From 3d80246a4e1e2d56e0d4b6a61e7fc416332a4f12 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 17 Sep 2018 16:04:30 -0400 Subject: [PATCH] Write a blurb, pull UI changes to the front, edit --- ChangeLog | 210 ++++++++++++++++++++++++++---------------------------- 1 file changed, 100 insertions(+), 110 deletions(-) diff --git a/ChangeLog b/ChangeLog index ad05b16fbd..1a597e85f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,12 +1,28 @@ -Changes in version 0.3.5.1-alpha-2018-09-?? - BLURB HERE. NOTE ABOUT NSS. +Changes in version 0.3.5.1-alpha-2018-09-18 + Tor 0.3.5.1-alpha is the first release of the 0.3.5.x series. It adds + client authorization for modern (v3) onion services, improves + bootstrap reporting, begins reorganizing Tor's codebase, adds optional + support for NSS in place of OpenSSL, and much more. + + o Major features (onion services, UI change): + - For a newly created onion service, the default version is now 3. + Tor still supports existing version 2 services, but the operator + now needs to set "HiddenServiceVersion 2" in order to create a new + version 2 service. For existing services, Tor now learns the + version by reading the key file. Closes ticket 27215. + + o Major features (relay, UI change): + - Relays no longer run as exits by default. If the "ExitRelay" + option is auto (or unset), and no exit policy is specified with + ExitPolicy or ReducedExitPolicy, we now treat ExitRelay as 0. + Previously in this case, we allowed exit traffic and logged a + warning message. Closes ticket 21530. Patch by Neel Chauhan. o Major features (bootstrap): - - Improve user experience by deferring directory progress reporting - until after a connection to a relay or bridge has succeeded. This - avoids reporting 80% progress based on cached directory - information when we can't even connect to a bridge or relay. - Closes ticket 27169. + - Don't report directory progress until after a connection to a + relay or bridge has succeeded. Previously, we'd report 80% + progress based on cached directory information when we couldn't + even connect to the network. Closes ticket 27169. o Major features (new code layout): - Nearly all of Tor's source code has been moved around into more @@ -22,59 +38,37 @@ Changes in version 0.3.5.1-alpha-2018-09-?? interconnected. We will attempt to improve this in the future. o Major features (onion services v3): - - Implement client authorization at the descriptor level. A new - torrc option was added to control this client side: - ClientOnionAuthDir . On the service side, if the - "authorized_clients/" directory exists in the onion service - directory path, client configuration are read from the files - within. See the manpage for more details. Closes ticket 27547. - Patch done by Suphanat Chunhapanya (haxxpop). + - Implement onion service client authorization at the descriptor + level: only authorized clients can decrypt a service's descriptor + to find out how to contact it. A new torrc option was added to + control this client side: ClientOnionAuthDir . On the + service side, if the "authorized_clients/" directory exists in the + onion service directory path, client configuration are read from + the files within. See the manpage for more details. Closes ticket + 27547. Patch done by Suphanat Chunhapanya (haxxpop). - Improve revision counter generation in next-gen onion services. Onion services can now scale by hosting multiple instances on different hosts without synchronization between them, which was previously impossible because descriptors would get rejected by HSDirs. Addresses ticket 25552. - o Major features (onion services): - - For a newly created onion service, the default version is now 3. - Tor still supports version 2 service but the operator now needs to - specifically set "HiddenServiceVersion 2" in order to create a new - service. For existing services, tor now learns the version by - reading the key file so the HiddenServiceVersion is not mandatory - in that case. Closes ticket 27215. - o Major features (portability, cryptography, experimental, TLS): - Tor now has the option to compile with the NSS library instead of OpenSSL. This feature is experimental, and we expect that bugs may remain. It is mainly intended for environments where Tor's performance is not CPU-bound, and where NSS is already known to be installed. To try it out, configure Tor with the --enable-nss - flag. Closes ticket 26631. - - Tor now has _partial_ support for using the NSS cryptography and - TLS library in place of OpenSSL. When Tor is configured with - --enable-nss, it will use NSS for several (but not yet all) of its - cryptography. (It still relies on OpenSSL for the rest.) - Eventually, if all goes as planned, "--enable-nss" will produce a - version of Tor that does not depend on OpenSSL. Implements - ticket 