-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog
18868 lines (16884 loc) · 973 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Changes in version 0.2.7.2-alpha - 2015-0?-??
Changes in version 0.2.7.1-alpha - 2015-05-12
Tor 0.2.7.1-alpha is the first alpha release in its series. It
includes numerous small features and bugfixes against previous Tor
versions, and numerous small infrastructure improvements. The most
notable features are several new ways for controllers to interact with
the hidden services subsystem.
o New system requirements:
- Tor no longer includes workarounds to support Libevent versions
before 1.3e. Libevent 2.0 or later is recommended. Closes
ticket 15248.
o Major features (controller):
- Add the ADD_ONION and DEL_ONION commands that allow the creation
and management of hidden services via the controller. Closes
ticket 6411.
- New "GETINFO onions/current" and "GETINFO onions/detached"
commands to get information about hidden services created via the
controller. Part of ticket 6411.
- New HSFETCH command to launch a request for a hidden service
descriptor. Closes ticket 14847.
- New HSPOST command to upload a hidden service descriptor. Closes
ticket 3523. Patch by "DonnchaC".
o Major bugfixes (hidden services):
- Revert commit that made directory authorities assign the HSDir
flag to relay without a DirPort; this was bad because such relays
can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
on tor-0.2.6.3-alpha.
o Minor features (clock-jump tolerance):
- Recover better when our clock jumps back many hours, like might
happen for Tails or Whonix users who start with a very wrong
hardware clock, use Tor to discover a more accurate time, and then
fix their clock. Resolves part of ticket 8766.
o Minor features (command-line interface):
- Make --hash-password imply --hush to prevent unnecessary noise.
Closes ticket 15542. Patch from "cypherpunks".
- Print a warning whenever we find a relative file path being used
as torrc option. Resolves issue 14018.
o Minor features (controller):
- Add DirAuthority lines for default directory authorities to the
output of the "GETINFO config/defaults" command if not already
present. Implements ticket 14840.
- Controllers can now use "GETINFO hs/client/desc/id/..." to
retrieve items from the client's hidden service descriptor cache.
Closes ticket 14845.
- Implement a new controller command "GETINFO status/fresh-relay-
descs" to fetch a descriptor/extrainfo pair that was generated on
demand just for the controller's use. Implements ticket 14784.
o Minor features (DoS-resistance):
- Make it harder for attackers to overload hidden services with
introductions, by blocking multiple introduction requests on the
same circuit. Resolves ticket 15515.
o Minor features (geoip):
- Update geoip to the April 8 2015 Maxmind GeoLite2 Country database.
- Update geoip6 to the April 8 2015 Maxmind GeoLite2
Country database.
o Minor features (HS popularity countermeasure):
- To avoid leaking HS popularity, don't cycle the introduction point
when we've handled a fixed number of INTRODUCE2 cells but instead
cycle it when a random number of introductions is reached, thus
making it more difficult for an attacker to find out the amount of
clients that have used the introduction point for a specific HS.
Closes ticket 15745.
o Minor features (logging):
- Include the Tor version in all LD_BUG log messages, since people
tend to cut and paste those into the bugtracker. Implements
ticket 15026.
o Minor features (pluggable transports):
- When launching managed pluggable transports on Linux systems,
attempt to have the kernel deliver a SIGTERM on tor exit if the
pluggable transport process is still running. Resolves
ticket 15471.
- When launching managed pluggable transports, setup a valid open
stdin in the child process that can be used to detect if tor has
terminated. The "TOR_PT_EXIT_ON_STDIN_CLOSE" environment variable
can be used by implementations to detect this new behavior.
Resolves ticket 15435.
o Minor features (testing):
- Add a test to verify that the compiler does not eliminate our
memwipe() implementation. Closes ticket 15377.
- Add make rule `check-changes` to verify the format of changes
files. Closes ticket 15180.
- Add unit tests for control_event_is_interesting(). Add a compile-
time check that the number of events doesn't exceed the capacity
of control_event_t.event_mask. Closes ticket 15431, checks for
bugs similar to 13085. Patch by "teor".
- Command-line argument tests moved to Stem. Resolves ticket 14806.
- Integrate the ntor, backtrace, and zero-length keys tests into the
automake test suite. Closes ticket 15344.
- Remove assertions during builds to determine Tor's test coverage.
We don't want to trigger these even in assertions, so including
them artificially makes our branch coverage look worse than it is.
This patch provides the new test-stem-full and coverage-html-full
configure options. Implements ticket 15400.
o Minor bugfixes (build):
- Improve out-of-tree builds by making non-standard rules work and
clean up additional files and directories. Fixes bug 15053; bugfix
on 0.2.7.0-alpha.
o Minor bugfixes (command-line interface):
- When "--quiet" is provided along with "--validate-config", do not
write anything to stdout on success. Fixes bug 14994; bugfix
on 0.2.3.3-alpha.
- When complaining about bad arguments to "--dump-config", use
stderr, not stdout.
o Minor bugfixes (configuration, unit tests):
- Only add the default fallback directories when the DirAuthorities,
AlternateDirAuthority, and FallbackDir directory config options
are set to their defaults. The default fallback directory list is
currently empty, this fix will only change tor's behavior when it
has default fallback directories. Includes unit tests for
consider_adding_dir_servers(). Fixes bug 15642; bugfix on
90f6071d8dc0 in 0.2.4.7-alpha. Patch by "teor".
o Minor bugfixes (correctness):
- For correctness, avoid modifying a constant string in
handle_control_postdescriptor. Fixes bug 15546; bugfix
on 0.1.1.16-rc.
