- 17864; patch by teor.
- o Minor features (geoip):
- - Update geoip and geoip6 to the July 6 2016 Maxmind GeoLite2
- Country database.
- o Minor features (hidden service directory):
- - Streamline relay-side hsdir handling: when relays consider whether
- to accept an uploaded hidden service descriptor, they no longer
- check whether they are one of the relays in the network that is
- "supposed" to handle that descriptor. Implements ticket 18332.
- o Minor features (IPv6):
- - Add ClientPreferIPv6DirPort, which is set to 0 by default. If set
- to 1, tor prefers IPv6 directory addresses.
- - Add ClientUseIPv4, which is set to 1 by default. If set to 0, tor
- avoids using IPv4 for client OR and directory connections.
- - Add address policy assume_action support for IPv6 addresses.
- - Add an argument 'ipv6=address:orport' to the DirAuthority and
- FallbackDir torrc options, to specify an IPv6 address for an
- authority or fallback directory. Add hard-coded ipv6 addresses for
- directory authorities that have them. Closes ticket 17327; patch
- from Nick Mathewson and teor.
- - Allow users to configure directory authorities and fallback
- directory servers with IPv6 addresses and ORPorts. Resolves
- ticket 6027.
- - Limit IPv6 mask bits to 128.
- - Make tor_ersatz_socketpair work on IPv6-only systems. Fixes bug
- 17638; bugfix on 0.0.2pre8. Patch by teor.
- - Try harder to obey the IP version restrictions "ClientUseIPv4 0",
- "ClientUseIPv6 0", "ClientPreferIPv6ORPort", and
- "ClientPreferIPv6DirPort". Closes ticket 17840; patch by teor.
- - Warn when comparing against an AF_UNSPEC address in a policy, it's
- almost always a bug. Closes ticket 17863; patch by teor.
- - routerset_parse now accepts IPv6 literal addresses. Fixes bug
- 17060; bugfix on 0.2.1.3-alpha. Patch by teor.
- o Minor features (Linux seccomp2 sandbox):
- - Reject attempts to change our Address with "Sandbox 1" enabled.
- Changing Address with Sandbox turned on would never actually work,
- but previously it would fail in strange and confusing ways. Found
- while fixing 18548.
- o Minor features (logging):
- - When logging to syslog, allow a tag to be added to the syslog
- identity (the string prepended to every log message). The tag can
- be configured with SyslogIdentityTag and defaults to none. Setting
- it to "foo" will cause logs to be tagged as "Tor-foo". Closes
- ticket 17194.
- o Minor features (portability):
- - Use timingsafe_memcmp() where available. Closes ticket 17944;
- patch from <logan@hackers.mu>.
- o Minor features (relay, address discovery):
- - Add a family argument to get_interface_addresses_raw() and
- subfunctions to make network interface address interogation more
- efficient. Now Tor can specifically ask for IPv4, IPv6 or both
- types of interfaces from the operating system. Resolves
- ticket 17950.
- - When get_interface_address6_list(.,AF_UNSPEC,.) is called and
- fails to enumerate interface addresses using the platform-specific
- API, have it rely on the UDP socket fallback technique to try and
- find out what IP addresses (both IPv4 and IPv6) our machine has.
- Resolves ticket 17951.
- o Minor features (replay cache):
- - The replay cache now uses SHA256 instead of SHA1. Implements
- feature 8961. Patch by teor, issue reported by rransom.
- o Minor features (robustness):
- - Exit immediately with an error message if the code attempts to use
- Libevent without having initialized it. This should resolve some
- frequently-made mistakes in our unit tests. Closes ticket 18241.
- o Minor features (security, clock):
- - Warn when the system clock appears to move back in time (when the
- state file was last written in the future). Tor doesn't know that
- consensuses have expired if the clock is in the past. Patch by
- teor. Implements ticket 17188.
- o Minor features (security, exit policies):
- - ExitPolicyRejectPrivate now rejects more private addresses by
- default. Specifically, it now rejects the relay's outbound bind
- addresses (if configured), and the relay's configured port
- addresses (such as ORPort and DirPort). Fixes bug 17027; bugfix on
- 0.2.0.11-alpha. Patch by teor.
- o Minor features (security, memory erasure):
- - Make memwipe() do nothing when passed a NULL pointer or buffer of
- zero size. Check size argument to memwipe() for underflow. Fixes
- bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
- patch by teor.
- - Set the unused entries in a smartlist to NULL. This helped catch
- a (harmless) bug, and shouldn't affect performance too much.
- Implements ticket 17026.
- - Use SecureMemoryWipe() function to securely clean memory on
- Windows. Previously we'd use OpenSSL's OPENSSL_cleanse() function.
- Implements feature 17986.
- - Use explicit_bzero or memset_s when present. Previously, we'd use
- OpenSSL's OPENSSL_cleanse() function. Closes ticket 7419; patches
- from <logan@hackers.mu> and <selven@hackers.mu>.
- o Minor features (security, RNG):
- - Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely,
- positively are not allowed to fail. Previously we depended on
- internal details of OpenSSL's behavior. Closes ticket 17686.
- - Never use the system entropy output directly for anything besides
- seeding the PRNG. When we want to generate important keys, instead
- of using system entropy directly, we now hash it with the PRNG
- stream. This may help resist certain attacks based on broken OS
- entropy implementations. Closes part of ticket 17694.
- - Use modern system calls (like getentropy() or getrandom()) to
- generate strong entropy on platforms that have them. Closes
- ticket 13696.
- o Minor features (security, win32):
- - Set SO_EXCLUSIVEADDRUSE on Win32 to avoid a local port-stealing
- attack. Fixes bug 18123; bugfix on all tor versions. Patch
- by teor.
- o Minor features (unix domain sockets):
- - Add a new per-socket option, RelaxDirModeCheck, to allow creating
- Unix domain sockets without checking the permissions on the parent
- directory. (Tor checks permissions by default because some
- operating systems only check permissions on the parent directory.
- However, some operating systems do look at permissions on the
- socket, and tor's default check is unneeded.) Closes ticket 18458.
- Patch by weasel.
- o Minor features (unix file permissions):
- - Defer creation of Unix sockets until after setuid. This avoids
- needing CAP_CHOWN and CAP_FOWNER when using systemd's
- CapabilityBoundingSet, or chown and fowner when using SELinux.
- Implements part of ticket 17562. Patch from Jamie Nguyen.
- - If any directory created by Tor is marked as group readable, the
- filesystem group is allowed to be either the default GID or the
- root user. Allowing root to read the DataDirectory prevents the
- need for CAP_READ_SEARCH when using systemd's
- CapabilityBoundingSet, or dac_read_search when using SELinux.
- Implements part of ticket 17562. Patch from Jamie Nguyen.
- - Introduce a new DataDirectoryGroupReadable option. If it is set to
- 1, the DataDirectory will be made readable by the default GID.
- Implements part of ticket 17562. Patch from Jamie Nguyen.
- o Minor bugfixes (accounting):
- - The max bandwidth when using 'AccountRule sum' is now correctly
- logged. Fixes bug 18024; bugfix on 0.2.6.1-alpha. Patch
- from "unixninja92".
- o Minor bugfixes (assert, portability):
- - Fix an assertion failure in memarea.c on systems where "long" is
- shorter than the size of a pointer. Fixes bug 18716; bugfix
- on 0.2.1.1-alpha.
- o Minor bugfixes (bootstrap):
- - Consistently use the consensus download schedule for authority
- certificates. Fixes bug 18816; bugfix on 0.2.4.13-alpha.
- o Minor bugfixes (build):
- - Avoid spurious failures from configure files related to calling
- exit(0) in TOR_SEARCH_LIBRARY. Fixes bug 18625; bugfix on
- 0.2.0.1-alpha. Patch from "cypherpunks".
- - Do not link the unit tests against both the testing and non-
- testing versions of the static libraries. Fixes bug 18490; bugfix
- on 0.2.7.1-alpha.
- - Resolve warnings when building on systems that are concerned with
- signed char. Fixes bug 18728; bugfix on 0.2.7.2-alpha
- and 0.2.6.1-alpha.
- - Silence spurious clang-scan warnings in the ed25519_donna code by
- explicitly initializing some objects. Fixes bug 18384; bugfix on
- 0.2.7.2-alpha. Patch by teor.
- - When libscrypt.h is found, but no libscrypt library can be linked,
- treat libscrypt as absent. Fixes bug 19161; bugfix
- on 0.2.6.1-alpha.
- - Cause the unit tests to compile correctly on mingw64 versions that
- lack sscanf. Fixes bug 19213; bugfix on 0.2.7.1-alpha.
- - Don't try to use the pthread_condattr_setclock() function unless
- it actually exists. Fixes compilation on NetBSD-6.x. Fixes bug
- 17819; bugfix on 0.2.6.3-alpha.
- - Fix backtrace compilation on FreeBSD. Fixes bug 17827; bugfix
- on 0.2.5.2-alpha.
- - Fix search for libevent libraries on OpenBSD (and other systems
- that install libevent 1 and libevent 2 in parallel). Fixes bug
- 16651; bugfix on 0.1.0.7-rc. Patch from "rubiate".
- - Isolate environment variables meant for tests from the rest of the
- build system. Fixes bug 17818; bugfix on 0.2.7.3-rc.
- - Mark all object files that include micro-revision.i as depending
- on it, so as to make parallel builds more reliable. Fixes bug
- 17826; bugfix on 0.2.5.1-alpha.
- - Remove config.log only from make distclean, not from make clean.
- Fixes bug 17924; bugfix on 0.2.4.1-alpha.
- - Replace usage of 'INLINE' with 'inline'. Fixes bug 17804; bugfix
- on 0.0.2pre8.
- - Remove an #endif from configure.ac so that we correctly detect the
- presence of in6_addr.s6_addr32. Fixes bug 17923; bugfix
- on 0.2.0.13-alpha.
- o Minor bugfixes (client, bootstrap):
- - Count receipt of new microdescriptors as progress towards
- bootstrapping. Previously, with EntryNodes set, Tor might not
- successfully repopulate the guard set on bootstrapping. Fixes bug
- 16825; bugfix on 0.2.3.1-alpha.
- o Minor bugfixes (code correctness):
- - Fix a bad memory handling bug that would occur if we had queued a
- cell on a channel's incoming queue. Fortunately, we can't actually
- queue a cell like that as our code is constructed today, but it's
- best to avoid this kind of error, even if there isn't any code
- that triggers it today. Fixes bug 18570; bugfix on 0.2.4.4-alpha.
- - Assert that allocated memory held by the reputation code is freed
- according to its internal counters. Fixes bug 17753; bugfix
- on 0.1.1.1-alpha.
- - Assert when the TLS contexts fail to initialize. Fixes bug 17683;
- bugfix on 0.0.6.
- - Update to the latest version of Trunnel, which tries harder to
- avoid generating code that can invoke memcpy(p,NULL,0). Bug found
- by clang address sanitizer. Fixes bug 18373; bugfix
- on 0.2.7.2-alpha.
- - When closing an entry connection, generate a warning if we should
- have sent an end cell for it but we haven't. Fixes bug 17876;
- bugfix on 0.2.3.2-alpha.
- o Minor bugfixes (configuration):
- - Fix a tiny memory leak when parsing a port configuration ending in
- ":auto". Fixes bug 18374; bugfix on 0.2.3.3-alpha.
- o Minor bugfixes (containers):
- - If we somehow attempt to construct a heap with more than
- 1073741822 elements, avoid an integer overflow when maintaining
- the heap property. Fixes bug 18296; bugfix on 0.1.2.1-alpha.
- o Minor bugfixes (controller, microdescriptors):
- - Make GETINFO dir/status-vote/current/consensus conform to the
- control specification by returning "551 Could not open cached
- consensus..." when not caching consensuses. Fixes bug 18920;
- bugfix on 0.2.2.6-alpha.
- o Minor bugfixes (crypto):
- - Check the return value of HMAC() and assert on failure. Fixes bug
- 17658; bugfix on 0.2.3.6-alpha. Patch by teor.
- o Minor bugfixes (directories):
- - When fetching extrainfo documents, compare their SHA256 digests
- and Ed25519 signing key certificates with the routerinfo that led
- us to fetch them, rather than with the most recent routerinfo.
- Otherwise we generate many spurious warnings about mismatches.
- Fixes bug 17150; bugfix on 0.2.7.2-alpha.
- - When generating a URL for a directory server on an IPv6 address,
- wrap the IPv6 address in square brackets. Fixes bug 18051; bugfix
- on 0.2.3.9-alpha. Patch from Malek.
- o Minor bugfixes (downloading):
- - Predict more correctly whether we'll be downloading over HTTP when
- we determine the maximum length of a URL. This should avoid a
- "BUG" warning about the Squid HTTP proxy and its URL limits. Fixes
- bug 19191.
- o Minor bugfixes (exit policies, security):
- - Refresh an exit relay's exit policy when interface addresses
- change. Previously, tor only refreshed the exit policy when the
- configured external address changed. Fixes bug 18208; bugfix on
- 0.2.7.3-rc. Patch by teor.
- o Minor bugfixes (fallback directories):
- - Mark fallbacks as "too busy" when they return a 503 response,
- rather than just marking authorities. Fixes bug 17572; bugfix on
- 0.2.4.7-alpha. Patch by teor.
- - When requesting extrainfo descriptors from a trusted directory
- server, check whether it is an authority or a fallback directory
- which supports extrainfo descriptors. Fixes bug 18489; bugfix on
- 0.2.4.7-alpha. Reported by atagar, patch by teor.
- o Minor bugfixes (hidden service, client):
- - Handle the case where the user makes several fast consecutive
- requests to the same .onion address. Previously, the first six
- requests would each trigger a descriptor fetch, each picking a
- directory (there are 6 overall) and the seventh one would fail
- because no directories were left, thereby triggering a close on
- all current directory connections asking for the hidden service.
- The solution here is to not close the connections if we have
- pending directory fetches. Fixes bug 15937; bugfix
- on 0.2.7.1-alpha.
- o Minor bugfixes (hidden service, control port):
- - Add the onion address to the HS_DESC event for the UPLOADED action
- both on success or failure. It was previously hardcoded with
- UNKNOWN. Fixes bug 16023; bugfix on 0.2.7.2-alpha.
- o Minor bugfixes (hidden service, directory):
- - Bridges now refuse "rendezvous2" (hidden service descriptor)
- publish attempts. Suggested by ticket 18332.
- o Minor bugfixes (IPv6):
- - Update the limits in max_dl_per_request for IPv6 address length.
- Fixes bug 17573; bugfix on 0.2.1.5-alpha.
- o Minor bugfixes (Linux seccomp2 sandbox):
- - Allow more syscalls when running with "Sandbox 1" enabled:
- sysinfo, getsockopt(SO_SNDBUF), and setsockopt(SO_SNDBUFFORCE). On
- some systems, these are required for Tor to start. Fixes bug
- 18397; bugfix on 0.2.5.1-alpha. Patch from Daniel Pinto.
- - Allow IPPROTO_UDP datagram sockets when running with "Sandbox 1",
- so that get_interface_address6_via_udp_socket_hack() can work.
- Fixes bug 19660; bugfix on 0.2.5.1-alpha.
- - Allow the setrlimit syscall, and the prlimit and prlimit64
- syscalls, which some libc implementations use under the hood.
- Fixes bug 15221; bugfix on 0.2.5.1-alpha.
- - Avoid a 10-second delay when starting as a client with "Sandbox 1"
- enabled and no DNS resolvers configured. This should help TAILS
- start up faster. Fixes bug 18548; bugfix on 0.2.5.1-alpha.
- - Fix a crash when using offline master ed25519 keys with the Linux
- seccomp2 sandbox enabled. Fixes bug 17675; bugfix on 0.2.7.3-rc.
- - Allow statistics to be written to disk when "Sandbox 1" is
- enabled. Fixes bugs 19556 and 19957; bugfix on 0.2.5.1-alpha and
- 0.2.6.1-alpha respectively.
- o Minor bugfixes (logging):
- - In log messages that include a function name, use __FUNCTION__
- instead of __PRETTY_FUNCTION__. In GCC, these are synonymous, but
- with clang __PRETTY_FUNCTION__ has extra information we don't
- need. Fixes bug 16563; bugfix on 0.0.2pre8. Fix by Tom van
- der Woerdt.
- - Remove needless quotes from a log message about unparseable
- addresses. Fixes bug 17843; bugfix on 0.2.3.3-alpha.
- - Scrub service name in "unrecognized service ID" log messages.
- Fixes bug 18600; bugfix on 0.2.4.11-alpha.
- - When logging information about an unparsable networkstatus vote or
- consensus, do not say "vote" when we mean consensus. Fixes bug
- 18368; bugfix on 0.2.0.8-alpha.
