mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-10 05:03:43 +01:00
26841 lines
1.3 MiB
26841 lines
1.3 MiB
Changes in version 0.3.3.1-alpha - 2018-01-??:
|
|
Blurb goes here
|
|
|
|
o Major features (onion services, security):
|
|
- Provide torrc options to pin the second and third hops of onion
|
|
service circuits to a list of nodes. The option HSLayer2Guards
|
|
pins the second hop, and the option HSLayer3Guards pins the third
|
|
hop. Closes ticket 13837.
|
|
|
|
o Major features (embedding):
|
|
- There is now a documented stable API for programs that need to
|
|
embed Tor. See tor_api.h for full documentation and known bugs.
|
|
Closes ticket 23684.
|
|
- Tor now has support for restarting in the same process.
|
|
Controllers that run Tor using the "tor_api.h" interface can now
|
|
restart Tor after Tor has exited. This support is incomplete,
|
|
however: we have fixed the crash bugs that prevented it from
|
|
working at all before, but many bugs probably remain, including
|
|
the possibility of security issues. Implements ticket 24581.
|
|
|
|
o Major features (IPv6, directory documents):
|
|
- Add consensus method 27, which adds IPv6 ORPorts to the microdesc
|
|
consensus. This makes it easier for IPv6 clients to bootstrap and
|
|
choose reachable entry guards. Implements 23826.
|
|
- Add consensus method 28, which removes IPv6 ORPorts from
|
|
microdescriptors. Now that there are IPv6 ORPorts in the microdesc
|
|
consensus, they are redundant in microdescs. This change is
|
|
compatible with tor clients on 0.2.8.x and later. (0.2.8.x
|
|
introduced client IPv6 bootstrap and guard support.)
|
|
Implements 23828.
|
|
- Expand the documentation for AuthDirHasIPv6Connectivity when it is
|
|
set by different numbers of authorities. Fixes 23870
|
|
on 0.2.4.1-alpha.
|
|
|
|
o Major features (onion service v3, control port):
|
|
- Control port now supports command and events for v3 onion
|
|
services. See proposal 284 for more information on what has been
|
|
done exactly. Only the HSFETCH command hasn't been implemented at
|
|
this stage because of a lack of use case with v3.
|
|
|
|
It is now possible to create ephemeral v3 services using the
|
|
ADD_ONION command. Additionally, several events (HS_DESC,
|
|
HS_DESC_CONTENT, CIRC and CIRC_MINOR) and commands (GETINFO,
|
|
HSPOST, ADD_ONION and DEL_ONION) have been extended to support v3
|
|
onion services. Closes ticket 20699.
|
|
|
|
o Major features (rust, portability, experimental):
|
|
- Tor now ships with an optional implementation of one of its
|
|
smaller modules (protover.c) in the Rust programming language. To
|
|
try it out, install a Rust build environment, and configure Tor
|
|
with "--enable-rust --enable-cargo-online-mode". This should not
|
|
cause any user-visible changes, but should help us gain more
|
|
experience with Rust, and plan future Rust integration work.
|
|
Implementation by Chelsea Komlo. Closes ticket 22840.
|
|
|
|
o Major features (storage, configuration):
|
|
- Users can choose to store cached directory documents somewhere
|
|
other than the DataDirectory by using the CacheDirectory option.
|
|
Similarly, the storage location for relay's keys can be overridden
|
|
with the KeyDirectory option. Closes ticket 22703.
|
|
|
|
o Major features (v3 onion services, ipv6):
|
|
- When v3 onion service clients send introduce cells, include the
|
|
IPv6 address of the rendezvous point, if it has one. v3 onion
|
|
services running 0.3.2 ignore IPv6 addresses. In future Tor
|
|
versions, IPv6-only v3 single onion services can use IPv6
|
|
addresses to connect directly to the rendezvous point. Closes
|
|
ticket 23577. Patch by Neel Chauhan.
|
|
|
|
o Major bugfixes (onion services, retry behavior):
|
|
- Fix an "off by 2" error in counting rendezvous failures on the
|
|
onion service side. While we thought we would stop the rendezvous
|
|
attempt after one failed circuit, we were actually making three
|
|
circuit attempts before giving up. Now switch to a default of 2,
|
|
and allow the consensus parameter "hs_service_max_rdv_failures" to
|
|
override. Fixes bug 24895; bugfix on 0.0.6.
|
|
- New-style (v3) onion services now obey the "max rendezvous circuit
|
|
attempts" logic. Previously they would make as many rendezvous
|
|
circuit attempts as they could fit in the MAX_REND_TIMEOUT second
|
|
window before giving up. Fixes bug 24894; bugfix on 0.3.2.1-alpha.
|
|
|
|
o Major bugfixes (relays):
|
|
- Fix a set of false positives where relays would consider
|
|
connections to other relays as being client-only connections (and
|
|
thus e.g. deserving different link padding schemes) if those
|
|
relays fell out of the consensus briefly. Now we look only at the
|
|
initial handshake and whether the connection authenticated as a
|
|
relay. Fixes bug 24898; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor feature (IPv6):
|
|
- Make IPv6-only clients wait for microdescs for relays, even if we
|
|
were previously using descriptors (or were using them as a bridge)
|
|
and have a cached descriptor for them. Implements 23827.
|
|
- When a consensus has IPv6 ORPorts, make IPv6-only clients use
|
|
them, rather than waiting to download microdescriptors.
|
|
Implements 23827.
|
|
|
|
o Minor features (cleanup):
|
|
- Tor now deletes the CookieAuthFile and ExtORPortCookieAuthFile
|
|
when it stops. Closes ticket 23271.
|
|
|
|
o Minor features (code correctness, descriptors):
|
|
- Check that microdesc ed25519 ids are non-zero in
|
|
node_get_ed25519_id(), before returning them. Implements 24001,
|
|
patch by "aruna1234".
|
|
|
|
o Minor features (defensive programming):
|
|
- Most of the functions in Tor that free objects have been replaced
|
|
with macros that free the objects and set the corresponding
|
|
pointers to NULL. This change should help prevent a large class of
|
|
dangling pointer bugs. Closes ticket 24337.
|
|
- Where possible, the tor_free() macro now only evaluates its input
|
|
once. Part of ticket 24337.
|
|
|
|
o Minor features (directory authority):
|
|
- Make the "Exit" flag assignment only depend on whether the exit
|
|
policy allows connections to ports 80 and 443. Previously relays
|
|
would get the Exit flag if they allowed connections to one of
|
|
these ports and also port 6667. Resolves ticket 23637.
|
|
|
|
o Minor features (embedding):
|
|
- Tor can now start with a preauthenticated control connection
|
|
created by the process that launched it. This feature is meant for
|
|
use by programs that want to launch and manage a Tor process
|
|
without allowing other programs to manage it as well. For more
|
|
information, see the __OwningControllerFD option documented in
|
|
control-spec.txt. Closes ticket 23900.
|
|
- On most errors that would cause Tor to exit, it now tries to
|
|
return from the tor_main() function, rather than calling the
|
|
system exit() function. Most users won't notice a difference here,
|
|
but it should make a significant difference on platforms that try
|
|
to run Tor inside a separate thread: they should now be able to
|
|
survive Tor's exit conditions rather than having Tor shut down the
|
|
entire process. Closes ticket 23848.
|
|
- Applications that want to embed Tor can now tell Tor not to
|
|
register any of its own POSIX signal handlers, using the
|
|
__DisableSignalHandlers option. This option is not meant for
|
|
general use. Closes ticket 24588.
|
|
|
|
o Minor features (fallback directory list):
|
|
- Avoid selecting fallbacks that change their IP addresses too
|
|
often. Select more fallbacks by ignoring the Guard flag, and
|
|
allowing lower cutoffs for the Running and V2Dir flags. Also allow
|
|
a lower bandwidth, and a higher number of fallbacks per operator
|
|
(5% of the list). Implements ticket 24785.
|
|
- Update the fallback whitelist and blacklist based on opt-ins and
|
|
relay changes. Closes tickets 22321, 24678, 22527, 24135,
|
|
and 24695.
|
|
|
|
o Minor features (fallback directory mirror configuration):
|
|
- Add a nickname to each fallback in a C comment. This makes it
|
|
easier for operators to find their relays, and allows stem to use
|
|
nicknames to identify fallbacks. Implements ticket 24600.
|
|
- Add a type and version header to the fallback directory mirror
|
|
file. Also add a delimiter to the end of each fallback entry. This
|
|
helps external parsers like stem and Relay Search. Implements
|
|
ticket 24725.
|
|
- Add an extrainfo cache flag for each fallback in a C comment. This
|
|
allows stem to use fallbacks to fetch extra-info documents, rather
|
|
than using authorities. Implements ticket 22759.
|
|
- Add the generateFallbackDirLine.py script for automatically
|
|
generating fallback directory mirror lines from relay fingerprints.
|
|
No more typos! Add the lookupFallbackDirContact.py script for
|
|
automatically looking up operator contact info from relay
|
|
fingerprints. Implements ticket 24706, patch by teor and atagar.
|
|
- Reject any fallback directory mirror that serves an expired
|
|
consensus. Implements ticket 20942, patch by "minik".
|
|
- Remove commas and equals signs from external string inputs to the
|
|
fallback list. This avoids format confusion attacks. Implements
|
|
ticket 24726.
|
|
- Remove the "weight=10" line from fallback directory mirror
|
|
entries. Ticket 24681 will maintain the current fallback weights
|
|
by changing Tor's default fallback weight to 10. Implements
|
|
ticket 24679.
|
|
|
|
o Minor features (forward-compatibility):
|
|
- If a relay supports some link authentication protocol that we do
|
|
not recognize, then include that relay's ed25519 key when telling
|
|
other relays to extend to it. Previously, we treated future
|
|
versions as if they were too old to support ed25519 link
|
|
authentication. Closes ticket 20895.
|
|
|
|
o Minor features (heartbeat):
|
|
- Add onion service information to our heartbeat logs, displaying
|
|
stats about the activity of configured onion services. Closes
|
|
ticket 24896.
|
|
|
|
o Minor features (instrumentation, development):
|
|
- Add the MainloopStats option to allow developers to get
|
|
instrumentation information from the main event loop via the
|
|
heartbeat messages. We hope to use this to improve Tor's behavior
|
|
when it's trying to sleep. Closes ticket 24605.
|
|
|
|
o Minor features (log messages):
|
|
- Improve a warning message that happens when we fail to re-parse an
|
|
old router because of an expired certificate. Closes ticket 20020.
|
|
- Make the log more quantitative when we hit MaxMemInQueues
|
|
threshold exposing some values. Closes ticket 24501.
|
|
|
|
o Minor features (logging, android):
|
|
- Added support for the Android logging subsystem. Closes
|
|
ticket 24362.
|
|
|
|
o Minor features (OSX, iOS, performance):
|
|
- Use the mach_approximate_time() function (when available) to
|
|
implement coarse monotonic time. Having a coarse time function
|
|
should avoid a large number of system calls, and improve
|
|
performance slightly, especially under load. Closes ticket 24427.
|
|
|
|
o Minor features (performance):
|
|
- Support predictive circuit building for onion service circuits
|
|
with multiple layers of guards. Closes ticket 23101.
|
|
- Use stdatomic.h where available, rather than mutexes, to implement
|
|
atomic_counter_t. Closes ticket 23953.
|
|
|
|
o Minor features (performance, 32-bit):
|
|
- Improve performance on 32-bit systems by avoiding 64-bit division
|
|
when calculating the timestamp in milliseconds for channel padding
|
|
computations. Implements ticket 24613.
|
|
- Improve performance on 32-bit systems by avoiding 64-bit division
|
|
when timestamping cells and buffer chunks for OOM calculations.
|
|
Implements ticket 24374.
|
|
|
|
o Minor features (performance, windows):
|
|
- Improve performance on Windows Vista and Windows 7 by adjusting
|
|
TCP send window size according to the recommendation from
|
|
SIO_IDEAL_SEND_BACKLOG_QUERY. Closes ticket 22798. Patch
|
|
from Vort.
|
|
|
|
o Minor features (relay):
|
|
- Implement an option, ReducedExitPolicy, to allow an Tor exit relay
|
|
operator to use a more reasonable ("reduced") exit policy, rather
|
|
than the default one. If you want to run an exit node without
|
|
thinking too hard about which ports to allow, this one is for you.
|
|
Closes ticket 13605. Patch from Neel Chauhan.
|
|
|
|
o Minor features (testing, debugging, embedding):
|
|
- For development purposes, Tor now has a mode in which it runs for
|
|
a few seconds, then stops, and starts again without exiting the
|
|
process. This mode is meant to help us debug various issues with
|
|
ticket 23847. To use this feature, compile with
|
|
--enable-restart-degbugging, and set the TOR_DEBUG_RESTART
|
|
environment variable. This is expected to crash a lot, and is
|
|
really meant for developers only. It will likely be removed in a
|
|
future release. Implements ticket 24583.
|
|
|
|
o Minor bugfix (network IPv6 test):
|
|
- Tor's test scripts now check if "ping -6 ::1" works when the user
|
|
runs "make test-network-all". Fixes bug 24677; bugfix on
|
|
0.2.9.3-alpha. Patch by "ffmancera".
|
|
|
|
o Minor bugfixes (build, rust):
|
|
- Fix output of autoconf checks to display success messages for Rust
|
|
dependencies and a suitable rustc compiler version. Fixes bug
|
|
24612; bugfix on 0.3.1.3-alpha.
|
|
- When building with Rust on OSX, link against libresolv, to work
|
|
around the issue at https://github.com/rust-lang/rust/issues/46797.
|
|
Fixes bug 24652; bugfix on 0.3.1.1-alpha.
|
|
- Don't pass the --quiet option to cargo: it seems to suppress some
|
|
errors, which is not what we want to do when building. Fixes bug
|
|
24518; bugfix on 0.3.1.7.
|
|
- Build correctly when building from outside Tor's source tree with
|
|
the TOR_RUST_DEPENDENCIES option set. Fixes bug 22768; bugfix
|
|
on 0.3.1.7.
|
|
|
|
o Minor bugfixes (code correctness):
|
|
- Stop invoking undefined behaviour by using tor_free() on an
|
|
unaligned pointer in get_interface_addresses_ioctl(). This pointer
|
|
alignment issue exists on x86_64 macOS, but is unlikely to exist
|
|
elsewhere. Fixes bug 24733; bugfix on 0.3.0.0-alpha-dev; not in
|
|
any released version of tor.
|
|
|
|
o Minor bugfixes (directory authorities, IPv6):
|
|
- When creating a routerstatus (vote) from a routerinfo (descriptor),
|
|
set the IPv6 address to the unspecified IPv6 address, and
|
|
explicitly initialize the port to zero. Fixes bug 24488; bugfix
|
|
on 0.2.4.1-alpha.
|
|
|
|
o Minor bugfixes (fallback directory mirrors):
|
|
- Make updateFallbackDirs.py search harder for python. (Some OSs
|
|
don't put it in /usr/bin.) Fixes bug 24708; bugfix
|
|
on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (hibernation):
|
|
- When hibernating, close connections normally and allow them to
|
|
flush. Fixes bug 23571; bugfix on 0.2.4.7-alpha. Also fixes
|
|
bug 7267.
|
|
|
|
o Minor bugfixes (hibernation, bandwidth accounting, shutdown):
|
|
- Do not attempt to launch self-reachability tests when entering
|
|
hibernation. Fixes a base of bug 12062; bugfix on 0.0.9pre5.
|
|
- Resolve several bugs related to descriptor fetching on bridge
|
|
clients with bandwidth accounting enabled. (This combination is
|
|
not recommended!) Fixes a case of bug 12062; bugfix
|
|
on 0.2.0.3-alpha.
|
|
- When hibernating, do not attempt to launch DNS checks. Fixes a
|
|
case of bug 12062; bugfix on 0.1.2.2-alpha.
|
|
- When hibernating, do not try to upload or download descriptors.
|
|
Fixes a case of bug 12062; bugfix on 0.0.9pre5.
|
|
|
|
o Minor bugfixes (IPv6, bridges):
|
|
- Tor now always sets IPv6 preferences for bridges, even if there is
|
|
only router information or router status and warns about them.
|
|
Fixes bug 24573; bugfix on 0.2.8.2-alpha.
|
|
- Tor now sets IPv6 address in rs as well as it's set the one in ri.
|
|
Closes ticket 24572; bugfix on 0.2.4.5-alpha. Patch by "ffmancera".
|
|
|
|
o Minor bugfixes (linux seccomp2 sandbox):
|
|
- When running with the sandbox enabled, reload configuration files
|
|
correctly even when %include was used. Previously we would crash.
|
|
Fixes bug 22605; bugfix on 0.3.1. Patch from Daniel Pinto.
|
|
|
|
o Minor bugfixes (memory leaks):
|
|
- Avoid possible at-exit memory leaks related to use of Libevent's
|
|
event_base_once() function. (This function tends to leak memory if
|
|
the event_base is closed before the event fires.) Fixes bug 24584;
|
|
bugfix on 0.2.8.1-alpha.
|
|
- Fix a harmless memory leak in tor-resolve. Fixes bug 24582; bugfix
|
|
on 0.2.1.1-alpha.
|
|
|
|
o Minor bugfixes (OSX):
|
|
- Don't exit the Tor process if setrlimit() fails to change the file
|
|
limit (which can happen sometimes on some versions of OSX). Fixes
|
|
bug 21074; bugfix on 0.0.9pre5.
|
|
|
|
o Minor bugfixes (performance):
|
|
- Consider circuits for timeout as soon as they complete a hop. This
|
|
is more accurate than applying the timeout in
|
|
circuit_expire_building() because that function is only called
|
|
once per second, which is now too slow for typical timeouts on the
|
|
current network. Fixes bug 23114; bugfix on 0.2.2.2-alpha.
|
|
- Use onion service circuits (and other circuits longer than 3 hops)
|
|
to calculate a circuit build timeout. Previously, Tor only
|
|
calculated its build timeout based on circuits that planned to be
|
|
exactly 3 hops long. With this change, we include measurements
|
|
from all circuits at the point where they complete their third
|
|
hop. Fixes bug 23100; bugfix on 0.2.2.2-alpha.
|
|
|
|
o Minor bugfixes (performance, fragile-hardening):
|
|
- Improve the performance of our consensus-diff application code
|
|
when Tor is built with the --enable-fragile-hardening option set.
|
|
Fixes bug 24826; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Give out Exit flags in bootstrapping networks. Fixes bug 24137;
|
|
bugfix on 0.2.3.1-alpha.
|
|
- Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug
|
|
25005; bugfix on 0.3.2.7-rc.
|
|
|
|
o Code simplification and refactoring:
|
|
- Remove /usr/athena from search path in configure.ac. Closes
|
|
ticket 24363.
|
|
- Remove duplicate code in node_has_curve25519_onion_key() and
|
|
node_get_curve25519_onion_key(), and add a check for a zero
|
|
microdesc curve25519 onion key. Closes ticket 23966, patch by
|
|
"aruna1234" and "teor".
|
|
- Rewrite channel_rsa_id_group_set_badness to reduce temporary
|
|
memory allocations with large numbers of OR connections (e.g.
|
|
relays). Closes ticket 24119.
|
|
- Separate the function that deletes ephemeral files when Tor
|
|
stops gracefully.
|
|
- Small changes to Tor's buf_t API to make it suitable for use as a
|
|
general-purpose safe string constructor. Closes ticket 22342.
|
|
- Switch -Wnormalized=id to -Wnormalized=nfkc in configure.ac to
|
|
avoid source code identifier confusion. Closes ticket 24467.
|
|
- The tor_git_revision[] constant no longer needs to be redeclared
|
|
by everything that links against the rest of Tor. Done as part of
|
|
ticket 23845, to simplify our external API.
|
|
- We make extend_info_from_node() use node_get_curve25519_onion_key()
|
|
introduced in ticket 23577 to access the curve25519 public keys
|
|
rather than accessing it directly. Closes ticket 23760. Patch by
|
|
Neel Chauhan.
|
|
- Add a function to log channels' scheduler state changes to aide
|
|
debugging efforts. Closes ticket 24531.
|
|
|
|
o Documentation:
|
|
- Add documentation on how to build tor with Rust dependencies
|
|
without requiring being online. Closes ticket 22907; bugfix
|
|
on 0.3.0.3-alpha.
|
|
- Clarify the behavior of RelayBandwidth{Rate,Burst} with client
|
|
traffic. Closes ticket 24318.
|
|
- Document that OutboundBindAddress doesn't apply to DNS requests.
|
|
Closes ticket 22145. Patch from Aruna Maurya.
|
|
- Document that operators who run more than one relay or bridge are
|
|
expected to set MyFamily and ContactInfo correctly. Closes
|
|
ticket 24526.
|
|
|
|
o Code simplification and refactoring (channels):
|
|
- Remove the incoming and outgoing channel queues. The reason to do
|
|
so was due to the fact that they were always empty meaning never
|
|
used but still looked at in our fast path. Bottom line, it was an
|
|
unused code path.
|
|
- The majority ot the channel unit tests have been rewritten and the
|
|
code coverage has now been raised to 83.6% for channel.c. Closes
|
|
ticket 23709.
|
|
- We've simplify a lot the channel subsystem by removing those
|
|
queues but also by removing a lot of unused code or dead code
|
|
around it. Overall this is a cleanup removing more than 1500 lines
|
|
of code overall and adding very little except for unit test.
|
|
|
|
o Code simplification and refactoring (circuit rendezvous):
|
|
- Split get rendezvous circuit on client side on two different
|
|
functions. One that returns only established circuits and another
|
|
that returns all kinds of circuits. Closes ticket 23459.
|
|
|
|
o Code simplification and refactoring (controller):
|
|
- Make most of the variables in networkstatus_getinfo_by_purpose()
|
|
const. Implements ticket 24489.
|
|
|
|
o Code simplification and refactoring (fallbacks):
|
|
- Stop logging excessive information about fallback netblocks.
|
|
Implements ticket 24791.
|
|
|
|
|
|
Changes in version 0.3.2.9 - 2018-01-09
|
|
Tor 0.3.2.9 is the first stable release in the 0.3.2 series.
|
|
|
|
The 0.3.2 series includes our long-anticipated new onion service
|
|
design, with numerous security features. (For more information, see
|
|
our blog post at https://blog.torproject.org/fall-harvest.) We also
|
|
have a new circuit scheduler algorithm for improved performance on
|
|
relays everywhere (see https://blog.torproject.org/kist-and-tell),
|
|
along with many smaller features and bugfixes.
|
|
|
|
Per our stable release policy, we plan to support each stable release
|
|
series for at least the next nine months, or for three months after
|
|
the first stable release of the next series: whichever is longer. If
|
|
you need a release with long-term support, we recommend that you stay
|
|
with the 0.2.9 series.
|
|
|
|
Below is a list of the changes since 0.3.2.8-rc. For a list of all
|
|
changes since 0.3.1, see the ReleaseNotes file.
|
|
|
|
o Minor features (fallback directory mirrors):
|
|
- The fallback directory list has been re-generated based on the
|
|
current status of the network. Tor uses fallback directories to
|
|
bootstrap when it doesn't yet have up-to-date directory
|
|
information. Closes ticket 24801.
|
|
- Make the default DirAuthorityFallbackRate 0.1, so that clients
|
|
prefer to bootstrap from fallback directory mirrors. This is a
|
|
follow-up to 24679, which removed weights from the default
|
|
fallbacks. Implements ticket 24681.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the January 5 2018 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (address selection):
|
|
- When the fascist_firewall_choose_address_ functions don't find a
|
|
reachable address, set the returned address to the null address
|
|
and port. This is a precautionary measure, because some callers do
|
|
not check the return value. Fixes bug 24736; bugfix
|
|
on 0.2.8.2-alpha.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Resolve a few shadowed-variable warnings in the onion service
|
|
code. Fixes bug 24634; bugfix on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (portability, msvc):
|
|
- Fix a bug in the bit-counting parts of our timing-wheel code on
|
|
MSVC. (Note that MSVC is still not a supported build platform, due
|
|
to cyptographic timing channel risks.) Fixes bug 24633; bugfix
|
|
on 0.2.9.1-alpha.
|
|
|
|
|
|
Changes in version 0.3.2.8-rc - 2017-12-21
|
|
Tor 0.3.2.8-rc fixes a pair of bugs in the KIST and KISTLite
|
|
schedulers that had led servers under heavy load to overload their
|
|
outgoing connections. All relay operators running earlier 0.3.2.x
|
|
versions should upgrade. This version also includes a mitigation for
|
|
over-full DESTROY queues leading to out-of-memory conditions: if it
|
|
works, we will soon backport it to earlier release series.
|
|
|
|
This is the second release candidate in the 0.3.2 series. If we find
|
|
no new bugs or regression here, then the first stable 0.3.2 release
|
|
will be nearly identical to this.
|
|
|
|
o Major bugfixes (KIST, scheduler):
|
|
- The KIST scheduler did not correctly account for data already
|
|
enqueued in each connection's send socket buffer, particularly in
|
|
cases when the TCP/IP congestion window was reduced between
|
|
scheduler calls. This situation lead to excessive per-connection
|
|
buffering in the kernel, and a potential memory DoS. Fixes bug
|
|
24665; bugfix on 0.3.2.1-alpha.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the December 6 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (hidden service v3):
|
|
- Bump hsdir_spread_store parameter from 3 to 4 in order to increase
|
|
the probability of reaching a service for a client missing
|
|
microdescriptors. Fixes bug 24425; bugfix on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (memory usage):
|
|
- When queuing DESTROY cells on a channel, only queue the circuit-id
|
|
and reason fields: not the entire 514-byte cell. This fix should
|
|
help mitigate any bugs or attacks that fill up these queues, and
|
|
free more RAM for other uses. Fixes bug 24666; bugfix
|
|
on 0.2.5.1-alpha.
|
|
|
|
o Minor bugfixes (scheduler, KIST):
|
|
- Use a sane write limit for KISTLite when writing onto a connection
|
|
buffer instead of using INT_MAX and shoving as much as it can.
|
|
Because the OOM handler cleans up circuit queues, we are better
|
|
off at keeping them in that queue instead of the connection's
|
|
buffer. Fixes bug 24671; bugfix on 0.3.2.1-alpha.
|
|
|
|
|
|
Changes in version 0.3.2.7-rc - 2017-12-14
|
|
Tor 0.3.2.7-rc fixes various bugs in earlier versions of Tor,
|
|
including some that could affect reliability or correctness.
|
|
|
|
This is the first release candidate in the 0.3.2 series. If we find no
|
|
new bugs or regression here, then the first stable 0.3.2. release will
|
|
be nearly identical to this.
|
|
|
|
o Major bugfixes (circuit prediction):
|
|
- Fix circuit prediction logic so that a client doesn't treat a port
|
|
as being "handled" by a circuit if that circuit already has
|
|
isolation settings on it. This change should make Tor clients more
|
|
responsive by improving their chances of having a pre-created
|
|
circuit ready for use when a request arrives. Fixes bug 18859;
|
|
bugfix on 0.2.3.3-alpha.
|
|
|
|
o Minor features (logging):
|
|
- Provide better warnings when the getrandom() syscall fails. Closes
|
|
ticket 24500.
|
|
|
|
o Minor features (portability):
|
|
- Tor now compiles correctly on arm64 with libseccomp-dev installed.
|
|
(It doesn't yet work with the sandbox enabled.) Closes
|
|
ticket 24424.
|
|
|
|
o Minor bugfixes (bridge clients, bootstrap):
|
|
- Retry directory downloads when we get our first bridge descriptor
|
|
during bootstrap or while reconnecting to the network. Keep
|
|
retrying every time we get a bridge descriptor, until we have a
|
|
reachable bridge. Fixes part of bug 24367; bugfix on 0.2.0.3-alpha.
|
|
- Stop delaying bridge descriptor fetches when we have cached bridge
|
|
descriptors. Instead, only delay bridge descriptor fetches when we
|
|
have at least one reachable bridge. Fixes part of bug 24367;
|
|
bugfix on 0.2.0.3-alpha.
|
|
- Stop delaying directory fetches when we have cached bridge
|
|
descriptors. Instead, only delay bridge descriptor fetches when
|
|
all our bridges are definitely unreachable. Fixes part of bug
|
|
24367; bugfix on 0.2.0.3-alpha.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Fix a signed/unsigned comparison warning introduced by our fix to
|
|
TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
|
|
|
|
o Minor bugfixes (correctness):
|
|
- Fix several places in our codebase where a C compiler would be
|
|
likely to eliminate a check, based on assuming that undefined
|
|
behavior had not happened elsewhere in the code. These cases are
|
|
usually a sign of redundant checking or dubious arithmetic. Found
|
|
by Georg Koppen using the "STACK" tool from Wang, Zeldovich,
|
|
Kaashoek, and Solar-Lezama. Fixes bug 24423; bugfix on various
|
|
Tor versions.
|
|
|
|
o Minor bugfixes (onion service v3):
|
|
- Fix a race where an onion service would launch a new intro circuit
|
|
after closing an old one, but fail to register it before freeing
|
|
the previously closed circuit. This bug was making the service
|
|
unable to find the established intro circuit and thus not upload
|
|
its descriptor, thus making a service unavailable for up to 24
|
|
hours. Fixes bug 23603; bugfix on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (scheduler, KIST):
|
|
- Properly set the scheduler state of an unopened channel in the
|
|
KIST scheduler main loop. This prevents a harmless but annoying
|
|
log warning. Fixes bug 24502; bugfix on 0.3.2.4-alpha.
|
|
- Avoid a possible integer overflow when computing the available
|
|
space on the TCP buffer of a channel. This had no security
|
|
implications; but could make KIST allow too many cells on a
|
|
saturated connection. Fixes bug 24590; bugfix on 0.3.2.1-alpha.
|
|
- Downgrade to "info" a harmless warning about the monotonic time
|
|
moving backwards: This can happen on platform not supporting
|
|
monotonic time. Fixes bug 23696; bugfix on 0.3.2.1-alpha.
|
|
|
|
|
|
Changes in version 0.3.2.6-alpha - 2017-12-01
|
|
This version of Tor is the latest in the 0.3.2 alpha series. It
|
|
includes fixes for several important security issues. All Tor users
|
|
should upgrade to this release, or to one of the other releases coming
|
|
out today.
|
|
|
|
o Major bugfixes (security):
|
|
- Fix a denial of service bug where an attacker could use a
|
|
malformed directory object to cause a Tor instance to pause while
|
|
OpenSSL would try to read a passphrase from the terminal. (Tor
|
|
instances run without a terminal, which is the case for most Tor
|
|
packages, are not impacted.) Fixes bug 24246; bugfix on every
|
|
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
|
|
Found by OSS-Fuzz as testcase 6360145429790720.
|
|
- Fix a denial of service issue where an attacker could crash a
|
|
directory authority using a malformed router descriptor. Fixes bug
|
|
24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
|
|
and CVE-2017-8820.
|
|
- When checking for replays in the INTRODUCE1 cell data for a
|
|
(legacy) onion service, correctly detect replays in the RSA-
|
|
encrypted part of the cell. We were previously checking for
|
|
replays on the entire cell, but those can be circumvented due to
|
|
the malleability of Tor's legacy hybrid encryption. This fix helps
|
|
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
|
|
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
|
|
and CVE-2017-8819.
|
|
|
|
o Major bugfixes (security, onion service v2):
|
|
- Fix a use-after-free error that could crash v2 Tor onion services
|
|
when they failed to open circuits while expiring introduction
|
|
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
|
|
also tracked as TROVE-2017-013 and CVE-2017-8823.
|
|
|
|
o Major bugfixes (security, relay):
|
|
- When running as a relay, make sure that we never build a path
|
|
through ourselves, even in the case where we have somehow lost the
|
|
version of our descriptor appearing in the consensus. Fixes part
|
|
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
|
|
as TROVE-2017-012 and CVE-2017-8822.
|
|
- When running as a relay, make sure that we never choose ourselves
|
|
as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
|
|
issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
|
|
|
|
o Minor feature (relay statistics):
|
|
- Change relay bandwidth reporting stats interval from 4 hours to 24
|
|
hours in order to reduce the efficiency of guard discovery
|
|
attacks. Fixes ticket 23856.
|
|
|
|
o Minor features (directory authority):
|
|
- Add an IPv6 address for the "bastet" directory authority. Closes
|
|
ticket 24394.
|
|
|
|
o Minor bugfixes (client):
|
|
- By default, do not enable storage of client-side DNS values. These
|
|
values were unused by default previously, but they should not have
|
|
been cached at all. Fixes bug 24050; bugfix on 0.2.6.3-alpha.
|
|
|
|
|
|
Changes in version 0.3.1.9 - 2017-12-01:
|
|
Tor 0.3.1.9 backports important security and stability fixes from the
|
|
0.3.2 development series. All Tor users should upgrade to this
|
|
release, or to another of the releases coming out today.
|
|
|
|
o Major bugfixes (security, backport from 0.3.2.6-alpha):
|
|
- Fix a denial of service bug where an attacker could use a
|
|
malformed directory object to cause a Tor instance to pause while
|
|
OpenSSL would try to read a passphrase from the terminal. (Tor
|
|
instances run without a terminal, which is the case for most Tor
|
|
packages, are not impacted.) Fixes bug 24246; bugfix on every
|
|
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
|
|
Found by OSS-Fuzz as testcase 6360145429790720.
|
|
- Fix a denial of service issue where an attacker could crash a
|
|
directory authority using a malformed router descriptor. Fixes bug
|
|
24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
|
|
and CVE-2017-8820.
|
|
- When checking for replays in the INTRODUCE1 cell data for a
|
|
(legacy) onion service, correctly detect replays in the RSA-
|
|
encrypted part of the cell. We were previously checking for
|
|
replays on the entire cell, but those can be circumvented due to
|
|
the malleability of Tor's legacy hybrid encryption. This fix helps
|
|
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
|
|
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
|
|
and CVE-2017-8819.
|
|
|
|
o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
|
|
- Fix a use-after-free error that could crash v2 Tor onion services
|
|
when they failed to open circuits while expiring introduction
|
|
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
|
|
also tracked as TROVE-2017-013 and CVE-2017-8823.
|
|
|
|
o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
|
|
- When running as a relay, make sure that we never build a path
|
|
through ourselves, even in the case where we have somehow lost the
|
|
version of our descriptor appearing in the consensus. Fixes part
|
|
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
|
|
as TROVE-2017-012 and CVE-2017-8822.
|
|
- When running as a relay, make sure that we never choose ourselves
|
|
as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
|
|
issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
|
|
|
|
o Major bugfixes (exit relays, DNS, backport from 0.3.2.4-alpha):
|
|
- Fix an issue causing DNS to fail on high-bandwidth exit nodes,
|
|
making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
|
|
0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
|
|
identifying and finding a workaround to this bug and to Moritz,
|
|
Arthur Edelstein, and Roger for helping to track it down and
|
|
analyze it.
|
|
|
|
o Minor features (bridge):
|
|
- Bridges now include notice in their descriptors that they are
|
|
bridges, and notice of their distribution status, based on their
|
|
publication settings. Implements ticket 18329. For more fine-
|
|
grained control of how a bridge is distributed, upgrade to 0.3.2.x
|
|
or later.
|
|
|
|
o Minor features (directory authority, backport from 0.3.2.6-alpha):
|
|
- Add an IPv6 address for the "bastet" directory authority. Closes
|
|
ticket 24394.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfix (relay address resolution, backport from 0.3.2.1-alpha):
|
|
- Avoid unnecessary calls to directory_fetches_from_authorities() on
|
|
relays, to prevent spurious address resolutions and descriptor
|
|
rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
|
|
bugfix on in 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (compilation, backport from 0.3.2.1-alpha):
|
|
- Fix unused variable warnings in donna's Curve25519 SSE2 code.
|
|
Fixes bug 22895; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (logging, relay shutdown, annoyance, backport from 0.3.2.2-alpha):
|
|
- When a circuit is marked for close, do not attempt to package any
|
|
cells for channels on that circuit. Previously, we would detect
|
|
this condition lower in the call stack, when we noticed that the
|
|
circuit had no attached channel, and log an annoying message.
|
|
Fixes bug 8185; bugfix on 0.2.5.4-alpha.
|
|
|
|
o Minor bugfixes (onion service, backport from 0.3.2.5-alpha):
|
|
- Rename the consensus parameter "hsdir-interval" to "hsdir_interval"
|
|
so it matches dir-spec.txt. Fixes bug 24262; bugfix
|
|
on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (relay, crash, backport from 0.3.2.4-alpha):
|
|
- Avoid a crash when transitioning from client mode to bridge mode.
|
|
Previously, we would launch the worker threads whenever our
|
|
"public server" mode changed, but not when our "server" mode
|
|
changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
|
|
|
|
|
|
Changes in version 0.3.0.13 - 2017-12-01
|
|
Tor 0.3.0.13 backports important security and stability bugfixes from
|
|
later Tor releases. All Tor users should upgrade to this release, or
|
|
to another of the releases coming out today.
|
|
|
|
Note: the Tor 0.3.0 series will no longer be supported after 26 Jan
|
|
2018. If you need a release with long-term support, please stick with
|
|
the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
|
|
|
|
o Major bugfixes (security, backport from 0.3.2.6-alpha):
|
|
- Fix a denial of service bug where an attacker could use a
|
|
malformed directory object to cause a Tor instance to pause while
|
|
OpenSSL would try to read a passphrase from the terminal. (Tor
|
|
instances run without a terminal, which is the case for most Tor
|
|
packages, are not impacted.) Fixes bug 24246; bugfix on every
|
|
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
|
|
Found by OSS-Fuzz as testcase 6360145429790720.
|
|
- Fix a denial of service issue where an attacker could crash a
|
|
directory authority using a malformed router descriptor. Fixes bug
|
|
24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
|
|
and CVE-2017-8820.
|
|
- When checking for replays in the INTRODUCE1 cell data for a
|
|
(legacy) onion service, correctly detect replays in the RSA-
|
|
encrypted part of the cell. We were previously checking for
|
|
replays on the entire cell, but those can be circumvented due to
|
|
the malleability of Tor's legacy hybrid encryption. This fix helps
|
|
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
|
|
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
|
|
and CVE-2017-8819.
|
|
|
|
o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
|
|
- Fix a use-after-free error that could crash v2 Tor onion services
|
|
when they failed to open circuits while expiring introduction
|
|
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
|
|
also tracked as TROVE-2017-013 and CVE-2017-8823.
|
|
|
|
o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
|
|
- When running as a relay, make sure that we never build a path
|
|
through ourselves, even in the case where we have somehow lost the
|
|
version of our descriptor appearing in the consensus. Fixes part
|
|
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
|
|
as TROVE-2017-012 and CVE-2017-8822.
|
|
- When running as a relay, make sure that we never choose ourselves
|
|
as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
|
|
issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
|
|
|
|
o Major bugfixes (exit relays, DNS, backport from 0.3.2.4-alpha):
|
|
- Fix an issue causing DNS to fail on high-bandwidth exit nodes,
|
|
making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
|
|
0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
|
|
identifying and finding a workaround to this bug and to Moritz,
|
|
Arthur Edelstein, and Roger for helping to track it down and
|
|
analyze it.
|
|
|
|
o Minor features (security, windows, backport from 0.3.1.1-alpha):
|
|
- Enable a couple of pieces of Windows hardening: one
|
|
(HeapEnableTerminationOnCorruption) that has been on-by-default
|
|
since Windows 8, and unavailable before Windows 7; and one
|
|
(PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) which we believe doesn't
|
|
affect us, but shouldn't do any harm. Closes ticket 21953.
|
|
|
|
o Minor features (bridge, backport from 0.3.1.9):
|
|
- Bridges now include notice in their descriptors that they are
|
|
bridges, and notice of their distribution status, based on their
|
|
publication settings. Implements ticket 18329. For more fine-
|
|
grained control of how a bridge is distributed, upgrade to 0.3.2.x
|
|
or later.
|
|
|
|
o Minor features (directory authority, backport from 0.3.2.6-alpha):
|
|
- Add an IPv6 address for the "bastet" directory authority. Closes
|
|
ticket 24394.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfix (relay address resolution, backport from 0.3.2.1-alpha):
|
|
- Avoid unnecessary calls to directory_fetches_from_authorities() on
|
|
relays, to prevent spurious address resolutions and descriptor
|
|
rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
|
|
bugfix on in 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (compilation, backport from 0.3.2.1-alpha):
|
|
- Fix unused variable warnings in donna's Curve25519 SSE2 code.
|
|
Fixes bug 22895; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (logging, relay shutdown, annoyance, backport from 0.3.2.2-alpha):
|
|
- When a circuit is marked for close, do not attempt to package any
|
|
cells for channels on that circuit. Previously, we would detect
|
|
this condition lower in the call stack, when we noticed that the
|
|
circuit had no attached channel, and log an annoying message.
|
|
Fixes bug 8185; bugfix on 0.2.5.4-alpha.
|
|
|
|
o Minor bugfixes (relay, crash, backport from 0.3.2.4-alpha):
|
|
- Avoid a crash when transitioning from client mode to bridge mode.
|
|
Previously, we would launch the worker threads whenever our
|
|
"public server" mode changed, but not when our "server" mode
|
|
changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
|
|
|
|
o Minor bugfixes (testing, backport from 0.3.1.6-rc):
|
|
- Fix an undersized buffer in test-memwipe.c. Fixes bug 23291;
|
|
bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij.
|
|
|
|
|
|
Changes in version 0.2.9.14 - 2017-12-01
|
|
Tor 0.3.0.13 backports important security and stability bugfixes from
|
|
later Tor releases. All Tor users should upgrade to this release, or
|
|
to another of the releases coming out today.
|
|
|
|
o Major bugfixes (exit relays, DNS, backport from 0.3.2.4-alpha):
|
|
- Fix an issue causing DNS to fail on high-bandwidth exit nodes,
|
|
making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
|
|
0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
|
|
identifying and finding a workaround to this bug and to Moritz,
|
|
Arthur Edelstein, and Roger for helping to track it down and
|
|
analyze it.
|
|
|
|
o Major bugfixes (security, backport from 0.3.2.6-alpha):
|
|
- Fix a denial of service bug where an attacker could use a
|
|
malformed directory object to cause a Tor instance to pause while
|
|
OpenSSL would try to read a passphrase from the terminal. (Tor
|
|
instances run without a terminal, which is the case for most Tor
|
|
packages, are not impacted.) Fixes bug 24246; bugfix on every
|
|
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
|
|
Found by OSS-Fuzz as testcase 6360145429790720.
|
|
- Fix a denial of service issue where an attacker could crash a
|
|
directory authority using a malformed router descriptor. Fixes bug
|
|
24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
|
|
and CVE-2017-8820.
|
|
- When checking for replays in the INTRODUCE1 cell data for a
|
|
(legacy) onion service, correctly detect replays in the RSA-
|
|
encrypted part of the cell. We were previously checking for
|
|
replays on the entire cell, but those can be circumvented due to
|
|
the malleability of Tor's legacy hybrid encryption. This fix helps
|
|
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
|
|
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
|
|
and CVE-2017-8819.
|
|
|
|
o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
|
|
- Fix a use-after-free error that could crash v2 Tor onion services
|
|
when they failed to open circuits while expiring introduction
|
|
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
|
|
also tracked as TROVE-2017-013 and CVE-2017-8823.
|
|
|
|
o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
|
|
- When running as a relay, make sure that we never build a path
|
|
through ourselves, even in the case where we have somehow lost the
|
|
version of our descriptor appearing in the consensus. Fixes part
|
|
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
|
|
as TROVE-2017-012 and CVE-2017-8822.
|
|
|
|
o Minor features (bridge, backport from 0.3.1.9):
|
|
- Bridges now include notice in their descriptors that they are
|
|
bridges, and notice of their distribution status, based on their
|
|
publication settings. Implements ticket 18329. For more fine-
|
|
grained control of how a bridge is distributed, upgrade to 0.3.2.x
|
|
or later.
|
|
|
|
o Minor features (directory authority, backport from 0.3.2.6-alpha):
|
|
- Add an IPv6 address for the "bastet" directory authority. Closes
|
|
ticket 24394.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (security, windows, backport from 0.3.1.1-alpha):
|
|
- Enable a couple of pieces of Windows hardening: one
|
|
(HeapEnableTerminationOnCorruption) that has been on-by-default
|
|
since Windows 8, and unavailable before Windows 7; and one
|
|
(PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) which we believe doesn't
|
|
affect us, but shouldn't do any harm. Closes ticket 21953.
|
|
|
|
o Minor bugfix (relay address resolution, backport from 0.3.2.1-alpha):
|
|
- Avoid unnecessary calls to directory_fetches_from_authorities() on
|
|
relays, to prevent spurious address resolutions and descriptor
|
|
rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
|
|
bugfix on in 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (compilation, backport from 0.3.2.1-alpha):
|
|
- Fix unused variable warnings in donna's Curve25519 SSE2 code.
|
|
Fixes bug 22895; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (logging, relay shutdown, annoyance, backport from 0.3.2.2-alpha):
|
|
- When a circuit is marked for close, do not attempt to package any
|
|
cells for channels on that circuit. Previously, we would detect
|
|
this condition lower in the call stack, when we noticed that the
|
|
circuit had no attached channel, and log an annoying message.
|
|
Fixes bug 8185; bugfix on 0.2.5.4-alpha.
|
|
|
|
o Minor bugfixes (relay, crash, backport from 0.3.2.4-alpha):
|
|
- Avoid a crash when transitioning from client mode to bridge mode.
|
|
Previously, we would launch the worker threads whenever our
|
|
"public server" mode changed, but not when our "server" mode
|
|
changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
|
|
|
|
o Minor bugfixes (testing, backport from 0.3.1.6-rc):
|
|
- Fix an undersized buffer in test-memwipe.c. Fixes bug 23291;
|
|
bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij.
|
|
|
|
|
|
Changes in version 0.2.8.17 - 2017-12-01
|
|
Tor 0.2.8.17 backports important security and stability bugfixes from
|
|
later Tor releases. All Tor users should upgrade to this release, or
|
|
to another of the releases coming out today.
|
|
|
|
Note: the Tor 0.2.8 series will no longer be supported after 1 Jan
|
|
2018. If you need a release with long-term support, please upgrade with
|
|
the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
|
|
|
|
o Major bugfixes (security, backport from 0.3.2.6-alpha):
|
|
- Fix a denial of service bug where an attacker could use a
|
|
malformed directory object to cause a Tor instance to pause while
|
|
OpenSSL would try to read a passphrase from the terminal. (Tor
|
|
instances run without a terminal, which is the case for most Tor
|
|
packages, are not impacted.) Fixes bug 24246; bugfix on every
|
|
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
|
|
Found by OSS-Fuzz as testcase 6360145429790720.
|
|
- When checking for replays in the INTRODUCE1 cell data for a
|
|
(legacy) onion service, correctly detect replays in the RSA-
|
|
encrypted part of the cell. We were previously checking for
|
|
replays on the entire cell, but those can be circumvented due to
|
|
the malleability of Tor's legacy hybrid encryption. This fix helps
|
|
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
|
|
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
|
|
and CVE-2017-8819.
|
|
|
|
o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
|
|
- Fix a use-after-free error that could crash v2 Tor onion services
|
|
when they failed to open circuits while expiring introduction
|
|
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
|
|
also tracked as TROVE-2017-013 and CVE-2017-8823.
|
|
|
|
o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
|
|
- When running as a relay, make sure that we never build a path through
|
|
ourselves, even in the case where we have somehow lost the version of
|
|
our descriptor appearing in the consensus. Fixes part of bug 21534;
|
|
bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012
|
|
and CVE-2017-8822.
|
|
|
|
o Minor features (bridge, backport from 0.3.1.9):
|
|
- Bridges now include notice in their descriptors that they are
|
|
bridges, and notice of their distribution status, based on their
|
|
publication settings. Implements ticket 18329. For more fine-
|
|
grained control of how a bridge is distributed, upgrade to 0.3.2.x
|
|
or later.
|
|
|
|
o Minor features (directory authority, backport from 0.3.2.6-alpha):
|
|
- Add an IPv6 address for the "bastet" directory authority. Closes
|
|
ticket 24394.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (testing, backport from 0.3.1.6-rc):
|
|
- Fix an undersized buffer in test-memwipe.c. Fixes bug 23291;
|
|
bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij.
|
|
|
|
|
|
Changes in version 0.2.5.16 - 2017-12-01
|
|
Tor 0.2.5.13 backports important security and stability bugfixes from
|
|
later Tor releases. All Tor users should upgrade to this release, or
|
|
to another of the releases coming out today.
|
|
|
|
Note: the Tor 0.2.5 series will no longer be supported after 1 May
|
|
2018. If you need a release with long-term support, please upgrade to
|
|
the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
|
|
|
|
o Major bugfixes (security, backport from 0.3.2.6-alpha):
|
|
- Fix a denial of service bug where an attacker could use a
|
|
malformed directory object to cause a Tor instance to pause while
|
|
OpenSSL would try to read a passphrase from the terminal. (Tor
|
|
instances run without a terminal, which is the case for most Tor
|
|
packages, are not impacted.) Fixes bug 24246; bugfix on every
|
|
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
|
|
Found by OSS-Fuzz as testcase 6360145429790720.
|
|
- When checking for replays in the INTRODUCE1 cell data for a
|
|
(legacy) onion service, correctly detect replays in the RSA-
|
|
encrypted part of the cell. We were previously checking for
|
|
replays on the entire cell, but those can be circumvented due to
|
|
the malleability of Tor's legacy hybrid encryption. This fix helps
|
|
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
|
|
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
|
|
and CVE-2017-8819.
|
|
|
|
o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
|
|
- When running as a relay, make sure that we never build a path
|
|
through ourselves, even in the case where we have somehow lost the
|
|
version of our descriptor appearing in the consensus. Fixes part
|
|
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
|
|
as TROVE-2017-012 and CVE-2017-8822.
|
|
|
|
o Minor features (bridge, backport from 0.3.1.9):
|
|
- Bridges now include notice in their descriptors that they are
|
|
bridges, and notice of their distribution status, based on their
|
|
publication settings. Implements ticket 18329. For more fine-
|
|
grained control of how a bridge is distributed, upgrade to 0.3.2.x
|
|
or later.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
|
|
Changes in version 0.3.2.5-alpha - 2017-11-22
|
|
Tor 0.3.2.5-alpha is the fifth alpha release in the 0.3.2.x series. It
|
|
fixes several stability and reliability bugs, including a fix for
|
|
intermittent bootstrapping failures that some people have been seeing
|
|
since the 0.3.0.x series.
|
|
|
|
Please test this alpha out -- many of these fixes will soon be
|
|
backported to stable Tor versions if no additional bugs are found
|
|
in them.
|
|
|
|
o Major bugfixes (bootstrapping):
|
|
- Fetch descriptors aggressively whenever we lack enough to build
|
|
circuits, regardless of how many descriptors we are missing.
|
|
Previously, we would delay launching the fetch when we had fewer
|
|
than 15 missing descriptors, even if some of those descriptors
|
|
were blocking circuits from building. Fixes bug 23985; bugfix on
|
|
0.1.1.11-alpha. The effects of this bug became worse in
|
|
0.3.0.3-alpha, when we began treating missing descriptors from our
|
|
primary guards as a reason to delay circuits.
|
|
- Don't try fetching microdescriptors from relays that have failed
|
|
to deliver them in the past. Fixes bug 23817; bugfix
|
|
on 0.3.0.1-alpha.
|
|
|
|
o Minor features (directory authority):
|
|
- Make the "Exit" flag assignment only depend on whether the exit
|
|
policy allows connections to ports 80 and 443. Previously relays
|
|
would get the Exit flag if they allowed connections to one of
|
|
these ports and also port 6667. Resolves ticket 23637.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (linux seccomp2 sandbox):
|
|
- Update the sandbox rules so that they should now work correctly
|
|
with Glibc 2.26. Closes ticket 24315.
|
|
|
|
o Minor features (logging):
|
|
- Downgrade a pair of log messages that could occur when an exit's
|
|
resolver gave us an unusual (but not forbidden) response. Closes
|
|
ticket 24097.
|
|
- Improve the message we log when re-enabling circuit build timeouts
|
|
after having received a consensus. Closes ticket 20963.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Fix a memory leak warning in one of the libevent-related
|
|
configuration tests that could occur when manually specifying
|
|
-fsanitize=address. Fixes bug 24279; bugfix on 0.3.0.2-alpha.
|
|
Found and patched by Alex Xu.
|
|
- When detecting OpenSSL on Windows from our configure script, make
|
|
sure to try linking with the ws2_32 library. Fixes bug 23783;
|
|
bugfix on 0.3.2.2-alpha.
|
|
|
|
o Minor bugfixes (control port, linux seccomp2 sandbox):
|
|
- Avoid a crash when attempting to use the seccomp2 sandbox together
|
|
with the OwningControllerProcess feature. Fixes bug 24198; bugfix
|
|
on 0.2.5.1-alpha.
|
|
|
|
o Minor bugfixes (control port, onion services):
|
|
- Report "FAILED" instead of "UPLOAD_FAILED" "FAILED" for the
|
|
HS_DESC event when a service is not able to upload a descriptor.
|
|
Fixes bug 24230; bugfix on 0.2.7.1-alpha.
|
|
|
|
o Minor bugfixes (directory cache):
|
|
- Recover better from empty or corrupt files in the consensus cache
|
|
directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
|
|
- When a consensus diff calculation is only partially successful,
|
|
only record the successful parts as having succeeded. Partial
|
|
success can happen if (for example) one compression method fails
|
|
but the others succeed. Previously we misrecorded all the
|
|
calculations as having succeeded, which would later cause a
|
|
nonfatal assertion failure. Fixes bug 24086; bugfix
|
|
on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (logging):
|
|
- Only log once if we notice that KIST support is gone. Fixes bug
|
|
24158; bugfix on 0.3.2.1-alpha.
|
|
- Suppress a log notice when relay descriptors arrive. We already
|
|
have a bootstrap progress for this so no need to log notice
|
|
everytime tor receives relay descriptors. Microdescriptors behave
|
|
the same. Fixes bug 23861; bugfix on 0.2.8.2-alpha.
|
|
|
|
o Minor bugfixes (network layer):
|
|
- When closing a connection via close_connection_immediately(), we
|
|
mark it as "not blocked on bandwidth", to prevent later calls from
|
|
trying to unblock it, and give it permission to read. This fixes a
|
|
backtrace warning that can happen on relays under various
|
|
circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
|
|
|
|
o Minor bugfixes (onion services):
|
|
- The introduction circuit was being timed out too quickly while
|
|
waiting for the rendezvous circuit to complete. Keep the intro
|
|
circuit around longer instead of timing out and reopening new ones
|
|
constantly. Fixes bug 23681; bugfix on 0.2.4.8-alpha.
|
|
- Rename the consensus parameter "hsdir-interval" to "hsdir_interval"
|
|
so it matches dir-spec.txt. Fixes bug 24262; bugfix
|
|
on 0.3.1.1-alpha.
|
|
- Silence a warning about failed v3 onion descriptor uploads that
|
|
can happen naturally under certain edge cases. Fixes part of bug
|
|
23662; bugfix on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (tests):
|
|
- Fix a memory leak in one of the bridge-distribution test cases.
|
|
Fixes bug 24345; bugfix on 0.3.2.3-alpha.
|
|
- Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(),
|
|
to correctly handle cases where a caller gives it an RSA key of
|
|
under 160 bits. (This is not actually a bug in Tor itself, but
|
|
rather in our fuzzing code.) Fixes bug 24247; bugfix on
|
|
0.3.0.3-alpha. Found by OSS-Fuzz as issue 4177.
|
|
|
|
o Documentation:
|
|
- Add notes in man page regarding OS support for the various
|
|
scheduler types. Attempt to use less jargon in the scheduler
|
|
section. Closes ticket 24254.
|
|
|
|
|
|
Changes in version 0.3.2.4-alpha - 2017-11-08
|
|
Tor 0.3.2.4-alpha is the fourth alpha release in the 0.3.2.x series.
|
|
It fixes several stability and reliability bugs, especially including
|
|
a major reliability issue that has been plaguing fast exit relays in
|
|
recent months.
|
|
|
|
o Major bugfixes (exit relays, DNS):
|
|
- Fix an issue causing DNS to fail on high-bandwidth exit nodes,
|
|
making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
|
|
0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
|
|
identifying and finding a workaround to this bug and to Moritz,
|
|
Arthur Edelstein, and Roger for helping to track it down and
|
|
analyze it.
|
|
|
|
o Major bugfixes (scheduler, channel):
|
|
- Stop processing scheduled channels if they closed while flushing
|
|
cells. This can happen if the write on the connection fails
|
|
leading to the channel being closed while in the scheduler loop.
|
|
Fixes bug 23751; bugfix on 0.3.2.1-alpha.
|
|
|
|
o Minor features (logging, scheduler):
|
|
- Introduce a SCHED_BUG() function to log extra information about
|
|
the scheduler state if we ever catch a bug in the scheduler.
|
|
Closes ticket 23753.
|
|
|
|
o Minor features (removed deprecations):
|
|
- The ClientDNSRejectInternalAddresses flag can once again be set in
|
|
non-testing Tor networks, so long as they do not use the default
|
|
directory authorities. This change also removes the deprecation of
|
|
this flag from 0.2.9.2-alpha. Closes ticket 21031.
|
|
|
|
o Minor features (testing):
|
|
- Our fuzzing tests now test the encrypted portions of v3 onion
|
|
service descriptors. Implements more of 21509.
|
|
|
|
o Minor bugfixes (directory client):
|
|
- On failure to download directory information, delay retry attempts
|
|
by a random amount based on the "decorrelated jitter" algorithm.
|
|
Our previous delay algorithm tended to produce extra-long delays
|
|
too easily. Fixes bug 23816; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Minor bugfixes (IPv6, v3 single onion services):
|
|
- Remove buggy code for IPv6-only v3 single onion services, and
|
|
reject attempts to configure them. This release supports IPv4,
|
|
dual-stack, and IPv6-only v3 onion services; and IPv4 and dual-
|
|
stack v3 single onion services. Fixes bug 23820; bugfix
|
|
on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (logging, relay):
|
|
- Give only a protocol warning when the ed25519 key is not
|
|
consistent between the descriptor and microdescriptor of a relay.
|
|
This can happen, for instance, if the relay has been flagged
|
|
NoEdConsensus. Fixes bug 24025; bugfix on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (manpage, onion service):
|
|
- Document that the HiddenServiceNumIntroductionPoints option is
|
|
0-10 for v2 services and 0-20 for v3 services. Fixes bug 24115;
|
|
bugfix on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (memory leaks):
|
|
- Fix a minor memory leak at exit in the KIST scheduler. This bug
|
|
should have no user-visible impact. Fixes bug 23774; bugfix
|
|
on 0.3.2.1-alpha.
|
|
- Fix a memory leak when decrypting a badly formatted v3 onion
|
|
service descriptor. Fixes bug 24150; bugfix on 0.3.2.1-alpha.
|
|
Found by OSS-Fuzz; this is OSS-Fuzz issue 3994.
|
|
|
|
o Minor bugfixes (onion services):
|
|
- Cache some needed onion service client information instead of
|
|
constantly computing it over and over again. Fixes bug 23623;
|
|
bugfix on 0.3.2.1-alpha.
|
|
- Properly retry HSv3 descriptor fetches when missing required
|
|
directory information. Fixes bug 23762; bugfix on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (path selection):
|
|
- When selecting relays by bandwidth, avoid a rounding error that
|
|
could sometimes cause load to be imbalanced incorrectly.
|
|
Previously, we would always round upwards; now, we round towards
|
|
the nearest integer. This had the biggest effect when a relay's
|
|
weight adjustments should have given it weight 0, but it got
|
|
weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
|
|
- When calculating the fraction of nodes that have descriptors, and
|
|
all nodes in the network have zero bandwidths, count the number of
|
|
nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
|
|
- Actually log the total bandwidth in compute_weighted_bandwidths().
|
|
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
|
|
|
|
o Minor bugfixes (relay, crash):
|
|
- Avoid a crash when transitioning from client mode to bridge mode.
|
|
Previously, we would launch the worker threads whenever our
|
|
"public server" mode changed, but not when our "server" mode
|
|
changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Fix a spurious fuzzing-only use of an uninitialized value. Found
|
|
by Brian Carpenter. Fixes bug 24082; bugfix on 0.3.0.3-alpha.
|
|
- Test that IPv6-only clients can use microdescriptors when running
|
|
"make test-network-all". Requires chutney master 61c28b9 or later.
|
|
Closes ticket 24109.
|
|
|
|
|
|
Changes in version 0.3.2.3-alpha - 2017-10-27
|
|
Tor 0.3.2.3-alpha is the third release in the 0.3.2 series. It fixes
|
|
numerous small bugs in earlier versions of 0.3.2.x, and adds a new
|
|
directory authority, Bastet.
|
|
|
|
o Directory authority changes:
|
|
- Add "Bastet" as a ninth directory authority to the default list.
|
|
Closes ticket 23910.
|
|
- The directory authority "Longclaw" has changed its IP address.
|
|
Closes ticket 23592.
|
|
|
|
o Minor features (bridge):
|
|
- Bridge relays can now set the BridgeDistribution config option to
|
|
add a "bridge-distribution-request" line to their bridge
|
|
descriptor, which tells BridgeDB how they'd like their bridge
|
|
address to be given out. (Note that as of Oct 2017, BridgeDB does
|
|
not yet implement this feature.) As a side benefit, this feature
|
|
provides a way to distinguish bridge descriptors from non-bridge
|
|
descriptors. Implements tickets 18329.
|
|
|
|
o Minor features (client, entry guards):
|
|
- Improve log messages when missing descriptors for primary guards.
|
|
Resolves ticket 23670.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (bridge):
|
|
- Overwrite the bridge address earlier in the process of retrieving
|
|
its descriptor, to make sure we reach it on the configured
|
|
address. Fixes bug 20532; bugfix on 0.2.0.10-alpha.
|
|
|
|
o Minor bugfixes (documentation):
|
|
- Document better how to read gcov, and what our gcov postprocessing
|
|
scripts do. Fixes bug 23739; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Minor bugfixes (entry guards):
|
|
- Tor now updates its guard state when it reads a consensus
|
|
regardless of whether it's missing descriptors. That makes tor use
|
|
its primary guards to fetch descriptors in some edge cases where
|
|
it would previously have used fallback directories. Fixes bug
|
|
23862; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (hidden service client):
|
|
- When handling multiple SOCKS request for the same .onion address,
|
|
only fetch the service descriptor once.
|
|
- When a descriptor fetch fails with a non-recoverable error, close
|
|
all pending SOCKS requests for that .onion. Fixes bug 23653;
|
|
bugfix on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (hidden service):
|
|
- Always regenerate missing hidden service public key files. Prior
|
|
to this, if the public key was deleted from disk, it wouldn't get
|
|
recreated. Fixes bug 23748; bugfix on 0.3.2.2-alpha. Patch
|
|
from "cathugger".
|
|
- Make sure that we have a usable ed25519 key when the intro point
|
|
relay supports ed25519 link authentication. Fixes bug 24002;
|
|
bugfix on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (hidden service, v2):
|
|
- When reloading configured hidden services, copy all information
|
|
from the old service object. Previously, some data was omitted,
|
|
causing delays in descriptor upload, and other bugs. Fixes bug
|
|
23790; bugfix on 0.2.1.9-alpha.
|
|
|
|
o Minor bugfixes (memory safety, defensive programming):
|
|
- Clear the target address when node_get_prim_orport() returns
|
|
early. Fixes bug 23874; bugfix on 0.2.8.2-alpha.
|
|
|
|
o Minor bugfixes (relay):
|
|
- Avoid a BUG warning when receiving a dubious CREATE cell while an
|
|
option transition is in progress. Fixes bug 23952; bugfix
|
|
on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Adjust the GitLab CI configuration to more closely match that of
|
|
Travis CI. Fixes bug 23757; bugfix on 0.3.2.2-alpha.
|
|
- Prevent scripts/test/coverage from attempting to move gcov output
|
|
to the root directory. Fixes bug 23741; bugfix on 0.2.5.1-alpha.
|
|
- When running unit tests as root, skip a test that would fail
|
|
because it expects a permissions error. This affects some
|
|
continuous integration setups. Fixes bug 23758; bugfix
|
|
on 0.3.2.2-alpha.
|
|
- Stop unconditionally mirroring the tor repository in GitLab CI.
|
|
This prevented developers from enabling GitLab CI on master. Fixes
|
|
bug 23755; bugfix on 0.3.2.2-alpha.
|
|
- Fix the hidden service v3 descriptor decoding fuzzing to use the
|
|
latest decoding API correctly. Fixes bug 21509; bugfix
|
|
on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (warnings):
|
|
- When we get an HTTP request on a SOCKS port, tell the user about
|
|
the new HTTPTunnelPort option. Previously, we would give a "Tor is
|
|
not an HTTP Proxy" message, which stopped being true when
|
|
HTTPTunnelPort was introduced. Fixes bug 23678; bugfix
|
|
on 0.3.2.1-alpha.
|
|
|
|
|
|
Changes in version 0.2.5.15 - 2017-10-25
|
|
Tor 0.2.5.15 backports a collection of bugfixes from later Tor release
|
|
series. It also adds a new directory authority, Bastet.
|
|
|
|
Note: the Tor 0.2.5 series will no longer be supported after 1 May
|
|
2018. If you need a release with long-term support, please upgrade to
|
|
the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
|
|
|
|
o Directory authority changes:
|
|
- Add "Bastet" as a ninth directory authority to the default list.
|
|
Closes ticket 23910.
|
|
- The directory authority "Longclaw" has changed its IP address.
|
|
Closes ticket 23592.
|
|
|
|
o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
|
|
- Avoid an assertion failure bug affecting our implementation of
|
|
inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
|
|
handling of "0xx" differs from what we had expected. Fixes bug
|
|
22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha):
|
|
- Fix a memset() off the end of an array when packing cells. This
|
|
bug should be harmless in practice, since the corrupted bytes are
|
|
still in the same structure, and are always padding bytes,
|
|
ignored, or immediately overwritten, depending on compiler
|
|
behavior. Nevertheless, because the memset()'s purpose is to make
|
|
sure that any other cell-handling bugs can't expose bytes to the
|
|
network, we need to fix it. Fixes bug 22737; bugfix on
|
|
0.2.4.11-alpha. Fixes CID 1401591.
|
|
|
|
o Build features (backport from 0.3.1.5-alpha):
|
|
- Tor's repository now includes a Travis Continuous Integration (CI)
|
|
configuration file (.travis.yml). This is meant to help new
|
|
developers and contributors who fork Tor to a Github repository be
|
|
better able to test their changes, and understand what we expect
|
|
to pass. To use this new build feature, you must fork Tor to your
|
|
Github account, then go into the "Integrations" menu in the
|
|
repository settings for your fork and enable Travis, then push
|
|
your changes. Closes ticket 22636.
|
|
|
|
|
|
Changes in version 0.2.8.16 - 2017-10-25
|
|
Tor 0.2.8.16 backports a collection of bugfixes from later Tor release
|
|
series, including a bugfix for a crash issue that had affected relays
|
|
under memory pressure. It also adds a new directory authority, Bastet.
|
|
|
|
Note: the Tor 0.2.8 series will no longer be supported after 1 Jan
|
|
2018. If you need a release with long-term support, please stick with
|
|
the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
|
|
|
|
o Directory authority changes:
|
|
- Add "Bastet" as a ninth directory authority to the default list.
|
|
Closes ticket 23910.
|
|
- The directory authority "Longclaw" has changed its IP address.
|
|
Closes ticket 23592.
|
|
|
|
o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
|
|
- Fix a timing-based assertion failure that could occur when the
|
|
circuit out-of-memory handler freed a connection's output buffer.
|
|
Fixes bug 23690; bugfix on 0.2.6.1-alpha.
|
|
|
|
o Minor features (directory authorities, backport from 0.3.2.2-alpha):
|
|
- Remove longclaw's IPv6 address, as it will soon change. Authority
|
|
IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
|
|
3/8 directory authorities with IPv6 addresses, but there are also
|
|
52 fallback directory mirrors with IPv6 addresses. Resolves 19760.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
|
|
Changes in version 0.2.9.13 - 2017-10-25
|
|
Tor 0.2.9.13 backports a collection of bugfixes from later Tor release
|
|
series, including a bugfix for a crash issue that had affected relays
|
|
under memory pressure. It also adds a new directory authority, Bastet.
|
|
|
|
o Directory authority changes:
|
|
- Add "Bastet" as a ninth directory authority to the default list.
|
|
Closes ticket 23910.
|
|
- The directory authority "Longclaw" has changed its IP address.
|
|
Closes ticket 23592.
|
|
|
|
o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
|
|
- Fix a timing-based assertion failure that could occur when the
|
|
circuit out-of-memory handler freed a connection's output buffer.
|
|
Fixes bug 23690; bugfix on 0.2.6.1-alpha.
|
|
|
|
o Minor features (directory authorities, backport from 0.3.2.2-alpha):
|
|
- Remove longclaw's IPv6 address, as it will soon change. Authority
|
|
IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
|
|
3/8 directory authorities with IPv6 addresses, but there are also
|
|
52 fallback directory mirrors with IPv6 addresses. Resolves 19760.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (directory authority, backport from 0.3.1.5-alpha):
|
|
- When a directory authority rejects a descriptor or extrainfo with
|
|
a given digest, mark that digest as undownloadable, so that we do
|
|
not attempt to download it again over and over. We previously
|
|
tried to avoid downloading such descriptors by other means, but we
|
|
didn't notice if we accidentally downloaded one anyway. This
|
|
behavior became problematic in 0.2.7.2-alpha, when authorities
|
|
began pinning Ed25519 keys. Fixes bug 22349; bugfix
|
|
on 0.2.1.19-alpha.
|
|
|
|
o Minor bugfixes (memory safety, backport from 0.3.2.3-alpha):
|
|
- Clear the address when node_get_prim_orport() returns early.
|
|
Fixes bug 23874; bugfix on 0.2.8.2-alpha.
|
|
|
|
o Minor bugfixes (Windows service, backport from 0.3.1.6-rc):
|
|
- When running as a Windows service, set the ID of the main thread
|
|
correctly. Failure to do so made us fail to send log messages to
|
|
the controller in 0.2.1.16-rc, slowed down controller event
|
|
delivery in 0.2.7.3-rc and later, and crash with an assertion
|
|
failure in 0.3.1.1-alpha. Fixes bug 23081; bugfix on 0.2.1.6-alpha.
|
|
Patch and diagnosis from "Vort".
|
|
|
|
|
|
Changes in version 0.3.0.12 - 2017-10-25
|
|
Tor 0.3.0.12 backports a collection of bugfixes from later Tor release
|
|
series, including a bugfix for a crash issue that had affected relays
|
|
under memory pressure. It also adds a new directory authority, Bastet.
|
|
|
|
Note: the Tor 0.3.0 series will no longer be supported after 26 Jan
|
|
2018. If you need a release with long-term support, please stick with
|
|
the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
|
|
|
|
o Directory authority changes:
|
|
- Add "Bastet" as a ninth directory authority to the default list.
|
|
Closes ticket 23910.
|
|
- The directory authority "Longclaw" has changed its IP address.
|
|
Closes ticket 23592.
|
|
|
|
o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
|
|
- Fix a timing-based assertion failure that could occur when the
|
|
circuit out-of-memory handler freed a connection's output buffer.
|
|
Fixes bug 23690; bugfix on 0.2.6.1-alpha.
|
|
|
|
o Minor features (directory authorities, backport from 0.3.2.2-alpha):
|
|
- Remove longclaw's IPv6 address, as it will soon change. Authority
|
|
IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
|
|
3/8 directory authorities with IPv6 addresses, but there are also
|
|
52 fallback directory mirrors with IPv6 addresses. Resolves 19760.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (directory authority, backport from 0.3.1.5-alpha):
|
|
- When a directory authority rejects a descriptor or extrainfo with
|
|
a given digest, mark that digest as undownloadable, so that we do
|
|
not attempt to download it again over and over. We previously
|
|
tried to avoid downloading such descriptors by other means, but we
|
|
didn't notice if we accidentally downloaded one anyway. This
|
|
behavior became problematic in 0.2.7.2-alpha, when authorities
|
|
began pinning Ed25519 keys. Fixes bug 22349; bugfix
|
|
on 0.2.1.19-alpha.
|
|
|
|
o Minor bugfixes (hidden service, relay, backport from 0.3.2.2-alpha):
|
|
- Avoid a possible double close of a circuit by the intro point on
|
|
error of sending the INTRO_ESTABLISHED cell. Fixes bug 23610;
|
|
bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (memory safety, backport from 0.3.2.3-alpha):
|
|
- Clear the address when node_get_prim_orport() returns early.
|
|
Fixes bug 23874; bugfix on 0.2.8.2-alpha.
|
|
|
|
o Minor bugfixes (Windows service, backport from 0.3.1.6-rc):
|
|
- When running as a Windows service, set the ID of the main thread
|
|
correctly. Failure to do so made us fail to send log messages to
|
|
the controller in 0.2.1.16-rc, slowed down controller event
|
|
delivery in 0.2.7.3-rc and later, and crash with an assertion
|
|
failure in 0.3.1.1-alpha. Fixes bug 23081; bugfix on 0.2.1.6-alpha.
|
|
Patch and diagnosis from "Vort".
|
|
|
|
|
|
Changes in version 0.3.1.8 - 2017-10-25
|
|
Tor 0.3.1.8 is the second stable release in the 0.3.1 series.
|
|
It includes several bugfixes, including a bugfix for a crash issue
|
|
that had affected relays under memory pressure. It also adds
|
|
a new directory authority, Bastet.
|
|
|
|
o Directory authority changes:
|
|
- Add "Bastet" as a ninth directory authority to the default list.
|
|
Closes ticket 23910.
|
|
- The directory authority "Longclaw" has changed its IP address.
|
|
Closes ticket 23592.
|
|
|
|
o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
|
|
- Fix a timing-based assertion failure that could occur when the
|
|
circuit out-of-memory handler freed a connection's output buffer.
|
|
Fixes bug 23690; bugfix on 0.2.6.1-alpha.
|
|
|
|
o Minor features (directory authorities, backport from 0.3.2.2-alpha):
|
|
- Remove longclaw's IPv6 address, as it will soon change. Authority
|
|
IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
|
|
3/8 directory authorities with IPv6 addresses, but there are also
|
|
52 fallback directory mirrors with IPv6 addresses. Resolves 19760.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (compilation, backport from 0.3.2.2-alpha):
|
|
- Fix a compilation warning when building with zstd support on
|
|
32-bit platforms. Fixes bug 23568; bugfix on 0.3.1.1-alpha. Found
|
|
and fixed by Andreas Stieger.
|
|
|
|
o Minor bugfixes (compression, backport from 0.3.2.2-alpha):
|
|
- Handle a pathological case when decompressing Zstandard data when
|
|
the output buffer size is zero. Fixes bug 23551; bugfix
|
|
on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (directory authority, backport from 0.3.2.1-alpha):
|
|
- Remove the length limit on HTTP status lines that authorities can
|
|
send in their replies. Fixes bug 23499; bugfix on 0.3.1.6-rc.
|
|
|
|
o Minor bugfixes (hidden service, relay, backport from 0.3.2.2-alpha):
|
|
- Avoid a possible double close of a circuit by the intro point on
|
|
error of sending the INTRO_ESTABLISHED cell. Fixes bug 23610;
|
|
bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (memory safety, backport from 0.3.2.3-alpha):
|
|
- Clear the address when node_get_prim_orport() returns early.
|
|
Fixes bug 23874; bugfix on 0.2.8.2-alpha.
|
|
|
|
o Minor bugfixes (unit tests, backport from 0.3.2.2-alpha):
|
|
- Fix additional channelpadding unit test failures by using mocked
|
|
time instead of actual time for all tests. Fixes bug 23608; bugfix
|
|
on 0.3.1.1-alpha.
|
|
|
|
|
|
Changes in version 0.3.2.2-alpha - 2017-09-29
|
|
Tor 0.3.2.2-alpha is the second release in the 0.3.2 series. This
|
|
release fixes several minor bugs in the new scheduler and next-
|
|
generation onion services; both features were newly added in the 0.3.2
|
|
series. Other fixes in this alpha include several fixes for non-fatal
|
|
tracebacks which would appear in logs.
|
|
|
|
With the aim to stabilise the 0.3.2 series by 15 December 2017, this
|
|
alpha does not contain any substantial new features. Minor features
|
|
include better testing and logging.
|
|
|
|
The following comprises the complete list of changes included
|
|
in tor-0.3.2.2-alpha:
|
|
|
|
o Major bugfixes (relay, crash, assertion failure):
|
|
- Fix a timing-based assertion failure that could occur when the
|
|
circuit out-of-memory handler freed a connection's output buffer.
|
|
Fixes bug 23690; bugfix on 0.2.6.1-alpha.
|
|
|
|
o Major bugfixes (scheduler):
|
|
- If a channel is put into the scheduler's pending list, then it
|
|
starts closing, and then if the scheduler runs before it finishes
|
|
closing, the scheduler will get stuck trying to flush its cells
|
|
while the lower layers refuse to cooperate. Fix that race
|
|
condition by giving the scheduler an escape method. Fixes bug
|
|
23676; bugfix on 0.3.2.1-alpha.
|
|
|
|
o Minor features (build, compilation):
|
|
- The "check-changes" feature is now part of the "make check" tests;
|
|
we'll use it to try to prevent misformed changes files from
|
|
accumulating. Closes ticket 23564.
|
|
- Tor builds should now fail if there are any mismatches between the
|
|
C type representing a configuration variable and the C type the
|
|
data-driven parser uses to store a value there. Previously, we
|
|
needed to check these by hand, which sometimes led to mistakes.
|
|
Closes ticket 23643.
|
|
|
|
o Minor features (directory authorities):
|
|
- Remove longclaw's IPv6 address, as it will soon change. Authority
|
|
IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
|
|
3/8 directory authorities with IPv6 addresses, but there are also
|
|
52 fallback directory mirrors with IPv6 addresses. Resolves 19760.
|
|
|
|
o Minor features (hidden service, circuit, logging):
|
|
- Improve logging of many callsite in the circuit subsystem to print
|
|
the circuit identifier(s).
|
|
- Log when we cleanup an intro point from a service so we know when
|
|
and for what reason it happened. Closes ticket 23604.
|
|
|
|
o Minor features (logging):
|
|
- Log more circuit information whenever we are about to try to
|
|
package a relay cell on a circuit with a nonexistent n_chan.
|
|
Attempt to diagnose ticket 8185.
|
|
- Improve info-level log identification of particular circuits, to
|
|
help with debugging. Closes ticket 23645.
|
|
|
|
o Minor features (relay):
|
|
- When choosing which circuits can be expired as unused, consider
|
|
circuits from clients even if those clients used regular CREATE
|
|
cells to make them; and do not consider circuits from relays even
|
|
if they were made with CREATE_FAST. Part of ticket 22805.
|
|
|
|
o Minor features (robustness):
|
|
- Change several fatal assertions when flushing buffers into non-
|
|
fatal assertions, to prevent any recurrence of 23690.
|
|
|
|
o Minor features (spec conformance, bridge, diagnostic):
|
|
- When handling the USERADDR command on an ExtOrPort, warn when the
|
|
transports provides a USERADDR with no port. In a future version,
|
|
USERADDR commands of this format may be rejected. Detects problems
|
|
related to ticket 23080.
|
|
|
|
o Minor features (testing):
|
|
- Add a unit test to make sure that our own generated platform
|
|
string will be accepted by directory authorities. Closes
|
|
ticket 22109.
|
|
|
|
o Minor bugfixes (bootstrapping):
|
|
- When warning about state file clock skew, report the correct
|
|
direction for the detected skew. Fixes bug 23606; bugfix
|
|
on 0.2.8.1-alpha.
|
|
- Avoid an assertion failure when logging a state file clock skew
|
|
very early in bootstrapping. Fixes bug 23607; bugfix
|
|
on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (build, compilation):
|
|
- Fix a compilation warning when building with zstd support on
|
|
32-bit platforms. Fixes bug 23568; bugfix on 0.3.1.1-alpha. Found
|
|
and fixed by Andreas Stieger.
|
|
- When searching for OpenSSL, don't accept any OpenSSL library that
|
|
lacks TLSv1_1_method(): Tor doesn't build with those versions.
|
|
Additionally, look in /usr/local/opt/openssl, if it's present.
|
|
These changes together repair the default build on OSX systems
|
|
with Homebrew installed. Fixes bug 23602; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (compression):
|
|
- Handle a pathological case when decompressing Zstandard data when
|
|
the output buffer size is zero. Fixes bug 23551; bugfix
|
|
on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (documentation):
|
|
- Fix manpage to not refer to the obsolete (and misspelled)
|
|
UseEntryGuardsAsDirectoryGuards parameter in the description of
|
|
NumDirectoryGuards. Fixes bug 23611; bugfix on 0.2.4.8-alpha.
|
|
|
|
o Minor bugfixes (hidden service v3):
|
|
- Don't log an assertion failure when we can't find the right
|
|
information to extend to an introduction point. In rare cases,
|
|
this could happen, causing a warning, even though tor would
|
|
recover gracefully. Fixes bug 23159; bugfix on 0.3.2.1-alpha.
|
|
- Pad RENDEZVOUS cell up to the size of the legacy cell which is
|
|
much bigger so the rendezvous point can't distinguish which hidden
|
|
service protocol is being used. Fixes bug 23420; bugfix
|
|
on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (hidden service, relay):
|
|
- Avoid a possible double close of a circuit by the intro point on
|
|
error of sending the INTRO_ESTABLISHED cell. Fixes bug 23610;
|
|
bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (logging, relay shutdown, annoyance):
|
|
- When a circuit is marked for close, do not attempt to package any
|
|
cells for channels on that circuit. Previously, we would detect
|
|
this condition lower in the call stack, when we noticed that the
|
|
circuit had no attached channel, and log an annoying message.
|
|
Fixes bug 8185; bugfix on 0.2.5.4-alpha.
|
|
|
|
o Minor bugfixes (scheduler):
|
|
- When switching schedulers due to a consensus change, we didn't
|
|
give the new scheduler a chance to react to the consensus. Fix
|
|
that. Fixes bug 23537; bugfix on 0.3.2.1-alpha.
|
|
- Make the KISTSchedRunInterval option a non negative value. With
|
|
this, the way to disable KIST through the consensus is to set it
|
|
to 0. Fixes bug 23539; bugfix on 0.3.2.1-alpha.
|
|
- Only notice log the selected scheduler when we switch scheduler
|
|
types. Fixes bug 23552; bugfix on 0.3.2.1-alpha.
|
|
- Avoid a compilation warning on macOS in scheduler_ev_add() caused
|
|
by a different tv_usec data type. Fixes bug 23575; bugfix
|
|
on 0.3.2.1-alpha.
|
|
- Make a hard exit if tor is unable to pick a scheduler which can
|
|
happen if the user specifies a scheduler type that is not
|
|
supported and not other types in Schedulers. Fixes bug 23581;
|
|
bugfix on 0.3.2.1-alpha.
|
|
- Properly initialize the scheduler last run time counter so it is
|
|
not 0 at the first tick. Fixes bug 23696; bugfix on 0.3.2.1-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Capture and detect several "Result does not fit" warnings in unit
|
|
tests on platforms with 32-bit time_t. Fixes bug 21800; bugfix
|
|
on 0.2.9.3-alpha.
|
|
- Fix additional channelpadding unit test failures by using mocked
|
|
time instead of actual time for all tests. Fixes bug 23608; bugfix
|
|
on 0.3.1.1-alpha.
|
|
- The removal of some old scheduler options caused some tests to
|
|
fail on BSD systems. Assume current behavior is correct and make
|
|
the tests pass again. Fixes bug 23566; bugfix on 0.3.2.1-alpha.
|
|
|
|
o Code simplification and refactoring:
|
|
- Remove various ways of testing circuits and connections for
|
|
"clientness"; instead, favor channel_is_client(). Part of
|
|
ticket 22805.
|
|
|
|
o Deprecated features:
|
|
- The ReachableDirAddresses and ClientPreferIPv6DirPort options are
|
|
now deprecated; they do not apply to relays, and they have had no
|
|
effect on clients since 0.2.8.x. Closes ticket 19704.
|
|
|
|
o Documentation:
|
|
- HiddenServiceVersion man page entry wasn't mentioning the now
|
|
supported version 3. Fixes ticket 23580; bugfix on 0.3.2.1-alpha.
|
|
- Clarify that the Address option is entirely about setting an
|
|
advertised IPv4 address. Closes ticket 18891.
|
|
- Clarify the manpage's use of the term "address" to clarify what
|
|
kind of address is intended. Closes ticket 21405.
|
|
- Document that onion service subdomains are allowed, and ignored.
|
|
Closes ticket 18736.
|
|
|
|
|
|
Changes in version 0.3.2.1-alpha - 2017-09-18
|
|
Tor 0.3.2.1-alpha is the first release in the 0.3.2.x series. It
|
|
includes support for our next-generation ("v3") onion service
|
|
protocol, and adds a new circuit scheduler for more responsive
|
|
forwarding decisions from relays. There are also numerous other small
|
|
features and bugfixes here.
|
|
|
|
Below are the changes since Tor 0.3.1.7.
|
|
|
|
o Major feature (scheduler, channel):
|
|
- Tor now uses new schedulers to decide which circuits should
|
|
deliver cells first, in order to improve congestion at relays. The
|
|
first type is called "KIST" ("Kernel Informed Socket Transport"),
|
|
and is only available on Linux-like systems: it uses feedback from
|
|
the kernel to prevent the kernel's TCP buffers from growing too
|
|
full. The second new scheduler type is called "KISTLite": it
|
|
behaves the same as KIST, but runs on systems without kernel
|
|
support for inspecting TCP implementation details. The old
|
|
scheduler is still available, under the name "Vanilla". To change
|
|
the default scheduler preference order, use the new "Schedulers"
|
|
option. (The default preference order is "KIST,KISTLite,Vanilla".)
|
|
|
|
Matt Traudt implemented KIST, based on research by Rob Jansen,
|
|
John Geddes, Christ Wacek, Micah Sherr, and Paul Syverson. For
|
|
more information, see the design paper at
|
|
http://www.robgjansen.com/publications/kist-sec2014.pdf and the
|
|
followup implementation paper at https://arxiv.org/abs/1709.01044.
|
|
Closes ticket 12541.
|
|
|
|
o Major features (next-generation onion services):
|
|
- Tor now supports the next-generation onion services protocol for
|
|
clients and services! As part of this release, the core of
|
|
proposal 224 has been implemented and is available for
|
|
experimentation and testing by our users. This newer version of
|
|
onion services ("v3") features many improvements over the legacy
|
|
system, including:
|
|
|
|
a) Better crypto (replaced SHA1/DH/RSA1024
|
|
with SHA3/ed25519/curve25519)
|
|
|
|
b) Improved directory protocol, leaking much less information to
|
|
directory servers.
|
|
|
|
c) Improved directory protocol, with smaller surface for
|
|
targeted attacks.
|
|
|
|
d) Better onion address security against impersonation.
|
|
|
|
e) More extensible introduction/rendezvous protocol.
|
|
|
|
f) A cleaner and more modular codebase.
|
|
|
|
You can identify a next-generation onion address by its length:
|
|
they are 56 characters long, as in
|
|
"4acth47i6kxnvkewtm6q7ib2s3ufpo5sqbsnzjpbi7utijcltosqemad.onion".
|
|
|
|
In the future, we will release more options and features for v3
|
|
onion services, but we first need a testing period, so that the
|
|
current codebase matures and becomes more robust. Planned features
|
|
include: offline keys, advanced client authorization, improved
|
|
guard algorithms, and statistics. For full details, see
|
|
proposal 224.
|
|
|
|
Legacy ("v2") onion services will still work for the foreseeable
|
|
future, and will remain the default until this new codebase gets
|
|
tested and hardened. Service operators who want to experiment with
|
|
the new system can use the 'HiddenServiceVersion 3' torrc
|
|
directive along with the regular onion service configuration
|
|
options. We will publish a blog post about this new feature
|
|
soon! Enjoy!
|
|
|
|
o Major bugfixes (usability, control port):
|
|
- Report trusted clock skew indications as bootstrap errors, so
|
|
controllers can more easily alert users when their clocks are
|
|
wrong. Fixes bug 23506; bugfix on 0.1.2.6-alpha.
|
|
|
|
o Minor features (bug detection):
|
|
- Log a warning message with a stack trace for any attempt to call
|
|
get_options() during option validation. This pattern has caused
|
|
subtle bugs in the past. Closes ticket 22281.
|
|
|
|
o Minor features (client):
|
|
- You can now use Tor as a tunneled HTTP proxy: use the new
|
|
HTTPTunnelPort option to open a port that accepts HTTP CONNECT
|
|
requests. Closes ticket 22407.
|
|
- Add an extra check to make sure that we always use the newer guard
|
|
selection code for picking our guards. Closes ticket 22779.
|
|
- When downloading (micro)descriptors, don't split the list into
|
|
multiple requests unless we want at least 32 descriptors.
|
|
Previously, we split at 4, not 32, which led to significant
|
|
overhead in HTTP request size and degradation in compression
|
|
performance. Closes ticket 23220.
|
|
|
|
o Minor features (command line):
|
|
- Add a new commandline option, --key-expiration, which prints when
|
|
the current signing key is going to expire. Implements ticket
|
|
17639; patch by Isis Lovecruft.
|
|
|
|
o Minor features (control port):
|
|
- If an application tries to use the control port as an HTTP proxy,
|
|
respond with a meaningful "This is the Tor control port" message,
|
|
and log the event. Closes ticket 1667. Patch from Ravi
|
|
Chandra Padmala.
|
|
- Provide better error message for GETINFO desc/(id|name) when not
|
|
fetching router descriptors. Closes ticket 5847. Patch by
|
|
Kevin Butler.
|
|
- Add GETINFO "{desc,md}/download-enabled", to inform the controller
|
|
whether Tor will try to download router descriptors and
|
|
microdescriptors respectively. Closes ticket 22684.
|
|
- Added new GETINFO targets "ip-to-country/{ipv4,ipv6}-available",
|
|
so controllers can tell whether the geoip databases are loaded.
|
|
Closes ticket 23237.
|
|
- Adds a timestamp field to the CIRC_BW and STREAM_BW bandwidth
|
|
events. Closes ticket 19254. Patch by "DonnchaC".
|
|
|
|
o Minor features (development support):
|
|
- Developers can now generate a call-graph for Tor using the
|
|
"calltool" python program, which post-processes object dumps. It
|
|
should work okay on many Linux and OSX platforms, and might work
|
|
elsewhere too. To run it, install calltool from
|
|
https://gitweb.torproject.org/user/nickm/calltool.git and run
|
|
"make callgraph". Closes ticket 19307.
|
|
|
|
o Minor features (ed25519):
|
|
- Add validation function to checks for torsion components in
|
|
ed25519 public keys, used by prop224 client-side code. Closes
|
|
ticket 22006. Math help by Ian Goldberg.
|
|
|
|
o Minor features (exit relay, DNS):
|
|
- Improve the clarity and safety of the log message from evdns when
|
|
receiving an apparently spoofed DNS reply. Closes ticket 3056.
|
|
|
|
o Minor features (integration, hardening):
|
|
- Add a new NoExec option to prevent Tor from running other
|
|
programs. When this option is set to 1, Tor will never try to run
|
|
another program, regardless of the settings of
|
|
PortForwardingHelper, ClientTransportPlugin, or
|
|
ServerTransportPlugin. Once NoExec is set, it cannot be disabled
|
|
without restarting Tor. Closes ticket 22976.
|
|
|
|
o Minor features (logging):
|
|
- Improve the warning message for specifying a relay by nickname.
|
|
The previous message implied that nickname registration was still
|
|
part of the Tor network design, which it isn't. Closes
|
|
ticket 20488.
|
|
- If the sandbox filter fails to load, suggest to the user that
|
|
their kernel might not support seccomp2. Closes ticket 23090.
|
|
|
|
o Minor features (portability):
|
|
- Check at configure time whether uint8_t is the same type as
|
|
unsigned char. Lots of existing code already makes this
|
|
assumption, and there could be strict aliasing issues if the
|
|
assumption is violated. Closes ticket 22410.
|
|
|
|
o Minor features (relay, configuration):
|
|
- Reject attempts to use relative file paths when RunAsDaemon is
|
|
set. Previously, Tor would accept these, but the directory-
|
|
changing step of RunAsDaemon would give strange and/or confusing
|
|
results. Closes ticket 22731.
|
|
|
|
o Minor features (startup, safety):
|
|
- When configured to write a PID file, Tor now exits if it is unable
|
|
to do so. Previously, it would warn and continue. Closes
|
|
ticket 20119.
|
|
|
|
o Minor features (static analysis):
|
|
- The BUG() macro has been changed slightly so that Coverity no
|
|
longer complains about dead code if the bug is impossible. Closes
|
|
ticket 23054.
|
|
|
|
o Minor features (testing):
|
|
- The default chutney network tests now include tests for the v3
|
|
hidden service design. Make sure you have the latest version of
|
|
chutney if you want to run these. Closes ticket 22437.
|
|
- Add a unit test to verify that we can parse a hardcoded v2 hidden
|
|
service descriptor. Closes ticket 15554.
|
|
|
|
o Minor bugfixes (certificate handling):
|
|
- Fix a time handling bug in Tor certificates set to expire after
|
|
the year 2106. Fixes bug 23055; bugfix on 0.3.0.1-alpha. Found by
|
|
Coverity as CID 1415728.
|
|
|
|
o Minor bugfixes (client, usability):
|
|
- Refrain from needlessly rejecting SOCKS5-with-hostnames and
|
|
SOCKS4a requests that contain IP address strings, even when
|
|
SafeSocks in enabled, as this prevents user from connecting to
|
|
known IP addresses without relying on DNS for resolving. SafeSocks
|
|
still rejects SOCKS connections that connect to IP addresses when
|
|
those addresses are _not_ encoded as hostnames. Fixes bug 22461;
|
|
bugfix on Tor 0.2.6.2-alpha.
|
|
|
|
o Minor bugfixes (code correctness):
|
|
- Call htons() in extend_cell_format() for encoding a 16-bit value.
|
|
Previously we used ntohs(), which happens to behave the same on
|
|
all the platforms we support, but which isn't really correct.
|
|
Fixes bug 23106; bugfix on 0.2.4.8-alpha.
|
|
- For defense-in-depth, make the controller's write_escaped_data()
|
|
function robust to extremely long inputs. Fixes bug 19281; bugfix
|
|
on 0.1.1.1-alpha. Reported by Guido Vranken.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Fix unused-variable warnings in donna's Curve25519 SSE2 code.
|
|
Fixes bug 22895; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (consensus expiry):
|
|
- Check for adequate directory information correctly. Previously, Tor
|
|
would reconsider whether it had sufficient directory information
|
|
every 2 minutes. Fixes bug 23091; bugfix on 0.2.0.19-alpha.
|
|
|
|
o Minor bugfixes (directory protocol):
|
|
- Directory servers now include a "Date:" http header for response
|
|
codes other than 200. Clients starting with a skewed clock and a
|
|
recent consensus were getting "304 Not modified" responses from
|
|
directory authorities, so without the Date header, the client
|
|
would never hear about a wrong clock. Fixes bug 23499; bugfix
|
|
on 0.0.8rc1.
|
|
- Make clients wait for 6 seconds before trying to download a
|
|
consensus from an authority. Fixes bug 17750; bugfix
|
|
on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (DoS-resistance):
|
|
- If future code asks if there are any running bridges, without
|
|
checking if bridges are enabled, log a BUG warning rather than
|
|
crashing. Fixes bug 23524; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (format strictness):
|
|
- Restrict several data formats to decimal. Previously, the
|
|
BuildTimeHistogram entries in the state file, the "bw=" entries in
|
|
the bandwidth authority file, and the process IDs passed to the
|
|
__OwningControllerProcess option could all be specified in hex or
|
|
octal as well as in decimal. This was not an intentional feature.
|
|
Fixes bug 22802; bugfixes on 0.2.2.1-alpha, 0.2.2.2-alpha,
|
|
and 0.2.2.28-beta.
|
|
|
|
o Minor bugfixes (heartbeat):
|
|
- If we fail to write a heartbeat message, schedule a retry for the
|
|
minimum heartbeat interval number of seconds in the future. Fixes
|
|
bug 19476; bugfix on 0.2.3.1-alpha.
|
|
|
|
o Minor bugfixes (linux seccomp2 sandbox, logging):
|
|
- Fix some messages on unexpected errors from the seccomp2 library.
|
|
Fixes bug 22750; bugfix on 0.2.5.1-alpha. Patch from "cypherpunks".
|
|
|
|
o Minor bugfixes (logging):
|
|
- Remove duplicate log messages regarding opening non-local
|
|
SocksPorts upon parsing config and opening listeners at startup.
|
|
Fixes bug 4019; bugfix on 0.2.3.3-alpha.
|
|
- Use a more comprehensible log message when telling the user
|
|
they've excluded every running exit node. Fixes bug 7890; bugfix
|
|
on 0.2.2.25-alpha.
|
|
- When logging the number of descriptors we intend to download per
|
|
directory request, do not log a number higher than then the number
|
|
of descriptors we're fetching in total. Fixes bug 19648; bugfix
|
|
on 0.1.1.8-alpha.
|
|
- When warning about a directory owned by the wrong user, log the
|
|
actual name of the user owning the directory. Previously, we'd log
|
|
the name of the process owner twice. Fixes bug 23487; bugfix
|
|
on 0.2.9.1-alpha.
|
|
- The tor specification says hop counts are 1-based, so fix two log
|
|
messages that mistakenly logged 0-based hop counts. Fixes bug
|
|
18982; bugfix on 0.2.6.2-alpha and 0.2.4.5-alpha. Patch by teor.
|
|
Credit to Xiaofan Li for reporting this issue.
|
|
|
|
o Minor bugfixes (portability):
|
|
- Stop using the PATH_MAX variable, which is not defined on GNU
|
|
Hurd. Fixes bug 23098; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (relay):
|
|
- When uploading our descriptor for the first time after startup,
|
|
report the reason for uploading as "Tor just started" rather than
|
|
leaving it blank. Fixes bug 22885; bugfix on 0.2.3.4-alpha.
|
|
- Avoid unnecessary calls to directory_fetches_from_authorities() on
|
|
relays, to prevent spurious address resolutions and descriptor
|
|
rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
|
|
bugfix on in 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (tests):
|
|
- Fix a broken unit test for the OutboundAddress option: the parsing
|
|
function was never returning an error on failure. Fixes bug 23366;
|
|
bugfix on 0.3.0.3-alpha.
|
|
- Fix a signed-integer overflow in the unit tests for
|
|
dir/download_status_random_backoff, which was untriggered until we
|
|
fixed bug 17750. Fixes bug 22924; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Minor bugfixes (usability, control port):
|
|
- Stop making an unnecessary routerlist check in NETINFO clock skew
|
|
detection; this was preventing clients from reporting NETINFO clock
|
|
skew to controllers. Fixes bug 23532; bugfix on 0.2.4.4-alpha.
|
|
|
|
o Code simplification and refactoring:
|
|
- Extract the code for handling newly-open channels into a separate
|
|
function from the general code to handle channel state
|
|
transitions. This change simplifies our callgraph, reducing the
|
|
size of the largest strongly connected component by roughly a
|
|
factor of two. Closes ticket 22608.
|
|
- Remove dead code for largely unused statistics on the number of
|
|
times we've attempted various public key operations. Fixes bug
|
|
19871; bugfix on 0.1.2.4-alpha. Fix by Isis Lovecruft.
|
|
- Remove several now-obsolete functions for asking about old
|
|
variants directory authority status. Closes ticket 22311; patch
|
|
from "huyvq".
|
|
- Remove some of the code that once supported "Named" and "Unnamed"
|
|
routers. Authorities no longer vote for these flags. Closes
|
|
ticket 22215.
|
|
- Rename the obsolete malleable hybrid_encrypt functions used in TAP
|
|
and old hidden services, to indicate that they aren't suitable for
|
|
new protocols or formats. Closes ticket 23026.
|
|
- Replace our STRUCT_OFFSET() macro with offsetof(). Closes ticket
|
|
22521. Patch from Neel Chauhan.
|
|
- Split the enormous circuit_send_next_onion_skin() function into
|
|
multiple subfunctions. Closes ticket 22804.
|
|
- Split the portions of the buffer.c module that handle particular
|
|
protocols into separate modules. Part of ticket 23149.
|
|
- Use our test macros more consistently, to produce more useful
|
|
error messages when our unit tests fail. Add coccinelle patches to
|
|
allow us to re-check for test macro uses. Closes ticket 22497.
|
|
|
|
o Deprecated features:
|
|
- Deprecate HTTPProxy/HTTPProxyAuthenticator config options. They
|
|
only applies to direct unencrypted HTTP connections to your
|
|
directory server, which your Tor probably isn't using. Closes
|
|
ticket 20575.
|
|
|
|
o Documentation:
|
|
- Clarify in the manual that "Sandbox 1" is only supported on Linux
|
|
kernels. Closes ticket 22677.
|
|
- Document all values of PublishServerDescriptor in the manpage.
|
|
Closes ticket 15645.
|
|
- Improve the documentation for the directory port part of the
|
|
DirAuthority line. Closes ticket 20152.
|
|
- Restore documentation for the authorities' "approved-routers"
|
|
file. Closes ticket 21148.
|
|
|
|
o Removed features:
|
|
- The AllowDotExit option has been removed as unsafe. It has been
|
|
deprecated since 0.2.9.2-alpha. Closes ticket 23426.
|
|
- The ClientDNSRejectInternalAddresses flag can no longer be set on
|
|
non-testing networks. It has been deprecated since 0.2.9.2-alpha.
|
|
Closes ticket 21031.
|
|
- The controller API no longer includes an AUTHDIR_NEWDESCS event:
|
|
nobody was using it any longer. Closes ticket 22377.
|
|
|
|
|
|
Changes in version 0.2.8.15 - 2017-09-18
|
|
Tor 0.2.8.15 backports a collection of bugfixes from later
|
|
Tor series.
|
|
|
|
Most significantly, it includes a fix for TROVE-2017-008, a
|
|
security bug that affects hidden services running with the
|
|
SafeLogging option disabled. For more information, see
|
|
https://trac.torproject.org/projects/tor/ticket/23490
|
|
|
|
Note that Tor 0.2.8.x will no longer be supported after 1 Jan
|
|
2018. We suggest that you upgrade to the latest stable release if
|
|
possible. If you can't, we recommend that you upgrade at least to
|
|
0.2.9, which will be supported until 2020.
|
|
|
|
o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
|
|
- Avoid an assertion failure bug affecting our implementation of
|
|
inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
|
|
handling of "0xx" differs from what we had expected. Fixes bug
|
|
22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
|
|
|
|
o Minor features:
|
|
- Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
|
|
- Backport a fix for an "unused variable" warning that appeared
|
|
in some versions of mingw. Fixes bug 22838; bugfix on
|
|
0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha):
|
|
- Fix a memset() off the end of an array when packing cells. This
|
|
bug should be harmless in practice, since the corrupted bytes are
|
|
still in the same structure, and are always padding bytes,
|
|
ignored, or immediately overwritten, depending on compiler
|
|
behavior. Nevertheless, because the memset()'s purpose is to make
|
|
sure that any other cell-handling bugs can't expose bytes to the
|
|
network, we need to fix it. Fixes bug 22737; bugfix on
|
|
0.2.4.11-alpha. Fixes CID 1401591.
|
|
|
|
o Build features (backport from 0.3.1.5-alpha):
|
|
- Tor's repository now includes a Travis Continuous Integration (CI)
|
|
configuration file (.travis.yml). This is meant to help new
|
|
developers and contributors who fork Tor to a Github repository be
|
|
better able to test their changes, and understand what we expect
|
|
to pass. To use this new build feature, you must fork Tor to your
|
|
Github account, then go into the "Integrations" menu in the
|
|
repository settings for your fork and enable Travis, then push
|
|
your changes. Closes ticket 22636.
|
|
|
|
|
|
Changes in version 0.2.9.12 - 2017-09-18
|
|
Tor 0.2.9.12 backports a collection of bugfixes from later
|
|
Tor series.
|
|
|
|
Most significantly, it includes a fix for TROVE-2017-008, a
|
|
security bug that affects hidden services running with the
|
|
SafeLogging option disabled. For more information, see
|
|
https://trac.torproject.org/projects/tor/ticket/23490
|
|
|
|
o Major features (security, backport from 0.3.0.2-alpha):
|
|
- Change the algorithm used to decide DNS TTLs on client and server
|
|
side, to better resist DNS-based correlation attacks like the
|
|
DefecTor attack of Greschbach, Pulls, Roberts, Winter, and
|
|
Feamster. Now relays only return one of two possible DNS TTL
|
|
values, and clients are willing to believe DNS TTL values up to 3
|
|
hours long. Closes ticket 19769.
|
|
|
|
o Major bugfixes (crash, directory connections, backport from 0.3.0.5-rc):
|
|
- Fix a rare crash when sending a begin cell on a circuit whose
|
|
linked directory connection had already been closed. Fixes bug
|
|
21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.
|
|
|
|
o Major bugfixes (DNS, backport from 0.3.0.2-alpha):
|
|
- Fix a bug that prevented exit nodes from caching DNS records for
|
|
more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha.
|
|
|
|
o Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha):
|
|
- Fix a typo that had prevented TPROXY-based transparent proxying
|
|
from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
|
|
Patch from "d4fq0fQAgoJ".
|
|
|
|
o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
|
|
- Avoid an assertion failure bug affecting our implementation of
|
|
inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
|
|
handling of "0xx" differs from what we had expected. Fixes bug
|
|
22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
|
|
|
|
o Minor features (code style, backport from 0.3.1.3-alpha):
|
|
- Add "Falls through" comments to our codebase, in order to silence
|
|
GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
|
|
Stieger. Closes ticket 22446.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (bandwidth accounting, backport from 0.3.1.1-alpha):
|
|
- Roll over monthly accounting at the configured hour and minute,
|
|
rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
|
|
Found by Andrey Karpov with PVS-Studio.
|
|
|
|
o Minor bugfixes (compilation, backport from 0.3.1.5-alpha):
|
|
- Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915;
|
|
bugfix on 0.2.8.1-alpha.
|
|
- Fix warnings when building with libscrypt and openssl scrypt support
|
|
on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
|
|
- When building with certain versions the mingw C header files, avoid
|
|
float-conversion warnings when calling the C functions isfinite(),
|
|
isnan(), and signbit(). Fixes bug 22801; bugfix on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (compilation, backport from 0.3.1.7):
|
|
- Avoid compiler warnings in the unit tests for running tor_sscanf()
|
|
with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.
|
|
|
|
o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
|
|
- Backport a fix for an "unused variable" warning that appeared
|
|
in some versions of mingw. Fixes bug 22838; bugfix on
|
|
0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (controller, backport from 0.3.1.7):
|
|
- Do not crash when receiving a HSPOST command with an empty body.
|
|
Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
|
|
- Do not crash when receiving a POSTDESCRIPTOR command with an
|
|
empty body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha):
|
|
- Avoid Coverity build warnings related to our BUG() macro. By
|
|
default, Coverity treats BUG() as the Linux kernel does: an
|
|
instant abort(). We need to override that so our BUG() macro
|
|
doesn't prevent Coverity from analyzing functions that use it.
|
|
Fixes bug 23030; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha):
|
|
- Fix a memset() off the end of an array when packing cells. This
|
|
bug should be harmless in practice, since the corrupted bytes are
|
|
still in the same structure, and are always padding bytes,
|
|
ignored, or immediately overwritten, depending on compiler
|
|
behavior. Nevertheless, because the memset()'s purpose is to make
|
|
sure that any other cell-handling bugs can't expose bytes to the
|
|
network, we need to fix it. Fixes bug 22737; bugfix on
|
|
0.2.4.11-alpha. Fixes CID 1401591.
|
|
|
|
o Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha):
|
|
- When setting the maximum number of connections allowed by the OS,
|
|
always allow some extra file descriptors for other files. Fixes
|
|
bug 22797; bugfix on 0.2.0.10-alpha.
|
|
|
|
o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha):
|
|
- Avoid a sandbox failure when trying to re-bind to a socket and
|
|
mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.
|
|
|
|
o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):
|
|
- Permit the fchmod system call, to avoid crashing on startup when
|
|
starting with the seccomp2 sandbox and an unexpected set of
|
|
permissions on the data directory or its contents. Fixes bug
|
|
22516; bugfix on 0.2.5.4-alpha.
|
|
|
|
o Minor bugfixes (relay, backport from 0.3.0.5-rc):
|
|
- Avoid a double-marked-circuit warning that could happen when we
|
|
receive DESTROY cells under heavy load. Fixes bug 20059; bugfix
|
|
on 0.1.0.1-rc.
|
|
|
|
o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):
|
|
- Reject version numbers with non-numeric prefixes (such as +, -, or
|
|
whitespace). Disallowing whitespace prevents differential version
|
|
parsing between POSIX-based and Windows platforms. Fixes bug 21507
|
|
and part of 21508; bugfix on 0.0.8pre1.
|
|
|
|
o Build features (backport from 0.3.1.5-alpha):
|
|
- Tor's repository now includes a Travis Continuous Integration (CI)
|
|
configuration file (.travis.yml). This is meant to help new
|
|
developers and contributors who fork Tor to a Github repository be
|
|
better able to test their changes, and understand what we expect
|
|
to pass. To use this new build feature, you must fork Tor to your
|
|
Github account, then go into the "Integrations" menu in the
|
|
repository settings for your fork and enable Travis, then push
|
|
your changes. Closes ticket 22636.
|
|
|
|
|
|
Changes in version 0.3.0.11 - 2017-09-18
|
|
Tor 0.3.0.11 backports a collection of bugfixes from Tor the 0.3.1
|
|
series.
|
|
|
|
Most significantly, it includes a fix for TROVE-2017-008, a
|
|
security bug that affects hidden services running with the
|
|
SafeLogging option disabled. For more information, see
|
|
https://trac.torproject.org/projects/tor/ticket/23490
|
|
|
|
o Minor features (code style, backport from 0.3.1.7):
|
|
- Add "Falls through" comments to our codebase, in order to silence
|
|
GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
|
|
Stieger. Closes ticket 22446.
|
|
|
|
o Minor features:
|
|
- Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (compilation, backport from 0.3.1.7):
|
|
- Avoid compiler warnings in the unit tests for calling tor_sscanf()
|
|
with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.
|
|
|
|
o Minor bugfixes (controller, backport from 0.3.1.7):
|
|
- Do not crash when receiving a HSPOST command with an empty body.
|
|
Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
|
|
- Do not crash when receiving a POSTDESCRIPTOR command with an empty
|
|
body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha):
|
|
- When setting the maximum number of connections allowed by the OS,
|
|
always allow some extra file descriptors for other files. Fixes
|
|
bug 22797; bugfix on 0.2.0.10-alpha.
|
|
|
|
o Minor bugfixes (logging, relay, backport from 0.3.1.6-rc):
|
|
- Remove a forgotten debugging message when an introduction point
|
|
successfully establishes a hidden service prop224 circuit with
|
|
a client.
|
|
- Change three other log_warn() for an introduction point to
|
|
protocol warnings, because they can be failure from the network
|
|
and are not relevant to the operator. Fixes bug 23078; bugfix on
|
|
0.3.0.1-alpha and 0.3.0.2-alpha.
|
|
|
|
|
|
Changes in version 0.3.1.7 - 2017-09-18
|
|
Tor 0.3.1.7 is the first stable release in the 0.3.1 series.
|
|
|
|
With the 0.3.1 series, Tor now serves and downloads directory
|
|
information in more compact formats, to save on bandwidth overhead. It
|
|
also contains a new padding system to resist netflow-based traffic
|
|
analysis, and experimental support for building parts of Tor in Rust
|
|
(though no parts of Tor are in Rust yet). There are also numerous
|
|
small features, bugfixes on earlier release series, and groundwork for
|
|
the hidden services revamp of 0.3.2.
|
|
|
|
This release also includes a fix for TROVE-2017-008, a security bug
|
|
that affects hidden services running with the SafeLogging option
|
|
disabled. For more information, see
|
|
https://trac.torproject.org/projects/tor/ticket/23490
|
|
|
|
Per our stable release policy, we plan to support each stable release
|
|
series for at least the next nine months, or for three months after
|
|
the first stable release of the next series: whichever is longer. If
|
|
you need a release with long-term support, we recommend that you stay
|
|
with the 0.2.9 series.
|
|
|
|
Below is a list of the changes since 0.3.1.6-rc. For a list of all
|
|
changes since 0.3.0, see the ReleaseNotes file.
|
|
|
|
o Major bugfixes (security, hidden services, loggging):
|
|
- Fix a bug where we could log uninitialized stack when a certain
|
|
hidden service error occurred while SafeLogging was disabled.
|
|
Fixes bug #23490; bugfix on 0.2.7.2-alpha. This is also tracked as
|
|
TROVE-2017-008 and CVE-2017-0380.
|
|
|
|
o Minor features (defensive programming):
|
|
- Create a pair of consensus parameters, nf_pad_tor2web and
|
|
nf_pad_single_onion, to disable netflow padding in the consensus
|
|
for non-anonymous connections in case the overhead is high. Closes
|
|
ticket 17857.
|
|
|
|
o Minor features (diagnostic):
|
|
- Add a stack trace to the bug warnings that can be logged when
|
|
trying to send an outgoing relay cell with n_chan == 0. Diagnostic
|
|
attempt for bug 23105.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Avoid compiler warnings in the unit tests for calling tor_sscanf()
|
|
with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Do not crash when receiving a HSPOST command with an empty body.
|
|
Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
|
|
- Do not crash when receiving a POSTDESCRIPTOR command with an empty
|
|
body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor bugfixes (relay):
|
|
- Inform the geoip and rephist modules about all requests, even on
|
|
relays that are only fetching microdescriptors. Fixes a bug
|
|
related to 21585; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (unit tests):
|
|
- Fix a channelpadding unit test failure on slow systems by using
|
|
mocked time instead of actual time. Fixes bug 23077; bugfix
|
|
on 0.3.1.1-alpha.
|
|
|
|
|
|
Changes in version 0.3.1.6-rc - 2017-09-05
|
|
Tor 0.3.1.6-rc fixes a few small bugs and annoyances in the 0.3.1
|
|
release series, including a bug that produced weird behavior on
|
|
Windows directory caches.
|
|
|
|
This is the first release candidate in the Tor 0.3.1 series. If we
|
|
find no new bugs or regressions here, the first stable 0.3.1 release
|
|
will be nearly identical to it.
|
|
|
|
o Major bugfixes (windows, directory cache):
|
|
- On Windows, do not try to delete cached consensus documents and
|
|
diffs before they are unmapped from memory--Windows won't allow
|
|
that. Instead, allow the consensus cache directory to grow larger,
|
|
to hold files that might need to stay around longer. Fixes bug
|
|
22752; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor features (directory authority):
|
|
- Improve the message that authorities report to relays that present
|
|
RSA/Ed25519 keypairs that conflict with previously pinned keys.
|
|
Closes ticket 22348.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the August 3 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (testing):
|
|
- Add more tests for compression backend initialization. Closes
|
|
ticket 22286.
|
|
|
|
o Minor bugfixes (directory cache):
|
|
- Fix a memory leak when recovering space in the consensus cache.
|
|
Fixes bug 23139; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (hidden service):
|
|
- Increase the number of circuits that a service is allowed to
|
|
open over a specific period of time. The value was lower than it
|
|
should be (8 vs 12) in the normal case of 3 introduction points.
|
|
Fixes bug 22159; bugfix on 0.3.0.5-rc.
|
|
- Fix a BUG warning during HSv3 descriptor decoding that could be
|
|
cause by a specially crafted descriptor. Fixes bug 23233; bugfix
|
|
on 0.3.0.1-alpha. Bug found by "haxxpop".
|
|
- Rate-limit the log messages if we exceed the maximum number of
|
|
allowed intro circuits. Fixes bug 22159; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (logging, relay):
|
|
- Remove a forgotten debugging message when an introduction point
|
|
successfully establishes a hidden service prop224 circuit with
|
|
a client.
|
|
- Change three other log_warn() for an introduction point to
|
|
protocol warnings, because they can be failure from the network
|
|
and are not relevant to the operator. Fixes bug 23078; bugfix on
|
|
0.3.0.1-alpha and 0.3.0.2-alpha.
|
|
|
|
o Minor bugfixes (relay):
|
|
- When a relay is not running as a directory cache, it will no
|
|
longer generate compressed consensuses and consensus diff
|
|
information. Previously, this was a waste of disk and CPU. Fixes
|
|
bug 23275; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (robustness, error handling):
|
|
- Improve our handling of the cases where OpenSSL encounters a
|
|
memory error while encoding keys and certificates. We haven't
|
|
observed these errors in the wild, but if they do happen, we now
|
|
detect and respond better. Fixes bug 19418; bugfix on all versions
|
|
of Tor. Reported by Guido Vranken.
|
|
|
|
o Minor bugfixes (stability):
|
|
- Avoid crashing on a double-free when unable to load or process an
|
|
included file. Fixes bug 23155; bugfix on 0.3.1.1-alpha. Found
|
|
with the clang static analyzer.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Fix an undersized buffer in test-memwipe.c. Fixes bug 23291;
|
|
bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij.
|
|
- Port the hs_ntor handshake test to work correctly with recent
|
|
versions of the pysha3 module. Fixes bug 23071; bugfix
|
|
on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (Windows service):
|
|
- When running as a Windows service, set the ID of the main thread
|
|
correctly. Failure to do so made us fail to send log messages to
|
|
the controller in 0.2.1.16-rc, slowed down controller event
|
|
delivery in 0.2.7.3-rc and later, and crash with an assertion
|
|
failure in 0.3.1.1-alpha. Fixes bug 23081; bugfix on 0.2.1.6-alpha.
|
|
Patch and diagnosis from "Vort".
|
|
|
|
|
|
Changes in version 0.3.0.10 - 2017-08-02
|
|
Tor 0.3.0.10 backports a collection of small-to-medium bugfixes
|
|
from the current Tor alpha series. OpenBSD users and TPROXY users
|
|
should upgrade; others are probably okay sticking with 0.3.0.9.
|
|
|
|
o Major features (build system, continuous integration, backport from 0.3.1.5-alpha):
|
|
- Tor's repository now includes a Travis Continuous Integration (CI)
|
|
configuration file (.travis.yml). This is meant to help new
|
|
developers and contributors who fork Tor to a Github repository be
|
|
better able to test their changes, and understand what we expect
|
|
to pass. To use this new build feature, you must fork Tor to your
|
|
Github account, then go into the "Integrations" menu in the
|
|
repository settings for your fork and enable Travis, then push
|
|
your changes. Closes ticket 22636.
|
|
|
|
o Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha):
|
|
- Fix a typo that had prevented TPROXY-based transparent proxying
|
|
from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
|
|
Patch from "d4fq0fQAgoJ".
|
|
|
|
o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
|
|
- Avoid an assertion failure bug affecting our implementation of
|
|
inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
|
|
handling of "0xbar" differs from what we had expected. Fixes bug
|
|
22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
|
|
|
|
o Minor features (backport from 0.3.1.5-alpha):
|
|
- Update geoip and geoip6 to the July 4 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (bandwidth accounting, backport from 0.3.1.2-alpha):
|
|
- Roll over monthly accounting at the configured hour and minute,
|
|
rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
|
|
Found by Andrey Karpov with PVS-Studio.
|
|
|
|
o Minor bugfixes (compilation warnings, backport from 0.3.1.5-alpha):
|
|
- Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915;
|
|
bugfix on 0.2.8.1-alpha.
|
|
- Fix warnings when building with libscrypt and openssl scrypt
|
|
support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
|
|
- When building with certain versions of the mingw C header files,
|
|
avoid float-conversion warnings when calling the C functions
|
|
isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix
|
|
on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
|
|
- Backport a fix for an "unused variable" warning that appeared
|
|
in some versions of mingw. Fixes bug 22838; bugfix on
|
|
0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha):
|
|
- Avoid Coverity build warnings related to our BUG() macro. By
|
|
default, Coverity treats BUG() as the Linux kernel does: an
|
|
instant abort(). We need to override that so our BUG() macro
|
|
doesn't prevent Coverity from analyzing functions that use it.
|
|
Fixes bug 23030; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Minor bugfixes (directory authority, backport from 0.3.1.1-alpha):
|
|
- When rejecting a router descriptor for running an obsolete version
|
|
of Tor without ntor support, warn about the obsolete tor version,
|
|
not the missing ntor key. Fixes bug 20270; bugfix on 0.2.9.3-alpha.
|
|
|
|
o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha):
|
|
- Avoid a sandbox failure when trying to re-bind to a socket and
|
|
mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.
|
|
|
|
o Minor bugfixes (unit tests, backport from 0.3.1.5-alpha)
|
|
- Fix a memory leak in the link-handshake/certs_ok_ed25519 test.
|
|
Fixes bug 22803; bugfix on 0.3.0.1-alpha.
|
|
|
|
|
|
Changes in version 0.3.1.5-alpha - 2017-08-01
|
|
Tor 0.3.1.5-alpha improves the performance of consensus diff
|
|
calculation, fixes a crash bug on older versions of OpenBSD, and fixes
|
|
several other bugs. If no serious bugs are found in this version, the
|
|
next version will be a release candidate.
|
|
|
|
This release also marks the end of support for the Tor 0.2.4.x,
|
|
0.2.6.x, and 0.2.7.x release series. Those releases will receive no
|
|
further bug or security fixes. Anyone still running or distributing
|
|
one of those versions should upgrade.
|
|
|
|
o Major features (build system, continuous integration):
|
|
- Tor's repository now includes a Travis Continuous Integration (CI)
|
|
configuration file (.travis.yml). This is meant to help new
|
|
developers and contributors who fork Tor to a Github repository be
|
|
better able to test their changes, and understand what we expect
|
|
to pass. To use this new build feature, you must fork Tor to your
|
|
Github account, then go into the "Integrations" menu in the
|
|
repository settings for your fork and enable Travis, then push
|
|
your changes. Closes ticket 22636.
|
|
|
|
o Major bugfixes (openbsd, denial-of-service):
|
|
- Avoid an assertion failure bug affecting our implementation of
|
|
inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
|
|
handling of "0xbar" differs from what we had expected. Fixes bug
|
|
22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
|
|
|
|
o Major bugfixes (relay, performance):
|
|
- Perform circuit handshake operations at a higher priority than we
|
|
use for consensus diff creation and compression. This should
|
|
prevent circuits from starving when a relay or bridge receives a
|
|
new consensus, especially on lower-powered machines. Fixes bug
|
|
22883; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor features (bridge authority):
|
|
- Add "fingerprint" lines to the networkstatus-bridges file produced
|
|
by bridge authorities. Closes ticket 22207.
|
|
|
|
o Minor features (directory cache, consensus diff):
|
|
- Add a new MaxConsensusAgeForDiffs option to allow directory cache
|
|
operators with low-resource environments to adjust the number of
|
|
consensuses they'll store and generate diffs from. Most cache
|
|
operators should leave it unchanged. Helps to work around
|
|
bug 22883.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the July 4 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (relay, performance):
|
|
- Always start relays with at least two worker threads, to prevent
|
|
priority inversion on slow tasks. Part of the fix for bug 22883.
|
|
- Allow background work to be queued with different priorities, so
|
|
that a big pile of slow low-priority jobs will not starve out
|
|
higher priority jobs. This lays the groundwork for a fix for
|
|
bug 22883.
|
|
|
|
o Minor bugfixes (build system, rust):
|
|
- Fix a problem where Rust toolchains were not being found when
|
|
building without --enable-cargo-online-mode, due to setting the
|
|
$HOME environment variable instead of $CARGO_HOME. Fixes bug
|
|
22830; bugfix on 0.3.1.1-alpha. Fix by Chelsea Komlo.
|
|
|
|
o Minor bugfixes (compatibility, zstd):
|
|
- Write zstd epilogues correctly when the epilogue requires
|
|
reallocation of the output buffer, even with zstd 1.3.0.
|
|
(Previously, we worked on 1.2.0 and failed with 1.3.0). Fixes bug
|
|
22927; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (compilation warnings):
|
|
- Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug
|
|
22915; bugfix on 0.2.8.1-alpha.
|
|
- Fix warnings when building with libscrypt and openssl scrypt
|
|
support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
|
|
- Compile correctly when both openssl 1.1.0 and libscrypt are
|
|
detected. Previously this would cause an error. Fixes bug 22892;
|
|
bugfix on 0.3.1.1-alpha.
|
|
- When building with certain versions of the mingw C header files,
|
|
avoid float-conversion warnings when calling the C functions
|
|
isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix
|
|
on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (coverity build support):
|
|
- Avoid Coverity build warnings related to our BUG() macro. By
|
|
default, Coverity treats BUG() as the Linux kernel does: an
|
|
instant abort(). We need to override that so our BUG() macro
|
|
doesn't prevent Coverity from analyzing functions that use it.
|
|
Fixes bug 23030; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Minor bugfixes (directory authority):
|
|
- When a directory authority rejects a descriptor or extrainfo with
|
|
a given digest, mark that digest as undownloadable, so that we do
|
|
not attempt to download it again over and over. We previously
|
|
tried to avoid downloading such descriptors by other means, but we
|
|
didn't notice if we accidentally downloaded one anyway. This
|
|
behavior became problematic in 0.2.7.2-alpha, when authorities
|
|
began pinning Ed25519 keys. Fixes bug 22349; bugfix
|
|
on 0.2.1.19-alpha.
|
|
|
|
o Minor bugfixes (error reporting, windows):
|
|
- When formatting Windows error messages, use the English format to
|
|
avoid codepage issues. Fixes bug 22520; bugfix on 0.1.2.8-alpha.
|
|
Patch from "Vort".
|
|
|
|
o Minor bugfixes (file limits, osx):
|
|
- When setting the maximum number of connections allowed by the OS,
|
|
always allow some extra file descriptors for other files. Fixes
|
|
bug 22797; bugfix on 0.2.0.10-alpha.
|
|
|
|
o Minor bugfixes (linux seccomp2 sandbox):
|
|
- Avoid a sandbox failure when trying to re-bind to a socket and
|
|
mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.
|
|
|
|
o Minor bugfixes (memory leaks):
|
|
- Fix a small memory leak when validating a configuration that uses
|
|
two or more AF_UNIX sockets for the same port type. Fixes bug
|
|
23053; bugfix on 0.2.6.3-alpha. This is CID 1415725.
|
|
|
|
o Minor bugfixes (unit tests):
|
|
- test_consdiff_base64cmp would fail on OS X because while OS X
|
|
follows the standard of (less than zero/zero/greater than zero),
|
|
it doesn't follow the convention of (-1/0/+1). Make the test
|
|
comply with the standard. Fixes bug 22870; bugfix on 0.3.1.1-alpha.
|
|
- Fix a memory leak in the link-handshake/certs_ok_ed25519 test.
|
|
Fixes bug 22803; bugfix on 0.3.0.1-alpha.
|
|
|
|
|
|
Changes in version 0.3.1.4-alpha - 2017-06-29
|
|
Tor 0.3.1.4-alpha fixes a path selection bug that would allow a client
|
|
to use a guard that was in the same network family as a chosen exit
|
|
relay. This is a security regression; all clients running earlier
|
|
versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9
|
|
or 0.3.1.4-alpha.
|
|
|
|
This release also fixes several other bugs introduced in 0.3.0.x
|
|
and 0.3.1.x, including others that can affect bandwidth usage
|
|
and correctness.
|
|
|
|
o New dependencies:
|
|
- To build with zstd and lzma support, Tor now requires the
|
|
pkg-config tool at build time. (This requirement was new in
|
|
0.3.1.1-alpha, but was not noted at the time. Noting it here to
|
|
close ticket 22623.)
|
|
|
|
o Major bugfixes (path selection, security):
|
|
- When choosing which guard to use for a circuit, avoid the exit's
|
|
family along with the exit itself. Previously, the new guard
|
|
selection logic avoided the exit, but did not consider its family.
|
|
Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2017-
|
|
006 and CVE-2017-0377.
|
|
|
|
o Major bugfixes (compression, zstd):
|
|
- Correctly detect a full buffer when decompressing a large zstd-
|
|
compressed input. Previously, we would sometimes treat a full
|
|
buffer as an error. Fixes bug 22628; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Major bugfixes (directory protocol):
|
|
- Ensure that we send "304 Not modified" as HTTP status code when a
|
|
client is attempting to fetch a consensus or consensus diff, and
|
|
the best one we can send them is one they already have. Fixes bug
|
|
22702; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Major bugfixes (entry guards):
|
|
- When starting with an old consensus, do not add new entry guards
|
|
unless the consensus is "reasonably live" (under 1 day old). Fixes
|
|
one root cause of bug 22400; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor features (bug mitigation, diagnostics, logging):
|
|
- Avoid an assertion failure, and log a better error message, when
|
|
unable to remove a file from the consensus cache on Windows.
|
|
Attempts to mitigate and diagnose bug 22752.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (compression):
|
|
- When compressing or decompressing a buffer, check for a failure to
|
|
create a compression object. Fixes bug 22626; bugfix
|
|
on 0.3.1.1-alpha.
|
|
- When decompressing a buffer, check for extra data after the end of
|
|
the compressed data. Fixes bug 22629; bugfix on 0.3.1.1-alpha.
|
|
- When decompressing an object received over an anonymous directory
|
|
connection, if we have already decompressed it using an acceptable
|
|
compression method, do not reject it for looking like an
|
|
unacceptable compression method. Fixes part of bug 22670; bugfix
|
|
on 0.3.1.1-alpha.
|
|
- When serving directory votes compressed with zlib, do not claim to
|
|
have compressed them with zstd. Fixes bug 22669; bugfix
|
|
on 0.3.1.1-alpha.
|
|
- When spooling compressed data to an output buffer, don't try to
|
|
spool more data when there is no more data to spool and we are not
|
|
trying to flush the input. Previously, we would sometimes launch
|
|
compression requests with nothing to do, which interferes with our
|
|
22672 checks. Fixes bug 22719; bugfix on 0.2.0.16-alpha.
|
|
|
|
o Minor bugfixes (defensive programming):
|
|
- Detect and break out of infinite loops in our compression code. We
|
|
don't think that any such loops exist now, but it's best to be
|
|
safe. Closes ticket 22672.
|
|
- Fix a memset() off the end of an array when packing cells. This
|
|
bug should be harmless in practice, since the corrupted bytes are
|
|
still in the same structure, and are always padding bytes,
|
|
ignored, or immediately overwritten, depending on compiler
|
|
behavior. Nevertheless, because the memset()'s purpose is to make
|
|
sure that any other cell-handling bugs can't expose bytes to the
|
|
network, we need to fix it. Fixes bug 22737; bugfix on
|
|
0.2.4.11-alpha. Fixes CID 1401591.
|
|
|
|
o Minor bugfixes (linux seccomp2 sandbox):
|
|
- Permit the fchmod system call, to avoid crashing on startup when
|
|
starting with the seccomp2 sandbox and an unexpected set of
|
|
permissions on the data directory or its contents. Fixes bug
|
|
22516; bugfix on 0.2.5.4-alpha.
|
|
- Fix a crash in the LZMA module, when the sandbox was enabled, and
|
|
liblzma would allocate more than 16 MB of memory. We solve this by
|
|
bumping the mprotect() limit in the sandbox module from 16 MB to
|
|
20 MB. Fixes bug 22751; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (logging):
|
|
- When decompressing, do not warn if we fail to decompress using a
|
|
compression method that we merely guessed. Fixes part of bug
|
|
22670; bugfix on 0.1.1.14-alpha.
|
|
- When decompressing, treat mismatch between content-encoding and
|
|
actual compression type as a protocol warning. Fixes part of bug
|
|
22670; bugfix on 0.1.1.9-alpha.
|
|
- Downgrade "assigned_to_cpuworker failed" message to info-level
|
|
severity. In every case that can reach it, either a better warning
|
|
has already been logged, or no warning is warranted. Fixes bug
|
|
22356; bugfix on 0.2.6.3-alpha.
|
|
- Demote a warn that was caused by libevent delays to info if
|
|
netflow padding is less than 4.5 seconds late, or to notice
|
|
if it is more (4.5 seconds is the amount of time that a netflow
|
|
record might be emitted after, if we chose the maximum timeout).
|
|
Fixes bug 22212; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (process behavior):
|
|
- When exiting because of an error, always exit with a nonzero exit
|
|
status. Previously, we would fail to report an error in our exit
|
|
status in cases related to __OwningControllerProcess failure,
|
|
lockfile contention, and Ed25519 key initialization. Fixes bug
|
|
22720; bugfix on versions 0.2.1.6-alpha, 0.2.2.28-beta, and
|
|
0.2.7.2-alpha respectively. Reported by "f55jwk4f"; patch
|
|
from "huyvq".
|
|
|
|
o Documentation:
|
|
- Add a manpage description for the key-pinning-journal file. Closes
|
|
ticket 22347.
|
|
- Correctly note that bandwidth accounting values are stored in the
|
|
state file, and the bw_accounting file is now obsolete. Closes
|
|
ticket 16082.
|
|
- Document more of the files in the Tor data directory, including
|
|
cached-extrainfo, secret_onion_key{,_ntor}.old, hidserv-stats,
|
|
approved-routers, sr-random, and diff-cache. Found while fixing
|
|
ticket 22347.
|
|
|
|
|
|
Changes in version 0.3.0.9 - 2017-06-29
|
|
Tor 0.3.0.9 fixes a path selection bug that would allow a client
|
|
to use a guard that was in the same network family as a chosen exit
|
|
relay. This is a security regression; all clients running earlier
|
|
versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or
|
|
0.3.1.4-alpha.
|
|
|
|
This release also backports several other bugfixes from the 0.3.1.x
|
|
series.
|
|
|
|
o Major bugfixes (path selection, security, backport from 0.3.1.4-alpha):
|
|
- When choosing which guard to use for a circuit, avoid the exit's
|
|
family along with the exit itself. Previously, the new guard
|
|
selection logic avoided the exit, but did not consider its family.
|
|
Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2017-
|
|
006 and CVE-2017-0377.
|
|
|
|
o Major bugfixes (entry guards, backport from 0.3.1.1-alpha):
|
|
- Don't block bootstrapping when a primary bridge is offline and we
|
|
can't get its descriptor. Fixes bug 22325; fixes one case of bug
|
|
21969; bugfix on 0.3.0.3-alpha.
|
|
|
|
o Major bugfixes (entry guards, backport from 0.3.1.4-alpha):
|
|
- When starting with an old consensus, do not add new entry guards
|
|
unless the consensus is "reasonably live" (under 1 day old). Fixes
|
|
one root cause of bug 22400; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):
|
|
- Reject version numbers with non-numeric prefixes (such as +, -, or
|
|
whitespace). Disallowing whitespace prevents differential version
|
|
parsing between POSIX-based and Windows platforms. Fixes bug 21507
|
|
and part of 21508; bugfix on 0.0.8pre1.
|
|
|
|
o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):
|
|
- Permit the fchmod system call, to avoid crashing on startup when
|
|
starting with the seccomp2 sandbox and an unexpected set of
|
|
permissions on the data directory or its contents. Fixes bug
|
|
22516; bugfix on 0.2.5.4-alpha.
|
|
|
|
o Minor bugfixes (defensive programming, backport from 0.3.1.4-alpha):
|
|
- Fix a memset() off the end of an array when packing cells. This
|
|
bug should be harmless in practice, since the corrupted bytes are
|
|
still in the same structure, and are always padding bytes,
|
|
ignored, or immediately overwritten, depending on compiler
|
|
behavior. Nevertheless, because the memset()'s purpose is to make
|
|
sure that any other cell-handling bugs can't expose bytes to the
|
|
network, we need to fix it. Fixes bug 22737; bugfix on
|
|
0.2.4.11-alpha. Fixes CID 1401591.
|
|
|
|
|
|
Changes in version 0.3.1.3-alpha - 2017-06-08
|
|
Tor 0.3.1.3-alpha fixes a pair of bugs that would allow an attacker to
|
|
remotely crash a hidden service with an assertion failure. Anyone
|
|
running a hidden service should upgrade to this version, or to some
|
|
other version with fixes for TROVE-2017-004 and TROVE-2017-005.
|
|
|
|
Tor 0.3.1.3-alpha also includes fixes for several key management bugs
|
|
that sometimes made relays unreliable, as well as several other
|
|
bugfixes described below.
|
|
|
|
o Major bugfixes (hidden service, relay, security):
|
|
- Fix a remotely triggerable assertion failure when a hidden service
|
|
handles a malformed BEGIN cell. Fixes bug 22493, tracked as
|
|
TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
|
|
- Fix a remotely triggerable assertion failure caused by receiving a
|
|
BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
|
|
22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
|
|
on 0.2.2.1-alpha.
|
|
|
|
o Major bugfixes (relay, link handshake):
|
|
- When performing the v3 link handshake on a TLS connection, report
|
|
that we have the x509 certificate that we actually used on that
|
|
connection, even if we have changed certificates since that
|
|
connection was first opened. Previously, we would claim to have
|
|
used our most recent x509 link certificate, which would sometimes
|
|
make the link handshake fail. Fixes one case of bug 22460; bugfix
|
|
on 0.2.3.6-alpha.
|
|
|
|
o Major bugfixes (relays, key management):
|
|
- Regenerate link and authentication certificates whenever the key
|
|
that signs them changes; also, regenerate link certificates
|
|
whenever the signed key changes. Previously, these processes were
|
|
only weakly coupled, and we relays could (for minutes to hours)
|
|
wind up with an inconsistent set of keys and certificates, which
|
|
other relays would not accept. Fixes two cases of bug 22460;
|
|
bugfix on 0.3.0.1-alpha.
|
|
- When sending an Ed25519 signing->link certificate in a CERTS cell,
|
|
send the certificate that matches the x509 certificate that we
|
|
used on the TLS connection. Previously, there was a race condition
|
|
if the TLS context rotated after we began the TLS handshake but
|
|
before we sent the CERTS cell. Fixes a case of bug 22460; bugfix
|
|
on 0.3.0.1-alpha.
|
|
|
|
o Major bugfixes (torrc, crash):
|
|
- Fix a crash bug when using %include in torrc. Fixes bug 22417;
|
|
bugfix on 0.3.1.1-alpha. Patch by Daniel Pinto.
|
|
|
|
o Minor features (code style):
|
|
- Add "Falls through" comments to our codebase, in order to silence
|
|
GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
|
|
Stieger. Closes ticket 22446.
|
|
|
|
o Minor features (diagnostic):
|
|
- Add logging messages to try to diagnose a rare bug that seems to
|
|
generate RSA->Ed25519 cross-certificates dated in the 1970s. We
|
|
think this is happening because of incorrect system clocks, but
|
|
we'd like to know for certain. Diagnostic for bug 22466.
|
|
|
|
o Minor bugfixes (correctness):
|
|
- Avoid undefined behavior when parsing IPv6 entries from the geoip6
|
|
file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
|
|
|
|
o Minor bugfixes (directory protocol):
|
|
- Check for libzstd >= 1.1, because older versions lack the
|
|
necessary streaming API. Fixes bug 22413; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (link handshake):
|
|
- Lower the lifetime of the RSA->Ed25519 cross-certificate to six
|
|
months, and regenerate it when it is within one month of expiring.
|
|
Previously, we had generated this certificate at startup with a
|
|
ten-year lifetime, but that could lead to weird behavior when Tor
|
|
was started with a grossly inaccurate clock. Mitigates bug 22466;
|
|
mitigation on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (storage directories):
|
|
- Always check for underflows in the cached storage directory usage.
|
|
If the usage does underflow, re-calculate it. Also, avoid a
|
|
separate underflow when the usage is not known. Fixes bug 22424;
|
|
bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (unit tests):
|
|
- The unit tests now pass on systems where localhost is misconfigured
|
|
to some IPv4 address other than 127.0.0.1. Fixes bug 6298; bugfix
|
|
on 0.0.9pre2.
|
|
|
|
o Documentation:
|
|
- Clarify the manpage for the (deprecated) torify script. Closes
|
|
ticket 6892.
|
|
|
|
Changes in version 0.3.0.8 - 2017-06-08
|
|
Tor 0.3.0.8 fixes a pair of bugs that would allow an attacker to
|
|
remotely crash a hidden service with an assertion failure. Anyone
|
|
running a hidden service should upgrade to this version, or to some
|
|
other version with fixes for TROVE-2017-004 and TROVE-2017-005.
|
|
|
|
Tor 0.3.0.8 also includes fixes for several key management bugs
|
|
that sometimes made relays unreliable, as well as several other
|
|
bugfixes described below.
|
|
|
|
o Major bugfixes (hidden service, relay, security, backport
|
|
from 0.3.1.3-alpha):
|
|
- Fix a remotely triggerable assertion failure when a hidden service
|
|
handles a malformed BEGIN cell. Fixes bug 22493, tracked as
|
|
TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
|
|
- Fix a remotely triggerable assertion failure caused by receiving a
|
|
BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
|
|
22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
|
|
on 0.2.2.1-alpha.
|
|
|
|
o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha):
|
|
- When performing the v3 link handshake on a TLS connection, report
|
|
that we have the x509 certificate that we actually used on that
|
|
connection, even if we have changed certificates since that
|
|
connection was first opened. Previously, we would claim to have
|
|
used our most recent x509 link certificate, which would sometimes
|
|
make the link handshake fail. Fixes one case of bug 22460; bugfix
|
|
on 0.2.3.6-alpha.
|
|
|
|
o Major bugfixes (relays, key management, backport from 0.3.1.3-alpha):
|
|
- Regenerate link and authentication certificates whenever the key
|
|
that signs them changes; also, regenerate link certificates
|
|
whenever the signed key changes. Previously, these processes were
|
|
only weakly coupled, and we relays could (for minutes to hours)
|
|
wind up with an inconsistent set of keys and certificates, which
|
|
other relays would not accept. Fixes two cases of bug 22460;
|
|
bugfix on 0.3.0.1-alpha.
|
|
- When sending an Ed25519 signing->link certificate in a CERTS cell,
|
|
send the certificate that matches the x509 certificate that we
|
|
used on the TLS connection. Previously, there was a race condition
|
|
if the TLS context rotated after we began the TLS handshake but
|
|
before we sent the CERTS cell. Fixes a case of bug 22460; bugfix
|
|
on 0.3.0.1-alpha.
|
|
|
|
o Major bugfixes (hidden service v3, backport from 0.3.1.1-alpha):
|
|
- Stop rejecting v3 hidden service descriptors because their size
|
|
did not match an old padding rule. Fixes bug 22447; bugfix on
|
|
tor-0.3.0.1-alpha.
|
|
|
|
o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
|
|
- Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
|
|
December 2016 (of which ~126 were still functional) with a list of
|
|
151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
|
|
2017. Resolves ticket 21564.
|
|
|
|
o Minor bugfixes (configuration, backport from 0.3.1.1-alpha):
|
|
- Do not crash when starting with LearnCircuitBuildTimeout 0. Fixes
|
|
bug 22252; bugfix on 0.2.9.3-alpha.
|
|
|
|
o Minor bugfixes (correctness, backport from 0.3.1.3-alpha):
|
|
- Avoid undefined behavior when parsing IPv6 entries from the geoip6
|
|
file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
|
|
|
|
o Minor bugfixes (link handshake, backport from 0.3.1.3-alpha):
|
|
- Lower the lifetime of the RSA->Ed25519 cross-certificate to six
|
|
months, and regenerate it when it is within one month of expiring.
|
|
Previously, we had generated this certificate at startup with a
|
|
ten-year lifetime, but that could lead to weird behavior when Tor
|
|
was started with a grossly inaccurate clock. Mitigates bug 22466;
|
|
mitigation on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (memory leak, directory authority, backport from
|
|
0.3.1.2-alpha):
|
|
- When directory authorities reject a router descriptor due to
|
|
keypinning, free the router descriptor rather than leaking the
|
|
memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.
|
|
|
|
|
|
Changes in version 0.2.9.11 - 2017-06-08
|
|
Tor 0.2.9.11 backports a fix for a bug that would allow an attacker to
|
|
remotely crash a hidden service with an assertion failure. Anyone
|
|
running a hidden service should upgrade to this version, or to some
|
|
other version with fixes for TROVE-2017-005. (Versions before 0.3.0
|
|
are not affected by TROVE-2017-004.)
|
|
|
|
Tor 0.2.9.11 also backports fixes for several key management bugs
|
|
that sometimes made relays unreliable, as well as several other
|
|
bugfixes described below.
|
|
|
|
o Major bugfixes (hidden service, relay, security, backport
|
|
from 0.3.1.3-alpha):
|
|
- Fix a remotely triggerable assertion failure caused by receiving a
|
|
BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
|
|
22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
|
|
on 0.2.2.1-alpha.
|
|
|
|
o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha):
|
|
- When performing the v3 link handshake on a TLS connection, report
|
|
that we have the x509 certificate that we actually used on that
|
|
connection, even if we have changed certificates since that
|
|
connection was first opened. Previously, we would claim to have
|
|
used our most recent x509 link certificate, which would sometimes
|
|
make the link handshake fail. Fixes one case of bug 22460; bugfix
|
|
on 0.2.3.6-alpha.
|
|
|
|
o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
|
|
- Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
|
|
December 2016 (of which ~126 were still functional) with a list of
|
|
151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
|
|
2017. Resolves ticket 21564.
|
|
|
|
o Minor features (future-proofing, backport from 0.3.0.7):
|
|
- Tor no longer refuses to download microdescriptors or descriptors if
|
|
they are listed as "published in the future". This change will
|
|
eventually allow us to stop listing meaningful "published" dates
|
|
in microdescriptor consensuses, and thereby allow us to reduce the
|
|
resources required to download consensus diffs by over 50%.
|
|
Implements part of ticket 21642; implements part of proposal 275.
|
|
|
|
o Minor features (directory authorities, backport from 0.3.0.4-rc)
|
|
- Directory authorities now reject relays running versions
|
|
0.2.9.1-alpha through 0.2.9.4-alpha, because those relays
|
|
suffer from bug 20499 and don't keep their consensus cache
|
|
up-to-date. Resolves ticket 20509.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (control port, backport from 0.3.0.6):
|
|
- The GETINFO extra-info/digest/<digest> command was broken because
|
|
of a wrong base16 decode return value check, introduced when
|
|
refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Minor bugfixes (correctness, backport from 0.3.1.3-alpha):
|
|
- Avoid undefined behavior when parsing IPv6 entries from the geoip6
|
|
file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
|
|
|
|
o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.0.7):
|
|
- The getpid() system call is now permitted under the Linux seccomp2
|
|
sandbox, to avoid crashing with versions of OpenSSL (and other
|
|
libraries) that attempt to learn the process's PID by using the
|
|
syscall rather than the VDSO code. Fixes bug 21943; bugfix
|
|
on 0.2.5.1-alpha.
|
|
|
|
o Minor bugfixes (memory leak, directory authority, backport
|
|
from 0.3.1.2-alpha):
|
|
- When directory authorities reject a router descriptor due to
|
|
keypinning, free the router descriptor rather than leaking the
|
|
memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.
|
|
|
|
Changes in version 0.2.8.14 - 2017-06-08
|
|
Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to
|
|
remotely crash a hidden service with an assertion failure. Anyone
|
|
running a hidden service should upgrade to this version, or to some
|
|
other version with fixes for TROVE-2017-005. (Versions before 0.3.0
|
|
are not affected by TROVE-2017-004.)
|
|
|
|
o Major bugfixes (hidden service, relay, security):
|
|
- Fix a remotely triggerable assertion failure caused by receiving a
|
|
BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
|
|
22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
|
|
on 0.2.2.1-alpha.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
|
|
- Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
|
|
December 2016 (of which ~126 were still functional) with a list of
|
|
151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
|
|
2017. Resolves ticket 21564.
|
|
|
|
o Minor bugfixes (correctness):
|
|
- Avoid undefined behavior when parsing IPv6 entries from the geoip6
|
|
file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
|
|
|
|
Changes in version 0.2.7.8 - 2017-06-08
|
|
Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to
|
|
remotely crash a hidden service with an assertion failure. Anyone
|
|
running a hidden service should upgrade to this version, or to some
|
|
other version with fixes for TROVE-2017-005. (Versions before 0.3.0
|
|
are not affected by TROVE-2017-004.)
|
|
|
|
o Major bugfixes (hidden service, relay, security):
|
|
- Fix a remotely triggerable assertion failure caused by receiving a
|
|
BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
|
|
22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
|
|
on 0.2.2.1-alpha.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (correctness):
|
|
- Avoid undefined behavior when parsing IPv6 entries from the geoip6
|
|
file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
|
|
|
|
|
|
Changes in version 0.2.6.12 - 2017-06-08
|
|
Tor 0.2.6.12 backports a fix for a bug that would allow an attacker to
|
|
remotely crash a hidden service with an assertion failure. Anyone
|
|
running a hidden service should upgrade to this version, or to some
|
|
other version with fixes for TROVE-2017-005. (Versions before 0.3.0
|
|
are not affected by TROVE-2017-004.)
|
|
|
|
o Major bugfixes (hidden service, relay, security):
|
|
- Fix a remotely triggerable assertion failure caused by receiving a
|
|
BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
|
|
22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
|
|
on 0.2.2.1-alpha.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (correctness):
|
|
- Avoid undefined behavior when parsing IPv6 entries from the geoip6
|
|
file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
|
|
|
|
Changes in version 0.2.5.14 - 2017-06-08
|
|
Tor 0.2.5.14 backports a fix for a bug that would allow an attacker to
|
|
remotely crash a hidden service with an assertion failure. Anyone
|
|
running a hidden service should upgrade to this version, or to some
|
|
other version with fixes for TROVE-2017-005. (Versions before 0.3.0
|
|
are not affected by TROVE-2017-004.)
|
|
|
|
o Major bugfixes (hidden service, relay, security):
|
|
- Fix a remotely triggerable assertion failure caused by receiving a
|
|
BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
|
|
22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
|
|
on 0.2.2.1-alpha.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (correctness):
|
|
- Avoid undefined behavior when parsing IPv6 entries from the geoip6
|
|
file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
|
|
|
|
Changes in version 0.2.4.29 - 2017-06-08
|
|
Tor 0.2.4.29 backports a fix for a bug that would allow an attacker to
|
|
remotely crash a hidden service with an assertion failure. Anyone
|
|
running a hidden service should upgrade to this version, or to some
|
|
other version with fixes for TROVE-2017-005. (Versions before 0.3.0
|
|
are not affected by TROVE-2017-004.)
|
|
|
|
o Major bugfixes (hidden service, relay, security):
|
|
- Fix a remotely triggerable assertion failure caused by receiving a
|
|
BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
|
|
22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
|
|
on 0.2.2.1-alpha.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (correctness):
|
|
- Avoid undefined behavior when parsing IPv6 entries from the geoip6
|
|
file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
|
|
|
|
|
|
Changes in version 0.3.1.2-alpha - 2017-05-26
|
|
Tor 0.3.1.2-alpha is the second release in the 0.3.1.x series. It
|
|
fixes a few bugs found while testing 0.3.1.1-alpha, including a
|
|
memory corruption bug that affected relay stability.
|
|
|
|
o Major bugfixes (crash, relay):
|
|
- Fix a memory-corruption bug in relays that set MyFamily.
|
|
Previously, they would double-free MyFamily elements when making
|
|
the next descriptor or when changing their configuration. Fixes
|
|
bug 22368; bugfix on 0.3.1.1-alpha.
|
|
|
|
o Minor bugfixes (logging):
|
|
- Log a better message when a directory authority replies to an
|
|
upload with an unexpected status code. Fixes bug 11121; bugfix
|
|
on 0.1.0.1-rc.
|
|
|
|
o Minor bugfixes (memory leak, directory authority):
|
|
- When directory authorities reject a router descriptor due to
|
|
keypinning, free the router descriptor rather than leaking the
|
|
memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.
|
|
|
|
|
|
Changes in version 0.3.1.1-alpha - 2017-05-22
|
|
Tor 0.3.1.1-alpha is the first release in the 0.3.1.x series. It
|
|
reduces the bandwidth usage for Tor's directory protocol, adds some
|
|
basic padding to resist netflow-based traffic analysis and to serve as
|
|
the basis of other padding in the future, and adds rust support to the
|
|
build system.
|
|
|
|
It also contains numerous other small features and improvements to
|
|
security, correctness, and performance.
|
|
|
|
Below are the changes since 0.3.0.7.
|
|
|
|
o Major features (directory protocol):
|
|
- Tor relays and authorities can now serve clients an abbreviated
|
|
version of the consensus document, containing only the changes
|
|
since an older consensus document that the client holds. Clients
|
|
now request these documents when available. When both client and
|
|
server use this new protocol, they will use far less bandwidth (up
|
|
to 94% less) to keep the client's consensus up-to-date. Implements
|
|
proposal 140; closes ticket 13339. Based on work by Daniel Martí.
|
|
- Tor can now compress directory traffic with lzma or with zstd
|
|
compression algorithms, which can deliver better bandwidth
|
|
performance. Because lzma is computationally expensive, it's only
|
|
used for documents that can be compressed once and served many
|
|
times. Support for these algorithms requires that tor is built
|
|
with the libzstd and/or liblzma libraries available. Implements
|
|
proposal 278; closes ticket 21662.
|
|
- Relays now perform the more expensive compression operations, and
|
|
consensus diff generation, in worker threads. This separation
|
|
avoids delaying the main thread when a new consensus arrives.
|
|
|
|
o Major features (experimental):
|
|
- Tor can now build modules written in Rust. To turn this on, pass
|
|
the "--enable-rust" flag to the configure script. It's not time to
|
|
get excited yet: currently, there is no actual Rust functionality
|
|
beyond some simple glue code, and a notice at startup to tell you
|
|
that Rust is running. Still, we hope that programmers and
|
|
packagers will try building Tor with Rust support, so that we can
|
|
find issues and solve portability problems. Closes ticket 22106.
|
|
|
|
o Major features (traffic analysis resistance):
|
|
- Connections between clients and relays now send a padding cell in
|
|
each direction every 1.5 to 9.5 seconds (tunable via consensus
|
|
parameters). This padding will not resist specialized
|
|
eavesdroppers, but it should be enough to make many ISPs' routine
|
|
network flow logging less useful in traffic analysis against
|
|
Tor users.
|
|
|
|
Padding is negotiated using Tor's link protocol, so both relays
|
|
and clients must upgrade for this to take effect. Clients may
|
|
still send padding despite the relay's version by setting
|
|
ConnectionPadding 1 in torrc, and may disable padding by setting
|
|
ConnectionPadding 0 in torrc. Padding may be minimized for mobile
|
|
users with the torrc option ReducedConnectionPadding. Implements
|
|
Proposal 251 and Section 2 of Proposal 254; closes ticket 16861.
|
|
- Relays will publish 24 hour totals of padding and non-padding cell
|
|
counts to their extra-info descriptors, unless PaddingStatistics 0
|
|
is set in torrc. These 24 hour totals are also rounded to
|
|
multiples of 10000.
|
|
|
|
o Major bugfixes (connection usage):
|
|
- We use NETINFO cells to try to determine if both relays involved
|
|
in a connection will agree on the canonical status of that
|
|
connection. We prefer the connections where this is the case for
|
|
extend cells, and try to close connections where relays disagree
|
|
on their canonical status early. Also, we now prefer the oldest
|
|
valid connection for extend cells. These two changes should reduce
|
|
the number of long-term connections that are kept open between
|
|
relays. Fixes bug 17604; bugfix on 0.2.5.5-alpha.
|
|
- Relays now log hourly statistics (look for
|
|
"channel_check_for_duplicates" lines) on the total number of
|
|
connections to other relays. If the number of connections per
|
|
relay is unexpectedly large, this log message is at notice level.
|
|
Otherwise it is at info.
|
|
|
|
o Major bugfixes (entry guards):
|
|
- Don't block bootstrapping when a primary bridge is offline and we
|
|
can't get its descriptor. Fixes bug 22325; fixes one case of bug
|
|
21969; bugfix on 0.3.0.3-alpha.
|
|
|
|
o Major bugfixes (linux TPROXY support):
|
|
- Fix a typo that had prevented TPROXY-based transparent proxying
|
|
from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
|
|
Patch from "d4fq0fQAgoJ".
|
|
|
|
o Minor features (security, windows):
|
|
- Enable a couple of pieces of Windows hardening: one
|
|
(HeapEnableTerminationOnCorruption) that has been on-by-default
|
|
since Windows 8, and unavailable before Windows 7; and one
|
|
(PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) which we believe doesn't
|
|
affect us, but shouldn't do any harm. Closes ticket 21953.
|
|
|
|
o Minor features (config options):
|
|
- Allow "%include" directives in torrc configuration files. These
|
|
directives import the settings from other files, or from all the
|
|
files in a directory. Closes ticket 1922. Code by Daniel Pinto.
|
|
- Make SAVECONF return an error when overwriting a torrc that has
|
|
includes. Using SAVECONF with the FORCE option will allow it to
|
|
overwrite torrc even if includes are used. Related to ticket 1922.
|
|
- Add "GETINFO config-can-saveconf" to tell controllers if SAVECONF
|
|
will work without the FORCE option. Related to ticket 1922.
|
|
|
|
o Minor features (controller):
|
|
- Warn the first time that a controller requests data in the long-
|
|
deprecated 'GETINFO network-status' format. Closes ticket 21703.
|
|
|
|
o Minor features (defaults):
|
|
- The default value for UseCreateFast is now 0: clients which
|
|
haven't yet received a consensus document will now use a proper
|
|
ntor handshake to talk to their directory servers whenever they
|
|
can. Closes ticket 21407.
|
|
- Onion key rotation and expiry intervals are now defined as a
|
|
network consensus parameter, per proposal 274. The default
|
|
lifetime of an onion key is increased from 7 to 28 days. Old onion
|
|
keys will expire after 7 days by default. This change will make
|
|
consensus diffs much smaller, and save significant bandwidth.
|
|
Closes ticket 21641.
|
|
|
|
o Minor features (fallback directory list):
|
|
- Update the fallback directory mirror whitelist and blacklist based
|
|
on operator emails. Closes task 21121.
|
|
- Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
|
|
December 2016 (of which ~126 were still functional) with a list of
|
|
151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
|
|
2017. Resolves ticket 21564.
|
|
|
|
o Minor features (hidden services, logging):
|
|
- Log a message when a hidden service descriptor has fewer
|
|
introduction points than specified in
|
|
HiddenServiceNumIntroductionPoints. Closes tickets 21598.
|
|
- Log a message when a hidden service reaches its introduction point
|
|
circuit limit, and when that limit is reset. Follow up to ticket
|
|
21594; closes ticket 21622.
|
|
- Warn user if multiple entries in EntryNodes and at least one
|
|
HiddenService are used together. Pinning EntryNodes along with a
|
|
hidden service can be possibly harmful; for instance see ticket
|
|
14917 or 21155. Closes ticket 21155.
|
|
|
|
o Minor features (linux seccomp2 sandbox):
|
|
- We now have a document storage backend compatible with the Linux
|
|
seccomp2 sandbox. This backend is used for consensus documents and
|
|
diffs between them; in the long term, we'd like to use it for
|
|
unparseable directory material too. Closes ticket 21645
|
|
- Increase the maximum allowed size passed to mprotect(PROT_WRITE)
|
|
from 1MB to 16MB. This was necessary with the glibc allocator in
|
|
order to allow worker threads to allocate more memory -- which in
|
|
turn is necessary because of our new use of worker threads for
|
|
compression. Closes ticket 22096.
|
|
|
|
o Minor features (logging):
|
|
- Log files are no longer created world-readable by default.
|
|
(Previously, most distributors would store the logs in a non-
|
|
world-readable location to prevent inappropriate access. This
|
|
change is an extra precaution.) Closes ticket 21729; patch
|
|
from toralf.
|
|
|
|
o Minor features (performance):
|
|
- Our Keccak (SHA-3) implementation now accesses memory more
|
|
efficiently, especially on little-endian systems. Closes
|
|
ticket 21737.
|
|
- Add an O(1) implementation of channel_find_by_global_id(), to
|
|
speed some controller functions.
|
|
|
|
o Minor features (relay, configuration):
|
|
- The MyFamily option may now be repeated as many times as desired,
|
|
for relays that want to configure large families. Closes ticket
|
|
4998; patch by Daniel Pinto.
|
|
|
|
o Minor features (safety):
|
|
- Add an explicit check to extrainfo_parse_entry_from_string() for
|
|
NULL inputs. We don't believe this can actually happen, but it may
|
|
help silence a warning from the Clang analyzer. Closes
|
|
ticket 21496.
|
|
|
|
o Minor features (testing):
|
|
- Add a "--disable-memory-sentinels" feature to help with fuzzing.
|
|
When Tor is compiled with this option, we disable a number of
|
|
redundant memory-safety failsafes that are intended to stop bugs
|
|
from becoming security issues. This makes it easier to hunt for
|
|
bugs that would be security issues without the failsafes turned
|
|
on. Closes ticket 21439.
|
|
- Add a general event-tracing instrumentation support to Tor. This
|
|
subsystem will enable developers and researchers to add fine-
|
|
grained instrumentation to their Tor instances, for use when
|
|
examining Tor network performance issues. There are no trace
|
|
events yet, and event-tracing is off by default unless enabled at
|
|
compile time. Implements ticket 13802.
|
|
- Improve our version parsing tests: add tests for typical version
|
|
components, add tests for invalid versions, including numeric
|
|
range and non-numeric prefixes. Unit tests 21278, 21450, and
|
|
21507. Partially implements 21470.
|
|
|
|
o Minor bugfixes (bandwidth accounting):
|
|
- Roll over monthly accounting at the configured hour and minute,
|
|
rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
|
|
Found by Andrey Karpov with PVS-Studio.
|
|
|
|
o Minor bugfixes (code correctness):
|
|
- Accurately identify client connections by their lack of peer
|
|
authentication. This means that we bail out earlier if asked to
|
|
extend to a client. Follow-up to 21407. Fixes bug 21406; bugfix
|
|
on 0.2.4.23.
|
|
|
|
o Minor bugfixes (configuration):
|
|
- Do not crash when starting with LearnCircuitBuildTimeout 0. Fixes
|
|
bug 22252; bugfix on 0.2.9.3-alpha.
|
|
|
|
o Minor bugfixes (connection lifespan):
|
|
- Allow more control over how long TLS connections are kept open:
|
|
unify CircuitIdleTimeout and PredictedPortsRelevanceTime into a
|
|
single option called CircuitsAvailableTimeout. Also, allow the
|
|
consensus to control the default values for both this preference
|
|
and the lifespan of relay-to-relay connections. Fixes bug 17592;
|
|
bugfix on 0.2.5.5-alpha.
|
|
- Increase the initial circuit build timeout testing frequency, to
|
|
help ensure that ReducedConnectionPadding clients finish learning
|
|
a timeout before their orconn would expire. The initial testing
|
|
rate was set back in the days of TAP and before the Tor Browser
|
|
updater, when we had to be much more careful about new clients
|
|
making lots of circuits. With this change, a circuit build timeout
|
|
is learned in about 15-20 minutes, instead of 100-120 minutes.
|
|
|
|
o Minor bugfixes (controller):
|
|
- GETINFO onions/current and onions/detached no longer respond with
|
|
551 on empty lists. Fixes bug 21329; bugfix on 0.2.7.1-alpha.
|
|
- Trigger HS descriptor events on the control port when the client
|
|
fails to pick a hidden service directory for a hidden service.
|
|
This can happen if all the hidden service directories are in
|
|
ExcludeNodes, or they have all been queried within the last 15
|
|
minutes. Fixes bug 22042; bugfix on 0.2.5.2-alpha.
|
|
|
|
o Minor bugfixes (directory authority):
|
|
- When rejecting a router descriptor for running an obsolete version
|
|
of Tor without ntor support, warn about the obsolete tor version,
|
|
not the missing ntor key. Fixes bug 20270; bugfix on 0.2.9.3-alpha.
|
|
- Prevent the shared randomness subsystem from asserting when
|
|
initialized by a bridge authority with an incomplete configuration
|
|
file. Fixes bug 21586; bugfix on 0.2.9.8.
|
|
|
|
o Minor bugfixes (exit-side DNS):
|
|
- Fix an untriggerable assertion that checked the output of a
|
|
libevent DNS error, so that the assertion actually behaves as
|
|
expected. Fixes bug 22244; bugfix on 0.2.0.20-rc. Found by Andrey
|
|
Karpov using PVS-Studio.
|
|
|
|
o Minor bugfixes (fallback directories):
|
|
- Make the usage example in updateFallbackDirs.py actually work, and
|
|
explain what it does. Fixes bug 22270; bugfix on 0.3.0.3-alpha.
|
|
- Decrease the guard flag average required to be a fallback. This
|
|
allows us to keep relays that have their guard flag removed when
|
|
they restart. Fixes bug 20913; bugfix on 0.2.8.1-alpha.
|
|
- Decrease the minimum number of fallbacks to 100. Fixes bug 20913;
|
|
bugfix on 0.2.8.1-alpha.
|
|
- Make sure fallback directory mirrors have the same address, port,
|
|
and relay identity key for at least 30 days before they are
|
|
selected. Fixes bug 20913; bugfix on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Stop printing a cryptic warning when a hidden service gets a
|
|
request to connect to a virtual port that it hasn't configured.
|
|
Fixes bug 16706; bugfix on 0.2.6.3-alpha.
|
|
- Simplify hidden service descriptor creation by using an existing
|
|
flag to check if an introduction point is established. Fixes bug
|
|
21599; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (memory leak):
|
|
- Fix a small memory leak at exit from the backtrace handler code.
|
|
Fixes bug 21788; bugfix on 0.2.5.2-alpha. Patch from Daniel Pinto.
|
|
|
|
o Minor bugfixes (protocol, logging):
|
|
- Downgrade a log statement about unexpected relay cells from "bug"
|
|
to "protocol warning", because there is at least one use case
|
|
where it can be triggered by a buggy tor implementation. Fixes bug
|
|
21293; bugfix on 0.1.1.14-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Use unbuffered I/O for utility functions around the
|
|
process_handle_t type. This fixes unit test failures reported on
|
|
OpenBSD and FreeBSD. Fixes bug 21654; bugfix on 0.2.3.1-alpha.
|
|
- Make display of captured unit test log messages consistent. Fixes
|
|
bug 21510; bugfix on 0.2.9.3-alpha.
|
|
- Make test-network.sh always call chutney's test-network.sh.
|
|
Previously, this only worked on systems which had bash installed,
|
|
due to some bash-specific code in the script. Fixes bug 19699;
|
|
bugfix on 0.3.0.4-rc. Follow-up to ticket 21581.
|
|
|
|
o Minor bugfixes (voting consistency):
|
|
- Reject version numbers with non-numeric prefixes (such as +, -, or
|
|
whitespace). Disallowing whitespace prevents differential version
|
|
parsing between POSIX-based and Windows platforms. Fixes bug 21507
|
|
and part of 21508; bugfix on 0.0.8pre1.
|
|
|
|
o Minor bugfixes (windows, relay):
|
|
- Resolve "Failure from drain_fd: No error" warnings on Windows
|
|
relays. Fixes bug 21540; bugfix on 0.2.6.3-alpha.
|
|
|
|
o Code simplification and refactoring:
|
|
- Break up the 630-line function connection_dir_client_reached_eof()
|
|
into a dozen smaller functions. This change should help
|
|
maintainability and readability of the client directory code.
|
|
- Isolate our use of the openssl headers so that they are only
|
|
included from our crypto wrapper modules, and from tests that
|
|
examine those modules' internals. Closes ticket 21841.
|
|
- Simplify our API to launch directory requests, making it more
|
|
extensible and less error-prone. Now it's easier to add extra
|
|
headers to directory requests. Closes ticket 21646.
|
|
- Our base64 decoding functions no longer overestimate the output
|
|
space that they need when parsing unpadded inputs. Closes
|
|
ticket 17868.
|
|
- Remove unused "ROUTER_ADDED_NOTIFY_GENERATOR" internal value.
|
|
Resolves ticket 22213.
|
|
- The logic that directory caches use to spool request to clients,
|
|
serving them one part at a time so as not to allocate too much
|
|
memory, has been refactored for consistency. Previously there was
|
|
a separate spooling implementation per type of spoolable data. Now
|
|
there is one common spooling implementation, with extensible data
|
|
types. Closes ticket 21651.
|
|
- Tor's compression module now supports multiple backends. Part of
|
|
the implementation for proposal 278; closes ticket 21663.
|
|
|
|
o Documentation:
|
|
- Clarify the behavior of the KeepAliveIsolateSOCKSAuth sub-option.
|
|
Closes ticket 21873.
|
|
- Correct documentation about the default DataDirectory value.
|
|
Closes ticket 21151.
|
|
- Document the default behavior of NumEntryGuards and
|
|
NumDirectoryGuards correctly. Fixes bug 21715; bugfix
|
|
on 0.3.0.1-alpha.
|
|
- Document key=value pluggable transport arguments for Bridge lines
|
|
in torrc. Fixes bug 20341; bugfix on 0.2.5.1-alpha.
|
|
- Note that bandwidth-limiting options don't affect TCP headers or
|
|
DNS. Closes ticket 17170.
|
|
|
|
o Removed features (configuration options, all in ticket 22060):
|
|
- These configuration options are now marked Obsolete, and no longer
|
|
have any effect: AllowInvalidNodes, AllowSingleHopCircuits,
|
|
AllowSingleHopExits, ExcludeSingleHopRelays, FastFirstHopPK,
|
|
TLSECGroup, WarnUnsafeSocks. They were first marked as deprecated
|
|
in 0.2.9.2-alpha and have now been removed. The previous default
|
|
behavior is now always chosen; the previous (less secure) non-
|
|
default behavior is now unavailable.
|
|
- CloseHSClientCircuitsImmediatelyOnTimeout and
|
|
CloseHSServiceRendCircuitsImmediatelyOnTimeout were deprecated in
|
|
0.2.9.2-alpha and now have been removed. HS circuits never close
|
|
on circuit build timeout; they have a longer timeout period.
|
|
- {Control,DNS,Dir,Socks,Trans,NATD,OR}ListenAddress were deprecated
|
|
in 0.2.9.2-alpha and now have been removed. Use the ORPort option
|
|
(and others) to configure listen-only and advertise-only addresses.
|
|
|
|
o Removed features (tools):
|
|
- We've removed the tor-checkkey tool from src/tools. Long ago, we
|
|
used it to help people detect RSA keys that were generated by
|
|
versions of Debian affected by CVE-2008-0166. But those keys have
|
|
been out of circulation for ages, and this tool is no longer
|
|
required. Closes ticket 21842.
|
|
|
|
|
|
Changes in version 0.3.0.7 - 2017-05-15
|
|
Tor 0.3.0.7 fixes a medium-severity security bug in earlier versions
|
|
of Tor 0.3.0.x, where an attacker could cause a Tor relay process
|
|
to exit. Relays running earlier versions of Tor 0.3.0.x should upgrade;
|
|
clients are not affected.
|
|
|
|
o Major bugfixes (hidden service directory, security):
|
|
- Fix an assertion failure in the hidden service directory code, which
|
|
could be used by an attacker to remotely cause a Tor relay process to
|
|
exit. Relays running earlier versions of Tor 0.3.0.x should upgrade.
|
|
should upgrade. This security issue is tracked as TROVE-2017-002.
|
|
Fixes bug 22246; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor features:
|
|
- Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (future-proofing):
|
|
- Tor no longer refuses to download microdescriptors or descriptors
|
|
if they are listed as "published in the future". This change will
|
|
eventually allow us to stop listing meaningful "published" dates
|
|
in microdescriptor consensuses, and thereby allow us to reduce the
|
|
resources required to download consensus diffs by over 50%.
|
|
Implements part of ticket 21642; implements part of proposal 275.
|
|
|
|
o Minor bugfixes (Linux seccomp2 sandbox):
|
|
- The getpid() system call is now permitted under the Linux seccomp2
|
|
sandbox, to avoid crashing with versions of OpenSSL (and other
|
|
libraries) that attempt to learn the process's PID by using the
|
|
syscall rather than the VDSO code. Fixes bug 21943; bugfix
|
|
on 0.2.5.1-alpha.
|
|
|
|
|
|
Changes in version 0.3.0.6 - 2017-04-26
|
|
Tor 0.3.0.6 is the first stable release of the Tor 0.3.0 series.
|
|
|
|
With the 0.3.0 series, clients and relays now use Ed25519 keys to
|
|
authenticate their link connections to relays, rather than the old
|
|
RSA1024 keys that they used before. (Circuit crypto has been
|
|
Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced
|
|
the guard selection and replacement algorithm to behave more robustly
|
|
in the presence of unreliable networks, and to resist guard-
|
|
capture attacks.
|
|
|
|
This series also includes numerous other small features and bugfixes,
|
|
along with more groundwork for the upcoming hidden-services revamp.
|
|
|
|
Per our stable release policy, we plan to support the Tor 0.3.0
|
|
release series for at least the next nine months, or for three months
|
|
after the first stable release of the 0.3.1 series: whichever is
|
|
longer. If you need a release with long-term support, we recommend
|
|
that you stay with the 0.2.9 series.
|
|
|
|
Below are the changes since 0.3.0.5-rc. For a list of all changes
|
|
since 0.2.9, see the ReleaseNotes file.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (control port):
|
|
- The GETINFO extra-info/digest/<digest> command was broken because
|
|
of a wrong base16 decode return value check, introduced when
|
|
refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Minor bugfixes (crash prevention):
|
|
- Fix a (currently untriggerable, but potentially dangerous) crash
|
|
bug when base32-encoding inputs whose sizes are not a multiple of
|
|
5. Fixes bug 21894; bugfix on 0.2.9.1-alpha.
|
|
|
|
|
|
Changes in version 0.3.0.5-rc - 2017-04-05
|
|
Tor 0.3.0.5-rc fixes a few remaining bugs, large and small, in the
|
|
0.3.0 release series.
|
|
|
|
This is the second release candidate in the Tor 0.3.0 series, and has
|
|
much fewer changes than the first. If we find no new bugs or
|
|
regressions here, the first stable 0.3.0 release will be nearly
|
|
identical to it.
|
|
|
|
o Major bugfixes (crash, directory connections):
|
|
- Fix a rare crash when sending a begin cell on a circuit whose
|
|
linked directory connection had already been closed. Fixes bug
|
|
21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.
|
|
|
|
o Major bugfixes (guard selection):
|
|
- Fix a guard selection bug where Tor would refuse to bootstrap in
|
|
some cases if the user swapped a bridge for another bridge in
|
|
their configuration file. Fixes bug 21771; bugfix on 0.3.0.1-alpha.
|
|
Reported by "torvlnt33r".