- Remove side-effects from tor_assert() calls. This was harmless,
because we never disable assertions, but it is bad style and
unnecessary. Fixes bug 15211; bugfix on 0.2.5.5, 0.2.2.36,
and 0.2.0.10.
o Minor bugfixes (hidden service):
- Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
a client authorized hidden service. Fixes bug 15823; bugfix
on 0.2.1.6-alpha.
- Remove an extraneous newline character from the end of hidden
service descriptors. Fixes bug 15296; bugfix on 0.2.0.10-alpha.
o Minor bugfixes (interface):
- Print usage information for --dump-config when it is used without
an argument. Also, fix the error message to use different wording
and add newline at the end. Fixes bug 15541; bugfix
on 0.2.5.1-alpha.
o Minor bugfixes (logs):
- When building Tor under Clang, do not include an extra set of
parentheses in log messages that include function names. Fixes bug
15269; bugfix on every released version of Tor when compiled with
recent enough Clang.
o Minor bugfixes (network):
- When attempting to use fallback technique for network interface
lookup, disregard loopback and multicast addresses since they are
unsuitable for public communications.
o Minor bugfixes (statistics):
- Disregard the ConnDirectionStatistics torrc options when Tor is
not a relay since in that mode of operation no sensible data is
being collected and because Tor might run into measurement hiccups
when running as a client for some time, then becoming a relay.
Fixes bug 15604; bugfix on 0.2.2.35.
o Minor bugfixes (test networks):
- When self-testing reachability, use ExtendAllowPrivateAddresses to
determine if local/private addresses imply reachability. The
previous fix used TestingTorNetwork, which implies
ExtendAllowPrivateAddresses, but this excluded rare configurations
where ExtendAllowPrivateAddresses is set but TestingTorNetwork is
not. Fixes bug 15771; bugfix on 0.2.6.1-alpha. Patch by "teor",
issue discovered by CJ Ess.
o Minor bugfixes (testing):
- Check for matching value in server response in ntor_ref.py. Fixes
bug 15591; bugfix on 0.2.4.8-alpha. Reported and fixed
by "joelanders".
- Set the severity correctly when testing
get_interface_addresses_ifaddrs() and
get_interface_addresses_win32(), so that the tests fail gracefully
instead of triggering an assertion. Fixes bug 15759; bugfix on
0.2.6.3-alpha. Reported by Nicolas Derive.
o Code simplification and refactoring:
- Move the hacky fallback code out of get_interface_address6() into
separate function and get it covered with unit-tests. Resolves
ticket 14710.
- Refactor hidden service client-side cache lookup to intelligently
report its various failure cases, and disentangle failure cases
involving a lack of introduction points. Closes ticket 14391.
- Use our own Base64 encoder instead of OpenSSL's, to allow more
control over the output. Part of ticket 15652.
o Documentation:
- Improve the descriptions of statistics-related torrc options in
the manpage to describe rationale and possible uses cases. Fixes
issue 15550.
- Improve the layout and formatting of ./configure --help messages.
Closes ticket 15024. Patch from "cypherpunks".
- Standardize on the term "server descriptor" in the manual page.
Previously, we had used "router descriptor", "server descriptor",
and "relay descriptor" interchangeably. Part of ticket 14987.
o Removed code:
- Remove `USE_OPENSSL_BASE64` and the corresponding fallback code
and always use the internal Base64 decoder. The internal decoder
has been part of tor since tor-0.2.0.10-alpha, and no one should
be using the OpenSSL one. Part of ticket 15652.
- Remove the 'tor_strclear()' function; use memwipe() instead.
Closes ticket 14922.
o Removed features:
- Remove the (seldom-used) DynamicDHGroups feature. For anti-
fingerprinting we now recommend pluggable transports; for forward-
secrecy in TLS, we now use the P-256 group. Closes ticket 13736.
- Remove the undocumented "--digests" command-line option. It
complicated our build process, caused subtle build issues on
multiple platforms, and is now redundant since we started
including git version identifiers. Closes ticket 14742.
- Tor no longer contains checks for ancient directory cache versions
that didn't know about microdescriptors.
- Tor no longer contains workarounds for stat files generated by
super-old versions of Tor that didn't choose guards sensibly.
Changes in version 0.2.4.27 - 2015-04-06
Tor 0.2.4.27 backports two fixes from 0.2.6.7 for security issues that
could be used by an attacker to crash hidden services, or crash clients
visiting hidden services. Hidden services should upgrade as soon as
possible; clients should upgrade whenever packages become available.
This release also backports a simple improvement to make hidden
services a bit less vulnerable to denial-of-service attacks.
o Major bugfixes (security, hidden service):
- Fix an issue that would allow a malicious client to trigger an
assertion failure and halt a hidden service. Fixes bug 15600;
bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
- Fix a bug that could cause a client to crash with an assertion
failure when parsing a malformed hidden service descriptor. Fixes
bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
o Minor features (DoS-resistance, hidden service):
- Introduction points no longer allow multiple INTRODUCE1 cells to
arrive on the same circuit. This should make it more expensive for
attackers to overwhelm hidden services with introductions.
