diff --git a/ReleaseNotes b/ReleaseNotes index 131d015ce2..029dd61eb4 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -6,6 +6,24 @@ each development snapshot, see the ChangeLog file. Changes in version 0.2.7.5- 2015-11-?? XXXX WRITE A BLURB XXXX + o New system requirements: + - Tor no longer includes workarounds to support Libevent versions + before 1.3e. Libevent 2.0 or later is recommended. Closes + ticket 15248. + - Tor no longer supports copies of OpenSSL that are missing support + for Elliptic Curve Cryptography. (We began using ECC when + available in 0.2.4.8-alpha, for more safe and efficient key + negotiation.) In particular, support for at least one of P256 or + P224 is now required, with manual configuration needed if only + P224 is available. Resolves ticket 16140. + - Tor no longer supports versions of OpenSSL before 1.0. (If you are + on an operating system that has not upgraded to OpenSSL 1.0 or + later, and you compile Tor from source, you will need to install a + more recent OpenSSL to link Tor against.) These versions of + OpenSSL are still supported by the OpenSSL, but the numerous + cryptographic improvements in later OpenSSL releases makes them a + clear choice. Resolves ticket 16034. + o Major features (controller): - Add the ADD_ONION and DEL_ONION commands that allow the creation and management of hidden services via the controller. Closes 
@@ -36,24 +54,43 @@ Changes in version 0.2.7.5- 2015-11-?? vary freely. Implements part of ticket 12498. - Microdescriptors now include Ed25519 identity keys. Implements part of ticket 12498. + - Add a --newpass option to allow changing or removing the + passphrase of an encrypted key with tor --keygen. Implements part + of ticket 16769. + - Add a new OfflineMasterKey option to tell Tor never to try loading + or generating a secret Ed25519 identity key. You can use this in + combination with tor --keygen to manage offline and/or encrypted + Ed25519 keys. Implements ticket 16944. + - On receiving a HUP signal, check to see whether the Ed25519 + signing key has changed, and reload it if so. Closes ticket 16790. + - Significant usability improvements for Ed25519 key management. Log + messages are better, and the code can recover from far more + failure conditions. Thanks to "s7r" for reporting and diagnosing + so many of these! - o Major features (Ed25519 keys, keypinning): - - The key-pinning option on directory authorities is now advisory- - only by default. In a future version, or when the AuthDirPinKeys - option is set, pins are enforced again. Disabling key-pinning - seemed like a good idea so that we can survive the fallout of any - usability problems associated with Ed25519 keys. Closes - ticket 17135. - - o Major features (Ed25519 performance): + o Major features (ECC performance): - Improve the runtime speed of Ed25519 signature verification by using Ed25519-donna's batch verification support. Implements ticket 16533. - Improve the speed of Ed25519 operations and Curve25519 keypair generation when built targeting 32 bit x86 platforms with SSE2 available. Implements ticket 16535. + - Improve the runtime speed of Ed25519 operations by using the + public-domain Ed25519-donna by Andrew M. ("floodyberry"). + Implements ticket 16467. 
+ - Improve the runtime speed of the ntor handshake by using an + optimized curve25519 basepoint scalarmult implementation from the + public-domain Ed25519-donna by Andrew M. ("floodyberry"), based on + ideas by Adam Langley. Implements ticket 9663. o Major features (Hidden services): + - Hidden services, if using the EntryNodes option, are required to + use more than one EntryNode, in order to avoid a guard discovery + attack. (This would only affect people who had configured hidden + services and manually specified the EntryNodes option with a + single entry-node. The impact was that it would be easy to + remotely identify the guard node used by such a hidden service. + See ticket for more information.) Fixes ticket 14917. - Add the torrc option HiddenServiceNumIntroductionPoints, to specify a fixed number of introduction points. Its maximum value is 10 and default is 3. Using this option can increase a hidden 
@@ -72,44 +109,6 @@ Changes in version 0.2.7.5- 2015-11-?? of this change, microdescriptors will no longer need to include RSA identity keys. Implements proposal 228; closes ticket 12499. - o Major features (performance testing): - - The test-network.sh script now supports performance testing. - Requires corresponding chutney performance testing changes. Patch - by "teor". Closes ticket 14175. - - o Major features (performance): - - Improve the runtime speed of Ed25519 operations by using the - public-domain Ed25519-donna by Andrew M. ("floodyberry"). - Implements ticket 16467. - - Improve the runtime speed of the ntor handshake by using an - optimized curve25519 basepoint scalarmult implementation from the - public-domain Ed25519-donna by Andrew M. ("floodyberry"), based on - ideas by Adam Langley. Implements ticket 9663. - - o Major features (relay, Ed25519): - - Add a --newpass option to allow changing or removing the - passphrase of an encrypted key with tor --keygen. Implements part - of ticket 16769. - - Add a new OfflineMasterKey option to tell Tor never to try loading - or generating a secret Ed25519 identity key. You can use this in - combination with tor --keygen to manage offline and/or encrypted - Ed25519 keys. Implements ticket 16944. - - On receiving a HUP signal, check to see whether the Ed25519 - signing key has changed, and reload it if so. Closes ticket 16790. - - Significant usability improvements for Ed25519 key management. Log - messages are better, and the code can recover from far more - failure conditions. Thanks to "s7r" for reporting and diagnosing - so many of these! - - o Major features (security, hidden services): - - Hidden services, if using the EntryNodes option, are required to - use more than one EntryNode, in order to avoid a guard discovery - attack. (This would only affect people who had configured hidden - services and manually specified the EntryNodes option with a - single entry-node. 
The impact was that it would be easy to - remotely identify the guard node used by such a hidden service. - See ticket for more information.) Fixes ticket 14917. - o Major bugfixes (client-side privacy, also in 0.2.6.9): - Properly separate out each SOCKSPort when applying stream isolation. The error occurred because each port's session group @@ -168,7 +167,7 @@ Changes in version 0.2.7.5- 2015-11-?? service while a NEWNYM is in progress. Fixes bug 16013; bugfix on 0.1.0.1-rc. - o Minor features (client): + o Minor features (client, SOCKS): - Add GroupWritable and WorldWritable options to unix-socket based SocksPort and ControlPort options. These options apply to a single socket, and override {Control,Socks}SocketsGroupWritable. Closes @@ -206,6 +205,9 @@ Changes in version 0.2.7.5- 2015-11-?? o Minor features (compilation): - Give a warning as early as possible when trying to build with an unsupported OpenSSL version. Closes ticket 16901. + - Use C99 variadic macros when the compiler is not GCC. This avoids + failing compilations on MSVC, and fixes a log-file-based race + condition in our old workarounds. Original patch from Gisle Vanem. o Minor features (control protocol): - Support network-liveness GETINFO key and NETWORK_LIVENESS event in 
@@ -242,18 +244,9 @@ Changes in version 0.2.7.5- 2015-11-?? introductions, by blocking multiple introduction requests on the same circuit. Resolves ticket 15515. - o Minor features (geoIP): + o Minor features (geoip): - Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2 Country database. - - Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2 - Country database. - - Update geoip to the April 8 2015 Maxmind GeoLite2 Country database. - - Update geoip6 to the April 8 2015 Maxmind GeoLite2 - Country database. - - o Minor features (geoip, also in 0.2.6.10): - - Update geoip to the June 3 2015 Maxmind GeoLite2 Country database. - - Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database. o Minor features (hidden services): - Add the new options "HiddenServiceMaxStreams" and @@ -274,8 +267,6 @@ Changes in version 0.2.7.5- 2015-11-?? track only of the fraction of traffic used by hidden services, and the total number of hidden services in existence.) Closes ticket 15254. - - o Minor features (HS popularity countermeasure): - To avoid leaking HS popularity, don't cycle the introduction point when we've handled a fixed number of INTRODUCE2 cells but instead cycle it when a random number of introductions is reached, thus 
@@ -299,34 +290,6 @@ Changes in version 0.2.7.5- 2015-11-?? can be used by implementations to detect this new behavior. Resolves ticket 15435. - o Minor features (portability): - - Use C99 variadic macros when the compiler is not GCC. This avoids - failing compilations on MSVC, and fixes a log-file-based race - condition in our old workarounds. Original patch from Gisle Vanem. - - o Minor features (testing): - - Add a test to verify that the compiler does not eliminate our - memwipe() implementation. Closes ticket 15377. - - Add make rule `check-changes` to verify the format of changes - files. Closes ticket 15180. - - Add unit tests for control_event_is_interesting(). Add a compile- - time check that the number of events doesn't exceed the capacity - of control_event_t.event_mask. Closes ticket 15431, checks for - bugs similar to 13085. Patch by "teor". - - Command-line argument tests moved to Stem. Resolves ticket 14806. - - Integrate the ntor, backtrace, and zero-length keys tests into the - automake test suite. Closes ticket 15344. - - Remove assertions during builds to determine Tor's test coverage. - We don't want to trigger these even in assertions, so including - them artificially makes our branch coverage look worse than it is. - This patch provides the new test-stem-full and coverage-html-full - configure options. Implements ticket 15400. - - o Minor features (testing, authorities, documentation): - - New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags to - explicitly manage consensus flags in testing networks. Patch by - "robgjansen", modified by "teor". Implements part of ticket 14882. - o Minor bugfixes (torrc exit policies): - In each instance above, usage advice is provided to avoid the message. Resolves ticket 16069. Patch by "teor". Fixes part of bug 
@@ -351,6 +314,10 @@ Changes in version 0.2.7.5- 2015-11-?? on 0.2.3.3-alpha. - When complaining about bad arguments to "--dump-config", use stderr, not stdout. + - Print usage information for --dump-config when it is used without + an argument. Also, fix the error message to use different wording + and add newline at the end. Fixes bug 15541; bugfix + on 0.2.5.1-alpha. o Minor bugfixes (compilation): - Fix compilation of sandbox.c with musl-libc. Fixes bug 17347; @@ -397,19 +364,6 @@ Changes in version 0.2.7.5- 2015-11-?? its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced when implementing ticket 4900. Patch by "teor". - o Minor bugfixes (documentation): - - Advise users on how to configure separate IPv4 and IPv6 exit - policies in the manpage and sample torrcs. Related to ticket 16069. - - Fix an error in the manual page and comments for - TestingDirAuthVoteHSDir[IsStrict], which suggested that a HSDir - required "ORPort connectivity". While this is true, it is in no - way unique to the HSDir flag. Of all the flags, only HSDirs need a - DirPort configured in order for the authorities to assign that - particular flag. Patch by "teor". Fixed as part of 14882; bugfix - on 0.2.6.3-alpha. - - Fix the usage message of tor-resolve(1) so that it no longer lists - the removed -F option. Fixes bug 16913; bugfix on 0.2.2.28-beta. - o Minor bugfixes (hidden service): - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on a client authorized hidden service. Fixes bug 15823; bugfix 
@@ -417,17 +371,14 @@ Changes in version 0.2.7.5- 2015-11-?? - Remove an extraneous newline character from the end of hidden service descriptors. Fixes bug 15296; bugfix on 0.2.0.10-alpha. - o Minor bugfixes (interface): - - Print usage information for --dump-config when it is used without - an argument. Also, fix the error message to use different wording - and add newline at the end. Fixes bug 15541; bugfix - on 0.2.5.1-alpha. - o Minor bugfixes (Linux seccomp2 sandbox): - Use the sandbox in tor_open_cloexec whether or not O_CLOEXEC is defined. Patch by "teor". Fixes bug 16515; bugfix on 0.2.3.1-alpha. - Allow bridge authorities to run correctly under the seccomp2 sandbox. Fixes bug 16964; bugfix on 0.2.5.1-alpha. + - Add the "hidserv-stats" filename to our sandbox filter for the + HiddenServiceStatistics option to work properly. Fixes bug 17354; + bugfix on tor-0.2.6.2-alpha. Patch from David Goulet. o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.10): - Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need @@ -443,7 +394,7 @@ Changes in version 0.2.7.5- 2015-11-?? syscalls. Fixes bug 16244; bugfix on 0.2.6.1-alpha. Patch by Peter Palfrader. - o Minor bugfixes (logs): + o Minor bugfixes (logging): - When building Tor under Clang, do not include an extra set of parentheses in log messages that include function names. Fixes bug 15269; bugfix on every released version of Tor when compiled with @@ -481,11 +432,6 @@ Changes in version 0.2.7.5- 2015-11-?? predictable scheduling behavior. Fixes bug 16644; bugfix on 0.2.6.3-alpha. - o Minor bugfixes (sandbox): - - Add the "hidserv-stats" filename to our sandbox filter for the - HiddenServiceStatistics option to work properly. Fixes bug 17354; - bugfix on tor-0.2.6.2-alpha. Patch from David Goulet. - o Minor bugfixes (security, exit policies): - ExitPolicyRejectPrivate now also rejects the relay's published IPv6 address (if any), and any publicly routable IPv4 or IPv6 
@@ -513,16 +459,6 @@ Changes in version 0.2.7.5- 2015-11-?? not. Fixes bug 15771; bugfix on 0.2.6.1-alpha. Patch by "teor", issue discovered by CJ Ess. - o Minor bugfixes (testing): - - Check for matching value in server response in ntor_ref.py. Fixes - bug 15591; bugfix on 0.2.4.8-alpha. Reported and fixed - by "joelanders". - - Set the severity correctly when testing - get_interface_addresses_ifaddrs() and - get_interface_addresses_win32(), so that the tests fail gracefully - instead of triggering an assertion. Fixes bug 15759; bugfix on - 0.2.6.3-alpha. Reported by Nicolas Derive. - o Minor bugfixes (tests, also in 0.2.6.9): - Fix a crash in the unit tests when built with MSVC2013. Fixes bug 16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker". @@ -594,11 +530,17 @@ Changes in version 0.2.7.5- 2015-11-?? - Standardize on the term "server descriptor" in the manual page. Previously, we had used "router descriptor", "server descriptor", and "relay descriptor" interchangeably. Part of ticket 14987. - - o New system requirements: - - Tor no longer includes workarounds to support Libevent versions - before 1.3e. Libevent 2.0 or later is recommended. Closes - ticket 15248. + - Advise users on how to configure separate IPv4 and IPv6 exit + policies in the manpage and sample torrcs. Related to ticket 16069. + - Fix an error in the manual page and comments for + TestingDirAuthVoteHSDir[IsStrict], which suggested that a HSDir + required "ORPort connectivity". While this is true, it is in no + way unique to the HSDir flag. Of all the flags, only HSDirs need a + DirPort configured in order for the authorities to assign that + particular flag. Patch by "teor". Fixed as part of 14882; bugfix + on 0.2.6.3-alpha. + - Fix the usage message of tor-resolve(1) so that it no longer lists + the removed -F option. Fixes bug 16913; bugfix on 0.2.2.28-beta. o Removed code: - Remove `USE_OPENSSL_BASE64` and the corresponding fallback code 
@@ -636,21 +578,11 @@ Changes in version 0.2.7.5- 2015-11-?? that didn't know about microdescriptors. - Tor no longer contains workarounds for stat files generated by super-old versions of Tor that didn't choose guards sensibly. - - Tor no longer supports copies of OpenSSL that are missing support - for Elliptic Curve Cryptography. (We began using ECC when - available in 0.2.4.8-alpha, for more safe and efficient key - negotiation.) In particular, support for at least one of P256 or - P224 is now required, with manual configuration needed if only - P224 is available. Resolves ticket 16140. - - Tor no longer supports versions of OpenSSL before 1.0. (If you are - on an operating system that has not upgraded to OpenSSL 1.0 or - later, and you compile Tor from source, you will need to install a - more recent OpenSSL to link Tor against.) These versions of - OpenSSL are still supported by the OpenSSL, but the numerous - cryptographic improvements in later OpenSSL releases makes them a - clear choice. Resolves ticket 16034. o Testing: + - The test-network.sh script now supports performance testing. + Requires corresponding chutney performance testing changes. Patch + by "teor". Closes ticket 14175. - Add a new set of callgraph analysis scripts that use clang to produce a list of which Tor functions are reachable from which other Tor functions. We're planning to use these to help simplify 
@@ -693,8 +625,33 @@ Changes in version 0.2.7.5- 2015-11-?? (if any) using the 'tor-cov' coverage binary. - When running test-network or test-stem, check for the absence of stem/chutney before doing any build operations. - - + - Add a test to verify that the compiler does not eliminate our + memwipe() implementation. Closes ticket 15377. + - Add make rule `check-changes` to verify the format of changes + files. Closes ticket 15180. + - Add unit tests for control_event_is_interesting(). Add a compile- + time check that the number of events doesn't exceed the capacity + of control_event_t.event_mask. Closes ticket 15431, checks for + bugs similar to 13085. Patch by "teor". + - Command-line argument tests moved to Stem. Resolves ticket 14806. + - Integrate the ntor, backtrace, and zero-length keys tests into the + automake test suite. Closes ticket 15344. + - Remove assertions during builds to determine Tor's test coverage. + We don't want to trigger these even in assertions, so including + them artificially makes our branch coverage look worse than it is. + This patch provides the new test-stem-full and coverage-html-full + configure options. Implements ticket 15400. + - New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags to + explicitly manage consensus flags in testing networks. Patch by + "robgjansen", modified by "teor". Implements part of ticket 14882. + - Check for matching value in server response in ntor_ref.py. Fixes + bug 15591; bugfix on 0.2.4.8-alpha. Reported and fixed + by "joelanders". + - Set the severity correctly when testing + get_interface_addresses_ifaddrs() and + get_interface_addresses_win32(), so that the tests fail gracefully + instead of triggering an assertion. Fixes bug 15759; bugfix on + 0.2.6.3-alpha. Reported by Nicolas Derive. Changes in version 0.2.6.10 - 2015-07-12
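Review bot: In the @@ -6,6 +6,24 @@ hunk, the OpenSSL 1.0 entry (ticket 16034) is moved to the top of the release notes with its wording problems intact. "still supported by the OpenSSL" is missing a noun, "the numerous cryptographic improvements ... makes" should be "make", and "them" in "makes them a clear choice" has no clear antecedent because the sentence's subject is the old versions. Suggest rewording the entry in this commit, and changing "more safe" to "safer" in the ECC entry (ticket 16140) while it is being moved. The context lines of the same hunk still carry "XXXX WRITE A BLURB XXXX" and the date "2015-11-??", which need filling in before this section ships.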
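Review bot: The @@ -36,24 +54,43 @@ hunk deletes the whole "Major features (Ed25519 keys, keypinning)" section, and its one entry (key-pinning on directory authorities is advisory-only by default unless AuthDirPinKeys is set, ticket 17135) is not re-added in any other hunk of this patch, unlike every other entry removed here. If the drop is intentional, the commit message should say why. Otherwise, add the entry next to the Ed25519 key-management items this hunk inserts, since it changes what authorities enforce by default.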
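Review bot: In the @@ -72,44 +109,6 @@ hunk, removing the "Major features (security, hidden services)" heading means the EntryNodes guard discovery entry (ticket 14917) now appears only under "Major features (Hidden services)", as added in the previous hunk, with nothing in the heading marking it as a security fix. Suggest keeping "security" in the destination heading so that readers scanning for security-relevant changes still find it. The entry's "See ticket for more information" could also name ticket 14917 directly instead of relying on the trailing "Fixes ticket 14917".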
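Review bot: In the @@ -693,8 +625,33 @@ hunk, the coverage entry moved under "Testing" (ticket 15400) is hard to parse as written: "We don't want to trigger these even in assertions, so including them artificially makes our branch coverage look worse than it is" uses "assertions" where another word seems intended, and "these" and "them" do not clearly refer to anything. Since the entry is being touched anyway, suggest rewriting it to state what is excluded from the coverage build and why. The same hunk also places entries worded as bugfixes ("Fixes bug 15591; bugfix on 0.2.4.8-alpha", "Fixes bug 15759; bugfix on 0.2.6.3-alpha") in the same list as new test features; grouping the bugfix entries together at the end of the section would keep the two kinds apart.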