- - When we can't generate a signing key because OfflineMasterKey is
- set, do not imply that we should have been able to load it. Fixes
- bug 18133; bugfix on 0.2.7.2-alpha.
- - When logging a malformed hostname received through socks4, scrub
- it if SafeLogging says we should. Fixes bug 17419; bugfix
- on 0.1.1.16-rc.
- o Minor bugfixes (memory safety):
- - Avoid freeing an uninitialized pointer when opening a socket fails
- in get_interface_addresses_ioctl(). Fixes bug 18454; bugfix on
- 0.2.3.11-alpha. Reported by toralf and "cypherpunks", patch
- by teor.
- - Fix a memory leak in "tor --list-fingerprint". Fixes part of bug
- 18672; bugfix on 0.2.5.1-alpha.
- - Fix a memory leak in tor-gencert. Fixes part of bug 18672; bugfix
- on 0.2.0.1-alpha.
- o Minor bugfixes (pluggable transports):
- - Avoid reporting a spurious error when we decide that we don't need
- to terminate a pluggable transport because it has already exited.
- Fixes bug 18686; bugfix on 0.2.5.5-alpha.
- o Minor bugfixes (pointer arithmetic):
- - Fix a bug in memarea_alloc() that could have resulted in remote
- heap write access, if Tor had ever passed an unchecked size to
- memarea_alloc(). Fortunately, all the sizes we pass to
- memarea_alloc() are pre-checked to be less than 128 kilobytes.
- Fixes bug 19150; bugfix on 0.2.1.1-alpha. Bug found by
- Guido Vranken.
- o Minor bugfixes (private directory):
- - Prevent a race condition when creating private directories. Fixes
- part of bug 17852; bugfix on 0.0.2pre13. Part of ticket 17852.
- Patch from jsturgix. Found with Flawfinder.
- o Minor bugfixes (relays):
- - Check that both the ORPort and DirPort (if present) are reachable
- before publishing a relay descriptor. Otherwise, relays publish a
- descriptor with DirPort 0 when the DirPort reachability test takes
- longer than the ORPort reachability test. Fixes bug 18050; bugfix
- on 0.1.0.1-rc. Reported by "starlight", patch by teor.
- - Resolve some edge cases where we might launch an ORPort
- reachability check even when DisableNetwork is set. Noticed while
- fixing bug 18616; bugfix on 0.2.3.9-alpha.
- o Minor bugfixes (relays, hidden services):
- - Refuse connection requests to private OR addresses unless
- ExtendAllowPrivateAddresses is set. Previously, tor would connect,
- then refuse to send any cells to a private address. Fixes bugs
- 17674 and 8976; bugfix on 0.2.3.21-rc. Patch by teor.
- o Minor bugfixes (security, hidden services):
- - Prevent hidden services connecting to client-supplied rendezvous
- addresses that are reserved as internal or multicast. Fixes bug
- 8976; bugfix on 0.2.3.21-rc. Patch by dgoulet and teor.
- o Minor bugfixes (statistics):
- - Consistently check for overflow in round_*_to_next_multiple_of
- functions, and add unit tests with additional and maximal values.
- Fixes part of bug 13192; bugfix on 0.2.2.1-alpha.
- - Handle edge cases in the laplace functions: avoid division by
- zero, avoid taking the log of zero, and silence clang type
- conversion warnings using round and trunc. Add unit tests for edge
- cases with maximal values. Fixes part of bug 13192; bugfix
- on 0.2.6.2-alpha.
- - We now include consensus downloads via IPv6 in our directory-
- request statistics. Fixes bug 18460; bugfix on 0.2.3.14-alpha.
- o Minor bugfixes (test networks, IPv6):
- - Allow internal IPv6 addresses in descriptors in test networks.
- Fixes bug 17153; bugfix on 0.2.3.16-alpha. Patch by teor, reported
- by karsten.
- o Minor bugfixes (testing):
- - Check the full results of SHA256 and SHA512 digests in the unit
- tests. Bugfix on 0.2.2.4-alpha. Patch by teor.
- - Fix a memory leak in the ntor test. Fixes bug 17778; bugfix
- on 0.2.4.8-alpha.
- - Fix a small memory leak that would occur when the
- TestingEnableCellStatsEvent option was turned on. Fixes bug 18673;
- bugfix on 0.2.5.2-alpha.
- - Make unit tests pass on IPv6-only systems, and systems without
- localhost addresses (like some FreeBSD jails). Fixes bug 17632;
- bugfix on 0.2.7.3-rc. Patch by teor.
- - The test for log_heartbeat was incorrectly failing in timezones
- with non-integer offsets. Instead of comparing the end of the time
- string against a constant, compare it to the output of
- format_local_iso_time when given the correct input. Fixes bug
- 18039; bugfix on 0.2.5.4-alpha.
- - We no longer disable assertions in the unit tests when coverage is
- enabled. Instead, we require you to say --disable-asserts-in-tests
- to the configure script if you need assertions disabled in the
- unit tests (for example, if you want to perform branch coverage).
- Fixes bug 18242; bugfix on 0.2.7.1-alpha.
- o Minor bugfixes (time handling):
- - When correcting a corrupt 'struct tm' value, fill in the tm_wday
- field. Otherwise, our unit tests crash on Windows. Fixes bug
- 18977; bugfix on 0.2.2.25-alpha.
- - Avoid overflow in tor_timegm when parsing dates in and after 2038
- on platforms with 32-bit time_t. Fixes bug 18479; bugfix on
- 0.0.2pre14. Patch by teor.
- o Minor bugfixes (tor-gencert):
- - Correctly handle the case where an authority operator enters a
- passphrase but sends an EOF before sending a newline. Fixes bug
- 17443; bugfix on 0.2.0.20-rc. Found by junglefowl.
- o Code simplification and refactoring:
- - Clean up a little duplicated code in
- crypto_expand_key_material_TAP(). Closes ticket 17587; patch
- from "pfrankw".
- - Decouple the list of streams waiting to be attached to circuits
- from the overall connection list. This change makes it possible to
- attach streams quickly while simplifying Tor's callgraph and
- avoiding O(N) scans of the entire connection list. Closes
- ticket 17590.
- - Extract the more complicated parts of circuit_mark_for_close()
- into a new function that we run periodically before circuits are
- freed. This change removes more than half of the functions
- currently in the "blob". Closes ticket 17218.
- - Move logging of redundant policy entries in
- policies_parse_exit_policy_internal into its own function. Closes
- ticket 17608; patch from "juce".
- - Quote all the string interpolations in configure.ac -- even those
- which we are pretty sure can't contain spaces. Closes ticket
- 17744. Patch from zerosion.
- - Remove code for configuring OpenSSL dynamic locks; OpenSSL doesn't
- use them. Closes ticket 17926.
- - Remove specialized code for non-inplace AES_CTR. 99% of our AES is
- inplace, so there's no need to have a separate implementation for
- the non-inplace code. Closes ticket 18258. Patch from Malek.
- - Simplify return types for some crypto functions that can't
- actually fail. Patch from Hassan Alsibyani. Closes ticket 18259.
- - When a direct directory request fails immediately on launch,
- instead of relaunching that request from inside the code that
- launches it, instead mark the connection for teardown. This change
- simplifies Tor's callback and prevents the directory-request
- launching code from invoking itself recursively. Closes
- ticket 17589.
- o Documentation:
- - Add a description of the correct use of the '--keygen' command-
- line option. Closes ticket 17583; based on text by 's7r'.
- - Change build messages to refer to "Fedora" instead of "Fedora
- Core", and "dnf" instead of "yum". Closes tickets 18459 and 18426.
- Patches from "icanhasaccount" and "cypherpunks".
- - Document the contents of the 'datadir/keys' subdirectory in the
- manual page. Closes ticket 17621.
- - Document the minimum HeartbeatPeriod value. Closes ticket 15638.
- - Explain actual minima for BandwidthRate. Closes ticket 16382.
- - Fix a minor formatting typo in the manpage. Closes ticket 17791.
- - Mention torspec URL in the manpage and point the reader to it
- whenever we mention a document that belongs in torspce. Fixes
- issue 17392.
- - Stop recommending use of nicknames to identify relays in our
- MapAddress documentation. Closes ticket 18312.
- o Removed features:
- - Remove client-side support for connecting to Tor relays running
- versions of Tor before 0.2.3.6-alpha. These relays didn't support
- the v3 TLS handshake protocol, and are no longer allowed on the
- Tor network. Implements the client side of ticket 11150. Based on
- patches by Tom van der Woerdt.
- - We no longer maintain an internal freelist in memarea.c.
- Allocators should be good enough to make this code unnecessary,
- and it's doubtful that it ever had any performance benefit.
- o Testing:
- - Add unit tests to check for common RNG failure modes, such as
- returning all zeroes, identical values, or incrementing values
- (OpenSSL's rand_predictable feature). Patch by teor.
- - Always test both ed25519 backends, so that we can be sure that our
- batch-open replacement code works. Part of ticket 16794.
- - Cover dns_resolve_impl() in dns.c with unit tests. Implements a
- portion of ticket 16831.
- - Fix several warnings from clang's address sanitizer produced in
- the unit tests.
- - Log more information when the backtrace tests fail. Closes ticket
- 17892. Patch from "cypherpunks."
- - More unit tests for compat_libevent.c, procmon.c, tortls.c,
- util_format.c, directory.c, and options_validate.c. Closes tickets
- 17075, 17082, 17084, 17003, and 17076 respectively. Patches from
- Ola Bini.
- - Treat backtrace test failures as expected on FreeBSD until we
- solve bug 17808. Closes ticket 18204.
- - Unit tests for directory_handle_command_get. Closes ticket 17004.
- Patch from Reinaldo de Souza Jr.
- Changes in version 0.2.7.6 - 2015-12-10
- Tor version 0.2.7.6 fixes a major bug in entry guard selection, as
- well as a minor bug in hidden service reliability.
- o Major bugfixes (guard selection):
- - Actually look at the Guard flag when selecting a new directory
- guard. When we implemented the directory guard design, we
- accidentally started treating all relays as if they have the Guard
- flag during guard selection, leading to weaker anonymity and worse
- performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
- by Mohsen Imani.
- o Minor features (geoip):
- - Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2
- Country database.
- o Minor bugfixes (compilation):
- - When checking for net/pfvar.h, include netinet/in.h if possible.
- This fixes transparent proxy detection on OpenBSD. Fixes bug
- 17551; bugfix on 0.1.2.1-alpha. Patch from "rubiate".
- - Fix a compilation warning with Clang 3.6: Do not check the
- presence of an address which can never be NULL. Fixes bug 17781.
- o Minor bugfixes (correctness):
- - When displaying an IPv6 exit policy, include the mask bits
- correctly even when the number is greater than 31. Fixes bug
- 16056; bugfix on 0.2.4.7-alpha. Patch from "gturner".
- - The wrong list was used when looking up expired intro points in a
- rend service object, causing what we think could be reachability
- issues for hidden services, and triggering a BUG log. Fixes bug
- 16702; bugfix on 0.2.7.2-alpha.
- - Fix undefined behavior in the tor_cert_checksig function. Fixes
- bug 17722; bugfix on 0.2.7.2-alpha.
- Changes in version 0.2.7.5 - 2015-11-20
- The Tor 0.2.7 release series is dedicated to the memory of Tor user
- and privacy advocate Caspar Bowden (1961-2015). Caspar worked
- tirelessly to advocate human rights regardless of national borders,
- and oppose the encroachments of mass surveillance. He opposed national
- exceptionalism, he brought clarity to legal and policy debates, he
- understood and predicted the impact of mass surveillance on the world,
- and he laid the groundwork for resisting it. While serving on the Tor
- Project's board of directors, he brought us his uncompromising focus
- on technical excellence in the service of humankind. Caspar was an
- inimitable force for good and a wonderful friend. He was kind,
- humorous, generous, gallant, and believed we should protect one
- another without exception. We honor him here for his ideals, his
- efforts, and his accomplishments. Please honor his memory with works
- that would make him proud.
- Tor 0.2.7.5 is the first stable release in the Tor 0.2.7 series.
- The 0.2.7 series adds a more secure identity key type for relays,
- improves cryptography performance, resolves several longstanding
- hidden-service performance issues, improves controller support for
- hidden services, and includes small bugfixes and performance
- improvements throughout the program. This release series also includes
- more tests than before, and significant simplifications to which parts
- of Tor invoke which others. For a full list of changes, see below.
- o New system requirements:
- - Tor no longer includes workarounds to support Libevent versions
- before 1.3e. Libevent 2.0 or later is recommended. Closes
- ticket 15248.
- - Tor no longer supports copies of OpenSSL that are missing support
- for Elliptic Curve Cryptography. (We began using ECC when
- available in 0.2.4.8-alpha, for more safe and efficient key
- negotiation.) In particular, support for at least one of P256 or
- P224 is now required, with manual configuration needed if only
- P224 is available. Resolves ticket 16140.
- - Tor no longer supports versions of OpenSSL before 1.0. (If you are
- on an operating system that has not upgraded to OpenSSL 1.0 or
- later, and you compile Tor from source, you will need to install a
- more recent OpenSSL to link Tor against.) These versions of
- OpenSSL are still supported by the OpenSSL, but the numerous
- cryptographic improvements in later OpenSSL releases makes them a
- clear choice. Resolves ticket 16034.
- o Major features (controller):
- - Add the ADD_ONION and DEL_ONION commands that allow the creation
- and management of hidden services via the controller. Closes
- ticket 6411.
- - New "GETINFO onions/current" and "GETINFO onions/detached"
- commands to get information about hidden services created via the
- controller. Part of ticket 6411.
- - New HSFETCH command to launch a request for a hidden service
- descriptor. Closes ticket 14847.
- - New HSPOST command to upload a hidden service descriptor. Closes
- ticket 3523. Patch by "DonnchaC".
- o Major features (Ed25519 identity keys, Proposal 220):
- - Add support for offline encrypted Ed25519 master keys. To use this
- feature on your tor relay, run "tor --keygen" to make a new master
- key (or to make a new signing key if you already have a master
- key). Closes ticket 13642.
- - All relays now maintain a stronger identity key, using the Ed25519
- elliptic curve signature format. This master key is designed so
- that it can be kept offline. Relays also generate an online
- signing key, and a set of other Ed25519 keys and certificates.
- These are all automatically regenerated and rotated as needed.
- Implements part of ticket 12498.
- - Directory authorities now vote on Ed25519 identity keys along with
- RSA1024 keys. Implements part of ticket 12498.
- - Directory authorities track which Ed25519 identity keys have been
- used with which RSA1024 identity keys, and do not allow them to
- vary freely. Implements part of ticket 12498.
- - Microdescriptors now include Ed25519 identity keys. Implements
- part of ticket 12498.
- - Add a --newpass option to allow changing or removing the
- passphrase of an encrypted key with tor --keygen. Implements part
- of ticket 16769.
- - Add a new OfflineMasterKey option to tell Tor never to try loading
- or generating a secret Ed25519 identity key. You can use this in
- combination with tor --keygen to manage offline and/or encrypted
- Ed25519 keys. Implements ticket 16944.
- - On receiving a HUP signal, check to see whether the Ed25519
- signing key has changed, and reload it if so. Closes ticket 16790.
- - Significant usability improvements for Ed25519 key management. Log
- messages are better, and the code can recover from far more
- failure conditions. Thanks to "s7r" for reporting and diagnosing
- so many of these!
- o Major features (ECC performance):
- - Improve the runtime speed of Ed25519 signature verification by
- using Ed25519-donna's batch verification support. Implements
- ticket 16533.
- - Improve the speed of Ed25519 operations and Curve25519 keypair
- generation when built targeting 32 bit x86 platforms with SSE2
- available. Implements ticket 16535.
- - Improve the runtime speed of Ed25519 operations by using the
- public-domain Ed25519-donna by Andrew M. ("floodyberry").
- Implements ticket 16467.
- - Improve the runtime speed of the ntor handshake by using an
- optimized curve25519 basepoint scalarmult implementation from the
- public-domain Ed25519-donna by Andrew M. ("floodyberry"), based on
- ideas by Adam Langley. Implements ticket 9663.
- o Major features (Hidden services):
- - Hidden services, if using the EntryNodes option, are required to
- use more than one EntryNode, in order to avoid a guard discovery
- attack. (This would only affect people who had configured hidden
- services and manually specified the EntryNodes option with a
- single entry-node. The impact was that it would be easy to
- remotely identify the guard node used by such a hidden service.
- See ticket for more information.) Fixes ticket 14917.
- - Add the torrc option HiddenServiceNumIntroductionPoints, to
- specify a fixed number of introduction points. Its maximum value
- is 10 and default is 3. Using this option can increase a hidden
- service's reliability under load, at the cost of making it more
- visible that the hidden service is facing extra load. Closes
- ticket 4862.