26816. + flag. Closes tickets 26631, 26815, and 26816. - WARNING: This feature is experimental. Don't use it for real - security yet, until the code has had much more review, and more - bugs have been shaken out. - - When built with --enable-nss, Tor now uses the NSS library for - digests, AES, and pseudorandom numbers. Closes ticket 26815. - - o Major features (relay): - - Relays no longer run as exits by default. If the "ExitRelay" - option is auto (or unset), and no exit policy is specified with - ExitPolicy or ReducedExitPolicy, we now treat ExitRelay as 0. - Previously in this case, we allowed exit traffic and logged a - warning message. Closes ticket 21530. Patch by Neel Chauhan. + If you are experimenting with this option and using an old cached + consensus, Tor may fail to start. To solve this, delete your + "cached-microdesc-consensus" file, and restart Tor. o Major bugfixes (directory authority): - - Actually check that address we get from DirAuthority configuration - line is valid IPv4. Explicitly disallow DirAuthority adress to be - DNS hostname. Fixes bug 26488; bugfix on 0.1.2.10-rc. + - Actually check that the address we get from DirAuthority + configuration line is valid IPv4. Explicitly disallow DirAuthority + adress to be a DNS hostname. Fixes bug 26488; bugfix + on 0.1.2.10-rc. o Major bugfixes (restart-in-process): - Fix a use-after-free error that could be caused by passing Tor an @@ -82,14 +76,15 @@ Changes in version 0.3.5.1-alpha-2018-09-?? Fixes bug 27708; bugfix on 0.3.3.1-alpha. o Minor features (admin tools): - - Add new tool that prints expiration date of th signing cert in an - ed25519_signing_cert file. Resolves issue 19506. + - Add a new --key-expiration option to print the expiration date of + the signing cert in an ed25519_signing_cert file. Resolves + issue 19506. o Minor features (build): - If you pass the "--enable-pic" option to configure, Tor will try to tell the compiler to build position-independent code suitable - to link into a library. (The default remains -fPIE, for code - suitable for a relocatable executable.) Closes ticket 23846. + to link into a dynamic library. (The default remains -fPIE, for + code suitable for a relocatable executable.) Closes ticket 23846. o Minor features (code correctness, testing): - Tor's build process now includes a "check-includes" make target to @@ -98,10 +93,11 @@ Changes in version 0.3.5.1-alpha-2018-09-?? refactor our codebase. Closes ticket 26447. o Minor features (code layout): - - Make a new lowest-level error-handling API for use by code invoked - from within the logging module. This interface it makes it so the + - We have a new "lowest-level" error-handling API for use by code + invoked from within the logging module. With this interface, the logging code is no longer at risk of calling into itself if a - failure occurs while trying to log something. Closes ticket 26427. + failure occurs while it is trying to log something. Closes + ticket 26427. o Minor features (compilation): - Tor's configure script now supports a --with-malloc= option to @@ -111,7 +107,7 @@ Changes in version 0.3.5.1-alpha-2018-09-?? Alex Xu. o Minor features (config): - - The "auto" keyword in torrc is now case insensitive. Closes + - The "auto" keyword in torrc is now case-insensitive. Closes ticket 26663. o Minor features (continuous integration): @@ -122,10 +118,10 @@ Changes in version 0.3.5.1-alpha-2018-09-?? - Only run one online rust build in Travis, to reduce network errors. Skip offline rust builds on Travis for Linux gcc, because they're redundant. Implements ticket 27252. - - Skip gcc on OSX in Travis CI, it's rarely used. Skip a duplicate - hardening-off build in Travis on Tor 0.2.9. Skip gcc on Linux with - default settings, because all the non-default builds use gcc on - Linux. Implements ticket 27252. + - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a + duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on + Linux with default settings, because all the non-default builds + use gcc on Linux. Implements ticket 27252. o Minor features (controller): - Emit CIRC_BW events as soon as we detect that we processed an @@ -137,7 +133,7 @@ Changes in version 0.3.5.1-alpha-2018-09-?? bias check cells to arrive without counting it as dropped until either the END arrvies, or the windows are empty. Closes ticket 25573. - - Implement 'GETINFO md/all' controller command to enable getting + - Implement a 'GETINFO md/all' controller command to enable getting all known microdesriptors. Closes ticket 8323. - The GETINFO command now support an "uptime" argument, to return Tor's uptime in seconds. Closes ticket 25132. @@ -148,8 +144,6 @@ Changes in version 0.3.5.1-alpha-2018-09-?? subsystem. Closes ticket 18642. Patch by Neel Chauhan o Minor features (development): - - Copy paragraph and URL to Tor's code of