Resolves ticket 15515.
Changes in version 0.2.6.7 - 2015-04-06
Tor 0.2.6.7 fixes two security issues that could be used by an
attacker to crash hidden services, or crash clients visiting hidden
services. Hidden services should upgrade as soon as possible; clients
should upgrade whenever packages become available.
This release also contains two simple improvements to make hidden
services a bit less vulnerable to denial-of-service attacks.
o Major bugfixes (security, hidden service):
- Fix an issue that would allow a malicious client to trigger an
assertion failure and halt a hidden service. Fixes bug 15600;
bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
- Fix a bug that could cause a client to crash with an assertion
failure when parsing a malformed hidden service descriptor. Fixes
bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
o Minor features (DoS-resistance, hidden service):
- Introduction points no longer allow multiple INTRODUCE1 cells to
arrive on the same circuit. This should make it more expensive for
attackers to overwhelm hidden services with introductions.
Resolves ticket 15515.
- Decrease the amount of reattempts that a hidden service performs
when its rendezvous circuits fail. This reduces the computational
cost for running a hidden service under heavy load. Resolves
ticket 11447.
Changes in version 0.2.6.6 - 2015-03-24
Tor 0.2.6.6 is the first stable release in the 0.2.6 series.
It adds numerous safety, security, correctness, and performance
improvements. Client programs can be configured to use more kinds of
sockets, AutomapHosts works better, the multithreading backend is
improved, cell transmission is refactored, test coverage is much
higher, more denial-of-service attacks are handled, guard selection is
improved to handle long-term guards better, pluggable transports
should work a bit better, and some annoying hidden service performance
bugs should be addressed.
o Minor bugfixes (portability):
- Use the correct datatype in the SipHash-2-4 function to prevent
compilers from assuming any sort of alignment. Fixes bug 15436;
bugfix on 0.2.5.3-alpha.
Changes in version 0.2.6.5-rc - 2015-03-18
Tor 0.2.6.5-rc is the second and (hopefully) last release candidate in
the 0.2.6. It fixes a small number of bugs found in 0.2.6.4-rc.
o Major bugfixes (client):
- Avoid crashing when making certain configuration option changes on
clients. Fixes bug 15245; bugfix on 0.2.6.3-alpha. Reported
by "anonym".
o Major bugfixes (pluggable transports):
- Initialize the extended OR Port authentication cookie before
launching pluggable transports. This prevents a race condition
that occured when server-side pluggable transports would cache the
authentication cookie before it has been (re)generated. Fixes bug
15240; bugfix on 0.2.5.1-alpha.
o Major bugfixes (portability):
- Do not crash on startup when running on Solaris. Fixes a bug
related to our fix for 9495; bugfix on 0.2.6.1-alpha. Reported
by "ruebezahl".
o Minor features (heartbeat):
- On relays, report how many connections we negotiated using each
version of the Tor link protocols. This information will let us
know if removing support for very old versions of the Tor
protocols is harming the network. Closes ticket 15212.
o Code simplification and refactoring:
- Refactor main loop to extract the 'loop' part. This makes it
easier to run Tor under Shadow. Closes ticket 15176.
Changes in version 0.2.5.11 - 2015-03-17
Tor 0.2.5.11 is the second stable release in the 0.2.5 series.
It backports several bugfixes from the 0.2.6 branch, including a
couple of medium-level security fixes for relays and exit nodes.
It also updates the list of directory authorities.
o Directory authority changes:
- Remove turtles as a directory authority.
- Add longclaw as a new (v3) directory authority. This implements
ticket 13296. This keeps the directory authority count at 9.
- The directory authority Faravahar has a new IP address. This
closes ticket 14487.
o Major bugfixes (crash, OSX, security):
- Fix a remote denial-of-service opportunity caused by a bug in
OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared
in OSX 10.9.
o Major bugfixes (relay, stability, possible security):
- Fix a bug that could lead to a relay crashing with an assertion
failure if a buffer of exactly the wrong layout was passed to
buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
0.2.0.10-alpha. Patch from 'cypherpunks'.
- Do not assert if the 'data' pointer on a buffer is advanced to the
very end of the buffer; log a BUG message instead. Only assert if
it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
o Major bugfixes (exit node stability):
- Fix an assertion failure that could occur under high DNS load.
Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
diagnosed and fixed by "cypherpunks".
o Major bugfixes (Linux seccomp2 sandbox):
- Upon receiving sighup with the seccomp2 sandbox enabled, do not
crash during attempts to call wait4. Fixes bug 15088; bugfix on
0.2.5.1-alpha. Patch from "sanic".
o Minor features (controller):
- New "GETINFO bw-event-cache" to get information about recent
bandwidth events. Closes ticket 14128. Useful for controllers to
get recent bandwidth history after the fix for ticket 13988.
o Minor features (geoip):
- Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
- Update geoip6 to the March 3 2015 Maxmind GeoLite2
Country database.
o Minor bugfixes (client, automapping):
- Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when
no value follows the option. Fixes bug 14142; bugfix on
0.2.4.7-alpha. Patch by "teor".
- Fix a memory leak when using AutomapHostsOnResolve. Fixes bug
14195; bugfix on 0.1.0.1-rc.
o Minor bugfixes (compilation):
- Build without warnings with the stock OpenSSL srtp.h header, which
has a duplicate declaration of SSL_get_selected_srtp_profile().