- - Remove the adaptive algorithm for choosing the number of
- introduction points, which used to change the number of
- introduction points (poorly) depending on the number of
- connections the HS sees. Closes ticket 4862.
- o Major features (onion key cross-certification):
- - Relay descriptors now include signatures of their own identity
- keys, made using the TAP and ntor onion keys. These signatures
- allow relays to prove ownership of their own onion keys. Because
- of this change, microdescriptors will no longer need to include
- RSA identity keys. Implements proposal 228; closes ticket 12499.
- o Major bugfixes (client-side privacy, also in 0.2.6.9):
- - Properly separate out each SOCKSPort when applying stream
- isolation. The error occurred because each port's session group
- was being overwritten by a default value when the listener
- connection was initialized. Fixes bug 16247; bugfix on
- 0.2.6.3-alpha. Patch by "jojelino".
- o Major bugfixes (hidden service clients, stability, also in 0.2.6.10):
- - Stop refusing to store updated hidden service descriptors on a
- client. This reverts commit 9407040c59218 (which indeed fixed bug
- 14219, but introduced a major hidden service reachability
- regression detailed in bug 16381). This is a temporary fix since
- we can live with the minor issue in bug 14219 (it just results in
- some load on the network) but the regression of 16381 is too much
- of a setback. First-round fix for bug 16381; bugfix
- on 0.2.6.3-alpha.
- o Major bugfixes (hidden services):
- - Revert commit that made directory authorities assign the HSDir
- flag to relay without a DirPort; this was bad because such relays
- can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
- on 0.2.6.3-alpha.
- - When cannibalizing a circuit for an introduction point, always
- extend to the chosen exit node (creating a 4 hop circuit).
- Previously Tor would use the current circuit exit node, which
- changed the original choice of introduction point, and could cause
- the hidden service to skip excluded introduction points or
- reconnect to a skipped introduction point. Fixes bug 16260; bugfix
- on 0.1.0.1-rc.
- o Major bugfixes (memory leaks):
- - Fix a memory leak in ed25519 batch signature checking. Fixes bug
- 17398; bugfix on 0.2.6.1-alpha.
- o Major bugfixes (open file limit):
- - The open file limit wasn't checked before calling
- tor_accept_socket_nonblocking(), which would make Tor exceed the
- limit. Now, before opening a new socket, Tor validates the open
- file limit just before, and if the max has been reached, return an
- error. Fixes bug 16288; bugfix on 0.1.1.1-alpha.
- o Major bugfixes (security, correctness):
- - Fix an error that could cause us to read 4 bytes before the
- beginning of an openssl string. This bug could be used to cause
- Tor to crash on systems with unusual malloc implementations, or
- systems with unusual hardening installed. Fixes bug 17404; bugfix
- on 0.2.3.6-alpha.
- o Major bugfixes (stability, also in 0.2.6.10):
- - Stop crashing with an assertion failure when parsing certain kinds
- of malformed or truncated microdescriptors. Fixes bug 16400;
- bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch
- by "cypherpunks_backup".
- - Stop random client-side assertion failures that could occur when
- connecting to a busy hidden service, or connecting to a hidden
- service while a NEWNYM is in progress. Fixes bug 16013; bugfix
- on 0.1.0.1-rc.
- o Minor features (client, SOCKS):
- - Add GroupWritable and WorldWritable options to unix-socket based
- SocksPort and ControlPort options. These options apply to a single
- socket, and override {Control,Socks}SocketsGroupWritable. Closes
- ticket 15220.
- - Relax the validation done to hostnames in SOCKS5 requests, and
- allow a single trailing '.' to cope with clients that pass FQDNs
- using that syntax to explicitly indicate that the domain name is
- fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
- - Relax the validation of hostnames in SOCKS5 requests, allowing the
- character '_' to appear, in order to cope with domains observed in
- the wild that are serving non-RFC compliant records. Resolves
- ticket 16430.
- o Minor features (client-side privacy):
- - New KeepAliveIsolateSOCKSAuth option to indefinitely extend circuit
- lifespan when IsolateSOCKSAuth and streams with SOCKS
- authentication are attached to the circuit. This allows
- applications like TorBrowser to manage circuit lifetime on their
- own. Implements feature 15482.
- - When logging malformed hostnames from SOCKS5 requests, respect
- SafeLogging configuration. Fixes bug 16891; bugfix on 0.1.1.16-rc.
- o Minor features (clock-jump tolerance):
- - Recover better when our clock jumps back many hours, like might
- happen for Tails or Whonix users who start with a very wrong
- hardware clock, use Tor to discover a more accurate time, and then
- fix their clock. Resolves part of ticket 8766.
- o Minor features (command-line interface):
- - Make --hash-password imply --hush to prevent unnecessary noise.
- Closes ticket 15542. Patch from "cypherpunks".
- - Print a warning whenever we find a relative file path being used
- as torrc option. Resolves issue 14018.
- o Minor features (compilation):
- - Give a warning as early as possible when trying to build with an
- unsupported OpenSSL version. Closes ticket 16901.
- - Use C99 variadic macros when the compiler is not GCC. This avoids
- failing compilations on MSVC, and fixes a log-file-based race
- condition in our old workarounds. Original patch from Gisle Vanem.
- o Minor features (control protocol):
- - Support network-liveness GETINFO key and NETWORK_LIVENESS event in
- the control protocol. Resolves ticket 15358.
- o Minor features (controller):
- - Add DirAuthority lines for default directory authorities to the
- output of the "GETINFO config/defaults" command if not already
- present. Implements ticket 14840.
- - Controllers can now use "GETINFO hs/client/desc/id/..." to
- retrieve items from the client's hidden service descriptor cache.
- Closes ticket 14845.
- - Implement a new controller command "GETINFO status/fresh-relay-
- descs" to fetch a descriptor/extrainfo pair that was generated on
- demand just for the controller's use. Implements ticket 14784.
- o Minor features (directory authorities):
- - Directory authorities no longer vote against the "Fast", "Stable",
- and "HSDir" flags just because they were going to vote against
- "Running": if the consensus turns out to be that the router was
- running, then the authority's vote should count. Patch from Peter
- Retzlaff; closes issue 8712.
- o Minor features (directory authorities, security, also in 0.2.6.9):
- - The HSDir flag given by authorities now requires the Stable flag.
- For the current network, this results in going from 2887 to 2806
- HSDirs. Also, it makes it harder for an attacker to launch a sybil
- attack by raising the effort for a relay to become Stable to
- require at the very least 7 days, while maintaining the 96 hours
- uptime requirement for HSDir. Implements ticket 8243.
- o Minor features (DoS-resistance):
- - Make it harder for attackers to overload hidden services with
- introductions, by blocking multiple introduction requests on the
- same circuit. Resolves ticket 15515.
- o Minor features (geoip):
- - Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2
- Country database.
- o Minor features (hidden services):
- - Add the new options "HiddenServiceMaxStreams" and
- "HiddenServiceMaxStreamsCloseCircuit" to allow hidden services to
- limit the maximum number of simultaneous streams per circuit, and
- optionally tear down the circuit when the limit is exceeded. Part
- of ticket 16052.
- - Client now uses an introduction point failure cache to know when
- to fetch or keep a descriptor in their cache. Previously, failures
- were recorded implicitly, but not explicitly remembered. Closes
- ticket 16389.
- - Relays need to have the Fast flag to get the HSDir flag. As this
- is being written, we'll go from 2745 HSDirs down to 2342, a ~14%
- drop. This change should make some attacks against the hidden
- service directory system harder. Fixes ticket 15963.
- - Turn on hidden service statistics collection by setting the torrc
- option HiddenServiceStatistics to "1" by default. (This keeps
- track only of the fraction of traffic used by hidden services, and
- the total number of hidden services in existence.) Closes
- ticket 15254.
- - To avoid leaking HS popularity, don't cycle the introduction point
- when we've handled a fixed number of INTRODUCE2 cells but instead
- cycle it when a random number of introductions is reached, thus
- making it more difficult for an attacker to find out the amount of
- clients that have used the introduction point for a specific HS.
- Closes ticket 15745.
- o Minor features (logging):
- - Include the Tor version in all LD_BUG log messages, since people
- tend to cut and paste those into the bugtracker. Implements
- ticket 15026.
- o Minor features (pluggable transports):
- - When launching managed pluggable transports on Linux systems,
- attempt to have the kernel deliver a SIGTERM on tor exit if the
- pluggable transport process is still running. Resolves
- ticket 15471.
- - When launching managed pluggable transports, setup a valid open
- stdin in the child process that can be used to detect if tor has
- terminated. The "TOR_PT_EXIT_ON_STDIN_CLOSE" environment variable
- can be used by implementations to detect this new behavior.
- Resolves ticket 15435.
- o Minor bugfixes (torrc exit policies):
- - In each instance above, usage advice is provided to avoid the
- message. Resolves ticket 16069. Patch by "teor". Fixes part of bug
- 16069; bugfix on 0.2.4.7-alpha.
- - In torrc, "accept6 *" and "reject6 *" ExitPolicy lines now only
- produce IPv6 wildcard addresses. Previously they would produce
- both IPv4 and IPv6 wildcard addresses. Patch by "teor". Fixes part
- of bug 16069; bugfix on 0.2.4.7-alpha.
- - When parsing torrc ExitPolicies, we now issue an info-level
- message when expanding an "accept/reject *" line to include both
- IPv4 and IPv6 wildcard addresses. Related to ticket 16069.
- - When parsing torrc ExitPolicies, we now warn for a number of cases
- where the user's intent is likely to differ from Tor's actual
- behavior. These include: using an IPv4 address with an accept6 or
- reject6 line; using "private" on an accept6 or reject6 line; and
- including any ExitPolicy lines after accept *:* or reject *:*.
- Related to ticket 16069.
- o Minor bugfixes (command-line interface):
- - When "--quiet" is provided along with "--validate-config", do not
- write anything to stdout on success. Fixes bug 14994; bugfix
- on 0.2.3.3-alpha.
- - When complaining about bad arguments to "--dump-config", use
- stderr, not stdout.
- - Print usage information for --dump-config when it is used without
- an argument. Also, fix the error message to use different wording
- and add newline at the end. Fixes bug 15541; bugfix
- on 0.2.5.1-alpha.
- o Minor bugfixes (compilation):
- - Fix compilation of sandbox.c with musl-libc. Fixes bug 17347;
- bugfix on 0.2.5.1-alpha. Patch from 'jamestk'.
- - Repair compilation with the most recent (unreleased, alpha)
- vesions of OpenSSL 1.1. Fixes part of ticket 17237.
- o Minor bugfixes (compilation, also in 0.2.6.9):
- - Build with --enable-systemd correctly when libsystemd is
- installed, but systemd is not. Fixes bug 16164; bugfix on
- 0.2.6.3-alpha. Patch from Peter Palfrader.
- o Minor bugfixes (configuration, unit tests):
- - Only add the default fallback directories when the DirAuthorities,
- AlternateDirAuthority, and FallbackDir directory config options
- are set to their defaults. The default fallback directory list is
- currently empty, this fix will only change tor's behavior when it
- has default fallback directories. Includes unit tests for
- consider_adding_dir_servers(). Fixes bug 15642; bugfix on
- 90f6071d8dc0 in 0.2.4.7-alpha. Patch by "teor".
- o Minor bugfixes (controller):
- - Add the descriptor ID in each HS_DESC control event. It was
- missing, but specified in control-spec.txt. Fixes bug 15881;
- bugfix on 0.2.5.2-alpha.
- o Minor bugfixes (correctness):
- - For correctness, avoid modifying a constant string in
- handle_control_postdescriptor. Fixes bug 15546; bugfix
- on 0.1.1.16-rc.
- - Remove side-effects from tor_assert() calls. This was harmless,
- because we never disable assertions, but it is bad style and
- unnecessary. Fixes bug 15211; bugfix on 0.2.5.5, 0.2.2.36,
- and 0.2.0.10.
- - When calling channel_free_list(), avoid calling smartlist_remove()
- while inside a FOREACH loop. This partially reverts commit
- 17356fe7fd96af where the correct SMARTLIST_DEL_CURRENT was
- incorrectly removed. Fixes bug 16924; bugfix on 0.2.4.4-alpha.
- o Minor bugfixes (crypto error-handling, also in 0.2.6.10):
- - Check for failures from crypto_early_init, and refuse to continue.
- A previous typo meant that we could keep going with an
- uninitialized crypto library, and would have OpenSSL initialize
- its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
- when implementing ticket 4900. Patch by "teor".
- o Minor bugfixes (hidden service):
- - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
- a client authorized hidden service. Fixes bug 15823; bugfix
- on 0.2.1.6-alpha.
- - Remove an extraneous newline character from the end of hidden
- service descriptors. Fixes bug 15296; bugfix on 0.2.0.10-alpha.
- o Minor bugfixes (Linux seccomp2 sandbox):
- - Use the sandbox in tor_open_cloexec whether or not O_CLOEXEC is
- defined. Patch by "teor". Fixes bug 16515; bugfix on 0.2.3.1-alpha.
- - Allow bridge authorities to run correctly under the seccomp2
- sandbox. Fixes bug 16964; bugfix on 0.2.5.1-alpha.
- - Add the "hidserv-stats" filename to our sandbox filter for the
- HiddenServiceStatistics option to work properly. Fixes bug 17354;
- bugfix on 0.2.6.2-alpha. Patch from David Goulet.
- o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.10):
- - Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
- these when eventfd2() support is missing. Fixes bug 16363; bugfix
- on 0.2.6.3-alpha. Patch from "teor".
- o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.9):
- - Allow systemd connections to work with the Linux seccomp2 sandbox
- code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
- Peter Palfrader.
- - Fix sandboxing to work when running as a relay, by allowing the
- renaming of secret_id_key, and allowing the eventfd2 and futex
- syscalls. Fixes bug 16244; bugfix on 0.2.6.1-alpha. Patch by
- Peter Palfrader.
- o Minor bugfixes (logging):
- - When building Tor under Clang, do not include an extra set of
- parentheses in log messages that include function names. Fixes bug
- 15269; bugfix on every released version of Tor when compiled with
- recent enough Clang.
- o Minor bugfixes (network):
- - When attempting to use fallback technique for network interface
- lookup, disregard loopback and multicast addresses since they are
- unsuitable for public communications.
- o Minor bugfixes (open file limit):
- - Fix set_max_file_descriptors() to set by default the max open file
- limit to the current limit when setrlimit() fails. Fixes bug
- 16274; bugfix on tor- 0.2.0.10-alpha. Patch by dgoulet.
- o Minor bugfixes (portability):
- - Check correctly for Windows socket errors in the workqueue
- backend. Fixes bug 16741; bugfix on 0.2.6.3-alpha.
- - Try harder to normalize the exit status of the Tor process to the
- standard-provided range. Fixes bug 16975; bugfix on every version
- of Tor ever.
- - Use libexecinfo on FreeBSD to enable backtrace support. Fixes part
- of bug 17151; bugfix on 0.2.5.2-alpha. Patch from Marcin Cieślak.
- o Minor bugfixes (relay):
- - Ensure that worker threads actually exit when a fatal error or
- shutdown is indicated. This fix doesn't currently affect the
- behavior of Tor, because Tor workers never indicates fatal error
- or shutdown except in the unit tests. Fixes bug 16868; bugfix
- on 0.2.6.3-alpha.
- - Fix a rarely-encountered memory leak when failing to initialize
- the thread pool. Fixes bug 16631; bugfix on 0.2.6.3-alpha. Patch
- from "cypherpunks".
- - Unblock threads before releasing the work queue mutex to ensure
- predictable scheduling behavior. Fixes bug 16644; bugfix
- on 0.2.6.3-alpha.
- o Minor bugfixes (security, exit policies):
- - ExitPolicyRejectPrivate now also rejects the relay's published
- IPv6 address (if any), and any publicly routable IPv4 or IPv6
- addresses on any local interfaces. ticket 17027. Patch by "teor".
- Fixes bug 17027; bugfix on 0.2.0.11-alpha.
- o Minor bugfixes (statistics):
- - Disregard the ConnDirectionStatistics torrc options when Tor is
- not a relay since in that mode of operation no sensible data is
- being collected and because Tor might run into measurement hiccups
- when running as a client for some time, then becoming a relay.
- Fixes bug 15604; bugfix on 0.2.2.35.
- o Minor bugfixes (systemd):
- - Tor's systemd unit file no longer contains extraneous spaces.
- These spaces would sometimes confuse tools like deb-systemd-
- helper. Fixes bug 16162; bugfix on 0.2.5.5-alpha.