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the March 7 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfix (compilation):
|
|
- Fix a warning when compiling hs_service.c. Previously, it had no
|
|
exported symbols when compiled for libor.a, resulting in a
|
|
compilation warning from clang. Fixes bug 21825; bugfix
|
|
on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Make hidden services check for failed intro point connections,
|
|
even when they have exceeded their intro point creation limit.
|
|
Fixes bug 21596; bugfix on 0.2.7.2-alpha. Reported by Alec Muffett.
|
|
- Make hidden services with 8 to 10 introduction points check for
|
|
failed circuits immediately after startup. Previously, they would
|
|
wait for 5 minutes before performing their first checks. Fixes bug
|
|
21594; bugfix on 0.2.3.9-alpha. Reported by Alec Muffett.
|
|
|
|
o Minor bugfixes (memory leaks):
|
|
- Fix a memory leak when using GETCONF on a port option. Fixes bug
|
|
21682; bugfix on 0.3.0.3-alpha.
|
|
|
|
o Minor bugfixes (relay):
|
|
- Avoid a double-marked-circuit warning that could happen when we
|
|
receive DESTROY cells under heavy load. Fixes bug 20059; bugfix
|
|
on 0.1.0.1-rc.
|
|
|
|
o Minor bugfixes (tests):
|
|
- Run the entry_guard_parse_from_state_full() test with the time set
|
|
to a specific date. (The guard state that this test was parsing
|
|
contained guards that had expired since the test was first
|
|
written.) Fixes bug 21799; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Documentation:
|
|
- Update the description of the directory server options in the
|
|
manual page, to clarify that a relay no longer needs to set
|
|
DirPort in order to be a directory cache. Closes ticket 21720.
|
|
|
|
|
|
|
|
Changes in version 0.2.8.13 - 2017-03-03
|
|
Tor 0.2.8.13 backports a security fix from later Tor
|
|
releases. Anybody running Tor 0.2.8.12 or earlier should upgrade to this
|
|
this release, if for some reason they cannot upgrade to a later
|
|
release series, and if they build Tor with the --enable-expensive-hardening
|
|
option.
|
|
|
|
Note that support for Tor 0.2.8.x is ending next year: we will not issue
|
|
any fixes for the Tor 0.2.8.x series after 1 Jan 2018. If you need
|
|
a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
|
|
|
|
o Major bugfixes (parsing, backported from 0.3.0.4-rc):
|
|
- Fix an integer underflow bug when comparing malformed Tor
|
|
versions. This bug could crash Tor when built with
|
|
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
|
|
0.2.9.8, which were built with -ftrapv by default. In other cases
|
|
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
|
|
on 0.0.8pre1. Found by OSS-Fuzz.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
|
|
Changes in version 0.2.7.7 - 2017-03-03
|
|
Tor 0.2.7.7 backports a number of security fixes from later Tor
|
|
releases. Anybody running Tor 0.2.7.6 or earlier should upgrade to
|
|
this release, if for some reason they cannot upgrade to a later
|
|
release series.
|
|
|
|
Note that support for Tor 0.2.7.x is ending this year: we will not issue
|
|
any fixes for the Tor 0.2.7.x series after 1 August 2017. If you need
|
|
a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
|
|
|
|
o Directory authority changes (backport from 0.2.8.5-rc):
|
|
- Urras is no longer a directory authority. Closes ticket 19271.
|
|
|
|
o Directory authority changes (backport from 0.2.9.2-alpha):
|
|
- The "Tonga" bridge authority has been retired; the new bridge
|
|
authority is "Bifroest". Closes tickets 19728 and 19690.
|
|
|
|
o Directory authority key updates (backport from 0.2.8.1-alpha):
|
|
- Update the V3 identity key for the dannenberg directory authority:
|
|
it was changed on 18 November 2015. Closes task 17906. Patch
|
|
by "teor".
|
|
|
|
o Major bugfixes (parsing, security, backport from 0.2.9.8):
|
|
- Fix a bug in parsing that could cause clients to read a single
|
|
byte past the end of an allocated region. This bug could be used
|
|
to cause hardened clients (built with --enable-expensive-hardening)
|
|
to crash if they tried to visit a hostile hidden service. Non-
|
|
hardened clients are only affected depending on the details of
|
|
their platform's memory allocator. Fixes bug 21018; bugfix on
|
|
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
|
|
2016-12-002 and as CVE-2016-1254.
|
|
|
|
o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
|
|
- Stop a crash that could occur when a client running with DNSPort
|
|
received a query with multiple address types, and the first
|
|
address type was not supported. Found and fixed by Scott Dial.
|
|
Fixes bug 18710; bugfix on 0.2.5.4-alpha.
|
|
- Prevent a class of security bugs caused by treating the contents
|
|
of a buffer chunk as if they were a NUL-terminated string. At
|
|
least one such bug seems to be present in all currently used
|
|
versions of Tor, and would allow an attacker to remotely crash
|
|
most Tor instances, especially those compiled with extra compiler
|
|
hardening. With this defense in place, such bugs can't crash Tor,
|
|
though we should still fix them as they occur. Closes ticket
|
|
20384 (TROVE-2016-10-001).
|
|
|
|
o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
|
|
- Avoid a difficult-to-trigger heap corruption attack when extending
|
|
a smartlist to contain over 16GB of pointers. Fixes bug 18162;
|
|
bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
|
|
Reported by Guido Vranken.
|
|
|
|
o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
|
|
- Avoid crashing when running as a DNS proxy. Fixes bug 16248;
|
|
bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
|
|
|
|
o Major bugfixes (key management, backport from 0.2.8.3-alpha):
|
|
- If OpenSSL fails to generate an RSA key, do not retain a dangling
|
|
pointer to the previous (uninitialized) key value. The impact here
|
|
should be limited to a difficult-to-trigger crash, if OpenSSL is
|
|
running an engine that makes key generation failures possible, or
|
|
if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
|
|
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
|
|
Baishakhi Ray.
|
|
|
|
o Major bugfixes (parsing, backported from 0.3.0.4-rc):
|
|
- Fix an integer underflow bug when comparing malformed Tor
|
|
versions. This bug could crash Tor when built with
|
|
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
|
|
0.2.9.8, which were built with -ftrapv by default. In other cases
|
|
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
|
|
on 0.0.8pre1. Found by OSS-Fuzz.
|
|
|
|
o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
|
|
- Make memwipe() do nothing when passed a NULL pointer or buffer of
|
|
zero size. Check size argument to memwipe() for underflow. Fixes
|
|
bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
|
|
patch by "teor".
|
|
|
|
o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
|
|
- Make Tor survive errors involving connections without a
|
|
corresponding event object. Previously we'd fail with an
|
|
assertion; now we produce a log message. Related to bug 16248.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
|
|
Changes in version 0.2.6.11 - 2017-03-03
|
|
Tor 0.2.6.11 backports a number of security fixes from later Tor
|
|
releases. Anybody running Tor 0.2.6.10 or earlier should upgrade to
|
|
this release, if for some reason they cannot upgrade to a later
|
|
release series.
|
|
|
|
Note that support for Tor 0.2.6.x is ending this year: we will not issue
|
|
any fixes for the Tor 0.2.6.x series after 1 August 2017. If you need
|
|
a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
|
|
|
|
o Directory authority changes (backport from 0.2.8.5-rc):
|
|
- Urras is no longer a directory authority. Closes ticket 19271.
|
|
|
|
o Directory authority changes (backport from 0.2.9.2-alpha):
|
|
- The "Tonga" bridge authority has been retired; the new bridge
|
|
authority is "Bifroest". Closes tickets 19728 and 19690.
|
|
|
|
o Directory authority key updates (backport from 0.2.8.1-alpha):
|
|
- Update the V3 identity key for the dannenberg directory authority:
|
|
it was changed on 18 November 2015. Closes task 17906. Patch
|
|
by "teor".
|
|
|
|
o Major features (security fixes, backport from 0.2.9.4-alpha):
|
|
- Prevent a class of security bugs caused by treating the contents
|
|
of a buffer chunk as if they were a NUL-terminated string. At
|
|
least one such bug seems to be present in all currently used
|
|
versions of Tor, and would allow an attacker to remotely crash
|
|
most Tor instances, especially those compiled with extra compiler
|
|
hardening. With this defense in place, such bugs can't crash Tor,
|
|
though we should still fix them as they occur. Closes ticket
|
|
20384 (TROVE-2016-10-001).
|
|
|
|
o Major bugfixes (parsing, security, backport from 0.2.9.8):
|
|
- Fix a bug in parsing that could cause clients to read a single
|
|
byte past the end of an allocated region. This bug could be used
|
|
to cause hardened clients (built with --enable-expensive-hardening)
|
|
to crash if they tried to visit a hostile hidden service. Non-
|
|
hardened clients are only affected depending on the details of
|
|
their platform's memory allocator. Fixes bug 21018; bugfix on
|
|
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
|
|
2016-12-002 and as CVE-2016-1254.
|
|
|
|
o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
|
|
- Stop a crash that could occur when a client running with DNSPort
|
|
received a query with multiple address types, and the first
|
|
address type was not supported. Found and fixed by Scott Dial.
|
|
Fixes bug 18710; bugfix on 0.2.5.4-alpha.
|
|
|
|
o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
|
|
- Fix an error that could cause us to read 4 bytes before the
|
|
beginning of an openssl string. This bug could be used to cause
|
|
Tor to crash on systems with unusual malloc implementations, or
|
|
systems with unusual hardening installed. Fixes bug 17404; bugfix
|
|
on 0.2.3.6-alpha.
|
|
|
|
o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
|
|
- Avoid a difficult-to-trigger heap corruption attack when extending
|
|
a smartlist to contain over 16GB of pointers. Fixes bug 18162;
|
|
bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
|
|
Reported by Guido Vranken.
|
|
|
|
o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
|
|
- Avoid crashing when running as a DNS proxy. Fixes bug 16248;
|
|
bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
|
|
|
|
o Major bugfixes (guard selection, backport from 0.2.7.6):
|
|
- Actually look at the Guard flag when selecting a new directory
|
|
guard. When we implemented the directory guard design, we
|
|
accidentally started treating all relays as if they have the Guard
|
|
flag during guard selection, leading to weaker anonymity and worse
|
|
performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
|
|
by Mohsen Imani.
|
|
|
|
o Major bugfixes (key management, backport from 0.2.8.3-alpha):
|
|
- If OpenSSL fails to generate an RSA key, do not retain a dangling
|
|
pointer to the previous (uninitialized) key value. The impact here
|
|
should be limited to a difficult-to-trigger crash, if OpenSSL is
|
|
running an engine that makes key generation failures possible, or
|
|
if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
|
|
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
|
|
Baishakhi Ray.
|
|
|
|
o Major bugfixes (parsing, backported from 0.3.0.4-rc):
|
|
- Fix an integer underflow bug when comparing malformed Tor
|
|
versions. This bug could crash Tor when built with
|
|
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
|
|
0.2.9.8, which were built with -ftrapv by default. In other cases
|
|
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
|
|
on 0.0.8pre1. Found by OSS-Fuzz.
|
|
|
|
o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
|
|
- Make memwipe() do nothing when passed a NULL pointer or buffer of
|
|
zero size. Check size argument to memwipe() for underflow. Fixes
|
|
bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
|
|
patch by "teor".
|
|
|
|
o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
|
|
- Make Tor survive errors involving connections without a
|
|
corresponding event object. Previously we'd fail with an
|
|
assertion; now we produce a log message. Related to bug 16248.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (compilation, backport from 0.2.7.6):
|
|
- Fix a compilation warning with Clang 3.6: Do not check the
|
|
presence of an address which can never be NULL. Fixes bug 17781.
|
|
|
|
|
|
Changes in version 0.2.5.13 - 2017-03-03
|
|
Tor 0.2.5.13 backports a number of security fixes from later Tor
|
|
releases. Anybody running Tor 0.2.5.13 or earlier should upgrade to
|
|
this release, if for some reason they cannot upgrade to a later
|
|
release series.
|
|
|
|
Note that support for Tor 0.2.5.x is ending next year: we will not issue
|
|
any fixes for the Tor 0.2.5.x series after 1 May 2018. If you need
|
|
a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
|
|
|
|
o Directory authority changes (backport from 0.2.8.5-rc):
|
|
- Urras is no longer a directory authority. Closes ticket 19271.
|
|
|
|
o Directory authority changes (backport from 0.2.9.2-alpha):
|
|
- The "Tonga" bridge authority has been retired; the new bridge
|
|
authority is "Bifroest". Closes tickets 19728 and 19690.
|
|
|
|
o Directory authority key updates (backport from 0.2.8.1-alpha):
|
|
- Update the V3 identity key for the dannenberg directory authority:
|
|
it was changed on 18 November 2015. Closes task 17906. Patch
|
|
by "teor".
|
|
|
|
o Major features (security fixes, backport from 0.2.9.4-alpha):
|
|
- Prevent a class of security bugs caused by treating the contents
|
|
of a buffer chunk as if they were a NUL-terminated string. At
|
|
least one such bug seems to be present in all currently used
|
|
versions of Tor, and would allow an attacker to remotely crash
|
|
most Tor instances, especially those compiled with extra compiler
|
|
hardening. With this defense in place, such bugs can't crash Tor,
|
|
though we should still fix them as they occur. Closes ticket
|
|
20384 (TROVE-2016-10-001).
|
|
|
|
o Major bugfixes (parsing, security, backport from 0.2.9.8):
|
|
- Fix a bug in parsing that could cause clients to read a single
|
|
byte past the end of an allocated region. This bug could be used
|
|
to cause hardened clients (built with --enable-expensive-hardening)
|
|
to crash if they tried to visit a hostile hidden service. Non-
|
|
hardened clients are only affected depending on the details of
|
|
their platform's memory allocator. Fixes bug 21018; bugfix on
|
|
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
|
|
2016-12-002 and as CVE-2016-1254.
|
|
|
|
o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
|
|
- Stop a crash that could occur when a client running with DNSPort
|
|
received a query with multiple address types, and the first
|
|
address type was not supported. Found and fixed by Scott Dial.
|
|
Fixes bug 18710; bugfix on 0.2.5.4-alpha.
|
|
|
|
o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
|
|
- Fix an error that could cause us to read 4 bytes before the
|
|
beginning of an openssl string. This bug could be used to cause
|
|
Tor to crash on systems with unusual malloc implementations, or
|
|
systems with unusual hardening installed. Fixes bug 17404; bugfix
|
|
on 0.2.3.6-alpha.
|
|
|
|
o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
|
|
- Avoid a difficult-to-trigger heap corruption attack when extending
|
|
a smartlist to contain over 16GB of pointers. Fixes bug 18162;
|
|
bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
|
|
Reported by Guido Vranken.
|
|
|
|
o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
|
|
- Avoid crashing when running as a DNS proxy. Fixes bug 16248;
|
|
bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
|
|
|
|
o Major bugfixes (guard selection, backport from 0.2.7.6):
|
|
- Actually look at the Guard flag when selecting a new directory
|
|
guard. When we implemented the directory guard design, we
|
|
accidentally started treating all relays as if they have the Guard
|
|
flag during guard selection, leading to weaker anonymity and worse
|
|
performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
|
|
by Mohsen Imani.
|
|
|
|
o Major bugfixes (key management, backport from 0.2.8.3-alpha):
|
|
- If OpenSSL fails to generate an RSA key, do not retain a dangling
|
|
pointer to the previous (uninitialized) key value. The impact here
|
|
should be limited to a difficult-to-trigger crash, if OpenSSL is
|
|
running an engine that makes key generation failures possible, or
|
|
if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
|
|
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
|
|
Baishakhi Ray.
|
|
|
|
o Major bugfixes (parsing, backported from 0.3.0.4-rc):
|
|
- Fix an integer underflow bug when comparing malformed Tor
|
|
versions. This bug could crash Tor when built with
|
|
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
|
|
0.2.9.8, which were built with -ftrapv by default. In other cases
|
|
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
|
|
on 0.0.8pre1. Found by OSS-Fuzz.
|
|
|
|
o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
|
|
- Make memwipe() do nothing when passed a NULL pointer or buffer of
|
|
zero size. Check size argument to memwipe() for underflow. Fixes
|
|
bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
|
|
patch by "teor".
|
|
|
|
o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
|
|
- Make Tor survive errors involving connections without a
|
|
corresponding event object. Previously we'd fail with an
|
|
assertion; now we produce a log message. Related to bug 16248.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (compilation, backport from 0.2.7.6):
|
|
- Fix a compilation warning with Clang 3.6: Do not check the
|
|
presence of an address which can never be NULL. Fixes bug 17781.
|
|
|
|
o Minor bugfixes (crypto error-handling, backport from 0.2.7.2-alpha):
|
|
- Check for failures from crypto_early_init, and refuse to continue.
|
|
A previous typo meant that we could keep going with an
|
|
uninitialized crypto library, and would have OpenSSL initialize
|
|
its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
|
|
when implementing ticket 4900. Patch by "teor".
|
|
|
|
o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
|
|
- Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
|
|
a client authorized hidden service. Fixes bug 15823; bugfix
|
|
on 0.2.1.6-alpha.
|
|
|
|
|
|
Changes in version 0.2.4.28 - 2017-03-03
|
|
Tor 0.2.4.28 backports a number of security fixes from later Tor
|
|
releases. Anybody running Tor 0.2.4.27 or earlier should upgrade to
|
|
this release, if for some reason they cannot upgrade to a later
|
|
release series.
|
|
|
|
Note that support for Tor 0.2.4.x is ending soon: we will not issue
|
|
any fixes for the Tor 0.2.4.x series after 1 August 2017. If you need
|
|
a Tor release series with long-term support, we recommend Tor 0.2.9.x.
|
|
|
|
o Directory authority changes (backport from 0.2.8.5-rc):
|
|
- Urras is no longer a directory authority. Closes ticket 19271.
|
|
|
|
o Directory authority changes (backport from 0.2.9.2-alpha):
|
|
- The "Tonga" bridge authority has been retired; the new bridge
|
|
authority is "Bifroest". Closes tickets 19728 and 19690.
|
|
|
|
o Directory authority key updates (backport from 0.2.8.1-alpha):
|
|
- Update the V3 identity key for the dannenberg directory authority:
|
|
it was changed on 18 November 2015. Closes task 17906. Patch
|
|
by "teor".
|
|
|
|
o Major features (security fixes, backport from 0.2.9.4-alpha):
|
|
- Prevent a class of security bugs caused by treating the contents
|
|
of a buffer chunk as if they were a NUL-terminated string. At
|
|
least one such bug seems to be present in all currently used
|
|
versions of Tor, and would allow an attacker to remotely crash
|
|
most Tor instances, especially those compiled with extra compiler
|
|
hardening. With this defense in place, such bugs can't crash Tor,
|
|
though we should still fix them as they occur. Closes ticket
|
|
20384 (TROVE-2016-10-001).
|
|
|
|
o Major bugfixes (parsing, security, backport from 0.2.9.8):
|
|
- Fix a bug in parsing that could cause clients to read a single
|
|
byte past the end of an allocated region. This bug could be used
|
|
to cause hardened clients (built with --enable-expensive-hardening)
|
|
to crash if they tried to visit a hostile hidden service. Non-
|
|
hardened clients are only affected depending on the details of
|
|
their platform's memory allocator. Fixes bug 21018; bugfix on
|
|
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
|
|
2016-12-002 and as CVE-2016-1254.
|
|
|
|
o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
|
|
- Fix an error that could cause us to read 4 bytes before the
|
|
beginning of an openssl string. This bug could be used to cause
|
|
Tor to crash on systems with unusual malloc implementations, or
|
|
systems with unusual hardening installed. Fixes bug 17404; bugfix
|
|
on 0.2.3.6-alpha.
|
|
|
|
o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
|
|
- Avoid a difficult-to-trigger heap corruption attack when extending
|
|
a smartlist to contain over 16GB of pointers. Fixes bug 18162;
|
|
bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
|
|
Reported by Guido Vranken.
|
|
|
|
o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
|
|
- Avoid crashing when running as a DNS proxy. Fixes bug 16248;
|
|
bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
|
|
|
|
o Major bugfixes (guard selection, backport from 0.2.7.6):
|
|
- Actually look at the Guard flag when selecting a new directory
|
|
guard. When we implemented the directory guard design, we
|
|
accidentally started treating all relays as if they have the Guard
|
|
flag during guard selection, leading to weaker anonymity and worse
|
|
performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
|
|
by Mohsen Imani.
|
|
|
|
o Major bugfixes (key management, backport from 0.2.8.3-alpha):
|
|
- If OpenSSL fails to generate an RSA key, do not retain a dangling
|
|
pointer to the previous (uninitialized) key value. The impact here
|
|
should be limited to a difficult-to-trigger crash, if OpenSSL is
|
|
running an engine that makes key generation failures possible, or
|
|
if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
|
|
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
|
|
Baishakhi Ray.
|
|
|
|
o Major bugfixes (parsing, backported from 0.3.0.4-rc):
|
|
- Fix an integer underflow bug when comparing malformed Tor
|
|
versions. This bug could crash Tor when built with
|
|
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
|
|
0.2.9.8, which were built with -ftrapv by default. In other cases
|
|
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
|
|
on 0.0.8pre1. Found by OSS-Fuzz.
|
|
|
|
o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
|
|
- Make memwipe() do nothing when passed a NULL pointer or buffer of
|
|
zero size. Check size argument to memwipe() for underflow. Fixes
|
|
bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
|
|
patch by "teor".
|
|
|
|
o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
|
|
- Make Tor survive errors involving connections without a
|
|
corresponding event object. Previously we'd fail with an
|
|
assertion; now we produce a log message. Related to bug 16248.
|
|
|
|
o Minor features (DoS-resistance, backport from 0.2.7.1-alpha):
|
|
- Make it harder for attackers to overload hidden services with
|
|
introductions, by blocking multiple introduction requests on the
|
|
same circuit. Resolves ticket 15515.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (compilation, backport from 0.2.7.6):
|
|
- Fix a compilation warning with Clang 3.6: Do not check the
|
|
presence of an address which can never be NULL. Fixes bug 17781.
|
|
|
|
o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
|
|
- Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
|
|
a client authorized hidden service. Fixes bug 15823; bugfix
|
|
on 0.2.1.6-alpha.
|
|
|
|
|
|
Changes in version 0.3.0.4-rc - 2017-03-01
|
|
Tor 0.3.0.4-rc fixes some remaining bugs, large and small, in the
|
|
0.3.0 release series, and introduces a few reliability features to
|
|
keep them from coming back.
|
|
|
|
This is the first release candidate in the Tor 0.3.0 series. If we
|
|
find no new bugs or regressions here, the first stable 0.3.0 release
|
|
will be nearly identical to it.
|
|
|
|
o Major bugfixes (bridges):
|
|
- When the same bridge is configured multiple times with the same
|
|
identity, but at different address:port combinations, treat those
|
|
bridge instances as separate guards. This fix restores the ability
|
|
of clients to configure the same bridge with multiple pluggable
|
|
transports. Fixes bug 21027; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Major bugfixes (hidden service directory v3):
|
|
- Stop crashing on a failed v3 hidden service descriptor lookup
|
|
failure. Fixes bug 21471; bugfixes on tor-0.3.0.1-alpha.
|
|
|
|
o Major bugfixes (parsing):
|
|
- When parsing a malformed content-length field from an HTTP
|
|
message, do not read off the end of the buffer. This bug was a
|
|
potential remote denial-of-service attack against Tor clients and
|
|
relays. A workaround was released in October 2016, to prevent this
|
|
bug from crashing Tor. This is a fix for the underlying issue,
|
|
which should no longer matter (if you applied the earlier patch).
|
|
Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing
|
|
using AFL (http://lcamtuf.coredump.cx/afl/).
|
|
- Fix an integer underflow bug when comparing malformed Tor
|
|
versions. This bug could crash Tor when built with
|
|
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
|
|
0.2.9.8, which were built with -ftrapv by default. In other cases
|
|
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
|
|
on 0.0.8pre1. Found by OSS-Fuzz.
|
|
|
|
o Minor feature (protocol versioning):
|
|
- Add new protocol version for proposal 224. HSIntro now advertises
|
|
version "3-4" and HSDir version "1-2". Fixes ticket 20656.
|
|
|
|
o Minor features (directory authorities):
|
|
- Directory authorities now reject descriptors that claim to be
|
|
malformed versions of Tor. Helps prevent exploitation of
|
|
bug 21278.
|
|
- Reject version numbers with components that exceed INT32_MAX.
|
|
Otherwise 32-bit and 64-bit platforms would behave inconsistently.
|
|
Fixes bug 21450; bugfix on 0.0.8pre1.
|
|
- Directory authorities now reject relays running versions
|
|
0.2.9.1-alpha through 0.2.9.4-alpha, because those relays
|
|
suffer from bug 20499 and don't keep their consensus cache
|
|
up-to-date. Resolves ticket 20509.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (reliability, crash):
|
|
- Try better to detect problems in buffers where they might grow (or
|
|
think they have grown) over 2 GB in size. Diagnostic for
|
|
bug 21369.
|
|
|
|
o Minor features (testing):
|
|
- During 'make test-network-all', if tor logs any warnings, ask
|
|
chutney to output them. Requires a recent version of chutney with
|
|
the 21572 patch. Implements 21570.
|
|
|
|
o Minor bugfixes (certificate expiration time):
|
|
- Avoid using link certificates that don't become valid till some
|
|
time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha
|
|
|
|
o Minor bugfixes (code correctness):
|
|
- Repair a couple of (unreachable or harmless) cases of the risky
|
|
comparison-by-subtraction pattern that caused bug 21278.
|
|
- Remove a redundant check for the UseEntryGuards option from the
|
|
options_transition_affects_guards() function. Fixes bug 21492;
|
|
bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (directory mirrors):
|
|
- Allow relays to use directory mirrors without a DirPort: these
|
|
relays need to be contacted over their ORPorts using a begindir
|
|
connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha.
|
|
- Clarify the message logged when a remote relay is unexpectedly
|
|
missing an ORPort or DirPort: users were confusing this with a
|
|
local port. Fixes another case of bug 20711; bugfix
|
|
on 0.2.8.2-alpha.
|
|
|
|
o Minor bugfixes (guards):
|
|
- Don't warn about a missing guard state on timeout-measurement
|
|
circuits: they aren't supposed to be using guards. Fixes an
|
|
instance of bug 21007; bugfix on 0.3.0.1-alpha.
|
|
- Silence a BUG() warning when attempting to use a guard whose
|
|
descriptor we don't know, and make this scenario less likely to
|
|
happen. Fixes bug 21415; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (hidden service):
|
|
- Pass correct buffer length when encoding legacy ESTABLISH_INTRO
|
|
cells. Previously, we were using sizeof() on a pointer, instead of
|
|
the real destination buffer. Fortunately, that value was only used
|
|
to double-check that there was enough room--which was already
|
|
enforced elsewhere. Fixes bug 21553; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Fix Raspbian build issues related to missing socket errno in
|
|
test_util.c. Fixes bug 21116; bugfix on tor-0.2.8.2. Patch
|
|
by "hein".
|
|
- Rename "make fuzz" to "make test-fuzz-corpora", since it doesn't
|
|
actually fuzz anything. Fixes bug 21447; bugfix on 0.3.0.3-alpha.
|
|
- Use bash in src/test/test-network.sh. This ensures we reliably
|
|
call chutney's newer tools/test-network.sh when available. Fixes
|
|
bug 21562; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Documentation:
|
|
- Small fixes to the fuzzing documentation. Closes ticket 21472.
|
|
|
|
|
|
Changes in version 0.2.9.10 - 2017-03-01
|
|
Tor 0.2.9.10 backports a security fix from later Tor release. It also
|
|
includes fixes for some major issues affecting directory authorities,
|
|
LibreSSL compatibility, and IPv6 correctness.
|
|
|
|
The Tor 0.2.9.x release series is now marked as a long-term-support
|
|
series. We intend to backport security fixes to 0.2.9.x until at
|
|
least January of 2020.
|
|
|
|
o Major bugfixes (directory authority, 0.3.0.3-alpha):
|
|
- During voting, when marking a relay as a probable sybil, do not
|
|
clear its BadExit flag: sybils can still be bad in other ways
|
|
too. (We still clear the other flags.) Fixes bug 21108; bugfix
|
|
on 0.2.0.13-alpha.
|
|
|
|
o Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha):
|
|
- Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
|
|
any IPv6 addresses. Instead, only reject a port over IPv6 if the
|
|
exit policy rejects that port on more than an IPv6 /16 of
|
|
addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
|
|
which rejected a relay's own IPv6 address by default. Fixes bug
|
|
21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.
|
|
|
|
o Major bugfixes (parsing, also in 0.3.0.4-rc):
|
|
- Fix an integer underflow bug when comparing malformed Tor
|
|
versions. This bug could crash Tor when built with
|
|
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
|
|
0.2.9.8, which were built with -ftrapv by default. In other cases
|
|
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
|
|
on 0.0.8pre1. Found by OSS-Fuzz.
|
|
|
|
o Minor features (directory authorities, also in 0.3.0.4-rc):
|
|
- Directory authorities now reject descriptors that claim to be
|
|
malformed versions of Tor. Helps prevent exploitation of
|
|
bug 21278.
|
|
- Reject version numbers with components that exceed INT32_MAX.
|
|
Otherwise 32-bit and 64-bit platforms would behave inconsistently.
|
|
Fixes bug 21450; bugfix on 0.0.8pre1.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (portability, compilation, backport from 0.3.0.3-alpha):
|
|
- Autoconf now checks to determine if OpenSSL structures are opaque,
|
|
instead of explicitly checking for OpenSSL version numbers. Part
|
|
of ticket 21359.
|
|
- Support building with recent LibreSSL code that uses opaque
|
|
structures. Closes ticket 21359.
|
|
|
|
o Minor bugfixes (code correctness, also in 0.3.0.4-rc):
|
|
- Repair a couple of (unreachable or harmless) cases of the risky
|
|
comparison-by-subtraction pattern that caused bug 21278.
|
|
|
|
o Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha):
|
|
- The tor-resolve command line tool now rejects hostnames over 255
|
|
characters in length. Previously, it would silently truncate them,
|
|
which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
|
|
Patch by "junglefowl".
|
|
|
|
|
|
Changes in version 0.3.0.3-alpha - 2017-02-03
|
|
Tor 0.3.0.3-alpha fixes a few significant bugs introduced over the
|
|
0.3.0.x development series, including some that could cause
|
|
authorities to behave badly. There is also a fix for a longstanding
|
|
bug that could prevent IPv6 exits from working. Tor 0.3.0.3-alpha also
|
|
includes some smaller features and bugfixes.
|
|
|
|
The Tor 0.3.0.x release series is now in patch-freeze: no additional
|
|
features will be considered for inclusion in 0.3.0.x. We suspect that
|
|
some bugs will probably remain, however, and we encourage people to
|
|
test this release.
|
|
|
|
o Major bugfixes (directory authority):
|
|
- During voting, when marking a relay as a probable sybil, do not
|
|
clear its BadExit flag: sybils can still be bad in other ways
|
|
too. (We still clear the other flags.) Fixes bug 21108; bugfix
|
|
on 0.2.0.13-alpha.
|
|
- When deciding whether we have just found a router to be reachable,
|
|
do not penalize it for not having performed an Ed25519 link
|
|
handshake if it does not claim to support an Ed25519 handshake.
|
|
Previously, we would treat such relays as non-running. Fixes bug
|
|
21107; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Major bugfixes (entry guards):
|
|
- Stop trying to build circuits through entry guards for which we
|
|
have no descriptor. Also, stop crashing in the case that we *do*
|
|
accidentally try to build a circuit in such a state. Fixes bug
|
|
21242; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Major bugfixes (IPv6 Exits):
|
|
- Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
|
|
any IPv6 addresses. Instead, only reject a port over IPv6 if the
|
|
exit policy rejects that port on more than an IPv6 /16 of
|
|
addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
|
|
which rejected a relay's own IPv6 address by default. Fixes bug
|
|
21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.
|
|
|
|
o Minor feature (client):
|
|
- Enable IPv6 traffic on the SocksPort by default. To disable this,
|
|
a user will have to specify "NoIPv6Traffic". Closes ticket 21269.
|
|
|
|
o Minor feature (fallback scripts):
|
|
- Add a check_existing mode to updateFallbackDirs.py, which checks
|
|
if fallbacks in the hard-coded list are working. Closes ticket
|
|
20174. Patch by haxxpop.
|
|
|
|
o Minor features (ciphersuite selection):
|
|
- Clients now advertise a list of ciphersuites closer to the ones
|
|
preferred by Firefox. Closes part of ticket 15426.
|
|
- Allow relays to accept a wider range of ciphersuites, including
|
|
chacha20-poly1305 and AES-CCM. Closes the other part of 15426.
|
|
|
|
o Minor features (controller, configuration):
|
|
- Each of the *Port options, such as SocksPort, ORPort, ControlPort,
|
|
and so on, now comes with a __*Port variant that will not be saved
|
|
to the torrc file by the controller's SAVECONF command. This
|
|
change allows TorBrowser to set up a single-use domain socket for
|
|
each time it launches Tor. Closes ticket 20956.
|
|
- The GETCONF command can now query options that may only be
|
|
meaningful in context-sensitive lists. This allows the controller
|
|
to query the mixed SocksPort/__SocksPort style options introduced
|
|
in feature 20956. Implements ticket 21300.
|
|
|
|
o Minor features (portability, compilation):
|
|
- Autoconf now checks to determine if OpenSSL structures are opaque,
|
|
instead of explicitly checking for OpenSSL version numbers. Part
|
|
of ticket 21359.
|
|
- Support building with recent LibreSSL code that uses opaque
|
|
structures. Closes ticket 21359.
|
|
|
|
o Minor features (relay):
|
|
- We now allow separation of exit and relay traffic to different
|
|
source IP addresses, using the OutboundBindAddressExit and
|
|
OutboundBindAddressOR options respectively. Closes ticket 17975.
|
|
Written by Michael Sonntag.
|
|
|
|
o Minor bugfix (logging):
|
|
- Don't recommend the use of Tor2web in non-anonymous mode.
|
|
Recommending Tor2web is a bad idea because the client loses all
|
|
anonymity. Tor2web should only be used in specific cases by users
|
|
who *know* and understand the issues. Fixes bug 21294; bugfix
|
|
on 0.2.9.3-alpha.
|
|
|
|
o Minor bugfixes (client):
|
|
- Always recover from failures in extend_info_from_node(), in an
|
|
attempt to prevent any recurrence of bug 21242. Fixes bug 21372;
|
|
bugfix on 0.2.3.1-alpha.
|
|
|
|
o Minor bugfixes (client, entry guards):
|
|
- Fix a bug warning (with backtrace) when we fail a channel that
|
|
circuits to fallback directories on it. Fixes bug 21128; bugfix
|
|
on 0.3.0.1-alpha.
|
|
- Fix a spurious bug warning (with backtrace) when removing an
|
|
expired entry guard. Fixes bug 21129; bugfix on 0.3.0.1-alpha.
|
|
- Fix a bug of the new guard algorithm where tor could stall for up
|
|
to 10 minutes before retrying a guard after a long period of no
|
|
network. Fixes bug 21052; bugfix on 0.3.0.1-alpha.
|
|
- Do not try to build circuits until we have descriptors for our
|
|
primary entry guards. Related to fix for bug 21242.
|
|
|
|
o Minor bugfixes (configure, autoconf):
|
|
- Rename the configure option --enable-expensive-hardening to
|
|
--enable-fragile-hardening. Expensive hardening makes the tor
|
|
daemon abort when some kinds of issues are detected. Thus, it
|
|
makes tor more at risk of remote crashes but safer against RCE or
|
|
heartbleed bug category. We now try to explain this issue in a
|
|
message from the configure script. Fixes bug 21290; bugfix
|
|
on 0.2.5.4-alpha.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Restore the (deprecated) DROPGUARDS controller command. Fixes bug
|
|
20824; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (hidden service):
|
|
- Clean up the code for expiring intro points with no associated
|
|
circuits. It was causing, rarely, a service with some expiring
|
|
introduction points to not open enough additional introduction
|
|
points. Fixes part of bug 21302; bugfix on 0.2.7.2-alpha.
|
|
- Stop setting the torrc option HiddenServiceStatistics to "0" just
|
|
because we're not a bridge or relay. Instead, we preserve whatever
|
|
value the user set (or didn't set). Fixes bug 21150; bugfix
|
|
on 0.2.6.2-alpha.
|
|
- Resolve two possible underflows which could lead to creating and
|
|
closing a lot of introduction point circuits in a non-stop loop.
|
|
Fixes bug 21302; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (portability):
|
|
- Use "OpenBSD" compiler macro instead of "OPENBSD" or "__OpenBSD__".
|
|
It is supported by OpenBSD itself, and also by most OpenBSD
|
|
variants (such as Bitrig). Fixes bug 20980; bugfix
|
|
on 0.1.2.1-alpha.
|
|
- When mapping a file of length greater than SIZE_MAX, do not
|
|
silently truncate its contents. This issue could occur on 32 bit
|
|
systems with large file support and files which are larger than 4
|
|
GB. Fixes bug 21134; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (tor-resolve):
|
|
- The tor-resolve command line tool now rejects hostnames over 255
|
|
characters in length. Previously, it would silently truncate them,
|
|
which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
|
|
Patch by "junglefowl".
|
|
|
|
o Minor bugfixes (Windows services):
|
|
- Be sure to initialize the monotonic time subsystem before using
|
|
it, even when running as an NT service. Fixes bug 21356; bugfix
|
|
on 0.2.9.1-alpha.
|
|
|
|
|
|
Changes in version 0.3.0.2-alpha - 2017-01-23
|
|
Tor 0.3.0.2-alpha fixes a denial-of-service bug where an attacker could
|
|
cause relays and clients to crash, even if they were not built with
|
|
the --enable-expensive-hardening option. This bug affects all 0.2.9.x
|
|
versions, and also affects 0.3.0.1-alpha: all relays running an affected
|
|
version should upgrade.
|
|
|
|
Tor 0.3.0.2-alpha also improves how exit relays and clients handle DNS
|
|
time-to-live values, makes directory authorities enforce the 1-to-1
|
|
mapping of relay RSA identity keys to ED25519 identity keys, fixes a
|
|
client-side onion service reachability bug, does better at selecting
|
|
the set of fallback directories, and more.
|
|
|
|
o Major bugfixes (security, also in 0.2.9.9):
|
|
- Downgrade the "-ftrapv" option from "always on" to "only on when
|
|
--enable-expensive-hardening is provided." This hardening option, like
|
|
others, can turn survivable bugs into crashes--and having it on by
|
|
default made a (relatively harmless) integer overflow bug into a
|
|
denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on
|
|
0.2.9.1-alpha.
|
|
|
|
o Major features (security):
|
|
- Change the algorithm used to decide DNS TTLs on client and server
|
|
side, to better resist DNS-based correlation attacks like the
|
|
DefecTor attack of Greschbach, Pulls, Roberts, Winter, and
|
|
Feamster. Now relays only return one of two possible DNS TTL
|
|
values, and clients are willing to believe DNS TTL values up to 3
|
|
hours long. Closes ticket 19769.
|
|
|
|
o Major features (directory authority, security):
|
|
- The default for AuthDirPinKeys is now 1: directory authorities
|
|
will reject relays where the RSA identity key matches a previously
|
|
seen value, but the Ed25519 key has changed. Closes ticket 18319.
|
|
|
|
o Major bugfixes (client, guard, crash):
|
|
- In circuit_get_global_origin_list(), return the actual list of
|
|
origin circuits. The previous version of this code returned the
|
|
list of all the circuits, and could have caused strange bugs,
|
|
including possible crashes. Fixes bug 21118; bugfix
|
|
on 0.3.0.1-alpha.
|
|
|
|
o Major bugfixes (client, onion service, also in 0.2.9.9):
|
|
- Fix a client-side onion service reachability bug, where multiple
|
|
socks requests to an onion service (or a single slow request)
|
|
could cause us to mistakenly mark some of the service's
|
|
introduction points as failed, and we cache that failure so
|
|
eventually we run out and can't reach the service. Also resolves a
|
|
mysterious "Remote server sent bogus reason code 65021" log
|
|
warning. The bug was introduced in ticket 17218, where we tried to
|
|
remember the circuit end reason as a uint16_t, which mangled
|
|
negative values. Partially fixes bug 21056 and fixes bug 20307;
|
|
bugfix on 0.2.8.1-alpha.
|
|
|
|
o Major bugfixes (DNS):
|
|
- Fix a bug that prevented exit nodes from caching DNS records for
|
|
more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha.
|
|
|
|
o Minor features (controller):
|
|
- Add "GETINFO sr/current" and "GETINFO sr/previous" keys, to expose
|
|
shared-random values to the controller. Closes ticket 19925.
|
|
|
|
o Minor features (entry guards):
|
|
- Add UseEntryGuards to TEST_OPTIONS_DEFAULT_VALUES in order to not
|
|
break regression tests.
|
|
- Require UseEntryGuards when UseBridges is set, in order to make
|
|
sure bridges aren't bypassed. Resolves ticket 20502.
|
|
|
|
o Minor features (fallback directories):
|
|
- Select 200 fallback directories for each release. Closes
|
|
ticket 20881.
|
|
- Allow 3 fallback relays per operator, which is safe now that we
|
|
are choosing 200 fallback relays. Closes ticket 20912.
|
|
- Exclude relays affected by bug 20499 from the fallback list.
|
|
Exclude relays from the fallback list if they are running versions
|
|
known to be affected by bug 20499, or if in our tests they deliver
|
|
a stale consensus (i.e. one that expired more than 24 hours ago).
|
|
Closes ticket 20539.
|
|
- Reduce the minimum fallback bandwidth to 1 MByte/s. Part of
|
|
ticket 18828.
|
|
- Require fallback directories to have the same address and port for
|
|
7 days (now that we have enough relays with this stability).
|
|
Relays whose OnionOO stability timer is reset on restart by bug
|
|
18050 should upgrade to Tor 0.2.8.7 or later, which has a fix for
|
|
this issue. Closes ticket 20880; maintains short-term fix
|
|
in 0.2.8.2-alpha.
|
|
- Require fallbacks to have flags for 90% of the time (weighted
|
|
decaying average), rather than 95%. This allows at least 73% of
|
|
clients to bootstrap in the first 5 seconds without contacting an
|
|
authority. Part of ticket 18828.
|
|
- Annotate updateFallbackDirs.py with the bandwidth and consensus
|
|
weight for each candidate fallback. Closes ticket 20878.
|
|
- Make it easier to change the output sort order of fallbacks.
|
|
Closes ticket 20822.
|
|
- Display the relay fingerprint when downloading consensuses from
|
|
fallbacks. Closes ticket 20908.
|
|
|
|
o Minor features (geoip, also in 0.2.9.9):
|
|
- Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (next-gen onion service directories):
|
|
- Remove the "EnableOnionServicesV3" consensus parameter that we
|
|
introduced in 0.3.0.1-alpha: relays are now always willing to act
|
|
as v3 onion service directories. Resolves ticket 19899.
|
|
|
|
o Minor features (linting):
|
|
- Enhance the changes file linter to warn on Tor versions that are
|
|
prefixed with "tor-". Closes ticket 21096.
|
|
|
|
o Minor features (logging):
|
|
- In several places, describe unset ed25519 keys as "<unset>",
|
|
rather than the scary "AAAAAAAA...AAA". Closes ticket 21037.
|
|
|
|
o Minor bugfix (control protocol):
|
|
- The reply to a "GETINFO config/names" request via the control
|
|
protocol now spells the type "Dependent" correctly. This is a
|
|
breaking change in the control protocol. (The field seems to be
|
|
ignored by the most common known controllers.) Fixes bug 18146;
|
|
bugfix on 0.1.1.4-alpha.
|
|
|
|
o Minor bugfixes (bug resilience):
|
|
- Fix an unreachable size_t overflow in base64_decode(). Fixes bug
|
|
19222; bugfix on 0.2.0.9-alpha. Found by Guido Vranken; fixed by
|
|
Hans Jerry Illikainen.
|
|
|
|
o Minor bugfixes (build):
|
|
- Replace obsolete Autoconf macros with their modern equivalent and
|
|
prevent similar issues in the future. Fixes bug 20990; bugfix
|
|
on 0.1.0.1-rc.
|
|
|
|
o Minor bugfixes (client, guards):
|
|
- Fix bug where Tor would think that there are circuits waiting for
|
|
better guards even though those circuits have been freed. Fixes
|
|
bug 21142; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (config):
|
|
- Don't assert on startup when trying to get the options list and
|
|
LearnCircuitBuildTimeout is set to 0: we are currently parsing the
|
|
options so of course they aren't ready yet. Fixes bug 21062;
|
|
bugfix on 0.2.9.3-alpha.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Make the GETINFO interface for inquiring about entry guards
|
|
support the new guards backend. Fixes bug 20823; bugfix
|
|
on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (dead code):
|
|
- Remove a redundant check for PidFile changes at runtime in
|
|
options_transition_allowed(): this check is already performed
|
|
regardless of whether the sandbox is active. Fixes bug 21123;
|
|
bugfix on 0.2.5.4-alpha.
|
|
|
|
o Minor bugfixes (documentation):
|
|
- Update the tor manual page to document every option that can not
|
|
be changed while tor is running. Fixes bug 21122.
|
|
|
|
o Minor bugfixes (fallback directories):
|
|
- Stop failing when a relay has no uptime data in
|
|
updateFallbackDirs.py. Fixes bug 20945; bugfix on 0.2.8.1-alpha.
|
|
- Avoid checking fallback candidates' DirPorts if they are down in
|
|
OnionOO. When a relay operator has multiple relays, this
|
|
prioritizes relays that are up over relays that are down. Fixes
|
|
bug 20926; bugfix on 0.2.8.3-alpha.
|
|
- Stop failing when OUTPUT_COMMENTS is True in updateFallbackDirs.py.
|
|
Fixes bug 20877; bugfix on 0.2.8.3-alpha.
|
|
|
|
o Minor bugfixes (guards, bootstrapping):
|
|
- When connecting to a directory guard during bootstrap, do not mark
|
|
the guard as successful until we receive a good-looking directory
|
|
response from it. Fixes bug 20974; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (onion services):
|
|
- Fix the config reload pruning of old vs new services so it
|
|
actually works when both ephemeral and non-ephemeral services are
|
|
configured. Fixes bug 21054; bugfix on 0.3.0.1-alpha.
|
|
- Allow the number of introduction points to be as low as 0, rather
|
|
than as low as 3. Fixes bug 21033; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (IPv6):
|
|
- Make IPv6-using clients try harder to find an IPv6 directory
|
|
server. Fixes bug 20999; bugfix on 0.2.8.2-alpha.
|
|
- When IPv6 addresses have not been downloaded yet (microdesc
|
|
consensus documents don't list relay IPv6 addresses), use hard-
|
|
coded addresses for authorities, fallbacks, and configured
|
|
bridges. Now IPv6-only clients can use microdescriptors. Fixes bug
|
|
20996; bugfix on b167e82 from 19608 in 0.2.8.5-alpha.
|
|
|
|
o Minor bugfixes (memory leaks):
|
|
- Fix a memory leak when configuring hidden services. Fixes bug
|
|
20987; bugfix on 0.3.0.1-alpha.
|
|
|
|
o Minor bugfixes (portability, also in 0.2.9.9):
|
|
- Avoid crashing when Tor is built using headers that contain
|
|
CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
|
|
without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
|
|
on 0.2.9.1-alpha.
|
|
- Fix Libevent detection on platforms without Libevent 1 headers
|
|
installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Minor bugfixes (relay):
|
|
- Honor DataDirectoryGroupReadable when tor is a relay. Previously,
|
|
initializing the keys would reset the DataDirectory to 0700
|
|
instead of 0750 even if DataDirectoryGroupReadable was set to 1.
|
|
Fixes bug 19953; bugfix on 0.0.2pre16. Patch by "redfish".
|
|
|
|
o Minor bugfixes (testing):
|
|
- Remove undefined behavior from the backtrace generator by removing
|
|
its signal handler. Fixes bug 21026; bugfix on 0.2.5.2-alpha.
|
|
|
|
o Minor bugfixes (unit tests):
|
|
- Allow the unit tests to pass even when DNS lookups of bogus
|
|
addresses do not fail as expected. Fixes bug 20862 and 20863;
|
|
bugfix on unit tests introduced in 0.2.8.1-alpha
|
|
through 0.2.9.4-alpha.
|
|
|
|
o Code simplification and refactoring:
|
|
- Refactor code to manipulate global_origin_circuit_list into
|
|
separate functions. Closes ticket 20921.
|
|
|
|
o Documentation (formatting):
|
|
- Clean up formatting of tor.1 man page and HTML doc, where <pre>
|
|
blocks were incorrectly appearing. Closes ticket 20885.
|
|
|
|
o Documentation (man page):
|
|
- Clarify many options in tor.1 and add some min/max values for
|
|
HiddenService options. Closes ticket 21058.
|
|
|
|
|
|
Changes in version 0.2.9.9 - 2017-01-23
|
|
Tor 0.2.9.9 fixes a denial-of-service bug where an attacker could
|
|
cause relays and clients to crash, even if they were not built with
|
|
the --enable-expensive-hardening option. This bug affects all 0.2.9.x
|
|
versions, and also affects 0.3.0.1-alpha: all relays running an affected
|
|
version should upgrade.
|
|
|
|
This release also resolves a client-side onion service reachability
|
|
bug, and resolves a pair of small portability issues.
|
|
|
|
o Major bugfixes (security):
|
|
- Downgrade the "-ftrapv" option from "always on" to "only on when
|
|
--enable-expensive-hardening is provided." This hardening option,
|
|
like others, can turn survivable bugs into crashes -- and having
|
|
it on by default made a (relatively harmless) integer overflow bug
|
|
into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
|
|
bugfix on 0.2.9.1-alpha.
|
|
|
|
o Major bugfixes (client, onion service):
|
|
- Fix a client-side onion service reachability bug, where multiple
|
|
socks requests to an onion service (or a single slow request)
|
|
could cause us to mistakenly mark some of the service's
|
|
introduction points as failed, and we cache that failure so
|
|
eventually we run out and can't reach the service. Also resolves a
|
|
mysterious "Remote server sent bogus reason code 65021" log
|
|
warning. The bug was introduced in ticket 17218, where we tried to
|
|
remember the circuit end reason as a uint16_t, which mangled
|
|
negative values. Partially fixes bug 21056 and fixes bug 20307;
|
|
bugfix on 0.2.8.1-alpha.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (portability):
|
|
- Avoid crashing when Tor is built using headers that contain
|
|
CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
|
|
without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
|
|
on 0.2.9.1-alpha.
|
|
- Fix Libevent detection on platforms without Libevent 1 headers
|
|
installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.
|
|
|
|
|
|
Changes in version 0.3.0.1-alpha - 2016-12-19
|
|
Tor 0.3.0.1-alpha is the first alpha release in the 0.3.0 development
|
|
series. It strengthens Tor's link and circuit handshakes by
|
|
identifying relays by their Ed25519 keys, improves the algorithm that
|
|
clients use to choose and maintain their list of guards, and includes
|
|
additional backend support for the next-generation hidden service
|
|
design. It also contains numerous other small features and
|
|
improvements to security, correctness, and performance.
|
|
|
|
Below are the changes since 0.2.9.8.
|
|
|
|
o Major features (guard selection algorithm):
|
|
- Tor's guard selection algorithm has been redesigned from the
|
|
ground up, to better support unreliable networks and restrictive
|
|
sets of entry nodes, and to better resist guard-capture attacks by
|
|
hostile local networks. Implements proposal 271; closes
|
|
ticket 19877.
|
|
|
|
o Major features (next-generation hidden services):
|
|
- Relays can now handle v3 ESTABLISH_INTRO cells as specified by
|
|
prop224 aka "Next Generation Hidden Services". Service and clients
|
|
don't use this functionality yet. Closes ticket 19043. Based on
|
|
initial code by Alec Heifetz.
|
|
- Relays now support the HSDir version 3 protocol, so that they can
|
|
can store and serve v3 descriptors. This is part of the next-
|
|
generation onion service work detailed in proposal 224. Closes
|
|
ticket 17238.
|
|
|
|
o Major features (protocol, ed25519 identity keys):
|
|
- Relays now use Ed25519 to prove their Ed25519 identities and to
|
|
one another, and to clients. This algorithm is faster and more
|
|
secure than the RSA-based handshake we've been doing until now.
|
|
Implements the second big part of proposal 220; Closes
|
|
ticket 15055.
|
|
- Clients now support including Ed25519 identity keys in the EXTEND2
|
|
cells they generate. By default, this is controlled by a consensus
|
|
parameter, currently disabled. You can turn this feature on for
|
|
testing by setting ExtendByEd25519ID in your configuration. This
|
|
might make your traffic appear different than the traffic
|
|
generated by other users, however. Implements part of ticket
|
|
15056; part of proposal 220.
|
|
- Relays now understand requests to extend to other relays by their
|
|
Ed25519 identity keys. When an Ed25519 identity key is included in
|
|
an EXTEND2 cell, the relay will only extend the circuit if the
|
|
other relay can prove ownership of that identity. Implements part
|
|
of ticket 15056; part of proposal 220.
|
|
|
|
o Major bugfixes (scheduler):
|
|
- Actually compare circuit policies in ewma_cmp_cmux(). This bug
|
|
caused the channel scheduler to behave more or less randomly,
|
|
rather than preferring channels with higher-priority circuits.
|
|
Fixes bug 20459; bugfix on 0.2.6.2-alpha.
|
|
|
|
o Minor features (controller):
|
|
- When HSFETCH arguments cannot be parsed, say "Invalid argument"
|
|
rather than "unrecognized." Closes ticket 20389; patch from
|
|
Ivan Markin.
|
|
|
|
o Minor features (diagnostic, directory client):
|
|
- Warn when we find an unexpected inconsistency in directory
|
|
download status objects. Prevents some negative consequences of
|
|
bug 20593.
|
|
|
|
o Minor features (directory authority):
|
|
- Add a new authority-only AuthDirTestEd25519LinkKeys option (on by
|
|
default) to control whether authorities should try to probe relays
|
|
by their Ed25519 link keys. This option will go away in a few
|
|
releases--unless we encounter major trouble in our ed25519 link
|
|
protocol rollout, in which case it will serve as a safety option.
|
|
|
|
o Minor features (directory cache):
|
|
- Relays and bridges will now refuse to serve the consensus they
|
|
have if they know it is too old for a client to use. Closes
|
|
ticket 20511.
|
|
|
|
o Minor features (ed25519 link handshake):
|
|
- Advertise support for the ed25519 link handshake using the
|
|
subprotocol-versions mechanism, so that clients can tell which
|
|
relays can identity themselves by Ed25519 ID. Closes ticket 20552.
|
|
|
|
o Minor features (fingerprinting resistance, authentication):
|
|
- Extend the length of RSA keys used for TLS link authentication to
|
|
2048 bits. (These weren't used for forward secrecy; for forward
|
|
secrecy, we used P256.) Closes ticket 13752.
|
|
|
|
o Minor features (infrastructure):
|
|
- Implement smartlist_add_strdup() function. Replaces the use of
|
|
smartlist_add(sl, tor_strdup(str)). Closes ticket 20048.
|
|
|
|
o Minor bugfixes (client):
|
|
- When clients that use bridges start up with a cached consensus on
|
|
disk, they were ignoring it and downloading a new one. Now they
|
|
use the cached one. Fixes bug 20269; bugfix on 0.2.3.12-alpha.
|
|
|
|
o Minor bugfixes (configuration):
|
|
- Accept non-space whitespace characters after the severity level in
|
|
the `Log` option. Fixes bug 19965; bugfix on 0.2.1.1-alpha.
|
|
- Support "TByte" and "TBytes" units in options given in bytes.
|
|
"TB", "terabyte(s)", "TBit(s)" and "terabit(s)" were already
|
|
supported. Fixes bug 20622; bugfix on 0.2.0.14-alpha.
|
|
|
|
o Minor bugfixes (consensus weight):
|
|
- Add new consensus method that initializes bw weights to 1 instead
|
|
of 0. This prevents a zero weight from making it all the way to
|
|
the end (happens in small testing networks) and causing an error.
|
|
Fixes bug 14881; bugfix on 0.2.2.17-alpha.
|
|
|
|
o Minor bugfixes (descriptors):
|
|
- Correctly recognise downloaded full descriptors as valid, even
|
|
when using microdescriptors as circuits. This affects clients with
|
|
FetchUselessDescriptors set, and may affect directory authorities.
|
|
Fixes bug 20839; bugfix on 0.2.3.2-alpha.
|
|
|
|
o Minor bugfixes (directory system):
|
|
- Download all consensus flavors, descriptors, and authority
|
|
certificates when FetchUselessDescriptors is set, regardless of
|
|
whether tor is a directory cache or not. Fixes bug 20667; bugfix
|
|
on all recent tor versions.
|
|
- Bridges and relays now use microdescriptors (like clients do)
|
|
rather than old-style router descriptors. Now bridges will blend
|
|
in with clients in terms of the circuits they build. Fixes bug
|
|
6769; bugfix on 0.2.3.2-alpha.
|
|
|
|
o Minor bugfixes (ed25519 certificates):
|
|
- Correctly interpret ed25519 certificates that would expire some
|
|
time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Stop ignoring misconfigured hidden services. Instead, refuse to
|
|
start tor until the misconfigurations have been corrected. Fixes
|
|
bug 20559; bugfix on multiple commits in 0.2.7.1-alpha
|
|
and earlier.
|
|
|
|
o Minor bugfixes (memory leak at exit):
|
|
- Fix a small harmless memory leak at exit of the previously unused
|
|
RSA->Ed identity cross-certificate. Fixes bug 17779; bugfix
|
|
on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (util):
|
|
- When finishing writing a file to disk, if we were about to replace
|
|
the file with the temporary file created before and we fail to
|
|
replace it, remove the temporary file so it doesn't stay on disk.
|
|
Fixes bug 20646; bugfix on tor-0.2.0.7-alpha. Patch by fk.
|
|
|
|
o Minor bugfixes (Windows):
|
|
- Check for getpagesize before using it to mmap files. This fixes
|
|
compilation in some MinGW environments. Fixes bug 20530; bugfix on
|
|
0.1.2.1-alpha. Reported by "ice".
|
|
|
|
o Code simplification and refactoring:
|
|
- Abolish all global guard context in entrynodes.c; replace with new
|
|
guard_selection_t structure as preparation for proposal 271.
|
|
Closes ticket 19858.
|
|
- Introduce rend_service_is_ephemeral() that tells if given onion
|
|
service is ephemeral. Replace unclear NULL-checkings for service
|
|
directory with this function. Closes ticket 20526.
|
|
- Extract magic numbers in circuituse.c into defined variables.
|
|
- Refactor circuit_is_available_for_use to remove unnecessary check.
|
|
- Refactor circuit_predict_and_launch_new for readability and
|
|
testability. Closes ticket 18873.
|
|
- Refactor large if statement in purpose_needs_anonymity to use
|
|
switch statement instead. Closes part of ticket 20077.
|
|
- Refactor the hashing API to return negative values for errors, as
|
|
is done as throughout the codebase. Closes ticket 20717.
|
|
- Remove data structures that were used to index or_connection
|
|
objects by their RSA identity digests. These structures are fully
|
|
redundant with the similar structures used in the
|
|
channel abstraction.
|
|
- Remove duplicate code in the channel_write_*cell() functions.
|
|
Closes ticket 13827; patch from Pingl.
|
|
- Remove redundant behavior of is_sensitive_dir_purpose, refactor to
|
|
use only purpose_needs_anonymity. Closes part of ticket 20077.
|
|
- The code to generate and parse EXTEND and EXTEND2 cells has been
|
|
replaced with code automatically generated by the
|
|
"trunnel" utility.
|
|
|
|
o Documentation:
|
|
- Include the "TBits" unit in Tor's man page. Fixes part of bug
|
|
20622; bugfix on tor-0.2.5.1-alpha.
|
|
- Change '1' to 'weight_scale' in consensus bw weights calculation
|
|
comments, as that is reality. Closes ticket 20273. Patch
|
|
from pastly.
|
|
- Correct the value for AuthDirGuardBWGuarantee in the manpage, from
|
|
250 KBytes to 2 MBytes. Fixes bug 20435; bugfix
|
|
on tor-0.2.5.6-alpha.
|
|
- Stop the man page from incorrectly stating that HiddenServiceDir
|
|
must already exist. Fixes 20486.
|
|
- Clarify that when ClientRejectInternalAddresses is enabled (which
|
|
is the default), multicast DNS hostnames for machines on the local
|
|
network (of the form *.local) are also rejected. Closes
|
|
ticket 17070.
|
|
|
|
o Removed features:
|
|
- The AuthDirMaxServersPerAuthAddr option no longer exists: The same
|
|
limit for relays running on a single IP applies to authority IP
|
|
addresses as well as to non-authority IP addresses. Closes
|
|
ticket 20960.
|
|
- The UseDirectoryGuards torrc option no longer exists: all users
|
|
that use entry guards will also use directory guards. Related to
|
|
proposal 271; implements part of ticket 20831.
|
|
|
|
o Testing:
|
|
- New unit tests for tor_htonll(). Closes ticket 19563. Patch
|
|
from "overcaffeinated".
|
|
- Perform the coding style checks when running the tests and fail
|
|
when coding style violations are found. Closes ticket 5500.
|
|
- Add tests for networkstatus_compute_bw_weights_v10.
|
|
- Add unit tests circuit_predict_and_launch_new.
|
|
- Extract dummy_origin_circuit_new so it can be used by other
|
|
test functions.
|
|
|
|
|
|
Changes in version 0.2.8.12 - 2016-12-19
|
|
Tor 0.2.8.12 backports a fix for a medium-severity issue (bug 21018
|
|
below) where Tor clients could crash when attempting to visit a
|
|
hostile hidden service. Clients are recommended to upgrade as packages
|
|
become available for their systems.
|
|
|
|
It also includes an updated list of fallback directories, backported
|
|
from 0.2.9.
|
|
|
|
Now that the Tor 0.2.9 series is stable, only major bugfixes will be
|
|
backported to 0.2.8 in the future.
|
|
|
|
o Major bugfixes (parsing, security, backported from 0.2.9.8):
|
|
- Fix a bug in parsing that could cause clients to read a single
|
|
byte past the end of an allocated region. This bug could be used
|
|
to cause hardened clients (built with --enable-expensive-hardening)
|
|
to crash if they tried to visit a hostile hidden service. Non-
|
|
hardened clients are only affected depending on the details of
|
|
their platform's memory allocator. Fixes bug 21018; bugfix on
|
|
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
|
|
2016-12-002 and as CVE-2016-1254.
|
|
|
|
o Minor features (fallback directory list, backported from 0.2.9.8):
|
|
- Replace the 81 remaining fallbacks of the 100 originally
|
|
introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177
|
|
fallbacks (123 new, 54 existing, 27 removed) generated in December
|
|
2016. Resolves ticket 20170.
|
|
|
|
o Minor features (geoip, backported from 0.2.9.7-rc):
|
|
- Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
|
|
Changes in version 0.2.9.8 - 2016-12-19
|
|
Tor 0.2.9.8 is the first stable release of the Tor 0.2.9 series.
|
|
|
|
The Tor 0.2.9 series makes mandatory a number of security features
|
|
that were formerly optional. It includes support for a new shared-
|
|
randomness protocol that will form the basis for next generation
|
|
hidden services, includes a single-hop hidden service mode for
|
|
optimizing .onion services that don't actually want to be hidden,
|
|
tries harder not to overload the directory authorities with excessive
|
|
downloads, and supports a better protocol versioning scheme for
|
|
improved compatibility with other implementations of the Tor protocol.
|
|
|
|
And of course, there are numerous other bugfixes and improvements.
|
|
|
|
This release also includes a fix for a medium-severity issue (bug
|
|
21018 below) where Tor clients could crash when attempting to visit a
|
|
hostile hidden service. Clients are recommended to upgrade as packages
|
|
become available for their systems.
|
|
|
|
Below are the changes since 0.2.9.7-rc. For a list of all changes
|
|
since 0.2.8, see the ReleaseNotes file.
|
|
|
|
o Major bugfixes (parsing, security):
|
|
- Fix a bug in parsing that could cause clients to read a single
|
|
byte past the end of an allocated region. This bug could be used
|
|
to cause hardened clients (built with --enable-expensive-hardening)
|
|
to crash if they tried to visit a hostile hidden service. Non-
|
|
hardened clients are only affected depending on the details of
|
|
their platform's memory allocator. Fixes bug 21018; bugfix on
|
|
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
|
|
2016-12-002 and as CVE-2016-1254.
|
|
|
|
o Minor features (fallback directory list):
|
|
- Replace the 81 remaining fallbacks of the 100 originally
|
|
introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177
|
|
fallbacks (123 new, 54 existing, 27 removed) generated in December
|
|
2016. Resolves ticket 20170.
|
|
|
|
|
|
Changes in version 0.2.9.7-rc - 2016-12-12
|
|
Tor 0.2.9.7-rc fixes a few small bugs remaining in Tor 0.2.9.6-rc,
|
|
including a few that had prevented tests from passing on
|
|
some platforms.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfix (build):
|
|
- The current Git revision when building from a local repository is
|
|
now detected correctly when using git worktrees. Fixes bug 20492;
|
|
bugfix on 0.2.3.9-alpha.
|
|
|
|
o Minor bugfixes (directory authority):
|
|
- When computing old Tor protocol line version in protover, we were
|
|
looking at 0.2.7.5 twice instead of a specific case for
|
|
0.2.9.1-alpha. Fixes bug 20810; bugfix on 0.2.9.4-alpha.
|
|
|
|
o Minor bugfixes (download scheduling):
|
|
- Resolve a "bug" warning when considering a download schedule whose
|
|
delay had approached INT_MAX. Fixes 20875; bugfix on 0.2.9.5-alpha.
|
|
|
|
o Minor bugfixes (logging):
|
|
- Downgrade a harmless log message about the
|
|
pending_entry_connections list from "warn" to "info". Mitigates
|
|
bug 19926.
|
|
|
|
o Minor bugfixes (memory leak):
|
|
- Fix a small memory leak when receiving AF_UNIX connections on a
|
|
SocksPort. Fixes bug 20716; bugfix on 0.2.6.3-alpha.
|
|
- When moving a signed descriptor object from a source to an
|
|
existing destination, free the allocated memory inside that
|
|
destination object. Fixes bug 20715; bugfix on 0.2.8.3-alpha.
|
|
|
|
o Minor bugfixes (memory leak, use-after-free, linux seccomp2 sandbox):
|
|
- Fix a memory leak and use-after-free error when removing entries
|
|
from the sandbox's getaddrinfo() cache. Fixes bug 20710; bugfix on
|
|
0.2.5.5-alpha. Patch from "cypherpunks".
|
|
|
|
o Minor bugfixes (portability):
|
|
- Use the correct spelling of MAC_OS_X_VERSION_10_12 on configure.ac
|
|
Fixes bug 20935; bugfix on 0.2.9.6-rc.
|
|
|
|
o Minor bugfixes (unit tests):
|
|
- Stop expecting NetBSD unit tests to report success for ipfw. Part
|
|
of a fix for bug 19960; bugfix on 0.2.9.5-alpha.
|
|
- Fix tolerances in unit tests for monotonic time comparisons
|
|
between nanoseconds and microseconds. Previously, we accepted a 10
|
|
us difference only, which is not realistic on every platform's
|
|
clock_gettime(). Fixes bug 19974; bugfix on 0.2.9.1-alpha.
|
|
- Remove a double-free in the single onion service unit test. Stop
|
|
ignoring a return value. Make future changes less error-prone.
|
|
Fixes bug 20864; bugfix on 0.2.9.6-rc.
|
|
|
|
|
|
Changes in version 0.2.8.11 - 2016-12-08
|
|
Tor 0.2.8.11 backports fixes for additional portability issues that
|
|
could prevent Tor from building correctly on OSX Sierra, or with
|
|
OpenSSL 1.1. Affected users should upgrade; others can safely stay
|
|
with 0.2.8.10.
|
|
|
|
o Minor bugfixes (portability):
|
|
- Avoid compilation errors when building on OSX Sierra. Sierra began
|
|
to support the getentropy() and clock_gettime() APIs, but created
|
|
a few problems in doing so. Tor 0.2.9 has a more thorough set of
|
|
workarounds; in 0.2.8, we are just using the /dev/urandom and mach
|
|
monotonic time interfaces. Fixes bug 20865. Bugfix
|
|
on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (portability, backport from 0.2.9.5-alpha):
|
|
- Fix compilation with OpenSSL 1.1 and less commonly-used CPU
|
|
architectures. Closes ticket 20588.
|
|
|
|
|
|
Changes in version 0.2.8.10 - 2016-12-02
|
|
Tor 0.2.8.10 backports a fix for a bug that would sometimes make clients
|
|
unusable after they left standby mode. It also backports fixes for
|
|
a few portability issues and a small but problematic memory leak.
|
|
|
|
o Major bugfixes (client reliability, backport from 0.2.9.5-alpha):
|
|
- When Tor leaves standby because of a new application request, open
|
|
circuits as needed to serve that request. Previously, we would
|
|
potentially wait a very long time. Fixes part of bug 19969; bugfix
|
|
on 0.2.8.1-alpha.
|
|
|
|
o Major bugfixes (client performance, backport from 0.2.9.5-alpha):
|
|
- Clients now respond to new application stream requests immediately
|
|
when they arrive, rather than waiting up to one second before
|
|
starting to handle them. Fixes part of bug 19969; bugfix
|
|
on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (portability, backport from 0.2.9.6-rc):
|
|
- Work around a bug in the OSX 10.12 SDK that would prevent us from
|
|
successfully targeting earlier versions of OSX. Resolves
|
|
ticket 20235.
|
|
|
|
o Minor bugfixes (portability, backport from 0.2.9.5-alpha):
|
|
- Fix implicit conversion warnings under OpenSSL 1.1. Fixes bug
|
|
20551; bugfix on 0.2.1.1-alpha.
|
|
|
|
o Minor bugfixes (relay, backport from 0.2.9.5-alpha):
|
|
- Work around a memory leak in OpenSSL 1.1 when encoding public
|
|
keys. Fixes bug 20553; bugfix on 0.0.2pre8.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
Changes in version 0.2.9.6-rc - 2016-12-02
|
|
Tor 0.2.9.6-rc fixes a few remaining bugs found in the previous alpha
|
|
version. We hope that it will be ready to become stable soon, and we
|
|
encourage everyone to test this release. If no showstopper bugs are
|
|
found here, the next 0.2.9 release will be stable.
|
|
|
|
o Major bugfixes (relay, resolver, logging):
|
|
- For relays that don't know their own address, avoid attempting a
|
|
local hostname resolve for each descriptor we download. This
|
|
will cut down on the number of "Success: chose address 'x.x.x.x'"
|
|
log lines, and also avoid confusing clock jumps if the resolver
|
|
is slow. Fixes bugs 20423 and 20610; bugfix on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (client, fascistfirewall):
|
|
- Avoid spurious warnings when ReachableAddresses or FascistFirewall
|
|
is set. Fixes bug 20306; bugfix on 0.2.8.2-alpha.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Stop ignoring the anonymity status of saved keys for hidden
|
|
services and single onion services when first starting tor.
|
|
Instead, refuse to start tor if any hidden service key has been
|
|
used in a different hidden service anonymity mode. Fixes bug
|
|
20638; bugfix on 17178 in 0.2.9.3-alpha; reported by ahf.
|
|
|
|
o Minor bugfixes (portability):
|
|
- Work around a bug in the OSX 10.12 SDK that would prevent us from
|
|
successfully targeting earlier versions of OSX. Resolves
|
|
ticket 20235.
|
|
- Run correctly when built on Windows build environments that
|
|
require _vcsprintf(). Fixes bug 20560; bugfix on 0.2.2.11-alpha.
|
|
|
|
o Minor bugfixes (single onion services, Tor2web):
|
|
- Stop complaining about long-term one-hop circuits deliberately
|
|
created by single onion services and Tor2web. These log messages
|
|
are intended to diagnose issue 8387, which relates to circuits
|
|
hanging around forever for no reason. Fixes bug 20613; bugfix on
|
|
0.2.9.1-alpha. Reported by "pastly".
|
|
|
|
o Minor bugfixes (unit tests):
|
|
- Stop spurious failures in the local interface address discovery
|
|
unit tests. Fixes bug 20634; bugfix on 0.2.8.1-alpha; patch by
|
|
Neel Chauhan.
|
|
|
|
o Documentation:
|
|
- Correct the minimum bandwidth value in torrc.sample, and queue a
|
|
corresponding change for torrc.minimal. Closes ticket 20085.
|
|
|
|
|
|
Changes in version 0.2.9.5-alpha - 2016-11-08
|
|
Tor 0.2.9.5-alpha fixes numerous bugs discovered in the previous alpha
|
|
version. We believe one or two probably remain, and we encourage
|
|
everyone to test this release.
|
|
|
|
o Major bugfixes (client performance):
|
|
- Clients now respond to new application stream requests immediately
|
|
when they arrive, rather than waiting up to one second before
|
|
starting to handle them. Fixes part of bug 19969; bugfix
|
|
on 0.2.8.1-alpha.
|
|
|
|
o Major bugfixes (client reliability):
|
|
- When Tor leaves standby because of a new application request, open
|
|
circuits as needed to serve that request. Previously, we would
|
|
potentially wait a very long time. Fixes part of bug 19969; bugfix
|
|
on 0.2.8.1-alpha.
|
|
|
|
o Major bugfixes (download scheduling):
|
|
- When using an exponential backoff schedule, do not give up on
|
|
downloading just because we have failed a bunch of times. Since
|
|
each delay is longer than the last, retrying indefinitely won't
|
|
hurt. Fixes bug 20536; bugfix on 0.2.9.1-alpha.
|
|
- If a consensus expires while we are waiting for certificates to
|
|
download, stop waiting for certificates.
|
|
- If we stop waiting for certificates less than a minute after we
|
|
started downloading them, do not consider the certificate download
|
|
failure a separate failure. Fixes bug 20533; bugfix
|
|
on 0.2.0.9-alpha.
|
|
- Remove the maximum delay on exponential-backoff scheduling. Since
|
|
we now allow an infinite number of failures (see ticket 20536), we
|
|
must now allow the time to grow longer on each failure. Fixes part
|
|
of bug 20534; bugfix on 0.2.9.1-alpha.
|
|
- Make our initial download delays closer to those from 0.2.8. Fixes
|
|
another part of bug 20534; bugfix on 0.2.9.1-alpha.
|
|
- When determining when to download a directory object, handle times
|
|
after 2038 if the operating system supports them. (Someday this
|
|
will be important!) Fixes bug 20587; bugfix on 0.2.8.1-alpha.
|
|
- When using exponential backoff in test networks, use a lower
|
|
exponent, so the delays do not vary as much. This helps test
|
|
networks bootstrap consistently. Fixes bug 20597; bugfix on 20499.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (client directory scheduling):
|
|
- Treat "relay too busy to answer request" as a failed request and a
|
|
reason to back off on our retry frequency. This is safe now that
|
|
exponential backoffs retry indefinitely, and avoids a bug where we
|
|
would reset our download schedule erroneously. Fixes bug 20593;
|
|
bugfix on 0.2.9.1-alpha.
|
|
|
|
o Minor bugfixes (client, logging):
|
|
- Remove a BUG warning in circuit_pick_extend_handshake(). Instead,
|
|
assume all nodes support EXTEND2. Use ntor whenever a key is
|
|
available. Fixes bug 20472; bugfix on 0.2.9.3-alpha.
|
|
- On DNSPort, stop logging a BUG warning on a failed hostname
|
|
lookup. Fixes bug 19869; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- When configuring hidden services, check every hidden service
|
|
directory's permissions. Previously, we only checked the last
|
|
hidden service. Fixes bug 20529; bugfix the work to fix 13942
|
|
in 0.2.6.2-alpha.
|
|
|
|
o Minor bugfixes (portability):
|
|
- Fix compilation with OpenSSL 1.1 and less commonly-used CPU
|
|
architectures. Closes ticket 20588.
|
|
- Use ECDHE ciphers instead of ECDH in tortls tests. LibreSSL has
|
|
removed the ECDH ciphers which caused the tests to fail on
|
|
platforms which use it. Fixes bug 20460; bugfix on 0.2.8.1-alpha.
|
|
- Fix implicit conversion warnings under OpenSSL 1.1. Fixes bug
|
|
20551; bugfix on 0.2.1.1-alpha.
|
|
|
|
o Minor bugfixes (relay bootstrap):
|
|
- Ensure relays don't make multiple connections during bootstrap.
|
|
Fixes bug 20591; bugfix on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (relay):
|
|
- Work around a memory leak in OpenSSL 1.1 when encoding public
|
|
keys. Fixes bug 20553; bugfix on 0.0.2pre8.
|
|
- Avoid a small memory leak when informing worker threads about
|
|
rotated onion keys. Fixes bug 20401; bugfix on 0.2.6.3-alpha.
|
|
- Do not try to parallelize workers more than 16x without the user
|
|
explicitly configuring us to do so, even if we do detect more than
|
|
16 CPU cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha.
|
|
|
|
o Minor bugfixes (single onion services):
|
|
- Start correctly when creating a single onion service in a
|
|
directory that did not previously exist. Fixes bug 20484; bugfix
|
|
on 0.2.9.3-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Avoid a unit test failure on systems with over 16 detectable CPU
|
|
cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha.
|
|
|
|
o Documentation:
|
|
- Clarify that setting HiddenServiceNonAnonymousMode requires you to
|
|
also set "SOCKSPort 0". Fixes bug 20487; bugfix on 0.2.9.3-alpha.
|
|
- Module-level documentation for several more modules. Closes
|
|
tickets 19287 and 19290.
|
|
|
|
|
|
Changes in version 0.2.8.9 - 2016-10-17
|
|
Tor 0.2.8.9 backports a fix for a security hole in previous versions
|
|
of Tor that would allow a remote attacker to crash a Tor client,
|
|
hidden service, relay, or authority. All Tor users should upgrade to
|
|
this version, or to 0.2.9.4-alpha. Patches will be released for older
|
|
versions of Tor.
|
|
|
|
o Major features (security fixes, also in 0.2.9.4-alpha):
|
|
- Prevent a class of security bugs caused by treating the contents
|
|
of a buffer chunk as if they were a NUL-terminated string. At
|
|
least one such bug seems to be present in all currently used
|
|
versions of Tor, and would allow an attacker to remotely crash
|
|
most Tor instances, especially those compiled with extra compiler
|
|
hardening. With this defense in place, such bugs can't crash Tor,
|
|
though we should still fix them as they occur. Closes ticket
|
|
20384 (TROVE-2016-10-001).
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
|
|
Changes in version 0.2.9.4-alpha - 2016-10-17
|
|
Tor 0.2.9.4-alpha fixes a security hole in previous versions of Tor
|
|
that would allow a remote attacker to crash a Tor client, hidden
|
|
service, relay, or authority. All Tor users should upgrade to this
|
|
version, or to 0.2.8.9. Patches will be released for older versions
|
|
of Tor.
|
|
|
|
Tor 0.2.9.4-alpha also adds numerous small features and fix-ups to
|
|
previous versions of Tor, including the implementation of a feature to
|
|
future- proof the Tor ecosystem against protocol changes, some bug
|
|
fixes necessary for Tor Browser to use unix domain sockets correctly,
|
|
and several portability improvements. We anticipate that this will be
|
|
the last alpha in the Tor 0.2.9 series, and that the next release will
|
|
be a release candidate.
|
|
|
|
o Major features (security fixes):
|
|
- Prevent a class of security bugs caused by treating the contents
|
|
of a buffer chunk as if they were a NUL-terminated string. At
|
|
least one such bug seems to be present in all currently used
|
|
versions of Tor, and would allow an attacker to remotely crash
|
|
most Tor instances, especially those compiled with extra compiler
|
|
hardening. With this defense in place, such bugs can't crash Tor,
|
|
though we should still fix them as they occur. Closes ticket
|
|
20384 (TROVE-2016-10-001).
|
|
|
|
o Major features (subprotocol versions):
|
|
- Tor directory authorities now vote on a set of recommended
|
|
subprotocol versions, and on a set of required subprotocol
|
|
versions. Clients and relays that lack support for a _required_
|
|
subprotocol version will not start; those that lack support for a
|
|
_recommended_ subprotocol version will warn the user to upgrade.
|
|
Closes ticket 19958; implements part of proposal 264.
|
|
- Tor now uses "subprotocol versions" to indicate compatibility.
|
|
Previously, versions of Tor looked at the declared Tor version of
|
|
a relay to tell whether they could use a given feature. Now, they
|
|
should be able to rely on its declared subprotocol versions. This
|
|
change allows compatible implementations of the Tor protocol(s) to
|
|
exist without pretending to be 100% bug-compatible with particular
|
|
releases of Tor itself. Closes ticket 19958; implements part of
|
|
proposal 264.
|
|
|
|
o Minor feature (fallback directories):
|
|
- Remove broken fallbacks from the hard-coded fallback directory
|
|
list. Closes ticket 20190; patch by teor.
|
|
|
|
o Minor features (client, directory):
|
|
- Since authorities now omit all routers that lack the Running and
|
|
Valid flags, we assume that any relay listed in the consensus must
|
|
have those flags. Closes ticket 20001; implements part of
|
|
proposal 272.
|
|
|
|
o Minor features (compilation, portability):
|
|
- Compile correctly on MacOS 10.12 (aka "Sierra"). Closes
|
|
ticket 20241.
|
|
|
|
o Minor features (development tools, etags):
|
|
- Teach the "make tags" Makefile target how to correctly find
|
|
"MOCK_IMPL" function definitions. Patch from nherring; closes
|
|
ticket 16869.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (unix domain sockets):
|
|
- When configuring a unix domain socket for a SocksPort,
|
|
ControlPort, or Hidden service, you can now wrap the address in
|
|
quotes, using C-style escapes inside the quotes. This allows unix
|
|
domain socket paths to contain spaces.
|
|
|
|
o Minor features (virtual addresses):
|
|
- Increase the maximum number of bits for the IPv6 virtual network
|
|
prefix from 16 to 104. In this way, the condition for address
|
|
allocation is less restrictive. Closes ticket 20151; feature
|
|
on 0.2.4.7-alpha.
|
|
|
|
o Minor bugfixes (address discovery):
|
|
- Stop reordering IP addresses returned by the OS. This makes it
|
|
more likely that Tor will guess the same relay IP address every
|
|
time. Fixes issue 20163; bugfix on 0.2.7.1-alpha, ticket 17027.
|
|
Reported by René Mayrhofer, patch by "cypherpunks".
|
|
|
|
o Minor bugfixes (client, unix domain sockets):
|
|
- Disable IsolateClientAddr when using AF_UNIX backed SocksPorts as
|
|
the client address is meaningless. Fixes bug 20261; bugfix
|
|
on 0.2.6.3-alpha.
|
|
|
|
o Minor bugfixes (compilation, OpenBSD):
|
|
- Detect Libevent2 functions correctly on systems that provide
|
|
libevent2, but where libevent1 is linked with -levent. Fixes bug
|
|
19904; bugfix on 0.2.2.24-alpha. Patch from Rubiate.
|
|
|
|
o Minor bugfixes (configuration):
|
|
- When parsing quoted configuration values from the torrc file,
|
|
handle windows line endings correctly. Fixes bug 19167; bugfix on
|
|
0.2.0.16-alpha. Patch from "Pingl".
|
|
|
|
o Minor bugfixes (getpass):
|
|
- Defensively fix a non-triggerable heap corruption at do_getpass()
|
|
to protect ourselves from mistakes in the future. Fixes bug
|
|
19223; bugfix on 0.2.7.3-rc. Bug found by Guido Vranken, patch
|
|
by nherring.
|
|
|
|
o Minor bugfixes (hidden service):
|
|
- Allow hidden services to run on IPv6 addresses even when the
|
|
IPv6Exit option is not set. Fixes bug 18357; bugfix
|
|
on 0.2.4.7-alpha.
|
|
|
|
o Documentation:
|
|
- Add module-level internal documentation for 36 C files that
|
|
previously didn't have a high-level overview. Closes ticket #20385.
|
|
|
|
o Required libraries:
|
|
- When building with OpenSSL, Tor now requires version 1.0.1 or
|
|
later. OpenSSL 1.0.0 and earlier are no longer supported by the
|
|
OpenSSL team, and should not be used. Closes ticket 20303.
|
|
|
|
|
|
Changes in version 0.2.9.3-alpha - 2016-09-23
|
|
Tor 0.2.9.3-alpha adds improved support for entities that want to make
|
|
high-performance services available through the Tor .onion mechanism
|
|
without themselves receiving anonymity as they host those services. It
|
|
also tries harder to ensure that all steps on a circuit are using the
|
|
strongest crypto possible, strengthens some TLS properties, and
|
|
resolves several bugs -- including a pair of crash bugs from the 0.2.8
|
|
series. Anybody running an earlier version of 0.2.9.x should upgrade.
|
|
|
|
o Major bugfixes (crash, also in 0.2.8.8):
|
|
- Fix a complicated crash bug that could affect Tor clients
|
|
configured to use bridges when replacing a networkstatus consensus
|
|
in which one of their bridges was mentioned. OpenBSD users saw
|
|
more crashes here, but all platforms were potentially affected.
|
|
Fixes bug 20103; bugfix on 0.2.8.2-alpha.
|
|
|
|
o Major bugfixes (relay, OOM handler, also in 0.2.8.8):
|
|
- Fix a timing-dependent assertion failure that could occur when we
|
|
tried to flush from a circuit after having freed its cells because
|
|
of an out-of-memory condition. Fixes bug 20203; bugfix on
|
|
0.2.8.1-alpha. Thanks to "cypherpunks" for help diagnosing
|
|
this one.
|
|
|
|
o Major features (circuit building, security):
|
|
- Authorities, relays and clients now require ntor keys in all
|
|
descriptors, for all hops (except for rare hidden service protocol
|
|
cases), for all circuits, and for all other roles. Part of
|
|
ticket 19163.
|
|
- Tor authorities, relays, and clients only use ntor, except for
|
|
rare cases in the hidden service protocol. Part of ticket 19163.
|
|
|
|
o Major features (single-hop "hidden" services):
|
|
- Add experimental HiddenServiceSingleHopMode and
|
|
HiddenServiceNonAnonymousMode options. When both are set to 1,
|
|
every hidden service on a Tor instance becomes a non-anonymous
|
|
Single Onion Service. Single Onions make one-hop (direct)
|
|
connections to their introduction and renzedvous points. One-hop
|
|
circuits make Single Onion servers easily locatable, but clients
|
|
remain location-anonymous. This is compatible with the existing
|
|
hidden service implementation, and works on the current tor
|
|
network without any changes to older relays or clients. Implements
|
|
proposal 260, completes ticket 17178. Patch by teor and asn.
|
|
|
|
o Major features (resource management):
|
|
- Tor can now notice it is about to run out of sockets, and
|
|
preemptively close connections of lower priority. (This feature is
|
|
off by default for now, since the current prioritizing method is
|
|
yet not mature enough. You can enable it by setting
|
|
"DisableOOSCheck 0", but watch out: it might close some sockets
|
|
you would rather have it keep.) Closes ticket 18640.
|
|
|
|
o Major bugfixes (circuit building):
|
|
- Hidden service client-to-intro-point and service-to-rendezvous-
|
|
point circuits use the TAP key supplied by the protocol, to avoid
|
|
epistemic attacks. Fixes bug 19163; bugfix on 0.2.4.18-rc.
|
|
|
|
o Major bugfixes (compilation, OpenBSD):
|
|
- Fix a Libevent-detection bug in our autoconf script that would
|
|
prevent Tor from linking successfully on OpenBSD. Patch from
|
|
rubiate. Fixes bug 19902; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Major bugfixes (hidden services):
|
|
- Clients now require hidden services to include the TAP keys for
|
|
their intro points in the hidden service descriptor. This prevents
|
|
an inadvertent upgrade to ntor, which a malicious hidden service
|
|
could use to distinguish clients by consensus version. Fixes bug
|
|
20012; bugfix on 0.2.4.8-alpha. Patch by teor.
|
|
|
|
o Minor features (security, TLS):
|
|
- Servers no longer support clients that without AES ciphersuites.
|
|
(3DES is no longer considered an acceptable cipher.) We believe
|
|
that no such Tor clients currently exist, since Tor has required
|
|
OpenSSL 0.9.7 or later since 2009. Closes ticket 19998.
|
|
|
|
o Minor feature (fallback directories):
|
|
- Remove 8 fallbacks that are no longer suitable, leaving 81 of the
|
|
100 fallbacks originally introduced in Tor 0.2.8.2-alpha in March
|
|
2016. Closes ticket 20190; patch by teor.
|
|
|
|
o Minor features (geoip, also in 0.2.8.8):
|
|
- Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor feature (port flags):
|
|
- Add new flags to the *Port options to finer control over which
|
|
requests are allowed. The flags are NoDNSRequest, NoOnionTraffic,
|
|
and the synthetic flag OnionTrafficOnly, which is equivalent to
|
|
NoDNSRequest, NoIPv4Traffic, and NoIPv6Traffic. Closes enhancement
|
|
18693; patch by "teor".
|
|
|
|
o Minor features (directory authority):
|
|
- After voting, if the authorities decide that a relay is not
|
|
"Valid", they no longer include it in the consensus at all. Closes
|
|
ticket 20002; implements part of proposal 272.
|
|
|
|
o Minor features (testing):
|
|
- Disable memory protections on OpenBSD when performing our unit
|
|
tests for memwipe(). The test deliberately invokes undefined
|
|
behavior, and the OpenBSD protections interfere with this. Patch
|
|
from "rubiate". Closes ticket 20066.
|
|
|
|
o Minor features (testing, ipv6):
|
|
- Add the single-onion and single-onion-ipv6 chutney targets to
|
|
"make test-network-all". This requires a recent chutney version
|
|
with the single onion network flavours (git c72a652 or later).
|
|
Closes ticket 20072; patch by teor.
|
|
- Add the hs-ipv6 chutney target to make test-network-all's IPv6
|
|
tests. Remove bridges+hs, as it's somewhat redundant. This
|
|
requires a recent chutney version that supports IPv6 clients,
|
|
relays, and authorities. Closes ticket 20069; patch by teor.
|
|
|
|
o Minor features (Tor2web):
|
|
- Make Tor2web clients respect ReachableAddresses. This feature was
|
|
inadvertently enabled in 0.2.8.6, then removed by bugfix 19973 on
|
|
0.2.8.7. Implements feature 20034. Patch by teor.
|
|
|
|
o Minor features (unit tests):
|
|
- We've done significant work to make the unit tests run faster.
|
|
- Our link-handshake unit tests now check that when invalid
|
|
handshakes fail, they fail with the error messages we expected.
|
|
- Our unit testing code that captures log messages no longer
|
|
prevents them from being written out if the user asked for them
|
|
(by passing --debug or --info or or --notice --warn to the "test"
|
|
binary). This change prevents us from missing unexpected log
|
|
messages simply because we were looking for others. Related to
|
|
ticket 19999.
|
|
- The unit tests now log all warning messages with the "BUG" flag.
|
|
Previously, they only logged errors by default. This change will
|
|
help us make our testing code more correct, and make sure that we
|
|
only hit this code when we mean to. In the meantime, however,
|
|
there will be more warnings in the unit test logs than before.
|
|
This is preparatory work for ticket 19999.
|
|
- The unit tests now treat any failure of a "tor_assert_nonfatal()"
|
|
assertion as a test failure.
|
|
|
|
o Minor bug fixes (circuits):
|
|
- Use the CircuitBuildTimeout option whenever
|
|
LearnCircuitBuildTimeout is disabled. Previously, we would respect
|
|
the option when a user disabled it, but not when it was disabled
|
|
because some other option was set. Fixes bug 20073; bugfix on
|
|
0.2.4.12-alpha. Patch by teor.
|
|
|
|
o Minor bugfixes (allocation):
|
|
- Change how we allocate memory for large chunks on buffers, to
|
|
avoid a (currently impossible) integer overflow, and to waste less
|
|
space when allocating unusually large chunks. Fixes bug 20081;
|
|
bugfix on 0.2.0.16-alpha. Issue identified by Guido Vranken.
|
|
- Always include orconfig.h before including any other C headers.
|
|
Sometimes, it includes macros that affect the behavior of the
|
|
standard headers. Fixes bug 19767; bugfix on 0.2.9.1-alpha (the
|
|
first version to use AC_USE_SYSTEM_EXTENSIONS).
|
|
- Fix a syntax error in the IF_BUG_ONCE__() macro in non-GCC-
|
|
compatible compilers. Fixes bug 20141; bugfix on 0.2.9.1-alpha.
|
|
Patch from Gisle Vanem.
|
|
- Stop trying to build with Clang 4.0's -Wthread-safety warnings.
|
|
They apparently require a set of annotations that we aren't
|
|
currently using, and they create false positives in our pthreads
|
|
wrappers. Fixes bug 20110; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Minor bugfixes (directory authority):
|
|
- Die with a more useful error when the operator forgets to place
|
|
the authority_signing_key file into the keys directory. This
|
|
avoids an uninformative assert & traceback about having an invalid
|
|
key. Fixes bug 20065; bugfix on 0.2.0.1-alpha.
|
|
- When allowing private addresses, mark Exits that only exit to
|
|
private locations as such. Fixes bug 20064; bugfix
|
|
on 0.2.2.9-alpha.
|
|
|
|
o Minor bugfixes (documentation):
|
|
- Document the default PathsNeededToBuildCircuits value that's used
|
|
by clients when the directory authorities don't set
|
|
min_paths_for_circs_pct. Fixes bug 20117; bugfix on 02c320916e02
|
|
in 0.2.4.10-alpha. Patch by teor, reported by Jesse V.
|
|
- Fix manual for the User option: it takes a username, not a UID.
|
|
Fixes bug 19122; bugfix on 0.0.2pre16 (the first version to have
|
|
a manpage!).
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Stop logging intro point details to the client log on certain
|
|
error conditions. Fixed as part of bug 20012; bugfix on
|
|
0.2.4.8-alpha. Patch by teor.
|
|
|
|
o Minor bugfixes (IPv6, testing):
|
|
- Check for IPv6 correctly on Linux when running test networks.
|
|
Fixes bug 19905; bugfix on 0.2.7.3-rc; patch by teor.
|
|
|
|
o Minor bugfixes (Linux seccomp2 sandbox):
|
|
- Add permission to run the sched_yield() and sigaltstack() system
|
|
calls, in order to support versions of Tor compiled with asan or
|
|
ubsan code that use these calls. Now "sandbox 1" and
|
|
"--enable-expensive-hardening" should be compatible on more
|
|
systems. Fixes bug 20063; bugfix on 0.2.5.1-alpha.
|
|
|
|
o Minor bugfixes (logging):
|
|
- When logging a message from the BUG() macro, be explicit about
|
|
what we were asserting. Previously we were confusing what we were
|
|
asserting with what the bug was. Fixes bug 20093; bugfix
|
|
on 0.2.9.1-alpha.
|
|
- When we are unable to remove the bw_accounting file, do not warn
|
|
if the reason we couldn't remove it was that it didn't exist.
|
|
Fixes bug 19964; bugfix on 0.2.5.4-alpha. Patch from 'pastly'.
|
|
|
|
o Minor bugfixes (option parsing):
|
|
- Count unix sockets when counting client listeners (SOCKS, Trans,
|
|
NATD, and DNS). This has no user-visible behaviour changes: these
|
|
options are set once, and never read. Required for correct
|
|
behaviour in ticket 17178. Fixes bug 19677; bugfix on
|
|
0.2.6.3-alpha. Patch by teor.
|
|
|
|
o Minor bugfixes (options):
|
|
- Check the consistency of UseEntryGuards and EntryNodes more
|
|
reliably. Fixes bug 20074; bugfix on 0.2.4.12-alpha. Patch
|
|
by teor.
|
|
- Stop changing the configured value of UseEntryGuards on
|
|
authorities and Tor2web clients. Fixes bug 20074; bugfix on
|
|
commits 51fc6799 in 0.1.1.16-rc and acda1735 in 0.2.4.3-alpha.
|
|
Patch by teor.
|
|
|
|
o Minor bugfixes (Tor2web):
|
|
- Prevent Tor2web clients running hidden services, these services
|
|
are not anonymous due to the one-hop client paths. Fixes bug
|
|
19678. Patch by teor.
|
|
|
|
o Minor bugfixes (unit tests):
|
|
- Fix a shared-random unit test that was failing on big endian
|
|
architectures due to internal representation of a integer copied
|
|
to a buffer. The test is changed to take a full 32 bytes of data
|
|
and use the output of a python script that make the COMMIT and
|
|
REVEAL calculation according to the spec. Fixes bug 19977; bugfix
|
|
on 0.2.9.1-alpha.
|
|
- The tor_tls_server_info_callback unit test no longer crashes when
|
|
debug-level logging is turned on. Fixes bug 20041; bugfix
|
|
on 0.2.8.1-alpha.
|
|
|
|
|
|
Changes in version 0.2.8.8 - 2016-09-23
|
|
Tor 0.2.8.8 fixes two crash bugs present in previous versions of the
|
|
0.2.8.x series. Relays running 0.2.8.x should upgrade, as should users
|
|
who select public relays as their bridges.
|
|
|
|
o Major bugfixes (crash):
|
|
- Fix a complicated crash bug that could affect Tor clients
|
|
configured to use bridges when replacing a networkstatus consensus
|
|
in which one of their bridges was mentioned. OpenBSD users saw
|
|
more crashes here, but all platforms were potentially affected.
|
|
Fixes bug 20103; bugfix on 0.2.8.2-alpha.
|
|
|
|
o Major bugfixes (relay, OOM handler):
|
|
- Fix a timing-dependent assertion failure that could occur when we
|
|
tried to flush from a circuit after having freed its cells because
|
|
of an out-of-memory condition. Fixes bug 20203; bugfix on
|
|
0.2.8.1-alpha. Thanks to "cypherpunks" for help diagnosing
|
|
this one.
|
|
|
|
o Minor feature (fallback directories):
|
|
- Remove 8 fallbacks that are no longer suitable, leaving 81 of the
|
|
100 fallbacks originally introduced in Tor 0.2.8.2-alpha in March
|
|
2016. Closes ticket 20190; patch by teor.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
|
|
Changes in version 0.2.9.2-alpha - 2016-08-24
|
|
Tor 0.2.9.2-alpha continues development of the 0.2.9 series with
|
|
several new features and bugfixes. It also includes an important
|
|
authority update and an important bugfix from 0.2.8.7. Everyone who
|
|
sets the ReachableAddresses option, and all bridges, are strongly
|
|
encouraged to upgrade to 0.2.8.7, or to 0.2.9.2-alpha.
|
|
|
|
o Directory authority changes (also in 0.2.8.7):
|
|
- The "Tonga" bridge authority has been retired; the new bridge
|
|
authority is "Bifroest". Closes tickets 19728 and 19690.
|
|
|
|
o Major bugfixes (client, security, also in 0.2.8.7):
|
|
- Only use the ReachableAddresses option to restrict the first hop
|
|
in a path. In earlier versions of 0.2.8.x, it would apply to
|
|
every hop in the path, with a possible degradation in anonymity
|
|
for anyone using an uncommon ReachableAddress setting. Fixes bug
|
|
19973; bugfix on 0.2.8.2-alpha.
|
|
|
|
o Major features (user interface):
|
|
- Tor now supports the ability to declare options deprecated, so
|
|
that we can recommend that people stop using them. Previously,
|
|
this was done in an ad-hoc way. Closes ticket 19820.
|
|
|
|
o Major bugfixes (directory downloads):
|
|
- Avoid resetting download status for consensuses hourly, since we
|
|
already have another, smarter retry mechanism. Fixes bug 8625;
|
|
bugfix on 0.2.0.9-alpha.
|
|
|
|
o Minor features (config):
|
|
- Warn users when descriptor and port addresses are inconsistent.
|
|
Mitigates bug 13953; patch by teor.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (user interface):
|
|
- There is a new --list-deprecated-options command-line option to
|
|
list all of the deprecated options. Implemented as part of
|
|
ticket 19820.
|
|
|
|
o Minor bugfixes (code style):
|
|
- Fix an integer signedness conversion issue in the case conversion
|
|
tables. Fixes bug 19168; bugfix on 0.2.1.11-alpha.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Build correctly on versions of libevent2 without support for
|
|
evutil_secure_rng_add_bytes(). Fixes bug 19904; bugfix
|
|
on 0.2.5.4-alpha.
|
|
- Fix a compilation warning on GCC versions before 4.6. Our
|
|
ENABLE_GCC_WARNING macro used the word "warning" as an argument,
|
|
when it is also required as an argument to the compiler pragma.
|
|
Fixes bug 19901; bugfix on 0.2.9.1-alpha.
|
|
|
|
o Minor bugfixes (compilation, also in 0.2.8.7):
|
|
- Remove an inappropriate "inline" in tortls.c that was causing
|
|
warnings on older versions of GCC. Fixes bug 19903; bugfix
|
|
on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (fallback directories, also in 0.2.8.7):
|
|
- Avoid logging a NULL string pointer when loading fallback
|
|
directory information. Fixes bug 19947; bugfix on 0.2.4.7-alpha
|
|
and 0.2.8.1-alpha. Report and patch by "rubiate".
|
|
|
|
o Minor bugfixes (logging):
|
|
- Log a more accurate message when we fail to dump a microdescriptor.
|
|
Fixes bug 17758; bugfix on 0.2.2.8-alpha. Patch from Daniel Pinto.
|
|
|
|
o Minor bugfixes (memory leak):
|
|
- Fix a series of slow memory leaks related to parsing torrc files
|
|
and options. Fixes bug 19466; bugfix on 0.2.1.6-alpha.
|
|
|
|
o Deprecated features:
|
|
- A number of DNS-cache-related sub-options for client ports are now
|
|
deprecated for security reasons, and may be removed in a future
|
|
version of Tor. (We believe that client-side DNS caching is a bad
|
|
idea for anonymity, and you should not turn it on.) The options
|
|
are: CacheDNS, CacheIPv4DNS, CacheIPv6DNS, UseDNSCache,
|
|
UseIPv4Cache, and UseIPv6Cache.
|
|
- A number of options are deprecated for security reasons, and may
|
|
be removed in a future version of Tor. The options are:
|
|
AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
|
|
AllowSingleHopExits, ClientDNSRejectInternalAddresses,
|
|
CloseHSClientCircuitsImmediatelyOnTimeout,
|
|
CloseHSServiceRendCircuitsImmediatelyOnTimeout,
|
|
ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
|
|
UseNTorHandshake, and WarnUnsafeSocks.
|
|
- The *ListenAddress options are now deprecated as unnecessary: the
|
|
corresponding *Port options should be used instead. These options
|
|
may someday be removed. The affected options are:
|
|
ControlListenAddress, DNSListenAddress, DirListenAddress,
|
|
NATDListenAddress, ORListenAddress, SocksListenAddress,
|
|
and TransListenAddress.
|
|
|
|
o Documentation:
|
|
- Correct the IPv6 syntax in our documentation for the
|
|
VirtualAddrNetworkIPv6 torrc option. Closes ticket 19743.
|
|
|
|
o Removed code:
|
|
- We no longer include the (dead, deprecated) bufferevent code in
|
|
Tor. Closes ticket 19450. Based on a patch from U+039b.
|
|
|
|
|
|
Changes in version 0.2.8.7 - 2016-08-24
|
|
Tor 0.2.8.7 fixes an important bug related to the ReachableAddresses
|
|
option in 0.2.8.6, and replaces a retiring bridge authority. Everyone
|
|
who sets the ReachableAddresses option, and all bridges, are strongly
|
|
encouraged to upgrade.
|
|
|
|
o Directory authority changes:
|
|
- The "Tonga" bridge authority has been retired; the new bridge
|
|
authority is "Bifroest". Closes tickets 19728 and 19690.
|
|
|
|
o Major bugfixes (client, security):
|
|
- Only use the ReachableAddresses option to restrict the first hop
|
|
in a path. In earlier versions of 0.2.8.x, it would apply to
|
|
every hop in the path, with a possible degradation in anonymity
|
|
for anyone using an uncommon ReachableAddress setting. Fixes bug
|
|
19973; bugfix on 0.2.8.2-alpha.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Remove an inappropriate "inline" in tortls.c that was causing
|
|
warnings on older versions of GCC. Fixes bug 19903; bugfix
|
|
on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (fallback directories):
|
|
- Avoid logging a NULL string pointer when loading fallback
|
|
directory information. Fixes bug 19947; bugfix on 0.2.4.7-alpha
|
|
and 0.2.8.1-alpha. Report and patch by "rubiate".
|
|
|
|
|
|
Changes in version 0.2.9.1-alpha - 2016-08-08
|
|
Tor 0.2.9.1-alpha is the first alpha release in the 0.2.9 development
|
|
series. It improves our support for hardened builds and compiler
|
|
warnings, deploys some critical infrastructure for improvements to
|
|
hidden services, includes a new timing backend that we hope to use for
|
|
better support for traffic padding, makes it easier for programmers to
|
|
log unexpected events, and contains other small improvements to
|
|
security, correctness, and performance.
|
|
|
|
Below are the changes since 0.2.8.6.
|
|
|
|
o New system requirements:
|
|
- Tor now requires Libevent version 2.0.10-stable or later. Older
|
|
versions of Libevent have less efficient backends for several
|
|
platforms, and lack the DNS code that we use for our server-side
|
|
DNS support. This implements ticket 19554.
|
|
- Tor now requires zlib version 1.2 or later, for security,
|
|
efficiency, and (eventually) gzip support. (Back when we started,
|
|
zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was
|
|
released in 2003. We recommend the latest version.)
|
|
|
|
o Major features (build, hardening):
|
|
- Tor now builds with -ftrapv by default on compilers that support
|
|
it. This option detects signed integer overflow (which C forbids),
|
|
and turns it into a hard-failure. We do not apply this option to
|
|
code that needs to run in constant time to avoid side-channels;
|
|
instead, we use -fwrapv in that code. Closes ticket 17983.
|
|
- When --enable-expensive-hardening is selected, stop applying the
|
|
clang/gcc sanitizers to code that needs to run in constant time.
|
|
Although we are aware of no introduced side-channels, we are not
|
|
able to prove that there are none. Related to ticket 17983.
|
|
|
|
o Major features (compilation):
|
|
- Our big list of extra GCC warnings is now enabled by default when
|
|
building with GCC (or with anything like Clang that claims to be
|
|
GCC-compatible). To make all warnings into fatal compilation
|
|
errors, pass --enable-fatal-warnings to configure. Closes
|
|
ticket 19044.
|
|
- Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS to automatically
|
|
turn on C and POSIX extensions. (Previously, we attempted to do
|
|
this on an ad hoc basis.) Closes ticket 19139.
|
|
|
|
o Major features (directory authorities, hidden services):
|
|
- Directory authorities can now perform the shared randomness
|
|
protocol specified by proposal 250. Using this protocol, directory
|
|
authorities generate a global fresh random value every day. In the
|
|
future, this value will be used by hidden services to select
|
|
HSDirs. This release implements the directory authority feature;
|
|
the hidden service side will be implemented in the future as part
|
|
of proposal 224. Resolves ticket 16943; implements proposal 250.
|
|
|
|
o Major features (downloading, random exponential backoff):
|
|
- When we fail to download an object from a directory service, wait
|
|
for an (exponentially increasing) randomized amount of time before
|
|
retrying, rather than a fixed interval as we did before. This
|
|
prevents a group of Tor instances from becoming too synchronized,
|
|
or a single Tor instance from becoming too predictable, in its
|
|
download schedule. Closes ticket 15942.
|
|
|
|
o Major bugfixes (exit policies):
|
|
- Avoid disclosing exit outbound bind addresses, configured port
|
|
bind addresses, and local interface addresses in relay descriptors
|
|
by default under ExitPolicyRejectPrivate. Instead, only reject
|
|
these (otherwise unlisted) addresses if
|
|
ExitPolicyRejectLocalInterfaces is set. Fixes bug 18456; bugfix on
|
|
0.2.7.2-alpha. Patch by teor.
|
|
|
|
o Major bugfixes (hidden service client):
|
|
- Allow Tor clients with appropriate controllers to work with
|
|
FetchHidServDescriptors set to 0. Previously, this option also
|
|
disabled descriptor cache lookup, thus breaking hidden services
|
|
entirely. Fixes bug 18704; bugfix on 0.2.0.20-rc. Patch by "twim".
|
|
|
|
o Minor features (build, hardening):
|
|
- Detect and work around a libclang_rt problem that would prevent
|
|
clang from finding __mulodi4() on some 32-bit platforms, and thus
|
|
keep -ftrapv from linking on those systems. Closes ticket 19079.
|
|
- When building on a system without runtime support for the runtime
|
|
hardening options, try to log a useful warning at configuration
|
|
time, rather than an incomprehensible warning at link time. If
|
|
expensive hardening was requested, this warning becomes an error.
|
|
Closes ticket 18895.
|
|
|
|
o Minor features (code safety):
|
|
- In our integer-parsing functions, ensure that maxiumum value we
|
|
give is no smaller than the minimum value. Closes ticket 19063;
|
|
patch from U+039b.
|
|
|
|
o Minor features (controller):
|
|
- Implement new GETINFO queries for all downloads that use
|
|
download_status_t to schedule retries. This allows controllers to
|
|
examine the schedule for pending downloads. Closes ticket 19323.
|
|
- Allow controllers to configure basic client authorization on
|
|
hidden services when they create them with the ADD_ONION control
|
|
command. Implements ticket 15588. Patch by "special".
|
|
- Fire a STATUS_SERVER controller event whenever the hibernation
|
|
status changes between "awake"/"soft"/"hard". Closes ticket 18685.
|
|
|
|
o Minor features (directory authority):
|
|
- Directory authorities now only give the Guard flag to a relay if
|
|
they are also giving it the Stable flag. This change allows us to
|
|
simplify path selection for clients. It should have minimal effect
|
|
in practice, since >99% of Guards already have the Stable flag.
|
|
Implements ticket 18624.
|
|
- Directory authorities now write their v3-status-votes file out to
|
|
disk earlier in the consensus process, so we have a record of the
|
|
votes even if we abort the consensus process. Resolves
|
|
ticket 19036.
|
|
|
|
o Minor features (hidden service):
|
|
- Stop being so strict about the payload length of "rendezvous1"
|
|
cells. We used to be locked in to the "TAP" handshake length, and
|
|
now we can handle better handshakes like "ntor". Resolves
|
|
ticket 18998.
|
|
|
|
o Minor features (infrastructure, time):
|
|
- Tor now uses the operating system's monotonic timers (where
|
|
available) for internal fine-grained timing. Previously we would
|
|
look at the system clock, and then attempt to compensate for the
|
|
clock running backwards. Closes ticket 18908.
|
|
- Tor now includes an improved timer backend, so that we can
|
|
efficiently support tens or hundreds of thousands of concurrent
|
|
timers, as will be needed for some of our planned anti-traffic-
|
|
analysis work. This code is based on William Ahern's "timeout.c"
|
|
project, which implements a "tickless hierarchical timing wheel".
|
|
Closes ticket 18365.
|
|
|
|
o Minor features (logging):
|
|
- Provide a more useful warning message when configured with an
|
|
invalid Nickname. Closes ticket 18300; patch from "icanhasaccount".
|
|
- When dumping unparseable router descriptors, optionally store them
|
|
in separate files, named by digest, up to a configurable size
|
|
limit. You can change the size limit by setting the
|
|
MaxUnparseableDescSizeToLog option, and disable this feature by
|
|
setting that option to 0. Closes ticket 18322.
|
|
- Add a set of macros to check nonfatal assertions, for internal
|
|
use. Migrating more of our checks to these should help us avoid
|
|
needless crash bugs. Closes ticket 18613.
|
|
|
|
o Minor features (performance):
|
|
- Changer the "optimistic data" extension from "off by default" to
|
|
"on by default". The default was ordinarily overridden by a
|
|
consensus option, but when clients were bootstrapping for the
|
|
first time, they would not have a consensus to get the option
|
|
from. Changing this default When fetching a consensus for the
|
|
first time, use optimistic data. This saves a round-trip during
|
|
startup. Closes ticket 18815.
|
|
|
|
o Minor features (relay, usability):
|
|
- When the directory authorities refuse a bad relay's descriptor,
|
|
encourage the relay operator to contact us. Many relay operators
|
|
won't notice this line in their logs, but it's a win if even a few
|
|
learn why we don't like what their relay was doing. Resolves
|
|
ticket 18760.
|
|
|
|
o Minor features (testing):
|
|
- Let backtrace tests work correctly under AddressSanitizer. Fixes
|
|
part of bug 18934; bugfix on 0.2.5.2-alpha.
|
|
- Move the test-network.sh script to chutney, and modify tor's test-
|
|
network.sh to call the (newer) chutney version when available.
|
|
Resolves ticket 19116. Patch by teor.
|
|
- Use the lcov convention for marking lines as unreachable, so that
|
|
we don't count them when we're generating test coverage data.
|
|
Update our coverage tools to understand this convention. Closes
|
|
ticket 16792.
|
|
|
|
o Minor bugfixes (bootstrap):
|
|
- Remember the directory we fetched the consensus or previous
|
|
certificates from, and use it to fetch future authority
|
|
certificates. This change improves bootstrapping performance.
|
|
Fixes bug 18963; bugfix on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (build):
|
|
- The test-stem and test-network makefile targets now depend only on
|
|
the tor binary that they are testing. Previously, they depended on
|
|
"make all". Fixes bug 18240; bugfix on 0.2.8.2-alpha. Based on a
|
|
patch from "cypherpunks".
|
|
|
|
o Minor bugfixes (circuits):
|
|
- Make sure extend_info_from_router() is only called on servers.
|
|
Fixes bug 19639; bugfix on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- When building with Clang, use a full set of GCC warnings.
|
|
(Previously, we included only a subset, because of the way we
|
|
detected them.) Fixes bug 19216; bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor bugfixes (directory authority):
|
|
- Authorities now sort the "package" lines in their votes, for ease
|
|
of debugging. (They are already sorted in consensus documents.)
|
|
Fixes bug 18840; bugfix on 0.2.6.3-alpha.
|
|
- When parsing a detached signature, make sure we use the length of
|
|
the digest algorithm instead of an hardcoded DIGEST256_LEN in
|
|
order to avoid comparing bytes out-of-bounds with a smaller digest
|
|
length such as SHA1. Fixes bug 19066; bugfix on 0.2.2.6-alpha.
|
|
|
|
o Minor bugfixes (documentation):
|
|
- Document the --passphrase-fd option in the tor manpage. Fixes bug
|
|
19504; bugfix on 0.2.7.3-rc.
|
|
- Fix the description of the --passphrase-fd option in the
|
|
tor-gencert manpage. The option is used to pass the number of a
|
|
file descriptor to read the passphrase from, not to read the file
|
|
descriptor from. Fixes bug 19505; bugfix on 0.2.0.20-alpha.
|
|
|
|
o Minor bugfixes (ephemeral hidden service):
|
|
- When deleting an ephemeral hidden service, close its intro points
|
|
even if they are not completely open. Fixes bug 18604; bugfix
|
|
on 0.2.7.1-alpha.
|
|
|
|
o Minor bugfixes (guard selection):
|
|
- Use a single entry guard even if the NumEntryGuards consensus
|
|
parameter is not provided. Fixes bug 17688; bugfix
|
|
on 0.2.5.6-alpha.
|
|
- Don't mark guards as unreachable if connection_connect() fails.
|
|
That function fails for local reasons, so it shouldn't reveal
|
|
anything about the status of the guard. Fixes bug 14334; bugfix
|
|
on 0.2.3.10-alpha.
|
|
|
|
o Minor bugfixes (hidden service client):
|
|
- Increase the minimum number of internal circuits we preemptively
|
|
build from 2 to 3, so a circuit is available when a client
|
|
connects to another onion service. Fixes bug 13239; bugfix
|
|
on 0.1.0.1-rc.
|
|
|
|
o Minor bugfixes (logging):
|
|
- When logging a directory ownership mismatch, log the owning
|
|
username correctly. Fixes bug 19578; bugfix on 0.2.2.29-beta.
|
|
|
|
o Minor bugfixes (memory leaks):
|
|
- Fix a small, uncommon memory leak that could occur when reading a
|
|
truncated ed25519 key file. Fixes bug 18956; bugfix
|
|
on 0.2.6.1-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Allow clients to retry HSDirs much faster in test networks. Fixes
|
|
bug 19702; bugfix on 0.2.7.1-alpha. Patch by teor.
|
|
- Disable ASAN's detection of segmentation faults while running
|
|
test_bt.sh, so that we can make sure that our own backtrace
|
|
generation code works. Fixes another aspect of bug 18934; bugfix
|
|
on 0.2.5.2-alpha. Patch from "cypherpunks".
|
|
- Fix the test-network-all target on out-of-tree builds by using the
|
|
correct path to the test driver script. Fixes bug 19421; bugfix
|
|
on 0.2.7.3-rc.
|
|
|
|
o Minor bugfixes (time):
|
|
- Improve overflow checks in tv_udiff and tv_mdiff. Fixes bug 19483;
|
|
bugfix on all released tor versions.
|
|
- When computing the difference between two times in milliseconds,
|
|
we now round to the nearest millisecond correctly. Previously, we
|
|
could sometimes round in the wrong direction. Fixes bug 19428;
|
|
bugfix on 0.2.2.2-alpha.
|
|
|
|
o Minor bugfixes (user interface):
|
|
- Display a more accurate number of suppressed messages in the log
|
|
rate-limiter. Previously, there was a potential integer overflow
|
|
in the counter. Now, if the number of messages hits a maximum, the
|
|
rate-limiter doesn't count any further. Fixes bug 19435; bugfix
|
|
on 0.2.4.11-alpha.
|
|
- Fix a typo in the passphrase prompt for the ed25519 identity key.
|
|
Fixes bug 19503; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Code simplification and refactoring:
|
|
- Remove redundant declarations of the MIN macro. Closes
|
|
ticket 18889.
|
|
- Rename tor_dup_addr() to tor_addr_to_str_dup() to avoid confusion.
|
|
Closes ticket 18462; patch from "icanhasaccount".
|
|
- Split the 600-line directory_handle_command_get function into
|
|
separate functions for different URL types. Closes ticket 16698.
|
|
|
|
o Documentation:
|
|
- Fix spelling of "--enable-tor2web-mode" in the manpage. Closes
|
|
ticket 19153. Patch from "U+039b".
|
|
|
|
o Removed features:
|
|
- Remove support for "GET /tor/bytes.txt" DirPort request, and
|
|
"GETINFO dir-usage" controller request, which were only available
|
|
via a compile-time option in Tor anyway. Feature was added in
|
|
0.2.2.1-alpha. Resolves ticket 19035.
|
|
- There is no longer a compile-time option to disable support for
|
|
TransPort. (If you don't want TransPort; just don't use it.) Patch
|
|
from "U+039b". Closes ticket 19449.
|
|
|
|
o Testing:
|
|
- Run more workqueue tests as part of "make check". These had
|
|
previously been implemented, but you needed to know special
|
|
command-line options to enable them.
|
|
- We now have unit tests for our code to reject zlib "compression
|
|
bombs". (Fortunately, the code works fine.)
|
|
|
|
|
|
Changes in version 0.2.8.6 - 2016-08-02
|
|
|
|
Tor 0.2.8.6 is the first stable version of the Tor 0.2.8 series.
|
|
|
|
The Tor 0.2.8 series improves client bootstrapping performance,
|
|
completes the authority-side implementation of improved identity
|
|
keys for relays, and includes numerous bugfixes and performance
|
|
improvements throughout the program. This release continues to
|
|
improve the coverage of Tor's test suite. For a full list of
|
|
changes since Tor 0.2.7, see the ReleaseNotes file.
|
|
|
|
Changes since 0.2.8.5-rc:
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the July 6 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Fix a compilation warning in the unit tests on systems where char
|
|
is signed. Fixes bug 19682; bugfix on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (fallback directories):
|
|
- Remove 1 fallback that was on the hardcoded list, then opted-out,
|
|
leaving 89 of the 100 fallbacks originally introduced in Tor
|
|
0.2.8.2-alpha in March 2016. Closes ticket 19782; patch by teor.
|
|
|
|
o Minor bugfixes (Linux seccomp2 sandbox):
|
|
- Allow more syscalls when running with "Sandbox 1" enabled:
|
|
sysinfo, getsockopt(SO_SNDBUF), and setsockopt(SO_SNDBUFFORCE). On
|
|
some systems, these are required for Tor to start. Fixes bug
|
|
18397; bugfix on 0.2.5.1-alpha. Patch from Daniel Pinto.
|
|
- Allow IPPROTO_UDP datagram sockets when running with "Sandbox 1",
|
|
so that get_interface_address6_via_udp_socket_hack() can work.
|
|
Fixes bug 19660; bugfix on 0.2.5.1-alpha.
|
|
|
|
|
|
Changes in version 0.2.8.5-rc - 2016-07-07
|
|
Tor 0.2.8.5-rc is the second release candidate in the Tor 0.2.8
|
|
series. If we find no new bugs or regressions here, the first stable
|
|
0.2.8 release will be identical to it. It has a few small bugfixes
|
|
against previous versions.
|
|
|
|
o Directory authority changes:
|
|
- Urras is no longer a directory authority. Closes ticket 19271.
|
|
|
|
o Major bugfixes (heartbeat):
|
|
- Fix a regression that would crash Tor when the periodic
|
|
"heartbeat" log messages were disabled. Fixes bug 19454; bugfix on
|
|
0.2.8.1-alpha. Reported by "kubaku".
|
|
|
|
o Minor features (build):
|
|
- Tor now again builds with the recent OpenSSL 1.1 development
|
|
branch (tested against 1.1.0-pre6-dev). Closes ticket 19499.
|
|
- When building manual pages, set the timezone to "UTC", so that the
|
|
output is reproducible. Fixes bug 19558; bugfix on 0.2.2.9-alpha.
|
|
Patch from intrigeri.
|
|
|
|
o Minor bugfixes (fallback directory selection):
|
|
- Avoid errors during fallback selection if there are no eligible
|
|
fallbacks. Fixes bug 19480; bugfix on 0.2.8.3-alpha. Patch
|
|
by teor.
|
|
|
|
o Minor bugfixes (IPv6, microdescriptors):
|
|
- Don't check node addresses when we only have a routerstatus. This
|
|
allows IPv6-only clients to bootstrap by fetching microdescriptors
|
|
from fallback directory mirrors. (The microdescriptor consensus
|
|
has no IPv6 addresses in it.) Fixes bug 19608; bugfix
|
|
on 0.2.8.2-alpha.
|
|
|
|
o Minor bugfixes (logging):
|
|
- Reduce pointlessly verbose log messages when directory servers
|
|
can't be found. Fixes bug 18849; bugfix on 0.2.8.3-alpha and
|
|
0.2.8.1-alpha. Patch by teor.
|
|
- When a fallback directory changes its fingerprint from the hard-
|
|
coded fingerprint, log a less severe, more explanatory log
|
|
message. Fixes bug 18812; bugfix on 0.2.8.1-alpha. Patch by teor.
|
|
|
|
o Minor bugfixes (Linux seccomp2 sandboxing):
|
|
- Allow statistics to be written to disk when "Sandbox 1" is
|
|
enabled. Fixes bugs 19556 and 19957; bugfix on 0.2.5.1-alpha and
|
|
0.2.6.1-alpha respectively.
|
|
|
|
o Minor bugfixes (user interface):
|
|
- Remove a warning message "Service [scrubbed] not found after
|
|
descriptor upload". This message appears when one uses HSPOST
|
|
control command to upload a service descriptor. Since there is
|
|
only a descriptor and no service, showing this message is
|
|
pointless and confusing. Fixes bug 19464; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Fallback directory list:
|
|
- Add a comment to the generated fallback directory list that
|
|
explains how to comment out unsuitable fallbacks in a way that's
|
|
compatible with the stem fallback parser.
|
|
- Update fallback whitelist and blacklist based on relay operator
|
|
emails. Blacklist unsuitable (non-working, over-volatile)
|
|
fallbacks. Resolves ticket 19071. Patch by teor.
|
|
- Remove 10 unsuitable fallbacks, leaving 90 of the 100 fallbacks
|
|
originally introduced in Tor 0.2.8.2-alpha in March 2016. Closes
|
|
ticket 19071; patch by teor.
|
|
|
|
|
|
Changes in version 0.2.8.4-rc - 2016-06-15
|
|
Tor 0.2.8.4-rc is the first release candidate in the Tor 0.2.8 series.
|
|
If we find no new bugs or regressions here, the first stable 0.2.8
|
|
release will be identical to it. It has a few small bugfixes against
|
|
previous versions.
|
|
|
|
o Major bugfixes (user interface):
|
|
- Correctly give a warning in the cases where a relay is specified
|
|
by nickname, and one such relay is found, but it is not officially
|
|
Named. Fixes bug 19203; bugfix on 0.2.3.1-alpha.
|
|
|
|
o Minor features (build):
|
|
- Tor now builds once again with the recent OpenSSL 1.1 development
|
|
branch (tested against 1.1.0-pre5 and 1.1.0-pre6-dev).
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the June 7 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Cause the unit tests to compile correctly on mingw64 versions that
|
|
lack sscanf. Fixes bug 19213; bugfix on 0.2.7.1-alpha.
|
|
|
|
o Minor bugfixes (downloading):
|
|
- Predict more correctly whether we'll be downloading over HTTP when
|
|
we determine the maximum length of a URL. This should avoid a
|
|
"BUG" warning about the Squid HTTP proxy and its URL limits. Fixes
|
|
bug 19191.
|
|
|
|
|
|
Changes in version 0.2.8.3-alpha - 2016-05-26
|
|
Tor 0.2.8.3-alpha resolves several bugs, most of them introduced over
|
|
the course of the 0.2.8 development cycle. It improves the behavior of
|
|
directory clients, fixes several crash bugs, fixes a gap in compiler
|
|
hardening, and allows the full integration test suite to run on
|
|
more platforms.
|
|
|
|
o Major bugfixes (security, client, DNS proxy):
|
|
- Stop a crash that could occur when a client running with DNSPort
|
|
received a query with multiple address types, and the first
|
|
address type was not supported. Found and fixed by Scott Dial.
|
|
Fixes bug 18710; bugfix on 0.2.5.4-alpha.
|
|
|
|
o Major bugfixes (security, compilation):
|
|
- Correctly detect compiler flags on systems where _FORTIFY_SOURCE
|
|
is predefined. Previously, our use of -D_FORTIFY_SOURCE would
|
|
cause a compiler warning, thereby making other checks fail, and
|
|
needlessly disabling compiler-hardening support. Fixes one case of
|
|
bug 18841; bugfix on 0.2.3.17-beta. Patch from "trudokal".
|
|
|
|
o Major bugfixes (security, directory authorities):
|
|
- Fix a crash and out-of-bounds write during authority voting, when
|
|
the list of relays includes duplicate ed25519 identity keys. Fixes
|
|
bug 19032; bugfix on 0.2.8.2-alpha.
|
|
|
|
o Major bugfixes (client, bootstrapping):
|
|
- Check if bootstrap consensus downloads are still needed when the
|
|
linked connection attaches. This prevents tor making unnecessary
|
|
begindir-style connections, which are the only directory
|
|
connections tor clients make since the fix for 18483 was merged.
|
|
- Fix some edge cases where consensus download connections may not
|
|
have been closed, even though they were not needed. Related to fix
|
|
for 18809.
|
|
- Make relays retry consensus downloads the correct number of times,
|
|
rather than the more aggressive client retry count. Fixes part of
|
|
ticket 18809.
|
|
- Stop downloading consensuses when we have a consensus, even if we
|
|
don't have all the certificates for it yet. Fixes bug 18809;
|
|
bugfix on 0.2.8.1-alpha. Patches by arma and teor.
|
|
|
|
o Major bugfixes (directory mirrors):
|
|
- Decide whether to advertise begindir support in the the same way
|
|
we decide whether to advertise our DirPort. Allowing these
|
|
decisions to become out-of-sync led to surprising behavior like
|
|
advertising begindir support when hibernation made us not
|
|
advertise a DirPort. Resolves bug 18616; bugfix on 0.2.8.1-alpha.
|
|
Patch by teor.
|
|
|
|
o Major bugfixes (IPv6 bridges, client):
|
|
- Actually use IPv6 addresses when selecting directory addresses for
|
|
IPv6 bridges. Fixes bug 18921; bugfix on 0.2.8.1-alpha. Patch
|
|
by "teor".
|
|
|
|
o Major bugfixes (key management):
|
|
- If OpenSSL fails to generate an RSA key, do not retain a dangling
|
|
pointer to the previous (uninitialized) key value. The impact here
|
|
should be limited to a difficult-to-trigger crash, if OpenSSL is
|
|
running an engine that makes key generation failures possible, or
|
|
if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
|
|
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
|
|
Baishakhi Ray.
|
|
|
|
o Major bugfixes (testing):
|
|
- Fix a bug that would block 'make test-network-all' on systems where
|
|
IPv6 packets were lost. Fixes bug 19008; bugfix on 0.2.7.3-rc.
|
|
- Avoid "WSANOTINITIALISED" warnings in the unit tests. Fixes bug 18668;
|
|
bugfix on 0.2.8.1-alpha.
|
|
|
|
o Minor features (clients):
|
|
- Make clients, onion services, and bridge relays always use an
|
|
encrypted begindir connection for directory requests. Resolves
|
|
ticket 18483. Patch by "teor".
|
|
|
|
o Minor features (fallback directory mirrors):
|
|
- Give each fallback the same weight for client selection; restrict
|
|
fallbacks to one per operator; report fallback directory detail
|
|
changes when rebuilding list; add new fallback directory mirrors
|
|
to the whitelist; and many other minor simplifications and fixes.
|
|
Closes tasks 17905, 18749, bug 18689, and fixes part of bug 18812 on
|
|
0.2.8.1-alpha; patch by "teor".
|
|
- Replace the 21 fallbacks generated in January 2016 and included in
|
|
Tor 0.2.8.1-alpha, with a list of 100 fallbacks generated in March
|
|
2016. Closes task 17158; patch by "teor".
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the May 4 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (assert, portability):
|
|
- Fix an assertion failure in memarea.c on systems where "long" is
|
|
shorter than the size of a pointer. Fixes bug 18716; bugfix
|
|
on 0.2.1.1-alpha.
|
|
|
|
o Minor bugfixes (bootstrap):
|
|
- Consistently use the consensus download schedule for authority
|
|
certificates. Fixes bug 18816; bugfix on 0.2.4.13-alpha.
|
|
|
|
o Minor bugfixes (build):
|
|
- Remove a pair of redundant AM_CONDITIONAL declarations from
|
|
configure.ac. Fixes one final case of bug 17744; bugfix
|
|
on 0.2.8.2-alpha.
|
|
- Resolve warnings when building on systems that are concerned with
|
|
signed char. Fixes bug 18728; bugfix on 0.2.7.2-alpha
|
|
and 0.2.6.1-alpha.
|
|
- When libscrypt.h is found, but no libscrypt library can be linked,
|
|
treat libscrypt as absent. Fixes bug 19161; bugfix
|
|
on 0.2.6.1-alpha.
|
|
|
|
o Minor bugfixes (client):
|
|
- Turn all TestingClientBootstrap* into non-testing torrc options.
|
|
This changes simply renames them by removing "Testing" in front of
|
|
them and they do not require TestingTorNetwork to be enabled
|
|
anymore. Fixes bug 18481; bugfix on 0.2.8.1-alpha.
|
|
- Make directory node selection more reliable, mainly for IPv6-only
|
|
clients and clients with few reachable addresses. Fixes bug 18929;
|
|
bugfix on 0.2.8.1-alpha. Patch by "teor".
|
|
|
|
o Minor bugfixes (controller, microdescriptors):
|
|
- Make GETINFO dir/status-vote/current/consensus conform to the
|
|
control specification by returning "551 Could not open cached
|
|
consensus..." when not caching consensuses. Fixes bug 18920;
|
|
bugfix on 0.2.2.6-alpha.
|
|
|
|
o Minor bugfixes (crypto, portability):
|
|
- The SHA3 and SHAKE routines now produce the correct output on Big
|
|
Endian systems. No code calls either algorithm yet, so this is
|
|
primarily a build fix. Fixes bug 18943; bugfix on 0.2.8.1-alpha.
|
|
- Tor now builds again with the recent OpenSSL 1.1 development
|
|
branch (tested against 1.1.0-pre4 and 1.1.0-pre5-dev). Closes
|
|
ticket 18286.
|
|
|
|
o Minor bugfixes (directories):
|
|
- When fetching extrainfo documents, compare their SHA256 digests
|
|
and Ed25519 signing key certificates with the routerinfo that led
|
|
us to fetch them, rather than with the most recent routerinfo.
|
|
Otherwise we generate many spurious warnings about mismatches.
|
|
Fixes bug 17150; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (logging):
|
|
- When we can't generate a signing key because OfflineMasterKey is
|
|
set, do not imply that we should have been able to load it. Fixes
|
|
bug 18133; bugfix on 0.2.7.2-alpha.
|
|
- Stop periodic_event_dispatch() from blasting twelve lines per
|
|
second at loglevel debug. Fixes bug 18729; fix on 0.2.8.1-alpha.
|
|
- When rejecting a misformed INTRODUCE2 cell, only log at
|
|
PROTOCOL_WARN severity. Fixes bug 18761; bugfix on 0.2.8.2-alpha.
|
|
|
|
o Minor bugfixes (pluggable transports):
|
|
- Avoid reporting a spurious error when we decide that we don't need
|
|
to terminate a pluggable transport because it has already exited.
|
|
Fixes bug 18686; bugfix on 0.2.5.5-alpha.
|
|
|
|
o Minor bugfixes (pointer arithmetic):
|
|
- Fix a bug in memarea_alloc() that could have resulted in remote
|
|
heap write access, if Tor had ever passed an unchecked size to
|
|
memarea_alloc(). Fortunately, all the sizes we pass to
|
|
memarea_alloc() are pre-checked to be less than 128 kilobytes.
|
|
Fixes bug 19150; bugfix on 0.2.1.1-alpha. Bug found by
|
|
Guido Vranken.
|
|
|
|
o Minor bugfixes (relays):
|
|
- Consider more config options when relays decide whether to
|
|
regenerate their descriptor. Fixes more of bug 12538; bugfix
|
|
on 0.2.8.1-alpha.
|
|
- Resolve some edge cases where we might launch an ORPort
|
|
reachability check even when DisableNetwork is set. Noticed while
|
|
fixing bug 18616; bugfix on 0.2.3.9-alpha.
|
|
|
|
o Minor bugfixes (statistics):
|
|
- We now include consensus downloads via IPv6 in our directory-
|
|
request statistics. Fixes bug 18460; bugfix on 0.2.3.14-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Allow directories in small networks to bootstrap by skipping
|
|
DirPort checks when the consensus has no exits. Fixes bug 19003;
|
|
bugfix on 0.2.8.1-alpha. Patch by teor.
|
|
- Fix a small memory leak that would occur when the
|
|
TestingEnableCellStatsEvent option was turned on. Fixes bug 18673;
|
|
bugfix on 0.2.5.2-alpha.
|
|
|
|
o Minor bugfixes (time handling):
|
|
- When correcting a corrupt 'struct tm' value, fill in the tm_wday
|
|
field. Otherwise, our unit tests crash on Windows. Fixes bug
|
|
18977; bugfix on 0.2.2.25-alpha.
|
|
|
|
o Documentation:
|
|
- Document the contents of the 'datadir/keys' subdirectory in the
|
|
manual page. Closes ticket 17621.
|
|
- Stop recommending use of nicknames to identify relays in our
|
|
MapAddress documentation. Closes ticket 18312.
|
|
|
|
|
|
Changes in version 0.2.8.2-alpha - 2016-03-28
|
|
Tor 0.2.8.2-alpha is the second alpha in its series. It fixes numerous
|
|
bugs in earlier versions of Tor, including some that prevented
|
|
authorities using Tor 0.2.7.x from running correctly. IPv6 and
|
|
directory support should also be much improved.
|
|
|
|
o New system requirements:
|
|
- Tor no longer supports versions of OpenSSL with a broken
|
|
implementation of counter mode. (This bug was present in OpenSSL
|
|
1.0.0, and was fixed in OpenSSL 1.0.0a.) Tor still detects, but no
|
|
longer runs with, these versions.
|
|
- Tor no longer attempts to support platforms where the "time_t"
|
|
type is unsigned. (To the best of our knowledge, only OpenVMS does
|
|
this, and Tor has never actually built on OpenVMS.) Closes
|
|
ticket 18184.
|
|
- Tor now uses Autoconf version 2.63 or later, and Automake 1.11 or
|
|
later (released in 2008 and 2009 respectively). If you are
|
|
building Tor from the git repository instead of from the source
|
|
distribution, and your tools are older than this, you will need to
|
|
upgrade. Closes ticket 17732.
|
|
|
|
o Major bugfixes (security, pointers):
|
|
- Avoid a difficult-to-trigger heap corruption attack when extending
|
|
a smartlist to contain over 16GB of pointers. Fixes bug 18162;
|
|
bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
|
|
Reported by Guido Vranken.
|
|
|
|
o Major bugfixes (bridges, pluggable transports):
|
|
- Modify the check for OR connections to private addresses. Allow
|
|
bridges on private addresses, including pluggable transports that
|
|
ignore the (potentially private) address in the bridge line. Fixes
|
|
bug 18517; bugfix on 0.2.8.1-alpha. Reported by gk, patch by teor.
|
|
|
|
o Major bugfixes (compilation):
|
|
- Repair hardened builds under the clang compiler. Previously, our
|
|
use of _FORTIFY_SOURCE would conflict with clang's address
|
|
sanitizer. Fixes bug 14821; bugfix on 0.2.5.4-alpha.
|
|
|
|
o Major bugfixes (crash on shutdown):
|
|
- Correctly handle detaching circuits from muxes when shutting down.
|
|
Fixes bug 18116; bugfix on 0.2.8.1-alpha.
|
|
- Fix an assert-on-exit bug related to counting memory usage in
|
|
rephist.c. Fixes bug 18651; bugfix on 0.2.8.1-alpha.
|
|
|
|
o Major bugfixes (crash on startup):
|
|
- Fix a segfault during startup: If a Unix domain socket was
|
|
configured as listener (such as a ControlSocket or a SocksPort
|
|
"unix:" socket), and tor was started as root but not configured to
|
|
switch to another user, tor would segfault while trying to string
|
|
compare a NULL value. Fixes bug 18261; bugfix on 0.2.8.1-alpha.
|
|
Patch by weasel.
|
|
|
|
o Major bugfixes (dns proxy mode, crash):
|
|
- Avoid crashing when running as a DNS proxy. Fixes bug 16248;
|
|
bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
|
|
|
|
o Major bugfixes (relays, bridge clients):
|
|
- Ensure relays always allow IPv4 OR and Dir connections. Ensure
|
|
bridge clients use the address configured in the bridge line.
|
|
Fixes bug 18348; bugfix on 0.2.8.1-alpha. Reported by sysrqb,
|
|
patch by teor.
|
|
|
|
o Major bugfixes (voting):
|
|
- Actually enable support for authorities to match routers by their
|
|
Ed25519 identities. Previously, the code had been written, but
|
|
some debugging code that had accidentally been left in the
|
|
codebase made it stay turned off. Fixes bug 17702; bugfix
|
|
on 0.2.7.2-alpha.
|
|
- When collating votes by Ed25519 identities, authorities now
|
|
include a "NoEdConsensus" flag if the ed25519 value (or lack
|
|
thereof) for a server does not reflect the majority consensus.
|
|
Related to bug 17668; bugfix on 0.2.7.2-alpha.
|
|
- When generating a vote with keypinning disabled, never include two
|
|
entries for the same ed25519 identity. This bug was causing
|
|
authorities to generate votes that they could not parse when a
|
|
router violated key pinning by changing its RSA identity but
|
|
keeping its Ed25519 identity. Fixes bug 17668; fixes part of bug
|
|
18318. Bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor features (security, win32):
|
|
- Set SO_EXCLUSIVEADDRUSE on Win32 to avoid a local port-stealing
|
|
attack. Fixes bug 18123; bugfix on all tor versions. Patch
|
|
by teor.
|
|
|
|
o Minor features (bug-resistance):
|
|
- Make Tor survive errors involving connections without a
|
|
corresponding event object. Previously we'd fail with an
|
|
assertion; now we produce a log message. Related to bug 16248.
|
|
|
|
o Minor features (build):
|
|
- Detect systems with FreeBSD-derived kernels (such as GNU/kFreeBSD)
|
|
as having possible IPFW support. Closes ticket 18448. Patch from
|
|
Steven Chamberlain.
|
|
|
|
o Minor features (code hardening):
|
|
- Use tor_snprintf() and tor_vsnprintf() even in external and low-
|
|
level code, to harden against accidental failures to NUL-
|
|
terminate. Part of ticket 17852. Patch from jsturgix. Found
|
|
with Flawfinder.
|
|
|
|
o Minor features (crypto):
|
|
- Validate the hard-coded Diffie-Hellman parameters and ensure that
|
|
p is a safe prime, and g is a suitable generator. Closes
|
|
ticket 18221.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the March 3 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (hidden service directory):
|
|
- Streamline relay-side hsdir handling: when relays consider whether
|
|
to accept an uploaded hidden service descriptor, they no longer
|
|
check whether they are one of the relays in the network that is
|
|
"supposed" to handle that descriptor. Implements ticket 18332.
|
|
|
|
o Minor features (IPv6):
|
|
- Add ClientPreferIPv6DirPort, which is set to 0 by default. If set
|
|
to 1, tor prefers IPv6 directory addresses.
|
|
- Add ClientUseIPv4, which is set to 1 by default. If set to 0, tor
|
|
avoids using IPv4 for client OR and directory connections.
|
|
- Try harder to obey the IP version restrictions "ClientUseIPv4 0",
|
|
"ClientUseIPv6 0", "ClientPreferIPv6ORPort", and
|
|
"ClientPreferIPv6DirPort". Closes ticket 17840; patch by teor.
|
|
|
|
o Minor features (linux seccomp2 sandbox):
|
|
- Reject attempts to change our Address with "Sandbox 1" enabled.
|
|
Changing Address with Sandbox turned on would never actually work,
|
|
but previously it would fail in strange and confusing ways. Found
|
|
while fixing 18548.
|
|
|
|
o Minor features (robustness):
|
|
- Exit immediately with an error message if the code attempts to use
|
|
Libevent without having initialized it. This should resolve some
|
|
frequently-made mistakes in our unit tests. Closes ticket 18241.
|
|
|
|
o Minor features (unix domain sockets):
|
|
- Add a new per-socket option, RelaxDirModeCheck, to allow creating
|
|
Unix domain sockets without checking the permissions on the parent
|
|
directory. (Tor checks permissions by default because some
|
|
operating systems only check permissions on the parent directory.
|
|
However, some operating systems do look at permissions on the
|
|
socket, and tor's default check is unneeded.) Closes ticket 18458.
|
|
Patch by weasel.
|
|
|
|
o Minor bugfixes (exit policies, security):
|
|
- Refresh an exit relay's exit policy when interface addresses
|
|
change. Previously, tor only refreshed the exit policy when the
|
|
configured external address changed. Fixes bug 18208; bugfix on
|
|
0.2.7.3-rc. Patch by teor.
|
|
|
|
o Minor bugfixes (security, hidden services):
|
|
- Prevent hidden services connecting to client-supplied rendezvous
|
|
addresses that are reserved as internal or multicast. Fixes bug
|
|
8976; bugfix on 0.2.3.21-rc. Patch by dgoulet and teor.
|
|
|
|
o Minor bugfixes (build):
|
|
- Do not link the unit tests against both the testing and non-
|
|
testing versions of the static libraries. Fixes bug 18490; bugfix
|
|
on 0.2.7.1-alpha.
|
|
- Avoid spurious failures from configure files related to calling
|
|
exit(0) in TOR_SEARCH_LIBRARY. Fixes bug 18626; bugfix on
|
|
0.2.0.1-alpha. Patch from "cypherpunks".
|
|
- Silence spurious clang-scan warnings in the ed25519_donna code by
|
|
explicitly initializing some objects. Fixes bug 18384; bugfix on
|
|
0.2.7.2-alpha. Patch by teor.
|
|
|
|
o Minor bugfixes (client, bootstrap):
|
|
- Count receipt of new microdescriptors as progress towards
|
|
bootstrapping. Previously, with EntryNodes set, Tor might not
|
|
successfully repopulate the guard set on bootstrapping. Fixes bug
|
|
16825; bugfix on 0.2.3.1-alpha.
|
|
|
|
o Minor bugfixes (code correctness):
|
|
- Update to the latest version of Trunnel, which tries harder to
|
|
avoid generating code that can invoke memcpy(p,NULL,0). Bug found
|
|
by clang address sanitizer. Fixes bug 18373; bugfix
|
|
on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (configuration):
|
|
- Fix a tiny memory leak when parsing a port configuration ending in
|
|
":auto". Fixes bug 18374; bugfix on 0.2.3.3-alpha.
|
|
|
|
o Minor bugfixes (containers):
|
|
- If we somehow attempt to construct a heap with more than
|
|
1073741822 elements, avoid an integer overflow when maintaining
|
|
the heap property. Fixes bug 18296; bugfix on 0.1.2.1-alpha.
|
|
|
|
o Minor bugfixes (correctness):
|
|
- Fix a bad memory handling bug that would occur if we had queued a
|
|
cell on a channel's incoming queue. Fortunately, we can't actually
|
|
queue a cell like that as our code is constructed today, but it's
|
|
best to avoid this kind of error, even if there isn't any code
|
|
that triggers it today. Fixes bug 18570; bugfix on 0.2.4.4-alpha.
|
|
|
|
o Minor bugfixes (directory):
|
|
- When generating a URL for a directory server on an IPv6 address,
|
|
wrap the IPv6 address in square brackets. Fixes bug 18051; bugfix
|
|
on 0.2.3.9-alpha. Patch from Malek.
|
|
|
|
o Minor bugfixes (fallback directory mirrors):
|
|
- When requesting extrainfo descriptors from a trusted directory
|
|
server, check whether it is an authority or a fallback directory
|
|
which supports extrainfo descriptors. Fixes bug 18489; bugfix on
|
|
0.2.4.7-alpha. Reported by atagar, patch by teor.
|
|
|
|
o Minor bugfixes (hidden service, client):
|
|
- Handle the case where the user makes several fast consecutive
|
|
requests to the same .onion address. Previously, the first six
|
|
requests would each trigger a descriptor fetch, each picking a
|
|
directory (there are 6 overall) and the seventh one would fail
|
|
because no directories were left, thereby triggering a close on
|
|
all current directory connections asking for the hidden service.
|
|
The solution here is to not close the connections if we have
|
|
pending directory fetches. Fixes bug 15937; bugfix
|
|
on 0.2.7.1-alpha.
|
|
|
|
o Minor bugfixes (hidden service, control port):
|
|
- Add the onion address to the HS_DESC event for the UPLOADED action
|
|
both on success or failure. It was previously hardcoded with
|
|
UNKNOWN. Fixes bug 16023; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (hidden service, directory):
|
|
- Bridges now refuse "rendezvous2" (hidden service descriptor)
|
|
publish attempts. Suggested by ticket 18332.
|
|
|
|
o Minor bugfixes (linux seccomp2 sandbox):
|
|
- Allow the setrlimit syscall, and the prlimit and prlimit64
|
|
syscalls, which some libc implementations use under the hood.
|
|
Fixes bug 15221; bugfix on 0.2.5.1-alpha.
|
|
- Avoid a 10-second delay when starting as a client with "Sandbox 1"
|
|
enabled and no DNS resolvers configured. This should help TAILS
|
|
start up faster. Fixes bug 18548; bugfix on 0.2.5.1-alpha.
|
|
- Fix the sandbox's interoperability with unix domain sockets under
|
|
setuid. Fixes bug 18253; bugfix on 0.2.8.1-alpha.
|
|
|
|
o Minor bugfixes (logging):
|
|
- When logging information about an unparsable networkstatus vote or
|
|
consensus, do not say "vote" when we mean consensus. Fixes bug
|
|
18368; bugfix on 0.2.0.8-alpha.
|
|
- Scrub service name in "unrecognized service ID" log messages.
|
|
Fixes bug 18600; bugfix on 0.2.4.11-alpha.
|
|
- Downgrade logs and backtraces about IP versions to info-level.
|
|
Only log backtraces once each time tor runs. Assists in diagnosing
|
|
bug 18351; bugfix on 0.2.8.1-alpha. Reported by sysrqb and
|
|
Christian, patch by teor.
|
|
|
|
o Minor bugfixes (memory safety):
|
|
- Avoid freeing an uninitialized pointer when opening a socket fails
|
|
in get_interface_addresses_ioctl(). Fixes bug 18454; bugfix on
|
|
0.2.3.11-alpha. Reported by toralf and "cypherpunks", patch
|
|
by teor.
|
|
- Correctly duplicate addresses in get_interface_address6_list().
|
|
Fixes bug 18454; bugfix on 0.2.8.1-alpha. Reported by toralf,
|
|
patch by "cypherpunks".
|
|
- Fix a memory leak in tor-gencert. Fixes part of bug 18672; bugfix
|
|
on 0.2.0.1-alpha.
|
|
- Fix a memory leak in "tor --list-fingerprint". Fixes part of bug
|
|
18672; bugfix on 0.2.5.1-alpha.
|
|
|
|
o Minor bugfixes (private directory):
|
|
- Prevent a race condition when creating private directories. Fixes
|
|
part of bug 17852; bugfix on 0.0.2pre13. Part of ticket 17852.
|
|
Patch from jsturgix. Found with Flawfinder.
|
|
|
|
o Minor bugfixes (test networks, IPv6):
|
|
- Allow internal IPv6 addresses in descriptors in test networks.
|
|
Fixes bug 17153; bugfix on 0.2.3.16-alpha. Patch by teor, reported
|
|
by karsten.
|
|
|
|
o Minor bugfixes (testing):
|
|
- We no longer disable assertions in the unit tests when coverage is
|
|
enabled. Instead, we require you to say --disable-asserts-in-tests
|
|
to the configure script if you need assertions disabled in the
|
|
unit tests (for example, if you want to perform branch coverage).
|
|
Fixes bug 18242; bugfix on 0.2.7.1-alpha.
|
|
|
|
o Minor bugfixes (time parsing):
|
|
- Avoid overflow in tor_timegm when parsing dates in and after 2038
|
|
on platforms with 32-bit time_t. Fixes bug 18479; bugfix on
|
|
0.0.2pre14. Patch by teor.
|
|
|
|
o Minor bugfixes (tor-gencert):
|
|
- Correctly handle the case where an authority operator enters a
|
|
passphrase but sends an EOF before sending a newline. Fixes bug
|
|
17443; bugfix on 0.2.0.20-rc. Found by junglefowl.
|
|
|
|
o Code simplification and refactoring:
|
|
- Quote all the string interpolations in configure.ac -- even those
|
|
which we are pretty sure can't contain spaces. Closes ticket
|
|
17744. Patch from zerosion.
|
|
- Remove specialized code for non-inplace AES_CTR. 99% of our AES is
|
|
inplace, so there's no need to have a separate implementation for
|
|
the non-inplace code. Closes ticket 18258. Patch from Malek.
|
|
- Simplify return types for some crypto functions that can't
|
|
actually fail. Patch from Hassan Alsibyani. Closes ticket 18259.
|
|
|
|
o Documentation:
|
|
- Change build messages to refer to "Fedora" instead of "Fedora
|
|
Core", and "dnf" instead of "yum". Closes tickets 18459 and 18426.
|
|
Patches from "icanhasaccount" and "cypherpunks".
|
|
|
|
o Removed features:
|
|
- We no longer maintain an internal freelist in memarea.c.
|
|
Allocators should be good enough to make this code unnecessary,
|
|
and it's doubtful that it ever had any performance benefit.
|
|
|
|
o Testing:
|
|
- Fix several warnings from clang's address sanitizer produced in
|
|
the unit tests.
|
|
- Treat backtrace test failures as expected on FreeBSD until we
|
|
solve bug 17808. Closes ticket 18204.
|
|
|
|
|
|
Changes in version 0.2.8.1-alpha - 2016-02-04
|
|
Tor 0.2.8.1-alpha is the first alpha release in its series. It
|
|
includes numerous small features and bugfixes against previous Tor
|
|
versions, and numerous small infrastructure improvements. The most
|
|
notable features are a set of improvements to the directory subsystem.
|
|
|
|
o Major features (security, Linux):
|
|
- When Tor starts as root on Linux and is told to switch user ID, it
|
|
can now retain the capability to bind to low ports. By default,
|
|
Tor will do this only when it's switching user ID and some low
|
|
ports have been configured. You can change this behavior with the
|
|
new option KeepBindCapabilities. Closes ticket 8195.
|
|
|
|
o Major features (directory system):
|
|
- When bootstrapping multiple consensus downloads at a time, use the
|
|
first one that starts downloading, and close the rest. This
|
|
reduces failures when authorities or fallback directories are slow
|
|
or down. Together with the code for feature 15775, this feature
|
|
should reduces failures due to fallback churn. Implements ticket
|
|
4483. Patch by "teor". Implements IPv4 portions of proposal 210 by
|
|
"mikeperry" and "teor".
|
|
- Include a trial list of 21 default fallback directories, generated
|
|
in January 2016, based on an opt-in survey of suitable relays.
|
|
Doing this should make clients bootstrap more quickly and reliably,
|
|
and reduce the load on the directory authorities. Closes ticket
|
|
15775. Patch by "teor".
|
|
Candidates identified using an OnionOO script by "weasel", "teor",
|
|
"gsathya", and "karsten".
|
|
- Previously only relays that explicitly opened a directory port
|
|
(DirPort) accepted directory requests from clients. Now all
|
|
relays, with and without a DirPort, accept and serve tunneled
|
|
directory requests that they receive through their ORPort. You can
|
|
disable this behavior using the new DirCache option. Closes
|
|
ticket 12538.
|
|
|
|
o Major key updates:
|
|
- Update the V3 identity key for the dannenberg directory authority:
|
|
it was changed on 18 November 2015. Closes task 17906. Patch
|
|
by "teor".
|
|
|
|
o Minor features (security, clock):
|
|
- Warn when the system clock appears to move back in time (when the
|
|
state file was last written in the future). Tor doesn't know that
|
|
consensuses have expired if the clock is in the past. Patch by
|
|
"teor". Implements ticket 17188.
|
|
|
|
o Minor features (security, exit policies):
|
|
- ExitPolicyRejectPrivate now rejects more private addresses by
|
|
default. Specifically, it now rejects the relay's outbound bind
|
|
addresses (if configured), and the relay's configured port
|
|
addresses (such as ORPort and DirPort). Fixes bug 17027; bugfix on
|
|
0.2.0.11-alpha. Patch by "teor".
|
|
|
|
o Minor features (security, memory erasure):
|
|
- Set the unused entries in a smartlist to NULL. This helped catch
|
|
a (harmless) bug, and shouldn't affect performance too much.
|
|
Implements ticket 17026.
|
|
- Use SecureMemoryWipe() function to securely clean memory on
|
|
Windows. Previously we'd use OpenSSL's OPENSSL_cleanse() function.
|
|
Implements feature 17986.
|
|
- Use explicit_bzero or memset_s when present. Previously, we'd use
|
|
OpenSSL's OPENSSL_cleanse() function. Closes ticket 7419; patches
|
|
from <logan@hackers.mu> and <selven@hackers.mu>.
|
|
- Make memwipe() do nothing when passed a NULL pointer or buffer of
|
|
zero size. Check size argument to memwipe() for underflow. Fixes
|
|
bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
|
|
patch by "teor".
|
|
|
|
o Minor features (security, RNG):
|
|
- Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely,
|
|
positively are not allowed to fail. Previously we depended on
|
|
internal details of OpenSSL's behavior. Closes ticket 17686.
|
|
- Never use the system entropy output directly for anything besides
|
|
seeding the PRNG. When we want to generate important keys, instead
|
|
of using system entropy directly, we now hash it with the PRNG
|
|
stream. This may help resist certain attacks based on broken OS
|
|
entropy implementations. Closes part of ticket 17694.
|
|
- Use modern system calls (like getentropy() or getrandom()) to
|
|
generate strong entropy on platforms that have them. Closes
|
|
ticket 13696.
|
|
|
|
o Minor features (accounting):
|
|
- Added two modes to the AccountingRule option: One for limiting
|
|
only the number of bytes sent ("AccountingRule out"), and one for
|
|
limiting only the number of bytes received ("AccountingRule in").
|
|
Closes ticket 15989; patch from "unixninja92".
|
|
|
|
o Minor features (build):
|
|
- Since our build process now uses "make distcheck", we no longer
|
|
force "make dist" to depend on "make check". Closes ticket 17893;
|
|
patch from "cypherpunks."
|
|
- Tor now builds successfully with the recent OpenSSL 1.1
|
|
development branch, and with the latest LibreSSL. Closes tickets
|
|
17549, 17921, and 17984.
|
|
|
|
o Minor features (controller):
|
|
- Adds the FallbackDir entries to 'GETINFO config/defaults'. Closes
|
|
tickets 16774 and 17817. Patch by George Tankersley.
|
|
- New 'GETINFO hs/service/desc/id/' command to retrieve a hidden
|
|
service descriptor from a service's local hidden service
|
|
descriptor cache. Closes ticket 14846.
|
|
- Add 'GETINFO exit-policy/reject-private/[default,relay]', so
|
|
controllers can examine the the reject rules added by
|
|
ExitPolicyRejectPrivate. This makes it easier for stem to display
|
|
exit policies.
|
|
|
|
o Minor features (crypto):
|
|
- Add SHA512 support to crypto.c. Closes ticket 17663; patch from
|
|
George Tankersley.
|
|
- Add SHA3 and SHAKE support to crypto.c. Closes ticket 17783.
|
|
- When allocating a digest state object, allocate no more space than
|
|
we actually need. Previously, we would allocate as much space as
|
|
the state for the largest algorithm would need. This change saves
|
|
up to 672 bytes per circuit. Closes ticket 17796.
|
|
- Improve performance when hashing non-multiple of 8 sized buffers,
|
|
based on Andrew Moon's public domain SipHash-2-4 implementation.
|
|
Fixes bug 17544; bugfix on 0.2.5.3-alpha.
|
|
|
|
o Minor features (directory downloads):
|
|
- Wait for busy authorities and fallback directories to become non-
|
|
busy when bootstrapping. (A similar change was made in 6c443e987d
|
|
for directory caches chosen from the consensus.) Closes ticket
|
|
17864; patch by "teor".
|
|
- Add UseDefaultFallbackDirs, which enables any hard-coded fallback
|
|
directory mirrors. The default is 1; set it to 0 to disable
|
|
fallbacks. Implements ticket 17576. Patch by "teor".