Fixes bug 14220; this is OpenSSL's bug, not ours.
o Minor bugfixes (directory authority):
- Allow directory authorities to fetch more data from one another if
they find themselves missing lots of votes. Previously, they had
been bumping against the 10 MB queued data limit. Fixes bug 14261;
bugfix on 0.1.2.5-alpha.
- Enlarge the buffer to read bwauth generated files to avoid an
issue when parsing the file in dirserv_read_measured_bandwidths().
Fixes bug 14125; bugfix on 0.2.2.1-alpha.
o Minor bugfixes (statistics):
- Increase period over which bandwidth observations are aggregated
from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1.
o Minor bugfixes (preventative security, C safety):
- When reading a hexadecimal, base-32, or base-64 encoded value from
a string, always overwrite the whole output buffer. This prevents
some bugs where we would look at (but fortunately, not reveal)
uninitialized memory on the stack. Fixes bug 14013; bugfix on all
versions of Tor.
Changes in version 0.2.4.26 - 2015-03-17
Tor 0.2.4.26 includes an updated list of directory authorities. It
also backports a couple of stability and security bugfixes from 0.2.5
and beyond.
o Directory authority changes:
- Remove turtles as a directory authority.
- Add longclaw as a new (v3) directory authority. This implements
ticket 13296. This keeps the directory authority count at 9.
- The directory authority Faravahar has a new IP address. This
closes ticket 14487.
o Major bugfixes (exit node stability, also in 0.2.6.3-alpha):
- Fix an assertion failure that could occur under high DNS load.
Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
diagnosed and fixed by "cypherpunks".
o Major bugfixes (relay, stability, possible security, also in 0.2.6.4-rc):
- Fix a bug that could lead to a relay crashing with an assertion
failure if a buffer of exactly the wrong layout was passed to
buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
0.2.0.10-alpha. Patch from 'cypherpunks'.
- Do not assert if the 'data' pointer on a buffer is advanced to the
very end of the buffer; log a BUG message instead. Only assert if
it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
o Minor features (geoip):
- Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
- Update geoip6 to the March 3 2015 Maxmind GeoLite2
Country database.
Changes in version 0.2.6.4-rc - 2015-03-09
Tor 0.2.6.4-alpha fixes an issue in the directory code that an
attacker might be able to use in order to crash certain Tor
directories. It also resolves some minor issues left over from, or
introduced in, Tor 0.2.6.3-alpha or earlier.
o Major bugfixes (crash, OSX, security):
- Fix a remote denial-of-service opportunity caused by a bug in
OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared
in OSX 10.9.
o Major bugfixes (relay, stability, possible security):
- Fix a bug that could lead to a relay crashing with an assertion
failure if a buffer of exactly the wrong layout is passed to
buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
0.2.0.10-alpha. Patch from "cypherpunks".
- Do not assert if the 'data' pointer on a buffer is advanced to the
very end of the buffer; log a BUG message instead. Only assert if
it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
o Major bugfixes (FreeBSD IPFW transparent proxy):
- Fix address detection with FreeBSD transparent proxies, when
"TransProxyType ipfw" is in use. Fixes bug 15064; bugfix
on 0.2.5.4-alpha.
o Major bugfixes (Linux seccomp2 sandbox):
- Pass IPPROTO_TCP rather than 0 to socket(), so that the Linux
seccomp2 sandbox doesn't fail. Fixes bug 14989; bugfix
on 0.2.6.3-alpha.
- Allow AF_UNIX hidden services to be used with the seccomp2
sandbox. Fixes bug 15003; bugfix on 0.2.6.3-alpha.
- Upon receiving sighup with the seccomp2 sandbox enabled, do not
crash during attempts to call wait4. Fixes bug 15088; bugfix on
0.2.5.1-alpha. Patch from "sanic".
o Minor features (controller):
- Messages about problems in the bootstrap process now include
information about the server we were trying to connect to when we
noticed the problem. Closes ticket 15006.
o Minor features (geoip):
- Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
- Update geoip6 to the March 3 2015 Maxmind GeoLite2
Country database.
o Minor features (logs):
- Quiet some log messages in the heartbeat and at startup. Closes
ticket 14950.
o Minor bugfixes (certificate handling):
- If an authority operator accidentally makes a signing certificate
with a future publication time, do not discard its real signing
certificates. Fixes bug 11457; bugfix on 0.2.0.3-alpha.
- Remove any old authority certificates that have been superseded
for at least two days. Previously, we would keep superseded
certificates until they expired, if they were published close in
time to the certificate that superseded them. Fixes bug 11454;
bugfix on 0.2.1.8-alpha.
o Minor bugfixes (compilation):
- Fix a compilation warning on s390. Fixes bug 14988; bugfix
on 0.2.5.2-alpha.
- Fix a compilation warning on FreeBSD. Fixes bug 15151; bugfix
on 0.2.6.2-alpha.
o Minor bugfixes (testing):
- Fix endianness issues in unit test for resolve_my_address() to
have it pass on big endian systems. Fixes bug 14980; bugfix on
Tor 0.2.6.3-alpha.
- Avoid a side-effect in a tor_assert() in the unit tests. Fixes bug
15188; bugfix on 0.1.2.3-alpha. Patch from Tom van der Woerdt.