- o Minor bugfixes (test networks):
- - When self-testing reachability, use ExtendAllowPrivateAddresses to
- determine if local/private addresses imply reachability. The
- previous fix used TestingTorNetwork, which implies
- ExtendAllowPrivateAddresses, but this excluded rare configurations
- where ExtendAllowPrivateAddresses is set but TestingTorNetwork is
- not. Fixes bug 15771; bugfix on 0.2.6.1-alpha. Patch by "teor",
- issue discovered by CJ Ess.
- o Minor bugfixes (tests, also in 0.2.6.9):
- - Fix a crash in the unit tests when built with MSVC2013. Fixes bug
- 16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
- o Code simplification and refactoring:
- - Change the function that's called when we need to retry all
- downloads so that it only reschedules the downloads to happen
- immediately, rather than launching them all at once itself. This
- further simplifies Tor's callgraph.
- - Define WINVER and _WIN32_WINNT centrally, in orconfig.h, in order
- to ensure they remain consistent and visible everywhere.
- - Move some format-parsing functions out of crypto.c and
- crypto_curve25519.c into crypto_format.c and/or util_format.c.
- - Move the client-only parts of init_keys() into a separate
- function. Closes ticket 16763.
- - Move the hacky fallback code out of get_interface_address6() into
- separate function and get it covered with unit-tests. Resolves
- ticket 14710.
- - Refactor hidden service client-side cache lookup to intelligently
- report its various failure cases, and disentangle failure cases
- involving a lack of introduction points. Closes ticket 14391.
- - Remove some vestigial workarounds for the MSVC6 compiler. We
- haven't supported that in ages.
- - Remove the unused "nulterminate" argument from buf_pullup().
- - Simplify the microdesc_free() implementation so that it no longer
- appears (to code analysis tools) to potentially invoke a huge
- suite of other microdesc functions.
- - Simply the control graph further by deferring the inner body of
- directory_all_unreachable() into a callback. Closes ticket 16762.
- - The link authentication code has been refactored for better
- testability and reliability. It now uses code generated with the
- "trunnel" binary encoding generator, to reduce the risk of bugs
- due to programmer error. Done as part of ticket 12498.
- - Treat the loss of an owning controller as equivalent to a SIGTERM
- signal. This removes a tiny amount of duplicated code, and
- simplifies our callgraph. Closes ticket 16788.
- - Use our own Base64 encoder instead of OpenSSL's, to allow more
- control over the output. Part of ticket 15652.
- - When generating an event to send to the controller, we no longer
- put the event over the network immediately. Instead, we queue
- these events, and use a Libevent callback to deliver them. This
- change simplifies Tor's callgraph by reducing the number of
- functions from which all other Tor functions are reachable. Closes
- ticket 16695.
- - Wrap Windows-only C files inside '#ifdef _WIN32' so that tools
- that try to scan or compile every file on Unix won't decide that
- they are broken.
- o Documentation:
- - Fix capitalization of SOCKS in sample torrc. Closes ticket 15609.
- - Improve the descriptions of statistics-related torrc options in
- the manpage to describe rationale and possible uses cases. Fixes
- issue 15550.
- - Improve the layout and formatting of ./configure --help messages.
- Closes ticket 15024. Patch from "cypherpunks".
- - Include a specific and (hopefully) accurate documentation of the
- torrc file's meta-format in doc/torrc_format.txt. This is mainly
- of interest to people writing programs to parse or generate torrc
- files. This document is not a commitment to long-term
- compatibility; some aspects of the current format are a bit
- ridiculous. Closes ticket 2325.
- - Include the TUNING document in our source tarball. It is referred
- to in the ChangeLog and an error message. Fixes bug 16929; bugfix
- on 0.2.6.1-alpha.
- - Note that HiddenServicePorts can take a unix domain socket. Closes
- ticket 17364.
- - Recommend a 40 GB example AccountingMax in torrc.sample rather
- than a 4 GB max. Closes ticket 16742.
- - Standardize on the term "server descriptor" in the manual page.
- Previously, we had used "router descriptor", "server descriptor",
- and "relay descriptor" interchangeably. Part of ticket 14987.
- - Advise users on how to configure separate IPv4 and IPv6 exit
- policies in the manpage and sample torrcs. Related to ticket 16069.
- - Fix an error in the manual page and comments for
- TestingDirAuthVoteHSDir[IsStrict], which suggested that a HSDir
- required "ORPort connectivity". While this is true, it is in no
- way unique to the HSDir flag. Of all the flags, only HSDirs need a
- DirPort configured in order for the authorities to assign that
- particular flag. Patch by "teor". Fixed as part of 14882; bugfix
- on 0.2.6.3-alpha.
- - Fix the usage message of tor-resolve(1) so that it no longer lists
- the removed -F option. Fixes bug 16913; bugfix on 0.2.2.28-beta.
- o Removed code:
- - Remove `USE_OPENSSL_BASE64` and the corresponding fallback code
- and always use the internal Base64 decoder. The internal decoder
- has been part of tor since 0.2.0.10-alpha, and no one should
- be using the OpenSSL one. Part of ticket 15652.
- - Remove the 'tor_strclear()' function; use memwipe() instead.
- Closes ticket 14922.
- - Remove the code that would try to aggressively flush controller
- connections while writing to them. This code was introduced in
- 0.1.2.7-alpha, in order to keep output buffers from exceeding
- their limits. But there is no longer a maximum output buffer size,
- and flushing data in this way caused some undesirable recursions
- in our call graph. Closes ticket 16480.
- - The internal pure-C tor-fw-helper tool is now removed from the Tor
- distribution, in favor of the pure-Go clone available from
- https:
- used by the C tor-fw-helper are not, in our opinion, very
- confidence- inspiring in their secure-programming techniques.
- Closes ticket 13338.
- o Removed features:
- - Remove the (seldom-used) DynamicDHGroups feature. For anti-
- fingerprinting we now recommend pluggable transports; for forward-
- secrecy in TLS, we now use the P-256 group. Closes ticket 13736.
- - Remove the HidServDirectoryV2 option. Now all relays offer to
- store hidden service descriptors. Related to 16543.
- - Remove the VoteOnHidServDirectoriesV2 option, since all
- authorities have long set it to 1. Closes ticket 16543.
- - Remove the undocumented "--digests" command-line option. It
- complicated our build process, caused subtle build issues on
- multiple platforms, and is now redundant since we started
- including git version identifiers. Closes ticket 14742.
- - Tor no longer contains checks for ancient directory cache versions
- that didn't know about microdescriptors.
- - Tor no longer contains workarounds for stat files generated by
- super-old versions of Tor that didn't choose guards sensibly.
- o Testing:
- - The test-network.sh script now supports performance testing.
- Requires corresponding chutney performance testing changes. Patch
- by "teor". Closes ticket 14175.
- - Add a new set of callgraph analysis scripts that use clang to
- produce a list of which Tor functions are reachable from which
- other Tor functions. We're planning to use these to help simplify
- our code structure by identifying illogical dependencies.
- - Add new 'test-full' and 'test-full-online' targets to run all
- tests, including integration tests with stem and chutney.
- - Autodetect CHUTNEY_PATH if the chutney and Tor sources are side-
- by-side in the same parent directory. Closes ticket 16903. Patch
- by "teor".
- - Document use of coverity, clang static analyzer, and clang dynamic
- undefined behavior and address sanitizers in doc/HACKING. Include
- detailed usage instructions in the blacklist. Patch by "teor".
- Closes ticket 15817.
- - Make "bridges+hs" the default test network. This tests almost all
- tor functionality during make test-network, while allowing tests
- to succeed on non-IPv6 systems. Requires chutney commit 396da92 in
- test-network-bridges-hs. Closes tickets 16945 (tor) and 16946
- (chutney). Patches by "teor".
- - Make the test-workqueue test work on Windows by initializing the
- network before we begin.
- - New make target (make test-network-all) to run multiple applicable
- chutney test cases. Patch from Teor; closes 16953.
- - Now that OpenSSL has its own scrypt implementation, add an unit
- test that checks for interoperability between libscrypt_scrypt()
- and OpenSSL's EVP_PBE_scrypt() so that we could not use libscrypt
- and rely on EVP_PBE_scrypt() whenever possible. Resolves
- ticket 16189.
- - The link authentication protocol code now has extensive tests.
- - The relay descriptor signature testing code now has
- extensive tests.
- - The test_workqueue program now runs faster, and is enabled by
- default as a part of "make check".
- - Unit test dns_resolve(), dns_clip_ttl() and dns_get_expiry_ttl()
- functions in dns.c. Implements a portion of ticket 16831.
- - Use environment variables rather than autoconf substitutions to
- send variables from the build system to the test scripts. This
- change should be easier to maintain, and cause 'make distcheck' to
- work better than before. Fixes bug 17148.
- - When building Tor with testing coverage enabled, run Chutney tests
- (if any) using the 'tor-cov' coverage binary.
- - When running test-network or test-stem, check for the absence of
- stem/chutney before doing any build operations.
- - Add a test to verify that the compiler does not eliminate our
- memwipe() implementation. Closes ticket 15377.
- - Add make rule `check-changes` to verify the format of changes
- files. Closes ticket 15180.
- - Add unit tests for control_event_is_interesting(). Add a compile-
- time check that the number of events doesn't exceed the capacity
- of control_event_t.event_mask. Closes ticket 15431, checks for
- bugs similar to 13085. Patch by "teor".
- - Command-line argument tests moved to Stem. Resolves ticket 14806.
- - Integrate the ntor, backtrace, and zero-length keys tests into the
- automake test suite. Closes ticket 15344.
- - Remove assertions during builds to determine Tor's test coverage.
- We don't want to trigger these even in assertions, so including
- them artificially makes our branch coverage look worse than it is.
- This patch provides the new test-stem-full and coverage-html-full
- configure options. Implements ticket 15400.
- - New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags to
- explicitly manage consensus flags in testing networks. Patch by
- "robgjansen", modified by "teor". Implements part of ticket 14882.
- - Check for matching value in server response in ntor_ref.py. Fixes
- bug 15591; bugfix on 0.2.4.8-alpha. Reported and fixed
- by "joelanders".
- - Set the severity correctly when testing
- get_interface_addresses_ifaddrs() and
- get_interface_addresses_win32(), so that the tests fail gracefully
- instead of triggering an assertion. Fixes bug 15759; bugfix on
- 0.2.6.3-alpha. Reported by Nicolas Derive.
- Changes in version 0.2.6.10 - 2015-07-12
- Tor version 0.2.6.10 fixes some significant stability and hidden
- service client bugs, bulletproofs the cryptography init process, and
- fixes a bug when using the sandbox code with some older versions of
- Linux. Everyone running an older version, especially an older version
- of 0.2.6, should upgrade.
- o Major bugfixes (hidden service clients, stability):
- - Stop refusing to store updated hidden service descriptors on a
- client. This reverts commit 9407040c59218 (which indeed fixed bug
- 14219, but introduced a major hidden service reachability
- regression detailed in bug 16381). This is a temporary fix since
- we can live with the minor issue in bug 14219 (it just results in
- some load on the network) but the regression of 16381 is too much
- of a setback. First-round fix for bug 16381; bugfix
- on 0.2.6.3-alpha.
- o Major bugfixes (stability):
- - Stop crashing with an assertion failure when parsing certain kinds
- of malformed or truncated microdescriptors. Fixes bug 16400;
- bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch
- by "cypherpunks_backup".
- - Stop random client-side assertion failures that could occur when
- connecting to a busy hidden service, or connecting to a hidden
- service while a NEWNYM is in progress. Fixes bug 16013; bugfix
- on 0.1.0.1-rc.
- o Minor features (geoip):
- - Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
- - Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
- o Minor bugfixes (crypto error-handling):
- - Check for failures from crypto_early_init, and refuse to continue.
- A previous typo meant that we could keep going with an
- uninitialized crypto library, and would have OpenSSL initialize
- its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
- when implementing ticket 4900. Patch by "teor".
- o Minor bugfixes (Linux seccomp2 sandbox):
- - Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
- these when eventfd2() support is missing. Fixes bug 16363; bugfix
- on 0.2.6.3-alpha. Patch from "teor".
- Changes in version 0.2.6.9 - 2015-06-11
- Tor 0.2.6.9 fixes a regression in the circuit isolation code, increases the
- requirements for receiving an HSDir flag, and addresses some other small
- bugs in the systemd and sandbox code. Clients using circuit isolation
- should upgrade; all directory authorities should upgrade.
- o Major bugfixes (client-side privacy):
- - Properly separate out each SOCKSPort when applying stream
- isolation. The error occurred because each port's session group was
- being overwritten by a default value when the listener connection
- was initialized. Fixes bug 16247; bugfix on 0.2.6.3-alpha. Patch
- by "jojelino".
- o Minor feature (directory authorities, security):
- - The HSDir flag given by authorities now requires the Stable flag.
- For the current network, this results in going from 2887 to 2806
- HSDirs. Also, it makes it harder for an attacker to launch a sybil
- attack by raising the effort for a relay to become Stable which
- takes at the very least 7 days to do so and by keeping the 96
- hours uptime requirement for HSDir. Implements ticket 8243.
- o Minor bugfixes (compilation):
- - Build with --enable-systemd correctly when libsystemd is
- installed, but systemd is not. Fixes bug 16164; bugfix on
- 0.2.6.3-alpha. Patch from Peter Palfrader.
- o Minor bugfixes (Linux seccomp2 sandbox):
- - Fix sandboxing to work when running as a relaymby renaming of
- secret_id_key, and allowing the eventfd2 and futex syscalls. Fixes
- bug 16244; bugfix on 0.2.6.1-alpha. Patch by Peter Palfrader.
- - Allow systemd connections to work with the Linux seccomp2 sandbox
- code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
- Peter Palfrader.
- o Minor bugfixes (tests):
- - Fix a crash in the unit tests when built with MSVC2013. Fixes bug
- 16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
- Changes in version 0.2.6.8 - 2015-05-21
- Tor 0.2.6.8 fixes a bit of dodgy code in parsing INTRODUCE2 cells, and
- fixes an authority-side bug in assigning the HSDir flag. All directory
- authorities should upgrade.
- o Major bugfixes (hidden services, backport from 0.2.7.1-alpha):
- - Revert commit that made directory authorities assign the HSDir
- flag to relay without a DirPort; this was bad because such relays
- can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
- on 0.2.6.3-alpha.
- o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
- - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
- a client authorized hidden service. Fixes bug 15823; bugfix
- on 0.2.1.6-alpha.
- o Minor features (geoip):
- - Update geoip to the April 8 2015 Maxmind GeoLite2 Country database.
- - Update geoip6 to the April 8 2015 Maxmind GeoLite2
- Country database.
- Changes in version 0.2.6.7 - 2015-04-06
- Tor 0.2.6.7 fixes two security issues that could be used by an
- attacker to crash hidden services, or crash clients visiting hidden
- services. Hidden services should upgrade as soon as possible; clients
- should upgrade whenever packages become available.
- This release also contains two simple improvements to make hidden
- services a bit less vulnerable to denial-of-service attacks.
- o Major bugfixes (security, hidden service):
- - Fix an issue that would allow a malicious client to trigger an
- assertion failure and halt a hidden service. Fixes bug 15600;
- bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
- - Fix a bug that could cause a client to crash with an assertion
- failure when parsing a malformed hidden service descriptor. Fixes
- bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
- o Minor features (DoS-resistance, hidden service):
- - Introduction points no longer allow multiple INTRODUCE1 cells to
- arrive on the same circuit. This should make it more expensive for
- attackers to overwhelm hidden services with introductions.
- Resolves ticket 15515.
- - Decrease the amount of reattempts that a hidden service performs
- when its rendezvous circuits fail. This reduces the computational
- cost for running a hidden service under heavy load. Resolves
- ticket 11447.
- Changes in version 0.2.5.12 - 2015-04-06
- Tor 0.2.5.12 backports two fixes from 0.2.6.7 for security issues that
- could be used by an attacker to crash hidden services, or crash clients
- visiting hidden services. Hidden services should upgrade as soon as
- possible; clients should upgrade whenever packages become available.
- This release also backports a simple improvement to make hidden
- services a bit less vulnerable to denial-of-service attacks.
- o Major bugfixes (security, hidden service):
- - Fix an issue that would allow a malicious client to trigger an
- assertion failure and halt a hidden service. Fixes bug 15600;
- bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
- - Fix a bug that could cause a client to crash with an assertion
- failure when parsing a malformed hidden service descriptor. Fixes
- bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
- o Minor features (DoS-resistance, hidden service):
- - Introduction points no longer allow multiple INTRODUCE1 cells to
- arrive on the same circuit. This should make it more expensive for
- attackers to overwhelm hidden services with introductions.
- Resolves ticket 15515.