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (IPv6):
|
|
- Add an argument 'ipv6=address:orport' to the DirAuthority and
|
|
FallbackDir torrc options, to specify an IPv6 address for an
|
|
authority or fallback directory. Add hard-coded ipv6 addresses for
|
|
directory authorities that have them. Closes ticket 17327; patch
|
|
from Nick Mathewson and "teor".
|
|
- Add address policy assume_action support for IPv6 addresses.
|
|
- Limit IPv6 mask bits to 128.
|
|
- Warn when comparing against an AF_UNSPEC address in a policy, it's
|
|
almost always a bug. Closes ticket 17863; patch by "teor".
|
|
- Allow users to configure directory authorities and fallback
|
|
directory servers with IPv6 addresses and ORPorts. Resolves
|
|
ticket 6027.
|
|
- routerset_parse now accepts IPv6 literal addresses. Fixes bug
|
|
17060; bugfix on 0.2.1.3-alpha. Patch by "teor".
|
|
- Make tor_ersatz_socketpair work on IPv6-only systems. Fixes bug
|
|
17638; bugfix on 0.0.2pre8. Patch by "teor".
|
|
|
|
o Minor features (logging):
|
|
- When logging to syslog, allow a tag to be added to the syslog
|
|
identity (the string prepended to every log message). The tag can
|
|
be configured with SyslogIdentityTag and defaults to none. Setting
|
|
it to "foo" will cause logs to be tagged as "Tor-foo". Closes
|
|
ticket 17194.
|
|
|
|
o Minor features (portability):
|
|
- Use timingsafe_memcmp() where available. Closes ticket 17944;
|
|
patch from <logan@hackers.mu>.
|
|
|
|
o Minor features (relay, address discovery):
|
|
- Add a family argument to get_interface_addresses_raw() and
|
|
subfunctions to make network interface address interogation more
|
|
efficient. Now Tor can specifically ask for IPv4, IPv6 or both
|
|
types of interfaces from the operating system. Resolves
|
|
ticket 17950.
|
|
- When get_interface_address6_list(.,AF_UNSPEC,.) is called and
|
|
fails to enumerate interface addresses using the platform-specific
|
|
API, have it rely on the UDP socket fallback technique to try and
|
|
find out what IP addresses (both IPv4 and IPv6) our machine has.
|
|
Resolves ticket 17951.
|
|
|
|
o Minor features (replay cache):
|
|
- The replay cache now uses SHA256 instead of SHA1. Implements
|
|
feature 8961. Patch by "teor", issue reported by "rransom".
|
|
|
|
o Minor features (unix file permissions):
|
|
- Defer creation of Unix sockets until after setuid. This avoids
|
|
needing CAP_CHOWN and CAP_FOWNER when using systemd's
|
|
CapabilityBoundingSet, or chown and fowner when using SELinux.
|
|
Implements part of ticket 17562. Patch from Jamie Nguyen.
|
|
- If any directory created by Tor is marked as group readable, the
|
|
filesystem group is allowed to be either the default GID or the
|
|
root user. Allowing root to read the DataDirectory prevents the
|
|
need for CAP_READ_SEARCH when using systemd's
|
|
CapabilityBoundingSet, or dac_read_search when using SELinux.
|
|
Implements part of ticket 17562. Patch from Jamie Nguyen.
|
|
- Introduce a new DataDirectoryGroupReadable option. If it is set to
|
|
1, the DataDirectory will be made readable by the default GID.
|
|
Implements part of ticket 17562. Patch from Jamie Nguyen.
|
|
|
|
o Minor bugfixes (accounting):
|
|
- The max bandwidth when using 'AccountRule sum' is now correctly
|
|
logged. Fixes bug 18024; bugfix on 0.2.6.1-alpha. Patch
|
|
from "unixninja92".
|
|
|
|
o Minor bugfixes (code correctness):
|
|
- When closing an entry connection, generate a warning if we should
|
|
have sent an end cell for it but we haven't. Fixes bug 17876;
|
|
bugfix on 0.2.3.2-alpha.
|
|
- Assert that allocated memory held by the reputation code is freed
|
|
according to its internal counters. Fixes bug 17753; bugfix
|
|
on 0.1.1.1-alpha.
|
|
- Assert when the TLS contexts fail to initialize. Fixes bug 17683;
|
|
bugfix on 0.0.6.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Mark all object files that include micro-revision.i as depending
|
|
on it, so as to make parallel builds more reliable. Fixes bug
|
|
17826; bugfix on 0.2.5.1-alpha.
|
|
- Don't try to use the pthread_condattr_setclock() function unless
|
|
it actually exists. Fixes compilation on NetBSD-6.x. Fixes bug
|
|
17819; bugfix on 0.2.6.3-alpha.
|
|
- Fix backtrace compilation on FreeBSD. Fixes bug 17827; bugfix
|
|
on 0.2.5.2-alpha.
|
|
- Fix compilation of sandbox.c with musl-libc. Fixes bug 17347;
|
|
bugfix on 0.2.5.1-alpha. Patch from 'jamestk'.
|
|
- Fix search for libevent libraries on OpenBSD (and other systems
|
|
that install libevent 1 and libevent 2 in parallel). Fixes bug
|
|
16651; bugfix on 0.1.0.7-rc. Patch from "rubiate".
|
|
- Isolate environment variables meant for tests from the rest of the
|
|
build system. Fixes bug 17818; bugfix on 0.2.7.3-rc.
|
|
- Replace usage of 'INLINE' with 'inline'. Fixes bug 17804; bugfix
|
|
on 0.0.2pre8.
|
|
- Remove config.log only from make distclean, not from make clean.
|
|
Fixes bug 17924; bugfix on 0.2.4.1-alpha.
|
|
|
|
o Minor bugfixes (crypto):
|
|
- Check the return value of HMAC() and assert on failure. Fixes bug
|
|
17658; bugfix on 0.2.3.6-alpha. Patch by "teor".
|
|
|
|
o Minor bugfixes (fallback directories):
|
|
- Mark fallbacks as "too busy" when they return a 503 response,
|
|
rather than just marking authorities. Fixes bug 17572; bugfix on
|
|
0.2.4.7-alpha. Patch by "teor".
|
|
|
|
o Minor bugfixes (IPv6):
|
|
- Update the limits in max_dl_per_request for IPv6 address length.
|
|
Fixes bug 17573; bugfix on 0.2.1.5-alpha.
|
|
|
|
o Minor bugfixes (linux seccomp2 sandbox):
|
|
- Fix a crash when using offline master ed25519 keys with the Linux
|
|
seccomp2 sandbox enabled. Fixes bug 17675; bugfix on 0.2.7.3-rc.
|
|
|
|
o Minor bugfixes (logging):
|
|
- In log messages that include a function name, use __FUNCTION__
|
|
instead of __PRETTY_FUNCTION__. In GCC, these are synonymous, but
|
|
with clang __PRETTY_FUNCTION__ has extra information we don't
|
|
need. Fixes bug 16563; bugfix on 0.0.2pre8. Fix by Tom van
|
|
der Woerdt.
|
|
- Remove needless quotes from a log message about unparseable
|
|
addresses. Fixes bug 17843; bugfix on 0.2.3.3-alpha.
|
|
|
|
o Minor bugfixes (portability):
|
|
- Remove an #endif from configure.ac so that we correctly detect the
|
|
presence of in6_addr.s6_addr32. Fixes bug 17923; bugfix
|
|
on 0.2.0.13-alpha.
|
|
|
|
o Minor bugfixes (relays):
|
|
- Check that both the ORPort and DirPort (if present) are reachable
|
|
before publishing a relay descriptor. Otherwise, relays publish a
|
|
descriptor with DirPort 0 when the DirPort reachability test takes
|
|
longer than the ORPort reachability test. Fixes bug 18050; bugfix
|
|
on 0.1.0.1-rc. Reported by "starlight", patch by "teor".
|
|
|
|
o Minor bugfixes (relays, hidden services):
|
|
- Refuse connection requests to private OR addresses unless
|
|
ExtendAllowPrivateAddresses is set. Previously, tor would connect,
|
|
then refuse to send any cells to a private address. Fixes bugs
|
|
17674 and 8976; bugfix on 0.2.3.21-rc. Patch by "teor".
|
|
|
|
o Minor bugfixes (safe logging):
|
|
- When logging a malformed hostname received through socks4, scrub
|
|
it if SafeLogging says we should. Fixes bug 17419; bugfix
|
|
on 0.1.1.16-rc.
|
|
|
|
o Minor bugfixes (statistics code):
|
|
- Consistently check for overflow in round_*_to_next_multiple_of
|
|
functions, and add unit tests with additional and maximal values.
|
|
Fixes part of bug 13192; bugfix on 0.2.2.1-alpha.
|
|
- Handle edge cases in the laplace functions: avoid division by
|
|
zero, avoid taking the log of zero, and silence clang type
|
|
conversion warnings using round and trunc. Add unit tests for edge
|
|
cases with maximal values. Fixes part of bug 13192; bugfix
|
|
on 0.2.6.2-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- The test for log_heartbeat was incorrectly failing in timezones
|
|
with non-integer offsets. Instead of comparing the end of the time
|
|
string against a constant, compare it to the output of
|
|
format_local_iso_time when given the correct input. Fixes bug
|
|
18039; bugfix on 0.2.5.4-alpha.
|
|
- Make unit tests pass on IPv6-only systems, and systems without
|
|
localhost addresses (like some FreeBSD jails). Fixes bug 17632;
|
|
bugfix on 0.2.7.3-rc. Patch by "teor".
|
|
- Fix a memory leak in the ntor test. Fixes bug 17778; bugfix
|
|
on 0.2.4.8-alpha.
|
|
- Check the full results of SHA256 and SHA512 digests in the unit
|
|
tests. Bugfix on 0.2.2.4-alpha. Patch by "teor".
|
|
|
|
o Code simplification and refactoring:
|
|
- Move logging of redundant policy entries in
|
|
policies_parse_exit_policy_internal into its own function. Closes
|
|
ticket 17608; patch from "juce".
|
|
- Extract the more complicated parts of circuit_mark_for_close()
|
|
into a new function that we run periodically before circuits are
|
|
freed. This change removes more than half of the functions
|
|
currently in the "blob". Closes ticket 17218.
|
|
- Clean up a little duplicated code in
|
|
crypto_expand_key_material_TAP(). Closes ticket 17587; patch
|
|
from "pfrankw".
|
|
- Decouple the list of streams waiting to be attached to circuits
|
|
from the overall connection list. This change makes it possible to
|
|
attach streams quickly while simplifying Tor's callgraph and
|
|
avoiding O(N) scans of the entire connection list. Closes
|
|
ticket 17590.
|
|
- When a direct directory request fails immediately on launch,
|
|
instead of relaunching that request from inside the code that
|
|
launches it, instead mark the connection for teardown. This change
|
|
simplifies Tor's callback and prevents the directory-request
|
|
launching code from invoking itself recursively. Closes
|
|
ticket 17589
|
|
- Remove code for configuring OpenSSL dynamic locks; OpenSSL doesn't
|
|
use them. Closes ticket 17926.
|
|
|
|
o Documentation:
|
|
- Add a description of the correct use of the '--keygen' command-
|
|
line option. Closes ticket 17583; based on text by 's7r'.
|
|
- Document the minimum HeartbeatPeriod value. Closes ticket 15638.
|
|
- Explain actual minima for BandwidthRate. Closes ticket 16382.
|
|
- Fix a minor formatting typo in the manpage. Closes ticket 17791.
|
|
- Mention torspec URL in the manpage and point the reader to it
|
|
whenever we mention a document that belongs in torspce. Fixes
|
|
issue 17392.
|
|
|
|
o Removed features:
|
|
- Remove client-side support for connecting to Tor relays running
|
|
versions of Tor before 0.2.3.6-alpha. These relays didn't support
|
|
the v3 TLS handshake protocol, and are no longer allowed on the
|
|
Tor network. Implements the client side of ticket 11150. Based on
|
|
patches by Tom van der Woerdt.
|
|
|
|
o Testing:
|
|
- Add unit tests to check for common RNG failure modes, such as
|
|
returning all zeroes, identical values, or incrementing values
|
|
(OpenSSL's rand_predictable feature). Patch by "teor".
|
|
- Log more information when the backtrace tests fail. Closes ticket
|
|
17892. Patch from "cypherpunks."
|
|
- Always test both ed25519 backends, so that we can be sure that our
|
|
batch-open replacement code works. Part of ticket 16794.
|
|
- Cover dns_resolve_impl() in dns.c with unit tests. Implements a
|
|
portion of ticket 16831.
|
|
- More unit tests for compat_libevent.c, procmon.c, tortls.c,
|
|
util_format.c, directory.c, and options_validate.c. Closes tickets
|
|
17075, 17082, 17084, 17003, and 17076 respectively. Patches from
|
|
Ola Bini.
|
|
- Unit tests for directory_handle_command_get. Closes ticket 17004.
|
|
Patch from Reinaldo de Souza Jr.
|
|
|
|
|
|
Changes in version 0.2.7.6 - 2015-12-10
|
|
Tor version 0.2.7.6 fixes a major bug in entry guard selection, as
|
|
well as a minor bug in hidden service reliability.
|
|
|
|
o Major bugfixes (guard selection):
|
|
- Actually look at the Guard flag when selecting a new directory
|
|
guard. When we implemented the directory guard design, we
|
|
accidentally started treating all relays as if they have the Guard
|
|
flag during guard selection, leading to weaker anonymity and worse
|
|
performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
|
|
by Mohsen Imani.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- When checking for net/pfvar.h, include netinet/in.h if possible.
|
|
This fixes transparent proxy detection on OpenBSD. Fixes bug
|
|
17551; bugfix on 0.1.2.1-alpha. Patch from "rubiate".
|
|
- Fix a compilation warning with Clang 3.6: Do not check the
|
|
presence of an address which can never be NULL. Fixes bug 17781.
|
|
|
|
o Minor bugfixes (correctness):
|
|
- When displaying an IPv6 exit policy, include the mask bits
|
|
correctly even when the number is greater than 31. Fixes bug
|
|
16056; bugfix on 0.2.4.7-alpha. Patch from "gturner".
|
|
- The wrong list was used when looking up expired intro points in a
|
|
rend service object, causing what we think could be reachability
|
|
issues for hidden services, and triggering a BUG log. Fixes bug
|
|
16702; bugfix on 0.2.7.2-alpha.
|
|
- Fix undefined behavior in the tor_cert_checksig function. Fixes
|
|
bug 17722; bugfix on 0.2.7.2-alpha.
|
|
|
|
|
|
Changes in version 0.2.7.5 - 2015-11-20
|
|
The Tor 0.2.7 release series is dedicated to the memory of Tor user
|
|
and privacy advocate Caspar Bowden (1961-2015). Caspar worked
|
|
tirelessly to advocate human rights regardless of national borders,
|
|
and oppose the encroachments of mass surveillance. He opposed national
|
|
exceptionalism, he brought clarity to legal and policy debates, he
|
|
understood and predicted the impact of mass surveillance on the world,
|
|
and he laid the groundwork for resisting it. While serving on the Tor
|
|
Project's board of directors, he brought us his uncompromising focus
|
|
on technical excellence in the service of humankind. Caspar was an
|
|
inimitable force for good and a wonderful friend. He was kind,
|
|
humorous, generous, gallant, and believed we should protect one
|
|
another without exception. We honor him here for his ideals, his
|
|
efforts, and his accomplishments. Please honor his memory with works
|
|
that would make him proud.
|
|
|
|
Tor 0.2.7.5 is the first stable release in the Tor 0.2.7 series.
|
|
|
|
The 0.2.7 series adds a more secure identity key type for relays,
|
|
improves cryptography performance, resolves several longstanding
|
|
hidden-service performance issues, improves controller support for
|
|
hidden services, and includes small bugfixes and performance
|
|
improvements throughout the program. This release series also includes
|
|
more tests than before, and significant simplifications to which parts
|
|
of Tor invoke which others.
|
|
|
|
(This release contains no code changes since 0.2.7.4-rc.)
|
|
|
|
|
|
Changes in version 0.2.7.4-rc - 2015-10-21
|
|
Tor 0.2.7.4-rc is the second release candidate in the 0.2.7 series. It
|
|
fixes some important memory leaks, and a scary-looking (but mostly
|
|
harmless in practice) invalid-read bug. It also has a few small
|
|
bugfixes, notably fixes for compilation and portability on different
|
|
platforms. If no further significant bounds are found, the next
|
|
release will the the official stable release.
|
|
|
|
o Major bugfixes (security, correctness):
|
|
- Fix an error that could cause us to read 4 bytes before the
|
|
beginning of an openssl string. This bug could be used to cause
|
|
Tor to crash on systems with unusual malloc implementations, or
|
|
systems with unusual hardening installed. Fixes bug 17404; bugfix
|
|
on 0.2.3.6-alpha.
|
|
|
|
o Major bugfixes (correctness):
|
|
- Fix a use-after-free bug in validate_intro_point_failure(). Fixes
|
|
bug 17401; bugfix on 0.2.7.3-rc.
|
|
|
|
o Major bugfixes (memory leaks):
|
|
- Fix a memory leak in ed25519 batch signature checking. Fixes bug
|
|
17398; bugfix on 0.2.6.1-alpha.
|
|
- Fix a memory leak in rend_cache_failure_entry_free(). Fixes bug
|
|
17402; bugfix on 0.2.7.3-rc.
|
|
- Fix a memory leak when reading an expired signing key from disk.
|
|
Fixes bug 17403; bugfix on 0.2.7.2-rc.
|
|
|
|
o Minor features (geoIP):
|
|
- Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Repair compilation with the most recent (unreleased, alpha)
|
|
vesions of OpenSSL 1.1. Fixes part of ticket 17237.
|
|
- Fix an integer overflow warning in test_crypto_slow.c. Fixes bug
|
|
17251; bugfix on 0.2.7.2-alpha.
|
|
- Fix compilation of sandbox.c with musl-libc. Fixes bug 17347;
|
|
bugfix on 0.2.5.1-alpha. Patch from 'jamestk'.
|
|
|
|
o Minor bugfixes (portability):
|
|
- Use libexecinfo on FreeBSD to enable backtrace support. Fixes
|
|
part of bug 17151; bugfix on 0.2.5.2-alpha. Patch from
|
|
Marcin Cieślak.
|
|
|
|
o Minor bugfixes (sandbox):
|
|
- Add the "hidserv-stats" filename to our sandbox filter for the
|
|
HiddenServiceStatistics option to work properly. Fixes bug 17354;
|
|
bugfix on 0.2.6.2-alpha. Patch from David Goulet.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Add unit tests for get_interface_address* failure cases. Fixes bug
|
|
17173; bugfix on 0.2.7.3-rc. Patch by fk/teor.
|
|
- Fix breakage when running 'make check' with BSD make. Fixes bug
|
|
17154; bugfix on 0.2.7.3-rc. Patch by Marcin Cieślak.
|
|
- Make the get_ifaddrs_* unit tests more tolerant of different
|
|
network configurations. (Don't assume every test box has an IPv4
|
|
address, and don't assume every test box has a non-localhost
|
|
address.) Fixes bug 17255; bugfix on 0.2.7.3-rc. Patch by "teor".
|
|
- Skip backtrace tests when backtrace support is not compiled in.
|
|
Fixes part of bug 17151; bugfix on 0.2.7.1-alpha. Patch from
|
|
Marcin Cieślak.
|
|
|
|
o Documentation:
|
|
- Fix capitalization of SOCKS in sample torrc. Closes ticket 15609.
|
|
- Note that HiddenServicePorts can take a unix domain socket. Closes
|
|
ticket 17364.
|
|
|
|
|
|
Changes in version 0.2.7.3-rc - 2015-09-25
|
|
Tor 0.2.7.3-rc is the first release candidate in the 0.2.7 series. It
|
|
contains numerous usability fixes for Ed25519 keys, safeguards against
|
|
several misconfiguration problems, significant simplifications to
|
|
Tor's callgraph, and numerous bugfixes and small features.
|
|
|
|
This is the most tested release of Tor to date. The unit tests cover
|
|
39.40% of the code, and the integration tests (accessible with "make
|
|
test-full-online", requiring stem and chutney and a network
|
|
connection) raise the coverage to 64.49%.
|
|
|
|
o Major features (security, hidden services):
|
|
- Hidden services, if using the EntryNodes option, are required to
|
|
use more than one EntryNode, in order to avoid a guard discovery
|
|
attack. (This would only affect people who had configured hidden
|
|
services and manually specified the EntryNodes option with a
|
|
single entry-node. The impact was that it would be easy to
|
|
remotely identify the guard node used by such a hidden service.
|
|
See ticket for more information.) Fixes ticket 14917.
|
|
|
|
o Major features (Ed25519 keys, keypinning):
|
|
- The key-pinning option on directory authorities is now advisory-
|
|
only by default. In a future version, or when the AuthDirPinKeys
|
|
option is set, pins are enforced again. Disabling key-pinning
|
|
seemed like a good idea so that we can survive the fallout of any
|
|
usability problems associated with Ed25519 keys. Closes
|
|
ticket 17135.
|
|
|
|
o Major features (Ed25519 performance):
|
|
- Improve the speed of Ed25519 operations and Curve25519 keypair
|
|
generation when built targeting 32 bit x86 platforms with SSE2
|
|
available. Implements ticket 16535.
|
|
- Improve the runtime speed of Ed25519 signature verification by
|
|
using Ed25519-donna's batch verification support. Implements
|
|
ticket 16533.
|
|
|
|
o Major features (performance testing):
|
|
- The test-network.sh script now supports performance testing.
|
|
Requires corresponding chutney performance testing changes. Patch
|
|
by "teor". Closes ticket 14175.
|
|
|
|
o Major features (relay, Ed25519):
|
|
- Significant usability improvements for Ed25519 key management. Log
|
|
messages are better, and the code can recover from far more
|
|
failure conditions. Thanks to "s7r" for reporting and diagnosing
|
|
so many of these!
|
|
- Add a new OfflineMasterKey option to tell Tor never to try loading
|
|
or generating a secret Ed25519 identity key. You can use this in
|
|
combination with tor --keygen to manage offline and/or encrypted
|
|
Ed25519 keys. Implements ticket 16944.
|
|
- Add a --newpass option to allow changing or removing the
|
|
passphrase of an encrypted key with tor --keygen. Implements part
|
|
of ticket 16769.
|
|
- On receiving a HUP signal, check to see whether the Ed25519
|
|
signing key has changed, and reload it if so. Closes ticket 16790.
|
|
|
|
o Major bugfixes (relay, Ed25519):
|
|
- Avoid crashing on 'tor --keygen'. Fixes bug 16679; bugfix on
|
|
0.2.7.2-alpha. Reported by "s7r".
|
|
- Improve handling of expired signing keys with offline master keys.
|
|
Fixes bug 16685; bugfix on 0.2.7.2-alpha. Reported by "s7r".
|
|
|
|
o Minor features (client-side privacy):
|
|
- New KeepAliveIsolateSOCKSAuth option to indefinitely extend circuit
|
|
lifespan when IsolateSOCKSAuth and streams with SOCKS
|
|
authentication are attached to the circuit. This allows
|
|
applications like TorBrowser to manage circuit lifetime on their
|
|
own. Implements feature 15482.
|
|
- When logging malformed hostnames from SOCKS5 requests, respect
|
|
SafeLogging configuration. Fixes bug 16891; bugfix on 0.1.1.16-rc.
|
|
|
|
o Minor features (compilation):
|
|
- Give a warning as early as possible when trying to build with an
|
|
unsupported OpenSSL version. Closes ticket 16901.
|
|
- Fail during configure if we're trying to build against an OpenSSL
|
|
built without ECC support. Fixes bug 17109, bugfix on 0.2.7.1-alpha
|
|
which started requiring ECC.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (hidden services):
|
|
- Relays need to have the Fast flag to get the HSDir flag. As this
|
|
is being written, we'll go from 2745 HSDirs down to 2342, a ~14%
|
|
drop. This change should make some attacks against the hidden
|
|
service directory system harder. Fixes ticket 15963.
|
|
- Turn on hidden service statistics collection by setting the torrc
|
|
option HiddenServiceStatistics to "1" by default. (This keeps
|
|
track only of the fraction of traffic used by hidden services, and
|
|
the total number of hidden services in existence.) Closes
|
|
ticket 15254.
|
|
- Client now uses an introduction point failure cache to know when
|
|
to fetch or keep a descriptor in their cache. Previously, failures
|
|
were recorded implicitly, but not explicitly remembered. Closes
|
|
ticket 16389.
|
|
|
|
o Minor features (testing, authorities, documentation):
|
|
- New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags to
|
|
explicitly manage consensus flags in testing networks. Patch by
|
|
"robgjansen", modified by "teor". Implements part of ticket 14882.
|
|
|
|
o Minor bugfixes (security, exit policies):
|
|
- ExitPolicyRejectPrivate now also rejects the relay's published
|
|
IPv6 address (if any), and any publicly routable IPv4 or IPv6
|
|
addresses on any local interfaces. ticket 17027. Patch by "teor".
|
|
Fixes bug 17027; bugfix on 0.2.0.11-alpha.
|
|
|
|
o Minor bug fixes (torrc exit policies):
|
|
- In torrc, "accept6 *" and "reject6 *" ExitPolicy lines now only
|
|
produce IPv6 wildcard addresses. Previously they would produce
|
|
both IPv4 and IPv6 wildcard addresses. Patch by "teor". Fixes part
|
|
of bug 16069; bugfix on 0.2.4.7-alpha.
|
|
- When parsing torrc ExitPolicies, we now warn for a number of cases
|
|
where the user's intent is likely to differ from Tor's actual
|
|
behavior. These include: using an IPv4 address with an accept6 or
|
|
reject6 line; using "private" on an accept6 or reject6 line; and
|
|
including any ExitPolicy lines after accept *:* or reject *:*.
|
|
Related to ticket 16069.
|
|
- When parsing torrc ExitPolicies, we now issue an info-level
|
|
message when expanding an "accept/reject *" line to include both
|
|
IPv4 and IPv6 wildcard addresses. Related to ticket 16069.
|
|
- In each instance above, usage advice is provided to avoid the
|
|
message. Resolves ticket 16069. Patch by "teor". Fixes part of bug
|
|
16069; bugfix on 0.2.4.7-alpha.
|
|
|
|
o Minor bugfixes (authority):
|
|
- Don't assign "HSDir" to a router if it isn't Valid and Running.
|
|
Fixes bug 16524; bugfix on 0.2.7.2-alpha.
|
|
- Downgrade log messages about Ed25519 key issues if they are in old
|
|
cached router descriptors. Fixes part of bug 16286; bugfix
|
|
on 0.2.7.2-alpha.
|
|
- When we find an Ed25519 key issue in a cached descriptor, stop
|
|
saying the descriptor was just "uploaded". Fixes another part of
|
|
bug 16286; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (control port):
|
|
- Repair a warning and a spurious result when getting the maximum
|
|
number of file descriptors from the controller. Fixes bug 16697;
|
|
bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (correctness):
|
|
- When calling channel_free_list(), avoid calling smartlist_remove()
|
|
while inside a FOREACH loop. This partially reverts commit
|
|
17356fe7fd96af where the correct SMARTLIST_DEL_CURRENT was
|
|
incorrectly removed. Fixes bug 16924; bugfix on 0.2.4.4-alpha.
|
|
|
|
o Minor bugfixes (documentation):
|
|
- Advise users on how to configure separate IPv4 and IPv6 exit
|
|
policies in the manpage and sample torrcs. Related to ticket 16069.
|
|
- Fix the usage message of tor-resolve(1) so that it no longer lists
|
|
the removed -F option. Fixes bug 16913; bugfix on 0.2.2.28-beta.
|
|
- Fix an error in the manual page and comments for
|
|
TestingDirAuthVoteHSDir[IsStrict], which suggested that a HSDir
|
|
required "ORPort connectivity". While this is true, it is in no
|
|
way unique to the HSDir flag. Of all the flags, only HSDirs need a
|
|
DirPort configured in order for the authorities to assign that
|
|
particular flag. Patch by "teor". Fixed as part of 14882; bugfix
|
|
on 0.2.6.3-alpha.
|
|
|
|
o Minor bugfixes (Ed25519):
|
|
- Fix a memory leak when reading router descriptors with expired
|
|
Ed25519 certificates. Fixes bug 16539; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (linux seccomp2 sandbox):
|
|
- Allow bridge authorities to run correctly under the seccomp2
|
|
sandbox. Fixes bug 16964; bugfix on 0.2.5.1-alpha.
|
|
- Allow routers with ed25519 keys to run correctly under the
|
|
seccomp2 sandbox. Fixes bug 16965; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (open file limit):
|
|
- Fix set_max_file_descriptors() to set by default the max open file
|
|
limit to the current limit when setrlimit() fails. Fixes bug
|
|
16274; bugfix on 0.2.0.10-alpha. Patch by dgoulet.
|
|
|
|
o Minor bugfixes (portability):
|
|
- Try harder to normalize the exit status of the Tor process to the
|
|
standard-provided range. Fixes bug 16975; bugfix on every version
|
|
of Tor ever.
|
|
- Check correctly for Windows socket errors in the workqueue
|
|
backend. Fixes bug 16741; bugfix on 0.2.6.3-alpha.
|
|
- Fix the behavior of crypto_rand_time_range() when told to consider
|
|
times before 1970. (These times were possible when running in a
|
|
simulated network environment where time()'s output starts at
|
|
zero.) Fixes bug 16980; bugfix on 0.2.7.1-alpha.
|
|
- Restore correct operation of TLS client-cipher detection on
|
|
OpenSSL 1.1. Fixes bug 14047; bugfix on 0.2.7.2-alpha.
|
|
|
|
o Minor bugfixes (relay):
|
|
- Ensure that worker threads actually exit when a fatal error or
|
|
shutdown is indicated. This fix doesn't currently affect the
|
|
behavior of Tor, because Tor workers never indicates fatal error
|
|
or shutdown except in the unit tests. Fixes bug 16868; bugfix
|
|
on 0.2.6.3-alpha.
|
|
- Unblock threads before releasing the work queue mutex to ensure
|
|
predictable scheduling behavior. Fixes bug 16644; bugfix
|
|
on 0.2.6.3-alpha.
|
|
|
|
o Code simplification and refactoring:
|
|
- Change the function that's called when we need to retry all
|
|
downloads so that it only reschedules the downloads to happen
|
|
immediately, rather than launching them all at once itself. This
|
|
further simplifies Tor's callgraph.
|
|
- Move some format-parsing functions out of crypto.c and
|
|
crypto_curve25519.c into crypto_format.c and/or util_format.c.
|
|
- Move the client-only parts of init_keys() into a separate
|
|
function. Closes ticket 16763.
|
|
- Simplify the microdesc_free() implementation so that it no longer
|
|
appears (to code analysis tools) to potentially invoke a huge
|
|
suite of other microdesc functions.
|
|
- Simply the control graph further by deferring the inner body of
|
|
directory_all_unreachable() into a callback. Closes ticket 16762.
|
|
- Treat the loss of an owning controller as equivalent to a SIGTERM
|
|
signal. This removes a tiny amount of duplicated code, and
|
|
simplifies our callgraph. Closes ticket 16788.
|
|
- When generating an event to send to the controller, we no longer
|
|
put the event over the network immediately. Instead, we queue
|
|
these events, and use a Libevent callback to deliver them. This
|
|
change simplifies Tor's callgraph by reducing the number of
|
|
functions from which all other Tor functions are reachable. Closes
|
|
ticket 16695.
|
|
- Wrap Windows-only C files inside '#ifdef _WIN32' so that tools
|
|
that try to scan or compile every file on Unix won't decide that
|
|
they are broken.
|
|
- Remove the unused "nulterminate" argument from buf_pullup().
|
|
|
|
o Documentation:
|
|
- Recommend a 40 GB example AccountingMax in torrc.sample rather
|
|
than a 4 GB max. Closes ticket 16742.
|
|
- Include the TUNING document in our source tarball. It is referred
|
|
to in the ChangeLog and an error message. Fixes bug 16929; bugfix
|
|
on 0.2.6.1-alpha.
|
|
|
|
o Removed code:
|
|
- The internal pure-C tor-fw-helper tool is now removed from the Tor
|
|
distribution, in favor of the pure-Go clone available from
|
|
https://gitweb.torproject.org/tor-fw-helper.git/ . The libraries
|
|
used by the C tor-fw-helper are not, in our opinion, very
|
|
confidence- inspiring in their secure-programming techniques.
|
|
Closes ticket 13338.
|
|
- Remove the code that would try to aggressively flush controller
|
|
connections while writing to them. This code was introduced in
|
|
0.1.2.7-alpha, in order to keep output buffers from exceeding
|
|
their limits. But there is no longer a maximum output buffer size,
|
|
and flushing data in this way caused some undesirable recursions
|
|
in our call graph. Closes ticket 16480.
|
|
|
|
o Testing:
|
|
- Make "bridges+hs" the default test network. This tests almost all
|
|
tor functionality during make test-network, while allowing tests
|
|
to succeed on non-IPv6 systems. Requires chutney commit 396da92 in
|
|
test-network-bridges-hs. Closes tickets 16945 (tor) and 16946
|
|
(chutney). Patches by "teor".
|
|
- Autodetect CHUTNEY_PATH if the chutney and Tor sources are side-
|
|
by-side in the same parent directory. Closes ticket 16903. Patch
|
|
by "teor".
|
|
- Use environment variables rather than autoconf substitutions to
|
|
send variables from the build system to the test scripts. This
|
|
change should be easier to maintain, and cause 'make distcheck' to
|
|
work better than before. Fixes bug 17148.
|
|
- Add a new set of callgraph analysis scripts that use clang to
|
|
produce a list of which Tor functions are reachable from which
|
|
other Tor functions. We're planning to use these to help simplify
|
|
our code structure by identifying illogical dependencies.
|
|
- Add new 'test-full' and 'test-full-online' targets to run all
|
|
tests, including integration tests with stem and chutney.
|
|
- Make the test-workqueue test work on Windows by initializing the
|
|
network before we begin.
|
|
- New make target (make test-network-all) to run multiple applicable
|
|
chutney test cases. Patch from Teor; closes 16953.
|
|
- Unit test dns_resolve(), dns_clip_ttl() and dns_get_expiry_ttl()
|
|
functions in dns.c. Implements a portion of ticket 16831.
|
|
- When building Tor with testing coverage enabled, run Chutney tests
|
|
(if any) using the 'tor-cov' coverage binary.
|
|
- When running test-network or test-stem, check for the absence of
|
|
stem/chutney before doing any build operations.
|
|
|
|
|
|
Changes in version 0.2.7.2-alpha - 2015-07-27
|
|
This, the second alpha in the Tor 0.2.7 series, has a number of new
|
|
features, including a way to manually pick the number of introduction
|
|
points for hidden services, and the much stronger Ed25519 signing key
|
|
algorithm for regular Tor relays (including support for encrypted
|
|
offline identity keys in the new algorithm).
|
|
|
|
Support for Ed25519 on relays is currently limited to signing router
|
|
descriptors; later alphas in this series will extend Ed25519 key
|
|
support to more parts of the Tor protocol.
|
|
|
|
o Major features (Ed25519 identity keys, Proposal 220):
|
|
- All relays now maintain a stronger identity key, using the Ed25519
|
|
elliptic curve signature format. This master key is designed so
|
|
that it can be kept offline. Relays also generate an online
|
|
signing key, and a set of other Ed25519 keys and certificates.
|
|
These are all automatically regenerated and rotated as needed.
|
|
Implements part of ticket 12498.
|
|
- Directory authorities now vote on Ed25519 identity keys along with
|
|
RSA1024 keys. Implements part of ticket 12498.
|
|
- Directory authorities track which Ed25519 identity keys have been
|
|
used with which RSA1024 identity keys, and do not allow them to
|
|
vary freely. Implements part of ticket 12498.
|
|
- Microdescriptors now include Ed25519 identity keys. Implements
|
|
part of ticket 12498.
|
|
- Add support for offline encrypted Ed25519 master keys. To use this
|
|
feature on your tor relay, run "tor --keygen" to make a new master
|
|
key (or to make a new signing key if you already have a master
|
|
key). Closes ticket 13642.
|
|
|
|
o Major features (Hidden services):
|
|
- Add the torrc option HiddenServiceNumIntroductionPoints, to
|
|
specify a fixed number of introduction points. Its maximum value
|
|
is 10 and default is 3. Using this option can increase a hidden
|
|
service's reliability under load, at the cost of making it more
|
|
visible that the hidden service is facing extra load. Closes
|
|
ticket 4862.
|
|
- Remove the adaptive algorithm for choosing the number of
|
|
introduction points, which used to change the number of
|
|
introduction points (poorly) depending on the number of
|
|
connections the HS sees. Closes ticket 4862.
|
|
|
|
o Major features (onion key cross-certification):
|
|
- Relay descriptors now include signatures of their own identity
|
|
keys, made using the TAP and ntor onion keys. These signatures
|
|
allow relays to prove ownership of their own onion keys. Because
|
|
of this change, microdescriptors will no longer need to include
|
|
RSA identity keys. Implements proposal 228; closes ticket 12499.
|
|
|
|
o Major features (performance):
|
|
- Improve the runtime speed of Ed25519 operations by using the
|
|
public-domain Ed25519-donna by Andrew M. ("floodyberry").
|
|
Implements ticket 16467.
|
|
- Improve the runtime speed of the ntor handshake by using an
|
|
optimized curve25519 basepoint scalarmult implementation from the
|
|
public-domain Ed25519-donna by Andrew M. ("floodyberry"), based on
|
|
ideas by Adam Langley. Implements ticket 9663.
|
|
|
|
o Major bugfixes (client-side privacy, also in 0.2.6.9):
|
|
- Properly separate out each SOCKSPort when applying stream
|
|
isolation. The error occurred because each port's session group
|
|
was being overwritten by a default value when the listener
|
|
connection was initialized. Fixes bug 16247; bugfix on
|
|
0.2.6.3-alpha. Patch by "jojelino".
|
|
|
|
o Major bugfixes (hidden service clients, stability, also in 0.2.6.10):
|
|
- Stop refusing to store updated hidden service descriptors on a
|
|
client. This reverts commit 9407040c59218 (which indeed fixed bug
|
|
14219, but introduced a major hidden service reachability
|
|
regression detailed in bug 16381). This is a temporary fix since
|
|
we can live with the minor issue in bug 14219 (it just results in
|
|
some load on the network) but the regression of 16381 is too much
|
|
of a setback. First-round fix for bug 16381; bugfix
|
|
on 0.2.6.3-alpha.
|
|
|
|
o Major bugfixes (hidden services):
|
|
- When cannibalizing a circuit for an introduction point, always
|
|
extend to the chosen exit node (creating a 4 hop circuit).
|
|
Previously Tor would use the current circuit exit node, which
|
|
changed the original choice of introduction point, and could cause
|
|
the hidden service to skip excluded introduction points or
|
|
reconnect to a skipped introduction point. Fixes bug 16260; bugfix
|
|
on 0.1.0.1-rc.
|
|
|
|
o Major bugfixes (open file limit):
|
|
- The open file limit wasn't checked before calling
|
|
tor_accept_socket_nonblocking(), which would make Tor exceed the
|
|
limit. Now, before opening a new socket, Tor validates the open
|
|
file limit just before, and if the max has been reached, return an
|
|
error. Fixes bug 16288; bugfix on 0.1.1.1-alpha.
|
|
|
|
o Major bugfixes (stability, also in 0.2.6.10):
|
|
- Stop crashing with an assertion failure when parsing certain kinds
|
|
of malformed or truncated microdescriptors. Fixes bug 16400;
|
|
bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch
|
|
by "cypherpunks_backup".
|
|
- Stop random client-side assertion failures that could occur when
|
|
connecting to a busy hidden service, or connecting to a hidden
|
|
service while a NEWNYM is in progress. Fixes bug 16013; bugfix
|
|
on 0.1.0.1-rc.
|
|
|
|
o Minor features (directory authorities, security, also in 0.2.6.9):
|
|
- The HSDir flag given by authorities now requires the Stable flag.
|
|
For the current network, this results in going from 2887 to 2806
|
|
HSDirs. Also, it makes it harder for an attacker to launch a sybil
|
|
attack by raising the effort for a relay to become Stable to
|
|
require at the very least 7 days, while maintaining the 96 hours
|
|
uptime requirement for HSDir. Implements ticket 8243.
|
|
|
|
o Minor features (client):
|
|
- Relax the validation of hostnames in SOCKS5 requests, allowing the
|
|
character '_' to appear, in order to cope with domains observed in
|
|
the wild that are serving non-RFC compliant records. Resolves
|
|
ticket 16430.
|
|
- Relax the validation done to hostnames in SOCKS5 requests, and
|
|
allow a single trailing '.' to cope with clients that pass FQDNs
|
|
using that syntax to explicitly indicate that the domain name is
|
|
fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
|
|
- Add GroupWritable and WorldWritable options to unix-socket based
|
|
SocksPort and ControlPort options. These options apply to a single
|
|
socket, and override {Control,Socks}SocketsGroupWritable. Closes
|
|
ticket 15220.
|
|
|
|
o Minor features (control protocol):
|
|
- Support network-liveness GETINFO key and NETWORK_LIVENESS event in
|
|
the control protocol. Resolves ticket 15358.
|
|
|
|
o Minor features (directory authorities):
|
|
- Directory authorities no longer vote against the "Fast", "Stable",
|
|
and "HSDir" flags just because they were going to vote against
|
|
"Running": if the consensus turns out to be that the router was
|
|
running, then the authority's vote should count. Patch from Peter
|
|
Retzlaff; closes issue 8712.
|
|
|
|
o Minor features (geoip, also in 0.2.6.10):
|
|
- Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
|
|
- Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
|
|
|
|
o Minor features (hidden services):
|
|
- Add the new options "HiddenServiceMaxStreams" and
|
|
"HiddenServiceMaxStreamsCloseCircuit" to allow hidden services to
|
|
limit the maximum number of simultaneous streams per circuit, and
|
|
optionally tear down the circuit when the limit is exceeded. Part
|
|
of ticket 16052.
|
|
|
|
o Minor features (portability):
|
|
- Use C99 variadic macros when the compiler is not GCC. This avoids
|
|
failing compilations on MSVC, and fixes a log-file-based race
|
|
condition in our old workarounds. Original patch from Gisle Vanem.
|
|
|
|
o Minor bugfixes (compilation, also in 0.2.6.9):
|
|
- Build with --enable-systemd correctly when libsystemd is
|
|
installed, but systemd is not. Fixes bug 16164; bugfix on
|
|
0.2.6.3-alpha. Patch from Peter Palfrader.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Add the descriptor ID in each HS_DESC control event. It was
|
|
missing, but specified in control-spec.txt. Fixes bug 15881;
|
|
bugfix on 0.2.5.2-alpha.
|
|
|
|
o Minor bugfixes (crypto error-handling, also in 0.2.6.10):
|
|
- Check for failures from crypto_early_init, and refuse to continue.
|
|
A previous typo meant that we could keep going with an
|
|
uninitialized crypto library, and would have OpenSSL initialize
|
|
its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
|
|
when implementing ticket 4900. Patch by "teor".
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Fix a crash when reloading configuration while at least one
|
|
configured and one ephemeral hidden service exists. Fixes bug
|
|
16060; bugfix on 0.2.7.1-alpha.
|
|
- Avoid crashing with a double-free bug when we create an ephemeral
|
|
hidden service but adding it fails for some reason. Fixes bug
|
|
16228; bugfix on 0.2.7.1-alpha.
|
|
|
|
o Minor bugfixes (Linux seccomp2 sandbox):
|
|
- Use the sandbox in tor_open_cloexec whether or not O_CLOEXEC is
|
|
defined. Patch by "teor". Fixes bug 16515; bugfix on 0.2.3.1-alpha.
|
|
|
|
o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.10):
|
|
- Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
|
|
these when eventfd2() support is missing. Fixes bug 16363; bugfix
|
|
on 0.2.6.3-alpha. Patch from "teor".
|
|
|
|
o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.9):
|
|
- Fix sandboxing to work when running as a relay, by allowing the
|
|
renaming of secret_id_key, and allowing the eventfd2 and futex
|
|
syscalls. Fixes bug 16244; bugfix on 0.2.6.1-alpha. Patch by
|
|
Peter Palfrader.
|
|
- Allow systemd connections to work with the Linux seccomp2 sandbox
|
|
code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
|
|
Peter Palfrader.
|
|
|
|
o Minor bugfixes (relay):
|
|
- Fix a rarely-encountered memory leak when failing to initialize
|
|
the thread pool. Fixes bug 16631; bugfix on 0.2.6.3-alpha. Patch
|
|
from "cypherpunks".
|
|
|
|
o Minor bugfixes (systemd):
|
|
- Fix an accidental formatting error that broke the systemd
|
|
configuration file. Fixes bug 16152; bugfix on 0.2.7.1-alpha.
|
|
- Tor's systemd unit file no longer contains extraneous spaces.
|
|
These spaces would sometimes confuse tools like deb-systemd-
|
|
helper. Fixes bug 16162; bugfix on 0.2.5.5-alpha.
|
|
|
|
o Minor bugfixes (tests):
|
|
- Use the configured Python executable when running test-stem-full.
|
|
Fixes bug 16470; bugfix on 0.2.7.1-alpha.
|
|
|
|
o Minor bugfixes (tests, also in 0.2.6.9):
|
|
- Fix a crash in the unit tests when built with MSVC2013. Fixes bug
|
|
16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
|
|
|
|
o Minor bugfixes (threads, comments):
|
|
- Always initialize return value in compute_desc_id in rendcommon.c
|
|
Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
|
|
- Check for NULL values in getinfo_helper_onions(). Patch by "teor".
|
|
Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
|
|
- Remove undefined directive-in-macro in test_util_writepid clang
|
|
3.7 complains that using a preprocessor directive inside a macro
|
|
invocation in test_util_writepid in test_util.c is undefined.
|
|
Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
|
|
|
|
o Code simplification and refactoring:
|
|
- Define WINVER and _WIN32_WINNT centrally, in orconfig.h, in order
|
|
to ensure they remain consistent and visible everywhere.
|
|
- Remove some vestigial workarounds for the MSVC6 compiler. We
|
|
haven't supported that in ages.
|
|
- The link authentication code has been refactored for better
|
|
testability and reliability. It now uses code generated with the
|
|
"trunnel" binary encoding generator, to reduce the risk of bugs
|
|
due to programmer error. Done as part of ticket 12498.
|
|
|
|
o Documentation:
|
|
- Include a specific and (hopefully) accurate documentation of the
|
|
torrc file's meta-format in doc/torrc_format.txt. This is mainly
|
|
of interest to people writing programs to parse or generate torrc
|
|
files. This document is not a commitment to long-term
|
|
compatibility; some aspects of the current format are a bit
|
|
ridiculous. Closes ticket 2325.
|
|
|
|
o Removed features:
|
|
- Tor no longer supports copies of OpenSSL that are missing support
|
|
for Elliptic Curve Cryptography. (We began using ECC when
|
|
available in 0.2.4.8-alpha, for more safe and efficient key
|
|
negotiation.) In particular, support for at least one of P256 or
|
|
P224 is now required, with manual configuration needed if only
|
|
P224 is available. Resolves ticket 16140.
|
|
- Tor no longer supports versions of OpenSSL before 1.0. (If you are
|
|
on an operating system that has not upgraded to OpenSSL 1.0 or
|
|
later, and you compile Tor from source, you will need to install a
|
|
more recent OpenSSL to link Tor against.) These versions of
|
|
OpenSSL are still supported by the OpenSSL, but the numerous
|
|
cryptographic improvements in later OpenSSL releases makes them a
|
|
clear choice. Resolves ticket 16034.
|
|
- Remove the HidServDirectoryV2 option. Now all relays offer to
|
|
store hidden service descriptors. Related to 16543.
|
|
- Remove the VoteOnHidServDirectoriesV2 option, since all
|
|
authorities have long set it to 1. Closes ticket 16543.
|
|
|
|
o Testing:
|
|
- Document use of coverity, clang static analyzer, and clang dynamic
|
|
undefined behavior and address sanitizers in doc/HACKING. Include
|
|
detailed usage instructions in the blacklist. Patch by "teor".
|
|
Closes ticket 15817.
|
|
- The link authentication protocol code now has extensive tests.
|
|
- The relay descriptor signature testing code now has
|
|
extensive tests.
|
|
- The test_workqueue program now runs faster, and is enabled by
|
|
default as a part of "make check".
|
|
- Now that OpenSSL has its own scrypt implementation, add an unit
|
|
test that checks for interoperability between libscrypt_scrypt()
|
|
and OpenSSL's EVP_PBE_scrypt() so that we could not use libscrypt
|
|
and rely on EVP_PBE_scrypt() whenever possible. Resolves
|
|
ticket 16189.
|
|
|
|
|
|
Changes in version 0.2.6.10 - 2015-07-12
|
|
Tor version 0.2.6.10 fixes some significant stability and hidden
|
|
service client bugs, bulletproofs the cryptography init process, and
|
|
fixes a bug when using the sandbox code with some older versions of
|
|
Linux. Everyone running an older version, especially an older version
|
|
of 0.2.6, should upgrade.
|
|
|
|
o Major bugfixes (hidden service clients, stability):
|
|
- Stop refusing to store updated hidden service descriptors on a
|
|
client. This reverts commit 9407040c59218 (which indeed fixed bug
|
|
14219, but introduced a major hidden service reachability
|
|
regression detailed in bug 16381). This is a temporary fix since
|
|
we can live with the minor issue in bug 14219 (it just results in
|
|
some load on the network) but the regression of 16381 is too much
|
|
of a setback. First-round fix for bug 16381; bugfix
|
|
on 0.2.6.3-alpha.
|
|
|
|
o Major bugfixes (stability):
|
|
- Stop crashing with an assertion failure when parsing certain kinds
|
|
of malformed or truncated microdescriptors. Fixes bug 16400;
|
|
bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch
|
|
by "cypherpunks_backup".
|
|
- Stop random client-side assertion failures that could occur when
|
|
connecting to a busy hidden service, or connecting to a hidden
|
|
service while a NEWNYM is in progress. Fixes bug 16013; bugfix
|
|
on 0.1.0.1-rc.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
|
|
- Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
|
|
|
|
o Minor bugfixes (crypto error-handling):
|
|
- Check for failures from crypto_early_init, and refuse to continue.
|
|
A previous typo meant that we could keep going with an
|
|
uninitialized crypto library, and would have OpenSSL initialize
|
|
its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
|
|
when implementing ticket 4900. Patch by "teor".
|
|
|
|
o Minor bugfixes (Linux seccomp2 sandbox):
|
|
- Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
|
|
these when eventfd2() support is missing. Fixes bug 16363; bugfix
|
|
on 0.2.6.3-alpha. Patch from "teor".
|
|
|
|
|
|
Changes in version 0.2.6.9 - 2015-06-11
|
|
Tor 0.2.6.9 fixes a regression in the circuit isolation code, increases the
|
|
requirements for receiving an HSDir flag, and addresses some other small
|
|
bugs in the systemd and sandbox code. Clients using circuit isolation
|
|
should upgrade; all directory authorities should upgrade.
|
|
|
|
o Major bugfixes (client-side privacy):
|
|
- Properly separate out each SOCKSPort when applying stream
|
|
isolation. The error occurred because each port's session group was
|
|
being overwritten by a default value when the listener connection
|
|
was initialized. Fixes bug 16247; bugfix on 0.2.6.3-alpha. Patch
|
|
by "jojelino".
|
|
|
|
o Minor feature (directory authorities, security):
|
|
- The HSDir flag given by authorities now requires the Stable flag.
|
|
For the current network, this results in going from 2887 to 2806
|
|
HSDirs. Also, it makes it harder for an attacker to launch a sybil
|
|
attack by raising the effort for a relay to become Stable which
|
|
takes at the very least 7 days to do so and by keeping the 96
|
|
hours uptime requirement for HSDir. Implements ticket 8243.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Build with --enable-systemd correctly when libsystemd is
|
|
installed, but systemd is not. Fixes bug 16164; bugfix on
|
|
0.2.6.3-alpha. Patch from Peter Palfrader.
|
|
|
|
o Minor bugfixes (Linux seccomp2 sandbox):
|
|
- Fix sandboxing to work when running as a relaymby renaming of
|
|
secret_id_key, and allowing the eventfd2 and futex syscalls. Fixes
|
|
bug 16244; bugfix on 0.2.6.1-alpha. Patch by Peter Palfrader.
|
|
- Allow systemd connections to work with the Linux seccomp2 sandbox
|
|
code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
|
|
Peter Palfrader.
|
|
|
|
o Minor bugfixes (tests):
|
|
- Fix a crash in the unit tests when built with MSVC2013. Fixes bug
|
|
16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
|
|
|
|
|
|
Changes in version 0.2.6.8 - 2015-05-21
|
|
Tor 0.2.6.8 fixes a bit of dodgy code in parsing INTRODUCE2 cells, and
|
|
fixes an authority-side bug in assigning the HSDir flag. All directory
|
|
authorities should upgrade.
|
|
|
|
o Major bugfixes (hidden services, backport from 0.2.7.1-alpha):
|
|
- Revert commit that made directory authorities assign the HSDir
|
|
flag to relays without a DirPort; this was bad because such relays
|
|
can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
|
|
on 0.2.6.3-alpha.
|
|
|
|
o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
|
|
- Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
|
|
a client authorized hidden service. Fixes bug 15823; bugfix
|
|
on 0.2.1.6-alpha.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip to the April 8 2015 Maxmind GeoLite2 Country database.
|
|
- Update geoip6 to the April 8 2015 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
|
|
Changes in version 0.2.7.1-alpha - 2015-05-12
|
|
Tor 0.2.7.1-alpha is the first alpha release in its series. It
|
|
includes numerous small features and bugfixes against previous Tor
|
|
versions, and numerous small infrastructure improvements. The most
|
|
notable features are several new ways for controllers to interact with
|
|
the hidden services subsystem.
|
|
|
|
o New system requirements:
|
|
- Tor no longer includes workarounds to support Libevent versions
|
|
before 1.3e. Libevent 2.0 or later is recommended. Closes
|
|
ticket 15248.
|
|
|
|
o Major features (controller):
|
|
- Add the ADD_ONION and DEL_ONION commands that allow the creation
|
|
and management of hidden services via the controller. Closes
|
|
ticket 6411.
|
|
- New "GETINFO onions/current" and "GETINFO onions/detached"
|
|
commands to get information about hidden services created via the
|
|
controller. Part of ticket 6411.
|
|
- New HSFETCH command to launch a request for a hidden service
|
|
descriptor. Closes ticket 14847.
|
|
- New HSPOST command to upload a hidden service descriptor. Closes
|
|
ticket 3523. Patch by "DonnchaC".
|
|
|
|
o Major bugfixes (hidden services):
|
|
- Revert commit that made directory authorities assign the HSDir
|
|
flag to relays without a DirPort; this was bad because such relays
|
|
can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
|
|
on 0.2.6.3-alpha.
|
|
|
|
o Minor features (clock-jump tolerance):
|
|
- Recover better when our clock jumps back many hours, like might
|
|
happen for Tails or Whonix users who start with a very wrong
|
|
hardware clock, use Tor to discover a more accurate time, and then
|
|
fix their clock. Resolves part of ticket 8766.
|
|
|
|
o Minor features (command-line interface):
|
|
- Make --hash-password imply --hush to prevent unnecessary noise.
|
|
Closes ticket 15542. Patch from "cypherpunks".
|
|
- Print a warning whenever we find a relative file path being used
|
|
as torrc option. Resolves issue 14018.
|
|
|
|
o Minor features (controller):
|
|
- Add DirAuthority lines for default directory authorities to the
|
|
output of the "GETINFO config/defaults" command if not already
|
|
present. Implements ticket 14840.
|
|
- Controllers can now use "GETINFO hs/client/desc/id/..." to
|
|
retrieve items from the client's hidden service descriptor cache.
|
|
Closes ticket 14845.
|
|
- Implement a new controller command "GETINFO status/fresh-relay-
|
|
descs" to fetch a descriptor/extrainfo pair that was generated on
|
|
demand just for the controller's use. Implements ticket 14784.
|
|
|
|
o Minor features (DoS-resistance):
|
|
- Make it harder for attackers to overload hidden services with
|
|
introductions, by blocking multiple introduction requests on the
|
|
same circuit. Resolves ticket 15515.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip to the April 8 2015 Maxmind GeoLite2 Country database.
|
|
- Update geoip6 to the April 8 2015 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (HS popularity countermeasure):
|
|
- To avoid leaking HS popularity, don't cycle the introduction point
|
|
when we've handled a fixed number of INTRODUCE2 cells but instead
|
|
cycle it when a random number of introductions is reached, thus
|
|
making it more difficult for an attacker to find out the amount of
|
|
clients that have used the introduction point for a specific HS.
|
|
Closes ticket 15745.
|
|
|
|
o Minor features (logging):
|
|
- Include the Tor version in all LD_BUG log messages, since people
|
|
tend to cut and paste those into the bugtracker. Implements
|
|
ticket 15026.
|
|
|
|
o Minor features (pluggable transports):
|
|
- When launching managed pluggable transports on Linux systems,
|
|
attempt to have the kernel deliver a SIGTERM on tor exit if the
|
|
pluggable transport process is still running. Resolves
|
|
ticket 15471.
|
|
- When launching managed pluggable transports, setup a valid open
|
|
stdin in the child process that can be used to detect if tor has
|
|
terminated. The "TOR_PT_EXIT_ON_STDIN_CLOSE" environment variable
|
|
can be used by implementations to detect this new behavior.
|
|
Resolves ticket 15435.
|
|
|
|
o Minor features (testing):
|
|
- Add a test to verify that the compiler does not eliminate our
|
|
memwipe() implementation. Closes ticket 15377.
|
|
- Add make rule `check-changes` to verify the format of changes
|
|
files. Closes ticket 15180.
|
|
- Add unit tests for control_event_is_interesting(). Add a compile-
|
|
time check that the number of events doesn't exceed the capacity
|
|
of control_event_t.event_mask. Closes ticket 15431, checks for
|
|
bugs similar to 13085. Patch by "teor".
|
|
- Command-line argument tests moved to Stem. Resolves ticket 14806.
|
|
- Integrate the ntor, backtrace, and zero-length keys tests into the
|
|
automake test suite. Closes ticket 15344.
|
|
- Remove assertions during builds to determine Tor's test coverage.
|
|
We don't want to trigger these even in assertions, so including
|
|
them artificially makes our branch coverage look worse than it is.
|
|
This patch provides the new test-stem-full and coverage-html-full
|
|
configure options. Implements ticket 15400.
|
|
|
|
o Minor bugfixes (build):
|
|
- Improve out-of-tree builds by making non-standard rules work and
|
|
clean up additional files and directories. Fixes bug 15053; bugfix
|
|
on 0.2.7.0-alpha.
|
|
|
|
o Minor bugfixes (command-line interface):
|
|
- When "--quiet" is provided along with "--validate-config", do not
|
|
write anything to stdout on success. Fixes bug 14994; bugfix
|
|
on 0.2.3.3-alpha.
|
|
- When complaining about bad arguments to "--dump-config", use
|
|
stderr, not stdout.
|
|
|
|
o Minor bugfixes (configuration, unit tests):
|
|
- Only add the default fallback directories when the DirAuthorities,
|
|
AlternateDirAuthority, and FallbackDir directory config options
|
|
are set to their defaults. The default fallback directory list is
|
|
currently empty, this fix will only change tor's behavior when it
|
|
has default fallback directories. Includes unit tests for
|
|
consider_adding_dir_servers(). Fixes bug 15642; bugfix on
|
|
90f6071d8dc0 in 0.2.4.7-alpha. Patch by "teor".
|
|
|
|
o Minor bugfixes (correctness):
|
|
- For correctness, avoid modifying a constant string in
|
|
handle_control_postdescriptor. Fixes bug 15546; bugfix
|
|
on 0.1.1.16-rc.
|
|
- Remove side-effects from tor_assert() calls. This was harmless,
|
|
because we never disable assertions, but it is bad style and
|
|
unnecessary. Fixes bug 15211; bugfix on 0.2.5.5, 0.2.2.36,
|
|
and 0.2.0.10.
|
|
|
|
o Minor bugfixes (hidden service):
|
|
- Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
|
|
a client authorized hidden service. Fixes bug 15823; bugfix
|
|
on 0.2.1.6-alpha.
|
|
- Remove an extraneous newline character from the end of hidden
|
|
service descriptors. Fixes bug 15296; bugfix on 0.2.0.10-alpha.
|
|
|
|
o Minor bugfixes (interface):
|
|
- Print usage information for --dump-config when it is used without
|
|
an argument. Also, fix the error message to use different wording
|
|
and add newline at the end. Fixes bug 15541; bugfix
|
|
on 0.2.5.1-alpha.
|
|
|
|
o Minor bugfixes (logs):
|
|
- When building Tor under Clang, do not include an extra set of
|
|
parentheses in log messages that include function names. Fixes bug
|
|
15269; bugfix on every released version of Tor when compiled with
|
|
recent enough Clang.
|
|
|
|
o Minor bugfixes (network):
|
|
- When attempting to use fallback technique for network interface
|
|
lookup, disregard loopback and multicast addresses since they are
|
|
unsuitable for public communications.
|
|
|
|
o Minor bugfixes (statistics):
|
|
- Disregard the ConnDirectionStatistics torrc options when Tor is
|
|
not a relay since in that mode of operation no sensible data is
|
|
being collected and because Tor might run into measurement hiccups
|
|
when running as a client for some time, then becoming a relay.
|
|
Fixes bug 15604; bugfix on 0.2.2.35.
|
|
|
|
o Minor bugfixes (test networks):
|
|
- When self-testing reachability, use ExtendAllowPrivateAddresses to
|
|
determine if local/private addresses imply reachability. The
|
|
previous fix used TestingTorNetwork, which implies
|
|
ExtendAllowPrivateAddresses, but this excluded rare configurations
|
|
where ExtendAllowPrivateAddresses is set but TestingTorNetwork is
|
|
not. Fixes bug 15771; bugfix on 0.2.6.1-alpha. Patch by "teor",
|
|
issue discovered by CJ Ess.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Check for matching value in server response in ntor_ref.py. Fixes
|
|
bug 15591; bugfix on 0.2.4.8-alpha. Reported and fixed
|
|
by "joelanders".
|
|
- Set the severity correctly when testing
|
|
get_interface_addresses_ifaddrs() and
|
|
get_interface_addresses_win32(), so that the tests fail gracefully
|
|
instead of triggering an assertion. Fixes bug 15759; bugfix on
|
|
0.2.6.3-alpha. Reported by Nicolas Derive.
|
|
|
|
o Code simplification and refactoring:
|
|
- Move the hacky fallback code out of get_interface_address6() into
|
|
separate function and get it covered with unit-tests. Resolves
|
|
ticket 14710.
|
|
- Refactor hidden service client-side cache lookup to intelligently
|
|
report its various failure cases, and disentangle failure cases
|
|
involving a lack of introduction points. Closes ticket 14391.
|
|
- Use our own Base64 encoder instead of OpenSSL's, to allow more
|
|
control over the output. Part of ticket 15652.
|
|
|
|
o Documentation:
|
|
- Improve the descriptions of statistics-related torrc options in
|
|
the manpage to describe rationale and possible uses cases. Fixes
|
|
issue 15550.
|
|
- Improve the layout and formatting of ./configure --help messages.
|
|
Closes ticket 15024. Patch from "cypherpunks".
|
|
- Standardize on the term "server descriptor" in the manual page.
|
|
Previously, we had used "router descriptor", "server descriptor",
|
|
and "relay descriptor" interchangeably. Part of ticket 14987.
|
|
|
|
o Removed code:
|
|
- Remove `USE_OPENSSL_BASE64` and the corresponding fallback code
|
|
and always use the internal Base64 decoder. The internal decoder
|
|
has been part of tor since 0.2.0.10-alpha, and no one should
|
|
be using the OpenSSL one. Part of ticket 15652.
|
|
- Remove the 'tor_strclear()' function; use memwipe() instead.
|
|
Closes ticket 14922.
|
|
|
|
o Removed features:
|
|
- Remove the (seldom-used) DynamicDHGroups feature. For anti-
|
|
fingerprinting we now recommend pluggable transports; for forward-
|
|
secrecy in TLS, we now use the P-256 group. Closes ticket 13736.
|
|
- Remove the undocumented "--digests" command-line option. It
|
|
complicated our build process, caused subtle build issues on
|
|
multiple platforms, and is now redundant since we started
|
|
including git version identifiers. Closes ticket 14742.
|
|
- Tor no longer contains checks for ancient directory cache versions
|
|
that didn't know about microdescriptors.
|
|
- Tor no longer contains workarounds for stat files generated by
|
|
super-old versions of Tor that didn't choose guards sensibly.
|
|
|
|
|
|
Changes in version 0.2.4.27 - 2015-04-06
|
|
Tor 0.2.4.27 backports two fixes from 0.2.6.7 for security issues that
|
|
could be used by an attacker to crash hidden services, or crash clients
|
|
visiting hidden services. Hidden services should upgrade as soon as
|
|
possible; clients should upgrade whenever packages become available.
|
|
|
|
This release also backports a simple improvement to make hidden
|
|
services a bit less vulnerable to denial-of-service attacks.
|
|
|
|
o Major bugfixes (security, hidden service):
|
|
- Fix an issue that would allow a malicious client to trigger an
|
|
assertion failure and halt a hidden service. Fixes bug 15600;
|
|
bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
|
|
- Fix a bug that could cause a client to crash with an assertion
|
|
failure when parsing a malformed hidden service descriptor. Fixes
|
|
bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
|
|
|
|
o Minor features (DoS-resistance, hidden service):
|
|
- Introduction points no longer allow multiple INTRODUCE1 cells to
|
|
arrive on the same circuit. This should make it more expensive for
|
|
attackers to overwhelm hidden services with introductions.
|
|
Resolves ticket 15515.
|
|
|
|
|
|
Changes in version 0.2.5.12 - 2015-04-06
|
|
Tor 0.2.5.12 backports two fixes from 0.2.6.7 for security issues that
|
|
could be used by an attacker to crash hidden services, or crash clients
|
|
visiting hidden services. Hidden services should upgrade as soon as
|
|
possible; clients should upgrade whenever packages become available.
|
|
|
|
This release also backports a simple improvement to make hidden
|
|
services a bit less vulnerable to denial-of-service attacks.
|
|
|
|
o Major bugfixes (security, hidden service):
|
|
- Fix an issue that would allow a malicious client to trigger an
|
|
assertion failure and halt a hidden service. Fixes bug 15600;
|
|
bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
|
|
- Fix a bug that could cause a client to crash with an assertion
|
|
failure when parsing a malformed hidden service descriptor. Fixes
|
|
bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
|
|
|
|
o Minor features (DoS-resistance, hidden service):
|
|
- Introduction points no longer allow multiple INTRODUCE1 cells to
|
|
arrive on the same circuit. This should make it more expensive for
|
|
attackers to overwhelm hidden services with introductions.
|
|
Resolves ticket 15515.
|
|
|
|
|
|
Changes in version 0.2.6.7 - 2015-04-06
|
|
Tor 0.2.6.7 fixes two security issues that could be used by an
|
|
attacker to crash hidden services, or crash clients visiting hidden
|
|
services. Hidden services should upgrade as soon as possible; clients
|
|
should upgrade whenever packages become available.
|
|
|
|
This release also contains two simple improvements to make hidden
|
|
services a bit less vulnerable to denial-of-service attacks.
|
|
|
|
o Major bugfixes (security, hidden service):
|
|
- Fix an issue that would allow a malicious client to trigger an
|
|
assertion failure and halt a hidden service. Fixes bug 15600;
|
|
bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
|
|
- Fix a bug that could cause a client to crash with an assertion
|
|
failure when parsing a malformed hidden service descriptor. Fixes
|
|
bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
|
|
|
|
o Minor features (DoS-resistance, hidden service):
|
|
- Introduction points no longer allow multiple INTRODUCE1 cells to
|
|
arrive on the same circuit. This should make it more expensive for
|
|
attackers to overwhelm hidden services with introductions.
|
|
Resolves ticket 15515.
|
|
- Decrease the amount of reattempts that a hidden service performs
|
|
when its rendezvous circuits fail. This reduces the computational
|
|
cost for running a hidden service under heavy load. Resolves
|
|
ticket 11447.
|
|
|
|
|
|
Changes in version 0.2.6.6 - 2015-03-24
|
|
Tor 0.2.6.6 is the first stable release in the 0.2.6 series.
|
|
|
|
It adds numerous safety, security, correctness, and performance
|
|
improvements. Client programs can be configured to use more kinds of
|
|
sockets, AutomapHosts works better, the multithreading backend is
|
|
improved, cell transmission is refactored, test coverage is much
|
|
higher, more denial-of-service attacks are handled, guard selection is
|
|
improved to handle long-term guards better, pluggable transports
|
|
should work a bit better, and some annoying hidden service performance
|
|
bugs should be addressed.
|
|
|
|
o Minor bugfixes (portability):
|
|
- Use the correct datatype in the SipHash-2-4 function to prevent
|
|
compilers from assuming any sort of alignment. Fixes bug 15436;
|
|
bugfix on 0.2.5.3-alpha.
|
|
|
|
Changes in version 0.2.6.5-rc - 2015-03-18
|
|
Tor 0.2.6.5-rc is the second and (hopefully) last release candidate in
|
|
the 0.2.6. It fixes a small number of bugs found in 0.2.6.4-rc.
|
|
|
|
o Major bugfixes (client):
|
|
- Avoid crashing when making certain configuration option changes on
|
|
clients. Fixes bug 15245; bugfix on 0.2.6.3-alpha. Reported
|
|
by "anonym".
|
|
|
|
o Major bugfixes (pluggable transports):
|
|
- Initialize the extended OR Port authentication cookie before
|
|
launching pluggable transports. This prevents a race condition
|
|
that occured when server-side pluggable transports would cache the
|
|
authentication cookie before it has been (re)generated. Fixes bug
|
|
15240; bugfix on 0.2.5.1-alpha.
|
|
|
|
o Major bugfixes (portability):
|
|
- Do not crash on startup when running on Solaris. Fixes a bug
|
|
related to our fix for 9495; bugfix on 0.2.6.1-alpha. Reported
|
|
by "ruebezahl".
|
|
|
|
o Minor features (heartbeat):
|
|
- On relays, report how many connections we negotiated using each
|
|
version of the Tor link protocols. This information will let us
|
|
know if removing support for very old versions of the Tor
|
|
protocols is harming the network. Closes ticket 15212.
|
|
|
|
o Code simplification and refactoring:
|
|
- Refactor main loop to extract the 'loop' part. This makes it
|
|
easier to run Tor under Shadow. Closes ticket 15176.
|
|
|
|
|
|
Changes in version 0.2.5.11 - 2015-03-17
|
|
Tor 0.2.5.11 is the second stable release in the 0.2.5 series.
|
|
|
|
It backports several bugfixes from the 0.2.6 branch, including a
|
|
couple of medium-level security fixes for relays and exit nodes.
|
|
It also updates the list of directory authorities.
|
|
|
|
o Directory authority changes:
|
|
- Remove turtles as a directory authority.
|
|
- Add longclaw as a new (v3) directory authority. This implements
|
|
ticket 13296. This keeps the directory authority count at 9.
|
|
- The directory authority Faravahar has a new IP address. This
|
|
closes ticket 14487.
|
|
|
|
o Major bugfixes (crash, OSX, security):
|
|
- Fix a remote denial-of-service opportunity caused by a bug in
|
|
OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared
|
|
in OSX 10.9.
|
|
|
|
o Major bugfixes (relay, stability, possible security):
|
|
- Fix a bug that could lead to a relay crashing with an assertion
|
|
failure if a buffer of exactly the wrong layout was passed to
|
|
buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
|
|
0.2.0.10-alpha. Patch from 'cypherpunks'.
|
|
- Do not assert if the 'data' pointer on a buffer is advanced to the
|
|
very end of the buffer; log a BUG message instead. Only assert if
|
|
it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
|
|
|
|
o Major bugfixes (exit node stability):
|
|
- Fix an assertion failure that could occur under high DNS load.
|
|
Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
|
|
diagnosed and fixed by "cypherpunks".
|
|
|
|
o Major bugfixes (Linux seccomp2 sandbox):
|
|
- Upon receiving sighup with the seccomp2 sandbox enabled, do not
|
|
crash during attempts to call wait4. Fixes bug 15088; bugfix on
|
|
0.2.5.1-alpha. Patch from "sanic".
|
|
|
|
o Minor features (controller):
|
|
- New "GETINFO bw-event-cache" to get information about recent
|
|
bandwidth events. Closes ticket 14128. Useful for controllers to
|
|
get recent bandwidth history after the fix for ticket 13988.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
|
|
- Update geoip6 to the March 3 2015 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (client, automapping):
|
|
- Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when
|
|
no value follows the option. Fixes bug 14142; bugfix on
|
|
0.2.4.7-alpha. Patch by "teor".
|
|
- Fix a memory leak when using AutomapHostsOnResolve. Fixes bug
|
|
14195; bugfix on 0.1.0.1-rc.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Build without warnings with the stock OpenSSL srtp.h header, which
|
|
has a duplicate declaration of SSL_get_selected_srtp_profile().
|
|
Fixes bug 14220; this is OpenSSL's bug, not ours.
|
|
|
|
o Minor bugfixes (directory authority):
|
|
- Allow directory authorities to fetch more data from one another if
|
|
they find themselves missing lots of votes. Previously, they had
|
|
been bumping against the 10 MB queued data limit. Fixes bug 14261;
|
|
bugfix on 0.1.2.5-alpha.
|
|
- Enlarge the buffer to read bwauth generated files to avoid an
|
|
issue when parsing the file in dirserv_read_measured_bandwidths().
|
|
Fixes bug 14125; bugfix on 0.2.2.1-alpha.
|
|
|
|
o Minor bugfixes (statistics):
|
|
- Increase period over which bandwidth observations are aggregated
|
|
from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1.
|
|
|
|
o Minor bugfixes (preventative security, C safety):
|
|
- When reading a hexadecimal, base-32, or base-64 encoded value from
|
|
a string, always overwrite the whole output buffer. This prevents
|
|
some bugs where we would look at (but fortunately, not reveal)
|
|
uninitialized memory on the stack. Fixes bug 14013; bugfix on all
|
|
versions of Tor.
|
|
|
|
|
|
Changes in version 0.2.4.26 - 2015-03-17
|
|
Tor 0.2.4.26 includes an updated list of directory authorities. It
|
|
also backports a couple of stability and security bugfixes from 0.2.5
|
|
and beyond.
|
|
|
|
o Directory authority changes:
|
|
- Remove turtles as a directory authority.
|
|
- Add longclaw as a new (v3) directory authority. This implements
|
|
ticket 13296. This keeps the directory authority count at 9.
|
|
- The directory authority Faravahar has a new IP address. This
|
|
closes ticket 14487.
|
|
|
|
o Major bugfixes (exit node stability, also in 0.2.6.3-alpha):
|
|
- Fix an assertion failure that could occur under high DNS load.
|
|
Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
|
|
diagnosed and fixed by "cypherpunks".
|
|
|
|
o Major bugfixes (relay, stability, possible security, also in 0.2.6.4-rc):
|
|
- Fix a bug that could lead to a relay crashing with an assertion
|
|
failure if a buffer of exactly the wrong layout was passed to
|
|
buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
|
|
0.2.0.10-alpha. Patch from 'cypherpunks'.
|
|
- Do not assert if the 'data' pointer on a buffer is advanced to the
|
|
very end of the buffer; log a BUG message instead. Only assert if
|
|
it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
|
|
- Update geoip6 to the March 3 2015 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
Changes in version 0.2.6.4-rc - 2015-03-09
|
|
Tor 0.2.6.4-alpha fixes an issue in the directory code that an
|
|
attacker might be able to use in order to crash certain Tor
|
|
directories. It also resolves some minor issues left over from, or
|
|
introduced in, Tor 0.2.6.3-alpha or earlier.
|
|
|
|
o Major bugfixes (crash, OSX, security):
|
|
- Fix a remote denial-of-service opportunity caused by a bug in
|
|
OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared
|
|
in OSX 10.9.
|
|
|
|
o Major bugfixes (relay, stability, possible security):
|
|
- Fix a bug that could lead to a relay crashing with an assertion
|
|
failure if a buffer of exactly the wrong layout is passed to
|
|
buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
|
|
0.2.0.10-alpha. Patch from "cypherpunks".
|
|
- Do not assert if the 'data' pointer on a buffer is advanced to the
|
|
very end of the buffer; log a BUG message instead. Only assert if
|
|
it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
|
|
|
|
o Major bugfixes (FreeBSD IPFW transparent proxy):
|
|
- Fix address detection with FreeBSD transparent proxies, when
|
|
"TransProxyType ipfw" is in use. Fixes bug 15064; bugfix
|
|
on 0.2.5.4-alpha.
|
|
|
|
o Major bugfixes (Linux seccomp2 sandbox):
|
|
- Pass IPPROTO_TCP rather than 0 to socket(), so that the Linux
|
|
seccomp2 sandbox doesn't fail. Fixes bug 14989; bugfix
|
|
on 0.2.6.3-alpha.
|
|
- Allow AF_UNIX hidden services to be used with the seccomp2
|
|
sandbox. Fixes bug 15003; bugfix on 0.2.6.3-alpha.
|
|
- Upon receiving sighup with the seccomp2 sandbox enabled, do not
|
|
crash during attempts to call wait4. Fixes bug 15088; bugfix on
|
|
0.2.5.1-alpha. Patch from "sanic".
|
|
|
|
o Minor features (controller):
|
|
- Messages about problems in the bootstrap process now include
|
|
information about the server we were trying to connect to when we
|
|
noticed the problem. Closes ticket 15006.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
|
|
- Update geoip6 to the March 3 2015 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (logs):
|
|
- Quiet some log messages in the heartbeat and at startup. Closes
|
|
ticket 14950.
|
|
|
|
o Minor bugfixes (certificate handling):
|
|
- If an authority operator accidentally makes a signing certificate
|
|
with a future publication time, do not discard its real signing
|
|
certificates. Fixes bug 11457; bugfix on 0.2.0.3-alpha.
|
|
- Remove any old authority certificates that have been superseded
|
|
for at least two days. Previously, we would keep superseded
|
|
certificates until they expired, if they were published close in
|
|
time to the certificate that superseded them. Fixes bug 11454;
|
|
bugfix on 0.2.1.8-alpha.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Fix a compilation warning on s390. Fixes bug 14988; bugfix
|
|
on 0.2.5.2-alpha.
|
|
- Fix a compilation warning on FreeBSD. Fixes bug 15151; bugfix
|
|
on 0.2.6.2-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Fix endianness issues in unit test for resolve_my_address() to
|
|
have it pass on big endian systems. Fixes bug 14980; bugfix on
|
|
Tor 0.2.6.3-alpha.
|
|
- Avoid a side-effect in a tor_assert() in the unit tests. Fixes bug
|
|
15188; bugfix on 0.1.2.3-alpha. Patch from Tom van der Woerdt.
|
|
- When running the new 'make test-stem' target, use the configured
|
|
python binary. Fixes bug 15037; bugfix on 0.2.6.3-alpha. Patch
|
|
from "cypherpunks".
|
|
- When running the zero-length-keys tests, do not use the default
|
|
torrc file. Fixes bug 15033; bugfix on 0.2.6.3-alpha. Reported
|
|
by "reezer".
|
|
|
|
o Directory authority IP change:
|
|
- The directory authority Faravahar has a new IP address. This
|
|
closes ticket 14487.
|
|
|
|
o Removed code:
|
|
- Remove some lingering dead code that once supported mempools.
|
|
Mempools were disabled by default in 0.2.5, and removed entirely
|
|
in 0.2.6.3-alpha. Closes more of ticket 14848; patch
|
|
by "cypherpunks".
|
|
|
|
|
|
Changes in version 0.2.6.3-alpha - 2015-02-19
|
|
Tor 0.2.6.3-alpha is the third (and hopefully final) alpha release in
|
|
the 0.2.6.x series. It introduces support for more kinds of sockets,
|
|
makes it harder to accidentally run an exit, improves our
|
|
multithreading backend, incorporates several fixes for the
|
|
AutomapHostsOnResolve option, and fixes numerous other bugs besides.
|
|
|
|
If no major regressions or security holes are found in this version,
|
|
the next version will be a release candidate.
|
|
|
|
o Deprecated versions:
|
|
- Tor relays older than 0.2.4.18-rc are no longer allowed to
|
|
advertise themselves on the network. Closes ticket 13555.
|
|
|
|
o Major features (security, unix domain sockets):
|
|
- Allow SocksPort to be an AF_UNIX Unix Domain Socket. Now high risk
|
|
applications can reach Tor without having to create AF_INET or
|
|
AF_INET6 sockets, meaning they can completely disable their
|
|
ability to make non-Tor network connections. To create a socket of
|
|
this type, use "SocksPort unix:/path/to/socket". Implements
|
|
ticket 12585.
|
|
- Support mapping hidden service virtual ports to AF_UNIX sockets.
|
|
The syntax is "HiddenServicePort 80 unix:/path/to/socket".
|
|
Implements ticket 11485.
|
|
|
|
o Major features (changed defaults):
|
|
- Prevent relay operators from unintentionally running exits: When a
|
|
relay is configured as an exit node, we now warn the user unless
|
|
the "ExitRelay" option is set to 1. We warn even more loudly if
|
|
the relay is configured with the default exit policy, since this
|
|
can indicate accidental misconfiguration. Setting "ExitRelay 0"
|
|
stops Tor from running as an exit relay. Closes ticket 10067.
|
|
|
|
o Major features (directory system):
|
|
- When downloading server- or microdescriptors from a directory
|
|
server, we no longer launch multiple simultaneous requests to the
|
|
same server. This reduces load on the directory servers,
|
|
especially when directory guards are in use. Closes ticket 9969.
|
|
- When downloading server- or microdescriptors over a tunneled
|
|
connection, do not limit the length of our requests to what the
|
|
Squid proxy is willing to handle. Part of ticket 9969.
|
|
- Authorities can now vote on the correct digests and latest
|
|
versions for different software packages. This allows packages
|
|
that include Tor to use the Tor authority system as a way to get
|
|
notified of updates and their correct digests. Implements proposal
|
|
227. Closes ticket 10395.
|
|
|
|
o Major features (guards):
|
|
- Introduce the Guardfraction feature to improves load balancing on
|
|
guard nodes. Specifically, it aims to reduce the traffic gap that
|
|
guard nodes experience when they first get the Guard flag. This is
|
|
a required step if we want to increase the guard lifetime to 9
|
|
months or greater. Closes ticket 9321.
|
|
|
|
o Major features (performance):
|
|
- Make the CPU worker implementation more efficient by avoiding the
|
|
kernel and lengthening pipelines. The original implementation used
|
|
sockets to transfer data from the main thread to the workers, and
|
|
didn't allow any thread to be assigned more than a single piece of
|
|
work at once. The new implementation avoids communications
|
|
overhead by making requests in shared memory, avoiding kernel IO
|
|
where possible, and keeping more requests in flight at once.
|
|
Implements ticket 9682.
|
|
|
|
o Major features (relay):
|
|
- Raise the minimum acceptable configured bandwidth rate for bridges
|
|
to 50 KiB/sec and for relays to 75 KiB/sec. (The old values were
|
|
20 KiB/sec.) Closes ticket 13822.
|
|
|
|
o Major bugfixes (exit node stability):
|
|
- Fix an assertion failure that could occur under high DNS load.
|
|
Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
|
|
diagnosed and fixed by "cypherpunks".
|
|
|
|
o Major bugfixes (mixed relay-client operation):
|
|
- When running as a relay and client at the same time (not
|
|
recommended), if we decide not to use a new guard because we want
|
|
to retry older guards, only close the locally-originating circuits
|
|
passing through that guard. Previously we would close all the
|
|
circuits through that guard. Fixes bug 9819; bugfix on
|
|
0.2.1.1-alpha. Reported by "skruffy".
|
|
|
|
o Minor features (build):
|
|
- New --disable-system-torrc compile-time option to prevent Tor from
|
|
looking for the system-wide torrc or torrc-defaults files.
|
|
Resolves ticket 13037.
|
|
|
|
o Minor features (controller):
|
|
- Include SOCKS_USERNAME and SOCKS_PASSWORD values in controller
|
|
events so controllers can observe circuit isolation inputs. Closes
|
|
ticket 8405.
|
|
- ControlPort now supports the unix:/path/to/socket syntax as an
|
|
alternative to the ControlSocket option, for consistency with
|
|
SocksPort and HiddenServicePort. Closes ticket 14451.
|
|
- New "GETINFO bw-event-cache" to get information about recent
|
|
bandwidth events. Closes ticket 14128. Useful for controllers to
|
|
get recent bandwidth history after the fix for ticket 13988.
|
|
|
|
o Minor features (Denial of service resistance):
|
|
- Count the total number of bytes used storing hidden service
|
|
descriptors against the value of MaxMemInQueues. If we're low on
|
|
memory, and more than 20% of our memory is used holding hidden
|
|
service descriptors, free them until no more than 10% of our
|
|
memory holds hidden service descriptors. Free the least recently
|
|
fetched descriptors first. Resolves ticket 13806.
|
|
- When we have recently been under memory pressure (over 3/4 of
|
|
MaxMemInQueues is allocated), then allocate smaller zlib objects
|
|
for small requests. Closes ticket 11791.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 files to the January 7 2015 Maxmind
|
|
GeoLite2 Country database.
|
|
|
|
o Minor features (guard nodes):
|
|
- Reduce the time delay before saving guard status to disk from 10
|
|
minutes to 30 seconds (or from one hour to 10 minutes if
|
|
AvoidDiskWrites is set). Closes ticket 12485.
|
|
|
|
o Minor features (hidden service):
|
|
- Make Sybil attacks against hidden services harder by changing the
|
|
minimum time required to get the HSDir flag from 25 hours up to 96
|
|
hours. Addresses ticket 14149.
|
|
- New option "HiddenServiceAllowUnknownPorts" to allow hidden
|
|
services to disable the anti-scanning feature introduced in
|
|
0.2.6.2-alpha. With this option not set, a connection to an
|
|
unlisted port closes the circuit. With this option set, only a
|
|
RELAY_DONE cell is sent. Closes ticket 14084.
|
|
|
|
o Minor features (interface):
|
|
- Implement "-f -" command-line option to read torrc configuration
|
|
from standard input, if you don't want to store the torrc file in
|
|
the file system. Implements feature 13865.
|
|
|
|
o Minor features (logging):
|
|
- Add a count of unique clients to the bridge heartbeat message.
|
|
Resolves ticket 6852.
|
|
- Suppress "router info incompatible with extra info" message when
|
|
reading extrainfo documents from cache. (This message got loud
|
|
around when we closed bug 9812 in 0.2.6.2-alpha.) Closes
|
|
ticket 13762.
|
|
- Elevate hidden service authorized-client message from DEBUG to
|
|
INFO. Closes ticket 14015.
|
|
|
|
o Minor features (stability):
|
|
- Add assertions in our hash-table iteration code to check for
|
|
corrupted values that could cause infinite loops. Closes
|
|
ticket 11737.
|
|
|
|
o Minor features (systemd):
|
|
- Various improvements and modernizations in systemd hardening
|
|
support. Closes ticket 13805. Patch from Craig Andrews.
|
|
|
|
o Minor features (testing networks):
|
|
- Drop the minimum RendPostPeriod on a testing network to 5 seconds,
|
|
and the default on a testing network to 2 minutes. Drop the
|
|
MIN_REND_INITIAL_POST_DELAY on a testing network to 5 seconds, but
|
|
keep the default on a testing network at 30 seconds. This reduces
|
|
HS bootstrap time to around 25 seconds. Also, change the default
|
|
time in test-network.sh to match. Closes ticket 13401. Patch
|
|
by "teor".
|
|
- Create TestingDirAuthVoteHSDir to correspond to
|
|
TestingDirAuthVoteExit/Guard. Ensures that authorities vote the
|
|
HSDir flag for the listed relays regardless of uptime or ORPort
|
|
connectivity. Respects the value of VoteOnHidServDirectoriesV2.
|
|
Partial implementation for ticket 14067. Patch by "teor".
|
|
|
|
o Minor features (tor2web mode):
|
|
- Introduce the config option Tor2webRendezvousPoints, which allows
|
|
clients in Tor2webMode to select a specific Rendezvous Point to be
|
|
used in HS circuits. This might allow better performance for
|
|
Tor2Web nodes. Implements ticket 12844.
|
|
|
|
o Minor bugfixes (client DNS):
|
|
- Report the correct cached DNS expiration times on SOCKS port or in
|
|
DNS replies. Previously, we would report everything as "never
|
|
expires." Fixes bug 14193; bugfix on 0.2.3.17-beta.
|
|
- Avoid a small memory leak when we find a cached answer for a
|
|
reverse DNS lookup in a client-side DNS cache. (Remember, client-
|
|
side DNS caching is off by default, and is not recommended.) Fixes
|
|
bug 14259; bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor bugfixes (client, automapping):
|
|
- Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when
|
|
no value follows the option. Fixes bug 14142; bugfix on
|
|
0.2.4.7-alpha. Patch by "teor".
|
|
- Fix a memory leak when using AutomapHostsOnResolve. Fixes bug
|
|
14195; bugfix on 0.1.0.1-rc.
|
|
- Prevent changes to other options from removing the wildcard value
|
|
"." from "AutomapHostsSuffixes". Fixes bug 12509; bugfix
|
|
on 0.2.0.1-alpha.
|
|
- Allow MapAddress and AutomapHostsOnResolve to work together when
|
|
an address is mapped into another address type (like .onion) that
|
|
must be automapped at resolve time. Fixes bug 7555; bugfix
|
|
on 0.2.0.1-alpha.
|
|
|
|
o Minor bugfixes (client, bridges):
|
|
- When we are using bridges and we had a network connectivity
|
|
problem, only retry connecting to our currently configured
|
|
bridges, not all bridges we know about and remember using. Fixes
|
|
bug 14216; bugfix on 0.2.2.17-alpha.
|
|
|
|
o Minor bugfixes (client, IPv6):
|
|
- Reject socks requests to literal IPv6 addresses when IPv6Traffic
|
|
flag is not set; and not because the NoIPv4Traffic flag was set.
|
|
Previously we'd looked at the NoIPv4Traffic flag for both types of
|
|
literal addresses. Fixes bug 14280; bugfix on 0.2.4.7-alpha.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- The address of an array in the middle of a structure will always
|
|
be non-NULL. clang recognises this and complains. Disable the
|
|
tautologous and redundant check to silence this warning. Fixes bug
|
|
14001; bugfix on 0.2.1.2-alpha.
|
|
- Avoid warnings when building with systemd 209 or later. Fixes bug
|
|
14072; bugfix on 0.2.6.2-alpha. Patch from "h.venev".
|
|
- Compile correctly with (unreleased) OpenSSL 1.1.0 headers.
|
|
Addresses ticket 14188.
|
|
- Build without warnings with the stock OpenSSL srtp.h header, which
|
|
has a duplicate declaration of SSL_get_selected_srtp_profile().
|
|
Fixes bug 14220; this is OpenSSL's bug, not ours.
|
|
- Do not compile any code related to Tor2Web mode when Tor2Web mode
|
|
is not enabled at compile time. Previously, this code was included
|
|
in a disabled state. See discussion on ticket 12844.
|
|
- Remove the --disable-threads configure option again. It was
|
|
accidentally partially reintroduced in 29ac883606d6d. Fixes bug
|
|
14819; bugfix on 0.2.6.2-alpha.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Report "down" in response to the "GETINFO entry-guards" command
|
|
when relays are down with an unreachable_since value. Previously,
|
|
we would report "up". Fixes bug 14184; bugfix on 0.1.2.2-alpha.
|
|
- Avoid crashing on a malformed EXTENDCIRCUIT command. Fixes bug
|
|
14116; bugfix on 0.2.2.9-alpha.
|
|
- Add a code for the END_CIRC_REASON_IP_NOW_REDUNDANT circuit close
|
|
reason. Fixes bug 14207; bugfix on 0.2.6.2-alpha.
|
|
|
|
o Minor bugfixes (directory authority):
|
|
- Allow directory authorities to fetch more data from one another if
|
|
they find themselves missing lots of votes. Previously, they had
|
|
been bumping against the 10 MB queued data limit. Fixes bug 14261;
|
|
bugfix on 0.1.2.5-alpha.
|
|
- Do not attempt to download extrainfo documents which we will be
|
|
unable to validate with a matching server descriptor. Fixes bug
|
|
13762; bugfix on 0.2.0.1-alpha.
|
|
- Fix a bug that was truncating AUTHDIR_NEWDESC events sent to the
|
|
control port. Fixes bug 14953; bugfix on 0.2.0.1-alpha.
|
|
- Enlarge the buffer to read bwauth generated files to avoid an
|
|
issue when parsing the file in dirserv_read_measured_bandwidths().
|
|
Fixes bug 14125; bugfix on 0.2.2.1-alpha.
|
|
|
|
o Minor bugfixes (file handling):
|
|
- Stop failing when key files are zero-length. Instead, generate new
|
|
keys, and overwrite the empty key files. Fixes bug 13111; bugfix
|
|
on all versions of Tor. Patch by "teor".
|
|
- Stop generating a fresh .old RSA onion key file when the .old file
|
|
is missing. Fixes part of 13111; bugfix on 0.0.6rc1.
|
|
- Avoid overwriting .old key files with empty key files.
|
|
- Skip loading zero-length extrainfo store, router store, stats,
|
|
state, and key files.
|
|
- Avoid crashing when trying to reload a torrc specified as a
|
|
relative path with RunAsDaemon turned on. Fixes bug 13397; bugfix
|
|
on 0.2.3.11-alpha.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Close the introduction circuit when we have no more usable intro
|
|
points, instead of waiting for it to time out. This also ensures
|
|
that no follow-up HS descriptor fetch is triggered when the
|
|
circuit eventually times out. Fixes bug 14224; bugfix on 0.0.6.
|
|
- When fetching a hidden service descriptor for a down service that
|
|
was recently up, do not keep refetching until we try the same
|
|
replica twice in a row. Fixes bug 14219; bugfix on 0.2.0.10-alpha.
|
|
- Successfully launch Tor with a nonexistent hidden service
|
|
directory. Our fix for bug 13942 didn't catch this case. Fixes bug
|
|
14106; bugfix on 0.2.6.2-alpha.
|
|
|
|
o Minor bugfixes (logging):
|
|
- Avoid crashing when there are more log domains than entries in
|
|
domain_list. Bugfix on 0.2.3.1-alpha.
|
|
- Add a string representation for LD_SCHED. Fixes bug 14740; bugfix
|
|
on 0.2.6.1-alpha.
|
|
- Don't log messages to stdout twice when starting up. Fixes bug
|
|
13993; bugfix on 0.2.6.1-alpha.
|
|
|
|
o Minor bugfixes (parsing):
|
|
- Stop accepting milliseconds (or other junk) at the end of
|
|
descriptor publication times. Fixes bug 9286; bugfix on 0.0.2pre25.
|
|
- Support two-number and three-number version numbers correctly, in
|
|
case we change the Tor versioning system in the future. Fixes bug
|
|
13661; bugfix on 0.0.8pre1.
|
|
|
|
o Minor bugfixes (path counting):
|
|
- When deciding whether the consensus lists any exit nodes, count
|
|
the number listed in the consensus, not the number we have
|
|
descriptors for. Fixes part of bug 14918; bugfix on 0.2.6.2-alpha.
|
|
- When deciding whether we have any exit nodes, only examine
|
|
ExitNodes when the ExitNodes option is actually set. Fixes part of
|
|
bug 14918; bugfix on 0.2.6.2-alpha.
|
|
- Get rid of redundant and possibly scary warnings that we are
|
|
missing directory information while we bootstrap. Fixes part of
|
|
bug 14918; bugfix on 0.2.6.2-alpha.
|
|
|
|
o Minor bugfixes (portability):
|
|
- Fix the ioctl()-based network interface lookup code so that it
|
|
will work on systems that have variable-length struct ifreq, for
|
|
example Mac OS X.
|
|
- Fix scheduler compilation on targets where char is unsigned. Fixes
|
|
bug 14764; bugfix on 0.2.6.2-alpha. Reported by Christian Kujau.
|
|
|
|
o Minor bugfixes (sandbox):
|
|
- Allow glibc fatal errors to be sent to stderr before Tor exits.
|
|
Previously, glibc would try to write them to /dev/tty, and the
|
|
sandbox would trap the call and make Tor exit prematurely. Fixes
|
|
bug 14759; bugfix on 0.2.5.1-alpha.
|
|
|
|
o Minor bugfixes (shutdown):
|
|
- When shutting down, always call event_del() on lingering read or
|
|
write events before freeing them. Otherwise, we risk double-frees
|
|
or read-after-frees in event_base_free(). Fixes bug 12985; bugfix
|
|
on 0.1.0.2-rc.
|
|
|
|
o Minor bugfixes (small memory leaks):
|
|
- Avoid leaking memory when using IPv6 virtual address mappings.
|
|
Fixes bug 14123; bugfix on 0.2.4.7-alpha. Patch by Tom van
|
|
der Woerdt.
|
|
|
|
o Minor bugfixes (statistics):
|
|
- Increase period over which bandwidth observations are aggregated
|
|
from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1.
|
|
|
|
o Minor bugfixes (systemd support):
|
|
- Fix detection and operation of systemd watchdog. Fixes part of bug
|
|
14141; bugfix on 0.2.6.2-alpha. Patch from Tomasz Torcz.
|
|
- Run correctly under systemd with the RunAsDaemon option set. Fixes
|
|
part of bug 14141; bugfix on 0.2.5.7-rc. Patch from Tomasz Torcz.
|
|
- Inform the systemd supervisor about more changes in the Tor
|
|
process status. Implements part of ticket 14141. Patch from
|
|
Tomasz Torcz.
|
|
- Cause the "--disable-systemd" option to actually disable systemd
|
|
support. Fixes bug 14350; bugfix on 0.2.6.2-alpha. Patch
|
|
from "blueness".
|
|
|
|
o Minor bugfixes (TLS):
|
|
- Check more thoroughly throughout the TLS code for possible
|
|
unlogged TLS errors. Possible diagnostic or fix for bug 13319.
|
|
|
|
o Minor bugfixes (transparent proxy):
|
|
- Use getsockname, not getsockopt, to retrieve the address for a
|
|
TPROXY-redirected connection. Fixes bug 13796; bugfix
|
|
on 0.2.5.2-alpha.
|
|
|
|
o Code simplification and refactoring:
|
|
- Move fields related to isolating and configuring client ports into
|
|
a shared structure. Previously, they were duplicated across
|
|
port_cfg_t, listener_connection_t, and edge_connection_t. Failure
|
|
to copy them correctly had been the cause of at least one bug in
|
|
the past. Closes ticket 8546.
|
|
- Refactor the get_interface_addresses_raw() doom-function into
|
|
multiple smaller and simpler subfunctions. Cover the resulting
|
|
subfunctions with unit-tests. Fixes a significant portion of
|
|
issue 12376.
|
|
- Remove workaround in dirserv_thinks_router_is_hs_dir() that was
|
|
only for version <= 0.2.2.24 which is now deprecated. Closes
|
|
ticket 14202.
|
|
- Remove a test for a long-defunct broken version-one
|
|
directory server.
|
|
|
|
o Documentation:
|
|
- Adding section on OpenBSD to our TUNING document. Thanks to mmcc
|
|
for writing the OpenBSD-specific tips. Resolves ticket 13702.
|
|
- Make the tor-resolve documentation match its help string and its
|
|
options. Resolves part of ticket 14325.
|
|
- Log a more useful error message from tor-resolve when failing to
|
|
look up a hidden service address. Resolves part of ticket 14325.
|
|
|
|
o Downgraded warnings:
|
|
- Don't warn when we've attempted to contact a relay using the wrong
|
|
ntor onion key. Closes ticket 9635.
|
|
|
|
o Removed features:
|
|
- To avoid confusion with the "ExitRelay" option, "ExitNode" is no
|
|
longer silently accepted as an alias for "ExitNodes".
|
|
- The --enable-mempool and --enable-buf-freelists options, which
|
|
were originally created to work around bad malloc implementations,
|
|
no longer exist. They were off-by-default in 0.2.5. Closes
|
|
ticket 14848.
|
|
|
|
o Testing:
|
|
- Make the checkdir/perms test complete successfully even if the
|
|
global umask is not 022. Fixes bug 14215; bugfix on 0.2.6.2-alpha.
|
|
- Test that tor does not fail when key files are zero-length. Check
|
|
that tor generates new keys, and overwrites the empty key files.
|
|
- Test that tor generates new keys when keys are missing
|
|
(existing behavior).
|
|
- Test that tor does not overwrite key files that already contain
|
|
data (existing behavior). Tests bug 13111. Patch by "teor".
|
|
- New "make test-stem" target to run stem integration tests.
|
|
Requires that the "STEM_SOURCE_DIR" environment variable be set.
|
|
Closes ticket 14107.
|
|
- Make the test_cmdline_args.py script work correctly on Windows.
|
|
Patch from Gisle Vanem.
|
|
- Move the slower unit tests into a new "./src/test/test-slow"
|
|
binary that can be run independently of the other tests. Closes
|
|
ticket 13243.
|
|
- Avoid undefined behavior when sampling huge values from the
|
|
Laplace distribution. This made unittests fail on Raspberry Pi.
|
|
Bug found by Device. Fixes bug 14090; bugfix on 0.2.6.2-alpha.
|
|
|
|
|
|
Changes in version 0.2.6.2-alpha - 2014-12-31
|
|
Tor 0.2.6.2-alpha is the second alpha release in the 0.2.6.x series.
|
|
It introduces a major new backend for deciding when to send cells on
|
|
channels, which should lead down the road to big performance
|
|
increases. It contains security and statistics features for better
|
|
work on hidden services, and numerous bugfixes.
|
|
|
|
This release contains many new unit tests, along with major
|
|
performance improvements for running testing networks using Chutney.
|
|
Thanks to a series of patches contributed by "teor", testing networks
|
|
should now bootstrap in seconds, rather than minutes.
|
|
|
|
o Major features (relay, infrastructure):
|
|
- Complete revision of the code that relays use to decide which cell
|
|
to send next. Formerly, we selected the best circuit to write on
|
|
each channel, but we didn't select among channels in any
|
|
sophisticated way. Now, we choose the best circuits globally from
|
|
among those whose channels are ready to deliver traffic.
|
|
|
|
This patch implements a new inter-cmux comparison API, a global
|
|
high/low watermark mechanism and a global scheduler loop for
|
|
transmission prioritization across all channels as well as among
|
|
circuits on one channel. This schedule is currently tuned to
|
|
(tolerantly) avoid making changes in network performance, but it
|
|
should form the basis for major circuit performance increases in
|
|
the future. Code by Andrea; tuning by Rob Jansen; implements
|
|
ticket 9262.
|
|
|
|
o Major features (hidden services):
|
|
- Make HS port scanning more difficult by immediately closing the
|
|
circuit when a user attempts to connect to a nonexistent port.
|
|
Closes ticket 13667.
|
|
- Add a HiddenServiceStatistics option that allows Tor relays to
|
|
gather and publish statistics about the overall size and volume of
|
|
hidden service usage. Specifically, when this option is turned on,
|
|
an HSDir will publish an approximate number of hidden services
|
|
that have published descriptors to it the past 24 hours. Also, if
|
|
a relay has acted as a hidden service rendezvous point, it will
|
|
publish the approximate amount of rendezvous cells it has relayed
|
|
the past 24 hours. The statistics themselves are obfuscated so
|
|
that the exact values cannot be derived. For more details see
|
|
proposal 238, "Better hidden service stats from Tor relays". This
|
|
feature is currently disabled by default. Implements feature 13192.
|
|
|
|
o Major bugfixes (client, automap):
|
|
- Repair automapping with IPv6 addresses. This automapping should
|
|
have worked previously, but one piece of debugging code that we
|
|
inserted to detect a regression actually caused the regression to
|
|
manifest itself again. Fixes bug 13811 and bug 12831; bugfix on
|
|
0.2.4.7-alpha. Diagnosed and fixed by Francisco Blas
|
|
Izquierdo Riera.
|
|
|
|
o Major bugfixes (hidden services):
|
|
- When closing an introduction circuit that was opened in parallel
|
|
with others, don't mark the introduction point as unreachable.
|
|
Previously, the first successful connection to an introduction
|
|
point would make the other introduction points get marked as
|
|
having timed out. Fixes bug 13698; bugfix on 0.0.6rc2.
|
|
|
|
o Directory authority changes:
|
|
- Remove turtles as a directory authority.
|
|
- Add longclaw as a new (v3) directory authority. This implements
|
|
ticket 13296. This keeps the directory authority count at 9.
|
|
|
|
o Major removed features:
|
|
- Tor clients no longer support connecting to hidden services
|
|
running on Tor 0.2.2.x and earlier; the Support022HiddenServices
|
|
option has been removed. (There shouldn't be any hidden services
|
|
running these versions on the network.) Closes ticket 7803.
|
|
|
|
o Minor features (client):
|
|
- Validate hostnames in SOCKS5 requests more strictly. If SafeSocks
|
|
is enabled, reject requests with IP addresses as hostnames.
|
|
Resolves ticket 13315.
|
|
|
|
o Minor features (controller):
|
|
- Add a "SIGNAL HEARTBEAT" controller command that tells Tor to
|
|
write an unscheduled heartbeat message to the log. Implements
|
|
feature 9503.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the November 15 2014 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor features (hidden services):
|
|
- When re-enabling the network, don't try to build introduction
|
|
circuits until we have successfully built a circuit. This makes
|
|
hidden services come up faster when the network is re-enabled.
|
|
Patch from "akwizgran". Closes ticket 13447.
|
|
- When we fail to retrieve a hidden service descriptor, send the
|
|
controller an "HS_DESC FAILED" controller event. Implements
|
|
feature 13212.
|
|
- New HiddenServiceDirGroupReadable option to cause hidden service
|
|
directories and hostname files to be created group-readable. Patch
|
|
from "anon", David Stainton, and "meejah". Closes ticket 11291.
|
|
|
|
o Minor features (systemd):
|
|
- Where supported, when running with systemd, report successful
|
|
startup to systemd. Part of ticket 11016. Patch by Michael Scherer.
|
|
- When running with systemd, support systemd watchdog messages. Part
|
|
of ticket 11016. Patch by Michael Scherer.
|
|
|
|
o Minor features (transparent proxy):
|
|
- Update the transparent proxy option checks to allow for both ipfw
|
|
and pf on OS X. Closes ticket 14002.
|
|
- Use the correct option when using IPv6 with transparent proxy
|
|
support on Linux. Resolves 13808. Patch by Francisco Blas
|
|
Izquierdo Riera.
|
|
|
|
o Minor bugfixes (preventative security, C safety):
|
|
- When reading a hexadecimal, base-32, or base-64 encoded value from
|
|
a string, always overwrite the whole output buffer. This prevents
|
|
some bugs where we would look at (but fortunately, not reveal)
|
|
uninitialized memory on the stack. Fixes bug 14013; bugfix on all
|
|
versions of Tor.
|
|
- Clear all memory targetted by tor_addr_{to,from}_sockaddr(), not
|
|
just the part that's used. This makes it harder for data leak bugs
|
|
to occur in the event of other programming failures. Resolves
|
|
ticket 14041.
|
|
|
|
o Minor bugfixes (client, microdescriptors):
|
|
- Use a full 256 bits of the SHA256 digest of a microdescriptor when
|
|
computing which microdescriptors to download. This keeps us from
|
|
erroneous download behavior if two microdescriptor digests ever
|
|
have the same first 160 bits. Fixes part of bug 13399; bugfix
|
|
on 0.2.3.1-alpha.
|
|
- Reset a router's status if its microdescriptor digest changes,
|
|
even if the first 160 bits remain the same. Fixes part of bug
|
|
13399; bugfix on 0.2.3.1-alpha.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Silence clang warnings under --enable-expensive-hardening,
|
|
including implicit truncation of 64 bit values to 32 bit, const
|
|
char assignment to self, tautological compare, and additional
|
|
parentheses around equality tests. Fixes bug 13577; bugfix
|
|
on 0.2.5.4-alpha.
|
|
- Fix a clang warning about checking whether an address in the
|
|
middle of a structure is NULL. Fixes bug 14001; bugfix
|
|
on 0.2.1.2-alpha.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Correctly send a controller event when we find that a rendezvous
|
|
circuit has finished. Fixes bug 13936; bugfix on 0.1.1.5-alpha.
|
|
- Pre-check directory permissions for new hidden-services to avoid
|
|
at least one case of "Bug: Acting on config options left us in a
|
|
broken state. Dying." Fixes bug 13942; bugfix on 0.0.6pre1.
|
|
- When adding a new hidden service (for example, via SETCONF), Tor
|
|
no longer congratulates the user for running a relay. Fixes bug
|
|
13941; bugfix on 0.2.6.1-alpha.
|
|
- When fetching hidden service descriptors, we now check not only
|
|
for whether we got the hidden service we had in mind, but also
|
|
whether we got the particular descriptors we wanted. This prevents
|
|
a class of inefficient but annoying DoS attacks by hidden service
|
|
directories. Fixes bug 13214; bugfix on 0.2.1.6-alpha. Reported
|
|
by "special".
|
|
|
|
o Minor bugfixes (Linux seccomp2 sandbox):
|
|
- Make transparent proxy support work along with the seccomp2
|
|
sandbox. Fixes part of bug 13808; bugfix on 0.2.5.1-alpha. Patch
|
|
by Francisco Blas Izquierdo Riera.
|
|
- Fix a memory leak in tor-resolve when running with the sandbox
|
|
enabled. Fixes bug 14050; bugfix on 0.2.5.9-rc.
|
|
|
|
o Minor bugfixes (logging):
|
|
- Downgrade warnings about RSA signature failures to info log level.
|
|
Emit a warning when an extra info document is found incompatible
|
|
with a corresponding router descriptor. Fixes bug 9812; bugfix
|
|
on 0.0.6rc3.
|
|
- Make connection_ap_handshake_attach_circuit() log the circuit ID
|
|
correctly. Fixes bug 13701; bugfix on 0.0.6.
|
|
|
|
o Minor bugfixes (misc):
|
|
- Stop allowing invalid address patterns like "*/24" that contain
|
|
both a wildcard address and a bit prefix length. This affects all
|
|
our address-range parsing code. Fixes bug 7484; bugfix
|
|
on 0.0.2pre14.
|
|
|
|
o Minor bugfixes (testing networks, fast startup):
|
|
- Allow Tor to build circuits using a consensus with no exits. If
|
|
the consensus has no exits (typical of a bootstrapping test
|
|
network), allow Tor to build circuits once enough descriptors have
|
|
been downloaded. This assists in bootstrapping a testing Tor
|
|
network. Fixes bug 13718; bugfix on 0.2.4.10-alpha. Patch
|
|
by "teor".
|
|
- When V3AuthVotingInterval is low, give a lower If-Modified-Since
|
|
header to directory servers. This allows us to obtain consensuses
|
|
promptly when the consensus interval is very short. This assists
|
|
in bootstrapping a testing Tor network. Fixes parts of bugs 13718
|
|
and 13963; bugfix on 0.2.0.3-alpha. Patch by "teor".
|
|
- Stop assuming that private addresses are local when checking
|
|
reachability in a TestingTorNetwork. Instead, when testing, assume
|
|
all OR connections are remote. (This is necessary due to many test
|
|
scenarios running all relays on localhost.) This assists in
|
|
bootstrapping a testing Tor network. Fixes bug 13924; bugfix on
|
|
0.1.0.1-rc. Patch by "teor".
|
|
- Avoid building exit circuits from a consensus with no exits. Now
|
|
thanks to our fix for 13718, we accept a no-exit network as not
|
|
wholly lost, but we need to remember not to try to build exit
|
|
circuits on it. Closes ticket 13814; patch by "teor".
|
|
- Stop requiring exits to have non-zero bandwithcapacity in a
|
|
TestingTorNetwork. Instead, when TestingMinExitFlagThreshold is 0,
|
|
ignore exit bandwidthcapacity. This assists in bootstrapping a
|
|
testing Tor network. Fixes parts of bugs 13718 and 13839; bugfix
|
|
on 0.2.0.3-alpha. Patch by "teor".
|
|
- Add "internal" to some bootstrap statuses when no exits are
|
|
available. If the consensus does not contain Exits, Tor will only
|
|
build internal circuits. In this case, relevant statuses will
|
|
contain the word "internal" as indicated in the Tor control-
|
|
spec.txt. When bootstrap completes, Tor will be ready to build
|
|
internal circuits. If a future consensus contains Exits, exit
|
|
circuits may become available. Fixes part of bug 13718; bugfix on
|
|
0.2.4.10-alpha. Patch by "teor".
|
|
- Decrease minimum consensus interval to 10 seconds when
|
|
TestingTorNetwork is set, or 5 seconds for the first consensus.
|
|
Fix assumptions throughout the code that assume larger intervals.
|
|
Fixes bugs 13718 and 13823; bugfix on 0.2.0.3-alpha. Patch
|
|
by "teor".
|
|
- Avoid excluding guards from path building in minimal test
|
|
networks, when we're in a test network and excluding guards would
|
|
exclude all relays. This typically occurs in incredibly small tor
|
|
networks, and those using "TestingAuthVoteGuard *". Fixes part of
|
|
bug 13718; bugfix on 0.1.1.11-alpha. Patch by "teor".
|
|
|
|
o Code simplification and refactoring:
|
|
- Stop using can_complete_circuits as a global variable; access it
|
|
with a function instead.
|
|
- Avoid using operators directly as macro arguments: this lets us
|
|
apply coccinelle transformations to our codebase more directly.
|
|
Closes ticket 13172.
|
|
- Combine the functions used to parse ClientTransportPlugin and
|
|
ServerTransportPlugin into a single function. Closes ticket 6456.
|
|
- Add inline functions and convenience macros for inspecting channel
|
|
state. Refactor the code to use convenience macros instead of
|
|
checking channel state directly. Fixes issue 7356.
|
|
- Document all members of was_router_added_t and rename
|
|
ROUTER_WAS_NOT_NEW to ROUTER_IS_ALREADY_KNOWN to make it less
|
|
confusable with ROUTER_WAS_TOO_OLD. Fixes issue 13644.
|
|
- In connection_exit_begin_conn(), use END_CIRC_REASON_TORPROTOCOL
|
|
constant instead of hardcoded value. Fixes issue 13840.
|
|
- Refactor our generic strmap and digestmap types into a single
|
|
implementation, so that we can add a new digest256map
|
|
type trivially.
|
|
|
|
o Documentation:
|
|
- Document the bridge-authority-only 'networkstatus-bridges' file.
|
|
Closes ticket 13713; patch from "tom".
|
|
- Fix typo in PredictedPortsRelevanceTime option description in
|
|
manpage. Resolves issue 13707.
|
|
- Stop suggesting that users specify relays by nickname: it isn't a
|
|
good idea. Also, properly cross-reference how to specify relays in
|
|
all parts of manual documenting options that take a list of
|
|
relays. Closes ticket 13381.
|
|
- Clarify the HiddenServiceDir option description in manpage to make
|
|
it clear that relative paths are taken with respect to the current
|
|
working directory. Also clarify that this behavior is not
|
|
guaranteed to remain indefinitely. Fixes issue 13913.
|
|
|
|
o Testing:
|
|
- New tests for many parts of channel, relay, and circuitmux
|
|
functionality. Code by Andrea; part of 9262.
|
|
- New tests for parse_transport_line(). Part of ticket 6456.
|
|
- In the unit tests, use chgrp() to change the group of the unit
|
|
test temporary directory to the current user, so that the sticky
|
|
bit doesn't interfere with tests that check directory groups.
|
|
Closes 13678.
|
|
- Add unit tests for resolve_my_addr(). Part of ticket 12376; patch
|
|
by 'rl1987'.
|
|
|
|
|
|
Changes in version 0.2.6.1-alpha - 2014-10-30
|
|
Tor 0.2.6.1-alpha is the first release in the Tor 0.2.6.x series. It
|
|
includes numerous code cleanups and new tests, and fixes a large
|
|
number of annoying bugs. Out-of-memory conditions are handled better
|
|
than in 0.2.5, pluggable transports have improved proxy support, and
|
|
clients now use optimistic data for contacting hidden services. Also,
|
|
we are now more robust to changes in what we consider a parseable
|
|
directory object, so that tightening restrictions does not have a risk
|
|
of introducing infinite download loops.
|
|
|
|
This is the first alpha release in a new series, so expect there to be
|
|
bugs. Users who would rather test out a more stable branch should stay
|
|
with 0.2.5.x for now.
|
|
|
|
o New compiler and system requirements:
|
|
- Tor 0.2.6.x requires that your compiler support more of the C99
|
|
language standard than before. The 'configure' script now detects
|
|
whether your compiler supports C99 mid-block declarations and
|
|
designated initializers. If it does not, Tor will not compile.
|
|
|
|
We may revisit this requirement if it turns out that a significant
|
|
number of people need to build Tor with compilers that don't
|
|
bother implementing a 15-year-old standard. Closes ticket 13233.
|
|
- Tor no longer supports systems without threading support. When we
|
|
began working on Tor, there were several systems that didn't have
|
|
threads, or where the thread support wasn't able to run the
|
|
threads of a single process on multiple CPUs. That no longer
|
|
holds: every system where Tor needs to run well now has threading
|
|
support. Resolves ticket 12439.
|
|
|
|
o Removed platform support:
|
|
- We no longer include special code to build on Windows CE; as far
|
|
as we know, nobody has used Tor on Windows CE in a very long time.
|
|
Closes ticket 11446.
|
|
|
|
o Major features (bridges):
|
|
- Expose the outgoing upstream HTTP/SOCKS proxy to pluggable
|
|
transports if they are configured via the "TOR_PT_PROXY"
|
|
environment variable. Implements proposal 232. Resolves
|
|
ticket 8402.
|
|
|
|
o Major features (client performance, hidden services):
|
|
- Allow clients to use optimistic data when connecting to a hidden
|
|
service, which should remove a round-trip from hidden service
|
|
initialization. See proposal 181 for details. Implements
|
|
ticket 13211.
|
|
|
|
o Major features (directory system):
|
|
- Upon receiving an unparseable directory object, if its digest
|
|
matches what we expected, then don't try to download it again.
|
|
Previously, when we got a descriptor we didn't like, we would keep
|
|
trying to download it over and over. Closes ticket 11243.
|
|
|
|
o Major features (sample torrc):
|
|
- Add a new, infrequently-changed "torrc.minimal". This file is
|
|
similar to torrc.sample, but it will change as infrequently as
|
|
possible, for the benefit of users whose systems prompt them for
|
|
intervention whenever a default configuration file is changed.
|
|
Making this change allows us to update torrc.sample to be a more
|
|
generally useful "sample torrc".
|
|
|
|
o Major bugfixes (directory authorities):
|
|
- Do not assign the HSDir flag to relays if they are not Valid, or
|
|
currently hibernating. Fixes 12573; bugfix on 0.2.0.10-alpha.
|
|
|
|
o Major bugfixes (directory bandwidth performance):
|
|
- Don't flush the zlib buffer aggressively when compressing
|
|
directory information for clients. This should save about 7% of
|
|
the bandwidth currently used for compressed descriptors and
|
|
microdescriptors. Fixes bug 11787; bugfix on 0.1.1.23.
|
|
|
|
o Minor features (security, memory wiping):
|
|
- Ensure we securely wipe keys from memory after
|
|
crypto_digest_get_digest and init_curve25519_keypair_from_file
|
|
have finished using them. Resolves ticket 13477.
|
|
|
|
o Minor features (security, out-of-memory handling):
|
|
- When handling an out-of-memory condition, allocate less memory for
|
|
temporary data structures. Fixes issue 10115.
|
|
- When handling an out-of-memory condition, consider more types of
|
|
buffers, including those on directory connections, and zlib
|
|
buffers. Resolves ticket 11792.
|
|
|
|
o Minor features:
|
|
- When identity keypair is generated for first time, log a
|
|
congratulatory message that links to the new relay lifecycle
|
|
document. Implements feature 10427.
|
|
|
|
o Minor features (client):
|
|
- Clients are now willing to send optimistic data (before they
|
|
receive a 'connected' cell) to relays of any version. (Relays
|
|
without support for optimistic data are no longer supported on the
|
|
Tor network.) Resolves ticket 13153.
|
|
|
|
o Minor features (directory authorities):
|
|
- Don't list relays with a bandwidth estimate of 0 in the consensus.
|
|
Implements a feature proposed during discussion of bug 13000.
|
|
- In tor-gencert, report an error if the user provides the same
|
|
argument more than once.
|
|
- If a directory authority can't find a best consensus method in the
|
|
votes that it holds, it now falls back to its favorite consensus
|
|
method. Previously, it fell back to method 1. Neither of these is
|
|
likely to get enough signatures, but "fall back to favorite"
|
|
doesn't require us to maintain support an obsolete consensus
|
|
method. Implements part of proposal 215.
|
|
|
|
o Minor features (logging):
|
|
- On Unix-like systems, you can now use named pipes as the target of
|
|
the Log option, and other options that try to append to files.
|
|
Closes ticket 12061. Patch from "carlo von lynX".
|
|
- When opening a log file at startup, send it every log message that
|
|
we generated between startup and opening it. Previously, log
|
|
messages that were generated before opening the log file were only
|
|
logged to stdout. Closes ticket 6938.
|
|
- Add a TruncateLogFile option to overwrite logs instead of
|
|
appending to them. Closes ticket 5583.
|
|
|
|
o Minor features (portability, Solaris):
|
|
- Threads are no longer disabled by default on Solaris; we believe
|
|
that the versions of Solaris with broken threading support are all
|
|
obsolete by now. Resolves ticket 9495.
|
|
|
|
o Minor features (relay):
|
|
- Re-check our address after we detect a changed IP address from
|
|
getsockname(). This ensures that the controller command "GETINFO
|
|
address" will report the correct value. Resolves ticket 11582.
|
|
Patch from "ra".
|
|
- A new AccountingRule option lets Relays set whether they'd like
|
|
AccountingMax to be applied separately to inbound and outbound
|
|
traffic, or applied to the sum of inbound and outbound traffic.
|
|
Resolves ticket 961. Patch by "chobe".
|
|
|
|
o Minor features (testing networks):
|
|
- Add the TestingDirAuthVoteExit option, which lists nodes to assign
|
|
the "Exit" flag regardless of their uptime, bandwidth, or exit
|
|
policy. TestingTorNetwork must be set for this option to have any
|
|
effect. Previously, authorities would take up to 35 minutes to
|
|
give nodes the Exit flag in a test network. Partially implements
|
|
ticket 13161.
|
|
|
|
o Minor features (validation):
|
|
- Check all date/time values passed to tor_timegm and
|
|
parse_rfc1123_time for validity, taking leap years into account.
|
|
Improves HTTP header validation. Implemented with bug 13476.
|
|
- In correct_tm(), limit the range of values returned by system
|
|
localtime(_r) and gmtime(_r) to be between the years 1 and 8099.
|
|
This means we don't have to deal with negative or too large dates,
|
|
even if a clock is wrong. Otherwise we might fail to read a file
|
|
written by us which includes such a date. Fixes bug 13476.
|
|
|
|
o Minor bugfixes (bridge clients):
|
|
- When configured to use a bridge without an identity digest (not
|
|
recommended), avoid launching an extra channel to it when
|
|
bootstrapping. Fixes bug 7733; bugfix on 0.2.4.4-alpha.
|
|
|
|
o Minor bugfixes (bridges):
|
|
- When DisableNetwork is set, do not launch pluggable transport
|
|
plugins, and if any are running, terminate them. Fixes bug 13213;
|
|
bugfix on 0.2.3.6-alpha.
|
|
|
|
o Minor bugfixes (C correctness):
|
|
- Fix several instances of possible integer overflow/underflow/NaN.
|
|
Fixes bug 13104; bugfix on 0.2.3.1-alpha and later. Patches
|
|
from "teor".
|
|
- In circuit_build_times_calculate_timeout() in circuitstats.c,
|
|
avoid dividing by zero in the pareto calculations. This traps
|
|
under clang's "undefined-trap" sanitizer. Fixes bug 13290; bugfix
|
|
on 0.2.2.2-alpha.
|
|
- Fix an integer overflow in format_time_interval(). Fixes bug
|
|
13393; bugfix on 0.2.0.10-alpha.
|
|
- Set the correct day of year value when the system's localtime(_r)
|
|
or gmtime(_r) functions fail to set struct tm. Not externally
|
|
visible. Fixes bug 13476; bugfix on 0.0.2pre14.
|
|
- Avoid unlikely signed integer overflow in tor_timegm on systems
|
|
with 32-bit time_t. Fixes bug 13476; bugfix on 0.0.2pre14.
|
|
|
|
o Minor bugfixes (client):
|
|
- Fix smartlist_choose_node_by_bandwidth() so that relays with the
|
|
BadExit flag are not considered worthy candidates. Fixes bug
|
|
13066; bugfix on 0.1.2.3-alpha.
|
|
- Use the consensus schedule for downloading consensuses, and not
|
|
the generic schedule. Fixes bug 11679; bugfix on 0.2.2.6-alpha.
|
|
- Handle unsupported or malformed SOCKS5 requests properly by
|
|
responding with the appropriate error message before closing the
|
|
connection. Fixes bugs 12971 and 13314; bugfix on 0.0.2pre13.
|
|
|
|
o Minor bugfixes (client, torrc):
|
|
- Stop modifying the value of our DirReqStatistics torrc option just
|
|
because we're not a bridge or relay. This bug was causing Tor
|
|
Browser users to write "DirReqStatistics 0" in their torrc files
|
|
as if they had chosen to change the config. Fixes bug 4244; bugfix
|
|
on 0.2.3.1-alpha.
|
|
- When GeoIPExcludeUnknown is enabled, do not incorrectly decide
|
|
that our options have changed every time we SIGHUP. Fixes bug
|
|
9801; bugfix on 0.2.4.10-alpha. Patch from "qwerty1".
|
|
|
|
o Minor bugfixes (controller):
|
|
- Return an error when the second or later arguments of the
|
|
"setevents" controller command are invalid events. Previously we
|
|
would return success while silently skipping invalid events. Fixes
|
|
bug 13205; bugfix on 0.2.3.2-alpha. Reported by "fpxnns".
|
|
|
|
o Minor bugfixes (directory system):
|
|
- Always believe that v3 directory authorities serve extra-info
|
|
documents, whether they advertise "caches-extra-info" or not.
|
|
Fixes part of bug 11683; bugfix on 0.2.0.1-alpha.
|
|
- When running as a v3 directory authority, advertise that you serve
|
|
extra-info documents so that clients who want them can find them
|
|
from you too. Fixes part of bug 11683; bugfix on 0.2.0.1-alpha.
|
|
- Check the BRIDGE_DIRINFO flag bitwise rather than using equality.
|
|
Previously, directories offering BRIDGE_DIRINFO and some other
|
|
flag (i.e. microdescriptors or extrainfo) would be ignored when
|
|
looking for bridges. Partially fixes bug 13163; bugfix
|
|
on 0.2.0.7-alpha.
|
|
|
|
o Minor bugfixes (networking):
|
|
- Check for orconns and use connection_or_close_for_error() rather
|
|
than connection_mark_for_close() directly in the getsockopt()
|
|
failure case of connection_handle_write_impl(). Fixes bug 11302;
|
|
bugfix on 0.2.4.4-alpha.
|
|
|
|
o Minor bugfixes (relay):
|
|
- When generating our family list, remove spaces from around the
|
|
entries. Fixes bug 12728; bugfix on 0.2.1.7-alpha.
|
|
- If our previous bandwidth estimate was 0 bytes, allow publishing a
|
|
new relay descriptor immediately. Fixes bug 13000; bugfix
|
|
on 0.1.1.6-alpha.
|
|
|
|
o Minor bugfixes (testing networks):
|
|
- Fix TestingDirAuthVoteGuard to properly give out Guard flags in a
|
|
testing network. Fixes bug 13064; bugfix on 0.2.5.2-alpha.
|
|
- Stop using the default authorities in networks which provide both
|
|
AlternateDirAuthority and AlternateBridgeAuthority. Partially
|
|
fixes bug 13163; bugfix on 0.2.0.13-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Stop spawn test failures due to a race condition between the
|
|
SIGCHLD handler updating the process status, and the test reading
|
|
it. Fixes bug 13291; bugfix on 0.2.3.3-alpha.
|
|
|
|
o Minor bugfixes (testing, Windows):
|
|
- Avoid passing an extra backslash when creating a temporary
|
|
directory for running the unit tests on Windows. Fixes bug 12392;
|
|
bugfix on 0.2.2.25-alpha. Patch from Gisle Vanem.
|
|
|
|
o Minor bugfixes (windows):
|
|
- Remove code to special-case handling of NTE_BAD_KEYSET when
|
|
acquiring windows CryptoAPI context. This error can't actually
|
|
occur for the parameters we're providing. Fixes bug 10816; bugfix
|
|
on 0.0.2pre26.
|
|
|
|
o Minor bugfixes (zlib):
|
|
- Avoid truncating a zlib stream when trying to finalize it with an
|
|
empty output buffer. Fixes bug 11824; bugfix on 0.1.1.23.
|
|
|
|
o Build fixes:
|
|
- Allow our configure script to build correctly with autoconf 2.62
|
|
again. Fixes bug 12693; bugfix on 0.2.5.2-alpha.
|
|
- Improve the error message from ./configure to make it clear that
|
|
when asciidoc has not been found, the user will have to either add
|
|
--disable-asciidoc argument or install asciidoc. Resolves
|
|
ticket 13228.
|
|
|
|
o Code simplification and refactoring:
|
|
- Change the entry_is_live() function to take named bitfield
|
|
elements instead of an unnamed list of booleans. Closes
|
|
ticket 12202.
|
|
- Refactor and unit-test entry_is_time_to_retry() in entrynodes.c.
|
|
Resolves ticket 12205.
|
|
- Use calloc and reallocarray functions instead of multiply-
|
|
then-malloc. This makes it less likely for us to fall victim to an
|
|
integer overflow attack when allocating. Resolves ticket 12855.
|
|
- Use the standard macro name SIZE_MAX, instead of our
|
|
own SIZE_T_MAX.
|
|
- Document usage of the NO_DIRINFO and ALL_DIRINFO flags clearly in
|
|
functions which take them as arguments. Replace 0 with NO_DIRINFO
|
|
in a function call for clarity. Seeks to prevent future issues
|
|
like 13163.
|
|
- Avoid 4 null pointer errors under clang static analysis by using
|
|
tor_assert() to prove that the pointers aren't null. Fixes
|
|
bug 13284.
|
|
- Rework the API of policies_parse_exit_policy() to use a bitmask to
|
|
represent parsing options, instead of a confusing mess of
|
|
booleans. Resolves ticket 8197.
|
|
- Introduce a helper function to parse ExitPolicy in
|
|
or_options_t structure.
|
|
|
|
o Documentation:
|
|
- Add a doc/TUNING document with tips for handling large numbers of
|
|
TCP connections when running busy Tor relay. Update the warning
|
|
message to point to this file when running out of sockets
|
|
operating system is allowing to use simultaneously. Resolves
|
|
ticket 9708.
|
|
|
|
o Removed features:
|
|
- We no longer remind the user about configuration options that have
|
|
been obsolete since 0.2.3.x or earlier. Patch by Adrien Bak.
|
|
- Remove our old, non-weighted bandwidth-based node selection code.
|
|
Previously, we used it as a fallback when we couldn't perform
|
|
weighted bandwidth-based node selection. But that would only
|
|
happen in the cases where we had no consensus, or when we had a
|
|
consensus generated by buggy or ancient directory authorities. In
|
|
either case, it's better to use the more modern, better maintained
|
|
algorithm, with reasonable defaults for the weights. Closes
|
|
ticket 13126.
|
|
- Remove the --disable-curve25519 configure option. Relays and
|
|
clients now are required to support curve25519 and the
|
|
ntor handshake.
|
|
- The old "StrictEntryNodes" and "StrictExitNodes" options, which
|
|
used to be deprecated synonyms for "StrictNodes", are now marked
|
|
obsolete. Resolves ticket 12226.
|
|
- Clients don't understand the BadDirectory flag in the consensus
|
|
anymore, and ignore it.
|
|
|
|
o Testing:
|
|
- Refactor the function that chooses guard nodes so that it can more
|
|
easily be tested; write some tests for it.
|
|
- Fix and re-enable the fgets_eagain unit test. Fixes bug 12503;
|
|
bugfix on 0.2.3.1-alpha. Patch from "cypherpunks."
|
|
- Create unit tests for format_time_interval(). With bug 13393.
|
|
- Add unit tests for tor_timegm signed overflow, tor_timegm and
|
|
parse_rfc1123_time validity checks, correct_tm year clamping. Unit
|
|
tests (visible) fixes in bug 13476.
|
|
- Add a "coverage-html" make target to generate HTML-visualized
|
|
coverage results when building with --enable-coverage. (Requires
|
|
lcov.) Patch from Kevin Murray.
|
|
- Enable the backtrace handler (where supported) when running the
|
|
unit tests.
|
|
- Revise all unit tests that used the legacy test_* macros to
|
|
instead use the recommended tt_* macros. This patch was generated
|
|
with coccinelle, to avoid manual errors. Closes ticket 13119.
|
|
|
|
o Distribution (systemd):
|
|
- systemd unit file: only allow tor to write to /var/lib/tor and
|
|
/var/log/tor. The rest of the filesystem is accessible for reading
|
|
only. Patch by intrigeri; resolves ticket 12751.
|
|
- systemd unit file: ensure that the process and all its children
|
|
can never gain new privileges. Patch by intrigeri; resolves
|
|
ticket 12939.
|
|
- systemd unit file: set up /var/run/tor as writable for the Tor
|
|
service. Patch by intrigeri; resolves ticket 13196.
|
|
|
|
o Removed features (directory authorities):
|
|
- Remove code that prevented authorities from listing Tor relays
|
|
affected by CVE-2011-2769 as guards. These relays are already
|
|
rejected altogether due to the minimum version requirement of
|
|
0.2.3.16-alpha. Closes ticket 13152.
|
|
- The "AuthDirRejectUnlisted" option no longer has any effect, as
|
|
the fingerprints file (approved-routers) has been deprecated.
|
|
- Directory authorities do not support being Naming dirauths anymore.
|
|
The "NamingAuthoritativeDir" config option is now obsolete.
|
|
- Directory authorities do not support giving out the BadDirectory
|
|
flag anymore.
|
|
- Directory authorities no longer advertise or support consensus
|
|
methods 1 through 12 inclusive. These consensus methods were
|
|
obsolete and/or insecure: maintaining the ability to support them
|
|
served no good purpose. Implements part of proposal 215; closes
|
|
ticket 10163.
|
|
|
|
o Testing (test-network.sh):
|
|
- Stop using "echo -n", as some shells' built-in echo doesn't
|
|
support "-n". Instead, use "/bin/echo -n". Partially fixes
|
|
bug 13161.
|
|
- Stop an apparent test-network hang when used with make -j2. Fixes
|
|
bug 13331.
|
|
- Add a --delay option to test-network.sh, which configures the
|
|
delay before the chutney network tests for data transmission.
|
|
Partially implements ticket 13161.
|
|
|
|
|
|
Changes in version 0.2.5.10 - 2014-10-24
|
|
Tor 0.2.5.10 is the first stable release in the 0.2.5 series.
|
|
|
|
It adds several new security features, including improved
|
|
denial-of-service resistance for relays, new compiler hardening
|
|
options, and a system-call sandbox for hardened installations on Linux
|
|
(requires seccomp2). The controller protocol has several new features,
|
|
resolving IPv6 addresses should work better than before, and relays
|
|
should be a little more CPU-efficient. We've added support for more
|
|
OpenBSD and FreeBSD transparent proxy types. We've improved the build
|
|
system and testing infrastructure to allow unit testing of more parts
|
|
of the Tor codebase. Finally, we've addressed several nagging pluggable
|
|
transport usability issues, and included numerous other small bugfixes
|
|
and features mentioned below.
|
|
|
|
This release marks end-of-life for Tor 0.2.3.x; those Tor versions
|
|
have accumulated many known flaws; everyone should upgrade.
|
|
|
|
o Deprecated versions:
|
|
- Tor 0.2.3.x has reached end-of-life; it has received no patches or
|
|
attention for some while.
|
|
|
|
|
|
Changes in version 0.2.5.9-rc - 2014-10-20
|
|
Tor 0.2.5.9-rc is the third release candidate for the Tor 0.2.5.x
|
|
series. It disables SSL3 in response to the recent "POODLE" attack
|
|
(even though POODLE does not affect Tor). It also works around a crash
|
|
bug caused by some operating systems' response to the "POODLE" attack
|
|
(which does affect Tor). It also contains a few miscellaneous fixes.
|
|
|
|
o Major security fixes:
|
|
- Disable support for SSLv3. All versions of OpenSSL in use with Tor
|
|
today support TLS 1.0 or later, so we can safely turn off support
|
|
for this old (and insecure) protocol. Fixes bug 13426.
|
|
|
|
o Major bugfixes (openssl bug workaround):
|
|
- Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
|
|
1.0.1j, built with the 'no-ssl3' configuration option. Fixes bug
|
|
13471. This is a workaround for an OpenSSL bug.
|
|
|
|
o Minor bugfixes:
|
|
- Disable the sandbox name resolver cache when running tor-resolve:
|
|
tor-resolve doesn't use the sandbox code, and turning it on was
|
|
breaking attempts to do tor-resolve on a non-default server on
|
|
Linux. Fixes bug 13295; bugfix on 0.2.5.3-alpha.
|
|
|
|
o Compilation fixes:
|
|
- Build and run correctly on systems like OpenBSD-current that have
|
|
patched OpenSSL to remove get_cipher_by_char and/or its
|
|
implementations. Fixes issue 13325.
|
|
|
|
o Downgraded warnings:
|
|
- Downgrade the severity of the 'unexpected sendme cell from client'
|
|
from 'warn' to 'protocol warning'. Closes ticket 8093.
|
|
|
|
|
|
Changes in version 0.2.4.25 - 2014-10-20
|
|
Tor 0.2.4.25 disables SSL3 in response to the recent "POODLE" attack
|
|
(even though POODLE does not affect Tor). It also works around a crash
|
|
bug caused by some operating systems' response to the "POODLE" attack
|
|
(which does affect Tor).
|
|
|
|
o Major security fixes (also in 0.2.5.9-rc):
|
|
- Disable support for SSLv3. All versions of OpenSSL in use with Tor
|
|
today support TLS 1.0 or later, so we can safely turn off support
|
|
for this old (and insecure) protocol. Fixes bug 13426.
|
|
|
|
o Major bugfixes (openssl bug workaround, also in 0.2.5.9-rc):
|
|
- Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
|
|
1.0.1j, built with the 'no-ssl3' configuration option. Fixes bug
|
|
13471. This is a workaround for an OpenSSL bug.
|
|
|
|
|
|
Changes in version 0.2.5.8-rc - 2014-09-22
|
|
Tor 0.2.5.8-rc is the second release candidate for the Tor 0.2.5.x
|
|
series. It fixes a bug that affects consistency and speed when
|
|
connecting to hidden services, and it updates the location of one of
|
|
the directory authorities.
|
|
|
|
o Major bugfixes:
|
|
- Clients now send the correct address for their chosen rendezvous
|
|
point when trying to access a hidden service. They used to send
|
|
the wrong address, which would still work some of the time because
|
|
they also sent the identity digest of the rendezvous point, and if
|
|
the hidden service happened to try connecting to the rendezvous
|
|
point from a relay that already had a connection open to it,
|
|
the relay would reuse that connection. Now connections to hidden
|
|
services should be more robust and faster. Also, this bug meant
|
|
that clients were leaking to the hidden service whether they were
|
|
on a little-endian (common) or big-endian (rare) system, which for
|
|
some users might have reduced their anonymity. Fixes bug 13151;
|
|
bugfix on 0.2.1.5-alpha.
|
|
|
|
o Directory authority changes:
|
|
- Change IP address for gabelmoo (v3 directory authority).
|
|
|
|
|
|
Changes in version 0.2.4.24 - 2014-09-22
|
|
Tor 0.2.4.24 fixes a bug that affects consistency and speed when
|
|
connecting to hidden services, and it updates the location of one of
|
|
the directory authorities.
|
|
|
|
o Major bugfixes:
|
|
- Clients now send the correct address for their chosen rendezvous
|
|
point when trying to access a hidden service. They used to send
|
|
the wrong address, which would still work some of the time because
|
|
they also sent the identity digest of the rendezvous point, and if
|
|
the hidden service happened to try connecting to the rendezvous
|
|
point from a relay that already had a connection open to it,
|
|
the relay would reuse that connection. Now connections to hidden
|
|
services should be more robust and faster. Also, this bug meant
|
|
that clients were leaking to the hidden service whether they were
|
|
on a little-endian (common) or big-endian (rare) system, which for
|
|
some users might have reduced their anonymity. Fixes bug 13151;
|
|
bugfix on 0.2.1.5-alpha.
|
|
|
|
o Directory authority changes:
|
|
- Change IP address for gabelmoo (v3 directory authority).
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
|
|
Changes in version 0.2.5.7-rc - 2014-09-11
|
|
Tor 0.2.5.7-rc fixes several regressions from earlier in the 0.2.5.x
|
|
release series, and some long-standing bugs related to ORPort reachability
|
|
testing and failure to send CREATE cells. It is the first release
|
|
candidate for the Tor 0.2.5.x series.
|
|
|
|
o Major bugfixes (client, startup):
|
|
- Start making circuits as soon as DisabledNetwork is turned off.
|
|
When Tor started with DisabledNetwork set, it would correctly
|
|
conclude that it shouldn't build circuits, but it would mistakenly
|
|
cache this conclusion, and continue believing it even when
|
|
DisableNetwork is set to 0. Fixes the bug introduced by the fix
|
|
for bug 11200; bugfix on 0.2.5.4-alpha.
|
|
- Resume expanding abbreviations for command-line options. The fix
|
|
for bug 4647 accidentally removed our hack from bug 586 that
|
|
rewrote HashedControlPassword to __HashedControlSessionPassword
|
|
when it appears on the commandline (which allowed the user to set
|
|
her own HashedControlPassword in the torrc file while the
|
|
controller generates a fresh session password for each run). Fixes
|
|
bug 12948; bugfix on 0.2.5.1-alpha.
|
|
- Warn about attempts to run hidden services and relays in the same
|
|
process: that's probably not a good idea. Closes ticket 12908.
|
|
|
|
o Major bugfixes (relay):
|
|
- Avoid queuing or sending destroy cells for circuit ID zero when we
|
|
fail to send a CREATE cell. Fixes bug 12848; bugfix on 0.0.8pre1.
|
|
Found and fixed by "cypherpunks".
|
|
- Fix ORPort reachability detection on relays running behind a
|
|
proxy, by correctly updating the "local" mark on the controlling
|
|
channel when changing the address of an or_connection_t after the
|
|
handshake. Fixes bug 12160; bugfix on 0.2.4.4-alpha.
|
|
|
|
o Minor features (bridge):
|
|
- Add an ExtORPortCookieAuthFileGroupReadable option to make the
|
|
cookie file for the ExtORPort g+r by default.
|
|
|
|
o Minor features (geoip):
|
|
- Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (logging):
|
|
- Reduce the log severity of the "Pluggable transport proxy does not
|
|
provide any needed transports and will not be launched." message,
|
|
since Tor Browser includes several ClientTransportPlugin lines in
|
|
its torrc-defaults file, leading every Tor Browser user who looks
|
|
at her logs to see these notices and wonder if they're dangerous.
|
|
Resolves bug 13124; bugfix on 0.2.5.3-alpha.
|
|
- Downgrade "Unexpected onionskin length after decryption" warning
|
|
to a protocol-warn, since there's nothing relay operators can do
|
|
about a client that sends them a malformed create cell. Resolves
|
|
bug 12996; bugfix on 0.0.6rc1.
|
|
- Log more specific warnings when we get an ESTABLISH_RENDEZVOUS
|
|
cell on a cannibalized or non-OR circuit. Resolves ticket 12997.
|
|
- When logging information about an EXTEND2 or EXTENDED2 cell, log
|
|
their names correctly. Fixes part of bug 12700; bugfix
|
|
on 0.2.4.8-alpha.
|
|
- When logging information about a relay cell whose command we don't
|
|
recognize, log its command as an integer. Fixes part of bug 12700;
|
|
bugfix on 0.2.1.10-alpha.
|
|
- Escape all strings from the directory connection before logging
|
|
them. Fixes bug 13071; bugfix on 0.1.1.15. Patch from "teor".
|
|
|
|
o Minor bugfixes (controller):
|
|
- Restore the functionality of CookieAuthFileGroupReadable. Fixes
|
|
bug 12864; bugfix on 0.2.5.1-alpha.
|
|
- Actually send TRANSPORT_LAUNCHED and HS_DESC events to
|
|
controllers. Fixes bug 13085; bugfix on 0.2.5.1-alpha. Patch
|
|
by "teor".
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Fix compilation of test.h with MSVC. Patch from Gisle Vanem;
|
|
bugfix on 0.2.5.5-alpha.
|
|
- Make the nmake make files work again. Fixes bug 13081. Bugfix on
|
|
0.2.5.1-alpha. Patch from "NewEraCracker".
|
|
- In routerlist_assert_ok(), don't take the address of a
|
|
routerinfo's cache_info member unless that routerinfo is non-NULL.
|
|
Fixes bug 13096; bugfix on 0.1.1.9-alpha. Patch by "teor".
|
|
- Fix a large number of false positive warnings from the clang
|
|
analyzer static analysis tool. This should make real warnings
|
|
easier for clang analyzer to find. Patch from "teor". Closes
|
|
ticket 13036.
|
|
|
|
o Distribution (systemd):
|
|
- Verify configuration file via ExecStartPre in the systemd unit
|
|
file. Patch from intrigeri; resolves ticket 12730.
|
|
- Explicitly disable RunAsDaemon in the systemd unit file. Our
|
|
current systemd unit uses "Type = simple", so systemd does not
|
|
expect tor to fork. If the user has "RunAsDaemon 1" in their
|
|
torrc, then things won't work as expected. This is e.g. the case
|
|
on Debian (and derivatives), since there we pass "--defaults-torrc
|
|
/usr/share/tor/tor-service-defaults-torrc" (that contains
|
|
"RunAsDaemon 1") by default. Patch by intrigeri; resolves
|
|
ticket 12731.
|
|
|
|
o Documentation:
|
|
- Adjust the URLs in the README to refer to the new locations of
|
|
several documents on the website. Fixes bug 12830. Patch from
|
|
Matt Pagan.
|
|
- Document 'reject6' and 'accept6' ExitPolicy entries. Resolves
|
|
ticket 12878.
|
|
|
|
|
|
Changes in version 0.2.5.6-alpha - 2014-07-28
|
|
Tor 0.2.5.6-alpha brings us a big step closer to slowing down the
|
|
risk from guard rotation, and fixes a variety of other issues to get
|
|
us closer to a release candidate.
|
|
|
|
o Major features (also in 0.2.4.23):
|
|
- Make the number of entry guards configurable via a new
|
|
NumEntryGuards consensus parameter, and the number of directory
|
|
guards configurable via a new NumDirectoryGuards consensus
|
|
parameter. Implements ticket 12688.
|
|
|
|
o Major bugfixes (also in 0.2.4.23):
|
|
- Fix a bug in the bounds-checking in the 32-bit curve25519-donna
|
|
implementation that caused incorrect results on 32-bit
|
|
implementations when certain malformed inputs were used along with
|
|
a small class of private ntor keys. This bug does not currently
|
|
appear to allow an attacker to learn private keys or impersonate a
|
|
Tor server, but it could provide a means to distinguish 32-bit Tor
|
|
implementations from 64-bit Tor implementations. Fixes bug 12694;
|
|
bugfix on 0.2.4.8-alpha. Bug found by Robert Ransom; fix from
|
|
Adam Langley.
|
|
|
|
o Major bugfixes:
|
|
- Perform circuit cleanup operations even when circuit
|
|
construction operations are disabled (because the network is
|
|
disabled, or because there isn't enough directory information).
|
|
Previously, when we were not building predictive circuits, we
|
|
were not closing expired circuits either. Fixes bug 8387; bugfix on
|
|
0.1.1.11-alpha. This bug became visible in 0.2.4.10-alpha when we
|
|
became more strict about when we have "enough directory information
|
|
to build circuits".
|
|
|
|
o Minor features:
|
|
- Authorities now assign the Guard flag to the fastest 25% of the
|
|
network (it used to be the fastest 50%). Also raise the consensus
|
|
weight that guarantees the Guard flag from 250 to 2000. For the
|
|
current network, this results in about 1100 guards, down from 2500.
|
|
This step paves the way for moving the number of entry guards
|
|
down to 1 (proposal 236) while still providing reasonable expected
|
|
performance for most users. Implements ticket 12690.
|
|
- Update geoip and geoip6 to the July 10 2014 Maxmind GeoLite2
|
|
Country database.
|
|
- Slightly enhance the diagnostic message for bug 12184.
|
|
|
|
o Minor bugfixes (also in 0.2.4.23):
|
|
- Warn and drop the circuit if we receive an inbound 'relay early'
|
|
cell. Those used to be normal to receive on hidden service circuits
|
|
due to bug 1038, but the buggy Tor versions are long gone from
|
|
the network so we can afford to resume watching for them. Resolves
|
|
the rest of bug 1038; bugfix on 0.2.1.19.
|
|
- Correct a confusing error message when trying to extend a circuit
|
|
via the control protocol but we don't know a descriptor or
|
|
microdescriptor for one of the specified relays. Fixes bug 12718;
|
|
bugfix on 0.2.3.1-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Fix compilation when building with bufferevents enabled. (This
|
|
configuration is still not expected to work, however.)
|
|
Fixes bugs 12438, 12474, 11578; bugfixes on 0.2.5.1-alpha and
|
|
0.2.5.3-alpha. Patches from Anthony G. Basile and Sathyanarayanan
|
|
Gunasekaran.
|
|
- Compile correctly with builds and forks of OpenSSL (such as
|
|
LibreSSL) that disable compression. Fixes bug 12602; bugfix on
|
|
0.2.1.1-alpha. Patch from "dhill".
|
|
|
|
|
|
Changes in version 0.2.4.23 - 2014-07-28
|
|
Tor 0.2.4.23 brings us a big step closer to slowing down the risk from
|
|
guard rotation, and also backports several important fixes from the
|
|
Tor 0.2.5 alpha release series.
|
|
|
|
o Major features:
|
|
- Clients now look at the "usecreatefast" consensus parameter to
|
|
decide whether to use CREATE_FAST or CREATE cells for the first hop
|
|
of their circuit. This approach can improve security on connections
|
|
where Tor's circuit handshake is stronger than the available TLS
|
|
connection security levels, but the tradeoff is more computational
|
|
load on guard relays. Implements proposal 221. Resolves ticket 9386.
|
|
- Make the number of entry guards configurable via a new
|
|
NumEntryGuards consensus parameter, and the number of directory
|
|
guards configurable via a new NumDirectoryGuards consensus
|
|
parameter. Implements ticket 12688.
|
|
|
|
o Major bugfixes:
|
|
- Fix a bug in the bounds-checking in the 32-bit curve25519-donna
|
|
implementation that caused incorrect results on 32-bit
|
|
implementations when certain malformed inputs were used along with
|
|
a small class of private ntor keys. This bug does not currently
|
|
appear to allow an attacker to learn private keys or impersonate a
|
|
Tor server, but it could provide a means to distinguish 32-bit Tor
|
|
implementations from 64-bit Tor implementations. Fixes bug 12694;
|
|
bugfix on 0.2.4.8-alpha. Bug found by Robert Ransom; fix from
|
|
Adam Langley.
|
|
|
|
o Minor bugfixes:
|
|
- Warn and drop the circuit if we receive an inbound 'relay early'
|
|
cell. Those used to be normal to receive on hidden service circuits
|
|
due to bug 1038, but the buggy Tor versions are long gone from
|
|
the network so we can afford to resume watching for them. Resolves
|
|
the rest of bug 1038; bugfix on 0.2.1.19.
|
|
- Correct a confusing error message when trying to extend a circuit
|
|
via the control protocol but we don't know a descriptor or
|
|
microdescriptor for one of the specified relays. Fixes bug 12718;
|
|
bugfix on 0.2.3.1-alpha.
|
|
- Avoid an illegal read from stack when initializing the TLS
|
|
module using a version of OpenSSL without all of the ciphers
|
|
used by the v2 link handshake. Fixes bug 12227; bugfix on
|
|
0.2.4.8-alpha. Found by "starlight".
|
|
|
|
o Minor features:
|
|
- Update geoip and geoip6 to the July 10 2014 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
|
|
Changes in version 0.2.5.5-alpha - 2014-06-18
|
|
Tor 0.2.5.5-alpha fixes a wide variety of remaining issues in the Tor
|
|
0.2.5.x release series, including a couple of DoS issues, some
|
|
performance regressions, a large number of bugs affecting the Linux
|
|
seccomp2 sandbox code, and various other bugfixes. It also adds
|
|
diagnostic bugfixes for a few tricky issues that we're trying to
|
|
track down.
|
|
|
|
o Major features (security, traffic analysis resistance):
|
|
- Several major improvements to the algorithm used to decide when to
|
|
close TLS connections. Previous versions of Tor closed connections
|
|
at a fixed interval after the last time a non-padding cell was
|
|
sent over the connection, regardless of the target of the
|
|
connection. Now, we randomize the intervals by adding up to 50% of
|
|
their base value, we measure the length of time since connection
|
|
last had at least one circuit, and we allow connections to known
|
|
ORs to remain open a little longer (15 minutes instead of 3
|
|
minutes minimum). These changes should improve Tor's resistance
|
|
against some kinds of traffic analysis, and lower some overhead
|
|
from needlessly closed connections. Fixes ticket 6799.
|
|
Incidentally fixes ticket 12023; bugfix on 0.2.5.1-alpha.
|
|
|
|
o Major bugfixes (security, OOM, new since 0.2.5.4-alpha, also in 0.2.4.22):
|
|
- Fix a memory leak that could occur if a microdescriptor parse
|
|
fails during the tokenizing step. This bug could enable a memory
|
|
exhaustion attack by directory servers. Fixes bug 11649; bugfix
|
|
on 0.2.2.6-alpha.
|
|
|
|
o Major bugfixes (security, directory authorities):
|
|
- Directory authorities now include a digest of each relay's
|
|
identity key as a part of its microdescriptor.
|
|
|
|
This is a workaround for bug 11743 (reported by "cypherpunks"),
|
|
where Tor clients do not support receiving multiple
|
|
microdescriptors with the same SHA256 digest in the same
|
|
consensus. When clients receive a consensus like this, they only
|
|
use one of the relays. Without this fix, a hostile relay could
|
|
selectively disable some client use of target relays by
|
|
constructing a router descriptor with a different identity and the
|
|
same microdescriptor parameters and getting the authorities to
|
|
list it in a microdescriptor consensus. This fix prevents an
|
|
attacker from causing a microdescriptor collision, because the
|
|
router's identity is not forgeable.
|
|
|
|
o Major bugfixes (relay):
|
|
- Use a direct dirport connection when uploading non-anonymous
|
|
descriptors to the directory authorities. Previously, relays would
|
|
incorrectly use tunnel connections under a fairly wide variety of
|
|
circumstances. Fixes bug 11469; bugfix on 0.2.4.3-alpha.
|
|
- When a circuit accidentally has the same circuit ID for its
|
|
forward and reverse direction, correctly detect the direction of
|
|
cells using that circuit. Previously, this bug made roughly one
|
|
circuit in a million non-functional. Fixes bug 12195; this is a
|
|
bugfix on every version of Tor.
|
|
|
|
o Major bugfixes (client, pluggable transports):
|
|
- When managing pluggable transports, use OS notification facilities
|
|
to learn if they have crashed, and don't attempt to kill any
|
|
process that has already exited. Fixes bug 8746; bugfix
|
|
on 0.2.3.6-alpha.
|
|
|
|
o Minor features (diagnostic):
|
|
- When logging a warning because of bug 7164, additionally check the
|
|
hash table for consistency (as proposed on ticket 11737). This may
|
|
help diagnose bug 7164.
|
|
- When we log a heartbeat, log how many one-hop circuits we have
|
|
that are at least 30 minutes old, and log status information about
|
|
a few of them. This is an attempt to track down bug 8387.
|
|
- When encountering an unexpected CR while writing text to a file on
|
|
Windows, log the name of the file. Should help diagnosing
|
|
bug 11233.
|
|
- Give more specific warnings when a client notices that an onion
|
|
handshake has failed. Fixes ticket 9635.
|
|
- Add significant new logging code to attempt to diagnose bug 12184,
|
|
where relays seem to run out of available circuit IDs.
|
|
- Improve the diagnostic log message for bug 8387 even further to
|
|
try to improve our odds of figuring out why one-hop directory
|
|
circuits sometimes do not get closed.
|
|
|
|
o Minor features (security, memory management):
|
|
- Memory allocation tricks (mempools and buffer freelists) are now
|
|
disabled by default. You can turn them back on with
|
|
--enable-mempools and --enable-buf-freelists respectively. We're
|
|
disabling these features because malloc performance is good enough
|
|
on most platforms, and a similar feature in OpenSSL exacerbated
|
|
exploitation of the Heartbleed attack. Resolves ticket 11476.
|
|
|
|
o Minor features (security):
|
|
- Apply the secure SipHash-2-4 function to the hash table mapping
|
|
circuit IDs and channels to circuits. We missed this one when we
|
|
were converting all the other hash functions to use SipHash back
|
|
in 0.2.5.3-alpha. Resolves ticket 11750.
|
|
|
|
o Minor features (build):
|
|
- The configure script has a --disable-seccomp option to turn off
|
|
support for libseccomp on systems that have it, in case it (or
|
|
Tor's use of it) is broken. Resolves ticket 11628.
|
|
|
|
o Minor features (other):
|
|
- Update geoip and geoip6 to the June 4 2014 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (security, new since 0.2.5.4-alpha, also in 0.2.4.22):
|
|
- When running a hidden service, do not allow TunneledDirConns 0;
|
|
this will keep the hidden service from running, and also
|
|
make it publish its descriptors directly over HTTP. Fixes bug 10849;
|
|
bugfix on 0.2.1.1-alpha.
|
|
|
|
o Minor bugfixes (performance):
|
|
- Avoid a bug where every successful connection made us recompute
|
|
the flag telling us whether we have sufficient information to
|
|
build circuits. Previously, we would forget our cached value
|
|
whenever we successfully opened a channel (or marked a router as
|
|
running or not running for any other reason), regardless of
|
|
whether we had previously believed the router to be running. This
|
|
forced us to run an expensive update operation far too often.
|
|
Fixes bug 12170; bugfix on 0.1.2.1-alpha.
|
|
- Avoid using tor_memeq() for checking relay cell integrity. This
|
|
removes a possible performance bottleneck. Fixes part of bug
|
|
12169; bugfix on 0.2.1.31.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Fix compilation of test_status.c when building with MVSC. Bugfix
|
|
on 0.2.5.4-alpha. Patch from Gisle Vanem.
|
|
- Resolve GCC complaints on OpenBSD about discarding constness in
|
|
TO_{ORIGIN,OR}_CIRCUIT functions. Fixes part of bug 11633; bugfix
|
|
on 0.1.1.23. Patch from Dana Koch.
|
|
- Resolve clang complaints on OpenBSD with -Wshorten-64-to-32 due to
|
|
treatment of long and time_t as comparable types. Fixes part of
|
|
bug 11633. Patch from Dana Koch.
|
|
- Make Tor compile correctly with --disable-buf-freelists. Fixes bug
|
|
11623; bugfix on 0.2.5.3-alpha.
|
|
- When deciding whether to build the 64-bit curve25519
|
|
implementation, detect platforms where we can compile 128-bit
|
|
arithmetic but cannot link it. Fixes bug 11729; bugfix on
|
|
0.2.4.8-alpha. Patch from "conradev".
|
|
- Fix compilation when DNS_CACHE_DEBUG is enabled. Fixes bug 11761;
|
|
bugfix on 0.2.3.13-alpha. Found by "cypherpunks".
|
|
- Fix compilation with dmalloc. Fixes bug 11605; bugfix
|
|
on 0.2.4.10-alpha.
|
|
|
|
o Minor bugfixes (Directory server):
|
|
- When sending a compressed set of descriptors or microdescriptors,
|
|
make sure to finalize the zlib stream. Previously, we would write
|
|
all the compressed data, but if the last descriptor we wanted to
|
|
send was missing or too old, we would not mark the stream as
|
|
finished. This caused problems for decompression tools. Fixes bug
|
|
11648; bugfix on 0.1.1.23.
|
|
|
|
o Minor bugfixes (Linux seccomp sandbox):
|
|
- Make the seccomp sandbox code compile under ARM Linux. Fixes bug
|
|
11622; bugfix on 0.2.5.1-alpha.
|
|
- Avoid crashing when re-opening listener ports with the seccomp
|
|
sandbox active. Fixes bug 12115; bugfix on 0.2.5.1-alpha.
|
|
- Avoid crashing with the seccomp sandbox enabled along with
|
|
ConstrainedSockets. Fixes bug 12139; bugfix on 0.2.5.1-alpha.
|
|
- When we receive a SIGHUP with the sandbox enabled, correctly
|
|
support rotating our log files. Fixes bug 12032; bugfix
|
|
on 0.2.5.1-alpha.
|
|
- Avoid crash when running with sandboxing enabled and
|
|
DirReqStatistics not disabled. Fixes bug 12035; bugfix
|
|
on 0.2.5.1-alpha.
|
|
- Fix a "BUG" warning when trying to write bridge-stats files with
|
|
the Linux syscall sandbox filter enabled. Fixes bug 12041; bugfix
|
|
on 0.2.5.1-alpha.
|
|
- Prevent the sandbox from crashing on startup when run with the
|
|
--enable-expensive-hardening configuration option. Fixes bug
|
|
11477; bugfix on 0.2.5.4-alpha.
|
|
- When running with DirPortFrontPage and sandboxing both enabled,
|
|
reload the DirPortFrontPage correctly when restarting. Fixes bug
|
|
12028; bugfix on 0.2.5.1-alpha.
|
|
- Don't try to enable the sandbox when using the Tor binary to check
|
|
its configuration, hash a passphrase, or so on. Doing so was
|
|
crashing on startup for some users. Fixes bug 11609; bugfix
|
|
on 0.2.5.1-alpha.
|
|
- Avoid warnings when running with sandboxing and node statistics
|
|
enabled at the same time. Fixes part of 12064; bugfix on
|
|
0.2.5.1-alpha. Patch from Michael Wolf.
|
|
- Avoid warnings when running with sandboxing enabled at the same
|
|
time as cookie authentication, hidden services, or directory
|
|
authority voting. Fixes part of 12064; bugfix on 0.2.5.1-alpha.
|
|
- Do not allow options that require calls to exec to be enabled
|
|
alongside the seccomp2 sandbox: they will inevitably crash. Fixes
|
|
bug 12043; bugfix on 0.2.5.1-alpha.
|
|
- Handle failures in getpwnam()/getpwuid() when running with the
|
|
User option set and the Linux syscall sandbox enabled. Fixes bug
|
|
11946; bugfix on 0.2.5.1-alpha.
|
|
- Refactor the getaddrinfo workaround that the seccomp sandbox uses
|
|
to avoid calling getaddrinfo() after installing the sandbox
|
|
filters. Previously, it preloaded a cache with the IPv4 address
|
|
for our hostname, and nothing else. Now, it loads the cache with
|
|
every address that it used to initialize the Tor process. Fixes
|
|
bug 11970; bugfix on 0.2.5.1-alpha.
|
|
|
|
o Minor bugfixes (pluggable transports):
|
|
- Enable the ExtORPortCookieAuthFile option, to allow changing the
|
|
default location of the authentication token for the extended OR
|
|
Port as used by sever-side pluggable transports. We had
|
|
implemented this option before, but the code to make it settable
|
|
had been omitted. Fixes bug 11635; bugfix on 0.2.5.1-alpha.
|
|
- Avoid another 60-second delay when starting Tor in a pluggable-
|
|
transport-using configuration when we already have cached
|
|
descriptors for our bridges. Fixes bug 11965; bugfix
|
|
on 0.2.3.6-alpha.
|
|
|
|
o Minor bugfixes (client):
|
|
- Avoid "Tried to open a socket with DisableNetwork set" warnings
|
|
when starting a client with bridges configured and DisableNetwork
|
|
set. (Tor launcher starts Tor with DisableNetwork set the first
|
|
time it runs.) Fixes bug 10405; bugfix on 0.2.3.9-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- The Python parts of the test scripts now work on Python 3 as well
|
|
as Python 2, so systems where '/usr/bin/python' is Python 3 will
|
|
no longer have the tests break. Fixes bug 11608; bugfix
|
|
on 0.2.5.2-alpha.
|
|
- When looking for versions of python that we could run the tests
|
|
with, check for "python2.7" and "python3.3"; previously we were
|
|
only looking for "python", "python2", and "python3". Patch from
|
|
Dana Koch. Fixes bug 11632; bugfix on 0.2.5.2-alpha.
|
|
- Fix all valgrind warnings produced by the unit tests. There were
|
|
over a thousand memory leak warnings previously, mostly produced
|
|
by forgetting to free things in the unit test code. Fixes bug
|
|
11618, bugfixes on many versions of Tor.
|
|
|
|
o Minor bugfixes (tor-fw-helper):
|
|
- Give a correct log message when tor-fw-helper fails to launch.
|
|
(Previously, we would say something like "tor-fw-helper sent us a
|
|
string we could not parse".) Fixes bug 9781; bugfix
|
|
on 0.2.4.2-alpha.
|
|
|
|
o Minor bugfixes (relay, threading):
|
|
- Check return code on spawn_func() in cpuworker code, so that we
|
|
don't think we've spawned a nonworking cpuworker and write junk to
|
|
it forever. Fix related to bug 4345; bugfix on all released Tor
|
|
versions. Found by "skruffy".
|
|
- Use a pthread_attr to make sure that spawn_func() cannot return an
|
|
error while at the same time launching a thread. Fix related to
|
|
bug 4345; bugfix on all released Tor versions. Reported
|
|
by "cypherpunks".
|
|
|
|
o Minor bugfixes (relay, oom prevention):
|
|
- Correctly detect the total available system memory. We tried to do
|
|
this in 0.2.5.4-alpha, but the code was set up to always return an
|
|
error value, even on success. Fixes bug 11805; bugfix
|
|
on 0.2.5.4-alpha.
|
|
|
|
o Minor bugfixes (relay, other):
|
|
- We now drop CREATE cells for already-existent circuit IDs and for
|
|
zero-valued circuit IDs, regardless of other factors that might
|
|
otherwise have called for DESTROY cells. Fixes bug 12191; bugfix
|
|
on 0.0.8pre1.
|
|
- Avoid an illegal read from stack when initializing the TLS module
|
|
using a version of OpenSSL without all of the ciphers used by the
|
|
v2 link handshake. Fixes bug 12227; bugfix on 0.2.4.8-alpha. Found
|
|
by "starlight".
|
|
- When rejecting DATA cells for stream_id zero, still count them
|
|
against the circuit's deliver window so that we don't fail to send
|
|
a SENDME. Fixes bug 11246; bugfix on 0.2.4.10-alpha.
|
|
|
|
o Minor bugfixes (logging):
|
|
- Fix a misformatted log message about delayed directory fetches.
|
|
Fixes bug 11654; bugfix on 0.2.5.3-alpha.
|
|
- Squelch a spurious LD_BUG message "No origin circuit for
|
|
successful SOCKS stream" in certain hidden service failure cases;
|
|
fixes bug 10616.
|
|
|
|
o Distribution:
|
|
- Include a tor.service file in contrib/dist for use with systemd.
|
|
Some distributions will be able to use this file unmodified;
|
|
others will need to tweak it, or write their own. Patch from Jamie
|
|
Nguyen; resolves ticket 8368.
|
|
|
|
o Documentation:
|
|
- Clean up several option names in the manpage to match their real
|
|
names, add the missing documentation for a couple of testing and
|
|
directory authority options, remove the documentation for a
|
|
V2-directory fetching option that no longer exists. Resolves
|
|
ticket 11634.
|
|
- Correct the documenation so that it lists the correct directory
|
|
for the stats files. (They are in a subdirectory called "stats",
|
|
not "status".)
|
|
- In the manpage, move more authority-only options into the
|
|
directory authority section so that operators of regular directory
|
|
caches don't get confused.
|
|
|
|
o Package cleanup:
|
|
- The contrib directory has been sorted and tidied. Before, it was
|
|
an unsorted dumping ground for useful and not-so-useful things.
|
|
Now, it is divided based on functionality, and the items which
|
|
seemed to be nonfunctional or useless have been removed. Resolves
|
|
ticket 8966; based on patches from "rl1987".
|
|
|
|
o Removed code:
|
|
- Remove /tor/dbg-stability.txt URL that was meant to help debug WFU
|
|
and MTBF calculations, but that nobody was using. Fixes ticket 11742.
|
|
- The TunnelDirConns and PreferTunnelledDirConns options no longer
|
|
exist; tunneled directory connections have been available since
|
|
0.1.2.5-alpha, and turning them off is not a good idea. This is a
|
|
brute-force fix for 10849, where "TunnelDirConns 0" would break
|
|
hidden services.
|
|
|
|
|
|
Changes in version 0.2.4.22 - 2014-05-16
|
|
Tor 0.2.4.22 backports numerous high-priority fixes from the Tor 0.2.5
|
|
alpha release series. These include blocking all authority signing
|
|
keys that may have been affected by the OpenSSL "heartbleed" bug,
|
|
choosing a far more secure set of TLS ciphersuites by default, closing
|
|
a couple of memory leaks that could be used to run a target relay out
|
|
of RAM, and several others.
|
|
|
|
o Major features (security, backport from 0.2.5.4-alpha):
|
|
- Block authority signing keys that were used on authorities
|
|
vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We
|
|
don't have any evidence that these keys _were_ compromised; we're
|
|
doing this to be prudent.) Resolves ticket 11464.
|
|
|
|
o Major bugfixes (security, OOM):
|
|
- Fix a memory leak that could occur if a microdescriptor parse
|
|
fails during the tokenizing step. This bug could enable a memory
|
|
exhaustion attack by directory servers. Fixes bug 11649; bugfix
|
|
on 0.2.2.6-alpha.
|
|
|
|
o Major bugfixes (TLS cipher selection, backport from 0.2.5.4-alpha):
|
|
- The relay ciphersuite list is now generated automatically based on
|
|
uniform criteria, and includes all OpenSSL ciphersuites with
|
|
acceptable strength and forward secrecy. Previously, we had left
|
|
some perfectly fine ciphersuites unsupported due to omission or
|
|
typo. Resolves bugs 11513, 11492, 11498, 11499. Bugs reported by
|
|
'cypherpunks'. Bugfix on 0.2.4.8-alpha.
|
|
- Relays now trust themselves to have a better view than clients of
|
|
which TLS ciphersuites are better than others. (Thanks to bug
|
|
11513, the relay list is now well-considered, whereas the client
|
|
list has been chosen mainly for anti-fingerprinting purposes.)
|
|
Relays prefer: AES over 3DES; then ECDHE over DHE; then GCM over
|
|
CBC; then SHA384 over SHA256 over SHA1; and last, AES256 over
|
|
AES128. Resolves ticket 11528.
|
|
- Clients now try to advertise the same list of ciphersuites as
|
|
Firefox 28. This change enables selection of (fast) GCM
|
|
ciphersuites, disables some strange old ciphers, and stops
|
|
advertising the ECDH (not to be confused with ECDHE) ciphersuites.
|
|
Resolves ticket 11438.
|
|
|
|
o Minor bugfixes (configuration, security):
|
|
- When running a hidden service, do not allow TunneledDirConns 0:
|
|
trying to set that option together with a hidden service would
|
|
otherwise prevent the hidden service from running, and also make
|
|
it publish its descriptors directly over HTTP. Fixes bug 10849;
|
|
bugfix on 0.2.1.1-alpha.
|
|
|
|
o Minor bugfixes (controller, backport from 0.2.5.4-alpha):
|
|
- Avoid sending a garbage value to the controller when a circuit is
|
|
cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha.
|
|
|
|
o Minor bugfixes (exit relay, backport from 0.2.5.4-alpha):
|
|
- Stop leaking memory when we successfully resolve a PTR record.
|
|
Fixes bug 11437; bugfix on 0.2.4.7-alpha.
|
|
|
|
o Minor bugfixes (bridge client, backport from 0.2.5.4-alpha):
|
|
- Avoid 60-second delays in the bootstrapping process when Tor is
|
|
launching for a second time while using bridges. Fixes bug 9229;
|
|
bugfix on 0.2.0.3-alpha.
|
|
|
|
o Minor bugfixes (relays and bridges, backport from 0.2.5.4-alpha):
|
|
- Give the correct URL in the warning message when trying to run a
|
|
relay on an ancient version of Windows. Fixes bug 9393.
|
|
|
|
o Minor bugfixes (compilation):
|
|
- Fix a compilation error when compiling with --disable-curve25519.
|
|
Fixes bug 9700; bugfix on 0.2.4.17-rc.
|
|
|
|
o Minor bugfixes:
|
|
- Downgrade the warning severity for the the "md was still
|
|
referenced 1 node(s)" warning. Tor 0.2.5.4-alpha has better code
|
|
for trying to diagnose this bug, and the current warning in
|
|
earlier versions of tor achieves nothing useful. Addresses warning
|
|
from bug 7164.
|
|
|
|
o Minor features (log verbosity, backport from 0.2.5.4-alpha):
|
|
- When we run out of usable circuit IDs on a channel, log only one
|
|
warning for the whole channel, and describe how many circuits
|
|
there were on the channel. Fixes part of ticket 11553.
|
|
|
|
o Minor features (security, backport from 0.2.5.4-alpha):
|
|
- Decrease the lower limit of MaxMemInCellQueues to 256 MBytes (but
|
|
leave the default at 8GBytes), to better support Raspberry Pi
|
|
users. Fixes bug 9686; bugfix on 0.2.4.14-alpha.
|
|
|
|
o Documentation (backport from 0.2.5.4-alpha):
|
|
- Correctly document that we search for a system torrc file before
|
|
looking in ~/.torrc. Fixes documentation side of 9213; bugfix on
|
|
0.2.3.18-rc.
|
|
|
|
|
|
Changes in version 0.2.5.4-alpha - 2014-04-25
|
|
Tor 0.2.5.4-alpha includes several security and performance
|
|
improvements for clients and relays, including blacklisting authority
|
|
signing keys that were used while susceptible to the OpenSSL
|
|
"heartbleed" bug, fixing two expensive functions on busy relays,
|
|
improved TLS ciphersuite preference lists, support for run-time
|
|
hardening on compilers that support AddressSanitizer, and more work on
|
|
the Linux sandbox code.
|
|
|
|
There are also several usability fixes for clients (especially clients
|
|
that use bridges), two new TransPort protocols supported (one on
|
|
OpenBSD, one on FreeBSD), and various other bugfixes.
|
|
|
|
This release marks end-of-life for Tor 0.2.2.x; those Tor versions
|
|
have accumulated many known flaws; everyone should upgrade.
|
|
|
|
o Major features (security):
|
|
- If you don't specify MaxMemInQueues yourself, Tor now tries to
|
|
pick a good value based on your total system memory. Previously,
|
|
the default was always 8 GB. You can still override the default by
|
|
setting MaxMemInQueues yourself. Resolves ticket 11396.
|
|
- Block authority signing keys that were used on authorities
|
|
vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We
|
|
don't have any evidence that these keys _were_ compromised; we're
|
|
doing this to be prudent.) Resolves ticket 11464.
|
|
|
|
o Major features (relay performance):
|
|
- Speed up server-side lookups of rendezvous and introduction point
|
|
circuits by using hashtables instead of linear searches. These
|
|
functions previously accounted between 3 and 7% of CPU usage on
|
|
some busy relays. Resolves ticket 9841.
|
|
- Avoid wasting CPU when extending a circuit over a channel that is
|
|
nearly out of circuit IDs. Previously, we would do a linear scan
|
|
over possible circuit IDs before finding one or deciding that we
|
|
had exhausted our possibilities. Now, we try at most 64 random
|
|
circuit IDs before deciding that we probably won't succeed. Fixes
|
|
a possible root cause of ticket 11553.
|
|
|
|
o Major features (seccomp2 sandbox, Linux only):
|
|
- The seccomp2 sandbox can now run a test network for multiple hours
|
|
without crashing. The sandbox is still experimental, and more bugs
|
|
will probably turn up. To try it, enable "Sandbox 1" on a Linux
|
|
host. Resolves ticket 11351.
|
|
- Strengthen sandbox code: the sandbox can now test the arguments
|
|
for rename(), and blocks _sysctl() entirely. Resolves another part
|
|
of ticket 11351.
|
|
- When the sandbox blocks a system call, it now tries to log a stack
|
|
trace before exiting. Resolves ticket 11465.
|
|
|
|
o Major bugfixes (TLS cipher selection):
|
|
- The relay ciphersuite list is now generated automatically based on
|
|
uniform criteria, and includes all OpenSSL ciphersuites with
|
|
acceptable strength and forward secrecy. Previously, we had left
|
|
some perfectly fine ciphersuites unsupported due to omission or
|
|
typo. Resolves bugs 11513, 11492, 11498, 11499. Bugs reported by
|
|
'cypherpunks'. Bugfix on 0.2.4.8-alpha.
|
|
- Relays now trust themselves to have a better view than clients of
|
|
which TLS ciphersuites are better than others. (Thanks to bug
|
|
11513, the relay list is now well-considered, whereas the client
|
|
list has been chosen mainly for anti-fingerprinting purposes.)
|
|
Relays prefer: AES over 3DES; then ECDHE over DHE; then GCM over
|
|
CBC; then SHA384 over SHA256 over SHA1; and last, AES256 over
|
|
AES128. Resolves ticket 11528.
|
|
- Clients now try to advertise the same list of ciphersuites as
|
|
Firefox 28. This change enables selection of (fast) GCM
|
|
ciphersuites, disables some strange old ciphers, and stops
|
|
advertising the ECDH (not to be confused with ECDHE) ciphersuites.
|
|
Resolves ticket 11438.
|
|
|
|
o Major bugfixes (bridge client):
|
|
- Avoid 60-second delays in the bootstrapping process when Tor is
|
|
launching for a second time while using bridges. Fixes bug 9229;
|
|
bugfix on 0.2.0.3-alpha.
|
|
|
|
o Minor features (transparent proxy, *BSD):
|
|
- Support FreeBSD's ipfw firewall interface for TransPort ports on
|
|
FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket
|
|
10267; patch from "yurivict".
|
|
- Support OpenBSD's divert-to rules with the pf firewall for
|
|
transparent proxy ports. To enable it, set "TransProxyType
|
|
pf-divert". This allows Tor to run a TransPort transparent proxy
|
|
port on OpenBSD 4.4 or later without root privileges. See the
|
|
pf.conf(5) manual page for information on configuring pf to use
|
|
divert-to rules. Closes ticket 10896; patch from Dana Koch.
|
|
|
|
o Minor features (security):
|
|
- New --enable-expensive-hardening option to enable security
|
|
hardening options that consume nontrivial amounts of CPU and
|
|
memory. Right now, this includes AddressSanitizer and UbSan, which
|
|
are supported in newer versions of GCC and Clang. Closes ticket
|
|
11477.
|
|
|
|
o Minor features (log verbosity):
|
|
- Demote the message that we give when a flushing connection times
|
|
out for too long from NOTICE to INFO. It was usually meaningless.
|
|
Resolves ticket 5286.
|
|
- Don't log so many notice-level bootstrapping messages at startup
|
|
about downloading descriptors. Previously, we'd log a notice
|
|
whenever we learned about more routers. Now, we only log a notice
|
|
at every 5% of progress. Fixes bug 9963.
|
|
- Warn less verbosely when receiving a malformed
|
|
ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279.
|
|
- When we run out of usable circuit IDs on a channel, log only one
|
|
warning for the whole channel, and describe how many circuits
|
|
there were on the channel. Fixes part of ticket 11553.
|
|
|
|
o Minor features (relay):
|
|
- If a circuit timed out for at least 3 minutes, check if we have a
|
|
new external IP address, and publish a new descriptor with the new
|
|
IP address if it changed. Resolves ticket 2454.
|
|
|
|
o Minor features (controller):
|
|
- Make the entire exit policy available from the control port via
|
|
GETINFO exit-policy/*. Implements enhancement 7952. Patch from
|
|
"rl1987".
|
|
- Because of the fix for ticket 11396, the real limit for memory
|
|
usage may no longer match the configured MaxMemInQueues value. The
|
|
real limit is now exposed via GETINFO limits/max-mem-in-queues.
|
|
|
|
o Minor features (bridge client):
|
|
- Report a more useful failure message when we can't connect to a
|
|
bridge because we don't have the right pluggable transport
|
|
configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
|
|
|
|
o Minor features (diagnostic):
|
|
- Add more log messages to diagnose bug 7164, which causes
|
|
intermittent "microdesc_free() called but md was still referenced"
|
|
warnings. We now include more information, to figure out why we
|
|
might be cleaning a microdescriptor for being too old if it's
|
|
still referenced by a live node_t object.
|
|
|
|
o Minor bugfixes (client, DNSPort):
|
|
- When using DNSPort, try to respond to AAAA requests with AAAA
|
|
answers. Previously, we hadn't looked at the request type when
|
|
deciding which answer type to prefer. Fixes bug 10468; bugfix on
|
|
0.2.4.7-alpha.
|
|
- When receiving a DNS query for an unsupported record type, reply
|
|
with no answer rather than with a NOTIMPL error. This behavior
|
|
isn't correct either, but it will break fewer client programs, we
|
|
hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch
|
|
from "epoch".
|
|
|
|
o Minor bugfixes (exit relay):
|
|
- Stop leaking memory when we successfully resolve a PTR record.
|
|
Fixes bug 11437; bugfix on 0.2.4.7-alpha.
|
|
|
|
o Minor bugfixes (bridge client):
|
|
- Stop accepting bridge lines containing hostnames. Doing so would
|
|
cause clients to perform DNS requests on the hostnames, which was
|
|
not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
|
|
- Avoid a 60-second delay in the bootstrapping process when a Tor
|
|
client with pluggable transports re-reads its configuration at
|
|
just the wrong time. Re-fixes bug 11156; bugfix on 0.2.5.3-alpha.
|
|
|
|
o Minor bugfixes (client, logging during bootstrap):
|
|
- Warn only once if we start logging in an unsafe way. Previously,
|
|
we complain as many times as we had problems. Fixes bug 9870;
|
|
bugfix on 0.2.5.1-alpha.
|
|
- Only report the first fatal bootstrap error on a given OR
|
|
connection. This stops us from telling the controller bogus error
|
|
messages like "DONE". Fixes bug 10431; bugfix on 0.2.1.1-alpha.
|
|
- Be more helpful when trying to run sandboxed on Linux without
|
|
libseccomp. Instead of saying "Sandbox is not implemented on this
|
|
platform", we now explain that we need to be built with
|
|
libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha.
|
|
- Avoid generating spurious warnings when starting with
|
|
DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on
|
|
0.2.3.9-alpha.
|
|
|
|
o Minor bugfixes (closing OR connections):
|
|
- If write_to_buf() in connection_write_to_buf_impl_() ever fails,
|
|
check if it's an or_connection_t and correctly call
|
|
connection_or_close_for_error() rather than
|
|
connection_mark_for_close() directly. Fixes bug 11304; bugfix on
|
|
0.2.4.4-alpha.
|
|
- When closing all connections on setting DisableNetwork to 1, use
|
|
connection_or_close_normally() rather than closing OR connections
|
|
out from under the channel layer. Fixes bug 11306; bugfix on
|
|
0.2.4.4-alpha.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Avoid sending a garbage value to the controller when a circuit is
|
|
cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha.
|
|
|
|
o Minor bugfixes (tor-fw-helper):
|
|
- Allow tor-fw-helper to build again by adding src/ext to its
|
|
CPPFLAGS. Fixes bug 11296; bugfix on 0.2.5.3-alpha.
|
|
|
|
o Minor bugfixes (bridges):
|
|
- Avoid potential crashes or bad behavior when launching a
|
|
server-side managed proxy with ORPort or ExtORPort temporarily
|
|
disabled. Fixes bug 9650; bugfix on 0.2.3.16-alpha.
|
|
|
|
o Minor bugfixes (platform-specific):
|
|
- Fix compilation on Solaris, which does not have <endian.h>. Fixes
|
|
bug 11426; bugfix on 0.2.5.3-alpha.
|
|
- When dumping a malformed directory object to disk, save it in
|
|
binary mode on Windows, not text mode. Fixes bug 11342; bugfix on
|
|
0.2.2.1-alpha.
|
|
- Don't report failures from make_socket_reuseable() on incoming
|
|
sockets on OSX: this can happen when incoming connections close
|
|
early. Fixes bug 10081.
|
|
|
|
o Minor bugfixes (trivial memory leaks):
|
|
- Fix a small memory leak when signing a directory object. Fixes bug
|
|
11275; bugfix on 0.2.4.13-alpha.
|
|
- Free placeholder entries in our circuit table at exit; fixes a
|
|
harmless memory leak. Fixes bug 11278; bugfix on 0.2.5.1-alpha.
|
|
- Don't re-initialize a second set of OpenSSL mutexes when starting
|
|
up. Previously, we'd make one set of mutexes, and then immediately
|
|
replace them with another. Fixes bug 11726; bugfix on
|
|
0.2.5.3-alpha.
|
|
- Resolve some memory leaks found by coverity in the unit tests, on
|
|
exit in tor-gencert, and on a failure to compute digests for our
|
|
own keys when generating a v3 networkstatus vote. These leaks
|
|
should never have affected anyone in practice.
|
|
|
|
o Minor bugfixes (hidden service):
|
|
- Only retry attempts to connect to a chosen rendezvous point 8
|
|
times, not 30. Fixes bug 4241; bugfix on 0.1.0.1-rc.
|
|
|
|
o Minor bugfixes (misc code correctness):
|
|
- Fix various instances of undefined behavior in channeltls.c,
|
|
tor_memmem(), and eventdns.c that would cause us to construct
|
|
pointers to memory outside an allocated object. (These invalid
|
|
pointers were not accessed, but C does not even allow them to
|
|
exist.) Fixes bug 10363; bugfixes on 0.1.1.1-alpha, 0.1.2.1-alpha,
|
|
0.2.0.10-alpha, and 0.2.3.6-alpha. Reported by "bobnomnom".
|
|
- Use the AddressSanitizer and Ubsan sanitizers (in clang-3.4) to
|
|
fix some miscellaneous errors in our tests and codebase. Fixes bug
|
|
11232. Bugfixes on versions back as far as 0.2.1.11-alpha.
|
|
- Always check return values for unlink, munmap, UnmapViewOfFile;
|
|
check strftime return values more often. In some cases all we can
|
|
do is report a warning, but this may help prevent deeper bugs from
|
|
going unnoticed. Closes ticket 8787; bugfixes on many, many tor
|
|
versions.
|
|
- Fix numerous warnings from the clang "scan-build" static analyzer.
|
|
Some of these are programming style issues; some of them are false
|
|
positives that indicated awkward code; some are undefined behavior
|
|
cases related to constructing (but not using) invalid pointers;
|
|
some are assumptions about API behavior; some are (harmlessly)
|
|
logging sizeof(ptr) bytes from a token when sizeof(*ptr) would be
|
|
correct; and one or two are genuine bugs that weren't reachable
|
|
from the rest of the program. Fixes bug 8793; bugfixes on many,
|
|
many tor versions.