- When running the new 'make test-stem' target, use the configured
python binary. Fixes bug 15037; bugfix on 0.2.6.3-alpha. Patch
from "cypherpunks".
- When running the zero-length-keys tests, do not use the default
torrc file. Fixes bug 15033; bugfix on 0.2.6.3-alpha. Reported
by "reezer".
o Directory authority IP change:
- The directory authority Faravahar has a new IP address. This
closes ticket 14487.
o Removed code:
- Remove some lingering dead code that once supported mempools.
Mempools were disabled by default in 0.2.5, and removed entirely
in 0.2.6.3-alpha. Closes more of ticket 14848; patch
by "cypherpunks".
Changes in version 0.2.6.3-alpha - 2015-02-19
Tor 0.2.6.3-alpha is the third (and hopefully final) alpha release in
the 0.2.6.x series. It introduces support for more kinds of sockets,
makes it harder to accidentally run an exit, improves our
multithreading backend, incorporates several fixes for the
AutomapHostsOnResolve option, and fixes numerous other bugs besides.
If no major regressions or security holes are found in this version,
the next version will be a release candidate.
o Deprecated versions:
- Tor relays older than 0.2.4.18-rc are no longer allowed to
advertise themselves on the network. Closes ticket 13555.
o Major features (security, unix domain sockets):
- Allow SocksPort to be an AF_UNIX Unix Domain Socket. Now high risk
applications can reach Tor without having to create AF_INET or
AF_INET6 sockets, meaning they can completely disable their
ability to make non-Tor network connections. To create a socket of
this type, use "SocksPort unix:/path/to/socket". Implements
ticket 12585.
- Support mapping hidden service virtual ports to AF_UNIX sockets.
The syntax is "HiddenServicePort 80 unix:/path/to/socket".
Implements ticket 11485.
o Major features (changed defaults):
- Prevent relay operators from unintentionally running exits: When a
relay is configured as an exit node, we now warn the user unless
the "ExitRelay" option is set to 1. We warn even more loudly if
the relay is configured with the default exit policy, since this
can indicate accidental misconfiguration. Setting "ExitRelay 0"
stops Tor from running as an exit relay. Closes ticket 10067.
o Major features (directory system):
- When downloading server- or microdescriptors from a directory
server, we no longer launch multiple simultaneous requests to the
same server. This reduces load on the directory servers,
especially when directory guards are in use. Closes ticket 9969.
- When downloading server- or microdescriptors over a tunneled
connection, do not limit the length of our requests to what the
Squid proxy is willing to handle. Part of ticket 9969.
- Authorities can now vote on the correct digests and latest
versions for different software packages. This allows packages
that include Tor to use the Tor authority system as a way to get
notified of updates and their correct digests. Implements proposal
227. Closes ticket 10395.
o Major features (guards):
- Introduce the Guardfraction feature to improves load balancing on
guard nodes. Specifically, it aims to reduce the traffic gap that
guard nodes experience when they first get the Guard flag. This is
a required step if we want to increase the guard lifetime to 9
months or greater. Closes ticket 9321.
o Major features (performance):
- Make the CPU worker implementation more efficient by avoiding the
kernel and lengthening pipelines. The original implementation used
sockets to transfer data from the main thread to the workers, and
didn't allow any thread to be assigned more than a single piece of
work at once. The new implementation avoids communications
overhead by making requests in shared memory, avoiding kernel IO
where possible, and keeping more requests in flight at once.
Implements ticket 9682.
o Major features (relay):
- Raise the minimum acceptable configured bandwidth rate for bridges
to 50 KiB/sec and for relays to 75 KiB/sec. (The old values were
20 KiB/sec.) Closes ticket 13822.
o Major bugfixes (exit node stability):
- Fix an assertion failure that could occur under high DNS load.
Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
diagnosed and fixed by "cypherpunks".
o Major bugfixes (mixed relay-client operation):
- When running as a relay and client at the same time (not
recommended), if we decide not to use a new guard because we want
to retry older guards, only close the locally-originating circuits
passing through that guard. Previously we would close all the
circuits through that guard. Fixes bug 9819; bugfix on
0.2.1.1-alpha. Reported by "skruffy".
o Minor features (build):
- New --disable-system-torrc compile-time option to prevent Tor from
looking for the system-wide torrc or torrc-defaults files.
Resolves ticket 13037.
o Minor features (controller):
- Include SOCKS_USERNAME and SOCKS_PASSWORD values in controller
events so controllers can observe circuit isolation inputs. Closes
ticket 8405.
- ControlPort now supports the unix:/path/to/socket syntax as an
alternative to the ControlSocket option, for consistency with
SocksPort and HiddenServicePort. Closes ticket 14451.
- New "GETINFO bw-event-cache" to get information about recent
bandwidth events. Closes ticket 14128. Useful for controllers to
get recent bandwidth history after the fix for ticket 13988.
o Minor features (Denial of service resistance):
- Count the total number of bytes used storing hidden service
descriptors against the value of MaxMemInQueues. If we're low on
memory, and more than 20% of our memory is used holding hidden
service descriptors, free them until no more than 10% of our
memory holds hidden service descriptors. Free the least recently
fetched descriptors first. Resolves ticket 13806.