conduct document from - CONTRIBUTING to new CODE_OF_CONDUCT file. Resolves ticket 26638. - Tor's makefile now supports running the "clippy" Rust style tool on our Rust code. Closes ticket 22156. @@ -168,17 +162,18 @@ Changes in version 0.3.5.1-alpha-2018-09-?? a preconstructed owning controller FD, so that embedding applications don't need to manage controller ports and authentication. Closes ticket 24204. - - The tor_api now has a function that returns the name and version - of the backend implementing the API. Closes ticket 26947. + - The Tor controller API now has a function that returns the name + and version of the backend implementing the API. Closes + ticket 26947. o Minor features (geoip): - Update geoip and geoip6 to the September 6 2018 Maxmind GeoLite2 Country database. Closes ticket 27631. o Minor features (memory management): - - Get libevent code to use the same memory allocator that Tor code - is using by calling event_set_mem_functions() during - initialization. Resolves ticket 8415. + - Get Libevent to use the same memory allocator as Tor, by calling + event_set_mem_functions() during initialization. Resolves + ticket 8415. o Minor features (memory usage): - When not using them, store legacy TAP public onion keys in DER- @@ -189,7 +184,7 @@ Changes in version 0.3.5.1-alpha-2018-09-?? - When possible, use RFC5869 HKDF implementation from OpenSSL rather than own own. Resolves ticket 19979. - o Minor features (rust, code quality): + o Minor features (Rust, code quality): - Improve rust code quality in the rust protover implementation by making it more idiomatic. Includes changing an internal API to take &str instead of &String. Closes ticket 26492. @@ -206,6 +201,8 @@ Changes in version 0.3.5.1-alpha-2018-09-?? - Log each included configuration file or directory as we read it, to provide more visibility about where Tor is reading from. Patch from Unto Sten; closes ticket 27186. + - Low log level of "Scheduler type KIST has been enabled" to INFO. + Closes ticket 26703. o Minor bugfixes (bootstrap): - Try harder to get descriptors in non-exit test networks, by using @@ -224,7 +221,7 @@ Changes in version 0.3.5.1-alpha-2018-09-?? o Minor bugfixes (client, memory usage): - When not running as a directory cache, there is no need to store the text of the current consensus networkstatus in RAM. - Previously, however, clients would store this anyway, at a cost of + Previously, however, clients would store it anyway, at a cost of over 5 MB. Now, they do not. Fixes bug 27247; bugfix on 0.3.0.1-alpha. @@ -240,10 +237,6 @@ Changes in version 0.3.5.1-alpha-2018-09-?? misleadingly suggest that they are sandbox-only. Fixes bug 26525; bugfix on 0.2.7.1-alpha. - o Minor bugfixes (compilation): - - Use Windows-compatible format strings in tor-print-ed-signing- - cert.c. Fixes bug 26986; bugfix on master. - o Minor bugfixes (configuration, Onion Services): - In rend_service_parse_port_config(), disallow any input to remain after address-port pair was parsed. This will catch address and @@ -251,9 +244,6 @@ Changes in version 0.3.5.1-alpha-2018-09-?? 27044; bugfix on 0.2.9.10. o Minor bugfixes (continuous integration): - - Improve Appveyor CI IRC logging. Generate correct branches and - URLs for pull requests and tags. Use unambiguous short commits. - Fixes bug 26979; bugfix on master. - Stop reinstalling identical packages in our Windows CI. Fixes bug 27464; bugfix on 0.3.4.1-alpha. @@ -284,8 +274,8 @@ Changes in version 0.3.5.1-alpha-2018-09-?? Tor is running as client. Also, log a stack trace for debugging as this function should only be called when Tor runs as server. Fixes bug 26892; bugfix on 0.1.1.9-alpha. - - Refrain from mentioning bug 21018, as it is already fixed. Fixes - bug 25477; bugfix on 0.2.9.8. + - Refrain from mentioning bug 21018 in the logs, as it is already + fixed. Fixes bug 25477; bugfix on 0.2.9.8. o Minor bugfixes (logging, documentation): - When SafeLogging is enabled, scrub IP address in @@ -298,22 +288,21 @@ Changes in version 0.3.5.1-alpha-2018-09-?? padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha. o Minor bugfixes (onion service v2): - - Demote a log warning to info in case we do not have a consensus - when a .onion request comes in. This can happen while bootstrapping - for instance. The request will follow through after so we really - don't need to warn the user loudly. Fixes bug 27040; bugfix + - Log at level "info", not "warning", in the case that we do not + have a consensus when a .onion request comes in. This can happen + normally while bootstrapping. Fixes bug 27040; bugfix on 0.2.8.2-alpha. o Minor bugfixes (onion service v3): - - In case the onion service directory can't be created or has wrong - permissions, do not BUG() on it which lead to a non fatal - stacktrace. Fixes bug 27335; bugfix on 0.3.2.1. + - When