- Changes in version 0.2.4.27 - 2015-04-06
- Tor 0.2.4.27 backports two fixes from 0.2.6.7 for security issues that
- could be used by an attacker to crash hidden services, or crash clients
- visiting hidden services. Hidden services should upgrade as soon as
- possible; clients should upgrade whenever packages become available.
- This release also backports a simple improvement to make hidden
- services a bit less vulnerable to denial-of-service attacks.
- o Major bugfixes (security, hidden service):
- - Fix an issue that would allow a malicious client to trigger an
- assertion failure and halt a hidden service. Fixes bug 15600;
- bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
- - Fix a bug that could cause a client to crash with an assertion
- failure when parsing a malformed hidden service descriptor. Fixes
- bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
- o Minor features (DoS-resistance, hidden service):
- - Introduction points no longer allow multiple INTRODUCE1 cells to
- arrive on the same circuit. This should make it more expensive for
- attackers to overwhelm hidden services with introductions.
- Resolves ticket 15515.
- Changes in version 0.2.6.6 - 2015-03-24
- Tor 0.2.6.6 is the first stable release in the 0.2.6 series.
- It adds numerous safety, security, correctness, and performance
- improvements. Client programs can be configured to use more kinds of
- sockets, AutomapHosts works better, the multithreading backend is
- improved, cell transmission is refactored, test coverage is much
- higher, more denial-of-service attacks are handled, guard selection is
- improved to handle long-term guards better, pluggable transports
- should work a bit better, and some annoying hidden service performance
- bugs should be addressed.
- o New compiler and system requirements:
- - Tor 0.2.6.x requires that your compiler support more of the C99
- language standard than before. The 'configure' script now detects
- whether your compiler supports C99 mid-block declarations and
- designated initializers. If it does not, Tor will not compile.
- We may revisit this requirement if it turns out that a significant
- number of people need to build Tor with compilers that don't
- bother implementing a 15-year-old standard. Closes ticket 13233.
- - Tor no longer supports systems without threading support. When we
- began working on Tor, there were several systems that didn't have
- threads, or where the thread support wasn't able to run the
- threads of a single process on multiple CPUs. That no longer
- holds: every system where Tor needs to run well now has threading
- support. Resolves ticket 12439.
- o Deprecated versions and removed support:
- - Tor relays older than 0.2.4.18-rc are no longer allowed to
- advertise themselves on the network. Closes ticket 13555.
- - Tor clients no longer support connecting to hidden services
- running on Tor 0.2.2.x and earlier; the Support022HiddenServices
- option has been removed. (There shouldn't be any hidden services
- running these versions on the network.) Closes ticket 7803.
- o Directory authority changes:
- - The directory authority Faravahar has a new IP address. This
- closes ticket 14487.
- - Remove turtles as a directory authority.
- - Add longclaw as a new (v3) directory authority. This implements
- ticket 13296. This keeps the directory authority count at 9.
- o Major features (bridges):
- - Expose the outgoing upstream HTTP/SOCKS proxy to pluggable
- transports if they are configured via the "TOR_PT_PROXY"
- environment variable. Implements proposal 232. Resolves
- ticket 8402.
- o Major features (changed defaults):
- - Prevent relay operators from unintentionally running exits: When a
- relay is configured as an exit node, we now warn the user unless
- the "ExitRelay" option is set to 1. We warn even more loudly if
- the relay is configured with the default exit policy, since this
- can indicate accidental misconfiguration. Setting "ExitRelay 0"
- stops Tor from running as an exit relay. Closes ticket 10067.
- o Major features (client performance, hidden services):
- - Allow clients to use optimistic data when connecting to a hidden
- service, which should remove a round-trip from hidden service
- initialization. See proposal 181 for details. Implements
- ticket 13211.
- o Major features (directory system):
- - Upon receiving an unparseable directory object, if its digest
- matches what we expected, then don't try to download it again.
- Previously, when we got a descriptor we didn't like, we would keep
- trying to download it over and over. Closes ticket 11243.
- - When downloading server- or microdescriptors from a directory
- server, we no longer launch multiple simultaneous requests to the
- same server. This reduces load on the directory servers,
- especially when directory guards are in use. Closes ticket 9969.
- - When downloading server- or microdescriptors over a tunneled
- connection, do not limit the length of our requests to what the
- Squid proxy is willing to handle. Part of ticket 9969.
- - Authorities can now vote on the correct digests and latest
- versions for different software packages. This allows packages
- that include Tor to use the Tor authority system as a way to get
- notified of updates and their correct digests. Implements proposal
- 227. Closes ticket 10395.
- o Major features (guards):
- - Introduce the Guardfraction feature to improves load balancing on
- guard nodes. Specifically, it aims to reduce the traffic gap that
- guard nodes experience when they first get the Guard flag. This is
- a required step if we want to increase the guard lifetime to 9
- months or greater. Closes ticket 9321.
- o Major features (hidden services):
- - Make HS port scanning more difficult by immediately closing the
- circuit when a user attempts to connect to a nonexistent port.
- Closes ticket 13667.
- - Add a HiddenServiceStatistics option that allows Tor relays to
- gather and publish statistics about the overall size and volume of
- hidden service usage. Specifically, when this option is turned on,
- an HSDir will publish an approximate number of hidden services
- that have published descriptors to it the past 24 hours. Also, if
- a relay has acted as a hidden service rendezvous point, it will
- publish the approximate amount of rendezvous cells it has relayed
- the past 24 hours. The statistics themselves are obfuscated so
- that the exact values cannot be derived. For more details see
- proposal 238, "Better hidden service stats from Tor relays". This
- feature is currently disabled by default. Implements feature 13192.
- o Major features (performance):
- - Make the CPU worker implementation more efficient by avoiding the
- kernel and lengthening pipelines. The original implementation used
- sockets to transfer data from the main thread to the workers, and
- didn't allow any thread to be assigned more than a single piece of
- work at once. The new implementation avoids communications
- overhead by making requests in shared memory, avoiding kernel IO
- where possible, and keeping more requests in flight at once.
- Implements ticket 9682.
- o Major features (relay):
- - Raise the minimum acceptable configured bandwidth rate for bridges
- to 50 KiB/sec and for relays to 75 KiB/sec. (The old values were
- 20 KiB/sec.) Closes ticket 13822.
- - Complete revision of the code that relays use to decide which cell
- to send next. Formerly, we selected the best circuit to write on
- each channel, but we didn't select among channels in any
- sophisticated way. Now, we choose the best circuits globally from
- among those whose channels are ready to deliver traffic.
- This patch implements a new inter-cmux comparison API, a global
- high/low watermark mechanism and a global scheduler loop for
- transmission prioritization across all channels as well as among
- circuits on one channel. This schedule is currently tuned to
- (tolerantly) avoid making changes in network performance, but it
- should form the basis for major circuit performance increases in
- the future. Code by Andrea; tuning by Rob Jansen; implements
- ticket 9262.
- o Major features (sample torrc):
- - Add a new, infrequently-changed "torrc.minimal". This file is
- similar to torrc.sample, but it will change as infrequently as
- possible, for the benefit of users whose systems prompt them for
- intervention whenever a default configuration file is changed.
- Making this change allows us to update torrc.sample to be a more
- generally useful "sample torrc".
- o Major features (security, unix domain sockets):
- - Allow SocksPort to be an AF_UNIX Unix Domain Socket. Now high risk
- applications can reach Tor without having to create AF_INET or
- AF_INET6 sockets, meaning they can completely disable their
- ability to make non-Tor network connections. To create a socket of
- this type, use "SocksPort unix:/path/to/socket". Implements
- ticket 12585.
- - Support mapping hidden service virtual ports to AF_UNIX sockets.
- The syntax is "HiddenServicePort 80 unix:/path/to/socket".
- Implements ticket 11485.
- o Major bugfixes (client, automap):
- - Repair automapping with IPv6 addresses. This automapping should
- have worked previously, but one piece of debugging code that we
- inserted to detect a regression actually caused the regression to
- manifest itself again. Fixes bug 13811 and bug 12831; bugfix on
- 0.2.4.7-alpha. Diagnosed and fixed by Francisco Blas
- Izquierdo Riera.
- o Major bugfixes (crash, OSX, security):
- - Fix a remote denial-of-service opportunity caused by a bug in
- OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared
- in OSX 10.9.
- o Major bugfixes (directory authorities):
- - Do not assign the HSDir flag to relays if they are not Valid, or
- currently hibernating. Fixes 12573; bugfix on 0.2.0.10-alpha.
- o Major bugfixes (directory bandwidth performance):
- - Don't flush the zlib buffer aggressively when compressing
- directory information for clients. This should save about 7% of
- the bandwidth currently used for compressed descriptors and
- microdescriptors. Fixes bug 11787; bugfix on 0.1.1.23.
- o Major bugfixes (exit node stability):
- - Fix an assertion failure that could occur under high DNS load.
- Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
- diagnosed and fixed by "cypherpunks".
- o Major bugfixes (FreeBSD IPFW transparent proxy):
- - Fix address detection with FreeBSD transparent proxies, when
- "TransProxyType ipfw" is in use. Fixes bug 15064; bugfix
- on 0.2.5.4-alpha.
- o Major bugfixes (hidden services):
- - When closing an introduction circuit that was opened in parallel
- with others, don't mark the introduction point as unreachable.
- Previously, the first successful connection to an introduction
- point would make the other introduction points get marked as
- having timed out. Fixes bug 13698; bugfix on 0.0.6rc2.
- o Major bugfixes (Linux seccomp2 sandbox):
- - Upon receiving sighup with the seccomp2 sandbox enabled, do not
- crash during attempts to call wait4. Fixes bug 15088; bugfix on
- 0.2.5.1-alpha. Patch from "sanic".
- o Major bugfixes (mixed relay-client operation):
- - When running as a relay and client at the same time (not
- recommended), if we decide not to use a new guard because we want
- to retry older guards, only close the locally-originating circuits
- passing through that guard. Previously we would close all the
- circuits through that guard. Fixes bug 9819; bugfix on
- 0.2.1.1-alpha. Reported by "skruffy".
- o Major bugfixes (pluggable transports):
- - Initialize the extended OR Port authentication cookie before
- launching pluggable transports. This prevents a race condition
- that occured when server-side pluggable transports would cache the
- authentication cookie before it has been (re)generated. Fixes bug
- 15240; bugfix on 0.2.5.1-alpha.
- o Major bugfixes (relay, stability, possible security):
- - Fix a bug that could lead to a relay crashing with an assertion
- failure if a buffer of exactly the wrong layout is passed to
- buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
- 0.2.0.10-alpha. Patch from "cypherpunks".
- - Do not assert if the 'data' pointer on a buffer is advanced to the
- very end of the buffer; log a BUG message instead. Only assert if
- it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
- o Minor features (build):
- - New --disable-system-torrc compile-time option to prevent Tor from
- looking for the system-wide torrc or torrc-defaults files.
- Resolves ticket 13037.
- o Minor features (client):
- - Clients are now willing to send optimistic data (before they
- receive a 'connected' cell) to relays of any version. (Relays
- without support for optimistic data are no longer supported on the
- Tor network.) Resolves ticket 13153.
- o Minor features (client):
- - Validate hostnames in SOCKS5 requests more strictly. If SafeSocks
- is enabled, reject requests with IP addresses as hostnames.
- Resolves ticket 13315.
- o Minor features (controller):
- - Add a "SIGNAL HEARTBEAT" controller command that tells Tor to
- write an unscheduled heartbeat message to the log. Implements
- feature 9503.
- - Include SOCKS_USERNAME and SOCKS_PASSWORD values in controller
- events so controllers can observe circuit isolation inputs. Closes
- ticket 8405.
- - ControlPort now supports the unix:/path/to/socket syntax as an
- alternative to the ControlSocket option, for consistency with
- SocksPort and HiddenServicePort. Closes ticket 14451.
- - New "GETINFO bw-event-cache" to get information about recent
- bandwidth events. Closes ticket 14128. Useful for controllers to
- get recent bandwidth history after the fix for ticket 13988.
- - Messages about problems in the bootstrap process now include
- information about the server we were trying to connect to when we
- noticed the problem. Closes ticket 15006.
- o Minor features (Denial of service resistance):
- - Count the total number of bytes used storing hidden service
- descriptors against the value of MaxMemInQueues. If we're low on
- memory, and more than 20% of our memory is used holding hidden
- service descriptors, free them until no more than 10% of our
- memory holds hidden service descriptors. Free the least recently
- fetched descriptors first. Resolves ticket 13806.
- - When we have recently been under memory pressure (over 3/4 of
- MaxMemInQueues is allocated), then allocate smaller zlib objects
- for small requests. Closes ticket 11791.
- o Minor features (directory authorities):
- - Don't list relays with a bandwidth estimate of 0 in the consensus.
- Implements a feature proposed during discussion of bug 13000.
- - In tor-gencert, report an error if the user provides the same
- argument more than once.
- - If a directory authority can't find a best consensus method in the
- votes that it holds, it now falls back to its favorite consensus
- method. Previously, it fell back to method 1. Neither of these is
- likely to get enough signatures, but "fall back to favorite"
- doesn't require us to maintain support an obsolete consensus
- method. Implements part of proposal 215.
- o Minor features (geoip):
- - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
- - Update geoip6 to the March 3 2015 Maxmind GeoLite2
- Country database.
- o Minor features (guard nodes):
- - Reduce the time delay before saving guard status to disk from 10
- minutes to 30 seconds (or from one hour to 10 minutes if
- AvoidDiskWrites is set). Closes ticket 12485.
- o Minor features (heartbeat):
- - On relays, report how many connections we negotiated using each
- version of the Tor link protocols. This information will let us
- know if removing support for very old versions of the Tor
- protocols is harming the network. Closes ticket 15212.
- o Minor features (hidden service):
- - Make Sybil attacks against hidden services harder by changing the
- minimum time required to get the HSDir flag from 25 hours up to 96
- hours. Addresses ticket 14149.
- - New option "HiddenServiceAllowUnknownPorts" to allow hidden
- services to disable the anti-scanning feature introduced in
- 0.2.6.2-alpha. With this option not set, a connection to an
- unlisted port closes the circuit. With this option set, only a
- RELAY_DONE cell is sent. Closes ticket 14084.
- - When re-enabling the network, don't try to build introduction
- circuits until we have successfully built a circuit. This makes
- hidden services come up faster when the network is re-enabled.
- Patch from "akwizgran". Closes ticket 13447.
- - When we fail to retrieve a hidden service descriptor, send the
- controller an "HS_DESC FAILED" controller event. Implements
- feature 13212.
- - New HiddenServiceDirGroupReadable option to cause hidden service
- directories and hostname files to be created group-readable. Patch
- from "anon", David Stainton, and "meejah". Closes ticket 11291.
- o Minor features (interface):
- - Implement "-f -" command-line option to read torrc configuration
- from standard input, if you don't want to store the torrc file in
- the file system. Implements feature 13865.
- o Minor features (logging):
- - Add a count of unique clients to the bridge heartbeat message.
- Resolves ticket 6852.
- - Suppress "router info incompatible with extra info" message when
- reading extrainfo documents from cache. (This message got loud
- around when we closed bug 9812 in 0.2.6.2-alpha.) Closes
- ticket 13762.
- - Elevate hidden service authorized-client message from DEBUG to
- INFO. Closes ticket 14015.
- - On Unix-like systems, you can now use named pipes as the target of
- the Log option, and other options that try to append to files.
- Closes ticket 12061. Patch from "carlo von lynX".
- - When opening a log file at startup, send it every log message that
- we generated between startup and opening it. Previously, log
- messages that were generated before opening the log file were only
- logged to stdout. Closes ticket 6938.
- - Add a TruncateLogFile option to overwrite logs instead of
- appending to them. Closes ticket 5583.
- - Quiet some log messages in the heartbeat and at startup. Closes
- ticket 14950.
- o Minor features (portability, Solaris):
- - Threads are no longer disabled by default on Solaris; we believe
- that the versions of Solaris with broken threading support are all
- obsolete by now. Resolves ticket 9495.
- o Minor features (relay):
- - Re-check our address after we detect a changed IP address from
- getsockname(). This ensures that the controller command "GETINFO
- address" will report the correct value. Resolves ticket 11582.
- Patch from "ra".
- - A new AccountingRule option lets Relays set whether they'd like
- AccountingMax to be applied separately to inbound and outbound
- traffic, or applied to the sum of inbound and outbound traffic.
- Resolves ticket 961. Patch by "chobe".
- - When identity keypair is generated for first time, log a
- congratulatory message that links to the new relay lifecycle
- document. Implements feature 10427.
- o Minor features (security, memory wiping):
- - Ensure we securely wipe keys from memory after
- crypto_digest_get_digest and init_curve25519_keypair_from_file
- have finished using them. Resolves ticket 13477.