- When we have recently been under memory pressure (over 3/4 of
MaxMemInQueues is allocated), then allocate smaller zlib objects
for small requests. Closes ticket 11791.
o Minor features (geoip):
- Update geoip and geoip6 files to the January 7 2015 Maxmind
GeoLite2 Country database.
o Minor features (guard nodes):
- Reduce the time delay before saving guard status to disk from 10
minutes to 30 seconds (or from one hour to 10 minutes if
AvoidDiskWrites is set). Closes ticket 12485.
o Minor features (hidden service):
- Make Sybil attacks against hidden services harder by changing the
minimum time required to get the HSDir flag from 25 hours up to 96
hours. Addresses ticket 14149.
- New option "HiddenServiceAllowUnknownPorts" to allow hidden
services to disable the anti-scanning feature introduced in
0.2.6.2-alpha. With this option not set, a connection to an
unlisted port closes the circuit. With this option set, only a
RELAY_DONE cell is sent. Closes ticket 14084.
o Minor features (interface):
- Implement "-f -" command-line option to read torrc configuration
from standard input, if you don't want to store the torrc file in
the file system. Implements feature 13865.
o Minor features (logging):
- Add a count of unique clients to the bridge heartbeat message.
Resolves ticket 6852.
- Suppress "router info incompatible with extra info" message when
reading extrainfo documents from cache. (This message got loud
around when we closed bug 9812 in 0.2.6.2-alpha.) Closes
ticket 13762.
- Elevate hidden service authorized-client message from DEBUG to
INFO. Closes ticket 14015.
o Minor features (stability):
- Add assertions in our hash-table iteration code to check for
corrupted values that could cause infinite loops. Closes
ticket 11737.
o Minor features (systemd):
- Various improvements and modernizations in systemd hardening
support. Closes ticket 13805. Patch from Craig Andrews.
o Minor features (testing networks):
- Drop the minimum RendPostPeriod on a testing network to 5 seconds,
and the default on a testing network to 2 minutes. Drop the
MIN_REND_INITIAL_POST_DELAY on a testing network to 5 seconds, but
keep the default on a testing network at 30 seconds. This reduces
HS bootstrap time to around 25 seconds. Also, change the default
time in test-network.sh to match. Closes ticket 13401. Patch
by "teor".
- Create TestingDirAuthVoteHSDir to correspond to
TestingDirAuthVoteExit/Guard. Ensures that authorities vote the
HSDir flag for the listed relays regardless of uptime or ORPort
connectivity. Respects the value of VoteOnHidServDirectoriesV2.
Partial implementation for ticket 14067. Patch by "teor".
o Minor features (tor2web mode):
- Introduce the config option Tor2webRendezvousPoints, which allows
clients in Tor2webMode to select a specific Rendezvous Point to be
used in HS circuits. This might allow better performance for
Tor2Web nodes. Implements ticket 12844.
o Minor bugfixes (client DNS):
- Report the correct cached DNS expiration times on SOCKS port or in
DNS replies. Previously, we would report everything as "never
expires." Fixes bug 14193; bugfix on 0.2.3.17-beta.
- Avoid a small memory leak when we find a cached answer for a
reverse DNS lookup in a client-side DNS cache. (Remember, client-
side DNS caching is off by default, and is not recommended.) Fixes
bug 14259; bugfix on 0.2.0.1-alpha.
o Minor bugfixes (client, automapping):
- Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when
no value follows the option. Fixes bug 14142; bugfix on
0.2.4.7-alpha. Patch by "teor".
- Fix a memory leak when using AutomapHostsOnResolve. Fixes bug
14195; bugfix on 0.1.0.1-rc.
- Prevent changes to other options from removing the wildcard value
"." from "AutomapHostsSuffixes". Fixes bug 12509; bugfix
on 0.2.0.1-alpha.
- Allow MapAddress and AutomapHostsOnResolve to work together when
an address is mapped into another address type (like .onion) that
must be automapped at resolve time. Fixes bug 7555; bugfix
on 0.2.0.1-alpha.
o Minor bugfixes (client, bridges):
- When we are using bridges and we had a network connectivity
problem, only retry connecting to our currently configured
bridges, not all bridges we know about and remember using. Fixes
bug 14216; bugfix on 0.2.2.17-alpha.
o Minor bugfixes (client, IPv6):
- Reject socks requests to literal IPv6 addresses when IPv6Traffic
flag is not set; and not because the NoIPv4Traffic flag was set.
Previously we'd looked at the NoIPv4Traffic flag for both types of
literal addresses. Fixes bug 14280; bugfix on 0.2.4.7-alpha.
o Minor bugfixes (compilation):
- The address of an array in the middle of a structure will always
be non-NULL. clang recognises this and complains. Disable the
tautologous and redundant check to silence this warning. Fixes bug
14001; bugfix on 0.2.1.2-alpha.
- Avoid warnings when building with systemd 209 or later. Fixes bug
14072; bugfix on 0.2.6.2-alpha. Patch from "h.venev".
- Compile correctly with (unreleased) OpenSSL 1.1.0 headers.
Addresses ticket 14188.
- Build without warnings with the stock OpenSSL srtp.h header, which
has a duplicate declaration of SSL_get_selected_srtp_profile().
Fixes bug 14220; this is OpenSSL's bug, not ours.
- Do not compile any code related to Tor2Web mode when Tor2Web mode
is not enabled at compile time. Previously, this code was included
in a disabled state. See discussion on ticket 12844.