|
|
|
|
o Documentation:
|
|
- Build the torify.1 manpage again. Previously, we were only trying
|
|
to build it when also building tor-fw-helper. That's why we didn't
|
|
notice that we'd broken the ability to build it. Fixes bug 11321;
|
|
bugfix on 0.2.5.1-alpha.
|
|
- Fix the layout of the SOCKSPort flags in the manpage. Fixes bug
|
|
11061; bugfix on 0.2.4.7-alpha.
|
|
- Correctly document that we search for a system torrc file before
|
|
looking in ~/.torrc. Fixes documentation side of 9213; bugfix on
|
|
0.2.3.18-rc.
|
|
- Resolve warnings from Doxygen.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Remove is_internal_IP() function. Resolves ticket 4645.
|
|
- Remove unused function circuit_dump_by_chan from circuitlist.c.
|
|
Closes issue 9107; patch from "marek".
|
|
- Change our use of the ENUM_BF macro to avoid declarations that
|
|
confuse Doxygen.
|
|
|
|
o Deprecated versions:
|
|
- Tor 0.2.2.x has reached end-of-life; it has received no patches or
|
|
attention for some while. Directory authorities no longer accept
|
|
descriptors from relays running any version of Tor prior to Tor
|
|
0.2.3.16-alpha. Resolves ticket 11149.
|
|
|
|
o Testing:
|
|
- New macros in test.h to simplify writing mock-functions for unit
|
|
tests. Part of ticket 11507. Patch from Dana Koch.
|
|
- Complete tests for the status.c module. Resolves ticket 11507.
|
|
Patch from Dana Koch.
|
|
|
|
o Removed code:
|
|
- Remove all code for the long unused v1 directory protocol.
|
|
Resolves ticket 11070.
|
|
|
|
|
|
Changes in version 0.2.5.3-alpha - 2014-03-22
|
|
Tor 0.2.5.3-alpha includes all the fixes from 0.2.4.21. It contains
|
|
two new anti-DoS features for Tor relays, resolves a bug that kept
|
|
SOCKS5 support for IPv6 from working, fixes several annoying usability
|
|
issues for bridge users, and removes more old code for unused
|
|
directory formats.
|
|
|
|
The Tor 0.2.5.x release series is now in patch-freeze: no feature
|
|
patches not already written will be considered for inclusion in 0.2.5.x.
|
|
|
|
o Major features (relay security, DoS-resistance):
|
|
- When deciding whether we have run out of memory and we need to
|
|
close circuits, also consider memory allocated in buffers for
|
|
streams attached to each circuit.
|
|
|
|
This change, which extends an anti-DoS feature introduced in
|
|
0.2.4.13-alpha and improved in 0.2.4.14-alpha, lets Tor exit relays
|
|
better resist more memory-based DoS attacks than before. Since the
|
|
MaxMemInCellQueues option now applies to all queues, it is renamed
|
|
to MaxMemInQueues. This feature fixes bug 10169.
|
|
- Avoid hash-flooding denial-of-service attacks by using the secure
|
|
SipHash-2-4 hash function for our hashtables. Without this
|
|
feature, an attacker could degrade performance of a targeted
|
|
client or server by flooding their data structures with a large
|
|
number of entries to be stored at the same hash table position,
|
|
thereby slowing down the Tor instance. With this feature, hash
|
|
table positions are derived from a randomized cryptographic key,
|
|
and an attacker cannot predict which entries will collide. Closes
|
|
ticket 4900.
|
|
- Decrease the lower limit of MaxMemInQueues to 256 MBytes (but leave
|
|
the default at 8GBytes), to better support Raspberry Pi users. Fixes
|
|
bug 9686; bugfix on 0.2.4.14-alpha.
|
|
|
|
o Minor features (bridges, pluggable transports):
|
|
- Bridges now write the SHA1 digest of their identity key
|
|
fingerprint (that is, a hash of a hash of their public key) to
|
|
notice-level logs, and to a new hashed-fingerprint file. This
|
|
information will help bridge operators look up their bridge in
|
|
Globe and similar tools. Resolves ticket 10884.
|
|
- Improve the message that Tor displays when running as a bridge
|
|
using pluggable transports without an Extended ORPort listener.
|
|
Also, log the message in the log file too. Resolves ticket 11043.
|
|
|
|
o Minor features (other):
|
|
- Add a new option, PredictedPortsRelevanceTime, to control how long
|
|
after having received a request to connect to a given port Tor
|
|
will try to keep circuits ready in anticipation of future requests
|
|
for that port. Patch from "unixninja92"; implements ticket 9176.
|
|
- Generate a warning if any ports are listed in the SocksPolicy,
|
|
DirPolicy, AuthDirReject, AuthDirInvalid, AuthDirBadDir, or
|
|
AuthDirBadExit options. (These options only support address
|
|
ranges.) Fixes part of ticket 11108.
|
|
- Update geoip and geoip6 to the February 7 2014 Maxmind GeoLite2
|
|
Country database.
|
|
|
|
o Minor bugfixes (new since 0.2.5.2-alpha, also in 0.2.4.21):
|
|
- Build without warnings under clang 3.4. (We have some macros that
|
|
define static functions only some of which will get used later in
|
|
the module. Starting with clang 3.4, these give a warning unless the
|
|
unused attribute is set on them.) Resolves ticket 10904.
|
|
- Fix build warnings about missing "a2x" comment when building the
|
|
manpages from scratch on OpenBSD; OpenBSD calls it "a2x.py".
|
|
Fixes bug 10929; bugfix on 0.2.2.9-alpha. Patch from Dana Koch.
|
|
|
|
o Minor bugfixes (client):
|
|
- Improve the log message when we can't connect to a hidden service
|
|
because all of the hidden service directory nodes hosting its
|
|
descriptor are excluded. Improves on our fix for bug 10722, which
|
|
was a bugfix on 0.2.0.10-alpha.
|
|
- Raise a control port warning when we fail to connect to all of
|
|
our bridges. Previously, we didn't inform the controller, and
|
|
the bootstrap process would stall. Fixes bug 11069; bugfix on
|
|
0.2.1.2-alpha.
|
|
- Exit immediately when a process-owning controller exits.
|
|
Previously, tor relays would wait for a little while after their
|
|
controller exited, as if they had gotten an INT signal -- but this
|
|
was problematic, since there was no feedback for the user. To do a
|
|
clean shutdown, controllers should send an INT signal and give Tor
|
|
a chance to clean up. Fixes bug 10449; bugfix on 0.2.2.28-beta.
|
|
- Stop attempting to connect to bridges before our pluggable
|
|
transports are configured (harmless but resulted in some erroneous
|
|
log messages). Fixes bug 11156; bugfix on 0.2.3.2-alpha.
|
|
- Fix connections to IPv6 addresses over SOCKS5. Previously, we were
|
|
generating incorrect SOCKS5 responses, and confusing client
|
|
applications. Fixes bug 10987; bugfix on 0.2.4.7-alpha.
|
|
|
|
o Minor bugfixes (relays and bridges):
|
|
- Avoid crashing on a malformed resolv.conf file when running a
|
|
relay using Libevent 1. Fixes bug 8788; bugfix on 0.1.1.23.
|
|
- Non-exit relays no longer launch mock DNS requests to check for
|
|
DNS hijacking. This has been unnecessary since 0.2.1.7-alpha, when
|
|
non-exit relays stopped servicing DNS requests. Fixes bug 965;
|
|
bugfix on 0.2.1.7-alpha. Patch from Matt Pagan.
|
|
- Bridges now report complete directory request statistics. Related
|
|
to bug 5824; bugfix on 0.2.2.1-alpha.
|
|
- Bridges now never collect statistics that were designed for
|
|
relays. Fixes bug 5824; bugfix on 0.2.3.8-alpha.
|
|
- Stop giving annoying warning messages when we decide not to launch
|
|
a pluggable transport proxy that we don't need (because there are
|
|
no bridges configured to use it). Resolves ticket 5018; bugfix
|
|
on 0.2.5.2-alpha.
|
|
- Give the correct URL in the warning message when trying to run a
|
|
relay on an ancient version of Windows. Fixes bug 9393.
|
|
|
|
o Minor bugfixes (backtrace support):
|
|
- Support automatic backtraces on more platforms by using the
|
|
"-fasynchronous-unwind-tables" compiler option. This option is
|
|
needed for platforms like 32-bit Intel where "-fomit-frame-pointer"
|
|
is on by default and table generation is not. This doesn't yet
|
|
add Windows support; only Linux, OSX, and some BSDs are affected.
|
|
Reported by 'cypherpunks'; fixes bug 11047; bugfix on 0.2.5.2-alpha.
|
|
- Avoid strange behavior if two threads hit failed assertions at the
|
|
same time and both try to log backtraces at once. (Previously, if
|
|
this had happened, both threads would have stored their intermediate
|
|
results in the same buffer, and generated junk outputs.) Reported by
|
|
"cypherpunks". Fixes bug 11048; bugfix on 0.2.5.2-alpha.
|
|
- Fix a compiler warning in format_number_sigsafe(). Bugfix on
|
|
0.2.5.2-alpha; patch from Nick Hopper.
|
|
|
|
o Minor bugfixes (unit tests):
|
|
- Fix a small bug in the unit tests that might have made the tests
|
|
call 'chmod' with an uninitialized bitmask. Fixes bug 10928;
|
|
bugfix on 0.2.5.1-alpha. Patch from Dana Koch.
|
|
|
|
o Removed code:
|
|
- Remove all remaining code related to version-0 hidden service
|
|
descriptors: they have not been in use since 0.2.2.1-alpha. Fixes
|
|
the rest of bug 10841.
|
|
|
|
o Documentation:
|
|
- Document in the manpage that "KBytes" may also be written as
|
|
"kilobytes" or "KB", that "Kbits" may also be written as
|
|
"kilobits", and so forth. Closes ticket 9222.
|
|
- Document that the ClientOnly config option overrides ORPort.
|
|
Our old explanation made ClientOnly sound as though it did
|
|
nothing at all. Resolves bug 9059.
|
|
- Explain that SocksPolicy, DirPolicy, and similar options don't
|
|
take port arguments. Fixes the other part of ticket 11108.
|
|
- Fix a comment about the rend_server_descriptor_t.protocols field
|
|
to more accurately describe its range. Also, make that field
|
|
unsigned, to more accurately reflect its usage. Fixes bug 9099;
|
|
bugfix on 0.2.1.5-alpha.
|
|
- Fix the manpage's description of HiddenServiceAuthorizeClient:
|
|
the maximum client name length is 16, not 19. Fixes bug 11118;
|
|
bugfix on 0.2.1.6-alpha.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Get rid of router->address, since in all cases it was just the
|
|
string representation of router->addr. Resolves ticket 5528.
|
|
|
|
o Test infrastructure:
|
|
- Update to the latest version of tinytest.
|
|
- Improve the tinytest implementation of string operation tests so
|
|
that comparisons with NULL strings no longer crash the tests; they
|
|
now just fail, normally. Fixes bug 9004; bugfix on 0.2.2.4-alpha.
|
|
|
|
|
|
Changes in version 0.2.4.21 - 2014-02-28
|
|
Tor 0.2.4.21 further improves security against potential adversaries who
|
|
find breaking 1024-bit crypto doable, and backports several stability
|
|
and robustness patches from the 0.2.5 branch.
|
|
|
|
o Major features (client security):
|
|
- When we choose a path for a 3-hop circuit, make sure it contains
|
|
at least one relay that supports the NTor circuit extension
|
|
handshake. Otherwise, there is a chance that we're building
|
|
a circuit that's worth attacking by an adversary who finds
|
|
breaking 1024-bit crypto doable, and that chance changes the game
|
|
theory. Implements ticket 9777.
|
|
|
|
o Major bugfixes:
|
|
- Do not treat streams that fail with reason
|
|
END_STREAM_REASON_INTERNAL as indicating a definite circuit failure,
|
|
since it could also indicate an ENETUNREACH connection error. Fixes
|
|
part of bug 10777; bugfix on 0.2.4.8-alpha.
|
|
|
|
o Code simplification and refactoring:
|
|
- Remove data structures which were introduced to implement the
|
|
CellStatistics option: they are now redundant with the new timestamp
|
|
field in the regular packed_cell_t data structure, which we did
|
|
in 0.2.4.18-rc in order to resolve bug 9093. Resolves ticket 10870.
|
|
|
|
o Minor features:
|
|
- Always clear OpenSSL bignums before freeing them -- even bignums
|
|
that don't contain secrets. Resolves ticket 10793. Patch by
|
|
Florent Daigniere.
|
|
- Build without warnings under clang 3.4. (We have some macros that
|
|
define static functions only some of which will get used later in
|
|
the module. Starting with clang 3.4, these give a warning unless the
|
|
unused attribute is set on them.) Resolves ticket 10904.
|
|
- Update geoip and geoip6 files to the February 7 2014 Maxmind
|
|
GeoLite2 Country database.
|
|
|
|
o Minor bugfixes:
|
|
- Set the listen() backlog limit to the largest actually supported
|
|
on the system, not to the value in a header file. Fixes bug 9716;
|
|
bugfix on every released Tor.
|
|
- Treat ENETUNREACH, EACCES, and EPERM connection failures at an
|
|
exit node as a NOROUTE error, not an INTERNAL error, since they
|
|
can apparently happen when trying to connect to the wrong sort
|
|
of netblocks. Fixes part of bug 10777; bugfix on 0.1.0.1-rc.
|
|
- Fix build warnings about missing "a2x" comment when building the
|
|
manpages from scratch on OpenBSD; OpenBSD calls it "a2x.py".
|
|
Fixes bug 10929; bugfix on 0.2.2.9-alpha. Patch from Dana Koch.
|
|
- Avoid a segfault on SIGUSR1, where we had freed a connection but did
|
|
not entirely remove it from the connection lists. Fixes bug 9602;
|
|
bugfix on 0.2.4.4-alpha.
|
|
- Fix a segmentation fault in our benchmark code when running with
|
|
Fedora's OpenSSL package, or any other OpenSSL that provides
|
|
ECDH but not P224. Fixes bug 10835; bugfix on 0.2.4.8-alpha.
|
|
- Turn "circuit handshake stats since last time" log messages into a
|
|
heartbeat message. Fixes bug 10485; bugfix on 0.2.4.17-rc.
|
|
|
|
o Documentation fixes:
|
|
- Document that all but one DirPort entry must have the NoAdvertise
|
|
flag set. Fixes bug 10470; bugfix on 0.2.3.3-alpha / 0.2.3.16-alpha.
|
|
|
|
|
|
Changes in version 0.2.5.2-alpha - 2014-02-13
|
|
Tor 0.2.5.2-alpha includes all the fixes from 0.2.4.18-rc and 0.2.4.20,
|
|
like the "poor random number generation" fix and the "building too many
|
|
circuits" fix. It also further improves security against potential
|
|
adversaries who find breaking 1024-bit crypto doable, and launches
|
|
pluggable transports on demand (which gets us closer to integrating
|
|
pluggable transport support by default -- not to be confused with Tor
|
|
bundles enabling pluggable transports and bridges by default).
|
|
|
|
o Major features (client security):
|
|
- When we choose a path for a 3-hop circuit, make sure it contains
|
|
at least one relay that supports the NTor circuit extension
|
|
handshake. Otherwise, there is a chance that we're building
|
|
a circuit that's worth attacking by an adversary who finds
|
|
breaking 1024-bit crypto doable, and that chance changes the game
|
|
theory. Implements ticket 9777.
|
|
- Clients now look at the "usecreatefast" consensus parameter to
|
|
decide whether to use CREATE_FAST or CREATE cells for the first hop
|
|
of their circuit. This approach can improve security on connections
|
|
where Tor's circuit handshake is stronger than the available TLS
|
|
connection security levels, but the tradeoff is more computational
|
|
load on guard relays. Implements proposal 221. Resolves ticket 9386.
|
|
|
|
o Major features (bridges):
|
|
- Don't launch pluggable transport proxies if we don't have any
|
|
bridges configured that would use them. Now we can list many
|
|
pluggable transports, and Tor will dynamically start one when it
|
|
hears a bridge address that needs it. Resolves ticket 5018.
|
|
- The bridge directory authority now assigns status flags (Stable,
|
|
Guard, etc) to bridges based on thresholds calculated over all
|
|
Running bridges. Now bridgedb can finally make use of its features
|
|
to e.g. include at least one Stable bridge in its answers. Fixes
|
|
bug 9859.
|
|
|
|
o Major features (other):
|
|
- Extend ORCONN controller event to include an "ID" parameter,
|
|
and add four new controller event types CONN_BW, CIRC_BW,
|
|
CELL_STATS, and TB_EMPTY that show connection and circuit usage.
|
|
The new events are emitted in private Tor networks only, with the
|
|
goal of being able to better track performance and load during
|
|
full-network simulations. Implements proposal 218 and ticket 7359.
|
|
- On some platforms (currently: recent OSX versions, glibc-based
|
|
platforms that support the ELF format, and a few other
|
|
Unix-like operating systems), Tor can now dump stack traces
|
|
when a crash occurs or an assertion fails. By default, traces
|
|
are dumped to stderr (if possible) and to any logs that are
|
|
reporting errors. Implements ticket 9299.
|
|
|
|
o Major bugfixes:
|
|
- Avoid a segfault on SIGUSR1, where we had freed a connection but did
|
|
not entirely remove it from the connection lists. Fixes bug 9602;
|
|
bugfix on 0.2.4.4-alpha.
|
|
- Do not treat streams that fail with reason
|
|
END_STREAM_REASON_INTERNAL as indicating a definite circuit failure,
|
|
since it could also indicate an ENETUNREACH connection error. Fixes
|
|
part of bug 10777; bugfix on 0.2.4.8-alpha.
|
|
|
|
o Major bugfixes (new since 0.2.5.1-alpha, also in 0.2.4.20):
|
|
- Do not allow OpenSSL engines to replace the PRNG, even when
|
|
HardwareAccel is set. The only default builtin PRNG engine uses
|
|
the Intel RDRAND instruction to replace the entire PRNG, and
|
|
ignores all attempts to seed it with more entropy. That's
|
|
cryptographically stupid: the right response to a new alleged
|
|
entropy source is never to discard all previously used entropy
|
|
sources. Fixes bug 10402; works around behavior introduced in
|
|
OpenSSL 1.0.0. Diagnosis and investigation thanks to "coderman"
|
|
and "rl1987".
|
|
- Fix assertion failure when AutomapHostsOnResolve yields an IPv6
|
|
address. Fixes bug 10465; bugfix on 0.2.4.7-alpha.
|
|
- Avoid launching spurious extra circuits when a stream is pending.
|
|
This fixes a bug where any circuit that _wasn't_ unusable for new
|
|
streams would be treated as if it were, causing extra circuits to
|
|
be launched. Fixes bug 10456; bugfix on 0.2.4.12-alpha.
|
|
|
|
o Major bugfixes (new since 0.2.5.1-alpha, also in 0.2.4.18-rc):
|
|
- No longer stop reading or writing on cpuworker connections when
|
|
our rate limiting buckets go empty. Now we should handle circuit
|
|
handshake requests more promptly. Resolves bug 9731.
|
|
- Stop trying to bootstrap all our directory information from
|
|
only our first guard. Discovered while fixing bug 9946; bugfix
|
|
on 0.2.4.8-alpha.
|
|
|
|
o Minor features (bridges, pluggable transports):
|
|
- Add threshold cutoffs to the networkstatus document created by
|
|
the Bridge Authority. Fixes bug 1117.
|
|
- On Windows, spawn background processes using the CREATE_NO_WINDOW
|
|
flag. Now Tor Browser Bundle 3.5 with pluggable transports enabled
|
|
doesn't pop up a blank console window. (In Tor Browser Bundle 2.x,
|
|
Vidalia set this option for us.) Implements ticket 10297.
|
|
|
|
o Minor features (security):
|
|
- Always clear OpenSSL bignums before freeing them -- even bignums
|
|
that don't contain secrets. Resolves ticket 10793. Patch by
|
|
Florent Daignière.
|
|
|
|
o Minor features (config options and command line):
|
|
- Add an --allow-missing-torrc commandline option that tells Tor to
|
|
run even if the configuration file specified by -f is not available.
|
|
Implements ticket 10060.
|
|
- Add support for the TPROXY transparent proxying facility on Linux.
|
|
See documentation for the new TransProxyType option for more
|
|
details. Implementation by "thomo". Closes ticket 10582.
|
|
|
|
o Minor features (controller):
|
|
- Add a new "HS_DESC" controller event that reports activities
|
|
related to hidden service descriptors. Resolves ticket 8510.
|
|
- New "DROPGUARDS" controller command to forget all current entry
|
|
guards. Not recommended for ordinary use, since replacing guards
|
|
too frequently makes several attacks easier. Resolves ticket 9934;
|
|
patch from "ra".
|
|
|
|
o Minor features (build):
|
|
- Assume that a user using ./configure --host wants to cross-compile,
|
|
and give an error if we cannot find a properly named
|
|
tool-chain. Add a --disable-tool-name-check option to proceed
|
|
nevertheless. Addresses ticket 9869. Patch by Benedikt Gollatz.
|
|
- If we run ./configure and the compiler recognizes -fstack-protector
|
|
but the linker rejects it, warn the user about a potentially missing
|
|
libssp package. Addresses ticket 9948. Patch from Benedikt Gollatz.
|
|
|
|
o Minor features (testing):
|
|
- If Python is installed, "make check" now runs extra tests beyond
|
|
the unit test scripts.
|
|
- When bootstrapping a test network, sometimes very few relays get
|
|
the Guard flag. Now a new option "TestingDirAuthVoteGuard" can
|
|
specify a set of relays which should be voted Guard regardless of
|
|
their uptime or bandwidth. Addresses ticket 9206.
|
|
|
|
o Minor features (log messages):
|
|
- When ServerTransportPlugin is set on a bridge, Tor can write more
|
|
useful statistics about bridge use in its extrainfo descriptors,
|
|
but only if the Extended ORPort ("ExtORPort") is set too. Add a
|
|
log message to inform the user in this case. Resolves ticket 9651.
|
|
- When receiving a new controller connection, log the origin address.
|
|
Resolves ticket 9698; patch from "sigpipe".
|
|
- When logging OpenSSL engine status at startup, log the status of
|
|
more engines. Fixes ticket 10043; patch from Joshua Datko.
|
|
- Turn "circuit handshake stats since last time" log messages into a
|
|
heartbeat message. Fixes bug 10485; bugfix on 0.2.4.17-rc.
|
|
|
|
o Minor features (new since 0.2.5.1-alpha, also in 0.2.4.18-rc):
|
|
- Improve the circuit queue out-of-memory handler. Previously, when
|
|
we ran low on memory, we'd close whichever circuits had the most
|
|
queued cells. Now, we close those that have the *oldest* queued
|
|
cells, on the theory that those are most responsible for us
|
|
running low on memory. Based on analysis from a forthcoming paper
|
|
by Jansen, Tschorsch, Johnson, and Scheuermann. Fixes bug 9093.
|
|
- Generate bootstrapping status update events correctly when fetching
|
|
microdescriptors. Fixes bug 9927.
|
|
- Update to the October 2 2013 Maxmind GeoLite Country database.
|
|
|
|
o Minor bugfixes (clients):
|
|
- When closing a channel that has already been open, do not close
|
|
pending circuits that were waiting to connect to the same relay.
|
|
Fixes bug 9880; bugfix on 0.2.5.1-alpha. Thanks to skruffy for
|
|
finding this bug.
|
|
|
|
o Minor bugfixes (relays):
|
|
- Treat ENETUNREACH, EACCES, and EPERM connection failures at an
|
|
exit node as a NOROUTE error, not an INTERNAL error, since they
|
|
can apparently happen when trying to connect to the wrong sort
|
|
of netblocks. Fixes part of bug 10777; bugfix on 0.1.0.1-rc.
|
|
|
|
o Minor bugfixes (bridges):
|
|
- Fix a bug where the first connection works to a bridge that uses a
|
|
pluggable transport with client-side parameters, but we don't send
|
|
the client-side parameters on subsequent connections. (We don't
|
|
use any pluggable transports with client-side parameters yet,
|
|
but ScrambleSuit will soon become the first one.) Fixes bug 9162;
|
|
bugfix on 0.2.0.3-alpha. Based on a patch from "rl1987".
|
|
|
|
o Minor bugfixes (node selection):
|
|
- If ExcludeNodes is set, consider non-excluded hidden service
|
|
directory servers before excluded ones. Do not consider excluded
|
|
hidden service directory servers at all if StrictNodes is
|
|
set. (Previously, we would sometimes decide to connect to those
|
|
servers, and then realize before we initiated a connection that
|
|
we had excluded them.) Fixes bug 10722; bugfix on 0.2.0.10-alpha.
|
|
Reported by "mr-4".
|
|
- If we set the ExitNodes option but it doesn't include any nodes
|
|
that have the Exit flag, we would choose not to bootstrap. Now we
|
|
bootstrap so long as ExitNodes includes nodes which can exit to
|
|
some port. Fixes bug 10543; bugfix on 0.2.4.10-alpha.
|
|
|
|
o Minor bugfixes (controller and command-line):
|
|
- If changing a config option via "setconf" fails in a recoverable
|
|
way, we used to nonetheless write our new control ports to the
|
|
file described by the "ControlPortWriteToFile" option. Now we only
|
|
write out that file if we successfully switch to the new config
|
|
option. Fixes bug 5605; bugfix on 0.2.2.26-beta. Patch from "Ryman".
|
|
- When a command-line option such as --version or --help that
|
|
ordinarily implies --hush appears on the command line along with
|
|
--quiet, then actually obey --quiet. Previously, we obeyed --quiet
|
|
only if it appeared later on the command line. Fixes bug 9578;
|
|
bugfix on 0.2.5.1-alpha.
|
|
|
|
o Minor bugfixes (code correctness):
|
|
- Previously we used two temporary files when writing descriptors to
|
|
disk; now we only use one. Fixes bug 1376.
|
|
- Remove an erroneous (but impossible and thus harmless) pointer
|
|
comparison that would have allowed compilers to skip a bounds
|
|
check in channeltls.c. Fixes bugs 10313 and 9980; bugfix on
|
|
0.2.0.10-alpha. Noticed by Jared L Wong and David Fifield.
|
|
- Fix an always-true assertion in pluggable transports code so it
|
|
actually checks what it was trying to check. Fixes bug 10046;
|
|
bugfix on 0.2.3.9-alpha. Found by "dcb".
|
|
|
|
o Minor bugfixes (protocol correctness):
|
|
- When receiving a VERSIONS cell with an odd number of bytes, close
|
|
the connection immediately since the cell is malformed. Fixes bug
|
|
10365; bugfix on 0.2.0.10-alpha. Spotted by "bobnomnom"; fix by
|
|
"rl1987".
|
|
|
|
o Minor bugfixes (build):
|
|
- Restore the ability to compile Tor with V2_HANDSHAKE_SERVER
|
|
turned off (that is, without support for v2 link handshakes). Fixes
|
|
bug 4677; bugfix on 0.2.3.2-alpha. Patch from "piet".
|
|
- Fix compilation warnings and startup issues when running with
|
|
"Sandbox 1" and libseccomp-2.1.0. Fixes bug 10563; bugfix on
|
|
0.2.5.1-alpha.
|
|
- Fix compilation on Solaris 9, which didn't like us having an
|
|
identifier named "sun". Fixes bug 10565; bugfix in 0.2.5.1-alpha.
|
|
|
|
o Minor bugfixes (testing):
|
|
- Fix a segmentation fault in our benchmark code when running with
|
|
Fedora's OpenSSL package, or any other OpenSSL that provides
|
|
ECDH but not P224. Fixes bug 10835; bugfix on 0.2.4.8-alpha.
|
|
|
|
o Minor bugfixes (log messages):
|
|
- Fix a bug where clients using bridges would report themselves
|
|
as 50% bootstrapped even without a live consensus document.
|
|
Fixes bug 9922; bugfix on 0.2.1.1-alpha.
|
|
- Suppress a warning where, if there's only one directory authority
|
|
in the network, we would complain that votes and signatures cannot
|
|
be uploaded to other directory authorities. Fixes bug 10842;
|
|
bugfix on 0.2.2.26-beta.
|
|
- Report bootstrapping progress correctly when we're downloading
|
|
microdescriptors. We had updated our "do we have enough microdescs
|
|
to begin building circuits?" logic most recently in 0.2.4.10-alpha
|
|
(see bug 5956), but we left the bootstrap status event logic at
|
|
"how far through getting 1/4 of them are we?" Fixes bug 9958;
|
|
bugfix on 0.2.2.36, which is where they diverged (see bug 5343).
|
|
|
|
o Minor bugfixes (new since 0.2.5.1-alpha, also in 0.2.4.20):
|
|
- Avoid a crash bug when starting with a corrupted microdescriptor
|
|
cache file. Fixes bug 10406; bugfix on 0.2.2.6-alpha.
|
|
- If we fail to dump a previously cached microdescriptor to disk, avoid
|
|
freeing duplicate data later on. Fixes bug 10423; bugfix on
|
|
0.2.4.13-alpha. Spotted by "bobnomnom".
|
|
|
|
o Minor bugfixes on 0.2.4.x (new since 0.2.5.1-alpha, also in 0.2.4.18-rc):
|
|
- Correctly log long IPv6 exit policies, instead of truncating them
|
|
or reporting an error. Fixes bug 9596; bugfix on 0.2.4.7-alpha.
|
|
- Our default TLS ecdhe groups were backwards: we meant to be using
|
|
P224 for relays (for performance win) and P256 for bridges (since
|
|
it is more common in the wild). Instead we had it backwards. After
|
|
reconsideration, we decided that the default should be P256 on all
|
|
hosts, since its security is probably better, and since P224 is
|
|
reportedly used quite little in the wild. Found by "skruffy" on
|
|
IRC. Fix for bug 9780; bugfix on 0.2.4.8-alpha.
|
|
- Free directory authority certificate download statuses on exit
|
|
rather than leaking them. Fixes bug 9644; bugfix on 0.2.4.13-alpha.
|
|
|
|
o Minor bugfixes on 0.2.3.x (new since 0.2.5.1-alpha, also in 0.2.4.18-rc):
|
|
- If the guard we choose first doesn't answer, we would try the
|
|
second guard, but once we connected to the second guard we would
|
|
abandon it and retry the first one, slowing down bootstrapping.
|
|
The fix is to treat all our initially chosen guards as acceptable
|
|
to use. Fixes bug 9946; bugfix on 0.1.1.11-alpha.
|
|
- Fix an assertion failure that would occur when disabling the
|
|
ORPort setting on a running Tor process while accounting was
|
|
enabled. Fixes bug 6979; bugfix on 0.2.2.18-alpha.
|
|
- When examining the list of network interfaces to find our address,
|
|
do not consider non-running or disabled network interfaces. Fixes
|
|
bug 9904; bugfix on 0.2.3.11-alpha. Patch from "hantwister".
|
|
- Avoid an off-by-one error when checking buffer boundaries when
|
|
formatting the exit status of a pluggable transport helper.
|
|
This is probably not an exploitable bug, but better safe than
|
|
sorry. Fixes bug 9928; bugfix on 0.2.3.18-rc. Bug found by
|
|
Pedro Ribeiro.
|
|
|
|
o Removed code and features:
|
|
- Clients now reject any directory authority certificates lacking
|
|
a dir-key-crosscert element. These have been included since
|
|
0.2.1.9-alpha, so there's no real reason for them to be optional
|
|
any longer. Completes proposal 157. Resolves ticket 10162.
|
|
- Remove all code that existed to support the v2 directory system,
|
|
since there are no longer any v2 directory authorities. Resolves
|
|
ticket 10758.
|
|
- Remove the HSAuthoritativeDir and AlternateHSAuthority torrc
|
|
options, which were used for designating authorities as "Hidden
|
|
service authorities". There has been no use of hidden service
|
|
authorities since 0.2.2.1-alpha, when we stopped uploading or
|
|
downloading v0 hidden service descriptors. Fixes bug 10881; also
|
|
part of a fix for bug 10841.
|
|
|
|
o Code simplification and refactoring:
|
|
- Remove some old fallback code designed to keep Tor clients working
|
|
in a network with only two working relays. Elsewhere in the code we
|
|
have long since stopped supporting such networks, so there wasn't
|
|
much point in keeping it around. Addresses ticket 9926.
|
|
- Reject 0-length EXTEND2 cells more explicitly. Fixes bug 10536;
|
|
bugfix on 0.2.4.8-alpha. Reported by "cypherpunks".
|
|
- Remove data structures which were introduced to implement the
|
|
CellStatistics option: they are now redundant with the addition
|
|
of a timestamp to the regular packed_cell_t data structure, which
|
|
we did in 0.2.4.18-rc in order to resolve ticket 9093. Implements
|
|
ticket 10870.
|
|
|
|
o Documentation (man page) fixes:
|
|
- Update manpage to describe some of the files you can expect to
|
|
find in Tor's DataDirectory. Addresses ticket 9839.
|
|
- Document that all but one DirPort entry must have the NoAdvertise
|
|
flag set. Fixes bug 10470; bugfix on 0.2.3.3-alpha / 0.2.3.16-alpha.
|
|
|
|
o Documentation fixes (new since 0.2.5.1-alpha, also in 0.2.4.18-rc):
|
|
- Clarify the usage and risks of setting the ContactInfo torrc line
|
|
for your relay or bridge. Resolves ticket 9854.
|
|
- Add anchors to the manpage so we can link to the html version of
|
|
the documentation for specific options. Resolves ticket 9866.
|
|
- Replace remaining references to DirServer in man page and
|
|
log entries. Resolves ticket 10124.
|
|
|
|
o Tool changes:
|
|
- Make the "tor-gencert" tool used by directory authority operators
|
|
create 2048-bit signing keys by default (rather than 1024-bit, since
|
|
1024-bit is uncomfortably small these days). Addresses ticket 10324.
|
|
|
|
|
|
Changes in version 0.2.4.20 - 2013-12-22
|
|
Tor 0.2.4.20 fixes potentially poor random number generation for users
|
|
who 1) use OpenSSL 1.0.0 or later, 2) set "HardwareAccel 1" in their
|
|
torrc file, 3) have "Sandy Bridge" or "Ivy Bridge" Intel processors,
|
|
and 4) have no state file in their DataDirectory (as would happen on
|
|
first start). Users who generated relay or hidden service identity
|
|
keys in such a situation should discard them and generate new ones.
|
|
|
|
This release also fixes a logic error that caused Tor clients to build
|
|
many more preemptive circuits than they actually need.
|
|
|
|
o Major bugfixes:
|
|
- Do not allow OpenSSL engines to replace the PRNG, even when
|
|
HardwareAccel is set. The only default builtin PRNG engine uses
|
|
the Intel RDRAND instruction to replace the entire PRNG, and
|
|
ignores all attempts to seed it with more entropy. That's
|
|
cryptographically stupid: the right response to a new alleged
|
|
entropy source is never to discard all previously used entropy
|
|
sources. Fixes bug 10402; works around behavior introduced in
|
|
OpenSSL 1.0.0. Diagnosis and investigation thanks to "coderman"
|
|
and "rl1987".
|
|
- Fix assertion failure when AutomapHostsOnResolve yields an IPv6
|
|
address. Fixes bug 10465; bugfix on 0.2.4.7-alpha.
|
|
- Avoid launching spurious extra circuits when a stream is pending.
|
|
This fixes a bug where any circuit that _wasn't_ unusable for new
|
|
streams would be treated as if it were, causing extra circuits to
|
|
be launched. Fixes bug 10456; bugfix on 0.2.4.12-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Avoid a crash bug when starting with a corrupted microdescriptor
|
|
cache file. Fixes bug 10406; bugfix on 0.2.2.6-alpha.
|
|
- If we fail to dump a previously cached microdescriptor to disk, avoid
|
|
freeing duplicate data later on. Fixes bug 10423; bugfix on
|
|
0.2.4.13-alpha. Spotted by "bobnomnom".
|
|
|
|
|
|
Changes in version 0.2.4.19 - 2013-12-11
|
|
The Tor 0.2.4 release series is dedicated to the memory of Aaron Swartz
|
|
(1986-2013). Aaron worked on diverse projects including helping to guide
|
|
Creative Commons, playing a key role in stopping SOPA/PIPA, bringing
|
|
transparency to the U.S government's PACER documents, and contributing
|
|
design and development for Tor and Tor2Web. Aaron was one of the latest
|
|
martyrs in our collective fight for civil liberties and human rights,
|
|
and his death is all the more painful because he was one of us.
|
|
|
|
Tor 0.2.4.19, the first stable release in the 0.2.4 branch, features
|
|
a new circuit handshake and link encryption that use ECC to provide
|
|
better security and efficiency; makes relays better manage circuit
|
|
creation requests; uses "directory guards" to reduce client enumeration
|
|
risks; makes bridges collect and report statistics about the pluggable
|
|
transports they support; cleans up and improves our geoip database;
|
|
gets much closer to IPv6 support for clients, bridges, and relays; makes
|
|
directory authorities use measured bandwidths rather than advertised
|
|
ones when computing flags and thresholds; disables client-side DNS
|
|
caching to reduce tracking risks; and fixes a big bug in bridge
|
|
reachability testing. This release introduces two new design
|
|
abstractions in the code: a new "channel" abstraction between circuits
|
|
and or_connections to allow for implementing alternate relay-to-relay
|
|
transports, and a new "circuitmux" abstraction storing the queue of
|
|
circuits for a channel. The release also includes many stability,
|
|
security, and privacy fixes.
|
|
|
|
|
|
Changes in version 0.2.4.18-rc - 2013-11-16
|
|
Tor 0.2.4.18-rc is the fourth release candidate for the Tor 0.2.4.x
|
|
series. It takes a variety of fixes from the 0.2.5.x branch to improve
|
|
stability, performance, and better handling of edge cases.
|
|
|
|
o Major features:
|
|
- Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later.
|
|
Resolves ticket 6055. (OpenSSL before 1.0.1 didn't have TLS 1.1 or
|
|
1.2, and OpenSSL from 1.0.1 through 1.0.1d had bugs that prevented
|
|
renegotiation from working with TLS 1.1 or 1.2, so we had disabled
|
|
them to solve bug 6033.)
|
|
|
|
o Major bugfixes:
|
|
- No longer stop reading or writing on cpuworker connections when
|
|
our rate limiting buckets go empty. Now we should handle circuit
|
|
handshake requests more promptly. Resolves bug 9731.
|
|
- If we are unable to save a microdescriptor to the journal, do not
|
|
drop it from memory and then reattempt downloading it. Fixes bug
|
|
9645; bugfix on 0.2.2.6-alpha.
|
|
- Stop trying to bootstrap all our directory information from
|
|
only our first guard. Discovered while fixing bug 9946; bugfix
|
|
on 0.2.4.8-alpha.
|
|
- The new channel code sometimes lost track of in-progress circuits,
|
|
causing long-running clients to stop building new circuits. The
|
|
fix is to always call circuit_n_chan_done(chan, 0) from
|
|
channel_closed(). Fixes bug 9776; bugfix on 0.2.4.17-rc.
|
|
|
|
o Minor bugfixes (on 0.2.4.x):
|
|
- Correctly log long IPv6 exit policies, instead of truncating them
|
|
or reporting an error. Fixes bug 9596; bugfix on 0.2.4.7-alpha.
|
|
- Our default TLS ecdhe groups were backwards: we meant to be using
|
|
P224 for relays (for performance win) and P256 for bridges (since
|
|
it is more common in the wild). Instead we had it backwards. After
|
|
reconsideration, we decided that the default should be P256 on all
|
|
hosts, since its security is probably better, and since P224 is
|
|
reportedly used quite little in the wild. Found by "skruffy" on
|
|
IRC. Fix for bug 9780; bugfix on 0.2.4.8-alpha.
|
|
- Free directory authority certificate download statuses on exit
|
|
rather than leaking them. Fixes bug 9644; bugfix on 0.2.4.13-alpha.
|
|
|
|
o Minor bugfixes (on 0.2.3.x and earlier):
|
|
- If the guard we choose first doesn't answer, we would try the
|
|
second guard, but once we connected to the second guard we would
|
|
abandon it and retry the first one, slowing down bootstrapping.
|
|
The fix is to treat all our initially chosen guards as acceptable
|
|
to use. Fixes bug 9946; bugfix on 0.1.1.11-alpha.
|
|
- Fix an assertion failure that would occur when disabling the
|
|
ORPort setting on a running Tor process while accounting was
|
|
enabled. Fixes bug 6979; bugfix on 0.2.2.18-alpha.
|
|
- When examining the list of network interfaces to find our address,
|
|
do not consider non-running or disabled network interfaces. Fixes
|
|
bug 9904; bugfix on 0.2.3.11-alpha. Patch from "hantwister".
|
|
- Avoid an off-by-one error when checking buffer boundaries when
|
|
formatting the exit status of a pluggable transport helper.
|
|
This is probably not an exploitable bug, but better safe than
|
|
sorry. Fixes bug 9928; bugfix on 0.2.3.18-rc. Bug found by
|
|
Pedro Ribeiro.
|
|
|
|
o Minor features (protecting client timestamps):
|
|
- Clients no longer send timestamps in their NETINFO cells. These were
|
|
not used for anything, and they provided one small way for clients
|
|
to be distinguished from each other as they moved from network to
|
|
network or behind NAT. Implements part of proposal 222.
|
|
- Clients now round timestamps in INTRODUCE cells down to the nearest
|
|
10 minutes. If a new Support022HiddenServices option is set to 0, or
|
|
if it's set to "auto" and the feature is disabled in the consensus,
|
|
the timestamp is sent as 0 instead. Implements part of proposal 222.
|
|
- Stop sending timestamps in AUTHENTICATE cells. This is not such
|
|
a big deal from a security point of view, but it achieves no actual
|
|
good purpose, and isn't needed. Implements part of proposal 222.
|
|
- Reduce down accuracy of timestamps in hidden service descriptors.
|
|
Implements part of proposal 222.
|
|
|
|
o Minor features (other):
|
|
- Improve the circuit queue out-of-memory handler. Previously, when
|
|
we ran low on memory, we'd close whichever circuits had the most
|
|
queued cells. Now, we close those that have the *oldest* queued
|
|
cells, on the theory that those are most responsible for us
|
|
running low on memory. Based on analysis from a forthcoming paper
|
|
by Jansen, Tschorsch, Johnson, and Scheuermann. Fixes bug 9093.
|
|
- Generate bootstrapping status update events correctly when fetching
|
|
microdescriptors. Fixes bug 9927.
|
|
- Update to the October 2 2013 Maxmind GeoLite Country database.
|
|
|
|
o Documentation fixes:
|
|
- Clarify the usage and risks of setting the ContactInfo torrc line
|
|
for your relay or bridge. Resolves ticket 9854.
|
|
- Add anchors to the manpage so we can link to the html version of
|
|
the documentation for specific options. Resolves ticket 9866.
|
|
- Replace remaining references to DirServer in man page and
|
|
log entries. Resolves ticket 10124.
|
|
|
|
|
|
Changes in version 0.2.5.1-alpha - 2013-10-02
|
|
Tor 0.2.5.1-alpha introduces experimental support for syscall sandboxing
|
|
on Linux, allows bridges that offer pluggable transports to report usage
|
|
statistics, fixes many issues to make testing easier, and provides
|
|
a pile of minor features and bugfixes that have been waiting for a
|
|
release of the new branch.
|
|
|
|
This is the first alpha release in a new series, so expect there to
|
|
be bugs. Users who would rather test out a more stable branch should
|
|
stay with 0.2.4.x for now.
|
|
|
|
o Major features (security):
|
|
- Use the seccomp2 syscall filtering facility on Linux to limit
|
|
which system calls Tor can invoke. This is an experimental,
|
|
Linux-only feature to provide defense-in-depth against unknown
|
|
attacks. To try turning it on, set "Sandbox 1" in your torrc
|
|
file. Please be ready to report bugs. We hope to add support
|
|
for better sandboxing in the future, including more fine-grained
|
|
filters, better division of responsibility, and support for more
|
|
platforms. This work has been done by Cristian-Matei Toader for
|
|
Google Summer of Code.
|
|
- Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later.
|
|
Resolves ticket 6055. (OpenSSL before 1.0.1 didn't have TLS 1.1 or
|
|
1.2, and OpenSSL from 1.0.1 through 1.0.1d had bugs that prevented
|
|
renegotiation from working with TLS 1.1 or 1.2, so we had disabled
|
|
them to solve bug 6033.)
|
|
|
|
o Major features (other):
|
|
- Add support for passing arguments to managed pluggable transport
|
|
proxies. Implements ticket 3594.
|
|
- Bridges now track GeoIP information and the number of their users
|
|
even when pluggable transports are in use, and report usage
|
|
statistics in their extra-info descriptors. Resolves tickets 4773
|
|
and 5040.
|
|
- Make testing Tor networks bootstrap better: lower directory fetch
|
|
retry schedules and maximum interval without directory requests,
|
|
and raise maximum download tries. Implements ticket 6752.
|
|
- Add make target 'test-network' to run tests on a Chutney network.
|
|
Implements ticket 8530.
|
|
- The ntor handshake is now on-by-default, no matter what the
|
|
directory authorities recommend. Implements ticket 8561.
|
|
|
|
o Major bugfixes:
|
|
- Instead of writing destroy cells directly to outgoing connection
|
|
buffers, queue them and intersperse them with other outgoing cells.
|
|
This can prevent a set of resource starvation conditions where too
|
|
many pending destroy cells prevent data cells from actually getting
|
|
delivered. Reported by "oftc_must_be_destroyed". Fixes bug 7912;
|
|
bugfix on 0.2.0.1-alpha.
|
|
- If we are unable to save a microdescriptor to the journal, do not
|
|
drop it from memory and then reattempt downloading it. Fixes bug
|
|
9645; bugfix on 0.2.2.6-alpha.
|
|
- The new channel code sometimes lost track of in-progress circuits,
|
|
causing long-running clients to stop building new circuits. The
|
|
fix is to always call circuit_n_chan_done(chan, 0) from
|
|
channel_closed(). Fixes bug 9776; bugfix on 0.2.4.17-rc.
|
|
|
|
o Build features:
|
|
- Tor now builds each source file in two modes: a mode that avoids
|
|
exposing identifiers needlessly, and another mode that exposes
|
|
more identifiers for testing. This lets the compiler do better at
|
|
optimizing the production code, while enabling us to take more
|
|
radical measures to let the unit tests test things.
|
|
- The production builds no longer include functions used only in
|
|
the unit tests; all functions exposed from a module only for
|
|
unit-testing are now static in production builds.
|
|
- Add an --enable-coverage configuration option to make the unit
|
|
tests (and a new src/or/tor-cov target) to build with gcov test
|
|
coverage support.
|
|
|
|
o Testing:
|
|
- We now have rudimentary function mocking support that our unit
|
|
tests can use to test functions in isolation. Function mocking
|
|
lets the tests temporarily replace a function's dependencies with
|
|
stub functions, so that the tests can check the function without
|
|
invoking the other functions it calls.
|
|
- Add more unit tests for the <circid,channel>->circuit map, and
|
|
the destroy-cell-tracking code to fix bug 7912.
|
|
- Unit tests for failing cases of the TAP onion handshake.
|
|
- More unit tests for address-manipulation functions.
|
|
|
|
o Minor features (protecting client timestamps):
|
|
- Clients no longer send timestamps in their NETINFO cells. These were
|
|
not used for anything, and they provided one small way for clients
|
|
to be distinguished from each other as they moved from network to
|
|
network or behind NAT. Implements part of proposal 222.
|
|
- Clients now round timestamps in INTRODUCE cells down to the nearest
|
|
10 minutes. If a new Support022HiddenServices option is set to 0, or
|
|
if it's set to "auto" and the feature is disabled in the consensus,
|
|
the timestamp is sent as 0 instead. Implements part of proposal 222.
|
|
- Stop sending timestamps in AUTHENTICATE cells. This is not such
|
|
a big deal from a security point of view, but it achieves no actual
|
|
good purpose, and isn't needed. Implements part of proposal 222.
|
|
- Reduce down accuracy of timestamps in hidden service descriptors.
|
|
Implements part of proposal 222.
|
|
|
|
o Minor features (config options):
|
|
- Config (torrc) lines now handle fingerprints which are missing
|
|
their initial '$'. Resolves ticket 4341; improvement over 0.0.9pre5.
|
|
- Support a --dump-config option to print some or all of the
|
|
configured options. Mainly useful for debugging the command-line
|
|
option parsing code. Helps resolve ticket 4647.
|
|
- Raise awareness of safer logging: notify user of potentially
|
|
unsafe config options, like logging more verbosely than severity
|
|
"notice" or setting SafeLogging to 0. Resolves ticket 5584.
|
|
- Add a new configuration option TestingV3AuthVotingStartOffset
|
|
that bootstraps a network faster by changing the timing for
|
|
consensus votes. Addresses ticket 8532.
|
|
- Add a new torrc option "ServerTransportOptions" that allows
|
|
bridge operators to pass configuration parameters to their
|
|
pluggable transports. Resolves ticket 8929.
|
|
- The config (torrc) file now accepts bandwidth and space limits in
|
|
bits as well as bytes. (Anywhere that you can say "2 Kilobytes",
|
|
you can now say "16 kilobits", and so on.) Resolves ticket 9214.
|
|
Patch by CharlieB.
|
|
|
|
o Minor features (build):
|
|
- Add support for `--library-versions` flag. Implements ticket 6384.
|
|
- Return the "unexpected sendme" warnings to a warn severity, but make
|
|
them rate limited, to help diagnose ticket 8093.
|
|
- Detect a missing asciidoc, and warn the user about it, during
|
|
configure rather than at build time. Fixes issue 6506. Patch from
|
|
Arlo Breault.
|
|
|
|
o Minor features (other):
|
|
- Use the SOCK_NONBLOCK socket type, if supported, to open nonblocking
|
|
sockets in a single system call. Implements ticket 5129.
|
|
- Log current accounting state (bytes sent and received + remaining
|
|
time for the current accounting period) in the relay's heartbeat
|
|
message. Implements ticket 5526; patch from Peter Retzlaff.
|
|
- Implement the TRANSPORT_LAUNCHED control port event that
|
|
notifies controllers about new launched pluggable
|
|
transports. Resolves ticket 5609.
|
|
- If we're using the pure-C 32-bit curve25519_donna implementation
|
|
of curve25519, build it with the -fomit-frame-pointer option to
|
|
make it go faster on register-starved hosts. This improves our
|
|
handshake performance by about 6% on i386 hosts without nacl.
|
|
Closes ticket 8109.
|
|
- Update to the September 4 2013 Maxmind GeoLite Country database.
|
|
|
|
o Minor bugfixes:
|
|
- Set the listen() backlog limit to the largest actually supported
|
|
on the system, not to the value in a header file. Fixes bug 9716;
|
|
bugfix on every released Tor.
|
|
- No longer accept malformed http headers when parsing urls from
|
|
headers. Now we reply with Bad Request ("400"). Fixes bug 2767;
|
|
bugfix on 0.0.6pre1.
|
|
- In munge_extrainfo_into_routerinfo(), check the return value of
|
|
memchr(). This would have been a serious issue if we ever passed
|
|
it a non-extrainfo. Fixes bug 8791; bugfix on 0.2.0.6-alpha. Patch
|
|
from Arlo Breault.
|
|
- On the chance that somebody manages to build Tor on a
|
|
platform where time_t is unsigned, correct the way that
|
|
microdesc_add_to_cache() handles negative time arguments.
|
|
Fixes bug 8042; bugfix on 0.2.3.1-alpha.
|
|
- Reject relative control socket paths and emit a warning. Previously,
|
|
single-component control socket paths would be rejected, but Tor
|
|
would not log why it could not validate the config. Fixes bug 9258;
|
|
bugfix on 0.2.3.16-alpha.
|
|
|
|
o Minor bugfixes (command line):
|
|
- Use a single command-line parser for parsing torrc options on the
|
|
command line and for finding special command-line options to avoid
|
|
inconsistent behavior for torrc option arguments that have the same
|
|
names as command-line options. Fixes bugs 4647 and 9578; bugfix on
|
|
0.0.9pre5.
|
|
- No longer allow 'tor --hash-password' with no arguments. Fixes bug
|
|
9573; bugfix on 0.0.9pre5.
|
|
|
|
o Minor fixes (build, auxiliary programs):
|
|
- Stop preprocessing the "torify" script with autoconf, since
|
|
it no longer refers to LOCALSTATEDIR. Fixes bug 5505; patch
|
|
from Guilhem.
|
|
- The tor-fw-helper program now follows the standard convention and
|
|
exits with status code "0" on success. Fixes bug 9030; bugfix on
|
|
0.2.3.1-alpha. Patch by Arlo Breault.
|
|
- Corrected ./configure advice for what openssl dev package you should
|
|
install on Debian. Fixes bug 9207; bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor code improvements:
|
|
- Remove constants and tests for PKCS1 padding; it's insecure and
|
|
shouldn't be used for anything new. Fixes bug 8792; patch
|
|
from Arlo Breault.
|
|
- Remove instances of strcpy() from the unit tests. They weren't
|
|
hurting anything, since they were only in the unit tests, but it's
|
|
embarassing to have strcpy() in the code at all, and some analysis
|
|
tools don't like it. Fixes bug 8790; bugfix on 0.2.3.6-alpha and
|
|
0.2.3.8-alpha. Patch from Arlo Breault.
|
|
|
|
o Removed features:
|
|
- Remove migration code from when we renamed the "cached-routers"
|
|
file to "cached-descriptors" back in 0.2.0.8-alpha. This
|
|
incidentally resolves ticket 6502 by cleaning up the related code
|
|
a bit. Patch from Akshay Hebbar.
|
|
|
|
o Code simplification and refactoring:
|
|
- Extract the common duplicated code for creating a subdirectory
|
|
of the data directory and writing to a file in it. Fixes ticket
|
|
4282; patch from Peter Retzlaff.
|
|
- Since OpenSSL 0.9.7, the i2d_*() functions support allocating output
|
|
buffer. Avoid calling twice: i2d_RSAPublicKey(), i2d_DHparams(),
|
|
i2d_X509(), and i2d_PublicKey(). Resolves ticket 5170.
|
|
- Add a set of accessor functions for the circuit timeout data
|
|
structure. Fixes ticket 6153; patch from "piet".
|
|
- Clean up exit paths from connection_listener_new(). Closes ticket
|
|
8789. Patch from Arlo Breault.
|
|
- Since we rely on OpenSSL 0.9.8 now, we can use EVP_PKEY_cmp()
|
|
and drop our own custom pkey_eq() implementation. Fixes bug 9043.
|
|
- Use a doubly-linked list to implement the global circuit list.
|
|
Resolves ticket 9108. Patch from Marek Majkowski.
|
|
- Remove contrib/id_to_fp.c since it wasn't used anywhere.
|
|
|
|
|
|
Changes in version 0.2.4.17-rc - 2013-09-05
|
|
Tor 0.2.4.17-rc is the third release candidate for the Tor 0.2.4.x
|
|
series. It adds an emergency step to help us tolerate the massive
|
|
influx of users: 0.2.4 clients using the new (faster and safer) "NTor"
|
|
circuit-level handshakes now effectively jump the queue compared to
|
|
the 0.2.3 clients using "TAP" handshakes. This release also fixes a
|
|
big bug hindering bridge reachability tests.
|
|
|
|
o Major features:
|
|
- Relays now process the new "NTor" circuit-level handshake requests
|
|
with higher priority than the old "TAP" circuit-level handshake
|
|
requests. We still process some TAP requests to not totally starve
|
|
0.2.3 clients when NTor becomes popular. A new consensus parameter
|
|
"NumNTorsPerTAP" lets us tune the balance later if we need to.
|
|
Implements ticket 9574.
|
|
|
|
o Major bugfixes:
|
|
- If the circuit build timeout logic is disabled (via the consensus,
|
|
or because we are an authority), then don't build testing circuits.
|
|
Fixes bug 9657; bugfix on 0.2.2.14-alpha.
|
|
- Bridges now send AUTH_CHALLENGE cells during their v3 handshakes;
|
|
previously they did not, which prevented them from receiving
|
|
successful connections from relays for self-test or bandwidth
|
|
testing. Also, when a relay is extending a circuit to a bridge,
|
|
it needs to send a NETINFO cell, even when the bridge hasn't sent
|
|
an AUTH_CHALLENGE cell. Fixes bug 9546; bugfix on 0.2.3.6-alpha.
|
|
- If the time to download the next old-style networkstatus is in
|
|
the future, do not decline to consider whether to download the
|
|
next microdescriptor networkstatus. Fixes bug 9564; bugfix on
|
|
0.2.3.14-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Avoid double-closing the listener socket in our socketpair()
|
|
replacement (used on Windows) in the case where the addresses on
|
|
our opened sockets don't match what we expected. Fixes bug 9400;
|
|
bugfix on 0.0.2pre7. Found by Coverity.
|
|
|
|
o Minor fixes (config options):
|
|
- Avoid overflows when the user sets MaxCircuitDirtiness to a
|
|
ridiculously high value, by imposing a (ridiculously high) 30-day
|
|
maximum on MaxCircuitDirtiness.
|
|
- Fix the documentation of HeartbeatPeriod to say that the heartbeat
|
|
message is logged at notice, not at info.
|
|
- Warn and fail if a server is configured not to advertise any
|
|
ORPorts at all. (We need *something* to put in our descriptor,
|
|
or we just won't work.)
|
|
|
|
o Minor features:
|
|
- Track how many "TAP" and "NTor" circuit handshake requests we get,
|
|
and how many we complete, and log it every hour to help relay
|
|
operators follow trends in network load. Addresses ticket 9658.
|
|
- Update to the August 7 2013 Maxmind GeoLite Country database.
|
|
|
|
|
|
Changes in version 0.2.4.16-rc - 2013-08-10
|
|
Tor 0.2.4.16-rc is the second release candidate for the Tor 0.2.4.x
|
|
series. It fixes several crash bugs in the 0.2.4 branch.
|
|
|
|
o Major bugfixes:
|
|
- Fix a bug in the voting algorithm that could yield incorrect results
|
|
when a non-naming authority declared too many flags. Fixes bug 9200;
|
|
bugfix on 0.2.0.3-alpha.
|
|
- Fix an uninitialized read that could in some cases lead to a remote
|
|
crash while parsing INTRODUCE2 cells. Bugfix on 0.2.4.1-alpha.
|
|
Anybody running a hidden service on the experimental 0.2.4.x
|
|
branch should upgrade. (This is, so far as we know, unrelated to
|
|
the recent news.)
|
|
- Avoid an assertion failure when processing DNS replies without the
|
|
answer types we expected. Fixes bug 9337; bugfix on 0.2.4.7-alpha.
|
|
- Avoid a crash when using --hash-password. Fixes bug 9295; bugfix on
|
|
0.2.4.15-rc. Found by stem integration tests.
|
|
|
|
o Minor bugfixes:
|
|
- Fix an invalid memory read that occured when a pluggable
|
|
transport proxy failed its configuration protocol.
|
|
Fixes bug 9288; bugfix on 0.2.4.1-alpha.
|
|
- When evaluating whether to use a connection that we haven't
|
|
decided is canonical using a recent link protocol version,
|
|
decide that it's canonical only if it used address _does_
|
|
match the desired address. Fixes bug 9309; bugfix on
|
|
0.2.4.4-alpha. Reported by skruffy.
|
|
- Make the default behavior of NumDirectoryGuards be to track
|
|
NumEntryGuards. Now a user who changes only NumEntryGuards will get
|
|
the behavior she expects. Fixes bug 9354; bugfix on 0.2.4.8-alpha.
|
|
- Fix a spurious compilation warning with some older versions of
|
|
GCC on FreeBSD. Fixes bug 9254; bugfix on 0.2.4.14-alpha.
|
|
|
|
o Minor features:
|
|
- Update to the July 3 2013 Maxmind GeoLite Country database.
|
|
|
|
|
|
Changes in version 0.2.4.15-rc - 2013-07-01
|
|
Tor 0.2.4.15-rc is the first release candidate for the Tor 0.2.4.x
|
|
series. It fixes a few smaller bugs, but generally appears stable.
|
|
Please test it and let us know whether it is!
|
|
|
|
o Major bugfixes:
|
|
- When receiving a new configuration file via the control port's
|
|
LOADCONF command, do not treat the defaults file as absent.
|
|
Fixes bug 9122; bugfix on 0.2.3.9-alpha.
|
|
|
|
o Minor features:
|
|
- Issue a warning when running with the bufferevents backend enabled.
|
|
It's still not stable, and people should know that they're likely
|
|
to hit unexpected problems. Closes ticket 9147.
|
|
|
|
|
|
Changes in version 0.2.4.14-alpha - 2013-06-18
|
|
Tor 0.2.4.14-alpha fixes a pair of client guard enumeration problems
|
|
present in 0.2.4.13-alpha.
|
|
|
|
o Major bugfixes:
|
|
- When we have too much memory queued in circuits (according to a new
|
|
MaxMemInCellQueues option), close the circuits consuming the most
|
|
memory. This prevents us from running out of memory as a relay if
|
|
circuits fill up faster than they can be drained. Fixes bug 9063;
|
|
bugfix on the 54th commit of Tor. This bug is a further fix beyond
|
|
bug 6252, whose fix was merged into 0.2.3.21-rc.
|
|
|
|
This change also fixes an earlier approach taken in 0.2.4.13-alpha,
|
|
where we tried to solve this issue simply by imposing an upper limit
|
|
on the number of queued cells for a single circuit. That approach
|
|
proved to be problematic, since there are ways to provoke clients to
|
|
send a number of cells in excess of any such reasonable limit. Fixes
|
|
bug 9072; bugfix on 0.2.4.13-alpha.
|
|
|
|
- Limit hidden service descriptors to at most ten introduction
|
|
points, to slow one kind of guard enumeration. Fixes bug 9002;
|
|
bugfix on 0.1.1.11-alpha.
|
|
|
|
|
|
Changes in version 0.2.4.13-alpha - 2013-06-14
|
|
Tor 0.2.4.13-alpha fixes a variety of potential remote crash
|
|
vulnerabilities, makes socks5 username/password circuit isolation
|
|
actually actually work (this time for sure!), and cleans up a bunch
|
|
of other issues in preparation for a release candidate.
|
|
|
|
o Major bugfixes (robustness):
|
|
- Close any circuit that has too many cells queued on it. Fixes
|
|
bug 9063; bugfix on the 54th commit of Tor. This bug is a further
|
|
fix beyond bug 6252, whose fix was merged into 0.2.3.21-rc.
|
|
- Prevent the get_freelists() function from running off the end of
|
|
the list of freelists if it somehow gets an unrecognized
|
|
allocation. Fixes bug 8844; bugfix on 0.2.0.16-alpha. Reported by
|
|
eugenis.
|
|
- Avoid an assertion failure on OpenBSD (and perhaps other BSDs)
|
|
when an exit connection with optimistic data succeeds immediately
|
|
rather than returning EINPROGRESS. Fixes bug 9017; bugfix on
|
|
0.2.3.1-alpha.
|
|
- Fix a directory authority crash bug when building a consensus
|
|
using an older consensus as its basis. Fixes bug 8833. Bugfix
|
|
on 0.2.4.12-alpha.
|
|
|
|
o Major bugfixes:
|
|
- Avoid a memory leak where we would leak a consensus body when we
|
|
find that a consensus which we couldn't previously verify due to
|
|
missing certificates is now verifiable. Fixes bug 8719; bugfix
|
|
on 0.2.0.10-alpha.
|
|
- We used to always request authority certificates by identity digest,
|
|
meaning we'd get the newest one even when we wanted one with a
|
|
different signing key. Then we would complain about being given
|
|
a certificate we already had, and never get the one we really
|
|
wanted. Now we use the "fp-sk/" resource as well as the "fp/"
|
|
resource to request the one we want. Fixes bug 5595; bugfix on
|
|
0.2.0.8-alpha.
|
|
- Follow the socks5 protocol when offering username/password
|
|
authentication. The fix for bug 8117 exposed this bug, and it
|
|
turns out real-world applications like Pidgin do care. Bugfix on
|
|
0.2.3.2-alpha; fixes bug 8879.
|
|
- Prevent failures on Windows Vista and later when rebuilding the
|
|
microdescriptor cache. Diagnosed by Robert Ransom. Fixes bug 8822;
|
|
bugfix on 0.2.4.12-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Fix an impossible buffer overrun in the AES unit tests. Fixes
|
|
bug 8845; bugfix on 0.2.0.7-alpha. Found by eugenis.
|
|
- If for some reason we fail to write a microdescriptor while
|
|
rebuilding the cache, do not let the annotations from that
|
|
microdescriptor linger in the cache file, and do not let the
|
|
microdescriptor stay recorded as present in its old location.
|
|
Fixes bug 9047; bugfix on 0.2.2.6-alpha.
|
|
- Fix a memory leak that would occur whenever a configuration
|
|
option changed. Fixes bug 8718; bugfix on 0.2.3.3-alpha.
|
|
- Paste the description for PathBias parameters from the man
|
|
page into or.h, so the code documents them too. Fixes bug 7982;
|
|
bugfix on 0.2.3.17-beta and 0.2.4.8-alpha.
|
|
- Relays now treat a changed IPv6 ORPort as sufficient reason to
|
|
publish an updated descriptor. Fixes bug 6026; bugfix on
|
|
0.2.4.1-alpha.
|
|
- When launching a resolve request on behalf of an AF_UNIX control
|
|
socket, omit the address field of the new entry connection, used in
|
|
subsequent controller events, rather than letting tor_dup_addr()
|
|
set it to "<unknown address type>". Fixes bug 8639; bugfix on
|
|
0.2.4.12-alpha.
|
|
|
|
o Minor bugfixes (log messages):
|
|
- Fix a scaling issue in the path bias accounting code that
|
|
resulted in "Bug:" log messages from either
|
|
pathbias_scale_close_rates() or pathbias_count_build_success().
|
|
This represents a bugfix on a previous bugfix: the original fix
|
|
attempted in 0.2.4.10-alpha was incomplete. Fixes bug 8235; bugfix
|
|
on 0.2.4.1-alpha.
|
|
- Give a less useless error message when the user asks for an IPv4
|
|
address on an IPv6-only port, or vice versa. Fixes bug 8846; bugfix
|
|
on 0.2.4.7-alpha.
|
|
|
|
o Minor features:
|
|
- Downgrade "unexpected SENDME" warnings to protocol-warn for 0.2.4.x,
|
|
to tolerate bug 8093 for now.
|
|
- Add an "ignoring-advertised-bws" boolean to the flag-threshold lines
|
|
in directory authority votes to describe whether they have enough
|
|
measured bandwidths to ignore advertised (relay descriptor)
|
|
bandwidth claims. Resolves ticket 8711.
|
|
- Update to the June 5 2013 Maxmind GeoLite Country database.
|
|
|
|
o Removed documentation:
|
|
- Remove some of the older contents of doc/ as obsolete; move others
|
|
to torspec.git. Fixes bug 8965.
|
|
|
|
o Code simplification and refactoring:
|
|
- Avoid using character buffers when constructing most directory
|
|
objects: this approach was unwieldy and error-prone. Instead,
|
|
build smartlists of strings, and concatenate them when done.
|
|
|
|
|
|
Changes in version 0.2.4.12-alpha - 2013-04-18
|
|
Tor 0.2.4.12-alpha moves Tor forward on several fronts: it starts the
|
|
process for lengthening the guard rotation period, makes directory
|
|
authority opinions in the consensus a bit less gameable, makes socks5
|
|
username/password circuit isolation actually work, and fixes a wide
|
|
variety of other issues.
|
|
|
|
o Major features:
|
|
- Raise the default time that a client keeps an entry guard from
|
|
"1-2 months" to "2-3 months", as suggested by Tariq Elahi's WPES
|
|
2012 paper. (We would make it even longer, but we need better client
|
|
load balancing first.) Also, make the guard lifetime controllable
|
|
via a new GuardLifetime torrc option and a GuardLifetime consensus
|
|
parameter. Start of a fix for bug 8240; bugfix on 0.1.1.11-alpha.
|
|
- Directory authorities now prefer using measured bandwidths to
|
|
advertised ones when computing flags and thresholds. Resolves
|
|
ticket 8273.
|
|
- Directory authorities that have more than a threshold number
|
|
of relays with measured bandwidths now treat relays with unmeasured
|
|
bandwidths as having bandwidth 0. Resolves ticket 8435.
|
|
|
|
o Major bugfixes (assert / resource use):
|
|
- Avoid a bug where our response to TLS renegotiation under certain
|
|
network conditions could lead to a busy-loop, with 100% CPU
|
|
consumption. Fixes bug 5650; bugfix on 0.2.0.16-alpha.
|
|
- Avoid an assertion when we discover that we'd like to write a cell
|
|
onto a closing connection: just discard the cell. Fixes another
|
|
case of bug 7350; bugfix on 0.2.4.4-alpha.
|
|
|
|
o Major bugfixes (client-side privacy):
|
|
- When we mark a circuit as unusable for new circuits, have it
|
|
continue to be unusable for new circuits even if MaxCircuitDirtiness
|
|
is increased too much at the wrong time, or the system clock jumps
|
|
backwards. Fixes bug 6174; bugfix on 0.0.2pre26.
|
|
- If ClientDNSRejectInternalAddresses ("do not believe DNS queries
|
|
which have resolved to internal addresses") is set, apply that
|
|
rule to IPv6 as well. Fixes bug 8475; bugfix on 0.2.0.7-alpha.
|
|
- When an exit relay rejects a stream with reason "exit policy", but
|
|
we only know an exit policy summary (e.g. from the microdesc
|
|
consensus) for it, do not mark the relay as useless for all exiting.
|
|
Instead, mark just the circuit as unsuitable for that particular
|
|
address. Fixes part of bug 7582; bugfix on 0.2.3.2-alpha.
|
|
- Allow applications to get proper stream isolation with
|
|
IsolateSOCKSAuth. Many SOCKS5 clients that want to offer
|
|
username/password authentication also offer "no authentication". Tor
|
|
had previously preferred "no authentication", so the applications
|
|
never actually sent Tor their auth details. Now Tor selects
|
|
username/password authentication if it's offered. You can disable
|
|
this behavior on a per-SOCKSPort basis via PreferSOCKSNoAuth. Fixes
|
|
bug 8117; bugfix on 0.2.3.3-alpha.
|
|
|
|
o Major bugfixes (other):
|
|
- When unable to find any working directory nodes to use as a
|
|
directory guard, give up rather than adding the same non-working
|
|
nodes to the directory guard list over and over. Fixes bug 8231;
|
|
bugfix on 0.2.4.8-alpha.
|
|
|
|
o Minor features:
|
|
- Reject as invalid most directory objects containing a NUL.
|
|
Belt-and-suspender fix for bug 8037.
|
|
- In our testsuite, create temporary directories with a bit more
|
|
entropy in their name to make name collisions less likely. Fixes
|
|
bug 8638.
|
|
- Add CACHED keyword to ADDRMAP events in the control protocol
|
|
to indicate whether a DNS result will be cached or not. Resolves
|
|
ticket 8596.
|
|
- Update to the April 3 2013 Maxmind GeoLite Country database.
|
|
|
|
o Minor features (build):
|
|
- Detect and reject attempts to build Tor with threading support
|
|
when OpenSSL has been compiled without threading support.
|
|
Fixes bug 6673.
|
|
- Clarify that when autoconf is checking for nacl, it is checking
|
|
specifically for nacl with a fast curve25519 implementation.
|
|
Fixes bug 8014.
|
|
- Warn if building on a platform with an unsigned time_t: there
|
|
are too many places where Tor currently assumes that time_t can
|
|
hold negative values. We'd like to fix them all, but probably
|
|
some will remain.
|
|
|
|
o Minor bugfixes (build):
|
|
- Fix some bugs in tor-fw-helper-natpmp when trying to build and
|
|
run it on Windows. More bugs likely remain. Patch from Gisle Vanem.
|
|
Fixes bug 7280; bugfix on 0.2.3.1-alpha.
|
|
- Add the old src/or/micro-revision.i filename to CLEANFILES.
|
|
On the off chance that somebody has one, it will go away as soon
|
|
as they run "make clean". Fix for bug 7143; bugfix on 0.2.4.1-alpha.
|
|
- Build Tor correctly on 32-bit platforms where the compiler can build
|
|
but not run code using the "uint128_t" construction. Fixes bug 8587;
|
|
bugfix on 0.2.4.8-alpha.
|
|
- Fix compilation warning with some versions of clang that would
|
|
prefer the -Wswitch-enum compiler flag to warn about switch
|
|
statements with missing enum values, even if those switch
|
|
statements have a "default:" statement. Fixes bug 8598; bugfix
|
|
on 0.2.4.10-alpha.
|
|
|
|
o Minor bugfixes (protocol):
|
|
- Fix the handling of a TRUNCATE cell when it arrives while the
|
|
circuit extension is in progress. Fixes bug 7947; bugfix on 0.0.7.1.
|
|
- Fix a misframing issue when reading the version numbers in a
|
|
VERSIONS cell. Previously we would recognize [00 01 00 02] as
|
|
'version 1, version 2, and version 0x100', when it should have
|
|
only included versions 1 and 2. Fixes bug 8059; bugfix on
|
|
0.2.0.10-alpha. Reported pseudonymously.
|
|
- Make the format and order of STREAM events for DNS lookups
|
|
consistent among the various ways to launch DNS lookups. Fixes
|
|
bug 8203; bugfix on 0.2.0.24-rc. Patch by "Desoxy".
|
|
- Correct our check for which versions of Tor support the EXTEND2
|
|
cell. We had been willing to send it to Tor 0.2.4.7-alpha and
|
|
later, when support was really added in version 0.2.4.8-alpha.
|
|
Fixes bug 8464; bugfix on 0.2.4.8-alpha.
|
|
|
|
o Minor bugfixes (other):
|
|
- Correctly store microdescriptors and extrainfo descriptors with
|
|
an internal NUL byte. Fixes bug 8037; bugfix on 0.2.0.1-alpha.
|
|
Bug reported by "cypherpunks".
|
|
- Increase the width of the field used to remember a connection's
|
|
link protocol version to two bytes. Harmless for now, since the
|
|
only currently recognized versions are one byte long. Reported
|
|
pseudonymously. Fixes bug 8062; bugfix on 0.2.0.10-alpha.
|
|
- If the state file's path bias counts are invalid (presumably from a
|
|
buggy Tor prior to 0.2.4.10-alpha), make them correct. Also add
|
|
additional checks and log messages to the scaling of Path Bias
|
|
counts, in case there still are remaining issues with scaling.
|
|
Should help resolve bug 8235.
|
|
- Eliminate several instances where we use "Nickname=ID" to refer to
|
|
nodes in logs. Use "Nickname (ID)" instead. (Elsewhere, we still use
|
|
"$ID=Nickname", which is also acceptable.) Fixes bug 7065. Bugfix
|
|
on 0.2.3.21-rc, 0.2.4.5-alpha, 0.2.4.8-alpha, and 0.2.4.10-alpha.
|
|
|
|
o Minor bugfixes (syscalls):
|
|
- Always check the return values of functions fcntl() and
|
|
setsockopt(). We don't believe these are ever actually failing in
|
|
practice, but better safe than sorry. Also, checking these return
|
|
values should please analysis tools like Coverity. Patch from
|
|
'flupzor'. Fixes bug 8206; bugfix on all versions of Tor.
|
|
- Use direct writes rather than stdio when building microdescriptor
|
|
caches, in an attempt to mitigate bug 8031, or at least make it
|
|
less common.
|
|
|
|
o Minor bugfixes (config):
|
|
- When rejecting a configuration because we were unable to parse a
|
|
quoted string, log an actual error message. Fixes bug 7950; bugfix
|
|
on 0.2.0.16-alpha.
|
|
- Behave correctly when the user disables LearnCircuitBuildTimeout
|
|
but doesn't tell us what they would like the timeout to be. Fixes
|
|
bug 6304; bugfix on 0.2.2.14-alpha.
|
|
- When autodetecting the number of CPUs, use the number of available
|
|
CPUs in preference to the number of configured CPUs. Inform the
|
|
user if this reduces the number of available CPUs. Fixes bug 8002;
|
|
bugfix on 0.2.3.1-alpha.
|
|
- Make it an error when you set EntryNodes but disable UseGuardNodes,
|
|
since it will (surprisingly to some users) ignore EntryNodes. Fixes
|
|
bug 8180; bugfix on 0.2.3.11-alpha.
|
|
- Allow TestingTorNetworks to override the 4096-byte minimum for
|
|
the Fast threshold. Otherwise they can't bootstrap until they've
|
|
observed more traffic. Fixes bug 8508; bugfix on 0.2.4.10-alpha.
|
|
- Fix some logic errors when the user manually overrides the
|
|
PathsNeededToBuildCircuits option in torrc. Fixes bug 8599; bugfix
|
|
on 0.2.4.10-alpha.
|
|
|
|
o Minor bugfixes (log messages to help diagnose bugs):
|
|
- If we fail to free a microdescriptor because of bug 7164, log
|
|
the filename and line number from which we tried to free it.
|
|
- Add another diagnostic to the heartbeat message: track and log
|
|
overhead that TLS is adding to the data we write. If this is
|
|
high, we are sending too little data to SSL_write at a time.
|
|
Diagnostic for bug 7707.
|
|
- Add more detail to a log message about relaxed timeouts, to help
|
|
track bug 7799.
|
|
- Warn more aggressively when flushing microdescriptors to a
|
|
microdescriptor cache fails, in an attempt to mitigate bug 8031,
|
|
or at least make it more diagnosable.
|
|
- Improve debugging output to help track down bug 8185 ("Bug:
|
|
outgoing relay cell has n_chan==NULL. Dropping.")
|
|
- Log the purpose of a path-bias testing circuit correctly.
|
|
Improves a log message from bug 8477; bugfix on 0.2.4.8-alpha.
|
|
|
|
o Minor bugfixes (0.2.4.x log messages that were too noisy):
|
|
- Don't attempt to relax the timeout of already opened 1-hop circuits.
|
|
They might never timeout. This should eliminate some/all cases of
|
|
the relaxed timeout log message.
|
|
- Use circuit creation time for network liveness evaluation. This
|
|
should eliminate warning log messages about liveness caused
|
|
by changes in timeout evaluation. Fixes bug 6572; bugfix on
|
|
0.2.4.8-alpha.
|
|
- Reduce a path bias length check from notice to info. The message
|
|
is triggered when creating controller circuits. Fixes bug 8196;
|
|
bugfix on 0.2.4.8-alpha.
|
|
- Fix a path state issue that triggered a notice during relay startup.
|
|
Fixes bug 8320; bugfix on 0.2.4.10-alpha.
|
|
- Reduce occurrences of warns about circuit purpose in
|
|
connection_ap_expire_building(). Fixes bug 8477; bugfix on
|
|
0.2.4.11-alpha.
|
|
|
|
o Minor bugfixes (pre-0.2.4.x log messages that were too noisy):
|
|
- If we encounter a write failure on a SOCKS connection before we
|
|
finish our SOCKS handshake, don't warn that we closed the
|
|
connection before we could send a SOCKS reply. Fixes bug 8427;
|
|
bugfix on 0.1.0.1-rc.
|
|
- Correctly recognize that [::1] is a loopback address. Fixes
|
|
bug 8377; bugfix on 0.2.1.3-alpha.
|
|
- Fix a directory authority warn caused when we have a large amount
|
|
of badexit bandwidth. Fixes bug 8419; bugfix on 0.2.2.10-alpha.
|
|
- Don't log inappropriate heartbeat messages when hibernating: a
|
|
hibernating node is _expected_ to drop out of the consensus,
|
|
decide it isn't bootstrapped, and so forth. Fixes bug 7302;
|
|
bugfix on 0.2.3.1-alpha.
|
|
- Don't complain about bootstrapping problems while hibernating.
|
|
These complaints reflect a general code problem, but not one
|
|
with any problematic effects (no connections are actually
|
|
opened). Fixes part of bug 7302; bugfix on 0.2.3.2-alpha.
|
|
|
|
o Documentation fixes:
|
|
- Update tor-fw-helper.1.txt and tor-fw-helper.c to make option
|
|
names match. Fixes bug 7768.
|
|
- Make the torify manpage no longer refer to tsocks; torify hasn't
|
|
supported tsocks since 0.2.3.14-alpha.
|
|
- Make the tor manpage no longer reference tsocks.
|
|
- Fix the GeoIPExcludeUnknown documentation to refer to
|
|
ExcludeExitNodes rather than the currently nonexistent
|
|
ExcludeEntryNodes. Spotted by "hamahangi" on tor-talk.
|
|
|
|
o Removed files:
|
|
- The tor-tsocks.conf is no longer distributed or installed. We
|
|
recommend that tsocks users use torsocks instead. Resolves
|
|
ticket 8290.
|
|
|
|
|
|
Changes in version 0.2.4.11-alpha - 2013-03-11
|
|
Tor 0.2.4.11-alpha makes relay measurement by directory authorities
|
|
more robust, makes hidden service authentication work again, and
|
|
resolves a DPI fingerprint for Tor's SSL transport.
|
|
|
|
o Major features (directory authorities):
|
|
- Directory authorities now support a new consensus method (17)
|
|
where they cap the published bandwidth of servers for which
|
|
insufficient bandwidth measurements exist. Fixes part of bug 2286.
|
|
- Directory authorities that set "DisableV2DirectoryInfo_ 1" no longer
|
|
serve any v2 directory information. Now we can test disabling the
|
|
old deprecated v2 directory format, and see whether doing so has
|
|
any effect on network load. Begins to fix bug 6783.
|
|
- Directory authorities now include inside each vote a statement of
|
|
the performance thresholds they used when assigning flags.
|
|
Implements ticket 8151.
|
|
|
|
o Major bugfixes (directory authorities):
|
|
- Stop marking every relay as having been down for one hour every
|
|
time we restart a directory authority. These artificial downtimes
|
|
were messing with our Stable and Guard flag calculations. Fixes
|
|
bug 8218 (introduced by the fix for 1035). Bugfix on 0.2.2.23-alpha.
|
|
|
|
o Major bugfixes (hidden services):
|
|
- Allow hidden service authentication to succeed again. When we
|
|
refactored the hidden service introduction code back
|
|
in 0.2.4.1-alpha, we didn't update the code that checks
|
|
whether authentication information is present, causing all
|
|
authentication checks to return "false". Fix for bug 8207; bugfix
|
|
on 0.2.4.1-alpha. Found by Coverity; this is CID 718615.
|
|
|
|
o Minor features (relays, bridges):
|
|
- Make bridge relays check once a minute for whether their IP
|
|
address has changed, rather than only every 15 minutes. Resolves
|
|
bugs 1913 and 1992.
|
|
- Refactor resolve_my_address() so it returns the method by which we
|
|
decided our public IP address (explicitly configured, resolved from
|
|
explicit hostname, guessed from interfaces, learned by gethostname).
|
|
Now we can provide more helpful log messages when a relay guesses
|
|
its IP address incorrectly (e.g. due to unexpected lines in
|
|
/etc/hosts). Resolves ticket 2267.
|
|
- Teach bridge-using clients to avoid 0.2.2 bridges when making
|
|
microdescriptor-related dir requests, and only fall back to normal
|
|
descriptors if none of their bridges can handle microdescriptors
|
|
(as opposed to the fix in ticket 4013, which caused them to fall
|
|
back to normal descriptors if *any* of their bridges preferred
|
|
them). Resolves ticket 4994.
|
|
- Randomize the lifetime of our SSL link certificate, so censors can't
|
|
use the static value for filtering Tor flows. Resolves ticket 8443;
|
|
related to ticket 4014 which was included in 0.2.2.33.
|
|
- Support a new version of the link protocol that allows 4-byte circuit
|
|
IDs. Previously, circuit IDs were limited to 2 bytes, which presented
|
|
a possible resource exhaustion issue. Closes ticket 7351; implements
|
|
proposal 214.
|
|
|
|
o Minor features (portability):
|
|
- Tweak the curve25519-donna*.c implementations to tolerate systems
|
|
that lack stdint.h. Fixes bug 3894; bugfix on 0.2.4.8-alpha.
|
|
- Use Ville Laurikari's implementation of AX_CHECK_SIGN() to determine
|
|
the signs of types during autoconf. This is better than our old
|
|
approach, which didn't work when cross-compiling.
|
|
- Detect the sign of enum values, rather than assuming that MSC is the
|
|
only compiler where enum types are all signed. Fixes bug 7727;
|
|
bugfix on 0.2.4.10-alpha.
|
|
|
|
o Minor features (other):
|
|
- Say "KBytes" rather than "KB" in the man page (for various values
|
|
of K), to further reduce confusion about whether Tor counts in
|
|
units of memory or fractions of units of memory. Resolves ticket 7054.
|
|
- Clear the high bit on curve25519 public keys before passing them to
|
|
our backend, in case we ever wind up using a backend that doesn't do
|
|
so itself. If we used such a backend, and *didn't* clear the high bit,
|
|
we could wind up in a situation where users with such backends would
|
|
be distinguishable from users without. Fixes bug 8121; bugfix on
|
|
0.2.4.8-alpha.
|
|
- Update to the March 6 2013 Maxmind GeoLite Country database.
|
|
|
|
o Minor bugfixes (clients):
|
|
- When we receive a RELAY_END cell with the reason DONE, or with no
|
|
reason, before receiving a RELAY_CONNECTED cell, report the SOCKS
|
|
status as "connection refused". Previously we reported these cases
|
|
as success but then immediately closed the connection. Fixes bug
|
|
7902; bugfix on 0.1.0.1-rc. Reported by "oftc_must_be_destroyed".
|
|
- Downgrade an assertion in connection_ap_expire_beginning to an
|
|
LD_BUG message. The fix for bug 8024 should prevent this message
|
|
from displaying, but just in case, a warn that we can diagnose
|
|
is better than more assert crashes. Fixes bug 8065; bugfix on
|
|
0.2.4.8-alpha.
|
|
- Lower path use bias thresholds to .80 for notice and .60 for warn.
|
|
Also make the rate limiting flags for the path use bias log messages
|
|
independent from the original path bias flags. Fixes bug 8161;
|
|
bugfix on 0.2.4.10-alpha.
|
|
|
|
o Minor bugfixes (relays):
|
|
- Stop trying to resolve our hostname so often (e.g. every time we
|
|
think about doing a directory fetch). Now we reuse the cached
|
|
answer in some cases. Fixes bugs 1992 (bugfix on 0.2.0.20-rc)
|
|
and 2410 (bugfix on 0.1.2.2-alpha).
|
|
- Stop sending a stray "(null)" in some cases for the server status
|
|
"EXTERNAL_ADDRESS" controller event. Resolves bug 8200; bugfix
|
|
on 0.1.2.6-alpha.
|
|
- When choosing which stream on a formerly stalled circuit to wake
|
|
first, make better use of the platform's weak RNG. Previously,
|
|
we had been using the % ("modulo") operator to try to generate a
|
|
1/N chance of picking each stream, but this behaves badly with
|
|
many platforms' choice of weak RNG. Fixes bug 7801; bugfix on
|
|
0.2.2.20-alpha.
|
|
- Use our own weak RNG when we need a weak RNG. Windows's rand() and
|
|
Irix's random() only return 15 bits; Solaris's random() returns more
|
|
bits but its RAND_MAX says it only returns 15, and so on. Motivated
|
|
by the fix for bug 7801; bugfix on 0.2.2.20-alpha.
|
|
|
|
o Minor bugfixes (directory authorities):
|
|
- Directory authorities now use less space when formatting identical
|
|
microdescriptor lines in directory votes. Fixes bug 8158; bugfix
|
|
on 0.2.4.1-alpha.
|
|
|
|
o Minor bugfixes (memory leaks spotted by Coverity -- bug 7816):
|
|
- Avoid leaking memory if we fail to compute a consensus signature
|
|
or we generate a consensus we can't parse. Bugfix on 0.2.0.5-alpha.
|
|
- Fix a memory leak when receiving headers from an HTTPS proxy. Bugfix
|
|
on 0.2.1.1-alpha.
|
|
- Fix a memory leak during safe-cookie controller authentication.
|
|
Bugfix on 0.2.3.13-alpha.
|
|
- Avoid memory leak of IPv6 policy content if we fail to format it into
|
|
a router descriptor. Bugfix on 0.2.4.7-alpha.
|
|
|
|
o Minor bugfixes (other code correctness issues):
|
|
- Avoid a crash if we fail to generate an extrainfo descriptor.
|
|
Fixes bug 8208; bugfix on 0.2.3.16-alpha. Found by Coverity;
|
|
this is CID 718634.
|
|
- When detecting the largest possible file descriptor (in order to
|
|
close all file descriptors when launching a new program), actually
|
|
use _SC_OPEN_MAX. The old code for doing this was very, very broken.
|
|
Fixes bug 8209; bugfix on 0.2.3.1-alpha. Found by Coverity; this
|
|
is CID 743383.
|
|
- Fix a copy-and-paste error when adding a missing A1 to a routerset
|
|
because of GeoIPExcludeUnknown. Fix for Coverity CID 980650.
|
|
Bugfix on 0.2.4.10-alpha.
|
|
- Fix an impossible-to-trigger integer overflow when estimating how
|
|
long our onionskin queue would take. (This overflow would require us
|
|
to accept 4 million onionskins before processing 100 of them.) Fixes
|
|
bug 8210; bugfix on 0.2.4.10-alpha.
|
|
|
|
o Code simplification and refactoring:
|
|
- Add a wrapper function for the common "log a message with a
|
|
rate-limit" case.
|
|
|
|
|
|
Changes in version 0.2.4.10-alpha - 2013-02-04
|
|
Tor 0.2.4.10-alpha adds defenses at the directory authority level from
|
|
certain attacks that flood the network with relays; changes the queue
|
|
for circuit create requests from a sized-based limit to a time-based
|
|
limit; resumes building with MSVC on Windows; and fixes a wide variety
|
|
of other issues.
|
|
|
|
o Major bugfixes (directory authority):
|
|
- When computing directory thresholds, ignore any rejected-as-sybil
|
|
nodes during the computation so that they can't influence Fast,
|
|
Guard, etc. (We should have done this for proposal 109.) Fixes
|
|
bug 8146.
|
|
- When marking a node as a likely sybil, reset its uptime metrics
|
|
to zero, so that it cannot time towards getting marked as Guard,
|
|
Stable, or HSDir. (We should have done this for proposal 109.) Fixes
|
|
bug 8147.
|
|
|
|
o Major bugfixes:
|
|
- When a TLS write is partially successful but incomplete, remember
|
|
that the flushed part has been flushed, and notice that bytes were
|
|
actually written. Reported and fixed pseudonymously. Fixes bug
|
|
7708; bugfix on Tor 0.1.0.5-rc.
|
|
- Reject bogus create and relay cells with 0 circuit ID or 0 stream
|
|
ID: these could be used to create unexpected streams and circuits
|
|
which would count as "present" to some parts of Tor but "absent"
|
|
to others, leading to zombie circuits and streams or to a bandwidth
|
|
denial-of-service. Fixes bug 7889; bugfix on every released version
|
|
of Tor. Reported by "oftc_must_be_destroyed".
|
|
- Rename all macros in our local copy of queue.h to begin with "TOR_".
|
|
This change seems the only good way to permanently prevent conflicts
|
|
with queue.h on various operating systems. Fixes bug 8107; bugfix
|
|
on 0.2.4.6-alpha.
|
|
|
|
o Major features (relay):
|
|
- Instead of limiting the number of queued onionskins (aka circuit
|
|
create requests) to a fixed, hard-to-configure number, we limit
|
|
the size of the queue based on how many we expect to be able to
|
|
process in a given amount of time. We estimate the time it will
|
|
take to process an onionskin based on average processing time
|
|
of previous onionskins. Closes ticket 7291. You'll never have to
|
|
configure MaxOnionsPending again.
|
|
|
|
o Major features (portability):
|
|
- Resume building correctly with MSVC and Makefile.nmake. This patch
|
|
resolves numerous bugs and fixes reported by ultramage, including
|
|
7305, 7308, 7309, 7310, 7312, 7313, 7315, 7316, and 7669.
|
|
- Make the ntor and curve25519 code build correctly with MSVC.
|
|
Fix on 0.2.4.8-alpha.
|
|
|
|
o Minor features:
|
|
- When directory authorities are computing thresholds for flags,
|
|
never let the threshold for the Fast flag fall below 4096
|
|
bytes. Also, do not consider nodes with extremely low bandwidths
|
|
when deciding thresholds for various directory flags. This change
|
|
should raise our threshold for Fast relays, possibly in turn
|
|
improving overall network performance; see ticket 1854. Resolves
|
|
ticket 8145.
|
|
- The Tor client now ignores sub-domain components of a .onion
|
|
address. This change makes HTTP "virtual" hosting
|
|
possible: http://foo.aaaaaaaaaaaaaaaa.onion/ and
|
|
http://bar.aaaaaaaaaaaaaaaa.onion/ can be two different websites
|
|
hosted on the same hidden service. Implements proposal 204.
|
|
- We compute the overhead from passing onionskins back and forth to
|
|
cpuworkers, and report it when dumping statistics in response to
|
|
SIGUSR1. Supports ticket 7291.
|
|
|
|
o Minor features (path selection):
|
|
- When deciding whether we have enough descriptors to build circuits,
|
|
instead of looking at raw relay counts, look at which fraction
|
|
of (bandwidth-weighted) paths we're able to build. This approach
|
|
keeps clients from building circuits if their paths are likely to
|
|
stand out statistically. The default fraction of paths needed is
|
|
taken from the consensus directory; you can override it with the
|
|
new PathsNeededToBuildCircuits option. Fixes ticket 5956.
|
|
- When any country code is listed in ExcludeNodes or ExcludeExitNodes,
|
|
and we have GeoIP information, also exclude all nodes with unknown
|
|
countries "??" and "A1". This behavior is controlled by the
|
|
new GeoIPExcludeUnknown option: you can make such nodes always
|
|
excluded with "GeoIPExcludeUnknown 1", and disable the feature
|
|
with "GeoIPExcludeUnknown 0". Setting "GeoIPExcludeUnknown auto"
|
|
gets you the default behavior. Implements feature 7706.
|
|
- Path Use Bias: Perform separate accounting for successful circuit
|
|
use. Keep separate statistics on stream attempt rates versus stream
|
|
success rates for each guard. Provide configurable thresholds to
|
|
determine when to emit log messages or disable use of guards that
|
|
fail too many stream attempts. Resolves ticket 7802.
|
|
|
|
o Minor features (log messages):
|
|
- When learning a fingerprint for a bridge, log its corresponding
|
|
transport type. Implements ticket 7896.
|
|
- Improve the log message when "Bug/attack: unexpected sendme cell
|
|
from client" occurs, to help us track bug 8093.
|
|
|
|
o Minor bugfixes:
|
|
- Remove a couple of extraneous semicolons that were upsetting the
|
|
cparser library. Patch by Christian Grothoff. Fixes bug 7115;
|
|
bugfix on 0.2.2.1-alpha.
|
|
- Remove a source of rounding error during path bias count scaling;
|
|
don't count cannibalized circuits as used for path bias until we
|
|
actually try to use them; and fix a circuit_package_relay_cell()
|
|
warning message about n_chan==NULL. Fixes bug 7802.
|
|
- Detect nacl when its headers are in a nacl/ subdirectory. Also,
|
|
actually link against nacl when we're configured to use it. Fixes
|
|
bug 7972; bugfix on 0.2.4.8-alpha.
|
|
- Compile correctly with the --disable-curve25519 option. Fixes
|
|
bug 8153; bugfix on 0.2.4.8-alpha.
|
|
|
|
o Build improvements:
|
|
- Do not report status verbosely from autogen.sh unless the -v flag
|
|
is specified. Fixes issue 4664. Patch from Onizuka.
|
|
- Replace all calls to snprintf() outside of src/ext with
|
|
tor_snprintf(). Also remove the #define to replace snprintf with
|
|
_snprintf on Windows; they have different semantics, and all of
|
|
our callers should be using tor_snprintf() anyway. Fixes bug 7304.
|
|
- Try to detect if we are ever building on a platform where
|
|
memset(...,0,...) does not set the value of a double to 0.0. Such
|
|
platforms are permitted by the C standard, though in practice
|
|
they're pretty rare (since IEEE 754 is nigh-ubiquitous). We don't
|
|
currently support them, but it's better to detect them and fail
|
|
than to perform erroneously.
|
|
|
|
o Removed features:
|
|
- Stop exporting estimates of v2 and v3 directory traffic shares
|
|
in extrainfo documents. They were unneeded and sometimes inaccurate.
|
|
Also stop exporting any v2 directory request statistics. Resolves
|
|
ticket 5823.
|
|
- Drop support for detecting and warning about versions of Libevent
|
|
before 1.3e. Nothing reasonable ships with them any longer;
|
|
warning the user about them shouldn't be needed. Resolves ticket
|
|
6826.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Rename "isin" functions to "contains", for grammar. Resolves
|
|
ticket 5285.
|
|
- Rename Tor's logging function log() to tor_log(), to avoid conflicts
|
|
with the natural logarithm function from the system libm. Resolves
|
|
ticket 7599.
|
|
|
|
|
|
Changes in version 0.2.4.9-alpha - 2013-01-15
|
|
Tor 0.2.4.9-alpha provides a quick fix to make the new ntor handshake
|
|
work more robustly.
|
|
|
|
o Major bugfixes:
|
|
- Fix backward compatibility logic when receiving an embedded ntor
|
|
handshake tunneled in a CREATE cell. This clears up the "Bug:
|
|
couldn't format CREATED cell" warning. Fixes bug 7959; bugfix
|
|
on 0.2.4.8-alpha.
|
|
|
|
|
|
Changes in version 0.2.4.8-alpha - 2013-01-14
|
|
Tor 0.2.4.8-alpha introduces directory guards to reduce user enumeration
|
|
risks, adds a new stronger and faster circuit handshake, and offers
|
|
stronger and faster link encryption when both sides support it.
|
|
|
|
o Major features:
|
|
- Preliminary support for directory guards (proposal 207): when
|
|
possible, clients now use their entry guards for non-anonymous
|
|
directory requests. This can help prevent client enumeration. Note
|
|
that this behavior only works when we have a usable consensus
|
|
directory, and when options about what to download are more or less
|
|
standard. In the future we should re-bootstrap from our guards,
|
|
rather than re-bootstrapping from the preconfigured list of
|
|
directory sources that ships with Tor. Resolves ticket 6526.
|
|
- Tor relays and clients now support a better CREATE/EXTEND cell
|
|
format, allowing the sender to specify multiple address, identity,
|
|
and handshake types. Implements Robert Ransom's proposal 200;
|
|
closes ticket 7199.
|
|
|
|
o Major features (new circuit handshake):
|
|
- Tor now supports a new circuit extension handshake designed by Ian
|
|
Goldberg, Douglas Stebila, and Berkant Ustaoglu. Our original
|
|
circuit extension handshake, later called "TAP", was a bit slow
|
|
(especially on the relay side), had a fragile security proof, and
|
|
used weaker keys than we'd now prefer. The new circuit handshake
|
|
uses Dan Bernstein's "curve25519" elliptic-curve Diffie-Hellman
|
|
function, making it significantly more secure than the older
|
|
handshake, and significantly faster. Tor can use one of two built-in
|
|
pure-C curve25519-donna implementations by Adam Langley, or it
|
|
can link against the "nacl" library for a tuned version if present.
|
|
|
|
The built-in version is very fast for 64-bit systems when building
|
|
with GCC. The built-in 32-bit version is still faster than the
|
|
old TAP protocol, but using libnacl is better on most such hosts.
|
|
|
|
Clients don't currently use this protocol by default, since
|
|
comparatively few clients support it so far. To try it, set
|
|
UseNTorHandshake to 1.
|
|
|
|
Implements proposal 216; closes ticket 7202.
|
|
|
|
o Major features (better link encryption):
|
|
- Relays can now enable the ECDHE TLS ciphersuites when available
|
|
and appropriate. These ciphersuites let us negotiate forward-secure
|
|
TLS secret keys more safely and more efficiently than with our
|
|
previous use of Diffie-Hellman modulo a 1024-bit prime. By default,
|
|
public relays prefer the (faster) P224 group, and bridges prefer
|
|
the (more common) P256 group; you can override this with the
|
|
TLSECGroup option.
|
|
|
|
Enabling these ciphers was a little tricky, since for a long time,
|
|
clients had been claiming to support them without actually doing
|
|
so, in order to foil fingerprinting. But with the client-side
|
|
implementation of proposal 198 in 0.2.3.17-beta, clients can now
|
|
match the ciphers from recent Firefox versions *and* list the
|
|
ciphers they actually mean, so relays can believe such clients
|
|
when they advertise ECDHE support in their TLS ClientHello messages.
|
|
|
|
This feature requires clients running 0.2.3.17-beta or later,
|
|
and requires both sides to be running OpenSSL 1.0.0 or later
|
|
with ECC support. OpenSSL 1.0.1, with the compile-time option
|
|
"enable-ec_nistp_64_gcc_128", is highly recommended.
|
|
|
|
Implements the relay side of proposal 198; closes ticket 7200.
|
|
|
|
o Major bugfixes:
|
|
- Avoid crashing when, as a relay without IPv6-exit support, a
|
|
client insists on getting an IPv6 address or nothing. Fixes bug
|
|
7814; bugfix on 0.2.4.7-alpha.
|
|
|
|
o Minor features:
|
|
- Improve circuit build timeout handling for hidden services.
|
|
In particular: adjust build timeouts more accurately depending
|
|
upon the number of hop-RTTs that a particular circuit type
|
|
undergoes. Additionally, launch intro circuits in parallel
|
|
if they timeout, and take the first one to reply as valid.
|
|
- Work correctly on Unix systems where EAGAIN and EWOULDBLOCK are
|
|
separate error codes; or at least, don't break for that reason.
|
|
Fixes bug 7935. Reported by "oftc_must_be_destroyed".
|
|
- Update to the January 2 2013 Maxmind GeoLite Country database.
|
|
|
|
o Minor features (testing):
|
|
- Add benchmarks for DH (1024-bit multiplicative group) and ECDH
|
|
(P-256) Diffie-Hellman handshakes to src/or/bench.
|
|
- Add benchmark functions to test onion handshake performance.
|
|
|
|
o Minor features (path bias detection):
|
|
- Alter the Path Bias log messages to be more descriptive in terms
|
|
of reporting timeouts and other statistics.
|
|
- Create three levels of Path Bias log messages, as opposed to just
|
|
two. These are configurable via consensus as well as via the torrc
|
|
options PathBiasNoticeRate, PathBiasWarnRate, PathBiasExtremeRate.
|
|
The default values are 0.70, 0.50, and 0.30 respectively.
|
|
- Separate the log message levels from the decision to drop guards,
|
|
which also is available via torrc option PathBiasDropGuards.
|
|
PathBiasDropGuards still defaults to 0 (off).
|
|
- Deprecate PathBiasDisableRate in favor of PathBiasDropGuards
|
|
in combination with PathBiasExtremeRate.
|
|
- Increase the default values for PathBiasScaleThreshold and
|
|
PathBiasCircThreshold from (200, 20) to (300, 150).
|
|
- Add in circuit usage accounting to path bias. If we try to use a
|
|
built circuit but fail for any reason, it counts as path bias.
|
|
Certain classes of circuits where the adversary gets to pick your
|
|
destination node are exempt from this accounting. Usage accounting
|
|
can be specifically disabled via consensus parameter or torrc.
|
|
- Convert all internal path bias state to double-precision floating
|
|
point, to avoid roundoff error and other issues.
|
|
- Only record path bias information for circuits that have completed
|
|
*two* hops. Assuming end-to-end tagging is the attack vector, this
|
|
makes us more resilient to ambient circuit failure without any
|
|
detection capability loss.
|
|
|
|
o Minor bugfixes (log messages):
|
|
- Rate-limit the "No circuits are opened. Relaxed timeout for a
|
|
circuit with channel state open..." message to once per hour to
|
|
keep it from filling the notice logs. Mitigates bug 7799 but does
|
|
not fix the underlying cause. Bugfix on 0.2.4.7-alpha.
|
|
- Avoid spurious warnings when configuring multiple client ports of
|
|
which only some are nonlocal. Previously, we had claimed that some
|
|
were nonlocal when in fact they weren't. Fixes bug 7836; bugfix on
|
|
0.2.3.3-alpha.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Get rid of a couple of harmless clang warnings, where we compared
|
|
enums to ints. These warnings are newly introduced in clang 3.2.
|
|
- Split the onion.c file into separate modules for the onion queue
|
|
and the different handshakes it supports.
|
|
- Remove the marshalling/unmarshalling code for sending requests to
|
|
cpuworkers over a socket, and instead just send structs. The
|
|
recipient will always be the same Tor binary as the sender, so
|
|
any encoding is overkill.
|
|
|
|
|
|
Changes in version 0.2.4.7-alpha - 2012-12-24
|
|
Tor 0.2.4.7-alpha introduces a new approach to providing fallback
|
|
directory mirrors for more robust bootstrapping; fixes more issues where
|
|
clients with changing network conditions refuse to make any circuits;
|
|
adds initial support for exiting to IPv6 addresses; resumes being able
|
|
to update our GeoIP database, and includes the geoip6 file this time;
|
|
turns off the client-side DNS cache by default due to privacy risks;
|
|
and fixes a variety of other issues.
|
|
|
|
o Major features (client resilience):
|
|
- Add a new "FallbackDir" torrc option to use when we can't use
|
|
a directory mirror from the consensus (either because we lack a
|
|
consensus, or because they're all down). Currently, all authorities
|
|
are fallbacks by default, and there are no other default fallbacks,
|
|
but that will change. This option will allow us to give clients a
|
|
longer list of servers to try to get a consensus from when first
|
|
connecting to the Tor network, and thereby reduce load on the
|
|
directory authorities. Implements proposal 206, "Preconfigured
|
|
directory sources for bootstrapping". We also removed the old
|
|
"FallbackNetworkstatus" option, since we never got it working well
|
|
enough to use it. Closes bug 572.
|
|
- If we have no circuits open, use a relaxed timeout (the
|
|
95-percentile cutoff) until a circuit succeeds. This heuristic
|
|
should allow Tor to succeed at building circuits even when the
|
|
network connection drastically changes. Should help with bug 3443.
|
|
|
|
o Major features (IPv6):
|
|
- Relays can now exit to IPv6 addresses: make sure that you have IPv6
|
|
connectivity, then set the IPv6Exit flag to 1. Also make sure your
|
|
exit policy reads as you would like: the address * applies to all
|
|
address families, whereas *4 is IPv4 address only, and *6 is IPv6
|
|
addresses only. On the client side, you'll need to wait until the
|
|
authorities have upgraded, wait for enough exits to support IPv6,
|
|
apply the "IPv6Traffic" flag to a SocksPort, and use Socks5. Closes
|
|
ticket 5547, implements proposal 117 as revised in proposal 208.
|
|
|
|
We DO NOT recommend that clients with actual anonymity needs start
|
|
using IPv6 over Tor yet, since not enough exits support it yet.
|
|
|
|
o Major features (geoip database):
|
|
- Maxmind began labelling Tor relays as being in country "A1",
|
|
which breaks by-country node selection inside Tor. Now we use a
|
|
script to replace "A1" ("Anonymous Proxy") entries in our geoip
|
|
file with real country codes. This script fixes about 90% of "A1"
|
|
entries automatically and uses manual country code assignments to
|
|
fix the remaining 10%. See src/config/README.geoip for details.
|
|
Fixes bug 6266. Also update to the December 5 2012 Maxmind GeoLite
|
|
Country database, as modified above.
|
|
|
|
o Major bugfixes (client-side DNS):
|
|
- Turn off the client-side DNS cache by default. Updating and using
|
|
the DNS cache is now configurable on a per-client-port
|
|
level. SOCKSPort, DNSPort, etc lines may now contain
|
|
{No,}Cache{IPv4,IPv6,}DNS lines to indicate that we shouldn't
|
|
cache these types of DNS answers when we receive them from an
|
|
exit node in response to an application request on this port, and
|
|
{No,}UseCached{IPv4,IPv6,DNS} lines to indicate that if we have
|
|
cached DNS answers of these types, we shouldn't use them. It's
|
|
potentially risky to use cached DNS answers at the client, since
|
|
doing so can indicate to one exit what answers we've gotten
|
|
for DNS lookups in the past. With IPv6, this becomes especially
|
|
problematic. Using cached DNS answers for requests on the same
|
|
circuit would present less linkability risk, since all traffic
|
|
on a circuit is already linkable, but it would also provide
|
|
little performance benefit: the exit node caches DNS replies
|
|
too. Implements a simplified version of Proposal 205. Implements
|
|
ticket 7570.
|
|
|
|
o Major bugfixes (other):
|
|
- Alter circuit build timeout measurement to start at the point
|
|
where we begin the CREATE/CREATE_FAST step (as opposed to circuit
|
|
initialization). This should make our timeout measurements more
|
|
uniform. Previously, we were sometimes including ORconn setup time
|
|
in our circuit build time measurements. Should resolve bug 3443.
|
|
- Fix an assertion that could trigger in hibernate_go_dormant() when
|
|
closing an or_connection_t: call channel_mark_for_close() rather
|
|
than connection_mark_for_close(). Fixes bug 7267. Bugfix on
|
|
0.2.4.4-alpha.
|
|
- Include the geoip6 IPv6 GeoIP database in the tarball. Fixes bug
|
|
7655; bugfix on 0.2.4.6-alpha.
|
|
|
|
o Minor features:
|
|
- Add a new torrc option "ServerTransportListenAddr" to let bridge
|
|
operators select the address where their pluggable transports will
|
|
listen for connections. Resolves ticket 7013.
|
|
- Allow an optional $ before the node identity digest in the
|
|
controller command GETINFO ns/id/<identity>, for consistency with
|
|
md/id/<identity> and desc/id/<identity>. Resolves ticket 7059.
|
|
- Log packaged cell fullness as part of the heartbeat message.
|
|
Diagnosis to try to determine the extent of bug 7743.
|
|
|
|
o Minor features (IPv6):
|
|
- AutomapHostsOnResolve now supports IPv6 addresses. By default, we
|
|
prefer to hand out virtual IPv6 addresses, since there are more of
|
|
them and we can't run out. To override this behavior and make IPv4
|
|
addresses preferred, set NoPreferIPv6Automap on whatever SOCKSPort
|
|
or DNSPort you're using for resolving. Implements ticket 7571.
|
|
- AutomapHostsOnResolve responses are now randomized, to avoid
|
|
annoying situations where Tor is restarted and applications
|
|
connect to the wrong addresses.
|
|
- Never try more than 1000 times to pick a new virtual address when
|
|
AutomapHostsOnResolve is set. That's good enough so long as we
|
|
aren't close to handing out our entire virtual address space;
|
|
if you're getting there, it's best to switch to IPv6 virtual
|
|
addresses anyway.
|
|
|
|
o Minor bugfixes:
|
|
- The ADDRMAP command can no longer generate an ill-formed error
|
|
code on a failed MAPADDRESS. It now says "internal" rather than
|
|
an English sentence fragment with spaces in the middle. Bugfix on
|
|
Tor 0.2.0.19-alpha.
|
|
- Fix log messages and comments to avoid saying "GMT" when we mean
|
|
"UTC". Fixes bug 6113.
|
|
- Compile on win64 using mingw64. Fixes bug 7260; patches from
|
|
"yayooo".
|
|
- Fix a crash when debugging unit tests on Windows: deallocate a
|
|
shared library with FreeLibrary, not CloseHandle. Fixes bug 7306;
|
|
bugfix on 0.2.2.17-alpha. Reported by "ultramage".
|
|
|
|
o Renamed options:
|
|
- The DirServer option is now DirAuthority, for consistency with
|
|
current naming patterns. You can still use the old DirServer form.
|
|
|
|
o Code simplification and refactoring:
|
|
- Move the client-side address-map/virtual-address/DNS-cache code
|
|
out of connection_edge.c into a new addressmap.c module.
|
|
- Remove unused code for parsing v1 directories and "running routers"
|
|
documents. Fixes bug 6887.
|
|
|
|
|
|
Changes in version 0.2.3.25 - 2012-11-19
|
|
The Tor 0.2.3 release series is dedicated to the memory of Len "rabbi"
|
|
Sassaman (1980-2011), a long-time cypherpunk, anonymity researcher,
|
|
Mixmaster maintainer, Pynchon Gate co-designer, CodeCon organizer,
|
|
programmer, and friend. Unstinting in his dedication to the cause of
|
|
freedom, he inspired and helped many of us as we began our work on
|
|
anonymity, and inspires us still. Please honor his memory by writing
|
|
software to protect people's freedoms, and by helping others to do so.
|
|
|
|
Tor 0.2.3.25, the first stable release in the 0.2.3 branch, features
|
|
significantly reduced directory overhead (via microdescriptors),
|
|
enormous crypto performance improvements for fast relays on new
|
|
enough hardware, a new v3 TLS handshake protocol that can better
|
|
resist fingerprinting, support for protocol obfuscation plugins (aka
|
|
pluggable transports), better scalability for hidden services, IPv6
|
|
support for bridges, performance improvements like allowing clients
|
|
to skip the first round-trip on the circuit ("optimistic data") and
|
|
refilling token buckets more often, a new "stream isolation" design
|
|
to isolate different applications on different circuits, and many
|
|
stability, security, and privacy fixes.
|
|
|
|
o Major bugfixes:
|
|
- Tor tries to wipe potentially sensitive data after using it, so
|
|
that if some subsequent security failure exposes Tor's memory,
|
|
the damage will be limited. But we had a bug where the compiler
|
|
was eliminating these wipe operations when it decided that the
|
|
memory was no longer visible to a (correctly running) program,
|
|
hence defeating our attempt at defense in depth. We fix that
|
|
by using OpenSSL's OPENSSL_cleanse() operation, which a compiler
|
|
is unlikely to optimize away. Future versions of Tor may use
|
|
a less ridiculously heavy approach for this. Fixes bug 7352.
|
|
Reported in an article by Andrey Karpov.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a harmless bug when opting against publishing a relay descriptor
|
|
because DisableNetwork is set. Fixes bug 7464; bugfix on
|
|
0.2.3.9-alpha.
|
|
|
|
|
|
Changes in version 0.2.4.6-alpha - 2012-11-13
|
|
Tor 0.2.4.6-alpha fixes an assert bug that has been plaguing relays,
|
|
makes our defense-in-depth memory wiping more reliable, and begins to
|
|
count IPv6 addresses in bridge statistics,
|
|
|
|
o Major bugfixes:
|
|
- Fix an assertion failure that could occur when closing a connection
|
|
with a spliced rendezvous circuit. Fix for bug 7212; bugfix on
|
|
Tor 0.2.4.4-alpha.
|
|
- Tor tries to wipe potentially sensitive data after using it, so
|
|
that if some subsequent security failure exposes Tor's memory,
|
|
the damage will be limited. But we had a bug where the compiler
|
|
was eliminating these wipe operations when it decided that the
|
|
memory was no longer visible to a (correctly running) program,
|
|
hence defeating our attempt at defense in depth. We fix that
|
|
by using OpenSSL's OPENSSL_cleanse() operation, which a compiler
|
|
is unlikely to optimize away. Future versions of Tor may use
|
|
a less ridiculously heavy approach for this. Fixes bug 7352.
|
|
Reported in an article by Andrey Karpov.
|
|
|
|
o Minor features:
|
|
- Add GeoIP database for IPv6 addresses. The new config option
|
|
is GeoIPv6File.
|
|
- Bridge statistics now count bridge clients connecting over IPv6:
|
|
bridge statistics files now list "bridge-ip-versions" and
|
|
extra-info documents list "geoip6-db-digest". The control protocol
|
|
"CLIENTS_SEEN" and "ip-to-country" queries now support IPv6. Initial
|
|
implementation by "shkoo", addressing ticket 5055.
|
|
|
|
o Minor bugfixes:
|
|
- Warn when we are binding low ports when hibernation is enabled;
|
|
previously we had warned when we were _advertising_ low ports with
|
|
hibernation enabled. Fixes bug 7285; bugfix on 0.2.3.9-alpha.
|
|
- Fix a harmless bug when opting against publishing a relay descriptor
|
|
because DisableNetwork is set. Fixes bug 7464; bugfix on
|
|
0.2.3.9-alpha.
|
|
- Add warning message when a managed proxy dies during configuration.
|
|
Fixes bug 7195; bugfix on 0.2.4.2-alpha.
|
|
- Fix a linking error when building tor-fw-helper without miniupnp.
|
|
Fixes bug 7235; bugfix on 0.2.4.2-alpha. Fix by Anthony G. Basile.
|
|
- Check for closing an or_connection_t without going through correct
|
|
channel functions; emit a warning and then call
|
|
connection_or_close_for_error() so we don't assert as in bugs 7212
|
|
and 7267.
|
|
- Compile correctly on compilers without C99 designated initializer
|
|
support. Fixes bug 7286; bugfix on 0.2.4.4-alpha.
|
|
- Avoid a possible assert that can occur when channel_send_destroy() is
|
|
called on a channel in CHANNEL_STATE_CLOSING, CHANNEL_STATE_CLOSED,
|
|
or CHANNEL_STATE_ERROR when the Tor process is resumed after being
|
|
blocked for a long interval. Fixes bug 7350; bugfix on 0.2.4.4-alpha.
|
|
- Fix a memory leak on failing cases of channel_tls_process_certs_cell.
|
|
Fixes bug 7422; bugfix on 0.2.4.4-alpha.
|
|
|
|
o Code simplification and refactoring:
|
|
- Start using OpenBSD's implementation of queue.h, so that we don't
|
|
need to hand-roll our own pointer and list structures whenever we
|
|
need them. (We can't rely on a sys/queue.h, since some operating
|
|
systems don't have them, and the ones that do have them don't all
|
|
present the same extensions.)
|
|
|
|
|
|
Changes in version 0.2.4.5-alpha - 2012-10-25
|
|
Tor 0.2.4.5-alpha comes hard at the heels of 0.2.4.4-alpha, to fix
|
|
two important security vulnerabilities that could lead to remotely
|
|
triggerable relay crashes, fix a major bug that was preventing clients
|
|
from choosing suitable exit nodes, and refactor some of our code.
|
|
|
|
o Major bugfixes (security, also in 0.2.3.24-rc):
|
|
- Fix a group of remotely triggerable assertion failures related to
|
|
incorrect link protocol negotiation. Found, diagnosed, and fixed
|
|
by "some guy from France". Fix for CVE-2012-2250; bugfix on
|
|
0.2.3.6-alpha.
|
|
- Fix a denial of service attack by which any directory authority
|
|
could crash all the others, or by which a single v2 directory
|
|
authority could crash everybody downloading v2 directory
|
|
information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
|
|
|
|
o Major bugfixes (also in 0.2.3.24-rc):
|
|
- When parsing exit policy summaries from microdescriptors, we had
|
|
previously been ignoring the last character in each one, so that
|
|
"accept 80,443,8080" would be treated by clients as indicating
|
|
a node that allows access to ports 80, 443, and 808. That would
|
|
lead to clients attempting connections that could never work,
|
|
and ignoring exit nodes that would support their connections. Now
|
|
clients parse these exit policy summaries correctly. Fixes bug 7192;
|
|
bugfix on 0.2.3.1-alpha.
|
|
|
|
o Minor bugfixes (also in 0.2.3.24-rc):
|
|
- Clients now consider the ClientRejectInternalAddresses config option
|
|
when using a microdescriptor consensus stanza to decide whether
|
|
an exit relay would allow exiting to an internal address. Fixes
|
|
bug 7190; bugfix on 0.2.3.1-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Only disable TLS session ticket support when running as a TLS
|
|
server. Now clients will blend better with regular Firefox
|
|
connections. Fixes bug 7189; bugfix on Tor 0.2.3.23-rc.
|
|
|
|
o Code simplification and refactoring:
|
|
- Start using OpenBSD's implementation of queue.h (originally by
|
|
Niels Provos).
|
|
- Move the entry node code from circuitbuild.c to its own file.
|
|
- Move the circuit build timeout tracking code from circuitbuild.c
|
|
to its own file.
|
|
|
|
|
|
Changes in version 0.2.3.24-rc - 2012-10-25
|
|
Tor 0.2.3.24-rc fixes two important security vulnerabilities that
|
|
could lead to remotely triggerable relay crashes, and fixes
|
|
a major bug that was preventing clients from choosing suitable exit
|
|
nodes.
|
|
|
|
o Major bugfixes (security):
|
|
- Fix a group of remotely triggerable assertion failures related to
|
|
incorrect link protocol negotiation. Found, diagnosed, and fixed
|
|
by "some guy from France". Fix for CVE-2012-2250; bugfix on
|
|
0.2.3.6-alpha.
|
|
- Fix a denial of service attack by which any directory authority
|
|
could crash all the others, or by which a single v2 directory
|
|
authority could crash everybody downloading v2 directory
|
|
information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
|
|
|
|
o Major bugfixes:
|
|
- When parsing exit policy summaries from microdescriptors, we had
|
|
previously been ignoring the last character in each one, so that
|
|
"accept 80,443,8080" would be treated by clients as indicating
|
|
a node that allows access to ports 80, 443, and 808. That would
|
|
lead to clients attempting connections that could never work,
|
|
and ignoring exit nodes that would support their connections. Now
|
|
clients parse these exit policy summaries correctly. Fixes bug 7192;
|
|
bugfix on 0.2.3.1-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Clients now consider the ClientRejectInternalAddresses config option
|
|
when using a microdescriptor consensus stanza to decide whether
|
|
an exit relay would allow exiting to an internal address. Fixes
|
|
bug 7190; bugfix on 0.2.3.1-alpha.
|
|
|
|
|
|
Changes in version 0.2.4.4-alpha - 2012-10-20
|
|
Tor 0.2.4.4-alpha adds a new v3 directory authority, fixes a privacy
|
|
vulnerability introduced by a change in OpenSSL, fixes a remotely
|
|
triggerable assert, and adds new channel_t and circuitmux_t abstractions
|
|
that will make it easier to test new connection transport and cell
|
|
scheduling algorithms.
|
|
|
|
o New directory authorities (also in 0.2.3.23-rc):
|
|
- Add Faravahar (run by Sina Rabbani) as the ninth v3 directory
|
|
authority. Closes ticket 5749.
|
|
|
|
o Major bugfixes (security/privacy, also in 0.2.3.23-rc):
|
|
- Disable TLS session tickets. OpenSSL's implementation was giving
|
|
our TLS session keys the lifetime of our TLS context objects, when
|
|
perfect forward secrecy would want us to discard anything that
|
|
could decrypt a link connection as soon as the link connection
|
|
was closed. Fixes bug 7139; bugfix on all versions of Tor linked
|
|
against OpenSSL 1.0.0 or later. Found by Florent Daignière.
|
|
- Discard extraneous renegotiation attempts once the V3 link
|
|
protocol has been initiated. Failure to do so left us open to
|
|
a remotely triggerable assertion failure. Fixes CVE-2012-2249;
|
|
bugfix on 0.2.3.6-alpha. Reported by "some guy from France".
|
|
|
|
o Internal abstraction features:
|
|
- Introduce new channel_t abstraction between circuits and
|
|
or_connection_t to allow for implementing alternate OR-to-OR
|
|
transports. A channel_t is an abstract object which can either be a
|
|
cell-bearing channel, which is responsible for authenticating and
|
|
handshaking with the remote OR and transmitting cells to and from
|
|
it, or a listening channel, which spawns new cell-bearing channels
|
|
at the request of remote ORs. Implements part of ticket 6465.
|
|
- Also new is the channel_tls_t subclass of channel_t, adapting it
|
|
to the existing or_connection_t code. The V2/V3 protocol handshaking
|
|
code which formerly resided in command.c has been moved below the
|
|
channel_t abstraction layer and may be found in channeltls.c now.
|
|
Implements the rest of ticket 6465.
|
|
- Introduce new circuitmux_t storing the queue of circuits for
|
|
a channel; this encapsulates and abstracts the queue logic and
|
|
circuit selection policy, and allows the latter to be overridden
|
|
easily by switching out a policy object. The existing EWMA behavior
|
|
is now implemented as a circuitmux_policy_t. Resolves ticket 6816.
|
|
|
|
o Required libraries:
|
|
- Tor now requires OpenSSL 0.9.8 or later. OpenSSL 1.0.0 or later is
|
|
strongly recommended.
|
|
|
|
o Minor features:
|
|
- Warn users who run hidden services on a Tor client with
|
|
UseEntryGuards disabled that their hidden services will be
|
|
vulnerable to http://freehaven.net/anonbib/#hs-attack06 (the
|
|
attack which motivated Tor to support entry guards in the first
|
|
place). Resolves ticket 6889.
|
|
- Tor now builds correctly on Bitrig, an OpenBSD fork. Patch from
|
|
dhill. Resolves ticket 6982.
|
|
- Option OutboundBindAddress can be specified multiple times and
|
|
accepts IPv6 addresses. Resolves ticket 6876.
|
|
|
|
o Minor bugfixes (also in 0.2.3.23-rc):
|
|
- Don't serve or accept v2 hidden service descriptors over a
|
|
relay's DirPort. It's never correct to do so, and disabling it
|
|
might make it more annoying to exploit any bugs that turn up in the
|
|
descriptor-parsing code. Fixes bug 7149.
|
|
- Fix two cases in src/or/transports.c where we were calling
|
|
fmt_addr() twice in a parameter list. Bug found by David
|
|
Fifield. Fixes bug 7014; bugfix on 0.2.3.9-alpha.
|
|
- Fix memory leaks whenever we logged any message about the "path
|
|
bias" detection. Fixes bug 7022; bugfix on 0.2.3.21-rc.
|
|
- When relays refuse a "create" cell because their queue of pending
|
|
create cells is too big (typically because their cpu can't keep up
|
|
with the arrival rate), send back reason "resource limit" rather
|
|
than reason "internal", so network measurement scripts can get a
|
|
more accurate picture. Fixes bug 7037; bugfix on 0.1.1.11-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Command-line option "--version" implies "--quiet". Fixes bug 6997.
|
|
- Free some more still-in-use memory at exit, to make hunting for
|
|
memory leaks easier. Resolves bug 7029.
|
|
- When a Tor client gets a "truncated" relay cell, the first byte of
|
|
its payload specifies why the circuit was truncated. We were
|
|
ignoring this 'reason' byte when tearing down the circuit, resulting
|
|
in the controller not being told why the circuit closed. Now we
|
|
pass the reason from the truncated cell to the controller. Bugfix
|
|
on 0.1.2.3-alpha; fixes bug 7039.
|
|
- Downgrade "Failed to hand off onionskin" messages to "debug"
|
|
severity, since they're typically redundant with the "Your computer
|
|
is too slow" messages. Fixes bug 7038; bugfix on 0.2.2.16-alpha.
|
|
- Make clients running with IPv6 bridges connect over IPv6 again,
|
|
even without setting new config options ClientUseIPv6 and
|
|
ClientPreferIPv6ORPort. Fixes bug 6757; bugfix on 0.2.4.1-alpha.
|
|
- Use square brackets around IPv6 addresses in numerous places
|
|
that needed them, including log messages, HTTPS CONNECT proxy
|
|
requests, TransportProxy statefile entries, and pluggable transport
|
|
extra-info lines. Fixes bug 7011; patch by David Fifield.
|
|
|
|
o Code refactoring and cleanup:
|
|
- Source files taken from other packages now reside in src/ext;
|
|
previously they were scattered around the rest of Tor.
|
|
- Avoid use of reserved identifiers in our C code. The C standard
|
|
doesn't like us declaring anything that starts with an
|
|
underscore, so let's knock it off before we get in trouble. Fix
|
|
for bug 1031; bugfix on the first Tor commit.
|
|
|
|
|
|
Changes in version 0.2.3.23-rc - 2012-10-20
|
|
Tor 0.2.3.23-rc adds a new v3 directory authority, fixes a privacy
|
|
vulnerability introduced by a change in OpenSSL, and fixes a variety
|
|
of smaller bugs in preparation for the release.
|
|
|
|
o New directory authorities:
|
|
- Add Faravahar (run by Sina Rabbani) as the ninth v3 directory
|
|
authority. Closes ticket 5749.
|
|
|
|
o Major bugfixes (security/privacy):
|
|
- Disable TLS session tickets. OpenSSL's implementation was giving
|
|
our TLS session keys the lifetime of our TLS context objects, when
|
|
perfect forward secrecy would want us to discard anything that
|
|
could decrypt a link connection as soon as the link connection
|
|
was closed. Fixes bug 7139; bugfix on all versions of Tor linked
|
|
against OpenSSL 1.0.0 or later. Found by Florent Daignière.
|
|
- Discard extraneous renegotiation attempts once the V3 link
|
|
protocol has been initiated. Failure to do so left us open to
|
|
a remotely triggerable assertion failure. Fixes CVE-2012-2249;
|
|
bugfix on 0.2.3.6-alpha. Reported by "some guy from France".
|
|
|
|
o Major bugfixes:
|
|
- Fix a possible crash bug when checking for deactivated circuits
|
|
in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
|
|
bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.
|
|
|
|
o Minor bugfixes (on 0.2.3.x):
|
|
- Fix two cases in src/or/transports.c where we were calling
|
|
fmt_addr() twice in a parameter list. Bug found by David
|
|
Fifield. Fixes bug 7014; bugfix on 0.2.3.9-alpha.
|
|
- Convert an assert in the pathbias code to a log message. The assert
|
|
appears to only be triggerable by Tor2Web mode. Fixes bug 6866;
|
|
bugfix on 0.2.3.17-beta.
|
|
- Fix memory leaks whenever we logged any message about the "path
|
|
bias" detection. Fixes bug 7022; bugfix on 0.2.3.21-rc.
|
|
|
|
o Minor bugfixes (on 0.2.2.x and earlier):
|
|
- Don't serve or accept v2 hidden service descriptors over a relay's
|
|
DirPort. It's never correct to do so, and disabling it might
|
|
make it more annoying to exploit any bugs that turn up in the
|
|
descriptor-parsing code. Fixes bug 7149.
|
|
- When relays refuse a "create" cell because their queue of pending
|
|
create cells is too big (typically because their cpu can't keep up
|
|
with the arrival rate), send back reason "resource limit" rather
|
|
than reason "internal", so network measurement scripts can get a
|
|
more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037.
|
|
- Correct file sizes when reading binary files on Cygwin, to avoid
|
|
a bug where Tor would fail to read its state file. Fixes bug 6844;
|
|
bugfix on 0.1.2.7-alpha.
|
|
- Avoid undefined behavior when parsing the list of supported
|
|
rendezvous/introduction protocols in a hidden service descriptor.
|
|
Previously, Tor would have confused (as-yet-unused) protocol version
|
|
numbers greater than 32 with lower ones on many platforms. Fixes
|
|
bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis.
|
|
|
|
o Documentation fixes:
|
|
- Clarify that hidden services are TCP only. Fixes bug 6024.
|
|
|
|
|
|
Changes in version 0.2.4.3-alpha - 2012-09-22
|
|
Tor 0.2.4.3-alpha fixes another opportunity for a remotely triggerable
|
|
assertion, resumes letting relays test reachability of their DirPort,
|
|
and cleans up a bunch of smaller bugs.
|
|
|
|
o Security fixes:
|
|
- Fix an assertion failure in tor_timegm() that could be triggered
|
|
by a badly formatted directory object. Bug found by fuzzing with
|
|
Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
|
|
|
|
o Major bugfixes:
|
|
- Fix a possible crash bug when checking for deactivated circuits
|
|
in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
|
|
bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.
|
|
- Allow routers to detect that their own DirPorts are running. When
|
|
we removed support for versions_supports_begindir, we also
|
|
accidentally removed the mechanism we used to self-test our
|
|
DirPort. Diagnosed with help from kargig. Fixes bugs 6814 and 6815;
|
|
bugfix on 0.2.4.2-alpha.
|
|
|
|
o Security features:
|
|
- Switch to a completely time-invariant approach for picking nodes
|
|
weighted by bandwidth. Our old approach would run through the
|
|
part of the loop after it had made its choice slightly slower
|
|
than it ran through the part of the loop before it had made its
|
|
choice. Addresses ticket 6538.
|
|
- Disable the use of Guard nodes when in Tor2WebMode. Guard usage
|
|
by tor2web clients allows hidden services to identify tor2web
|
|
clients through their repeated selection of the same rendezvous
|
|
and introduction point circuit endpoints (their guards). Resolves
|
|
ticket 6888.
|
|
|
|
o Minor features:
|
|
- Enable Tor to read configuration, state, and key information from
|
|
a FIFO. Previously Tor would only read from files with a positive
|
|
stat.st_size. Code from meejah; fixes bug 6044.
|
|
|
|
o Minor bugfixes:
|
|
- Correct file sizes when reading binary files on Cygwin, to avoid
|
|
a bug where Tor would fail to read its state file. Fixes bug 6844;
|
|
bugfix on 0.1.2.7-alpha.
|
|
- Correctly handle votes with more than 31 flags. Fixes bug 6853;
|
|
bugfix on 0.2.0.3-alpha.
|
|
- When complaining about a client port on a public address, log
|
|
which address we're complaining about. Fixes bug 4020; bugfix on
|
|
0.2.3.3-alpha. Patch by Tom Fitzhenry.
|
|
- Convert an assert in the pathbias code to a log message. The assert
|
|
appears to only be triggerable by Tor2Web mode. Fixes bug 6866;
|
|
bugfix on 0.2.3.17-beta.
|
|
- Our new buildsystem was overzealous about rebuilding manpages: it
|
|
would rebuild them all whenever any one of them changed. Now our
|
|
dependency checking should be correct. Fixes bug 6843; bugfix on
|
|
0.2.4.1-alpha.
|
|
- Don't do reachability testing over IPv6 unless AuthDirPublishIPv6
|
|
is set. Fixes bug 6880. Bugfix on 0.2.4.1-alpha.
|
|
- Correct log printout about which address family is preferred
|
|
when connecting to a bridge with both an IPv4 and IPv6 OR port.
|
|
Fixes bug 6884; bugfix on 0.2.4.1-alpha.
|
|
|
|
o Minor bugfixes (code cleanliness):
|
|
- Fix round_to_power_of_2() so it doesn't invoke undefined behavior
|
|
with large values. This situation was untriggered, but nevertheless
|
|
incorrect. Fixes bug 6831; bugfix on 0.2.0.1-alpha.
|
|
- Reject consensus votes with more than 64 known-flags. We aren't even
|
|
close to that limit yet, and our code doesn't handle it correctly.
|
|
Fixes bug 6833; bugfix on 0.2.0.1-alpha.
|
|
- Avoid undefined behavior when parsing the list of supported
|
|
rendezvous/introduction protocols in a hidden service descriptor.
|
|
Previously, Tor would have confused (as-yet-unused) protocol version
|
|
numbers greater than 32 with lower ones on many platforms. Fixes
|
|
bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis.
|
|
- Fix handling of rendezvous client authorization types over 8.
|
|
Fixes bug 6861; bugfix on 0.2.1.5-alpha.
|
|
- Fix building with older versions of GCC (2.95, for one) that don't
|
|
like preprocessor directives inside macro arguments. Found by
|
|
grarpamp. Fixes bug 6842; bugfix on 0.2.4.2-alpha.
|
|
- Switch weighted node selection rule from using a list of doubles
|
|
to using a list of int64_t. This change should make the process
|
|
slightly easier to debug and maintain. Needed to finish ticket 6538.
|
|
|
|
o Code simplification and refactoring:
|
|
- Move the generic "config" code into a new file, and have "config.c"
|
|
hold only torrc- and state-related code. Resolves ticket 6823.
|
|
- Move the core of our "choose a weighted element at random" logic
|
|
into its own function, and give it unit tests. Now the logic is
|
|
testable, and a little less fragile too.
|
|
- Removed the testing_since field of node_t, which hasn't been used
|
|
for anything since 0.2.0.9-alpha.
|
|
|
|
o Documentation fixes:
|
|
- Clarify that hidden services are TCP only. Fixes bug 6024.
|
|
- Resolve a typo in torrc.sample.in. Fixes bug 6819; bugfix on
|
|
0.2.3.14-alpha.
|
|
|
|
|
|
Changes in version 0.2.3.22-rc - 2012-09-11
|
|
Tor 0.2.3.22-rc fixes another opportunity for a remotely triggerable
|
|
assertion.
|
|
|
|
o Security fixes:
|
|
- Fix an assertion failure in tor_timegm() that could be triggered
|
|
by a badly formatted directory object. Bug found by fuzzing with
|
|
Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
|
|
|
|
o Minor bugfixes:
|
|
- Avoid segfault when starting up having run with an extremely old
|
|
version of Tor and parsing its state file. Fixes bug 6801; bugfix
|
|
on 0.2.2.23-alpha.
|
|
|
|
|
|
Changes in version 0.2.2.39 - 2012-09-11
|
|
Tor 0.2.2.39 fixes two more opportunities for remotely triggerable
|
|
assertions.
|
|
|
|
o Security fixes:
|
|
- Fix an assertion failure in tor_timegm() that could be triggered
|
|
by a badly formatted directory object. Bug found by fuzzing with
|
|
Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
|
|
- Do not crash when comparing an address with port value 0 to an
|
|
address policy. This bug could have been used to cause a remote
|
|
assertion failure by or against directory authorities, or to
|
|
allow some applications to crash clients. Fixes bug 6690; bugfix
|
|
on 0.2.1.10-alpha.
|
|
|
|
|
|
Changes in version 0.2.4.2-alpha - 2012-09-10
|
|
Tor 0.2.4.2-alpha enables port forwarding for pluggable transports,
|
|
raises the default rate limiting even more, and makes the bootstrapping
|
|
log messages less noisy.
|
|
|
|
o Major features:
|
|
- Automatically forward the TCP ports of pluggable transport
|
|
proxies using tor-fw-helper if PortForwarding is enabled. Implements
|
|
ticket 4567.
|
|
|
|
o Major bugfixes:
|
|
- Raise the default BandwidthRate/BandwidthBurst values from 5MB/10MB
|
|
to 1GB/1GB. The previous defaults were intended to be "basically
|
|
infinite", but it turns out they're now limiting our 100mbit+
|
|
relays and bridges. Fixes bug 6605; bugfix on 0.2.0.10-alpha (the
|
|
last time we raised it).
|
|
|
|
o Minor features:
|
|
- Detect when we're running with a version of OpenSSL other than the
|
|
one we compiled with. This has occasionally given people hard-to-
|
|
track-down errors.
|
|
- Log fewer lines at level "notice" about our OpenSSL and Libevent
|
|
versions and capabilities when everything is going right. Resolves
|
|
part of ticket 6736.
|
|
- Directory authorities no long accept descriptors for any version of
|
|
Tor before 0.2.2.35, or for any 0.2.3 release before 0.2.3.10-alpha.
|
|
These versions are insecure, unsupported, or both. Implements
|
|
ticket 6789.
|
|
|
|
o Minor bugfixes:
|
|
- Rename the (internal-use-only) UsingTestingNetworkDefaults option
|
|
to start with a triple-underscore so the controller won't touch it.
|
|
Patch by Meejah. Fixes bug 3155. Bugfix on 0.2.2.23-alpha.
|
|
- Avoid segfault when starting up having run with an extremely old
|
|
version of Tor and parsing its state file. Fixes bug 6801; bugfix
|
|
on 0.2.2.23-alpha.
|
|
- Rename the (testing-use-only) _UseFilteringSSLBufferevents option
|
|
so it doesn't start with _. Fixes bug 3155. Bugfix on 0.2.3.1-alpha.
|
|
- Don't follow the NULL pointer if microdescriptor generation fails.
|
|
(This does not appear to be triggerable, but it's best to be safe.)
|
|
Found by "f. tp.". Fixes bug 6797; bugfix on 0.2.4.1-alpha.
|
|
- Fix mis-declared dependencies on src/common/crypto.c and
|
|
src/or/tor_main.c that could break out-of-tree builds under some
|
|
circumstances. Fixes bug 6778; bugfix on 0.2.4.1-alpha.
|
|
- Avoid a warning when building common_sha1.i out of tree. Fixes bug
|
|
6778; bugfix on 0.2.4.1-alpha.
|
|
- Fix a harmless (in this case) build warning for implicitly
|
|
converting a strlen() to an int. Bugfix on 0.2.4.1-alpha.
|
|
|
|
o Removed features:
|
|
- Now that all versions before 0.2.2.x are disallowed, we no longer
|
|
need to work around their missing features. Thus we can remove a
|
|
bunch of compatibility code.
|
|
|
|
o Code refactoring:
|
|
- Tweak tor-fw-helper to accept an arbitrary amount of arbitrary
|
|
TCP ports to forward. In the past it only accepted two ports:
|
|
the ORPort and the DirPort.
|
|
|
|
|
|
Changes in version 0.2.4.1-alpha - 2012-09-05
|
|
Tor 0.2.4.1-alpha lets bridges publish their pluggable transports to
|
|
bridgedb; lets relays use IPv6 addresses and directory authorities
|
|
advertise them; and switches to a cleaner build interface.
|
|
|
|
This is the first alpha release in a new series, so expect there to
|
|
be bugs. Users who would rather test out a more stable branch should
|
|
stay with 0.2.3.x for now.
|
|
|
|
o Major features (bridges):
|
|
- Bridges now report the pluggable transports they support to the
|
|
bridge authority, so it can pass the supported transports on to
|
|
bridgedb and/or eventually do reachability testing. Implements
|
|
ticket 3589.
|
|
|
|
o Major features (IPv6):
|
|
- Bridge authorities now accept IPv6 bridge addresses and include
|
|
them in network status documents. Implements ticket 5534.
|
|
- Clients who set "ClientUseIPv6 1" may connect to entry nodes over
|
|
IPv6. Set "ClientPreferIPv6ORPort 1" to make this even more likely
|
|
to happen. Implements ticket 5535.
|
|
- All kind of relays, not just bridges, can now advertise an IPv6
|
|
OR port. Implements ticket 6362.
|
|
- Directory authorities vote on IPv6 OR ports using the new consensus
|
|
method 14. Implements ticket 6363.
|
|
|
|
o Major features (build):
|
|
- Switch to a nonrecursive Makefile structure. Now instead of each
|
|
Makefile.am invoking other Makefile.am's, there is a master
|
|
Makefile.am that includes the others. This change makes our build
|
|
process slightly more maintainable, and improves parallelism for
|
|
building with make -j. Original patch by Stewart Smith; various
|
|
fixes by Jim Meyering.
|
|
- Where available, we now use automake's "silent" make rules by
|
|
default, so that warnings are easier to spot. You can get the old
|
|
behavior with "make V=1". Patch by Stewart Smith for ticket 6522.
|
|
|
|
o Minor features (code security and spec conformance):
|
|
- Clear keys and key-derived material left on the stack in
|
|
rendservice.c and rendclient.c. Check return value of
|
|
crypto_pk_write_private_key_to_string() in rend_service_load_keys().
|
|
These fixes should make us more forward-secure against cold-boot
|
|
attacks and the like. Fixes bug 2385.
|
|
- Reject EXTEND cells sent to nonexistent streams. According to the
|
|
spec, an EXTEND cell sent to _any_ nonzero stream ID is invalid, but
|
|
we were only checking for stream IDs that were currently in use.
|
|
Found while hunting for more instances of bug 6271. Bugfix on
|
|
0.0.2pre8, which introduced incremental circuit construction.
|
|
|
|
o Minor features (streamlining);
|
|
- No longer include the "opt" prefix when generating routerinfos
|
|
or v2 directories: it has been needless since Tor 0.1.2. Closes
|
|
ticket 5124.
|
|
- Remove some now-needless code that tried to aggressively flush
|
|
OR connections as data was added to them. Since 0.2.0.1-alpha, our
|
|
cell queue logic has saved us from the failure mode that this code
|
|
was supposed to prevent. Removing this code will limit the number
|
|
of baroque control flow paths through Tor's network logic. Reported
|
|
pseudonymously on IRC. Fixes bug 6468; bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor features (controller):
|
|
- Add a "GETINFO signal/names" control port command. Implements
|
|
ticket 3842.
|
|
- Provide default values for all options via "GETINFO config/defaults".
|
|
Implements ticket 4971.
|
|
|
|
o Minor features (IPv6):
|
|
- New config option "AuthDirHasIPv6Connectivity 1" that directory
|
|
authorities should set if they have IPv6 connectivity and want to
|
|
do reachability tests for IPv6 relays. Implements feature 5974.
|
|
- A relay with an IPv6 OR port now sends that address in NETINFO
|
|
cells (in addition to its other address). Implements ticket 6364.
|
|
|
|
o Minor features (log messages):
|
|
- Omit the first heartbeat log message, because it never has anything
|
|
useful to say, and it clutters up the bootstrapping messages.
|
|
Resolves ticket 6758.
|
|
- Don't log about reloading the microdescriptor cache at startup. Our
|
|
bootstrap warnings are supposed to tell the user when there's a
|
|
problem, and our bootstrap notices say when there isn't. Resolves
|
|
ticket 6759; bugfix on 0.2.2.6-alpha.
|
|
- Don't log "I learned some more directory information" when we're
|
|
reading cached directory information. Reserve it for when new
|
|
directory information arrives in response to a fetch. Resolves
|
|
ticket 6760.
|
|
- Prevent rounding error in path bias counts when scaling
|
|
them down, and use the correct scale factor default. Also demote
|
|
some path bias related log messages down a level and make others
|
|
less scary sounding. Fixes bug 6647. Bugfix against 0.2.3.17-beta.
|
|
- We no longer warn so much when generating manpages from their
|
|
asciidoc source.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Enhance our internal sscanf replacement so that we can eliminate
|
|
the last remaining uses of the system sscanf. (Though those uses
|
|
of sscanf were safe, sscanf itself is generally error prone, so
|
|
we want to eliminate when we can.) Fixes ticket 4195 and Coverity
|
|
CID 448.
|
|
- Move ipv6_preferred from routerinfo_t to node_t. Addresses bug 4620.
|
|
- Move last_reachable and testing_since from routerinfo_t to node_t.
|
|
Implements ticket 5529.
|
|
- Add replaycache_t structure, functions and unit tests, then refactor
|
|
rend_service_introduce() to be more clear to read, improve, debug,
|
|
and test. Resolves bug 6177.
|
|
- Finally remove support for malloc_good_size and malloc_usable_size.
|
|
We had hoped that these functions would let us eke a little more
|
|
memory out of our malloc implementation. Unfortunately, the only
|
|
implementations that provided these functions are also ones that
|
|
are already efficient about not overallocation: they never got us
|
|
more than 7 or so bytes per allocation. Removing them saves us a
|
|
little code complexity and a nontrivial amount of build complexity.
|
|
|
|
o New requirements:
|
|
- Tor maintainers now require Automake version 1.9 or later to build
|
|
Tor from the Git repository. (Automake is not required when building
|
|
from a source distribution.)
|
|
|
|
|
|
Changes in version 0.2.3.21-rc - 2012-09-05
|
|
Tor 0.2.3.21-rc is the fourth release candidate for the Tor 0.2.3.x
|
|
series. It fixes a trio of potential security bugs, fixes a bug where
|
|
we were leaving some of the fast relays out of the microdescriptor
|
|
consensus, resumes interpreting "ORPort 0" and "DirPort 0" correctly,
|
|
and cleans up other smaller issues.
|
|
|
|
o Major bugfixes (security):
|
|
- Tear down the circuit if we get an unexpected SENDME cell. Clients
|
|
could use this trick to make their circuits receive cells faster
|
|
than our flow control would have allowed, or to gum up the network,
|
|
or possibly to do targeted memory denial-of-service attacks on
|
|
entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor --
|
|
from July 2002, before the release of Tor 0.0.0. We had committed
|
|
this patch previously, but we had to revert it because of bug 6271.
|
|
Now that 6271 is fixed, this patch appears to work.
|
|
- Reject any attempt to extend to an internal address. Without
|
|
this fix, a router could be used to probe addresses on an internal
|
|
network to see whether they were accepting connections. Fixes bug
|
|
6710; bugfix on 0.0.8pre1.
|
|
- Do not crash when comparing an address with port value 0 to an
|
|
address policy. This bug could have been used to cause a remote
|
|
assertion failure by or against directory authorities, or to
|
|
allow some applications to crash clients. Fixes bug 6690; bugfix
|
|
on 0.2.1.10-alpha.
|
|
|
|
o Major bugfixes:
|
|
- Remove the upper bound on microdescriptor length. We were hitting
|
|
the limit for routers with complex exit policies or family
|
|
declarations, causing clients to not use them. Fixes the first
|
|
piece of bug 6404; fix on 0.2.2.6-alpha.
|
|
- Detect "ORPort 0" as meaning, uniformly, that we're not running
|
|
as a relay. Previously, some of our code would treat the presence
|
|
of any ORPort line as meaning that we should act like a relay,
|
|
even though our new listener code would correctly not open any
|
|
ORPorts for ORPort 0. Similar bugs in other Port options are also
|
|
fixed. Fixes the first half of bug 6507; bugfix on 0.2.3.3-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Avoid a pair of double-free and use-after-mark bugs that can
|
|
occur with certain timings in canceled and re-received DNS
|
|
requests. Fixes bug 6472; bugfix on 0.0.7rc1.
|
|
- Fix build and 64-bit compile warnings from --enable-openbsd-malloc.
|
|
Fixes bug 6379. Bugfix on 0.2.0.20-rc.
|
|
- Allow one-hop directory fetching circuits the full "circuit build
|
|
timeout" period, rather than just half of it, before failing them
|
|
and marking the relay down. This fix should help reduce cases where
|
|
clients declare relays (or worse, bridges) unreachable because
|
|
the TLS handshake takes a few seconds to complete. Fixes bug 6743;
|
|
bugfix on 0.2.2.2-alpha, where we changed the timeout from a static
|
|
30 seconds.
|
|
- Authorities no longer include any router in their microdescriptor
|
|
consensuses for which they couldn't generate or agree on a
|
|
microdescriptor. Fixes the second piece of bug 6404; fix on
|
|
0.2.2.6-alpha.
|
|
- Detect and reject attempts to specify both "FooPort" and
|
|
"FooPort 0" in the same configuration domain. (It's still okay
|
|
to have a FooPort in your configuration file, and use "FooPort 0"
|
|
on the command line to disable it.) Fixes the second half of bug
|
|
6507; bugfix on 0.2.3.3-alpha.
|
|
- Make wildcarded addresses (that is, ones beginning with "*.") work
|
|
when provided via the controller's MapAddress command. Previously,
|
|
they were accepted, but we never actually noticed that they were
|
|
wildcards. Fixes bug 6244; bugfix on 0.2.3.9-alpha.
|
|
- Avoid crashing on a malformed state file where EntryGuardPathBias
|
|
precedes EntryGuard. Fix for bug 6774; bugfix on 0.2.3.17-beta.
|
|
- Add a (probably redundant) memory clear between iterations of
|
|
the router status voting loop, to prevent future coding errors
|
|
where data might leak between iterations of the loop. Resolves
|
|
ticket 6514.
|
|
|
|
o Minor bugfixes (log messages):
|
|
- Downgrade "set buildtimeout to low value" messages to "info"
|
|
severity; they were never an actual problem, there was never
|
|
anything reasonable to do about them, and they tended to spam logs
|
|
from time to time. Fixes bug 6251; bugfix on 0.2.2.2-alpha.
|
|
- Downgrade path-bias warning messages to "info". We'll try to get
|
|
them working better in 0.2.4. Add internal circuit construction
|
|
state to protect against the noisy warn message "Unexpectedly high
|
|
circuit_successes". Also add some additional rate-limited notice
|
|
messages to help determine the root cause of the warn. Fixes bug
|
|
6475. Bugfix against 0.2.3.17-beta.
|
|
- Move log message when unable to find a microdesc in a routerstatus
|
|
entry to parse time. Previously we'd spam this warning every time
|
|
we tried to figure out which microdescriptors to download. Fixes
|
|
the third piece of bug 6404; fix on 0.2.3.18-rc.
|
|
|
|
o Minor features:
|
|
- Consider new, removed or changed IPv6 OR ports a non-cosmetic
|
|
change when the authority is deciding whether to accept a newly
|
|
uploaded descriptor. Implements ticket 6423.
|
|
- Add missing documentation for consensus and microdesc files.
|
|
Resolves ticket 6732.
|
|
|
|
|
|
Changes in version 0.2.2.38 - 2012-08-12
|
|
Tor 0.2.2.38 fixes a remotely triggerable crash bug, and fixes a timing
|
|
attack that could in theory leak path information.
|
|
|
|
o Security fixes:
|
|
- Avoid an uninitialized memory read when reading a vote or consensus
|
|
document that has an unrecognized flavor name. This read could
|
|
lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
|
|
- Try to leak less information about what relays a client is
|
|
choosing to a side-channel attacker. Previously, a Tor client would
|
|
stop iterating through the list of available relays as soon as it
|
|
had chosen one, thus finishing a little earlier when it picked
|
|
a router earlier in the list. If an attacker can recover this
|
|
timing information (nontrivial but not proven to be impossible),
|
|
they could learn some coarse-grained information about which relays
|
|
a client was picking (middle nodes in particular are likelier to
|
|
be affected than exits). The timing attack might be mitigated by
|
|
other factors (see bug 6537 for some discussion), but it's best
|
|
not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
|
|
|
|
|
|
Changes in version 0.2.3.20-rc - 2012-08-05
|
|
Tor 0.2.3.20-rc is the third release candidate for the Tor 0.2.3.x
|
|
series. It fixes a pair of code security bugs and a potential anonymity
|
|
issue, updates our RPM spec files, and cleans up other smaller issues.
|
|
|
|
o Security fixes:
|
|
- Avoid read-from-freed-memory and double-free bugs that could occur
|
|
when a DNS request fails while launching it. Fixes bug 6480;
|
|
bugfix on 0.2.0.1-alpha.
|
|
- Avoid an uninitialized memory read when reading a vote or consensus
|
|
document that has an unrecognized flavor name. This read could
|
|
lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
|
|
- Try to leak less information about what relays a client is
|
|
choosing to a side-channel attacker. Previously, a Tor client would
|
|
stop iterating through the list of available relays as soon as it
|
|
had chosen one, thus finishing a little earlier when it picked
|
|
a router earlier in the list. If an attacker can recover this
|
|
timing information (nontrivial but not proven to be impossible),
|
|
they could learn some coarse-grained information about which relays
|
|
a client was picking (middle nodes in particular are likelier to
|
|
be affected than exits). The timing attack might be mitigated by
|
|
other factors (see bug 6537 for some discussion), but it's best
|
|
not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
|
|
|
|
o Minor features:
|
|
- Try to make the warning when giving an obsolete SOCKSListenAddress
|
|
a little more useful.
|
|
- Terminate active server managed proxies if Tor stops being a
|
|
relay. Addresses parts of bug 6274; bugfix on 0.2.3.6-alpha.
|
|
- Provide a better error message about possible OSX Asciidoc failure
|
|
reasons. Fixes bug 6436.
|
|
- Warn when Tor is configured to use accounting in a way that can
|
|
link a hidden service to some other hidden service or public
|
|
address. Resolves ticket 6490.
|
|
|
|
o Minor bugfixes:
|
|
- Check return value of fputs() when writing authority certificate
|
|
file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha.
|
|
- Ignore ServerTransportPlugin lines when Tor is not configured as
|
|
a relay. Fixes bug 6274; bugfix on 0.2.3.6-alpha.
|
|
- When disabling guards for having too high a proportion of failed
|
|
circuits, make sure to look at each guard. Fixes bug 6397; bugfix
|
|
on 0.2.3.17-beta.
|
|
|
|
o Packaging (RPM):
|
|
- Update our default RPM spec files to work with mock and rpmbuild
|
|
on RHEL/Fedora. They have an updated set of dependencies and
|
|
conflicts, a fix for an ancient typo when creating the "_tor"
|
|
user, and better instructions. Thanks to Ondrej Mikle for the
|
|
patch series. Fixes bug 6043.
|
|
|
|
o Testing:
|
|
- Make it possible to set the TestingTorNetwork configuration
|
|
option using AlternateDirAuthority and AlternateBridgeAuthority
|
|
as an alternative to setting DirServer. Addresses ticket 6377.
|
|
|
|
o Documentation:
|
|
- Clarify the documentation for the Alternate*Authority options.
|
|
Fixes bug 6387.
|
|
- Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500.
|
|
|
|
o Code simplification and refactoring:
|
|
- Do not use SMARTLIST_FOREACH for any loop whose body exceeds
|
|
10 lines. Also, don't nest them. Doing so in the past has
|
|
led to hard-to-debug code. The new style is to use the
|
|
SMARTLIST_FOREACH_{BEGIN,END} pair. Addresses issue 6400.
|
|
|
|
|
|
Changes in version 0.2.3.19-rc - 2012-07-06
|
|
Tor 0.2.3.19-rc is the second release candidate for the Tor 0.2.3.x
|
|
series. It fixes the compile on Windows, reverts to a GeoIP database
|
|
that isn't as broken, and fixes a flow control bug that has been around
|
|
since the beginning of Tor.
|
|
|
|
o Major bugfixes:
|
|
- Fix a bug handling SENDME cells on nonexistent streams that could
|
|
result in bizarre window values. Report and patch contributed
|
|
pseudonymously. Fixes part of bug 6271. This bug was introduced
|
|
before the first Tor release, in svn commit r152.
|
|
- Revert to the May 1 2012 Maxmind GeoLite Country database. In the
|
|
June 2012 database, Maxmind marked many Tor relays as country "A1",
|
|
which will cause risky behavior for clients that set EntryNodes
|
|
or ExitNodes. Addresses bug 6334; bugfix on 0.2.3.17-beta.
|
|
- Instead of ENOBUFS on Windows, say WSAENOBUFS. Fixes compilation
|
|
on Windows. Fixes bug 6296; bugfix on 0.2.3.18-rc.
|
|
|
|
o Minor bugfixes:
|
|
- Fix wrong TCP port range in parse_port_range(). Fixes bug 6218;
|
|
bugfix on 0.2.1.10-alpha.
|
|
|
|
|
|
Changes in version 0.2.3.18-rc - 2012-06-28
|
|
Tor 0.2.3.18-rc is the first release candidate for the Tor 0.2.3.x
|
|
series. It fixes a few smaller bugs, but generally appears stable.
|
|
Please test it and let us know whether it is!
|
|
|
|
o Major bugfixes:
|
|
- Allow wildcarded mapaddress targets to be specified on the
|
|
controlport. Partially fixes bug 6244; bugfix on 0.2.3.9-alpha.
|
|
- Make our linker option detection code more robust against linkers
|
|
such as on FreeBSD 8, where a bad combination of options completes
|
|
successfully but makes an unrunnable binary. Fixes bug 6173;
|
|
bugfix on 0.2.3.17-beta.
|
|
|
|
o Minor bugfixes (on 0.2.2.x and earlier):
|
|
- Avoid a false positive in the util/threads unit test by increasing
|
|
the maximum timeout time. Fixes bug 6227; bugfix on 0.2.0.4-alpha.
|
|
- Replace "Sending publish request" log messages with "Launching
|
|
upload", so that they no longer confusingly imply that we're
|
|
sending something to a directory we might not even be connected
|
|
to yet. Fixes bug 3311; bugfix on 0.2.0.10-alpha.
|
|
- Make sure to set *socket_error in all error cases in
|
|
connection_connect(), so it can't produce a warning about
|
|
errno being zero from errno_to_orconn_end_reason(). Bugfix on
|
|
0.2.1.1-alpha; resolves ticket 6028.
|
|
- Downgrade "Got a certificate, but we already have it" log messages
|
|
from warning to info, except when we're a dirauth. Fixes bug 5238;
|
|
bugfix on 0.2.1.7-alpha.
|
|
- When checking for requested signatures on the latest consensus
|
|
before serving it to a client, make sure to check the right
|
|
consensus flavor. Bugfix on 0.2.2.6-alpha.
|
|
- Downgrade "eventdns rejected address" message to LOG_PROTOCOL_WARN.
|
|
Fixes bug 5932; bugfix on 0.2.2.7-alpha.
|
|
|
|
o Minor bugfixes (on 0.2.3.x):
|
|
- Make format_helper_exit_status() avoid unnecessary space padding
|
|
and stop confusing log_from_pipe(). Fixes ticket 5557; bugfix
|
|
on 0.2.3.1-alpha.
|
|
- Downgrade a message about cleaning the microdescriptor cache to
|
|
"info" from "notice". Fixes bug 6238; bugfix on 0.2.3.1-alpha.
|
|
- Log a BUG message at severity INFO if we have a networkstatus with
|
|
a missing entry for some microdescriptor. Continues on a patch
|
|
to 0.2.3.2-alpha.
|
|
- Improve the log message when a managed proxy fails to launch. Fixes
|
|
bug 5099; bugfix on 0.2.3.6-alpha.
|
|
- Don't do DNS lookups when parsing corrupted managed proxy protocol
|
|
messages. Fixes bug 6226; bugfix on 0.2.3.6-alpha.
|
|
- When formatting wildcarded address mappings for the controller,
|
|
be sure to include "*." as appropriate. Partially fixes bug 6244;
|
|
bugfix on 0.2.3.9-alpha.
|
|
- Avoid a warning caused by using strcspn() from glibc with clang 3.0.
|
|
Bugfix on 0.2.3.13-alpha.
|
|
- Stop logging messages about running with circuit timeout learning
|
|
enabled at severity LD_BUG. Fixes bug 6169; bugfix on 0.2.3.17-beta.
|
|
- Disable a spurious warning about reading on a marked and flushing
|
|
connection. We shouldn't be doing that, but apparently we
|
|
sometimes do. Fixes bug 6203; bugfix on 0.2.3.17-beta.
|
|
- Fix a bug that stopped AllowDotExit from working on addresses
|
|
that had an entry in the DNS cache. Fixes bug 6211; bugfix on
|
|
0.2.3.17-beta.
|
|
|
|
o Code simplification, refactoring, unit tests:
|
|
- Move tor_gettimeofday_cached() into compat_libevent.c, and use
|
|
Libevent's notion of cached time when possible.
|
|
- Remove duplicate code for invoking getrlimit() from control.c.
|
|
- Add a unit test for the environment_variable_names_equal function.
|
|
|
|
o Documentation:
|
|
- Document the --defaults-torrc option, and the new (in 0.2.3)
|
|
semantics for overriding, extending, and clearing lists of
|
|
options. Closes bug 4748.
|
|
|
|
|
|
Changes in version 0.2.3.17-beta - 2012-06-15
|
|
Tor 0.2.3.17-beta enables compiler and linker hardening by default,
|
|
gets our TLS handshake back on track for being able to blend in with
|
|
Firefox, fixes a big bug in 0.2.3.16-alpha that broke Tor's interaction
|
|
with Vidalia, and otherwise continues to get us closer to a release
|
|
candidate.
|
|
|
|
o Major features:
|
|
- Enable gcc and ld hardening by default. Resolves ticket 5210.
|
|
- Update TLS cipher list to match Firefox 8 and later. Resolves
|
|
ticket 4744.
|
|
- Implement the client side of proposal 198: remove support for
|
|
clients falsely claiming to support standard ciphersuites that
|
|
they can actually provide. As of modern OpenSSL versions, it's not
|
|
necessary to fake any standard ciphersuite, and doing so prevents
|
|
us from using better ciphersuites in the future, since servers
|
|
can't know whether an advertised ciphersuite is really supported or
|
|
not. Some hosts -- notably, ones with very old versions of OpenSSL
|
|
or where OpenSSL has been built with ECC disabled -- will stand
|
|
out because of this change; TBB users should not be affected.
|
|
|
|
o Major bugfixes:
|
|
- Change the default value for DynamicDHGroups (introduced in
|
|
0.2.3.9-alpha) to 0. This feature can make Tor relays less
|
|
identifiable by their use of the mod_ssl DH group, but at
|
|
the cost of some usability (#4721) and bridge tracing (#6087)
|
|
regressions. Resolves ticket 5598.
|
|
- Send a CRLF at the end of each STATUS_* control protocol event. This
|
|
bug tickled a bug in Vidalia which would make it freeze. Fixes
|
|
bug 6094; bugfix on 0.2.3.16-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Disable writing on marked-for-close connections when they are
|
|
blocked on bandwidth, to prevent busy-looping in Libevent. Fixes
|
|
bug 5263; bugfix on 0.0.2pre13, where we first added a special
|
|
case for flushing marked connections.
|
|
- Detect SSL handshake even when the initial attempt to write the
|
|
server hello fails. Fixes bug 4592; bugfix on 0.2.0.13-alpha.
|
|
- Change the AllowDotExit rules so they should actually work.
|
|
We now enforce AllowDotExit only immediately after receiving an
|
|
address via SOCKS or DNSPort: other sources are free to provide
|
|
.exit addresses after the resolution occurs. Fixes bug 3940;
|
|
bugfix on 0.2.2.1-alpha.
|
|
- Fix a (harmless) integer overflow in cell statistics reported by
|
|
some fast relays. Fixes bug 5849; bugfix on 0.2.2.1-alpha.
|
|
- Make sure circuitbuild.c checks LearnCircuitBuildTimeout in all the
|
|
right places and never depends on the consensus parameters or
|
|
computes adaptive timeouts when it is disabled. Fixes bug 5049;
|
|
bugfix on 0.2.2.14-alpha.
|
|
- When building Tor on Windows with -DUNICODE (not default), ensure
|
|
that error messages, filenames, and DNS server names are always
|
|
NUL-terminated when we convert them to a single-byte encoding.
|
|
Fixes bug 5909; bugfix on 0.2.2.16-alpha.
|
|
- Make Tor build correctly again with -DUNICODE -D_UNICODE defined.
|
|
Fixes bug 6097; bugfix on 0.2.2.16-alpha.
|
|
- Fix an edge case where TestingTorNetwork is set but the authorities
|
|
and relays all have an uptime of zero, where the private Tor network
|
|
could briefly lack support for hidden services. Fixes bug 3886;
|
|
bugfix on 0.2.2.18-alpha.
|
|
- Correct the manpage's descriptions for the default values of
|
|
DirReqStatistics and ExtraInfoStatistics. Fixes bug 2865; bugfix
|
|
on 0.2.3.1-alpha.
|
|
- Fix the documentation for the --hush and --quiet command line
|
|
options, which changed their behavior back in 0.2.3.3-alpha.
|
|
- Fix compilation warning with clang 3.1. Fixes bug 6141; bugfix on
|
|
0.2.3.11-alpha.
|
|
|
|
o Minor features:
|
|
- Rate-limit the "Weighted bandwidth is 0.000000" message, and add
|
|
more information to it, so that we can track it down in case it
|
|
returns again. Mitigates bug 5235.
|
|
- Check CircuitBuildTimeout and LearnCircuitBuildTimeout in
|
|
options_validate(); warn if LearnCircuitBuildTimeout is disabled and
|
|
CircuitBuildTimeout is set unreasonably low. Resolves ticket 5452.
|
|
- Warn the user when HTTPProxy, but no other proxy type, is
|
|
configured. This can cause surprising behavior: it doesn't send
|
|
all of Tor's traffic over the HTTPProxy -- it sends unencrypted
|
|
directory traffic only. Resolves ticket 4663.
|
|
- Issue a notice if a guard completes less than 40% of your circuits.
|
|
Threshold is configurable by torrc option PathBiasNoticeRate and
|
|
consensus parameter pb_noticepct. There is additional, off-by-
|
|
default code to disable guards which fail too many circuits.
|
|
Addresses ticket 5458.
|
|
- Update to the June 6 2012 Maxmind GeoLite Country database.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Remove validate_pluggable_transports_config(): its warning
|
|
message is now handled by connection_or_connect().
|
|
|
|
|
|
Changes in version 0.2.2.37 - 2012-06-06
|
|
Tor 0.2.2.37 introduces a workaround for a critical renegotiation
|
|
bug in OpenSSL 1.0.1 (where 20% of the Tor network can't talk to itself
|
|
currently).
|
|
|
|
o Major bugfixes:
|
|
- Work around a bug in OpenSSL that broke renegotiation with TLS
|
|
1.1 and TLS 1.2. Without this workaround, all attempts to speak
|
|
the v2 Tor connection protocol when both sides were using OpenSSL
|
|
1.0.1 would fail. Resolves ticket 6033.
|
|
- When waiting for a client to renegotiate, don't allow it to add
|
|
any bytes to the input buffer. This fixes a potential DoS issue.
|
|
Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc.
|
|
- Fix an edge case where if we fetch or publish a hidden service
|
|
descriptor, we might build a 4-hop circuit and then use that circuit
|
|
for exiting afterwards -- even if the new last hop doesn't obey our
|
|
ExitNodes config option. Fixes bug 5283; bugfix on 0.2.0.10-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a build warning with Clang 3.1 related to our use of vasprintf.
|
|
Fixes bug 5969. Bugfix on 0.2.2.11-alpha.
|
|
|
|
o Minor features:
|
|
- Tell GCC and Clang to check for any errors in format strings passed
|
|
to the tor_v*(print|scan)f functions.
|
|
|
|
|
|
Changes in version 0.2.3.16-alpha - 2012-06-05
|
|
Tor 0.2.3.16-alpha introduces a workaround for a critical renegotiation
|
|
bug in OpenSSL 1.0.1 (where 20% of the Tor network can't talk to itself
|
|
currently). It also fixes a variety of smaller bugs and other cleanups
|
|
that get us closer to a release candidate.
|
|
|
|
o Major bugfixes (general):
|
|
- Work around a bug in OpenSSL that broke renegotiation with TLS
|
|
1.1 and TLS 1.2. Without this workaround, all attempts to speak
|
|
the v2 Tor connection protocol when both sides were using OpenSSL
|
|
1.0.1 would fail. Resolves ticket 6033.
|
|
- When waiting for a client to renegotiate, don't allow it to add
|
|
any bytes to the input buffer. This fixes a potential DoS issue.
|
|
Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc.
|
|
- Pass correct OR address to managed proxies (like obfsproxy),
|
|
even when ORListenAddress is used. Fixes bug 4865; bugfix on
|
|
0.2.3.9-alpha.
|
|
- The advertised platform of a router now includes only its operating
|
|
system's name (e.g., "Linux", "Darwin", "Windows 7"), and not its
|
|
service pack level (for Windows) or its CPU architecture (for Unix).
|
|
We also no longer include the "git-XYZ" tag in the version. Resolves
|
|
part of bug 2988.
|
|
|
|
o Major bugfixes (clients):
|
|
- If we are unable to find any exit that supports our predicted ports,
|
|
stop calling them predicted, so that we don't loop and build
|
|
hopeless circuits indefinitely. Fixes bug 3296; bugfix on 0.0.9pre6,
|
|
which introduced predicted ports.
|
|
- Fix an edge case where if we fetch or publish a hidden service
|
|
descriptor, we might build a 4-hop circuit and then use that circuit
|
|
for exiting afterwards -- even if the new last hop doesn't obey our
|
|
ExitNodes config option. Fixes bug 5283; bugfix on 0.2.0.10-alpha.
|
|
- Check at each new consensus whether our entry guards were picked
|
|
long enough ago that we should rotate them. Previously, we only
|
|
did this check at startup, which could lead to us holding a guard
|
|
indefinitely. Fixes bug 5380; bugfix on 0.2.1.14-rc.
|
|
- When fetching a bridge descriptor from a bridge authority,
|
|
always do so anonymously, whether we have been able to open
|
|
circuits or not. Partial fix for bug 1938; bugfix on 0.2.0.7-alpha.
|
|
This behavior makes it *safer* to use UpdateBridgesFromAuthority,
|
|
but we'll need to wait for bug 6010 before it's actually usable.
|
|
|
|
o Major bugfixes (directory authorities):
|
|
- When computing weight parameters, behave more robustly in the
|
|
presence of a bad bwweightscale value. Previously, the authorities
|
|
would crash if they agreed on a sufficiently broken weight_scale
|
|
value: now, they use a reasonable default and carry on. Partial
|
|
fix for 5786; bugfix on 0.2.2.17-alpha.
|
|
- Check more thoroughly to prevent a rogue authority from
|
|
double-voting on any consensus directory parameter. Previously,
|
|
authorities would crash in this case if the total number of
|
|
votes for any parameter exceeded the number of active voters,
|
|
but would let it pass otherwise. Partial fix for bug 5786; bugfix
|
|
on 0.2.2.2-alpha.
|
|
|
|
o Minor features:
|
|
- Rate-limit log messages when asked to connect anonymously to
|
|
a private address. When these hit, they tended to hit fast and
|
|
often. Also, don't bother trying to connect to addresses that we
|
|
are sure will resolve to 127.0.0.1: getting 127.0.0.1 in a directory
|
|
reply makes us think we have been lied to, even when the address the
|
|
client tried to connect to was "localhost." Resolves ticket 2822.
|
|
- Allow packagers to insert an extra string in server descriptor
|
|
platform lines by setting the preprocessor variable TOR_BUILD_TAG.
|
|
Resolves the rest of ticket 2988.
|
|
- Raise the threshold of server descriptors needed (75%) and exit
|
|
server descriptors needed (50%) before we will declare ourselves
|
|
bootstrapped. This will make clients start building circuits a
|
|
little later, but makes the initially constructed circuits less
|
|
skewed and less in conflict with further directory fetches. Fixes
|
|
ticket 3196.
|
|
- Close any connection that sends unrecognized junk before the
|
|
handshake. Solves an issue noted in bug 4369.
|
|
- Improve log messages about managed transports. Resolves ticket 5070.
|
|
- Tag a bridge's descriptor as "never to be sent unencrypted".
|
|
This shouldn't matter, since bridges don't open non-anonymous
|
|
connections to the bridge authority and don't allow unencrypted
|
|
directory connections from clients, but we might as well make
|
|
sure. Closes bug 5139.
|
|
- Expose our view of whether we have gone dormant to the controller,
|
|
via a new "GETINFO dormant" value. Torbutton and other controllers
|
|
can use this to avoid doing periodic requests through Tor while
|
|
it's dormant (bug 4718). Fixes bug 5954.