- o Minor features (security, out-of-memory handling):
- - When handling an out-of-memory condition, allocate less memory for
- temporary data structures. Fixes issue 10115.
- - When handling an out-of-memory condition, consider more types of
- buffers, including those on directory connections, and zlib
- buffers. Resolves ticket 11792.
- o Minor features (stability):
- - Add assertions in our hash-table iteration code to check for
- corrupted values that could cause infinite loops. Closes
- ticket 11737.
- o Minor features (systemd):
- - Various improvements and modernizations in systemd hardening
- support. Closes ticket 13805. Patch from Craig Andrews.
- - Where supported, when running with systemd, report successful
- startup to systemd. Part of ticket 11016. Patch by Michael Scherer.
- - When running with systemd, support systemd watchdog messages. Part
- of ticket 11016. Patch by Michael Scherer.
- o Minor features (testing networks):
- - Add the TestingDirAuthVoteExit option, which lists nodes to assign
- the "Exit" flag regardless of their uptime, bandwidth, or exit
- policy. TestingTorNetwork must be set for this option to have any
- effect. Previously, authorities would take up to 35 minutes to
- give nodes the Exit flag in a test network. Partially implements
- ticket 13161.
- - Drop the minimum RendPostPeriod on a testing network to 5 seconds,
- and the default on a testing network to 2 minutes. Drop the
- MIN_REND_INITIAL_POST_DELAY on a testing network to 5 seconds, but
- keep the default on a testing network at 30 seconds. This reduces
- HS bootstrap time to around 25 seconds. Also, change the default
- time in test-network.sh to match. Closes ticket 13401. Patch
- by "teor".
- - Create TestingDirAuthVoteHSDir to correspond to
- TestingDirAuthVoteExit/Guard. Ensures that authorities vote the
- HSDir flag for the listed relays regardless of uptime or ORPort
- connectivity. Respects the value of VoteOnHidServDirectoriesV2.
- Partial implementation for ticket 14067. Patch by "teor".
- o Minor features (tor2web mode):
- - Introduce the config option Tor2webRendezvousPoints, which allows
- clients in Tor2webMode to select a specific Rendezvous Point to be
- used in HS circuits. This might allow better performance for
- Tor2Web nodes. Implements ticket 12844.
- o Minor features (transparent proxy):
- - Update the transparent proxy option checks to allow for both ipfw
- and pf on OS X. Closes ticket 14002.
- - Use the correct option when using IPv6 with transparent proxy
- support on Linux. Resolves 13808. Patch by Francisco Blas
- Izquierdo Riera.
- o Minor features (validation):
- - Check all date/time values passed to tor_timegm and
- parse_rfc1123_time for validity, taking leap years into account.
- Improves HTTP header validation. Implemented with bug 13476.
- - In correct_tm(), limit the range of values returned by system
- localtime(_r) and gmtime(_r) to be between the years 1 and 8099.
- This means we don't have to deal with negative or too large dates,
- even if a clock is wrong. Otherwise we might fail to read a file
- written by us which includes such a date. Fixes bug 13476.
- - Stop allowing invalid address patterns like "*/24" that contain
- both a wildcard address and a bit prefix length. This affects all
- our address-range parsing code. Fixes bug 7484; bugfix
- on 0.0.2pre14.
- o Minor bugfixes (bridge clients):
- - When configured to use a bridge without an identity digest (not
- recommended), avoid launching an extra channel to it when
- bootstrapping. Fixes bug 7733; bugfix on 0.2.4.4-alpha.
- o Minor bugfixes (bridges):
- - When DisableNetwork is set, do not launch pluggable transport
- plugins, and if any are running, terminate them. Fixes bug 13213;
- bugfix on 0.2.3.6-alpha.
- o Minor bugfixes (C correctness):
- - Fix several instances of possible integer overflow/underflow/NaN.
- Fixes bug 13104; bugfix on 0.2.3.1-alpha and later. Patches
- from "teor".
- - In circuit_build_times_calculate_timeout() in circuitstats.c,
- avoid dividing by zero in the pareto calculations. This traps
- under clang's "undefined-trap" sanitizer. Fixes bug 13290; bugfix
- on 0.2.2.2-alpha.
- - Fix an integer overflow in format_time_interval(). Fixes bug
- 13393; bugfix on 0.2.0.10-alpha.
- - Set the correct day of year value when the system's localtime(_r)
- or gmtime(_r) functions fail to set struct tm. Not externally
- visible. Fixes bug 13476; bugfix on 0.0.2pre14.
- - Avoid unlikely signed integer overflow in tor_timegm on systems
- with 32-bit time_t. Fixes bug 13476; bugfix on 0.0.2pre14.
- o Minor bugfixes (certificate handling):
- - If an authority operator accidentally makes a signing certificate
- with a future publication time, do not discard its real signing
- certificates. Fixes bug 11457; bugfix on 0.2.0.3-alpha.
- - Remove any old authority certificates that have been superseded
- for at least two days. Previously, we would keep superseded
- certificates until they expired, if they were published close in
- time to the certificate that superseded them. Fixes bug 11454;
- bugfix on 0.2.1.8-alpha.
- o Minor bugfixes (client):
- - Fix smartlist_choose_node_by_bandwidth() so that relays with the
- BadExit flag are not considered worthy candidates. Fixes bug
- 13066; bugfix on 0.1.2.3-alpha.
- - Use the consensus schedule for downloading consensuses, and not
- the generic schedule. Fixes bug 11679; bugfix on 0.2.2.6-alpha.
- - Handle unsupported or malformed SOCKS5 requests properly by
- responding with the appropriate error message before closing the
- connection. Fixes bugs 12971 and 13314; bugfix on 0.0.2pre13.
- o Minor bugfixes (client, automapping):
- - Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when
- no value follows the option. Fixes bug 14142; bugfix on
- 0.2.4.7-alpha. Patch by "teor".
- - Fix a memory leak when using AutomapHostsOnResolve. Fixes bug
- 14195; bugfix on 0.1.0.1-rc.
- - Prevent changes to other options from removing the wildcard value
- "." from "AutomapHostsSuffixes". Fixes bug 12509; bugfix
- on 0.2.0.1-alpha.
- - Allow MapAddress and AutomapHostsOnResolve to work together when
- an address is mapped into another address type (like .onion) that
- must be automapped at resolve time. Fixes bug 7555; bugfix
- on 0.2.0.1-alpha.
- o Minor bugfixes (client, bridges):
- - When we are using bridges and we had a network connectivity
- problem, only retry connecting to our currently configured
- bridges, not all bridges we know about and remember using. Fixes
- bug 14216; bugfix on 0.2.2.17-alpha.
- o Minor bugfixes (client, DNS):
- - Report the correct cached DNS expiration times on SOCKS port or in
- DNS replies. Previously, we would report everything as "never
- expires." Fixes bug 14193; bugfix on 0.2.3.17-beta.
- - Avoid a small memory leak when we find a cached answer for a
- reverse DNS lookup in a client-side DNS cache. (Remember, client-
- side DNS caching is off by default, and is not recommended.) Fixes
- bug 14259; bugfix on 0.2.0.1-alpha.
- o Minor bugfixes (client, IPv6):
- - Reject socks requests to literal IPv6 addresses when IPv6Traffic
- flag is not set; and not because the NoIPv4Traffic flag was set.
- Previously we'd looked at the NoIPv4Traffic flag for both types of
- literal addresses. Fixes bug 14280; bugfix on 0.2.4.7-alpha.
- o Minor bugfixes (client, microdescriptors):
- - Use a full 256 bits of the SHA256 digest of a microdescriptor when
- computing which microdescriptors to download. This keeps us from
- erroneous download behavior if two microdescriptor digests ever
- have the same first 160 bits. Fixes part of bug 13399; bugfix
- on 0.2.3.1-alpha.
- - Reset a router's status if its microdescriptor digest changes,
- even if the first 160 bits remain the same. Fixes part of bug
- 13399; bugfix on 0.2.3.1-alpha.
- o Minor bugfixes (client, torrc):
- - Stop modifying the value of our DirReqStatistics torrc option just
- because we're not a bridge or relay. This bug was causing Tor
- Browser users to write "DirReqStatistics 0" in their torrc files
- as if they had chosen to change the config. Fixes bug 4244; bugfix
- on 0.2.3.1-alpha.
- - When GeoIPExcludeUnknown is enabled, do not incorrectly decide
- that our options have changed every time we SIGHUP. Fixes bug
- 9801; bugfix on 0.2.4.10-alpha. Patch from "qwerty1".
- o Minor bugfixes (compilation):
- - Fix a compilation warning on s390. Fixes bug 14988; bugfix
- on 0.2.5.2-alpha.
- - Silence clang warnings under --enable-expensive-hardening,
- including implicit truncation of 64 bit values to 32 bit, const
- char assignment to self, tautological compare, and additional
- parentheses around equality tests. Fixes bug 13577; bugfix
- on 0.2.5.4-alpha.
- - Fix a clang warning about checking whether an address in the
- middle of a structure is NULL. Fixes bug 14001; bugfix
- on 0.2.1.2-alpha.
- - The address of an array in the middle of a structure will always
- be non-NULL. clang recognises this and complains. Disable the
- tautologous and redundant check to silence this warning. Fixes bug
- 14001; bugfix on 0.2.1.2-alpha.
- - Compile correctly with (unreleased) OpenSSL 1.1.0 headers.
- Addresses ticket 14188.
- - Build without warnings with the stock OpenSSL srtp.h header, which
- has a duplicate declaration of SSL_get_selected_srtp_profile().
- Fixes bug 14220; this is OpenSSL's bug, not ours.
- - Do not compile any code related to Tor2Web mode when Tor2Web mode
- is not enabled at compile time. Previously, this code was included
- in a disabled state. See discussion on ticket 12844.
- - Allow our configure script to build correctly with autoconf 2.62
- again. Fixes bug 12693; bugfix on 0.2.5.2-alpha.
- - Improve the error message from ./configure to make it clear that
- when asciidoc has not been found, the user will have to either add
- --disable-asciidoc argument or install asciidoc. Resolves
- ticket 13228.
- o Minor bugfixes (controller):
- - Report "down" in response to the "GETINFO entry-guards" command
- when relays are down with an unreachable_since value. Previously,
- we would report "up". Fixes bug 14184; bugfix on 0.1.2.2-alpha.
- - Avoid crashing on a malformed EXTENDCIRCUIT command. Fixes bug
- 14116; bugfix on 0.2.2.9-alpha.
- o Minor bugfixes (controller):
- - Return an error when the second or later arguments of the
- "setevents" controller command are invalid events. Previously we
- would return success while silently skipping invalid events. Fixes
- bug 13205; bugfix on 0.2.3.2-alpha. Reported by "fpxnns".
- o Minor bugfixes (directory authority):
- - Allow directory authorities to fetch more data from one another if
- they find themselves missing lots of votes. Previously, they had
- been bumping against the 10 MB queued data limit. Fixes bug 14261;
- bugfix on 0.1.2.5-alpha.
- - Do not attempt to download extrainfo documents which we will be
- unable to validate with a matching server descriptor. Fixes bug
- 13762; bugfix on 0.2.0.1-alpha.
- - Fix a bug that was truncating AUTHDIR_NEWDESC events sent to the
- control port. Fixes bug 14953; bugfix on 0.2.0.1-alpha.
- - Enlarge the buffer to read bwauth generated files to avoid an
- issue when parsing the file in dirserv_read_measured_bandwidths().
- Fixes bug 14125; bugfix on 0.2.2.1-alpha.
- - When running as a v3 directory authority, advertise that you serve
- extra-info documents so that clients who want them can find them
- from you too. Fixes part of bug 11683; bugfix on 0.2.0.1-alpha.
- o Minor bugfixes (directory system):
- - Always believe that v3 directory authorities serve extra-info
- documents, whether they advertise "caches-extra-info" or not.
- Fixes part of bug 11683; bugfix on 0.2.0.1-alpha.
- - Check the BRIDGE_DIRINFO flag bitwise rather than using equality.
- Previously, directories offering BRIDGE_DIRINFO and some other
- flag (i.e. microdescriptors or extrainfo) would be ignored when
- looking for bridges. Partially fixes bug 13163; bugfix
- on 0.2.0.7-alpha.
- o Minor bugfixes (file handling):
- - Stop failing when key files are zero-length. Instead, generate new
- keys, and overwrite the empty key files. Fixes bug 13111; bugfix
- on all versions of Tor. Patch by "teor".
- - Stop generating a fresh .old RSA onion key file when the .old file
- is missing. Fixes part of 13111; bugfix on 0.0.6rc1.
- - Avoid overwriting .old key files with empty key files.
- - Skip loading zero-length extrainfo store, router store, stats,
- state, and key files.
- - Avoid crashing when trying to reload a torrc specified as a
- relative path with RunAsDaemon turned on. Fixes bug 13397; bugfix
- on 0.2.3.11-alpha.
- o Minor bugfixes (hidden services):
- - Close the introduction circuit when we have no more usable intro
- points, instead of waiting for it to time out. This also ensures
- that no follow-up HS descriptor fetch is triggered when the
- circuit eventually times out. Fixes bug 14224; bugfix on 0.0.6.
- - When fetching a hidden service descriptor for a down service that
- was recently up, do not keep refetching until we try the same
- replica twice in a row. Fixes bug 14219; bugfix on 0.2.0.10-alpha.
- - Correctly send a controller event when we find that a rendezvous
- circuit has finished. Fixes bug 13936; bugfix on 0.1.1.5-alpha.
- - Pre-check directory permissions for new hidden-services to avoid
- at least one case of "Bug: Acting on config options left us in a
- broken state. Dying." Fixes bug 13942; bugfix on 0.0.6pre1.
- - When fetching hidden service descriptors, we now check not only
- for whether we got the hidden service we had in mind, but also
- whether we got the particular descriptors we wanted. This prevents
- a class of inefficient but annoying DoS attacks by hidden service
- directories. Fixes bug 13214; bugfix on 0.2.1.6-alpha. Reported
- by "special".
- o Minor bugfixes (Linux seccomp2 sandbox):
- - Make transparent proxy support work along with the seccomp2
- sandbox. Fixes part of bug 13808; bugfix on 0.2.5.1-alpha. Patch
- by Francisco Blas Izquierdo Riera.
- - Fix a memory leak in tor-resolve when running with the sandbox
- enabled. Fixes bug 14050; bugfix on 0.2.5.9-rc.
- - Allow glibc fatal errors to be sent to stderr before Tor exits.
- Previously, glibc would try to write them to /dev/tty, and the
- sandbox would trap the call and make Tor exit prematurely. Fixes
- bug 14759; bugfix on 0.2.5.1-alpha.
- o Minor bugfixes (logging):
- - Avoid crashing when there are more log domains than entries in
- domain_list. Bugfix on 0.2.3.1-alpha.
- - Downgrade warnings about RSA signature failures to info log level.
- Emit a warning when an extra info document is found incompatible
- with a corresponding router descriptor. Fixes bug 9812; bugfix
- on 0.0.6rc3.
- - Make connection_ap_handshake_attach_circuit() log the circuit ID
- correctly. Fixes bug 13701; bugfix on 0.0.6.
- o Minor bugfixes (networking):
- - Check for orconns and use connection_or_close_for_error() rather
- than connection_mark_for_close() directly in the getsockopt()
- failure case of connection_handle_write_impl(). Fixes bug 11302;
- bugfix on 0.2.4.4-alpha.
- o Minor bugfixes (parsing):
- - Stop accepting milliseconds (or other junk) at the end of
- descriptor publication times. Fixes bug 9286; bugfix on 0.0.2pre25.
- - Support two-number and three-number version numbers correctly, in
- case we change the Tor versioning system in the future. Fixes bug
- 13661; bugfix on 0.0.8pre1.
- o Minor bugfixes (portability):
- - Fix the ioctl()-based network interface lookup code so that it
- will work on systems that have variable-length struct ifreq, for
- example Mac OS X.
- - Use the correct datatype in the SipHash-2-4 function to prevent
- compilers from assuming any sort of alignment. Fixes bug 15436;
- bugfix on 0.2.5.3-alpha.
- o Minor bugfixes (preventative security, C safety):
- - When reading a hexadecimal, base-32, or base-64 encoded value from
- a string, always overwrite the whole output buffer. This prevents
- some bugs where we would look at (but fortunately, not reveal)
- uninitialized memory on the stack. Fixes bug 14013; bugfix on all
- versions of Tor.
- - Clear all memory targetted by tor_addr_{to,from}_sockaddr(), not
- just the part that's used. This makes it harder for data leak bugs
- to occur in the event of other programming failures. Resolves
- ticket 14041.