- Remove the --disable-threads configure option again. It was
accidentally partially reintroduced in 29ac883606d6d. Fixes bug
14819; bugfix on 0.2.6.2-alpha.
o Minor bugfixes (controller):
- Report "down" in response to the "GETINFO entry-guards" command
when relays are down with an unreachable_since value. Previously,
we would report "up". Fixes bug 14184; bugfix on 0.1.2.2-alpha.
- Avoid crashing on a malformed EXTENDCIRCUIT command. Fixes bug
14116; bugfix on 0.2.2.9-alpha.
- Add a code for the END_CIRC_REASON_IP_NOW_REDUNDANT circuit close
reason. Fixes bug 14207; bugfix on 0.2.6.2-alpha.
o Minor bugfixes (directory authority):
- Allow directory authorities to fetch more data from one another if
they find themselves missing lots of votes. Previously, they had
been bumping against the 10 MB queued data limit. Fixes bug 14261;
bugfix on 0.1.2.5-alpha.
- Do not attempt to download extrainfo documents which we will be
unable to validate with a matching server descriptor. Fixes bug
13762; bugfix on 0.2.0.1-alpha.
- Fix a bug that was truncating AUTHDIR_NEWDESC events sent to the
control port. Fixes bug 14953; bugfix on 0.2.0.1-alpha.
- Enlarge the buffer to read bwauth generated files to avoid an
issue when parsing the file in dirserv_read_measured_bandwidths().
Fixes bug 14125; bugfix on 0.2.2.1-alpha.
o Minor bugfixes (file handling):
- Stop failing when key files are zero-length. Instead, generate new
keys, and overwrite the empty key files. Fixes bug 13111; bugfix
on all versions of Tor. Patch by "teor".
- Stop generating a fresh .old RSA onion key file when the .old file
is missing. Fixes part of 13111; bugfix on 0.0.6rc1.
- Avoid overwriting .old key files with empty key files.
- Skip loading zero-length extrainfo store, router store, stats,
state, and key files.
- Avoid crashing when trying to reload a torrc specified as a
relative path with RunAsDaemon turned on. Fixes bug 13397; bugfix
on 0.2.3.11-alpha.
o Minor bugfixes (hidden services):
- Close the introduction circuit when we have no more usable intro
points, instead of waiting for it to time out. This also ensures
that no follow-up HS descriptor fetch is triggered when the
circuit eventually times out. Fixes bug 14224; bugfix on 0.0.6.
- When fetching a hidden service descriptor for a down service that
was recently up, do not keep refetching until we try the same
replica twice in a row. Fixes bug 14219; bugfix on 0.2.0.10-alpha.
- Successfully launch Tor with a nonexistent hidden service
directory. Our fix for bug 13942 didn't catch this case. Fixes bug
14106; bugfix on 0.2.6.2-alpha.
o Minor bugfixes (logging):
- Avoid crashing when there are more log domains than entries in
domain_list. Bugfix on 0.2.3.1-alpha.
- Add a string representation for LD_SCHED. Fixes bug 14740; bugfix
on 0.2.6.1-alpha.
- Don't log messages to stdout twice when starting up. Fixes bug
13993; bugfix on 0.2.6.1-alpha.
o Minor bugfixes (parsing):
- Stop accepting milliseconds (or other junk) at the end of
descriptor publication times. Fixes bug 9286; bugfix on 0.0.2pre25.
- Support two-number and three-number version numbers correctly, in
case we change the Tor versioning system in the future. Fixes bug
13661; bugfix on 0.0.8pre1.
o Minor bugfixes (path counting):
- When deciding whether the consensus lists any exit nodes, count
the number listed in the consensus, not the number we have
descriptors for. Fixes part of bug 14918; bugfix on 0.2.6.2-alpha.
- When deciding whether we have any exit nodes, only examine
ExitNodes when the ExitNodes option is actually set. Fixes part of
bug 14918; bugfix on 0.2.6.2-alpha.
- Get rid of redundant and possibly scary warnings that we are
missing directory information while we bootstrap. Fixes part of
bug 14918; bugfix on 0.2.6.2-alpha.
o Minor bugfixes (portability):
- Fix the ioctl()-based network interface lookup code so that it
will work on systems that have variable-length struct ifreq, for
example Mac OS X.
- Fix scheduler compilation on targets where char is unsigned. Fixes
bug 14764; bugfix on 0.2.6.2-alpha. Reported by Christian Kujau.
o Minor bugfixes (sandbox):
- Allow glibc fatal errors to be sent to stderr before Tor exits.
Previously, glibc would try to write them to /dev/tty, and the
sandbox would trap the call and make Tor exit prematurely. Fixes
bug 14759; bugfix on 0.2.5.1-alpha.
o Minor bugfixes (shutdown):
- When shutting down, always call event_del() on lingering read or
write events before freeing them. Otherwise, we risk double-frees
or read-after-frees in event_base_free(). Fixes bug 12985; bugfix
on 0.1.0.2-rc.
o Minor bugfixes (small memory leaks):
- Avoid leaking memory when using IPv6 virtual address mappings.
Fixes bug 14123; bugfix on 0.2.4.7-alpha. Patch by Tom van
der Woerdt.
o Minor bugfixes (statistics):
- Increase period over which bandwidth observations are aggregated
from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1.
o Minor bugfixes (systemd support):
- Fix detection and operation of systemd watchdog. Fixes part of bug
14141; bugfix on 0.2.6.2-alpha. Patch from Tomasz Torcz.