|
|
- Tell GCC and Clang to check for any errors in format strings passed
|
|
to the tor_v*(print|scan)f functions.
|
|
- Update to the May 1 2012 Maxmind GeoLite Country database.
|
|
|
|
o Minor bugfixes (already included in 0.2.2.36):
|
|
- Reject out-of-range times like 23:59:61 in parse_rfc1123_time().
|
|
Fixes bug 5346; bugfix on 0.0.8pre3.
|
|
- Correct parsing of certain date types in parse_http_time().
|
|
Without this patch, If-Modified-Since would behave
|
|
incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from
|
|
Esteban Manchado Velázques.
|
|
- Make our number-parsing functions always treat too-large values
|
|
as an error, even when those values exceed the width of the
|
|
underlying type. Previously, if the caller provided these
|
|
functions with minima or maxima set to the extreme values of the
|
|
underlying integer type, these functions would return those
|
|
values on overflow rather than treating overflow as an error.
|
|
Fixes part of bug 5786; bugfix on 0.0.9.
|
|
- If we hit the error case where routerlist_insert() replaces an
|
|
existing (old) server descriptor, make sure to remove that
|
|
server descriptor from the old_routers list. Fix related to bug
|
|
1776. Bugfix on 0.2.2.18-alpha.
|
|
- Clarify the behavior of MaxCircuitDirtiness with hidden service
|
|
circuits. Fixes issue 5259.
|
|
|
|
o Minor bugfixes (coding cleanup, on 0.2.2.x and earlier):
|
|
- Prevent a null-pointer dereference when receiving a data cell
|
|
for a nonexistent stream when the circuit in question has an
|
|
empty deliver window. We don't believe this is triggerable,
|
|
since we don't currently allow deliver windows to become empty,
|
|
but the logic is tricky enough that it's better to make the code
|
|
robust. Fixes bug 5541; bugfix on 0.0.2pre14.
|
|
- Fix a memory leak when trying to launch a DNS request when the
|
|
network is disabled or the nameservers are unconfigurable. Fixes
|
|
bug 5916; bugfix on Tor 0.1.2.1-alpha (for the unconfigurable
|
|
nameserver case) and on 0.2.3.9-alpha (for the DisableNetwork case).
|
|
- Don't hold a Windows file handle open for every file mapping;
|
|
the file mapping handle is sufficient. Fixes bug 5951; bugfix on
|
|
0.1.2.1-alpha.
|
|
- Avoid O(n^2) performance characteristics when parsing a large
|
|
extrainfo cache. Fixes bug 5828; bugfix on 0.2.0.1-alpha.
|
|
- Format more doubles with %f, not %lf. Patch from grarpamp to make
|
|
Tor build correctly on older BSDs again. Fixes bug 3894; bugfix on
|
|
Tor 0.2.0.8-alpha.
|
|
- Make our replacement implementation of strtok_r() compatible with
|
|
the standard behavior of strtok_r(). Patch by nils. Fixes bug 5091;
|
|
bugfix on 0.2.2.1-alpha.
|
|
- Fix a NULL-pointer dereference on a badly formed
|
|
SETCIRCUITPURPOSE command. Found by mikeyc. Fixes bug 5796;
|
|
bugfix on 0.2.2.9-alpha.
|
|
- Fix a build warning with Clang 3.1 related to our use of vasprintf.
|
|
Fixes bug 5969. Bugfix on 0.2.2.11-alpha.
|
|
- Defensively refactor rend_mid_rendezvous() so that protocol
|
|
violations and length checks happen in the beginning. Fixes
|
|
bug 5645.
|
|
- Set _WIN32_WINNT to 0x0501 consistently throughout the code, so
|
|
that IPv6 stuff will compile on MSVC, and compilation issues
|
|
will be easier to track down. Fixes bug 5861.
|
|
|
|
o Minor bugfixes (correctness, on 0.2.2.x and earlier):
|
|
- Exit nodes now correctly report EADDRINUSE and EADDRNOTAVAIL as
|
|
resource exhaustion, so that clients can adjust their load to
|
|
try other exits. Fixes bug 4710; bugfix on 0.1.0.1-rc, which
|
|
started using END_STREAM_REASON_RESOURCELIMIT.
|
|
- Don't check for whether the address we're using for outbound
|
|
connections has changed until after the outbound connection has
|
|
completed. On Windows, getsockname() doesn't succeed until the
|
|
connection is finished. Fixes bug 5374; bugfix on 0.1.1.14-alpha.
|
|
- If the configuration tries to set MyFamily on a bridge, refuse to
|
|
do so, and warn about the security implications. Fixes bug 4657;
|
|
bugfix on 0.2.0.3-alpha.
|
|
- If the client fails to set a reasonable set of ciphersuites
|
|
during its v2 handshake renegotiation, allow the renegotiation to
|
|
continue nevertheless (i.e. send all the required certificates).
|
|
Fixes bug 4591; bugfix on 0.2.0.20-rc.
|
|
- When we receive a SIGHUP and the controller __ReloadTorrcOnSIGHUP
|
|
option is set to 0 (which Vidalia version 0.2.16 now does when
|
|
a SAVECONF attempt fails), perform other actions that SIGHUP
|
|
usually causes (like reopening the logs). Fixes bug 5095; bugfix
|
|
on 0.2.1.9-alpha.
|
|
- If we fail to write a microdescriptor to the disk cache, do not
|
|
continue replacing the old microdescriptor file. Fixes bug 2954;
|
|
bugfix on 0.2.2.6-alpha.
|
|
- Exit nodes don't need to fetch certificates for authorities that
|
|
they don't recognize; only directory authorities, bridges,
|
|
and caches need to do that. Fixes part of bug 2297; bugfix on
|
|
0.2.2.11-alpha.
|
|
- Correctly handle checking the permissions on the parent
|
|
directory of a control socket in the root directory. Bug found
|
|
by Esteban Manchado Velázquez. Fixes bug 5089; bugfix on Tor
|
|
0.2.2.26-beta.
|
|
- When told to add a bridge with the same digest as a preexisting
|
|
bridge but a different addr:port, change the addr:port as
|
|
requested. Previously we would not notice the change. Fixes half
|
|
of bug 5603; fix on 0.2.2.26-beta.
|
|
- End AUTHCHALLENGE error messages (in the control protocol) with
|
|
a CRLF. Fixes bug 5760; bugfix on 0.2.2.36 and 0.2.3.13-alpha.
|
|
|
|
o Minor bugfixes (on 0.2.3.x):
|
|
- Turn an assertion (that the number of handshakes received as a
|
|
server is not < 1) into a warning. Fixes bug 4873; bugfix on
|
|
0.2.3.1-alpha.
|
|
- Format IPv4 addresses correctly in ADDRMAP events. (Previously,
|
|
we had reversed them when the answer was cached.) Fixes bug
|
|
5723; bugfix on 0.2.3.1-alpha.
|
|
- Work correctly on Linux systems with accept4 support advertised in
|
|
their headers, but without accept4 support in the kernel. Fix
|
|
by murb. Fixes bug 5762; bugfix on 0.2.3.1-alpha.
|
|
- When told to add a bridge with the same addr:port as a preexisting
|
|
bridge but a different transport, change the transport as
|
|
requested. Previously we would not notice the change. Fixes half
|
|
of bug 5603; fix on 0.2.3.2-alpha.
|
|
- Avoid a "double-reply" warning when replying to a SOCKS request
|
|
with a parse error. Patch from Fabian Keil. Fixes bug 4108;
|
|
bugfix on 0.2.3.4-alpha.
|
|
- Fix a bug where a bridge authority crashes if it has seen no
|
|
directory requests when it's time to write statistics to disk.
|
|
Fixes bug 5891; bugfix on 0.2.3.6-alpha. Also fixes bug 5508 in
|
|
a better way.
|
|
- Don't try to open non-control listeners when DisableNetwork is set.
|
|
Previously, we'd open all listeners, then immediately close them.
|
|
Fixes bug 5604; bugfix on 0.2.3.9-alpha.
|
|
- Don't abort the managed proxy protocol if the managed proxy
|
|
sends us an unrecognized line; ignore it instead. Fixes bug
|
|
5910; bugfix on 0.2.3.9-alpha.
|
|
- Fix a compile warning in crypto.c when compiling with clang 3.1.
|
|
Fixes bug 5969, bugfix on 0.2.3.9-alpha.
|
|
- Fix a compilation issue on GNU Hurd, which doesn't have PATH_MAX.
|
|
Fixes bug 5355; bugfix on 0.2.3.11-alpha.
|
|
- Remove bogus definition of "_WIN32" from src/win32/orconfig.h, to
|
|
unbreak the MSVC build. Fixes bug 5858; bugfix on 0.2.3.12-alpha.
|
|
- Resolve numerous small warnings and build issues with MSVC. Resolves
|
|
bug 5859.
|
|
|
|
o Documentation fixes:
|
|
- Improve the manual's documentation for the NT Service command-line
|
|
options. Addresses ticket 3964.
|
|
- Clarify SessionGroup documentation slightly; resolves ticket 5437.
|
|
- Document the changes to the ORPort and DirPort options, and the
|
|
fact that {OR/Dir}ListenAddress is now unnecessary (and
|
|
therefore deprecated). Resolves ticket 5597.
|
|
|
|
o Removed files:
|
|
- Remove the torrc.bridge file: we don't use it for anything, and
|
|
it had become badly desynchronized from torrc.sample. Resolves
|
|
bug 5622.
|
|
|
|
|
|
Changes in version 0.2.2.36 - 2012-05-24
|
|
Tor 0.2.2.36 updates the addresses for two of the eight directory
|
|
authorities, fixes some potential anonymity and security issues,
|
|
and fixes several crash bugs.
|
|
|
|
Tor 0.2.1.x has reached its end-of-life. Those Tor versions have many
|
|
known flaws, and nobody should be using them. You should upgrade. If
|
|
you're using a Linux or BSD and its packages are obsolete, stop using
|
|
those packages and upgrade anyway.
|
|
|
|
o Directory authority changes:
|
|
- Change IP address for maatuska (v3 directory authority).
|
|
- Change IP address for ides (v3 directory authority), and rename
|
|
it to turtles.
|
|
|
|
o Security fixes:
|
|
- When building or running with any version of OpenSSL earlier
|
|
than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
|
|
versions have a bug (CVE-2011-4576) in which their block cipher
|
|
padding includes uninitialized data, potentially leaking sensitive
|
|
information to any peer with whom they make a SSLv3 connection. Tor
|
|
does not use SSL v3 by default, but a hostile client or server
|
|
could force an SSLv3 connection in order to gain information that
|
|
they shouldn't have been able to get. The best solution here is to
|
|
upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
|
|
or running with a non-upgraded OpenSSL, we disable SSLv3 entirely
|
|
to make sure that the bug can't happen.
|
|
- Never use a bridge or a controller-supplied node as an exit, even
|
|
if its exit policy allows it. Found by wanoskarnet. Fixes bug
|
|
5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
|
|
and 0.2.0.3-alpha (for bridge-purpose descriptors).
|
|
- Only build circuits if we have a sufficient threshold of the total
|
|
descriptors that are marked in the consensus with the "Exit"
|
|
flag. This mitigates an attack proposed by wanoskarnet, in which
|
|
all of a client's bridges collude to restrict the exit nodes that
|
|
the client knows about. Fixes bug 5343.
|
|
- Provide controllers with a safer way to implement the cookie
|
|
authentication mechanism. With the old method, if another locally
|
|
running program could convince a controller that it was the Tor
|
|
process, then that program could trick the controller into telling
|
|
it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
|
|
authentication method uses a challenge-response approach to prevent
|
|
this attack. Fixes bug 5185; implements proposal 193.
|
|
|
|
o Major bugfixes:
|
|
- Avoid logging uninitialized data when unable to decode a hidden
|
|
service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha.
|
|
- Avoid a client-side assertion failure when receiving an INTRODUCE2
|
|
cell on a general purpose circuit. Fixes bug 5644; bugfix on
|
|
0.2.1.6-alpha.
|
|
- Fix builds when the path to sed, openssl, or sha1sum contains
|
|
spaces, which is pretty common on Windows. Fixes bug 5065; bugfix
|
|
on 0.2.2.1-alpha.
|
|
- Correct our replacements for the timeradd() and timersub() functions
|
|
on platforms that lack them (for example, Windows). The timersub()
|
|
function is used when expiring circuits, while timeradd() is
|
|
currently unused. Bug report and patch by Vektor. Fixes bug 4778;
|
|
bugfix on 0.2.2.24-alpha.
|
|
- Fix the SOCKET_OK test that we use to tell when socket
|
|
creation fails so that it works on Win64. Fixes part of bug 4533;
|
|
bugfix on 0.2.2.29-beta. Bug found by wanoskarnet.
|
|
|
|
o Minor bugfixes:
|
|
- Reject out-of-range times like 23:59:61 in parse_rfc1123_time().
|
|
Fixes bug 5346; bugfix on 0.0.8pre3.
|
|
- Make our number-parsing functions always treat too-large values
|
|
as an error, even when those values exceed the width of the
|
|
underlying type. Previously, if the caller provided these
|
|
functions with minima or maxima set to the extreme values of the
|
|
underlying integer type, these functions would return those
|
|
values on overflow rather than treating overflow as an error.
|
|
Fixes part of bug 5786; bugfix on 0.0.9.
|
|
- Older Linux kernels erroneously respond to strange nmap behavior
|
|
by having accept() return successfully with a zero-length
|
|
socket. When this happens, just close the connection. Previously,
|
|
we would try harder to learn the remote address: but there was
|
|
no such remote address to learn, and our method for trying to
|
|
learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
|
|
on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
|
|
- Correct parsing of certain date types in parse_http_time().
|
|
Without this patch, If-Modified-Since would behave
|
|
incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from
|
|
Esteban Manchado Velázques.
|
|
- Change the BridgePassword feature (part of the "bridge community"
|
|
design, which is not yet implemented) to use a time-independent
|
|
comparison. The old behavior might have allowed an adversary
|
|
to use timing to guess the BridgePassword value. Fixes bug 5543;
|
|
bugfix on 0.2.0.14-alpha.
|
|
- Detect and reject certain misformed escape sequences in
|
|
configuration values. Previously, these values would cause us
|
|
to crash if received in a torrc file or over an authenticated
|
|
control port. Bug found by Esteban Manchado Velázquez, and
|
|
independently by Robert Connolly from Matta Consulting who further
|
|
noted that it allows a post-authentication heap overflow. Patch
|
|
by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668);
|
|
bugfix on 0.2.0.16-alpha.
|
|
- Fix a compile warning when using the --enable-openbsd-malloc
|
|
configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc.
|
|
- During configure, detect when we're building with clang version
|
|
3.0 or lower and disable the -Wnormalized=id and -Woverride-init
|
|
CFLAGS. clang doesn't support them yet.
|
|
- When sending an HTTP/1.1 proxy request, include a Host header.
|
|
Fixes bug 5593; bugfix on 0.2.2.1-alpha.
|
|
- Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE
|
|
command. Found by mikeyc. Fixes bug 5796; bugfix on 0.2.2.9-alpha.
|
|
- If we hit the error case where routerlist_insert() replaces an
|
|
existing (old) server descriptor, make sure to remove that
|
|
server descriptor from the old_routers list. Fix related to bug
|
|
1776. Bugfix on 0.2.2.18-alpha.
|
|
|
|
o Minor bugfixes (documentation and log messages):
|
|
- Fix a typo in a log message in rend_service_rendezvous_has_opened().
|
|
Fixes bug 4856; bugfix on Tor 0.0.6.
|
|
- Update "ClientOnly" man page entry to explain that there isn't
|
|
really any point to messing with it. Resolves ticket 5005.
|
|
- Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
|
|
directory authority option (introduced in Tor 0.2.2.34).
|
|
- Downgrade the "We're missing a certificate" message from notice
|
|
to info: people kept mistaking it for a real problem, whereas it
|
|
is seldom the problem even when we are failing to bootstrap. Fixes
|
|
bug 5067; bugfix on 0.2.0.10-alpha.
|
|
- Correctly spell "connect" in a log message on failure to create a
|
|
controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta.
|
|
- Clarify the behavior of MaxCircuitDirtiness with hidden service
|
|
circuits. Fixes issue 5259.
|
|
|
|
o Minor features:
|
|
- Directory authorities now reject versions of Tor older than
|
|
0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
|
|
inclusive. These versions accounted for only a small fraction of
|
|
the Tor network, and have numerous known security issues. Resolves
|
|
issue 4788.
|
|
- Update to the May 1 2012 Maxmind GeoLite Country database.
|
|
|
|
- Feature removal:
|
|
- When sending or relaying a RELAY_EARLY cell, we used to convert
|
|
it to a RELAY cell if the connection was using the v1 link
|
|
protocol. This was a workaround for older versions of Tor, which
|
|
didn't handle RELAY_EARLY cells properly. Now that all supported
|
|
versions can handle RELAY_EARLY cells, and now that we're enforcing
|
|
the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
|
|
remove this workaround. Addresses bug 4786.
|
|
|
|
|
|
Changes in version 0.2.3.15-alpha - 2012-04-30
|
|
Tor 0.2.3.15-alpha fixes a variety of smaller bugs, including making
|
|
the development branch build on Windows again.
|
|
|
|
o Minor bugfixes (on 0.2.2.x and earlier):
|
|
- Make sure that there are no unhandled pending TLS errors before
|
|
reading from a TLS stream. We had checks in 0.1.0.3-rc, but
|
|
lost them in 0.1.0.5-rc when we refactored read_to_buf_tls().
|
|
Bugfix on 0.1.0.5-rc; fixes bug 4528.
|
|
- Fix an assert that directory authorities could trigger on sighup
|
|
during some configuration state transitions. We now don't treat
|
|
it as a fatal error when the new descriptor we just generated in
|
|
init_keys() isn't accepted. Fixes bug 4438; bugfix on 0.2.1.9-alpha.
|
|
- After we pick a directory mirror, we would refuse to use it if
|
|
it's in our ExcludeExitNodes list, resulting in mysterious failures
|
|
to bootstrap for people who just wanted to avoid exiting from
|
|
certain locations. Fixes bug 5623; bugfix on 0.2.2.25-alpha.
|
|
- When building with --enable-static-tor on OpenBSD, do not
|
|
erroneously attempt to link -lrt. Fixes bug 5103.
|
|
|
|
o Minor bugfixes (on 0.2.3.x):
|
|
- When Tor is built with kernel headers from a recent (last few
|
|
years) Linux kernel, do not fail to run on older (pre-2.6.28
|
|
Linux kernels). Fixes bug 5112; bugfix on 0.2.3.1-alpha.
|
|
- Fix cross-compilation issues with mingw. Bugfixes on 0.2.3.6-alpha
|
|
and 0.2.3.12-alpha.
|
|
- Fix compilation with miniupnpc version 1.6; patch from
|
|
Anthony G. Basile. Fixes bug 5434; bugfix on 0.2.3.12-alpha.
|
|
- Fix compilation with MSVC, which had defined MS_WINDOWS. Bugfix
|
|
on 0.2.3.13-alpha; found and fixed by Gisle Vanem.
|
|
- Fix compilation on platforms without unistd.h, or where environ
|
|
is defined in stdlib.h. Fixes bug 5704; bugfix on 0.2.3.13-alpha.
|
|
|
|
o Minor features:
|
|
- Directory authorities are now a little more lenient at accepting
|
|
older router descriptors, or newer router descriptors that don't
|
|
make big changes. This should help ameliorate past and future
|
|
issues where routers think they have uploaded valid descriptors,
|
|
but the authorities don't think so. Fix for ticket 2479.
|
|
- Make the code that clients use to detect an address change be
|
|
IPv6-aware, so that it won't fill clients' logs with error
|
|
messages when trying to get the IPv4 address of an IPv6
|
|
connection. Implements ticket 5537.
|
|
|
|
o Removed features:
|
|
- Remove the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays option;
|
|
authorities needed to use it for a while to keep the network working
|
|
as people upgraded to 0.2.1.31, 0.2.2.34, or 0.2.3.6-alpha, but
|
|
that was six months ago. As of now, it should no longer be needed
|
|
or used.
|
|
|
|
|
|
Changes in version 0.2.3.14-alpha - 2012-04-23
|
|
Tor 0.2.3.14-alpha fixes yet more bugs to get us closer to a release
|
|
candidate. It also dramatically speeds up AES: fast relays should
|
|
consider switching to the newer OpenSSL library.
|
|
|
|
o Directory authority changes:
|
|
- Change IP address for ides (v3 directory authority), and rename
|
|
it to turtles.
|
|
|
|
o Major bugfixes:
|
|
- Avoid logging uninitialized data when unable to decode a hidden
|
|
service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha.
|
|
- Avoid a client-side assertion failure when receiving an INTRODUCE2
|
|
cell on a general purpose circuit. Fixes bug 5644; bugfix on
|
|
0.2.1.6-alpha.
|
|
- If authorities are unable to get a v2 consensus document from other
|
|
directory authorities, they no longer fall back to fetching
|
|
them from regular directory caches. Fixes bug 5635; bugfix on
|
|
0.2.2.26-beta, where routers stopped downloading v2 consensus
|
|
documents entirely.
|
|
- When we start a Tor client with a normal consensus already cached,
|
|
be willing to download a microdescriptor consensus. Fixes bug 4011;
|
|
fix on 0.2.3.1-alpha.
|
|
|
|
o Major features (performance):
|
|
- When built to use OpenSSL 1.0.1, and built for an x86 or x86_64
|
|
instruction set, take advantage of OpenSSL's AESNI, bitsliced, or
|
|
vectorized AES implementations as appropriate. These can be much,
|
|
much faster than other AES implementations.
|
|
|
|
o Minor bugfixes (0.2.2.x and earlier):
|
|
- Don't launch more than 10 service-side introduction-point circuits
|
|
for a hidden service in five minutes. Previously, we would consider
|
|
launching more introduction-point circuits if at least one second
|
|
had passed without any introduction-point circuits failing. Fixes
|
|
bug 4607; bugfix on 0.0.7pre1.
|
|
- Change the BridgePassword feature (part of the "bridge community"
|
|
design, which is not yet implemented) to use a time-independent
|
|
comparison. The old behavior might have allowed an adversary
|
|
to use timing to guess the BridgePassword value. Fixes bug 5543;
|
|
bugfix on 0.2.0.14-alpha.
|
|
- Enforce correct return behavior of tor_vsscanf() when the '%%'
|
|
pattern is used. Fixes bug 5558. Bugfix on 0.2.1.13.
|
|
- When sending an HTTP/1.1 proxy request, include a Host header.
|
|
Fixes bug 5593; bugfix on 0.2.2.1-alpha.
|
|
- Don't log that we have "decided to publish new relay descriptor"
|
|
unless we are actually publishing a descriptor. Fixes bug 3942;
|
|
bugfix on 0.2.2.28-beta.
|
|
|
|
o Minor bugfixes (0.2.3.x):
|
|
- Fix a bug where a bridge authority crashes (on a failed assert)
|
|
if it has seen no directory requests when it's time to write
|
|
statistics to disk. Fixes bug 5508. Bugfix on 0.2.3.6-alpha.
|
|
- Fix bug stomping on ORPort option NoListen and ignoring option
|
|
NoAdvertise. Fixes bug 5151; bugfix on 0.2.3.9-alpha.
|
|
- In the testsuite, provide a large enough buffer in the tor_sscanf
|
|
unit test. Otherwise we'd overrun that buffer and crash during
|
|
the unit tests. Found by weasel. Fixes bug 5449; bugfix on
|
|
0.2.3.12-alpha.
|
|
- Make sure we create the keys directory if it doesn't exist and we're
|
|
about to store the dynamic Diffie-Hellman parameters. Fixes bug
|
|
5572; bugfix on 0.2.3.13-alpha.
|
|
- Fix a small memory leak when trying to decode incorrect base16
|
|
authenticator during SAFECOOKIE authentication. Found by
|
|
Coverity Scan. Fixes CID 507. Bugfix on 0.2.3.13-alpha.
|
|
|
|
o Minor features:
|
|
- Add more information to a log statement that might help track down
|
|
bug 4091. If you're seeing "Bug: tor_addr_is_internal() called with a
|
|
non-IP address" messages (or any Bug messages, for that matter!),
|
|
please let us know about it.
|
|
- Relays now understand an IPv6 address when they get one from a
|
|
directory server. Resolves ticket 4875.
|
|
- Resolve IPv6 addresses in bridge and entry statistics to country
|
|
code "??" which means we at least count them. Resolves ticket 5053;
|
|
improves on 0.2.3.9-alpha.
|
|
- Update to the April 3 2012 Maxmind GeoLite Country database.
|
|
- Begin a doc/state-contents.txt file to explain the contents of
|
|
the Tor state file. Fixes bug 2987.
|
|
|
|
o Default torrc changes:
|
|
- Stop listing "socksport 9050" in torrc.sample. We open a socks
|
|
port on 9050 by default anyway, so this should not change anything
|
|
in practice.
|
|
- Stop mentioning the deprecated *ListenAddress options in
|
|
torrc.sample. Fixes bug 5438.
|
|
- Document unit of bandwidth related options in sample torrc.
|
|
Fixes bug 5621.
|
|
|
|
o Removed features:
|
|
- The "torify" script no longer supports the "tsocks" socksifier
|
|
tool, since tsocks doesn't support DNS and UDP right for Tor.
|
|
Everyone should be using torsocks instead. Fixes bugs 3530 and
|
|
5180. Based on a patch by "ugh".
|
|
|
|
o Code refactoring:
|
|
- Change the symmetric cipher interface so that creating and
|
|
initializing a stream cipher are no longer separate functions.
|
|
- Remove all internal support for unpadded RSA. We never used it, and
|
|
it would be a bad idea to start.
|
|
|
|
|
|
Changes in version 0.2.3.13-alpha - 2012-03-26
|
|
Tor 0.2.3.13-alpha fixes a variety of stability and correctness bugs
|
|
in managed pluggable transports, as well as providing other cleanups
|
|
that get us closer to a release candidate.
|
|
|
|
o Directory authority changes:
|
|
- Change IP address for maatuska (v3 directory authority).
|
|
|
|
o Security fixes:
|
|
- Provide controllers with a safer way to implement the cookie
|
|
authentication mechanism. With the old method, if another locally
|
|
running program could convince a controller that it was the Tor
|
|
process, then that program could trick the controller into telling
|
|
it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
|
|
authentication method uses a challenge-response approach to prevent
|
|
this attack. Fixes bug 5185, implements proposal 193.
|
|
- Never use a bridge or a controller-supplied node as an exit, even
|
|
if its exit policy allows it. Found by wanoskarnet. Fixes bug
|
|
5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
|
|
and 0.2.0.3-alpha (for bridge-purpose descriptors).
|
|
- Only build circuits if we have a sufficient threshold of the total
|
|
descriptors that are marked in the consensus with the "Exit"
|
|
flag. This mitigates an attack proposed by wanoskarnet, in which
|
|
all of a client's bridges collude to restrict the exit nodes that
|
|
the client knows about. Fixes bug 5343.
|
|
|
|
o Major bugfixes (on Tor 0.2.3.x):
|
|
- Avoid an assert when managed proxies like obfsproxy are configured,
|
|
and we receive HUP signals or setconf attempts too rapidly. This
|
|
situation happens most commonly when Vidalia tries to attach to
|
|
Tor or tries to configure the Tor it's attached to. Fixes bug 5084;
|
|
bugfix on 0.2.3.6-alpha.
|
|
- Fix a relay-side pluggable transports bug where managed proxies were
|
|
unreachable from the Internet, because Tor asked them to bind on
|
|
localhost. Fixes bug 4725; bugfix on 0.2.3.9-alpha.
|
|
- Stop discarding command-line arguments when TestingTorNetwork
|
|
is set. Discovered by Kevin Bauer. Fixes bug 5373; bugfix on
|
|
0.2.3.9-alpha, where task 4552 added support for two layers of
|
|
torrc files.
|
|
- Resume allowing the unit tests to run in gdb. This was accidentally
|
|
made impossible when the DisableDebuggerAttachment option was
|
|
introduced. Fixes bug 5448; bugfix on 0.2.3.9-alpha.
|
|
- Resume building with nat-pmp support. Fixes bug 4955; bugfix on
|
|
0.2.3.11-alpha. Reported by Anthony G. Basile.
|
|
|
|
o Minor bugfixes (on 0.2.2.x and earlier):
|
|
- Ensure we don't cannibalize circuits that are longer than three hops
|
|
already, so we don't end up making circuits with 5 or more
|
|
hops. Patch contributed by wanoskarnet. Fixes bug 5231; bugfix on
|
|
0.1.0.1-rc which introduced cannibalization.
|
|
- Detect and reject certain misformed escape sequences in
|
|
configuration values. Previously, these values would cause us
|
|
to crash if received in a torrc file or over an authenticated
|
|
control port. Bug found by Esteban Manchado Velázquez, and
|
|
independently by Robert Connolly from Matta Consulting who further
|
|
noted that it allows a post-authentication heap overflow. Patch
|
|
by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668);
|
|
bugfix on 0.2.0.16-alpha.
|
|
- Fix a compile warning when using the --enable-openbsd-malloc
|
|
configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc.
|
|
- Directory caches no longer refuse to clean out descriptors because
|
|
of missing v2 networkstatus documents, unless they're configured
|
|
to retrieve v2 networkstatus documents. Fixes bug 4838; bugfix on
|
|
0.2.2.26-beta. Patch by Daniel Bryg.
|
|
- Update to the latest version of the tinytest unit testing framework.
|
|
This includes a couple of bugfixes that can be relevant for
|
|
running forked unit tests on Windows, and removes all reserved
|
|
identifiers.
|
|
|
|
o Minor bugfixes (on 0.2.3.x):
|
|
- On a failed pipe() call, don't leak file descriptors. Fixes bug
|
|
4296; bugfix on 0.2.3.1-alpha.
|
|
- Spec conformance: on a v3 handshake, do not send a NETINFO cell
|
|
until after we have received a CERTS cell. Fixes bug 4361; bugfix
|
|
on 0.2.3.6-alpha. Patch by "frosty".
|
|
- When binding to an IPv6 address, set the IPV6_V6ONLY socket
|
|
option, so that the IP stack doesn't decide to use it for IPv4
|
|
too. Fixes bug 4760; bugfix on 0.2.3.9-alpha.
|
|
- Ensure that variables set in Tor's environment cannot override
|
|
environment variables that Tor passes to a managed
|
|
pluggable-transport proxy. Previously, Tor would pass every
|
|
variable in its environment to managed proxies along with the new
|
|
ones, in such a way that on many operating systems, the inherited
|
|
environment variables would override those which Tor tried to
|
|
explicitly set. Bugfix on 0.2.3.12-alpha for most Unixoid systems;
|
|
bugfix on 0.2.3.9-alpha for Windows.
|
|
|
|
o Minor features:
|
|
- A wide variety of new unit tests by Esteban Manchado Velázquez.
|
|
- Shorten links in the tor-exit-notice file. Patch by Christian Kujau.
|
|
- Update to the March 6 2012 Maxmind GeoLite Country database.
|
|
|
|
|
|
Changes in version 0.2.3.12-alpha - 2012-02-13
|
|
Tor 0.2.3.12-alpha lets fast exit relays scale better, allows clients
|
|
to use bridges that run Tor 0.2.2.x, and resolves several big bugs
|
|
when Tor is configured to use a pluggable transport like obfsproxy.
|
|
|
|
o Major bugfixes:
|
|
- Fix builds when the path to sed, openssl, or sha1sum contains
|
|
spaces, which is pretty common on Windows. Fixes bug 5065; bugfix
|
|
on 0.2.2.1-alpha.
|
|
- Set the SO_REUSEADDR socket option before we call bind() on outgoing
|
|
connections. This change should allow busy exit relays to stop
|
|
running out of available sockets as quickly. Fixes bug 4950;
|
|
bugfix on 0.2.2.26-beta.
|
|
- Allow 0.2.3.x clients to use 0.2.2.x bridges. Previously the client
|
|
would ask the bridge for microdescriptors, which are only supported
|
|
in 0.2.3.x, and then fail to bootstrap when it didn't get the
|
|
answers it wanted. Fixes bug 4013; bugfix on 0.2.3.2-alpha.
|
|
- Properly set up obfsproxy's environment when in managed mode. The
|
|
Tor Browser Bundle needs LD_LIBRARY_PATH to be passed to obfsproxy,
|
|
and when you run your Tor as a daemon, there's no HOME. Fixes bugs
|
|
5076 and 5082; bugfix on 0.2.3.6-alpha.
|
|
|
|
o Minor features:
|
|
- Use the dead_strip option when building Tor on OS X. This reduces
|
|
binary size by almost 19% when linking openssl and libevent
|
|
statically, which we do for Tor Browser Bundle.
|
|
- Fix broken URLs in the sample torrc file, and tell readers about
|
|
the OutboundBindAddress, ExitPolicyRejectPrivate, and
|
|
PublishServerDescriptor options. Addresses bug 4652.
|
|
- Update to the February 7 2012 Maxmind GeoLite Country database.
|
|
|
|
o Minor bugfixes:
|
|
- Downgrade the "We're missing a certificate" message from notice
|
|
to info: people kept mistaking it for a real problem, whereas it
|
|
is seldom the problem even when we are failing to bootstrap. Fixes
|
|
bug 5067; bugfix on 0.2.0.10-alpha.
|
|
- Don't put "TOR_PT_EXTENDED_SERVER_PORT=127.0.0.1:4200" in a
|
|
managed pluggable transport server proxy's environment.
|
|
Previously, we would put it there, even though Tor doesn't
|
|
implement an 'extended server port' yet, and even though Tor
|
|
almost certainly isn't listening at that address. For now, we set
|
|
it to an empty string to avoid crashing older obfsproxies. Bugfix
|
|
on 0.2.3.6-alpha.
|
|
- Log the heartbeat message every HeartbeatPeriod seconds, not every
|
|
HeartbeatPeriod + 1 seconds. Fixes bug 4942; bugfix on
|
|
0.2.3.1-alpha. Bug reported by Scott Bennett.
|
|
- Calculate absolute paths correctly on Windows. Fixes bug 4973;
|
|
bugfix on 0.2.3.11-alpha.
|
|
- Update "ClientOnly" man page entry to explain that there isn't
|
|
really any point to messing with it. Resolves ticket 5005.
|
|
- Use the correct CVE number for CVE-2011-4576 in our comments and
|
|
log messages. Found by "fermenthor". Resolves bug 5066; bugfix on
|
|
0.2.3.11-alpha.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Use the _WIN32 macro throughout our code to detect Windows.
|
|
(Previously we had used the obsolete 'WIN32' and the idiosyncratic
|
|
'MS_WINDOWS'.)
|
|
|
|
|
|
Changes in version 0.2.3.11-alpha - 2012-01-22
|
|
Tor 0.2.3.11-alpha marks feature-freeze for the 0.2.3 tree. It deploys
|
|
the last step of the plan to limit maximum circuit length, includes
|
|
a wide variety of hidden service performance and correctness fixes,
|
|
works around an OpenSSL security flaw if your distro is too stubborn
|
|
to upgrade, and fixes a bunch of smaller issues.
|
|
|
|
o Major features:
|
|
- Now that Tor 0.2.0.x is completely deprecated, enable the final
|
|
part of "Proposal 110: Avoiding infinite length circuits" by
|
|
refusing all circuit-extend requests that do not use a relay_early
|
|
cell. This change helps Tor resist a class of denial-of-service
|
|
attacks by limiting the maximum circuit length.
|
|
- Adjust the number of introduction points that a hidden service
|
|
will try to maintain based on how long its introduction points
|
|
remain in use and how many introductions they handle. Fixes
|
|
part of bug 3825.
|
|
- Try to use system facilities for enumerating local interface
|
|
addresses, before falling back to our old approach (which was
|
|
binding a UDP socket, and calling getsockname() on it). That
|
|
approach was scaring OS X users whose draconian firewall
|
|
software warned about binding to UDP sockets, regardless of
|
|
whether packets were sent. Now we try to use getifaddrs(),
|
|
SIOCGIFCONF, or GetAdaptersAddresses(), depending on what the
|
|
system supports. Resolves ticket 1827.
|
|
|
|
o Major security workaround:
|
|
- When building or running with any version of OpenSSL earlier
|
|
than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
|
|
versions have a bug (CVE-2011-4576) in which their block cipher
|
|
padding includes uninitialized data, potentially leaking sensitive
|
|
information to any peer with whom they make a SSLv3 connection. Tor
|
|
does not use SSL v3 by default, but a hostile client or server
|
|
could force an SSLv3 connection in order to gain information that
|
|
they shouldn't have been able to get. The best solution here is to
|
|
upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
|
|
or running with a non-upgraded OpenSSL, we disable SSLv3 entirely
|
|
to make sure that the bug can't happen.
|
|
|
|
o Major bugfixes:
|
|
- Fix the SOCKET_OK test that we use to tell when socket
|
|
creation fails so that it works on Win64. Fixes part of bug 4533;
|
|
bugfix on 0.2.2.29-beta. Bug found by wanoskarnet.
|
|
- Correct our replacements for the timeradd() and timersub() functions
|
|
on platforms that lack them (for example, Windows). The timersub()
|
|
function is used when expiring circuits, while timeradd() is
|
|
currently unused. Bug report and patch by Vektor. Fixes bug 4778;
|
|
bugfix on 0.2.2.24-alpha and 0.2.3.1-alpha.
|
|
- Do not use OpenSSL 1.0.0's counter mode: it has a critical bug
|
|
that was fixed in OpenSSL 1.0.0a. We test for the counter mode
|
|
bug at runtime, not compile time, because some distributions hack
|
|
their OpenSSL to mis-report its version. Fixes bug 4779; bugfix
|
|
on 0.2.3.9-alpha. Found by Pascal.
|
|
|
|
o Minor features (controller):
|
|
- Use absolute path names when reporting the torrc filename in the
|
|
control protocol, so a controller can more easily find the torrc
|
|
file. Resolves bug 1101.
|
|
- Extend the control protocol to report flags that control a circuit's
|
|
path selection in CIRC events and in replies to 'GETINFO
|
|
circuit-status'. Implements part of ticket 2411.
|
|
- Extend the control protocol to report the hidden service address
|
|
and current state of a hidden-service-related circuit in CIRC
|
|
events and in replies to 'GETINFO circuit-status'. Implements part
|
|
of ticket 2411.
|
|
- When reporting the path to the cookie file to the controller,
|
|
give an absolute path. Resolves ticket 4881.
|
|
- Allow controllers to request an event notification whenever a
|
|
circuit is cannibalized or its purpose is changed. Implements
|
|
part of ticket 3457.
|
|
- Include the creation time of a circuit in CIRC and CIRC2
|
|
control-port events and the list produced by the 'GETINFO
|
|
circuit-status' control-port command.
|
|
|
|
o Minor features (directory authorities):
|
|
- Directory authorities now reject versions of Tor older than
|
|
0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
|
|
inclusive. These versions accounted for only a small fraction of
|
|
the Tor network, and have numerous known security issues. Resolves
|
|
issue 4788.
|
|
- Authority operators can now vote for all relays in a given
|
|
set of countries to be BadDir/BadExit/Invalid/Rejected.
|
|
- Provide two consensus parameters (FastFlagMinThreshold and
|
|
FastFlagMaxThreshold) to control the range of allowable bandwidths
|
|
for the Fast directory flag. These allow authorities to run
|
|
experiments on appropriate requirements for being a "Fast" node.
|
|
The AuthDirFastGuarantee config value still applies. Implements
|
|
ticket 3946.
|
|
- Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
|
|
directory authority option (introduced in Tor 0.2.2.34).
|
|
|
|
o Minor features (other):
|
|
- Don't disable the DirPort when we cannot exceed our AccountingMax
|
|
limit during this interval because the effective bandwidthrate is
|
|
low enough. This is useful in a situation where AccountMax is only
|
|
used as an additional safeguard or to provide statistics.
|
|
- Prepend an informative header to generated dynamic_dh_params files.
|
|
- If EntryNodes are given, but UseEntryGuards is set to 0, warn that
|
|
EntryNodes will have no effect. Resolves issue 2571.
|
|
- Log more useful messages when we fail to disable debugger
|
|
attachment.
|
|
- Log which authority we're missing votes from when we go to fetch
|
|
them from the other auths.
|
|
- Log (at debug level) whenever a circuit's purpose is changed.
|
|
- Add missing documentation for the MaxClientCircuitsPending,
|
|
UseMicrodescriptors, UserspaceIOCPBuffers, and
|
|
_UseFilteringSSLBufferevents options, all introduced during
|
|
the 0.2.3.x series.
|
|
- Update to the January 3 2012 Maxmind GeoLite Country database.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Don't close hidden service client circuits which have almost
|
|
finished connecting to their destination when they reach
|
|
the normal circuit-build timeout. Previously, we would close
|
|
introduction circuits which are waiting for an acknowledgement
|
|
from the introduction point, and rendezvous circuits which have
|
|
been specified in an INTRODUCE1 cell sent to a hidden service,
|
|
after the normal CBT. Now, we mark them as 'timed out', and launch
|
|
another rendezvous attempt in parallel. This behavior change can
|
|
be disabled using the new CloseHSClientCircuitsImmediatelyOnTimeout
|
|
option. Fixes part of bug 1297; bugfix on 0.2.2.2-alpha.
|
|
- Don't close hidden-service-side rendezvous circuits when they
|
|
reach the normal circuit-build timeout. This behavior change can
|
|
be disabled using the new
|
|
CloseHSServiceRendCircuitsImmediatelyOnTimeout option. Fixes the
|
|
remaining part of bug 1297; bugfix on 0.2.2.2-alpha.
|
|
- Make sure we never mark the wrong rendezvous circuit as having
|
|
had its introduction cell acknowleged by the introduction-point
|
|
relay. Previously, when we received an INTRODUCE_ACK cell on a
|
|
client-side hidden-service introduction circuit, we might have
|
|
marked a rendezvous circuit other than the one we specified in
|
|
the INTRODUCE1 cell as INTRO_ACKED, which would have produced
|
|
a warning message and interfered with the hidden service
|
|
connection-establishment process. Fixes bug 4759; bugfix on
|
|
0.2.3.3-alpha, when we added the stream-isolation feature which
|
|
might cause Tor to open multiple rendezvous circuits for the same
|
|
hidden service.
|
|
- Don't trigger an assertion failure when we mark a new client-side
|
|
hidden-service introduction circuit for close during the process
|
|
of creating it. Fixes bug 4796; bugfix on 0.2.3.6-alpha. Reported
|
|
by murb.
|
|
|
|
o Minor bugfixes (log messages):
|
|
- Correctly spell "connect" in a log message on failure to create a
|
|
controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta and
|
|
0.2.3.2-alpha.
|
|
- Fix a typo in a log message in rend_service_rendezvous_has_opened().
|
|
Fixes bug 4856; bugfix on Tor 0.0.6.
|
|
- Fix the log message describing how we work around discovering
|
|
that our version is the ill-fated OpenSSL 0.9.8l. Fixes bug
|
|
4837; bugfix on 0.2.2.9-alpha.
|
|
- When logging about a disallowed .exit name, do not also call it
|
|
an "invalid onion address". Fixes bug 3325; bugfix on 0.2.2.9-alpha.
|
|
|
|
o Minor bugfixes (build fixes):
|
|
- During configure, detect when we're building with clang version
|
|
3.0 or lower and disable the -Wnormalized=id and -Woverride-init
|
|
CFLAGS. clang doesn't support them yet.
|
|
- During configure, search for library containing cos function as
|
|
libm lives in libcore on some platforms (BeOS/Haiku). Linking
|
|
against libm was hard-coded before. Fixes the first part of bug
|
|
4727; bugfix on 0.2.2.2-alpha. Patch and analysis by Martin Hebnes
|
|
Pedersen.
|
|
- Detect attempts to build Tor on (as yet hypothetical) versions
|
|
of Windows where sizeof(intptr_t) != sizeof(SOCKET). Partial
|
|
fix for bug 4533. Bugfix on 0.2.2.28-beta.
|
|
- Preprocessor directives should not be put inside the arguments
|
|
of a macro. This would break compilation with GCC releases prior
|
|
to version 3.3. We would never recommend such an old GCC version,
|
|
but it is apparently required for binary compatibility on some
|
|
platforms (namely, certain builds of Haiku). Fixes the other part
|
|
of bug 4727; bugfix on 0.2.3.3-alpha. Patch and analysis by Martin
|
|
Hebnes Pedersen.
|
|
|
|
o Minor bugfixes (other):
|
|
- Older Linux kernels erroneously respond to strange nmap behavior
|
|
by having accept() return successfully with a zero-length
|
|
socket. When this happens, just close the connection. Previously,
|
|
we would try harder to learn the remote address: but there was
|
|
no such remote address to learn, and our method for trying to
|
|
learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
|
|
on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
|
|
- Fix null-pointer access that could occur if TLS allocation failed.
|
|
Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un". This was
|
|
erroneously listed as fixed in 0.2.3.9-alpha, but the fix had
|
|
accidentally been reverted.
|
|
- Fix our implementation of crypto_random_hostname() so it can't
|
|
overflow on ridiculously large inputs. (No Tor version has ever
|
|
provided this kind of bad inputs, but let's be correct in depth.)
|
|
Fixes bug 4413; bugfix on 0.2.2.9-alpha. Fix by Stephen Palmateer.
|
|
- Find more places in the code that should have been testing for
|
|
invalid sockets using the SOCKET_OK macro. Required for a fix
|
|
for bug 4533. Bugfix on 0.2.2.28-beta.
|
|
- Fix an assertion failure when, while running with bufferevents, a
|
|
connection finishes connecting after it is marked for close, but
|
|
before it is closed. Fixes bug 4697; bugfix on 0.2.3.1-alpha.
|
|
- test_util_spawn_background_ok() hardcoded the expected value
|
|
for ENOENT to 2. This isn't portable as error numbers are
|
|
platform specific, and particularly the hurd has ENOENT at
|
|
0x40000002. Construct expected string at runtime, using the correct
|
|
value for ENOENT. Fixes bug 4733; bugfix on 0.2.3.1-alpha.
|
|
- Reject attempts to disable DisableDebuggerAttachment while Tor is
|
|
running. Fixes bug 4650; bugfix on 0.2.3.9-alpha.
|
|
- Use an appropriate-width type for sockets in tor-fw-helper on
|
|
win64. Fixes bug 1983 at last. Bugfix on 0.2.3.9-alpha.
|
|
|
|
o Feature removal:
|
|
- When sending or relaying a RELAY_EARLY cell, we used to convert
|
|
it to a RELAY cell if the connection was using the v1 link
|
|
protocol. This was a workaround for older versions of Tor, which
|
|
didn't handle RELAY_EARLY cells properly. Now that all supported
|
|
versions can handle RELAY_EARLY cells, and now that we're enforcing
|
|
the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
|
|
remove this workaround. Addresses bug 4786.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Use OpenSSL's built-in SSL_state_string_long() instead of our
|
|
own homebrewed ssl_state_to_string() replacement. Patch from
|
|
Emile Snyder. Fixes bug 4653.
|
|
- Use macros to indicate OpenSSL versions, so we don't need to worry
|
|
about accidental hexadecimal bit shifts.
|
|
- Remove some workaround code for OpenSSL 0.9.6 (which is no longer
|
|
supported).
|
|
- Convert more instances of tor_snprintf+tor_strdup into tor_asprintf.
|
|
- Use the smartlist_add_asprintf() alias more consistently.
|
|
- Use a TOR_INVALID_SOCKET macro when initializing a socket to an
|
|
invalid value, rather than just -1.
|
|
- Rename a handful of old identifiers, mostly related to crypto
|
|
structures and crypto functions. By convention, our "create an
|
|
object" functions are called "type_new()", our "free an object"
|
|
functions are called "type_free()", and our types indicate that
|
|
they are types only with a final "_t". But a handful of older
|
|
types and functions broke these rules, with function names like
|
|
"type_create" or "subsystem_op_type", or with type names like
|
|
type_env_t.
|
|
|
|
|
|
Changes in version 0.2.3.10-alpha - 2011-12-16
|
|
Tor 0.2.3.10-alpha fixes a critical heap-overflow security issue in
|
|
Tor's buffers code. Absolutely everybody should upgrade.
|
|
|
|
The bug relied on an incorrect calculation when making data continuous
|
|
in one of our IO buffers, if the first chunk of the buffer was
|
|
misaligned by just the wrong amount. The miscalculation would allow an
|
|
attacker to overflow a piece of heap-allocated memory. To mount this
|
|
attack, the attacker would need to either open a SOCKS connection to
|
|
Tor's SocksPort (usually restricted to localhost), or target a Tor
|
|
instance configured to make its connections through a SOCKS proxy
|
|
(which Tor does not do by default).
|
|
|
|
Good security practice requires that all heap-overflow bugs should be
|
|
presumed to be exploitable until proven otherwise, so we are treating
|
|
this as a potential code execution attack. Please upgrade immediately!
|
|
This bug does not affect bufferevents-based builds of Tor. Special
|
|
thanks to "Vektor" for reporting this issue to us!
|
|
|
|
This release also contains a few minor bugfixes for issues discovered
|
|
in 0.2.3.9-alpha.
|
|
|
|
o Major bugfixes:
|
|
- Fix a heap overflow bug that could occur when trying to pull
|
|
data into the first chunk of a buffer, when that chunk had
|
|
already had some data drained from it. Fixes CVE-2011-2778;
|
|
bugfix on 0.2.0.16-alpha. Reported by "Vektor".
|
|
|
|
o Minor bugfixes:
|
|
- If we can't attach streams to a rendezvous circuit when we
|
|
finish connecting to a hidden service, clear the rendezvous
|
|
circuit's stream-isolation state and try to attach streams
|
|
again. Previously, we cleared rendezvous circuits' isolation
|
|
state either too early (if they were freshly built) or not at all
|
|
(if they had been built earlier and were cannibalized). Bugfix on
|
|
0.2.3.3-alpha; fixes bug 4655.
|
|
- Fix compilation of the libnatpmp helper on non-Windows. Bugfix on
|
|
0.2.3.9-alpha; fixes bug 4691. Reported by Anthony G. Basile.
|
|
- Fix an assertion failure when a relay with accounting enabled
|
|
starts up while dormant. Fixes bug 4702; bugfix on 0.2.3.9-alpha.
|
|
|
|
o Minor features:
|
|
- Update to the December 6 2011 Maxmind GeoLite Country database.
|
|
|
|
|
|
Changes in version 0.2.2.35 - 2011-12-16
|
|
Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's
|
|
buffers code. Absolutely everybody should upgrade.
|
|
|
|
The bug relied on an incorrect calculation when making data continuous
|
|
in one of our IO buffers, if the first chunk of the buffer was
|
|
misaligned by just the wrong amount. The miscalculation would allow an
|
|
attacker to overflow a piece of heap-allocated memory. To mount this
|
|
attack, the attacker would need to either open a SOCKS connection to
|
|
Tor's SocksPort (usually restricted to localhost), or target a Tor
|
|
instance configured to make its connections through a SOCKS proxy
|
|
(which Tor does not do by default).
|
|
|
|
Good security practice requires that all heap-overflow bugs should be
|
|
presumed to be exploitable until proven otherwise, so we are treating
|
|
this as a potential code execution attack. Please upgrade immediately!
|
|
This bug does not affect bufferevents-based builds of Tor. Special
|
|
thanks to "Vektor" for reporting this issue to us!
|
|
|
|
Tor 0.2.2.35 also fixes several bugs in previous versions, including
|
|
crash bugs for unusual configurations, and a long-term bug that
|
|
would prevent Tor from starting on Windows machines with draconian
|
|
AV software.
|
|
|
|
With this release, we remind everyone that 0.2.0.x has reached its
|
|
formal end-of-life. Those Tor versions have many known flaws, and
|
|
nobody should be using them. You should upgrade -- ideally to the
|
|
0.2.2.x series. If you're using a Linux or BSD and its packages are
|
|
obsolete, stop using those packages and upgrade anyway.
|
|
|
|
The Tor 0.2.1.x series is also approaching its end-of-life: it will no
|
|
longer receive support after some time in early 2012.
|
|
|
|
o Major bugfixes:
|
|
- Fix a heap overflow bug that could occur when trying to pull
|
|
data into the first chunk of a buffer, when that chunk had
|
|
already had some data drained from it. Fixes CVE-2011-2778;
|
|
bugfix on 0.2.0.16-alpha. Reported by "Vektor".
|
|
- Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so
|
|
that it doesn't attempt to allocate a socketpair. This could cause
|
|
some problems on Windows systems with overzealous firewalls. Fix for
|
|
bug 4457; workaround for Libevent versions 2.0.1-alpha through
|
|
2.0.15-stable.
|
|
- If we mark an OR connection for close based on a cell we process,
|
|
don't process any further cells on it. We already avoid further
|
|
reads on marked-for-close connections, but now we also discard the
|
|
cells we'd already read. Fixes bug 4299; bugfix on 0.2.0.10-alpha,
|
|
which was the first version where we might mark a connection for
|
|
close based on processing a cell on it.
|
|
- Correctly sanity-check that we don't underflow on a memory
|
|
allocation (and then assert) for hidden service introduction
|
|
point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410;
|
|
bugfix on 0.2.1.5-alpha.
|
|
- Fix a memory leak when we check whether a hidden service
|
|
descriptor has any usable introduction points left. Fixes bug
|
|
4424. Bugfix on 0.2.2.25-alpha.
|
|
- Don't crash when we're running as a relay and don't have a GeoIP
|
|
file. Bugfix on 0.2.2.34; fixes bug 4340. This backports a fix
|
|
we've had in the 0.2.3.x branch already.
|
|
- When running as a client, do not print a misleading (and plain
|
|
wrong) log message that we're collecting "directory request"
|
|
statistics: clients don't collect statistics. Also don't create a
|
|
useless (because empty) stats file in the stats/ directory. Fixes
|
|
bug 4353; bugfix on 0.2.2.34.
|
|
|
|
o Minor bugfixes:
|
|
- Detect failure to initialize Libevent. This fix provides better
|
|
detection for future instances of bug 4457.
|
|
- Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers
|
|
function. This was eating up hideously large amounts of time on some
|
|
busy servers. Fixes bug 4518; bugfix on 0.0.9.8.
|
|
- Resolve an integer overflow bug in smartlist_ensure_capacity().
|
|
Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by
|
|
Mansour Moufid.
|
|
- Don't warn about unused log_mutex in log.c when building with
|
|
--disable-threads using a recent GCC. Fixes bug 4437; bugfix on
|
|
0.1.0.6-rc which introduced --disable-threads.
|
|
- When configuring, starting, or stopping an NT service, stop
|
|
immediately after the service configuration attempt has succeeded
|
|
or failed. Fixes bug 3963; bugfix on 0.2.0.7-alpha.
|
|
- When sending a NETINFO cell, include the original address
|
|
received for the other side, not its canonical address. Found
|
|
by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha.
|
|
- Fix a typo in a hibernation-related log message. Fixes bug 4331;
|
|
bugfix on 0.2.2.23-alpha; found by "tmpname0901".
|
|
- Fix a memory leak in launch_direct_bridge_descriptor_fetch() that
|
|
occurred when a client tried to fetch a descriptor for a bridge
|
|
in ExcludeNodes. Fixes bug 4383; bugfix on 0.2.2.25-alpha.
|
|
- Backport fixes for a pair of compilation warnings on Windows.
|
|
Fixes bug 4521; bugfix on 0.2.2.28-beta and on 0.2.2.29-beta.
|
|
- If we had ever tried to call tor_addr_to_str on an address of
|
|
unknown type, we would have done a strdup on an uninitialized
|
|
buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha.
|
|
Reported by "troll_un".
|
|
- Correctly detect and handle transient lookup failures from
|
|
tor_addr_lookup. Fixes bug 4530; bugfix on 0.2.1.5-alpha.
|
|
Reported by "troll_un".
|
|
- Fix null-pointer access that could occur if TLS allocation failed.
|
|
Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un".
|
|
- Use tor_socket_t type for listener argument to accept(). Fixes bug
|
|
4535; bugfix on 0.2.2.28-beta. Found by "troll_un".
|
|
|
|
o Minor features:
|
|
- Add two new config options for directory authorities:
|
|
AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the
|
|
Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold
|
|
that is always sufficient to satisfy the bandwidth requirement for
|
|
the Guard flag. Now it will be easier for researchers to simulate
|
|
Tor networks with different values. Resolves ticket 4484.
|
|
- When Tor ignores a hidden service specified in its configuration,
|
|
include the hidden service's directory in the warning message.
|
|
Previously, we would only tell the user that some hidden service
|
|
was ignored. Bugfix on 0.0.6; fixes bug 4426.
|
|
- Update to the December 6 2011 Maxmind GeoLite Country database.
|
|
|
|
o Packaging changes:
|
|
- Make it easier to automate expert package builds on Windows,
|
|
by removing an absolute path from makensis.exe command.
|
|
|
|
|
|
Changes in version 0.2.1.32 - 2011-12-16
|
|
Tor 0.2.1.32 backports important security and privacy fixes for
|
|
oldstable. This release is intended only for package maintainers and
|
|
others who cannot use the 0.2.2 stable series. All others should be
|
|
using Tor 0.2.2.x or newer.
|
|
|
|
The Tor 0.2.1.x series will reach formal end-of-life some time in
|
|
early 2012; we will stop releasing patches for it then.
|
|
|
|
o Major bugfixes (also included in 0.2.2.x):
|
|
- Correctly sanity-check that we don't underflow on a memory
|
|
allocation (and then assert) for hidden service introduction
|
|
point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410;
|
|
bugfix on 0.2.1.5-alpha.
|
|
- Fix a heap overflow bug that could occur when trying to pull
|
|
data into the first chunk of a buffer, when that chunk had
|
|
already had some data drained from it. Fixes CVE-2011-2778;
|
|
bugfix on 0.2.0.16-alpha. Reported by "Vektor".
|
|
|
|
o Minor features:
|
|
- Update to the December 6 2011 Maxmind GeoLite Country database.
|
|
|
|
|
|
Changes in version 0.2.3.9-alpha - 2011-12-08
|
|
Tor 0.2.3.9-alpha introduces initial IPv6 support for bridges, adds
|
|
a "DisableNetwork" security feature that bundles can use to avoid
|
|
touching the network until bridges are configured, moves forward on
|
|
the pluggable transport design, fixes a flaw in the hidden service
|
|
design that unnecessarily prevented clients with wrong clocks from
|
|
reaching hidden services, and fixes a wide variety of other issues.
|
|
|
|
o Major features:
|
|
- Clients can now connect to private bridges over IPv6. Bridges
|
|
still need at least one IPv4 address in order to connect to
|
|
other relays. Note that we don't yet handle the case where the
|
|
user has two bridge lines for the same bridge (one IPv4, one
|
|
IPv6). Implements parts of proposal 186.
|
|
- New "DisableNetwork" config option to prevent Tor from launching any
|
|
connections or accepting any connections except on a control port.
|
|
Bundles and controllers can set this option before letting Tor talk
|
|
to the rest of the network, for example to prevent any connections
|
|
to a non-bridge address. Packages like Orbot can also use this
|
|
option to instruct Tor to save power when the network is off.
|
|
- Clients and bridges can now be configured to use a separate
|
|
"transport" proxy. This approach makes the censorship arms race
|
|
easier by allowing bridges to use protocol obfuscation plugins. It
|
|
implements the "managed proxy" part of proposal 180 (ticket 3472).
|
|
- When using OpenSSL 1.0.0 or later, use OpenSSL's counter mode
|
|
implementation. It makes AES_CTR about 7% faster than our old one
|
|
(which was about 10% faster than the one OpenSSL used to provide).
|
|
Resolves ticket 4526.
|
|
- Add a "tor2web mode" for clients that want to connect to hidden
|
|
services non-anonymously (and possibly more quickly). As a safety
|
|
measure to try to keep users from turning this on without knowing
|
|
what they are doing, tor2web mode must be explicitly enabled at
|
|
compile time, and a copy of Tor compiled to run in tor2web mode
|
|
cannot be used as a normal Tor client. Implements feature 2553.
|
|
- Add experimental support for running on Windows with IOCP and no
|
|
kernel-space socket buffers. This feature is controlled by a new
|
|
"UserspaceIOCPBuffers" config option (off by default), which has
|
|
no effect unless Tor has been built with support for bufferevents,
|
|
is running on Windows, and has enabled IOCP. This may, in the long
|
|
run, help solve or mitigate bug 98.
|
|
- Use a more secure consensus parameter voting algorithm. Now at
|
|
least three directory authorities or a majority of them must
|
|
vote on a given parameter before it will be included in the
|
|
consensus. Implements proposal 178.
|
|
|
|
o Major bugfixes:
|
|
- Hidden services now ignore the timestamps on INTRODUCE2 cells.
|
|
They used to check that the timestamp was within 30 minutes
|
|
of their system clock, so they could cap the size of their
|
|
replay-detection cache, but that approach unnecessarily refused
|
|
service to clients with wrong clocks. Bugfix on 0.2.1.6-alpha, when
|
|
the v3 intro-point protocol (the first one which sent a timestamp
|
|
field in the INTRODUCE2 cell) was introduced; fixes bug 3460.
|
|
- Only use the EVP interface when AES acceleration is enabled,
|
|
to avoid a 5-7% performance regression. Resolves issue 4525;
|
|
bugfix on 0.2.3.8-alpha.
|
|
|
|
o Privacy/anonymity features (bridge detection):
|
|
- Make bridge SSL certificates a bit more stealthy by using random
|
|
serial numbers, in the same fashion as OpenSSL when generating
|
|
self-signed certificates. Implements ticket 4584.
|
|
- Introduce a new config option "DynamicDHGroups", enabled by
|
|
default, which provides each bridge with a unique prime DH modulus
|
|
to be used during SSL handshakes. This option attempts to help
|
|
against censors who might use the Apache DH modulus as a static
|
|
identifier for bridges. Addresses ticket 4548.
|
|
|
|
o Minor features (new/different config options):
|
|
- New configuration option "DisableDebuggerAttachment" (on by default)
|
|
to prevent basic debugging attachment attempts by other processes.
|
|
Supports Mac OS X and Gnu/Linux. Resolves ticket 3313.
|
|
- Allow MapAddress directives to specify matches against super-domains,
|
|
as in "MapAddress *.torproject.org *.torproject.org.torserver.exit".
|
|
Implements issue 933.
|
|
- Slightly change behavior of "list" options (that is, config
|
|
options that can appear more than once) when they appear both in
|
|
torrc and on the command line. Previously, the command-line options
|
|
would be appended to the ones from torrc. Now, the command-line
|
|
options override the torrc options entirely. This new behavior
|
|
allows the user to override list options (like exit policies and
|
|
ports to listen on) from the command line, rather than simply
|
|
appending to the list.
|
|
- You can get the old (appending) command-line behavior for "list"
|
|
options by prefixing the option name with a "+".
|
|
- You can remove all the values for a "list" option from the command
|
|
line without adding any new ones by prefixing the option name
|
|
with a "/".
|
|
- Add experimental support for a "defaults" torrc file to be parsed
|
|
before the regular torrc. Torrc options override the defaults file's
|
|
options in the same way that the command line overrides the torrc.
|
|
The SAVECONF controller command saves only those options which
|
|
differ between the current configuration and the defaults file. HUP
|
|
reloads both files. (Note: This is an experimental feature; its
|
|
behavior will probably be refined in future 0.2.3.x-alpha versions
|
|
to better meet packagers' needs.) Implements task 4552.
|
|
|
|
o Minor features:
|
|
- Try to make the introductory warning message that Tor prints on
|
|
startup more useful for actually finding help and information.
|
|
Resolves ticket 2474.
|
|
- Running "make version" now displays the version of Tor that
|
|
we're about to build. Idea from katmagic; resolves issue 4400.
|
|
- Expire old or over-used hidden service introduction points.
|
|
Required by fix for bug 3460.
|
|
- Move the replay-detection cache for the RSA-encrypted parts of
|
|
INTRODUCE2 cells to the introduction point data structures.
|
|
Previously, we would use one replay-detection cache per hidden
|
|
service. Required by fix for bug 3460.
|
|
- Reduce the lifetime of elements of hidden services' Diffie-Hellman
|
|
public key replay-detection cache from 60 minutes to 5 minutes. This
|
|
replay-detection cache is now used only to detect multiple
|
|
INTRODUCE2 cells specifying the same rendezvous point, so we can
|
|
avoid launching multiple simultaneous attempts to connect to it.
|
|
|
|
o Minor bugfixes (on Tor 0.2.2.x and earlier):
|
|
- Resolve an integer overflow bug in smartlist_ensure_capacity().
|
|
Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by
|
|
Mansour Moufid.
|
|
- Fix a minor formatting issue in one of tor-gencert's error messages.
|
|
Fixes bug 4574.
|
|
- Prevent a false positive from the check-spaces script, by disabling
|
|
the "whitespace between function name and (" check for functions
|
|
named 'op()'.
|
|
- Fix a log message suggesting that people contact a non-existent
|
|
email address. Fixes bug 3448.
|
|
- Fix null-pointer access that could occur if TLS allocation failed.
|
|
Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un".
|
|
- Report a real bootstrap problem to the controller on router
|
|
identity mismatch. Previously we just said "foo", which probably
|
|
made a lot of sense at the time. Fixes bug 4169; bugfix on
|
|
0.2.1.1-alpha.
|
|
- If we had ever tried to call tor_addr_to_str() on an address of
|
|
unknown type, we would have done a strdup() on an uninitialized
|
|
buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha.
|
|
Reported by "troll_un".
|
|
- Correctly detect and handle transient lookup failures from
|
|
tor_addr_lookup(). Fixes bug 4530; bugfix on 0.2.1.5-alpha.
|
|
Reported by "troll_un".
|
|
- Use tor_socket_t type for listener argument to accept(). Fixes bug
|
|
4535; bugfix on 0.2.2.28-beta. Found by "troll_un".
|
|
- Initialize conn->addr to a valid state in spawn_cpuworker(). Fixes
|
|
bug 4532; found by "troll_un".
|
|
|
|
o Minor bugfixes (on Tor 0.2.3.x):
|
|
- Fix a compile warning in tor_inet_pton(). Bugfix on 0.2.3.8-alpha;
|
|
fixes bug 4554.
|
|
- Don't send two ESTABLISH_RENDEZVOUS cells when opening a new
|
|
circuit for use as a hidden service client's rendezvous point.
|
|
Fixes bugs 4641 and 4171; bugfix on 0.2.3.3-alpha. Diagnosed
|
|
with help from wanoskarnet.
|
|
- Restore behavior of overriding SocksPort, ORPort, and similar
|
|
options from the command line. Bugfix on 0.2.3.3-alpha.
|
|
|
|
o Build fixes:
|
|
- Properly handle the case where the build-tree is not the same
|
|
as the source tree when generating src/common/common_sha1.i,
|
|
src/or/micro-revision.i, and src/or/or_sha1.i. Fixes bug 3953;
|
|
bugfix on 0.2.0.1-alpha.
|
|
|
|
o Code simplifications, cleanups, and refactorings:
|
|
- Remove the pure attribute from all functions that used it
|
|
previously. In many cases we assigned it incorrectly, because the
|
|
functions might assert or call impure functions, and we don't have
|
|
evidence that keeping the pure attribute is worthwhile. Implements
|
|
changes suggested in ticket 4421.
|
|
- Remove some dead code spotted by coverity. Fixes cid 432.
|
|
Bugfix on 0.2.3.1-alpha, closes bug 4637.
|
|
|
|
|
|
Changes in version 0.2.3.8-alpha - 2011-11-22
|
|
Tor 0.2.3.8-alpha fixes some crash and assert bugs, including a
|
|
socketpair-related bug that has been bothering Windows users. It adds
|
|
support to serve microdescriptors to controllers, so Vidalia's network
|
|
map can resume listing relays (once Vidalia implements its side),
|
|
and adds better support for hardware AES acceleration. Finally, it
|
|
starts the process of adjusting the bandwidth cutoff for getting the
|
|
"Fast" flag from 20KB to (currently) 32KB -- preliminary results show
|
|
that tiny relays harm performance more than they help network capacity.
|
|
|
|
o Major bugfixes:
|
|
- Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so
|
|
that it doesn't attempt to allocate a socketpair. This could cause
|
|
some problems on Windows systems with overzealous firewalls. Fix for
|
|
bug 4457; workaround for Libevent versions 2.0.1-alpha through
|
|
2.0.15-stable.
|
|
- Correctly sanity-check that we don't underflow on a memory
|
|
allocation (and then assert) for hidden service introduction
|
|
point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410;
|
|
bugfix on 0.2.1.5-alpha.
|
|
- Remove the artificially low cutoff of 20KB to guarantee the Fast
|
|
flag. In the past few years the average relay speed has picked
|
|
up, and while the "top 7/8 of the network get the Fast flag" and
|
|
"all relays with 20KB or more of capacity get the Fast flag" rules
|
|
used to have the same result, now the top 7/8 of the network has
|
|
a capacity more like 32KB. Bugfix on 0.2.1.14-rc. Fixes bug 4489.
|
|
- Fix a rare assertion failure when checking whether a v0 hidden
|
|
service descriptor has any usable introduction points left, and
|
|
we don't have enough information to build a circuit to the first
|
|
intro point named in the descriptor. The HS client code in
|
|
0.2.3.x no longer uses v0 HS descriptors, but this assertion can
|
|
trigger on (and crash) v0 HS authorities. Fixes bug 4411.
|
|
Bugfix on 0.2.3.1-alpha; diagnosed by frosty_un.
|
|
- Make bridge authorities not crash when they are asked for their own
|
|
descriptor. Bugfix on 0.2.3.7-alpha, reported by Lucky Green.
|
|
- When running as a client, do not print a misleading (and plain
|
|
wrong) log message that we're collecting "directory request"
|
|
statistics: clients don't collect statistics. Also don't create a
|
|
useless (because empty) stats file in the stats/ directory. Fixes
|
|
bug 4353; bugfix on 0.2.2.34 and 0.2.3.7-alpha.
|
|
|
|
o Major features:
|
|
- Allow Tor controllers like Vidalia to obtain the microdescriptor
|
|
for a relay by identity digest or nickname. Previously,
|
|
microdescriptors were only available by their own digests, so a
|
|
controller would have to ask for and parse the whole microdescriptor
|
|
consensus in order to look up a single relay's microdesc. Fixes
|
|
bug 3832; bugfix on 0.2.3.1-alpha.
|
|
- Use OpenSSL's EVP interface for AES encryption, so that all AES
|
|
operations can use hardware acceleration (if present). Resolves
|
|
ticket 4442.
|
|
|
|
o Minor bugfixes (on 0.2.2.x and earlier):
|
|
- Detect failure to initialize Libevent. This fix provides better
|
|
detection for future instances of bug 4457.
|
|
- Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers
|
|
function. This was eating up hideously large amounts of time on some
|
|
busy servers. Fixes bug 4518; bugfix on 0.0.9.8.
|
|
- Don't warn about unused log_mutex in log.c when building with
|
|
--disable-threads using a recent GCC. Fixes bug 4437; bugfix on
|
|
0.1.0.6-rc which introduced --disable-threads.
|
|
- Allow manual 'authenticate' commands to the controller interface
|
|
from netcat (nc) as well as telnet. We were rejecting them because
|
|
they didn't come with the expected whitespace at the end of the
|
|
command. Bugfix on 0.1.1.1-alpha; fixes bug 2893.
|
|
- Fix some (not actually triggerable) buffer size checks in usage of
|
|
tor_inet_ntop. Fixes bug 4434; bugfix on Tor 0.2.0.1-alpha. Patch
|
|
by Anders Sundman.
|
|
- Fix parsing of some corner-cases with tor_inet_pton(). Fixes
|
|
bug 4515; bugfix on 0.2.0.1-alpha; fix by Anders Sundman.
|
|
- When configuring, starting, or stopping an NT service, stop
|
|
immediately after the service configuration attempt has succeeded
|
|
or failed. Fixes bug 3963; bugfix on 0.2.0.7-alpha.
|
|
- When sending a NETINFO cell, include the original address
|
|
received for the other side, not its canonical address. Found
|
|
by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha.
|
|
- Rename the bench_{aes,dmap} functions to test_*, so that tinytest
|
|
can pick them up when the tests aren't disabled. Bugfix on
|
|
0.2.2.4-alpha which introduced tinytest.
|
|
- Fix a memory leak when we check whether a hidden service
|
|
descriptor has any usable introduction points left. Fixes bug
|
|
4424. Bugfix on 0.2.2.25-alpha.
|
|
- Fix a memory leak in launch_direct_bridge_descriptor_fetch() that
|
|
occurred when a client tried to fetch a descriptor for a bridge
|
|
in ExcludeNodes. Fixes bug 4383; bugfix on 0.2.2.25-alpha.
|
|
|
|
o Minor bugfixes (on 0.2.3.x):
|
|
- Make util unit tests build correctly with MSVC. Bugfix on
|
|
0.2.3.3-alpha. Patch by Gisle Vanem.
|
|
- Successfully detect AUTH_CHALLENGE cells with no recognized
|
|
authentication type listed. Fixes bug 4367; bugfix on 0.2.3.6-alpha.
|
|
Found by frosty_un.
|
|
- If a relay receives an AUTH_CHALLENGE cell it can't answer,
|
|
it should still send a NETINFO cell to allow the connection to
|
|
become open. Fixes bug 4368; fix on 0.2.3.6-alpha; bug found by
|
|
"frosty".
|
|
- Log less loudly when we get an invalid authentication certificate
|
|
from a source other than a directory authority: it's not unusual
|
|
to see invalid certs because of clock skew. Fixes bug 4370; bugfix
|
|
on 0.2.3.6-alpha.
|
|
- Tolerate servers with more clock skew in their authentication
|
|
certificates than previously. Fixes bug 4371; bugfix on
|
|
0.2.3.6-alpha.
|
|
- Fix a couple of compile warnings on Windows. Fixes bug 4469; bugfix
|
|
on 0.2.3.4-alpha and 0.2.3.6-alpha.
|
|
|
|
o Minor features:
|
|
- Add two new config options for directory authorities:
|
|
AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the
|
|
Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold
|
|
that is always sufficient to satisfy the bandwidth requirement for
|
|
the Guard flag. Now it will be easier for researchers to simulate
|
|
Tor networks with different values. Resolves ticket 4484.
|
|
- When Tor ignores a hidden service specified in its configuration,
|
|
include the hidden service's directory in the warning message.
|
|
Previously, we would only tell the user that some hidden service
|
|
was ignored. Bugfix on 0.0.6; fixes bug 4426.
|
|
- When we fail to initialize Libevent, retry with IOCP disabled so we
|
|
don't need to turn on multi-threading support in Libevent, which in
|
|
turn requires a working socketpair(). This is a workaround for bug
|
|
4457, which affects Libevent versions from 2.0.1-alpha through
|
|
2.0.15-stable.
|
|
- Detect when we try to build on a platform that doesn't define
|
|
AF_UNSPEC to 0. We don't work there, so refuse to compile.
|
|
- Update to the November 1 2011 Maxmind GeoLite Country database.
|
|
|
|
o Packaging changes:
|
|
- Make it easier to automate expert package builds on Windows,
|
|
by removing an absolute path from makensis.exe command.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Remove some redundant #include directives throughout the code.
|
|
Patch from Andrea Gelmini.
|
|
- Unconditionally use OpenSSL's AES implementation instead of our
|
|
old built-in one. OpenSSL's AES has been better for a while, and
|
|
relatively few servers should still be on any version of OpenSSL
|
|
that doesn't have good optimized assembly AES.
|
|
- Use the name "CERTS" consistently to refer to the new cell type;
|
|
we were calling it CERT in some places and CERTS in others.
|
|
|
|
o Testing:
|
|
- Numerous new unit tests for functions in util.c and address.c by
|
|
Anders Sundman.
|
|
- The long-disabled benchmark tests are now split into their own
|
|
./src/test/bench binary.
|
|
- The benchmark tests can now use more accurate timers than
|
|
gettimeofday() when such timers are available.
|
|
|
|
|
|
Changes in version 0.2.3.7-alpha - 2011-10-30
|
|
Tor 0.2.3.7-alpha fixes a crash bug in 0.2.3.6-alpha introduced by
|
|
the new v3 handshake. It also resolves yet another bridge address
|
|
enumeration issue.
|
|
|
|
o Major bugfixes:
|
|
- If we mark an OR connection for close based on a cell we process,
|
|
don't process any further cells on it. We already avoid further
|
|
reads on marked-for-close connections, but now we also discard the
|
|
cells we'd already read. Fixes bug 4299; bugfix on 0.2.0.10-alpha,
|
|
which was the first version where we might mark a connection for
|
|
close based on processing a cell on it.
|
|
- Fix a double-free bug that would occur when we received an invalid
|
|
certificate in a CERT cell in the new v3 handshake. Fixes bug 4343;
|
|
bugfix on 0.2.3.6-alpha.
|
|
- Bridges no longer include their address in NETINFO cells on outgoing
|
|
OR connections, to allow them to blend in better with clients.
|
|
Removes another avenue for enumerating bridges. Reported by
|
|
"troll_un". Fixes bug 4348; bugfix on 0.2.0.10-alpha, when NETINFO
|
|
cells were introduced.
|
|
|
|
o Trivial fixes:
|
|
- Fixed a typo in a hibernation-related log message. Fixes bug 4331;
|
|
bugfix on 0.2.2.23-alpha; found by "tmpname0901".
|
|
|
|
|
|
Changes in version 0.2.3.6-alpha - 2011-10-26
|
|
Tor 0.2.3.6-alpha includes the fix from 0.2.2.34 for a critical
|
|
anonymity vulnerability where an attacker can deanonymize Tor
|
|
users. Everybody should upgrade.
|
|
|
|
This release also features support for a new v3 connection handshake
|
|
protocol, and fixes to make hidden service connections more robust.
|
|
|
|
o Major features:
|
|
- Implement a new handshake protocol (v3) for authenticating Tors to
|
|
each other over TLS. It should be more resistant to fingerprinting
|
|
than previous protocols, and should require less TLS hacking for
|
|
future Tor implementations. Implements proposal 176.
|
|
- Allow variable-length padding cells to disguise the length of
|
|
Tor's TLS records. Implements part of proposal 184.
|
|
|
|
o Privacy/anonymity fixes (clients):
|
|
- Clients and bridges no longer send TLS certificate chains on
|
|
outgoing OR connections. Previously, each client or bridge would
|
|
use the same cert chain for all outgoing OR connections until
|
|
its IP address changes, which allowed any relay that the client
|
|
or bridge contacted to determine which entry guards it is using.
|
|
Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
|
|
- If a relay receives a CREATE_FAST cell on a TLS connection, it
|
|
no longer considers that connection as suitable for satisfying a
|
|
circuit EXTEND request. Now relays can protect clients from the
|
|
CVE-2011-2768 issue even if the clients haven't upgraded yet.
|
|
- Directory authorities no longer assign the Guard flag to relays
|
|
that haven't upgraded to the above "refuse EXTEND requests
|
|
to client connections" fix. Now directory authorities can
|
|
protect clients from the CVE-2011-2768 issue even if neither
|
|
the clients nor the relays have upgraded yet. There's a new
|
|
"GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option
|
|
to let us transition smoothly, else tomorrow there would be no
|
|
guard relays.
|
|
|
|
o Major bugfixes (hidden services):
|
|
- Improve hidden service robustness: when an attempt to connect to
|
|
a hidden service ends, be willing to refetch its hidden service
|
|
descriptors from each of the HSDir relays responsible for them
|
|
immediately. Previously, we would not consider refetching the
|
|
service's descriptors from each HSDir for 15 minutes after the last
|
|
fetch, which was inconvenient if the hidden service was not running
|
|
during the first attempt. Bugfix on 0.2.0.18-alpha; fixes bug 3335.
|
|
- When one of a hidden service's introduction points appears to be
|
|
unreachable, stop trying it. Previously, we would keep trying
|
|
to build circuits to the introduction point until we lost the
|
|
descriptor, usually because the user gave up and restarted Tor.
|
|
Partly fixes bug 3825.
|
|
- Don't launch a useless circuit after failing to use one of a
|
|
hidden service's introduction points. Previously, we would
|
|
launch a new introduction circuit, but not set the hidden service
|
|
which that circuit was intended to connect to, so it would never
|
|
actually be used. A different piece of code would then create a
|
|
new introduction circuit correctly. Bug reported by katmagic and
|
|
found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212.
|
|
|
|
o Major bugfixes (other):
|
|
- Bridges now refuse CREATE or CREATE_FAST cells on OR connections
|
|
that they initiated. Relays could distinguish incoming bridge
|
|
connections from client connections, creating another avenue for
|
|
enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
|
|
Found by "frosty_un".
|
|
- Don't update the AccountingSoftLimitHitAt state file entry whenever
|
|
tor gets started. This prevents a wrong average bandwidth
|
|
estimate, which would cause relays to always start a new accounting
|
|
interval at the earliest possible moment. Fixes bug 2003; bugfix
|
|
on 0.2.2.7-alpha. Reported by BryonEldridge, who also helped
|
|
immensely in tracking this bug down.
|
|
- Fix a crash bug when changing node restrictions while a DNS lookup
|
|
is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix
|
|
by "Tey'".
|
|
|
|
o Minor bugfixes (on 0.2.2.x and earlier):
|
|
- When a hidden service turns an extra service-side introduction
|
|
circuit into a general-purpose circuit, free the rend_data and
|
|
intro_key fields first, so we won't leak memory if the circuit
|
|
is cannibalized for use as another service-side introduction
|
|
circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251.
|
|
- Rephrase the log message emitted if the TestSocks check is
|
|
successful. Patch from Fabian Keil; fixes bug 4094.
|
|
- Bridges now skip DNS self-tests, to act a little more stealthily.
|
|
Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced
|
|
bridges. Patch by "warms0x".
|
|
- Remove a confusing dollar sign from the example fingerprint in the
|
|
man page, and also make the example fingerprint a valid one. Fixes
|
|
bug 4309; bugfix on 0.2.1.3-alpha.
|
|
- Fix internal bug-checking logic that was supposed to catch
|
|
failures in digest generation so that it will fail more robustly
|
|
if we ask for a nonexistent algorithm. Found by Coverity Scan.
|
|
Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479.
|
|
- Report any failure in init_keys() calls launched because our
|
|
IP address has changed. Spotted by Coverity Scan. Bugfix on
|
|
0.1.1.4-alpha; fixes CID 484.
|
|
|
|
o Minor bugfixes (on 0.2.3.x):
|
|
- Fix a bug in configure.in that kept it from building a configure
|
|
script with autoconf versions earlier than 2.61. Fixes bug 2430;
|
|
bugfix on 0.2.3.1-alpha.
|
|
- Don't warn users that they are exposing a client port to the
|
|
Internet if they have specified an RFC1918 address. Previously,
|
|
we would warn if the user had specified any non-loopback
|
|
address. Bugfix on 0.2.3.3-alpha. Fixes bug 4018; reported by Tas.
|
|
- Fix memory leaks in the failing cases of the new SocksPort and
|
|
ControlPort code. Found by Coverity Scan. Bugfix on 0.2.3.3-alpha;
|
|
fixes coverity CIDs 485, 486, and 487.
|
|
|
|
o Minor features:
|
|
- When a hidden service's introduction point times out, consider
|
|
trying it again during the next attempt to connect to the
|
|
HS. Previously, we would not try it again unless a newly fetched
|
|
descriptor contained it. Required by fixes for bugs 1297 and 3825.
|
|
- The next version of Windows will be called Windows 8, and it has
|
|
a major version of 6, minor version of 2. Correctly identify that
|
|
version instead of calling it "Very recent version". Resolves
|
|
ticket 4153; reported by funkstar.
|
|
- The Bridge Authority now writes statistics on how many bridge
|
|
descriptors it gave out in total, and how many unique descriptors
|
|
it gave out. It also lists how often the most and least commonly
|
|
fetched descriptors were given out, as well as the median and
|
|
25th/75th percentile. Implements tickets 4200 and 4294.
|
|
- Update to the October 4 2011 Maxmind GeoLite Country database.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Remove some old code to remember statistics about which descriptors
|
|
we've served as a directory mirror. The feature wasn't used and
|
|
is outdated now that microdescriptors are around.
|
|
- Rename Tor functions that turn strings into addresses, so that
|
|
"parse" indicates that no hostname resolution occurs, and
|
|
"lookup" indicates that hostname resolution may occur. This
|
|
should help prevent mistakes in the future. Fixes bug 3512.
|
|
|
|
|
|
Changes in version 0.2.2.34 - 2011-10-26
|
|
Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker
|
|
can deanonymize Tor users. Everybody should upgrade.
|
|
|
|
The attack relies on four components: 1) Clients reuse their TLS cert
|
|
when talking to different relays, so relays can recognize a user by
|
|
the identity key in her cert. 2) An attacker who knows the client's
|
|
identity key can probe each guard relay to see if that identity key
|
|
is connected to that guard relay right now. 3) A variety of active
|
|
attacks in the literature (starting from "Low-Cost Traffic Analysis
|
|
of Tor" by Murdoch and Danezis in 2005) allow a malicious website to
|
|
discover the guard relays that a Tor user visiting the website is using.
|
|
4) Clients typically pick three guards at random, so the set of guards
|
|
for a given user could well be a unique fingerprint for her. This
|
|
release fixes components #1 and #2, which is enough to block the attack;
|
|
the other two remain as open research problems. Special thanks to
|
|
"frosty_un" for reporting the issue to us!
|
|
|
|
Clients should upgrade so they are no longer recognizable by the TLS
|
|
certs they present. Relays should upgrade so they no longer allow a
|
|
remote attacker to probe them to test whether unpatched clients are
|
|
currently connected to them.
|
|
|
|
This release also fixes several vulnerabilities that allow an attacker
|
|
to enumerate bridge relays. Some bridge enumeration attacks still
|
|
remain; see for example proposal 188.
|
|
|
|
o Privacy/anonymity fixes (clients):
|
|
- Clients and bridges no longer send TLS certificate chains on
|
|
outgoing OR connections. Previously, each client or bridge would
|
|
use the same cert chain for all outgoing OR connections until
|
|
its IP address changes, which allowed any relay that the client
|
|
or bridge contacted to determine which entry guards it is using.
|
|
Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
|
|
- If a relay receives a CREATE_FAST cell on a TLS connection, it
|
|
no longer considers that connection as suitable for satisfying a
|
|
circuit EXTEND request. Now relays can protect clients from the
|
|
CVE-2011-2768 issue even if the clients haven't upgraded yet.
|
|
- Directory authorities no longer assign the Guard flag to relays
|
|
that haven't upgraded to the above "refuse EXTEND requests
|
|
to client connections" fix. Now directory authorities can
|
|
protect clients from the CVE-2011-2768 issue even if neither
|
|
the clients nor the relays have upgraded yet. There's a new
|
|
"GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option
|
|
to let us transition smoothly, else tomorrow there would be no
|
|
guard relays.
|
|
|
|
o Privacy/anonymity fixes (bridge enumeration):
|
|
- Bridge relays now do their directory fetches inside Tor TLS
|
|
connections, like all the other clients do, rather than connecting
|
|
directly to the DirPort like public relays do. Removes another
|
|
avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35.
|
|
- Bridges relays now build circuits for themselves in a more similar
|
|
way to how clients build them. Removes another avenue for
|
|
enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha,
|
|
when bridges were introduced.
|
|
- Bridges now refuse CREATE or CREATE_FAST cells on OR connections
|
|
that they initiated. Relays could distinguish incoming bridge
|
|
connections from client connections, creating another avenue for
|
|
enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
|
|
Found by "frosty_un".
|
|
|
|
o Major bugfixes:
|
|
- Fix a crash bug when changing node restrictions while a DNS lookup
|
|
is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix
|
|
by "Tey'".
|
|
- Don't launch a useless circuit after failing to use one of a
|
|
hidden service's introduction points. Previously, we would
|
|
launch a new introduction circuit, but not set the hidden service
|
|
which that circuit was intended to connect to, so it would never
|
|
actually be used. A different piece of code would then create a
|
|
new introduction circuit correctly. Bug reported by katmagic and
|
|
found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212.
|
|
|
|
o Minor bugfixes:
|
|
- Change an integer overflow check in the OpenBSD_Malloc code so
|
|
that GCC is less likely to eliminate it as impossible. Patch
|
|
from Mansour Moufid. Fixes bug 4059.
|
|
- When a hidden service turns an extra service-side introduction
|
|
circuit into a general-purpose circuit, free the rend_data and
|
|
intro_key fields first, so we won't leak memory if the circuit
|
|
is cannibalized for use as another service-side introduction
|
|
circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251.
|
|
- Bridges now skip DNS self-tests, to act a little more stealthily.
|
|
Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced
|
|
bridges. Patch by "warms0x".
|
|
- Fix internal bug-checking logic that was supposed to catch
|
|
failures in digest generation so that it will fail more robustly
|
|
if we ask for a nonexistent algorithm. Found by Coverity Scan.
|
|
Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479.
|
|
- Report any failure in init_keys() calls launched because our
|
|
IP address has changed. Spotted by Coverity Scan. Bugfix on
|
|
0.1.1.4-alpha; fixes CID 484.
|
|
|
|
o Minor bugfixes (log messages and documentation):
|
|
- Remove a confusing dollar sign from the example fingerprint in the
|
|
man page, and also make the example fingerprint a valid one. Fixes
|
|
bug 4309; bugfix on 0.2.1.3-alpha.
|
|
- The next version of Windows will be called Windows 8, and it has
|
|
a major version of 6, minor version of 2. Correctly identify that
|
|
version instead of calling it "Very recent version". Resolves
|
|
ticket 4153; reported by funkstar.
|
|
- Downgrade log messages about circuit timeout calibration from
|
|
"notice" to "info": they don't require or suggest any human
|
|
intervention. Patch from Tom Lowenthal. Fixes bug 4063;
|
|
bugfix on 0.2.2.14-alpha.
|
|
|
|
o Minor features:
|
|
- Turn on directory request statistics by default and include them in
|
|
extra-info descriptors. Don't break if we have no GeoIP database.
|
|
Backported from 0.2.3.1-alpha; implements ticket 3951.
|
|
- Update to the October 4 2011 Maxmind GeoLite Country database.
|
|
|
|
|
|
Changes in version 0.2.1.31 - 2011-10-26
|
|
Tor 0.2.1.31 backports important security and privacy fixes for
|
|
oldstable. This release is intended only for package maintainers and
|
|
others who cannot use the 0.2.2 stable series. All others should be
|
|
using Tor 0.2.2.x or newer.
|
|
|
|
o Security fixes (also included in 0.2.2.x):
|
|
- Replace all potentially sensitive memory comparison operations
|
|
with versions whose runtime does not depend on the data being
|
|
compared. This will help resist a class of attacks where an
|
|
adversary can use variations in timing information to learn
|
|
sensitive data. Fix for one case of bug 3122. (Safe memcmp
|
|
implementation by Robert Ransom based partially on code by DJB.)
|
|
- Fix an assert in parsing router descriptors containing IPv6
|
|
addresses. This one took down the directory authorities when
|
|
somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
|
|
|
|
o Privacy/anonymity fixes (also included in 0.2.2.x):
|
|
- Clients and bridges no longer send TLS certificate chains on
|
|
outgoing OR connections. Previously, each client or bridge would
|
|
use the same cert chain for all outgoing OR connections until
|
|
its IP address changes, which allowed any relay that the client
|
|
or bridge contacted to determine which entry guards it is using.
|
|
Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
|
|
- If a relay receives a CREATE_FAST cell on a TLS connection, it
|
|
no longer considers that connection as suitable for satisfying a
|
|
circuit EXTEND request. Now relays can protect clients from the
|
|
CVE-2011-2768 issue even if the clients haven't upgraded yet.
|
|
- Bridges now refuse CREATE or CREATE_FAST cells on OR connections
|
|
that they initiated. Relays could distinguish incoming bridge
|
|
connections from client connections, creating another avenue for
|
|
enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
|
|
Found by "frosty_un".
|
|
- When receiving a hidden service descriptor, check that it is for
|
|
the hidden service we wanted. Previously, Tor would store any
|
|
hidden service descriptors that a directory gave it, whether it
|
|
wanted them or not. This wouldn't have let an attacker impersonate
|
|
a hidden service, but it did let directories pre-seed a client
|
|
with descriptors that it didn't want. Bugfix on 0.0.6.
|
|
- Avoid linkability based on cached hidden service descriptors: forget
|
|
all hidden service descriptors cached as a client when processing a
|
|
SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
|
|
- Make the bridge directory authority refuse to answer directory
|
|
requests for "all" descriptors. It used to include bridge
|
|
descriptors in its answer, which was a major information leak.
|
|
Found by "piebeer". Bugfix on 0.2.0.3-alpha.
|
|
- Don't attach new streams to old rendezvous circuits after SIGNAL
|
|
NEWNYM. Previously, we would keep using an existing rendezvous
|
|
circuit if it remained open (i.e. if it were kept open by a
|
|
long-lived stream, or if a new stream were attached to it before
|
|
Tor could notice that it was old and no longer in use). Bugfix on
|
|
0.1.1.15-rc; fixes bug 3375.
|
|
|
|
o Minor bugfixes (also included in 0.2.2.x):
|
|
- When we restart our relay, we might get a successful connection
|
|
from the outside before we've started our reachability tests,
|
|
triggering a warning: "ORPort found reachable, but I have no
|
|
routerinfo yet. Failing to inform controller of success." This
|
|
bug was harmless unless Tor is running under a controller
|
|
like Vidalia, in which case the controller would never get a
|
|
REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
|
|
fixes bug 1172.
|
|
- Build correctly on OSX with zlib 1.2.4 and higher with all warnings
|
|
enabled. Fixes bug 1526.
|
|
- Remove undocumented option "-F" from tor-resolve: it hasn't done
|
|
anything since 0.2.1.16-rc.
|
|
- Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
|
|
None of the cases where we did this before were wrong, but by making
|
|
this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
|
|
- Fix a rare crash bug that could occur when a client was configured
|
|
with a large number of bridges. Fixes bug 2629; bugfix on
|
|
0.2.1.2-alpha. Bugfix by trac user "shitlei".
|
|
- Correct the warning displayed when a rendezvous descriptor exceeds
|
|
the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
|
|
John Brooks.
|
|
- Fix an uncommon assertion failure when running with DNSPort under
|
|
heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
|
|
- When warning about missing zlib development packages during compile,
|
|
give the correct package names. Bugfix on 0.2.0.1-alpha.
|
|
- Require that introduction point keys and onion keys have public
|
|
exponent 65537. Bugfix on 0.2.0.10-alpha.
|
|
- Do not crash when our configuration file becomes unreadable, for
|
|
example due to a permissions change, between when we start up
|
|
and when a controller calls SAVECONF. Fixes bug 3135; bugfix
|
|
on 0.0.9pre6.
|
|
- Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
|
|
Fixes bug 3208.
|
|
- Always NUL-terminate the sun_path field of a sockaddr_un before
|
|
passing it to the kernel. (Not a security issue: kernels are
|
|
smart enough to reject bad sockaddr_uns.) Found by Coverity;
|
|
CID #428. Bugfix on Tor 0.2.0.3-alpha.
|
|
- Don't stack-allocate the list of supplementary GIDs when we're
|
|
about to log them. Stack-allocating NGROUPS_MAX gid_t elements
|
|
could take up to 256K, which is way too much stack. Found by
|
|
Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
|
|
|
|
o Minor bugfixes (only in 0.2.1.x):
|
|
- Resume using micro-version numbers in 0.2.1.x: our Debian packages
|
|
rely on them. Bugfix on 0.2.1.30.
|
|
- Use git revisions instead of svn revisions when generating our
|
|
micro-version numbers. Bugfix on 0.2.1.15-rc; fixes bug 2402.
|
|
|
|
o Minor features (also included in 0.2.2.x):
|
|
- Adjust the expiration time on our SSL session certificates to
|
|
better match SSL certs seen in the wild. Resolves ticket 4014.
|
|
- Allow nameservers with IPv6 address. Resolves bug 2574.
|
|
- Update to the October 4 2011 Maxmind GeoLite Country database.
|
|
|
|
|
|
Changes in version 0.2.3.5-alpha - 2011-09-28
|
|
Tor 0.2.3.5-alpha fixes two bugs that make it possible to enumerate
|
|
bridge relays; fixes an assertion error that many users started hitting
|
|
today; and adds the ability to refill token buckets more often than
|
|
once per second, allowing significant performance improvements.
|
|
|
|
o Security fixes:
|
|
- Bridge relays now do their directory fetches inside Tor TLS
|
|
connections, like all the other clients do, rather than connecting
|
|
directly to the DirPort like public relays do. Removes another
|
|
avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35.
|
|
- Bridges relays now build circuits for themselves in a more similar
|
|
way to how clients build them. Removes another avenue for
|
|
enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha,
|
|
when bridges were introduced.
|
|
|
|
o Major bugfixes:
|
|
- Fix an "Assertion md->held_by_node == 1 failed" error that could
|
|
occur when the same microdescriptor was referenced by two node_t
|
|
objects at once. Fix for bug 4118; bugfix on Tor 0.2.3.1-alpha.
|
|
|
|
o Major features (networking):
|
|
- Add a new TokenBucketRefillInterval option to refill token buckets
|
|
more frequently than once per second. This should improve network
|
|
performance, alleviate queueing problems, and make traffic less
|
|
bursty. Implements proposal 183; closes ticket 3630. Design by
|
|
Florian Tschorsch and Björn Scheuermann; implementation by
|
|
Florian Tschorsch.
|
|
|
|
o Minor bugfixes:
|
|
- Change an integer overflow check in the OpenBSD_Malloc code so
|
|
that GCC is less likely to eliminate it as impossible. Patch
|
|
from Mansour Moufid. Fixes bug 4059.
|
|
|
|
o Minor bugfixes (usability):
|
|
- Downgrade log messages about circuit timeout calibration from
|
|
"notice" to "info": they don't require or suggest any human
|
|
intervention. Patch from Tom Lowenthal. Fixes bug 4063;
|
|
bugfix on 0.2.2.14-alpha.
|
|
|
|
o Minor features (diagnostics):
|
|
- When the system call to create a listener socket fails, log the
|
|
error message explaining why. This may help diagnose bug 4027.
|
|
|
|
|
|
Changes in version 0.2.3.4-alpha - 2011-09-13
|
|
Tor 0.2.3.4-alpha includes the fixes from 0.2.2.33, including a slight
|
|
tweak to Tor's TLS handshake that makes relays and bridges that run
|
|
this new version reachable from Iran again. It also fixes a few new
|
|
bugs in 0.2.3.x, and teaches relays to recognize when they're not
|
|
listed in the network consensus and republish.
|
|
|
|
o Major bugfixes (also part of 0.2.2.33):
|
|
- Avoid an assertion failure when reloading a configuration with
|
|
TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug
|
|
3923; bugfix on 0.2.2.25-alpha.
|
|
|
|
o Minor features (security, also part of 0.2.2.33):
|
|
- Check for replays of the public-key encrypted portion of an
|
|
INTRODUCE1 cell, in addition to the current check for replays of
|
|
the g^x value. This prevents a possible class of active attacks
|
|
by an attacker who controls both an introduction point and a
|
|
rendezvous point, and who uses the malleability of AES-CTR to
|
|
alter the encrypted g^x portion of the INTRODUCE1 cell. We think
|
|
that these attacks are infeasible (requiring the attacker to send
|
|
on the order of zettabytes of altered cells in a short interval),
|
|
but we'd rather block them off in case there are any classes of
|
|
this attack that we missed. Reported by Willem Pinckaers.
|
|
|
|
o Minor features (also part of 0.2.2.33):
|
|
- Adjust the expiration time on our SSL session certificates to
|
|
better match SSL certs seen in the wild. Resolves ticket 4014.
|
|
- Change the default required uptime for a relay to be accepted as
|
|
a HSDir (hidden service directory) from 24 hours to 25 hours.
|
|
Improves on 0.2.0.10-alpha; resolves ticket 2649.
|
|
- Add a VoteOnHidServDirectoriesV2 config option to allow directory
|
|
authorities to abstain from voting on assignment of the HSDir
|
|
consensus flag. Related to bug 2649.
|
|
- Update to the September 6 2011 Maxmind GeoLite Country database.
|
|
|
|
o Minor bugfixes (also part of 0.2.2.33):
|
|
- Demote the 'replay detected' log message emitted when a hidden
|
|
service receives the same Diffie-Hellman public key in two different
|
|
INTRODUCE2 cells to info level. A normal Tor client can cause that
|
|
log message during its normal operation. Bugfix on 0.2.1.6-alpha;
|
|
fixes part of bug 2442.
|
|
- Demote the 'INTRODUCE2 cell is too {old,new}' log message to info
|
|
level. There is nothing that a hidden service's operator can do
|
|
to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part
|
|
of bug 2442.
|
|
- Clarify a log message specifying the characters permitted in
|
|
HiddenServiceAuthorizeClient client names. Previously, the log
|
|
message said that "[A-Za-z0-9+-_]" were permitted; that could have
|
|
given the impression that every ASCII character between "+" and "_"
|
|
was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha.
|
|
|
|
o Build fixes (also part of 0.2.2.33):
|
|
- Clean up some code issues that prevented Tor from building on older
|
|
BSDs. Fixes bug 3894; reported by "grarpamp".
|
|
- Search for a platform-specific version of "ar" when cross-compiling.
|
|
Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti.
|
|
|
|
o Major bugfixes:
|
|
- Fix a bug where the SocksPort option (for example) would get
|
|
ignored and replaced by the default if a SocksListenAddress
|
|
option was set. Bugfix on 0.2.3.3-alpha; fixes bug 3936. Fix by
|
|
Fabian Keil.
|
|
|
|
o Major features:
|
|
- Relays now try regenerating and uploading their descriptor more
|
|
frequently if they are not listed in the consensus, or if the
|
|
version of their descriptor listed in the consensus is too
|
|
old. This fix should prevent situations where a server declines
|
|
to re-publish itself because it has done so too recently, even
|
|
though the authorities decided not to list its recent-enough
|
|
descriptor. Fix for bug 3327.
|
|
|
|
o Minor features:
|
|
- Relays now include a reason for regenerating their descriptors
|
|
in an HTTP header when uploading to the authorities. This will
|
|
make it easier to debug descriptor-upload issues in the future.
|
|
- When starting as root and then changing our UID via the User
|
|
control option, and we have a ControlSocket configured, make sure
|
|
that the ControlSocket is owned by the same account that Tor will
|
|
run under. Implements ticket 3421; fix by Jérémy Bobbio.
|
|
|
|
o Minor bugfixes:
|
|
- Abort if tor_vasprintf fails in connection_printf_to_buf (a
|
|
utility function used in the control-port code). This shouldn't
|
|
ever happen unless Tor is completely out of memory, but if it did
|
|
happen and Tor somehow recovered from it, Tor could have sent a log
|
|
message to a control port in the middle of a reply to a controller
|
|
command. Fixes part of bug 3428; bugfix on 0.1.2.3-alpha.
|
|
- Make 'FetchUselessDescriptors' cause all descriptor types and
|
|
all consensus types (including microdescriptors) to get fetched.
|
|
Fixes bug 3851; bugfix on 0.2.3.1-alpha.
|
|
|
|
o Code refactoring:
|
|
- Make a new "entry connection" struct as an internal subtype of "edge
|
|
connection", to simplify the code and make exit connections smaller.
|
|
|
|
|
|
Changes in version 0.2.2.33 - 2011-09-13
|
|
Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's
|
|
TLS handshake that makes relays and bridges that run this new version
|
|
reachable from Iran again.
|
|
|
|
o Major bugfixes:
|
|
- Avoid an assertion failure when reloading a configuration with
|
|
TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug
|
|
3923; bugfix on 0.2.2.25-alpha.
|
|
|
|
o Minor features (security):
|
|
- Check for replays of the public-key encrypted portion of an
|
|
INTRODUCE1 cell, in addition to the current check for replays of
|
|
the g^x value. This prevents a possible class of active attacks
|
|
by an attacker who controls both an introduction point and a
|
|
rendezvous point, and who uses the malleability of AES-CTR to
|
|
alter the encrypted g^x portion of the INTRODUCE1 cell. We think
|
|
that these attacks are infeasible (requiring the attacker to send
|
|
on the order of zettabytes of altered cells in a short interval),
|
|
but we'd rather block them off in case there are any classes of
|
|
this attack that we missed. Reported by Willem Pinckaers.
|
|
|
|
o Minor features:
|
|
- Adjust the expiration time on our SSL session certificates to
|
|
better match SSL certs seen in the wild. Resolves ticket 4014.
|
|
- Change the default required uptime for a relay to be accepted as
|
|
a HSDir (hidden service directory) from 24 hours to 25 hours.
|
|
Improves on 0.2.0.10-alpha; resolves ticket 2649.
|
|
- Add a VoteOnHidServDirectoriesV2 config option to allow directory
|
|
authorities to abstain from voting on assignment of the HSDir
|
|
consensus flag. Related to bug 2649.
|
|
- Update to the September 6 2011 Maxmind GeoLite Country database.
|
|
|
|
o Minor bugfixes (documentation and log messages):
|
|
- Correct the man page to explain that HashedControlPassword and
|
|
CookieAuthentication can both be set, in which case either method
|
|
is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha,
|
|
when we decided to allow these config options to both be set. Issue
|
|
raised by bug 3898.
|
|
- Demote the 'replay detected' log message emitted when a hidden
|
|
service receives the same Diffie-Hellman public key in two different
|
|
INTRODUCE2 cells to info level. A normal Tor client can cause that
|
|
log message during its normal operation. Bugfix on 0.2.1.6-alpha;
|
|
fixes part of bug 2442.
|
|
- Demote the 'INTRODUCE2 cell is too {old,new}' log message to info
|
|
level. There is nothing that a hidden service's operator can do
|
|
to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part
|
|
of bug 2442.
|
|
- Clarify a log message specifying the characters permitted in
|
|
HiddenServiceAuthorizeClient client names. Previously, the log
|
|
message said that "[A-Za-z0-9+-_]" were permitted; that could have
|
|
given the impression that every ASCII character between "+" and "_"
|
|
was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha.
|
|
|
|
o Build fixes:
|
|
- Provide a substitute implementation of lround() for MSVC, which
|
|
apparently lacks it. Patch from Gisle Vanem.
|
|
- Clean up some code issues that prevented Tor from building on older
|
|
BSDs. Fixes bug 3894; reported by "grarpamp".
|
|
- Search for a platform-specific version of "ar" when cross-compiling.
|
|
Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti.
|
|
|
|
|
|
Changes in version 0.2.3.3-alpha - 2011-09-01
|
|
Tor 0.2.3.3-alpha adds a new "stream isolation" feature to improve Tor's
|
|
security, and provides client-side support for the microdescriptor
|
|
and optimistic data features introduced earlier in the 0.2.3.x
|
|
series. It also includes numerous critical bugfixes in the (optional)
|
|
bufferevent-based networking backend.
|
|
|
|
o Major features (stream isolation):
|
|
- You can now configure Tor so that streams from different
|
|
applications are isolated on different circuits, to prevent an
|
|
attacker who sees your streams as they leave an exit node from
|
|
linking your sessions to one another. To do this, choose some way
|
|
to distinguish the applications: have them connect to different
|
|
SocksPorts, or have one of them use SOCKS4 while the other uses
|
|
SOCKS5, or have them pass different authentication strings to the
|
|
SOCKS proxy. Then, use the new SocksPort syntax to configure the
|
|
degree of isolation you need. This implements Proposal 171.
|
|
- There's a new syntax for specifying multiple client ports (such as
|
|
SOCKSPort, TransPort, DNSPort, NATDPort): you can now just declare
|
|
multiple *Port entries with full addr:port syntax on each.
|
|
The old *ListenAddress format is still supported, but you can't
|
|
mix it with the new *Port syntax.
|
|
|
|
o Major features (other):
|
|
- Enable microdescriptor fetching by default for clients. This allows
|
|
clients to download a much smaller amount of directory information.
|
|
To disable it (and go back to the old-style consensus and
|
|
descriptors), set "UseMicrodescriptors 0" in your torrc file.
|
|
- Tor's firewall-helper feature, introduced in 0.2.3.1-alpha (see the
|
|
"PortForwarding" config option), now supports Windows.
|
|
- When using an exit relay running 0.2.3.x, clients can now
|
|
"optimistically" send data before the exit relay reports that
|
|
the stream has opened. This saves a round trip when starting
|
|
connections where the client speaks first (such as web browsing).
|
|
This behavior is controlled by a consensus parameter (currently
|
|
disabled). To turn it on or off manually, use the "OptimisticData"
|
|
torrc option. Implements proposal 181; code by Ian Goldberg.
|
|
|
|
o Major bugfixes (bufferevents, fixes on 0.2.3.1-alpha):
|
|
- When using IOCP on Windows, we need to enable Libevent windows
|
|
threading support.
|
|
- The IOCP backend now works even when the user has not specified
|
|
the (internal, debugging-only) _UseFilteringSSLBufferevents option.
|
|
Fixes part of bug 3752.
|
|
- Correctly record the bytes we've read and written when using
|
|
bufferevents, so that we can include them in our bandwidth history
|
|
and advertised bandwidth. Fixes bug 3803.
|
|
- Apply rate-limiting only at the bottom of a chain of filtering
|
|
bufferevents. This prevents us from filling up internal read
|
|
buffers and violating rate-limits when filtering bufferevents
|
|
are enabled. Fixes part of bug 3804.
|
|
- Add high-watermarks to the output buffers for filtered
|
|
bufferevents. This prevents us from filling up internal write
|
|
buffers and wasting CPU cycles when filtering bufferevents are
|
|
enabled. Fixes part of bug 3804.
|
|
- Correctly notice when data has been written from a bufferevent
|
|
without flushing it completely. Fixes bug 3805.
|
|
- Fix a bug where server-side tunneled bufferevent-based directory
|
|
streams would get closed prematurely. Fixes bug 3814.
|
|
- Fix a use-after-free error with per-connection rate-limiting
|
|
buckets. Fixes bug 3888.
|
|
|
|
o Major bugfixes (also part of 0.2.2.31-rc):
|
|
- If we're configured to write our ControlPorts to disk, only write
|
|
them after switching UID and creating the data directory. This way,
|
|
we don't fail when starting up with a nonexistent DataDirectory
|
|
and a ControlPortWriteToFile setting based on that directory. Fixes
|
|
bug 3747; bugfix on Tor 0.2.2.26-beta.
|
|
|
|
o Minor features:
|
|
- Added a new CONF_CHANGED event so that controllers can be notified
|
|
of any configuration changes made by other controllers, or by the
|
|
user. Implements ticket 1692.
|
|
- Use evbuffer_copyout() in inspect_evbuffer(). This fixes a memory
|
|
leak when using bufferevents, and lets Libevent worry about how to
|
|
best copy data out of a buffer.
|
|
- Replace files in stats/ rather than appending to them. Now that we
|
|
include statistics in extra-info descriptors, it makes no sense to
|
|
keep old statistics forever. Implements ticket 2930.
|
|
|
|
o Minor features (build compatibility):
|
|
- Limited, experimental support for building with nmake and MSVC.
|
|
- Provide a substitute implementation of lround() for MSVC, which
|
|
apparently lacks it. Patch from Gisle Vanem.
|
|
|
|
o Minor features (also part of 0.2.2.31-rc):
|
|
- Update to the August 2 2011 Maxmind GeoLite Country database.
|
|
|
|
o Minor bugfixes (on 0.2.3.x-alpha):
|
|
- Fix a spurious warning when parsing SOCKS requests with
|
|
bufferevents enabled. Fixes bug 3615; bugfix on 0.2.3.2-alpha.
|
|
- Get rid of a harmless warning that could happen on relays running
|
|
with bufferevents. The warning was caused by someone doing an http
|
|
request to a relay's orport. Also don't warn for a few related
|
|
non-errors. Fixes bug 3700; bugfix on 0.2.3.1-alpha.
|
|
|
|
o Minor bugfixes (on 2.2.x and earlier):
|
|
- Correct the man page to explain that HashedControlPassword and
|
|
CookieAuthentication can both be set, in which case either method
|
|
is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha,
|
|
when we decided to allow these config options to both be set. Issue
|
|
raised by bug 3898.
|
|
- The "--quiet" and "--hush" options now apply not only to Tor's
|
|
behavior before logs are configured, but also to Tor's behavior in
|
|
the absense of configured logs. Fixes bug 3550; bugfix on
|
|
0.2.0.10-alpha.
|
|
|
|
o Minor bugfixes (also part of 0.2.2.31-rc):
|
|
- Write several files in text mode, on OSes that distinguish text
|
|
mode from binary mode (namely, Windows). These files are:
|
|
'buffer-stats', 'dirreq-stats', and 'entry-stats' on relays
|
|
that collect those statistics; 'client_keys' and 'hostname' for
|
|
hidden services that use authentication; and (in the tor-gencert
|
|
utility) newly generated identity and signing keys. Previously,
|
|
we wouldn't specify text mode or binary mode, leading to an
|
|
assertion failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when
|
|
the DirRecordUsageByCountry option which would have triggered
|
|
the assertion failure was added), although this assertion failure
|
|
would have occurred in tor-gencert on Windows in 0.2.0.1-alpha.
|
|
- Selectively disable deprecation warnings on OS X because Lion
|
|
started deprecating the shipped copy of openssl. Fixes bug 3643.
|
|
- Remove an extra pair of quotation marks around the error
|
|
message in control-port STATUS_GENERAL BUG events. Bugfix on
|
|
0.1.2.6-alpha; fixes bug 3732.
|
|
- When unable to format an address as a string, report its value
|
|
as "???" rather than reusing the last formatted address. Bugfix
|
|
on 0.2.1.5-alpha.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Rewrite the listener-selection logic so that parsing which ports
|
|
we want to listen on is now separate from binding to the ports
|
|
we want.
|
|
|
|
o Build changes:
|
|
- Building Tor with bufferevent support now requires Libevent
|
|
2.0.13-stable or later. Previous versions of Libevent had bugs in
|
|
SSL-related bufferevents and related issues that would make Tor
|
|
work badly with bufferevents. Requiring 2.0.13-stable also allows
|
|
Tor with bufferevents to take advantage of Libevent APIs
|
|
introduced after 2.0.8-rc.
|
|
|
|
|
|
Changes in version 0.2.2.32 - 2011-08-27
|
|
The Tor 0.2.2 release series is dedicated to the memory of Andreas
|
|
Pfitzmann (1958-2010), a pioneer in anonymity and privacy research,
|
|
a founder of the PETS community, a leader in our field, a mentor,
|
|
and a friend. He left us with these words: "I had the possibility
|
|
to contribute to this world that is not as it should be. I hope I
|
|
could help in some areas to make the world a better place, and that
|
|
I could also encourage other people to be engaged in improving the
|
|
world. Please, stay engaged. This world needs you, your love, your
|
|
initiative -- now I cannot be part of that anymore."
|
|
|
|
Tor 0.2.2.32, the first stable release in the 0.2.2 branch, is finally
|
|
ready. More than two years in the making, this release features improved
|
|
client performance and hidden service reliability, better compatibility
|
|
for Android, correct behavior for bridges that listen on more than
|
|
one address, more extensible and flexible directory object handling,
|
|
better reporting of network statistics, improved code security, and
|
|
many many other features and bugfixes.
|
|
|
|
|
|
Changes in version 0.2.2.31-rc - 2011-08-17
|
|
Tor 0.2.2.31-rc is the second and hopefully final release candidate
|
|
for the Tor 0.2.2.x series.
|
|
|
|
o Major bugfixes:
|
|
- Remove an extra pair of quotation marks around the error
|
|
message in control-port STATUS_GENERAL BUG events. Bugfix on
|
|
0.1.2.6-alpha; fixes bug 3732.
|
|
- If we're configured to write our ControlPorts to disk, only write
|
|
them after switching UID and creating the data directory. This way,
|
|
we don't fail when starting up with a nonexistent DataDirectory
|
|
and a ControlPortWriteToFile setting based on that directory. Fixes
|
|
bug 3747; bugfix on Tor 0.2.2.26-beta.
|
|
|
|
o Minor features:
|
|
- Update to the August 2 2011 Maxmind GeoLite Country database.
|
|
|
|
o Minor bugfixes:
|
|
- Allow GETINFO fingerprint to return a fingerprint even when
|
|
we have not yet built a router descriptor. Fixes bug 3577;
|
|
bugfix on 0.2.0.1-alpha.
|
|
- Write several files in text mode, on OSes that distinguish text
|
|
mode from binary mode (namely, Windows). These files are:
|
|
'buffer-stats', 'dirreq-stats', and 'entry-stats' on relays
|
|
that collect those statistics; 'client_keys' and 'hostname' for
|
|
hidden services that use authentication; and (in the tor-gencert
|
|
utility) newly generated identity and signing keys. Previously,
|
|
we wouldn't specify text mode or binary mode, leading to an
|
|
assertion failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when
|
|
the DirRecordUsageByCountry option which would have triggered
|
|
the assertion failure was added), although this assertion failure
|
|
would have occurred in tor-gencert on Windows in 0.2.0.1-alpha.
|
|
- Selectively disable deprecation warnings on OS X because Lion
|
|
started deprecating the shipped copy of openssl. Fixes bug 3643.
|
|
- When unable to format an address as a string, report its value
|
|
as "???" rather than reusing the last formatted address. Bugfix
|
|
on 0.2.1.5-alpha.
|
|
|
|
|
|
Changes in version 0.2.3.2-alpha - 2011-07-18
|
|
Tor 0.2.3.2-alpha introduces two new experimental features:
|
|
microdescriptors and pluggable transports. It also continues cleaning
|
|
up a variety of recently introduced features.
|
|
|
|
o Major features:
|
|
- Clients can now use microdescriptors instead of regular descriptors
|
|
to build circuits. Microdescriptors are authority-generated
|
|
summaries of regular descriptors' contents, designed to change
|
|
very rarely (see proposal 158 for details). This feature is
|
|
designed to save bandwidth, especially for clients on slow internet
|
|
connections. It's off by default for now, since nearly no caches
|
|
support it, but it will be on-by-default for clients in a future
|
|
version. You can use the UseMicrodescriptors option to turn it on.
|
|
- Tor clients using bridges can now be configured to use a separate
|
|
'transport' proxy for each bridge. This approach helps to resist
|
|
censorship by allowing bridges to use protocol obfuscation
|
|
plugins. It implements part of proposal 180. Implements ticket 2841.
|
|
- While we're trying to bootstrap, record how many TLS connections
|
|
fail in each state, and report which states saw the most failures
|
|
in response to any bootstrap failures. This feature may speed up
|
|
diagnosis of censorship events. Implements ticket 3116.
|
|
|
|
o Major bugfixes (on 0.2.3.1-alpha):
|
|
- When configuring a large set of nodes in EntryNodes (as with
|
|
'EntryNodes {cc}' or 'EntryNodes 1.1.1.1/16'), choose only a
|
|
random subset to be guards, and choose them in random
|
|
order. Fixes bug 2798.
|
|
- Tor could crash when remembering a consensus in a non-used consensus
|
|
flavor without having a current consensus set. Fixes bug 3361.
|
|
- Comparing an unknown address to a microdescriptor's shortened exit
|
|
policy would always give a "rejected" result. Fixes bug 3599.
|
|
- Using microdescriptors as a client no longer prevents Tor from
|
|
uploading and downloading hidden service descriptors. Fixes
|
|
bug 3601.
|
|
|
|
o Minor features:
|
|
- Allow nameservers with IPv6 address. Resolves bug 2574.
|
|
- Accept attempts to include a password authenticator in the
|
|
handshake, as supported by SOCKS5. This handles SOCKS clients that
|
|
don't know how to omit a password when authenticating. Resolves
|
|
bug 1666.
|
|
- When configuring a large set of nodes in EntryNodes, and there are
|
|
enough of them listed as Guard so that we don't need to consider
|
|
the non-guard entries, prefer the ones listed with the Guard flag.
|
|
- Check for and recover from inconsistency in the microdescriptor
|
|
cache. This will make it harder for us to accidentally free a
|
|
microdescriptor without removing it from the appropriate data
|
|
structures. Fixes issue 3135; issue noted by "wanoskarnet".
|
|
- Log SSL state transitions at log level DEBUG, log domain
|
|
HANDSHAKE. This can be useful for debugging censorship events.
|
|
Implements ticket 3264.
|
|
- Add port 6523 (Gobby) to LongLivedPorts. Patch by intrigeri;
|
|
implements ticket 3439.
|
|
|
|
o Minor bugfixes (on 0.2.3.1-alpha):
|
|
- Do not free all general-purpose regular descriptors just
|
|
because microdescriptor use is enabled. Fixes bug 3113.
|
|
- Correctly link libevent_openssl when --enable-static-libevent
|
|
is passed to configure. Fixes bug 3118.
|
|
- Bridges should not complain during their heartbeat log messages that
|
|
they are unlisted in the consensus: that's more or less the point
|
|
of being a bridge. Fixes bug 3183.
|
|
- Report a SIGNAL event to controllers when acting on a delayed
|
|
SIGNAL NEWNYM command. Previously, we would report a SIGNAL
|
|
event to the controller if we acted on a SIGNAL NEWNYM command
|
|
immediately, and otherwise not report a SIGNAL event for the
|
|
command at all. Fixes bug 3349.
|
|
- Fix a crash when handling the SIGNAL controller command or
|
|
reporting ERR-level status events with bufferevents enabled. Found
|
|
by Robert Ransom. Fixes bug 3367.
|
|
- Always ship the tor-fw-helper manpage in our release tarballs.
|
|
Fixes bug 3389. Reported by Stephen Walker.
|
|
- Fix a class of double-mark-for-close bugs when bufferevents
|
|
are enabled. Fixes bug 3403.
|
|
- Update tor-fw-helper to support libnatpmp-20110618. Fixes bug 3434.
|
|
- Add SIGNAL to the list returned by the 'GETINFO events/names'
|
|
control-port command. Fixes part of bug 3465.
|
|
- Prevent using negative indices during unit test runs when read_all()
|
|
fails. Spotted by coverity.
|
|
- Fix a rare memory leak when checking the nodelist without it being
|
|
present. Found by coverity.
|
|
- Only try to download a microdescriptor-flavored consensus from
|
|
a directory cache that provides them.
|
|
|
|
o Minor bugfixes (on 0.2.2.x and earlier):
|
|
- Assert that hidden-service-related operations are not performed
|
|
using single-hop circuits. Previously, Tor would assert that
|
|
client-side streams are not attached to single-hop circuits,
|
|
but not that other sensitive operations on the client and service
|
|
side are not performed using single-hop circuits. Fixes bug 3332;
|
|
bugfix on 0.0.6.
|
|
- Don't publish a new relay descriptor when we reload our onion key,
|
|
unless the onion key has actually changed. Fixes bug 3263 and
|
|
resolves another cause of bug 1810. Bugfix on 0.1.1.11-alpha.
|
|
- Allow GETINFO fingerprint to return a fingerprint even when
|
|
we have not yet built a router descriptor. Fixes bug 3577;
|
|
bugfix on 0.2.0.1-alpha.
|
|
- Make 'tor --digests' list hashes of all Tor source files. Bugfix
|
|
on 0.2.2.4-alpha; fixes bug 3427.
|
|
|
|
o Code simplification and refactoring:
|
|
- Use tor_sscanf() in place of scanf() in more places through the
|
|
code. This makes us a little more locale-independent, and
|
|
should help shut up code-analysis tools that can't tell
|
|
a safe sscanf string from a dangerous one.
|
|
- Use tt_assert(), not tor_assert(), for checking for test failures.
|
|
This makes the unit tests more able to go on in the event that
|
|
one of them fails.
|
|
- Split connection_about_to_close() into separate functions for each
|
|
connection type.
|
|
|
|
o Build changes:
|
|
- On Windows, we now define the _WIN32_WINNT macros only if they
|
|
are not already defined. This lets the person building Tor decide,
|
|
if they want, to require a later version of Windows.
|
|
|
|
|
|
Changes in version 0.2.2.30-rc - 2011-07-07
|
|
Tor 0.2.2.30-rc is the first release candidate for the Tor 0.2.2.x
|
|
series. It fixes a few smaller bugs, but generally appears stable.
|
|
Please test it and let us know whether it is!
|
|
|
|
o Minor bugfixes:
|
|
- Send a SUCCEEDED stream event to the controller when a reverse
|
|
resolve succeeded. Fixes bug 3536; bugfix on 0.0.8pre1. Issue
|
|
discovered by katmagic.
|
|
- Always NUL-terminate the sun_path field of a sockaddr_un before
|
|
passing it to the kernel. (Not a security issue: kernels are
|
|
smart enough to reject bad sockaddr_uns.) Found by Coverity;
|
|
CID #428. Bugfix on Tor 0.2.0.3-alpha.
|
|
- Don't stack-allocate the list of supplementary GIDs when we're
|
|
about to log them. Stack-allocating NGROUPS_MAX gid_t elements
|
|
could take up to 256K, which is way too much stack. Found by
|
|
Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
|
|
- Add BUILDTIMEOUT_SET to the list returned by the 'GETINFO
|
|
events/names' control-port command. Bugfix on 0.2.2.9-alpha;
|
|
fixes part of bug 3465.
|
|
- Fix a memory leak when receiving a descriptor for a hidden
|
|
service we didn't ask for. Found by Coverity; CID #30. Bugfix
|
|
on 0.2.2.26-beta.
|
|
|
|
o Minor features:
|
|
- Update to the July 1 2011 Maxmind GeoLite Country database.
|
|
|
|
|
|
Changes in version 0.2.2.29-beta - 2011-06-20
|
|
Tor 0.2.2.29-beta reverts an accidental behavior change for users who
|
|
have bridge lines in their torrc but don't want to use them; gets
|
|
us closer to having the control socket feature working on Debian;
|
|
and fixes a variety of smaller bugs.
|
|
|
|
o Major bugfixes:
|
|
- Revert the UseBridges option to its behavior before 0.2.2.28-beta.
|
|
When we changed the default behavior to "use bridges if any
|
|
are listed in the torrc", we surprised users who had bridges
|
|
in their torrc files but who didn't actually want to use them.
|
|
Partial resolution for bug 3354.
|
|
|
|
o Privacy fixes:
|
|
- Don't attach new streams to old rendezvous circuits after SIGNAL
|
|
NEWNYM. Previously, we would keep using an existing rendezvous
|
|
circuit if it remained open (i.e. if it were kept open by a
|
|
long-lived stream, or if a new stream were attached to it before
|
|
Tor could notice that it was old and no longer in use). Bugfix on
|
|
0.1.1.15-rc; fixes bug 3375.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a bug when using ControlSocketsGroupWritable with User. The
|
|
directory's group would be checked against the current group, not
|
|
the configured group. Patch by Jérémy Bobbio. Fixes bug 3393;
|
|
bugfix on 0.2.2.26-beta.
|
|
- Make connection_printf_to_buf()'s behavior sane. Its callers
|
|
expect it to emit a CRLF iff the format string ends with CRLF;
|
|
it actually emitted a CRLF iff (a) the format string ended with
|
|
CRLF or (b) the resulting string was over 1023 characters long or
|
|
(c) the format string did not end with CRLF *and* the resulting
|
|
string was 1021 characters long or longer. Bugfix on 0.1.1.9-alpha;
|
|
fixes part of bug 3407.
|
|
- Make send_control_event_impl()'s behavior sane. Its callers
|
|
expect it to always emit a CRLF at the end of the string; it
|
|
might have emitted extra control characters as well. Bugfix on
|
|
0.1.1.9-alpha; fixes another part of bug 3407.
|
|
- Make crypto_rand_int() check the value of its input correctly.
|
|
Previously, it accepted values up to UINT_MAX, but could return a
|
|
negative number if given a value above INT_MAX+1. Found by George
|
|
Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14.
|
|
- Avoid a segfault when reading a malformed circuit build state
|
|
with more than INT_MAX entries. Found by wanoskarnet. Bugfix on
|
|
0.2.2.4-alpha.
|
|
- When asked about a DNS record type we don't support via a
|
|
client DNSPort, reply with NOTIMPL rather than an empty
|
|
reply. Patch by intrigeri. Fixes bug 3369; bugfix on 2.0.1-alpha.
|
|
- Fix a rare memory leak during stats writing. Found by coverity.
|
|
|
|
o Minor features:
|
|
- Update to the June 1 2011 Maxmind GeoLite Country database.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Remove some dead code as indicated by coverity.
|
|
- Remove a few dead assignments during router parsing. Found by
|
|
coverity.
|
|
- Add some forgotten return value checks during unit tests. Found
|
|
by coverity.
|
|
- Don't use 1-bit wide signed bit fields. Found by coverity.
|
|
|
|
|
|
Changes in version 0.2.2.28-beta - 2011-06-04
|
|
Tor 0.2.2.28-beta makes great progress towards a new stable release: we
|
|
fixed a big bug in whether relays stay in the consensus consistently,
|
|
we moved closer to handling bridges and hidden services correctly,
|
|
and we started the process of better handling the dreaded "my Vidalia
|
|
died, and now my Tor demands a password when I try to reconnect to it"
|
|
usability issue.
|
|
|
|
o Major bugfixes:
|
|
- Don't decide to make a new descriptor when receiving a HUP signal.
|
|
This bug has caused a lot of 0.2.2.x relays to disappear from the
|
|
consensus periodically. Fixes the most common case of triggering
|
|
bug 1810; bugfix on 0.2.2.7-alpha.
|
|
- Actually allow nameservers with IPv6 addresses. Fixes bug 2574.
|
|
- Don't try to build descriptors if "ORPort auto" is set and we
|
|
don't know our actual ORPort yet. Fix for bug 3216; bugfix on
|
|
0.2.2.26-beta.
|
|
- Resolve a crash that occurred when setting BridgeRelay to 1 with
|
|
accounting enabled. Fixes bug 3228; bugfix on 0.2.2.18-alpha.
|
|
- Apply circuit timeouts to opened hidden-service-related circuits
|
|
based on the correct start time. Previously, we would apply the
|
|
circuit build timeout based on time since the circuit's creation;
|
|
it was supposed to be applied based on time since the circuit
|
|
entered its current state. Bugfix on 0.0.6; fixes part of bug 1297.
|
|
- Use the same circuit timeout for client-side introduction
|
|
circuits as for other four-hop circuits, rather than the timeout
|
|
for single-hop directory-fetch circuits; the shorter timeout may
|
|
have been appropriate with the static circuit build timeout in
|
|
0.2.1.x and earlier, but caused many hidden service access attempts
|
|
to fail with the adaptive CBT introduced in 0.2.2.2-alpha. Bugfix
|
|
on 0.2.2.2-alpha; fixes another part of bug 1297.
|
|
- In ticket 2511 we fixed a case where you could use an unconfigured
|
|
bridge if you had configured it as a bridge the last time you ran
|
|
Tor. Now fix another edge case: if you had configured it as a bridge
|
|
but then switched to a different bridge via the controller, you
|
|
would still be willing to use the old one. Bugfix on 0.2.0.1-alpha;
|
|
fixes bug 3321.
|
|
|
|
o Major features:
|
|
- Add an __OwningControllerProcess configuration option and a
|
|
TAKEOWNERSHIP control-port command. Now a Tor controller can ensure
|
|
that when it exits, Tor will shut down. Implements feature 3049.
|
|
- If "UseBridges 1" is set and no bridges are configured, Tor will
|
|
now refuse to build any circuits until some bridges are set.
|
|
If "UseBridges auto" is set, Tor will use bridges if they are
|
|
configured and we are not running as a server, but otherwise will
|
|
make circuits as usual. The new default is "auto". Patch by anonym,
|
|
so the Tails LiveCD can stop automatically revealing you as a Tor
|
|
user on startup.
|
|
|
|
o Minor bugfixes:
|
|
- Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
|
|
- Remove a trailing asterisk from "exit-policy/default" in the
|
|
output of the control port command "GETINFO info/names". Bugfix
|
|
on 0.1.2.5-alpha.
|
|
- Use a wide type to hold sockets when built for 64-bit Windows builds.
|
|
Fixes bug 3270.
|
|
- Warn when the user configures two HiddenServiceDir lines that point
|
|
to the same directory. Bugfix on 0.0.6 (the version introducing
|
|
HiddenServiceDir); fixes bug 3289.
|
|
- Remove dead code from rend_cache_lookup_v2_desc_as_dir. Fixes
|
|
part of bug 2748; bugfix on 0.2.0.10-alpha.
|
|
- Log malformed requests for rendezvous descriptors as protocol
|
|
warnings, not warnings. Also, use a more informative log message
|
|
in case someone sees it at log level warning without prior
|
|
info-level messages. Fixes the other part of bug 2748; bugfix
|
|
on 0.2.0.10-alpha.
|
|
- Clear the table recording the time of the last request for each
|
|
hidden service descriptor from each HS directory on SIGNAL NEWNYM.
|
|
Previously, we would clear our HS descriptor cache on SIGNAL
|
|
NEWNYM, but if we had previously retrieved a descriptor (or tried
|
|
to) from every directory responsible for it, we would refuse to
|
|
fetch it again for up to 15 minutes. Bugfix on 0.2.2.25-alpha;
|
|
fixes bug 3309.
|
|
- Fix a log message that said "bits" while displaying a value in
|
|
bytes. Found by wanoskarnet. Fixes bug 3318; bugfix on
|
|
0.2.0.1-alpha.
|
|
- When checking for 1024-bit keys, check for 1024 bits, not 128
|
|
bytes. This allows Tor to correctly discard keys of length 1017
|
|
through 1023. Bugfix on 0.0.9pre5.
|
|
|
|
o Minor features:
|
|
- Relays now log the reason for publishing a new relay descriptor,
|
|
so we have a better chance of hunting down instances of bug 1810.
|
|
Resolves ticket 3252.
|
|
- Revise most log messages that refer to nodes by nickname to
|
|
instead use the "$key=nickname at address" format. This should be
|
|
more useful, especially since nicknames are less and less likely
|
|
to be unique. Resolves ticket 3045.
|
|
- Log (at info level) when purging pieces of hidden-service-client
|
|
state because of SIGNAL NEWNYM.
|
|
|
|
o Removed options:
|
|
- Remove undocumented option "-F" from tor-resolve: it hasn't done
|
|
anything since 0.2.1.16-rc.
|
|
|
|
|
|
Changes in version 0.2.2.27-beta - 2011-05-18
|
|
Tor 0.2.2.27-beta fixes a bridge-related stability bug in the previous
|
|
release, and also adds a few more general bugfixes.
|
|
|
|
o Major bugfixes:
|
|
- Fix a crash bug when changing bridges in a running Tor process.
|
|
Fixes bug 3213; bugfix on 0.2.2.26-beta.
|
|
- When the controller configures a new bridge, don't wait 10 to 60
|
|
seconds before trying to fetch its descriptor. Bugfix on
|
|
0.2.0.3-alpha; fixes bug 3198 (suggested by 2355).
|
|
|
|
o Minor bugfixes:
|
|
- Require that onion keys have exponent 65537 in microdescriptors too.
|
|
Fixes more of bug 3207; bugfix on 0.2.2.26-beta.
|
|
- Tor used to limit HttpProxyAuthenticator values to 48 characters.
|
|
Changed the limit to 512 characters by removing base64 newlines.
|
|
Fixes bug 2752. Fix by Michael Yakubovich.
|
|
- When a client starts or stops using bridges, never use a circuit
|
|
that was built before the configuration change. This behavior could
|
|
put at risk a user who uses bridges to ensure that her traffic
|
|
only goes to the chosen addresses. Bugfix on 0.2.0.3-alpha; fixes
|
|
bug 3200.
|
|
|
|
|
|
Changes in version 0.2.2.26-beta - 2011-05-17
|
|
Tor 0.2.2.26-beta fixes a variety of potential privacy problems. It
|
|
also introduces a new "socksport auto" approach that should make it
|
|
easier to run multiple Tors on the same system, and does a lot of
|
|
cleanup to get us closer to a release candidate.
|
|
|
|
o Security/privacy fixes:
|
|
- Replace all potentially sensitive memory comparison operations
|
|
with versions whose runtime does not depend on the data being
|
|
compared. This will help resist a class of attacks where an
|
|
adversary can use variations in timing information to learn
|
|
sensitive data. Fix for one case of bug 3122. (Safe memcmp
|
|
implementation by Robert Ransom based partially on code by DJB.)
|
|
- When receiving a hidden service descriptor, check that it is for
|
|
the hidden service we wanted. Previously, Tor would store any
|
|
hidden service descriptors that a directory gave it, whether it
|
|
wanted them or not. This wouldn't have let an attacker impersonate
|
|
a hidden service, but it did let directories pre-seed a client
|
|
with descriptors that it didn't want. Bugfix on 0.0.6.
|
|
- On SIGHUP, do not clear out all TrackHostExits mappings, client
|
|
DNS cache entries, and virtual address mappings: that's what
|
|
NEWNYM is for. Fixes bug 1345; bugfix on 0.1.0.1-rc.
|
|
|
|
o Major features:
|
|
- The options SocksPort, ControlPort, and so on now all accept a
|
|
value "auto" that opens a socket on an OS-selected port. A
|
|
new ControlPortWriteToFile option tells Tor to write its
|
|
actual control port or ports to a chosen file. If the option
|
|
ControlPortFileGroupReadable is set, the file is created as
|
|
group-readable. Now users can run two Tor clients on the same
|
|
system without needing to manually mess with parameters. Resolves
|
|
part of ticket 3076.
|
|
- Set SO_REUSEADDR on all sockets, not just listeners. This should
|
|
help busy exit nodes avoid running out of useable ports just
|
|
because all the ports have been used in the near past. Resolves
|
|
issue 2850.
|
|
|
|
o Minor features:
|
|
- New "GETINFO net/listeners/(type)" controller command to return
|
|
a list of addresses and ports that are bound for listeners for a
|
|
given connection type. This is useful when the user has configured
|
|
"SocksPort auto" and the controller needs to know which port got
|
|
chosen. Resolves another part of ticket 3076.
|
|
- Add a new ControlSocketsGroupWritable configuration option: when
|
|
it is turned on, ControlSockets are group-writeable by the default
|
|
group of the current user. Patch by Jérémy Bobbio; implements
|
|
ticket 2972.
|
|
- Tor now refuses to create a ControlSocket in a directory that is
|
|
world-readable (or group-readable if ControlSocketsGroupWritable
|
|
is 0). This is necessary because some operating systems do not
|
|
enforce permissions on an AF_UNIX sockets. Permissions on the
|
|
directory holding the socket, however, seems to work everywhere.
|
|
- Rate-limit a warning about failures to download v2 networkstatus
|
|
documents. Resolves part of bug 1352.
|
|
- Backport code from 0.2.3.x that allows directory authorities to
|
|
clean their microdescriptor caches. Needed to resolve bug 2230.
|
|
- When an HTTPS proxy reports "403 Forbidden", we now explain
|
|
what it means rather than calling it an unexpected status code.
|
|
Closes bug 2503. Patch from Michael Yakubovich.
|
|
- Update to the May 1 2011 Maxmind GeoLite Country database.
|
|
|
|
o Minor bugfixes:
|
|
- Authorities now clean their microdesc cache periodically and when
|
|
reading from disk initially, not only when adding new descriptors.
|
|
This prevents a bug where we could lose microdescriptors. Bugfix
|
|
on 0.2.2.6-alpha. Fixes bug 2230.
|
|
- Do not crash when our configuration file becomes unreadable, for
|
|
example due to a permissions change, between when we start up
|
|
and when a controller calls SAVECONF. Fixes bug 3135; bugfix
|
|
on 0.0.9pre6.
|
|
- Avoid a bug that would keep us from replacing a microdescriptor
|
|
cache on Windows. (We would try to replace the file while still
|
|
holding it open. That's fine on Unix, but Windows doesn't let us
|
|
do that.) Bugfix on 0.2.2.6-alpha; bug found by wanoskarnet.
|
|
- Add missing explanations for the authority-related torrc options
|
|
RephistTrackTime, BridgePassword, and V3AuthUseLegacyKey in the
|
|
man page. Resolves issue 2379.
|
|
- As an authority, do not upload our own vote or signature set to
|
|
ourself. It would tell us nothing new, and as of 0.2.2.24-alpha,
|
|
it would get flagged as a duplicate. Resolves bug 3026.
|
|
- Accept hidden service descriptors if we think we might be a hidden
|
|
service directory, regardless of what our consensus says. This
|
|
helps robustness, since clients and hidden services can sometimes
|
|
have a more up-to-date view of the network consensus than we do,
|
|
and if they think that the directory authorities list us a HSDir,
|
|
we might actually be one. Related to bug 2732; bugfix on
|
|
0.2.0.10-alpha.
|
|
- When a controller changes TrackHostExits, remove mappings for
|
|
hosts that should no longer have their exits tracked. Bugfix on
|
|
0.1.0.1-rc.
|
|
- When a controller changes VirtualAddrNetwork, remove any mappings
|
|
for hosts that were automapped to the old network. Bugfix on
|
|
0.1.1.19-rc.
|
|
- When a controller changes one of the AutomapHosts* options, remove
|
|
any mappings for hosts that should no longer be automapped. Bugfix
|
|
on 0.2.0.1-alpha.
|
|
- Do not reset the bridge descriptor download status every time we
|
|
re-parse our configuration or get a configuration change. Fixes
|
|
bug 3019; bugfix on 0.2.0.3-alpha.
|
|
|
|
o Minor bugfixes (code cleanup):
|
|
- When loading the microdesc journal, remember its current size.
|
|
In 0.2.2, this helps prevent the microdesc journal from growing
|
|
without limit on authorities (who are the only ones to use it in
|
|
0.2.2). Fixes a part of bug 2230; bugfix on 0.2.2.6-alpha.
|
|
Fix posted by "cypherpunks."
|
|
- The microdesc journal is supposed to get rebuilt only if it is
|
|
at least _half_ the length of the store, not _twice_ the length
|
|
of the store. Bugfix on 0.2.2.6-alpha; fixes part of bug 2230.
|
|
- Fix a potential null-pointer dereference while computing a
|
|
consensus. Bugfix on 0.2.0.3-alpha, found with the help of
|
|
clang's analyzer.
|
|
- Avoid a possible null-pointer dereference when rebuilding the mdesc
|
|
cache without actually having any descriptors to cache. Bugfix on
|
|
0.2.2.6-alpha. Issue discovered using clang's static analyzer.
|
|
- If we fail to compute the identity digest of a v3 legacy keypair,
|
|
warn, and don't use a buffer-full of junk instead. Bugfix on
|
|
0.2.1.1-alpha; fixes bug 3106.
|
|
- Resolve an untriggerable issue in smartlist_string_num_isin(),
|
|
where if the function had ever in the future been used to check
|
|
for the presence of a too-large number, it would have given an
|
|
incorrect result. (Fortunately, we only used it for 16-bit
|
|
values.) Fixes bug 3175; bugfix on 0.1.0.1-rc.
|
|
- Require that introduction point keys and onion handshake keys
|
|
have a public exponent of 65537. Starts to fix bug 3207; bugfix
|
|
on 0.2.0.10-alpha.
|
|
|
|
o Removed features:
|
|
- Caches no longer download and serve v2 networkstatus documents
|
|
unless FetchV2Networkstatus flag is set: these documents haven't
|
|
haven't been used by clients or relays since 0.2.0.x. Resolves
|
|
bug 3022.
|
|
|
|
|
|
Changes in version 0.2.3.1-alpha - 2011-05-05
|
|
Tor 0.2.3.1-alpha adds some new experimental features, including support
|
|
for an improved network IO backend, IOCP networking on Windows,
|
|
microdescriptor caching, "fast-start" support for streams, and automatic
|
|
home router configuration. There are also numerous internal improvements
|
|
to try to make the code easier for developers to work with.
|
|
|
|
This is the first alpha release in a new series, so expect there to be
|
|
bugs. Users who would rather test out a more stable branch should
|
|
stay with 0.2.2.x for now.
|
|
|
|
o Major features:
|
|
- Tor can now optionally build with the "bufferevents" buffered IO
|
|
backend provided by Libevent 2. To use this feature, make sure you
|
|
have the latest possible version of Libevent, and pass the
|
|
--enable-bufferevents flag to configure when building Tor from
|
|
source. This feature will make our networking code more flexible,
|
|
let us stack layers on each other, and let us use more efficient
|
|
zero-copy transports where available.
|
|
- As an experimental feature, Tor can use IOCP for networking on Windows.
|
|
Once this code is tuned and optimized, it promises much better
|
|
performance than the select-based backend we've used in the past. To
|
|
try this feature, you must build Tor with Libevent 2, configure Tor
|
|
with the "bufferevents" buffered IO backend, and add "DisableIOCP 0" to
|
|
your torrc. There are known bugs here: only try this if you can help
|
|
debug it as it breaks.
|
|
- The EntryNodes option can now include country codes like {de} or IP
|
|
addresses or network masks. Previously we had disallowed these options
|
|
because we didn't have an efficient way to keep the list up to
|
|
date. Fixes bug 1982, but see bug 2798 for an unresolved issue here.
|
|
- Exit nodes now accept and queue data on not-yet-connected streams.
|
|
Previously, the client wasn't allowed to send data until the stream was
|
|
connected, which slowed down all connections. This change will enable
|
|
clients to perform a "fast-start" on streams and send data without
|
|
having to wait for a confirmation that the stream has opened. (Patch
|
|
from Ian Goldberg; implements the server side of Proposal 174.)
|
|
- Tor now has initial support for automatic port mapping on the many
|
|
home routers that support NAT-PMP or UPnP. (Not yet supported on
|
|
Windows). To build the support code, you'll need to have libnatpnp
|
|
library and/or the libminiupnpc library, and you'll need to enable the
|
|
feature specifically by passing "--enable-upnp" and/or
|
|
"--enable-natpnp" to configure. To turn it on, use the new
|
|
PortForwarding option.
|
|
- Caches now download, cache, and serve multiple "flavors" of the
|
|
consensus, including a flavor that describes microdescriptors.
|
|
- Caches now download, cache, and serve microdescriptors -- small
|
|
summaries of router descriptors that are authenticated by all of the
|
|
directory authorities. Once enough caches are running this code,
|
|
clients will be able to save significant amounts of directory bandwidth
|
|
by downloading microdescriptors instead of router descriptors.
|
|
|
|
o Minor features:
|
|
- Make logging resolution configurable with a new LogTimeGranularity
|
|
option, and change the default from 1 millisecond to 1 second.
|
|
Implements enhancement 1668.
|
|
- We log which torrc file we're using on startup. Implements ticket
|
|
2444.
|
|
- Ordinarily, Tor does not count traffic from private addresses (like
|
|
127.0.0.1 or 10.0.0.1) when calculating rate limits or accounting.
|
|
There is now a new option, CountPrivateBandwidth, to disable this
|
|
behavior. Patch from Daniel Cagara.
|
|
- New --enable-static-tor configure option for building Tor as
|
|
statically as possible. Idea, general hackery and thoughts from
|
|
Alexei Czeskis, John Gilmore, Jacob Appelbaum. Implements ticket
|
|
2702.
|
|
- If you set the NumCPUs option to 0, Tor will now try to detect how
|
|
many CPUs you have. This is the new default behavior.
|
|
- Turn on directory request statistics by default and include them in
|
|
extra-info descriptors. Don't break if we have no GeoIP database.
|
|
- Relays that set "ConnDirectionStatistics 1" write statistics on the
|
|
bidirectional use of connections to disk every 24 hours.
|
|
- Add a GeoIP file digest to the extra-info descriptor. Implements
|
|
enhancement 1883.
|
|
- The NodeFamily option -- which let you declare that you want to
|
|
consider nodes to be part of a family whether they list themselves
|
|
that way or not -- now allows IP address ranges and country codes.
|
|
- Add a new 'Heartbeat' log message type to periodically log a message
|
|
describing Tor's status at level Notice. This feature is meant for
|
|
operators who log at notice, and want to make sure that their Tor
|
|
server is still working. Implementation by George Kadianakis.
|
|
|
|
o Minor bugfixes (on 0.2.2.25-alpha):
|
|
- When loading the microdesc journal, remember its current size.
|
|
In 0.2.2, this helps prevent the microdesc journal from growing
|
|
without limit on authorities (who are the only ones to use it in
|
|
0.2.2). Fixes a part of bug 2230; bugfix on 0.2.2.6-alpha.
|
|
Fix posted by "cypherpunks."
|
|
- The microdesc journal is supposed to get rebuilt only if it is
|
|
at least _half_ the length of the store, not _twice_ the length
|
|
of the store. Bugfix on 0.2.2.6-alpha; fixes part of bug 2230.
|
|
- If as an authority we fail to compute the identity digest of a v3
|
|
legacy keypair, warn, and don't use a buffer-full of junk instead.
|
|
Bugfix on 0.2.1.1-alpha; fixes bug 3106.
|
|
- Authorities now clean their microdesc cache periodically and when
|
|
reading from disk initially, not only when adding new descriptors.
|
|
This prevents a bug where we could lose microdescriptors. Bugfix
|
|
on 0.2.2.6-alpha.
|
|
|
|
o Minor features (controller):
|
|
- Add a new SIGNAL event to the controller interface so that
|
|
controllers can be notified when Tor handles a signal. Resolves
|
|
issue 1955. Patch by John Brooks.
|
|
- Add a new GETINFO option to get total bytes read and written. Patch
|
|
from pipe, revised by atagar. Resolves ticket 2345.
|
|
- Implement some GETINFO controller fields to provide information about
|
|
the Tor process's pid, euid, username, and resource limits.
|
|
|
|
o Build changes:
|
|
- Our build system requires automake 1.6 or later to create the
|
|
Makefile.in files. Previously, you could have used 1.4.
|
|
This only affects developers and people building Tor from git;
|
|
people who build Tor from the source distribution without changing
|
|
the Makefile.am files should be fine.
|
|
- Our autogen.sh script uses autoreconf to launch autoconf, automake, and
|
|
so on. This is more robust against some of the failure modes
|
|
associated with running the autotools pieces on their own.
|
|
|
|
o Minor packaging issues:
|
|
- On OpenSUSE, create the /var/run/tor directory on startup if it is not
|
|
already created. Patch from Andreas Stieger. Fixes bug 2573.
|
|
|
|
o Code simplifications and refactoring:
|
|
- A major revision to our internal node-selecting and listing logic.
|
|
Tor already had at least two major ways to look at the question of
|
|
"which Tor servers do we know about": a list of router descriptors,
|
|
and a list of entries in the current consensus. With
|
|
microdescriptors, we're adding a third. Having so many systems
|
|
without an abstraction layer over them was hurting the codebase.
|
|
Now, we have a new "node_t" abstraction that presents a consistent
|
|
interface to a client's view of a Tor node, and holds (nearly) all
|
|
of the mutable state formerly in routerinfo_t and routerstatus_t.
|
|
- The helper programs tor-gencert, tor-resolve, and tor-checkkey
|
|
no longer link against Libevent: they never used it, but
|
|
our library structure used to force them to link it.
|
|
|
|
o Removed features:
|
|
- Remove some old code to work around even older versions of Tor that
|
|
used forked processes to handle DNS requests. Such versions of Tor
|
|
are no longer in use as servers.
|
|
|
|
o Documentation fixes:
|
|
- Correct a broken faq link in the INSTALL file. Fixes bug 2307.
|
|
- Add missing documentation for the authority-related torrc options
|
|
RephistTrackTime, BridgePassword, and V3AuthUseLegacyKey. Resolves
|
|
issue 2379.
|
|
|
|
|
|
Changes in version 0.2.2.25-alpha - 2011-04-29
|
|
Tor 0.2.2.25-alpha fixes many bugs: hidden service clients are more
|
|
robust, routers no longer overreport their bandwidth, Win7 should crash
|
|
a little less, and NEWNYM (as used by Vidalia's "new identity" button)
|
|
now prevents hidden service-related activity from being linkable. It
|
|
provides more information to Vidalia so you can see if your bridge is
|
|
working. Also, 0.2.2.25-alpha revamps the Entry/Exit/ExcludeNodes and
|
|
StrictNodes configuration options to make them more reliable, more
|
|
understandable, and more regularly applied. If you use those options,
|
|
please see the revised documentation for them in the manual page.
|
|
|
|
o Major bugfixes:
|
|
- Relays were publishing grossly inflated bandwidth values because
|
|
they were writing their state files wrong--now they write the
|
|
correct value. Also, resume reading bandwidth history from the
|
|
state file correctly. Fixes bug 2704; bugfix on 0.2.2.23-alpha.
|
|
- Improve hidden service robustness: When we find that we have
|
|
extended a hidden service's introduction circuit to a relay not
|
|
listed as an introduction point in the HS descriptor we currently
|
|
have, retry with an introduction point from the current
|
|
descriptor. Previously we would just give up. Fixes bugs 1024 and
|
|
1930; bugfix on 0.2.0.10-alpha.
|
|
- Clients now stop trying to use an exit node associated with a given
|
|
destination by TrackHostExits if they fail to reach that exit node.
|
|
Fixes bug 2999. Bugfix on 0.2.0.20-rc.
|
|
- Fix crash bug on platforms where gmtime and localtime can return
|
|
NULL. Windows 7 users were running into this one. Fixes part of bug
|
|
2077. Bugfix on all versions of Tor. Found by boboper.
|
|
|
|
o Security and stability fixes:
|
|
- Don't double-free a parsable, but invalid, microdescriptor, even if
|
|
it is followed in the blob we're parsing by an unparsable
|
|
microdescriptor. Fixes an issue reported in a comment on bug 2954.
|
|
Bugfix on 0.2.2.6-alpha; fix by "cypherpunks".
|
|
- If the Nickname configuration option isn't given, Tor would pick a
|
|
nickname based on the local hostname as the nickname for a relay.
|
|
Because nicknames are not very important in today's Tor and the
|
|
"Unnamed" nickname has been implemented, this is now problematic
|
|
behavior: It leaks information about the hostname without being
|
|
useful at all. Fixes bug 2979; bugfix on 0.1.2.2-alpha, which
|
|
introduced the Unnamed nickname. Reported by tagnaq.
|
|
- Fix an uncommon assertion failure when running with DNSPort under
|
|
heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
|
|
- Avoid linkability based on cached hidden service descriptors: forget
|
|
all hidden service descriptors cached as a client when processing a
|
|
SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
|
|
|
|
o Major features:
|
|
- Export GeoIP information on bridge usage to controllers even if we
|
|
have not yet been running for 24 hours. Now Vidalia bridge operators
|
|
can get more accurate and immediate feedback about their
|
|
contributions to the network.
|
|
|
|
o Major features and bugfixes (node selection):
|
|
- Revise and reconcile the meaning of the ExitNodes, EntryNodes,
|
|
ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and StrictNodes
|
|
options. Previously, we had been ambiguous in describing what
|
|
counted as an "exit" node, and what operations exactly "StrictNodes
|
|
0" would permit. This created confusion when people saw nodes built
|
|
through unexpected circuits, and made it hard to tell real bugs from
|
|
surprises. Now the intended behavior is:
|
|
. "Exit", in the context of ExitNodes and ExcludeExitNodes, means
|
|
a node that delivers user traffic outside the Tor network.
|
|
. "Entry", in the context of EntryNodes, means a node used as the
|
|
first hop of a multihop circuit. It doesn't include direct
|
|
connections to directory servers.
|
|
. "ExcludeNodes" applies to all nodes.
|
|
. "StrictNodes" changes the behavior of ExcludeNodes only. When
|
|
StrictNodes is set, Tor should avoid all nodes listed in
|
|
ExcludeNodes, even when it will make user requests fail. When
|
|
StrictNodes is *not* set, then Tor should follow ExcludeNodes
|
|
whenever it can, except when it must use an excluded node to
|
|
perform self-tests, connect to a hidden service, provide a
|
|
hidden service, fulfill a .exit request, upload directory
|
|
information, or fetch directory information.
|
|
Collectively, the changes to implement the behavior fix bug 1090.
|
|
- ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if
|
|
a node is listed in both, it's treated as excluded.
|
|
- ExcludeNodes now applies to directory nodes -- as a preference if
|
|
StrictNodes is 0, or an absolute requirement if StrictNodes is 1.
|
|
Don't exclude all the directory authorities and set StrictNodes to 1
|
|
unless you really want your Tor to break.
|
|
- ExcludeNodes and ExcludeExitNodes now override exit enclaving.
|
|
- ExcludeExitNodes now overrides .exit requests.
|
|
- We don't use bridges listed in ExcludeNodes.
|
|
- When StrictNodes is 1:
|
|
. We now apply ExcludeNodes to hidden service introduction points
|
|
and to rendezvous points selected by hidden service users. This
|
|
can make your hidden service less reliable: use it with caution!
|
|
. If we have used ExcludeNodes on ourself, do not try relay
|
|
reachability self-tests.
|
|
. If we have excluded all the directory authorities, we will not
|
|
even try to upload our descriptor if we're a relay.
|
|
. Do not honor .exit requests to an excluded node.
|
|
- Remove a misfeature that caused us to ignore the Fast/Stable flags
|
|
when ExitNodes is set. Bugfix on 0.2.2.7-alpha.
|
|
- When the set of permitted nodes changes, we now remove any mappings
|
|
introduced via TrackExitHosts to now-excluded nodes. Bugfix on
|
|
0.1.0.1-rc.
|
|
- We never cannibalize a circuit that had excluded nodes on it, even
|
|
if StrictNodes is 0. Bugfix on 0.1.0.1-rc.
|
|
- Revert a change where we would be laxer about attaching streams to
|
|
circuits than when building the circuits. This was meant to prevent
|
|
a set of bugs where streams were never attachable, but our improved
|
|
code here should make this unnecessary. Bugfix on 0.2.2.7-alpha.
|
|
- Keep track of how many times we launch a new circuit to handle a
|
|
given stream. Too many launches could indicate an inconsistency
|
|
between our "launch a circuit to handle this stream" logic and our
|
|
"attach this stream to one of the available circuits" logic.
|
|
- Improve log messages related to excluded nodes.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a spurious warning when moving from a short month to a long
|
|
month on relays with month-based BandwidthAccounting. Bugfix on
|
|
0.2.2.17-alpha; fixes bug 3020.
|
|
- When a client finds that an origin circuit has run out of 16-bit
|
|
stream IDs, we now mark it as unusable for new streams. Previously,
|
|
we would try to close the entire circuit. Bugfix on 0.0.6.
|
|
- Add a forgotten cast that caused a compile warning on OS X 10.6.
|
|
Bugfix on 0.2.2.24-alpha.
|
|
- Be more careful about reporting the correct error from a failed
|
|
connect() system call. Under some circumstances, it was possible to
|
|
look at an incorrect value for errno when sending the end reason.
|
|
Bugfix on 0.1.0.1-rc.
|
|
- Correctly handle an "impossible" overflow cases in connection byte
|
|
counting, where we write or read more than 4GB on an edge connection
|
|
in a single second. Bugfix on 0.1.2.8-beta.
|
|
- Correct the warning displayed when a rendezvous descriptor exceeds
|
|
the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
|
|
John Brooks.
|
|
- Clients and hidden services now use HSDir-flagged relays for hidden
|
|
service descriptor downloads and uploads even if the relays have no
|
|
DirPort set and the client has disabled TunnelDirConns. This will
|
|
eventually allow us to give the HSDir flag to relays with no
|
|
DirPort. Fixes bug 2722; bugfix on 0.2.1.6-alpha.
|
|
- Downgrade "no current certificates known for authority" message from
|
|
Notice to Info. Fixes bug 2899; bugfix on 0.2.0.10-alpha.
|
|
- Make the SIGNAL DUMP control-port command work on FreeBSD. Fixes bug
|
|
2917. Bugfix on 0.1.1.1-alpha.
|
|
- Only limit the lengths of single HS descriptors, even when multiple
|
|
HS descriptors are published to an HSDir relay in a single POST
|
|
operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha. Found by hsdir.
|
|
- Write the current time into the LastWritten line in our state file,
|
|
rather than the time from the previous write attempt. Also, stop
|
|
trying to use a time of -1 in our log statements. Fixes bug 3039;
|
|
bugfix on 0.2.2.14-alpha.
|
|
- Be more consistent in our treatment of file system paths. "~" should
|
|
get expanded to the user's home directory in the Log config option.
|
|
Fixes bug 2971; bugfix on 0.2.0.1-alpha, which introduced the
|
|
feature for the -f and --DataDirectory options.
|
|
|
|
o Minor features:
|
|
- Make sure every relay writes a state file at least every 12 hours.
|
|
Previously, a relay could go for weeks without writing its state
|
|
file, and on a crash could lose its bandwidth history, capacity
|
|
estimates, client country statistics, and so on. Addresses bug 3012.
|
|
- Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors.
|
|
Clients before 0.2.1.27 didn't handle NOROUTE correctly, but such
|
|
clients are already deprecated because of security bugs.
|
|
- Don't allow v0 hidden service authorities to act as clients.
|
|
Required by fix for bug 3000.
|
|
- Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required
|
|
by fix for bug 3000.
|
|
- Ensure that no empty [dirreq-](read|write)-history lines are added
|
|
to an extrainfo document. Implements ticket 2497.
|
|
|
|
o Code simplification and refactoring:
|
|
- Remove workaround code to handle directory responses from servers
|
|
that had bug 539 (they would send HTTP status 503 responses _and_
|
|
send a body too). Since only server versions before
|
|
0.2.0.16-alpha/0.1.2.19 were affected, there is no longer reason to
|
|
keep the workaround in place.
|
|
- Remove the old 'fuzzy time' logic. It was supposed to be used for
|
|
handling calculations where we have a known amount of clock skew and
|
|
an allowed amount of unknown skew. But we only used it in three
|
|
places, and we never adjusted the known/unknown skew values. This is
|
|
still something we might want to do someday, but if we do, we'll
|
|
want to do it differently.
|
|
- Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
|
|
None of the cases where we did this before were wrong, but by making
|
|
this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
|
|
- Use GetTempDir to find the proper temporary directory location on
|
|
Windows when generating temporary files for the unit tests. Patch by
|
|
Gisle Vanem.
|
|
|
|
|
|
Changes in version 0.2.2.24-alpha - 2011-04-08
|
|
Tor 0.2.2.24-alpha fixes a variety of bugs, including a big bug that
|
|
prevented Tor clients from effectively using "multihomed" bridges,
|
|
that is, bridges that listen on multiple ports or IP addresses so users
|
|
can continue to use some of their addresses even if others get blocked.
|
|
|
|
o Major bugfixes:
|
|
- Fix a bug where bridge users who configure the non-canonical
|
|
address of a bridge automatically switch to its canonical
|
|
address. If a bridge listens at more than one address, it should be
|
|
able to advertise those addresses independently and any non-blocked
|
|
addresses should continue to work. Bugfix on Tor 0.2.0.x. Fixes
|
|
bug 2510.
|
|
- If you configured Tor to use bridge A, and then quit and
|
|
configured Tor to use bridge B instead, it would happily continue
|
|
to use bridge A if it's still reachable. While this behavior is
|
|
a feature if your goal is connectivity, in some scenarios it's a
|
|
dangerous bug. Bugfix on Tor 0.2.0.1-alpha; fixes bug 2511.
|
|
- Directory authorities now use data collected from their own
|
|
uptime observations when choosing whether to assign the HSDir flag
|
|
to relays, instead of trusting the uptime value the relay reports in
|
|
its descriptor. This change helps prevent an attack where a small
|
|
set of nodes with frequently-changing identity keys can blackhole
|
|
a hidden service. (Only authorities need upgrade; others will be
|
|
fine once they do.) Bugfix on 0.2.0.10-alpha; fixes bug 2709.
|
|
|
|
o Minor bugfixes:
|
|
- When we restart our relay, we might get a successful connection
|
|
from the outside before we've started our reachability tests,
|
|
triggering a warning: "ORPort found reachable, but I have no
|
|
routerinfo yet. Failing to inform controller of success." This
|
|
bug was harmless unless Tor is running under a controller
|
|
like Vidalia, in which case the controller would never get a
|
|
REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
|
|
fixes bug 1172.
|
|
- Make directory authorities more accurate at recording when
|
|
relays that have failed several reachability tests became
|
|
unreachable, so we can provide more accuracy at assigning Stable,
|
|
Guard, HSDir, etc flags. Bugfix on 0.2.0.6-alpha. Resolves bug 2716.
|
|
- Fix an issue that prevented static linking of libevent on
|
|
some platforms (notably Linux). Fixes bug 2698; bugfix on
|
|
versions 0.2.1.23/0.2.2.8-alpha (the versions introducing
|
|
the --with-static-libevent configure option).
|
|
- We now ask the other side of a stream (the client or the exit)
|
|
for more data on that stream when the amount of queued data on
|
|
that stream dips low enough. Previously, we wouldn't ask the
|
|
other side for more data until either it sent us more data (which
|
|
it wasn't supposed to do if it had exhausted its window!) or we
|
|
had completely flushed all our queued data. This flow control fix
|
|
should improve throughput. Fixes bug 2756; bugfix on the earliest
|
|
released versions of Tor (svn commit r152).
|
|
- Avoid a double-mark-for-free warning when failing to attach a
|
|
transparent proxy connection. (We thought we had fixed this in
|
|
0.2.2.23-alpha, but it turns out our fix was checking the wrong
|
|
connection.) Fixes bug 2757; bugfix on 0.1.2.1-alpha (the original
|
|
bug) and 0.2.2.23-alpha (the incorrect fix).
|
|
- When warning about missing zlib development packages during compile,
|
|
give the correct package names. Bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor features:
|
|
- Directory authorities now log the source of a rejected POSTed v3
|
|
networkstatus vote.
|
|
- Make compilation with clang possible when using
|
|
--enable-gcc-warnings by removing two warning options that clang
|
|
hasn't implemented yet and by fixing a few warnings. Implements
|
|
ticket 2696.
|
|
- When expiring circuits, use microsecond timers rather than
|
|
one-second timers. This can avoid an unpleasant situation where a
|
|
circuit is launched near the end of one second and expired right
|
|
near the beginning of the next, and prevent fluctuations in circuit
|
|
timeout values.
|
|
- Use computed circuit-build timeouts to decide when to launch
|
|
parallel introduction circuits for hidden services. (Previously,
|
|
we would retry after 15 seconds.)
|
|
- Update to the April 1 2011 Maxmind GeoLite Country database.
|
|
|
|
o Packaging fixes:
|
|
- Create the /var/run/tor directory on startup on OpenSUSE if it is
|
|
not already created. Patch from Andreas Stieger. Fixes bug 2573.
|
|
|
|
o Documentation changes:
|
|
- Modernize the doxygen configuration file slightly. Fixes bug 2707.
|
|
- Resolve all doxygen warnings except those for missing documentation.
|
|
Fixes bug 2705.
|
|
- Add doxygen documentation for more functions, fields, and types.
|
|
|
|
|
|
Changes in version 0.2.2.23-alpha - 2011-03-08
|
|
Tor 0.2.2.23-alpha lets relays record their bandwidth history so when
|
|
they restart they don't lose their bandwidth capacity estimate. This
|
|
release also fixes a diverse set of user-facing bugs, ranging from
|
|
relays overrunning their rate limiting to clients falsely warning about
|
|
clock skew to bridge descriptor leaks by our bridge directory authority.
|
|
|
|
o Major bugfixes:
|
|
- Stop sending a CLOCK_SKEW controller status event whenever
|
|
we fetch directory information from a relay that has a wrong clock.
|
|
Instead, only inform the controller when it's a trusted authority
|
|
that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
|
|
the rest of bug 1074.
|
|
- Fix an assert in parsing router descriptors containing IPv6
|
|
addresses. This one took down the directory authorities when
|
|
somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
|
|
- Make the bridge directory authority refuse to answer directory
|
|
requests for "all" descriptors. It used to include bridge
|
|
descriptors in its answer, which was a major information leak.
|
|
Found by "piebeer". Bugfix on 0.2.0.3-alpha.
|
|
- If relays set RelayBandwidthBurst but not RelayBandwidthRate,
|
|
Tor would ignore their RelayBandwidthBurst setting,
|
|
potentially using more bandwidth than expected. Bugfix on
|
|
0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
|
|
- Ignore and warn if the user mistakenly sets "PublishServerDescriptor
|
|
hidserv" in her torrc. The 'hidserv' argument never controlled
|
|
publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.
|
|
|
|
o Major features:
|
|
- Relays now save observed peak bandwidth throughput rates to their
|
|
state file (along with total usage, which was already saved)
|
|
so that they can determine their correct estimated bandwidth on
|
|
restart. Resolves bug 1863, where Tor relays would reset their
|
|
estimated bandwidth to 0 after restarting.
|
|
- Directory authorities now take changes in router IP address and
|
|
ORPort into account when determining router stability. Previously,
|
|
if a router changed its IP or ORPort, the authorities would not
|
|
treat it as having any downtime for the purposes of stability
|
|
calculation, whereas clients would experience downtime since the
|
|
change could take a while to propagate to them. Resolves issue 1035.
|
|
- Enable Address Space Layout Randomization (ASLR) and Data Execution
|
|
Prevention (DEP) by default on Windows to make it harder for
|
|
attackers to exploit vulnerabilities. Patch from John Brooks.
|
|
|
|
o Minor bugfixes (on 0.2.1.x and earlier):
|
|
- Fix a rare crash bug that could occur when a client was configured
|
|
with a large number of bridges. Fixes bug 2629; bugfix on
|
|
0.2.1.2-alpha. Bugfix by trac user "shitlei".
|
|
- Avoid a double mark-for-free warning when failing to attach a
|
|
transparent proxy connection. Bugfix on 0.1.2.1-alpha. Fixes
|
|
bug 2279.
|
|
- Correctly detect failure to allocate an OpenSSL BIO. Fixes bug 2378;
|
|
found by "cypherpunks". This bug was introduced before the first
|
|
Tor release, in svn commit r110.
|
|
- Country codes aren't supported in EntryNodes until 0.2.3.x, so
|
|
don't mention them in the manpage. Fixes bug 2450; issue
|
|
spotted by keb and G-Lo.
|
|
- Fix a bug in bandwidth history state parsing that could have been
|
|
triggered if a future version of Tor ever changed the timing
|
|
granularity at which bandwidth history is measured. Bugfix on
|
|
Tor 0.1.1.11-alpha.
|
|
- When a relay decides that its DNS is too broken for it to serve
|
|
as an exit server, it advertised itself as a non-exit, but
|
|
continued to act as an exit. This could create accidental
|
|
partitioning opportunities for users. Instead, if a relay is
|
|
going to advertise reject *:* as its exit policy, it should
|
|
really act with exit policy "reject *:*". Fixes bug 2366.
|
|
Bugfix on Tor 0.1.2.5-alpha. Bugfix by user "postman" on trac.
|
|
- In the special case where you configure a public exit relay as your
|
|
bridge, Tor would be willing to use that exit relay as the last
|
|
hop in your circuit as well. Now we fail that circuit instead.
|
|
Bugfix on 0.2.0.12-alpha. Fixes bug 2403. Reported by "piebeer".
|
|
- Fix a bug with our locking implementation on Windows that couldn't
|
|
correctly detect when a file was already locked. Fixes bug 2504,
|
|
bugfix on 0.2.1.6-alpha.
|
|
- Fix IPv6-related connect() failures on some platforms (BSD, OS X).
|
|
Bugfix on 0.2.0.3-alpha; fixes first part of bug 2660. Patch by
|
|
"piebeer".
|
|
- Set target port in get_interface_address6() correctly. Bugfix
|
|
on 0.1.1.4-alpha and 0.2.0.3-alpha; fixes second part of bug 2660.
|
|
- Directory authorities are now more robust to hops back in time
|
|
when calculating router stability. Previously, if a run of uptime
|
|
or downtime appeared to be negative, the calculation could give
|
|
incorrect results. Bugfix on 0.2.0.6-alpha; noticed when fixing
|
|
bug 1035.
|
|
- Fix an assert that got triggered when using the TestingTorNetwork
|
|
configuration option and then issuing a GETINFO config-text control
|
|
command. Fixes bug 2250; bugfix on 0.2.1.2-alpha.
|
|
|
|
o Minor bugfixes (on 0.2.2.x):
|
|
- Clients should not weight BadExit nodes as Exits in their node
|
|
selection. Similarly, directory authorities should not count BadExit
|
|
bandwidth as Exit bandwidth when computing bandwidth-weights.
|
|
Bugfix on 0.2.2.10-alpha; fixes bug 2203.
|
|
- Correctly clear our dir_read/dir_write history when there is an
|
|
error parsing any bw history value from the state file. Bugfix on
|
|
Tor 0.2.2.15-alpha.
|
|
- Resolve a bug in verifying signatures of directory objects
|
|
with digests longer than SHA1. Bugfix on 0.2.2.20-alpha.
|
|
Fixes bug 2409. Found by "piebeer".
|
|
- Bridge authorities no longer crash on SIGHUP when they try to
|
|
publish their relay descriptor to themselves. Fixes bug 2572. Bugfix
|
|
on 0.2.2.22-alpha.
|
|
|
|
o Minor features:
|
|
- Log less aggressively about circuit timeout changes, and improve
|
|
some other circuit timeout messages. Resolves bug 2004.
|
|
- Log a little more clearly about the times at which we're no longer
|
|
accepting new connections. Resolves bug 2181.
|
|
- Reject attempts at the client side to open connections to private
|
|
IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with
|
|
a randomly chosen exit node. Attempts to do so are always
|
|
ill-defined, generally prevented by exit policies, and usually
|
|
in error. This will also help to detect loops in transparent
|
|
proxy configurations. You can disable this feature by setting
|
|
"ClientRejectInternalAddresses 0" in your torrc.
|
|
- Always treat failure to allocate an RSA key as an unrecoverable
|
|
allocation error.
|
|
- Update to the March 1 2011 Maxmind GeoLite Country database.