the onion service directory can't be created or has the wrong + permissions, do not log a stack trace. Fixes bug 27335; bugfix + on 0.3.2.1-alpha. o Minor bugfixes (OS compatibility): - - On Linux and Windows properly handle configuration change that - moves a listener to/from wildcard IP address. In case first - attempt to bind a socket fails, close the old listener and try - binding a socket again. Fixes bug 17873; bugfix on 0.0.8pre-1. + - Properly handle configuration changes that move a listener to/from + wildcard IP address. If the first attempt to bind a socket fails, + close the old listener and try binding the socket again. Fixes bug + 17873; bugfix on 0.0.8pre-1. o Minor bugfixes (performance):: - Rework node_is_a_configured_bridge() to no longer call @@ -322,26 +311,27 @@ Changes in version 0.3.5.1-alpha-2018-09-?? o Minor bugfixes (relay statistics): - Update relay descriptor on bandwidth changes only when the uptime - is smaller than 24h in order to reduce the efficiency of guard + is smaller than 24h, in order to reduce the efficiency of guard discovery attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha. o Minor bugfixes (relays): - - In frac_nodes_with_descriptors(), add for_direct_connect, and - replace node_has_any_descriptor() with - node_has_preferred_descriptor(). Also, if we are using bridges and - there is at least one bridge with a full descriptor, set f_guard - in compute_frac_paths_available() to 1.0. Fixes bug 25886; bugfix - on 0.3.5.1-alpha. Patch by Neel Chauhan. - - Since 0.3.3.5-rc, authorities require DirCache (V2Dir) for the - Guard flag. Update the message logged on relays when DirCache is - disabled. Fixes bug 24312; bugfix on 0.3.3.5-rc. + - Consider the fact that we'll be making direct connections to our + entry and guard nodes when computing the fraction of nodes that + have their descriptors. Also, if we are using bridges and there is + at least one bridge with a full descriptor, treat the fraction of + guards available as 100%. Fixes bug 25886; bugfix on 0.3.5.1-alpha. + Patch by Neel Chauhan. + - Update the message logged on relays when DirCache is disabled. + Since 0.3.3.5-rc, authorities require DirCache (V2Dir) for the + Guard flag. Fixes bug 24312; bugfix on 0.3.3.5-rc. - o Minor bugfixes (rust): - - The protover rewrite in 24031 allowed repeated votes from the same - voter for the same protocol version to be counted multiple times - in protover_compute_vote(). Fixes bug 27649; bugfix on 0.3.3.5-rc. - - protover parsed and accepted unknown protocol names containing - invalid characters outside the range [A-Za-z0-9-]. Fixes bug + o Minor bugfixes (rust, protover): + - Compute protover votes correctly in the rust version of the + protover code. Previously, the protover rewrite in 24031 allowed + repeated votes from the same voter for the same protocol version + to be counted multiple times in protover_compute_vote(). Fixes bug + 27649; bugfix on 0.3.3.5-rc. + - Reject protover names that contain invalid characters. Fixes bug 27687; bugfix on 0.3.3.1-alpha. o Minor bugfixes (testing): @@ -367,8 +357,6 @@ Changes in version 0.3.5.1-alpha-2018-09-?? longer needed Closes ticket 26502. - Include paths to header files within Tor are now qualified by directory within the top-level src directory. - - Low log level of "Scheduler type KIST has been enabled" to INFO. - Ticket 26703 - Many structures have been removed from the centralized "or.h" header, and moved into their own headers. This will allow us to reduce the number of places in the code that rely on each @@ -399,6 +387,8 @@ Changes in version 0.3.5.1-alpha-2018-09-?? modules. Closes ticket 26526. o Documentation: + - Copy paragraph and URL to Tor's code of conduct document from + CONTRIBUTING to new CODE_OF_CONDUCT file. Resolves ticket 26638. - Remove old instructions from INSTALL document. Closes ticket 26588. - Warn users that they should not include MyFamily line(s) in their torrc when running Tor bridge. Closes ticket 26908. @@ -410,11 +400,11 @@ Changes in version 0.3.5.1-alpha-2018-09-?? - Tor no longer attempts to run on Windows environments without the GetAdaptersAddresses() function. This function has existed since Windows XP, which is itself already older than we support. - - Remove Tor2web functionalities. The Tor2webMode and - Tor2webRendezvousPoints options are now obsolete. Note that this - feature was never shipped in vanilla Tor and it was only possible - to use this feature by building the support at compile time. - Closes ticket 26367. + - Remove Tor2web functionality. The Tor2webMode and + Tor2webRendezvousPoints options are now obsolete. (This feature + was never shipped in vanilla Tor and it was only possible to use + this feature by building the support at compile time.) Closes + ticket 26367. Changes in version 0.2.9.17 - 2018-09-10