- o Minor bugfixes (relay):
- - When generating our family list, remove spaces from around the
- entries. Fixes bug 12728; bugfix on 0.2.1.7-alpha.
- - If our previous bandwidth estimate was 0 bytes, allow publishing a
- new relay descriptor immediately. Fixes bug 13000; bugfix
- on 0.1.1.6-alpha.
- o Minor bugfixes (shutdown):
- - When shutting down, always call event_del() on lingering read or
- write events before freeing them. Otherwise, we risk double-frees
- or read-after-frees in event_base_free(). Fixes bug 12985; bugfix
- on 0.1.0.2-rc.
- o Minor bugfixes (small memory leaks):
- - Avoid leaking memory when using IPv6 virtual address mappings.
- Fixes bug 14123; bugfix on 0.2.4.7-alpha. Patch by Tom van
- der Woerdt.
- o Minor bugfixes (statistics):
- - Increase period over which bandwidth observations are aggregated
- from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1.
- o Minor bugfixes (systemd support):
- - Run correctly under systemd with the RunAsDaemon option set. Fixes
- part of bug 14141; bugfix on 0.2.5.7-rc. Patch from Tomasz Torcz.
- - Inform the systemd supervisor about more changes in the Tor
- process status. Implements part of ticket 14141. Patch from
- Tomasz Torcz.
- o Minor bugfixes (testing networks):
- - Fix TestingDirAuthVoteGuard to properly give out Guard flags in a
- testing network. Fixes bug 13064; bugfix on 0.2.5.2-alpha.
- - Stop using the default authorities in networks which provide both
- AlternateDirAuthority and AlternateBridgeAuthority. Partially
- fixes bug 13163; bugfix on 0.2.0.13-alpha.
- o Minor bugfixes (testing networks, fast startup):
- - Allow Tor to build circuits using a consensus with no exits. If
- the consensus has no exits (typical of a bootstrapping test
- network), allow Tor to build circuits once enough descriptors have
- been downloaded. This assists in bootstrapping a testing Tor
- network. Fixes bug 13718; bugfix on 0.2.4.10-alpha. Patch
- by "teor".
- - When V3AuthVotingInterval is low, give a lower If-Modified-Since
- header to directory servers. This allows us to obtain consensuses
- promptly when the consensus interval is very short. This assists
- in bootstrapping a testing Tor network. Fixes parts of bugs 13718
- and 13963; bugfix on 0.2.0.3-alpha. Patch by "teor".
- - Stop assuming that private addresses are local when checking
- reachability in a TestingTorNetwork. Instead, when testing, assume
- all OR connections are remote. (This is necessary due to many test
- scenarios running all relays on localhost.) This assists in
- bootstrapping a testing Tor network. Fixes bug 13924; bugfix on
- 0.1.0.1-rc. Patch by "teor".
- - Avoid building exit circuits from a consensus with no exits. Now
- thanks to our fix for 13718, we accept a no-exit network as not
- wholly lost, but we need to remember not to try to build exit
- circuits on it. Closes ticket 13814; patch by "teor".
- - Stop requiring exits to have non-zero bandwithcapacity in a
- TestingTorNetwork. Instead, when TestingMinExitFlagThreshold is 0,
- ignore exit bandwidthcapacity. This assists in bootstrapping a
- testing Tor network. Fixes parts of bugs 13718 and 13839; bugfix
- on 0.2.0.3-alpha. Patch by "teor".
- - Add "internal" to some bootstrap statuses when no exits are
- available. If the consensus does not contain Exits, Tor will only
- build internal circuits. In this case, relevant statuses will
- contain the word "internal" as indicated in the Tor control-
- spec.txt. When bootstrap completes, Tor will be ready to build
- internal circuits. If a future consensus contains Exits, exit
- circuits may become available. Fixes part of bug 13718; bugfix on
- 0.2.4.10-alpha. Patch by "teor".
- - Decrease minimum consensus interval to 10 seconds when
- TestingTorNetwork is set, or 5 seconds for the first consensus.
- Fix assumptions throughout the code that assume larger intervals.
- Fixes bugs 13718 and 13823; bugfix on 0.2.0.3-alpha. Patch
- by "teor".
- - Avoid excluding guards from path building in minimal test
- networks, when we're in a test network and excluding guards would
- exclude all relays. This typically occurs in incredibly small tor
- networks, and those using "TestingAuthVoteGuard *". Fixes part of
- bug 13718; bugfix on 0.1.1.11-alpha. Patch by "teor".
- o Minor bugfixes (testing):
- - Avoid a side-effect in a tor_assert() in the unit tests. Fixes bug
- 15188; bugfix on 0.1.2.3-alpha. Patch from Tom van der Woerdt.
- - Stop spawn test failures due to a race condition between the
- SIGCHLD handler updating the process status, and the test reading
- it. Fixes bug 13291; bugfix on 0.2.3.3-alpha.
- - Avoid passing an extra backslash when creating a temporary
- directory for running the unit tests on Windows. Fixes bug 12392;
- bugfix on 0.2.2.25-alpha. Patch from Gisle Vanem.
- o Minor bugfixes (TLS):
- - Check more thoroughly throughout the TLS code for possible
- unlogged TLS errors. Possible diagnostic or fix for bug 13319.
- o Minor bugfixes (transparent proxy):
- - Use getsockname, not getsockopt, to retrieve the address for a
- TPROXY-redirected connection. Fixes bug 13796; bugfix
- on 0.2.5.2-alpha.
- o Minor bugfixes (windows):
- - Remove code to special-case handling of NTE_BAD_KEYSET when
- acquiring windows CryptoAPI context. This error can't actually
- occur for the parameters we're providing. Fixes bug 10816; bugfix
- on 0.0.2pre26.
- o Minor bugfixes (zlib):
- - Avoid truncating a zlib stream when trying to finalize it with an
- empty output buffer. Fixes bug 11824; bugfix on 0.1.1.23.
- o Code simplification and refactoring:
- - Change the entry_is_live() function to take named bitfield
- elements instead of an unnamed list of booleans. Closes
- ticket 12202.
- - Refactor and unit-test entry_is_time_to_retry() in entrynodes.c.
- Resolves ticket 12205.
- - Use calloc and reallocarray functions instead of multiply-
- then-malloc. This makes it less likely for us to fall victim to an
- integer overflow attack when allocating. Resolves ticket 12855.
- - Use the standard macro name SIZE_MAX, instead of our
- own SIZE_T_MAX.
- - Document usage of the NO_DIRINFO and ALL_DIRINFO flags clearly in
- functions which take them as arguments. Replace 0 with NO_DIRINFO
- in a function call for clarity. Seeks to prevent future issues
- like 13163.
- - Avoid 4 null pointer errors under clang static analysis by using
- tor_assert() to prove that the pointers aren't null. Fixes
- bug 13284.
- - Rework the API of policies_parse_exit_policy() to use a bitmask to
- represent parsing options, instead of a confusing mess of
- booleans. Resolves ticket 8197.
- - Introduce a helper function to parse ExitPolicy in
- or_options_t structure.
- - Move fields related to isolating and configuring client ports into
- a shared structure. Previously, they were duplicated across
- port_cfg_t, listener_connection_t, and edge_connection_t. Failure
- to copy them correctly had been the cause of at least one bug in
- the past. Closes ticket 8546.
- - Refactor the get_interface_addresses_raw() doom-function into
- multiple smaller and simpler subfunctions. Cover the resulting
- subfunctions with unit-tests. Fixes a significant portion of
- issue 12376.
- - Remove workaround in dirserv_thinks_router_is_hs_dir() that was
- only for version <= 0.2.2.24 which is now deprecated. Closes
- ticket 14202.
- - Remove a test for a long-defunct broken version-one
- directory server.
- - Refactor main loop to extract the 'loop' part. This makes it
- easier to run Tor under Shadow. Closes ticket 15176.
- - Stop using can_complete_circuits as a global variable; access it
- with a function instead.
- - Avoid using operators directly as macro arguments: this lets us
- apply coccinelle transformations to our codebase more directly.
- Closes ticket 13172.
- - Combine the functions used to parse ClientTransportPlugin and
- ServerTransportPlugin into a single function. Closes ticket 6456.
- - Add inline functions and convenience macros for inspecting channel
- state. Refactor the code to use convenience macros instead of
- checking channel state directly. Fixes issue 7356.
- - Document all members of was_router_added_t and rename
- ROUTER_WAS_NOT_NEW to ROUTER_IS_ALREADY_KNOWN to make it less
- confusable with ROUTER_WAS_TOO_OLD. Fixes issue 13644.
- - In connection_exit_begin_conn(), use END_CIRC_REASON_TORPROTOCOL
- constant instead of hardcoded value. Fixes issue 13840.
- - Refactor our generic strmap and digestmap types into a single
- implementation, so that we can add a new digest256map
- type trivially.
- o Documentation:
- - Add a doc/TUNING document with tips for handling large numbers of
- TCP connections when running busy Tor relay. Update the warning
- message to point to this file when running out of sockets
- operating system is allowing to use simultaneously. Resolves
- ticket 9708.
- - Adding section on OpenBSD to our TUNING document. Thanks to mmcc
- for writing the OpenBSD-specific tips. Resolves ticket 13702.
- - Make the tor-resolve documentation match its help string and its
- options. Resolves part of ticket 14325.
- - Log a more useful error message from tor-resolve when failing to
- look up a hidden service address. Resolves part of ticket 14325.
- - Document the bridge-authority-only 'networkstatus-bridges' file.
- Closes ticket 13713; patch from "tom".
- - Fix typo in PredictedPortsRelevanceTime option description in
- manpage. Resolves issue 13707.
- - Stop suggesting that users specify relays by nickname: it isn't a
- good idea. Also, properly cross-reference how to specify relays in
- all parts of manual documenting options that take a list of
- relays. Closes ticket 13381.
- - Clarify the HiddenServiceDir option description in manpage to make
- it clear that relative paths are taken with respect to the current
- working directory. Also clarify that this behavior is not
- guaranteed to remain indefinitely. Fixes issue 13913.
- o Distribution (systemd):
- - systemd unit file: only allow tor to write to /var/lib/tor and
- /var/log/tor. The rest of the filesystem is accessible for reading
- only. Patch by intrigeri; resolves ticket 12751.
- - systemd unit file: ensure that the process and all its children
- can never gain new privileges. Patch by intrigeri; resolves
- ticket 12939.
- - systemd unit file: set up /var/run/tor as writable for the Tor
- service. Patch by intrigeri; resolves ticket 13196.
- o Downgraded warnings:
- - Don't warn when we've attempted to contact a relay using the wrong
- ntor onion key. Closes ticket 9635.
- o Removed code:
- - Remove some lingering dead code that once supported mempools.
- Mempools were disabled by default in 0.2.5, and removed entirely
- in 0.2.6.3-alpha. Closes more of ticket 14848; patch
- by "cypherpunks".
- o Removed features (directory authorities):
- - Remove code that prevented authorities from listing Tor relays
- affected by CVE-2011-2769 as guards. These relays are already
- rejected altogether due to the minimum version requirement of
- 0.2.3.16-alpha. Closes ticket 13152.
- - The "AuthDirRejectUnlisted" option no longer has any effect, as
- the fingerprints file (approved-routers) has been deprecated.
- - Directory authorities do not support being Naming dirauths anymore.
- The "NamingAuthoritativeDir" config option is now obsolete.
- - Directory authorities do not support giving out the BadDirectory
- flag anymore.
- - Directory authorities no longer advertise or support consensus
- methods 1 through 12 inclusive. These consensus methods were
- obsolete and/or insecure: maintaining the ability to support them
- served no good purpose. Implements part of proposal 215; closes
- ticket 10163.
- o Removed features:
- - To avoid confusion with the "ExitRelay" option, "ExitNode" is no
- longer silently accepted as an alias for "ExitNodes".
- - The --enable-mempool and --enable-buf-freelists options, which
- were originally created to work around bad malloc implementations,
- no longer exist. They were off-by-default in 0.2.5. Closes
- ticket 14848.
- - We no longer remind the user about configuration options that have
- been obsolete since 0.2.3.x or earlier. Patch by Adrien Bak.
- - Remove our old, non-weighted bandwidth-based node selection code.
- Previously, we used it as a fallback when we couldn't perform
- weighted bandwidth-based node selection. But that would only
- happen in the cases where we had no consensus, or when we had a
- consensus generated by buggy or ancient directory authorities. In
- either case, it's better to use the more modern, better maintained
- algorithm, with reasonable defaults for the weights. Closes
- ticket 13126.
- - Remove the --disable-curve25519 configure option. Relays and
- clients now are required to support curve25519 and the
- ntor handshake.
- - The old "StrictEntryNodes" and "StrictExitNodes" options, which
- used to be deprecated synonyms for "StrictNodes", are now marked
- obsolete. Resolves ticket 12226.
- - Clients don't understand the BadDirectory flag in the consensus
- anymore, and ignore it.
- o Removed platform support:
- - We no longer include special code to build on Windows CE; as far
- as we know, nobody has used Tor on Windows CE in a very long time.
- Closes ticket 11446.
- o Testing (test-network.sh):
- - Stop using "echo -n", as some shells' built-in echo doesn't
- support "-n". Instead, use "/bin/echo -n". Partially fixes
- bug 13161.
- - Stop an apparent test-network hang when used with make -j2. Fixes
- bug 13331.
- - Add a --delay option to test-network.sh, which configures the
- delay before the chutney network tests for data transmission.
- Partially implements ticket 13161.
- o Testing:
- - Test that tor does not fail when key files are zero-length. Check
- that tor generates new keys, and overwrites the empty key files.
- - Test that tor generates new keys when keys are missing
- (existing behavior).
- - Test that tor does not overwrite key files that already contain
- data (existing behavior). Tests bug 13111. Patch by "teor".
- - New "make test-stem" target to run stem integration tests.
- Requires that the "STEM_SOURCE_DIR" environment variable be set.
- Closes ticket 14107.
- - Make the test_cmdline_args.py script work correctly on Windows.
- Patch from Gisle Vanem.
- - Move the slower unit tests into a new "./src/test/test-slow"
- binary that can be run independently of the other tests. Closes
- ticket 13243.
- - New tests for many parts of channel, relay, and circuitmux
- functionality. Code by Andrea; part of 9262.
- - New tests for parse_transport_line(). Part of ticket 6456.
- - In the unit tests, use chgrp() to change the group of the unit
- test temporary directory to the current user, so that the sticky
- bit doesn't interfere with tests that check directory groups.
- Closes 13678.
- - Add unit tests for resolve_my_addr(). Part of ticket 12376; patch
- by 'rl1987'.
- - Refactor the function that chooses guard nodes so that it can more
- easily be tested; write some tests for it.
- - Fix and re-enable the fgets_eagain unit test. Fixes bug 12503;
- bugfix on 0.2.3.1-alpha. Patch from "cypherpunks."
- - Create unit tests for format_time_interval(). With bug 13393.
- - Add unit tests for tor_timegm signed overflow, tor_timegm and
- parse_rfc1123_time validity checks, correct_tm year clamping. Unit
- tests (visible) fixes in bug 13476.
- - Add a "coverage-html" make target to generate HTML-visualized
- coverage results when building with --enable-coverage. (Requires
- lcov.) Patch from Kevin Murray.
- - Enable the backtrace handler (where supported) when running the
- unit tests.
- - Revise all unit tests that used the legacy test_* macros to
- instead use the recommended tt_* macros. This patch was generated
- with coccinelle, to avoid manual errors. Closes ticket 13119.
- Changes in version 0.2.5.11 - 2015-03-17
- Tor 0.2.5.11 is the second stable release in the 0.2.5 series.
- It backports several bugfixes from the 0.2.6 branch, including a
- couple of medium-level security fixes for relays and exit nodes.
- It also updates the list of directory authorities.
- o Directory authority changes:
- - Remove turtles as a directory authority.
- - Add longclaw as a new (v3) directory authority. This implements
- ticket 13296. This keeps the directory authority count at 9.
- - The directory authority Faravahar has a new IP address. This
- closes ticket 14487.
- o Major bugfixes (crash, OSX, security):
- - Fix a remote denial-of-service opportunity caused by a bug in
- OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared
- in OSX 10.9.
- o Major bugfixes (relay, stability, possible security):
- - Fix a bug that could lead to a relay crashing with an assertion
- failure if a buffer of exactly the wrong layout was passed to
- buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
- 0.2.0.10-alpha. Patch from 'cypherpunks'.
- - Do not assert if the 'data' pointer on a buffer is advanced to the
- very end of the buffer; log a BUG message instead. Only assert if
- it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
- o Major bugfixes (exit node stability):
- - Fix an assertion failure that could occur under high DNS load.
- Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
- diagnosed and fixed by "cypherpunks".