|
|
|
|
o Minor features (log subsystem):
|
|
- Add documentation for configuring logging at different severities in
|
|
different log domains. We've had this feature since 0.2.1.1-alpha,
|
|
but for some reason it never made it into the manpage. Fixes
|
|
bug 2215.
|
|
- Make it simpler to specify "All log domains except for A and B".
|
|
Previously you needed to say "[*,~A,~B]". Now you can just say
|
|
"[~A,~B]".
|
|
- Add a "LogMessageDomains 1" option to include the domains of log
|
|
messages along with the messages. Without this, there's no way
|
|
to use log domains without reading the source or doing a lot
|
|
of guessing.
|
|
|
|
o Packaging changes:
|
|
- Stop shipping the Tor specs files and development proposal documents
|
|
in the tarball. They are now in a separate git repository at
|
|
git://git.torproject.org/torspec.git
|
|
|
|
|
|
Changes in version 0.2.1.30 - 2011-02-23
|
|
Tor 0.2.1.30 fixes a variety of less critical bugs. The main other
|
|
change is a slight tweak to Tor's TLS handshake that makes relays
|
|
and bridges that run this new version reachable from Iran again.
|
|
We don't expect this tweak will win the arms race long-term, but it
|
|
buys us time until we roll out a better solution.
|
|
|
|
o Major bugfixes:
|
|
- Stop sending a CLOCK_SKEW controller status event whenever
|
|
we fetch directory information from a relay that has a wrong clock.
|
|
Instead, only inform the controller when it's a trusted authority
|
|
that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
|
|
the rest of bug 1074.
|
|
- Fix a bounds-checking error that could allow an attacker to
|
|
remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
|
|
Found by "piebeer".
|
|
- If relays set RelayBandwidthBurst but not RelayBandwidthRate,
|
|
Tor would ignore their RelayBandwidthBurst setting,
|
|
potentially using more bandwidth than expected. Bugfix on
|
|
0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
|
|
- Ignore and warn if the user mistakenly sets "PublishServerDescriptor
|
|
hidserv" in her torrc. The 'hidserv' argument never controlled
|
|
publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor features:
|
|
- Adjust our TLS Diffie-Hellman parameters to match those used by
|
|
Apache's mod_ssl.
|
|
- Update to the February 1 2011 Maxmind GeoLite Country database.
|
|
|
|
o Minor bugfixes:
|
|
- Check for and reject overly long directory certificates and
|
|
directory tokens before they have a chance to hit any assertions.
|
|
Bugfix on 0.2.1.28. Found by "doorss".
|
|
- Bring the logic that gathers routerinfos and assesses the
|
|
acceptability of circuits into line. This prevents a Tor OP from
|
|
getting locked in a cycle of choosing its local OR as an exit for a
|
|
path (due to a .exit request) and then rejecting the circuit because
|
|
its OR is not listed yet. It also prevents Tor clients from using an
|
|
OR running in the same instance as an exit (due to a .exit request)
|
|
if the OR does not meet the same requirements expected of an OR
|
|
running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.
|
|
|
|
o Packaging changes:
|
|
- Stop shipping the Tor specs files and development proposal documents
|
|
in the tarball. They are now in a separate git repository at
|
|
git://git.torproject.org/torspec.git
|
|
- Do not include Git version tags as though they are SVN tags when
|
|
generating a tarball from inside a repository that has switched
|
|
between branches. Bugfix on 0.2.1.15-rc; fixes bug 2402.
|
|
|
|
|
|
Changes in version 0.2.2.22-alpha - 2011-01-25
|
|
Tor 0.2.2.22-alpha fixes a few more less-critical security issues. The
|
|
main other change is a slight tweak to Tor's TLS handshake that makes
|
|
relays and bridges that run this new version reachable from Iran again.
|
|
We don't expect this tweak will win the arms race long-term, but it
|
|
will buy us a bit more time until we roll out a better solution.
|
|
|
|
o Major bugfixes:
|
|
- Fix a bounds-checking error that could allow an attacker to
|
|
remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
|
|
Found by "piebeer".
|
|
- Don't assert when changing from bridge to relay or vice versa
|
|
via the controller. The assert happened because we didn't properly
|
|
initialize our keys in this case. Bugfix on 0.2.2.18-alpha; fixes
|
|
bug 2433. Reported by bastik.
|
|
|
|
o Minor features:
|
|
- Adjust our TLS Diffie-Hellman parameters to match those used by
|
|
Apache's mod_ssl.
|
|
- Provide a log message stating which geoip file we're parsing
|
|
instead of just stating that we're parsing the geoip file.
|
|
Implements ticket 2432.
|
|
|
|
o Minor bugfixes:
|
|
- Check for and reject overly long directory certificates and
|
|
directory tokens before they have a chance to hit any assertions.
|
|
Bugfix on 0.2.1.28 / 0.2.2.20-alpha. Found by "doorss".
|
|
|
|
|
|
Changes in version 0.2.2.21-alpha - 2011-01-15
|
|
Tor 0.2.2.21-alpha includes all the patches from Tor 0.2.1.29, which
|
|
continues our recent code security audit work. The main fix resolves
|
|
a remote heap overflow vulnerability that can allow remote code
|
|
execution (CVE-2011-0427). Other fixes address a variety of assert
|
|
and crash bugs, most of which we think are hard to exploit remotely.
|
|
|
|
o Major bugfixes (security), also included in 0.2.1.29:
|
|
- Fix a heap overflow bug where an adversary could cause heap
|
|
corruption. This bug probably allows remote code execution
|
|
attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
|
|
0.1.2.10-rc.
|
|
- Prevent a denial-of-service attack by disallowing any
|
|
zlib-compressed data whose compression factor is implausibly
|
|
high. Fixes part of bug 2324; reported by "doorss".
|
|
- Zero out a few more keys in memory before freeing them. Fixes
|
|
bug 2384 and part of bug 2385. These key instances found by
|
|
"cypherpunks", based on Andrew Case's report about being able
|
|
to find sensitive data in Tor's memory space if you have enough
|
|
permissions. Bugfix on 0.0.2pre9.
|
|
|
|
o Major bugfixes (crashes), also included in 0.2.1.29:
|
|
- Prevent calls to Libevent from inside Libevent log handlers.
|
|
This had potential to cause a nasty set of crashes, especially
|
|
if running Libevent with debug logging enabled, and running
|
|
Tor with a controller watching for low-severity log messages.
|
|
Bugfix on 0.1.0.2-rc. Fixes bug 2190.
|
|
- Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
|
|
underflow errors there too. Fixes the other part of bug 2324.
|
|
- Fix a bug where we would assert if we ever had a
|
|
cached-descriptors.new file (or another file read directly into
|
|
memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
|
|
on 0.2.1.25. Found by doorss.
|
|
- Fix some potential asserts and parsing issues with grossly
|
|
malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
|
|
Found by doorss.
|
|
|
|
o Minor bugfixes (other), also included in 0.2.1.29:
|
|
- Fix a bug with handling misformed replies to reverse DNS lookup
|
|
requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
|
|
bug reported by doorss.
|
|
- Fix compilation on mingw when a pthreads compatibility library
|
|
has been installed. (We don't want to use it, so we shouldn't
|
|
be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
|
|
- Fix a bug where we would declare that we had run out of virtual
|
|
addresses when the address space was only half-exhausted. Bugfix
|
|
on 0.1.2.1-alpha.
|
|
- Correctly handle the case where AutomapHostsOnResolve is set but
|
|
no virtual addresses are available. Fixes bug 2328; bugfix on
|
|
0.1.2.1-alpha. Bug found by doorss.
|
|
- Correctly handle wrapping around when we run out of virtual
|
|
address space. Found by cypherpunks; bugfix on 0.2.0.5-alpha.
|
|
|
|
o Minor features, also included in 0.2.1.29:
|
|
- Update to the January 1 2011 Maxmind GeoLite Country database.
|
|
- Introduce output size checks on all of our decryption functions.
|
|
|
|
o Build changes, also included in 0.2.1.29:
|
|
- Tor does not build packages correctly with Automake 1.6 and earlier;
|
|
added a check to Makefile.am to make sure that we're building with
|
|
Automake 1.7 or later.
|
|
- The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
|
|
because we built it with a too-old version of automake. Thus that
|
|
release broke ./configure --enable-openbsd-malloc, which is popular
|
|
among really fast exit relays on Linux.
|
|
|
|
o Major bugfixes, new in 0.2.2.21-alpha:
|
|
- Prevent crash/heap corruption when the cbtnummodes consensus
|
|
parameter is set to 0 or large values. Fixes bug 2317; bugfix
|
|
on 0.2.2.14-alpha.
|
|
|
|
o Major features, new in 0.2.2.21-alpha:
|
|
- Introduce minimum/maximum values that clients will believe
|
|
from the consensus. Now we'll have a better chance to avoid crashes
|
|
or worse when a consensus param has a weird value.
|
|
|
|
o Minor features, new in 0.2.2.21-alpha:
|
|
- Make sure to disable DirPort if running as a bridge. DirPorts aren't
|
|
used on bridges, and it makes bridge scanning somewhat easier.
|
|
- If writing the state file to disk fails, wait up to an hour before
|
|
retrying again, rather than trying again each second. Fixes bug
|
|
2346; bugfix on Tor 0.1.1.3-alpha.
|
|
- Make Libevent log messages get delivered to controllers later,
|
|
and not from inside the Libevent log handler. This prevents unsafe
|
|
reentrant Libevent calls while still letting the log messages
|
|
get through.
|
|
- Detect platforms that brokenly use a signed size_t, and refuse to
|
|
build there. Found and analyzed by doorss and rransom.
|
|
- Fix a bunch of compile warnings revealed by mingw with gcc 4.5.
|
|
Resolves bug 2314.
|
|
|
|
o Minor bugfixes, new in 0.2.2.21-alpha:
|
|
- Handle SOCKS messages longer than 128 bytes long correctly, rather
|
|
than waiting forever for them to finish. Fixes bug 2330; bugfix
|
|
on 0.2.0.16-alpha. Found by doorss.
|
|
- Add assertions to check for overflow in arguments to
|
|
base32_encode() and base32_decode(); fix a signed-unsigned
|
|
comparison there too. These bugs are not actually reachable in Tor,
|
|
but it's good to prevent future errors too. Found by doorss.
|
|
- Correctly detect failures to create DNS requests when using Libevent
|
|
versions before v2. (Before Libevent 2, we used our own evdns
|
|
implementation. Its return values for Libevent's evdns_resolve_*()
|
|
functions are not consistent with those from Libevent.) Fixes bug
|
|
2363; bugfix on 0.2.2.6-alpha. Found by "lodger".
|
|
|
|
o Documentation, new in 0.2.2.21-alpha:
|
|
- Document the default socks host and port (127.0.0.1:9050) for
|
|
tor-resolve.
|
|
|
|
|
|
Changes in version 0.2.1.29 - 2011-01-15
|
|
Tor 0.2.1.29 continues our recent code security audit work. The main
|
|
fix resolves a remote heap overflow vulnerability that can allow remote
|
|
code execution. Other fixes address a variety of assert and crash bugs,
|
|
most of which we think are hard to exploit remotely.
|
|
|
|
o Major bugfixes (security):
|
|
- Fix a heap overflow bug where an adversary could cause heap
|
|
corruption. This bug probably allows remote code execution
|
|
attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
|
|
0.1.2.10-rc.
|
|
- Prevent a denial-of-service attack by disallowing any
|
|
zlib-compressed data whose compression factor is implausibly
|
|
high. Fixes part of bug 2324; reported by "doorss".
|
|
- Zero out a few more keys in memory before freeing them. Fixes
|
|
bug 2384 and part of bug 2385. These key instances found by
|
|
"cypherpunks", based on Andrew Case's report about being able
|
|
to find sensitive data in Tor's memory space if you have enough
|
|
permissions. Bugfix on 0.0.2pre9.
|
|
|
|
o Major bugfixes (crashes):
|
|
- Prevent calls to Libevent from inside Libevent log handlers.
|
|
This had potential to cause a nasty set of crashes, especially
|
|
if running Libevent with debug logging enabled, and running
|
|
Tor with a controller watching for low-severity log messages.
|
|
Bugfix on 0.1.0.2-rc. Fixes bug 2190.
|
|
- Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
|
|
underflow errors there too. Fixes the other part of bug 2324.
|
|
- Fix a bug where we would assert if we ever had a
|
|
cached-descriptors.new file (or another file read directly into
|
|
memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
|
|
on 0.2.1.25. Found by doorss.
|
|
- Fix some potential asserts and parsing issues with grossly
|
|
malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
|
|
Found by doorss.
|
|
|
|
o Minor bugfixes (other):
|
|
- Fix a bug with handling misformed replies to reverse DNS lookup
|
|
requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
|
|
bug reported by doorss.
|
|
- Fix compilation on mingw when a pthreads compatibility library
|
|
has been installed. (We don't want to use it, so we shouldn't
|
|
be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
|
|
- Fix a bug where we would declare that we had run out of virtual
|
|
addresses when the address space was only half-exhausted. Bugfix
|
|
on 0.1.2.1-alpha.
|
|
- Correctly handle the case where AutomapHostsOnResolve is set but
|
|
no virtual addresses are available. Fixes bug 2328; bugfix on
|
|
0.1.2.1-alpha. Bug found by doorss.
|
|
- Correctly handle wrapping around to when we run out of virtual
|
|
address space. Found by cypherpunks, bugfix on 0.2.0.5-alpha.
|
|
- The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
|
|
because we built it with a too-old version of automake. Thus that
|
|
release broke ./configure --enable-openbsd-malloc, which is popular
|
|
among really fast exit relays on Linux.
|
|
|
|
o Minor features:
|
|
- Update to the January 1 2011 Maxmind GeoLite Country database.
|
|
- Introduce output size checks on all of our decryption functions.
|
|
|
|
o Build changes:
|
|
- Tor does not build packages correctly with Automake 1.6 and earlier;
|
|
added a check to Makefile.am to make sure that we're building with
|
|
Automake 1.7 or later.
|
|
|
|
|
|
Changes in version 0.2.2.20-alpha - 2010-12-17
|
|
Tor 0.2.2.20-alpha does some code cleanup to reduce the risk of remotely
|
|
exploitable bugs. We also fix a variety of other significant bugs,
|
|
change the IP address for one of our directory authorities, and update
|
|
the minimum version that Tor relays must run to join the network.
|
|
|
|
o Major bugfixes:
|
|
- Fix a remotely exploitable bug that could be used to crash instances
|
|
of Tor remotely by overflowing on the heap. Remote-code execution
|
|
hasn't been confirmed, but can't be ruled out. Everyone should
|
|
upgrade. Bugfix on the 0.1.1 series and later.
|
|
- Fix a bug that could break accounting on 64-bit systems with large
|
|
time_t values, making them hibernate for impossibly long intervals.
|
|
Fixes bug 2146. Bugfix on 0.0.9pre6; fix by boboper.
|
|
- Fix a logic error in directory_fetches_from_authorities() that
|
|
would cause all _non_-exits refusing single-hop-like circuits
|
|
to fetch from authorities, when we wanted to have _exits_ fetch
|
|
from authorities. Fixes more of 2097. Bugfix on 0.2.2.16-alpha;
|
|
fix by boboper.
|
|
- Fix a stream fairness bug that would cause newer streams on a given
|
|
circuit to get preference when reading bytes from the origin or
|
|
destination. Fixes bug 2210. Fix by Mashael AlSabah. This bug was
|
|
introduced before the first Tor release, in svn revision r152.
|
|
|
|
o Directory authority changes:
|
|
- Change IP address and ports for gabelmoo (v3 directory authority).
|
|
|
|
o Minor bugfixes:
|
|
- Avoid crashes when AccountingMax is set on clients. Fixes bug 2235.
|
|
Bugfix on 0.2.2.18-alpha. Diagnosed by boboper.
|
|
- Fix an off-by-one error in calculating some controller command
|
|
argument lengths. Fortunately, this mistake is harmless since
|
|
the controller code does redundant NUL termination too. Found by
|
|
boboper. Bugfix on 0.1.1.1-alpha.
|
|
- Do not dereference NULL if a bridge fails to build its
|
|
extra-info descriptor. Found by an anonymous commenter on
|
|
Trac. Bugfix on 0.2.2.19-alpha.
|
|
|
|
o Minor features:
|
|
- Update to the December 1 2010 Maxmind GeoLite Country database.
|
|
- Directory authorities now reject relays running any versions of
|
|
Tor between 0.2.1.3-alpha and 0.2.1.18 inclusive; they have
|
|
known bugs that keep RELAY_EARLY cells from working on rendezvous
|
|
circuits. Followup to fix for bug 2081.
|
|
- Directory authorities now reject relays running any version of Tor
|
|
older than 0.2.0.26-rc. That version is the earliest that fetches
|
|
current directory information correctly. Fixes bug 2156.
|
|
- Report only the top 10 ports in exit-port stats in order not to
|
|
exceed the maximum extra-info descriptor length of 50 KB. Implements
|
|
task 2196.
|
|
|
|
|
|
Changes in version 0.2.1.28 - 2010-12-17
|
|
Tor 0.2.1.28 does some code cleanup to reduce the risk of remotely
|
|
exploitable bugs. We also took this opportunity to change the IP address
|
|
for one of our directory authorities, and to update the geoip database
|
|
we ship.
|
|
|
|
o Major bugfixes:
|
|
- Fix a remotely exploitable bug that could be used to crash instances
|
|
of Tor remotely by overflowing on the heap. Remote-code execution
|
|
hasn't been confirmed, but can't be ruled out. Everyone should
|
|
upgrade. Bugfix on the 0.1.1 series and later.
|
|
|
|
o Directory authority changes:
|
|
- Change IP address and ports for gabelmoo (v3 directory authority).
|
|
|
|
o Minor features:
|
|
- Update to the December 1 2010 Maxmind GeoLite Country database.
|
|
|
|
|
|
Changes in version 0.2.1.27 - 2010-11-23
|
|
Yet another OpenSSL security patch broke its compatibility with Tor:
|
|
Tor 0.2.1.27 makes relays work with openssl 0.9.8p and 1.0.0.b. We
|
|
also took this opportunity to fix several crash bugs, integrate a new
|
|
directory authority, and update the bundled GeoIP database.
|
|
|
|
o Major bugfixes:
|
|
- Resolve an incompatibility with OpenSSL 0.9.8p and OpenSSL 1.0.0b:
|
|
No longer set the tlsext_host_name extension on server SSL objects;
|
|
but continue to set it on client SSL objects. Our goal in setting
|
|
it was to imitate a browser, not a vhosting server. Fixes bug 2204;
|
|
bugfix on 0.2.1.1-alpha.
|
|
- Do not log messages to the controller while shrinking buffer
|
|
freelists. Doing so would sometimes make the controller connection
|
|
try to allocate a buffer chunk, which would mess up the internals
|
|
of the freelist and cause an assertion failure. Fixes bug 1125;
|
|
fixed by Robert Ransom. Bugfix on 0.2.0.16-alpha.
|
|
- Learn our external IP address when we're a relay or bridge, even if
|
|
we set PublishServerDescriptor to 0. Bugfix on 0.2.0.3-alpha,
|
|
where we introduced bridge relays that don't need to publish to
|
|
be useful. Fixes bug 2050.
|
|
- Do even more to reject (and not just ignore) annotations on
|
|
router descriptors received anywhere but from the cache. Previously
|
|
we would ignore such annotations at first, but cache them to disk
|
|
anyway. Bugfix on 0.2.0.8-alpha. Found by piebeer.
|
|
- When you're using bridges and your network goes away and your
|
|
bridges get marked as down, recover when you attempt a new socks
|
|
connection (if the network is back), rather than waiting up to an
|
|
hour to try fetching new descriptors for your bridges. Bugfix on
|
|
0.2.0.3-alpha; fixes bug 1981.
|
|
|
|
o Major features:
|
|
- Move to the November 2010 Maxmind GeoLite country db (rather
|
|
than the June 2009 ip-to-country GeoIP db) for our statistics that
|
|
count how many users relays are seeing from each country. Now we'll
|
|
have more accurate data, especially for many African countries.
|
|
|
|
o New directory authorities:
|
|
- Set up maatuska (run by Linus Nordberg) as the eighth v3 directory
|
|
authority.
|
|
|
|
o Minor bugfixes:
|
|
- Fix an assertion failure that could occur in directory caches or
|
|
bridge users when using a very short voting interval on a testing
|
|
network. Diagnosed by Robert Hogan. Fixes bug 1141; bugfix on
|
|
0.2.0.8-alpha.
|
|
- Enforce multiplicity rules when parsing annotations. Bugfix on
|
|
0.2.0.8-alpha. Found by piebeer.
|
|
- Allow handshaking OR connections to take a full KeepalivePeriod
|
|
seconds to handshake. Previously, we would close them after
|
|
IDLE_OR_CONN_TIMEOUT (180) seconds, the same timeout as if they
|
|
were open. Bugfix on 0.2.1.26; fixes bug 1840. Thanks to mingw-san
|
|
for analysis help.
|
|
- When building with --enable-gcc-warnings on OpenBSD, disable
|
|
warnings in system headers. This makes --enable-gcc-warnings
|
|
pass on OpenBSD 4.8.
|
|
|
|
o Minor features:
|
|
- Exit nodes didn't recognize EHOSTUNREACH as a plausible error code,
|
|
and so sent back END_STREAM_REASON_MISC. Clients now recognize a new
|
|
stream ending reason for this case: END_STREAM_REASON_NOROUTE.
|
|
Servers can start sending this code when enough clients recognize
|
|
it. Bugfix on 0.1.0.1-rc; fixes part of bug 1793.
|
|
- Build correctly on mingw with more recent versions of OpenSSL 0.9.8.
|
|
Patch from mingw-san.
|
|
|
|
o Removed files:
|
|
- Remove the old debian/ directory from the main Tor distribution.
|
|
The official Tor-for-debian git repository lives at the URL
|
|
https://git.torproject.org/debian/tor.git
|
|
- Stop shipping the old doc/website/ directory in the tarball. We
|
|
changed the website format in late 2010, and what we shipped in
|
|
0.2.1.26 really wasn't that useful anyway.
|
|
|
|
|
|
Changes in version 0.2.2.19-alpha - 2010-11-22
|
|
Yet another OpenSSL security patch broke its compatibility with Tor:
|
|
Tor 0.2.2.19-alpha makes relays work with OpenSSL 0.9.8p and 1.0.0.b.
|
|
|
|
o Major bugfixes:
|
|
- Resolve an incompatibility with OpenSSL 0.9.8p and OpenSSL 1.0.0b:
|
|
No longer set the tlsext_host_name extension on server SSL objects;
|
|
but continue to set it on client SSL objects. Our goal in setting
|
|
it was to imitate a browser, not a vhosting server. Fixes bug 2204;
|
|
bugfix on 0.2.1.1-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Try harder not to exceed the maximum length of 50 KB when writing
|
|
statistics to extra-info descriptors. This bug was triggered by very
|
|
fast relays reporting exit-port, entry, and dirreq statistics.
|
|
Reported by Olaf Selke. Bugfix on 0.2.2.1-alpha. Fixes bug 2183.
|
|
- Publish a router descriptor even if generating an extra-info
|
|
descriptor fails. Previously we would not publish a router
|
|
descriptor without an extra-info descriptor; this can cause fast
|
|
exit relays collecting exit-port statistics to drop from the
|
|
consensus. Bugfix on 0.1.2.9-rc; fixes bug 2195.
|
|
|
|
|
|
Changes in version 0.2.2.18-alpha - 2010-11-16
|
|
Tor 0.2.2.18-alpha fixes several crash bugs that have been nagging
|
|
us lately, makes unpublished bridge relays able to detect their IP
|
|
address, and fixes a wide variety of other bugs to get us much closer
|
|
to a stable release.
|
|
|
|
o Major bugfixes:
|
|
- Do even more to reject (and not just ignore) annotations on
|
|
router descriptors received anywhere but from the cache. Previously
|
|
we would ignore such annotations at first, but cache them to disk
|
|
anyway. Bugfix on 0.2.0.8-alpha. Found by piebeer.
|
|
- Do not log messages to the controller while shrinking buffer
|
|
freelists. Doing so would sometimes make the controller connection
|
|
try to allocate a buffer chunk, which would mess up the internals
|
|
of the freelist and cause an assertion failure. Fixes bug 1125;
|
|
fixed by Robert Ransom. Bugfix on 0.2.0.16-alpha.
|
|
- Learn our external IP address when we're a relay or bridge, even if
|
|
we set PublishServerDescriptor to 0. Bugfix on 0.2.0.3-alpha,
|
|
where we introduced bridge relays that don't need to publish to
|
|
be useful. Fixes bug 2050.
|
|
- Maintain separate TLS contexts and certificates for incoming and
|
|
outgoing connections in bridge relays. Previously we would use the
|
|
same TLS contexts and certs for incoming and outgoing connections.
|
|
Bugfix on 0.2.0.3-alpha; addresses bug 988.
|
|
- Maintain separate identity keys for incoming and outgoing TLS
|
|
contexts in bridge relays. Previously we would use the same
|
|
identity keys for incoming and outgoing TLS contexts. Bugfix on
|
|
0.2.0.3-alpha; addresses the other half of bug 988.
|
|
- Avoid an assertion failure when we as an authority receive a
|
|
duplicate upload of a router descriptor that we already have,
|
|
but which we previously considered an obsolete descriptor.
|
|
Fixes another case of bug 1776. Bugfix on 0.2.2.16-alpha.
|
|
- Avoid a crash bug triggered by looking at a dangling pointer while
|
|
setting the network status consensus. Found by Robert Ransom.
|
|
Bugfix on 0.2.2.17-alpha. Fixes bug 2097.
|
|
- Fix a logic error where servers that _didn't_ act as exits would
|
|
try to keep their server lists more aggressively up to date than
|
|
exits, when it was supposed to be the other way around. Bugfix
|
|
on 0.2.2.17-alpha.
|
|
|
|
o Minor bugfixes (on Tor 0.2.1.x and earlier):
|
|
- When we're trying to guess whether we know our IP address as
|
|
a relay, we would log various ways that we failed to guess
|
|
our address, but never log that we ended up guessing it
|
|
successfully. Now add a log line to help confused and anxious
|
|
relay operators. Bugfix on 0.1.2.1-alpha; fixes bug 1534.
|
|
- Bring the logic that gathers routerinfos and assesses the
|
|
acceptability of circuits into line. This prevents a Tor OP from
|
|
getting locked in a cycle of choosing its local OR as an exit for a
|
|
path (due to a .exit request) and then rejecting the circuit because
|
|
its OR is not listed yet. It also prevents Tor clients from using an
|
|
OR running in the same instance as an exit (due to a .exit request)
|
|
if the OR does not meet the same requirements expected of an OR
|
|
running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.
|
|
- Correctly describe errors that occur when generating a TLS object.
|
|
Previously we would attribute them to a failure while generating a
|
|
TLS context. Patch by Robert Ransom. Bugfix on 0.1.0.4-rc; fixes
|
|
bug 1994.
|
|
- Enforce multiplicity rules when parsing annotations. Bugfix on
|
|
0.2.0.8-alpha. Found by piebeer.
|
|
- Fix warnings that newer versions of autoconf produced during
|
|
./autogen.sh. These warnings appear to be harmless in our case,
|
|
but they were extremely verbose. Fixes bug 2020.
|
|
|
|
o Minor bugfixes (on Tor 0.2.2.x):
|
|
- Enable protection of small arrays whenever we build with gcc
|
|
hardening features, not only when also building with warnings
|
|
enabled. Fixes bug 2031; bugfix on 0.2.2.14-alpha. Reported by keb.
|
|
|
|
o Minor features:
|
|
- Make hidden services work better in private Tor networks by not
|
|
requiring any uptime to join the hidden service descriptor
|
|
DHT. Implements ticket 2088.
|
|
- Rate-limit the "your application is giving Tor only an IP address"
|
|
warning. Addresses bug 2000; bugfix on 0.0.8pre2.
|
|
- When AllowSingleHopExits is set, print a warning to explain to the
|
|
relay operator why most clients are avoiding her relay.
|
|
- Update to the November 1 2010 Maxmind GeoLite Country database.
|
|
|
|
o Code simplifications and refactoring:
|
|
- When we fixed bug 1038 we had to put in a restriction not to send
|
|
RELAY_EARLY cells on rend circuits. This was necessary as long
|
|
as relays using Tor 0.2.1.3-alpha through 0.2.1.18-alpha were
|
|
active. Now remove this obsolete check. Resolves bug 2081.
|
|
- Some options used different conventions for uppercasing of acronyms
|
|
when comparing manpage and source. Fix those in favor of the
|
|
manpage, as it makes sense to capitalize acronyms.
|
|
- Remove the torrc.complete file. It hasn't been kept up to date
|
|
and users will have better luck checking out the manpage.
|
|
- Remove the obsolete "NoPublish" option; it has been flagged
|
|
as obsolete and has produced a warning since 0.1.1.18-rc.
|
|
- Remove everything related to building the expert bundle for OS X.
|
|
It has confused many users, doesn't work right on OS X 10.6,
|
|
and is hard to get rid of once installed. Resolves bug 1274.
|
|
|
|
|
|
Changes in version 0.2.2.17-alpha - 2010-09-30
|
|
Tor 0.2.2.17-alpha introduces a feature to make it harder for clients
|
|
to use one-hop circuits (which can put the exit relays at higher risk,
|
|
plus unbalance the network); fixes a big bug in bandwidth accounting
|
|
for relays that want to limit their monthly bandwidth use; fixes a
|
|
big pile of bugs in how clients tolerate temporary network failure;
|
|
and makes our adaptive circuit build timeout feature (which improves
|
|
client performance if your network is fast while not breaking things
|
|
if your network is slow) better handle bad networks.
|
|
|
|
o Major features:
|
|
- Exit relays now try harder to block exit attempts from unknown
|
|
relays, to make it harder for people to use them as one-hop proxies
|
|
a la tortunnel. Controlled by the refuseunknownexits consensus
|
|
parameter (currently enabled), or you can override it on your
|
|
relay with the RefuseUnknownExits torrc option. Resolves bug 1751.
|
|
|
|
o Major bugfixes (0.2.1.x and earlier):
|
|
- Fix a bug in bandwidth accounting that could make us use twice
|
|
the intended bandwidth when our interval start changes due to
|
|
daylight saving time. Now we tolerate skew in stored vs computed
|
|
interval starts: if the start of the period changes by no more than
|
|
50% of the period's duration, we remember bytes that we transferred
|
|
in the old period. Fixes bug 1511; bugfix on 0.0.9pre5.
|
|
- Always search the Windows system directory for system DLLs, and
|
|
nowhere else. Bugfix on 0.1.1.23; fixes bug 1954.
|
|
- When you're using bridges and your network goes away and your
|
|
bridges get marked as down, recover when you attempt a new socks
|
|
connection (if the network is back), rather than waiting up to an
|
|
hour to try fetching new descriptors for your bridges. Bugfix on
|
|
0.2.0.3-alpha; fixes bug 1981.
|
|
|
|
o Major bugfixes (on 0.2.2.x):
|
|
- Fix compilation on Windows. Bugfix on 0.2.2.16-alpha; related to
|
|
bug 1797.
|
|
- Fix a segfault that could happen when operating a bridge relay with
|
|
no GeoIP database set. Fixes bug 1964; bugfix on 0.2.2.15-alpha.
|
|
- The consensus bandwidth-weights (used by clients to choose fast
|
|
relays) entered an unexpected edge case in September where
|
|
Exits were much scarcer than Guards, resulting in bad weight
|
|
recommendations. Now we compute them using new constraints that
|
|
should succeed in all cases. Also alter directory authorities to
|
|
not include the bandwidth-weights line if they fail to produce
|
|
valid values. Fixes bug 1952; bugfix on 0.2.2.10-alpha.
|
|
- When weighting bridges during path selection, we used to trust
|
|
the bandwidths they provided in their descriptor, only capping them
|
|
at 10MB/s. This turned out to be problematic for two reasons:
|
|
Bridges could claim to handle a lot more traffic then they
|
|
actually would, thus making more clients pick them and have a
|
|
pretty effective DoS attack. The other issue is that new bridges
|
|
that might not have a good estimate for their bw capacity yet
|
|
would not get used at all unless no other bridges are available
|
|
to a client. Fixes bug 1912; bugfix on 0.2.2.7-alpha.
|
|
|
|
o Major bugfixes (on the circuit build timeout feature, 0.2.2.x):
|
|
- Ignore cannibalized circuits when recording circuit build times.
|
|
This should provide for a minor performance improvement for hidden
|
|
service users using 0.2.2.14-alpha, and should remove two spurious
|
|
notice log messages. Bugfix on 0.2.2.14-alpha; fixes bug 1740.
|
|
- Simplify the logic that causes us to decide if the network is
|
|
unavailable for purposes of recording circuit build times. If we
|
|
receive no cells whatsoever for the entire duration of a circuit's
|
|
full measured lifetime, the network is probably down. Also ignore
|
|
one-hop directory fetching circuit timeouts when calculating our
|
|
circuit build times. These changes should hopefully reduce the
|
|
cases where we see ridiculous circuit build timeouts for people
|
|
with spotty wireless connections. Fixes part of bug 1772; bugfix
|
|
on 0.2.2.2-alpha.
|
|
- Prevent the circuit build timeout from becoming larger than
|
|
the maximum build time we have ever seen. Also, prevent the time
|
|
period for measurement circuits from becoming larger than twice that
|
|
value. Fixes the other part of bug 1772; bugfix on 0.2.2.2-alpha.
|
|
|
|
o Minor features:
|
|
- When we run out of directory information such that we can't build
|
|
circuits, but then get enough that we can build circuits, log when
|
|
we actually construct a circuit, so the user has a better chance of
|
|
knowing what's going on. Fixes bug 1362.
|
|
- Be more generous with how much bandwidth we'd use up (with
|
|
accounting enabled) before entering "soft hibernation". Previously,
|
|
we'd refuse new connections and circuits once we'd used up 95% of
|
|
our allotment. Now, we use up 95% of our allotment, AND make sure
|
|
that we have no more than 500MB (or 3 hours of expected traffic,
|
|
whichever is lower) remaining before we enter soft hibernation.
|
|
- If we've configured EntryNodes and our network goes away and/or all
|
|
our entrynodes get marked down, optimistically retry them all when
|
|
a new socks application request appears. Fixes bug 1882.
|
|
- Add some more defensive programming for architectures that can't
|
|
handle unaligned integer accesses. We don't know of any actual bugs
|
|
right now, but that's the best time to fix them. Fixes bug 1943.
|
|
- Support line continuations in the torrc config file. If a line
|
|
ends with a single backslash character, the newline is ignored, and
|
|
the configuration value is treated as continuing on the next line.
|
|
Resolves bug 1929.
|
|
|
|
o Minor bugfixes (on 0.2.1.x and earlier):
|
|
- For bandwidth accounting, calculate our expected bandwidth rate
|
|
based on the time during which we were active and not in
|
|
soft-hibernation during the last interval. Previously, we were
|
|
also considering the time spent in soft-hibernation. If this
|
|
was a long time, we would wind up underestimating our bandwidth
|
|
by a lot, and skewing our wakeup time towards the start of the
|
|
accounting interval. Fixes bug 1789. Bugfix on 0.0.9pre5.
|
|
|
|
o Minor bugfixes (on 0.2.2.x):
|
|
- Resume generating CIRC FAILED REASON=TIMEOUT control port messages,
|
|
which were disabled by the circuit build timeout changes in
|
|
0.2.2.14-alpha. Bugfix on 0.2.2.14-alpha; fixes bug 1739.
|
|
- Make sure we don't warn about missing bandwidth weights when
|
|
choosing bridges or other relays not in the consensus. Bugfix on
|
|
0.2.2.10-alpha; fixes bug 1805.
|
|
- In our logs, do not double-report signatures from unrecognized
|
|
authorities both as "from unknown authority" and "not
|
|
present". Fixes bug 1956, bugfix on 0.2.2.16-alpha.
|
|
|
|
|
|
Changes in version 0.2.2.16-alpha - 2010-09-17
|
|
Tor 0.2.2.16-alpha fixes a variety of old stream fairness bugs (most
|
|
evident at exit relays), and also continues to resolve all the little
|
|
bugs that have been filling up trac lately.
|
|
|
|
o Major bugfixes (stream-level fairness):
|
|
- When receiving a circuit-level SENDME for a blocked circuit, try
|
|
to package cells fairly from all the streams that had previously
|
|
been blocked on that circuit. Previously, we had started with the
|
|
oldest stream, and allowed each stream to potentially exhaust
|
|
the circuit's package window. This gave older streams on any
|
|
given circuit priority over newer ones. Fixes bug 1937. Detected
|
|
originally by Camilo Viecco. This bug was introduced before the
|
|
first Tor release, in svn commit r152: it is the new winner of
|
|
the longest-lived bug prize.
|
|
- When the exit relay got a circuit-level sendme cell, it started
|
|
reading on the exit streams, even if had 500 cells queued in the
|
|
circuit queue already, so the circuit queue just grew and grew in
|
|
some cases. We fix this by not re-enabling reading on receipt of a
|
|
sendme cell when the cell queue is blocked. Fixes bug 1653. Bugfix
|
|
on 0.2.0.1-alpha. Detected by Mashael AlSabah. Original patch by
|
|
"yetonetime".
|
|
- Newly created streams were allowed to read cells onto circuits,
|
|
even if the circuit's cell queue was blocked and waiting to drain.
|
|
This created potential unfairness, as older streams would be
|
|
blocked, but newer streams would gladly fill the queue completely.
|
|
We add code to detect this situation and prevent any stream from
|
|
getting more than one free cell. Bugfix on 0.2.0.1-alpha. Partially
|
|
fixes bug 1298.
|
|
|
|
o Minor features:
|
|
- Update to the September 1 2010 Maxmind GeoLite Country database.
|
|
- Warn when CookieAuthFileGroupReadable is set but CookieAuthFile is
|
|
not. This would lead to a cookie that is still not group readable.
|
|
Closes bug 1843. Suggested by katmagic.
|
|
- When logging a rate-limited warning, we now mention how many messages
|
|
got suppressed since the last warning.
|
|
- Add new "perconnbwrate" and "perconnbwburst" consensus params to
|
|
do individual connection-level rate limiting of clients. The torrc
|
|
config options with the same names trump the consensus params, if
|
|
both are present. Replaces the old "bwconnrate" and "bwconnburst"
|
|
consensus params which were broken from 0.2.2.7-alpha through
|
|
0.2.2.14-alpha. Closes bug 1947.
|
|
- When a router changes IP address or port, authorities now launch
|
|
a new reachability test for it. Implements ticket 1899.
|
|
- Make the formerly ugly "2 unknown, 7 missing key, 0 good, 0 bad,
|
|
2 no signature, 4 required" messages about consensus signatures
|
|
easier to read, and make sure they get logged at the same severity
|
|
as the messages explaining which keys are which. Fixes bug 1290.
|
|
- Don't warn when we have a consensus that we can't verify because
|
|
of missing certificates, unless those certificates are ones
|
|
that we have been trying and failing to download. Fixes bug 1145.
|
|
- If you configure your bridge with a known identity fingerprint,
|
|
and the bridge authority is unreachable (as it is in at least
|
|
one country now), fall back to directly requesting the descriptor
|
|
from the bridge. Finishes the feature started in 0.2.0.10-alpha;
|
|
closes bug 1138.
|
|
- When building with --enable-gcc-warnings on OpenBSD, disable
|
|
warnings in system headers. This makes --enable-gcc-warnings
|
|
pass on OpenBSD 4.8.
|
|
|
|
o Minor bugfixes (on 0.2.1.x and earlier):
|
|
- Authorities will now attempt to download consensuses if their
|
|
own efforts to make a live consensus have failed. This change
|
|
means authorities that restart will fetch a valid consensus, and
|
|
it means authorities that didn't agree with the current consensus
|
|
will still fetch and serve it if it has enough signatures. Bugfix
|
|
on 0.2.0.9-alpha; fixes bug 1300.
|
|
- Ensure DNS requests launched by "RESOLVE" commands from the
|
|
controller respect the __LeaveStreamsUnattached setconf options. The
|
|
same goes for requests launched via DNSPort or transparent
|
|
proxying. Bugfix on 0.2.0.1-alpha; fixes bug 1525.
|
|
- Allow handshaking OR connections to take a full KeepalivePeriod
|
|
seconds to handshake. Previously, we would close them after
|
|
IDLE_OR_CONN_TIMEOUT (180) seconds, the same timeout as if they
|
|
were open. Bugfix on 0.2.1.26; fixes bug 1840. Thanks to mingw-san
|
|
for analysis help.
|
|
- Rate-limit "Failed to hand off onionskin" warnings.
|
|
- Never relay a cell for a circuit we have already destroyed.
|
|
Between marking a circuit as closeable and finally closing it,
|
|
it may have been possible for a few queued cells to get relayed,
|
|
even though they would have been immediately dropped by the next
|
|
OR in the circuit. Fixes bug 1184; bugfix on 0.2.0.1-alpha.
|
|
- Never queue a cell for a circuit that's already been marked
|
|
for close.
|
|
- Never vote for a server as "Running" if we have a descriptor for
|
|
it claiming to be hibernating, and that descriptor was published
|
|
more recently than our last contact with the server. Bugfix on
|
|
0.2.0.3-alpha; fixes bug 911.
|
|
- Squash a compile warning on OpenBSD. Reported by Tas; fixes
|
|
bug 1848.
|
|
|
|
o Minor bugfixes (on 0.2.2.x):
|
|
- Fix a regression introduced in 0.2.2.7-alpha that marked relays
|
|
down if a directory fetch fails and you've configured either
|
|
bridges or EntryNodes. The intent was to mark the relay as down
|
|
_unless_ you're using bridges or EntryNodes, since if you are
|
|
then you could quickly run out of entry points.
|
|
- Fix the Windows directory-listing code. A bug introduced in
|
|
0.2.2.14-alpha could make Windows directory servers forget to load
|
|
some of their cached v2 networkstatus files.
|
|
- Really allow clients to use relays as bridges. Fixes bug 1776;
|
|
bugfix on 0.2.2.15-alpha.
|
|
- Demote a warn to info that happens when the CellStatistics option
|
|
was just enabled. Bugfix on 0.2.2.15-alpha; fixes bug 1921.
|
|
Reported by Moritz Bartl.
|
|
- On Windows, build correctly either with or without Unicode support.
|
|
This is necessary so that Tor can support fringe platforms like
|
|
Windows 98 (which has no Unicode), or Windows CE (which has no
|
|
non-Unicode). Bugfix on 0.2.2.14-alpha; fixes bug 1797.
|
|
|
|
o Testing
|
|
- Add a unit test for cross-platform directory-listing code.
|
|
|
|
|
|
Changes in version 0.2.2.15-alpha - 2010-08-18
|
|
Tor 0.2.2.15-alpha fixes a big bug in hidden service availability,
|
|
fixes a variety of other bugs that were preventing performance
|
|
experiments from moving forward, fixes several bothersome memory leaks,
|
|
and generally closes a lot of smaller bugs that have been filling up
|
|
trac lately.
|
|
|
|
o Major bugfixes:
|
|
- Stop assigning the HSDir flag to relays that disable their
|
|
DirPort (and thus will refuse to answer directory requests). This
|
|
fix should dramatically improve the reachability of hidden services:
|
|
hidden services and hidden service clients pick six HSDir relays
|
|
to store and retrieve the hidden service descriptor, and currently
|
|
about half of the HSDir relays will refuse to work. Bugfix on
|
|
0.2.0.10-alpha; fixes part of bug 1693.
|
|
- The PerConnBWRate and Burst config options, along with the
|
|
bwconnrate and bwconnburst consensus params, initialized each conn's
|
|
token bucket values only when the connection is established. Now we
|
|
update them if the config options change, and update them every time
|
|
we get a new consensus. Otherwise we can encounter an ugly edge
|
|
case where we initialize an OR conn to client-level bandwidth,
|
|
but then later the relay joins the consensus and we leave it
|
|
throttled. Bugfix on 0.2.2.7-alpha; fixes bug 1830.
|
|
- Fix a regression that caused Tor to rebind its ports if it receives
|
|
SIGHUP while hibernating. Bugfix in 0.1.1.6-alpha; closes bug 919.
|
|
|
|
o Major features:
|
|
- Lower the maximum weighted-fractional-uptime cutoff to 98%. This
|
|
should give us approximately 40-50% more Guard-flagged nodes,
|
|
improving the anonymity the Tor network can provide and also
|
|
decreasing the dropoff in throughput that relays experience when
|
|
they first get the Guard flag.
|
|
- Allow enabling or disabling the *Statistics config options while
|
|
Tor is running.
|
|
|
|
o Minor features:
|
|
- Update to the August 1 2010 Maxmind GeoLite Country database.
|
|
- Have the controller interface give a more useful message than
|
|
"Internal Error" in response to failed GETINFO requests.
|
|
- Warn when the same option is provided more than once in a torrc
|
|
file, on the command line, or in a single SETCONF statement, and
|
|
the option is one that only accepts a single line. Closes bug 1384.
|
|
- Build correctly on mingw with more recent versions of OpenSSL 0.9.8.
|
|
Patch from mingw-san.
|
|
- Add support for the country code "{??}" in torrc options like
|
|
ExcludeNodes, to indicate all routers of unknown country. Closes
|
|
bug 1094.
|
|
- Relays report the number of bytes spent on answering directory
|
|
requests in extra-info descriptors similar to {read,write}-history.
|
|
Implements enhancement 1790.
|
|
|
|
o Minor bugfixes (on 0.2.1.x and earlier):
|
|
- Complain if PublishServerDescriptor is given multiple arguments that
|
|
include 0 or 1. This configuration will be rejected in the future.
|
|
Bugfix on 0.2.0.1-alpha; closes bug 1107.
|
|
- Disallow BridgeRelay 1 and ORPort 0 at once in the configuration.
|
|
Bugfix on 0.2.0.13-alpha; closes bug 928.
|
|
- Change "Application request when we're believed to be offline."
|
|
notice to "Application request when we haven't used client
|
|
functionality lately.", to clarify that it's not an error. Bugfix
|
|
on 0.0.9.3; fixes bug 1222.
|
|
- Fix a bug in the controller interface where "GETINFO ns/asdaskljkl"
|
|
would return "551 Internal error" rather than "552 Unrecognized key
|
|
ns/asdaskljkl". Bugfix on 0.1.2.3-alpha.
|
|
- Users can't configure a regular relay to be their bridge. It didn't
|
|
work because when Tor fetched the bridge descriptor, it found
|
|
that it already had it, and didn't realize that the purpose of the
|
|
descriptor had changed. Now we replace routers with a purpose other
|
|
than bridge with bridge descriptors when fetching them. Bugfix on
|
|
0.1.1.9-alpha. Bug 1776 not yet fixed because now we immediately
|
|
refetch the descriptor with router purpose 'general', disabling
|
|
it as a bridge.
|
|
- Fix a rare bug in rend_fn unit tests: we would fail a test when
|
|
a randomly generated port is 0. Diagnosed by Matt Edman. Bugfix
|
|
on 0.2.0.10-alpha; fixes bug 1808.
|
|
- Exit nodes didn't recognize EHOSTUNREACH as a plausible error code,
|
|
and so sent back END_STREAM_REASON_MISC. Clients now recognize a new
|
|
stream ending reason for this case: END_STREAM_REASON_NOROUTE.
|
|
Servers can start sending this code when enough clients recognize
|
|
it. Also update the spec to reflect this new reason. Bugfix on
|
|
0.1.0.1-rc; fixes part of bug 1793.
|
|
- Delay geoip stats collection by bridges for 6 hours, not 2 hours,
|
|
when we switch from being a public relay to a bridge. Otherwise
|
|
there will still be clients that see the relay in their consensus,
|
|
and the stats will end up wrong. Bugfix on 0.2.1.15-rc; fixes bug
|
|
932 even more.
|
|
- Instead of giving an assertion failure on an internal mismatch
|
|
on estimated freelist size, just log a BUG warning and try later.
|
|
Mitigates but does not fix bug 1125.
|
|
- Fix an assertion failure that could occur in caches or bridge users
|
|
when using a very short voting interval on a testing network.
|
|
Diagnosed by Robert Hogan. Fixes bug 1141; bugfix on 0.2.0.8-alpha.
|
|
|
|
o Minor bugfixes (on 0.2.2.x):
|
|
- Alter directory authorities to always consider Exit-flagged nodes
|
|
as potential Guard nodes in their votes. The actual decision to
|
|
use Exits as Guards is done in the consensus bandwidth weights.
|
|
Fixes bug 1294; bugfix on 0.2.2.10-alpha.
|
|
- When the controller is reporting the purpose of circuits that
|
|
didn't finish building before the circuit build timeout, it was
|
|
printing UNKNOWN_13. Now print EXPIRED. Bugfix on 0.2.2.14-alpha.
|
|
- Our libevent version parsing code couldn't handle versions like
|
|
1.4.14b-stable and incorrectly warned the user about using an
|
|
old and broken version of libevent. Treat 1.4.14b-stable like
|
|
1.4.14-stable when parsing the version. Fixes bug 1731; bugfix
|
|
on 0.2.2.1-alpha.
|
|
- Don't use substitution references like $(VAR:MOD) when
|
|
$(asciidoc_files) is empty -- make(1) on NetBSD transforms
|
|
'$(:x)' to 'x' rather than the empty string. This bites us in
|
|
doc/ when configured with --disable-asciidoc. Bugfix on
|
|
0.2.2.9-alpha; fixes bug 1773.
|
|
- Remove a spurious hidden service server-side log notice about
|
|
"Ancient non-dirty circuits". Bugfix on 0.2.2.14-alpha; fixes
|
|
bug 1741.
|
|
- Fix compilation with --with-dmalloc set. Bugfix on 0.2.2.6-alpha;
|
|
fixes bug 1832.
|
|
- Correctly report written bytes on linked connections. Found while
|
|
implementing 1790. Bugfix on 0.2.2.4-alpha.
|
|
- Fix three memory leaks: one in circuit_build_times_parse_state(),
|
|
one in dirvote_add_signatures_to_pending_consensus(), and one every
|
|
time we parse a v3 network consensus. Bugfixes on 0.2.2.14-alpha,
|
|
0.2.2.6-alpha, and 0.2.2.10-alpha respectively; fixes bug 1831.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Take a first step towards making or.h smaller by splitting out
|
|
function definitions for all source files in src/or/. Leave
|
|
structures and defines in or.h for now.
|
|
- Remove a bunch of unused function declarations as well as a block of
|
|
#if 0'd code from the unit tests. Closes bug 1824.
|
|
- New unit tests for exit-port history statistics; refactored exit
|
|
statistics code to be more easily tested.
|
|
- Remove the old debian/ directory from the main Tor distribution.
|
|
The official Tor-for-debian git repository lives at the URL
|
|
https://git.torproject.org/debian/tor.git
|
|
|
|
|
|
Changes in version 0.2.2.14-alpha - 2010-07-12
|
|
Tor 0.2.2.14-alpha greatly improves client-side handling of
|
|
circuit build timeouts, which are used to estimate speed and improve
|
|
performance. We also move to a much better GeoIP database, port Tor to
|
|
Windows CE, introduce new compile flags that improve code security,
|
|
add an eighth v3 directory authority, and address a lot of more
|
|
minor issues.
|
|
|
|
o Major bugfixes:
|
|
- Tor directory authorities no longer crash when started with a
|
|
cached-microdesc-consensus file in their data directory. Bugfix
|
|
on 0.2.2.6-alpha; fixes bug 1532.
|
|
- Treat an unset $HOME like an empty $HOME rather than triggering an
|
|
assert. Bugfix on 0.0.8pre1; fixes bug 1522.
|
|
- Ignore negative and large circuit build timeout values that can
|
|
happen during a suspend or hibernate. These values caused various
|
|
asserts to fire. Bugfix on 0.2.2.2-alpha; fixes bug 1245.
|
|
- Alter calculation of Pareto distribution parameter 'Xm' for
|
|
Circuit Build Timeout learning to use the weighted average of the
|
|
top N=3 modes (because we have three entry guards). Considering
|
|
multiple modes should improve the timeout calculation in some cases,
|
|
and prevent extremely high timeout values. Bugfix on 0.2.2.2-alpha;
|
|
fixes bug 1335.
|
|
- Alter calculation of Pareto distribution parameter 'Alpha' to use a
|
|
right censored distribution model. This approach improves over the
|
|
synthetic timeout generation approach that was producing insanely
|
|
high timeout values. Now we calculate build timeouts using truncated
|
|
times. Bugfix on 0.2.2.2-alpha; fixes bugs 1245 and 1335.
|
|
- Do not close circuits that are under construction when they reach
|
|
the circuit build timeout. Instead, leave them building (but do not
|
|
use them) for up until the time corresponding to the 95th percentile
|
|
on the Pareto CDF or 60 seconds, whichever is greater. This is done
|
|
to provide better data for the new Pareto model. This percentile
|
|
can be controlled by the consensus.
|
|
|
|
o Major features:
|
|
- Move to the June 2010 Maxmind GeoLite country db (rather than the
|
|
June 2009 ip-to-country GeoIP db) for our statistics that count
|
|
how many users relays are seeing from each country. Now we have
|
|
more accurate data for many African countries.
|
|
- Port Tor to build and run correctly on Windows CE systems, using
|
|
the wcecompat library. Contributed by Valerio Lupi.
|
|
- New "--enable-gcc-hardening" ./configure flag (off by default)
|
|
to turn on gcc compile time hardening options. It ensures
|
|
that signed ints have defined behavior (-fwrapv), enables
|
|
-D_FORTIFY_SOURCE=2 (requiring -O2), adds stack smashing protection
|
|
with canaries (-fstack-protector-all), turns on ASLR protection if
|
|
supported by the kernel (-fPIE, -pie), and adds additional security
|
|
related warnings. Verified to work on Mac OS X and Debian Lenny.
|
|
- New "--enable-linker-hardening" ./configure flag (off by default)
|
|
to turn on ELF specific hardening features (relro, now). This does
|
|
not work with Mac OS X or any other non-ELF binary format.
|
|
|
|
o New directory authorities:
|
|
- Set up maatuska (run by Linus Nordberg) as the eighth v3 directory
|
|
authority.
|
|
|
|
o Minor features:
|
|
- New config option "WarnUnsafeSocks 0" disables the warning that
|
|
occurs whenever Tor receives a socks handshake using a version of
|
|
the socks protocol that can only provide an IP address (rather
|
|
than a hostname). Setups that do DNS locally over Tor are fine,
|
|
and we shouldn't spam the logs in that case.
|
|
- Convert the HACKING file to asciidoc, and add a few new sections
|
|
to it, explaining how we use Git, how we make changelogs, and
|
|
what should go in a patch.
|
|
- Add a TIMEOUT_RATE keyword to the BUILDTIMEOUT_SET control port
|
|
event, to give information on the current rate of circuit timeouts
|
|
over our stored history.
|
|
- Add ability to disable circuit build time learning via consensus
|
|
parameter and via a LearnCircuitBuildTimeout config option. Also
|
|
automatically disable circuit build time calculation if we are
|
|
either a AuthoritativeDirectory, or if we fail to write our state
|
|
file. Fixes bug 1296.
|
|
- More gracefully handle corrupt state files, removing asserts
|
|
in favor of saving a backup and resetting state.
|
|
- Rename the "log.h" header to "torlog.h" so as to conflict with fewer
|
|
system headers.
|
|
|
|
o Minor bugfixes:
|
|
- Build correctly on OSX with zlib 1.2.4 and higher with all warnings
|
|
enabled.
|
|
- When a2x fails, mention that the user could disable manpages instead
|
|
of trying to fix their asciidoc installation.
|
|
- Where available, use Libevent 2.0's periodic timers so that our
|
|
once-per-second cleanup code gets called even more closely to
|
|
once per second than it would otherwise. Fixes bug 943.
|
|
- If you run a bridge that listens on multiple IP addresses, and
|
|
some user configures a bridge address that uses a different IP
|
|
address than your bridge writes in its router descriptor, and the
|
|
user doesn't specify an identity key, their Tor would discard the
|
|
descriptor because "it isn't one of our configured bridges", and
|
|
fail to bootstrap. Now believe the descriptor and bootstrap anyway.
|
|
Bugfix on 0.2.0.3-alpha.
|
|
- If OpenSSL fails to make a duplicate of a private or public key, log
|
|
an error message and try to exit cleanly. May help with debugging
|
|
if bug 1209 ever remanifests.
|
|
- Save a couple bytes in memory allocation every time we escape
|
|
certain characters in a string. Patch from Florian Zumbiehl.
|
|
- Make it explicit that we don't cannibalize one-hop circuits. This
|
|
happens in the wild, but doesn't turn out to be a problem because
|
|
we fortunately don't use those circuits. Many thanks to outofwords
|
|
for the initial analysis and to swissknife who confirmed that
|
|
two-hop circuits are actually created.
|
|
- Make directory mirrors report non-zero dirreq-v[23]-shares again.
|
|
Fixes bug 1564; bugfix on 0.2.2.9-alpha.
|
|
- Eliminate a case where a circuit build time warning was displayed
|
|
after network connectivity resumed. Bugfix on 0.2.2.2-alpha.
|
|
|
|
|
|
Changes in version 0.2.1.26 - 2010-05-02
|
|
Tor 0.2.1.26 addresses the recent connection and memory overload
|
|
problems we've been seeing on relays, especially relays with their
|
|
DirPort open. If your relay has been crashing, or you turned it off
|
|
because it used too many resources, give this release a try.
|
|
|
|
This release also fixes yet another instance of broken OpenSSL libraries
|
|
that was causing some relays to drop out of the consensus.
|
|
|
|
o Major bugfixes:
|
|
- Teach relays to defend themselves from connection overload. Relays
|
|
now close idle circuits early if it looks like they were intended
|
|
for directory fetches. Relays are also more aggressive about closing
|
|
TLS connections that have no circuits on them. Such circuits are
|
|
unlikely to be re-used, and tens of thousands of them were piling
|
|
up at the fast relays, causing the relays to run out of sockets
|
|
and memory. Bugfix on 0.2.0.22-rc (where clients started tunneling
|
|
their directory fetches over TLS).
|
|
- Fix SSL renegotiation behavior on OpenSSL versions like on Centos
|
|
that claim to be earlier than 0.9.8m, but which have in reality
|
|
backported huge swaths of 0.9.8m or 0.9.8n renegotiation
|
|
behavior. Possible fix for some cases of bug 1346.
|
|
- Directory mirrors were fetching relay descriptors only from v2
|
|
directory authorities, rather than v3 authorities like they should.
|
|
Only 2 v2 authorities remain (compared to 7 v3 authorities), leading
|
|
to a serious bottleneck. Bugfix on 0.2.0.9-alpha. Fixes bug 1324.
|
|
|
|
o Minor bugfixes:
|
|
- Finally get rid of the deprecated and now harmful notion of "clique
|
|
mode", where directory authorities maintain TLS connections to
|
|
every other relay.
|
|
|
|
o Testsuite fixes:
|
|
- In the util/threads test, no longer free the test_mutex before all
|
|
worker threads have finished. Bugfix on 0.2.1.6-alpha.
|
|
- The master thread could starve the worker threads quite badly on
|
|
certain systems, causing them to run only partially in the allowed
|
|
window. This resulted in test failures. Now the master thread sleeps
|
|
occasionally for a few microseconds while the two worker-threads
|
|
compete for the mutex. Bugfix on 0.2.0.1-alpha.
|
|
|
|
|
|
Changes in version 0.2.2.13-alpha - 2010-04-24
|
|
Tor 0.2.2.13-alpha addresses the recent connection and memory overload
|
|
problems we've been seeing on relays, especially relays with their
|
|
DirPort open. If your relay has been crashing, or you turned it off
|
|
because it used too many resources, give this release a try.
|
|
|
|
o Major bugfixes:
|
|
- Teach relays to defend themselves from connection overload. Relays
|
|
now close idle circuits early if it looks like they were intended
|
|
for directory fetches. Relays are also more aggressive about closing
|
|
TLS connections that have no circuits on them. Such circuits are
|
|
unlikely to be re-used, and tens of thousands of them were piling
|
|
up at the fast relays, causing the relays to run out of sockets
|
|
and memory. Bugfix on 0.2.0.22-rc (where clients started tunneling
|
|
their directory fetches over TLS).
|
|
|
|
o Minor features:
|
|
- Finally get rid of the deprecated and now harmful notion of "clique
|
|
mode", where directory authorities maintain TLS connections to
|
|
every other relay.
|
|
- Directory authorities now do an immediate reachability check as soon
|
|
as they hear about a new relay. This change should slightly reduce
|
|
the time between setting up a relay and getting listed as running
|
|
in the consensus. It should also improve the time between setting
|
|
up a bridge and seeing use by bridge users.
|
|
- Directory authorities no longer launch a TLS connection to every
|
|
relay as they startup. Now that we have 2k+ descriptors cached,
|
|
the resulting network hiccup is becoming a burden. Besides,
|
|
authorities already avoid voting about Running for the first half
|
|
hour of their uptime.
|
|
|
|
|
|
Changes in version 0.2.2.12-alpha - 2010-04-20
|
|
Tor 0.2.2.12-alpha fixes a critical bug in how directory authorities
|
|
handle and vote on descriptors. It was causing relays to drop out of
|
|
the consensus.
|
|
|
|
o Major bugfixes:
|
|
- Many relays have been falling out of the consensus lately because
|
|
not enough authorities know about their descriptor for them to get
|
|
a majority of votes. When we deprecated the v2 directory protocol,
|
|
we got rid of the only way that v3 authorities can hear from each
|
|
other about other descriptors. Now authorities examine every v3
|
|
vote for new descriptors, and fetch them from that authority. Bugfix
|
|
on 0.2.1.23.
|
|
- Fix two typos in tor_vasprintf() that broke the compile on Windows,
|
|
and a warning in or.h related to bandwidth_weight_rule_t that
|
|
prevented clean compile on OS X. Fixes bug 1363; bugfix on
|
|
0.2.2.11-alpha.
|
|
- Fix a segfault on relays when DirReqStatistics is enabled
|
|
and 24 hours pass. Bug found by keb. Fixes bug 1365; bugfix on
|
|
0.2.2.11-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Demote a confusing TLS warning that relay operators might get when
|
|
someone tries to talk to their OrPort. It is neither the operator's
|
|
fault nor can they do anything about it. Fixes bug 1364; bugfix
|
|
on 0.2.0.14-alpha.
|
|
|
|
|
|
Changes in version 0.2.2.11-alpha - 2010-04-15
|
|
Tor 0.2.2.11-alpha fixes yet another instance of broken OpenSSL
|
|
libraries that was causing some relays to drop out of the consensus.
|
|
|
|
o Major bugfixes:
|
|
- Directory mirrors were fetching relay descriptors only from v2
|
|
directory authorities, rather than v3 authorities like they should.
|
|
Only 2 v2 authorities remain (compared to 7 v3 authorities), leading
|
|
to a serious bottleneck. Bugfix on 0.2.0.9-alpha. Fixes bug 1324.
|
|
- Fix a parsing error that made every possible value of
|
|
CircPriorityHalflifeMsec get treated as "1 msec". Bugfix
|
|
on 0.2.2.7-alpha. Rename CircPriorityHalflifeMsec to
|
|
CircuitPriorityHalflifeMsec, so authorities can tell newer relays
|
|
about the option without breaking older ones.
|
|
- Fix SSL renegotiation behavior on OpenSSL versions like on Centos
|
|
that claim to be earlier than 0.9.8m, but which have in reality
|
|
backported huge swaths of 0.9.8m or 0.9.8n renegotiation
|
|
behavior. Possible fix for some cases of bug 1346.
|
|
|
|
o Minor features:
|
|
- Experiment with a more aggressive approach to preventing clients
|
|
from making one-hop exit streams. Exit relays who want to try it
|
|
out can set "RefuseUnknownExits 1" in their torrc, and then look
|
|
for "Attempt by %s to open a stream" log messages. Let us know
|
|
how it goes!
|
|
- Add support for statically linking zlib by specifying
|
|
--enable-static-zlib, to go with our support for statically linking
|
|
openssl and libevent. Resolves bug 1358.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a segfault that happens whenever a Tor client that is using
|
|
libevent2's bufferevents gets a hup signal. Bugfix on 0.2.2.5-alpha;
|
|
fixes bug 1341.
|
|
- When we cleaned up the contrib/tor-exit-notice.html file, we left
|
|
out the first line. Fixes bug 1295.
|
|
- When building the manpage from a tarball, we required asciidoc, but
|
|
the asciidoc -> roff/html conversion was already done for the
|
|
tarball. Make 'make' complain only when we need asciidoc (either
|
|
because we're compiling directly from git, or because we altered
|
|
the asciidoc manpage in the tarball). Bugfix on 0.2.2.9-alpha.
|
|
- When none of the directory authorities vote on any params, Tor
|
|
segfaulted when trying to make the consensus from the votes. We
|
|
didn't trigger the bug in practice, because authorities do include
|
|
params in their votes. Bugfix on 0.2.2.10-alpha; fixes bug 1322.
|
|
|
|
o Testsuite fixes:
|
|
- In the util/threads test, no longer free the test_mutex before all
|
|
worker threads have finished. Bugfix on 0.2.1.6-alpha.
|
|
- The master thread could starve the worker threads quite badly on
|
|
certain systems, causing them to run only partially in the allowed
|
|
window. This resulted in test failures. Now the master thread sleeps
|
|
occasionally for a few microseconds while the two worker-threads
|
|
compete for the mutex. Bugfix on 0.2.0.1-alpha.
|
|
|
|
|
|
Changes in version 0.2.2.10-alpha - 2010-03-07
|
|
Tor 0.2.2.10-alpha fixes a regression introduced in 0.2.2.9-alpha that
|
|
could prevent relays from guessing their IP address correctly. It also
|
|
starts the groundwork for another client-side performance boost, since
|
|
currently we're not making efficient use of relays that have both the
|
|
Guard flag and the Exit flag.
|
|
|
|
o Major bugfixes:
|
|
- Fix a regression from our patch for bug 1244 that caused relays
|
|
to guess their IP address incorrectly if they didn't set Address
|
|
in their torrc and/or their address fails to resolve. Bugfix on
|
|
0.2.2.9-alpha; fixes bug 1269.
|
|
|
|
o Major features (performance):
|
|
- Directory authorities now compute consensus weightings that instruct
|
|
clients how to weight relays flagged as Guard, Exit, Guard+Exit,
|
|
and no flag. Clients that use these weightings will distribute
|
|
network load more evenly across these different relay types. The
|
|
weightings are in the consensus so we can change them globally in
|
|
the future. Extra thanks to "outofwords" for finding some nasty
|
|
security bugs in the first implementation of this feature.
|
|
|
|
o Minor features (performance):
|
|
- Always perform router selections using weighted relay bandwidth,
|
|
even if we don't need a high capacity circuit at the time. Non-fast
|
|
circuits now only differ from fast ones in that they can use relays
|
|
not marked with the Fast flag. This "feature" could turn out to
|
|
be a horrible bug; we should investigate more before it goes into
|
|
a stable release.
|
|
|
|
o Minor features:
|
|
- Allow disabling building of the manpages. Skipping the manpage
|
|
speeds up the build considerably.
|
|
|
|
o Minor bugfixes (on 0.2.2.x):
|
|
- Fix a memleak in the EXTENDCIRCUIT logic. Spotted by coverity.
|
|
Bugfix on 0.2.2.9-alpha.
|
|
- Disallow values larger than INT32_MAX for PerConnBWRate|Burst
|
|
config option. Bugfix on 0.2.2.7-alpha.
|
|
- Ship the asciidoc-helper file in the tarball, so that people can
|
|
build from source if they want to, and touching the .1.txt files
|
|
doesn't break the build. Bugfix on 0.2.2.9-alpha.
|
|
|
|
o Minor bugfixes (on 0.2.1.x or earlier):
|
|
- Fix a dereference-then-NULL-check sequence when publishing
|
|
descriptors. Bugfix on 0.2.1.5-alpha. Discovered by ekir; fixes
|
|
bug 1255.
|
|
- Fix another dereference-then-NULL-check sequence. Bugfix on
|
|
0.2.1.14-rc. Discovered by ekir; fixes bug 1256.
|
|
- Make sure we treat potentially not NUL-terminated strings correctly.
|
|
Bugfix on 0.1.1.13-alpha. Discovered by rieo; fixes bug 1257.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Fix some urls in the exit notice file and make it XHTML1.1 strict
|
|
compliant. Based on a patch from Christian Kujau.
|
|
- Don't use sed in asciidoc-helper anymore.
|
|
- Make the build process fail if asciidoc cannot be found and
|
|
building with asciidoc isn't disabled.
|
|
|
|
|
|
Changes in version 0.2.2.9-alpha - 2010-02-22
|
|
Tor 0.2.2.9-alpha makes Tor work again on the latest OS X, updates the
|
|
location of a directory authority, and cleans up a bunch of small bugs.
|
|
|
|
o Directory authority changes:
|
|
- Change IP address for dannenberg (v3 directory authority), and
|
|
remove moria2 (obsolete v1, v2 directory authority and v0 hidden
|
|
service directory authority) from the list.
|
|
|
|
o Major bugfixes:
|
|
- Make Tor work again on the latest OS X: when deciding whether to
|
|
use strange flags to turn TLS renegotiation on, detect the OpenSSL
|
|
version at run-time, not compile time. We need to do this because
|
|
Apple doesn't update its dev-tools headers when it updates its
|
|
libraries in a security patch.
|
|
- Fix a potential buffer overflow in lookup_last_hid_serv_request()
|
|
that could happen on 32-bit platforms with 64-bit time_t. Also fix
|
|
a memory leak when requesting a hidden service descriptor we've
|
|
requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found
|
|
by aakova.
|
|
- Authorities could be tricked into giving out the Exit flag to relays
|
|
that didn't allow exiting to any ports. This bug could screw
|
|
with load balancing and stats. Bugfix on 0.1.1.6-alpha; fixes bug
|
|
1238. Bug discovered by Martin Kowalczyk.
|
|
- When freeing a session key, zero it out completely. We only zeroed
|
|
the first ptrsize bytes. Bugfix on 0.0.2pre8. Discovered and
|
|
patched by ekir. Fixes bug 1254.
|
|
|
|
o Minor bugfixes:
|
|
- Fix static compilation by listing the openssl libraries in the right
|
|
order. Bugfix on Tor 0.2.2.8-alpha; fixes bug 1237.
|
|
- Resume handling .exit hostnames in a special way: originally we
|
|
stripped the .exit part and used the requested exit relay. In
|
|
0.2.2.1-alpha we stopped treating them in any special way, meaning
|
|
if you use a .exit address then Tor will pass it on to the exit
|
|
relay. Now we reject the .exit stream outright, since that behavior
|
|
might be more expected by the user. Found and diagnosed by Scott
|
|
Bennett and Downie on or-talk.
|
|
- Don't spam the controller with events when we have no file
|
|
descriptors available. Bugfix on 0.2.1.5-alpha. (Rate-limiting
|
|
for log messages was already solved from bug 748.)
|
|
- Avoid a bogus overlapped memcpy in tor_addr_copy(). Reported by
|
|
"memcpyfail".
|
|
- Make the DNSPort option work with libevent 2.x. Don't alter the
|
|
behavior for libevent 1.x. Fixes bug 1143. Found by SwissTorExit.
|
|
- Emit a GUARD DROPPED controller event for a case we missed.
|
|
- Make more fields in the controller protocol case-insensitive, since
|
|
control-spec.txt said they were.
|
|
- Refactor resolve_my_address() to not use gethostbyname() anymore.
|
|
Fixes bug 1244; bugfix on 0.0.2pre25. Reported by Mike Mestnik.
|
|
- Fix a spec conformance issue: the network-status-version token
|
|
must be the first token in a v3 consensus or vote. Discovered by
|
|
parakeep. Bugfix on 0.2.0.3-alpha.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Generate our manpage and HTML documentation using Asciidoc. This
|
|
change should make it easier to maintain the documentation, and
|
|
produce nicer HTML.
|
|
- Remove the --enable-iphone option. According to reports from Marco
|
|
Bonetti, Tor builds fine without any special tweaking on recent
|
|
iPhone SDK versions.
|
|
- Removed some unnecessary files from the source distribution. The
|
|
AUTHORS file has now been merged into the people page on the
|
|
website. The roadmaps and design doc can now be found in the
|
|
projects directory in svn.
|
|
- Enabled various circuit build timeout constants to be controlled
|
|
by consensus parameters. Also set better defaults for these
|
|
parameters based on experimentation on broadband and simulated
|
|
high latency links.
|
|
|
|
o Minor features:
|
|
- The 'EXTENDCIRCUIT' control port command can now be used with
|
|
a circ id of 0 and no path. This feature will cause Tor to build
|
|
a new 'fast' general purpose circuit using its own path selection
|
|
algorithms.
|
|
- Added a BUILDTIMEOUT_SET controller event to describe changes
|
|
to the circuit build timeout.
|
|
- Future-proof the controller protocol a bit by ignoring keyword
|
|
arguments we do not recognize.
|
|
- Expand homedirs passed to tor-checkkey. This should silence a
|
|
coverity complaint about passing a user-supplied string into
|
|
open() without checking it.
|
|
|
|
|
|
Changes in version 0.2.1.25 - 2010-03-16
|
|
Tor 0.2.1.25 fixes a regression introduced in 0.2.1.23 that could
|
|
prevent relays from guessing their IP address correctly. It also fixes
|
|
several minor potential security bugs.
|
|
|
|
o Major bugfixes:
|
|
- Fix a regression from our patch for bug 1244 that caused relays
|
|
to guess their IP address incorrectly if they didn't set Address
|
|
in their torrc and/or their address fails to resolve. Bugfix on
|
|
0.2.1.23; fixes bug 1269.
|
|
- When freeing a session key, zero it out completely. We only zeroed
|
|
the first ptrsize bytes. Bugfix on 0.0.2pre8. Discovered and
|
|
patched by ekir. Fixes bug 1254.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a dereference-then-NULL-check sequence when publishing
|
|
descriptors. Bugfix on 0.2.1.5-alpha. Discovered by ekir; fixes
|
|
bug 1255.
|
|
- Fix another dereference-then-NULL-check sequence. Bugfix on
|
|
0.2.1.14-rc. Discovered by ekir; fixes bug 1256.
|
|
- Make sure we treat potentially not NUL-terminated strings correctly.
|
|
Bugfix on 0.1.1.13-alpha. Discovered by rieo; fixes bug 1257.
|
|
|
|
|
|
|
|
Changes in version 0.2.1.24 - 2010-02-21
|
|
Tor 0.2.1.24 makes Tor work again on the latest OS X -- this time
|
|
for sure!
|
|
|
|
o Minor bugfixes:
|
|
- Work correctly out-of-the-box with even more vendor-patched versions
|
|
of OpenSSL. In particular, make it so Debian and OS X don't need
|
|
customized patches to run/build.
|
|
|
|
|
|
Changes in version 0.2.1.23 - 2010-02-13
|
|
Tor 0.2.1.23 fixes a huge client-side performance bug, makes Tor work
|
|
again on the latest OS X, and updates the location of a directory
|
|
authority.
|
|
|
|
o Major bugfixes (performance):
|
|
- We were selecting our guards uniformly at random, and then weighting
|
|
which of our guards we'd use uniformly at random. This imbalance
|
|
meant that Tor clients were severely limited on throughput (and
|
|
probably latency too) by the first hop in their circuit. Now we
|
|
select guards weighted by currently advertised bandwidth. We also
|
|
automatically discard guards picked using the old algorithm. Fixes
|
|
bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
|
|
|
|
o Major bugfixes:
|
|
- Make Tor work again on the latest OS X: when deciding whether to
|
|
use strange flags to turn TLS renegotiation on, detect the OpenSSL
|
|
version at run-time, not compile time. We need to do this because
|
|
Apple doesn't update its dev-tools headers when it updates its
|
|
libraries in a security patch.
|
|
- Fix a potential buffer overflow in lookup_last_hid_serv_request()
|
|
that could happen on 32-bit platforms with 64-bit time_t. Also fix
|
|
a memory leak when requesting a hidden service descriptor we've
|
|
requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found
|
|
by aakova.
|
|
|
|
o Directory authority changes:
|
|
- Change IP address for dannenberg (v3 directory authority), and
|
|
remove moria2 (obsolete v1, v2 directory authority and v0 hidden
|
|
service directory authority) from the list.
|
|
|
|
o Minor bugfixes:
|
|
- Refactor resolve_my_address() to not use gethostbyname() anymore.
|
|
Fixes bug 1244; bugfix on 0.0.2pre25. Reported by Mike Mestnik.
|
|
|
|
o Minor features:
|
|
- Avoid a mad rush at the beginning of each month when each client
|
|
rotates half of its guards. Instead we spread the rotation out
|
|
throughout the month, but we still avoid leaving a precise timestamp
|
|
in the state file about when we first picked the guard. Improves
|
|
over the behavior introduced in 0.1.2.17.
|
|
|
|
|
|
Changes in version 0.2.2.8-alpha - 2010-01-26
|
|
Tor 0.2.2.8-alpha fixes a crash bug in 0.2.2.7-alpha that has been
|
|
causing bridge relays to disappear. If you're running a bridge,
|
|
please upgrade.
|
|
|
|
o Major bugfixes:
|
|
- Fix a memory corruption bug on bridges that occured during the
|
|
inclusion of stats data in extra-info descriptors. Also fix the
|
|
interface for geoip_get_bridge_stats* to prevent similar bugs in
|
|
the future. Diagnosis by Tas, patch by Karsten and Sebastian.
|
|
Fixes bug 1208; bugfix on 0.2.2.7-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Ignore OutboundBindAddress when connecting to localhost.
|
|
Connections to localhost need to come _from_ localhost, or else
|
|
local servers (like DNS and outgoing HTTP/SOCKS proxies) will often
|
|
refuse to listen.
|
|
|
|
|
|
Changes in version 0.2.2.7-alpha - 2010-01-19
|
|
Tor 0.2.2.7-alpha fixes a huge client-side performance bug, as well
|
|
as laying the groundwork for further relay-side performance fixes. It
|
|
also starts cleaning up client behavior with respect to the EntryNodes,
|
|
ExitNodes, and StrictNodes config options.
|
|
|
|
This release also rotates two directory authority keys, due to a
|
|
security breach of some of the Torproject servers.
|
|
|
|
o Directory authority changes:
|
|
- Rotate keys (both v3 identity and relay identity) for moria1
|
|
and gabelmoo.
|
|
|
|
o Major features (performance):
|
|
- We were selecting our guards uniformly at random, and then weighting
|
|
which of our guards we'd use uniformly at random. This imbalance
|
|
meant that Tor clients were severely limited on throughput (and
|
|
probably latency too) by the first hop in their circuit. Now we
|
|
select guards weighted by currently advertised bandwidth. We also
|
|
automatically discard guards picked using the old algorithm. Fixes
|
|
bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
|
|
- When choosing which cells to relay first, relays can now favor
|
|
circuits that have been quiet recently, to provide lower latency
|
|
for low-volume circuits. By default, relays enable or disable this
|
|
feature based on a setting in the consensus. You can override
|
|
this default by using the new "CircuitPriorityHalflife" config
|
|
option. Design and code by Ian Goldberg, Can Tang, and Chris
|
|
Alexander.
|
|
- Add separate per-conn write limiting to go with the per-conn read
|
|
limiting. We added a global write limit in Tor 0.1.2.5-alpha,
|
|
but never per-conn write limits.
|
|
- New consensus params "bwconnrate" and "bwconnburst" to let us
|
|
rate-limit client connections as they enter the network. It's
|
|
controlled in the consensus so we can turn it on and off for
|
|
experiments. It's starting out off. Based on proposal 163.
|
|
|
|
o Major features (relay selection options):
|
|
- Switch to a StrictNodes config option, rather than the previous
|
|
"StrictEntryNodes" / "StrictExitNodes" separation that was missing a
|
|
"StrictExcludeNodes" option.
|
|
- If EntryNodes, ExitNodes, ExcludeNodes, or ExcludeExitNodes
|
|
change during a config reload, mark and discard all our origin
|
|
circuits. This fix should address edge cases where we change the
|
|
config options and but then choose a circuit that we created before
|
|
the change.
|
|
- If EntryNodes or ExitNodes are set, be more willing to use an
|
|
unsuitable (e.g. slow or unstable) circuit. The user asked for it,
|
|
they get it.
|
|
- Make EntryNodes config option much more aggressive even when
|
|
StrictNodes is not set. Before it would prepend your requested
|
|
entrynodes to your list of guard nodes, but feel free to use others
|
|
after that. Now it chooses only from your EntryNodes if any of
|
|
those are available, and only falls back to others if a) they're
|
|
all down and b) StrictNodes is not set.
|
|
- Now we refresh your entry guards from EntryNodes at each consensus
|
|
fetch -- rather than just at startup and then they slowly rot as
|
|
the network changes.
|
|
|
|
o Major bugfixes:
|
|
- Stop bridge directory authorities from answering dbg-stability.txt
|
|
directory queries, which would let people fetch a list of all
|
|
bridge identities they track. Bugfix on 0.2.1.6-alpha.
|
|
|
|
o Minor features:
|
|
- Log a notice when we get a new control connection. Now it's easier
|
|
for security-conscious users to recognize when a local application
|
|
is knocking on their controller door. Suggested by bug 1196.
|
|
- New config option "CircuitStreamTimeout" to override our internal
|
|
timeout schedule for how many seconds until we detach a stream from
|
|
a circuit and try a new circuit. If your network is particularly
|
|
slow, you might want to set this to a number like 60.
|
|
- New controller command "getinfo config-text". It returns the
|
|
contents that Tor would write if you send it a SAVECONF command,
|
|
so the controller can write the file to disk itself.
|
|
- New options for SafeLogging to allow scrubbing only log messages
|
|
generated while acting as a relay.
|
|
- Ship the bridges spec file in the tarball too.
|
|
- Avoid a mad rush at the beginning of each month when each client
|
|
rotates half of its guards. Instead we spread the rotation out
|
|
throughout the month, but we still avoid leaving a precise timestamp
|
|
in the state file about when we first picked the guard. Improves
|
|
over the behavior introduced in 0.1.2.17.
|
|
|
|
o Minor bugfixes (compiling):
|
|
- Fix compilation on OS X 10.3, which has a stub mlockall() but
|
|
hides it. Bugfix on 0.2.2.6-alpha.
|
|
- Fix compilation on Solaris by removing support for the
|
|
DisableAllSwap config option. Solaris doesn't have an rlimit for
|
|
mlockall, so we cannot use it safely. Fixes bug 1198; bugfix on
|
|
0.2.2.6-alpha.
|
|
|
|
o Minor bugfixes (crashes):
|
|
- Do not segfault when writing buffer stats when we haven't observed
|
|
a single circuit to report about. Found by Fabian Lanze. Bugfix on
|
|
0.2.2.1-alpha.
|
|
- If we're in the pathological case where there's no exit bandwidth
|
|
but there is non-exit bandwidth, or no guard bandwidth but there
|
|
is non-guard bandwidth, don't crash during path selection. Bugfix
|
|
on 0.2.0.3-alpha.
|
|
- Fix an impossible-to-actually-trigger buffer overflow in relay
|
|
descriptor generation. Bugfix on 0.1.0.15.
|
|
|
|
o Minor bugfixes (privacy):
|
|
- Fix an instance where a Tor directory mirror might accidentally
|
|
log the IP address of a misbehaving Tor client. Bugfix on
|
|
0.1.0.1-rc.
|
|
- Don't list Windows capabilities in relay descriptors. We never made
|
|
use of them, and maybe it's a bad idea to publish them. Bugfix
|
|
on 0.1.1.8-alpha.
|
|
|
|
o Minor bugfixes (other):
|
|
- Resolve an edge case in path weighting that could make us misweight
|
|
our relay selection. Fixes bug 1203; bugfix on 0.0.8rc1.
|
|
- Fix statistics on client numbers by country as seen by bridges that
|
|
were broken in 0.2.2.1-alpha. Also switch to reporting full 24-hour
|
|
intervals instead of variable 12-to-48-hour intervals.
|
|
- After we free an internal connection structure, overwrite it
|
|
with a different memory value than we use for overwriting a freed
|
|
internal circuit structure. Should help with debugging. Suggested
|
|
by bug 1055.
|
|
- Update our OpenSSL 0.9.8l fix so that it works with OpenSSL 0.9.8m
|
|
too.
|
|
|
|
o Removed features:
|
|
- Remove the HSAuthorityRecordStats option that version 0 hidden
|
|
service authorities could have used to track statistics of overall
|
|
hidden service usage.
|
|
|
|
|
|
Changes in version 0.2.1.22 - 2010-01-19
|
|
Tor 0.2.1.22 fixes a critical privacy problem in bridge directory
|
|
authorities -- it would tell you its whole history of bridge descriptors
|
|
if you make the right directory request. This stable update also
|
|
rotates two of the seven v3 directory authority keys and locations.
|
|
|
|
o Directory authority changes:
|
|
- Rotate keys (both v3 identity and relay identity) for moria1
|
|
and gabelmoo.
|
|
|
|
o Major bugfixes:
|
|
- Stop bridge directory authorities from answering dbg-stability.txt
|
|
directory queries, which would let people fetch a list of all
|
|
bridge identities they track. Bugfix on 0.2.1.6-alpha.
|
|
|
|
|
|
Changes in version 0.2.1.21 - 2009-12-21
|
|
Tor 0.2.1.21 fixes an incompatibility with the most recent OpenSSL
|
|
library. If you use Tor on Linux / Unix and you're getting SSL
|
|
renegotiation errors, upgrading should help. We also recommend an
|
|
upgrade if you're an exit relay.
|
|
|
|
o Major bugfixes:
|
|
- Work around a security feature in OpenSSL 0.9.8l that prevents our
|
|
handshake from working unless we explicitly tell OpenSSL that we
|
|
are using SSL renegotiation safely. We are, of course, but OpenSSL
|
|
0.9.8l won't work unless we say we are.
|
|
- Avoid crashing if the client is trying to upload many bytes and the
|
|
circuit gets torn down at the same time, or if the flip side
|
|
happens on the exit relay. Bugfix on 0.2.0.1-alpha; fixes bug 1150.
|
|
|
|
o Minor bugfixes:
|
|
- Do not refuse to learn about authority certs and v2 networkstatus
|
|
documents that are older than the latest consensus. This bug might
|
|
have degraded client bootstrapping. Bugfix on 0.2.0.10-alpha.
|
|
Spotted and fixed by xmux.
|
|
- Fix a couple of very-hard-to-trigger memory leaks, and one hard-to-
|
|
trigger platform-specific option misparsing case found by Coverity
|
|
Scan.
|
|
- Fix a compilation warning on Fedora 12 by removing an impossible-to-
|
|
trigger assert. Fixes bug 1173.
|
|
|
|
|
|
Changes in version 0.2.2.6-alpha - 2009-11-19
|
|
Tor 0.2.2.6-alpha lays the groundwork for many upcoming features:
|
|
support for the new lower-footprint "microdescriptor" directory design,
|
|
future-proofing our consensus format against new hash functions or
|
|
other changes, and an Android port. It also makes Tor compatible with
|
|
the upcoming OpenSSL 0.9.8l release, and fixes a variety of bugs.
|
|
|
|
o Major features:
|
|
- Directory authorities can now create, vote on, and serve multiple
|
|
parallel formats of directory data as part of their voting process.
|
|
Partially implements Proposal 162: "Publish the consensus in
|
|
multiple flavors".
|
|
- Directory authorities can now agree on and publish small summaries
|
|
of router information that clients can use in place of regular
|
|
server descriptors. This transition will eventually allow clients
|
|
to use far less bandwidth for downloading information about the
|
|
network. Begins the implementation of Proposal 158: "Clients
|
|
download consensus + microdescriptors".
|
|
- The directory voting system is now extensible to use multiple hash
|
|
algorithms for signatures and resource selection. Newer formats
|
|
are signed with SHA256, with a possibility for moving to a better
|
|
hash algorithm in the future.
|
|
- New DisableAllSwap option. If set to 1, Tor will attempt to lock all
|
|
current and future memory pages via mlockall(). On supported
|
|
platforms (modern Linux and probably BSD but not Windows or OS X),
|
|
this should effectively disable any and all attempts to page out
|
|
memory. This option requires that you start your Tor as root --
|
|
if you use DisableAllSwap, please consider using the User option
|
|
to properly reduce the privileges of your Tor.
|
|
- Numerous changes, bugfixes, and workarounds from Nathan Freitas
|
|
to help Tor build correctly for Android phones.
|
|
|
|
o Major bugfixes:
|
|
- Work around a security feature in OpenSSL 0.9.8l that prevents our
|
|
handshake from working unless we explicitly tell OpenSSL that we
|
|
are using SSL renegotiation safely. We are, but OpenSSL 0.9.8l
|
|
won't work unless we say we are.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a crash bug when trying to initialize the evdns module in
|
|
Libevent 2. Bugfix on 0.2.1.16-rc.
|
|
- Stop logging at severity 'warn' when some other Tor client tries
|
|
to establish a circuit with us using weak DH keys. It's a protocol
|
|
violation, but that doesn't mean ordinary users need to hear about
|
|
it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13.
|
|
- Do not refuse to learn about authority certs and v2 networkstatus
|
|
documents that are older than the latest consensus. This bug might
|
|
have degraded client bootstrapping. Bugfix on 0.2.0.10-alpha.
|
|
Spotted and fixed by xmux.
|
|
- Fix numerous small code-flaws found by Coverity Scan Rung 3.
|
|
- If all authorities restart at once right before a consensus vote,
|
|
nobody will vote about "Running", and clients will get a consensus
|
|
with no usable relays. Instead, authorities refuse to build a
|
|
consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066.
|
|
- If your relay can't keep up with the number of incoming create
|
|
cells, it would log one warning per failure into your logs. Limit
|
|
warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042.
|
|
- Bridges now use "reject *:*" as their default exit policy. Bugfix
|
|
on 0.2.0.3-alpha; fixes bug 1113.
|
|
- Fix a memory leak on directory authorities during voting that was
|
|
introduced in 0.2.2.1-alpha. Found via valgrind.
|
|
|
|
|
|
Changes in version 0.2.1.20 - 2009-10-15
|
|
Tor 0.2.1.20 fixes a crash bug when you're accessing many hidden
|
|
services at once, prepares for more performance improvements, and
|
|
fixes a bunch of smaller bugs.
|
|
|
|
The Windows and OS X bundles also include a more recent Vidalia,
|
|
and switch from Privoxy to Polipo.
|
|
|
|
The OS X installers are now drag and drop. It's best to un-install
|
|
Tor/Vidalia and then install this new bundle, rather than upgrade. If
|
|
you want to upgrade, you'll need to update the paths for Tor and Polipo
|
|
in the Vidalia Settings window.
|
|
|
|
o Major bugfixes:
|
|
- Send circuit or stream sendme cells when our window has decreased
|
|
by 100 cells, not when it has decreased by 101 cells. Bug uncovered
|
|
by Karsten when testing the "reduce circuit window" performance
|
|
patch. Bugfix on the 54th commit on Tor -- from July 2002,
|
|
before the release of Tor 0.0.0. This is the new winner of the
|
|
oldest-bug prize.
|
|
- Fix a remotely triggerable memory leak when a consensus document
|
|
contains more than one signature from the same voter. Bugfix on
|
|
0.2.0.3-alpha.
|
|
- Avoid segfault in rare cases when finishing an introduction circuit
|
|
as a client and finding out that we don't have an introduction key
|
|
for it. Fixes bug 1073. Reported by Aaron Swartz.
|
|
|
|
o Major features:
|
|
- Tor now reads the "circwindow" parameter out of the consensus,
|
|
and uses that value for its circuit package window rather than the
|
|
default of 1000 cells. Begins the implementation of proposal 168.
|
|
|
|
o New directory authorities:
|
|
- Set up urras (run by Jacob Appelbaum) as the seventh v3 directory
|
|
authority.
|
|
- Move moria1 and tonga to alternate IP addresses.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a signed/unsigned compile warning in 0.2.1.19.
|
|
- Fix possible segmentation fault on directory authorities. Bugfix on
|
|
0.2.1.14-rc.
|
|
- Fix an extremely rare infinite recursion bug that could occur if
|
|
we tried to log a message after shutting down the log subsystem.
|
|
Found by Matt Edman. Bugfix on 0.2.0.16-alpha.
|
|
- Fix an obscure bug where hidden services on 64-bit big-endian
|
|
systems might mis-read the timestamp in v3 introduce cells, and
|
|
refuse to connect back to the client. Discovered by "rotor".
|
|
Bugfix on 0.2.1.6-alpha.
|
|
- We were triggering a CLOCK_SKEW controller status event whenever
|
|
we connect via the v2 connection protocol to any relay that has
|
|
a wrong clock. Instead, we should only inform the controller when
|
|
it's a trusted authority that claims our clock is wrong. Bugfix
|
|
on 0.2.0.20-rc; starts to fix bug 1074. Reported by SwissTorExit.
|
|
- We were telling the controller about CHECKING_REACHABILITY and
|
|
REACHABILITY_FAILED status events whenever we launch a testing
|
|
circuit or notice that one has failed. Instead, only tell the
|
|
controller when we want to inform the user of overall success or
|
|
overall failure. Bugfix on 0.1.2.6-alpha. Fixes bug 1075. Reported
|
|
by SwissTorExit.
|
|
- Don't warn when we're using a circuit that ends with a node
|
|
excluded in ExcludeExitNodes, but the circuit is not used to access
|
|
the outside world. This should help fix bug 1090. Bugfix on
|
|
0.2.1.6-alpha.
|
|
- Work around a small memory leak in some versions of OpenSSL that
|
|
stopped the memory used by the hostname TLS extension from being
|
|
freed.
|
|
|
|
o Minor features:
|
|
- Add a "getinfo status/accepted-server-descriptor" controller
|
|
command, which is the recommended way for controllers to learn
|
|
whether our server descriptor has been successfully received by at
|
|
least on directory authority. Un-recommend good-server-descriptor
|
|
getinfo and status events until we have a better design for them.
|
|
|
|
|
|
Changes in version 0.2.2.5-alpha - 2009-10-11
|
|
Tor 0.2.2.5-alpha fixes a few compile problems in 0.2.2.4-alpha.
|
|
|
|
o Major bugfixes:
|
|
- Make the tarball compile again. Oops. Bugfix on 0.2.2.4-alpha.
|
|
|
|
o Directory authorities:
|
|
- Temporarily (just for this release) move dizum to an alternate
|
|
IP address.
|
|
|
|
|
|
Changes in version 0.2.2.4-alpha - 2009-10-10
|
|
Tor 0.2.2.4-alpha fixes more crash bugs in 0.2.2.2-alpha. It also
|
|
introduces a new unit test framework, shifts directry authority
|
|
addresses around to reduce the impact from recent blocking events,
|
|
and fixes a few smaller bugs.
|
|
|
|
o Major bugfixes:
|
|
- Fix several more asserts in the circuit_build_times code, for
|
|
example one that causes Tor to fail to start once we have
|
|
accumulated 5000 build times in the state file. Bugfixes on
|
|
0.2.2.2-alpha; fixes bug 1108.
|
|
|
|
o New directory authorities:
|
|
- Move moria1 and Tonga to alternate IP addresses.
|
|
|
|
o Minor features:
|
|
- Log SSL state transitions at debug level during handshake, and
|
|
include SSL states in error messages. This may help debug future
|
|
SSL handshake issues.
|
|
- Add a new "Handshake" log domain for activities that happen
|
|
during the TLS handshake.
|
|
- Revert to the "June 3 2009" ip-to-country file. The September one
|
|
seems to have removed most US IP addresses.
|
|
- Directory authorities now reject Tor relays with versions less than
|
|
0.1.2.14. This step cuts out four relays from the current network,
|
|
none of which are very big.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a couple of smaller issues with gathering statistics. Bugfixes
|
|
on 0.2.2.1-alpha.
|
|
- Fix two memory leaks in the error case of
|
|
circuit_build_times_parse_state(). Bugfix on 0.2.2.2-alpha.
|
|
- Don't count one-hop circuits when we're estimating how long it
|
|
takes circuits to build on average. Otherwise we'll set our circuit
|
|
build timeout lower than we should. Bugfix on 0.2.2.2-alpha.
|
|
- Directory authorities no longer change their opinion of, or vote on,
|
|
whether a router is Running, unless they have themselves been
|
|
online long enough to have some idea. Bugfix on 0.2.0.6-alpha.
|
|
Fixes bug 1023.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Revise our unit tests to use the "tinytest" framework, so we
|
|
can run tests in their own processes, have smarter setup/teardown
|
|
code, and so on. The unit test code has moved to its own
|
|
subdirectory, and has been split into multiple modules.
|
|
|
|
|
|
Changes in version 0.2.2.3-alpha - 2009-09-23
|
|
Tor 0.2.2.3-alpha fixes a few crash bugs in 0.2.2.2-alpha.
|
|
|
|
o Major bugfixes:
|
|
- Fix an overzealous assert in our new circuit build timeout code.
|
|
Bugfix on 0.2.2.2-alpha; fixes bug 1103.
|
|
|
|
o Minor bugfixes:
|
|
- If the networkstatus consensus tells us that we should use a
|
|
negative circuit package window, ignore it. Otherwise we'll
|
|
believe it and then trigger an assert. Bugfix on 0.2.2.2-alpha.
|
|
|
|
|
|
Changes in version 0.2.2.2-alpha - 2009-09-21
|
|
Tor 0.2.2.2-alpha introduces our latest performance improvement for
|
|
clients: Tor tracks the average time it takes to build a circuit, and
|
|
avoids using circuits that take too long to build. For fast connections,
|
|
this feature can cut your expected latency in half. For slow or flaky
|
|
connections, it could ruin your Tor experience. Let us know if it does!
|
|
|
|
o Major features:
|
|
- Tor now tracks how long it takes to build client-side circuits
|
|
over time, and adapts its timeout to local network performance.
|
|
Since a circuit that takes a long time to build will also provide
|
|
bad performance, we get significant latency improvements by
|
|
discarding the slowest 20% of circuits. Specifically, Tor creates
|
|
circuits more aggressively than usual until it has enough data
|
|
points for a good timeout estimate. Implements proposal 151.
|
|
We are especially looking for reports (good and bad) from users with
|
|
both EDGE and broadband connections that can move from broadband
|
|
to EDGE and find out if the build-time data in the .tor/state gets
|
|
reset without loss of Tor usability. You should also see a notice
|
|
log message telling you that Tor has reset its timeout.
|
|
- Directory authorities can now vote on arbitary integer values as
|
|
part of the consensus process. This is designed to help set
|
|
network-wide parameters. Implements proposal 167.
|
|
- Tor now reads the "circwindow" parameter out of the consensus,
|
|
and uses that value for its circuit package window rather than the
|
|
default of 1000 cells. Begins the implementation of proposal 168.
|
|
|
|
o Major bugfixes:
|
|
- Fix a remotely triggerable memory leak when a consensus document
|
|
contains more than one signature from the same voter. Bugfix on
|
|
0.2.0.3-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Fix an extremely rare infinite recursion bug that could occur if
|
|
we tried to log a message after shutting down the log subsystem.
|
|
Found by Matt Edman. Bugfix on 0.2.0.16-alpha.
|
|
- Fix parsing for memory or time units given without a space between
|
|
the number and the unit. Bugfix on 0.2.2.1-alpha; fixes bug 1076.
|
|
- A networkstatus vote must contain exactly one signature. Spec
|
|
conformance issue. Bugfix on 0.2.0.3-alpha.
|
|
- Fix an obscure bug where hidden services on 64-bit big-endian
|
|
systems might mis-read the timestamp in v3 introduce cells, and
|
|
refuse to connect back to the client. Discovered by "rotor".
|
|
Bugfix on 0.2.1.6-alpha.
|
|
- We were triggering a CLOCK_SKEW controller status event whenever
|
|
we connect via the v2 connection protocol to any relay that has
|
|
a wrong clock. Instead, we should only inform the controller when
|
|
it's a trusted authority that claims our clock is wrong. Bugfix
|
|
on 0.2.0.20-rc; starts to fix bug 1074. Reported by SwissTorExit.
|
|
- We were telling the controller about CHECKING_REACHABILITY and
|
|
REACHABILITY_FAILED status events whenever we launch a testing
|
|
circuit or notice that one has failed. Instead, only tell the
|
|
controller when we want to inform the user of overall success or
|
|
overall failure. Bugfix on 0.1.2.6-alpha. Fixes bug 1075. Reported
|
|
by SwissTorExit.
|
|
- Don't warn when we're using a circuit that ends with a node
|
|
excluded in ExcludeExitNodes, but the circuit is not used to access
|
|
the outside world. This should help fix bug 1090, but more problems
|
|
remain. Bugfix on 0.2.1.6-alpha.
|
|
- Work around a small memory leak in some versions of OpenSSL that
|
|
stopped the memory used by the hostname TLS extension from being
|
|
freed.
|
|
- Make our 'torify' script more portable; if we have only one of
|
|
'torsocks' or 'tsocks' installed, don't complain to the user;
|
|
and explain our warning about tsocks better.
|
|
|
|
o Minor features:
|
|
- Add a "getinfo status/accepted-server-descriptor" controller
|
|
command, which is the recommended way for controllers to learn
|
|
whether our server descriptor has been successfully received by at
|
|
least on directory authority. Un-recommend good-server-descriptor
|
|
getinfo and status events until we have a better design for them.
|
|
- Update to the "September 4 2009" ip-to-country file.
|
|
|
|
|
|
Changes in version 0.2.2.1-alpha - 2009-08-26
|
|
Tor 0.2.2.1-alpha disables ".exit" address notation by default, allows
|
|
Tor clients to bootstrap on networks where only port 80 is reachable,
|
|
makes it more straightforward to support hardware crypto accelerators,
|
|
and starts the groundwork for gathering stats safely at relays.
|
|
|
|
o Security fixes:
|
|
- Start the process of disabling ".exit" address notation, since it
|
|
can be used for a variety of esoteric application-level attacks
|
|
on users. To reenable it, set "AllowDotExit 1" in your torrc. Fix
|
|
on 0.0.9rc5.
|
|
|
|
o New directory authorities:
|
|
- Set up urras (run by Jacob Appelbaum) as the seventh v3 directory
|
|
authority.
|
|
|
|
o Major features:
|
|
- New AccelName and AccelDir options add support for dynamic OpenSSL
|
|
hardware crypto acceleration engines.
|
|
- Tor now supports tunneling all of its outgoing connections over
|
|
a SOCKS proxy, using the SOCKS4Proxy and/or SOCKS5Proxy
|
|
configuration options. Code by Christopher Davis.
|
|
|
|
o Major bugfixes:
|
|
- Send circuit or stream sendme cells when our window has decreased
|
|
by 100 cells, not when it has decreased by 101 cells. Bug uncovered
|
|
by Karsten when testing the "reduce circuit window" performance
|
|
patch. Bugfix on the 54th commit on Tor -- from July 2002,
|
|
before the release of Tor 0.0.0. This is the new winner of the
|
|
oldest-bug prize.
|
|
|
|
o New options for gathering stats safely:
|
|
- Directory mirrors that set "DirReqStatistics 1" write statistics
|
|
about directory requests to disk every 24 hours. As compared to the
|
|
--enable-geoip-stats flag in 0.2.1.x, there are a few improvements:
|
|
1) stats are written to disk exactly every 24 hours; 2) estimated
|
|
shares of v2 and v3 requests are determined as mean values, not at
|
|
the end of a measurement period; 3) unresolved requests are listed
|
|
with country code '??'; 4) directories also measure download times.
|
|
- Exit nodes that set "ExitPortStatistics 1" write statistics on the
|
|
number of exit streams and transferred bytes per port to disk every
|
|
24 hours.
|
|
- Relays that set "CellStatistics 1" write statistics on how long
|
|
cells spend in their circuit queues to disk every 24 hours.
|
|
- Entry nodes that set "EntryStatistics 1" write statistics on the
|
|
rough number and origins of connecting clients to disk every 24
|
|
hours.
|
|
- Relays that write any of the above statistics to disk and set
|
|
"ExtraInfoStatistics 1" include the past 24 hours of statistics in
|
|
their extra-info documents.
|
|
|
|
o Minor features:
|
|
- New --digests command-line switch to output the digests of the
|
|
source files Tor was built with.
|
|
- The "torify" script now uses torsocks where available.
|
|
- The memarea code now uses a sentinel value at the end of each area
|
|
to make sure nothing writes beyond the end of an area. This might
|
|
help debug some conceivable causes of bug 930.
|
|
- Time and memory units in the configuration file can now be set to
|
|
fractional units. For example, "2.5 GB" is now a valid value for
|
|
AccountingMax.
|
|
- Certain Tor clients (such as those behind check.torproject.org) may
|
|
want to fetch the consensus in an extra early manner. To enable this
|
|
a user may now set FetchDirInfoExtraEarly to 1. This also depends on
|
|
setting FetchDirInfoEarly to 1. Previous behavior will stay the same
|
|
as only certain clients who must have this information sooner should
|
|
set this option.
|
|
- Instead of adding the svn revision to the Tor version string, report
|
|
the git commit (when we're building from a git checkout).
|
|
|
|
o Minor bugfixes:
|
|
- If any of the v3 certs we download are unparseable, we should
|
|
actually notice the failure so we don't retry indefinitely. Bugfix
|
|
on 0.2.0.x; reported by "rotator".
|
|
- If the cached cert file is unparseable, warn but don't exit.
|
|
- Fix possible segmentation fault on directory authorities. Bugfix on
|
|
0.2.1.14-rc.
|
|
- When Tor fails to parse a descriptor of any kind, dump it to disk.
|
|
Might help diagnosing bug 1051.
|
|
|
|
o Deprecated and removed features:
|
|
- The controller no longer accepts the old obsolete "addr-mappings/"
|
|
or "unregistered-servers-" GETINFO values.
|
|
- Hidden services no longer publish version 0 descriptors, and clients
|
|
do not request or use version 0 descriptors. However, the old hidden
|
|
service authorities still accept and serve version 0 descriptors
|
|
when contacted by older hidden services/clients.
|
|
- The EXTENDED_EVENTS and VERBOSE_NAMES controller features are now
|
|
always on; using them is necessary for correct forward-compatible
|
|
controllers.
|
|
- Remove support for .noconnect style addresses. Nobody was using
|
|
them, and they provided another avenue for detecting Tor users
|
|
via application-level web tricks.
|
|
|
|
o Packaging changes:
|
|
- Upgrade Vidalia from 0.1.15 to 0.2.3 in the Windows and OS X
|
|
installer bundles. See
|
|
https://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.2.3/CHANGELOG
|
|
for details of what's new in Vidalia 0.2.3.
|
|
- Windows Vidalia Bundle: update Privoxy from 3.0.6 to 3.0.14-beta.
|
|
- OS X Vidalia Bundle: move to Polipo 1.0.4 with Tor specific
|
|
configuration file, rather than the old Privoxy.
|
|
- OS X Vidalia Bundle: Vidalia, Tor, and Polipo are compiled as
|
|
x86-only for better compatibility with OS X 10.6, aka Snow Leopard.
|
|
- OS X Tor Expert Bundle: Tor is compiled as x86-only for
|
|
better compatibility with OS X 10.6, aka Snow Leopard.
|
|
- OS X Vidalia Bundle: The multi-package installer is now replaced
|
|
by a simple drag and drop to the /Applications folder. This change
|
|
occurred with the upgrade to Vidalia 0.2.3.
|
|
|
|
|
|
Changes in version 0.2.1.19 - 2009-07-28
|
|
Tor 0.2.1.19 fixes a major bug with accessing and providing hidden
|
|
services on Tor 0.2.1.3-alpha through 0.2.1.18.
|
|
|
|
o Major bugfixes:
|
|
- Make accessing hidden services on 0.2.1.x work right again.
|
|
Bugfix on 0.2.1.3-alpha; workaround for bug 1038. Diagnosis and
|
|
part of patch provided by "optimist".
|
|
|
|
o Minor features:
|
|
- When a relay/bridge is writing out its identity key fingerprint to
|
|
the "fingerprint" file and to its logs, write it without spaces. Now
|
|
it will look like the fingerprints in our bridges documentation,
|
|
and confuse fewer users.
|
|
|
|
o Minor bugfixes:
|
|
- Relays no longer publish a new server descriptor if they change
|
|
their MaxAdvertisedBandwidth config option but it doesn't end up
|
|
changing their advertised bandwidth numbers. Bugfix on 0.2.0.28-rc;
|
|
fixes bug 1026. Patch from Sebastian.
|
|
- Avoid leaking memory every time we get a create cell but we have
|
|
so many already queued that we refuse it. Bugfix on 0.2.0.19-alpha;
|
|
fixes bug 1034. Reported by BarkerJr.
|
|
|
|
|
|
Changes in version 0.2.1.18 - 2009-07-24
|
|
Tor 0.2.1.18 lays the foundations for performance improvements,
|
|
adds status events to help users diagnose bootstrap problems, adds
|
|
optional authentication/authorization for hidden services, fixes a
|
|
variety of potential anonymity problems, and includes a huge pile of
|
|
other features and bug fixes.
|
|
|
|
o Build fixes:
|
|
- Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.
|
|
|
|
|
|
Changes in version 0.2.1.17-rc - 2009-07-07
|
|
Tor 0.2.1.17-rc marks the fourth -- and hopefully last -- release
|
|
candidate for the 0.2.1.x series. It lays the groundwork for further
|
|
client performance improvements, and also fixes a big bug with directory
|
|
authorities that were causing them to assign Guard and Stable flags
|
|
poorly.
|
|
|
|
The Windows bundles also finally include the geoip database that we
|
|
thought we'd been shipping since 0.2.0.x (oops), and the OS X bundles
|
|
should actually install Torbutton rather than giving you a cryptic
|
|
failure message (oops).
|
|
|
|
o Major features:
|
|
- Clients now use the bandwidth values in the consensus, rather than
|
|
the bandwidth values in each relay descriptor. This approach opens
|
|
the door to more accurate bandwidth estimates once the directory
|
|
authorities start doing active measurements. Implements more of
|
|
proposal 141.
|
|
|
|
o Major bugfixes:
|
|
- When Tor clients restart after 1-5 days, they discard all their
|
|
cached descriptors as too old, but they still use the cached
|
|
consensus document. This approach is good for robustness, but
|
|
bad for performance: since they don't know any bandwidths, they
|
|
end up choosing at random rather than weighting their choice by
|
|
speed. Fixed by the above feature of putting bandwidths in the
|
|
consensus. Bugfix on 0.2.0.x.
|
|
- Directory authorities were neglecting to mark relays down in their
|
|
internal histories if the relays fall off the routerlist without
|
|
ever being found unreachable. So there were relays in the histories
|
|
that haven't been seen for eight months, and are listed as being
|
|
up for eight months. This wreaked havoc on the "median wfu"
|
|
and "median mtbf" calculations, in turn making Guard and Stable
|
|
flags very wrong, hurting network performance. Fixes bugs 696 and
|
|
969. Bugfix on 0.2.0.6-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Serve the DirPortFrontPage page even when we have been approaching
|
|
our quotas recently. Fixes bug 1013; bugfix on 0.2.1.8-alpha.
|
|
- The control port would close the connection before flushing long
|
|
replies, such as the network consensus, if a QUIT command was issued
|
|
before the reply had completed. Now, the control port flushes all
|
|
pending replies before closing the connection. Also fixed a spurious
|
|
warning when a QUIT command is issued after a malformed or rejected
|
|
AUTHENTICATE command, but before the connection was closed. Patch
|
|
by Marcus Griep. Bugfix on 0.2.0.x; fixes bugs 1015 and 1016.
|
|
- When we can't find an intro key for a v2 hidden service descriptor,
|
|
fall back to the v0 hidden service descriptor and log a bug message.
|
|
Workaround for bug 1024.
|
|
- Fix a log message that did not respect the SafeLogging option.
|
|
Resolves bug 1027.
|
|
|
|
o Minor features:
|
|
- If we're a relay and we change our IP address, be more verbose
|
|
about the reason that made us change. Should help track down
|
|
further bugs for relays on dynamic IP addresses.
|
|
|
|
|
|
Changes in version 0.2.0.35 - 2009-06-24
|
|
o Security fix:
|
|
- Avoid crashing in the presence of certain malformed descriptors.
|
|
Found by lark, and by automated fuzzing.
|
|
- Fix an edge case where a malicious exit relay could convince a
|
|
controller that the client's DNS question resolves to an internal IP
|
|
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
|
|
|
|
o Major bugfixes:
|
|
- Finally fix the bug where dynamic-IP relays disappear when their
|
|
IP address changes: directory mirrors were mistakenly telling
|
|
them their old address if they asked via begin_dir, so they
|
|
never got an accurate answer about their new address, so they
|
|
just vanished after a day. For belt-and-suspenders, relays that
|
|
don't set Address in their config now avoid using begin_dir for
|
|
all direct connections. Should fix bugs 827, 883, and 900.
|
|
- Fix a timing-dependent, allocator-dependent, DNS-related crash bug
|
|
that would occur on some exit nodes when DNS failures and timeouts
|
|
occurred in certain patterns. Fix for bug 957.
|
|
|
|
o Minor bugfixes:
|
|
- When starting with a cache over a few days old, do not leak
|
|
memory for the obsolete router descriptors in it. Bugfix on
|
|
0.2.0.33; fixes bug 672.
|
|
- Hidden service clients didn't use a cached service descriptor that
|
|
was older than 15 minutes, but wouldn't fetch a new one either,
|
|
because there was already one in the cache. Now, fetch a v2
|
|
descriptor unless the same descriptor was added to the cache within
|
|
the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
|
|
|
|
|
|
Changes in version 0.2.1.16-rc - 2009-06-20
|
|
Tor 0.2.1.16-rc speeds up performance for fast exit relays, and fixes
|
|
a bunch of minor bugs.
|
|
|
|
o Security fixes:
|
|
- Fix an edge case where a malicious exit relay could convince a
|
|
controller that the client's DNS question resolves to an internal IP
|
|
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
|
|
|
|
o Major performance improvements (on 0.2.0.x):
|
|
- Disable and refactor some debugging checks that forced a linear scan
|
|
over the whole server-side DNS cache. These accounted for over 50%
|
|
of CPU time on a relatively busy exit node's gprof profile. Found
|
|
by Jacob.
|
|
- Disable some debugging checks that appeared in exit node profile
|
|
data.
|
|
|
|
o Minor features:
|
|
- Update to the "June 3 2009" ip-to-country file.
|
|
- Do not have tor-resolve automatically refuse all .onion addresses;
|
|
if AutomapHostsOnResolve is set in your torrc, this will work fine.
|
|
|
|
o Minor bugfixes (on 0.2.0.x):
|
|
- Log correct error messages for DNS-related network errors on
|
|
Windows.
|
|
- Fix a race condition that could cause crashes or memory corruption
|
|
when running as a server with a controller listening for log
|
|
messages.
|
|
- Avoid crashing when we have a policy specified in a DirPolicy or
|
|
SocksPolicy or ReachableAddresses option with ports set on it,
|
|
and we re-load the policy. May fix bug 996.
|
|
- Hidden service clients didn't use a cached service descriptor that
|
|
was older than 15 minutes, but wouldn't fetch a new one either,
|
|
because there was already one in the cache. Now, fetch a v2
|
|
descriptor unless the same descriptor was added to the cache within
|
|
the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
|
|
|
|
o Minor bugfixes (on 0.2.1.x):
|
|
- Don't warn users about low port and hibernation mix when they
|
|
provide a *ListenAddress directive to fix that. Bugfix on
|
|
0.2.1.15-rc.
|
|
- When switching back and forth between bridge mode, do not start
|
|
gathering GeoIP data until two hours have passed.
|
|
- Do not complain that the user has requested an excluded node as
|
|
an exit when the node is not really an exit. This could happen
|
|
because the circuit was for testing, or an introduction point.
|
|
Fix for bug 984.
|
|
|
|
|
|
Changes in version 0.2.1.15-rc - 2009-05-25
|
|
Tor 0.2.1.15-rc marks the second release candidate for the 0.2.1.x
|
|
series. It fixes a major bug on fast exit relays, as well as a variety
|
|
of more minor bugs.
|
|
|
|
o Major bugfixes (on 0.2.0.x):
|
|
- Fix a timing-dependent, allocator-dependent, DNS-related crash bug
|
|
that would occur on some exit nodes when DNS failures and timeouts
|
|
occurred in certain patterns. Fix for bug 957.
|
|
|
|
o Minor bugfixes (on 0.2.0.x):
|
|
- Actually return -1 in the error case for read_bandwidth_usage().
|
|
Harmless bug, since we currently don't care about the return value
|
|
anywhere. Bugfix on 0.2.0.9-alpha.
|
|
- Provide a more useful log message if bug 977 (related to buffer
|
|
freelists) ever reappears, and do not crash right away.
|
|
- Fix an assertion failure on 64-bit platforms when we allocated
|
|
memory right up to the end of a memarea, then realigned the memory
|
|
one step beyond the end. Fixes a possible cause of bug 930.
|
|
- Protect the count of open sockets with a mutex, so we can't
|
|
corrupt it when two threads are closing or opening sockets at once.
|
|
Fix for bug 939. Bugfix on 0.2.0.1-alpha.
|
|
- Don't allow a bridge to publish its router descriptor to a
|
|
non-bridge directory authority. Fixes part of bug 932.
|
|
- When we change to or from being a bridge, reset our counts of
|
|
client usage by country. Fixes bug 932.
|
|
- Fix a bug that made stream bandwidth get misreported to the
|
|
controller.
|
|
- Stop using malloc_usable_size() to use more area than we had
|
|
actually allocated: it was safe, but made valgrind really unhappy.
|
|
- Fix a memory leak when v3 directory authorities load their keys
|
|
and cert from disk. Bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor bugfixes (on 0.2.1.x):
|
|
- Fix use of freed memory when deciding to mark a non-addable
|
|
descriptor as never-downloadable. Bugfix on 0.2.1.9-alpha.
|
|
|
|
|
|
Changes in version 0.2.1.14-rc - 2009-04-12
|
|
Tor 0.2.1.14-rc marks the first release candidate for the 0.2.1.x
|
|
series. It begins fixing some major performance problems, and also
|
|
finally addresses the bug that was causing relays on dynamic IP
|
|
addresses to fall out of the directory.
|
|
|
|
o Major features:
|
|
- Clients replace entry guards that were chosen more than a few months
|
|
ago. This change should significantly improve client performance,
|
|
especially once more people upgrade, since relays that have been
|
|
a guard for a long time are currently overloaded.
|
|
|
|
o Major bugfixes (on 0.2.0):
|
|
- Finally fix the bug where dynamic-IP relays disappear when their
|
|
IP address changes: directory mirrors were mistakenly telling
|
|
them their old address if they asked via begin_dir, so they
|
|
never got an accurate answer about their new address, so they
|
|
just vanished after a day. For belt-and-suspenders, relays that
|
|
don't set Address in their config now avoid using begin_dir for
|
|
all direct connections. Should fix bugs 827, 883, and 900.
|
|
- Relays were falling out of the networkstatus consensus for
|
|
part of a day if they changed their local config but the
|
|
authorities discarded their new descriptor as "not sufficiently
|
|
different". Now directory authorities accept a descriptor as changed
|
|
if bandwidthrate or bandwidthburst changed. Partial fix for bug 962;
|
|
patch by Sebastian.
|
|
- Avoid crashing in the presence of certain malformed descriptors.
|
|
Found by lark, and by automated fuzzing.
|
|
|
|
o Minor features:
|
|
- When generating circuit events with verbose nicknames for
|
|
controllers, try harder to look up nicknames for routers on a
|
|
circuit. (Previously, we would look in the router descriptors we had
|
|
for nicknames, but not in the consensus.) Partial fix for bug 941.
|
|
- If the bridge config line doesn't specify a port, assume 443.
|
|
This makes bridge lines a bit smaller and easier for users to
|
|
understand.
|
|
- Raise the minimum bandwidth to be a relay from 20000 bytes to 20480
|
|
bytes (aka 20KB/s), to match our documentation. Also update
|
|
directory authorities so they always assign the Fast flag to relays
|
|
with 20KB/s of capacity. Now people running relays won't suddenly
|
|
find themselves not seeing any use, if the network gets faster
|
|
on average.
|
|
- Update to the "April 3 2009" ip-to-country file.
|
|
|
|
o Minor bugfixes:
|
|
- Avoid trying to print raw memory to the logs when we decide to
|
|
give up on downloading a given relay descriptor. Bugfix on
|
|
0.2.1.9-alpha.
|
|
- In tor-resolve, when the Tor client to use is specified by
|
|
<hostname>:<port>, actually use the specified port rather than
|
|
defaulting to 9050. Bugfix on 0.2.1.6-alpha.
|
|
- Make directory usage recording work again. Bugfix on 0.2.1.6-alpha.
|
|
- When starting with a cache over a few days old, do not leak
|
|
memory for the obsolete router descriptors in it. Bugfix on
|
|
0.2.0.33.
|
|
- Avoid double-free on list of successfully uploaded hidden
|
|
service discriptors. Fix for bug 948. Bugfix on 0.2.1.6-alpha.
|
|
- Change memarea_strndup() implementation to work even when
|
|
duplicating a string at the end of a page. This bug was
|
|
harmless for now, but could have meant crashes later. Fix by
|
|
lark. Bugfix on 0.2.1.1-alpha.
|
|
- Limit uploaded directory documents to be 16M rather than 500K.
|
|
The directory authorities were refusing v3 consensus votes from
|
|
other authorities, since the votes are now 504K. Fixes bug 959;
|
|
bugfix on 0.0.2pre17 (where we raised it from 50K to 500K ;).
|
|
- Directory authorities should never send a 503 "busy" response to
|
|
requests for votes or keys. Bugfix on 0.2.0.8-alpha; exposed by
|
|
bug 959.
|
|
|
|
|
|
Changes in version 0.2.1.13-alpha - 2009-03-09
|
|
Tor 0.2.1.13-alpha includes another big pile of minor bugfixes and
|
|
cleanups. We're finally getting close to a release candidate.
|
|
|
|
o Major bugfixes:
|
|
- Correctly update the list of which countries we exclude as
|
|
exits, when the GeoIP file is loaded or reloaded. Diagnosed by
|
|
lark. Bugfix on 0.2.1.6-alpha.
|
|
|
|
o Minor bugfixes (on 0.2.0.x and earlier):
|
|
- Automatically detect MacOSX versions earlier than 10.4.0, and
|
|
disable kqueue from inside Tor when running with these versions.
|
|
We previously did this from the startup script, but that was no
|
|
help to people who didn't use the startup script. Resolves bug 863.
|
|
- When we had picked an exit node for a connection, but marked it as
|
|
"optional", and it turned out we had no onion key for the exit,
|
|
stop wanting that exit and try again. This situation may not
|
|
be possible now, but will probably become feasible with proposal
|
|
158. Spotted by rovv. Fixes another case of bug 752.
|
|
- Clients no longer cache certificates for authorities they do not
|
|
recognize. Bugfix on 0.2.0.9-alpha.
|
|
- When we can't transmit a DNS request due to a network error, retry
|
|
it after a while, and eventually transmit a failing response to
|
|
the RESOLVED cell. Bugfix on 0.1.2.5-alpha.
|
|
- If the controller claimed responsibility for a stream, but that
|
|
stream never finished making its connection, it would live
|
|
forever in circuit_wait state. Now we close it after SocksTimeout
|
|
seconds. Bugfix on 0.1.2.7-alpha; reported by Mike Perry.
|
|
- Drop begin cells to a hidden service if they come from the middle
|
|
of a circuit. Patch from lark.
|
|
- When we erroneously receive two EXTEND cells for the same circuit
|
|
ID on the same connection, drop the second. Patch from lark.
|
|
- Fix a crash that occurs on exit nodes when a nameserver request
|
|
timed out. Bugfix on 0.1.2.1-alpha; our CLEAR debugging code had
|
|
been suppressing the bug since 0.1.2.10-alpha. Partial fix for
|
|
bug 929.
|
|
- Do not assume that a stack-allocated character array will be
|
|
64-bit aligned on platforms that demand that uint64_t access is
|
|
aligned. Possible fix for bug 604.
|
|
- Parse dates and IPv4 addresses in a locale- and libc-independent
|
|
manner, to avoid platform-dependent behavior on malformed input.
|
|
- Build correctly when configured to build outside the main source
|
|
path. Patch from Michael Gold.
|
|
- We were already rejecting relay begin cells with destination port
|
|
of 0. Now also reject extend cells with destination port or address
|
|
of 0. Suggested by lark.
|
|
|
|
o Minor bugfixes (on 0.2.1.x):
|
|
- Don't re-extend introduction circuits if we ran out of RELAY_EARLY
|
|
cells. Bugfix on 0.2.1.3-alpha. Fixes more of bug 878.
|
|
- If we're an exit node, scrub the IP address to which we are exiting
|
|
in the logs. Bugfix on 0.2.1.8-alpha.
|
|
|
|
o Minor features:
|
|
- On Linux, use the prctl call to re-enable core dumps when the user
|
|
is option is set.
|
|
- New controller event NEWCONSENSUS that lists the networkstatus
|
|
lines for every recommended relay. Now controllers like Torflow
|
|
can keep up-to-date on which relays they should be using.
|
|
- Update to the "February 26 2009" ip-to-country file.
|
|
|
|
|
|
Changes in version 0.2.0.34 - 2009-02-08
|
|
Tor 0.2.0.34 features several more security-related fixes. You should
|
|
upgrade, especially if you run an exit relay (remote crash) or a
|
|
directory authority (remote infinite loop), or you're on an older
|
|
(pre-XP) or not-recently-patched Windows (remote exploit).
|
|
|
|
This release marks end-of-life for Tor 0.1.2.x. Those Tor versions
|
|
have many known flaws, and nobody should be using them. You should
|
|
upgrade. If you're using a Linux or BSD and its packages are obsolete,
|
|
stop using those packages and upgrade anyway.
|
|
|
|
o Security fixes:
|
|
- Fix an infinite-loop bug on handling corrupt votes under certain
|
|
circumstances. Bugfix on 0.2.0.8-alpha.
|
|
- Fix a temporary DoS vulnerability that could be performed by
|
|
a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
|
|
- Avoid a potential crash on exit nodes when processing malformed
|
|
input. Remote DoS opportunity. Bugfix on 0.2.0.33.
|
|
- Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
|
|
Spec conformance issue. Bugfix on Tor 0.0.2pre27.
|
|
|
|
o Minor bugfixes:
|
|
- Fix compilation on systems where time_t is a 64-bit integer.
|
|
Patch from Matthias Drochner.
|
|
- Don't consider expiring already-closed client connections. Fixes
|
|
bug 893. Bugfix on 0.0.2pre20.
|
|
|
|
|
|
Changes in version 0.2.1.12-alpha - 2009-02-08
|
|
Tor 0.2.1.12-alpha features several more security-related fixes. You
|
|
should upgrade, especially if you run an exit relay (remote crash) or
|
|
a directory authority (remote infinite loop), or you're on an older
|
|
(pre-XP) or not-recently-patched Windows (remote exploit). It also
|
|
includes a big pile of minor bugfixes and cleanups.
|
|
|
|
o Security fixes:
|
|
- Fix an infinite-loop bug on handling corrupt votes under certain
|
|
circumstances. Bugfix on 0.2.0.8-alpha.
|
|
- Fix a temporary DoS vulnerability that could be performed by
|
|
a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
|
|
- Avoid a potential crash on exit nodes when processing malformed
|
|
input. Remote DoS opportunity. Bugfix on 0.2.1.7-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Let controllers actually ask for the "clients_seen" event for
|
|
getting usage summaries on bridge relays. Bugfix on 0.2.1.10-alpha;
|
|
reported by Matt Edman.
|
|
- Fix a compile warning on OSX Panther. Fixes bug 913; bugfix against
|
|
0.2.1.11-alpha.
|
|
- Fix a bug in address parsing that was preventing bridges or hidden
|
|
service targets from being at IPv6 addresses.
|
|
- Solve a bug that kept hardware crypto acceleration from getting
|
|
enabled when accounting was turned on. Fixes bug 907. Bugfix on
|
|
0.0.9pre6.
|
|
- Remove a bash-ism from configure.in to build properly on non-Linux
|
|
platforms. Bugfix on 0.2.1.1-alpha.
|
|
- Fix code so authorities _actually_ send back X-Descriptor-Not-New
|
|
headers. Bugfix on 0.2.0.10-alpha.
|
|
- Don't consider expiring already-closed client connections. Fixes
|
|
bug 893. Bugfix on 0.0.2pre20.
|
|
- Fix another interesting corner-case of bug 891 spotted by rovv:
|
|
Previously, if two hosts had different amounts of clock drift, and
|
|
one of them created a new connection with just the wrong timing,
|
|
the other might decide to deprecate the new connection erroneously.
|
|
Bugfix on 0.1.1.13-alpha.
|
|
- Resolve a very rare crash bug that could occur when the user forced
|
|
a nameserver reconfiguration during the middle of a nameserver
|
|
probe. Fixes bug 526. Bugfix on 0.1.2.1-alpha.
|
|
- Support changing value of ServerDNSRandomizeCase during SIGHUP.
|
|
Bugfix on 0.2.1.7-alpha.
|
|
- If we're using bridges and our network goes away, be more willing
|
|
to forgive our bridges and try again when we get an application
|
|
request. Bugfix on 0.2.0.x.
|
|
|
|
o Minor features:
|
|
- Support platforms where time_t is 64 bits long. (Congratulations,
|
|
NetBSD!) Patch from Matthias Drochner.
|
|
- Add a 'getinfo status/clients-seen' controller command, in case
|
|
controllers want to hear clients_seen events but connect late.
|
|
|
|
o Build changes:
|
|
- Disable GCC's strict alias optimization by default, to avoid the
|
|
likelihood of its introducing subtle bugs whenever our code violates
|
|
the letter of C99's alias rules.
|
|
|
|
|
|
Changes in version 0.2.0.33 - 2009-01-21
|
|
Tor 0.2.0.33 fixes a variety of bugs that were making relays less
|
|
useful to users. It also finally fixes a bug where a relay or client
|
|
that's been off for many days would take a long time to bootstrap.
|
|
|
|
This update also fixes an important security-related bug reported by
|
|
Ilja van Sprundel. You should upgrade. (We'll send out more details
|
|
about the bug once people have had some time to upgrade.)
|
|
|
|
o Security fixes:
|
|
- Fix a heap-corruption bug that may be remotely triggerable on
|
|
some platforms. Reported by Ilja van Sprundel.
|
|
|
|
o Major bugfixes:
|
|
- When a stream at an exit relay is in state "resolving" or
|
|
"connecting" and it receives an "end" relay cell, the exit relay
|
|
would silently ignore the end cell and not close the stream. If
|
|
the client never closes the circuit, then the exit relay never
|
|
closes the TCP connection. Bug introduced in Tor 0.1.2.1-alpha;
|
|
reported by "wood".
|
|
- When sending CREATED cells back for a given circuit, use a 64-bit
|
|
connection ID to find the right connection, rather than an addr:port
|
|
combination. Now that we can have multiple OR connections between
|
|
the same ORs, it is no longer possible to use addr:port to uniquely
|
|
identify a connection.
|
|
- Bridge relays that had DirPort set to 0 would stop fetching
|
|
descriptors shortly after startup, and then briefly resume
|
|
after a new bandwidth test and/or after publishing a new bridge
|
|
descriptor. Bridge users that try to bootstrap from them would
|
|
get a recent networkstatus but would get descriptors from up to
|
|
18 hours earlier, meaning most of the descriptors were obsolete
|
|
already. Reported by Tas; bugfix on 0.2.0.13-alpha.
|
|
- Prevent bridge relays from serving their 'extrainfo' document
|
|
to anybody who asks, now that extrainfo docs include potentially
|
|
sensitive aggregated client geoip summaries. Bugfix on
|
|
0.2.0.13-alpha.
|
|
- If the cached networkstatus consensus is more than five days old,
|
|
discard it rather than trying to use it. In theory it could be
|
|
useful because it lists alternate directory mirrors, but in practice
|
|
it just means we spend many minutes trying directory mirrors that
|
|
are long gone from the network. Also discard router descriptors as
|
|
we load them if they are more than five days old, since the onion
|
|
key is probably wrong by now. Bugfix on 0.2.0.x. Fixes bug 887.
|
|
|
|
o Minor bugfixes:
|
|
- Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
|
|
could make gcc generate non-functional binary search code. Bugfix
|
|
on 0.2.0.10-alpha.
|
|
- Build correctly on platforms without socklen_t.
|
|
- Compile without warnings on solaris.
|
|
- Avoid potential crash on internal error during signature collection.
|
|
Fixes bug 864. Patch from rovv.
|
|
- Correct handling of possible malformed authority signing key
|
|
certificates with internal signature types. Fixes bug 880.
|
|
Bugfix on 0.2.0.3-alpha.
|
|
- Fix a hard-to-trigger resource leak when logging credential status.
|
|
CID 349.
|
|
- When we can't initialize DNS because the network is down, do not
|
|
automatically stop Tor from starting. Instead, we retry failed
|
|
dns_init() every 10 minutes, and change the exit policy to reject
|
|
*:* until one succeeds. Fixes bug 691.
|
|
- Use 64 bits instead of 32 bits for connection identifiers used with
|
|
the controller protocol, to greatly reduce risk of identifier reuse.
|
|
- When we're choosing an exit node for a circuit, and we have
|
|
no pending streams, choose a good general exit rather than one that
|
|
supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
|
|
- Fix another case of assuming, when a specific exit is requested,
|
|
that we know more than the user about what hosts it allows.
|
|
Fixes one case of bug 752. Patch from rovv.
|
|
- Clip the MaxCircuitDirtiness config option to a minimum of 10
|
|
seconds. Warn the user if lower values are given in the
|
|
configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
|
|
- Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
|
|
user if lower values are given in the configuration. Bugfix on
|
|
0.1.1.17-rc. Patch by Sebastian.
|
|
- Fix a memory leak when we decline to add a v2 rendezvous descriptor to
|
|
the cache because we already had a v0 descriptor with the same ID.
|
|
Bugfix on 0.2.0.18-alpha.
|
|
- Fix a race condition when freeing keys shared between main thread
|
|
and CPU workers that could result in a memory leak. Bugfix on
|
|
0.1.0.1-rc. Fixes bug 889.
|
|
- Send a valid END cell back when a client tries to connect to a
|
|
nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
|
|
840. Patch from rovv.
|
|
- Check which hops rendezvous stream cells are associated with to
|
|
prevent possible guess-the-streamid injection attacks from
|
|
intermediate hops. Fixes another case of bug 446. Based on patch
|
|
from rovv.
|
|
- If a broken client asks a non-exit router to connect somewhere,
|
|
do not even do the DNS lookup before rejecting the connection.
|
|
Fixes another case of bug 619. Patch from rovv.
|
|
- When a relay gets a create cell it can't decrypt (e.g. because it's
|
|
using the wrong onion key), we were dropping it and letting the
|
|
client time out. Now actually answer with a destroy cell. Fixes
|
|
bug 904. Bugfix on 0.0.2pre8.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Do not throw away existing introduction points on SIGHUP. Bugfix on
|
|
0.0.6pre1. Patch by Karsten. Fixes bug 874.
|
|
|
|
o Minor features:
|
|
- Report the case where all signatures in a detached set are rejected
|
|
differently than the case where there is an error handling the
|
|
detached set.
|
|
- When we realize that another process has modified our cached
|
|
descriptors, print out a more useful error message rather than
|
|
triggering an assertion. Fixes bug 885. Patch from Karsten.
|
|
- Implement the 0x20 hack to better resist DNS poisoning: set the
|
|
case on outgoing DNS requests randomly, and reject responses that do
|
|
not match the case correctly. This logic can be disabled with the
|
|
ServerDNSRamdomizeCase setting, if you are using one of the 0.3%
|
|
of servers that do not reliably preserve case in replies. See
|
|
"Increased DNS Forgery Resistance through 0x20-Bit Encoding"
|
|
for more info.
|
|
- Check DNS replies for more matching fields to better resist DNS
|
|
poisoning.
|
|
- Never use OpenSSL compression: it wastes RAM and CPU trying to
|
|
compress cells, which are basically all encrypted, compressed, or
|
|
both.
|
|
|
|
|
|
Changes in version 0.2.1.11-alpha - 2009-01-20
|
|
Tor 0.2.1.11-alpha finishes fixing the "if your Tor is off for a
|
|
week it will take a long time to bootstrap again" bug. It also fixes
|
|
an important security-related bug reported by Ilja van Sprundel. You
|
|
should upgrade. (We'll send out more details about the bug once people
|
|
have had some time to upgrade.)
|
|
|
|
o Security fixes:
|
|
- Fix a heap-corruption bug that may be remotely triggerable on
|
|
some platforms. Reported by Ilja van Sprundel.
|
|
|
|
o Major bugfixes:
|
|
- Discard router descriptors as we load them if they are more than
|
|
five days old. Otherwise if Tor is off for a long time and then
|
|
starts with cached descriptors, it will try to use the onion
|
|
keys in those obsolete descriptors when building circuits. Bugfix
|
|
on 0.2.0.x. Fixes bug 887.
|
|
|
|
o Minor features:
|
|
- Try to make sure that the version of Libevent we're running with
|
|
is binary-compatible with the one we built with. May address bug
|
|
897 and others.
|
|
- Make setting ServerDNSRandomizeCase to 0 actually work. Bugfix
|
|
for bug 905. Bugfix on 0.2.1.7-alpha.
|
|
- Add a new --enable-local-appdata configuration switch to change
|
|
the default location of the datadir on win32 from APPDATA to
|
|
LOCAL_APPDATA. In the future, we should migrate to LOCAL_APPDATA
|
|
entirely. Patch from coderman.
|
|
|
|
o Minor bugfixes:
|
|
- Make outbound DNS packets respect the OutboundBindAddress setting.
|
|
Fixes the bug part of bug 798. Bugfix on 0.1.2.2-alpha.
|
|
- When our circuit fails at the first hop (e.g. we get a destroy
|
|
cell back), avoid using that OR connection anymore, and also
|
|
tell all the one-hop directory requests waiting for it that they
|
|
should fail. Bugfix on 0.2.1.3-alpha.
|
|
- In the torify(1) manpage, mention that tsocks will leak your
|
|
DNS requests.
|
|
|
|
|
|
Changes in version 0.2.1.10-alpha - 2009-01-06
|
|
Tor 0.2.1.10-alpha fixes two major bugs in bridge relays (one that
|
|
would make the bridge relay not so useful if it had DirPort set to 0,
|
|
and one that could let an attacker learn a little bit of information
|
|
about the bridge's users), and a bug that would cause your Tor relay
|
|
to ignore a circuit create request it can't decrypt (rather than reply
|
|
with an error). It also fixes a wide variety of other bugs.
|
|
|
|
o Major bugfixes:
|
|
- If the cached networkstatus consensus is more than five days old,
|
|
discard it rather than trying to use it. In theory it could
|
|
be useful because it lists alternate directory mirrors, but in
|
|
practice it just means we spend many minutes trying directory
|
|
mirrors that are long gone from the network. Helps bug 887 a bit;
|
|
bugfix on 0.2.0.x.
|
|
- Bridge relays that had DirPort set to 0 would stop fetching
|
|
descriptors shortly after startup, and then briefly resume
|
|
after a new bandwidth test and/or after publishing a new bridge
|
|
descriptor. Bridge users that try to bootstrap from them would
|
|
get a recent networkstatus but would get descriptors from up to
|
|
18 hours earlier, meaning most of the descriptors were obsolete
|
|
already. Reported by Tas; bugfix on 0.2.0.13-alpha.
|
|
- Prevent bridge relays from serving their 'extrainfo' document
|
|
to anybody who asks, now that extrainfo docs include potentially
|
|
sensitive aggregated client geoip summaries. Bugfix on
|
|
0.2.0.13-alpha.
|
|
|
|
o Minor features:
|
|
- New controller event "clients_seen" to report a geoip-based summary
|
|
of which countries we've seen clients from recently. Now controllers
|
|
like Vidalia can show bridge operators that they're actually making
|
|
a difference.
|
|
- Build correctly against versions of OpenSSL 0.9.8 or later built
|
|
without support for deprecated functions.
|
|
- Update to the "December 19 2008" ip-to-country file.
|
|
|
|
o Minor bugfixes (on 0.2.0.x):
|
|
- Authorities now vote for the Stable flag for any router whose
|
|
weighted MTBF is at least 5 days, regardless of the mean MTBF.
|
|
- Do not remove routers as too old if we do not have any consensus
|
|
document. Bugfix on 0.2.0.7-alpha.
|
|
- Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
|
|
Spec conformance issue. Bugfix on Tor 0.0.2pre27.
|
|
- When an exit relay resolves a stream address to a local IP address,
|
|
do not just keep retrying that same exit relay over and
|
|
over. Instead, just close the stream. Addresses bug 872. Bugfix
|
|
on 0.2.0.32. Patch from rovv.
|
|
- If a hidden service sends us an END cell, do not consider
|
|
retrying the connection; just close it. Patch from rovv.
|
|
- When we made bridge authorities stop serving bridge descriptors over
|
|
unencrypted links, we also broke DirPort reachability testing for
|
|
bridges. So bridges with a non-zero DirPort were printing spurious
|
|
warns to their logs. Bugfix on 0.2.0.16-alpha. Fixes bug 709.
|
|
- When a relay gets a create cell it can't decrypt (e.g. because it's
|
|
using the wrong onion key), we were dropping it and letting the
|
|
client time out. Now actually answer with a destroy cell. Fixes
|
|
bug 904. Bugfix on 0.0.2pre8.
|
|
- Squeeze 2-5% out of client performance (according to oprofile) by
|
|
improving the implementation of some policy-manipulation functions.
|
|
|
|
o Minor bugfixes (on 0.2.1.x):
|
|
- Make get_interface_address() function work properly again; stop
|
|
guessing the wrong parts of our address as our address.
|
|
- Do not cannibalize a circuit if we're out of RELAY_EARLY cells to
|
|
send on that circuit. Otherwise we might violate the proposal-110
|
|
limit. Bugfix on 0.2.1.3-alpha. Partial fix for bug 878. Diagnosis
|
|
thanks to Karsten.
|
|
- When we're sending non-EXTEND cells to the first hop in a circuit,
|
|
for example to use an encrypted directory connection, we don't need
|
|
to use RELAY_EARLY cells: the first hop knows what kind of cell
|
|
it is, and nobody else can even see the cell type. Conserving
|
|
RELAY_EARLY cells makes it easier to cannibalize circuits like
|
|
this later.
|
|
- Stop logging nameserver addresses in reverse order.
|
|
- If we are retrying a directory download slowly over and over, do
|
|
not automatically give up after the 254th failure. Bugfix on
|
|
0.2.1.9-alpha.
|
|
- Resume reporting accurate "stream end" reasons to the local control
|
|
port. They were lost in the changes for Proposal 148. Bugfix on
|
|
0.2.1.9-alpha.
|
|
|
|
o Deprecated and removed features:
|
|
- The old "tor --version --version" command, which would print out
|
|
the subversion "Id" of most of the source files, is now removed. It
|
|
turned out to be less useful than we'd expected, and harder to
|
|
maintain.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Change our header file guard macros to be less likely to conflict
|
|
with system headers. Adam Langley noticed that we were conflicting
|
|
with log.h on Android.
|
|
- Tool-assisted documentation cleanup. Nearly every function or
|
|
static variable in Tor should have its own documentation now.
|
|
|
|
|
|
Changes in version 0.2.1.9-alpha - 2008-12-25
|
|
Tor 0.2.1.9-alpha fixes many more bugs, some of them security-related.
|
|
|
|
o New directory authorities:
|
|
- gabelmoo (the authority run by Karsten Loesing) now has a new
|
|
IP address.
|
|
|
|
o Security fixes:
|
|
- Never use a connection with a mismatched address to extend a
|
|
circuit, unless that connection is canonical. A canonical
|
|
connection is one whose address is authenticated by the router's
|
|
identity key, either in a NETINFO cell or in a router descriptor.
|
|
- Avoid a possible memory corruption bug when receiving hidden service
|
|
descriptors. Bugfix on 0.2.1.6-alpha.
|
|
|
|
o Major bugfixes:
|
|
- Fix a logic error that would automatically reject all but the first
|
|
configured DNS server. Bugfix on 0.2.1.5-alpha. Possible fix for
|
|
part of bug 813/868. Bug spotted by coderman.
|
|
- When a stream at an exit relay is in state "resolving" or
|
|
"connecting" and it receives an "end" relay cell, the exit relay
|
|
would silently ignore the end cell and not close the stream. If
|
|
the client never closes the circuit, then the exit relay never
|
|
closes the TCP connection. Bug introduced in 0.1.2.1-alpha;
|
|
reported by "wood".
|
|
- When we can't initialize DNS because the network is down, do not
|
|
automatically stop Tor from starting. Instead, retry failed
|
|
dns_init() every 10 minutes, and change the exit policy to reject
|
|
*:* until one succeeds. Fixes bug 691.
|
|
|
|
o Minor features:
|
|
- Give a better error message when an overzealous init script says
|
|
"sudo -u username tor --user username". Makes Bug 882 easier for
|
|
users to diagnose.
|
|
- When a directory authority gives us a new guess for our IP address,
|
|
log which authority we used. Hopefully this will help us debug
|
|
the recent complaints about bad IP address guesses.
|
|
- Detect svn revision properly when we're using git-svn.
|
|
- Try not to open more than one descriptor-downloading connection
|
|
to an authority at once. This should reduce load on directory
|
|
authorities. Fixes bug 366.
|
|
- Add cross-certification to newly generated certificates, so that
|
|
a signing key is enough information to look up a certificate.
|
|
Partial implementation of proposal 157.
|
|
- Start serving certificates by <identity digest, signing key digest>
|
|
pairs. Partial implementation of proposal 157.
|
|
- Clients now never report any stream end reason except 'MISC'.
|
|
Implements proposal 148.
|
|
- On platforms with a maximum syslog string length, truncate syslog
|
|
messages to that length ourselves, rather than relying on the
|
|
system to do it for us.
|
|
- Optimize out calls to time(NULL) that occur for every IO operation,
|
|
or for every cell. On systems where time() is a slow syscall,
|
|
this fix will be slightly helpful.
|
|
- Exit servers can now answer resolve requests for ip6.arpa addresses.
|
|
- When we download a descriptor that we then immediately (as
|
|
a directory authority) reject, do not retry downloading it right
|
|
away. Should save some bandwidth on authorities. Fix for bug
|
|
888. Patch by Sebastian Hahn.
|
|
- When a download gets us zero good descriptors, do not notify
|
|
Tor that new directory information has arrived.
|
|
- Avoid some nasty corner cases in the logic for marking connections
|
|
as too old or obsolete or noncanonical for circuits. Partial
|
|
bugfix on bug 891.
|
|
|
|
o Minor features (controller):
|
|
- New CONSENSUS_ARRIVED event to note when a new consensus has
|
|
been fetched and validated.
|
|
- When we realize that another process has modified our cached
|
|
descriptors file, print out a more useful error message rather
|
|
than triggering an assertion. Fixes bug 885. Patch from Karsten.
|
|
- Add an internal-use-only __ReloadTorrcOnSIGHUP option for
|
|
controllers to prevent SIGHUP from reloading the
|
|
configuration. Fixes bug 856.
|
|
|
|
o Minor bugfixes:
|
|
- Resume using the correct "REASON=" stream when telling the
|
|
controller why we closed a stream. Bugfix in 0.2.1.1-alpha.
|
|
- When a canonical connection appears later in our internal list
|
|
than a noncanonical one for a given OR ID, always use the
|
|
canonical one. Bugfix on 0.2.0.12-alpha. Fixes bug 805.
|
|
Spotted by rovv.
|
|
- Clip the MaxCircuitDirtiness config option to a minimum of 10
|
|
seconds. Warn the user if lower values are given in the
|
|
configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
|
|
- Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
|
|
user if lower values are given in the configuration. Bugfix on
|
|
0.1.1.17-rc. Patch by Sebastian.
|
|
- Fix a race condition when freeing keys shared between main thread
|
|
and CPU workers that could result in a memory leak. Bugfix on
|
|
0.1.0.1-rc. Fixes bug 889.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Do not throw away existing introduction points on SIGHUP (bugfix on
|
|
0.0.6pre1); also, do not stall hidden services because we're
|
|
throwing away introduction points; bugfix on 0.2.1.7-alpha. Spotted
|
|
by John Brooks. Patch by Karsten. Fixes bug 874.
|
|
- Fix a memory leak when we decline to add a v2 rendezvous
|
|
descriptor to the cache because we already had a v0 descriptor
|
|
with the same ID. Bugfix on 0.2.0.18-alpha.
|
|
|
|
o Deprecated and removed features:
|
|
- RedirectExits has been removed. It was deprecated since
|
|
0.2.0.3-alpha.
|
|
- Finally remove deprecated "EXTENDED_FORMAT" controller feature. It
|
|
has been called EXTENDED_EVENTS since 0.1.2.4-alpha.
|
|
- Cell pools are now always enabled; --disable-cell-pools is ignored.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Rename the confusing or_is_obsolete field to the more appropriate
|
|
is_bad_for_new_circs, and move it to or_connection_t where it
|
|
belongs.
|
|
- Move edge-only flags from connection_t to edge_connection_t: not
|
|
only is this better coding, but on machines of plausible alignment,
|
|
it should save 4-8 bytes per connection_t. "Every little bit helps."
|
|
- Rename ServerDNSAllowBrokenResolvConf to ServerDNSAllowBrokenConfig
|
|
for consistency; keep old option working for backward compatibility.
|
|
- Simplify the code for finding connections to use for a circuit.
|
|
|
|
|
|
Changes in version 0.2.1.8-alpha - 2008-12-08
|
|
Tor 0.2.1.8-alpha fixes some crash bugs in earlier alpha releases,
|
|
builds better on unusual platforms like Solaris and old OS X, and
|
|
fixes a variety of other issues.
|
|
|
|
o Major features:
|
|
- New DirPortFrontPage option that takes an html file and publishes
|
|
it as "/" on the DirPort. Now relay operators can provide a
|
|
disclaimer without needing to set up a separate webserver. There's
|
|
a sample disclaimer in contrib/tor-exit-notice.html.
|
|
|
|
o Security fixes:
|
|
- When the client is choosing entry guards, now it selects at most
|
|
one guard from a given relay family. Otherwise we could end up with
|
|
all of our entry points into the network run by the same operator.
|
|
Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.
|
|
|
|
o Major bugfixes:
|
|
- Fix a DOS opportunity during the voting signature collection process
|
|
at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
|
|
- Fix a possible segfault when establishing an exit connection. Bugfix
|
|
on 0.2.1.5-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Get file locking working on win32. Bugfix on 0.2.1.6-alpha. Fixes
|
|
bug 859.
|
|
- Made Tor a little less aggressive about deleting expired
|
|
certificates. Partial fix for bug 854.
|
|
- Stop doing unaligned memory access that generated bus errors on
|
|
sparc64. Bugfix on 0.2.0.10-alpha. Fix for bug 862.
|
|
- Fix a crash bug when changing EntryNodes from the controller. Bugfix
|
|
on 0.2.1.6-alpha. Fix for bug 867. Patched by Sebastian.
|
|
- Make USR2 log-level switch take effect immediately. Bugfix on
|
|
0.1.2.8-beta.
|
|
- If one win32 nameserver fails to get added, continue adding the
|
|
rest, and don't automatically fail.
|
|
- Use fcntl() for locking when flock() is not available. Should fix
|
|
compilation on Solaris. Should fix Bug 873. Bugfix on 0.2.1.6-alpha.
|
|
- Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
|
|
could make gcc generate non-functional binary search code. Bugfix
|
|
on 0.2.0.10-alpha.
|
|
- Build correctly on platforms without socklen_t.
|
|
- Avoid potential crash on internal error during signature collection.
|
|
Fixes bug 864. Patch from rovv.
|
|
- Do not use C's stdio library for writing to log files. This will
|
|
improve logging performance by a minute amount, and will stop
|
|
leaking fds when our disk is full. Fixes bug 861.
|
|
- Stop erroneous use of O_APPEND in cases where we did not in fact
|
|
want to re-seek to the end of a file before every last write().
|
|
- Correct handling of possible malformed authority signing key
|
|
certificates with internal signature types. Fixes bug 880. Bugfix
|
|
on 0.2.0.3-alpha.
|
|
- Fix a hard-to-trigger resource leak when logging credential status.
|
|
CID 349.
|
|
|
|
o Minor features:
|
|
- Directory mirrors no longer fetch the v1 directory or
|
|
running-routers files. They are obsolete, and nobody asks for them
|
|
anymore. This is the first step to making v1 authorities obsolete.
|
|
|
|
o Minor features (controller):
|
|
- Return circuit purposes in response to GETINFO circuit-status. Fixes
|
|
bug 858.
|
|
|
|
|
|
Changes in version 0.2.0.32 - 2008-11-20
|
|
Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu
|
|
packages (and maybe other packages) noticed by Theo de Raadt, fixes
|
|
a smaller security flaw that might allow an attacker to access local
|
|
services, further improves hidden service performance, and fixes a
|
|
variety of other issues.
|
|
|
|
o Security fixes:
|
|
- The "User" and "Group" config options did not clear the
|
|
supplementary group entries for the Tor process. The "User" option
|
|
is now more robust, and we now set the groups to the specified
|
|
user's primary group. The "Group" option is now ignored. For more
|
|
detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
|
|
in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
|
|
and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857.
|
|
- The "ClientDNSRejectInternalAddresses" config option wasn't being
|
|
consistently obeyed: if an exit relay refuses a stream because its
|
|
exit policy doesn't allow it, we would remember what IP address
|
|
the relay said the destination address resolves to, even if it's
|
|
an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
|
|
|
|
o Major bugfixes:
|
|
- Fix a DOS opportunity during the voting signature collection process
|
|
at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
|
|
|
|
o Major bugfixes (hidden services):
|
|
- When fetching v0 and v2 rendezvous service descriptors in parallel,
|
|
we were failing the whole hidden service request when the v0
|
|
descriptor fetch fails, even if the v2 fetch is still pending and
|
|
might succeed. Similarly, if the last v2 fetch fails, we were
|
|
failing the whole hidden service request even if a v0 fetch is
|
|
still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
|
|
- When extending a circuit to a hidden service directory to upload a
|
|
rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
|
|
requests failed, because the router descriptor has not been
|
|
downloaded yet. In these cases, do not attempt to upload the
|
|
rendezvous descriptor, but wait until the router descriptor is
|
|
downloaded and retry. Likewise, do not attempt to fetch a rendezvous
|
|
descriptor from a hidden service directory for which the router
|
|
descriptor has not yet been downloaded. Fixes bug 767. Bugfix
|
|
on 0.2.0.10-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Fix several infrequent memory leaks spotted by Coverity.
|
|
- When testing for libevent functions, set the LDFLAGS variable
|
|
correctly. Found by Riastradh.
|
|
- Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
|
|
bootstrapping with tunneled directory connections. Bugfix on
|
|
0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
|
|
- When asked to connect to A.B.exit:80, if we don't know the IP for A
|
|
and we know that server B rejects most-but-not all connections to
|
|
port 80, we would previously reject the connection. Now, we assume
|
|
the user knows what they were asking for. Fixes bug 752. Bugfix
|
|
on 0.0.9rc5. Diagnosed by BarkerJr.
|
|
- If we overrun our per-second write limits a little, count this as
|
|
having used up our write allocation for the second, and choke
|
|
outgoing directory writes. Previously, we had only counted this when
|
|
we had met our limits precisely. Fixes bug 824. Patch from by rovv.
|
|
Bugfix on 0.2.0.x (??).
|
|
- Remove the old v2 directory authority 'lefkada' from the default
|
|
list. It has been gone for many months.
|
|
- Stop doing unaligned memory access that generated bus errors on
|
|
sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862.
|
|
- Make USR2 log-level switch take effect immediately. Bugfix on
|
|
0.1.2.8-beta.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Make DNS resolved events into "CLOSED", not "FAILED". Bugfix on
|
|
0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807.
|
|
|
|
|
|
Changes in version 0.2.1.7-alpha - 2008-11-08
|
|
Tor 0.2.1.7-alpha fixes a major security problem in Debian and Ubuntu
|
|
packages (and maybe other packages) noticed by Theo de Raadt, fixes
|
|
a smaller security flaw that might allow an attacker to access local
|
|
services, adds better defense against DNS poisoning attacks on exit
|
|
relays, further improves hidden service performance, and fixes a
|
|
variety of other issues.
|
|
|
|
o Security fixes:
|
|
- The "ClientDNSRejectInternalAddresses" config option wasn't being
|
|
consistently obeyed: if an exit relay refuses a stream because its
|
|
exit policy doesn't allow it, we would remember what IP address
|
|
the relay said the destination address resolves to, even if it's
|
|
an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
|
|
- The "User" and "Group" config options did not clear the
|
|
supplementary group entries for the Tor process. The "User" option
|
|
is now more robust, and we now set the groups to the specified
|
|
user's primary group. The "Group" option is now ignored. For more
|
|
detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
|
|
in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
|
|
and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848.
|
|
- Do not use or believe expired v3 authority certificates. Patch
|
|
from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.
|
|
|
|
o Minor features:
|
|
- Now NodeFamily and MyFamily config options allow spaces in
|
|
identity fingerprints, so it's easier to paste them in.
|
|
Suggested by Lucky Green.
|
|
- Implement the 0x20 hack to better resist DNS poisoning: set the
|
|
case on outgoing DNS requests randomly, and reject responses that do
|
|
not match the case correctly. This logic can be disabled with the
|
|
ServerDNSRandomizeCase setting, if you are using one of the 0.3%
|
|
of servers that do not reliably preserve case in replies. See
|
|
"Increased DNS Forgery Resistance through 0x20-Bit Encoding"
|
|
for more info.
|
|
- Preserve case in replies to DNSPort requests in order to support
|
|
the 0x20 hack for resisting DNS poisoning attacks.
|
|
|
|
o Hidden service performance improvements:
|
|
- When the client launches an introduction circuit, retry with a
|
|
new circuit after 30 seconds rather than 60 seconds.
|
|
- Launch a second client-side introduction circuit in parallel
|
|
after a delay of 15 seconds (based on work by Christian Wilms).
|
|
- Hidden services start out building five intro circuits rather
|
|
than three, and when the first three finish they publish a service
|
|
descriptor using those. Now we publish our service descriptor much
|
|
faster after restart.
|
|
|
|
o Minor bugfixes:
|
|
- Minor fix in the warning messages when you're having problems
|
|
bootstrapping; also, be more forgiving of bootstrap problems when
|
|
we're still making incremental progress on a given bootstrap phase.
|
|
- When we're choosing an exit node for a circuit, and we have
|
|
no pending streams, choose a good general exit rather than one that
|
|
supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
|
|
- Send a valid END cell back when a client tries to connect to a
|
|
nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
|
|
840. Patch from rovv.
|
|
- If a broken client asks a non-exit router to connect somewhere,
|
|
do not even do the DNS lookup before rejecting the connection.
|
|
Fixes another case of bug 619. Patch from rovv.
|
|
- Fix another case of assuming, when a specific exit is requested,
|
|
that we know more than the user about what hosts it allows.
|
|
Fixes another case of bug 752. Patch from rovv.
|
|
- Check which hops rendezvous stream cells are associated with to
|
|
prevent possible guess-the-streamid injection attacks from
|
|
intermediate hops. Fixes another case of bug 446. Based on patch
|
|
from rovv.
|
|
- Avoid using a negative right-shift when comparing 32-bit
|
|
addresses. Possible fix for bug 845 and bug 811.
|
|
- Make the assert_circuit_ok() function work correctly on circuits that
|
|
have already been marked for close.
|
|
- Fix read-off-the-end-of-string error in unit tests when decoding
|
|
introduction points.
|
|
- Fix uninitialized size field for memory area allocation: may improve
|
|
memory performance during directory parsing.
|
|
- Treat duplicate certificate fetches as failures, so that we do
|
|
not try to re-fetch an expired certificate over and over and over.
|
|
- Do not say we're fetching a certificate when we'll in fact skip it
|
|
because of a pending download.
|
|
|
|
|
|
Changes in version 0.2.1.6-alpha - 2008-09-30
|
|
Tor 0.2.1.6-alpha further improves performance and robustness of
|
|
hidden services, starts work on supporting per-country relay selection,
|
|
and fixes a variety of smaller issues.
|
|
|
|
o Major features:
|
|
- Implement proposal 121: make it possible to build hidden services
|
|
that only certain clients are allowed to connect to. This is
|
|
enforced at several points, so that unauthorized clients are unable
|
|
to send INTRODUCE cells to the service, or even (depending on the
|
|
type of authentication) to learn introduction points. This feature
|
|
raises the bar for certain kinds of active attacks against hidden
|
|
services. Code by Karsten Loesing.
|
|
- Relays now store and serve v2 hidden service descriptors by default,
|
|
i.e., the new default value for HidServDirectoryV2 is 1. This is
|
|
the last step in proposal 114, which aims to make hidden service
|
|
lookups more reliable.
|
|
- Start work to allow node restrictions to include country codes. The
|
|
syntax to exclude nodes in a country with country code XX is
|
|
"ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some
|
|
refinement to decide what config options should take priority if
|
|
you ask to both use a particular node and exclude it.
|
|
- Allow ExitNodes list to include IP ranges and country codes, just
|
|
like the Exclude*Nodes lists. Patch from Robert Hogan.
|
|
|
|
o Major bugfixes:
|
|
- Fix a bug when parsing ports in tor_addr_port_parse() that caused
|
|
Tor to fail to start if you had it configured to use a bridge
|
|
relay. Fixes bug 809. Bugfix on 0.2.1.5-alpha.
|
|
- When extending a circuit to a hidden service directory to upload a
|
|
rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
|
|
requests failed, because the router descriptor had not been
|
|
downloaded yet. In these cases, we now wait until the router
|
|
descriptor is downloaded, and then retry. Likewise, clients
|
|
now skip over a hidden service directory if they don't yet have
|
|
its router descriptor, rather than futilely requesting it and
|
|
putting mysterious complaints in the logs. Fixes bug 767. Bugfix
|
|
on 0.2.0.10-alpha.
|
|
- When fetching v0 and v2 rendezvous service descriptors in parallel,
|
|
we were failing the whole hidden service request when the v0
|
|
descriptor fetch fails, even if the v2 fetch is still pending and
|
|
might succeed. Similarly, if the last v2 fetch fails, we were
|
|
failing the whole hidden service request even if a v0 fetch is
|
|
still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
|
|
- DNS replies need to have names matching their requests, but
|
|
these names should be in the questions section, not necessarily
|
|
in the answers section. Fixes bug 823. Bugfix on 0.2.1.5-alpha.
|
|
|
|
o Minor features:
|
|
- Update to the "September 1 2008" ip-to-country file.
|
|
- Allow ports 465 and 587 in the default exit policy again. We had
|
|
rejected them in 0.1.0.15, because back in 2005 they were commonly
|
|
misconfigured and ended up as spam targets. We hear they are better
|
|
locked down these days.
|
|
- Use a lockfile to make sure that two Tor processes are not
|
|
simultaneously running with the same datadir.
|
|
- Serve the latest v3 networkstatus consensus via the control
|
|
port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
|
|
- Better logging about stability/reliability calculations on directory
|
|
servers.
|
|
- Drop the requirement to have an open dir port for storing and
|
|
serving v2 hidden service descriptors.
|
|
- Directory authorities now serve a /tor/dbg-stability.txt URL to
|
|
help debug WFU and MTBF calculations.
|
|
- Implement most of Proposal 152: allow specialized servers to permit
|
|
single-hop circuits, and clients to use those servers to build
|
|
single-hop circuits when using a specialized controller. Patch
|
|
from Josh Albrecht. Resolves feature request 768.
|
|
- Add a -p option to tor-resolve for specifying the SOCKS port: some
|
|
people find host:port too confusing.
|
|
- Make TrackHostExit mappings expire a while after their last use, not
|
|
after their creation. Patch from Robert Hogan.
|
|
- Provide circuit purposes along with circuit events to the controller.
|
|
|
|
o Minor bugfixes:
|
|
- Fix compile on OpenBSD 4.4-current. Bugfix on 0.2.1.5-alpha.
|
|
Reported by Tas.
|
|
- Fixed some memory leaks -- some quite frequent, some almost
|
|
impossible to trigger -- based on results from Coverity.
|
|
- When testing for libevent functions, set the LDFLAGS variable
|
|
correctly. Found by Riastradh.
|
|
- Fix an assertion bug in parsing policy-related options; possible fix
|
|
for bug 811.
|
|
- Catch and report a few more bootstrapping failure cases when Tor
|
|
fails to establish a TCP connection. Cleanup on 0.2.1.x.
|
|
- Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
|
|
bootstrapping with tunneled directory connections. Bugfix on
|
|
0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
|
|
- When asked to connect to A.B.exit:80, if we don't know the IP for A
|
|
and we know that server B rejects most-but-not all connections to
|
|
port 80, we would previously reject the connection. Now, we assume
|
|
the user knows what they were asking for. Fixes bug 752. Bugfix
|
|
on 0.0.9rc5. Diagnosed by BarkerJr.
|
|
- If we are not using BEGIN_DIR cells, don't attempt to contact hidden
|
|
service directories if they have no advertised dir port. Bugfix
|
|
on 0.2.0.10-alpha.
|
|
- If we overrun our per-second write limits a little, count this as
|
|
having used up our write allocation for the second, and choke
|
|
outgoing directory writes. Previously, we had only counted this when
|
|
we had met our limits precisely. Fixes bug 824. Patch by rovv.
|
|
Bugfix on 0.2.0.x (??).
|
|
- Avoid a "0 divided by 0" calculation when calculating router uptime
|
|
at directory authorities. Bugfix on 0.2.0.8-alpha.
|
|
- Make DNS resolved controller events into "CLOSED", not
|
|
"FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
|
|
bug 807.
|
|
- Fix a bug where an unreachable relay would establish enough
|
|
reachability testing circuits to do a bandwidth test -- if
|
|
we already have a connection to the middle hop of the testing
|
|
circuit, then it could establish the last hop by using the existing
|
|
connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
|
|
circuits no longer use entry guards in 0.2.1.3-alpha.
|
|
- If we have correct permissions on $datadir, we complain to stdout
|
|
and fail to start. But dangerous permissions on
|
|
$datadir/cached-status/ would cause us to open a log and complain
|
|
there. Now complain to stdout and fail to start in both cases. Fixes
|
|
bug 820, reported by seeess.
|
|
- Remove the old v2 directory authority 'lefkada' from the default
|
|
list. It has been gone for many months.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Revise the connection_new functions so that a more typesafe variant
|
|
exists. This will work better with Coverity, and let us find any
|
|
actual mistakes we're making here.
|
|
- Refactor unit testing logic so that dmalloc can be used sensibly
|
|
with unit tests to check for memory leaks.
|
|
- Move all hidden-service related fields from connection and circuit
|
|
structure to substructures: this way they won't eat so much memory.
|
|
|
|
|
|
Changes in version 0.2.0.31 - 2008-09-03
|
|
Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
|
|
a big bug we're seeing where in rare cases traffic from one Tor stream
|
|
gets mixed into another stream, and fixes a variety of smaller issues.
|
|
|
|
o Major bugfixes:
|
|
- Make sure that two circuits can never exist on the same connection
|
|
with the same circuit ID, even if one is marked for close. This
|
|
is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
|
|
- Relays now reject risky extend cells: if the extend cell includes
|
|
a digest of all zeroes, or asks to extend back to the relay that
|
|
sent the extend cell, tear down the circuit. Ideas suggested
|
|
by rovv.
|
|
- If not enough of our entry guards are available so we add a new
|
|
one, we might use the new one even if it overlapped with the
|
|
current circuit's exit relay (or its family). Anonymity bugfix
|
|
pointed out by rovv.
|
|
|
|
o Minor bugfixes:
|
|
- Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
|
|
794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
|
|
- Correctly detect the presence of the linux/netfilter_ipv4.h header
|
|
when building against recent kernels. Bugfix on 0.1.2.1-alpha.
|
|
- Pick size of default geoip filename string correctly on windows.
|
|
Fixes bug 806. Bugfix on 0.2.0.30.
|
|
- Make the autoconf script accept the obsolete --with-ssl-dir
|
|
option as an alias for the actually-working --with-openssl-dir
|
|
option. Fix the help documentation to recommend --with-openssl-dir.
|
|
Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
|
|
- When using the TransPort option on OpenBSD, and using the User
|
|
option to change UID and drop privileges, make sure to open
|
|
/dev/pf before dropping privileges. Fixes bug 782. Patch from
|
|
Christopher Davis. Bugfix on 0.1.2.1-alpha.
|
|
- Try to attach connections immediately upon receiving a RENDEZVOUS2
|
|
or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
|
|
on the client side when connecting to a hidden service. Bugfix
|
|
on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
|
|
- When closing an application-side connection because its circuit is
|
|
getting torn down, generate the stream event correctly. Bugfix on
|
|
0.1.2.x. Anonymous patch.
|
|
|
|
|
|
Changes in version 0.2.1.5-alpha - 2008-08-31
|
|
Tor 0.2.1.5-alpha moves us closer to handling IPv6 destinations, puts
|
|
in a lot of the infrastructure for adding authorization to hidden
|
|
services, lays the groundwork for having clients read their load
|
|
balancing information out of the networkstatus consensus rather than
|
|
the individual router descriptors, addresses two potential anonymity
|
|
issues, and fixes a variety of smaller issues.
|
|
|
|
o Major features:
|
|
- Convert many internal address representations to optionally hold
|
|
IPv6 addresses.
|
|
- Generate and accept IPv6 addresses in many protocol elements.
|
|
- Make resolver code handle nameservers located at ipv6 addresses.
|
|
- Begin implementation of proposal 121 ("Client authorization for
|
|
hidden services"): configure hidden services with client
|
|
authorization, publish descriptors for them, and configure
|
|
authorization data for hidden services at clients. The next
|
|
step is to actually access hidden services that perform client
|
|
authorization.
|
|
- More progress toward proposal 141: Network status consensus
|
|
documents and votes now contain bandwidth information for each
|
|
router and a summary of that router's exit policy. Eventually this
|
|
will be used by clients so that they do not have to download every
|
|
known descriptor before building circuits.
|
|
|
|
o Major bugfixes (on 0.2.0.x and before):
|
|
- When sending CREATED cells back for a given circuit, use a 64-bit
|
|
connection ID to find the right connection, rather than an addr:port
|
|
combination. Now that we can have multiple OR connections between
|
|
the same ORs, it is no longer possible to use addr:port to uniquely
|
|
identify a connection.
|
|
- Relays now reject risky extend cells: if the extend cell includes
|
|
a digest of all zeroes, or asks to extend back to the relay that
|
|
sent the extend cell, tear down the circuit. Ideas suggested
|
|
by rovv.
|
|
- If not enough of our entry guards are available so we add a new
|
|
one, we might use the new one even if it overlapped with the
|
|
current circuit's exit relay (or its family). Anonymity bugfix
|
|
pointed out by rovv.
|
|
|
|
o Minor bugfixes:
|
|
- Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
|
|
794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
|
|
- When using the TransPort option on OpenBSD, and using the User
|
|
option to change UID and drop privileges, make sure to open /dev/pf
|
|
before dropping privileges. Fixes bug 782. Patch from Christopher
|
|
Davis. Bugfix on 0.1.2.1-alpha.
|
|
- Correctly detect the presence of the linux/netfilter_ipv4.h header
|
|
when building against recent kernels. Bugfix on 0.1.2.1-alpha.
|
|
- Add a missing safe_str() call for a debug log message.
|
|
- Use 64 bits instead of 32 bits for connection identifiers used with
|
|
the controller protocol, to greatly reduce risk of identifier reuse.
|
|
- Make the autoconf script accept the obsolete --with-ssl-dir
|
|
option as an alias for the actually-working --with-openssl-dir
|
|
option. Fix the help documentation to recommend --with-openssl-dir.
|
|
Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor features:
|
|
- Rate-limit too-many-sockets messages: when they happen, they happen
|
|
a lot. Resolves bug 748.
|
|
- Resist DNS poisoning a little better by making sure that names in
|
|
answer sections match.
|
|
- Print the SOCKS5 error message string as well as the error code
|
|
when a tor-resolve request fails. Patch from Jacob.
|
|
|
|
|
|
Changes in version 0.2.1.4-alpha - 2008-08-04
|
|
Tor 0.2.1.4-alpha fixes a pair of crash bugs in 0.2.1.3-alpha.
|
|
|
|
o Major bugfixes:
|
|
- The address part of exit policies was not correctly written
|
|
to router descriptors. This generated router descriptors that failed
|
|
their self-checks. Noticed by phobos, fixed by Karsten. Bugfix
|
|
on 0.2.1.3-alpha.
|
|
- Tor triggered a false assert when extending a circuit to a relay
|
|
but we already have a connection open to that relay. Noticed by
|
|
phobos, fixed by Karsten. Bugfix on 0.2.1.3-alpha.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a hidden service logging bug: in some edge cases, the router
|
|
descriptor of a previously picked introduction point becomes
|
|
obsolete and we need to give up on it rather than continually
|
|
complaining that it has become obsolete. Observed by xiando. Bugfix
|
|
on 0.2.1.3-alpha.
|
|
|
|
o Removed features:
|
|
- Take out the TestVia config option, since it was a workaround for
|
|
a bug that was fixed in Tor 0.1.1.21.
|
|
|
|
|
|
Changes in version 0.2.1.3-alpha - 2008-08-03
|
|
Tor 0.2.1.3-alpha implements most of the pieces to prevent
|
|
infinite-length circuit attacks (see proposal 110); fixes a bug that
|
|
might cause exit relays to corrupt streams they send back; allows
|
|
address patterns (e.g. 255.128.0.0/16) to appear in ExcludeNodes and
|
|
ExcludeExitNodes config options; and fixes a big pile of bugs.
