mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-23 20:03:31 +01:00
Forward-port changelog and release notes for 0.2.5.10
parent
ac4dd248e1
commit
9116f49c77
23
ChangeLog
@ -1,6 +1,29 @@
|
|||||||
Changes in version 0.2.6.1-alpha - 2014-??-??
|
Changes in version 0.2.6.1-alpha - 2014-??-??
|
||||||
|
|
||||||
|
|
||||||
|
Changes in version 0.2.5.10 - 2014-10-24
|
||||||
|
Tor 0.2.5.10 is the first stable release in the 0.2.5 series.
|
||||||
|
|
||||||
|
It adds several new security features, including improved
|
||||||
|
denial-of-service resistance for relays, new compiler hardening
|
||||||
|
options, and a system-call sandbox for hardened installations on Linux
|
||||||
|
(requires seccomp2). The controller protocol has several new features,
|
||||||
|
resolving IPv6 addresses should work better than before, and relays
|
||||||
|
should be a little more CPU-efficient. We've added support for more
|
||||||
|
OpenBSD and FreeBSD transparent proxy types. We've improved the build
|
||||||
|
system and testing infrastructure to allow unit testing of more parts
|
||||||
|
of the Tor codebase. Finally, we've addressed several nagging pluggable
|
||||||
|
transport usability issues, and included numerous other small bugfixes
|
||||||
|
and features mentioned below.
|
||||||
|
|
||||||
|
This release marks end-of-life for Tor 0.2.3.x; those Tor versions
|
||||||
|
have accumulated many known flaws; everyone should upgrade.
|
||||||
|
|
||||||
|
o Deprecated versions:
|
||||||
|
- Tor 0.2.3.x has reached end-of-life; it has received no patches or
|
||||||
|
attention for some while.
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.2.5.9-rc - 2014-10-20
|
Changes in version 0.2.5.9-rc - 2014-10-20
|
||||||
Tor 0.2.5.9-rc is the third release candidate for the Tor 0.2.5.x
|
Tor 0.2.5.9-rc is the third release candidate for the Tor 0.2.5.x
|
||||||
series. It disables SSL3 in response to the recent "POODLE" attack
|
series. It disables SSL3 in response to the recent "POODLE" attack
|
||||||
|
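Review bot: The added 0.2.5.10 entry ends its intro with "and features mentioned below", but in ChangeLog the only section that follows is "o Deprecated versions:", so the security features the paragraph names (relay DoS resistance, compiler hardening options, the seccomp2 sandbox) are never itemized in this file. The wording reads as if it was carried over from the ReleaseNotes text, where the full list does follow; consider rewording the sentence for ChangeLog or pointing readers to the ReleaseNotes file for the list. Separately, the entry is inserted directly under the "Changes in version 0.2.6.1-alpha - 2014-??-??" header, which has no body of its own in the visible context, so a short placeholder line under that header would keep the 0.2.5.10 text from being read as part of 0.2.6.1-alpha.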
883
ReleaseNotes
@ -3,6 +3,889 @@ This document summarizes new features and bugfixes in each stable release
|
|||||||
of Tor. If you want to see more detailed descriptions of the changes in
|
of Tor. If you want to see more detailed descriptions of the changes in
|
||||||
each development snapshot, see the ChangeLog file.
|
each development snapshot, see the ChangeLog file.
|
||||||
|
|
||||||
|
Changes in version 0.2.5.10 - 2014-10-24
|
||||||
|
Tor 0.2.5.10 is the first stable release in the 0.2.5 series.
|
||||||
|
|
||||||
|
It adds several new security features, including improved
|
||||||
|
denial-of-service resistance for relays, new compiler hardening
|
||||||
|
options, and a system-call sandbox for hardened installations on Linux
|
||||||
|
(requires seccomp2). The controller protocol has several new features,
|
||||||
|
resolving IPv6 addresses should work better than before, and relays
|
||||||
|
should be a little more CPU-efficient. We've added support for more
|
||||||
|
OpenBSD and FreeBSD transparent proxy types. We've improved the build
|
||||||
|
system and testing infrastructure to allow unit testing of more parts
|
||||||
|
of the Tor codebase. Finally, we've addressed several nagging pluggable
|
||||||
|
transport usability issues, and included numerous other small bugfixes
|
||||||
|
and features mentioned below.
|
||||||
|
|
||||||
|
This release marks end-of-life for Tor 0.2.3.x; those Tor versions
|
||||||
|
have accumulated many known flaws; everyone should upgrade.
|
||||||
|
|
||||||
|
o Major features (security):
|
||||||
|
- The ntor handshake is now on-by-default, no matter what the
|
||||||
|
directory authorities recommend. Implements ticket 8561.
|
||||||
|
- Make the "tor-gencert" tool used by directory authority operators
|
||||||
|
create 2048-bit signing keys by default (rather than 1024-bit, since
|
||||||
|
1024-bit is uncomfortably small these days). Addresses ticket 10324.
|
||||||
|
- Warn about attempts to run hidden services and relays in the same
|
||||||
|
process: that's probably not a good idea. Closes ticket 12908.
|
||||||
|
- Disable support for SSLv3. All versions of OpenSSL in use with Tor
|
||||||
|
today support TLS 1.0 or later, so we can safely turn off support
|
||||||
|
for this old (and insecure) protocol. Fixes bug 13426.
|
||||||
|
|
||||||
|
o Major features (relay security, DoS-resistance):
|
||||||
|
- When deciding whether we have run out of memory and we need to
|
||||||
|
close circuits, also consider memory allocated in buffers for
|
||||||
|
streams attached to each circuit.
|
||||||
|
|
||||||
|
This change, which extends an anti-DoS feature introduced in
|
||||||
|
0.2.4.13-alpha and improved in 0.2.4.14-alpha, lets Tor exit relays
|
||||||
|
better resist more memory-based DoS attacks than before. Since the
|
||||||
|
MaxMemInCellQueues option now applies to all queues, it is renamed
|
||||||
|
to MaxMemInQueues. This feature fixes bug 10169.
|
||||||
|
- Avoid hash-flooding denial-of-service attacks by using the secure
|
||||||
|
SipHash-2-4 hash function for our hashtables. Without this
|
||||||
|
feature, an attacker could degrade performance of a targeted
|
||||||
|
client or server by flooding their data structures with a large
|
||||||
|
number of entries to be stored at the same hash table position,
|
||||||
|
thereby slowing down the Tor instance. With this feature, hash
|
||||||
|
table positions are derived from a randomized cryptographic key,
|
||||||
|
and an attacker cannot predict which entries will collide. Closes
|
||||||
|
ticket 4900.
|
||||||
|
- If you don't specify MaxMemInQueues yourself, Tor now tries to
|
||||||
|
pick a good value based on your total system memory. Previously,
|
||||||
|
the default was always 8 GB. You can still override the default by
|
||||||
|
setting MaxMemInQueues yourself. Resolves ticket 11396.
|
||||||
|
|
||||||
|
o Major features (bridges and pluggable transports):
|
||||||
|
- Add support for passing arguments to managed pluggable transport
|
||||||
|
proxies. Implements ticket 3594.
|
||||||
|
- Bridges now track GeoIP information and the number of their users
|
||||||
|
even when pluggable transports are in use, and report usage
|
||||||
|
statistics in their extra-info descriptors. Resolves tickets 4773
|
||||||
|
and 5040.
|
||||||
|
- Don't launch pluggable transport proxies if we don't have any
|
||||||
|
bridges configured that would use them. Now we can list many
|
||||||
|
pluggable transports, and Tor will dynamically start one when it
|
||||||
|
hears a bridge address that needs it. Resolves ticket 5018.
|
||||||
|
- The bridge directory authority now assigns status flags (Stable,
|
||||||
|
Guard, etc) to bridges based on thresholds calculated over all
|
||||||
|
Running bridges. Now bridgedb can finally make use of its features
|
||||||
|
to e.g. include at least one Stable bridge in its answers. Fixes
|
||||||
|
bug 9859.
|
||||||
|
|
||||||
|
o Major features (controller):
|
||||||
|
- Extend ORCONN controller event to include an "ID" parameter,
|
||||||
|
and add four new controller event types CONN_BW, CIRC_BW,
|
||||||
|
CELL_STATS, and TB_EMPTY that show connection and circuit usage.
|
||||||
|
The new events are emitted in private Tor networks only, with the
|
||||||
|
goal of being able to better track performance and load during
|
||||||
|
full-network simulations. Implements proposal 218 and ticket 7359.
|
||||||
|
|
||||||
|
o Major features (relay performance):
|
||||||
|
- Speed up server-side lookups of rendezvous and introduction point
|
||||||
|
circuits by using hashtables instead of linear searches. These
|
||||||
|
functions previously accounted between 3 and 7% of CPU usage on
|
||||||
|
some busy relays. Resolves ticket 9841.
|
||||||
|
- Avoid wasting CPU when extending a circuit over a channel that is
|
||||||
|
nearly out of circuit IDs. Previously, we would do a linear scan
|
||||||
|
over possible circuit IDs before finding one or deciding that we
|
||||||
|
had exhausted our possibilities. Now, we try at most 64 random
|
||||||
|
circuit IDs before deciding that we probably won't succeed. Fixes
|
||||||
|
a possible root cause of ticket 11553.
|
||||||
|
|
||||||
|
o Major features (seccomp2 sandbox, Linux only):
|
||||||
|
- Use the seccomp2 syscall filtering facility on Linux to limit
|
||||||
|
which system calls Tor can invoke. This is an experimental,
|
||||||
|
Linux-only feature to provide defense-in-depth against unknown
|
||||||
|
attacks. To try turning it on, set "Sandbox 1" in your torrc
|
||||||
|
file. Please be ready to report bugs. We hope to add support
|
||||||
|
for better sandboxing in the future, including more fine-grained
|
||||||
|
filters, better division of responsibility, and support for more
|
||||||
|
platforms. This work has been done by Cristian-Matei Toader for
|
||||||
|
Google Summer of Code. Resolves tickets 11351 and 11465.
|
||||||
|
|
||||||
|
o Major features (testing networks):
|
||||||
|
- Make testing Tor networks bootstrap better: lower directory fetch
|
||||||
|
retry schedules and maximum interval without directory requests,
|
||||||
|
and raise maximum download tries. Implements ticket 6752.
|
||||||
|
- Add make target 'test-network' to run tests on a Chutney network.
|
||||||
|
Implements ticket 8530.
|
||||||
|
|
||||||
|
o Major features (other):
|
||||||
|
- On some platforms (currently: recent OSX versions, glibc-based
|
||||||
|
platforms that support the ELF format, and a few other
|
||||||
|
Unix-like operating systems), Tor can now dump stack traces
|
||||||
|
when a crash occurs or an assertion fails. By default, traces
|
||||||
|
are dumped to stderr (if possible) and to any logs that are
|
||||||
|
reporting errors. Implements ticket 9299.
|
||||||
|
|
||||||
|
o Deprecated versions:
|
||||||
|
- Tor 0.2.3.x has reached end-of-life; it has received no patches or
|
||||||
|
attention for some while.
|
||||||
|
|
||||||
|
o Major bugfixes (security, directory authorities):
|
||||||
|
- Directory authorities now include a digest of each relay's
|
||||||
|
identity key as a part of its microdescriptor.
|
||||||
|
|
||||||
|
This is a workaround for bug 11743 (reported by "cypherpunks"),
|
||||||
|
where Tor clients do not support receiving multiple
|
||||||
|
microdescriptors with the same SHA256 digest in the same
|
||||||
|
consensus. When clients receive a consensus like this, they only
|
||||||
|
use one of the relays. Without this fix, a hostile relay could
|
||||||
|
selectively disable some client use of target relays by
|
||||||
|
constructing a router descriptor with a different identity and the
|
||||||
|
same microdescriptor parameters and getting the authorities to
|
||||||
|
list it in a microdescriptor consensus. This fix prevents an
|
||||||
|
attacker from causing a microdescriptor collision, because the
|
||||||
|
router's identity is not forgeable.
|
||||||
|
|
||||||
|
o Major bugfixes (openssl bug workaround):
|
||||||
|
- Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
|
||||||
|
1.0.1j, built with the 'no-ssl3' configuration option. Fixes
|
||||||
|
bug 13471. This is a workaround for an OpenSSL bug.
|
||||||
|
|
||||||
|
o Major bugfixes (client):
|
||||||
|
- Perform circuit cleanup operations even when circuit
|
||||||
|
construction operations are disabled (because the network is
|
||||||
|
disabled, or because there isn't enough directory information).
|
||||||
|
Previously, when we were not building predictive circuits, we
|
||||||
|
were not closing expired circuits either. Fixes bug 8387; bugfix on
|
||||||
|
0.1.1.11-alpha. This bug became visible in 0.2.4.10-alpha when we
|
||||||
|
became more strict about when we have "enough directory information
|
||||||
|
to build circuits".
|
||||||
|
|
||||||
|
o Major bugfixes (client, pluggable transports):
|
||||||
|
- When managing pluggable transports, use OS notification facilities
|
||||||
|
to learn if they have crashed, and don't attempt to kill any
|
||||||
|
process that has already exited. Fixes bug 8746; bugfix
|
||||||
|
on 0.2.3.6-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (relay denial of service):
|
||||||
|
- Instead of writing destroy cells directly to outgoing connection
|
||||||
|
buffers, queue them and intersperse them with other outgoing cells.
|
||||||
|
This can prevent a set of resource starvation conditions where too
|
||||||
|
many pending destroy cells prevent data cells from actually getting
|
||||||
|
delivered. Reported by "oftc_must_be_destroyed". Fixes bug 7912;
|
||||||
|
bugfix on 0.2.0.1-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (relay):
|
||||||
|
- Avoid queuing or sending destroy cells for circuit ID zero when we
|
||||||
|
fail to send a CREATE cell. Fixes bug 12848; bugfix on 0.0.8pre1.
|
||||||
|
Found and fixed by "cypherpunks".
|
||||||
|
- Fix ORPort reachability detection on relays running behind a
|
||||||
|
proxy, by correctly updating the "local" mark on the controlling
|
||||||
|
channel when changing the address of an or_connection_t after the
|
||||||
|
handshake. Fixes bug 12160; bugfix on 0.2.4.4-alpha.
|
||||||
|
- Use a direct dirport connection when uploading non-anonymous
|
||||||
|
descriptors to the directory authorities. Previously, relays would
|
||||||
|
incorrectly use tunnel connections under a fairly wide variety of
|
||||||
|
circumstances. Fixes bug 11469; bugfix on 0.2.4.3-alpha.
|
||||||
|
- When a circuit accidentally has the same circuit ID for its
|
||||||
|
forward and reverse direction, correctly detect the direction of
|
||||||
|
cells using that circuit. Previously, this bug made roughly one
|
||||||
|
circuit in a million non-functional. Fixes bug 12195; this is a
|
||||||
|
bugfix on every version of Tor.
|
||||||
|
|
||||||
|
o Minor features (security):
|
||||||
|
- New --enable-expensive-hardening option to enable security
|
||||||
|
hardening options that consume nontrivial amounts of CPU and
|
||||||
|
memory. Right now, this includes AddressSanitizer and UbSan, which
|
||||||
|
are supported in newer versions of GCC and Clang. Closes ticket
|
||||||
|
11477.
|
||||||
|
- Authorities now assign the Guard flag to the fastest 25% of the
|
||||||
|
network (it used to be the fastest 50%). Also raise the consensus
|
||||||
|
weight that guarantees the Guard flag from 250 to 2000. For the
|
||||||
|
current network, this results in about 1100 guards, down from 2500.
|
||||||
|
This step paves the way for moving the number of entry guards
|
||||||
|
down to 1 (proposal 236) while still providing reasonable expected
|
||||||
|
performance for most users. Implements ticket 12690.
|
||||||
|
|
||||||
|
o Minor features (security, memory management):
|
||||||
|
- Memory allocation tricks (mempools and buffer freelists) are now
|
||||||
|
disabled by default. You can turn them back on with
|
||||||
|
--enable-mempools and --enable-buf-freelists respectively. We're
|
||||||
|
disabling these features because malloc performance is good enough
|
||||||
|
on most platforms, and a similar feature in OpenSSL exacerbated
|
||||||
|
exploitation of the Heartbleed attack. Resolves ticket 11476.
|
||||||
|
|
||||||
|
o Minor features (bridge client):
|
||||||
|
- Report a more useful failure message when we can't connect to a
|
||||||
|
bridge because we don't have the right pluggable transport
|
||||||
|
configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
|
||||||
|
|
||||||
|
o Minor features (bridge):
|
||||||
|
- Add an ExtORPortCookieAuthFileGroupReadable option to make the
|
||||||
|
cookie file for the ExtORPort g+r by default.
|
||||||
|
|
||||||
|
o Minor features (bridges, pluggable transports):
|
||||||
|
- Bridges now write the SHA1 digest of their identity key
|
||||||
|
fingerprint (that is, a hash of a hash of their public key) to
|
||||||
|
notice-level logs, and to a new hashed-fingerprint file. This
|
||||||
|
information will help bridge operators look up their bridge in
|
||||||
|
Globe and similar tools. Resolves ticket 10884.
|
||||||
|
- Improve the message that Tor displays when running as a bridge
|
||||||
|
using pluggable transports without an Extended ORPort listener.
|
||||||
|
Also, log the message in the log file too. Resolves ticket 11043.
|
||||||
|
- Add threshold cutoffs to the networkstatus document created by
|
||||||
|
the Bridge Authority. Fixes bug 1117.
|
||||||
|
- On Windows, spawn background processes using the CREATE_NO_WINDOW
|
||||||
|
flag. Now Tor Browser Bundle 3.5 with pluggable transports enabled
|
||||||
|
doesn't pop up a blank console window. (In Tor Browser Bundle 2.x,
|
||||||
|
Vidalia set this option for us.) Implements ticket 10297.
|
||||||
|
|
||||||
|
o Minor features (build):
|
||||||
|
- The configure script has a --disable-seccomp option to turn off
|
||||||
|
support for libseccomp on systems that have it, in case it (or
|
||||||
|
Tor's use of it) is broken. Resolves ticket 11628.
|
||||||
|
- Assume that a user using ./configure --host wants to cross-compile,
|
||||||
|
and give an error if we cannot find a properly named
|
||||||
|
tool-chain. Add a --disable-tool-name-check option to proceed
|
||||||
|
nevertheless. Addresses ticket 9869. Patch by Benedikt Gollatz.
|
||||||
|
- If we run ./configure and the compiler recognizes -fstack-protector
|
||||||
|
but the linker rejects it, warn the user about a potentially missing
|
||||||
|
libssp package. Addresses ticket 9948. Patch from Benedikt Gollatz.
|
||||||
|
- Add support for `--library-versions` flag. Implements ticket 6384.
|
||||||
|
- Return the "unexpected sendme" warnings to a warn severity, but make
|
||||||
|
them rate limited, to help diagnose ticket 8093.
|
||||||
|
- Detect a missing asciidoc, and warn the user about it, during
|
||||||
|
configure rather than at build time. Fixes issue 6506. Patch from
|
||||||
|
Arlo Breault.
|
||||||
|
|
||||||
|
o Minor features (client):
|
||||||
|
- Add a new option, PredictedPortsRelevanceTime, to control how long
|
||||||
|
after having received a request to connect to a given port Tor
|
||||||
|
will try to keep circuits ready in anticipation of future requests
|
||||||
|
for that port. Patch from "unixninja92"; implements ticket 9176.
|
||||||
|
|
||||||
|
o Minor features (config options and command line):
|
||||||
|
- Add an --allow-missing-torrc commandline option that tells Tor to
|
||||||
|
run even if the configuration file specified by -f is not available.
|
||||||
|
Implements ticket 10060.
|
||||||
|
- Add support for the TPROXY transparent proxying facility on Linux.
|
||||||
|
See documentation for the new TransProxyType option for more
|
||||||
|
details. Implementation by "thomo". Closes ticket 10582.
|
||||||
|
|
||||||
|
o Minor features (config options):
|
||||||
|
- Config (torrc) lines now handle fingerprints which are missing
|
||||||
|
their initial '$'. Resolves ticket 4341; improvement over 0.0.9pre5.
|
||||||
|
- Support a --dump-config option to print some or all of the
|
||||||
|
configured options. Mainly useful for debugging the command-line
|
||||||
|
option parsing code. Helps resolve ticket 4647.
|
||||||
|
- Raise awareness of safer logging: notify user of potentially
|
||||||
|
unsafe config options, like logging more verbosely than severity
|
||||||
|
"notice" or setting SafeLogging to 0. Resolves ticket 5584.
|
||||||
|
- Add a new configuration option TestingV3AuthVotingStartOffset
|
||||||
|
that bootstraps a network faster by changing the timing for
|
||||||
|
consensus votes. Addresses ticket 8532.
|
||||||
|
- Add a new torrc option "ServerTransportOptions" that allows
|
||||||
|
bridge operators to pass configuration parameters to their
|
||||||
|
pluggable transports. Resolves ticket 8929.
|
||||||
|
- The config (torrc) file now accepts bandwidth and space limits in
|
||||||
|
bits as well as bytes. (Anywhere that you can say "2 Kilobytes",
|
||||||
|
you can now say "16 kilobits", and so on.) Resolves ticket 9214.
|
||||||
|
Patch by CharlieB.
|
||||||
|
|
||||||
|
o Minor features (controller):
|
||||||
|
- Make the entire exit policy available from the control port via
|
||||||
|
GETINFO exit-policy/*. Implements enhancement 7952. Patch from
|
||||||
|
"rl1987".
|
||||||
|
- Because of the fix for ticket 11396, the real limit for memory
|
||||||
|
usage may no longer match the configured MaxMemInQueues value. The
|
||||||
|
real limit is now exposed via GETINFO limits/max-mem-in-queues.
|
||||||
|
- Add a new "HS_DESC" controller event that reports activities
|
||||||
|
related to hidden service descriptors. Resolves ticket 8510.
|
||||||
|
- New "DROPGUARDS" controller command to forget all current entry
|
||||||
|
guards. Not recommended for ordinary use, since replacing guards
|
||||||
|
too frequently makes several attacks easier. Resolves ticket 9934;
|
||||||
|
patch from "ra".
|
||||||
|
- Implement the TRANSPORT_LAUNCHED control port event that
|
||||||
|
notifies controllers about new launched pluggable
|
||||||
|
transports. Resolves ticket 5609.
|
||||||
|
|
||||||
|
o Minor features (diagnostic):
|
||||||
|
- When logging a warning because of bug 7164, additionally check the
|
||||||
|
hash table for consistency (as proposed on ticket 11737). This may
|
||||||
|
help diagnose bug 7164.
|
||||||
|
- When we log a heartbeat, log how many one-hop circuits we have
|
||||||
|
that are at least 30 minutes old, and log status information about
|
||||||
|
a few of them. This is an attempt to track down bug 8387.
|
||||||
|
- When encountering an unexpected CR while writing text to a file on
|
||||||
|
Windows, log the name of the file. Should help diagnosing
|
||||||
|
bug 11233.
|
||||||
|
- Give more specific warnings when a client notices that an onion
|
||||||
|
handshake has failed. Fixes ticket 9635.
|
||||||
|
- Add significant new logging code to attempt to diagnose bug 12184,
|
||||||
|
where relays seem to run out of available circuit IDs.
|
||||||
|
- Improve the diagnostic log message for bug 8387 even further to
|
||||||
|
try to improve our odds of figuring out why one-hop directory
|
||||||
|
circuits sometimes do not get closed.
|
||||||
|
- Add more log messages to diagnose bug 7164, which causes
|
||||||
|
intermittent "microdesc_free() called but md was still referenced"
|
||||||
|
warnings. We now include more information, to figure out why we
|
||||||
|
might be cleaning a microdescriptor for being too old if it's
|
||||||
|
still referenced by a live node_t object.
|
||||||
|
- Log current accounting state (bytes sent and received + remaining
|
||||||
|
time for the current accounting period) in the relay's heartbeat
|
||||||
|
message. Implements ticket 5526; patch from Peter Retzlaff.
|
||||||
|
|
||||||
|
o Minor features (geoip):
|
||||||
|
- Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2
|
||||||
|
Country database.
|
||||||
|
|
||||||
|
o Minor features (interface):
|
||||||
|
- Generate a warning if any ports are listed in the SocksPolicy,
|
||||||
|
DirPolicy, AuthDirReject, AuthDirInvalid, AuthDirBadDir, or
|
||||||
|
AuthDirBadExit options. (These options only support address
|
||||||
|
ranges.) Fixes part of ticket 11108.
|
||||||
|
|
||||||
|
o Minor features (kernel API usage):
|
||||||
|
- Use the SOCK_NONBLOCK socket type, if supported, to open nonblocking
|
||||||
|
sockets in a single system call. Implements ticket 5129.
|
||||||
|
|
||||||
|
o Minor features (log messages):
|
||||||
|
- When ServerTransportPlugin is set on a bridge, Tor can write more
|
||||||
|
useful statistics about bridge use in its extrainfo descriptors,
|
||||||
|
but only if the Extended ORPort ("ExtORPort") is set too. Add a
|
||||||
|
log message to inform the user in this case. Resolves ticket 9651.
|
||||||
|
- When receiving a new controller connection, log the origin address.
|
||||||
|
Resolves ticket 9698; patch from "sigpipe".
|
||||||
|
- When logging OpenSSL engine status at startup, log the status of
|
||||||
|
more engines. Fixes ticket 10043; patch from Joshua Datko.
|
||||||
|
|
||||||
|
o Minor features (log verbosity):
|
||||||
|
- Demote the message that we give when a flushing connection times
|
||||||
|
out for too long from NOTICE to INFO. It was usually meaningless.
|
||||||
|
Resolves ticket 5286.
|
||||||
|
- Don't log so many notice-level bootstrapping messages at startup
|
||||||
|
about downloading descriptors. Previously, we'd log a notice
|
||||||
|
whenever we learned about more routers. Now, we only log a notice
|
||||||
|
at every 5% of progress. Fixes bug 9963.
|
||||||
|
- Warn less verbosely when receiving a malformed
|
||||||
|
ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279.
|
||||||
|
|
||||||
|
o Minor features (performance):
|
||||||
|
- If we're using the pure-C 32-bit curve25519_donna implementation
|
||||||
|
of curve25519, build it with the -fomit-frame-pointer option to
|
||||||
|
make it go faster on register-starved hosts. This improves our
|
||||||
|
handshake performance by about 6% on i386 hosts without nacl.
|
||||||
|
Closes ticket 8109.
|
||||||
|
|
||||||
|
o Minor features (relay):
|
||||||
|
- If a circuit timed out for at least 3 minutes, check if we have a
|
||||||
|
new external IP address, and publish a new descriptor with the new
|
||||||
|
IP address if it changed. Resolves ticket 2454.
|
||||||
|
|
||||||
|
o Minor features (testing):
|
||||||
|
- If Python is installed, "make check" now runs extra tests beyond
|
||||||
|
the unit test scripts.
|
||||||
|
- When bootstrapping a test network, sometimes very few relays get
|
||||||
|
the Guard flag. Now a new option "TestingDirAuthVoteGuard" can
|
||||||
|
specify a set of relays which should be voted Guard regardless of
|
||||||
|
their uptime or bandwidth. Addresses ticket 9206.
|
||||||
|
|
||||||
|
o Minor features (transparent proxy, *BSD):
|
||||||
|
- Support FreeBSD's ipfw firewall interface for TransPort ports on
|
||||||
|
FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket
|
||||||
|
10267; patch from "yurivict".
|
||||||
|
- Support OpenBSD's divert-to rules with the pf firewall for
|
||||||
|
transparent proxy ports. To enable it, set "TransProxyType
|
||||||
|
pf-divert". This allows Tor to run a TransPort transparent proxy
|
||||||
|
port on OpenBSD 4.4 or later without root privileges. See the
|
||||||
|
pf.conf(5) manual page for information on configuring pf to use
|
||||||
|
divert-to rules. Closes ticket 10896; patch from Dana Koch.
|
||||||
|
|
||||||
|
o Minor bugfixes (bridge client):
|
||||||
|
- Stop accepting bridge lines containing hostnames. Doing so would
|
||||||
|
cause clients to perform DNS requests on the hostnames, which was
|
||||||
|
not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (bridges):
|
||||||
|
- Avoid potential crashes or bad behavior when launching a
|
||||||
|
server-side managed proxy with ORPort or ExtORPort temporarily
|
||||||
|
disabled. Fixes bug 9650; bugfix on 0.2.3.16-alpha.
|
||||||
|
- Fix a bug where the first connection works to a bridge that uses a
|
||||||
|
pluggable transport with client-side parameters, but we don't send
|
||||||
|
the client-side parameters on subsequent connections. (We don't
|
||||||
|
use any pluggable transports with client-side parameters yet,
|
||||||
|
but ScrambleSuit will soon become the first one.) Fixes bug 9162;
|
||||||
|
bugfix on 0.2.0.3-alpha. Based on a patch from "rl1987".
|
||||||
|
|
||||||
|
o Minor bugfixes (build, auxiliary programs):
|
||||||
|
- Stop preprocessing the "torify" script with autoconf, since
|
||||||
|
it no longer refers to LOCALSTATEDIR. Fixes bug 5505; patch
|
||||||
|
from Guilhem.
|
||||||
|
- The tor-fw-helper program now follows the standard convention and
|
||||||
|
exits with status code "0" on success. Fixes bug 9030; bugfix on
|
||||||
|
0.2.3.1-alpha. Patch by Arlo Breault.
|
||||||
|
- Corrected ./configure advice for what openssl dev package you should
|
||||||
|
install on Debian. Fixes bug 9207; bugfix on 0.2.0.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (client):
|
||||||
|
- Avoid "Tried to open a socket with DisableNetwork set" warnings
|
||||||
|
when starting a client with bridges configured and DisableNetwork
|
||||||
|
set. (Tor launcher starts Tor with DisableNetwork set the first
|
||||||
|
time it runs.) Fixes bug 10405; bugfix on 0.2.3.9-alpha.
|
||||||
|
- Improve the log message when we can't connect to a hidden service
|
||||||
|
because all of the hidden service directory nodes hosting its
|
||||||
|
descriptor are excluded. Improves on our fix for bug 10722, which
|
||||||
|
was a bugfix on 0.2.0.10-alpha.
|
||||||
|
- Raise a control port warning when we fail to connect to all of
|
||||||
|
our bridges. Previously, we didn't inform the controller, and
|
||||||
|
the bootstrap process would stall. Fixes bug 11069; bugfix on
|
||||||
|
0.2.1.2-alpha.
|
||||||
|
- Exit immediately when a process-owning controller exits.
|
||||||
|
Previously, tor relays would wait for a little while after their
|
||||||
|
controller exited, as if they had gotten an INT signal -- but this
|
||||||
|
was problematic, since there was no feedback for the user. To do a
|
||||||
|
clean shutdown, controllers should send an INT signal and give Tor
|
||||||
|
a chance to clean up. Fixes bug 10449; bugfix on 0.2.2.28-beta.
|
||||||
|
- Stop attempting to connect to bridges before our pluggable
|
||||||
|
transports are configured (harmless but resulted in some erroneous
|
||||||
|
log messages). Fixes bug 11156; bugfix on 0.2.3.2-alpha.
|
||||||
|
- Fix connections to IPv6 addresses over SOCKS5. Previously, we were
|
||||||
|
generating incorrect SOCKS5 responses, and confusing client
|
||||||
|
applications. Fixes bug 10987; bugfix on 0.2.4.7-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (client, DNSPort):
|
||||||
|
- When using DNSPort, try to respond to AAAA requests with AAAA
|
||||||
|
answers. Previously, we hadn't looked at the request type when
|
||||||
|
deciding which answer type to prefer. Fixes bug 10468; bugfix on
|
||||||
|
0.2.4.7-alpha.
|
||||||
|
- When receiving a DNS query for an unsupported record type, reply
|
||||||
|
with no answer rather than with a NOTIMPL error. This behavior
|
||||||
|
isn't correct either, but it will break fewer client programs, we
|
||||||
|
hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch
|
||||||
|
from "epoch".
|
||||||
|
|
||||||
|
o Minor bugfixes (client, logging during bootstrap):
|
||||||
|
- Only report the first fatal bootstrap error on a given OR
|
||||||
|
connection. This stops us from telling the controller bogus error
|
||||||
|
messages like "DONE". Fixes bug 10431; bugfix on 0.2.1.1-alpha.
|
||||||
|
- Avoid generating spurious warnings when starting with
|
||||||
|
DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on
|
||||||
|
0.2.3.9-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (closing OR connections):
|
||||||
|
- If write_to_buf() in connection_write_to_buf_impl_() ever fails,
|
||||||
|
check if it's an or_connection_t and correctly call
|
||||||
|
connection_or_close_for_error() rather than
|
||||||
|
connection_mark_for_close() directly. Fixes bug 11304; bugfix on
|
||||||
|
0.2.4.4-alpha.
|
||||||
|
- When closing all connections on setting DisableNetwork to 1, use
|
||||||
|
connection_or_close_normally() rather than closing OR connections
|
||||||
|
out from under the channel layer. Fixes bug 11306; bugfix on
|
||||||
|
0.2.4.4-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (code correctness):
|
||||||
|
- Previously we used two temporary files when writing descriptors to
|
||||||
|
disk; now we only use one. Fixes bug 1376.
|
||||||
|
- Remove an erroneous (but impossible and thus harmless) pointer
|
||||||
|
comparison that would have allowed compilers to skip a bounds
|
||||||
|
check in channeltls.c. Fixes bugs 10313 and 9980; bugfix on
|
||||||
|
0.2.0.10-alpha. Noticed by Jared L Wong and David Fifield.
|
||||||
|
- Fix an always-true assertion in pluggable transports code so it
|
||||||
|
actually checks what it was trying to check. Fixes bug 10046;
|
||||||
|
bugfix on 0.2.3.9-alpha. Found by "dcb".
|
||||||
|
|
||||||
|
o Minor bugfixes (command line):
|
||||||
|
- Use a single command-line parser for parsing torrc options on the
|
||||||
|
command line and for finding special command-line options to avoid
|
||||||
|
inconsistent behavior for torrc option arguments that have the same
|
||||||
|
names as command-line options. Fixes bugs 4647 and 9578; bugfix on
|
||||||
|
0.0.9pre5.
|
||||||
|
- No longer allow 'tor --hash-password' with no arguments. Fixes bug
|
||||||
|
9573; bugfix on 0.0.9pre5.
|
||||||
|
|
||||||
|
o Minor bugfixes (compilation):
|
||||||
|
- Compile correctly with builds and forks of OpenSSL (such as
|
||||||
|
LibreSSL) that disable compression. Fixes bug 12602; bugfix on
|
||||||
|
0.2.1.1-alpha. Patch from "dhill".
|
||||||
|
- Restore the ability to compile Tor with V2_HANDSHAKE_SERVER
|
||||||
|
turned off (that is, without support for v2 link handshakes). Fixes
|
||||||
|
bug 4677; bugfix on 0.2.3.2-alpha. Patch from "piet".
|
||||||
|
- In routerlist_assert_ok(), don't take the address of a
|
||||||
|
routerinfo's cache_info member unless that routerinfo is non-NULL.
|
||||||
|
Fixes bug 13096; bugfix on 0.1.1.9-alpha. Patch by "teor".
|
||||||
|
- Fix a large number of false positive warnings from the clang
|
||||||
|
analyzer static analysis tool. This should make real warnings
|
||||||
|
easier for clang analyzer to find. Patch from "teor". Closes
|
||||||
|
ticket 13036.
|
||||||
|
- Resolve GCC complaints on OpenBSD about discarding constness in
|
||||||
|
TO_{ORIGIN,OR}_CIRCUIT functions. Fixes part of bug 11633; bugfix
|
||||||
|
on 0.1.1.23. Patch from Dana Koch.
|
||||||
|
- Resolve clang complaints on OpenBSD with -Wshorten-64-to-32 due to
|
||||||
|
treatment of long and time_t as comparable types. Fixes part of
|
||||||
|
bug 11633. Patch from Dana Koch.
|
||||||
|
- When deciding whether to build the 64-bit curve25519
|
||||||
|
implementation, detect platforms where we can compile 128-bit
|
||||||
|
arithmetic but cannot link it. Fixes bug 11729; bugfix on
|
||||||
|
0.2.4.8-alpha. Patch from "conradev".
|
||||||
|
- Fix compilation when DNS_CACHE_DEBUG is enabled. Fixes bug 11761;
|
||||||
|
bugfix on 0.2.3.13-alpha. Found by "cypherpunks".
|
||||||
|
- Fix compilation with dmalloc. Fixes bug 11605; bugfix
|
||||||
|
on 0.2.4.10-alpha.
|
||||||
|
- Build and run correctly on systems like OpenBSD-current that have
|
||||||
|
patched OpenSSL to remove get_cipher_by_char and/or its
|
||||||
|
implementations. Fixes issue 13325.
|
||||||
|
|
||||||
|
o Minor bugfixes (controller and command-line):
|
||||||
|
- If changing a config option via "setconf" fails in a recoverable
|
||||||
|
way, we used to nonetheless write our new control ports to the
|
||||||
|
file described by the "ControlPortWriteToFile" option. Now we only
|
||||||
|
write out that file if we successfully switch to the new config
|
||||||
|
option. Fixes bug 5605; bugfix on 0.2.2.26-beta. Patch from "Ryman".
|
||||||
|
|
||||||
|
o Minor bugfixes (directory server):
|
||||||
|
- No longer accept malformed http headers when parsing urls from
|
||||||
|
headers. Now we reply with Bad Request ("400"). Fixes bug 2767;
|
||||||
|
bugfix on 0.0.6pre1.
|
||||||
|
- When sending a compressed set of descriptors or microdescriptors,
|
||||||
|
make sure to finalize the zlib stream. Previously, we would write
|
||||||
|
all the compressed data, but if the last descriptor we wanted to
|
||||||
|
send was missing or too old, we would not mark the stream as
|
||||||
|
finished. This caused problems for decompression tools. Fixes bug
|
||||||
|
11648; bugfix on 0.1.1.23.
|
||||||
|
|
||||||
|
o Minor bugfixes (hidden service):
|
||||||
|
- Only retry attempts to connect to a chosen rendezvous point 8
|
||||||
|
times, not 30. Fixes bug 4241; bugfix on 0.1.0.1-rc.
|
||||||
|
|
||||||
|
o Minor bugfixes (interface):
|
||||||
|
- Reject relative control socket paths and emit a warning. Previously,
|
||||||
|
single-component control socket paths would be rejected, but Tor
|
||||||
|
would not log why it could not validate the config. Fixes bug 9258;
|
||||||
|
bugfix on 0.2.3.16-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (log messages):
|
||||||
|
- Fix a bug where clients using bridges would report themselves
|
||||||
|
as 50% bootstrapped even without a live consensus document.
|
||||||
|
Fixes bug 9922; bugfix on 0.2.1.1-alpha.
|
||||||
|
- Suppress a warning where, if there's only one directory authority
|
||||||
|
in the network, we would complain that votes and signatures cannot
|
||||||
|
be uploaded to other directory authorities. Fixes bug 10842;
|
||||||
|
bugfix on 0.2.2.26-beta.
|
||||||
|
- Report bootstrapping progress correctly when we're downloading
|
||||||
|
microdescriptors. We had updated our "do we have enough microdescs
|
||||||
|
to begin building circuits?" logic most recently in 0.2.4.10-alpha
|
||||||
|
(see bug 5956), but we left the bootstrap status event logic at
|
||||||
|
"how far through getting 1/4 of them are we?" Fixes bug 9958;
|
||||||
|
bugfix on 0.2.2.36, which is where they diverged (see bug 5343).
|
||||||
|
|
||||||
|
o Minor bugfixes (logging):
|
||||||
|
- Downgrade "Unexpected onionskin length after decryption" warning
|
||||||
|
to a protocol-warn, since there's nothing relay operators can do
|
||||||
|
about a client that sends them a malformed create cell. Resolves
|
||||||
|
bug 12996; bugfix on 0.0.6rc1.
|
||||||
|
- Log more specific warnings when we get an ESTABLISH_RENDEZVOUS
|
||||||
|
cell on a cannibalized or non-OR circuit. Resolves ticket 12997.
|
||||||
|
- When logging information about an EXTEND2 or EXTENDED2 cell, log
|
||||||
|
their names correctly. Fixes part of bug 12700; bugfix
|
||||||
|
on 0.2.4.8-alpha.
|
||||||
|
- When logging information about a relay cell whose command we don't
|
||||||
|
recognize, log its command as an integer. Fixes part of bug 12700;
|
||||||
|
bugfix on 0.2.1.10-alpha.
|
||||||
|
- Escape all strings from the directory connection before logging
|
||||||
|
them. Fixes bug 13071; bugfix on 0.1.1.15. Patch from "teor".
|
||||||
|
- Squelch a spurious LD_BUG message "No origin circuit for
|
||||||
|
successful SOCKS stream" in certain hidden service failure cases;
|
||||||
|
fixes bug 10616.
|
||||||
|
- Downgrade the severity of the 'unexpected sendme cell from client'
|
||||||
|
from 'warn' to 'protocol warning'. Closes ticket 8093.
|
||||||
|
|
||||||
|
o Minor bugfixes (misc code correctness):
|
||||||
|
- In munge_extrainfo_into_routerinfo(), check the return value of
|
||||||
|
memchr(). This would have been a serious issue if we ever passed
|
||||||
|
it a non-extrainfo. Fixes bug 8791; bugfix on 0.2.0.6-alpha. Patch
|
||||||
|
from Arlo Breault.
|
||||||
|
- On the chance that somebody manages to build Tor on a
|
||||||
|
platform where time_t is unsigned, correct the way that
|
||||||
|
microdesc_add_to_cache() handles negative time arguments.
|
||||||
|
Fixes bug 8042; bugfix on 0.2.3.1-alpha.
|
||||||
|
- Fix various instances of undefined behavior in channeltls.c,
|
||||||
|
tor_memmem(), and eventdns.c that would cause us to construct
|
||||||
|
pointers to memory outside an allocated object. (These invalid
|
||||||
|
pointers were not accessed, but C does not even allow them to
|
||||||
|
exist.) Fixes bug 10363; bugfixes on 0.1.1.1-alpha, 0.1.2.1-alpha,
|
||||||
|
0.2.0.10-alpha, and 0.2.3.6-alpha. Reported by "bobnomnom".
|
||||||
|
- Use the AddressSanitizer and Ubsan sanitizers (in clang-3.4) to
|
||||||
|
fix some miscellaneous errors in our tests and codebase. Fixes bug
|
||||||
|
11232. Bugfixes on versions back as far as 0.2.1.11-alpha.
|
||||||
|
- Always check return values for unlink, munmap, UnmapViewOfFile;
|
||||||
|
check strftime return values more often. In some cases all we can
|
||||||
|
do is report a warning, but this may help prevent deeper bugs from
|
||||||
|
going unnoticed. Closes ticket 8787; bugfixes on many, many tor
|
||||||
|
versions.
|
||||||
|
- Fix numerous warnings from the clang "scan-build" static analyzer.
|
||||||
|
Some of these are programming style issues; some of them are false
|
||||||
|
positives that indicated awkward code; some are undefined behavior
|
||||||
|
cases related to constructing (but not using) invalid pointers;
|
||||||
|
some are assumptions about API behavior; some are (harmlessly)
|
||||||
|
logging sizeof(ptr) bytes from a token when sizeof(*ptr) would be
|
||||||
|
correct; and one or two are genuine bugs that weren't reachable
|
||||||
|
from the rest of the program. Fixes bug 8793; bugfixes on many,
|
||||||
|
many tor versions.
|
||||||
|
|
||||||
|
o Minor bugfixes (node selection):
|
||||||
|
- If ExcludeNodes is set, consider non-excluded hidden service
|
||||||
|
directory servers before excluded ones. Do not consider excluded
|
||||||
|
hidden service directory servers at all if StrictNodes is
|
||||||
|
set. (Previously, we would sometimes decide to connect to those
|
||||||
|
servers, and then realize before we initiated a connection that
|
||||||
|
we had excluded them.) Fixes bug 10722; bugfix on 0.2.0.10-alpha.
|
||||||
|
Reported by "mr-4".
|
||||||
|
- If we set the ExitNodes option but it doesn't include any nodes
|
||||||
|
that have the Exit flag, we would choose not to bootstrap. Now we
|
||||||
|
bootstrap so long as ExitNodes includes nodes which can exit to
|
||||||
|
some port. Fixes bug 10543; bugfix on 0.2.4.10-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (performance):
|
||||||
|
- Avoid a bug where every successful connection made us recompute
|
||||||
|
the flag telling us whether we have sufficient information to
|
||||||
|
build circuits. Previously, we would forget our cached value
|
||||||
|
whenever we successfully opened a channel (or marked a router as
|
||||||
|
running or not running for any other reason), regardless of
|
||||||
|
whether we had previously believed the router to be running. This
|
||||||
|
forced us to run an expensive update operation far too often.
|
||||||
|
Fixes bug 12170; bugfix on 0.1.2.1-alpha.
|
||||||
|
- Avoid using tor_memeq() for checking relay cell integrity. This
|
||||||
|
removes a possible performance bottleneck. Fixes part of bug
|
||||||
|
12169; bugfix on 0.2.1.31.
|
||||||
|
|
||||||
|
o Minor bugfixes (platform-specific):
|
||||||
|
- When dumping a malformed directory object to disk, save it in
|
||||||
|
binary mode on Windows, not text mode. Fixes bug 11342; bugfix on
|
||||||
|
0.2.2.1-alpha.
|
||||||
|
- Don't report failures from make_socket_reuseable() on incoming
|
||||||
|
sockets on OSX: this can happen when incoming connections close
|
||||||
|
early. Fixes bug 10081.
|
||||||
|
|
||||||
|
o Minor bugfixes (pluggable transports):
|
||||||
|
- Avoid another 60-second delay when starting Tor in a pluggable-
|
||||||
|
transport-using configuration when we already have cached
|
||||||
|
descriptors for our bridges. Fixes bug 11965; bugfix
|
||||||
|
on 0.2.3.6-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (protocol correctness):
|
||||||
|
- When receiving a VERSIONS cell with an odd number of bytes, close
|
||||||
|
the connection immediately since the cell is malformed. Fixes bug
|
||||||
|
10365; bugfix on 0.2.0.10-alpha. Spotted by "bobnomnom"; fix by
|
||||||
|
"rl1987".
|
||||||
|
|
||||||
|
o Minor bugfixes (relay, other):
|
||||||
|
- We now drop CREATE cells for already-existent circuit IDs and for
|
||||||
|
zero-valued circuit IDs, regardless of other factors that might
|
||||||
|
otherwise have called for DESTROY cells. Fixes bug 12191; bugfix
|
||||||
|
on 0.0.8pre1.
|
||||||
|
- When rejecting DATA cells for stream_id zero, still count them
|
||||||
|
against the circuit's deliver window so that we don't fail to send
|
||||||
|
a SENDME. Fixes bug 11246; bugfix on 0.2.4.10-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (relay, threading):
|
||||||
|
- Check return code on spawn_func() in cpuworker code, so that we
|
||||||
|
don't think we've spawned a nonworking cpuworker and write junk to
|
||||||
|
it forever. Fix related to bug 4345; bugfix on all released Tor
|
||||||
|
versions. Found by "skruffy".
|
||||||
|
- Use a pthread_attr to make sure that spawn_func() cannot return an
|
||||||
|
error while at the same time launching a thread. Fix related to
|
||||||
|
bug 4345; bugfix on all released Tor versions. Reported
|
||||||
|
by "cypherpunks".
|
||||||
|
|
||||||
|
o Minor bugfixes (relays and bridges):
|
||||||
|
- Avoid crashing on a malformed resolv.conf file when running a
|
||||||
|
relay using Libevent 1. Fixes bug 8788; bugfix on 0.1.1.23.
|
||||||
|
- Non-exit relays no longer launch mock DNS requests to check for
|
||||||
|
DNS hijacking. This has been unnecessary since 0.2.1.7-alpha, when
|
||||||
|
non-exit relays stopped servicing DNS requests. Fixes bug 965;
|
||||||
|
bugfix on 0.2.1.7-alpha. Patch from Matt Pagan.
|
||||||
|
- Bridges now report complete directory request statistics. Related
|
||||||
|
to bug 5824; bugfix on 0.2.2.1-alpha.
|
||||||
|
- Bridges now never collect statistics that were designed for
|
||||||
|
relays. Fixes bug 5824; bugfix on 0.2.3.8-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (testing):
|
||||||
|
- Fix all valgrind warnings produced by the unit tests. There were
|
||||||
|
over a thousand memory leak warnings previously, mostly produced
|
||||||
|
by forgetting to free things in the unit test code. Fixes bug
|
||||||
|
11618, bugfixes on many versions of Tor.
|
||||||
|
|
||||||
|
o Minor bugfixes (tor-fw-helper):
|
||||||
|
- Give a correct log message when tor-fw-helper fails to launch.
|
||||||
|
(Previously, we would say something like "tor-fw-helper sent us a
|
||||||
|
string we could not parse".) Fixes bug 9781; bugfix
|
||||||
|
on 0.2.4.2-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (trivial memory leaks):
|
||||||
|
- Fix a small memory leak when signing a directory object. Fixes bug
|
||||||
|
11275; bugfix on 0.2.4.13-alpha.
|
||||||
|
- Resolve some memory leaks found by coverity in the unit tests, on
|
||||||
|
exit in tor-gencert, and on a failure to compute digests for our
|
||||||
|
own keys when generating a v3 networkstatus vote. These leaks
|
||||||
|
should never have affected anyone in practice.
|
||||||
|
|
||||||
|
o Code simplification and refactoring:
|
||||||
|
- Remove some old fallback code designed to keep Tor clients working
|
||||||
|
in a network with only two working relays. Elsewhere in the code we
|
||||||
|
have long since stopped supporting such networks, so there wasn't
|
||||||
|
much point in keeping it around. Addresses ticket 9926.
|
||||||
|
- Reject 0-length EXTEND2 cells more explicitly. Fixes bug 10536;
|
||||||
|
bugfix on 0.2.4.8-alpha. Reported by "cypherpunks".
|
||||||
|
- Extract the common duplicated code for creating a subdirectory
|
||||||
|
of the data directory and writing to a file in it. Fixes ticket
|
||||||
|
4282; patch from Peter Retzlaff.
|
||||||
|
- Since OpenSSL 0.9.7, the i2d_*() functions support allocating output
|
||||||
|
buffer. Avoid calling twice: i2d_RSAPublicKey(), i2d_DHparams(),
|
||||||
|
i2d_X509(), and i2d_PublicKey(). Resolves ticket 5170.
|
||||||
|
- Add a set of accessor functions for the circuit timeout data
|
||||||
|
structure. Fixes ticket 6153; patch from "piet".
|
||||||
|
- Clean up exit paths from connection_listener_new(). Closes ticket
|
||||||
|
8789. Patch from Arlo Breault.
|
||||||
|
- Since we rely on OpenSSL 0.9.8 now, we can use EVP_PKEY_cmp()
|
||||||
|
and drop our own custom pkey_eq() implementation. Fixes bug 9043.
|
||||||
|
- Use a doubly-linked list to implement the global circuit list.
|
||||||
|
Resolves ticket 9108. Patch from Marek Majkowski.
|
||||||
|
- Remove contrib/id_to_fp.c since it wasn't used anywhere.
|
||||||
|
- Remove constants and tests for PKCS1 padding; it's insecure and
|
||||||
|
shouldn't be used for anything new. Fixes bug 8792; patch
|
||||||
|
from Arlo Breault.
|
||||||
|
- Remove instances of strcpy() from the unit tests. They weren't
|
||||||
|
hurting anything, since they were only in the unit tests, but it's
|
||||||
|
embarassing to have strcpy() in the code at all, and some analysis
|
||||||
|
tools don't like it. Fixes bug 8790; bugfix on 0.2.3.6-alpha and
|
||||||
|
0.2.3.8-alpha. Patch from Arlo Breault.
|
||||||
|
- Remove is_internal_IP() function. Resolves ticket 4645.
|
||||||
|
- Remove unused function circuit_dump_by_chan from circuitlist.c.
|
||||||
|
Closes issue 9107; patch from "marek".
|
||||||
|
- Change our use of the ENUM_BF macro to avoid declarations that
|
||||||
|
confuse Doxygen.
|
||||||
|
- Get rid of router->address, since in all cases it was just the
|
||||||
|
string representation of router->addr. Resolves ticket 5528.
|
||||||
|
|
||||||
|
o Documentation:
|
||||||
|
- Adjust the URLs in the README to refer to the new locations of
|
||||||
|
several documents on the website. Fixes bug 12830. Patch from
|
||||||
|
Matt Pagan.
|
||||||
|
- Document 'reject6' and 'accept6' ExitPolicy entries. Resolves
|
||||||
|
ticket 12878.
|
||||||
|
- Update manpage to describe some of the files you can expect to
|
||||||
|
find in Tor's DataDirectory. Addresses ticket 9839.
|
||||||
|
- Clean up several option names in the manpage to match their real
|
||||||
|
names, add the missing documentation for a couple of testing and
|
||||||
|
directory authority options, remove the documentation for a
|
||||||
|
V2-directory fetching option that no longer exists. Resolves
|
||||||
|
ticket 11634.
|
||||||
|
- Correct the documenation so that it lists the correct directory
|
||||||
|
for the stats files. (They are in a subdirectory called "stats",
|
||||||
|
not "status".)
|
||||||
|
- In the manpage, move more authority-only options into the
|
||||||
|
directory authority section so that operators of regular directory
|
||||||
|
caches don't get confused.
|
||||||
|
- Fix the layout of the SOCKSPort flags in the manpage. Fixes bug
|
||||||
|
11061; bugfix on 0.2.4.7-alpha.
|
||||||
|
- Resolve warnings from Doxygen.
|
||||||
|
- Document in the manpage that "KBytes" may also be written as
|
||||||
|
"kilobytes" or "KB", that "Kbits" may also be written as
|
||||||
|
"kilobits", and so forth. Closes ticket 9222.
|
||||||
|
- Document that the ClientOnly config option overrides ORPort.
|
||||||
|
Our old explanation made ClientOnly sound as though it did
|
||||||
|
nothing at all. Resolves bug 9059.
|
||||||
|
- Explain that SocksPolicy, DirPolicy, and similar options don't
|
||||||
|
take port arguments. Fixes the other part of ticket 11108.
|
||||||
|
- Fix a comment about the rend_server_descriptor_t.protocols field
|
||||||
|
to more accurately describe its range. Also, make that field
|
||||||
|
unsigned, to more accurately reflect its usage. Fixes bug 9099;
|
||||||
|
bugfix on 0.2.1.5-alpha.
|
||||||
|
- Fix the manpage's description of HiddenServiceAuthorizeClient:
|
||||||
|
the maximum client name length is 16, not 19. Fixes bug 11118;
|
||||||
|
bugfix on 0.2.1.6-alpha.
|
||||||
|
|
||||||
|
o Package cleanup:
|
||||||
|
- The contrib directory has been sorted and tidied. Before, it was
|
||||||
|
an unsorted dumping ground for useful and not-so-useful things.
|
||||||
|
Now, it is divided based on functionality, and the items which
|
||||||
|
seemed to be nonfunctional or useless have been removed. Resolves
|
||||||
|
ticket 8966; based on patches from "rl1987".
|
||||||
|
|
||||||
|
o Removed code and features:
|
||||||
|
- Clients now reject any directory authority certificates lacking
|
||||||
|
a dir-key-crosscert element. These have been included since
|
||||||
|
0.2.1.9-alpha, so there's no real reason for them to be optional
|
||||||
|
any longer. Completes proposal 157. Resolves ticket 10162.
|
||||||
|
- Remove all code that existed to support the v2 directory system,
|
||||||
|
since there are no longer any v2 directory authorities. Resolves
|
||||||
|
ticket 10758.
|
||||||
|
- Remove the HSAuthoritativeDir and AlternateHSAuthority torrc
|
||||||
|
options, which were used for designating authorities as "Hidden
|
||||||
|
service authorities". There has been no use of hidden service
|
||||||
|
authorities since 0.2.2.1-alpha, when we stopped uploading or
|
||||||
|
downloading v0 hidden service descriptors. Fixes bug 10881; also
|
||||||
|
part of a fix for bug 10841.
|
||||||
|
- Remove /tor/dbg-stability.txt URL that was meant to help debug WFU
|
||||||
|
and MTBF calculations, but that nobody was using. Fixes bug 11742.
|
||||||
|
- The TunnelDirConns and PreferTunnelledDirConns options no longer
|
||||||
|
exist; tunneled directory connections have been available since
|
||||||
|
0.1.2.5-alpha, and turning them off is not a good idea. This is a
|
||||||
|
brute-force fix for 10849, where "TunnelDirConns 0" would break
|
||||||
|
hidden services.
|
||||||
|
- Remove all code for the long unused v1 directory protocol.
|
||||||
|
Resolves ticket 11070.
|
||||||
|
- Remove all remaining code related to version-0 hidden service
|
||||||
|
descriptors: they have not been in use since 0.2.2.1-alpha. Fixes
|
||||||
|
the rest of bug 10841.
|
||||||
|
- Remove migration code from when we renamed the "cached-routers"
|
||||||
|
file to "cached-descriptors" back in 0.2.0.8-alpha. This
|
||||||
|
incidentally resolves ticket 6502 by cleaning up the related code
|
||||||
|
a bit. Patch from Akshay Hebbar.
|
||||||
|
|
||||||
|
o Test infrastructure:
|
||||||
|
- Tor now builds each source file in two modes: a mode that avoids
|
||||||
|
exposing identifiers needlessly, and another mode that exposes
|
||||||
|
more identifiers for testing. This lets the compiler do better at
|
||||||
|
optimizing the production code, while enabling us to take more
|
||||||
|
radical measures to let the unit tests test things.
|
||||||
|
- The production builds no longer include functions used only in
|
||||||
|
the unit tests; all functions exposed from a module only for
|
||||||
|
unit-testing are now static in production builds.
|
||||||
|
- Add an --enable-coverage configuration option to make the unit
|
||||||
|
tests (and a new src/or/tor-cov target) to build with gcov test
|
||||||
|
coverage support.
|
||||||
|
- Update to the latest version of tinytest.
|
||||||
|
- Improve the tinytest implementation of string operation tests so
|
||||||
|
that comparisons with NULL strings no longer crash the tests; they
|
||||||
|
now just fail, normally. Fixes bug 9004; bugfix on 0.2.2.4-alpha.
|
||||||
|
- New macros in test.h to simplify writing mock-functions for unit
|
||||||
|
tests. Part of ticket 11507. Patch from Dana Koch.
|
||||||
|
- We now have rudimentary function mocking support that our unit
|
||||||
|
tests can use to test functions in isolation. Function mocking
|
||||||
|
lets the tests temporarily replace a function's dependencies with
|
||||||
|
stub functions, so that the tests can check the function without
|
||||||
|
invoking the other functions it calls.
|
||||||
|
|
||||||
|
o Testing:
|
||||||
|
- Complete tests for the status.c module. Resolves ticket 11507.
|
||||||
|
Patch from Dana Koch.
|
||||||
|
- Add more unit tests for the <circid,channel>->circuit map, and
|
||||||
|
the destroy-cell-tracking code to fix bug 7912.
|
||||||
|
- Unit tests for failing cases of the TAP onion handshake.
|
||||||
|
- More unit tests for address-manipulation functions.
|
||||||
|
|
||||||
|
o Distribution (systemd):
|
||||||
|
- Include a tor.service file in contrib/dist for use with systemd.
|
||||||
|
Some distributions will be able to use this file unmodified;
|
||||||
|
others will need to tweak it, or write their own. Patch from Jamie
|
||||||
|
Nguyen; resolves ticket 8368.
|
||||||
|
- Verify configuration file via ExecStartPre in the systemd unit
|
||||||
|
file. Patch from intrigeri; resolves ticket 12730.
|
||||||
|
- Explicitly disable RunAsDaemon in the systemd unit file. Our
|
||||||
|
current systemd unit uses "Type = simple", so systemd does not
|
||||||
|
expect tor to fork. If the user has "RunAsDaemon 1" in their
|
||||||
|
torrc, then things won't work as expected. This is e.g. the case
|
||||||
|
on Debian (and derivatives), since there we pass "--defaults-torrc
|
||||||
|
/usr/share/tor/tor-service-defaults-torrc" (that contains
|
||||||
|
"RunAsDaemon 1") by default. Patch by intrigeri; resolves
|
||||||
|
ticket 12731.
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.2.4.25 - 2014-10-20
|
Changes in version 0.2.4.25 - 2014-10-20
|
||||||
Tor 0.2.4.25 disables SSL3 in response to the recent "POODLE" attack
|
Tor 0.2.4.25 disables SSL3 in response to the recent "POODLE" attack
|
||||||
(even though POODLE does not affect Tor). It also works around a crash
|
(even though POODLE does not affect Tor). It also works around a crash
|
||||||
|
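Review bot: two misspellings in the forward-ported text should be corrected before this lands. In the "Code simplification and refactoring" entry about removing strcpy() from the unit tests, "embarassing" should be "embarrassing". In the "Documentation" entry about the stats files directory, "documenation" should be "documentation". In the same pass, the i2d_*() entry reads "support allocating output buffer" and needs an article ("an output buffer"), and the "Minor bugfixes (logging)" entry "Downgrade the severity of the 'unexpected sendme cell from client' from 'warn' to 'protocol warning'" is missing a noun such as "message" after the quoted text. If these entries are copied verbatim from the 0.2.5.x branch, fix them there as well so the two copies of the changelog do not diverge.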