- o Major bugfixes (Linux seccomp2 sandbox):
- - Upon receiving sighup with the seccomp2 sandbox enabled, do not
- crash during attempts to call wait4. Fixes bug 15088; bugfix on
- 0.2.5.1-alpha. Patch from "sanic".
- o Minor features (controller):
- - New "GETINFO bw-event-cache" to get information about recent
- bandwidth events. Closes ticket 14128. Useful for controllers to
- get recent bandwidth history after the fix for ticket 13988.
- o Minor features (geoip):
- - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
- - Update geoip6 to the March 3 2015 Maxmind GeoLite2
- Country database.
- o Minor bugfixes (client, automapping):
- - Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when
- no value follows the option. Fixes bug 14142; bugfix on
- 0.2.4.7-alpha. Patch by "teor".
- - Fix a memory leak when using AutomapHostsOnResolve. Fixes bug
- 14195; bugfix on 0.1.0.1-rc.
- o Minor bugfixes (compilation):
- - Build without warnings with the stock OpenSSL srtp.h header, which
- has a duplicate declaration of SSL_get_selected_srtp_profile().
- Fixes bug 14220; this is OpenSSL's bug, not ours.
- o Minor bugfixes (directory authority):
- - Allow directory authorities to fetch more data from one another if
- they find themselves missing lots of votes. Previously, they had
- been bumping against the 10 MB queued data limit. Fixes bug 14261;
- bugfix on 0.1.2.5-alpha.
- - Enlarge the buffer to read bwauth generated files to avoid an
- issue when parsing the file in dirserv_read_measured_bandwidths().
- Fixes bug 14125; bugfix on 0.2.2.1-alpha.
- o Minor bugfixes (statistics):
- - Increase period over which bandwidth observations are aggregated
- from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1.
- o Minor bugfixes (preventative security, C safety):
- - When reading a hexadecimal, base-32, or base-64 encoded value from
- a string, always overwrite the whole output buffer. This prevents
- some bugs where we would look at (but fortunately, not reveal)
- uninitialized memory on the stack. Fixes bug 14013; bugfix on all
- versions of Tor.
- Changes in version 0.2.4.26 - 2015-03-17
- Tor 0.2.4.26 includes an updated list of directory authorities. It
- also backports a couple of stability and security bugfixes from 0.2.5
- and beyond.
- o Directory authority changes:
- - Remove turtles as a directory authority.
- - Add longclaw as a new (v3) directory authority. This implements
- ticket 13296. This keeps the directory authority count at 9.
- - The directory authority Faravahar has a new IP address. This
- closes ticket 14487.
- o Major bugfixes (exit node stability, also in 0.2.6.3-alpha):
- - Fix an assertion failure that could occur under high DNS load.
- Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
- diagnosed and fixed by "cypherpunks".
- o Major bugfixes (relay, stability, possible security, also in 0.2.6.4-rc):
- - Fix a bug that could lead to a relay crashing with an assertion
- failure if a buffer of exactly the wrong layout was passed to
- buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
- 0.2.0.10-alpha. Patch from 'cypherpunks'.
- - Do not assert if the 'data' pointer on a buffer is advanced to the
- very end of the buffer; log a BUG message instead. Only assert if
- it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
- o Minor features (geoip):
- - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
- - Update geoip6 to the March 3 2015 Maxmind GeoLite2
- Country database.
- Changes in version 0.2.5.10 - 2014-10-24
- Tor 0.2.5.10 is the first stable release in the 0.2.5 series.
- It adds several new security features, including improved
- denial-of-service resistance for relays, new compiler hardening
- options, and a system-call sandbox for hardened installations on Linux
- (requires seccomp2). The controller protocol has several new features,
- resolving IPv6 addresses should work better than before, and relays
- should be a little more CPU-efficient. We've added support for more
- OpenBSD and FreeBSD transparent proxy types. We've improved the build
- system and testing infrastructure to allow unit testing of more parts
- of the Tor codebase. Finally, we've addressed several nagging pluggable
- transport usability issues, and included numerous other small bugfixes
- and features mentioned below.
- This release marks end-of-life for Tor 0.2.3.x; those Tor versions
- have accumulated many known flaws; everyone should upgrade.
- o Major features (security):
- - The ntor handshake is now on-by-default, no matter what the
- directory authorities recommend. Implements ticket 8561.
- - Make the "tor-gencert" tool used by directory authority operators
- create 2048-bit signing keys by default (rather than 1024-bit, since
- 1024-bit is uncomfortably small these days). Addresses ticket 10324.
- - Warn about attempts to run hidden services and relays in the same
- process: that's probably not a good idea. Closes ticket 12908.
- - Disable support for SSLv3. All versions of OpenSSL in use with Tor
- today support TLS 1.0 or later, so we can safely turn off support
- for this old (and insecure) protocol. Fixes bug 13426.
- o Major features (relay security, DoS-resistance):
- - When deciding whether we have run out of memory and we need to
- close circuits, also consider memory allocated in buffers for
- streams attached to each circuit.
- This change, which extends an anti-DoS feature introduced in
- 0.2.4.13-alpha and improved in 0.2.4.14-alpha, lets Tor exit relays
- better resist more memory-based DoS attacks than before. Since the
- MaxMemInCellQueues option now applies to all queues, it is renamed
- to MaxMemInQueues. This feature fixes bug 10169.
- - Avoid hash-flooding denial-of-service attacks by using the secure
- SipHash-2-4 hash function for our hashtables. Without this
- feature, an attacker could degrade performance of a targeted
- client or server by flooding their data structures with a large
- number of entries to be stored at the same hash table position,
- thereby slowing down the Tor instance. With this feature, hash
- table positions are derived from a randomized cryptographic key,
- and an attacker cannot predict which entries will collide. Closes
- ticket 4900.
- - If you don't specify MaxMemInQueues yourself, Tor now tries to
- pick a good value based on your total system memory. Previously,
- the default was always 8 GB. You can still override the default by
- setting MaxMemInQueues yourself. Resolves ticket 11396.
- o Major features (bridges and pluggable transports):
- - Add support for passing arguments to managed pluggable transport
- proxies. Implements ticket 3594.
- - Bridges now track GeoIP information and the number of their users
- even when pluggable transports are in use, and report usage
- statistics in their extra-info descriptors. Resolves tickets 4773
- and 5040.
- - Don't launch pluggable transport proxies if we don't have any
- bridges configured that would use them. Now we can list many
- pluggable transports, and Tor will dynamically start one when it
- hears a bridge address that needs it. Resolves ticket 5018.
- - The bridge directory authority now assigns status flags (Stable,
- Guard, etc) to bridges based on thresholds calculated over all
- Running bridges. Now bridgedb can finally make use of its features
- to e.g. include at least one Stable bridge in its answers. Fixes
- bug 9859.
- o Major features (controller):
- - Extend ORCONN controller event to include an "ID" parameter,
- and add four new controller event types CONN_BW, CIRC_BW,
- CELL_STATS, and TB_EMPTY that show connection and circuit usage.
- The new events are emitted in private Tor networks only, with the
- goal of being able to better track performance and load during
- full-network simulations. Implements proposal 218 and ticket 7359.
- o Major features (relay performance):
- - Speed up server-side lookups of rendezvous and introduction point
- circuits by using hashtables instead of linear searches. These
- functions previously accounted between 3 and 7% of CPU usage on
- some busy relays. Resolves ticket 9841.
- - Avoid wasting CPU when extending a circuit over a channel that is
- nearly out of circuit IDs. Previously, we would do a linear scan
- over possible circuit IDs before finding one or deciding that we
- had exhausted our possibilities. Now, we try at most 64 random
- circuit IDs before deciding that we probably won't succeed. Fixes
- a possible root cause of ticket 11553.
- o Major features (seccomp2 sandbox, Linux only):
- - Use the seccomp2 syscall filtering facility on Linux to limit
- which system calls Tor can invoke. This is an experimental,
- Linux-only feature to provide defense-in-depth against unknown
- attacks. To try turning it on, set "Sandbox 1" in your torrc
- file. Please be ready to report bugs. We hope to add support
- for better sandboxing in the future, including more fine-grained
- filters, better division of responsibility, and support for more
- platforms. This work has been done by Cristian-Matei Toader for
- Google Summer of Code. Resolves tickets 11351 and 11465.
- o Major features (testing networks):
- - Make testing Tor networks bootstrap better: lower directory fetch
- retry schedules and maximum interval without directory requests,
- and raise maximum download tries. Implements ticket 6752.
- - Add make target 'test-network' to run tests on a Chutney network.
- Implements ticket 8530.
- o Major features (other):
- - On some platforms (currently: recent OSX versions, glibc-based
- platforms that support the ELF format, and a few other
- Unix-like operating systems), Tor can now dump stack traces
- when a crash occurs or an assertion fails. By default, traces
- are dumped to stderr (if possible) and to any logs that are
- reporting errors. Implements ticket 9299.
- o Deprecated versions:
- - Tor 0.2.3.x has reached end-of-life; it has received no patches or
- attention for some while.
- o Major bugfixes (security, directory authorities):
- - Directory authorities now include a digest of each relay's
- identity key as a part of its microdescriptor.
- This is a workaround for bug 11743 (reported by "cypherpunks"),
- where Tor clients do not support receiving multiple
- microdescriptors with the same SHA256 digest in the same
- consensus. When clients receive a consensus like this, they only
- use one of the relays. Without this fix, a hostile relay could
- selectively disable some client use of target relays by
- constructing a router descriptor with a different identity and the
- same microdescriptor parameters and getting the authorities to
- list it in a microdescriptor consensus. This fix prevents an
- attacker from causing a microdescriptor collision, because the
- router's identity is not forgeable.
- o Major bugfixes (openssl bug workaround):
- - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
- 1.0.1j, built with the 'no-ssl3' configuration option. Fixes
- bug 13471. This is a workaround for an OpenSSL bug.
- o Major bugfixes (client):
- - Perform circuit cleanup operations even when circuit
- construction operations are disabled (because the network is
- disabled, or because there isn't enough directory information).
- Previously, when we were not building predictive circuits, we
- were not closing expired circuits either. Fixes bug 8387; bugfix on
- 0.1.1.11-alpha. This bug became visible in 0.2.4.10-alpha when we
- became more strict about when we have "enough directory information
- to build circuits".
- o Major bugfixes (client, pluggable transports):
- - When managing pluggable transports, use OS notification facilities
- to learn if they have crashed, and don't attempt to kill any
- process that has already exited. Fixes bug 8746; bugfix
- on 0.2.3.6-alpha.
- o Major bugfixes (relay denial of service):
- - Instead of writing destroy cells directly to outgoing connection
- buffers, queue them and intersperse them with other outgoing cells.
- This can prevent a set of resource starvation conditions where too
- many pending destroy cells prevent data cells from actually getting
- delivered. Reported by "oftc_must_be_destroyed". Fixes bug 7912;
- bugfix on 0.2.0.1-alpha.
- o Major bugfixes (relay):
- - Avoid queuing or sending destroy cells for circuit ID zero when we
- fail to send a CREATE cell. Fixes bug 12848; bugfix on 0.0.8pre1.
- Found and fixed by "cypherpunks".
- - Fix ORPort reachability detection on relays running behind a
- proxy, by correctly updating the "local" mark on the controlling
- channel when changing the address of an or_connection_t after the
- handshake. Fixes bug 12160; bugfix on 0.2.4.4-alpha.
- - Use a direct dirport connection when uploading non-anonymous
- descriptors to the directory authorities. Previously, relays would
- incorrectly use tunnel connections under a fairly wide variety of
- circumstances. Fixes bug 11469; bugfix on 0.2.4.3-alpha.
- - When a circuit accidentally has the same circuit ID for its
- forward and reverse direction, correctly detect the direction of
- cells using that circuit. Previously, this bug made roughly one
- circuit in a million non-functional. Fixes bug 12195; this is a
- bugfix on every version of Tor.
- o Minor features (security):
- - New --enable-expensive-hardening option to enable security
- hardening options that consume nontrivial amounts of CPU and
- memory. Right now, this includes AddressSanitizer and UbSan, which
- are supported in newer versions of GCC and Clang. Closes ticket
- 11477.
- - Authorities now assign the Guard flag to the fastest 25% of the
- network (it used to be the fastest 50%). Also raise the consensus
- weight that guarantees the Guard flag from 250 to 2000. For the
- current network, this results in about 1100 guards, down from 2500.
- This step paves the way for moving the number of entry guards
- down to 1 (proposal 236) while still providing reasonable expected
- performance for most users. Implements ticket 12690.
- o Minor features (security, memory management):
- - Memory allocation tricks (mempools and buffer freelists) are now
- disabled by default. You can turn them back on with
- --enable-mempools and --enable-buf-freelists respectively. We're
- disabling these features because malloc performance is good enough
- on most platforms, and a similar feature in OpenSSL exacerbated
- exploitation of the Heartbleed attack. Resolves ticket 11476.
- o Minor features (bridge client):
- - Report a more useful failure message when we can't connect to a
- bridge because we don't have the right pluggable transport
- configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
- o Minor features (bridge):
- - Add an ExtORPortCookieAuthFileGroupReadable option to make the
- cookie file for the ExtORPort g+r by default.
- o Minor features (bridges, pluggable transports):
- - Bridges now write the SHA1 digest of their identity key
- fingerprint (that is, a hash of a hash of their public key) to
- notice-level logs, and to a new hashed-fingerprint file. This
- information will help bridge operators look up their bridge in
- Globe and similar tools. Resolves ticket 10884.
- - Improve the message that Tor displays when running as a bridge
- using pluggable transports without an Extended ORPort listener.
- Also, log the message in the log file too. Resolves ticket 11043.
- - Add threshold cutoffs to the networkstatus document created by
- the Bridge Authority. Fixes bug 1117.
- - On Windows, spawn background processes using the CREATE_NO_WINDOW
- flag. Now Tor Browser Bundle 3.5 with pluggable transports enabled
- doesn't pop up a blank console window. (In Tor Browser Bundle 2.x,
- Vidalia set this option for us.) Implements ticket 10297.
- o Minor features (build):
- - The configure script has a --disable-seccomp option to turn off
- support for libseccomp on systems that have it, in case it (or
- Tor's use of it) is broken. Resolves ticket 11628.
- - Assume that a user using ./configure --host wants to cross-compile,
- and give an error if we cannot find a properly named
- tool-chain. Add a --disable-tool-name-check option to proceed
- nevertheless. Addresses ticket 9869. Patch by Benedikt Gollatz.
- - If we run ./configure and the compiler recognizes -fstack-protector
- but the linker rejects it, warn the user about a potentially missing
- libssp package. Addresses ticket 9948. Patch from Benedikt Gollatz.
- - Add support for `--library-versions` flag. Implements ticket 6384.
- - Return the "unexpected sendme" warnings to a warn severity, but make
- them rate limited, to help diagnose ticket 8093.
- - Detect a missing asciidoc, and warn the user about it, during
- configure rather than at build time. Fixes issue 6506. Patch from
- Arlo Breault.
- o Minor features (client):
- - Add a new option, PredictedPortsRelevanceTime, to control how long
- after having received a request to connect to a given port Tor
- will try to keep circuits ready in anticipation of future requests
- for that port. Patch from "unixninja92"; implements ticket 9176.
- o Minor features (config options and command line):
- - Add an --allow-missing-torrc commandline option that tells Tor to
- run even if the configuration file specified by -f is not available.
- Implements ticket 10060.
- - Add support for the TPROXY transparent proxying facility on Linux.
- See documentation for the new TransProxyType option for more
- details. Implementation by "thomo". Closes ticket 10582.
- o Minor features (config options):
- - Config (torrc) lines now handle fingerprints which are missing
- their initial '$'. Resolves ticket 4341; improvement over 0.0.9pre5.
- - Support a --dump-config option to print some or all of the
- configured options. Mainly useful for debugging the command-line
- option parsing code. Helps resolve ticket 4647.
- - Raise awareness of safer logging: notify user of potentially
- unsafe config options, like logging more verbosely than severity
- "notice" or setting SafeLogging to 0. Resolves ticket 5584.
- - Add a new configuration option TestingV3AuthVotingStartOffset
- that bootstraps a network faster by changing the timing for
- consensus votes. Addresses ticket 8532.
- - Add a new torrc option "ServerTransportOptions" that allows
- bridge operators to pass configuration parameters to their
- pluggable transports. Resolves ticket 8929.
- - The config (torrc) file now accepts bandwidth and space limits in
- bits as well as bytes. (Anywhere that you can say "2 Kilobytes",
- you can now say "16 kilobits", and so on.) Resolves ticket 9214.
- Patch by CharlieB.
- o Minor features (controller):
- - Make the entire exit policy available from the control port via
- GETINFO exit-policy
|