|
|
|
|
o Bootstrapping bugfixes (on 0.2.1.x-alpha):
|
|
- Send a bootstrap problem "warn" event on the first problem if the
|
|
reason is NO_ROUTE (that is, our network is down).
|
|
|
|
o Major features:
|
|
- Implement most of proposal 110: The first K cells to be sent
|
|
along a circuit are marked as special "early" cells; only K "early"
|
|
cells will be allowed. Once this code is universal, we can block
|
|
certain kinds of DOS attack by requiring that EXTEND commands must
|
|
be sent using an "early" cell.
|
|
|
|
o Major bugfixes:
|
|
- Try to attach connections immediately upon receiving a RENDEZVOUS2
|
|
or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
|
|
on the client side when connecting to a hidden service. Bugfix
|
|
on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
|
|
- Ensure that two circuits can never exist on the same connection
|
|
with the same circuit ID, even if one is marked for close. This
|
|
is conceivably a bugfix for bug 779; fixes a bug on 0.1.0.4-rc.
|
|
|
|
o Minor features:
|
|
- When relays do their initial bandwidth measurement, don't limit
|
|
to just our entry guards for the test circuits. Otherwise we tend
|
|
to have multiple test circuits going through a single entry guard,
|
|
which makes our bandwidth test less accurate. Fixes part of bug 654;
|
|
patch contributed by Josh Albrecht.
|
|
- Add an ExcludeExitNodes option so users can list a set of nodes
|
|
that should be be excluded from the exit node position, but
|
|
allowed elsewhere. Implements proposal 151.
|
|
- Allow address patterns (e.g., 255.128.0.0/16) to appear in
|
|
ExcludeNodes and ExcludeExitNodes lists.
|
|
- Change the implementation of ExcludeNodes and ExcludeExitNodes to
|
|
be more efficient. Formerly it was quadratic in the number of
|
|
servers; now it should be linear. Fixes bug 509.
|
|
- Save 16-22 bytes per open circuit by moving the n_addr, n_port,
|
|
and n_conn_id_digest fields into a separate structure that's
|
|
only needed when the circuit has not yet attached to an n_conn.
|
|
|
|
o Minor bugfixes:
|
|
- Change the contrib/tor.logrotate script so it makes the new
|
|
logs as "_tor:_tor" rather than the default, which is generally
|
|
"root:wheel". Fixes bug 676, reported by Serge Koksharov.
|
|
- Stop using __attribute__((nonnull)) with GCC: it can give us useful
|
|
warnings (occasionally), but it can also cause the compiler to
|
|
eliminate error-checking code. Suggested by Peter Gutmann.
|
|
- When a hidden service is giving up on an introduction point candidate
|
|
that was not included in the last published rendezvous descriptor,
|
|
don't reschedule publication of the next descriptor. Fixes bug 763.
|
|
Bugfix on 0.0.9.3.
|
|
- Mark RendNodes, RendExcludeNodes, HiddenServiceNodes, and
|
|
HiddenServiceExcludeNodes as obsolete: they never worked properly,
|
|
and nobody claims to be using them. Fixes bug 754. Bugfix on
|
|
0.1.0.1-rc. Patch from Christian Wilms.
|
|
- Fix a small alignment and memory-wasting bug on buffer chunks.
|
|
Spotted by rovv.
|
|
|
|
o Minor bugfixes (controller):
|
|
- When closing an application-side connection because its circuit
|
|
is getting torn down, generate the stream event correctly.
|
|
Bugfix on 0.1.2.x. Anonymous patch.
|
|
|
|
o Removed features:
|
|
- Remove all backward-compatibility code to support relays running
|
|
versions of Tor so old that they no longer work at all on the
|
|
Tor network.
|
|
|
|
|
|
Changes in version 0.2.0.30 - 2008-07-15
|
|
o Minor bugfixes:
|
|
- Stop using __attribute__((nonnull)) with GCC: it can give us useful
|
|
warnings (occasionally), but it can also cause the compiler to
|
|
eliminate error-checking code. Suggested by Peter Gutmann.
|
|
|
|
|
|
Changes in version 0.2.0.29-rc - 2008-07-08
|
|
Tor 0.2.0.29-rc fixes two big bugs with using bridges, fixes more
|
|
hidden-service performance bugs, and fixes a bunch of smaller bugs.
|
|
|
|
o Major bugfixes:
|
|
- If you have more than one bridge but don't know their keys,
|
|
you would only launch a request for the descriptor of the first one
|
|
on your list. (Tor considered launching requests for the others, but
|
|
found that it already had a connection on the way for $0000...0000
|
|
so it didn't open another.) Bugfix on 0.2.0.x.
|
|
- If you have more than one bridge but don't know their keys, and the
|
|
connection to one of the bridges failed, you would cancel all
|
|
pending bridge connections. (After all, they all have the same
|
|
digest.) Bugfix on 0.2.0.x.
|
|
- When a hidden service was trying to establish an introduction point,
|
|
and Tor had built circuits preemptively for such purposes, we
|
|
were ignoring all the preemptive circuits and launching a new one
|
|
instead. Bugfix on 0.2.0.14-alpha.
|
|
- When a hidden service was trying to establish an introduction point,
|
|
and Tor *did* manage to reuse one of the preemptively built
|
|
circuits, it didn't correctly remember which one it used,
|
|
so it asked for another one soon after, until there were no
|
|
more preemptive circuits, at which point it launched one from
|
|
scratch. Bugfix on 0.0.9.x.
|
|
- Make directory servers include the X-Your-Address-Is: http header in
|
|
their responses even for begin_dir conns. Now clients who only
|
|
ever use begin_dir connections still have a way to learn their IP
|
|
address. Fixes bug 737; bugfix on 0.2.0.22-rc. Reported by goldy.
|
|
|
|
o Minor bugfixes:
|
|
- Fix a macro/CPP interaction that was confusing some compilers:
|
|
some GCCs don't like #if/#endif pairs inside macro arguments.
|
|
Fixes bug 707.
|
|
- Fix macro collision between OpenSSL 0.9.8h and Windows headers.
|
|
Fixes bug 704; fix from Steven Murdoch.
|
|
- When opening /dev/null in finish_daemonize(), do not pass the
|
|
O_CREAT flag. Fortify was complaining, and correctly so. Fixes
|
|
bug 742; fix from Michael Scherer. Bugfix on 0.0.2pre19.
|
|
- Correctly detect transparent proxy support on Linux hosts that
|
|
require in.h to be included before netfilter_ipv4.h. Patch
|
|
from coderman.
|
|
- Disallow session resumption attempts during the renegotiation
|
|
stage of the v2 handshake protocol. Clients should never be trying
|
|
session resumption at this point, but apparently some did, in
|
|
ways that caused the handshake to fail. Bugfix on 0.2.0.20-rc. Bug
|
|
found by Geoff Goodell.
|
|
|
|
|
|
Changes in version 0.2.1.2-alpha - 2008-06-20
|
|
Tor 0.2.1.2-alpha includes a new "TestingTorNetwork" config option to
|
|
make it easier to set up your own private Tor network; fixes several
|
|
big bugs with using more than one bridge relay; fixes a big bug with
|
|
offering hidden services quickly after Tor starts; and uses a better
|
|
API for reporting potential bootstrapping problems to the controller.
|
|
|
|
o Major features:
|
|
- New TestingTorNetwork config option to allow adjustment of
|
|
previously constant values that, while reasonable, could slow
|
|
bootstrapping. Implements proposal 135. Patch from Karsten.
|
|
|
|
o Major bugfixes:
|
|
- If you have more than one bridge but don't know their digests,
|
|
you would only learn a request for the descriptor of the first one
|
|
on your list. (Tor considered launching requests for the others, but
|
|
found that it already had a connection on the way for $0000...0000
|
|
so it didn't open another.) Bugfix on 0.2.0.x.
|
|
- If you have more than one bridge but don't know their digests,
|
|
and the connection to one of the bridges failed, you would cancel
|
|
all pending bridge connections. (After all, they all have the
|
|
same digest.) Bugfix on 0.2.0.x.
|
|
- When establishing a hidden service, introduction points that
|
|
originate from cannibalized circuits are completely ignored and not
|
|
included in rendezvous service descriptors. This might be another
|
|
reason for delay in making a hidden service available. Bugfix
|
|
from long ago (0.0.9.x?)
|
|
|
|
o Minor features:
|
|
- Allow OpenSSL to use dynamic locks if it wants.
|
|
- When building a consensus, do not include routers that are down.
|
|
This will cut down 30% to 40% on consensus size. Implements
|
|
proposal 138.
|
|
- In directory authorities' approved-routers files, allow
|
|
fingerprints with or without space.
|
|
- Add a "GETINFO /status/bootstrap-phase" controller option, so the
|
|
controller can query our current bootstrap state in case it attaches
|
|
partway through and wants to catch up.
|
|
- Send an initial "Starting" bootstrap status event, so we have a
|
|
state to start out in.
|
|
|
|
o Minor bugfixes:
|
|
- Asking for a conditional consensus at .../consensus/<fingerprints>
|
|
would crash a dirserver if it did not already have a
|
|
consensus. Bugfix on 0.2.1.1-alpha.
|
|
- Clean up some macro/CPP interactions: some GCC versions don't like
|
|
#if/#endif pairs inside macro arguments. Fixes bug 707. Bugfix on
|
|
0.2.0.x.
|
|
|
|
o Bootstrapping bugfixes (on 0.2.1.1-alpha):
|
|
- Directory authorities shouldn't complain about bootstrapping
|
|
problems just because they do a lot of reachability testing and
|
|
some of the connection attempts fail.
|
|
- Start sending "count" and "recommendation" key/value pairs in
|
|
bootstrap problem status events, so the controller can hear about
|
|
problems even before Tor decides they're worth reporting for sure.
|
|
- If you're using bridges, generate "bootstrap problem" warnings
|
|
as soon as you run out of working bridges, rather than waiting
|
|
for ten failures -- which will never happen if you have less than
|
|
ten bridges.
|
|
- If we close our OR connection because there's been a circuit
|
|
pending on it for too long, we were telling our bootstrap status
|
|
events "REASON=NONE". Now tell them "REASON=TIMEOUT".
|
|
|
|
|
|
Changes in version 0.2.1.1-alpha - 2008-06-13
|
|
Tor 0.2.1.1-alpha fixes a lot of memory fragmentation problems that
|
|
were making the Tor process bloat especially on Linux; makes our TLS
|
|
handshake blend in better; sends "bootstrap phase" status events to
|
|
the controller, so it can keep the user informed of progress (and
|
|
problems) fetching directory information and establishing circuits;
|
|
and adds a variety of smaller features.
|
|
|
|
o Major features:
|
|
- More work on making our TLS handshake blend in: modify the list
|
|
of ciphers advertised by OpenSSL in client mode to even more
|
|
closely resemble a common web browser. We cheat a little so that
|
|
we can advertise ciphers that the locally installed OpenSSL doesn't
|
|
know about.
|
|
- Start sending "bootstrap phase" status events to the controller,
|
|
so it can keep the user informed of progress fetching directory
|
|
information and establishing circuits. Also inform the controller
|
|
if we think we're stuck at a particular bootstrap phase. Implements
|
|
proposal 137.
|
|
- Resume using OpenSSL's RAND_poll() for better (and more portable)
|
|
cross-platform entropy collection again. We used to use it, then
|
|
stopped using it because of a bug that could crash systems that
|
|
called RAND_poll when they had a lot of fds open. It looks like the
|
|
bug got fixed in late 2006. Our new behavior is to call RAND_poll()
|
|
at startup, and to call RAND_poll() when we reseed later only if
|
|
we have a non-buggy OpenSSL version.
|
|
|
|
o Major bugfixes:
|
|
- When we choose to abandon a new entry guard because we think our
|
|
older ones might be better, close any circuits pending on that
|
|
new entry guard connection. This fix should make us recover much
|
|
faster when our network is down and then comes back. Bugfix on
|
|
0.1.2.8-beta; found by lodger.
|
|
|
|
o Memory fixes and improvements:
|
|
- Add a malloc_good_size implementation to OpenBSD_malloc_linux.c,
|
|
to avoid unused RAM in buffer chunks and memory pools.
|
|
- Speed up parsing and cut down on memory fragmentation by using
|
|
stack-style allocations for parsing directory objects. Previously,
|
|
this accounted for over 40% of allocations from within Tor's code
|
|
on a typical directory cache.
|
|
- Use a Bloom filter rather than a digest-based set to track which
|
|
descriptors we need to keep around when we're cleaning out old
|
|
router descriptors. This speeds up the computation significantly,
|
|
and may reduce fragmentation.
|
|
- Reduce the default smartlist size from 32 to 16; it turns out that
|
|
most smartlists hold around 8-12 elements tops.
|
|
- Make dumpstats() log the fullness and size of openssl-internal
|
|
buffers.
|
|
- If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
|
|
patch to their OpenSSL, turn it on to save memory on servers. This
|
|
patch will (with any luck) get included in a mainline distribution
|
|
before too long.
|
|
- Never use OpenSSL compression: it wastes RAM and CPU trying to
|
|
compress cells, which are basically all encrypted, compressed,
|
|
or both.
|
|
|
|
o Minor bugfixes:
|
|
- Stop reloading the router list from disk for no reason when we
|
|
run out of reachable directory mirrors. Once upon a time reloading
|
|
it would set the 'is_running' flag back to 1 for them. It hasn't
|
|
done that for a long time.
|
|
- In very rare situations new hidden service descriptors were
|
|
published earlier than 30 seconds after the last change to the
|
|
service. (We currently think that a hidden service descriptor
|
|
that's been stable for 30 seconds is worth publishing.)
|
|
|
|
o Minor features:
|
|
- Allow separate log levels to be configured for different logging
|
|
domains. For example, this allows one to log all notices, warnings,
|
|
or errors, plus all memory management messages of level debug or
|
|
higher, with: Log [MM] debug-err [*] notice-err file /var/log/tor.
|
|
- Add a couple of extra warnings to --enable-gcc-warnings for GCC 4.3,
|
|
and stop using a warning that had become unfixably verbose under
|
|
GCC 4.3.
|
|
- New --hush command-line option similar to --quiet. While --quiet
|
|
disables all logging to the console on startup, --hush limits the
|
|
output to messages of warning and error severity.
|
|
- Servers support a new URL scheme for consensus downloads that
|
|
allows the client to specify which authorities are trusted.
|
|
The server then only sends the consensus if the client will trust
|
|
it. Otherwise a 404 error is sent back. Clients use this
|
|
new scheme when the server supports it (meaning it's running
|
|
0.2.1.1-alpha or later). Implements proposal 134.
|
|
- New configure/torrc options (--enable-geoip-stats,
|
|
DirRecordUsageByCountry) to record how many IPs we've served
|
|
directory info to in each country code, how many status documents
|
|
total we've sent to each country code, and what share of the total
|
|
directory requests we should expect to see.
|
|
- Use the TLS1 hostname extension to more closely resemble browser
|
|
behavior.
|
|
- Lots of new unit tests.
|
|
- Add a macro to implement the common pattern of iterating through
|
|
two parallel lists in lockstep.
|
|
|
|
|
|
Changes in version 0.2.0.28-rc - 2008-06-13
|
|
Tor 0.2.0.28-rc fixes an anonymity-related bug, fixes a hidden-service
|
|
performance bug, and fixes a bunch of smaller bugs.
|
|
|
|
o Anonymity fixes:
|
|
- Fix a bug where, when we were choosing the 'end stream reason' to
|
|
put in our relay end cell that we send to the exit relay, Tor
|
|
clients on Windows were sometimes sending the wrong 'reason'. The
|
|
anonymity problem is that exit relays may be able to guess whether
|
|
the client is running Windows, thus helping partition the anonymity
|
|
set. Down the road we should stop sending reasons to exit relays,
|
|
or otherwise prevent future versions of this bug.
|
|
|
|
o Major bugfixes:
|
|
- While setting up a hidden service, some valid introduction circuits
|
|
were overlooked and abandoned. This might be the reason for
|
|
the long delay in making a hidden service available. Bugfix on
|
|
0.2.0.14-alpha.
|
|
|
|
o Minor features:
|
|
- Update to the "June 9 2008" ip-to-country file.
|
|
- Run 'make test' as part of 'make dist', so we stop releasing so
|
|
many development snapshots that fail their unit tests.
|
|
|
|
o Minor bugfixes:
|
|
- When we're checking if we have enough dir info for each relay
|
|
to begin establishing circuits, make sure that we actually have
|
|
the descriptor listed in the consensus, not just any descriptor.
|
|
Bugfix on 0.1.2.x.
|
|
- Bridge relays no longer print "xx=0" in their extrainfo document
|
|
for every single country code in the geoip db. Bugfix on
|
|
0.2.0.27-rc.
|
|
- Only warn when we fail to load the geoip file if we were planning to
|
|
include geoip stats in our extrainfo document. Bugfix on 0.2.0.27-rc.
|
|
- If we change our MaxAdvertisedBandwidth and then reload torrc,
|
|
Tor won't realize it should publish a new relay descriptor. Fixes
|
|
bug 688, reported by mfr. Bugfix on 0.1.2.x.
|
|
- When we haven't had any application requests lately, don't bother
|
|
logging that we have expired a bunch of descriptors. Bugfix
|
|
on 0.1.2.x.
|
|
- Make relay cells written on a connection count as non-padding when
|
|
tracking how long a connection has been in use. Bugfix on
|
|
0.2.0.1-alpha. Spotted by lodger.
|
|
- Fix unit tests in 0.2.0.27-rc.
|
|
- Fix compile on Windows.
|
|
|
|
|
|
Changes in version 0.2.0.27-rc - 2008-06-03
|
|
Tor 0.2.0.27-rc adds a few features we left out of the earlier
|
|
release candidates. In particular, we now include an IP-to-country
|
|
GeoIP database, so controllers can easily look up what country a
|
|
given relay is in, and so bridge relays can give us some sanitized
|
|
summaries about which countries are making use of bridges. (See proposal
|
|
126-geoip-fetching.txt for details.)
|
|
|
|
o Major features:
|
|
- Include an IP-to-country GeoIP file in the tarball, so bridge
|
|
relays can report sanitized summaries of the usage they're seeing.
|
|
|
|
o Minor features:
|
|
- Add a "PURPOSE=" argument to "STREAM NEW" events, as suggested by
|
|
Robert Hogan. Fixes the first part of bug 681.
|
|
- Make bridge authorities never serve extrainfo docs.
|
|
- Add support to detect Libevent versions in the 1.4.x series
|
|
on mingw.
|
|
- Fix build on gcc 4.3 with --enable-gcc-warnings set.
|
|
- Include a new contrib/tor-exit-notice.html file that exit relay
|
|
operators can put on their website to help reduce abuse queries.
|
|
|
|
o Minor bugfixes:
|
|
- When tunneling an encrypted directory connection, and its first
|
|
circuit fails, do not leave it unattached and ask the controller
|
|
to deal. Fixes the second part of bug 681.
|
|
- Make bridge authorities correctly expire old extrainfo documents
|
|
from time to time.
|
|
|
|
|
|
Changes in version 0.2.0.26-rc - 2008-05-13
|
|
Tor 0.2.0.26-rc fixes a major security vulnerability caused by a bug
|
|
in Debian's OpenSSL packages. All users running any 0.2.0.x version
|
|
should upgrade, whether they're running Debian or not.
|
|
|
|
o Major security fixes:
|
|
- Use new V3 directory authority keys on the tor26, gabelmoo, and
|
|
moria1 V3 directory authorities. The old keys were generated with
|
|
a vulnerable version of Debian's OpenSSL package, and must be
|
|
considered compromised. Other authorities' keys were not generated
|
|
with an affected version of OpenSSL.
|
|
|
|
o Major bugfixes:
|
|
- List authority signatures as "unrecognized" based on DirServer
|
|
lines, not on cert cache. Bugfix on 0.2.0.x.
|
|
|
|
o Minor features:
|
|
- Add a new V3AuthUseLegacyKey option to make it easier for
|
|
authorities to change their identity keys if they have to.
|
|
|
|
|
|
Changes in version 0.2.0.25-rc - 2008-04-23
|
|
Tor 0.2.0.25-rc makes Tor work again on OS X and certain BSDs.
|
|
|
|
o Major bugfixes:
|
|
- Remember to initialize threading before initializing logging.
|
|
Otherwise, many BSD-family implementations will crash hard on
|
|
startup. Fixes bug 671. Bugfix on 0.2.0.24-rc.
|
|
|
|
o Minor bugfixes:
|
|
- Authorities correctly free policies on bad servers on
|
|
exit. Fixes bug 672. Bugfix on 0.2.0.x.
|
|
|
|
|
|
Changes in version 0.2.0.24-rc - 2008-04-22
|
|
Tor 0.2.0.24-rc adds dizum (run by Alex de Joode) as the new sixth
|
|
v3 directory authority, makes relays with dynamic IP addresses and no
|
|
DirPort notice more quickly when their IP address changes, fixes a few
|
|
rare crashes and memory leaks, and fixes a few other miscellaneous bugs.
|
|
|
|
o New directory authorities:
|
|
- Take lefkada out of the list of v3 directory authorities, since
|
|
it has been down for months.
|
|
- Set up dizum (run by Alex de Joode) as the new sixth v3 directory
|
|
authority.
|
|
|
|
o Major bugfixes:
|
|
- Detect address changes more quickly on non-directory mirror
|
|
relays. Bugfix on 0.2.0.18-alpha; fixes bug 652.
|
|
|
|
o Minor features (security):
|
|
- Reject requests for reverse-dns lookup of names that are in
|
|
a private address space. Patch from lodger.
|
|
- Non-exit relays no longer allow DNS requests. Fixes bug 619. Patch
|
|
from lodger.
|
|
|
|
o Minor bugfixes (crashes):
|
|
- Avoid a rare assert that can trigger when Tor doesn't have much
|
|
directory information yet and it tries to fetch a v2 hidden
|
|
service descriptor. Fixes bug 651, reported by nwf.
|
|
- Initialize log mutex before initializing dmalloc. Otherwise,
|
|
running with dmalloc would crash. Bugfix on 0.2.0.x-alpha.
|
|
- Use recursive pthread mutexes in order to avoid deadlock when
|
|
logging debug-level messages to a controller. Bug spotted by nwf,
|
|
bugfix on 0.2.0.16-alpha.
|
|
|
|
o Minor bugfixes (resource management):
|
|
- Keep address policies from leaking memory: start their refcount
|
|
at 1, not 2. Bugfix on 0.2.0.16-alpha.
|
|
- Free authority certificates on exit, so they don't look like memory
|
|
leaks. Bugfix on 0.2.0.19-alpha.
|
|
- Free static hashtables for policy maps and for TLS connections on
|
|
shutdown, so they don't look like memory leaks. Bugfix on 0.2.0.x.
|
|
- Avoid allocating extra space when computing consensuses on 64-bit
|
|
platforms. Bug spotted by aakova.
|
|
|
|
o Minor bugfixes (misc):
|
|
- Do not read the configuration file when we've only been told to
|
|
generate a password hash. Fixes bug 643. Bugfix on 0.0.9pre5. Fix
|
|
based on patch from Sebastian Hahn.
|
|
- Exit relays that are used as a client can now reach themselves
|
|
using the .exit notation, rather than just launching an infinite
|
|
pile of circuits. Fixes bug 641. Reported by Sebastian Hahn.
|
|
- When attempting to open a logfile fails, tell us why.
|
|
- Fix a dumb bug that was preventing us from knowing that we should
|
|
preemptively build circuits to handle expected directory requests.
|
|
Fixes bug 660. Bugfix on 0.1.2.x.
|
|
- Warn less verbosely about clock skew from netinfo cells from
|
|
untrusted sources. Fixes bug 663.
|
|
- Make controller stream events for DNS requests more consistent,
|
|
by adding "new stream" events for DNS requests, and removing
|
|
spurious "stream closed" events" for cached reverse resolves.
|
|
Patch from mwenge. Fixes bug 646.
|
|
- Correctly notify one-hop connections when a circuit build has
|
|
failed. Possible fix for bug 669. Found by lodger.
|
|
|
|
|
|
Changes in version 0.2.0.23-rc - 2008-03-24
|
|
Tor 0.2.0.23-rc is the fourth release candidate for the 0.2.0 series. It
|
|
makes bootstrapping faster if the first directory mirror you contact
|
|
is down. The bundles also include the new Vidalia 0.1.2 release.
|
|
|
|
o Major bugfixes:
|
|
- When a tunneled directory request is made to a directory server
|
|
that's down, notice after 30 seconds rather than 120 seconds. Also,
|
|
fail any begindir streams that are pending on it, so they can
|
|
retry elsewhere. This was causing multi-minute delays on bootstrap.
|
|
|
|
|
|
Changes in version 0.2.0.22-rc - 2008-03-18
|
|
Tor 0.2.0.22-rc is the third release candidate for the 0.2.0 series. It
|
|
enables encrypted directory connections by default for non-relays, fixes
|
|
some broken TLS behavior we added in 0.2.0.20-rc, and resolves many
|
|
other bugs. The bundles also include Vidalia 0.1.1 and Torbutton 1.1.17.
|
|
|
|
o Major features:
|
|
- Enable encrypted directory connections by default for non-relays,
|
|
so censor tools that block Tor directory connections based on their
|
|
plaintext patterns will no longer work. This means Tor works in
|
|
certain censored countries by default again.
|
|
|
|
o Major bugfixes:
|
|
- Make sure servers always request certificates from clients during
|
|
TLS renegotiation. Reported by lodger; bugfix on 0.2.0.20-rc.
|
|
- Do not enter a CPU-eating loop when a connection is closed in
|
|
the middle of client-side TLS renegotiation. Fixes bug 622. Bug
|
|
diagnosed by lodger; bugfix on 0.2.0.20-rc.
|
|
- Fix assertion failure that could occur when a blocked circuit
|
|
became unblocked, and it had pending client DNS requests. Bugfix
|
|
on 0.2.0.1-alpha. Fixes bug 632.
|
|
|
|
o Minor bugfixes (on 0.1.2.x):
|
|
- Generate "STATUS_SERVER" events rather than misspelled
|
|
"STATUS_SEVER" events. Caught by mwenge.
|
|
- When counting the number of bytes written on a TLS connection,
|
|
look at the BIO actually used for writing to the network, not
|
|
at the BIO used (sometimes) to buffer data for the network.
|
|
Looking at different BIOs could result in write counts on the
|
|
order of ULONG_MAX. Fixes bug 614.
|
|
- On Windows, correctly detect errors when listing the contents of
|
|
a directory. Fix from lodger.
|
|
|
|
o Minor bugfixes (on 0.2.0.x):
|
|
- Downgrade "sslv3 alert handshake failure" message to INFO.
|
|
- If we set RelayBandwidthRate and RelayBandwidthBurst very high but
|
|
left BandwidthRate and BandwidthBurst at the default, we would be
|
|
silently limited by those defaults. Now raise them to match the
|
|
RelayBandwidth* values.
|
|
- Fix the SVK version detection logic to work correctly on a branch.
|
|
- Make --enable-openbsd-malloc work correctly on Linux with alpha
|
|
CPUs. Fixes bug 625.
|
|
- Logging functions now check that the passed severity is sane.
|
|
- Use proper log levels in the testsuite call of
|
|
get_interface_address6().
|
|
- When using a nonstandard malloc, do not use the platform values for
|
|
HAVE_MALLOC_GOOD_SIZE or HAVE_MALLOC_USABLE_SIZE.
|
|
- Make the openbsd malloc code use 8k pages on alpha CPUs and
|
|
16k pages on ia64.
|
|
- Detect mismatched page sizes when using --enable-openbsd-malloc.
|
|
- Avoid double-marked-for-close warning when certain kinds of invalid
|
|
.in-addr.arpa addresses are passed to the DNSPort. Part of a fix
|
|
for bug 617. Bugfix on 0.2.0.1-alpha.
|
|
- Make sure that the "NULL-means-reject *:*" convention is followed by
|
|
all the policy manipulation functions, avoiding some possible crash
|
|
bugs. Bug found by lodger. Bugfix on 0.2.0.16-alpha.
|
|
- Fix the implementation of ClientDNSRejectInternalAddresses so that it
|
|
actually works, and doesn't warn about every single reverse lookup.
|
|
Fixes the other part of bug 617. Bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor features:
|
|
- Only log guard node status when guard node status has changed.
|
|
- Downgrade the 3 most common "INFO" messages to "DEBUG". This will
|
|
make "INFO" 75% less verbose.
|
|
|
|
|
|
Changes in version 0.2.0.21-rc - 2008-03-02
|
|
Tor 0.2.0.21-rc is the second release candidate for the 0.2.0 series. It
|
|
makes Tor work well with Vidalia again, fixes a rare assert bug,
|
|
and fixes a pair of more minor bugs. The bundles also include Vidalia
|
|
0.1.0 and Torbutton 1.1.16.
|
|
|
|
o Major bugfixes:
|
|
- The control port should declare that it requires password auth
|
|
when HashedControlSessionPassword is set too. Patch from Matt Edman;
|
|
bugfix on 0.2.0.20-rc. Fixes bug 615.
|
|
- Downgrade assert in connection_buckets_decrement() to a log message.
|
|
This may help us solve bug 614, and in any case will make its
|
|
symptoms less severe. Bugfix on 0.2.0.20-rc. Reported by fredzupy.
|
|
- We were sometimes miscounting the number of bytes read from the
|
|
network, causing our rate limiting to not be followed exactly.
|
|
Bugfix on 0.2.0.16-alpha. Reported by lodger.
|
|
|
|
o Minor bugfixes:
|
|
- Fix compilation with OpenSSL 0.9.8 and 0.9.8a. All other supported
|
|
OpenSSL versions should have been working fine. Diagnosis and patch
|
|
from lodger, Karsten Loesing, and Sebastian Hahn. Fixes bug 616.
|
|
Bugfix on 0.2.0.20-rc.
|
|
|
|
|
|
Changes in version 0.2.0.20-rc - 2008-02-24
|
|
Tor 0.2.0.20-rc is the first release candidate for the 0.2.0 series. It
|
|
makes more progress towards normalizing Tor's TLS handshake, makes
|
|
hidden services work better again, helps relays bootstrap if they don't
|
|
know their IP address, adds optional support for linking in openbsd's
|
|
allocator or tcmalloc, allows really fast relays to scale past 15000
|
|
sockets, and fixes a bunch of minor bugs reported by Veracode.
|
|
|
|
o Major features:
|
|
- Enable the revised TLS handshake based on the one designed by
|
|
Steven Murdoch in proposal 124, as revised in proposal 130. It
|
|
includes version negotiation for OR connections as described in
|
|
proposal 105. The new handshake is meant to be harder for censors
|
|
to fingerprint, and it adds the ability to detect certain kinds of
|
|
man-in-the-middle traffic analysis attacks. The version negotiation
|
|
feature will allow us to improve Tor's link protocol more safely
|
|
in the future.
|
|
- Choose which bridge to use proportional to its advertised bandwidth,
|
|
rather than uniformly at random. This should speed up Tor for
|
|
bridge users. Also do this for people who set StrictEntryNodes.
|
|
- When a TrackHostExits-chosen exit fails too many times in a row,
|
|
stop using it. Bugfix on 0.1.2.x; fixes bug 437.
|
|
|
|
o Major bugfixes:
|
|
- Resolved problems with (re-)fetching hidden service descriptors.
|
|
Patch from Karsten Loesing; fixes problems with 0.2.0.18-alpha
|
|
and 0.2.0.19-alpha.
|
|
- If we only ever used Tor for hidden service lookups or posts, we
|
|
would stop building circuits and start refusing connections after
|
|
24 hours, since we falsely believed that Tor was dormant. Reported
|
|
by nwf; bugfix on 0.1.2.x.
|
|
- Servers that don't know their own IP address should go to the
|
|
authorities for their first directory fetch, even if their DirPort
|
|
is off or if they don't know they're reachable yet. This will help
|
|
them bootstrap better. Bugfix on 0.2.0.18-alpha; fixes bug 609.
|
|
- When counting the number of open sockets, count not only the number
|
|
of sockets we have received from the socket() call, but also
|
|
the number we've gotten from accept() and socketpair(). This bug
|
|
made us fail to count all sockets that we were using for incoming
|
|
connections. Bugfix on 0.2.0.x.
|
|
- Fix code used to find strings within buffers, when those strings
|
|
are not in the first chunk of the buffer. Bugfix on 0.2.0.x.
|
|
- Fix potential segfault when parsing HTTP headers. Bugfix on 0.2.0.x.
|
|
- Add a new __HashedControlSessionPassword option for controllers
|
|
to use for one-off session password hashes that shouldn't get
|
|
saved to disk by SAVECONF --- Vidalia users were accumulating a
|
|
pile of HashedControlPassword lines in their torrc files, one for
|
|
each time they had restarted Tor and then clicked Save. Make Tor
|
|
automatically convert "HashedControlPassword" to this new option but
|
|
only when it's given on the command line. Partial fix for bug 586.
|
|
|
|
o Minor features (performance):
|
|
- Tune parameters for cell pool allocation to minimize amount of
|
|
RAM overhead used.
|
|
- Add OpenBSD malloc code from phk as an optional malloc
|
|
replacement on Linux: some glibc libraries do very poorly
|
|
with Tor's memory allocation patterns. Pass
|
|
--enable-openbsd-malloc to get the replacement malloc code.
|
|
- Add a --with-tcmalloc option to the configure script to link
|
|
against tcmalloc (if present). Does not yet search for
|
|
non-system include paths.
|
|
- Stop imposing an arbitrary maximum on the number of file descriptors
|
|
used for busy servers. Bug reported by Olaf Selke; patch from
|
|
Sebastian Hahn.
|
|
|
|
o Minor features (other):
|
|
- When SafeLogging is disabled, log addresses along with all TLS
|
|
errors.
|
|
- When building with --enable-gcc-warnings, check for whether Apple's
|
|
warning "-Wshorten-64-to-32" is available.
|
|
- Add a --passphrase-fd argument to the tor-gencert command for
|
|
scriptability.
|
|
|
|
o Minor bugfixes (memory leaks and code problems):
|
|
- We were leaking a file descriptor if Tor started with a zero-length
|
|
cached-descriptors file. Patch by freddy77; bugfix on 0.1.2.
|
|
- Detect size overflow in zlib code. Reported by Justin Ferguson and
|
|
Dan Kaminsky.
|
|
- We were comparing the raw BridgePassword entry with a base64'ed
|
|
version of it, when handling a "/tor/networkstatus-bridges"
|
|
directory request. Now compare correctly. Noticed by Veracode.
|
|
- Recover from bad tracked-since value in MTBF-history file.
|
|
Should fix bug 537.
|
|
- Alter the code that tries to recover from unhandled write
|
|
errors, to not try to flush onto a socket that's given us
|
|
unhandled errors. Bugfix on 0.1.2.x.
|
|
- Make Unix controlsockets work correctly on OpenBSD. Patch from
|
|
tup. Bugfix on 0.2.0.3-alpha.
|
|
|
|
o Minor bugfixes (other):
|
|
- If we have an extra-info document for our server, always make
|
|
it available on the control port, even if we haven't gotten
|
|
a copy of it from an authority yet. Patch from mwenge.
|
|
- Log the correct memory chunk sizes for empty RAM chunks in mempool.c.
|
|
- Directory mirrors no longer include a guess at the client's IP
|
|
address if the connection appears to be coming from the same /24
|
|
network; it was producing too many wrong guesses.
|
|
- Make the new hidden service code respect the SafeLogging setting.
|
|
Bugfix on 0.2.0.x. Patch from Karsten.
|
|
- When starting as an authority, do not overwrite all certificates
|
|
cached from other authorities. Bugfix on 0.2.0.x. Fixes bug 606.
|
|
- If we're trying to flush the last bytes on a connection (for
|
|
example, when answering a directory request), reset the
|
|
time-to-give-up timeout every time we manage to write something
|
|
on the socket. Bugfix on 0.1.2.x.
|
|
- Change the behavior of "getinfo status/good-server-descriptor"
|
|
so it doesn't return failure when any authority disappears.
|
|
- Even though the man page said that "TrackHostExits ." should
|
|
work, nobody had ever implemented it. Bugfix on 0.1.0.x.
|
|
- Report TLS "zero return" case as a "clean close" and "IO error"
|
|
as a "close". Stop calling closes "unexpected closes": existing
|
|
Tors don't use SSL_close(), so having a connection close without
|
|
the TLS shutdown handshake is hardly unexpected.
|
|
- Send NAMESERVER_STATUS messages for a single failed nameserver
|
|
correctly.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Remove the tor_strpartition function: its logic was confused,
|
|
and it was only used for one thing that could be implemented far
|
|
more easily.
|
|
|
|
|
|
Changes in version 0.2.0.19-alpha - 2008-02-09
|
|
Tor 0.2.0.19-alpha makes more progress towards normalizing Tor's TLS
|
|
handshake, makes path selection for relays more secure and IP address
|
|
guessing more robust, and generally fixes a lot of bugs in preparation
|
|
for calling the 0.2.0 branch stable.
|
|
|
|
o Major features:
|
|
- Do not include recognizeable strings in the commonname part of
|
|
Tor's x509 certificates.
|
|
|
|
o Major bugfixes:
|
|
- If we're a relay, avoid picking ourselves as an introduction point,
|
|
a rendezvous point, or as the final hop for internal circuits. Bug
|
|
reported by taranis and lodger. Bugfix on 0.1.2.x.
|
|
- Patch from "Andrew S. Lists" to catch when we contact a directory
|
|
mirror at IP address X and he says we look like we're coming from
|
|
IP address X. Bugfix on 0.1.2.x.
|
|
|
|
o Minor features (security):
|
|
- Be more paranoid about overwriting sensitive memory on free(),
|
|
as a defensive programming tactic to ensure forward secrecy.
|
|
|
|
o Minor features (directory authority):
|
|
- Actually validate the options passed to AuthDirReject,
|
|
AuthDirInvalid, AuthDirBadDir, and AuthDirBadExit.
|
|
- Reject router descriptors with out-of-range bandwidthcapacity or
|
|
bandwidthburst values.
|
|
|
|
o Minor features (controller):
|
|
- Reject controller commands over 1MB in length. This keeps rogue
|
|
processes from running us out of memory.
|
|
|
|
o Minor features (misc):
|
|
- Give more descriptive well-formedness errors for out-of-range
|
|
hidden service descriptor/protocol versions.
|
|
- Make memory debugging information describe more about history
|
|
of cell allocation, so we can help reduce our memory use.
|
|
|
|
o Deprecated features (controller):
|
|
- The status/version/num-versioning and status/version/num-concurring
|
|
GETINFO options are no longer useful in the v3 directory protocol:
|
|
treat them as deprecated, and warn when they're used.
|
|
|
|
o Minor bugfixes:
|
|
- When our consensus networkstatus has been expired for a while, stop
|
|
being willing to build circuits using it. Fixes bug 401. Bugfix
|
|
on 0.1.2.x.
|
|
- Directory caches now fetch certificates from all authorities
|
|
listed in a networkstatus consensus, even when they do not
|
|
recognize them. Fixes bug 571. Bugfix on 0.2.0.x.
|
|
- When connecting to a bridge without specifying its key, insert
|
|
the connection into the identity-to-connection map as soon as
|
|
a key is learned. Fixes bug 574. Bugfix on 0.2.0.x.
|
|
- Detect versions of OS X where malloc_good_size() is present in the
|
|
library but never actually declared. Resolves bug 587. Bugfix
|
|
on 0.2.0.x.
|
|
- Stop incorrectly truncating zlib responses to directory authority
|
|
signature download requests. Fixes bug 593. Bugfix on 0.2.0.x.
|
|
- Stop recommending that every server operator send mail to tor-ops.
|
|
Resolves bug 597. Bugfix on 0.1.2.x.
|
|
- Don't trigger an assert if we start a directory authority with a
|
|
private IP address (like 127.0.0.1).
|
|
- Avoid possible failures when generating a directory with routers
|
|
with over-long versions strings, or too many flags set. Bugfix
|
|
on 0.1.2.x.
|
|
- If an attempt to launch a DNS resolve request over the control
|
|
port fails because we have overrun the limit on the number of
|
|
connections, tell the controller that the request has failed.
|
|
- Avoid using too little bandwidth when our clock skips a few
|
|
seconds. Bugfix on 0.1.2.x.
|
|
- Fix shell error when warning about missing packages in configure
|
|
script, on Fedora or Red Hat machines. Bugfix on 0.2.0.x.
|
|
- Do not become confused when receiving a spurious VERSIONS-like
|
|
cell from a confused v1 client. Bugfix on 0.2.0.x.
|
|
- Re-fetch v2 (as well as v0) rendezvous descriptors when all
|
|
introduction points for a hidden service have failed. Patch from
|
|
Karsten Loesing. Bugfix on 0.2.0.x.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Remove some needless generality from cpuworker code, for improved
|
|
type-safety.
|
|
- Stop overloading the circuit_t.onionskin field for both "onionskin
|
|
from a CREATE cell that we are waiting for a cpuworker to be
|
|
assigned" and "onionskin from an EXTEND cell that we are going to
|
|
send to an OR as soon as we are connected". Might help with bug 600.
|
|
- Add an in-place version of aes_crypt() so that we can avoid doing a
|
|
needless memcpy() call on each cell payload.
|
|
|
|
|
|
Changes in version 0.2.0.18-alpha - 2008-01-25
|
|
Tor 0.2.0.18-alpha adds a sixth v3 directory authority run by CCC,
|
|
fixes a big memory leak in 0.2.0.17-alpha, and adds new config options
|
|
that can warn or reject connections to ports generally associated with
|
|
vulnerable-plaintext protocols.
|
|
|
|
o New directory authorities:
|
|
- Set up dannenberg (run by CCC) as the sixth v3 directory
|
|
authority.
|
|
|
|
o Major bugfixes:
|
|
- Fix a major memory leak when attempting to use the v2 TLS
|
|
handshake code. Bugfix on 0.2.0.x; fixes bug 589.
|
|
- We accidentally enabled the under-development v2 TLS handshake
|
|
code, which was causing log entries like "TLS error while
|
|
renegotiating handshake". Disable it again. Resolves bug 590.
|
|
- We were computing the wrong Content-Length: header for directory
|
|
responses that need to be compressed on the fly, causing clients
|
|
asking for those items to always fail. Bugfix on 0.2.0.x; partially
|
|
fixes bug 593.
|
|
|
|
o Major features:
|
|
- Avoid going directly to the directory authorities even if you're a
|
|
relay, if you haven't found yourself reachable yet or if you've
|
|
decided not to advertise your dirport yet. Addresses bug 556.
|
|
- If we've gone 12 hours since our last bandwidth check, and we
|
|
estimate we have less than 50KB bandwidth capacity but we could
|
|
handle more, do another bandwidth test.
|
|
- New config options WarnPlaintextPorts and RejectPlaintextPorts so
|
|
Tor can warn and/or refuse connections to ports commonly used with
|
|
vulnerable-plaintext protocols. Currently we warn on ports 23,
|
|
109, 110, and 143, but we don't reject any.
|
|
|
|
o Minor bugfixes:
|
|
- When we setconf ClientOnly to 1, close any current OR and Dir
|
|
listeners. Reported by mwenge.
|
|
- When we get a consensus that's been signed by more people than
|
|
we expect, don't log about it; it's not a big deal. Reported
|
|
by Kyle Williams.
|
|
|
|
o Minor features:
|
|
- Don't answer "/tor/networkstatus-bridges" directory requests if
|
|
the request isn't encrypted.
|
|
- Make "ClientOnly 1" config option disable directory ports too.
|
|
- Patches from Karsten Loesing to make v2 hidden services more
|
|
robust: work even when there aren't enough HSDir relays available;
|
|
retry when a v2 rend desc fetch fails; but don't retry if we
|
|
already have a usable v0 rend desc.
|
|
|
|
|
|
Changes in version 0.2.0.17-alpha - 2008-01-17
|
|
Tor 0.2.0.17-alpha makes the tarball build cleanly again (whoops).
|
|
|
|
o Compile fixes:
|
|
- Make the tor-gencert man page get included correctly in the tarball.
|
|
|
|
|
|
Changes in version 0.2.0.16-alpha - 2008-01-17
|
|
Tor 0.2.0.16-alpha adds a fifth v3 directory authority run by Karsten
|
|
Loesing, and generally cleans up a lot of features and minor bugs.
|
|
|
|
o New directory authorities:
|
|
- Set up gabelmoo (run by Karsten Loesing) as the fifth v3 directory
|
|
authority.
|
|
|
|
o Major performance improvements:
|
|
- Switch our old ring buffer implementation for one more like that
|
|
used by free Unix kernels. The wasted space in a buffer with 1mb
|
|
of data will now be more like 8k than 1mb. The new implementation
|
|
also avoids realloc();realloc(); patterns that can contribute to
|
|
memory fragmentation.
|
|
|
|
o Minor features:
|
|
- Configuration files now accept C-style strings as values. This
|
|
helps encode characters not allowed in the current configuration
|
|
file format, such as newline or #. Addresses bug 557.
|
|
- Although we fixed bug 539 (where servers would send HTTP status 503
|
|
responses _and_ send a body too), there are still servers out
|
|
there that haven't upgraded. Therefore, make clients parse such
|
|
bodies when they receive them.
|
|
- When we're not serving v2 directory information, there is no reason
|
|
to actually keep any around. Remove the obsolete files and directory
|
|
on startup if they are very old and we aren't going to serve them.
|
|
|
|
o Minor performance improvements:
|
|
- Reference-count and share copies of address policy entries; only 5%
|
|
of them were actually distinct.
|
|
- Never walk through the list of logs if we know that no log is
|
|
interested in a given message.
|
|
|
|
o Minor bugfixes:
|
|
- When an authority has not signed a consensus, do not try to
|
|
download a nonexistent "certificate with key 00000000". Bugfix
|
|
on 0.2.0.x. Fixes bug 569.
|
|
- Fix a rare assert error when we're closing one of our threads:
|
|
use a mutex to protect the list of logs, so we never write to the
|
|
list as it's being freed. Bugfix on 0.1.2.x. Fixes the very rare
|
|
bug 575, which is kind of the revenge of bug 222.
|
|
- Patch from Karsten Loesing to complain less at both the client
|
|
and the relay when a relay used to have the HSDir flag but doesn't
|
|
anymore, and we try to upload a hidden service descriptor.
|
|
- Stop leaking one cert per TLS context. Fixes bug 582. Bugfix on
|
|
0.2.0.15-alpha.
|
|
- Do not try to download missing certificates until we have tried
|
|
to check our fallback consensus. Fixes bug 583.
|
|
- Make bridges round reported GeoIP stats info up to the nearest
|
|
estimate, not down. Now we can distinguish between "0 people from
|
|
this country" and "1 person from this country".
|
|
- Avoid a spurious free on base64 failure. Bugfix on 0.1.2.
|
|
- Avoid possible segfault if key generation fails in
|
|
crypto_pk_hybrid_encrypt. Bugfix on 0.2.0.
|
|
- Avoid segfault in the case where a badly behaved v2 versioning
|
|
directory sends a signed networkstatus with missing client-versions.
|
|
Bugfix on 0.1.2.
|
|
- Avoid segfaults on certain complex invocations of
|
|
router_get_by_hexdigest(). Bugfix on 0.1.2.
|
|
- Correct bad index on array access in parse_http_time(). Bugfix
|
|
on 0.2.0.
|
|
- Fix possible bug in vote generation when server versions are present
|
|
but client versions are not.
|
|
- Fix rare bug on REDIRECTSTREAM control command when called with no
|
|
port set: it could erroneously report an error when none had
|
|
happened.
|
|
- Avoid bogus crash-prone, leak-prone tor_realloc when we're
|
|
compressing large objects and find ourselves with more than 4k
|
|
left over. Bugfix on 0.2.0.
|
|
- Fix a small memory leak when setting up a hidden service.
|
|
- Fix a few memory leaks that could in theory happen under bizarre
|
|
error conditions.
|
|
- Fix an assert if we post a general-purpose descriptor via the
|
|
control port but that descriptor isn't mentioned in our current
|
|
network consensus. Bug reported by Jon McLachlan; bugfix on
|
|
0.2.0.9-alpha.
|
|
|
|
o Minor features (controller):
|
|
- Get NS events working again. Patch from tup.
|
|
- The GETCONF command now escapes and quotes configuration values
|
|
that don't otherwise fit into the torrc file.
|
|
- The SETCONF command now handles quoted values correctly.
|
|
|
|
o Minor features (directory authorities):
|
|
- New configuration options to override default maximum number of
|
|
servers allowed on a single IP address. This is important for
|
|
running a test network on a single host.
|
|
- Actually implement the -s option to tor-gencert.
|
|
- Add a manual page for tor-gencert.
|
|
|
|
o Minor features (bridges):
|
|
- Bridge authorities no longer serve bridge descriptors over
|
|
unencrypted connections.
|
|
|
|
o Minor features (other):
|
|
- Add hidden services and DNSPorts to the list of things that make
|
|
Tor accept that it has running ports. Change starting Tor with no
|
|
ports from a fatal error to a warning; we might change it back if
|
|
this turns out to confuse anybody. Fixes bug 579.
|
|
|
|
|
|
Changes in version 0.1.2.19 - 2008-01-17
|
|
Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default
|
|
exit policy a little bit more conservative so it's safer to run an
|
|
exit relay on a home system, and fixes a variety of smaller issues.
|
|
|
|
o Security fixes:
|
|
- Exit policies now reject connections that are addressed to a
|
|
relay's public (external) IP address too, unless
|
|
ExitPolicyRejectPrivate is turned off. We do this because too
|
|
many relays are running nearby to services that trust them based
|
|
on network address.
|
|
|
|
o Major bugfixes:
|
|
- When the clock jumps forward a lot, do not allow the bandwidth
|
|
buckets to become negative. Fixes bug 544.
|
|
- Fix a memory leak on exit relays; we were leaking a cached_resolve_t
|
|
on every successful resolve. Reported by Mike Perry.
|
|
- Purge old entries from the "rephist" database and the hidden
|
|
service descriptor database even when DirPort is zero.
|
|
- Stop thinking that 0.1.2.x directory servers can handle "begin_dir"
|
|
requests. Should ease bugs 406 and 419 where 0.1.2.x relays are
|
|
crashing or mis-answering these requests.
|
|
- When we decide to send a 503 response to a request for servers, do
|
|
not then also send the server descriptors: this defeats the whole
|
|
purpose. Fixes bug 539.
|
|
|
|
o Minor bugfixes:
|
|
- Changing the ExitPolicyRejectPrivate setting should cause us to
|
|
rebuild our server descriptor.
|
|
- Fix handling of hex nicknames when answering controller requests for
|
|
networkstatus by name, or when deciding whether to warn about
|
|
unknown routers in a config option. (Patch from mwenge.)
|
|
- Fix a couple of hard-to-trigger autoconf problems that could result
|
|
in really weird results on platforms whose sys/types.h files define
|
|
nonstandard integer types.
|
|
- Don't try to create the datadir when running --verify-config or
|
|
--hash-password. Resolves bug 540.
|
|
- If we were having problems getting a particular descriptor from the
|
|
directory caches, and then we learned about a new descriptor for
|
|
that router, we weren't resetting our failure count. Reported
|
|
by lodger.
|
|
- Although we fixed bug 539 (where servers would send HTTP status 503
|
|
responses _and_ send a body too), there are still servers out there
|
|
that haven't upgraded. Therefore, make clients parse such bodies
|
|
when they receive them.
|
|
- Run correctly on systems where rlim_t is larger than unsigned long.
|
|
This includes some 64-bit systems.
|
|
- Run correctly on platforms (like some versions of OS X 10.5) where
|
|
the real limit for number of open files is OPEN_FILES, not rlim_max
|
|
from getrlimit(RLIMIT_NOFILES).
|
|
- Avoid a spurious free on base64 failure.
|
|
- Avoid segfaults on certain complex invocations of
|
|
router_get_by_hexdigest().
|
|
- Fix rare bug on REDIRECTSTREAM control command when called with no
|
|
port set: it could erroneously report an error when none had
|
|
happened.
|
|
|
|
|
|
Changes in version 0.2.0.15-alpha - 2007-12-25
|
|
Tor 0.2.0.14-alpha and 0.2.0.15-alpha fix a bunch of bugs with the
|
|
features added in 0.2.0.13-alpha.
|
|
|
|
o Major bugfixes:
|
|
- Fix several remotely triggerable asserts based on DirPort requests
|
|
for a v2 or v3 networkstatus object before we were prepared. This
|
|
was particularly bad for 0.2.0.13 and later bridge relays, who
|
|
would never have a v2 networkstatus and would thus always crash
|
|
when used. Bugfixes on 0.2.0.x.
|
|
- Estimate the v3 networkstatus size more accurately, rather than
|
|
estimating it at zero bytes and giving it artificially high priority
|
|
compared to other directory requests. Bugfix on 0.2.0.x.
|
|
|
|
o Minor bugfixes:
|
|
- Fix configure.in logic for cross-compilation.
|
|
- When we load a bridge descriptor from the cache, and it was
|
|
previously unreachable, mark it as retriable so we won't just
|
|
ignore it. Also, try fetching a new copy immediately. Bugfixes
|
|
on 0.2.0.13-alpha.
|
|
- The bridge GeoIP stats were counting other relays, for example
|
|
self-reachability and authority-reachability tests.
|
|
|
|
o Minor features:
|
|
- Support compilation to target iPhone; patch from cjacker huang.
|
|
To build for iPhone, pass the --enable-iphone option to configure.
|
|
|
|
|
|
Changes in version 0.2.0.14-alpha - 2007-12-23
|
|
o Major bugfixes:
|
|
- Fix a crash on startup if you install Tor 0.2.0.13-alpha fresh
|
|
without a datadirectory from a previous Tor install. Reported
|
|
by Zax.
|
|
- Fix a crash when we fetch a descriptor that turns out to be
|
|
unexpected (it used to be in our networkstatus when we started
|
|
fetching it, but it isn't in our current networkstatus), and we
|
|
aren't using bridges. Bugfix on 0.2.0.x.
|
|
- Fix a crash when accessing hidden services: it would work the first
|
|
time you use a given introduction point for your service, but
|
|
on subsequent requests we'd be using garbage memory. Fixed by
|
|
Karsten Loesing. Bugfix on 0.2.0.13-alpha.
|
|
- Fix a crash when we load a bridge descriptor from disk but we don't
|
|
currently have a Bridge line for it in our torrc. Bugfix on
|
|
0.2.0.13-alpha.
|
|
|
|
o Major features:
|
|
- If bridge authorities set BridgePassword, they will serve a
|
|
snapshot of known bridge routerstatuses from their DirPort to
|
|
anybody who knows that password. Unset by default.
|
|
|
|
o Minor bugfixes:
|
|
- Make the unit tests build again.
|
|
- Make "GETINFO/desc-annotations/id/<OR digest>" actually work.
|
|
- Make PublishServerDescriptor default to 1, so the default doesn't
|
|
have to change as we invent new directory protocol versions.
|
|
- Fix test for rlim_t on OSX 10.3: sys/resource.h doesn't want to
|
|
be included unless sys/time.h is already included. Fixes
|
|
bug 553. Bugfix on 0.2.0.x.
|
|
- If we receive a general-purpose descriptor and then receive an
|
|
identical bridge-purpose descriptor soon after, don't discard
|
|
the next one as a duplicate.
|
|
|
|
o Minor features:
|
|
- If BridgeRelay is set to 1, then the default for
|
|
PublishServerDescriptor is now "bridge" rather than "v2,v3".
|
|
- If the user sets RelayBandwidthRate but doesn't set
|
|
RelayBandwidthBurst, then make them equal rather than erroring out.
|
|
|
|
|
|
Changes in version 0.2.0.13-alpha - 2007-12-21
|
|
Tor 0.2.0.13-alpha adds a fourth v3 directory authority run by Geoff
|
|
Goodell, fixes many more bugs, and adds a lot of infrastructure for
|
|
upcoming features.
|
|
|
|
o New directory authorities:
|
|
- Set up lefkada (run by Geoff Goodell) as the fourth v3 directory
|
|
authority.
|
|
|
|
o Major bugfixes:
|
|
- Only update guard status (usable / not usable) once we have
|
|
enough directory information. This was causing us to always pick
|
|
two new guards on startup (bugfix on 0.2.0.9-alpha), and it was
|
|
causing us to discard all our guards on startup if we hadn't been
|
|
running for a few weeks (bugfix on 0.1.2.x). Fixes bug 448.
|
|
- Purge old entries from the "rephist" database and the hidden
|
|
service descriptor databases even when DirPort is zero. Bugfix
|
|
on 0.1.2.x.
|
|
- We were ignoring our RelayBandwidthRate for the first 30 seconds
|
|
after opening a circuit -- even a relayed circuit. Bugfix on
|
|
0.2.0.3-alpha.
|
|
- Stop thinking that 0.1.2.x directory servers can handle "begin_dir"
|
|
requests. Should ease bugs 406 and 419 where 0.1.2.x relays are
|
|
crashing or mis-answering these types of requests.
|
|
- Relays were publishing their server descriptor to v1 and v2
|
|
directory authorities, but they didn't try publishing to v3-only
|
|
authorities. Fix this; and also stop publishing to v1 authorities.
|
|
Bugfix on 0.2.0.x.
|
|
- When we were reading router descriptors from cache, we were ignoring
|
|
the annotations -- so for example we were reading in bridge-purpose
|
|
descriptors as general-purpose descriptors. Bugfix on 0.2.0.8-alpha.
|
|
- When we decided to send a 503 response to a request for servers, we
|
|
were then also sending the server descriptors: this defeats the
|
|
whole purpose. Fixes bug 539; bugfix on 0.1.2.x.
|
|
|
|
o Major features:
|
|
- Bridge relays now behave like clients with respect to time
|
|
intervals for downloading new consensus documents -- otherwise they
|
|
stand out. Bridge users now wait until the end of the interval,
|
|
so their bridge relay will be sure to have a new consensus document.
|
|
- Three new config options (AlternateDirAuthority,
|
|
AlternateBridgeAuthority, and AlternateHSAuthority) that let the
|
|
user selectively replace the default directory authorities by type,
|
|
rather than the all-or-nothing replacement that DirServer offers.
|
|
- Tor can now be configured to read a GeoIP file from disk in one
|
|
of two formats. This can be used by controllers to map IP addresses
|
|
to countries. Eventually, it may support exit-by-country.
|
|
- When possible, bridge relays remember which countries users
|
|
are coming from, and report aggregate information in their
|
|
extra-info documents, so that the bridge authorities can learn
|
|
where Tor is blocked.
|
|
- Bridge directory authorities now do reachability testing on the
|
|
bridges they know. They provide router status summaries to the
|
|
controller via "getinfo ns/purpose/bridge", and also dump summaries
|
|
to a file periodically.
|
|
- Stop fetching directory info so aggressively if your DirPort is
|
|
on but your ORPort is off; stop fetching v2 dir info entirely.
|
|
You can override these choices with the new FetchDirInfoEarly
|
|
config option.
|
|
|
|
o Minor bugfixes:
|
|
- The fix in 0.2.0.12-alpha cleared the "hsdir" flag in v3 network
|
|
consensus documents when there are too many relays at a single
|
|
IP address. Now clear it in v2 network status documents too, and
|
|
also clear it in routerinfo_t when the relay is no longer listed
|
|
in the relevant networkstatus document.
|
|
- Don't crash if we get an unexpected value for the
|
|
PublishServerDescriptor config option. Reported by Matt Edman;
|
|
bugfix on 0.2.0.9-alpha.
|
|
- Our new v2 hidden service descriptor format allows descriptors
|
|
that have no introduction points. But Tor crashed when we tried
|
|
to build a descriptor with no intro points (and it would have
|
|
crashed if we had tried to parse one). Bugfix on 0.2.0.x; patch
|
|
by Karsten Loesing.
|
|
- Fix building with dmalloc 5.5.2 with glibc.
|
|
- Reject uploaded descriptors and extrainfo documents if they're
|
|
huge. Otherwise we'll cache them all over the network and it'll
|
|
clog everything up. Reported by Aljosha Judmayer.
|
|
- Check for presence of s6_addr16 and s6_addr32 fields in in6_addr
|
|
via autoconf. Should fix compile on solaris. Bugfix on 0.2.0.x.
|
|
- When the DANGEROUS_VERSION controller status event told us we're
|
|
running an obsolete version, it used the string "OLD" to describe
|
|
it. Yet the "getinfo" interface used the string "OBSOLETE". Now use
|
|
"OBSOLETE" in both cases. Bugfix on 0.1.2.x.
|
|
- If we can't expand our list of entry guards (e.g. because we're
|
|
using bridges or we have StrictEntryNodes set), don't mark relays
|
|
down when they fail a directory request. Otherwise we're too quick
|
|
to mark all our entry points down. Bugfix on 0.1.2.x.
|
|
- Fix handling of hex nicknames when answering controller requests for
|
|
networkstatus by name, or when deciding whether to warn about unknown
|
|
routers in a config option. Bugfix on 0.1.2.x. (Patch from mwenge.)
|
|
- Fix a couple of hard-to-trigger autoconf problems that could result
|
|
in really weird results on platforms whose sys/types.h files define
|
|
nonstandard integer types. Bugfix on 0.1.2.x.
|
|
- Fix compilation with --disable-threads set. Bugfix on 0.2.0.x.
|
|
- Don't crash on name lookup when we have no current consensus. Fixes
|
|
bug 538; bugfix on 0.2.0.x.
|
|
- Only Tors that want to mirror the v2 directory info should
|
|
create the "cached-status" directory in their datadir. (All Tors
|
|
used to create it.) Bugfix on 0.2.0.9-alpha.
|
|
- Directory authorities should only automatically download Extra Info
|
|
documents if they're v1, v2, or v3 authorities. Bugfix on 0.1.2.x.
|
|
|
|
o Minor features:
|
|
- On the USR1 signal, when dmalloc is in use, log the top 10 memory
|
|
consumers. (We already do this on HUP.)
|
|
- Authorities and caches fetch the v2 networkstatus documents
|
|
less often, now that v3 is encouraged.
|
|
- Add a new config option BridgeRelay that specifies you want to
|
|
be a bridge relay. Right now the only difference is that it makes
|
|
you answer begin_dir requests, and it makes you cache dir info,
|
|
even if your DirPort isn't on.
|
|
- Add "GETINFO/desc-annotations/id/<OR digest>" so controllers can
|
|
ask about source, timestamp of arrival, purpose, etc. We need
|
|
something like this to help Vidalia not do GeoIP lookups on bridge
|
|
addresses.
|
|
- Allow multiple HashedControlPassword config lines, to support
|
|
multiple controller passwords.
|
|
- Authorities now decide whether they're authoritative for a given
|
|
router based on the router's purpose.
|
|
- New config options AuthDirBadDir and AuthDirListBadDirs for
|
|
authorities to mark certain relays as "bad directories" in the
|
|
networkstatus documents. Also supports the "!baddir" directive in
|
|
the approved-routers file.
|
|
|
|
|
|
Changes in version 0.2.0.12-alpha - 2007-11-16
|
|
This twelfth development snapshot fixes some more build problems as
|
|
well as a few minor bugs.
|
|
|
|
o Compile fixes:
|
|
- Make it build on OpenBSD again. Patch from tup.
|
|
- Substitute BINDIR and LOCALSTATEDIR in scripts. Fixes
|
|
package-building for Red Hat, OS X, etc.
|
|
|
|
o Minor bugfixes (on 0.1.2.x):
|
|
- Changing the ExitPolicyRejectPrivate setting should cause us to
|
|
rebuild our server descriptor.
|
|
|
|
o Minor bugfixes (on 0.2.0.x):
|
|
- When we're lacking a consensus, don't try to perform rendezvous
|
|
operations. Reported by Karsten Loesing.
|
|
- Fix a small memory leak whenever we decide against using a
|
|
newly picked entry guard. Reported by Mike Perry.
|
|
- When authorities detected more than two relays running on the same
|
|
IP address, they were clearing all the status flags but forgetting
|
|
to clear the "hsdir" flag. So clients were being told that a
|
|
given relay was the right choice for a v2 hsdir lookup, yet they
|
|
never had its descriptor because it was marked as 'not running'
|
|
in the consensus.
|
|
- If we're trying to fetch a bridge descriptor and there's no way
|
|
the bridge authority could help us (for example, we don't know
|
|
a digest, or there is no bridge authority), don't be so eager to
|
|
fall back to asking the bridge authority.
|
|
- If we're using bridges or have strictentrynodes set, and our
|
|
chosen exit is in the same family as all our bridges/entry guards,
|
|
then be flexible about families.
|
|
|
|
o Minor features:
|
|
- When we negotiate a v2 link-layer connection (not yet implemented),
|
|
accept RELAY_EARLY cells and turn them into RELAY cells if we've
|
|
negotiated a v1 connection for their next step. Initial code for
|
|
proposal 110.
|
|
|
|
|
|
Changes in version 0.2.0.11-alpha - 2007-11-12
|
|
This eleventh development snapshot fixes some build problems with
|
|
the previous snapshot. It also includes a more secure-by-default exit
|
|
policy for relays, fixes an enormous memory leak for exit relays, and
|
|
fixes another bug where servers were falling out of the directory list.
|
|
|
|
o Security fixes:
|
|
- Exit policies now reject connections that are addressed to a
|
|
relay's public (external) IP address too, unless
|
|
ExitPolicyRejectPrivate is turned off. We do this because too
|
|
many relays are running nearby to services that trust them based
|
|
on network address. Bugfix on 0.1.2.x.
|
|
|
|
o Major bugfixes:
|
|
- Fix a memory leak on exit relays; we were leaking a cached_resolve_t
|
|
on every successful resolve. Reported by Mike Perry; bugfix
|
|
on 0.1.2.x.
|
|
- On authorities, never downgrade to old router descriptors simply
|
|
because they're listed in the consensus. This created a catch-22
|
|
where we wouldn't list a new descriptor because there was an
|
|
old one in the consensus, and we couldn't get the new one in the
|
|
consensus because we wouldn't list it. Possible fix for bug 548.
|
|
Also, this might cause bug 543 to appear on authorities; if so,
|
|
we'll need a band-aid for that. Bugfix on 0.2.0.9-alpha.
|
|
|
|
o Packaging fixes on 0.2.0.10-alpha:
|
|
- We were including instructions about what to do with the
|
|
src/config/fallback-consensus file, but we weren't actually
|
|
including it in the tarball. Disable all of that for now.
|
|
|
|
o Minor features:
|
|
- Allow people to say PreferTunnelledDirConns rather than
|
|
PreferTunneledDirConns, for those alternate-spellers out there.
|
|
|
|
o Minor bugfixes:
|
|
- Don't reevaluate all the information from our consensus document
|
|
just because we've downloaded a v2 networkstatus that we intend
|
|
to cache. Fixes bug 545; bugfix on 0.2.0.x.
|
|
|
|
|
|
Changes in version 0.2.0.10-alpha - 2007-11-10
|
|
This tenth development snapshot adds a third v3 directory authority
|
|
run by Mike Perry, adds most of Karsten Loesing's new hidden service
|
|
descriptor format, fixes a bad crash bug and new bridge bugs introduced
|
|
in 0.2.0.9-alpha, fixes many bugs with the v3 directory implementation,
|
|
fixes some minor memory leaks in previous 0.2.0.x snapshots, and
|
|
addresses many more minor issues.
|
|
|
|
o New directory authorities:
|
|
- Set up ides (run by Mike Perry) as the third v3 directory authority.
|
|
|
|
o Major features:
|
|
- Allow tunnelled directory connections to ask for an encrypted
|
|
"begin_dir" connection or an anonymized "uses a full Tor circuit"
|
|
connection independently. Now we can make anonymized begin_dir
|
|
connections for (e.g.) more secure hidden service posting and
|
|
fetching.
|
|
- More progress on proposal 114: code from Karsten Loesing to
|
|
implement new hidden service descriptor format.
|
|
- Raise the default BandwidthRate/BandwidthBurst to 5MB/10MB, to
|
|
accommodate the growing number of servers that use the default
|
|
and are reaching it.
|
|
- Directory authorities use a new formula for selecting which nodes
|
|
to advertise as Guards: they must be in the top 7/8 in terms of
|
|
how long we have known about them, and above the median of those
|
|
nodes in terms of weighted fractional uptime.
|
|
- Make "not enough dir info yet" warnings describe *why* Tor feels
|
|
it doesn't have enough directory info yet.
|
|
|
|
o Major bugfixes:
|
|
- Stop servers from crashing if they set a Family option (or
|
|
maybe in other situations too). Bugfix on 0.2.0.9-alpha; reported
|
|
by Fabian Keil.
|
|
- Make bridge users work again -- the move to v3 directories in
|
|
0.2.0.9-alpha had introduced a number of bugs that made bridges
|
|
no longer work for clients.
|
|
- When the clock jumps forward a lot, do not allow the bandwidth
|
|
buckets to become negative. Bugfix on 0.1.2.x; fixes bug 544.
|
|
|
|
o Major bugfixes (v3 dir, bugfixes on 0.2.0.9-alpha):
|
|
- When the consensus lists a router descriptor that we previously were
|
|
mirroring, but that we considered non-canonical, reload the
|
|
descriptor as canonical. This fixes bug 543 where Tor servers
|
|
would start complaining after a few days that they don't have
|
|
enough directory information to build a circuit.
|
|
- Consider replacing the current consensus when certificates arrive
|
|
that make the pending consensus valid. Previously, we were only
|
|
considering replacement when the new certs _didn't_ help.
|
|
- Fix an assert error on startup if we didn't already have the
|
|
consensus and certs cached in our datadirectory: we were caching
|
|
the consensus in consensus_waiting_for_certs but then free'ing it
|
|
right after.
|
|
- Avoid sending a request for "keys/fp" (for which we'll get a 400 Bad
|
|
Request) if we need more v3 certs but we've already got pending
|
|
requests for all of them.
|
|
- Correctly back off from failing certificate downloads. Fixes
|
|
bug 546.
|
|
- Authorities don't vote on the Running flag if they have been running
|
|
for less than 30 minutes themselves. Fixes bug 547, where a newly
|
|
started authority would vote that everyone was down.
|
|
|
|
o New requirements:
|
|
- Drop support for OpenSSL version 0.9.6. Just about nobody was using
|
|
it, it had no AES, and it hasn't seen any security patches since
|
|
2004.
|
|
|
|
o Minor features:
|
|
- Clients now hold circuitless TLS connections open for 1.5 times
|
|
MaxCircuitDirtiness (15 minutes), since it is likely that they'll
|
|
rebuild a new circuit over them within that timeframe. Previously,
|
|
they held them open only for KeepalivePeriod (5 minutes).
|
|
- Use "If-Modified-Since" to avoid retrieving consensus
|
|
networkstatuses that we already have.
|
|
- When we have no consensus, check FallbackNetworkstatusFile (defaults
|
|
to $PREFIX/share/tor/fallback-consensus) for a consensus. This way
|
|
we start knowing some directory caches.
|
|
- When we receive a consensus from the future, warn about skew.
|
|
- Improve skew reporting: try to give the user a better log message
|
|
about how skewed they are, and how much this matters.
|
|
- When we have a certificate for an authority, believe that
|
|
certificate's claims about the authority's IP address.
|
|
- New --quiet command-line option to suppress the default console log.
|
|
Good in combination with --hash-password.
|
|
- Authorities send back an X-Descriptor-Not-New header in response to
|
|
an accepted-but-discarded descriptor upload. Partially implements
|
|
fix for bug 535.
|
|
- Make the log message for "tls error. breaking." more useful.
|
|
- Better log messages about certificate downloads, to attempt to
|
|
track down the second incarnation of bug 546.
|
|
|
|
o Minor features (bridges):
|
|
- If bridge users set UpdateBridgesFromAuthority, but the digest
|
|
they ask for is a 404 from the bridge authority, they now fall
|
|
back to trying the bridge directly.
|
|
- Bridges now use begin_dir to publish their server descriptor to
|
|
the bridge authority, even when they haven't set TunnelDirConns.
|
|
|
|
o Minor features (controller):
|
|
- When reporting clock skew, and we know that the clock is _at least
|
|
as skewed_ as some value, but we don't know the actual value,
|
|
report the value as a "minimum skew."
|
|
|
|
o Utilities:
|
|
- Update linux-tor-prio.sh script to allow QoS based on the uid of
|
|
the Tor process. Patch from Marco Bonetti with tweaks from Mike
|
|
Perry.
|
|
|
|
o Minor bugfixes:
|
|
- Refuse to start if both ORPort and UseBridges are set. Bugfix
|
|
on 0.2.0.x, suggested by Matt Edman.
|
|
- Don't stop fetching descriptors when FetchUselessDescriptors is
|
|
set, even if we stop asking for circuits. Bugfix on 0.1.2.x;
|
|
reported by tup and ioerror.
|
|
- Better log message on vote from unknown authority.
|
|
- Don't log "Launching 0 request for 0 router" message.
|
|
|
|
o Minor bugfixes (memory leaks):
|
|
- Stop leaking memory every time we parse a v3 certificate. Bugfix
|
|
on 0.2.0.1-alpha.
|
|
- Stop leaking memory every time we load a v3 certificate. Bugfix
|
|
on 0.2.0.1-alpha. Fixes bug 536.
|
|
- Stop leaking a cached networkstatus on exit. Bugfix on
|
|
0.2.0.3-alpha.
|
|
- Stop leaking voter information every time we free a consensus.
|
|
Bugfix on 0.2.0.3-alpha.
|
|
- Stop leaking signed data every time we check a voter signature.
|
|
Bugfix on 0.2.0.3-alpha.
|
|
- Stop leaking a signature every time we fail to parse a consensus or
|
|
a vote. Bugfix on 0.2.0.3-alpha.
|
|
- Stop leaking v2_download_status_map on shutdown. Bugfix on
|
|
0.2.0.9-alpha.
|
|
- Stop leaking conn->nickname every time we make a connection to a
|
|
Tor relay without knowing its expected identity digest (e.g. when
|
|
using bridges). Bugfix on 0.2.0.3-alpha.
|
|
|
|
- Minor bugfixes (portability):
|
|
- Run correctly on platforms where rlim_t is larger than unsigned
|
|
long, and/or where the real limit for number of open files is
|
|
OPEN_FILES, not rlim_max from getrlimit(RLIMIT_NOFILES). In
|
|
particular, these may be needed for OS X 10.5.
|
|
|
|
|
|
Changes in version 0.1.2.18 - 2007-10-28
|
|
Tor 0.1.2.18 fixes many problems including crash bugs, problems with
|
|
hidden service introduction that were causing huge delays, and a big
|
|
bug that was causing some servers to disappear from the network status
|
|
lists for a few hours each day.
|
|
|
|
o Major bugfixes (crashes):
|
|
- If a connection is shut down abruptly because of something that
|
|
happened inside connection_flushed_some(), do not call
|
|
connection_finished_flushing(). Should fix bug 451:
|
|
"connection_stop_writing: Assertion conn->write_event failed"
|
|
Bugfix on 0.1.2.7-alpha.
|
|
- Fix possible segfaults in functions called from
|
|
rend_process_relay_cell().
|
|
|
|
o Major bugfixes (hidden services):
|
|
- Hidden services were choosing introduction points uniquely by
|
|
hexdigest, but when constructing the hidden service descriptor
|
|
they merely wrote the (potentially ambiguous) nickname.
|
|
- Clients now use the v2 intro format for hidden service
|
|
connections: they specify their chosen rendezvous point by identity
|
|
digest rather than by (potentially ambiguous) nickname. These
|
|
changes could speed up hidden service connections dramatically.
|
|
|
|
o Major bugfixes (other):
|
|
- Stop publishing a new server descriptor just because we get a
|
|
HUP signal. This led (in a roundabout way) to some servers getting
|
|
dropped from the networkstatus lists for a few hours each day.
|
|
- When looking for a circuit to cannibalize, consider family as well
|
|
as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced
|
|
circuit cannibalization).
|
|
- When a router wasn't listed in a new networkstatus, we were leaving
|
|
the flags for that router alone -- meaning it remained Named,
|
|
Running, etc -- even though absence from the networkstatus means
|
|
that it shouldn't be considered to exist at all anymore. Now we
|
|
clear all the flags for routers that fall out of the networkstatus
|
|
consensus. Fixes bug 529.
|
|
|
|
o Minor bugfixes:
|
|
- Don't try to access (or alter) the state file when running
|
|
--list-fingerprint or --verify-config or --hash-password. Resolves
|
|
bug 499.
|
|
- When generating information telling us how to extend to a given
|
|
router, do not try to include the nickname if it is
|
|
absent. Resolves bug 467.
|
|
- Fix a user-triggerable segfault in expand_filename(). (There isn't
|
|
a way to trigger this remotely.)
|
|
- When sending a status event to the controller telling it that an
|
|
OR address is reachable, set the port correctly. (Previously we
|
|
were reporting the dir port.)
|
|
- Fix a minor memory leak whenever a controller sends the PROTOCOLINFO
|
|
command. Bugfix on 0.1.2.17.
|
|
- When loading bandwidth history, do not believe any information in
|
|
the future. Fixes bug 434.
|
|
- When loading entry guard information, do not believe any information
|
|
in the future.
|
|
- When we have our clock set far in the future and generate an
|
|
onion key, then re-set our clock to be correct, we should not stop
|
|
the onion key from getting rotated.
|
|
- On some platforms, accept() can return a broken address. Detect
|
|
this more quietly, and deal accordingly. Fixes bug 483.
|
|
- It's not actually an error to find a non-pending entry in the DNS
|
|
cache when canceling a pending resolve. Don't log unless stuff
|
|
is fishy. Resolves bug 463.
|
|
- Don't reset trusted dir server list when we set a configuration
|
|
option. Patch from Robert Hogan.
|
|
- Don't try to create the datadir when running --verify-config or
|
|
--hash-password. Resolves bug 540.
|
|
|
|
|
|
Changes in version 0.2.0.9-alpha - 2007-10-24
|
|
This ninth development snapshot switches clients to the new v3 directory
|
|
system; allows servers to be listed in the network status even when they
|
|
have the same nickname as a registered server; and fixes many other
|
|
bugs including a big one that was causing some servers to disappear
|
|
from the network status lists for a few hours each day.
|
|
|
|
o Major features (directory system):
|
|
- Clients now download v3 consensus networkstatus documents instead
|
|
of v2 networkstatus documents. Clients and caches now base their
|
|
opinions about routers on these consensus documents. Clients only
|
|
download router descriptors listed in the consensus.
|
|
- Authorities now list servers who have the same nickname as
|
|
a different named server, but list them with a new flag,
|
|
"Unnamed". Now we can list servers that happen to pick the same
|
|
nickname as a server that registered two years ago and then
|
|
disappeared. Partially implements proposal 122.
|
|
- If the consensus lists a router as "Unnamed", the name is assigned
|
|
to a different router: do not identify the router by that name.
|
|
Partially implements proposal 122.
|
|
- Authorities can now come to a consensus on which method to use to
|
|
compute the consensus. This gives us forward compatibility.
|
|
|
|
o Major bugfixes:
|
|
- Stop publishing a new server descriptor just because we HUP or
|
|
when we find our DirPort to be reachable but won't actually publish
|
|
it. New descriptors without any real changes are dropped by the
|
|
authorities, and can screw up our "publish every 18 hours" schedule.
|
|
Bugfix on 0.1.2.x.
|
|
- When a router wasn't listed in a new networkstatus, we were leaving
|
|
the flags for that router alone -- meaning it remained Named,
|
|
Running, etc -- even though absence from the networkstatus means
|
|
that it shouldn't be considered to exist at all anymore. Now we
|
|
clear all the flags for routers that fall out of the networkstatus
|
|
consensus. Fixes bug 529; bugfix on 0.1.2.x.
|
|
- Fix awful behavior in DownloadExtraInfo option where we'd fetch
|
|
extrainfo documents and then discard them immediately for not
|
|
matching the latest router. Bugfix on 0.2.0.1-alpha.
|
|
|
|
o Minor features (v3 directory protocol):
|
|
- Allow tor-gencert to generate a new certificate without replacing
|
|
the signing key.
|
|
- Allow certificates to include an address.
|
|
- When we change our directory-cache settings, reschedule all voting
|
|
and download operations.
|
|
- Reattempt certificate downloads immediately on failure, as long as
|
|
we haven't failed a threshold number of times yet.
|
|
- Delay retrying consensus downloads while we're downloading
|
|
certificates to verify the one we just got. Also, count getting a
|
|
consensus that we already have (or one that isn't valid) as a failure,
|
|
and count failing to get the certificates after 20 minutes as a
|
|
failure.
|
|
- Build circuits and download descriptors even if our consensus is a
|
|
little expired. (This feature will go away once authorities are
|
|
more reliable.)
|
|
|
|
o Minor features (router descriptor cache):
|
|
- If we find a cached-routers file that's been sitting around for more
|
|
than 28 days unmodified, then most likely it's a leftover from
|
|
when we upgraded to 0.2.0.8-alpha. Remove it. It has no good
|
|
routers anyway.
|
|
- When we (as a cache) download a descriptor because it was listed
|
|
in a consensus, remember when the consensus was supposed to expire,
|
|
and don't expire the descriptor until then.
|
|
|
|
o Minor features (performance):
|
|
- Call routerlist_remove_old_routers() much less often. This should
|
|
speed startup, especially on directory caches.
|
|
- Don't try to launch new descriptor downloads quite so often when we
|
|
already have enough directory information to build circuits.
|
|
- Base64 decoding was actually showing up on our profile when parsing
|
|
the initial descriptor file; switch to an in-process all-at-once
|
|
implementation that's about 3.5x times faster than calling out to
|
|
OpenSSL.
|
|
|
|
o Minor features (compilation):
|
|
- Detect non-ASCII platforms (if any still exist) and refuse to
|
|
build there: some of our code assumes that 'A' is 65 and so on.
|
|
|
|
o Minor bugfixes (v3 directory authorities, bugfixes on 0.2.0.x):
|
|
- Make the "next period" votes into "current period" votes immediately
|
|
after publishing the consensus; avoid a heisenbug that made them
|
|
stick around indefinitely.
|
|
- When we discard a vote as a duplicate, do not report this as
|
|
an error.
|
|
- Treat missing v3 keys or certificates as an error when running as a
|
|
v3 directory authority.
|
|
- When we're configured to be a v3 authority, but we're only listed
|
|
as a non-v3 authority in our DirServer line for ourself, correct
|
|
the listing.
|
|
- If an authority doesn't have a qualified hostname, just put
|
|
its address in the vote. This fixes the problem where we referred to
|
|
"moria on moria:9031."
|
|
- Distinguish between detached signatures for the wrong period, and
|
|
detached signatures for a divergent vote.
|
|
- Fix a small memory leak when computing a consensus.
|
|
- When there's no concensus, we were forming a vote every 30
|
|
minutes, but writing the "valid-after" line in our vote based
|
|
on our configured V3AuthVotingInterval: so unless the intervals
|
|
matched up, we immediately rejected our own vote because it didn't
|
|
start at the voting interval that caused us to construct a vote.
|
|
|
|
o Minor bugfixes (v3 directory protocol, bugfixes on 0.2.0.x):
|
|
- Delete unverified-consensus when the real consensus is set.
|
|
- Consider retrying a consensus networkstatus fetch immediately
|
|
after one fails: don't wait 60 seconds to notice.
|
|
- When fetching a consensus as a cache, wait until a newer consensus
|
|
should exist before trying to replace the current one.
|
|
- Use a more forgiving schedule for retrying failed consensus
|
|
downloads than for other types.
|
|
|
|
o Minor bugfixes (other directory issues):
|
|
- Correct the implementation of "download votes by digest." Bugfix on
|
|
0.2.0.8-alpha.
|
|
- Authorities no longer send back "400 you're unreachable please fix
|
|
it" errors to Tor servers that aren't online all the time. We're
|
|
supposed to tolerate these servers now. Bugfix on 0.1.2.x.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Don't reset trusted dir server list when we set a configuration
|
|
option. Patch from Robert Hogan; bugfix on 0.1.2.x.
|
|
- Respond to INT and TERM SIGNAL commands before we execute the
|
|
signal, in case the signal shuts us down. We had a patch in
|
|
0.1.2.1-alpha that tried to do this by queueing the response on
|
|
the connection's buffer before shutting down, but that really
|
|
isn't the same thing at all. Bug located by Matt Edman.
|
|
|
|
o Minor bugfixes (misc):
|
|
- Correctly check for bad options to the "PublishServerDescriptor"
|
|
config option. Bugfix on 0.2.0.1-alpha; reported by Matt Edman.
|
|
- Stop leaking memory on failing case of base32_decode, and make
|
|
it accept upper-case letters. Bugfixes on 0.2.0.7-alpha.
|
|
- Don't try to download extrainfo documents when we're trying to
|
|
fetch enough directory info to build a circuit: having enough
|
|
info should get priority. Bugfix on 0.2.0.x.
|
|
- Don't complain that "your server has not managed to confirm that its
|
|
ports are reachable" if we haven't been able to build any circuits
|
|
yet. Bug found by spending four hours without a v3 consensus. Bugfix
|
|
on 0.1.2.x.
|
|
- Detect the reason for failing to mmap a descriptor file we just
|
|
wrote, and give a more useful log message. Fixes bug 533. Bugfix
|
|
on 0.1.2.x.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Remove support for the old bw_accounting file: we've been storing
|
|
bandwidth accounting information in the state file since
|
|
0.1.2.5-alpha. This may result in bandwidth accounting errors
|
|
if you try to upgrade from 0.1.1.x or earlier, or if you try to
|
|
downgrade to 0.1.1.x or earlier.
|
|
- New convenience code to locate a file within the DataDirectory.
|
|
- Move non-authority functionality out of dirvote.c.
|
|
- Refactor the arguments for router_pick_{directory_|trusteddir}server
|
|
so that they all take the same named flags.
|
|
|
|
o Utilities
|
|
- Include the "tor-ctrl.sh" bash script by Stefan Behte to provide
|
|
Unix users an easy way to script their Tor process (e.g. by
|
|
adjusting bandwidth based on the time of the day).
|
|
|
|
|
|
Changes in version 0.2.0.8-alpha - 2007-10-12
|
|
This eighth development snapshot fixes a crash bug that's been bothering
|
|
us since February 2007, lets bridge authorities store a list of bridge
|
|
descriptors they've seen, gets v3 directory voting closer to working,
|
|
starts caching v3 directory consensus documents on directory mirrors,
|
|
and fixes a variety of smaller issues including some minor memory leaks.
|
|
|
|
o Major features (router descriptor cache):
|
|
- Store routers in a file called cached-descriptors instead of in
|
|
cached-routers. Initialize cached-descriptors from cached-routers
|
|
if the old format is around. The new format allows us to store
|
|
annotations along with descriptors.
|
|
- Use annotations to record the time we received each descriptor, its
|
|
source, and its purpose.
|
|
- Disable the SETROUTERPURPOSE controller command: it is now
|
|
obsolete.
|
|
- Controllers should now specify cache=no or cache=yes when using
|
|
the +POSTDESCRIPTOR command.
|
|
- Bridge authorities now write bridge descriptors to disk, meaning
|
|
we can export them to other programs and begin distributing them
|
|
to blocked users.
|
|
|
|
o Major features (directory authorities):
|
|
- When a v3 authority is missing votes or signatures, it now tries
|
|
to fetch them.
|
|
- Directory authorities track weighted fractional uptime as well as
|
|
weighted mean-time-between failures. WFU is suitable for deciding
|
|
whether a node is "usually up", while MTBF is suitable for deciding
|
|
whether a node is "likely to stay up." We need both, because
|
|
"usually up" is a good requirement for guards, while "likely to
|
|
stay up" is a good requirement for long-lived connections.
|
|
|
|
o Major features (v3 directory system):
|
|
- Caches now download v3 network status documents as needed,
|
|
and download the descriptors listed in them.
|
|
- All hosts now attempt to download and keep fresh v3 authority
|
|
certificates, and re-attempt after failures.
|
|
- More internal-consistency checks for vote parsing.
|
|
|
|
o Major bugfixes (crashes):
|
|
- If a connection is shut down abruptly because of something that
|
|
happened inside connection_flushed_some(), do not call
|
|
connection_finished_flushing(). Should fix bug 451. Bugfix on
|
|
0.1.2.7-alpha.
|
|
|
|
o Major bugfixes (performance):
|
|
- Fix really bad O(n^2) performance when parsing a long list of
|
|
routers: Instead of searching the entire list for an "extra-info "
|
|
string which usually wasn't there, once for every routerinfo
|
|
we read, just scan lines forward until we find one we like.
|
|
Bugfix on 0.2.0.1.
|
|
- When we add data to a write buffer in response to the data on that
|
|
write buffer getting low because of a flush, do not consider the
|
|
newly added data as a candidate for immediate flushing, but rather
|
|
make it wait until the next round of writing. Otherwise, we flush
|
|
and refill recursively, and a single greedy TLS connection can
|
|
eat all of our bandwidth. Bugfix on 0.1.2.7-alpha.
|
|
|
|
o Minor features (v3 authority system):
|
|
- Add more ways for tools to download the votes that lead to the
|
|
current consensus.
|
|
- Send a 503 when low on bandwidth and a vote, consensus, or
|
|
certificate is requested.
|
|
- If-modified-since is now implemented properly for all kinds of
|
|
certificate requests.
|
|
|
|
o Minor bugfixes (network statuses):
|
|
- Tweak the implementation of proposal 109 slightly: allow at most
|
|
two Tor servers on the same IP address, except if it's the location
|
|
of a directory authority, in which case allow five. Bugfix on
|
|
0.2.0.3-alpha.
|
|
|
|
o Minor bugfixes (controller):
|
|
- When sending a status event to the controller telling it that an
|
|
OR address is reachable, set the port correctly. (Previously we
|
|
were reporting the dir port.) Bugfix on 0.1.2.x.
|
|
|
|
o Minor bugfixes (v3 directory system):
|
|
- Fix logic to look up a cert by its signing key digest. Bugfix on
|
|
0.2.0.7-alpha.
|
|
- Only change the reply to a vote to "OK" if it's not already
|
|
set. This gets rid of annoying "400 OK" log messages, which may
|
|
have been masking some deeper issue. Bugfix on 0.2.0.7-alpha.
|
|
- When we get a valid consensus, recompute the voting schedule.
|
|
- Base the valid-after time of a vote on the consensus voting
|
|
schedule, not on our preferred schedule.
|
|
- Make the return values and messages from signature uploads and
|
|
downloads more sensible.
|
|
- Fix a memory leak when serving votes and consensus documents, and
|
|
another when serving certificates.
|
|
|
|
o Minor bugfixes (performance):
|
|
- Use a slightly simpler string hashing algorithm (copying Python's
|
|
instead of Java's) and optimize our digest hashing algorithm to take
|
|
advantage of 64-bit platforms and to remove some possibly-costly
|
|
voodoo.
|
|
- Fix a minor memory leak whenever we parse guards from our state
|
|
file. Bugfix on 0.2.0.7-alpha.
|
|
- Fix a minor memory leak whenever we write out a file. Bugfix on
|
|
0.2.0.7-alpha.
|
|
- Fix a minor memory leak whenever a controller sends the PROTOCOLINFO
|
|
command. Bugfix on 0.2.0.5-alpha.
|
|
|
|
o Minor bugfixes (portability):
|
|
- On some platforms, accept() can return a broken address. Detect
|
|
this more quietly, and deal accordingly. Fixes bug 483.
|
|
- Stop calling tor_strlower() on uninitialized memory in some cases.
|
|
Bugfix in 0.2.0.7-alpha.
|
|
|
|
o Minor bugfixes (usability):
|
|
- Treat some 403 responses from directory servers as INFO rather than
|
|
WARN-severity events.
|
|
- It's not actually an error to find a non-pending entry in the DNS
|
|
cache when canceling a pending resolve. Don't log unless stuff is
|
|
fishy. Resolves bug 463.
|
|
|
|
o Minor bugfixes (anonymity):
|
|
- Never report that we've used more bandwidth than we're willing to
|
|
relay: it leaks how much non-relay traffic we're using. Resolves
|
|
bug 516.
|
|
- When looking for a circuit to cannibalize, consider family as well
|
|
as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced
|
|
circuit cannibalization).
|
|
|
|
o Code simplifications and refactoring:
|
|
- Make a bunch of functions static. Remove some dead code.
|
|
- Pull out about a third of the really big routerlist.c; put it in a
|
|
new module, networkstatus.c.
|
|
- Merge the extra fields in local_routerstatus_t back into
|
|
routerstatus_t: we used to need one routerstatus_t for each
|
|
authority's opinion, plus a local_routerstatus_t for the locally
|
|
computed consensus opinion. To save space, we put the locally
|
|
modified fields into local_routerstatus_t, and only the common
|
|
stuff into routerstatus_t. But once v3 directories are in use,
|
|
clients and caches will no longer need to hold authority opinions;
|
|
thus, the rationale for keeping the types separate is now gone.
|
|
- Make the code used to reschedule and reattempt downloads more
|
|
uniform.
|
|
- Turn all 'Are we a directory server/mirror?' logic into a call to
|
|
dirserver_mode().
|
|
- Remove the code to generate the oldest (v1) directory format.
|
|
The code has been disabled since 0.2.0.5-alpha.
|
|
|
|
|
|
Changes in version 0.2.0.7-alpha - 2007-09-21
|
|
This seventh development snapshot makes bridges work again, makes bridge
|
|
authorities work for the first time, fixes two huge performance flaws
|
|
in hidden services, and fixes a variety of minor issues.
|
|
|
|
o New directory authorities:
|
|
- Set up moria1 and tor26 as the first v3 directory authorities. See
|
|
doc/spec/dir-spec.txt for details on the new directory design.
|
|
|
|
o Major bugfixes (crashes):
|
|
- Fix possible segfaults in functions called from
|
|
rend_process_relay_cell(). Bugfix on 0.1.2.x.
|
|
|
|
o Major bugfixes (bridges):
|
|
- Fix a bug that made servers send a "404 Not found" in response to
|
|
attempts to fetch their server descriptor. This caused Tor servers
|
|
to take many minutes to establish reachability for their DirPort,
|
|
and it totally crippled bridges. Bugfix on 0.2.0.5-alpha.
|
|
- Make "UpdateBridgesFromAuthority" torrc option work: when bridge
|
|
users configure that and specify a bridge with an identity
|
|
fingerprint, now they will lookup the bridge descriptor at the
|
|
default bridge authority via a one-hop tunnel, but once circuits
|
|
are established they will switch to a three-hop tunnel for later
|
|
connections to the bridge authority. Bugfix in 0.2.0.3-alpha.
|
|
|
|
o Major bugfixes (hidden services):
|
|
- Hidden services were choosing introduction points uniquely by
|
|
hexdigest, but when constructing the hidden service descriptor
|
|
they merely wrote the (potentially ambiguous) nickname.
|
|
- Clients now use the v2 intro format for hidden service
|
|
connections: they specify their chosen rendezvous point by identity
|
|
digest rather than by (potentially ambiguous) nickname. Both
|
|
are bugfixes on 0.1.2.x, and they could speed up hidden service
|
|
connections dramatically. Thanks to Karsten Loesing.
|
|
|
|
o Minor features (security):
|
|
- As a client, do not believe any server that tells us that an
|
|
address maps to an internal address space.
|
|
- Make it possible to enable HashedControlPassword and
|
|
CookieAuthentication at the same time.
|
|
|
|
o Minor features (guard nodes):
|
|
- Tag every guard node in our state file with the version that
|
|
we believe added it, or with our own version if we add it. This way,
|
|
if a user temporarily runs an old version of Tor and then switches
|
|
back to a new one, she doesn't automatically lose her guards.
|
|
|
|
o Minor features (speed):
|
|
- When implementing AES counter mode, update only the portions of the
|
|
counter buffer that need to change, and don't keep separate
|
|
network-order and host-order counters when they are the same (i.e.,
|
|
on big-endian hosts.)
|
|
|
|
o Minor features (controller):
|
|
- Accept LF instead of CRLF on controller, since some software has a
|
|
hard time generating real Internet newlines.
|
|
- Add GETINFO values for the server status events
|
|
"REACHABILITY_SUCCEEDED" and "GOOD_SERVER_DESCRIPTOR". Patch from
|
|
Robert Hogan.
|
|
|
|
o Removed features:
|
|
- Routers no longer include bandwidth-history lines in their
|
|
descriptors; this information is already available in extra-info
|
|
documents, and including it in router descriptors took up 60%
|
|
(!) of compressed router descriptor downloads. Completes
|
|
implementation of proposal 104.
|
|
- Remove the contrib scripts ExerciseServer.py, PathDemo.py,
|
|
and TorControl.py, as they use the old v0 controller protocol,
|
|
and are obsoleted by TorFlow anyway.
|
|
- Drop support for v1 rendezvous descriptors, since we never used
|
|
them anyway, and the code has probably rotted by now. Based on
|
|
patch from Karsten Loesing.
|
|
- On OSX, stop warning the user that kqueue support in libevent is
|
|
"experimental", since it seems to have worked fine for ages.
|
|
|
|
o Minor bugfixes:
|
|
- When generating information telling us how to extend to a given
|
|
router, do not try to include the nickname if it is absent. Fixes
|
|
bug 467. Bugfix on 0.2.0.3-alpha.
|
|
- Fix a user-triggerable (but not remotely-triggerable) segfault
|
|
in expand_filename(). Bugfix on 0.1.2.x.
|
|
- Fix a memory leak when freeing incomplete requests from DNSPort.
|
|
Found by Niels Provos with valgrind. Bugfix on 0.2.0.1-alpha.
|
|
- Don't try to access (or alter) the state file when running
|
|
--list-fingerprint or --verify-config or --hash-password. (Resolves
|
|
bug 499.) Bugfix on 0.1.2.x.
|
|
- Servers used to decline to publish their DirPort if their
|
|
BandwidthRate, RelayBandwidthRate, or MaxAdvertisedBandwidth
|
|
were below a threshold. Now they only look at BandwidthRate and
|
|
RelayBandwidthRate. Bugfix on 0.1.2.x.
|
|
- Remove an optimization in the AES counter-mode code that assumed
|
|
that the counter never exceeded 2^68. When the counter can be set
|
|
arbitrarily as an IV (as it is by Karsten's new hidden services
|
|
code), this assumption no longer holds. Bugfix on 0.1.2.x.
|
|
- Resume listing "AUTHORITY" flag for authorities in network status.
|
|
Bugfix on 0.2.0.3-alpha; reported by Alex de Joode.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Revamp file-writing logic so we don't need to have the entire
|
|
contents of a file in memory at once before we write to disk. Tor,
|
|
meet stdio.
|
|
- Turn "descriptor store" into a full-fledged type.
|
|
- Move all NT services code into a separate source file.
|
|
- Unify all code that computes medians, percentile elements, etc.
|
|
- Get rid of a needless malloc when parsing address policies.
|
|
|
|
|
|
Changes in version 0.1.2.17 - 2007-08-30
|
|
Tor 0.1.2.17 features a new Vidalia version in the Windows and OS
|
|
X bundles. Vidalia 0.0.14 makes authentication required for the
|
|
ControlPort in the default configuration, which addresses important
|
|
security risks. Everybody who uses Vidalia (or another controller)
|
|
should upgrade.
|
|
|
|
In addition, this Tor update fixes major load balancing problems with
|
|
path selection, which should speed things up a lot once many people
|
|
have upgraded.
|
|
|
|
o Major bugfixes (security):
|
|
- We removed support for the old (v0) control protocol. It has been
|
|
deprecated since Tor 0.1.1.1-alpha, and keeping it secure has
|
|
become more of a headache than it's worth.
|
|
|
|
o Major bugfixes (load balancing):
|
|
- When choosing nodes for non-guard positions, weight guards
|
|
proportionally less, since they already have enough load. Patch
|
|
from Mike Perry.
|
|
- Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
|
|
will allow fast Tor servers to get more attention.
|
|
- When we're upgrading from an old Tor version, forget our current
|
|
guards and pick new ones according to the new weightings. These
|
|
three load balancing patches could raise effective network capacity
|
|
by a factor of four. Thanks to Mike Perry for measurements.
|
|
|
|
o Major bugfixes (stream expiration):
|
|
- Expire not-yet-successful application streams in all cases if
|
|
they've been around longer than SocksTimeout. Right now there are
|
|
some cases where the stream will live forever, demanding a new
|
|
circuit every 15 seconds. Fixes bug 454; reported by lodger.
|
|
|
|
o Minor features (controller):
|
|
- Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
|
|
is valid before any authentication has been received. It tells
|
|
a controller what kind of authentication is expected, and what
|
|
protocol is spoken. Implements proposal 119.
|
|
|
|
o Minor bugfixes (performance):
|
|
- Save on most routerlist_assert_ok() calls in routerlist.c, thus
|
|
greatly speeding up loading cached-routers from disk on startup.
|
|
- Disable sentinel-based debugging for buffer code: we squashed all
|
|
the bugs that this was supposed to detect a long time ago, and now
|
|
its only effect is to change our buffer sizes from nice powers of
|
|
two (which platform mallocs tend to like) to values slightly over
|
|
powers of two (which make some platform mallocs sad).
|
|
|
|
o Minor bugfixes (misc):
|
|
- If exit bandwidth ever exceeds one third of total bandwidth, then
|
|
use the correct formula to weight exit nodes when choosing paths.
|
|
Based on patch from Mike Perry.
|
|
- Choose perfectly fairly among routers when choosing by bandwidth and
|
|
weighting by fraction of bandwidth provided by exits. Previously, we
|
|
would choose with only approximate fairness, and correct ourselves
|
|
if we ran off the end of the list.
|
|
- If we require CookieAuthentication but we fail to write the
|
|
cookie file, we would warn but not exit, and end up in a state
|
|
where no controller could authenticate. Now we exit.
|
|
- If we require CookieAuthentication, stop generating a new cookie
|
|
every time we change any piece of our config.
|
|
- Refuse to start with certain directory authority keys, and
|
|
encourage people using them to stop.
|
|
- Terminate multi-line control events properly. Original patch
|
|
from tup.
|
|
- Fix a minor memory leak when we fail to find enough suitable
|
|
servers to choose a circuit.
|
|
- Stop leaking part of the descriptor when we run into a particularly
|
|
unparseable piece of it.
|
|
|
|
|
|
Changes in version 0.2.0.6-alpha - 2007-08-26
|
|
This sixth development snapshot features a new Vidalia version in the
|
|
Windows and OS X bundles. Vidalia 0.0.14 makes authentication required for
|
|
the ControlPort in the default configuration, which addresses important
|
|
security risks.
|
|
|
|
In addition, this snapshot fixes major load balancing problems
|
|
with path selection, which should speed things up a lot once many
|
|
people have upgraded. The directory authorities also use a new
|
|
mean-time-between-failure approach to tracking which servers are stable,
|
|
rather than just looking at the most recent uptime.
|
|
|
|
o New directory authorities:
|
|
- Set up Tonga as the default bridge directory authority.
|
|
|
|
o Major features:
|
|
- Directory authorities now track servers by weighted
|
|
mean-times-between-failures. When we have 4 or more days of data,
|
|
use measured MTBF rather than declared uptime to decide whether
|
|
to call a router Stable. Implements proposal 108.
|
|
|
|
o Major bugfixes (load balancing):
|
|
- When choosing nodes for non-guard positions, weight guards
|
|
proportionally less, since they already have enough load. Patch
|
|
from Mike Perry.
|
|
- Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
|
|
will allow fast Tor servers to get more attention.
|
|
- When we're upgrading from an old Tor version, forget our current
|
|
guards and pick new ones according to the new weightings. These
|
|
three load balancing patches could raise effective network capacity
|
|
by a factor of four. Thanks to Mike Perry for measurements.
|
|
|
|
o Major bugfixes (descriptor parsing):
|
|
- Handle unexpected whitespace better in malformed descriptors. Bug
|
|
found using Benedikt Boss's new Tor fuzzer! Bugfix on 0.2.0.x.
|
|
|
|
o Minor features:
|
|
- There is now an ugly, temporary "desc/all-recent-extrainfo-hack"
|
|
GETINFO for Torstat to use until it can switch to using extrainfos.
|
|
- Optionally (if built with -DEXPORTMALLINFO) export the output
|
|
of mallinfo via http, as tor/mallinfo.txt. Only accessible
|
|
from localhost.
|
|
|
|
o Minor bugfixes:
|
|
- Do not intermix bridge routers with controller-added
|
|
routers. (Bugfix on 0.2.0.x)
|
|
- Do not fail with an assert when accept() returns an unexpected
|
|
address family. Addresses but does not wholly fix bug 483. (Bugfix
|
|
on 0.2.0.x)
|
|
- Let directory authorities startup even when they can't generate
|
|
a descriptor immediately, e.g. because they don't know their
|
|
address.
|
|
- Stop putting the authentication cookie in a file called "0"
|
|
in your working directory if you don't specify anything for the
|
|
new CookieAuthFile option. Reported by Matt Edman.
|
|
- Make it possible to read the PROTOCOLINFO response in a way that
|
|
conforms to our control-spec. Reported by Matt Edman.
|
|
- Fix a minor memory leak when we fail to find enough suitable
|
|
servers to choose a circuit. Bugfix on 0.1.2.x.
|
|
- Stop leaking part of the descriptor when we run into a particularly
|
|
unparseable piece of it. Bugfix on 0.1.2.x.
|
|
- Unmap the extrainfo cache file on exit.
|
|
|
|
|
|
Changes in version 0.2.0.5-alpha - 2007-08-19
|
|
This fifth development snapshot fixes compilation on Windows again;
|
|
fixes an obnoxious client-side bug that slowed things down and put
|
|
extra load on the network; gets us closer to using the v3 directory
|
|
voting scheme; makes it easier for Tor controllers to use cookie-based
|
|
authentication; and fixes a variety of other bugs.
|
|
|
|
o Removed features:
|
|
- Version 1 directories are no longer generated in full. Instead,
|
|
authorities generate and serve "stub" v1 directories that list
|
|
no servers. This will stop Tor versions 0.1.0.x and earlier from
|
|
working, but (for security reasons) nobody should be running those
|
|
versions anyway.
|
|
|
|
o Major bugfixes (compilation, 0.2.0.x):
|
|
- Try to fix Win32 compilation again: improve checking for IPv6 types.
|
|
- Try to fix MSVC compilation: build correctly on platforms that do
|
|
not define s6_addr16 or s6_addr32.
|
|
- Fix compile on platforms without getaddrinfo: bug found by Li-Hui
|
|
Zhou.
|
|
|
|
o Major bugfixes (stream expiration):
|
|
- Expire not-yet-successful application streams in all cases if
|
|
they've been around longer than SocksTimeout. Right now there are
|
|
some cases where the stream will live forever, demanding a new
|
|
circuit every 15 seconds. Bugfix on 0.1.2.7-alpha; fixes bug 454;
|
|
reported by lodger.
|
|
|
|
o Minor features (directory servers):
|
|
- When somebody requests a list of statuses or servers, and we have
|
|
none of those, return a 404 rather than an empty 200.
|
|
|
|
o Minor features (directory voting):
|
|
- Store v3 consensus status consensuses on disk, and reload them
|
|
on startup.
|
|
|
|
o Minor features (security):
|
|
- Warn about unsafe ControlPort configurations.
|
|
- Refuse to start with certain directory authority keys, and
|
|
encourage people using them to stop.
|
|
|
|
o Minor features (controller):
|
|
- Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
|
|
is valid before any authentication has been received. It tells
|
|
a controller what kind of authentication is expected, and what
|
|
protocol is spoken. Implements proposal 119.
|
|
- New config option CookieAuthFile to choose a new location for the
|
|
cookie authentication file, and config option
|
|
CookieAuthFileGroupReadable to make it group-readable.
|
|
|
|
o Minor features (unit testing):
|
|
- Add command-line arguments to unit-test executable so that we can
|
|
invoke any chosen test from the command line rather than having
|
|
to run the whole test suite at once; and so that we can turn on
|
|
logging for the unit tests.
|
|
|
|
o Minor bugfixes (on 0.1.2.x):
|
|
- If we require CookieAuthentication but we fail to write the
|
|
cookie file, we would warn but not exit, and end up in a state
|
|
where no controller could authenticate. Now we exit.
|
|
- If we require CookieAuthentication, stop generating a new cookie
|
|
every time we change any piece of our config.
|
|
- When loading bandwidth history, do not believe any information in
|
|
the future. Fixes bug 434.
|
|
- When loading entry guard information, do not believe any information
|
|
in the future.
|
|
- When we have our clock set far in the future and generate an
|
|
onion key, then re-set our clock to be correct, we should not stop
|
|
the onion key from getting rotated.
|
|
- Clean up torrc sample config file.
|
|
- Do not automatically run configure from autogen.sh. This
|
|
non-standard behavior tended to annoy people who have built other
|
|
programs.
|
|
|
|
o Minor bugfixes (on 0.2.0.x):
|
|
- Fix a bug with AutomapHostsOnResolve that would always cause
|
|
the second request to fail. Bug reported by Kate. Bugfix on
|
|
0.2.0.3-alpha.
|
|
- Fix a bug in ADDRMAP controller replies that would sometimes
|
|
try to print a NULL. Patch from tup.
|
|
- Read v3 directory authority keys from the right location.
|
|
- Numerous bugfixes to directory voting code.
|
|
|
|
|
|
Changes in version 0.1.2.16 - 2007-08-01
|
|
Tor 0.1.2.16 fixes a critical security vulnerability that allows a
|
|
remote attacker in certain situations to rewrite the user's torrc
|
|
configuration file. This can completely compromise anonymity of users
|
|
in most configurations, including those running the Vidalia bundles,
|
|
TorK, etc. Or worse.
|
|
|
|
o Major security fixes:
|
|
- Close immediately after missing authentication on control port;
|
|
do not allow multiple authentication attempts.
|
|
|
|
|
|
Changes in version 0.2.0.4-alpha - 2007-08-01
|
|
This fourth development snapshot fixes a critical security vulnerability
|
|
for most users, specifically those running Vidalia, TorK, etc. Everybody
|
|
should upgrade to either 0.1.2.16 or 0.2.0.4-alpha.
|
|
|
|
o Major security fixes:
|
|
- Close immediately after missing authentication on control port;
|
|
do not allow multiple authentication attempts.
|
|
|
|
o Major bugfixes (compilation):
|
|
- Fix win32 compilation: apparently IN_ADDR and IN6_ADDR are already
|
|
defined there.
|
|
|
|
o Minor features (performance):
|
|
- Be even more aggressive about releasing RAM from small
|
|
empty buffers. Thanks to our free-list code, this shouldn't be too
|
|
performance-intensive.
|
|
- Disable sentinel-based debugging for buffer code: we squashed all
|
|
the bugs that this was supposed to detect a long time ago, and
|
|
now its only effect is to change our buffer sizes from nice
|
|
powers of two (which platform mallocs tend to like) to values
|
|
slightly over powers of two (which make some platform mallocs sad).
|
|
- Log malloc statistics from mallinfo() on platforms where it
|
|
exists.
|
|
|
|
|
|
Changes in version 0.2.0.3-alpha - 2007-07-29
|
|
This third development snapshot introduces new experimental
|
|
blocking-resistance features and a preliminary version of the v3
|
|
directory voting design, and includes many other smaller features
|
|
and bugfixes.
|
|
|
|
o Major features:
|
|
- The first pieces of our "bridge" design for blocking-resistance
|
|
are implemented. People can run bridge directory authorities;
|
|
people can run bridges; and people can configure their Tor clients
|
|
with a set of bridges to use as the first hop into the Tor network.
|
|
See http://archives.seul.org/or/talk/Jul-2007/msg00249.html for
|
|
details.
|
|
- Create listener connections before we setuid to the configured
|
|
User and Group. Now non-Windows users can choose port values
|
|
under 1024, start Tor as root, and have Tor bind those ports
|
|
before it changes to another UID. (Windows users could already
|
|
pick these ports.)
|
|
- Added a new ConstrainedSockets config option to set SO_SNDBUF and
|
|
SO_RCVBUF on TCP sockets. Hopefully useful for Tor servers running
|
|
on "vserver" accounts. (Patch from coderman.)
|
|
- Be even more aggressive about separating local traffic from relayed
|
|
traffic when RelayBandwidthRate is set. (Refines proposal 111.)
|
|
|
|
o Major features (experimental):
|
|
- First cut of code for "v3 dir voting": directory authorities will
|
|
vote on a common network status document rather than each publishing
|
|
their own opinion. This code needs more testing and more corner-case
|
|
handling before it's ready for use.
|
|
|
|
o Security fixes:
|
|
- Directory authorities now call routers Fast if their bandwidth is
|
|
at least 100KB/s, and consider their bandwidth adequate to be a
|
|
Guard if it is at least 250KB/s, no matter the medians. This fix
|
|
complements proposal 107. [Bugfix on 0.1.2.x]
|
|
- Directory authorities now never mark more than 3 servers per IP as
|
|
Valid and Running. (Implements proposal 109, by Kevin Bauer and
|
|
Damon McCoy.)
|
|
- Minor change to organizationName and commonName generation
|
|
procedures in TLS certificates during Tor handshakes, to invalidate
|
|
some earlier censorware approaches. This is not a long-term
|
|
solution, but applying it will give us a bit of time to look into
|
|
the epidemiology of countermeasures as they spread.
|
|
|
|
o Major bugfixes (directory):
|
|
- Rewrite directory tokenization code to never run off the end of
|
|
a string. Fixes bug 455. Patch from croup. [Bugfix on 0.1.2.x]
|
|
|
|
o Minor features (controller):
|
|
- Add a SOURCE_ADDR field to STREAM NEW events so that controllers can
|
|
match requests to applications. (Patch from Robert Hogan.)
|
|
- Report address and port correctly on connections to DNSPort. (Patch
|
|
from Robert Hogan.)
|
|
- Add a RESOLVE command to launch hostname lookups. (Original patch
|
|
from Robert Hogan.)
|
|
- Add GETINFO status/enough-dir-info to let controllers tell whether
|
|
Tor has downloaded sufficient directory information. (Patch
|
|
from Tup.)
|
|
- You can now use the ControlSocket option to tell Tor to listen for
|
|
controller connections on Unix domain sockets on systems that
|
|
support them. (Patch from Peter Palfrader.)
|
|
- STREAM NEW events are generated for DNSPort requests and for
|
|
tunneled directory connections. (Patch from Robert Hogan.)
|
|
- New "GETINFO address-mappings/*" command to get address mappings
|
|
with expiry information. "addr-mappings/*" is now deprecated.
|
|
(Patch from Tup.)
|
|
|
|
o Minor features (misc):
|
|
- Merge in some (as-yet-unused) IPv6 address manipulation code. (Patch
|
|
from croup.)
|
|
- The tor-gencert tool for v3 directory authorities now creates all
|
|
files as readable to the file creator only, and write-protects
|
|
the authority identity key.
|
|
- When dumping memory usage, list bytes used in buffer memory
|
|
free-lists.
|
|
- When running with dmalloc, dump more stats on hup and on exit.
|
|
- Directory authorities now fail quickly and (relatively) harmlessly
|
|
if they generate a network status document that is somehow
|
|
malformed.
|
|
|
|
o Traffic load balancing improvements:
|
|
- If exit bandwidth ever exceeds one third of total bandwidth, then
|
|
use the correct formula to weight exit nodes when choosing paths.
|
|
(Based on patch from Mike Perry.)
|
|
- Choose perfectly fairly among routers when choosing by bandwidth and
|
|
weighting by fraction of bandwidth provided by exits. Previously, we
|
|
would choose with only approximate fairness, and correct ourselves
|
|
if we ran off the end of the list. [Bugfix on 0.1.2.x]
|
|
|
|
o Performance improvements:
|
|
- Be more aggressive with freeing buffer RAM or putting it on the
|
|
memory free lists.
|
|
- Use Critical Sections rather than Mutexes for synchronizing threads
|
|
on win32; Mutexes are heavier-weight, and designed for synchronizing
|
|
between processes.
|
|
|
|
o Deprecated and removed features:
|
|
- RedirectExits is now deprecated.
|
|
- Stop allowing address masks that do not correspond to bit prefixes.
|
|
We have warned about these for a really long time; now it's time
|
|
to reject them. (Patch from croup.)
|
|
|
|
o Minor bugfixes (directory):
|
|
- Fix another crash bug related to extra-info caching. (Bug found by
|
|
Peter Palfrader.) [Bugfix on 0.2.0.2-alpha]
|
|
- Directories no longer return a "304 not modified" when they don't
|
|
have the networkstatus the client asked for. Also fix a memory
|
|
leak when returning 304 not modified. [Bugfixes on 0.2.0.2-alpha]
|
|
- We had accidentally labelled 0.1.2.x directory servers as not
|
|
suitable for begin_dir requests, and had labelled no directory
|
|
servers as suitable for uploading extra-info documents. [Bugfix
|
|
on 0.2.0.1-alpha]
|
|
|
|
o Minor bugfixes (dns):
|
|
- Fix a crash when DNSPort is set more than once. (Patch from Robert
|
|
Hogan.) [Bugfix on 0.2.0.2-alpha]
|
|
- Add DNSPort connections to the global connection list, so that we
|
|
can time them out correctly. (Bug found by Robert Hogan.) [Bugfix
|
|
on 0.2.0.2-alpha]
|
|
- Fix a dangling reference that could lead to a crash when DNSPort is
|
|
changed or closed (Patch from Robert Hogan.) [Bugfix on
|
|
0.2.0.2-alpha]
|
|
|
|
o Minor bugfixes (controller):
|
|
- Provide DNS expiry times in GMT, not in local time. For backward
|
|
compatibility, ADDRMAP events only provide GMT expiry in an extended
|
|
field. "GETINFO address-mappings" always does the right thing.
|
|
- Use CRLF line endings properly in NS events.
|
|
- Terminate multi-line control events properly. (Original patch
|
|
from tup.) [Bugfix on 0.1.2.x-alpha]
|
|
- Do not include spaces in SOURCE_ADDR fields in STREAM
|
|
events. Resolves bug 472. [Bugfix on 0.2.0.x-alpha]
|
|
|
|
|
|
Changes in version 0.1.2.15 - 2007-07-17
|
|
Tor 0.1.2.15 fixes several crash bugs, fixes some anonymity-related
|
|
problems, fixes compilation on BSD, and fixes a variety of other
|
|
bugs. Everybody should upgrade.
|
|
|
|
o Major bugfixes (compilation):
|
|
- Fix compile on FreeBSD/NetBSD/OpenBSD. Oops.
|
|
|
|
o Major bugfixes (crashes):
|
|
- Try even harder not to dereference the first character after
|
|
an mmap(). Reported by lodger.
|
|
- Fix a crash bug in directory authorities when we re-number the
|
|
routerlist while inserting a new router.
|
|
- When the cached-routers file is an even multiple of the page size,
|
|
don't run off the end and crash. (Fixes bug 455; based on idea
|
|
from croup.)
|
|
- Fix eventdns.c behavior on Solaris: It is critical to include
|
|
orconfig.h _before_ sys/types.h, so that we can get the expected
|
|
definition of _FILE_OFFSET_BITS.
|
|
|
|
o Major bugfixes (security):
|
|
- Fix a possible buffer overrun when using BSD natd support. Bug
|
|
found by croup.
|
|
- When sending destroy cells from a circuit's origin, don't include
|
|
the reason for tearing down the circuit. The spec says we didn't,
|
|
and now we actually don't. Reported by lodger.
|
|
- Keep streamids from different exits on a circuit separate. This
|
|
bug may have allowed other routers on a given circuit to inject
|
|
cells into streams. Reported by lodger; fixes bug 446.
|
|
- If there's a never-before-connected-to guard node in our list,
|
|
never choose any guards past it. This way we don't expand our
|
|
guard list unless we need to.
|
|
|
|
o Minor bugfixes (guard nodes):
|
|
- Weight guard selection by bandwidth, so that low-bandwidth nodes
|
|
don't get overused as guards.
|
|
|
|
o Minor bugfixes (directory):
|
|
- Correctly count the number of authorities that recommend each
|
|
version. Previously, we were under-counting by 1.
|
|
- Fix a potential crash bug when we load many server descriptors at
|
|
once and some of them make others of them obsolete. Fixes bug 458.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Stop tearing down the whole circuit when the user asks for a
|
|
connection to a port that the hidden service didn't configure.
|
|
Resolves bug 444.
|
|
|
|
o Minor bugfixes (misc):
|
|
- On Windows, we were preventing other processes from reading
|
|
cached-routers while Tor was running. Reported by janbar.
|
|
- Fix a possible (but very unlikely) bug in picking routers by
|
|
bandwidth. Add a log message to confirm that it is in fact
|
|
unlikely. Patch from lodger.
|
|
- Backport a couple of memory leak fixes.
|
|
- Backport miscellaneous cosmetic bugfixes.
|
|
|
|
|
|
Changes in version 0.2.0.2-alpha - 2007-06-02
|
|
o Major bugfixes on 0.2.0.1-alpha:
|
|
- Fix an assertion failure related to servers without extra-info digests.
|
|
Resolves bugs 441 and 442.
|
|
|
|
o Minor features (directory):
|
|
- Support "If-Modified-Since" when answering HTTP requests for
|
|
directories, running-routers documents, and network-status documents.
|
|
(There's no need to support it for router descriptors, since those
|
|
are downloaded by descriptor digest.)
|
|
|
|
o Minor build issues:
|
|
- Clear up some MIPSPro compiler warnings.
|
|
- When building from a tarball on a machine that happens to have SVK
|
|
installed, report the micro-revision as whatever version existed
|
|
in the tarball, not as "x".
|
|
|
|
|
|
Changes in version 0.2.0.1-alpha - 2007-06-01
|
|
This early development snapshot provides new features for people running
|
|
Tor as both a client and a server (check out the new RelayBandwidth
|
|
config options); lets Tor run as a DNS proxy; and generally moves us
|
|
forward on a lot of fronts.
|
|
|
|
o Major features, server usability:
|
|
- New config options RelayBandwidthRate and RelayBandwidthBurst:
|
|
a separate set of token buckets for relayed traffic. Right now
|
|
relayed traffic is defined as answers to directory requests, and
|
|
OR connections that don't have any local circuits on them.
|
|
|
|
o Major features, client usability:
|
|
- A client-side DNS proxy feature to replace the need for
|
|
dns-proxy-tor: Just set "DNSPort 9999", and Tor will now listen
|
|
for DNS requests on port 9999, use the Tor network to resolve them
|
|
anonymously, and send the reply back like a regular DNS server.
|
|
The code still only implements a subset of DNS.
|
|
- Make PreferTunneledDirConns and TunnelDirConns work even when
|
|
we have no cached directory info. This means Tor clients can now
|
|
do all of their connections protected by TLS.
|
|
|
|
o Major features, performance and efficiency:
|
|
- Directory authorities accept and serve "extra info" documents for
|
|
routers. These documents contain fields from router descriptors
|
|
that aren't usually needed, and that use a lot of excess
|
|
bandwidth. Once these fields are removed from router descriptors,
|
|
the bandwidth savings should be about 60%. [Partially implements
|
|
proposal 104.]
|
|
- Servers upload extra-info documents to any authority that accepts
|
|
them. Authorities (and caches that have been configured to download
|
|
extra-info documents) download them as needed. [Partially implements
|
|
proposal 104.]
|
|
- Change the way that Tor buffers data that it is waiting to write.
|
|
Instead of queueing data cells in an enormous ring buffer for each
|
|
client->OR or OR->OR connection, we now queue cells on a separate
|
|
queue for each circuit. This lets us use less slack memory, and
|
|
will eventually let us be smarter about prioritizing different kinds
|
|
of traffic.
|
|
- Use memory pools to allocate cells with better speed and memory
|
|
efficiency, especially on platforms where malloc() is inefficient.
|
|
- Stop reading on edge connections when their corresponding circuit
|
|
buffers are full; start again as the circuits empty out.
|
|
|
|
o Major features, other:
|
|
- Add an HSAuthorityRecordStats option that hidden service authorities
|
|
can use to track statistics of overall hidden service usage without
|
|
logging information that would be very useful to an attacker.
|
|
- Start work implementing multi-level keys for directory authorities:
|
|
Add a standalone tool to generate key certificates. (Proposal 103.)
|
|
|
|
o Security fixes:
|
|
- Directory authorities now call routers Stable if they have an
|
|
uptime of at least 30 days, even if that's not the median uptime
|
|
in the network. Implements proposal 107, suggested by Kevin Bauer
|
|
and Damon McCoy.
|
|
|
|
o Minor fixes (resource management):
|
|
- Count the number of open sockets separately from the number
|
|
of active connection_t objects. This will let us avoid underusing
|
|
our allocated connection limit.
|
|
- We no longer use socket pairs to link an edge connection to an
|
|
anonymous directory connection or a DirPort test connection.
|
|
Instead, we track the link internally and transfer the data
|
|
in-process. This saves two sockets per "linked" connection (at the
|
|
client and at the server), and avoids the nasty Windows socketpair()
|
|
workaround.
|
|
- Keep unused 4k and 16k buffers on free lists, rather than wasting 8k
|
|
for every single inactive connection_t. Free items from the
|
|
4k/16k-buffer free lists when they haven't been used for a while.
|
|
|
|
o Minor features (build):
|
|
- Make autoconf search for libevent, openssl, and zlib consistently.
|
|
- Update deprecated macros in configure.in.
|
|
- When warning about missing headers, tell the user to let us
|
|
know if the compile succeeds anyway, so we can downgrade the
|
|
warning.
|
|
- Include the current subversion revision as part of the version
|
|
string: either fetch it directly if we're in an SVN checkout, do
|
|
some magic to guess it if we're in an SVK checkout, or use
|
|
the last-detected version if we're building from a .tar.gz.
|
|
Use this version consistently in log messages.
|
|
|
|
o Minor features (logging):
|
|
- Always prepend "Bug: " to any log message about a bug.
|
|
- Put a platform string (e.g. "Linux i686") in the startup log
|
|
message, so when people paste just their logs, we know if it's
|
|
OpenBSD or Windows or what.
|
|
- When logging memory usage, break down memory used in buffers by
|
|
buffer type.
|
|
|
|
o Minor features (directory system):
|
|
- New config option V2AuthoritativeDirectory that all directory
|
|
authorities should set. This will let future authorities choose
|
|
not to serve V2 directory information.
|
|
- Directory authorities allow multiple router descriptors and/or extra
|
|
info documents to be uploaded in a single go. This will make
|
|
implementing proposal 104 simpler.
|
|
|
|
o Minor features (controller):
|
|
- Add a new config option __DisablePredictedCircuits designed for
|
|
use by the controller, when we don't want Tor to build any circuits
|
|
preemptively.
|
|
- Let the controller specify HOP=%d as an argument to ATTACHSTREAM,
|
|
so we can exit from the middle of the circuit.
|
|
- Implement "getinfo status/circuit-established".
|
|
- Implement "getinfo status/version/..." so a controller can tell
|
|
whether the current version is recommended, and whether any versions
|
|
are good, and how many authorities agree. (Patch from shibz.)
|
|
|
|
o Minor features (hidden services):
|
|
- Allow multiple HiddenServicePort directives with the same virtual
|
|
port; when they occur, the user is sent round-robin to one
|
|
of the target ports chosen at random. Partially fixes bug 393 by
|
|
adding limited ad-hoc round-robining.
|
|
|
|
o Minor features (other):
|
|
- More unit tests.
|
|
- Add a new AutomapHostsOnResolve option: when it is enabled, any
|
|
resolve request for hosts matching a given pattern causes Tor to
|
|
generate an internal virtual address mapping for that host. This
|
|
allows DNSPort to work sensibly with hidden service users. By
|
|
default, .exit and .onion addresses are remapped; the list of
|
|
patterns can be reconfigured with AutomapHostsSuffixes.
|
|
- Add an "-F" option to tor-resolve to force a resolve for a .onion
|
|
address. Thanks to the AutomapHostsOnResolve option, this is no
|
|
longer a completely silly thing to do.
|
|
- If Tor is invoked from something that isn't a shell (e.g. Vidalia),
|
|
now we expand "-f ~/.tor/torrc" correctly. Suggested by Matt Edman.
|
|
- Treat "2gb" when given in torrc for a bandwidth as meaning 2gb,
|
|
minus 1 byte: the actual maximum declared bandwidth.
|
|
|
|
o Removed features:
|
|
- Removed support for the old binary "version 0" controller protocol.
|
|
This has been deprecated since 0.1.1, and warnings have been issued
|
|
since 0.1.2. When we encounter a v0 control message, we now send
|
|
back an error and close the connection.
|
|
- Remove the old "dns worker" server DNS code: it hasn't been default
|
|
since 0.1.2.2-alpha, and all the servers seem to be using the new
|
|
eventdns code.
|
|
|
|
o Minor bugfixes (portability):
|
|
- Even though Windows is equally happy with / and \ as path separators,
|
|
try to use \ consistently on Windows and / consistently on Unix: it
|
|
makes the log messages nicer.
|
|
- Correctly report platform name on Windows 95 OSR2 and Windows 98 SE.
|
|
- Read resolv.conf files correctly on platforms where read() returns
|
|
partial results on small file reads.
|
|
|
|
o Minor bugfixes (directory):
|
|
- Correctly enforce that elements of directory objects do not appear
|
|
more often than they are allowed to appear.
|
|
- When we are reporting the DirServer line we just parsed, we were
|
|
logging the second stanza of the key fingerprint, not the first.
|
|
|
|
o Minor bugfixes (logging):
|
|
- When we hit an EOF on a log (probably because we're shutting down),
|
|
don't try to remove the log from the list: just mark it as
|
|
unusable. (Bulletproofs against bug 222.)
|
|
|
|
o Minor bugfixes (other):
|
|
- In the exitlist script, only consider the most recently published
|
|
server descriptor for each server. Also, when the user requests
|
|
a list of servers that _reject_ connections to a given address,
|
|
explicitly exclude the IPs that also have servers that accept
|
|
connections to that address. (Resolves bug 405.)
|
|
- Stop allowing hibernating servers to be "stable" or "fast".
|
|
- On Windows, we were preventing other processes from reading
|
|
cached-routers while Tor was running. (Reported by janbar)
|
|
- Make the NodeFamilies config option work. (Reported by
|
|
lodger -- it has never actually worked, even though we added it
|
|
in Oct 2004.)
|
|
- Check return values from pthread_mutex functions.
|
|
- Don't save non-general-purpose router descriptors to the disk cache,
|
|
because we have no way of remembering what their purpose was when
|
|
we restart.
|
|
- Add even more asserts to hunt down bug 417.
|
|
- Build without verbose warnings even on (not-yet-released) gcc 4.2.
|
|
- Fix a possible (but very unlikely) bug in picking routers by bandwidth.
|
|
Add a log message to confirm that it is in fact unlikely.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Make 'getinfo fingerprint' return a 551 error if we're not a
|
|
server, so we match what the control spec claims we do. Reported
|
|
by daejees.
|
|
- Fix a typo in an error message when extendcircuit fails that
|
|
caused us to not follow the \r\n-based delimiter protocol. Reported
|
|
by daejees.
|
|
|
|
o Code simplifications and refactoring:
|
|
- Stop passing around circuit_t and crypt_path_t pointers that are
|
|
implicit in other procedure arguments.
|
|
- Drop the old code to choke directory connections when the
|
|
corresponding OR connections got full: thanks to the cell queue
|
|
feature, OR conns don't get full any more.
|
|
- Make dns_resolve() handle attaching connections to circuits
|
|
properly, so the caller doesn't have to.
|
|
- Rename wants_to_read and wants_to_write to read/write_blocked_on_bw.
|
|
- Keep the connection array as a dynamic smartlist_t, rather than as
|
|
a fixed-sized array. This is important, as the number of connections
|
|
is becoming increasingly decoupled from the number of sockets.
|
|
|
|
|
|
Changes in version 0.1.2.14 - 2007-05-25
|
|
Tor 0.1.2.14 changes the addresses of two directory authorities (this
|
|
change especially affects those who serve or use hidden services),
|
|
and fixes several other crash- and security-related bugs.
|
|
|
|
o Directory authority changes:
|
|
- Two directory authorities (moria1 and moria2) just moved to new
|
|
IP addresses. This change will particularly affect those who serve
|
|
or use hidden services.
|
|
|
|
o Major bugfixes (crashes):
|
|
- If a directory server runs out of space in the connection table
|
|
as it's processing a begin_dir request, it will free the exit stream
|
|
but leave it attached to the circuit, leading to unpredictable
|
|
behavior. (Reported by seeess, fixes bug 425.)
|
|
- Fix a bug in dirserv_remove_invalid() that would cause authorities
|
|
to corrupt memory under some really unlikely scenarios.
|
|
- Tighten router parsing rules. (Bugs reported by Benedikt Boss.)
|
|
- Avoid segfaults when reading from mmaped descriptor file. (Reported
|
|
by lodger.)
|
|
|
|
o Major bugfixes (security):
|
|
- When choosing an entry guard for a circuit, avoid using guards
|
|
that are in the same family as the chosen exit -- not just guards
|
|
that are exactly the chosen exit. (Reported by lodger.)
|
|
|
|
o Major bugfixes (resource management):
|
|
- If a directory authority is down, skip it when deciding where to get
|
|
networkstatus objects or descriptors. Otherwise we keep asking
|
|
every 10 seconds forever. Fixes bug 384.
|
|
- Count it as a failure if we fetch a valid network-status but we
|
|
don't want to keep it. Otherwise we'll keep fetching it and keep
|
|
not wanting to keep it. Fixes part of bug 422.
|
|
- If all of our dirservers have given us bad or no networkstatuses
|
|
lately, then stop hammering them once per minute even when we
|
|
think they're failed. Fixes another part of bug 422.
|
|
|
|
o Minor bugfixes:
|
|
- Actually set the purpose correctly for descriptors inserted with
|
|
purpose=controller.
|
|
- When we have k non-v2 authorities in our DirServer config,
|
|
we ignored the last k authorities in the list when updating our
|
|
network-statuses.
|
|
- Correctly back-off from requesting router descriptors that we are
|
|
having a hard time downloading.
|
|
- Read resolv.conf files correctly on platforms where read() returns
|
|
partial results on small file reads.
|
|
- Don't rebuild the entire router store every time we get 32K of
|
|
routers: rebuild it when the journal gets very large, or when
|
|
the gaps in the store get very large.
|
|
|
|
o Minor features:
|
|
- When routers publish SVN revisions in their router descriptors,
|
|
authorities now include those versions correctly in networkstatus
|
|
documents.
|
|
- Warn when using a version of libevent before 1.3b to run a server on
|
|
OSX or BSD: these versions interact badly with userspace threads.
|
|
|
|
|
|
Changes in version 0.1.2.13 - 2007-04-24
|
|
This release features some major anonymity fixes, such as safer path
|
|
selection; better client performance; faster bootstrapping, better
|
|
address detection, and better DNS support for servers; write limiting as
|
|
well as read limiting to make servers easier to run; and a huge pile of
|
|
other features and bug fixes. The bundles also ship with Vidalia 0.0.11.
|
|
|
|
Tor 0.1.2.13 is released in memory of Rob Levin (1955-2006), aka lilo
|
|
of the Freenode IRC network, remembering his patience and vision for
|
|
free speech on the Internet.
|
|
|
|
o Minor fixes:
|
|
- Fix a memory leak when we ask for "all" networkstatuses and we
|
|
get one we don't recognize.
|
|
- Add more asserts to hunt down bug 417.
|
|
- Disable kqueue on OS X 10.3 and earlier, to fix bug 371.
|
|
|
|
|
|
Changes in version 0.1.2.12-rc - 2007-03-16
|
|
o Major bugfixes:
|
|
- Fix an infinite loop introduced in 0.1.2.7-alpha when we serve
|
|
directory information requested inside Tor connections (i.e. via
|
|
begin_dir cells). It only triggered when the same connection was
|
|
serving other data at the same time. Reported by seeess.
|
|
|
|
o Minor bugfixes:
|
|
- When creating a circuit via the controller, send a 'launched'
|
|
event when we're done, so we follow the spec better.
|
|
|
|
|
|
Changes in version 0.1.2.11-rc - 2007-03-15
|
|
o Minor bugfixes (controller), reported by daejees:
|
|
- Correct the control spec to match how the code actually responds
|
|
to 'getinfo addr-mappings/*'.
|
|
- The control spec described a GUARDS event, but the code
|
|
implemented a GUARD event. Standardize on GUARD, but let people
|
|
ask for GUARDS too.
|
|
|
|
|
|
Changes in version 0.1.2.10-rc - 2007-03-07
|
|
o Major bugfixes (Windows):
|
|
- Do not load the NT services library functions (which may not exist)
|
|
just to detect if we're a service trying to shut down. Now we run
|
|
on Win98 and friends again.
|
|
|
|
o Minor bugfixes (other):
|
|
- Clarify a couple of log messages.
|
|
- Fix a misleading socks5 error number.
|
|
|
|
|
|
Changes in version 0.1.2.9-rc - 2007-03-02
|
|
o Major bugfixes (Windows):
|
|
- On MinGW, use "%I64u" to printf/scanf 64-bit integers, instead
|
|
of the usual GCC "%llu". This prevents a bug when saving 64-bit
|
|
int configuration values: the high-order 32 bits would get
|
|
truncated. In particular, we were being bitten by the default
|
|
MaxAdvertisedBandwidth of 128 TB turning into 0. (Fixes bug 400
|
|
and maybe also bug 397.)
|
|
|
|
o Minor bugfixes (performance):
|
|
- Use OpenSSL's AES implementation on platforms where it's faster.
|
|
This could save us as much as 10% CPU usage.
|
|
|
|
o Minor bugfixes (server):
|
|
- Do not rotate onion key immediately after setting it for the first
|
|
time.
|
|
|
|
o Minor bugfixes (directory authorities):
|
|
- Stop calling servers that have been hibernating for a long time
|
|
"stable". Also, stop letting hibernating or obsolete servers affect
|
|
uptime and bandwidth cutoffs.
|
|
- Stop listing hibernating servers in the v1 directory.
|
|
|
|
o Minor bugfixes (hidden services):
|
|
- Upload hidden service descriptors slightly less often, to reduce
|
|
load on authorities.
|
|
|
|
o Minor bugfixes (other):
|
|
- Fix an assert that could trigger if a controller quickly set then
|
|
cleared EntryNodes. Bug found by Udo van den Heuvel.
|
|
- On architectures where sizeof(int)>4, still clamp declarable bandwidth
|
|
to INT32_MAX.
|
|
- Fix a potential race condition in the rpm installer. Found by
|
|
Stefan Nordhausen.
|
|
- Try to fix eventdns warnings once and for all: do not treat a dns rcode
|
|
of 2 as indicating that the server is completely bad; it sometimes
|
|
means that the server is just bad for the request in question. (may fix
|
|
the last of bug 326.)
|
|
- Disable encrypted directory connections when we don't have a server
|
|
descriptor for the destination. We'll get this working again in
|
|
the 0.2.0 branch.
|
|
|
|
|
|
Changes in version 0.1.2.8-beta - 2007-02-26
|
|
o Major bugfixes (crashes):
|
|
- Stop crashing when the controller asks us to resetconf more than
|
|
one config option at once. (Vidalia 0.0.11 does this.)
|
|
- Fix a crash that happened on Win98 when we're given command-line
|
|
arguments: don't try to load NT service functions from advapi32.dll
|
|
except when we need them. (Bug introduced in 0.1.2.7-alpha;
|
|
resolves bug 389.)
|
|
- Fix a longstanding obscure crash bug that could occur when
|
|
we run out of DNS worker processes. (Resolves bug 390.)
|
|
|
|
o Major bugfixes (hidden services):
|
|
- Correctly detect whether hidden service descriptor downloads are
|
|
in-progress. (Suggested by Karsten Loesing; fixes bug 399.)
|
|
|
|
o Major bugfixes (accounting):
|
|
- When we start during an accounting interval before it's time to wake
|
|
up, remember to wake up at the correct time. (May fix bug 342.)
|
|
|
|
o Minor bugfixes (controller):
|
|
- Give the controller END_STREAM_REASON_DESTROY events _before_ we
|
|
clear the corresponding on_circuit variable, and remember later
|
|
that we don't need to send a redundant CLOSED event. Resolves part
|
|
3 of bug 367.
|
|
- Report events where a resolve succeeded or where we got a socks
|
|
protocol error correctly, rather than calling both of them
|
|
"INTERNAL".
|
|
- Change reported stream target addresses to IP consistently when
|
|
we finally get the IP from an exit node.
|
|
- Send log messages to the controller even if they happen to be very
|
|
long.
|
|
|
|
o Minor bugfixes (other):
|
|
- Display correct results when reporting which versions are
|
|
recommended, and how recommended they are. (Resolves bug 383.)
|
|
- Improve our estimates for directory bandwidth to be less random:
|
|
guess that an unrecognized directory will have the average bandwidth
|
|
from all known directories, not that it will have the average
|
|
bandwidth from those directories earlier than it on the list.
|
|
- If we start a server with ClientOnly 1, then set ClientOnly to 0
|
|
and hup, stop triggering an assert based on an empty onion_key.
|
|
- On platforms with no working mmap() equivalent, don't warn the
|
|
user when cached-routers doesn't exist.
|
|
- Warn the user when mmap() [or its equivalent] fails for some reason
|
|
other than file-not-found.
|
|
- Don't warn the user when cached-routers.new doesn't exist: that's
|
|
perfectly fine when starting up for the first time.
|
|
- When EntryNodes are configured, rebuild the guard list to contain,
|
|
in order: the EntryNodes that were guards before; the rest of the
|
|
EntryNodes; the nodes that were guards before.
|
|
- Mask out all signals in sub-threads; only the libevent signal
|
|
handler should be processing them. This should prevent some crashes
|
|
on some machines using pthreads. (Patch from coderman.)
|
|
- Fix switched arguments on memset in the implementation of
|
|
tor_munmap() for systems with no mmap() call.
|
|
- When Tor receives a router descriptor that it asked for, but
|
|
no longer wants (because it has received fresh networkstatuses
|
|
in the meantime), do not warn the user. Cache the descriptor if
|
|
we're a cache; drop it if we aren't.
|
|
- Make earlier entry guards _really_ get retried when the network
|
|
comes back online.
|
|
- On a malformed DNS reply, always give an error to the corresponding
|
|
DNS request.
|
|
- Build with recent libevents on platforms that do not define the
|
|
nonstandard types "u_int8_t" and friends.
|
|
|
|
o Minor features (controller):
|
|
- Warn the user when an application uses the obsolete binary v0
|
|
control protocol. We're planning to remove support for it during
|
|
the next development series, so it's good to give people some
|
|
advance warning.
|
|
- Add STREAM_BW events to report per-entry-stream bandwidth
|
|
use. (Patch from Robert Hogan.)
|
|
- Rate-limit SIGNEWNYM signals in response to controllers that
|
|
impolitely generate them for every single stream. (Patch from
|
|
mwenge; closes bug 394.)
|
|
- Make REMAP stream events have a SOURCE (cache or exit), and
|
|
make them generated in every case where we get a successful
|
|
connected or resolved cell.
|
|
|
|
o Minor bugfixes (performance):
|
|
- Call router_have_min_dir_info half as often. (This is showing up in
|
|
some profiles, but not others.)
|
|
- When using GCC, make log_debug never get called at all, and its
|
|
arguments never get evaluated, when no debug logs are configured.
|
|
(This is showing up in some profiles, but not others.)
|
|
|
|
o Minor features:
|
|
- Remove some never-implemented options. Mark PathlenCoinWeight as
|
|
obsolete.
|
|
- Implement proposal 106: Stop requiring clients to have well-formed
|
|
certificates; stop checking nicknames in certificates. (Clients
|
|
have certificates so that they can look like Tor servers, but in
|
|
the future we might want to allow them to look like regular TLS
|
|
clients instead. Nicknames in certificates serve no purpose other
|
|
than making our protocol easier to recognize on the wire.)
|
|
- Revise messages on handshake failure again to be even more clear about
|
|
which are incoming connections and which are outgoing.
|
|
- Discard any v1 directory info that's over 1 month old (for
|
|
directories) or over 1 week old (for running-routers lists).
|
|
- Do not warn when individual nodes in the configuration's EntryNodes,
|
|
ExitNodes, etc are down: warn only when all possible nodes
|
|
are down. (Fixes bug 348.)
|
|
- Always remove expired routers and networkstatus docs before checking
|
|
whether we have enough information to build circuits. (Fixes
|
|
bug 373.)
|
|
- Put a lower-bound on MaxAdvertisedBandwidth.
|
|
|
|
|
|
Changes in version 0.1.2.7-alpha - 2007-02-06
|
|
o Major bugfixes (rate limiting):
|
|
- Servers decline directory requests much more aggressively when
|
|
they're low on bandwidth. Otherwise they end up queueing more and
|
|
more directory responses, which can't be good for latency.
|
|
- But never refuse directory requests from local addresses.
|
|
- Fix a memory leak when sending a 503 response for a networkstatus
|
|
request.
|
|
- Be willing to read or write on local connections (e.g. controller
|
|
connections) even when the global rate limiting buckets are empty.
|
|
- If our system clock jumps back in time, don't publish a negative
|
|
uptime in the descriptor. Also, don't let the global rate limiting
|
|
buckets go absurdly negative.
|
|
- Flush local controller connection buffers periodically as we're
|
|
writing to them, so we avoid queueing 4+ megabytes of data before
|
|
trying to flush.
|
|
|
|
o Major bugfixes (NT services):
|
|
- Install as NT_AUTHORITY\LocalService rather than as SYSTEM; add a
|
|
command-line flag so that admins can override the default by saying
|
|
"tor --service install --user "SomeUser"". This will not affect
|
|
existing installed services. Also, warn the user that the service
|
|
will look for its configuration file in the service user's
|
|
%appdata% directory. (We can't do the 'hardwire the user's appdata
|
|
directory' trick any more, since we may not have read access to that
|
|
directory.)
|
|
|
|
o Major bugfixes (other):
|
|
- Previously, we would cache up to 16 old networkstatus documents
|
|
indefinitely, if they came from nontrusted authorities. Now we
|
|
discard them if they are more than 10 days old.
|
|
- Fix a crash bug in the presence of DNS hijacking (reported by Andrew
|
|
Del Vecchio).
|
|
- Detect and reject malformed DNS responses containing circular
|
|
pointer loops.
|
|
- If exits are rare enough that we're not marking exits as guards,
|
|
ignore exit bandwidth when we're deciding the required bandwidth
|
|
to become a guard.
|
|
- When we're handling a directory connection tunneled over Tor,
|
|
don't fill up internal memory buffers with all the data we want
|
|
to tunnel; instead, only add it if the OR connection that will
|
|
eventually receive it has some room for it. (This can lead to
|
|
slowdowns in tunneled dir connections; a better solution will have
|
|
to wait for 0.2.0.)
|
|
|
|
o Minor bugfixes (dns):
|
|
- Add some defensive programming to eventdns.c in an attempt to catch
|
|
possible memory-stomping bugs.
|
|
- Detect and reject DNS replies containing IPv4 or IPv6 records with
|
|
an incorrect number of bytes. (Previously, we would ignore the
|
|
extra bytes.)
|
|
- Fix as-yet-unused reverse IPv6 lookup code so it sends nybbles
|
|
in the correct order, and doesn't crash.
|
|
- Free memory held in recently-completed DNS lookup attempts on exit.
|
|
This was not a memory leak, but may have been hiding memory leaks.
|
|
- Handle TTL values correctly on reverse DNS lookups.
|
|
- Treat failure to parse resolv.conf as an error.
|
|
|
|
o Minor bugfixes (other):
|
|
- Fix crash with "tor --list-fingerprint" (reported by seeess).
|
|
- When computing clock skew from directory HTTP headers, consider what
|
|
time it was when we finished asking for the directory, not what
|
|
time it is now.
|
|
- Expire socks connections if they spend too long waiting for the
|
|
handshake to finish. Previously we would let them sit around for
|
|
days, if the connecting application didn't close them either.
|
|
- And if the socks handshake hasn't started, don't send a
|
|
"DNS resolve socks failed" handshake reply; just close it.
|
|
- Stop using C functions that OpenBSD's linker doesn't like.
|
|
- Don't launch requests for descriptors unless we have networkstatuses
|
|
from at least half of the authorities. This delays the first
|
|
download slightly under pathological circumstances, but can prevent
|
|
us from downloading a bunch of descriptors we don't need.
|
|
- Do not log IPs with TLS failures for incoming TLS
|
|
connections. (Fixes bug 382.)
|
|
- If the user asks to use invalid exit nodes, be willing to use
|
|
unstable ones.
|
|
- Stop using the reserved ac_cv namespace in our configure script.
|
|
- Call stat() slightly less often; use fstat() when possible.
|
|
- Refactor the way we handle pending circuits when an OR connection
|
|
completes or fails, in an attempt to fix a rare crash bug.
|
|
- Only rewrite a conn's address based on X-Forwarded-For: headers
|
|
if it's a parseable public IP address; and stop adding extra quotes
|
|
to the resulting address.
|
|
|
|
o Major features:
|
|
- Weight directory requests by advertised bandwidth. Now we can
|
|
let servers enable write limiting but still allow most clients to
|
|
succeed at their directory requests. (We still ignore weights when
|
|
choosing a directory authority; I hope this is a feature.)
|
|
|
|
o Minor features:
|
|
- Create a new file ReleaseNotes which was the old ChangeLog. The
|
|
new ChangeLog file now includes the summaries for all development
|
|
versions too.
|
|
- Check for addresses with invalid characters at the exit as well
|
|
as at the client, and warn less verbosely when they fail. You can
|
|
override this by setting ServerDNSAllowNonRFC953Addresses to 1.
|
|
- Adapt a patch from goodell to let the contrib/exitlist script
|
|
take arguments rather than require direct editing.
|
|
- Inform the server operator when we decide not to advertise a
|
|
DirPort due to AccountingMax enabled or a low BandwidthRate. It
|
|
was confusing Zax, so now we're hopefully more helpful.
|
|
- Bring us one step closer to being able to establish an encrypted
|
|
directory tunnel without knowing a descriptor first. Still not
|
|
ready yet. As part of the change, now assume we can use a
|
|
create_fast cell if we don't know anything about a router.
|
|
- Allow exit nodes to use nameservers running on ports other than 53.
|
|
- Servers now cache reverse DNS replies.
|
|
- Add an --ignore-missing-torrc command-line option so that we can
|
|
get the "use sensible defaults if the configuration file doesn't
|
|
exist" behavior even when specifying a torrc location on the command
|
|
line.
|
|
|
|
o Minor features (controller):
|
|
- Track reasons for OR connection failure; make these reasons
|
|
available via the controller interface. (Patch from Mike Perry.)
|
|
- Add a SOCKS_BAD_HOSTNAME client status event so controllers
|
|
can learn when clients are sending malformed hostnames to Tor.
|
|
- Clean up documentation for controller status events.
|
|
- Add a REMAP status to stream events to note that a stream's
|
|
address has changed because of a cached address or a MapAddress
|
|
directive.
|
|
|
|
|
|
Changes in version 0.1.2.6-alpha - 2007-01-09
|
|
o Major bugfixes:
|
|
- Fix an assert error introduced in 0.1.2.5-alpha: if a single TLS
|
|
connection handles more than 4 gigs in either direction, we crash.
|
|
- Fix an assert error introduced in 0.1.2.5-alpha: if we're an
|
|
advertised exit node, somebody might try to exit from us when
|
|
we're bootstrapping and before we've built our descriptor yet.
|
|
Refuse the connection rather than crashing.
|
|
|
|
o Minor bugfixes:
|
|
- Warn if we (as a server) find that we've resolved an address that we
|
|
weren't planning to resolve.
|
|
- Warn that using select() on any libevent version before 1.1 will be
|
|
unnecessarily slow (even for select()).
|
|
- Flush ERR-level controller status events just like we currently
|
|
flush ERR-level log events, so that a Tor shutdown doesn't prevent
|
|
the controller from learning about current events.
|
|
|
|
o Minor features (more controller status events):
|
|
- Implement EXTERNAL_ADDRESS server status event so controllers can
|
|
learn when our address changes.
|
|
- Implement BAD_SERVER_DESCRIPTOR server status event so controllers
|
|
can learn when directories reject our descriptor.
|
|
- Implement SOCKS_UNKNOWN_PROTOCOL client status event so controllers
|
|
can learn when a client application is speaking a non-socks protocol
|
|
to our SocksPort.
|
|
- Implement DANGEROUS_SOCKS client status event so controllers
|
|
can learn when a client application is leaking DNS addresses.
|
|
- Implement BUG general status event so controllers can learn when
|
|
Tor is unhappy about its internal invariants.
|
|
- Implement CLOCK_SKEW general status event so controllers can learn
|
|
when Tor thinks the system clock is set incorrectly.
|
|
- Implement GOOD_SERVER_DESCRIPTOR and ACCEPTED_SERVER_DESCRIPTOR
|
|
server status events so controllers can learn when their descriptors
|
|
are accepted by a directory.
|
|
- Implement CHECKING_REACHABILITY and REACHABILITY_{SUCCEEDED|FAILED}
|
|
server status events so controllers can learn about Tor's progress in
|
|
deciding whether it's reachable from the outside.
|
|
- Implement BAD_LIBEVENT general status event so controllers can learn
|
|
when we have a version/method combination in libevent that needs to
|
|
be changed.
|
|
- Implement NAMESERVER_STATUS, NAMESERVER_ALL_DOWN, DNS_HIJACKED,
|
|
and DNS_USELESS server status events so controllers can learn
|
|
about changes to DNS server status.
|
|
|
|
o Minor features (directory):
|
|
- Authorities no longer recommend exits as guards if this would shift
|
|
too much load to the exit nodes.
|
|
|
|
|
|
Changes in version 0.1.2.5-alpha - 2007-01-06
|
|
o Major features:
|
|
- Enable write limiting as well as read limiting. Now we sacrifice
|
|
capacity if we're pushing out lots of directory traffic, rather
|
|
than overrunning the user's intended bandwidth limits.
|
|
- Include TLS overhead when counting bandwidth usage; previously, we
|
|
would count only the bytes sent over TLS, but not the bytes used
|
|
to send them.
|
|
- Support running the Tor service with a torrc not in the same
|
|
directory as tor.exe and default to using the torrc located in
|
|
the %appdata%\Tor\ of the user who installed the service. Patch
|
|
from Matt Edman.
|
|
- Servers now check for the case when common DNS requests are going to
|
|
wildcarded addresses (i.e. all getting the same answer), and change
|
|
their exit policy to reject *:* if it's happening.
|
|
- Implement BEGIN_DIR cells, so we can connect to the directory
|
|
server via TLS to do encrypted directory requests rather than
|
|
plaintext. Enable via the TunnelDirConns and PreferTunneledDirConns
|
|
config options if you like.
|
|
|
|
o Minor features (config and docs):
|
|
- Start using the state file to store bandwidth accounting data:
|
|
the bw_accounting file is now obsolete. We'll keep generating it
|
|
for a while for people who are still using 0.1.2.4-alpha.
|
|
- Try to batch changes to the state file so that we do as few
|
|
disk writes as possible while still storing important things in
|
|
a timely fashion.
|
|
- The state file and the bw_accounting file get saved less often when
|
|
the AvoidDiskWrites config option is set.
|
|
- Make PIDFile work on Windows (untested).
|
|
- Add internal descriptions for a bunch of configuration options:
|
|
accessible via controller interface and in comments in saved
|
|
options files.
|
|
- Reject *:563 (NNTPS) in the default exit policy. We already reject
|
|
NNTP by default, so this seems like a sensible addition.
|
|
- Clients now reject hostnames with invalid characters. This should
|
|
avoid some inadvertent info leaks. Add an option
|
|
AllowNonRFC953Hostnames to disable this behavior, in case somebody
|
|
is running a private network with hosts called @, !, and #.
|
|
- Add a maintainer script to tell us which options are missing
|
|
documentation: "make check-docs".
|
|
- Add a new address-spec.txt document to describe our special-case
|
|
addresses: .exit, .onion, and .noconnnect.
|
|
|
|
o Minor features (DNS):
|
|
- Ongoing work on eventdns infrastructure: now it has dns server
|
|
and ipv6 support. One day Tor will make use of it.
|
|
- Add client-side caching for reverse DNS lookups.
|
|
- Add support to tor-resolve tool for reverse lookups and SOCKS5.
|
|
- When we change nameservers or IP addresses, reset and re-launch
|
|
our tests for DNS hijacking.
|
|
|
|
o Minor features (directory):
|
|
- Authorities now specify server versions in networkstatus. This adds
|
|
about 2% to the size of compressed networkstatus docs, and allows
|
|
clients to tell which servers support BEGIN_DIR and which don't.
|
|
The implementation is forward-compatible with a proposed future
|
|
protocol version scheme not tied to Tor versions.
|
|
- DirServer configuration lines now have an orport= option so
|
|
clients can open encrypted tunnels to the authorities without
|
|
having downloaded their descriptors yet. Enabled for moria1,
|
|
moria2, tor26, and lefkada now in the default configuration.
|
|
- Directory servers are more willing to send a 503 "busy" if they
|
|
are near their write limit, especially for v1 directory requests.
|
|
Now they can use their limited bandwidth for actual Tor traffic.
|
|
- Clients track responses with status 503 from dirservers. After a
|
|
dirserver has given us a 503, we try not to use it until an hour has
|
|
gone by, or until we have no dirservers that haven't given us a 503.
|
|
- When we get a 503 from a directory, and we're not a server, we don't
|
|
count the failure against the total number of failures allowed
|
|
for the thing we're trying to download.
|
|
- Report X-Your-Address-Is correctly from tunneled directory
|
|
connections; don't report X-Your-Address-Is when it's an internal
|
|
address; and never believe reported remote addresses when they're
|
|
internal.
|
|
- Protect against an unlikely DoS attack on directory servers.
|
|
- Add a BadDirectory flag to network status docs so that authorities
|
|
can (eventually) tell clients about caches they believe to be
|
|
broken.
|
|
|
|
o Minor features (controller):
|
|
- Have GETINFO dir/status/* work on hosts with DirPort disabled.
|
|
- Reimplement GETINFO so that info/names stays in sync with the
|
|
actual keys.
|
|
- Implement "GETINFO fingerprint".
|
|
- Implement "SETEVENTS GUARD" so controllers can get updates on
|
|
entry guard status as it changes.
|
|
|
|
o Minor features (clean up obsolete pieces):
|
|
- Remove some options that have been deprecated since at least
|
|
0.1.0.x: AccountingMaxKB, LogFile, DebugLogFile, LogLevel, and
|
|
SysLog. Use AccountingMax instead of AccountingMaxKB, and use Log
|
|
to set log options.
|
|
- We no longer look for identity and onion keys in "identity.key" and
|
|
"onion.key" -- these were replaced by secret_id_key and
|
|
secret_onion_key in 0.0.8pre1.
|
|
- We no longer require unrecognized directory entries to be
|
|
preceded by "opt".
|
|
|
|
o Major bugfixes (security):
|
|
- Stop sending the HttpProxyAuthenticator string to directory
|
|
servers when directory connections are tunnelled through Tor.
|
|
- Clients no longer store bandwidth history in the state file.
|
|
- Do not log introduction points for hidden services if SafeLogging
|
|
is set.
|
|
- When generating bandwidth history, round down to the nearest
|
|
1k. When storing accounting data, round up to the nearest 1k.
|
|
- When we're running as a server, remember when we last rotated onion
|
|
keys, so that we will rotate keys once they're a week old even if
|
|
we never stay up for a week ourselves.
|
|
|
|
o Major bugfixes (other):
|
|
- Fix a longstanding bug in eventdns that prevented the count of
|
|
timed-out resolves from ever being reset. This bug caused us to
|
|
give up on a nameserver the third time it timed out, and try it
|
|
10 seconds later... and to give up on it every time it timed out
|
|
after that.
|
|
- Take out the '5 second' timeout from the connection retry
|
|
schedule. Now the first connect attempt will wait a full 10
|
|
seconds before switching to a new circuit. Perhaps this will help
|
|
a lot. Based on observations from Mike Perry.
|
|
- Fix a bug on the Windows implementation of tor_mmap_file() that
|
|
would prevent the cached-routers file from ever loading. Reported
|
|
by John Kimble.
|
|
|
|
o Minor bugfixes:
|
|
- Fix an assert failure when a directory authority sets
|
|
AuthDirRejectUnlisted and then receives a descriptor from an
|
|
unlisted router. Reported by seeess.
|
|
- Avoid a double-free when parsing malformed DirServer lines.
|
|
- Fix a bug when a BSD-style PF socket is first used. Patch from
|
|
Fabian Keil.
|
|
- Fix a bug in 0.1.2.2-alpha that prevented clients from asking
|
|
to resolve an address at a given exit node even when they ask for
|
|
it by name.
|
|
- Servers no longer ever list themselves in their "family" line,
|
|
even if configured to do so. This makes it easier to configure
|
|
family lists conveniently.
|
|
- When running as a server, don't fall back to 127.0.0.1 when no
|
|
nameservers are configured in /etc/resolv.conf; instead, make the
|
|
user fix resolv.conf or specify nameservers explicitly. (Resolves
|
|
bug 363.)
|
|
- Stop accepting certain malformed ports in configured exit policies.
|
|
- Don't re-write the fingerprint file every restart, unless it has
|
|
changed.
|
|
- Stop warning when a single nameserver fails: only warn when _all_ of
|
|
our nameservers have failed. Also, when we only have one nameserver,
|
|
raise the threshold for deciding that the nameserver is dead.
|
|
- Directory authorities now only decide that routers are reachable
|
|
if their identity keys are as expected.
|
|
- When the user uses bad syntax in the Log config line, stop
|
|
suggesting other bad syntax as a replacement.
|
|
- Correctly detect ipv6 DNS capability on OpenBSD.
|
|
|
|
o Minor bugfixes (controller):
|
|
- Report the circuit number correctly in STREAM CLOSED events. Bug
|
|
reported by Mike Perry.
|
|
- Do not report bizarre values for results of accounting GETINFOs
|
|
when the last second's write or read exceeds the allotted bandwidth.
|
|
- Report "unrecognized key" rather than an empty string when the
|
|
controller tries to fetch a networkstatus that doesn't exist.
|
|
|
|
|
|
Changes in version 0.1.1.26 - 2006-12-14
|
|
o Security bugfixes:
|
|
- Stop sending the HttpProxyAuthenticator string to directory
|
|
servers when directory connections are tunnelled through Tor.
|
|
- Clients no longer store bandwidth history in the state file.
|
|
- Do not log introduction points for hidden services if SafeLogging
|
|
is set.
|
|
|
|
o Minor bugfixes:
|
|
- Fix an assert failure when a directory authority sets
|
|
AuthDirRejectUnlisted and then receives a descriptor from an
|
|
unlisted router (reported by seeess).
|
|
|
|
|
|
Changes in version 0.1.2.4-alpha - 2006-12-03
|
|
o Major features:
|
|
- Add support for using natd; this allows FreeBSDs earlier than
|
|
5.1.2 to have ipfw send connections through Tor without using
|
|
SOCKS. (Patch from Zajcev Evgeny with tweaks from tup.)
|
|
|
|
o Minor features:
|
|
- Make all connections to addresses of the form ".noconnect"
|
|
immediately get closed. This lets application/controller combos
|
|
successfully test whether they're talking to the same Tor by
|
|
watching for STREAM events.
|
|
- Make cross.sh cross-compilation script work even when autogen.sh
|
|
hasn't been run. (Patch from Michael Mohr.)
|
|
- Statistics dumped by -USR2 now include a breakdown of public key
|
|
operations, for profiling.
|
|
|
|
o Major bugfixes:
|
|
- Fix a major leak when directory authorities parse their
|
|
approved-routers list, a minor memory leak when we fail to pick
|
|
an exit node, and a few rare leaks on errors.
|
|
- Handle TransPort connections even when the server sends data before
|
|
the client sends data. Previously, the connection would just hang
|
|
until the client sent data. (Patch from tup based on patch from
|
|
Zajcev Evgeny.)
|
|
- Avoid assert failure when our cached-routers file is empty on
|
|
startup.
|
|
|
|
o Minor bugfixes:
|
|
- Don't log spurious warnings when we see a circuit close reason we
|
|
don't recognize; it's probably just from a newer version of Tor.
|
|
- Have directory authorities allow larger amounts of drift in uptime
|
|
without replacing the server descriptor: previously, a server that
|
|
restarted every 30 minutes could have 48 "interesting" descriptors
|
|
per day.
|
|
- Start linking to the Tor specification and Tor reference manual
|
|
correctly in the Windows installer.
|
|
- Add Vidalia to the OS X uninstaller script, so when we uninstall
|
|
Tor/Privoxy we also uninstall Vidalia.
|
|
- Resume building on Irix64, and fix a lot of warnings from its
|
|
MIPSpro C compiler.
|
|
- Don't corrupt last_guessed_ip in router_new_address_suggestion()
|
|
when we're running as a client.
|
|
|
|
|
|
Changes in version 0.1.1.25 - 2006-11-04
|
|
o Major bugfixes:
|
|
- When a client asks us to resolve (rather than connect to)
|
|
an address, and we have a cached answer, give them the cached
|
|
answer. Previously, we would give them no answer at all.
|
|
- We were building exactly the wrong circuits when we predict
|
|
hidden service requirements, meaning Tor would have to build all
|
|
its circuits on demand.
|
|
- If none of our live entry guards have a high uptime, but we
|
|
require a guard with a high uptime, try adding a new guard before
|
|
we give up on the requirement. This patch should make long-lived
|
|
connections more stable on average.
|
|
- When testing reachability of our DirPort, don't launch new
|
|
tests when there's already one in progress -- unreachable
|
|
servers were stacking up dozens of testing streams.
|
|
|
|
o Security bugfixes:
|
|
- When the user sends a NEWNYM signal, clear the client-side DNS
|
|
cache too. Otherwise we continue to act on previous information.
|
|
|
|
o Minor bugfixes:
|
|
- Avoid a memory corruption bug when creating a hash table for
|
|
the first time.
|
|
- Avoid possibility of controller-triggered crash when misusing
|
|
certain commands from a v0 controller on platforms that do not
|
|
handle printf("%s",NULL) gracefully.
|
|
- Avoid infinite loop on unexpected controller input.
|
|
- Don't log spurious warnings when we see a circuit close reason we
|
|
don't recognize; it's probably just from a newer version of Tor.
|
|
- Add Vidalia to the OS X uninstaller script, so when we uninstall
|
|
Tor/Privoxy we also uninstall Vidalia.
|
|
|
|
|
|
Changes in version 0.1.2.3-alpha - 2006-10-29
|
|
o Minor features:
|
|
- Prepare for servers to publish descriptors less often: never
|
|
discard a descriptor simply for being too old until either it is
|
|
recommended by no authorities, or until we get a better one for
|
|
the same router. Make caches consider retaining old recommended
|
|
routers for even longer.
|
|
- If most authorities set a BadExit flag for a server, clients
|
|
don't think of it as a general-purpose exit. Clients only consider
|
|
authorities that advertise themselves as listing bad exits.
|
|
- Directory servers now provide 'Pragma: no-cache' and 'Expires'
|
|
headers for content, so that we can work better in the presence of
|
|
caching HTTP proxies.
|
|
- Allow authorities to list nodes as bad exits by fingerprint or by
|
|
address.
|
|
|
|
o Minor features, controller:
|
|
- Add a REASON field to CIRC events; for backward compatibility, this
|
|
field is sent only to controllers that have enabled the extended
|
|
event format. Also, add additional reason codes to explain why
|
|
a given circuit has been destroyed or truncated. (Patches from
|
|
Mike Perry)
|
|
- Add a REMOTE_REASON field to extended CIRC events to tell the
|
|
controller about why a remote OR told us to close a circuit.
|
|
- Stream events also now have REASON and REMOTE_REASON fields,
|
|
working much like those for circuit events.
|
|
- There's now a GETINFO ns/... field so that controllers can ask Tor
|
|
about the current status of a router.
|
|
- A new event type "NS" to inform a controller when our opinion of
|
|
a router's status has changed.
|
|
- Add a GETINFO events/names and GETINFO features/names so controllers
|
|
can tell which events and features are supported.
|
|
- A new CLEARDNSCACHE signal to allow controllers to clear the
|
|
client-side DNS cache without expiring circuits.
|
|
|
|
o Security bugfixes:
|
|
- When the user sends a NEWNYM signal, clear the client-side DNS
|
|
cache too. Otherwise we continue to act on previous information.
|
|
|
|
o Minor bugfixes:
|
|
- Avoid sending junk to controllers or segfaulting when a controller
|
|
uses EVENT_NEW_DESC with verbose nicknames.
|
|
- Stop triggering asserts if the controller tries to extend hidden
|
|
service circuits (reported by mwenge).
|
|
- Avoid infinite loop on unexpected controller input.
|
|
- When the controller does a "GETINFO network-status", tell it
|
|
about even those routers whose descriptors are very old, and use
|
|
long nicknames where appropriate.
|
|
- Change NT service functions to be loaded on demand. This lets us
|
|
build with MinGW without breaking Tor for Windows 98 users.
|
|
- Do DirPort reachability tests less often, since a single test
|
|
chews through many circuits before giving up.
|
|
- In the hidden service example in torrc.sample, stop recommending
|
|
esoteric and discouraged hidden service options.
|
|
- When stopping an NT service, wait up to 10 sec for it to actually
|
|
stop. Patch from Matt Edman; resolves bug 295.
|
|
- Fix handling of verbose nicknames with ORCONN controller events:
|
|
make them show up exactly when requested, rather than exactly when
|
|
not requested.
|
|
- When reporting verbose nicknames in entry_guards_getinfo(), avoid
|
|
printing a duplicate "$" in the keys we send (reported by mwenge).
|
|
- Correctly set maximum connection limit on Cygwin. (This time
|
|
for sure!)
|
|
- Try to detect Windows correctly when cross-compiling.
|
|
- Detect the size of the routers file correctly even if it is
|
|
corrupted (on systems without mmap) or not page-aligned (on systems
|
|
with mmap). This bug was harmless.
|
|
- Sometimes we didn't bother sending a RELAY_END cell when an attempt
|
|
to open a stream fails; now we do in more cases. This should
|
|
make clients able to find a good exit faster in some cases, since
|
|
unhandleable requests will now get an error rather than timing out.
|
|
- Resolve two memory leaks when rebuilding the on-disk router cache
|
|
(reported by fookoowa).
|
|
- Clean up minor code warnings suggested by the MIPSpro C compiler,
|
|
and reported by some Centos users.
|
|
- Controller signals now work on non-Unix platforms that don't define
|
|
SIGUSR1 and SIGUSR2 the way we expect.
|
|
- Patch from Michael Mohr to contrib/cross.sh, so it checks more
|
|
values before failing, and always enables eventdns.
|
|
- Libevent-1.2 exports, but does not define in its headers, strlcpy.
|
|
Try to fix this in configure.in by checking for most functions
|
|
before we check for libevent.
|
|
|
|
|
|
Changes in version 0.1.2.2-alpha - 2006-10-07
|
|
o Major features:
|
|
- Make our async eventdns library on-by-default for Tor servers,
|
|
and plan to deprecate the separate dnsworker threads.
|
|
- Add server-side support for "reverse" DNS lookups (using PTR
|
|
records so clients can determine the canonical hostname for a given
|
|
IPv4 address). Only supported by servers using eventdns; servers
|
|
now announce in their descriptors whether they support eventdns.
|
|
- Specify and implement client-side SOCKS5 interface for reverse DNS
|
|
lookups (see doc/socks-extensions.txt).
|
|
- Add a BEGIN_DIR relay cell type for an easier in-protocol way to
|
|
connect to directory servers through Tor. Previously, clients needed
|
|
to find Tor exits to make private connections to directory servers.
|
|
- Avoid choosing Exit nodes for entry or middle hops when the
|
|
total bandwidth available from non-Exit nodes is much higher than
|
|
the total bandwidth available from Exit nodes.
|
|
- Workaround for name servers (like Earthlink's) that hijack failing
|
|
DNS requests and replace the no-such-server answer with a "helpful"
|
|
redirect to an advertising-driven search portal. Also work around
|
|
DNS hijackers who "helpfully" decline to hijack known-invalid
|
|
RFC2606 addresses. Config option "ServerDNSDetectHijacking 0"
|
|
lets you turn it off.
|
|
- Send out a burst of long-range padding cells once we've established
|
|
that we're reachable. Spread them over 4 circuits, so hopefully
|
|
a few will be fast. This exercises our bandwidth and bootstraps
|
|
us into the directory more quickly.
|
|
|
|
o New/improved config options:
|
|
- Add new config option "ResolvConf" to let the server operator
|
|
choose an alternate resolve.conf file when using eventdns.
|
|
- Add an "EnforceDistinctSubnets" option to control our "exclude
|
|
servers on the same /16" behavior. It's still on by default; this
|
|
is mostly for people who want to operate private test networks with
|
|
all the machines on the same subnet.
|
|
- If one of our entry guards is on the ExcludeNodes list, or the
|
|
directory authorities don't think it's a good guard, treat it as
|
|
if it were unlisted: stop using it as a guard, and throw it off
|
|
the guards list if it stays that way for a long time.
|
|
- Allow directory authorities to be marked separately as authorities
|
|
for the v1 directory protocol, the v2 directory protocol, and
|
|
as hidden service directories, to make it easier to retire old
|
|
authorities. V1 authorities should set "HSAuthoritativeDir 1"
|
|
to continue being hidden service authorities too.
|
|
- Remove 8888 as a LongLivedPort, and add 6697 (IRCS).
|
|
|
|
o Minor features, controller:
|
|
- Fix CIRC controller events so that controllers can learn the
|
|
identity digests of non-Named servers used in circuit paths.
|
|
- Let controllers ask for more useful identifiers for servers. Instead
|
|
of learning identity digests for un-Named servers and nicknames
|
|
for Named servers, the new identifiers include digest, nickname,
|
|
and indication of Named status. Off by default; see control-spec.txt
|
|
for more information.
|
|
- Add a "getinfo address" controller command so it can display Tor's
|
|
best guess to the user.
|
|
- New controller event to alert the controller when our server
|
|
descriptor has changed.
|
|
- Give more meaningful errors on controller authentication failure.
|
|
|
|
o Minor features, other:
|
|
- When asked to resolve a hostname, don't use non-exit servers unless
|
|
requested to do so. This allows servers with broken DNS to be
|
|
useful to the network.
|
|
- Divide eventdns log messages into warn and info messages.
|
|
- Reserve the nickname "Unnamed" for routers that can't pick
|
|
a hostname: any router can call itself Unnamed; directory
|
|
authorities will never allocate Unnamed to any particular router;
|
|
clients won't believe that any router is the canonical Unnamed.
|
|
- Only include function names in log messages for info/debug messages.
|
|
For notice/warn/err, the content of the message should be clear on
|
|
its own, and printing the function name only confuses users.
|
|
- Avoid some false positives during reachability testing: don't try
|
|
to test via a server that's on the same /24 as us.
|
|
- If we fail to build a circuit to an intended enclave, and it's
|
|
not mandatory that we use that enclave, stop wanting it.
|
|
- When eventdns is enabled, allow multithreaded builds on NetBSD and
|
|
OpenBSD. (We had previously disabled threads on these platforms
|
|
because they didn't have working thread-safe resolver functions.)
|
|
|
|
o Major bugfixes, anonymity/security:
|
|
- If a client asked for a server by name, and there's a named server
|
|
in our network-status but we don't have its descriptor yet, we
|
|
could return an unnamed server instead.
|
|
- Fix NetBSD bug that could allow someone to force uninitialized RAM
|
|
to be sent to a server's DNS resolver. This only affects NetBSD
|
|
and other platforms that do not bounds-check tolower().
|
|
- Reject (most) attempts to use Tor circuits with length one. (If
|
|
many people start using Tor as a one-hop proxy, exit nodes become
|
|
a more attractive target for compromise.)
|
|
- Just because your DirPort is open doesn't mean people should be
|
|
able to remotely teach you about hidden service descriptors. Now
|
|
only accept rendezvous posts if you've got HSAuthoritativeDir set.
|
|
|
|
o Major bugfixes, other:
|
|
- Don't crash on race condition in dns.c: tor_assert(!resolve->expire)
|
|
- When a client asks the server to resolve (not connect to)
|
|
an address, and it has a cached answer, give them the cached answer.
|
|
Previously, the server would give them no answer at all.
|
|
- Allow really slow clients to not hang up five minutes into their
|
|
directory downloads (suggested by Adam J. Richter).
|
|
- We were building exactly the wrong circuits when we anticipated
|
|
hidden service requirements, meaning Tor would have to build all
|
|
its circuits on demand.
|
|
- Avoid crashing when we mmap a router cache file of size 0.
|
|
- When testing reachability of our DirPort, don't launch new
|
|
tests when there's already one in progress -- unreachable
|
|
servers were stacking up dozens of testing streams.
|
|
|
|
o Minor bugfixes, correctness:
|
|
- If we're a directory mirror and we ask for "all" network status
|
|
documents, we would discard status documents from authorities
|
|
we don't recognize.
|
|
- Avoid a memory corruption bug when creating a hash table for
|
|
the first time.
|
|
- Avoid controller-triggered crash when misusing certain commands
|
|
from a v0 controller on platforms that do not handle
|
|
printf("%s",NULL) gracefully.
|
|
- Don't crash when a controller sends a third argument to an
|
|
"extendcircuit" request.
|
|
- Controller protocol fixes: fix encoding in "getinfo addr-mappings"
|
|
response; fix error code when "getinfo dir/status/" fails.
|
|
- Avoid crash when telling controller stream-status and a stream
|
|
is detached.
|
|
- Patch from Adam Langley to fix assert() in eventdns.c.
|
|
- Fix a debug log message in eventdns to say "X resolved to Y"
|
|
instead of "X resolved to X".
|
|
- Make eventdns give strings for DNS errors, not just error numbers.
|
|
- Track unreachable entry guards correctly: don't conflate
|
|
'unreachable by us right now' with 'listed as down by the directory
|
|
authorities'. With the old code, if a guard was unreachable by
|
|
us but listed as running, it would clog our guard list forever.
|
|
- Behave correctly in case we ever have a network with more than
|
|
2GB/s total advertised capacity.
|
|
- Make TrackExitHosts case-insensitive, and fix the behavior of
|
|
".suffix" TrackExitHosts items to avoid matching in the middle of
|
|
an address.
|
|
- Finally fix the openssl warnings from newer gccs that believe that
|
|
ignoring a return value is okay, but casting a return value and
|
|
then ignoring it is a sign of madness.
|
|
- Prevent the contrib/exitlist script from printing the same
|
|
result more than once.
|
|
- Patch from Steve Hildrey: Generate network status correctly on
|
|
non-versioning dirservers.
|
|
- Don't listen to the X-Your-Address-Is hint if you did the lookup
|
|
via Tor; otherwise you'll think you're the exit node's IP address.
|
|
|
|
o Minor bugfixes, performance:
|
|
- Two small performance improvements on parsing descriptors.
|
|
- Major performance improvement on inserting descriptors: change
|
|
algorithm from O(n^2) to O(n).
|
|
- Make the common memory allocation path faster on machines where
|
|
malloc(0) returns a pointer.
|
|
- Start remembering X-Your-Address-Is directory hints even if you're
|
|
a client, so you can become a server more smoothly.
|
|
- Avoid duplicate entries on MyFamily line in server descriptor.
|
|
|
|
o Packaging, features:
|
|
- Remove architecture from OS X builds. The official builds are
|
|
now universal binaries.
|
|
- The Debian package now uses --verify-config when (re)starting,
|
|
to distinguish configuration errors from other errors.
|
|
- Update RPMs to require libevent 1.1b.
|
|
|
|
o Packaging, bugfixes:
|
|
- Patches so Tor builds with MinGW on Windows.
|
|
- Patches so Tor might run on Cygwin again.
|
|
- Resume building on non-gcc compilers and ancient gcc. Resume
|
|
building with the -O0 compile flag. Resume building cleanly on
|
|
Debian woody.
|
|
- Run correctly on OS X platforms with case-sensitive filesystems.
|
|
- Correct includes for net/if.h and net/pfvar.h on OpenBSD (from Tup).
|
|
- Add autoconf checks so Tor can build on Solaris x86 again.
|
|
|
|
o Documentation
|
|
- Documented (and renamed) ServerDNSSearchDomains and
|
|
ServerDNSResolvConfFile options.
|
|
- Be clearer that the *ListenAddress directives can be repeated
|
|
multiple times.
|
|
|
|
|
|
Changes in version 0.1.1.24 - 2006-09-29
|
|
o Major bugfixes:
|
|
- Allow really slow clients to not hang up five minutes into their
|
|
directory downloads (suggested by Adam J. Richter).
|
|
- Fix major performance regression from 0.1.0.x: instead of checking
|
|
whether we have enough directory information every time we want to
|
|
do something, only check when the directory information has changed.
|
|
This should improve client CPU usage by 25-50%.
|
|
- Don't crash if, after a server has been running for a while,
|
|
it can't resolve its hostname.
|
|
|
|
o Minor bugfixes:
|
|
- Allow Tor to start when RunAsDaemon is set but no logs are set.
|
|
- Don't crash when the controller receives a third argument to an
|
|
"extendcircuit" request.
|
|
- Controller protocol fixes: fix encoding in "getinfo addr-mappings"
|
|
response; fix error code when "getinfo dir/status/" fails.
|
|
- Fix configure.in to not produce broken configure files with
|
|
more recent versions of autoconf. Thanks to Clint for his auto*
|
|
voodoo.
|
|
- Fix security bug on NetBSD that could allow someone to force
|
|
uninitialized RAM to be sent to a server's DNS resolver. This
|
|
only affects NetBSD and other platforms that do not bounds-check
|
|
tolower().
|
|
- Warn user when using libevent 1.1a or earlier with win32 or kqueue
|
|
methods: these are known to be buggy.
|
|
- If we're a directory mirror and we ask for "all" network status
|
|
documents, we would discard status documents from authorities
|
|
we don't recognize.
|
|
|
|
|
|
Changes in version 0.1.2.1-alpha - 2006-08-27
|
|
o Major features:
|
|
- Add "eventdns" async dns library from Adam Langley, tweaked to
|
|
build on OSX and Windows. Only enabled if you pass the
|
|
--enable-eventdns argument to configure.
|
|
- Allow servers with no hostname or IP address to learn their
|
|
IP address by asking the directory authorities. This code only
|
|
kicks in when you would normally have exited with a "no address"
|
|
error. Nothing's authenticated, so use with care.
|
|
- Rather than waiting a fixed amount of time between retrying
|
|
application connections, we wait only 5 seconds for the first,
|
|
10 seconds for the second, and 15 seconds for each retry after
|
|
that. Hopefully this will improve the expected user experience.
|
|
- Patch from Tup to add support for transparent AP connections:
|
|
this basically bundles the functionality of trans-proxy-tor
|
|
into the Tor mainline. Now hosts with compliant pf/netfilter
|
|
implementations can redirect TCP connections straight to Tor
|
|
without diverting through SOCKS. Needs docs.
|
|
- Busy directory servers save lots of memory by spooling server
|
|
descriptors, v1 directories, and v2 networkstatus docs to buffers
|
|
as needed rather than en masse. Also mmap the cached-routers
|
|
files, so we don't need to keep the whole thing in memory too.
|
|
- Automatically avoid picking more than one node from the same
|
|
/16 network when constructing a circuit.
|
|
- Revise and clean up the torrc.sample that we ship with; add
|
|
a section for BandwidthRate and BandwidthBurst.
|
|
|
|
o Minor features:
|
|
- Split circuit_t into origin_circuit_t and or_circuit_t, and
|
|
split connection_t into edge, or, dir, control, and base structs.
|
|
These will save quite a bit of memory on busy servers, and they'll
|
|
also help us track down bugs in the code and bugs in the spec.
|
|
- Experimentally re-enable kqueue on OSX when using libevent 1.1b
|
|
or later. Log when we are doing this, so we can diagnose it when
|
|
it fails. (Also, recommend libevent 1.1b for kqueue and
|
|
win32 methods; deprecate libevent 1.0b harder; make libevent
|
|
recommendation system saner.)
|
|
- Start being able to build universal binaries on OS X (thanks
|
|
to Phobos).
|
|
- Export the default exit policy via the control port, so controllers
|
|
don't need to guess what it is / will be later.
|
|
- Add a man page entry for ProtocolWarnings.
|
|
- Add TestVia config option to the man page.
|
|
- Remove even more protocol-related warnings from Tor server logs,
|
|
such as bad TLS handshakes and malformed begin cells.
|
|
- Stop fetching descriptors if you're not a dir mirror and you
|
|
haven't tried to establish any circuits lately. [This currently
|
|
causes some dangerous behavior, because when you start up again
|
|
you'll use your ancient server descriptors.]
|
|
- New DirPort behavior: if you have your dirport set, you download
|
|
descriptors aggressively like a directory mirror, whether or not
|
|
your ORPort is set.
|
|
- Get rid of the router_retry_connections notion. Now routers
|
|
no longer try to rebuild long-term connections to directory
|
|
authorities, and directory authorities no longer try to rebuild
|
|
long-term connections to all servers. We still don't hang up
|
|
connections in these two cases though -- we need to look at it
|
|
more carefully to avoid flapping, and we likely need to wait til
|
|
0.1.1.x is obsolete.
|
|
- Drop compatibility with obsolete Tors that permit create cells
|
|
to have the wrong circ_id_type.
|
|
- Re-enable per-connection rate limiting. Get rid of the "OP
|
|
bandwidth" concept. Lay groundwork for "bandwidth classes" --
|
|
separate global buckets that apply depending on what sort of conn
|
|
it is.
|
|
- Start publishing one minute or so after we find our ORPort
|
|
to be reachable. This will help reduce the number of descriptors
|
|
we have for ourselves floating around, since it's quite likely
|
|
other things (e.g. DirPort) will change during that minute too.
|
|
- Fork the v1 directory protocol into its own spec document,
|
|
and mark dir-spec.txt as the currently correct (v2) spec.
|
|
|
|
o Major bugfixes:
|
|
- When we find our DirPort to be reachable, publish a new descriptor
|
|
so we'll tell the world (reported by pnx).
|
|
- Publish a new descriptor after we hup/reload. This is important
|
|
if our config has changed such that we'll want to start advertising
|
|
our DirPort now, etc.
|
|
- Allow Tor to start when RunAsDaemon is set but no logs are set.
|
|
- When we have a state file we cannot parse, tell the user and
|
|
move it aside. Now we avoid situations where the user starts
|
|
Tor in 1904, Tor writes a state file with that timestamp in it,
|
|
the user fixes her clock, and Tor refuses to start.
|
|
- Fix configure.in to not produce broken configure files with
|
|
more recent versions of autoconf. Thanks to Clint for his auto*
|
|
voodoo.
|
|
- "tor --verify-config" now exits with -1(255) or 0 depending on
|
|
whether the config options are bad or good.
|
|
- Resolve bug 321 when using dnsworkers: append a period to every
|
|
address we resolve at the exit node, so that we do not accidentally
|
|
pick up local addresses, and so that failing searches are retried
|
|
in the resolver search domains. (This is already solved for
|
|
eventdns.) (This breaks Blossom servers for now.)
|
|
- If we are using an exit enclave and we can't connect, e.g. because
|
|
its webserver is misconfigured to not listen on localhost, then
|
|
back off and try connecting from somewhere else before we fail.
|
|
|
|
o Minor bugfixes:
|
|
- Start compiling on MinGW on Windows (patches from Mike Chiussi).
|
|
- Start compiling on MSVC6 on Windows (patches from Frediano Ziglio).
|
|
- Fix bug 314: Tor clients issued "unsafe socks" warnings even
|
|
when the IP address is mapped through MapAddress to a hostname.
|
|
- Start passing "ipv4" hints to getaddrinfo(), so servers don't do
|
|
useless IPv6 DNS resolves.
|
|
- Patch suggested by Karsten Loesing: respond to SIGNAL command
|
|
before we execute the signal, in case the signal shuts us down.
|
|
- Clean up AllowInvalidNodes man page entry.
|
|
- Claim a commonname of Tor, rather than TOR, in TLS handshakes.
|
|
- Add more asserts to track down an assert error on a windows Tor
|
|
server with connection_add being called with socket == -1.
|
|
- Handle reporting OR_CONN_EVENT_NEW events to the controller.
|
|
- Fix misleading log messages: an entry guard that is "unlisted",
|
|
as well as not known to be "down" (because we've never heard
|
|
of it), is not therefore "up".
|
|
- Remove code to special-case "-cvs" ending, since it has not
|
|
actually mattered since 0.0.9.
|
|
- Make our socks5 handling more robust to broken socks clients:
|
|
throw out everything waiting on the buffer in between socks
|
|
handshake phases, since they can't possibly (so the theory
|
|
goes) have predicted what we plan to respond to them.
|
|
|
|
|
|
Changes in version 0.1.1.23 - 2006-07-30
|
|
o Major bugfixes:
|
|
- Fast Tor servers, especially exit nodes, were triggering asserts
|
|
due to a bug in handling the list of pending DNS resolves. Some
|
|
bugs still remain here; we're hunting them.
|
|
- Entry guards could crash clients by sending unexpected input.
|
|
- More fixes on reachability testing: if you find yourself reachable,
|
|
then don't ever make any client requests (so you stop predicting
|
|
circuits), then hup or have your clock jump, then later your IP
|
|
changes, you won't think circuits are working, so you won't try to
|
|
test reachability, so you won't publish.
|
|
|
|
o Minor bugfixes:
|
|
- Avoid a crash if the controller does a resetconf firewallports
|
|
and then a setconf fascistfirewall=1.
|
|
- Avoid an integer underflow when the dir authority decides whether
|
|
a router is stable: we might wrongly label it stable, and compute
|
|
a slightly wrong median stability, when a descriptor is published
|
|
later than now.
|
|
- Fix a place where we might trigger an assert if we can't build our
|
|
own server descriptor yet.
|
|
|
|
|
|
Changes in version 0.1.1.22 - 2006-07-05
|
|
o Major bugfixes:
|
|
- Fix a big bug that was causing servers to not find themselves
|
|
reachable if they changed IP addresses. Since only 0.1.1.22+
|
|
servers can do reachability testing correctly, now we automatically
|
|
make sure to test via one of these.
|
|
- Fix to allow clients and mirrors to learn directory info from
|
|
descriptor downloads that get cut off partway through.
|
|
- Directory authorities had a bug in deciding if a newly published
|
|
descriptor was novel enough to make everybody want a copy -- a few
|
|
servers seem to be publishing new descriptors many times a minute.
|
|
o Minor bugfixes:
|
|
- Fix a rare bug that was causing some servers to complain about
|
|
"closing wedged cpuworkers" and skip some circuit create requests.
|
|
- Make the Exit flag in directory status documents actually work.
|
|
|
|
|
|
Changes in version 0.1.1.21 - 2006-06-10
|
|
o Crash and assert fixes from 0.1.1.20:
|
|
- Fix a rare crash on Tor servers that have enabled hibernation.
|
|
- Fix a seg fault on startup for Tor networks that use only one
|
|
directory authority.
|
|
- Fix an assert from a race condition that occurs on Tor servers
|
|
while exiting, where various threads are trying to log that they're
|
|
exiting, and delete the logs, at the same time.
|
|
- Make our unit tests pass again on certain obscure platforms.
|
|
|
|
o Other fixes:
|
|
- Add support for building SUSE RPM packages.
|
|
- Speed up initial bootstrapping for clients: if we are making our
|
|
first ever connection to any entry guard, then don't mark it down
|
|
right after that.
|
|
- When only one Tor server in the network is labelled as a guard,
|
|
and we've already picked him, we would cycle endlessly picking him
|
|
again, being unhappy about it, etc. Now we specifically exclude
|
|
current guards when picking a new guard.
|
|
- Servers send create cells more reliably after the TLS connection
|
|
is established: we were sometimes forgetting to send half of them
|
|
when we had more than one pending.
|
|
- If we get a create cell that asks us to extend somewhere, but the
|
|
Tor server there doesn't match the expected digest, we now send
|
|
a destroy cell back, rather than silently doing nothing.
|
|
- Make options->RedirectExit work again.
|
|
- Make cookie authentication for the controller work again.
|
|
- Stop being picky about unusual characters in the arguments to
|
|
mapaddress. It's none of our business.
|
|
- Add a new config option "TestVia" that lets you specify preferred
|
|
middle hops to use for test circuits. Perhaps this will let me
|
|
debug the reachability problems better.
|
|
|
|
o Log / documentation fixes:
|
|
- If we're a server and some peer has a broken TLS certificate, don't
|
|
log about it unless ProtocolWarnings is set, i.e., we want to hear
|
|
about protocol violations by others.
|
|
- Fix spelling of VirtualAddrNetwork in man page.
|
|
- Add a better explanation at the top of the autogenerated torrc file
|
|
about what happened to our old torrc.
|
|
|
|
|
|
Changes in version 0.1.1.20 - 2006-05-23
|
|
o Bugfixes:
|
|
- Downgrade a log severity where servers complain that they're
|
|
invalid.
|
|
- Avoid a compile warning on FreeBSD.
|
|
- Remove string size limit on NEWDESC messages; solve bug 291.
|
|
- Correct the RunAsDaemon entry in the man page; ignore RunAsDaemon
|
|
more thoroughly when we're running on windows.
|
|
|
|
|
|
Changes in version 0.1.1.19-rc - 2006-05-03
|
|
o Minor bugs:
|
|
- Regenerate our local descriptor if it's dirty and we try to use
|
|
it locally (e.g. if it changes during reachability detection).
|
|
- If we setconf our ORPort to 0, we continued to listen on the
|
|
old ORPort and receive connections.
|
|
- Avoid a second warning about machine/limits.h on Debian
|
|
GNU/kFreeBSD.
|
|
- Be willing to add our own routerinfo into the routerlist.
|
|
Now authorities will include themselves in their directories
|
|
and network-statuses.
|
|
- Stop trying to upload rendezvous descriptors to every
|
|
directory authority: only try the v1 authorities.
|
|
- Servers no longer complain when they think they're not
|
|
registered with the directory authorities. There were too many
|
|
false positives.
|
|
- Backport dist-rpm changes so rpms can be built without errors.
|
|
|
|
o Features:
|
|
- Implement an option, VirtualAddrMask, to set which addresses
|
|
get handed out in response to mapaddress requests. This works
|
|
around a bug in tsocks where 127.0.0.0/8 is never socksified.
|
|
|
|
|
|
Changes in version 0.1.1.18-rc - 2006-04-10
|
|
o Major fixes:
|
|
- Work harder to download live network-statuses from all the
|
|
directory authorities we know about. Improve the threshold
|
|
decision logic so we're more robust to edge cases.
|
|
- When fetching rendezvous descriptors, we were willing to ask
|
|
v2 authorities too, which would always return 404.
|
|
|
|
o Minor fixes:
|
|
- Stop listing down or invalid nodes in the v1 directory. This will
|
|
reduce its bulk by about 1/3, and reduce load on directory
|
|
mirrors.
|
|
- When deciding whether a router is Fast or Guard-worthy, consider
|
|
his advertised BandwidthRate and not just the BandwidthCapacity.
|
|
- No longer ship INSTALL and README files -- they are useless now.
|
|
- Force rpmbuild to behave and honor target_cpu.
|
|
- Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD.
|
|
- Start to include translated versions of the tor-doc-*.html
|
|
files, along with the screenshots. Still needs more work.
|
|
- Start sending back 512 and 451 errors if mapaddress fails,
|
|
rather than not sending anything back at all.
|
|
- When we fail to bind or listen on an incoming or outgoing
|
|
socket, we should close it before failing. otherwise we just
|
|
leak it. (thanks to weasel for finding.)
|
|
- Allow "getinfo dir/status/foo" to work, as long as your DirPort
|
|
is enabled. (This is a hack, and will be fixed in 0.1.2.x.)
|
|
- Make NoPublish (even though deprecated) work again.
|
|
- Fix a minor security flaw where a versioning auth dirserver
|
|
could list a recommended version many times in a row to make
|
|
clients more convinced that it's recommended.
|
|
- Fix crash bug if there are two unregistered servers running
|
|
with the same nickname, one of them is down, and you ask for
|
|
them by nickname in your EntryNodes or ExitNodes. Also, try
|
|
to pick the one that's running rather than an arbitrary one.
|
|
- Fix an infinite loop we could hit if we go offline for too long.
|
|
- Complain when we hit WSAENOBUFS on recv() or write() too.
|
|
Perhaps this will help us hunt the bug.
|
|
- If you're not a versioning dirserver, don't put the string
|
|
"client-versions \nserver-versions \n" in your network-status.
|
|
- Lower the minimum required number of file descriptors to 1000,
|
|
so we can have some overhead for Valgrind on Linux, where the
|
|
default ulimit -n is 1024.
|
|
|
|
o New features:
|
|
- Add tor.dizum.com as the fifth authoritative directory server.
|
|
- Add a new config option FetchUselessDescriptors, off by default,
|
|
for when you plan to run "exitlist" on your client and you want
|
|
to know about even the non-running descriptors.
|
|
|
|
|
|
Changes in version 0.1.1.17-rc - 2006-03-28
|
|
o Major fixes:
|
|
- Clients and servers since 0.1.1.10-alpha have been expiring
|
|
connections whenever they are idle for 5 minutes and they *do*
|
|
have circuits on them. Oops. With this new version, clients will
|
|
discard their previous entry guard choices and avoid choosing
|
|
entry guards running these flawed versions.
|
|
- Fix memory leak when uncompressing concatenated zlib streams. This
|
|
was causing substantial leaks over time on Tor servers.
|
|
- The v1 directory was including servers as much as 48 hours old,
|
|
because that's how the new routerlist->routers works. Now only
|
|
include them if they're 20 hours old or less.
|
|
|
|
o Minor fixes:
|
|
- Resume building on irix64, netbsd 2.0, etc.
|
|
- On non-gcc compilers (e.g. solaris), use "-g -O" instead of
|
|
"-Wall -g -O2".
|
|
- Stop writing the "router.desc" file, ever. Nothing uses it anymore,
|
|
and it is confusing some users.
|
|
- Mirrors stop caching the v1 directory so often.
|
|
- Make the max number of old descriptors that a cache will hold
|
|
rise with the number of directory authorities, so we can scale.
|
|
- Change our win32 uname() hack to be more forgiving about what
|
|
win32 versions it thinks it's found.
|
|
|
|
o New features:
|
|
- Add lefkada.eecs.harvard.edu as a fourth authoritative directory
|
|
server.
|
|
- When the controller's *setconf commands fail, collect an error
|
|
message in a string and hand it back to the controller.
|
|
- Make the v2 dir's "Fast" flag based on relative capacity, just
|
|
like "Stable" is based on median uptime. Name everything in the
|
|
top 7/8 Fast, and only the top 1/2 gets to be a Guard.
|
|
- Log server fingerprint on startup, so new server operators don't
|
|
have to go hunting around their filesystem for it.
|
|
- Return a robots.txt on our dirport to discourage google indexing.
|
|
- Let the controller ask for GETINFO dir/status/foo so it can ask
|
|
directly rather than connecting to the dir port. Only works when
|
|
dirport is set for now.
|
|
|
|
o New config options rather than constants in the code:
|
|
- SocksTimeout: How long do we let a socks connection wait
|
|
unattached before we fail it?
|
|
- CircuitBuildTimeout: Cull non-open circuits that were born
|
|
at least this many seconds ago.
|
|
- CircuitIdleTimeout: Cull open clean circuits that were born
|
|
at least this many seconds ago.
|
|
|
|
|
|
Changes in version 0.1.1.16-rc - 2006-03-18
|
|
o Bugfixes on 0.1.1.15-rc:
|
|
- Fix assert when the controller asks to attachstream a connect-wait
|
|
or resolve-wait stream.
|
|
- Now do address rewriting when the controller asks us to attach
|
|
to a particular circuit too. This will let Blossom specify
|
|
"moria2.exit" without having to learn what moria2's IP address is.
|
|
- Make the "tor --verify-config" command-line work again, so people
|
|
can automatically check if their torrc will parse.
|
|
- Authoritative dirservers no longer require an open connection from
|
|
a server to consider him "reachable". We need this change because
|
|
when we add new auth dirservers, old servers won't know not to
|
|
hang up on them.
|
|
- Let Tor build on Sun CC again.
|
|
- Fix an off-by-one buffer size in dirserv.c that magically never
|
|
hit our three authorities but broke sjmurdoch's own tor network.
|
|
- If we as a directory mirror don't know of any v1 directory
|
|
authorities, then don't try to cache any v1 directories.
|
|
- Stop warning about unknown servers in our family when they are
|
|
given as hex digests.
|
|
- Stop complaining as quickly to the server operator that he
|
|
hasn't registered his nickname/key binding.
|
|
- Various cleanups so we can add new V2 Auth Dirservers.
|
|
- Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to
|
|
reflect the updated flags in our v2 dir protocol.
|
|
- Resume allowing non-printable characters for exit streams (both
|
|
for connecting and for resolving). Now we tolerate applications
|
|
that don't follow the RFCs. But continue to block malformed names
|
|
at the socks side.
|
|
|
|
o Bugfixes on 0.1.0.x:
|
|
- Fix assert bug in close_logs(): when we close and delete logs,
|
|
remove them all from the global "logfiles" list.
|
|
- Fix minor integer overflow in calculating when we expect to use up
|
|
our bandwidth allocation before hibernating.
|
|
- Fix a couple of bugs in OpenSSL detection. Also, deal better when
|
|
there are multiple SSLs installed with different versions.
|
|
- When we try to be a server and Address is not explicitly set and
|
|
our hostname resolves to a private IP address, try to use an
|
|
interface address if it has a public address. Now Windows machines
|
|
that think of themselves as localhost can work by default.
|
|
|
|
o New features:
|
|
- Let the controller ask for GETINFO dir/server/foo so it can ask
|
|
directly rather than connecting to the dir port.
|
|
- Let the controller tell us about certain router descriptors
|
|
that it doesn't want Tor to use in circuits. Implement
|
|
SETROUTERPURPOSE and modify +POSTDESCRIPTOR to do this.
|
|
- New config option SafeSocks to reject all application connections
|
|
using unsafe socks protocols. Defaults to off.
|
|
|
|
|
|
Changes in version 0.1.1.15-rc - 2006-03-11
|
|
o Bugfixes and cleanups:
|
|
- When we're printing strings from the network, don't try to print
|
|
non-printable characters. This protects us against shell escape
|
|
sequence exploits, and also against attacks to fool humans into
|
|
misreading their logs.
|
|
- Fix a bug where Tor would fail to establish any connections if you
|
|
left it off for 24 hours and then started it: we were happy with
|
|
the obsolete network statuses, but they all referred to router
|
|
descriptors that were too old to fetch, so we ended up with no
|
|
valid router descriptors.
|
|
- Fix a seg fault in the controller's "getinfo orconn-status"
|
|
command while listing status on incoming handshaking connections.
|
|
Introduce a status name "NEW" for these connections.
|
|
- If we get a linelist or linelist_s config option from the torrc
|
|
(e.g. ExitPolicy) and it has no value, warn and skip rather than
|
|
silently resetting it to its default.
|
|
- Don't abandon entry guards until they've been down or gone for
|
|
a whole month.
|
|
- Cleaner and quieter log messages.
|
|
|
|
o New features:
|
|
- New controller signal NEWNYM that makes new application requests
|
|
use clean circuits.
|
|
- Add a new circuit purpose 'controller' to let the controller ask
|
|
for a circuit that Tor won't try to use. Extend the EXTENDCIRCUIT
|
|
controller command to let you specify the purpose if you're
|
|
starting a new circuit. Add a new SETCIRCUITPURPOSE controller
|
|
command to let you change a circuit's purpose after it's been
|
|
created.
|
|
- Accept "private:*" in routerdesc exit policies; not generated yet
|
|
because older Tors do not understand it.
|
|
- Add BSD-style contributed startup script "rc.subr" from Peter
|
|
Thoenen.
|
|
|
|
|
|
Changes in version 0.1.1.14-alpha - 2006-02-20
|
|
o Bugfixes on 0.1.1.x:
|
|
- Don't die if we ask for a stdout or stderr log (even implicitly)
|
|
and we're set to RunAsDaemon -- just warn.
|
|
- We still had a few bugs in the OR connection rotation code that
|
|
caused directory servers to slowly aggregate connections to other
|
|
fast Tor servers. This time for sure!
|
|
- Make log entries on Win32 include the name of the function again.
|
|
- We were treating a pair of exit policies if they were equal even
|
|
if one said accept and the other said reject -- causing us to
|
|
not always publish a new descriptor since we thought nothing
|
|
had changed.
|
|
- Retry pending server downloads as well as pending networkstatus
|
|
downloads when we unexpectedly get a socks request.
|
|
- We were ignoring the IS_FAST flag in the directory status,
|
|
meaning we were willing to pick trivial-bandwidth nodes for "fast"
|
|
connections.
|
|
- If the controller's SAVECONF command fails (e.g. due to file
|
|
permissions), let the controller know that it failed.
|
|
|
|
o Features:
|
|
- If we're trying to be a Tor server and running Windows 95/98/ME
|
|
as a server, explain that we'll likely crash.
|
|
- When we're a server, a client asks for an old-style directory,
|
|
and our write bucket is empty, don't give it to him. This way
|
|
small servers can continue to serve the directory *sometimes*,
|
|
without getting overloaded.
|
|
- Compress exit policies even more -- look for duplicate lines
|
|
and remove them.
|
|
- Clients now honor the "guard" flag in the router status when
|
|
picking entry guards, rather than looking at is_fast or is_stable.
|
|
- Retain unrecognized lines in $DATADIR/state file, so that we can
|
|
be forward-compatible.
|
|
- Generate 18.0.0.0/8 address policy format in descs when we can;
|
|
warn when the mask is not reducible to a bit-prefix.
|
|
- Let the user set ControlListenAddress in the torrc. This can be
|
|
dangerous, but there are some cases (like a secured LAN) where it
|
|
makes sense.
|
|
- Split ReachableAddresses into ReachableDirAddresses and
|
|
ReachableORAddresses, so we can restrict Dir conns to port 80
|
|
and OR conns to port 443.
|
|
- Now we can target arch and OS in rpm builds (contributed by
|
|
Phobos). Also make the resulting dist-rpm filename match the
|
|
target arch.
|
|
- New config options to help controllers: FetchServerDescriptors
|
|
and FetchHidServDescriptors for whether to fetch server
|
|
info and hidserv info or let the controller do it, and
|
|
PublishServerDescriptor and PublishHidServDescriptors.
|
|
- Also let the controller set the __AllDirActionsPrivate config
|
|
option if you want all directory fetches/publishes to happen via
|
|
Tor (it assumes your controller bootstraps your circuits).
|
|
|
|
|
|
Changes in version 0.1.0.17 - 2006-02-17
|
|
o Crash bugfixes on 0.1.0.x:
|
|
- When servers with a non-zero DirPort came out of hibernation,
|
|
sometimes they would trigger an assert.
|
|
|
|
o Other important bugfixes:
|
|
- On platforms that don't have getrlimit (like Windows), we were
|
|
artificially constraining ourselves to a max of 1024
|
|
connections. Now just assume that we can handle as many as 15000
|
|
connections. Hopefully this won't cause other problems.
|
|
|
|
o Backported features:
|
|
- When we're a server, a client asks for an old-style directory,
|
|
and our write bucket is empty, don't give it to him. This way
|
|
small servers can continue to serve the directory *sometimes*,
|
|
without getting overloaded.
|
|
- Whenever you get a 503 in response to a directory fetch, try
|
|
once more. This will become important once servers start sending
|
|
503's whenever they feel busy.
|
|
- Fetch a new directory every 120 minutes, not every 40 minutes.
|
|
Now that we have hundreds of thousands of users running the old
|
|
directory algorithm, it's starting to hurt a lot.
|
|
- Bump up the period for forcing a hidden service descriptor upload
|
|
from 20 minutes to 1 hour.
|
|
|
|
|
|
Changes in version 0.1.1.13-alpha - 2006-02-09
|
|
o Crashes in 0.1.1.x:
|
|
- When you tried to setconf ORPort via the controller, Tor would
|
|
crash. So people using TorCP to become a server were sad.
|
|
- Solve (I hope) the stack-smashing bug that we were seeing on fast
|
|
servers. The problem appears to be something do with OpenSSL's
|
|
random number generation, or how we call it, or something. Let me
|
|
know if the crashes continue.
|
|
- Turn crypto hardware acceleration off by default, until we find
|
|
somebody smart who can test it for us. (It appears to produce
|
|
seg faults in at least some cases.)
|
|
- Fix a rare assert error when we've tried all intro points for
|
|
a hidden service and we try fetching the service descriptor again:
|
|
"Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed"
|
|
|
|
o Major fixes:
|
|
- Fix a major load balance bug: we were round-robining in 16 KB
|
|
chunks, and servers with bandwidthrate of 20 KB, while downloading
|
|
a 600 KB directory, would starve their other connections. Now we
|
|
try to be a bit more fair.
|
|
- Dir authorities and mirrors were never expiring the newest
|
|
descriptor for each server, causing memory and directory bloat.
|
|
- Fix memory-bloating and connection-bloating bug on servers: We
|
|
were never closing any connection that had ever had a circuit on
|
|
it, because we were checking conn->n_circuits == 0, yet we had a
|
|
bug that let it go negative.
|
|
- Make Tor work using squid as your http proxy again -- squid
|
|
returns an error if you ask for a URL that's too long, and it uses
|
|
a really generic error message. Plus, many people are behind a
|
|
transparent squid so they don't even realize it.
|
|
- On platforms that don't have getrlimit (like Windows), we were
|
|
artificially constraining ourselves to a max of 1024
|
|
connections. Now just assume that we can handle as many as 15000
|
|
connections. Hopefully this won't cause other problems.
|
|
- Add a new config option ExitPolicyRejectPrivate which defaults to
|
|
1. This means all exit policies will begin with rejecting private
|
|
addresses, unless the server operator explicitly turns it off.
|
|
|
|
o Major features:
|
|
- Clients no longer download descriptors for non-running
|
|
descriptors.
|
|
- Before we add new directory authorities, we should make it
|
|
clear that only v1 authorities should receive/publish hidden
|
|
service descriptors.
|
|
|
|
o Minor features:
|
|
- As soon as we've fetched some more directory info, immediately
|
|
try to download more server descriptors. This way we don't have
|
|
a 10 second pause during initial bootstrapping.
|
|
- Remove even more loud log messages that the server operator can't
|
|
do anything about.
|
|
- When we're running an obsolete or un-recommended version, make
|
|
the log message more clear about what the problem is and what
|
|
versions *are* still recommended.
|
|
- Provide a more useful warn message when our onion queue gets full:
|
|
the CPU is too slow or the exit policy is too liberal.
|
|
- Don't warn when we receive a 503 from a dirserver/cache -- this
|
|
will pave the way for them being able to refuse if they're busy.
|
|
- When we fail to bind a listener, try to provide a more useful
|
|
log message: e.g., "Is Tor already running?"
|
|
- Adjust tor-spec to parameterize cell and key lengths. Now Ian
|
|
Goldberg can prove things about our handshake protocol more
|
|
easily.
|
|
- MaxConn has been obsolete for a while now. Document the ConnLimit
|
|
config option, which is a *minimum* number of file descriptors
|
|
that must be available else Tor refuses to start.
|
|
- Apply Matt Ghali's --with-syslog-facility patch to ./configure
|
|
if you log to syslog and want something other than LOG_DAEMON.
|
|
- Make dirservers generate a separate "guard" flag to mean,
|
|
"would make a good entry guard". Make clients parse it and vote
|
|
on it. Not used by clients yet.
|
|
- Implement --with-libevent-dir option to ./configure. Also, improve
|
|
search techniques to find libevent, and use those for openssl too.
|
|
- Bump the default bandwidthrate to 3 MB, and burst to 6 MB
|
|
- Only start testing reachability once we've established a
|
|
circuit. This will make startup on dirservers less noisy.
|
|
- Don't try to upload hidden service descriptors until we have
|
|
established a circuit.
|
|
- Fix the controller's "attachstream 0" command to treat conn like
|
|
it just connected, doing address remapping, handling .exit and
|
|
.onion idioms, and so on. Now we're more uniform in making sure
|
|
that the controller hears about new and closing connections.
|
|
|
|
|
|
Changes in version 0.1.1.12-alpha - 2006-01-11
|
|
o Bugfixes on 0.1.1.x:
|
|
- The fix to close duplicate server connections was closing all
|
|
Tor client connections if they didn't establish a circuit
|
|
quickly enough. Oops.
|
|
- Fix minor memory issue (double-free) that happened on exit.
|
|
|
|
o Bugfixes on 0.1.0.x:
|
|
- Tor didn't warn when it failed to open a log file.
|
|
|
|
|
|
Changes in version 0.1.1.11-alpha - 2006-01-10
|
|
o Crashes in 0.1.1.x:
|
|
- Include all the assert/crash fixes from 0.1.0.16.
|
|
- If you start Tor and then quit very quickly, there were some
|
|
races that tried to free things that weren't allocated yet.
|
|
- Fix a rare memory stomp if you're running hidden services.
|
|
- Fix segfault when specifying DirServer in config without nickname.
|
|
- Fix a seg fault when you finish connecting to a server but at
|
|
that moment you dump his server descriptor.
|
|
- Extendcircuit and Attachstream controller commands would
|
|
assert/crash if you don't give them enough arguments.
|
|
- Fix an assert error when we're out of space in the connection_list
|
|
and we try to post a hidden service descriptor (reported by weasel).
|
|
- If you specify a relative torrc path and you set RunAsDaemon in
|
|
your torrc, then it chdir()'s to the new directory. If you HUP,
|
|
it tries to load the new torrc location, fails, and exits.
|
|
The fix: no longer allow a relative path to torrc using -f.
|
|
|
|
o Major features:
|
|
- Implement "entry guards": automatically choose a handful of entry
|
|
nodes and stick with them for all circuits. Only pick new guards
|
|
when the ones you have are unsuitable, and if the old guards
|
|
become suitable again, switch back. This will increase security
|
|
dramatically against certain end-point attacks. The EntryNodes
|
|
config option now provides some hints about which entry guards you
|
|
want to use most; and StrictEntryNodes means to only use those.
|
|
- New directory logic: download by descriptor digest, not by
|
|
fingerprint. Caches try to download all listed digests from
|
|
authorities; clients try to download "best" digests from caches.
|
|
This avoids partitioning and isolating attacks better.
|
|
- Make the "stable" router flag in network-status be the median of
|
|
the uptimes of running valid servers, and make clients pay
|
|
attention to the network-status flags. Thus the cutoff adapts
|
|
to the stability of the network as a whole, making IRC, IM, etc
|
|
connections more reliable.
|
|
|
|
o Major fixes:
|
|
- Tor servers with dynamic IP addresses were needing to wait 18
|
|
hours before they could start doing reachability testing using
|
|
the new IP address and ports. This is because they were using
|
|
the internal descriptor to learn what to test, yet they were only
|
|
rebuilding the descriptor once they decided they were reachable.
|
|
- Tor 0.1.1.9 and 0.1.1.10 had a serious bug that caused clients
|
|
to download certain server descriptors, throw them away, and then
|
|
fetch them again after 30 minutes. Now mirrors throw away these
|
|
server descriptors so clients can't get them.
|
|
- We were leaving duplicate connections to other ORs open for a week,
|
|
rather than closing them once we detect a duplicate. This only
|
|
really affected authdirservers, but it affected them a lot.
|
|
- Spread the authdirservers' reachability testing over the entire
|
|
testing interval, so we don't try to do 500 TLS's at once every
|
|
20 minutes.
|
|
|
|
o Minor fixes:
|
|
- If the network is down, and we try to connect to a conn because
|
|
we have a circuit in mind, and we timeout (30 seconds) because the
|
|
network never answers, we were expiring the circuit, but we weren't
|
|
obsoleting the connection or telling the entry_guards functions.
|
|
- Some Tor servers process billions of cells per day. These statistics
|
|
need to be uint64_t's.
|
|
- Check for integer overflows in more places, when adding elements
|
|
to smartlists. This could possibly prevent a buffer overflow
|
|
on malicious huge inputs. I don't see any, but I haven't looked
|
|
carefully.
|
|
- ReachableAddresses kept growing new "reject *:*" lines on every
|
|
setconf/reload.
|
|
- When you "setconf log" via the controller, it should remove all
|
|
logs. We were automatically adding back in a "log notice stdout".
|
|
- Newly bootstrapped Tor networks couldn't establish hidden service
|
|
circuits until they had nodes with high uptime. Be more tolerant.
|
|
- We were marking servers down when they could not answer every piece
|
|
of the directory request we sent them. This was far too harsh.
|
|
- Fix the torify (tsocks) config file to not use Tor for localhost
|
|
connections.
|
|
- Directory authorities now go to the proper authority when asking for
|
|
a networkstatus, even when they want a compressed one.
|
|
- Fix a harmless bug that was causing Tor servers to log
|
|
"Got an end because of misc error, but we're not an AP. Closing."
|
|
- Authorities were treating their own descriptor changes as cosmetic,
|
|
meaning the descriptor available in the network-status and the
|
|
descriptor that clients downloaded were different.
|
|
- The OS X installer was adding a symlink for tor_resolve but
|
|
the binary was called tor-resolve (reported by Thomas Hardly).
|
|
- Workaround a problem with some http proxies where they refuse GET
|
|
requests that specify "Content-Length: 0" (reported by Adrian).
|
|
- Fix wrong log message when you add a "HiddenServiceNodes" config
|
|
line without any HiddenServiceDir line (reported by Chris Thomas).
|
|
|
|
o Minor features:
|
|
- Write the TorVersion into the state file so we have a prayer of
|
|
keeping forward and backward compatibility.
|
|
- Revive the FascistFirewall config option rather than eliminating it:
|
|
now it's a synonym for ReachableAddresses *:80,*:443.
|
|
- Clients choose directory servers from the network status lists,
|
|
not from their internal list of router descriptors. Now they can
|
|
go to caches directly rather than needing to go to authorities
|
|
to bootstrap.
|
|
- Directory authorities ignore router descriptors that have only
|
|
cosmetic differences: do this for 0.1.0.x servers now too.
|
|
- Add a new flag to network-status indicating whether the server
|
|
can answer v2 directory requests too.
|
|
- Authdirs now stop whining so loudly about bad descriptors that
|
|
they fetch from other dirservers. So when there's a log complaint,
|
|
it's for sure from a freshly uploaded descriptor.
|
|
- Reduce memory requirements in our structs by changing the order
|
|
of fields.
|
|
- There used to be two ways to specify your listening ports in a
|
|
server descriptor: on the "router" line and with a separate "ports"
|
|
line. Remove support for the "ports" line.
|
|
- New config option "AuthDirRejectUnlisted" for auth dirservers as
|
|
a panic button: if we get flooded with unusable servers we can
|
|
revert to only listing servers in the approved-routers file.
|
|
- Auth dir servers can now mark a fingerprint as "!reject" or
|
|
"!invalid" in the approved-routers file (as its nickname), to
|
|
refuse descriptors outright or include them but marked as invalid.
|
|
- Servers store bandwidth history across restarts/crashes.
|
|
- Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can
|
|
get a better idea of why their circuits failed. Not used yet.
|
|
- Directory mirrors now cache up to 16 unrecognized network-status
|
|
docs. Now we can add new authdirservers and they'll be cached too.
|
|
- When picking a random directory, prefer non-authorities if any
|
|
are known.
|
|
- New controller option "getinfo desc/all-recent" to fetch the
|
|
latest server descriptor for every router that Tor knows about.
|
|
|
|
|
|
Changes in version 0.1.0.16 - 2006-01-02
|
|
o Crash bugfixes on 0.1.0.x:
|
|
- On Windows, build with a libevent patch from "I-M Weasel" to avoid
|
|
corrupting the heap, losing FDs, or crashing when we need to resize
|
|
the fd_sets. (This affects the Win32 binaries, not Tor's sources.)
|
|
- It turns out sparc64 platforms crash on unaligned memory access
|
|
too -- so detect and avoid this.
|
|
- Handle truncated compressed data correctly (by detecting it and
|
|
giving an error).
|
|
- Fix possible-but-unlikely free(NULL) in control.c.
|
|
- When we were closing connections, there was a rare case that
|
|
stomped on memory, triggering seg faults and asserts.
|
|
- Avoid potential infinite recursion when building a descriptor. (We
|
|
don't know that it ever happened, but better to fix it anyway.)
|
|
- We were neglecting to unlink marked circuits from soon-to-close OR
|
|
connections, which caused some rare scribbling on freed memory.
|
|
- Fix a memory stomping race bug when closing the joining point of two
|
|
rendezvous circuits.
|
|
- Fix an assert in time parsing found by Steven Murdoch.
|
|
|
|
o Other bugfixes on 0.1.0.x:
|
|
- When we're doing reachability testing, provide more useful log
|
|
messages so the operator knows what to expect.
|
|
- Do not check whether DirPort is reachable when we are suppressing
|
|
advertising it because of hibernation.
|
|
- When building with -static or on Solaris, we sometimes needed -ldl.
|
|
- When we're deciding whether a stream has enough circuits around
|
|
that can handle it, count the freshly dirty ones and not the ones
|
|
that are so dirty they won't be able to handle it.
|
|
- When we're expiring old circuits, we had a logic error that caused
|
|
us to close new rendezvous circuits rather than old ones.
|
|
- Give a more helpful log message when you try to change ORPort via
|
|
the controller: you should upgrade Tor if you want that to work.
|
|
- We were failing to parse Tor versions that start with "Tor ".
|
|
- Tolerate faulty streams better: when a stream fails for reason
|
|
exitpolicy, stop assuming that the router is lying about his exit
|
|
policy. When a stream fails for reason misc, allow it to retry just
|
|
as if it was resolvefailed. When a stream has failed three times,
|
|
reset its failure count so we can try again and get all three tries.
|
|
|
|
|
|
Changes in version 0.1.1.10-alpha - 2005-12-11
|
|
o Correctness bugfixes on 0.1.0.x:
|
|
- On Windows, build with a libevent patch from "I-M Weasel" to avoid
|
|
corrupting the heap, losing FDs, or crashing when we need to resize
|
|
the fd_sets. (This affects the Win32 binaries, not Tor's sources.)
|
|
- Stop doing the complex voodoo overkill checking for insecure
|
|
Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy.
|
|
- When we were closing connections, there was a rare case that
|
|
stomped on memory, triggering seg faults and asserts.
|
|
- We were neglecting to unlink marked circuits from soon-to-close OR
|
|
connections, which caused some rare scribbling on freed memory.
|
|
- When we're deciding whether a stream has enough circuits around
|
|
that can handle it, count the freshly dirty ones and not the ones
|
|
that are so dirty they won't be able to handle it.
|
|
- Recover better from TCP connections to Tor servers that are
|
|
broken but don't tell you (it happens!); and rotate TLS
|
|
connections once a week.
|
|
- When we're expiring old circuits, we had a logic error that caused
|
|
us to close new rendezvous circuits rather than old ones.
|
|
- Fix a scary-looking but apparently harmless bug where circuits
|
|
would sometimes start out in state CIRCUIT_STATE_OR_WAIT at
|
|
servers, and never switch to state CIRCUIT_STATE_OPEN.
|
|
- When building with -static or on Solaris, we sometimes needed to
|
|
build with -ldl.
|
|
- Give a useful message when people run Tor as the wrong user,
|
|
rather than telling them to start chowning random directories.
|
|
- We were failing to inform the controller about new .onion streams.
|
|
|
|
o Security bugfixes on 0.1.0.x:
|
|
- Refuse server descriptors if the fingerprint line doesn't match
|
|
the included identity key. Tor doesn't care, but other apps (and
|
|
humans) might actually be trusting the fingerprint line.
|
|
- We used to kill the circuit when we receive a relay command we
|
|
don't recognize. Now we just drop it.
|
|
- Start obeying our firewall options more rigorously:
|
|
. If we can't get to a dirserver directly, try going via Tor.
|
|
. Don't ever try to connect (as a client) to a place our
|
|
firewall options forbid.
|
|
. If we specify a proxy and also firewall options, obey the
|
|
firewall options even when we're using the proxy: some proxies
|
|
can only proxy to certain destinations.
|
|
- Fix a bug found by Lasse Overlier: when we were making internal
|
|
circuits (intended to be cannibalized later for rendezvous and
|
|
introduction circuits), we were picking them so that they had
|
|
useful exit nodes. There was no need for this, and it actually
|
|
aids some statistical attacks.
|
|
- Start treating internal circuits and exit circuits separately.
|
|
It's important to keep them separate because internal circuits
|
|
have their last hops picked like middle hops, rather than like
|
|
exit hops. So exiting on them will break the user's expectations.
|
|
|
|
o Bugfixes on 0.1.1.x:
|
|
- Take out the mis-feature where we tried to detect IP address
|
|
flapping for people with DynDNS, and chose not to upload a new
|
|
server descriptor sometimes.
|
|
- Try to be compatible with OpenSSL 0.9.6 again.
|
|
- Log fix: when the controller is logging about .onion addresses,
|
|
sometimes it didn't include the ".onion" part of the address.
|
|
- Don't try to modify options->DirServers internally -- if the
|
|
user didn't specify any, just add the default ones directly to
|
|
the trusted dirserver list. This fixes a bug where people running
|
|
controllers would use SETCONF on some totally unrelated config
|
|
option, and Tor would start yelling at them about changing their
|
|
DirServer lines.
|
|
- Let the controller's redirectstream command specify a port, in
|
|
case the controller wants to change that too.
|
|
- When we requested a pile of server descriptors, we sometimes
|
|
accidentally launched a duplicate request for the first one.
|
|
- Bugfix for trackhostexits: write down the fingerprint of the
|
|
chosen exit, not its nickname, because the chosen exit might not
|
|
be verified.
|
|
- When parsing foo.exit, if foo is unknown, and we are leaving
|
|
circuits unattached, set the chosen_exit field and leave the
|
|
address empty. This matters because controllers got confused
|
|
otherwise.
|
|
- Directory authorities no longer try to download server
|
|
descriptors that they know they will reject.
|
|
|
|
o Features and updates:
|
|
- Replace balanced trees with hash tables: this should make stuff
|
|
significantly faster.
|
|
- Resume using the AES counter-mode implementation that we ship,
|
|
rather than OpenSSL's. Ours is significantly faster.
|
|
- Many other CPU and memory improvements.
|
|
- Add a new config option FastFirstHopPK (on by default) so clients
|
|
do a trivial crypto handshake for their first hop, since TLS has
|
|
already taken care of confidentiality and authentication.
|
|
- Add a new config option TestSocks so people can see if their
|
|
applications are using socks4, socks4a, socks5-with-ip, or
|
|
socks5-with-hostname. This way they don't have to keep mucking
|
|
with tcpdump and wondering if something got cached somewhere.
|
|
- Warn when listening on a public address for socks. I suspect a
|
|
lot of people are setting themselves up as open socks proxies,
|
|
and they have no idea that jerks on the Internet are using them,
|
|
since they simply proxy the traffic into the Tor network.
|
|
- Add "private:*" as an alias in configuration for policies. Now
|
|
you can simplify your exit policy rather than needing to list
|
|
every single internal or nonroutable network space.
|
|
- Add a new controller event type that allows controllers to get
|
|
all server descriptors that were uploaded to a router in its role
|
|
as authoritative dirserver.
|
|
- Start shipping socks-extensions.txt, tor-doc-unix.html,
|
|
tor-doc-server.html, and stylesheet.css in the tarball.
|
|
- Stop shipping tor-doc.html in the tarball.
|
|
|
|
|
|
Changes in version 0.1.1.9-alpha - 2005-11-15
|
|
o Usability improvements:
|
|
- Start calling it FooListenAddress rather than FooBindAddress,
|
|
since few of our users know what it means to bind an address
|
|
or port.
|
|
- Reduce clutter in server logs. We're going to try to make
|
|
them actually usable now. New config option ProtocolWarnings that
|
|
lets you hear about how _other Tors_ are breaking the protocol. Off
|
|
by default.
|
|
- Divide log messages into logging domains. Once we put some sort
|
|
of interface on this, it will let people looking at more verbose
|
|
log levels specify the topics they want to hear more about.
|
|
- Make directory servers return better http 404 error messages
|
|
instead of a generic "Servers unavailable".
|
|
- Check for even more Windows version flags when writing the platform
|
|
string in server descriptors, and note any we don't recognize.
|
|
- Clean up more of the OpenSSL memory when exiting, so we can detect
|
|
memory leaks better.
|
|
- Make directory authorities be non-versioning, non-naming by
|
|
default. Now we can add new directory servers without requiring
|
|
their operators to pay close attention.
|
|
- When logging via syslog, include the pid whenever we provide
|
|
a log entry. Suggested by Todd Fries.
|
|
|
|
o Performance improvements:
|
|
- Directory servers now silently throw away new descriptors that
|
|
haven't changed much if the timestamps are similar. We do this to
|
|
tolerate older Tor servers that upload a new descriptor every 15
|
|
minutes. (It seemed like a good idea at the time.)
|
|
- Inline bottleneck smartlist functions; use fast versions by default.
|
|
- Add a "Map from digest to void*" abstraction digestmap_t so we
|
|
can do less hex encoding/decoding. Use it in router_get_by_digest()
|
|
to resolve a performance bottleneck.
|
|
- Allow tor_gzip_uncompress to extract as much as possible from
|
|
truncated compressed data. Try to extract as many
|
|
descriptors as possible from truncated http responses (when
|
|
DIR_PURPOSE_FETCH_ROUTERDESC).
|
|
- Make circ->onionskin a pointer, not a static array. moria2 was using
|
|
125000 circuit_t's after it had been up for a few weeks, which
|
|
translates to 20+ megs of wasted space.
|
|
- The private half of our EDH handshake keys are now chosen out
|
|
of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.)
|
|
|
|
o Security improvements:
|
|
- Start making directory caches retain old routerinfos, so soon
|
|
clients can start asking by digest of descriptor rather than by
|
|
fingerprint of server.
|
|
- Add half our entropy from RAND_poll in OpenSSL. This knows how
|
|
to use egd (if present), openbsd weirdness (if present), vms/os2
|
|
weirdness (if we ever port there), and more in the future.
|
|
|
|
o Bugfixes on 0.1.0.x:
|
|
- Do round-robin writes of at most 16 kB per write. This might be
|
|
more fair on loaded Tor servers, and it might resolve our Windows
|
|
crash bug. It might also slow things down.
|
|
- Our TLS handshakes were generating a single public/private
|
|
keypair for the TLS context, rather than making a new one for
|
|
each new connections. Oops. (But we were still rotating them
|
|
periodically, so it's not so bad.)
|
|
- When we were cannibalizing a circuit with a particular exit
|
|
node in mind, we weren't checking to see if that exit node was
|
|
already present earlier in the circuit. Oops.
|
|
- When a Tor server's IP changes (e.g. from a dyndns address),
|
|
upload a new descriptor so clients will learn too.
|
|
- Really busy servers were keeping enough circuits open on stable
|
|
connections that they were wrapping around the circuit_id
|
|
space. (It's only two bytes.) This exposed a bug where we would
|
|
feel free to reuse a circuit_id even if it still exists but has
|
|
been marked for close. Try to fix this bug. Some bug remains.
|
|
- If we would close a stream early (e.g. it asks for a .exit that
|
|
we know would refuse it) but the LeaveStreamsUnattached config
|
|
option is set by the controller, then don't close it.
|
|
|
|
o Bugfixes on 0.1.1.8-alpha:
|
|
- Fix a big pile of memory leaks, some of them serious.
|
|
- Do not try to download a routerdesc if we would immediately reject
|
|
it as obsolete.
|
|
- Resume inserting a newline between all router descriptors when
|
|
generating (old style) signed directories, since our spec says
|
|
we do.
|
|
- When providing content-type application/octet-stream for
|
|
server descriptors using .z, we were leaving out the
|
|
content-encoding header. Oops. (Everything tolerated this just
|
|
fine, but that doesn't mean we need to be part of the problem.)
|
|
- Fix a potential seg fault in getconf and getinfo using version 1
|
|
of the controller protocol.
|
|
- Avoid crash: do not check whether DirPort is reachable when we
|
|
are suppressing it because of hibernation.
|
|
- Make --hash-password not crash on exit.
|
|
|
|
|
|
Changes in version 0.1.1.8-alpha - 2005-10-07
|
|
o New features (major):
|
|
- Clients don't download or use the directory anymore. Now they
|
|
download and use network-statuses from the trusted dirservers,
|
|
and fetch individual server descriptors as needed from mirrors.
|
|
See dir-spec.txt for all the gory details.
|
|
- Be more conservative about whether to advertise our DirPort.
|
|
The main change is to not advertise if we're running at capacity
|
|
and either a) we could hibernate or b) our capacity is low and
|
|
we're using a default DirPort.
|
|
- Use OpenSSL's AES when OpenSSL has version 0.9.7 or later.
|
|
|
|
o New features (minor):
|
|
- Try to be smart about when to retry network-status and
|
|
server-descriptor fetches. Still needs some tuning.
|
|
- Stop parsing, storing, or using running-routers output (but
|
|
mirrors still cache and serve it).
|
|
- Consider a threshold of versioning dirservers (dirservers who have
|
|
an opinion about which Tor versions are still recommended) before
|
|
deciding whether to warn the user that he's obsolete.
|
|
- Dirservers can now reject/invalidate by key and IP, with the
|
|
config options "AuthDirInvalid" and "AuthDirReject". This is
|
|
useful since currently we automatically list servers as running
|
|
and usable even if we know they're jerks.
|
|
- Provide dire warnings to any users who set DirServer; move it out
|
|
of torrc.sample and into torrc.complete.
|
|
- Add MyFamily to torrc.sample in the server section.
|
|
- Add nicknames to the DirServer line, so we can refer to them
|
|
without requiring all our users to memorize their IP addresses.
|
|
- When we get an EOF or a timeout on a directory connection, note
|
|
how many bytes of serverdesc we are dropping. This will help
|
|
us determine whether it is smart to parse incomplete serverdesc
|
|
responses.
|
|
- Add a new function to "change pseudonyms" -- that is, to stop
|
|
using any currently-dirty circuits for new streams, so we don't
|
|
link new actions to old actions. Currently it's only called on
|
|
HUP (or SIGNAL RELOAD).
|
|
- On sighup, if UseHelperNodes changed to 1, use new circuits.
|
|
- Start using RAND_bytes rather than RAND_pseudo_bytes from
|
|
OpenSSL. Also, reseed our entropy every hour, not just at
|
|
startup. And entropy in 512-bit chunks, not 160-bit chunks.
|
|
|
|
o Fixes on 0.1.1.7-alpha:
|
|
- Nobody ever implemented EVENT_ADDRMAP for control protocol
|
|
version 0, so don't let version 0 controllers ask for it.
|
|
- If you requested something with too many newlines via the
|
|
v1 controller protocol, you could crash tor.
|
|
- Fix a number of memory leaks, including some pretty serious ones.
|
|
- Re-enable DirPort testing again, so Tor servers will be willing
|
|
to advertise their DirPort if it's reachable.
|
|
- On TLS handshake, only check the other router's nickname against
|
|
its expected nickname if is_named is set.
|
|
|
|
o Fixes forward-ported from 0.1.0.15:
|
|
- Don't crash when we don't have any spare file descriptors and we
|
|
try to spawn a dns or cpu worker.
|
|
- Make the numbers in read-history and write-history into uint64s,
|
|
so they don't overflow and publish negatives in the descriptor.
|
|
|
|
o Fixes on 0.1.0.x:
|
|
- For the OS X package's modified privoxy config file, comment
|
|
out the "logfile" line so we don't log everything passed
|
|
through privoxy.
|
|
- We were whining about using socks4 or socks5-with-local-lookup
|
|
even when it's an IP in the "virtual" range we designed exactly
|
|
for this case.
|
|
- We were leaking some memory every time the client changes IPs.
|
|
- Never call free() on tor_malloc()d memory. This will help us
|
|
use dmalloc to detect memory leaks.
|
|
- Check for named servers when looking them up by nickname;
|
|
warn when we'recalling a non-named server by its nickname;
|
|
don't warn twice about the same name.
|
|
- Try to list MyFamily elements by key, not by nickname, and warn
|
|
if we've not heard of the server.
|
|
- Make windows platform detection (uname equivalent) smarter.
|
|
- It turns out sparc64 doesn't like unaligned access either.
|
|
|
|
|
|
Changes in version 0.1.0.15 - 2005-09-23
|
|
o Bugfixes on 0.1.0.x:
|
|
- Reject ports 465 and 587 (spam targets) in default exit policy.
|
|
- Don't crash when we don't have any spare file descriptors and we
|
|
try to spawn a dns or cpu worker.
|
|
- Get rid of IgnoreVersion undocumented config option, and make us
|
|
only warn, never exit, when we're running an obsolete version.
|
|
- Don't try to print a null string when your server finds itself to
|
|
be unreachable and the Address config option is empty.
|
|
- Make the numbers in read-history and write-history into uint64s,
|
|
so they don't overflow and publish negatives in the descriptor.
|
|
- Fix a minor memory leak in smartlist_string_remove().
|
|
- We were only allowing ourselves to upload a server descriptor at
|
|
most every 20 minutes, even if it changed earlier than that.
|
|
- Clean up log entries that pointed to old URLs.
|
|
|
|
|
|
Changes in version 0.1.1.7-alpha - 2005-09-14
|
|
o Fixes on 0.1.1.6-alpha:
|
|
- Exit servers were crashing when people asked them to make a
|
|
connection to an address not in their exit policy.
|
|
- Looking up a non-existent stream for a v1 control connection would
|
|
cause a segfault.
|
|
- Fix a seg fault if we ask a dirserver for a descriptor by
|
|
fingerprint but he doesn't know about him.
|
|
- SETCONF was appending items to linelists, not clearing them.
|
|
- SETCONF SocksBindAddress killed Tor if it fails to bind. Now back
|
|
out and refuse the setconf if it would fail.
|
|
- Downgrade the dirserver log messages when whining about
|
|
unreachability.
|
|
|
|
o New features:
|
|
- Add Peter Palfrader's check-tor script to tor/contrib/
|
|
It lets you easily check whether a given server (referenced by
|
|
nickname) is reachable by you.
|
|
- Numerous changes to move towards client-side v2 directories. Not
|
|
enabled yet.
|
|
|
|
o Fixes on 0.1.0.x:
|
|
- If the user gave tor an odd number of command-line arguments,
|
|
we were silently ignoring the last one. Now we complain and fail.
|
|
[This wins the oldest-bug prize -- this bug has been present since
|
|
November 2002, as released in Tor 0.0.0.]
|
|
- Do not use unaligned memory access on alpha, mips, or mipsel.
|
|
It *works*, but is very slow, so we treat them as if it doesn't.
|
|
- Retry directory requests if we fail to get an answer we like
|
|
from a given dirserver (we were retrying before, but only if
|
|
we fail to connect).
|
|
- When writing the RecommendedVersions line, sort them first.
|
|
- When the client asked for a rendezvous port that the hidden
|
|
service didn't want to provide, we were sending an IP address
|
|
back along with the end cell. Fortunately, it was zero. But stop
|
|
that anyway.
|
|
- Correct "your server is reachable" log entries to indicate that
|
|
it was self-testing that told us so.
|
|
|
|
|
|
Changes in version 0.1.1.6-alpha - 2005-09-09
|
|
o Fixes on 0.1.1.5-alpha:
|
|
- We broke fascistfirewall in 0.1.1.5-alpha. Oops.
|
|
- Fix segfault in unit tests in 0.1.1.5-alpha. Oops.
|
|
- Fix bug with tor_memmem finding a match at the end of the string.
|
|
- Make unit tests run without segfaulting.
|
|
- Resolve some solaris x86 compile warnings.
|
|
- Handle duplicate lines in approved-routers files without warning.
|
|
- Fix bug where as soon as a server refused any requests due to his
|
|
exit policy (e.g. when we ask for localhost and he tells us that's
|
|
127.0.0.1 and he won't do it), we decided he wasn't obeying his
|
|
exit policy using him for any exits.
|
|
- Only do openssl hardware accelerator stuff if openssl version is
|
|
at least 0.9.7.
|
|
|
|
o New controller features/fixes:
|
|
- Add a "RESETCONF" command so you can set config options like
|
|
AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give
|
|
a config option in the torrc with no value, then it clears it
|
|
entirely (rather than setting it to its default).
|
|
- Add a "GETINFO config-file" to tell us where torrc is.
|
|
- Avoid sending blank lines when GETINFO replies should be empty.
|
|
- Add a QUIT command for the controller (for using it manually).
|
|
- Fix a bug in SAVECONF that was adding default dirservers and
|
|
other redundant entries to the torrc file.
|
|
|
|
o Start on the new directory design:
|
|
- Generate, publish, cache, serve new network-status format.
|
|
- Publish individual descriptors (by fingerprint, by "all", and by
|
|
"tell me yours").
|
|
- Publish client and server recommended versions separately.
|
|
- Allow tor_gzip_uncompress() to handle multiple concatenated
|
|
compressed strings. Serve compressed groups of router
|
|
descriptors. The compression logic here could be more
|
|
memory-efficient.
|
|
- Distinguish v1 authorities (all currently trusted directories)
|
|
from v2 authorities (all trusted directories).
|
|
- Change DirServers config line to note which dirs are v1 authorities.
|
|
- Add configuration option "V1AuthoritativeDirectory 1" which
|
|
moria1, moria2, and tor26 should set.
|
|
- Remove option when getting directory cache to see whether they
|
|
support running-routers; they all do now. Replace it with one
|
|
to see whether caches support v2 stuff.
|
|
|
|
o New features:
|
|
- Dirservers now do their own external reachability testing of each
|
|
Tor server, and only list them as running if they've been found to
|
|
be reachable. We also send back warnings to the server's logs if
|
|
it uploads a descriptor that we already believe is unreachable.
|
|
- Implement exit enclaves: if we know an IP address for the
|
|
destination, and there's a running Tor server at that address
|
|
which allows exit to the destination, then extend the circuit to
|
|
that exit first. This provides end-to-end encryption and end-to-end
|
|
authentication. Also, if the user wants a .exit address or enclave,
|
|
use 4 hops rather than 3, and cannibalize a general circ for it
|
|
if you can.
|
|
- Permit transitioning from ORPort=0 to ORPort!=0, and back, from the
|
|
controller. Also, rotate dns and cpu workers if the controller
|
|
changes options that will affect them; and initialize the dns
|
|
worker cache tree whether or not we start out as a server.
|
|
- Only upload a new server descriptor when options change, 18
|
|
hours have passed, uptime is reset, or bandwidth changes a lot.
|
|
- Check [X-]Forwarded-For headers in HTTP requests when generating
|
|
log messages. This lets people run dirservers (and caches) behind
|
|
Apache but still know which IP addresses are causing warnings.
|
|
|
|
o Config option changes:
|
|
- Replace (Fascist)Firewall* config options with a new
|
|
ReachableAddresses option that understands address policies.
|
|
For example, "ReachableAddresses *:80,*:443"
|
|
- Get rid of IgnoreVersion undocumented config option, and make us
|
|
only warn, never exit, when we're running an obsolete version.
|
|
- Make MonthlyAccountingStart config option truly obsolete now.
|
|
|
|
o Fixes on 0.1.0.x:
|
|
- Reject ports 465 and 587 in the default exit policy, since
|
|
people have started using them for spam too.
|
|
- It turns out we couldn't bootstrap a network since we added
|
|
reachability detection in 0.1.0.1-rc. Good thing the Tor network
|
|
has never gone down. Add an AssumeReachable config option to let
|
|
servers and dirservers bootstrap. When we're trying to build a
|
|
high-uptime or high-bandwidth circuit but there aren't enough
|
|
suitable servers, try being less picky rather than simply failing.
|
|
- Our logic to decide if the OR we connected to was the right guy
|
|
was brittle and maybe open to a mitm for unverified routers.
|
|
- We weren't cannibalizing circuits correctly for
|
|
CIRCUIT_PURPOSE_C_ESTABLISH_REND and
|
|
CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to
|
|
build those from scratch. This should make hidden services faster.
|
|
- Predict required circuits better, with an eye toward making hidden
|
|
services faster on the service end.
|
|
- Retry streams if the exit node sends back a 'misc' failure. This
|
|
should result in fewer random failures. Also, after failing
|
|
from resolve failed or misc, reset the num failures, so we give
|
|
it a fair shake next time we try.
|
|
- Clean up the rendezvous warn log msgs, and downgrade some to info.
|
|
- Reduce severity on logs about dns worker spawning and culling.
|
|
- When we're shutting down and we do something like try to post a
|
|
server descriptor or rendezvous descriptor, don't complain that
|
|
we seem to be unreachable. Of course we are, we're shutting down.
|
|
- Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells.
|
|
We don't use them yet, but maybe one day our DNS resolver will be
|
|
able to discover them.
|
|
- Make ContactInfo mandatory for authoritative directory servers.
|
|
- Require server descriptors to list IPv4 addresses -- hostnames
|
|
are no longer allowed. This also fixes some potential security
|
|
problems with people providing hostnames as their address and then
|
|
preferentially resolving them to partition users.
|
|
- Change log line for unreachability to explicitly suggest /etc/hosts
|
|
as the culprit. Also make it clearer what IP address and ports we're
|
|
testing for reachability.
|
|
- Put quotes around user-supplied strings when logging so users are
|
|
more likely to realize if they add bad characters (like quotes)
|
|
to the torrc.
|
|
- Let auth dir servers start without specifying an Address config
|
|
option.
|
|
- Make unit tests (and other invocations that aren't the real Tor)
|
|
run without launching listeners, creating subdirectories, and so on.
|
|
|
|
|
|
Changes in version 0.1.1.5-alpha - 2005-08-08
|
|
o Bugfixes included in 0.1.0.14.
|
|
|
|
o Bugfixes on 0.1.0.x:
|
|
- If you write "HiddenServicePort 6667 127.0.0.1 6668" in your
|
|
torrc rather than "HiddenServicePort 6667 127.0.0.1:6668",
|
|
it would silently using ignore the 6668.
|
|
|
|
|
|
Changes in version 0.1.0.14 - 2005-08-08
|
|
o Bugfixes on 0.1.0.x:
|
|
- Fix the other half of the bug with crypto handshakes
|
|
(CVE-2005-2643).
|
|
- Fix an assert trigger if you send a 'signal term' via the
|
|
controller when it's listening for 'event info' messages.
|
|
|
|
|
|
Changes in version 0.1.1.4-alpha - 2005-08-04
|
|
o Bugfixes included in 0.1.0.13.
|
|
|
|
o Features:
|
|
- Improve tor_gettimeofday() granularity on windows.
|
|
- Make clients regenerate their keys when their IP address changes.
|
|
- Implement some more GETINFO goodness: expose helper nodes, config
|
|
options, getinfo keys.
|
|
|
|
|
|
Changes in version 0.1.0.13 - 2005-08-04
|
|
o Bugfixes on 0.1.0.x:
|
|
- Fix a critical bug in the security of our crypto handshakes.
|
|
- Fix a size_t underflow in smartlist_join_strings2() that made
|
|
it do bad things when you hand it an empty smartlist.
|
|
- Fix Windows installer to ship Tor license (thanks to Aphex for
|
|
pointing out this oversight) and put a link to the doc directory
|
|
in the start menu.
|
|
- Explicitly set no-unaligned-access for sparc: it turns out the
|
|
new gcc's let you compile broken code, but that doesn't make it
|
|
not-broken.
|
|
|
|
|
|
Changes in version 0.1.1.3-alpha - 2005-07-23
|
|
o Bugfixes on 0.1.1.2-alpha:
|
|
- Fix a bug in handling the controller's "post descriptor"
|
|
function.
|
|
- Fix several bugs in handling the controller's "extend circuit"
|
|
function.
|
|
- Fix a bug in handling the controller's "stream status" event.
|
|
- Fix an assert failure if we have a controller listening for
|
|
circuit events and we go offline.
|
|
- Re-allow hidden service descriptors to publish 0 intro points.
|
|
- Fix a crash when generating your hidden service descriptor if
|
|
you don't have enough intro points already.
|
|
|
|
o New features on 0.1.1.2-alpha:
|
|
- New controller function "getinfo accounting", to ask how
|
|
many bytes we've used in this time period.
|
|
- Experimental support for helper nodes: a lot of the risk from
|
|
a small static adversary comes because users pick new random
|
|
nodes every time they rebuild a circuit. Now users will try to
|
|
stick to the same small set of entry nodes if they can. Not
|
|
enabled by default yet.
|
|
|
|
o Bugfixes on 0.1.0.12:
|
|
- If you're an auth dir server, always publish your dirport,
|
|
even if you haven't yet found yourself to be reachable.
|
|
- Fix a size_t underflow in smartlist_join_strings2() that made
|
|
it do bad things when you hand it an empty smartlist.
|
|
|
|
|
|
Changes in version 0.1.0.12 - 2005-07-18
|
|
o New directory servers:
|
|
- tor26 has changed IP address.
|
|
|
|
o Bugfixes on 0.1.0.x:
|
|
- Fix a possible double-free in tor_gzip_uncompress().
|
|
- When --disable-threads is set, do not search for or link against
|
|
pthreads libraries.
|
|
- Don't trigger an assert if an authoritative directory server
|
|
claims its dirport is 0.
|
|
- Fix bug with removing Tor as an NT service: some people were
|
|
getting "The service did not return an error." Thanks to Matt
|
|
Edman for the fix.
|
|
|
|
|
|
Changes in version 0.1.1.2-alpha - 2005-07-15
|
|
o New directory servers:
|
|
- tor26 has changed IP address.
|
|
|
|
o Bugfixes on 0.1.0.x, crashes/leaks:
|
|
- Port the servers-not-obeying-their-exit-policies fix from
|
|
0.1.0.11.
|
|
- Fix an fd leak in start_daemon().
|
|
- On Windows, you can't always reopen a port right after you've
|
|
closed it. So change retry_listeners() to only close and re-open
|
|
ports that have changed.
|
|
- Fix a possible double-free in tor_gzip_uncompress().
|
|
|
|
o Bugfixes on 0.1.0.x, usability:
|
|
- When tor_socketpair() fails in Windows, give a reasonable
|
|
Windows-style errno back.
|
|
- Let people type "tor --install" as well as "tor -install" when
|
|
they
|
|
want to make it an NT service.
|
|
- NT service patch from Matt Edman to improve error messages.
|
|
- When the controller asks for a config option with an abbreviated
|
|
name, give the full name in our response.
|
|
- Correct the man page entry on TrackHostExitsExpire.
|
|
- Looks like we were never delivering deflated (i.e. compressed)
|
|
running-routers lists, even when asked. Oops.
|
|
- When --disable-threads is set, do not search for or link against
|
|
pthreads libraries.
|
|
|
|
o Bugfixes on 0.1.1.x:
|
|
- Fix a seg fault with autodetecting which controller version is
|
|
being used.
|
|
|
|
o Features:
|
|
- New hidden service descriptor format: put a version in it, and
|
|
let people specify introduction/rendezvous points that aren't
|
|
in "the directory" (which is subjective anyway).
|
|
- Allow the DEBUG controller event to work again. Mark certain log
|
|
entries as "don't tell this to controllers", so we avoid cycles.
|
|
|
|
|
|
Changes in version 0.1.0.11 - 2005-06-30
|
|
o Bugfixes on 0.1.0.x:
|
|
- Fix major security bug: servers were disregarding their
|
|
exit policies if clients behaved unexpectedly.
|
|
- Make OS X init script check for missing argument, so we don't
|
|
confuse users who invoke it incorrectly.
|
|
- Fix a seg fault in "tor --hash-password foo".
|
|
- The MAPADDRESS control command was broken.
|
|
|
|
|
|
Changes in version 0.1.1.1-alpha - 2005-06-29
|
|
o Bugfixes:
|
|
- Make OS X init script check for missing argument, so we don't
|
|
confuse users who invoke it incorrectly.
|
|
- Fix a seg fault in "tor --hash-password foo".
|
|
- Fix a possible way to DoS dirservers.
|
|
- When we complain that your exit policy implicitly allows local or
|
|
private address spaces, name them explicitly so operators can
|
|
fix it.
|
|
- Make the log message less scary when all the dirservers are
|
|
temporarily unreachable.
|
|
- We were printing the number of idle dns workers incorrectly when
|
|
culling them.
|
|
|
|
o Features:
|
|
- Revised controller protocol (version 1) that uses ascii rather
|
|
than binary. Add supporting libraries in python and java so you
|
|
can use the controller from your applications without caring how
|
|
our protocol works.
|
|
- Spiffy new support for crypto hardware accelerators. Can somebody
|
|
test this?
|
|
|
|
|
|
Changes in version 0.0.9.10 - 2005-06-16
|
|
o Bugfixes on 0.0.9.x (backported from 0.1.0.10):
|
|
- Refuse relay cells that claim to have a length larger than the
|
|
maximum allowed. This prevents a potential attack that could read
|
|
arbitrary memory (e.g. keys) from an exit server's process
|
|
(CVE-2005-2050).
|
|
|
|
|
|
Changes in version 0.1.0.10 - 2005-06-14
|
|
o Allow a few EINVALs from libevent before dying. Warn on kqueue with
|
|
libevent before 1.1a.
|
|
|
|
|
|
Changes in version 0.1.0.9-rc - 2005-06-09
|
|
o Bugfixes:
|
|
- Reset buf->highwater every time buf_shrink() is called, not just on
|
|
a successful shrink. This was causing significant memory bloat.
|
|
- Fix buffer overflow when checking hashed passwords.
|
|
- Security fix: if seeding the RNG on Win32 fails, quit.
|
|
- Allow seeding the RNG on Win32 even when you're not running as
|
|
Administrator.
|
|
- Disable threading on Solaris too. Something is wonky with it,
|
|
cpuworkers, and reentrant libs.
|
|
- Reenable the part of the code that tries to flush as soon as an
|
|
OR outbuf has a full TLS record available. Perhaps this will make
|
|
OR outbufs not grow as huge except in rare cases, thus saving lots
|
|
of CPU time plus memory.
|
|
- Reject malformed .onion addresses rather then passing them on as
|
|
normal web requests.
|
|
- Adapt patch from Adam Langley: fix possible memory leak in
|
|
tor_lookup_hostname().
|
|
- Initialize libevent later in the startup process, so the logs are
|
|
already established by the time we start logging libevent warns.
|
|
- Use correct errno on win32 if libevent fails.
|
|
- Check and warn about known-bad/slow libevent versions.
|
|
- Pay more attention to the ClientOnly config option.
|
|
- Have torctl.in/tor.sh.in check for location of su binary (needed
|
|
on FreeBSD)
|
|
- Correct/add man page entries for LongLivedPorts, ExitPolicy,
|
|
KeepalivePeriod, ClientOnly, NoPublish, HttpProxy, HttpsProxy,
|
|
HttpProxyAuthenticator
|
|
- Stop warning about sigpipes in the logs. We're going to
|
|
pretend that getting these occassionally is normal and fine.
|
|
- Resolve OS X installer bugs: stop claiming to be 0.0.9.2 in
|
|
certain
|
|
installer screens; and don't put stuff into StartupItems unless
|
|
the user asks you to.
|
|
- Require servers that use the default dirservers to have public IP
|
|
addresses. We have too many servers that are configured with private
|
|
IPs and their admins never notice the log entries complaining that
|
|
their descriptors are being rejected.
|
|
- Add OSX uninstall instructions. An actual uninstall script will
|
|
come later.
|
|
|
|
|
|
Changes in version 0.1.0.8-rc - 2005-05-23
|
|
o Bugfixes:
|
|
- It turns out that kqueue on OS X 10.3.9 was causing kernel
|
|
panics. Disable kqueue on all OS X Tors.
|
|
- Fix RPM: remove duplicate line accidentally added to the rpm
|
|
spec file.
|
|
- Disable threads on openbsd too, since its gethostaddr is not
|
|
reentrant either.
|
|
- Tolerate libevent 0.8 since it still works, even though it's
|
|
ancient.
|
|
- Enable building on Red Hat 9.0 again.
|
|
- Allow the middle hop of the testing circuit to be running any
|
|
version, now that most of them have the bugfix to let them connect
|
|
to unknown servers. This will allow reachability testing to work
|
|
even when 0.0.9.7-0.0.9.9 become obsolete.
|
|
- Handle relay cells with rh.length too large. This prevents
|
|
a potential attack that could read arbitrary memory (maybe even
|
|
keys) from the exit server's process.
|
|
- We screwed up the dirport reachability testing when we don't yet
|
|
have a cached version of the directory. Hopefully now fixed.
|
|
- Clean up router_load_single_router() (used by the controller),
|
|
so it doesn't seg fault on error.
|
|
- Fix a minor memory leak when somebody establishes an introduction
|
|
point at your Tor server.
|
|
- If a socks connection ends because read fails, don't warn that
|
|
you're not sending a socks reply back.
|
|
|
|
o Features:
|
|
- Add HttpProxyAuthenticator config option too, that works like
|
|
the HttpsProxyAuthenticator config option.
|
|
- Encode hashed controller passwords in hex instead of base64,
|
|
to make it easier to write controllers.
|
|
|
|
|
|
Changes in version 0.1.0.7-rc - 2005-05-17
|
|
o Bugfixes:
|
|
- Fix a bug in the OS X package installer that prevented it from
|
|
installing on Tiger.
|
|
- Fix a script bug in the OS X package installer that made it
|
|
complain during installation.
|
|
- Find libevent even if it's hiding in /usr/local/ and your
|
|
CFLAGS and LDFLAGS don't tell you to look there.
|
|
- Be able to link with libevent as a shared library (the default
|
|
after 1.0d), even if it's hiding in /usr/local/lib and even
|
|
if you haven't added /usr/local/lib to your /etc/ld.so.conf,
|
|
assuming you're running gcc. Otherwise fail and give a useful
|
|
error message.
|
|
- Fix a bug in the RPM packager: set home directory for _tor to
|
|
something more reasonable when first installing.
|
|
- Free a minor amount of memory that is still reachable on exit.
|
|
|
|
|
|
Changes in version 0.1.0.6-rc - 2005-05-14
|
|
o Bugfixes:
|
|
- Implement --disable-threads configure option. Disable threads on
|
|
netbsd by default, because it appears to have no reentrant resolver
|
|
functions.
|
|
- Apple's OS X 10.4.0 ships with a broken kqueue. The new libevent
|
|
release (1.1) detects and disables kqueue if it's broken.
|
|
- Append default exit policy before checking for implicit internal
|
|
addresses. Now we don't log a bunch of complaints on startup
|
|
when using the default exit policy.
|
|
- Some people were putting "Address " in their torrc, and they had
|
|
a buggy resolver that resolved " " to 0.0.0.0. Oops.
|
|
- If DataDir is ~/.tor, and that expands to /.tor, then default to
|
|
LOCALSTATEDIR/tor instead.
|
|
- Fix fragmented-message bug in TorControl.py.
|
|
- Resolve a minor bug which would prevent unreachable dirports
|
|
from getting suppressed in the published descriptor.
|
|
- When the controller gave us a new descriptor, we weren't resolving
|
|
it immediately, so Tor would think its address was 0.0.0.0 until
|
|
we fetched a new directory.
|
|
- Fix an uppercase/lowercase case error in suppressing a bogus
|
|
libevent warning on some Linuxes.
|
|
|
|
o Features:
|
|
- Begin scrubbing sensitive strings from logs by default. Turn off
|
|
the config option SafeLogging if you need to do debugging.
|
|
- Switch to a new buffer management algorithm, which tries to avoid
|
|
reallocing and copying quite as much. In first tests it looks like
|
|
it uses *more* memory on average, but less cpu.
|
|
- First cut at support for "create-fast" cells. Clients can use
|
|
these when extending to their first hop, since the TLS already
|
|
provides forward secrecy and authentication. Not enabled on
|
|
clients yet.
|
|
- When dirservers refuse a router descriptor, we now log its
|
|
contactinfo, platform, and the poster's IP address.
|
|
- Call tor_free_all instead of connections_free_all after forking, to
|
|
save memory on systems that need to fork.
|
|
- Whine at you if you're a server and you don't set your contactinfo.
|
|
- Implement --verify-config command-line option to check if your torrc
|
|
is valid without actually launching Tor.
|
|
- Rewrite address "serifos.exit" to "localhost.serifos.exit"
|
|
rather than just rejecting it.
|
|
|
|
|
|
Changes in version 0.1.0.5-rc - 2005-04-27
|
|
o Bugfixes:
|
|
- Stop trying to print a null pointer if an OR conn fails because
|
|
we didn't like its cert.
|
|
o Features:
|
|
- Switch our internal buffers implementation to use a ring buffer,
|
|
to hopefully improve performance for fast servers a lot.
|
|
- Add HttpsProxyAuthenticator support (basic auth only), based
|
|
on patch from Adam Langley.
|
|
- Bump the default BandwidthRate from 1 MB to 2 MB, to accommodate
|
|
the fast servers that have been joining lately.
|
|
- Give hidden service accesses extra time on the first attempt,
|
|
since 60 seconds is often only barely enough. This might improve
|
|
robustness more.
|
|
- Improve performance for dirservers: stop re-parsing the whole
|
|
directory every time you regenerate it.
|
|
- Add more debugging info to help us find the weird dns freebsd
|
|
pthreads bug; cleaner debug messages to help track future issues.
|
|
|
|
|
|
Changes in version 0.0.9.9 - 2005-04-23
|
|
o Bugfixes on 0.0.9.x:
|
|
- If unofficial Tor clients connect and send weird TLS certs, our
|
|
Tor server triggers an assert. This release contains a minimal
|
|
backport from the broader fix that we put into 0.1.0.4-rc.
|
|
|
|
|
|
Changes in version 0.1.0.4-rc - 2005-04-23
|
|
o Bugfixes:
|
|
- If unofficial Tor clients connect and send weird TLS certs, our
|
|
Tor server triggers an assert. Stop asserting, and start handling
|
|
TLS errors better in other situations too.
|
|
- When the controller asks us to tell it about all the debug-level
|
|
logs, it turns out we were generating debug-level logs while
|
|
telling it about them, which turns into a bad loop. Now keep
|
|
track of whether you're sending a debug log to the controller,
|
|
and don't log when you are.
|
|
- Fix the "postdescriptor" feature of the controller interface: on
|
|
non-complete success, only say "done" once.
|
|
o Features:
|
|
- Clients are now willing to load balance over up to 2mB, not 1mB,
|
|
of advertised bandwidth capacity.
|
|
- Add a NoPublish config option, so you can be a server (e.g. for
|
|
testing running Tor servers in other Tor networks) without
|
|
publishing your descriptor to the primary dirservers.
|
|
|
|
|
|
Changes in version 0.1.0.3-rc - 2005-04-08
|
|
o Improvements on 0.1.0.2-rc:
|
|
- Client now retries when streams end early for 'hibernating' or
|
|
'resource limit' reasons, rather than failing them.
|
|
- More automated handling for dirserver operators:
|
|
- Automatically approve nodes running 0.1.0.2-rc or later,
|
|
now that the the reachability detection stuff is working.
|
|
- Now we allow two unverified servers with the same nickname
|
|
but different keys. But if a nickname is verified, only that
|
|
nickname+key are allowed.
|
|
- If you're an authdirserver connecting to an address:port,
|
|
and it's not the OR you were expecting, forget about that
|
|
descriptor. If he *was* the one you were expecting, then forget
|
|
about all other descriptors for that address:port.
|
|
- Allow servers to publish descriptors from 12 hours in the future.
|
|
Corollary: only whine about clock skew from the dirserver if
|
|
he's a trusted dirserver (since now even verified servers could
|
|
have quite wrong clocks).
|
|
- Adjust maximum skew and age for rendezvous descriptors: let skew
|
|
be 48 hours rather than 90 minutes.
|
|
- Efficiency improvements:
|
|
- Keep a big splay tree of (circid,orconn)->circuit mappings to make
|
|
it much faster to look up a circuit for each relay cell.
|
|
- Remove most calls to assert_all_pending_dns_resolves_ok(),
|
|
since they're eating our cpu on exit nodes.
|
|
- Stop wasting time doing a case insensitive comparison for every
|
|
dns name every time we do any lookup. Canonicalize the names to
|
|
lowercase and be done with it.
|
|
- Start sending 'truncated' cells back rather than destroy cells,
|
|
if the circuit closes in front of you. This means we won't have
|
|
to abandon partially built circuits.
|
|
- Only warn once per nickname from add_nickname_list_to_smartlist
|
|
per failure, so an entrynode or exitnode choice that's down won't
|
|
yell so much.
|
|
- Put a note in the torrc about abuse potential with the default
|
|
exit policy.
|
|
- Revise control spec and implementation to allow all log messages to
|
|
be sent to controller with their severities intact (suggested by
|
|
Matt Edman). Update TorControl to handle new log event types.
|
|
- Provide better explanation messages when controller's POSTDESCRIPTOR
|
|
fails.
|
|
- Stop putting nodename in the Platform string in server descriptors.
|
|
It doesn't actually help, and it is confusing/upsetting some people.
|
|
|
|
o Bugfixes on 0.1.0.2-rc:
|
|
- We were printing the host mask wrong in exit policies in server
|
|
descriptors. This isn't a critical bug though, since we were still
|
|
obeying the exit policy internally.
|
|
- Fix Tor when compiled with libevent but without pthreads: move
|
|
connection_unregister() from _connection_free() to
|
|
connection_free().
|
|
- Fix an assert trigger (already fixed in 0.0.9.x): when we have
|
|
the rare mysterious case of accepting a conn on 0.0.0.0:0, then
|
|
when we look through the connection array, we'll find any of the
|
|
cpu/dnsworkers. This is no good.
|
|
|
|
o Bugfixes on 0.0.9.8:
|
|
- Fix possible bug on threading platforms (e.g. win32) which was
|
|
leaking a file descriptor whenever a cpuworker or dnsworker died.
|
|
- When using preferred entry or exit nodes, ignore whether the
|
|
circuit wants uptime or capacity. They asked for the nodes, they
|
|
get the nodes.
|
|
- chdir() to your datadirectory at the *end* of the daemonize process,
|
|
not the beginning. This was a problem because the first time you
|
|
run tor, if your datadir isn't there, and you have runasdaemon set
|
|
to 1, it will try to chdir to it before it tries to create it. Oops.
|
|
- Handle changed router status correctly when dirserver reloads
|
|
fingerprint file. We used to be dropping all unverified descriptors
|
|
right then. The bug was hidden because we would immediately
|
|
fetch a directory from another dirserver, which would include the
|
|
descriptors we just dropped.
|
|
- When we're connecting to an OR and he's got a different nickname/key
|
|
than we were expecting, only complain loudly if we're an OP or a
|
|
dirserver. Complaining loudly to the OR admins just confuses them.
|
|
- Tie MAX_DIR_SIZE to MAX_BUF_SIZE, so now directory sizes won't get
|
|
artificially capped at 500kB.
|
|
|
|
|
|
Changes in version 0.0.9.8 - 2005-04-07
|
|
o Bugfixes on 0.0.9.x:
|
|
- We have a bug that I haven't found yet. Sometimes, very rarely,
|
|
cpuworkers get stuck in the 'busy' state, even though the cpuworker
|
|
thinks of itself as idle. This meant that no new circuits ever got
|
|
established. Here's a workaround to kill any cpuworker that's been
|
|
busy for more than 100 seconds.
|
|
|
|
|
|
Changes in version 0.1.0.2-rc - 2005-04-01
|
|
o Bugfixes on 0.1.0.1-rc:
|
|
- Fixes on reachability detection:
|
|
- Don't check for reachability while hibernating.
|
|
- If ORPort is reachable but DirPort isn't, still publish the
|
|
descriptor, but zero out DirPort until it's found reachable.
|
|
- When building testing circs for ORPort testing, use only
|
|
high-bandwidth nodes, so fewer circuits fail.
|
|
- Complain about unreachable ORPort separately from unreachable
|
|
DirPort, so the user knows what's going on.
|
|
- Make sure we only conclude ORPort reachability if we didn't
|
|
initiate the conn. Otherwise we could falsely conclude that
|
|
we're reachable just because we connected to the guy earlier
|
|
and he used that same pipe to extend to us.
|
|
- Authdirservers shouldn't do ORPort reachability detection,
|
|
since they're in clique mode, so it will be rare to find a
|
|
server not already connected to them.
|
|
- When building testing circuits, always pick middle hops running
|
|
Tor 0.0.9.7, so we avoid the "can't extend to unknown routers"
|
|
bug. (This is a kludge; it will go away when 0.0.9.x becomes
|
|
obsolete.)
|
|
- When we decide we're reachable, actually publish our descriptor
|
|
right then.
|
|
- Fix bug in redirectstream in the controller.
|
|
- Fix the state descriptor strings so logs don't claim edge streams
|
|
are in a different state than they actually are.
|
|
- Use recent libevent features when possible (this only really affects
|
|
win32 and osx right now, because the new libevent with these
|
|
features hasn't been released yet). Add code to suppress spurious
|
|
libevent log msgs.
|
|
- Prevent possible segfault in connection_close_unattached_ap().
|
|
- Fix newlines on torrc in win32.
|
|
- Improve error msgs when tor-resolve fails.
|
|
|
|
o Improvements on 0.0.9.x:
|
|
- New experimental script tor/contrib/ExerciseServer.py (needs more
|
|
work) that uses the controller interface to build circuits and
|
|
fetch pages over them. This will help us bootstrap servers that
|
|
have lots of capacity but haven't noticed it yet.
|
|
- New experimental script tor/contrib/PathDemo.py (needs more work)
|
|
that uses the controller interface to let you choose whole paths
|
|
via addresses like
|
|
"<hostname>.<path,separated by dots>.<length of path>.path"
|
|
- When we've connected to an OR and handshaked but didn't like
|
|
the result, we were closing the conn without sending destroy
|
|
cells back for pending circuits. Now send those destroys.
|
|
|
|
|
|
Changes in version 0.0.9.7 - 2005-04-01
|
|
o Bugfixes on 0.0.9.x:
|
|
- Fix another race crash bug (thanks to Glenn Fink for reporting).
|
|
- Compare identity to identity, not to nickname, when extending to
|
|
a router not already in the directory. This was preventing us from
|
|
extending to unknown routers. Oops.
|
|
- Make sure to create OS X Tor user in <500 range, so we aren't
|
|
creating actual system users.
|
|
- Note where connection-that-hasn't-sent-end was marked, and fix
|
|
a few really loud instances of this harmless bug (it's fixed more
|
|
in 0.1.0.x).
|
|
|
|
|
|
Changes in version 0.1.0.1-rc - 2005-03-28
|
|
o New features:
|
|
- Add reachability testing. Your Tor server will automatically try
|
|
to see if its ORPort and DirPort are reachable from the outside,
|
|
and it won't upload its descriptor until it decides they are.
|
|
- Handle unavailable hidden services better. Handle slow or busy
|
|
hidden services better.
|
|
- Add support for CONNECTing through https proxies, with "HttpsProxy"
|
|
config option.
|
|
- New exit policy: accept most low-numbered ports, rather than
|
|
rejecting most low-numbered ports.
|
|
- More Tor controller support (still experimental). See
|
|
http://tor.eff.org/doc/control-spec.txt for all the new features,
|
|
including signals to emulate unix signals from any platform;
|
|
redirectstream; extendcircuit; mapaddress; getinfo; postdescriptor;
|
|
closestream; closecircuit; etc.
|
|
- Make nt services work and start on startup on win32 (based on
|
|
patch by Matt Edman).
|
|
- Add a new AddressMap config directive to rewrite incoming socks
|
|
addresses. This lets you, for example, declare an implicit
|
|
required exit node for certain sites.
|
|
- Add a new TrackHostExits config directive to trigger addressmaps
|
|
for certain incoming socks addresses -- for sites that break when
|
|
your exit keeps changing (based on patch by Mike Perry).
|
|
- Redo the client-side dns cache so it's just an addressmap too.
|
|
- Notice when our IP changes, and reset stats/uptime/reachability.
|
|
- When an application is using socks5, give him the whole variety of
|
|
potential socks5 responses (connect refused, host unreachable, etc),
|
|
rather than just "success" or "failure".
|
|
- A more sane version numbering system. See
|
|
http://tor.eff.org/cvs/tor/doc/version-spec.txt for details.
|
|
- New contributed script "exitlist": a simple python script to
|
|
parse directories and find Tor nodes that exit to listed
|
|
addresses/ports.
|
|
- New contributed script "privoxy-tor-toggle" to toggle whether
|
|
Privoxy uses Tor. Seems to be configured for Debian by default.
|
|
- Report HTTP reasons to client when getting a response from directory
|
|
servers -- so you can actually know what went wrong.
|
|
- New config option MaxAdvertisedBandwidth which lets you advertise
|
|
a low bandwidthrate (to not attract as many circuits) while still
|
|
allowing a higher bandwidthrate in reality.
|
|
|
|
o Robustness/stability fixes:
|
|
- Make Tor use Niels Provos's libevent instead of its current
|
|
poll-but-sometimes-select mess. This will let us use faster async
|
|
cores (like epoll, kpoll, and /dev/poll), and hopefully work better
|
|
on Windows too.
|
|
- pthread support now too. This was forced because when we forked,
|
|
we ended up wasting a lot of duplicate ram over time. Also switch
|
|
to foo_r versions of some library calls to allow reentry and
|
|
threadsafeness.
|
|
- Better handling for heterogeneous / unreliable nodes:
|
|
- Annotate circuits w/ whether they aim to contain high uptime nodes
|
|
and/or high capacity nodes. When building circuits, choose
|
|
appropriate nodes.
|
|
- This means that every single node in an intro rend circuit,
|
|
not just the last one, will have a minimum uptime.
|
|
- New config option LongLivedPorts to indicate application streams
|
|
that will want high uptime circuits.
|
|
- Servers reset uptime when a dir fetch entirely fails. This
|
|
hopefully reflects stability of the server's network connectivity.
|
|
- If somebody starts his tor server in Jan 2004 and then fixes his
|
|
clock, don't make his published uptime be a year.
|
|
- Reset published uptime when you wake up from hibernation.
|
|
- Introduce a notion of 'internal' circs, which are chosen without
|
|
regard to the exit policy of the last hop. Intro and rendezvous
|
|
circs must be internal circs, to avoid leaking information. Resolve
|
|
and connect streams can use internal circs if they want.
|
|
- New circuit pooling algorithm: make sure to have enough circs around
|
|
to satisfy any predicted ports, and also make sure to have 2 internal
|
|
circs around if we've required internal circs lately (and with high
|
|
uptime if we've seen that lately too).
|
|
- Split NewCircuitPeriod option into NewCircuitPeriod (30 secs),
|
|
which describes how often we retry making new circuits if current
|
|
ones are dirty, and MaxCircuitDirtiness (10 mins), which describes
|
|
how long we're willing to make use of an already-dirty circuit.
|
|
- Cannibalize GENERAL circs to be C_REND, C_INTRO, S_INTRO, and S_REND
|
|
circ as necessary, if there are any completed ones lying around
|
|
when we try to launch one.
|
|
- Make hidden services try to establish a rendezvous for 30 seconds,
|
|
rather than for n (where n=3) attempts to build a circuit.
|
|
- Change SHUTDOWN_WAIT_LENGTH from a fixed 30 secs to a config option
|
|
"ShutdownWaitLength".
|
|
- Try to be more zealous about calling connection_edge_end when
|
|
things go bad with edge conns in connection.c.
|
|
- Revise tor-spec to add more/better stream end reasons.
|
|
- Revise all calls to connection_edge_end to avoid sending "misc",
|
|
and to take errno into account where possible.
|
|
|
|
o Bug fixes:
|
|
- Fix a race condition that can trigger an assert, when we have a
|
|
pending create cell and an OR connection fails right then.
|
|
- Fix several double-mark-for-close bugs, e.g. where we were finding
|
|
a conn for a cell even if that conn is already marked for close.
|
|
- Make sequence of log messages when starting on win32 with no config
|
|
file more reasonable.
|
|
- When choosing an exit node for a new non-internal circ, don't take
|
|
into account whether it'll be useful for any pending x.onion
|
|
addresses -- it won't.
|
|
- Turn addr_policy_compare from a tristate to a quadstate; this should
|
|
help address our "Ah, you allow 1.2.3.4:80. You are a good choice
|
|
for google.com" problem.
|
|
- Make "platform" string in descriptor more accurate for Win32 servers,
|
|
so it's not just "unknown platform".
|
|
- Fix an edge case in parsing config options (thanks weasel).
|
|
If they say "--" on the commandline, it's not an option.
|
|
- Reject odd-looking addresses at the client (e.g. addresses that
|
|
contain a colon), rather than having the server drop them because
|
|
they're malformed.
|
|
- tor-resolve requests were ignoring .exit if there was a working circuit
|
|
they could use instead.
|
|
- REUSEADDR on normal platforms means you can rebind to the port
|
|
right after somebody else has let it go. But REUSEADDR on win32
|
|
means to let you bind to the port _even when somebody else
|
|
already has it bound_! So, don't do that on Win32.
|
|
- Change version parsing logic: a version is "obsolete" if it is not
|
|
recommended and (1) there is a newer recommended version in the
|
|
same series, or (2) there are no recommended versions in the same
|
|
series, but there are some recommended versions in a newer series.
|
|
A version is "new" if it is newer than any recommended version in
|
|
the same series.
|
|
- Stop most cases of hanging up on a socks connection without sending
|
|
the socks reject.
|
|
|
|
o Helpful fixes:
|
|
- Require BandwidthRate to be at least 20kB/s for servers.
|
|
- When a dirserver causes you to give a warn, mention which dirserver
|
|
it was.
|
|
- New config option DirAllowPrivateAddresses for authdirservers.
|
|
Now by default they refuse router descriptors that have non-IP or
|
|
private-IP addresses.
|
|
- Stop publishing socksport in the directory, since it's not
|
|
actually meant to be public. For compatibility, publish a 0 there
|
|
for now.
|
|
- Change DirFetchPeriod/StatusFetchPeriod to have a special "Be
|
|
smart" value, that is low for servers and high for clients.
|
|
- If our clock jumps forward by 100 seconds or more, assume something
|
|
has gone wrong with our network and abandon all not-yet-used circs.
|
|
- Warn when exit policy implicitly allows local addresses.
|
|
- If we get an incredibly skewed timestamp from a dirserver mirror
|
|
that isn't a verified OR, don't warn -- it's probably him that's
|
|
wrong.
|
|
- Since we ship our own Privoxy on OS X, tweak it so it doesn't write
|
|
cookies to disk and doesn't log each web request to disk. (Thanks
|
|
to Brett Carrington for pointing this out.)
|
|
- When a client asks us for a dir mirror and we don't have one,
|
|
launch an attempt to get a fresh one.
|
|
- If we're hibernating and we get a SIGINT, exit immediately.
|
|
- Add --with-dmalloc ./configure option, to track memory leaks.
|
|
- And try to free all memory on closing, so we can detect what
|
|
we're leaking.
|
|
- Cache local dns resolves correctly even when they're .exit
|
|
addresses.
|
|
- Give a better warning when some other server advertises an
|
|
ORPort that is actually an apache running ssl.
|
|
- Add "opt hibernating 1" to server descriptor to make it clearer
|
|
whether the server is hibernating.
|
|
|
|
|
|
Changes in version 0.0.9.6 - 2005-03-24
|
|
o Bugfixes on 0.0.9.x (crashes and asserts):
|
|
- Add new end stream reasons to maintainance branch. Fix bug where
|
|
reason (8) could trigger an assert. Prevent bug from recurring.
|
|
- Apparently win32 stat wants paths to not end with a slash.
|
|
- Fix assert triggers in assert_cpath_layer_ok(), where we were
|
|
blowing away the circuit that conn->cpath_layer points to, then
|
|
checking to see if the circ is well-formed. Backport check to make
|
|
sure we dont use the cpath on a closed connection.
|
|
- Prevent circuit_resume_edge_reading_helper() from trying to package
|
|
inbufs for marked-for-close streams.
|
|
- Don't crash on hup if your options->address has become unresolvable.
|
|
- Some systems (like OS X) sometimes accept() a connection and tell
|
|
you the remote host is 0.0.0.0:0. If this happens, due to some
|
|
other mis-features, we get confused; so refuse the conn for now.
|
|
|
|
o Bugfixes on 0.0.9.x (other):
|
|
- Fix harmless but scary "Unrecognized content encoding" warn message.
|
|
- Add new stream error reason: TORPROTOCOL reason means "you are not
|
|
speaking a version of Tor I understand; say bye-bye to your stream."
|
|
- Be willing to cache directories from up to ROUTER_MAX_AGE seconds
|
|
into the future, now that we are more tolerant of skew. This
|
|
resolves a bug where a Tor server would refuse to cache a directory
|
|
because all the directories it gets are too far in the future;
|
|
yet the Tor server never logs any complaints about clock skew.
|
|
- Mac packaging magic: make man pages useable, and do not overwrite
|
|
existing torrc files.
|
|
- Make OS X log happily to /var/log/tor/tor.log
|
|
|
|
|
|
Changes in version 0.0.9.5 - 2005-02-22
|
|
o Bugfixes on 0.0.9.x:
|
|
- Fix an assert race at exit nodes when resolve requests fail.
|
|
- Stop picking unverified dir mirrors--it only leads to misery.
|
|
- Patch from Matt Edman to make NT services work better. Service
|
|
support is still not compiled into the executable by default.
|
|
- Patch from Dmitri Bely so the Tor service runs better under
|
|
the win32 SYSTEM account.
|
|
- Make tor-resolve actually work (?) on Win32.
|
|
- Fix a sign bug when getrlimit claims to have 4+ billion
|
|
file descriptors available.
|
|
- Stop refusing to start when bandwidthburst == bandwidthrate.
|
|
- When create cells have been on the onion queue more than five
|
|
seconds, just send back a destroy and take them off the list.
|
|
|
|
|
|
Changes in version 0.0.9.4 - 2005-02-03
|
|
o Bugfixes on 0.0.9:
|
|
- Fix an assert bug that took down most of our servers: when
|
|
a server claims to have 1 GB of bandwidthburst, don't
|
|
freak out.
|
|
- Don't crash as badly if we have spawned the max allowed number
|
|
of dnsworkers, or we're out of file descriptors.
|
|
- Block more file-sharing ports in the default exit policy.
|
|
- MaxConn is now automatically set to the hard limit of max
|
|
file descriptors we're allowed (ulimit -n), minus a few for
|
|
logs, etc.
|
|
- Give a clearer message when servers need to raise their
|
|
ulimit -n when they start running out of file descriptors.
|
|
- SGI Compatibility patches from Jan Schaumann.
|
|
- Tolerate a corrupt cached directory better.
|
|
- When a dirserver hasn't approved your server, list which one.
|
|
- Go into soft hibernation after 95% of the bandwidth is used,
|
|
not 99%. This is especially important for daily hibernators who
|
|
have a small accounting max. Hopefully it will result in fewer
|
|
cut connections when the hard hibernation starts.
|
|
- Load-balance better when using servers that claim more than
|
|
800kB/s of capacity.
|
|
- Make NT services work (experimental, only used if compiled in).
|
|
|
|
|
|
Changes in version 0.0.9.3 - 2005-01-21
|
|
o Bugfixes on 0.0.9:
|
|
- Backport the cpu use fixes from main branch, so busy servers won't
|
|
need as much processor time.
|
|
- Work better when we go offline and then come back, or when we
|
|
run Tor at boot before the network is up. We do this by
|
|
optimistically trying to fetch a new directory whenever an
|
|
application request comes in and we think we're offline -- the
|
|
human is hopefully a good measure of when the network is back.
|
|
- Backport some minimal hidserv bugfixes: keep rend circuits open as
|
|
long as you keep using them; actually publish hidserv descriptors
|
|
shortly after they change, rather than waiting 20-40 minutes.
|
|
- Enable Mac startup script by default.
|
|
- Fix duplicate dns_cancel_pending_resolve reported by Giorgos Pallas.
|
|
- When you update AllowUnverifiedNodes or FirewallPorts via the
|
|
controller's setconf feature, we were always appending, never
|
|
resetting.
|
|
- When you update HiddenServiceDir via setconf, it was screwing up
|
|
the order of reading the lines, making it fail.
|
|
- Do not rewrite a cached directory back to the cache; otherwise we
|
|
will think it is recent and not fetch a newer one on startup.
|
|
- Workaround for webservers that lie about Content-Encoding: Tor
|
|
now tries to autodetect compressed directories and compression
|
|
itself. This lets us Proxypass dir fetches through apache.
|
|
|
|
|
|
Changes in version 0.0.9.2 - 2005-01-04
|
|
o Bugfixes on 0.0.9 (crashes and asserts):
|
|
- Fix an assert on startup when the disk is full and you're logging
|
|
to a file.
|
|
- If you do socks4 with an IP of 0.0.0.x but *don't* provide a socks4a
|
|
style address, then we'd crash.
|
|
- Fix an assert trigger when the running-routers string we get from
|
|
a dirserver is broken.
|
|
- Make worker threads start and run on win32. Now win32 servers
|
|
may work better.
|
|
- Bandaid (not actually fix, but now it doesn't crash) an assert
|
|
where the dns worker dies mysteriously and the main Tor process
|
|
doesn't remember anything about the address it was resolving.
|
|
|
|
o Bugfixes on 0.0.9 (Win32):
|
|
- Workaround for brain-damaged __FILE__ handling on MSVC: keep Nick's
|
|
name out of the warning/assert messages.
|
|
- Fix a superficial "unhandled error on read" bug on win32.
|
|
- The win32 installer no longer requires a click-through for our
|
|
license, since our Free Software license grants rights but does not
|
|
take any away.
|
|
- Win32: When connecting to a dirserver fails, try another one
|
|
immediately. (This was already working for non-win32 Tors.)
|
|
- Stop trying to parse $HOME on win32 when hunting for default
|
|
DataDirectory.
|
|
- Make tor-resolve.c work on win32 by calling network_init().
|
|
|
|
o Bugfixes on 0.0.9 (other):
|
|
- Make 0.0.9.x build on Solaris again.
|
|
- Due to a fencepost error, we were blowing away the \n when reporting
|
|
confvalue items in the controller. So asking for multiple config
|
|
values at once couldn't work.
|
|
- When listing circuits that are pending on an opening OR connection,
|
|
if we're an OR we were listing circuits that *end* at us as
|
|
being pending on every listener, dns/cpu worker, etc. Stop that.
|
|
- Dirservers were failing to create 'running-routers' or 'directory'
|
|
strings if we had more than some threshold of routers. Fix them so
|
|
they can handle any number of routers.
|
|
- Fix a superficial "Duplicate mark for close" bug.
|
|
- Stop checking for clock skew for OR connections, even for servers.
|
|
- Fix a fencepost error that was chopping off the last letter of any
|
|
nickname that is the maximum allowed nickname length.
|
|
- Update URLs in log messages so they point to the new website.
|
|
- Fix a potential problem in mangling server private keys while
|
|
writing to disk (not triggered yet, as far as we know).
|
|
- Include the licenses for other free software we include in Tor,
|
|
now that we're shipping binary distributions more regularly.
|
|
|
|
|
|
Changes in version 0.0.9.1 - 2004-12-15
|
|
o Bugfixes on 0.0.9:
|
|
- Make hibernation actually work.
|
|
- Make HashedControlPassword config option work.
|
|
- When we're reporting event circuit status to a controller,
|
|
don't use the stream status code.
|
|
|
|
|
|
Changes in version 0.0.9 - 2004-12-12
|
|
o Cleanups:
|
|
- Clean up manpage and torrc.sample file.
|
|
- Clean up severities and text of log warnings.
|
|
o Mistakes:
|
|
- Make servers trigger an assert when they enter hibernation.
|
|
|
|
|
|
Changes in version 0.0.9rc7 - 2004-12-08
|
|
o Bugfixes on 0.0.9rc:
|
|
- Fix a stack-trashing crash when an exit node begins hibernating.
|
|
- Avoid looking at unallocated memory while considering which
|
|
ports we need to build circuits to cover.
|
|
- Stop a sigpipe: when an 'end' cell races with eof from the app,
|
|
we shouldn't hold-open-until-flush if the eof arrived first.
|
|
- Fix a bug with init_cookie_authentication() in the controller.
|
|
- When recommending new-format log lines, if the upper bound is
|
|
LOG_ERR, leave it implicit.
|
|
|
|
o Bugfixes on 0.0.8.1:
|
|
- Fix a whole slew of memory leaks.
|
|
- Fix isspace() and friends so they still make Solaris happy
|
|
but also so they don't trigger asserts on win32.
|
|
- Fix parse_iso_time on platforms without strptime (eg win32).
|
|
- win32: tolerate extra "readable" events better.
|
|
- win32: when being multithreaded, leave parent fdarray open.
|
|
- Make unit tests work on win32.
|
|
|
|
|
|
Changes in version 0.0.9rc6 - 2004-12-06
|
|
o Bugfixes on 0.0.9pre:
|
|
- Clean up some more integer underflow opportunities (not exploitable
|
|
we think).
|
|
- While hibernating, hup should not regrow our listeners.
|
|
- Send an end to the streams we close when we hibernate, rather
|
|
than just chopping them off.
|
|
- React to eof immediately on non-open edge connections.
|
|
|
|
o Bugfixes on 0.0.8.1:
|
|
- Calculate timeout for waiting for a connected cell from the time
|
|
we sent the begin cell, not from the time the stream started. If
|
|
it took a long time to establish the circuit, we would time out
|
|
right after sending the begin cell.
|
|
- Fix router_compare_addr_to_addr_policy: it was not treating a port
|
|
of * as always matching, so we were picking reject *:* nodes as
|
|
exit nodes too. Oops.
|
|
|
|
o Features:
|
|
- New circuit building strategy: keep a list of ports that we've
|
|
used in the past 6 hours, and always try to have 2 circuits open
|
|
or on the way that will handle each such port. Seed us with port
|
|
80 so web users won't complain that Tor is "slow to start up".
|
|
- Make kill -USR1 dump more useful stats about circuits.
|
|
- When warning about retrying or giving up, print the address, so
|
|
the user knows which one it's talking about.
|
|
- If you haven't used a clean circuit in an hour, throw it away,
|
|
just to be on the safe side. (This means after 6 hours a totally
|
|
unused Tor client will have no circuits open.)
|
|
|
|
|
|
Changes in version 0.0.9rc5 - 2004-12-01
|
|
o Bugfixes on 0.0.8.1:
|
|
- Disallow NDEBUG. We don't ever want anybody to turn off debug.
|
|
- Let resolve conns retry/expire also, rather than sticking around
|
|
forever.
|
|
- If we are using select, make sure we stay within FD_SETSIZE.
|
|
|
|
o Bugfixes on 0.0.9pre:
|
|
- Fix integer underflow in tor_vsnprintf() that may be exploitable,
|
|
but doesn't seem to be currently; thanks to Ilja van Sprundel for
|
|
finding it.
|
|
- If anybody set DirFetchPostPeriod, give them StatusFetchPeriod
|
|
instead. Impose minima and maxima for all *Period options; impose
|
|
even tighter maxima for fetching if we are a caching dirserver.
|
|
Clip rather than rejecting.
|
|
- Fetch cached running-routers from servers that serve it (that is,
|
|
authdirservers and servers running 0.0.9rc5-cvs or later.)
|
|
|
|
o Features:
|
|
- Accept *:706 (silc) in default exit policy.
|
|
- Implement new versioning format for post 0.1.
|
|
- Support "foo.nickname.exit" addresses, to let Alice request the
|
|
address "foo" as viewed by exit node "nickname". Based on a patch
|
|
by Geoff Goodell.
|
|
- Make tor --version --version dump the cvs Id of every file.
|
|
|
|
|
|
Changes in version 0.0.9rc4 - 2004-11-28
|
|
o Bugfixes on 0.0.8.1:
|
|
- Make windows sockets actually non-blocking (oops), and handle
|
|
win32 socket errors better.
|
|
|
|
o Bugfixes on 0.0.9rc1:
|
|
- Actually catch the -USR2 signal.
|
|
|
|
|
|
Changes in version 0.0.9rc3 - 2004-11-25
|
|
o Bugfixes on 0.0.8.1:
|
|
- Flush the log file descriptor after we print "Tor opening log file",
|
|
so we don't see those messages days later.
|
|
|
|
o Bugfixes on 0.0.9rc1:
|
|
- Make tor-resolve work again.
|
|
- Avoid infinite loop in tor-resolve if tor hangs up on it.
|
|
- Fix an assert trigger for clients/servers handling resolves.
|
|
|
|
|
|
Changes in version 0.0.9rc2 - 2004-11-24
|
|
o Bugfixes on 0.0.9rc1:
|
|
- I broke socks5 support while fixing the eof bug.
|
|
- Allow unitless bandwidths and intervals; they default to bytes
|
|
and seconds.
|
|
- New servers don't start out hibernating; they are active until
|
|
they run out of bytes, so they have a better estimate of how
|
|
long it takes, and so their operators can know they're working.
|
|
|
|
|
|
Changes in version 0.0.9rc1 - 2004-11-23
|
|
o Bugfixes on 0.0.8.1:
|
|
- Finally fix a bug that's been plaguing us for a year:
|
|
With high load, circuit package window was reaching 0. Whenever
|
|
we got a circuit-level sendme, we were reading a lot on each
|
|
socket, but only writing out a bit. So we would eventually reach
|
|
eof. This would be noticed and acted on even when there were still
|
|
bytes sitting in the inbuf.
|
|
- When poll() is interrupted, we shouldn't believe the revents values.
|
|
|
|
o Bugfixes on 0.0.9pre6:
|
|
- Fix hibernate bug that caused pre6 to be broken.
|
|
- Don't keep rephist info for routers that haven't had activity for
|
|
24 hours. (This matters now that clients have keys, since we track
|
|
them too.)
|
|
- Never call close_temp_logs while validating log options.
|
|
- Fix backslash-escaping on tor.sh.in and torctl.in.
|
|
|
|
o Features:
|
|
- Implement weekly/monthly/daily accounting: now you specify your
|
|
hibernation properties by
|
|
AccountingMax N bytes|KB|MB|GB|TB
|
|
AccountingStart day|week|month [day] HH:MM
|
|
Defaults to "month 1 0:00".
|
|
- Let bandwidth and interval config options be specified as 5 bytes,
|
|
kb, kilobytes, etc; and as seconds, minutes, hours, days, weeks.
|
|
- kill -USR2 now moves all logs to loglevel debug (kill -HUP to
|
|
get back to normal.)
|
|
- If your requested entry or exit node has advertised bandwidth 0,
|
|
pick it anyway.
|
|
- Be more greedy about filling up relay cells -- we try reading again
|
|
once we've processed the stuff we read, in case enough has arrived
|
|
to fill the last cell completely.
|
|
- Apply NT service patch from Osamu Fujino. Still needs more work.
|
|
|
|
|
|
Changes in version 0.0.9pre6 - 2004-11-15
|
|
o Bugfixes on 0.0.8.1:
|
|
- Fix assert failure on malformed socks4a requests.
|
|
- Use identity comparison, not nickname comparison, to choose which
|
|
half of circuit-ID-space each side gets to use. This is needed
|
|
because sometimes we think of a router as a nickname, and sometimes
|
|
as a hex ID, and we can't predict what the other side will do.
|
|
- Catch and ignore SIGXFSZ signals when log files exceed 2GB; our
|
|
write() call will fail and we handle it there.
|
|
- Add a FAST_SMARTLIST define to optionally inline smartlist_get
|
|
and smartlist_len, which are two major profiling offenders.
|
|
|
|
o Bugfixes on 0.0.9pre5:
|
|
- Fix a bug in read_all that was corrupting config files on windows.
|
|
- When we're raising the max number of open file descriptors to
|
|
'unlimited', don't log that we just raised it to '-1'.
|
|
- Include event code with events, as required by control-spec.txt.
|
|
- Don't give a fingerprint when clients do --list-fingerprint:
|
|
it's misleading, because it will never be the same again.
|
|
- Stop using strlcpy in tor_strndup, since it was slowing us
|
|
down a lot.
|
|
- Remove warn on startup about missing cached-directory file.
|
|
- Make kill -USR1 work again.
|
|
- Hibernate if we start tor during the "wait for wakeup-time" phase
|
|
of an accounting interval. Log our hibernation plans better.
|
|
- Authoritative dirservers now also cache their directory, so they
|
|
have it on start-up.
|
|
|
|
o Features:
|
|
- Fetch running-routers; cache running-routers; compress
|
|
running-routers; serve compressed running-routers.z
|
|
- Add NSI installer script contributed by J Doe.
|
|
- Commit VC6 and VC7 workspace/project files.
|
|
- Commit a tor.spec for making RPM files, with help from jbash.
|
|
- Add contrib/torctl.in contributed by Glenn Fink.
|
|
- Implement the control-spec's SAVECONF command, to write your
|
|
configuration to torrc.
|
|
- Get cookie authentication for the controller closer to working.
|
|
- Include control-spec.txt in the tarball.
|
|
- When set_conf changes our server descriptor, upload a new copy.
|
|
But don't upload it too often if there are frequent changes.
|
|
- Document authentication config in man page, and document signals
|
|
we catch.
|
|
- Clean up confusing parts of man page and torrc.sample.
|
|
- Make expand_filename handle ~ and ~username.
|
|
- Use autoconf to enable largefile support where necessary. Use
|
|
ftello where available, since ftell can fail at 2GB.
|
|
- Distinguish between TOR_TLS_CLOSE and TOR_TLS_ERROR, so we can
|
|
log more informatively.
|
|
- Give a slightly more useful output for "tor -h".
|
|
- Refuse application socks connections to port 0.
|
|
- Check clock skew for verified servers, but allow unverified
|
|
servers and clients to have any clock skew.
|
|
- Break DirFetchPostPeriod into:
|
|
- DirFetchPeriod for fetching full directory,
|
|
- StatusFetchPeriod for fetching running-routers,
|
|
- DirPostPeriod for posting server descriptor,
|
|
- RendPostPeriod for posting hidden service descriptors.
|
|
- Make sure the hidden service descriptors are at a random offset
|
|
from each other, to hinder linkability.
|
|
|
|
|
|
Changes in version 0.0.9pre5 - 2004-11-09
|
|
o Bugfixes on 0.0.9pre4:
|
|
- Fix a seg fault in unit tests (doesn't affect main program).
|
|
- Fix an assert bug where a hidden service provider would fail if
|
|
the first hop of his rendezvous circuit was down.
|
|
- Hidden service operators now correctly handle version 1 style
|
|
INTRODUCE1 cells (nobody generates them still, so not a critical
|
|
bug).
|
|
- If do_hup fails, actually notice.
|
|
- Handle more errnos from accept() without closing the listener.
|
|
Some OpenBSD machines were closing their listeners because
|
|
they ran out of file descriptors.
|
|
- Send resolve cells to exit routers that are running a new
|
|
enough version of the resolve code to work right.
|
|
- Better handling of winsock includes on non-MSV win32 compilers.
|
|
- Some people had wrapped their tor client/server in a script
|
|
that would restart it whenever it died. This did not play well
|
|
with our "shut down if your version is obsolete" code. Now people
|
|
don't fetch a new directory if their local cached version is
|
|
recent enough.
|
|
- Make our autogen.sh work on ksh as well as bash.
|
|
|
|
o Major Features:
|
|
- Hibernation: New config option "AccountingMaxKB" lets you
|
|
set how many KBytes per month you want to allow your server to
|
|
consume. Rather than spreading those bytes out evenly over the
|
|
month, we instead hibernate for some of the month and pop up
|
|
at a deterministic time, work until the bytes are consumed, then
|
|
hibernate again. Config option "MonthlyAccountingStart" lets you
|
|
specify which day of the month your billing cycle starts on.
|
|
- Control interface: a separate program can now talk to your
|
|
client/server over a socket, and get/set config options, receive
|
|
notifications of circuits and streams starting/finishing/dying,
|
|
bandwidth used, etc. The next step is to get some GUIs working.
|
|
Let us know if you want to help out. See doc/control-spec.txt .
|
|
- Ship a contrib/tor-control.py as an example script to interact
|
|
with the control port.
|
|
- "tor --hash-password zzyxz" will output a salted password for
|
|
use in authenticating to the control interface.
|
|
- New log format in config:
|
|
"Log minsev[-maxsev] stdout|stderr|syslog" or
|
|
"Log minsev[-maxsev] file /var/foo"
|
|
|
|
o Minor Features:
|
|
- DirPolicy config option, to let people reject incoming addresses
|
|
from their dirserver.
|
|
- "tor --list-fingerprint" will list your identity key fingerprint
|
|
and then exit.
|
|
- Add "pass" target for RedirectExit, to make it easier to break
|
|
out of a sequence of RedirectExit rules.
|
|
- Clients now generate a TLS cert too, in preparation for having
|
|
them act more like real nodes.
|
|
- Ship src/win32/ in the tarball, so people can use it to build.
|
|
- Make old win32 fall back to CWD if SHGetSpecialFolderLocation
|
|
is broken.
|
|
- New "router-status" line in directory, to better bind each verified
|
|
nickname to its identity key.
|
|
- Deprecate unofficial config option abbreviations, and abbreviations
|
|
not on the command line.
|
|
- Add a pure-C tor-resolve implementation.
|
|
- Use getrlimit and friends to ensure we can reach MaxConn (currently
|
|
1024) file descriptors.
|
|
|
|
o Code security improvements, inspired by Ilja:
|
|
- Replace sprintf with snprintf. (I think they were all safe, but
|
|
hey.)
|
|
- Replace strcpy/strncpy with strlcpy in more places.
|
|
- Avoid strcat; use snprintf or strlcat instead.
|
|
- snprintf wrapper with consistent (though not C99) overflow behavior.
|
|
|
|
|
|
Changes in version 0.0.9pre4 - 2004-10-17
|
|
o Bugfixes on 0.0.9pre3:
|
|
- If the server doesn't specify an exit policy, use the real default
|
|
exit policy, not reject *:*.
|
|
- Ignore fascistfirewall when uploading/downloading hidden service
|
|
descriptors, since we go through Tor for those; and when using
|
|
an HttpProxy, since we assume it can reach them all.
|
|
- When looking for an authoritative dirserver, use only the ones
|
|
configured at boot. Don't bother looking in the directory.
|
|
- The rest of the fix for get_default_conf_file() on older win32.
|
|
- Make 'Routerfile' config option obsolete.
|
|
|
|
o Features:
|
|
- New 'MyFamily nick1,...' config option for a server to
|
|
specify other servers that shouldn't be used in the same circuit
|
|
with it. Only believed if nick1 also specifies us.
|
|
- New 'NodeFamily nick1,nick2,...' config option for a client to
|
|
specify nodes that it doesn't want to use in the same circuit.
|
|
- New 'Redirectexit pattern address:port' config option for a
|
|
server to redirect exit connections, e.g. to a local squid.
|
|
|
|
|
|
Changes in version 0.0.9pre3 - 2004-10-13
|
|
o Bugfixes on 0.0.8.1:
|
|
- Better torrc example lines for dirbindaddress and orbindaddress.
|
|
- Improved bounds checking on parsed ints (e.g. config options and
|
|
the ones we find in directories.)
|
|
- Better handling of size_t vs int, so we're more robust on 64
|
|
bit platforms.
|
|
- Fix the rest of the bug where a newly started OR would appear
|
|
as unverified even after we've added his fingerprint and hupped
|
|
the dirserver.
|
|
- Fix a bug from 0.0.7: when read() failed on a stream, we would
|
|
close it without sending back an end. So 'connection refused'
|
|
would simply be ignored and the user would get no response.
|
|
|
|
o Bugfixes on 0.0.9pre2:
|
|
- Serving the cached-on-disk directory to people is bad. We now
|
|
provide no directory until we've fetched a fresh one.
|
|
- Workaround for bug on windows where cached-directories get crlf
|
|
corruption.
|
|
- Make get_default_conf_file() work on older windows too.
|
|
- If we write a *:* exit policy line in the descriptor, don't write
|
|
any more exit policy lines.
|
|
|
|
o Features:
|
|
- Use only 0.0.9pre1 and later servers for resolve cells.
|
|
- Make the dirservers file obsolete.
|
|
- Include a dir-signing-key token in directories to tell the
|
|
parsing entity which key is being used to sign.
|
|
- Remove the built-in bulky default dirservers string.
|
|
- New config option "Dirserver %s:%d [fingerprint]", which can be
|
|
repeated as many times as needed. If no dirservers specified,
|
|
default to moria1,moria2,tor26.
|
|
- Make moria2 advertise a dirport of 80, so people behind firewalls
|
|
will be able to get a directory.
|
|
- Http proxy support
|
|
- Dirservers translate requests for http://%s:%d/x to /x
|
|
- You can specify "HttpProxy %s[:%d]" and all dir fetches will
|
|
be routed through this host.
|
|
- Clients ask for /tor/x rather than /x for new enough dirservers.
|
|
This way we can one day coexist peacefully with apache.
|
|
- Clients specify a "Host: %s%d" http header, to be compatible
|
|
with more proxies, and so running squid on an exit node can work.
|
|
|
|
|
|
Changes in version 0.0.8.1 - 2004-10-13
|
|
o Bugfixes:
|
|
- Fix a seg fault that can be triggered remotely for Tor
|
|
clients/servers with an open dirport.
|
|
- Fix a rare assert trigger, where routerinfos for entries in
|
|
our cpath would expire while we're building the path.
|
|
- Fix a bug in OutboundBindAddress so it (hopefully) works.
|
|
- Fix a rare seg fault for people running hidden services on
|
|
intermittent connections.
|
|
- Fix a bug in parsing opt keywords with objects.
|
|
- Fix a stale pointer assert bug when a stream detaches and
|
|
reattaches.
|
|
- Fix a string format vulnerability (probably not exploitable)
|
|
in reporting stats locally.
|
|
- Fix an assert trigger: sometimes launching circuits can fail
|
|
immediately, e.g. because too many circuits have failed recently.
|
|
- Fix a compile warning on 64 bit platforms.
|
|
|
|
|
|
Changes in version 0.0.9pre2 - 2004-10-03
|
|
o Bugfixes:
|
|
- Make fetching a cached directory work for 64-bit platforms too.
|
|
- Make zlib.h a required header, not an optional header.
|
|
|
|
|
|
Changes in version 0.0.9pre1 - 2004-10-01
|
|
o Bugfixes:
|
|
- Stop using separate defaults for no-config-file and
|
|
empty-config-file. Now you have to explicitly turn off SocksPort,
|
|
if you don't want it open.
|
|
- Fix a bug in OutboundBindAddress so it (hopefully) works.
|
|
- Improve man page to mention more of the 0.0.8 features.
|
|
- Fix a rare seg fault for people running hidden services on
|
|
intermittent connections.
|
|
- Change our file IO stuff (especially wrt OpenSSL) so win32 is
|
|
happier.
|
|
- Fix more dns related bugs: send back resolve_failed and end cells
|
|
more reliably when the resolve fails, rather than closing the
|
|
circuit and then trying to send the cell. Also attach dummy resolve
|
|
connections to a circuit *before* calling dns_resolve(), to fix
|
|
a bug where cached answers would never be sent in RESOLVED cells.
|
|
- When we run out of disk space, or other log writing error, don't
|
|
crash. Just stop logging to that log and continue.
|
|
- We were starting to daemonize before we opened our logs, so if
|
|
there were any problems opening logs, we would complain to stderr,
|
|
which wouldn't work, and then mysteriously exit.
|
|
- Fix a rare bug where sometimes a verified OR would connect to us
|
|
before he'd uploaded his descriptor, which would cause us to
|
|
assign conn->nickname as though he's unverified. Now we look through
|
|
the fingerprint list to see if he's there.
|
|
- Fix a rare assert trigger, where routerinfos for entries in
|
|
our cpath would expire while we're building the path.
|
|
|
|
o Features:
|
|
- Clients can ask dirservers for /dir.z to get a compressed version
|
|
of the directory. Only works for servers running 0.0.9, of course.
|
|
- Make clients cache directories and use them to seed their router
|
|
lists at startup. This means clients have a datadir again.
|
|
- Configuration infrastructure support for warning on obsolete
|
|
options.
|
|
- Respond to content-encoding headers by trying to uncompress as
|
|
appropriate.
|
|
- Reply with a deflated directory when a client asks for "dir.z".
|
|
We could use allow-encodings instead, but allow-encodings isn't
|
|
specified in HTTP 1.0.
|
|
- Raise the max dns workers from 50 to 100.
|
|
- Discourage people from setting their dirfetchpostperiod more often
|
|
than once per minute.
|
|
- Protect dirservers from overzealous descriptor uploading -- wait
|
|
10 seconds after directory gets dirty, before regenerating.
|
|
|
|
|
|
Changes in version 0.0.8 - 2004-08-25
|
|
o Port it to SunOS 5.9 / Athena
|
|
|
|
|
|
Changes in version 0.0.8rc2 - 2004-08-20
|
|
o Make it compile on cygwin again.
|
|
o When picking unverified routers, skip those with low uptime and/or
|
|
low bandwidth, depending on what properties you care about.
|
|
|
|
|
|
Changes in version 0.0.8rc1 - 2004-08-18
|
|
o Changes from 0.0.7.3:
|
|
- Bugfixes:
|
|
- Fix assert triggers: if the other side returns an address 0.0.0.0,
|
|
don't put it into the client dns cache.
|
|
- If a begin failed due to exit policy, but we believe the IP address
|
|
should have been allowed, switch that router to exitpolicy reject *:*
|
|
until we get our next directory.
|
|
- Features:
|
|
- Clients choose nodes proportional to advertised bandwidth.
|
|
- Avoid using nodes with low uptime as introduction points.
|
|
- Handle servers with dynamic IP addresses: don't replace
|
|
options->Address with the resolved one at startup, and
|
|
detect our address right before we make a routerinfo each time.
|
|
- 'FascistFirewall' option to pick dirservers and ORs on specific
|
|
ports; plus 'FirewallPorts' config option to tell FascistFirewall
|
|
which ports are open. (Defaults to 80,443)
|
|
- Be more aggressive about trying to make circuits when the network
|
|
has changed (e.g. when you unsuspend your laptop).
|
|
- Check for time skew on http headers; report date in response to
|
|
"GET /".
|
|
- If the entrynode config line has only one node, don't pick it as
|
|
an exitnode.
|
|
- Add strict{entry|exit}nodes config options. If set to 1, then
|
|
we refuse to build circuits that don't include the specified entry
|
|
or exit nodes.
|
|
- OutboundBindAddress config option, to bind to a specific
|
|
IP address for outgoing connect()s.
|
|
- End truncated log entries (e.g. directories) with "[truncated]".
|
|
|
|
o Patches to 0.0.8preX:
|
|
- Bugfixes:
|
|
- Patches to compile and run on win32 again (maybe)?
|
|
- Fix crash when looking for ~/.torrc with no $HOME set.
|
|
- Fix a race bug in the unit tests.
|
|
- Handle verified/unverified name collisions better when new
|
|
routerinfo's arrive in a directory.
|
|
- Sometimes routers were getting entered into the stats before
|
|
we'd assigned their identity_digest. Oops.
|
|
- Only pick and establish intro points after we've gotten a
|
|
directory.
|
|
- Features:
|
|
- AllowUnverifiedNodes config option to let circuits choose no-name
|
|
routers in entry,middle,exit,introduction,rendezvous positions.
|
|
Allow middle and rendezvous positions by default.
|
|
- Add a man page for tor-resolve.
|
|
|
|
|
|
Changes in version 0.0.7.3 - 2004-08-12
|
|
o Stop dnsworkers from triggering an assert failure when you
|
|
ask them to resolve the host "".
|
|
|
|
|
|
Changes in version 0.0.8pre3 - 2004-08-09
|
|
o Changes from 0.0.7.2:
|
|
- Allow multiple ORs with same nickname in routerlist -- now when
|
|
people give us one identity key for a nickname, then later
|
|
another, we don't constantly complain until the first expires.
|
|
- Remember used bandwidth (both in and out), and publish 15-minute
|
|
snapshots for the past day into our descriptor.
|
|
- You can now fetch $DIRURL/running-routers to get just the
|
|
running-routers line, not the whole descriptor list. (But
|
|
clients don't use this yet.)
|
|
- When people mistakenly use Tor as an http proxy, point them
|
|
at the tor-doc.html rather than the INSTALL.
|
|
- Remove our mostly unused -- and broken -- hex_encode()
|
|
function. Use base16_encode() instead. (Thanks to Timo Lindfors
|
|
for pointing out this bug.)
|
|
- Rotate onion keys every 12 hours, not every 2 hours, so we have
|
|
fewer problems with people using the wrong key.
|
|
- Change the default exit policy to reject the default edonkey,
|
|
kazaa, gnutella ports.
|
|
- Add replace_file() to util.[ch] to handle win32's rename().
|
|
|
|
o Changes from 0.0.8preX:
|
|
- Fix two bugs in saving onion keys to disk when rotating, so
|
|
hopefully we'll get fewer people using old onion keys.
|
|
- Fix an assert error that was making SocksPolicy not work.
|
|
- Be willing to expire routers that have an open dirport -- it's
|
|
just the authoritative dirservers we want to not forget.
|
|
- Reject tor-resolve requests for .onion addresses early, so we
|
|
don't build a whole rendezvous circuit and then fail.
|
|
- When you're warning a server that he's unverified, don't cry
|
|
wolf unpredictably.
|
|
- Fix a race condition: don't try to extend onto a connection
|
|
that's still handshaking.
|
|
- For servers in clique mode, require the conn to be open before
|
|
you'll choose it for your path.
|
|
- Fix some cosmetic bugs about duplicate mark-for-close, lack of
|
|
end relay cell, etc.
|
|
- Measure bandwidth capacity over the last 24 hours, not just 12
|
|
- Bugfix: authoritative dirservers were making and signing a new
|
|
directory for each client, rather than reusing the cached one.
|
|
|
|
|
|
Changes in version 0.0.8pre2 - 2004-08-04
|
|
o Changes from 0.0.7.2:
|
|
- Security fixes:
|
|
- Check directory signature _before_ you decide whether you're
|
|
you're running an obsolete version and should exit.
|
|
- Check directory signature _before_ you parse the running-routers
|
|
list to decide who's running or verified.
|
|
- Bugfixes and features:
|
|
- Check return value of fclose while writing to disk, so we don't
|
|
end up with broken files when servers run out of disk space.
|
|
- Log a warning if the user uses an unsafe socks variant, so people
|
|
are more likely to learn about privoxy or socat.
|
|
- Dirservers now include RFC1123-style dates in the HTTP headers,
|
|
which one day we will use to better detect clock skew.
|
|
|
|
o Changes from 0.0.8pre1:
|
|
- Make it compile without warnings again on win32.
|
|
- Log a warning if you're running an unverified server, to let you
|
|
know you might want to get it verified.
|
|
- Only pick a default nickname if you plan to be a server.
|
|
|
|
|
|
Changes in version 0.0.8pre1 - 2004-07-23
|
|
o Bugfixes:
|
|
- Made our unit tests compile again on OpenBSD 3.5, and tor
|
|
itself compile again on OpenBSD on a sparc64.
|
|
- We were neglecting milliseconds when logging on win32, so
|
|
everything appeared to happen at the beginning of each second.
|
|
|
|
o Protocol changes:
|
|
- 'Extend' relay cell payloads now include the digest of the
|
|
intended next hop's identity key. Now we can verify that we're
|
|
extending to the right router, and also extend to routers we
|
|
hadn't heard of before.
|
|
|
|
o Features:
|
|
- Tor nodes can now act as relays (with an advertised ORPort)
|
|
without being manually verified by the dirserver operators.
|
|
- Uploaded descriptors of unverified routers are now accepted
|
|
by the dirservers, and included in the directory.
|
|
- Verified routers are listed by nickname in the running-routers
|
|
list; unverified routers are listed as "$<fingerprint>".
|
|
- We now use hash-of-identity-key in most places rather than
|
|
nickname or addr:port, for improved security/flexibility.
|
|
- To avoid Sybil attacks, paths still use only verified servers.
|
|
But now we have a chance to play around with hybrid approaches.
|
|
- Nodes track bandwidth usage to estimate capacity (not used yet).
|
|
- ClientOnly option for nodes that never want to become servers.
|
|
- Directory caching.
|
|
- "AuthoritativeDir 1" option for the official dirservers.
|
|
- Now other nodes (clients and servers) will cache the latest
|
|
directory they've pulled down.
|
|
- They can enable their DirPort to serve it to others.
|
|
- Clients will pull down a directory from any node with an open
|
|
DirPort, and check the signature/timestamp correctly.
|
|
- Authoritative dirservers now fetch directories from other
|
|
authdirservers, to stay better synced.
|
|
- Running-routers list tells who's down also, along with noting
|
|
if they're verified (listed by nickname) or unverified (listed
|
|
by hash-of-key).
|
|
- Allow dirservers to serve running-router list separately.
|
|
This isn't used yet.
|
|
- ORs connect-on-demand to other ORs
|
|
- If you get an extend cell to an OR you're not connected to,
|
|
connect, handshake, and forward the create cell.
|
|
- The authoritative dirservers stay connected to everybody,
|
|
and everybody stays connected to 0.0.7 servers, but otherwise
|
|
clients/servers expire unused connections after 5 minutes.
|
|
- When servers get a sigint, they delay 30 seconds (refusing new
|
|
connections) then exit. A second sigint causes immediate exit.
|
|
- File and name management:
|
|
- Look for .torrc if no CONFDIR "torrc" is found.
|
|
- If no datadir is defined, then choose, make, and secure ~/.tor
|
|
as datadir.
|
|
- If torrc not found, exitpolicy reject *:*.
|
|
- Expands ~/ in filenames to $HOME/ (but doesn't yet expand ~arma).
|
|
- If no nickname is defined, derive default from hostname.
|
|
- Rename secret key files, e.g. identity.key -> secret_id_key,
|
|
to discourage people from mailing their identity key to tor-ops.
|
|
- Refuse to build a circuit before the directory has arrived --
|
|
it won't work anyway, since you won't know the right onion keys
|
|
to use.
|
|
- Try other dirservers immediately if the one you try is down. This
|
|
should tolerate down dirservers better now.
|
|
- Parse tor version numbers so we can do an is-newer-than check
|
|
rather than an is-in-the-list check.
|
|
- New socks command 'resolve', to let us shim gethostbyname()
|
|
locally.
|
|
- A 'tor_resolve' script to access the socks resolve functionality.
|
|
- A new socks-extensions.txt doc file to describe our
|
|
interpretation and extensions to the socks protocols.
|
|
- Add a ContactInfo option, which gets published in descriptor.
|
|
- Publish OR uptime in descriptor (and thus in directory) too.
|
|
- Write tor version at the top of each log file
|
|
- New docs in the tarball:
|
|
- tor-doc.html.
|
|
- Document that you should proxy your SSL traffic too.
|
|
|
|
|
|
Changes in version 0.0.7.2 - 2004-07-07
|
|
o A better fix for the 0.0.0.0 problem, that will hopefully
|
|
eliminate the remaining related assertion failures.
|
|
|
|
|
|
Changes in version 0.0.7.1 - 2004-07-04
|
|
o When an address resolves to 0.0.0.0, treat it as a failed resolve,
|
|
since internally we use 0.0.0.0 to signify "not yet resolved".
|
|
|
|
|
|
Changes in version 0.0.7 - 2004-06-07
|
|
o Updated the man page to reflect the new features.
|
|
|
|
|
|
Changes in version 0.0.7rc2 - 2004-06-06
|
|
o Changes from 0.0.7rc1:
|
|
- Make it build on Win32 again.
|
|
o Changes from 0.0.6.2:
|
|
- Rotate dnsworkers and cpuworkers on SIGHUP, so they get new config
|
|
settings too.
|
|
|
|
|
|
Changes in version 0.0.7rc1 - 2004-06-02
|
|
o Bugfixes:
|
|
- On sighup, we were adding another log without removing the first
|
|
one. So log messages would get duplicated n times for n sighups.
|
|
- Several cases of using a connection after we'd freed it. The
|
|
problem was that connections that are pending resolve are in both
|
|
the pending_resolve tree, and also the circuit's resolving_streams
|
|
list. When you want to remove one, you must remove it from both.
|
|
- Fix a double-mark-for-close where an end cell arrived for a
|
|
resolving stream, and then the resolve failed.
|
|
- Check directory signatures based on name of signer, not on whom
|
|
we got the directory from. This will let us cache directories more
|
|
easily.
|
|
o Features:
|
|
- Crank up some of our constants to handle more users.
|
|
|
|
|
|
Changes in version 0.0.7pre1 - 2004-06-02
|
|
o Fixes for crashes and other obnoxious bugs:
|
|
- Fix an epipe bug: sometimes when directory connections failed
|
|
to connect, we would give them a chance to flush before closing
|
|
them.
|
|
- When we detached from a circuit because of resolvefailed, we
|
|
would immediately try the same circuit twice more, and then
|
|
give up on the resolve thinking we'd tried three different
|
|
exit nodes.
|
|
- Limit the number of intro circuits we'll attempt to build for a
|
|
hidden service per 15-minute period.
|
|
- Check recommended-software string *early*, before actually parsing
|
|
the directory. Thus we can detect an obsolete version and exit,
|
|
even if the new directory format doesn't parse.
|
|
o Fixes for security bugs:
|
|
- Remember which nodes are dirservers when you startup, and if a
|
|
random OR enables his dirport, don't automatically assume he's
|
|
a trusted dirserver.
|
|
o Other bugfixes:
|
|
- Directory connections were asking the wrong poll socket to
|
|
start writing, and not asking themselves to start writing.
|
|
- When we detached from a circuit because we sent a begin but
|
|
didn't get a connected, we would use it again the first time;
|
|
but after that we would correctly switch to a different one.
|
|
- Stop warning when the first onion decrypt attempt fails; they
|
|
will sometimes legitimately fail now that we rotate keys.
|
|
- Override unaligned-access-ok check when $host_cpu is ia64 or
|
|
arm. Apparently they allow it but the kernel whines.
|
|
- Dirservers try to reconnect periodically too, in case connections
|
|
have failed.
|
|
- Fix some memory leaks in directory servers.
|
|
- Allow backslash in Win32 filenames.
|
|
- Made Tor build complain-free on FreeBSD, hopefully without
|
|
breaking other BSD builds. We'll see.
|
|
o Features:
|
|
- Doxygen markup on all functions and global variables.
|
|
- Make directory functions update routerlist, not replace it. So
|
|
now directory disagreements are not so critical a problem.
|
|
- Remove the upper limit on number of descriptors in a dirserver's
|
|
directory (not that we were anywhere close).
|
|
- Allow multiple logfiles at different severity ranges.
|
|
- Allow *BindAddress to specify ":port" rather than setting *Port
|
|
separately. Allow multiple instances of each BindAddress config
|
|
option, so you can bind to multiple interfaces if you want.
|
|
- Allow multiple exit policy lines, which are processed in order.
|
|
Now we don't need that huge line with all the commas in it.
|
|
- Enable accept/reject policies on SOCKS connections, so you can bind
|
|
to 0.0.0.0 but still control who can use your OP.
|
|
|
|
|
|
Changes in version 0.0.6.2 - 2004-05-16
|
|
o Our integrity-checking digest was checking only the most recent cell,
|
|
not the previous cells like we'd thought.
|
|
Thanks to Stefan Mark for finding the flaw!
|
|
|
|
|
|
Changes in version 0.0.6.1 - 2004-05-06
|
|
o Fix two bugs in our AES counter-mode implementation (this affected
|
|
onion-level stream encryption, but not TLS-level). It turns
|
|
out we were doing something much more akin to a 16-character
|
|
polyalphabetic cipher. Oops.
|
|
Thanks to Stefan Mark for finding the flaw!
|
|
o Retire moria3 as a directory server, and add tor26 as a directory
|
|
server.
|
|
|
|
|
|
Changes in version 0.0.6 - 2004-05-02
|
|
[version bump only]
|
|
|
|
|
|
Changes in version 0.0.6rc4 - 2004-05-01
|
|
o Update the built-in dirservers list to use the new directory format
|
|
o Fix a rare seg fault: if a node offering a hidden service attempts
|
|
to build a circuit to Alice's rendezvous point and fails before it
|
|
reaches the last hop, it retries with a different circuit, but
|
|
then dies.
|
|
o Handle windows socket errors correctly.
|
|
|
|
|
|
Changes in version 0.0.6rc3 - 2004-04-28
|
|
o Don't expire non-general excess circuits (if we had enough
|
|
circuits open, we were expiring rendezvous circuits -- even
|
|
when they had a stream attached. oops.)
|
|
o Fetch randomness from /dev/urandom better (not via fopen/fread)
|
|
o Better debugging for tls errors
|
|
o Some versions of openssl have an SSL_pending function that erroneously
|
|
returns bytes when there is a non-application record pending.
|
|
o Set Content-Type on the directory and hidserv descriptor.
|
|
o Remove IVs from cipher code, since AES-ctr has none.
|
|
o Win32 fixes. Tor now compiles on win32 with no warnings/errors.
|
|
o We were using an array of length zero in a few places.
|
|
o win32's gethostbyname can't resolve an IP to an IP.
|
|
o win32's close can't close a socket.
|
|
|
|
|
|
Changes in version 0.0.6rc2 - 2004-04-26
|
|
o Fix a bug where we were closing tls connections intermittently.
|
|
It turns out openssl keeps its errors around -- so if an error
|
|
happens, and you don't ask about it, and then another openssl
|
|
operation happens and succeeds, and you ask if there was an error,
|
|
it tells you about the first error. Fun fun.
|
|
o Fix a bug that's been lurking since 27 may 03 (!)
|
|
When passing back a destroy cell, we would use the wrong circ id.
|
|
'Mostly harmless', but still worth fixing.
|
|
o Since we don't support truncateds much, don't bother sending them;
|
|
just close the circ.
|
|
o check for <machine/limits.h> so we build on NetBSD again (I hope).
|
|
o don't crash if a conn that sent a begin has suddenly lost its circuit
|
|
(this was quite rare).
|
|
|
|
|
|
Changes in version 0.0.6rc1 - 2004-04-25
|
|
o We now rotate link (tls context) keys and onion keys.
|
|
o CREATE cells now include oaep padding, so you can tell
|
|
if you decrypted them correctly.
|
|
o Add bandwidthburst to server descriptor.
|
|
o Directories now say which dirserver signed them.
|
|
o Use a tor_assert macro that logs failed assertions too.
|
|
|
|
|
|
Changes in version 0.0.6pre5 - 2004-04-18
|
|
o changes from 0.0.6pre4:
|
|
- make tor build on broken freebsd 5.2 installs
|
|
- fix a failed assert when you try an intro point, get a nack, and try
|
|
a second one and it works.
|
|
- when alice uses a port that the hidden service doesn't accept,
|
|
it now sends back an end cell (denied by exit policy). otherwise
|
|
alice would just have to wait to time out.
|
|
- fix another rare bug: when we had tried all the intro
|
|
points for a hidden service, we fetched the descriptor
|
|
again, but we left our introcirc thinking it had already
|
|
sent an intro, so it kept waiting for a response...
|
|
- bugfix: when you sleep your hidden-service laptop, as soon
|
|
as it wakes up it tries to upload a service descriptor, but
|
|
socketpair fails for some reason (localhost not up yet?).
|
|
now we simply give up on that upload, and we'll try again later.
|
|
i'd still like to find the bug though.
|
|
- if an intro circ waiting for an ack dies before getting one, then
|
|
count it as a nack
|
|
- we were reusing stale service descriptors and refetching usable
|
|
ones. oops.
|
|
|
|
|
|
Changes in version 0.0.6pre4 - 2004-04-14
|
|
o changes from 0.0.6pre3:
|
|
- when bob fails to connect to the rendezvous point, and his
|
|
circ didn't fail because of the rendezvous point itself, then
|
|
he retries a couple of times
|
|
- we expire introduction and rendezvous circs more thoroughly
|
|
(sometimes they were hanging around forever)
|
|
- we expire unattached rendezvous streams that have been around
|
|
too long (they were sticking around forever).
|
|
- fix a measly fencepost error that was crashing everybody with
|
|
a strict glibc.
|
|
|
|
|
|
Changes in version 0.0.6pre3 - 2004-04-14
|
|
o changes from 0.0.6pre2:
|
|
- make hup work again
|
|
- fix some memory leaks for dirservers
|
|
- allow more skew in rendezvous descriptor timestamps, to help
|
|
handle people like blanu who don't know what time it is
|
|
- normal circs are 3 hops, but some rend/intro circs are 4, if
|
|
the initiator doesn't get to choose the last hop
|
|
- send acks for introductions, so alice can know whether to try
|
|
again
|
|
- bob publishes intro points more correctly
|
|
o changes from 0.0.5:
|
|
- fix an assert trigger that's been plaguing us since the days
|
|
of 0.0.2prexx (thanks weasel!)
|
|
- retry stream correctly when we fail to connect because of
|
|
exit-policy-reject (should try another) or can't-resolve-address
|
|
(also should try another, because dns on random internet servers
|
|
is flaky).
|
|
- when we hup a dirserver and we've *removed* a server from the
|
|
approved-routers list, now we remove that server from the
|
|
in-memory directories too
|
|
|
|
|
|
Changes in version 0.0.6pre2 - 2004-04-08
|
|
o We fixed our base32 implementation. Now it works on all architectures.
|
|
|
|
|
|
Changes in version 0.0.6pre1 - 2004-04-08
|
|
o Features:
|
|
- Hidden services and rendezvous points are implemented. Go to
|
|
http://6sxoyfb3h2nvok2d.onion/ for an index of currently available
|
|
hidden services. (This only works via a socks4a proxy such as
|
|
Privoxy, and currently it's quite slow.)
|
|
|
|
|
|
Changes in version 0.0.5 - 2004-03-30
|
|
[version bump only]
|
|
|
|
|
|
Changes in version 0.0.5rc3 - 2004-03-29
|
|
o Install torrc as torrc.sample -- we no longer clobber your
|
|
torrc. (Woo!)
|
|
o Re-enable recommendedversion checking (we broke it in rc2, oops)
|
|
o Add in a 'notice' log level for things the operator should hear
|
|
but that aren't warnings
|
|
|
|
|
|
Changes in version 0.0.5rc2 - 2004-03-29
|
|
o Hold socks connection open until reply is flushed (if possible)
|
|
o Make exit nodes resolve IPs to IPs immediately, rather than asking
|
|
the dns farm to do it.
|
|
o Fix c99 aliasing warnings in rephist.c
|
|
o Don't include server descriptors that are older than 24 hours in the
|
|
directory.
|
|
o Give socks 'reject' replies their whole 15s to attempt to flush,
|
|
rather than seeing the 60s timeout and assuming the flush had failed.
|
|
o Clean automake droppings from the cvs repository
|
|
|
|
|
|
Changes in version 0.0.5rc1 - 2004-03-28
|
|
o Fix mangled-state bug in directory fetching (was causing sigpipes).
|
|
o Only build circuits after we've fetched the directory: clients were
|
|
using only the directory servers before they'd fetched a directory.
|
|
This also means longer startup time; so it goes.
|
|
o Fix an assert trigger where an OP would fail to handshake, and we'd
|
|
expect it to have a nickname.
|
|
o Work around a tsocks bug: do a socks reject when AP connection dies
|
|
early, else tsocks goes into an infinite loop.
|
|
|
|
|
|
Changes in version 0.0.4 - 2004-03-26
|
|
o When connecting to a dirserver or OR and the network is down,
|
|
we would crash.
|
|
|
|
|
|
Changes in version 0.0.3 - 2004-03-26
|
|
o Warn and fail if server chose a nickname with illegal characters
|
|
o Port to Solaris and Sparc:
|
|
- include missing header fcntl.h
|
|
- have autoconf find -lsocket -lnsl automatically
|
|
- deal with hardware word alignment
|
|
- make uname() work (solaris has a different return convention)
|
|
- switch from using signal() to sigaction()
|
|
o Preliminary work on reputation system:
|
|
- Keep statistics on success/fail of connect attempts; they're published
|
|
by kill -USR1 currently.
|
|
- Add a RunTesting option to try to learn link state by creating test
|
|
circuits, even when SocksPort is off.
|
|
- Remove unused open circuits when there are too many.
|
|
|
|
|
|
Changes in version 0.0.2 - 2004-03-19
|
|
- Include strlcpy and strlcat for safer string ops
|
|
- define INADDR_NONE so we compile (but still not run) on solaris
|
|
|
|
|
|
Changes in version 0.0.2pre27 - 2004-03-14
|
|
o Bugfixes:
|
|
- Allow internal tor networks (we were rejecting internal IPs,
|
|
now we allow them if they're set explicitly).
|
|
- And fix a few endian issues.
|
|
|
|
|
|
Changes in version 0.0.2pre26 - 2004-03-14
|
|
o New features:
|
|
- If a stream times out after 15s without a connected cell, don't
|
|
try that circuit again: try a new one.
|
|
- Retry streams at most 4 times. Then give up.
|
|
- When a dirserver gets a descriptor from an unknown router, it
|
|
logs its fingerprint (so the dirserver operator can choose to
|
|
accept it even without mail from the server operator).
|
|
- Inform unapproved servers when we reject their descriptors.
|
|
- Make tor build on Windows again. It works as a client, who knows
|
|
about as a server.
|
|
- Clearer instructions in the torrc for how to set up a server.
|
|
- Be more efficient about reading fd's when our global token bucket
|
|
(used for rate limiting) becomes empty.
|
|
o Bugfixes:
|
|
- Stop asserting that computers always go forward in time. It's
|
|
simply not true.
|
|
- When we sent a cell (e.g. destroy) and then marked an OR connection
|
|
expired, we might close it before finishing a flush if the other
|
|
side isn't reading right then.
|
|
- Don't allow dirservers to start if they haven't defined
|
|
RecommendedVersions
|
|
- We were caching transient dns failures. Oops.
|
|
- Prevent servers from publishing an internal IP as their address.
|
|
- Address a strcat vulnerability in circuit.c
|
|
|
|
|
|
Changes in version 0.0.2pre25 - 2004-03-04
|
|
o New features:
|
|
- Put the OR's IP in its router descriptor, not its fqdn. That way
|
|
we'll stop being stalled by gethostbyname for nodes with flaky dns,
|
|
e.g. poblano.
|
|
o Bugfixes:
|
|
- If the user typed in an address that didn't resolve, the server
|
|
crashed.
|
|
|
|
|
|
Changes in version 0.0.2pre24 - 2004-03-03
|
|
o Bugfixes:
|
|
- Fix an assertion failure in dns.c, where we were trying to dequeue
|
|
a pending dns resolve even if it wasn't pending
|
|
- Fix a spurious socks5 warning about still trying to write after the
|
|
connection is finished.
|
|
- Hold certain marked_for_close connections open until they're finished
|
|
flushing, rather than losing bytes by closing them too early.
|
|
- Correctly report the reason for ending a stream
|
|
- Remove some duplicate calls to connection_mark_for_close
|
|
- Put switch_id and start_daemon earlier in the boot sequence, so it
|
|
will actually try to chdir() to options.DataDirectory
|
|
- Make 'make test' exit(1) if a test fails; fix some unit tests
|
|
- Make tor fail when you use a config option it doesn't know about,
|
|
rather than warn and continue.
|
|
- Make --version work
|
|
- Bugfixes on the rpm spec file and tor.sh, so it's more up to date
|
|
|
|
|
|
Changes in version 0.0.2pre23 - 2004-02-29
|
|
o New features:
|
|
- Print a statement when the first circ is finished, so the user
|
|
knows it's working.
|
|
- If a relay cell is unrecognized at the end of the circuit,
|
|
send back a destroy. (So attacks to mutate cells are more
|
|
clearly thwarted.)
|
|
- New config option 'excludenodes' to avoid certain nodes for circuits.
|
|
- When it daemonizes, it chdir's to the DataDirectory rather than "/",
|
|
so you can collect coredumps there.
|
|
o Bugfixes:
|
|
- Fix a bug in tls flushing where sometimes data got wedged and
|
|
didn't flush until more data got sent. Hopefully this bug was
|
|
a big factor in the random delays we were seeing.
|
|
- Make 'connected' cells include the resolved IP, so the client
|
|
dns cache actually gets populated.
|
|
- Disallow changing from ORPort=0 to ORPort>0 on hup.
|
|
- When we time-out on a stream and detach from the circuit, send an
|
|
end cell down it first.
|
|
- Only warn about an unknown router (in exitnodes, entrynodes,
|
|
excludenodes) after we've fetched a directory.
|
|
|
|
|
|
Changes in version 0.0.2pre22 - 2004-02-26
|
|
o New features:
|
|
- Servers publish less revealing uname information in descriptors.
|
|
- More memory tracking and assertions, to crash more usefully when
|
|
errors happen.
|
|
- If the default torrc isn't there, just use some default defaults.
|
|
Plus provide an internal dirservers file if they don't have one.
|
|
- When the user tries to use Tor as an http proxy, give them an http
|
|
501 failure explaining that we're a socks proxy.
|
|
- Dump a new router.desc on hup, to help confused people who change
|
|
their exit policies and then wonder why router.desc doesn't reflect
|
|
it.
|
|
- Clean up the generic tor.sh init script that we ship with.
|
|
o Bugfixes:
|
|
- If the exit stream is pending on the resolve, and a destroy arrives,
|
|
then the stream wasn't getting removed from the pending list. I
|
|
think this was the one causing recent server crashes.
|
|
- Use a more robust poll on OSX 10.3, since their poll is flaky.
|
|
- When it couldn't resolve any dirservers, it was useless from then on.
|
|
Now it reloads the RouterFile (or default dirservers) if it has no
|
|
dirservers.
|
|
- Move the 'tor' binary back to /usr/local/bin/ -- it turns out
|
|
many users don't even *have* a /usr/local/sbin/.
|
|
|
|
|
|
Changes in version 0.0.2pre21 - 2004-02-18
|
|
o New features:
|
|
- There's a ChangeLog file that actually reflects the changelog.
|
|
- There's a 'torify' wrapper script, with an accompanying
|
|
tor-tsocks.conf, that simplifies the process of using tsocks for
|
|
tor. It even has a man page.
|
|
- The tor binary gets installed to sbin rather than bin now.
|
|
- Retry streams where the connected cell hasn't arrived in 15 seconds
|
|
- Clean up exit policy handling -- get the default out of the torrc,
|
|
so we can update it without forcing each server operator to fix
|
|
his/her torrc.
|
|
- Allow imaps and pop3s in default exit policy
|
|
o Bugfixes:
|
|
- Prevent picking middleman nodes as the last node in the circuit
|
|
|
|
|
|
Changes in version 0.0.2pre20 - 2004-01-30
|
|
o New features:
|
|
- We now have a deb package, and it's in debian unstable. Go to
|
|
it, apt-getters. :)
|
|
- I've split the TotalBandwidth option into BandwidthRate (how many
|
|
bytes per second you want to allow, long-term) and
|
|
BandwidthBurst (how many bytes you will allow at once before the cap
|
|
kicks in). This better token bucket approach lets you, say, set
|
|
BandwidthRate to 10KB/s and BandwidthBurst to 10MB, allowing good
|
|
performance while not exceeding your monthly bandwidth quota.
|
|
- Push out a tls record's worth of data once you've got it, rather
|
|
than waiting until you've read everything waiting to be read. This
|
|
may improve performance by pipelining better. We'll see.
|
|
- Add an AP_CONN_STATE_CONNECTING state, to allow streams to detach
|
|
from failed circuits (if they haven't been connected yet) and attach
|
|
to new ones.
|
|
- Expire old streams that haven't managed to connect. Some day we'll
|
|
have them reattach to new circuits instead.
|
|
|
|
o Bugfixes:
|
|
- Fix several memory leaks that were causing servers to become bloated
|
|
after a while.
|
|
- Fix a few very rare assert triggers. A few more remain.
|
|
- Setuid to User _before_ complaining about running as root.
|
|
|
|
|
|
Changes in version 0.0.2pre19 - 2004-01-07
|
|
o Bugfixes:
|
|
- Fix deadlock condition in dns farm. We were telling a child to die by
|
|
closing the parent's file descriptor to him. But newer children were
|
|
inheriting the open file descriptor from the parent, and since they
|
|
weren't closing it, the socket never closed, so the child never read
|
|
eof, so he never knew to exit. Similarly, dns workers were holding
|
|
open other sockets, leading to all sorts of chaos.
|
|
- New cleaner daemon() code for forking and backgrounding.
|
|
- If you log to a file, it now prints an entry at the top of the
|
|
logfile so you know it's working.
|
|
- The onionskin challenge length was 30 bytes longer than necessary.
|
|
- Started to patch up the spec so it's not quite so out of date.
|
|
|
|
|
|
Changes in version 0.0.2pre18 - 2004-01-02
|
|
o Bugfixes:
|
|
- Fix endian issues with the 'integrity' field in the relay header.
|
|
- Fix a potential bug where connections in state
|
|
AP_CONN_STATE_CIRCUIT_WAIT might unexpectedly ask to write.
|
|
|
|
|
|
Changes in version 0.0.2pre17 - 2003-12-30
|
|
o Bugfixes:
|
|
- Made --debuglogfile (or any second log file, actually) work.
|
|
- Resolved an edge case in get_unique_circ_id_by_conn where a smart
|
|
adversary could force us into an infinite loop.
|
|
|
|
o Features:
|
|
- Each onionskin handshake now includes a hash of the computed key,
|
|
to prove the server's identity and help perfect forward secrecy.
|
|
- Changed cell size from 256 to 512 bytes (working toward compatibility
|
|
with MorphMix).
|
|
- Changed cell length to 2 bytes, and moved it to the relay header.
|
|
- Implemented end-to-end integrity checking for the payloads of
|
|
relay cells.
|
|
- Separated streamid from 'recognized' (otherwise circuits will get
|
|
messed up when we try to have streams exit from the middle). We
|
|
use the integrity-checking to confirm that a cell is addressed to
|
|
this hop.
|
|
- Randomize the initial circid and streamid values, so an adversary who
|
|
breaks into a node can't learn how many circuits or streams have
|
|
been made so far.
|
|
|
|
|
|
Changes in version 0.0.2pre16 - 2003-12-14
|
|
o Bugfixes:
|
|
- Fixed a bug that made HUP trigger an assert
|
|
- Fixed a bug where a circuit that immediately failed wasn't being
|
|
counted as a failed circuit in counting retries.
|
|
|
|
o Features:
|
|
- Now we close the circuit when we get a truncated cell: otherwise we're
|
|
open to an anonymity attack where a bad node in the path truncates
|
|
the circuit and then we open streams at him.
|
|
- Add port ranges to exit policies
|
|
- Add a conservative default exit policy
|
|
- Warn if you're running tor as root
|
|
- on HUP, retry OR connections and close/rebind listeners
|
|
- options.EntryNodes: try these nodes first when picking the first node
|
|
- options.ExitNodes: if your best choices happen to include any of
|
|
your preferred exit nodes, you choose among just those preferred
|
|
exit nodes.
|
|
- options.ExcludedNodes: nodes that are never picked in path building
|
|
|
|
|
|
Changes in version 0.0.2pre15 - 2003-12-03
|
|
o Robustness and bugfixes:
|
|
- Sometimes clients would cache incorrect DNS resolves, which would
|
|
really screw things up.
|
|
- An OP that goes offline would slowly leak all its sockets and stop
|
|
working.
|
|
- A wide variety of bugfixes in exit node selection, exit policy
|
|
handling, and processing pending streams when a new circuit is
|
|
established.
|
|
- Pick nodes for a path only from those the directory says are up
|
|
- Choose randomly from all running dirservers, not always the first one
|
|
- Increase allowed http header size for directory fetch.
|
|
- Stop writing to stderr (if we're daemonized it will be closed).
|
|
- Enable -g always, so cores will be more useful to me.
|
|
- Switch "-lcrypto -lssl" to "-lssl -lcrypto" for broken distributions.
|
|
|
|
o Documentation:
|
|
- Wrote a man page. It lists commonly used options.
|
|
|
|
o Configuration:
|
|
- Change default loglevel to warn.
|
|
- Make PidFile default to null rather than littering in your CWD.
|
|
- OnionRouter config option is now obsolete. Instead it just checks
|
|
ORPort>0.
|
|
- Moved to a single unified torrc file for both clients and servers.
|
|
|
|
|
|
Changes in version 0.0.2pre14 - 2003-11-29
|
|
o Robustness and bugfixes:
|
|
- Force the admin to make the DataDirectory himself
|
|
- to get ownership/permissions right
|
|
- so clients no longer make a DataDirectory and then never use it
|
|
- fix bug where a client who was offline for 45 minutes would never
|
|
pull down a directory again
|
|
- fix (or at least hide really well) the dns assert bug that was
|
|
causing server crashes
|
|
- warnings and improved robustness wrt clockskew for certs
|
|
- use the native daemon(3) to daemonize, when available
|
|
- exit if bind() fails
|
|
- exit if neither socksport nor orport is defined
|
|
- include our own tor_timegm (Win32 doesn't have its own)
|
|
- bugfix for win32 with lots of connections
|
|
- fix minor bias in PRNG
|
|
- make dirserver more robust to corrupt cached directory
|
|
|
|
o Documentation:
|
|
- Wrote the design document (woo)
|
|
|
|
o Circuit building and exit policies:
|
|
- Circuits no longer try to use nodes that the directory has told them
|
|
are down.
|
|
- Exit policies now support bitmasks (18.0.0.0/255.0.0.0) and
|
|
bitcounts (18.0.0.0/8).
|
|
- Make AP connections standby for a circuit if no suitable circuit
|
|
exists, rather than failing
|
|
- Circuits choose exit node based on addr/port, exit policies, and
|
|
which AP connections are standing by
|
|
- Bump min pathlen from 2 to 3
|
|
- Relay end cells have a payload to describe why the stream ended.
|
|
- If the stream failed because of exit policy, try again with a new
|
|
circuit.
|
|
- Clients have a dns cache to remember resolved addresses.
|
|
- Notice more quickly when we have no working circuits
|
|
|
|
o Configuration:
|
|
- APPort is now called SocksPort
|
|
- SocksBindAddress, ORBindAddress, DirBindAddress let you configure
|
|
where to bind
|
|
- RecommendedVersions is now a config variable rather than
|
|
hardcoded (for dirservers)
|
|
- Reloads config on HUP
|
|
- Usage info on -h or --help
|
|
- If you set User and Group config vars, it'll setu/gid to them.
|
|
|
|
|
|
Changes in version 0.0.2pre13 - 2003-10-19
|
|
o General stability:
|
|
- SSL_write no longer fails when it returns WANTWRITE and the number
|
|
of bytes in the buf has changed by the next SSL_write call.
|
|
- Fix segfault fetching directory when network is down
|
|
- Fix a variety of minor memory leaks
|
|
- Dirservers reload the fingerprints file on HUP, so I don't have
|
|
to take down the network when I approve a new router
|
|
- Default server config file has explicit Address line to specify fqdn
|
|
|
|
o Buffers:
|
|
- Buffers grow and shrink as needed (Cut process size from 20M to 2M)
|
|
- Make listener connections not ever alloc bufs
|
|
|
|
o Autoconf improvements:
|
|
- don't clobber an external CFLAGS in ./configure
|
|
- Make install now works
|
|
- create var/lib/tor on make install
|
|
- autocreate a tor.sh initscript to help distribs
|
|
- autocreate the torrc and sample-server-torrc with correct paths
|
|
|
|
o Log files and Daemonizing now work:
|
|
- If --DebugLogFile is specified, log to it at -l debug
|
|
- If --LogFile is specified, use it instead of commandline
|
|
- If --RunAsDaemon is set, tor forks and backgrounds on startup
|
|
|