- Run correctly under systemd with the RunAsDaemon option set. Fixes
part of bug 14141; bugfix on 0.2.5.7-rc. Patch from Tomasz Torcz.
- Inform the systemd supervisor about more changes in the Tor
process status. Implements part of ticket 14141. Patch from
Tomasz Torcz.
- Cause the "--disable-systemd" option to actually disable systemd
support. Fixes bug 14350; bugfix on 0.2.6.2-alpha. Patch
from "blueness".
o Minor bugfixes (TLS):
- Check more thoroughly throughout the TLS code for possible
unlogged TLS errors. Possible diagnostic or fix for bug 13319.
o Minor bugfixes (transparent proxy):
- Use getsockname, not getsockopt, to retrieve the address for a
TPROXY-redirected connection. Fixes bug 13796; bugfix
on 0.2.5.2-alpha.
o Code simplification and refactoring:
- Move fields related to isolating and configuring client ports into
a shared structure. Previously, they were duplicated across
port_cfg_t, listener_connection_t, and edge_connection_t. Failure
to copy them correctly had been the cause of at least one bug in
the past. Closes ticket 8546.
- Refactor the get_interface_addresses_raw() doom-function into
multiple smaller and simpler subfunctions. Cover the resulting
subfunctions with unit-tests. Fixes a significant portion of
issue 12376.
- Remove workaround in dirserv_thinks_router_is_hs_dir() that was
only for version <= 0.2.2.24 which is now deprecated. Closes
ticket 14202.
- Remove a test for a long-defunct broken version-one
directory server.
o Documentation:
- Adding section on OpenBSD to our TUNING document. Thanks to mmcc
for writing the OpenBSD-specific tips. Resolves ticket 13702.
- Make the tor-resolve documentation match its help string and its
options. Resolves part of ticket 14325.
- Log a more useful error message from tor-resolve when failing to
look up a hidden service address. Resolves part of ticket 14325.
o Downgraded warnings:
- Don't warn when we've attempted to contact a relay using the wrong
ntor onion key. Closes ticket 9635.
o Removed features:
- To avoid confusion with the "ExitRelay" option, "ExitNode" is no
longer silently accepted as an alias for "ExitNodes".
- The --enable-mempool and --enable-buf-freelists options, which
were originally created to work around bad malloc implementations,
no longer exist. They were off-by-default in 0.2.5. Closes
ticket 14848.
o Testing:
- Make the checkdir/perms test complete successfully even if the
global umask is not 022. Fixes bug 14215; bugfix on 0.2.6.2-alpha.
- Test that tor does not fail when key files are zero-length. Check
that tor generates new keys, and overwrites the empty key files.
- Test that tor generates new keys when keys are missing
(existing behavior).
- Test that tor does not overwrite key files that already contain
data (existing behavior). Tests bug 13111. Patch by "teor".
- New "make test-stem" target to run stem integration tests.
Requires that the "STEM_SOURCE_DIR" environment variable be set.
Closes ticket 14107.
- Make the test_cmdline_args.py script work correctly on Windows.
Patch from Gisle Vanem.
- Move the slower unit tests into a new "./src/test/test-slow"
binary that can be run independently of the other tests. Closes
ticket 13243.
- Avoid undefined behavior when sampling huge values from the
Laplace distribution. This made unittests fail on Raspberry Pi.
Bug found by Device. Fixes bug 14090; bugfix on 0.2.6.2-alpha.
Changes in version 0.2.6.2-alpha - 2014-12-31
Tor 0.2.6.2-alpha is the second alpha release in the 0.2.6.x series.
It introduces a major new backend for deciding when to send cells on
channels, which should lead down the road to big performance
increases. It contains security and statistics features for better
work on hidden services, and numerous bugfixes.
This release contains many new unit tests, along with major
performance improvements for running testing networks using Chutney.
Thanks to a series of patches contributed by "teor", testing networks
should now bootstrap in seconds, rather than minutes.
o Major features (relay, infrastructure):
- Complete revision of the code that relays use to decide which cell
to send next. Formerly, we selected the best circuit to write on
each channel, but we didn't select among channels in any
sophisticated way. Now, we choose the best circuits globally from
among those whose channels are ready to deliver traffic.
This patch implements a new inter-cmux comparison API, a global
high/low watermark mechanism and a global scheduler loop for
transmission prioritization across all channels as well as among
circuits on one channel. This schedule is currently tuned to
(tolerantly) avoid making changes in network performance, but it
should form the basis for major circuit performance increases in
the future. Code by Andrea; tuning by Rob Jansen; implements
ticket 9262.
o Major features (hidden services):
- Make HS port scanning more difficult by immediately closing the
circuit when a user attempts to connect to a nonexistent port.
Closes ticket 13667.
- Add a HiddenServiceStatistics option that allows Tor relays to
gather and publish statistics about the overall size and volume of
hidden service usage. Specifically, when this option is turned on,
an HSDir will publish an approximate number of hidden services
that have published descriptors to it the past 24 hours. Also, if
a relay has acted as a hidden service rendezvous point, it will
publish the approximate amount of rendezvous cells it has relayed
the past 24 hours. The statistics themselves are obfuscated so
that the exact values cannot be derived. For more details see
proposal 238, "Better hidden service stats from Tor relays". This
feature is currently disabled by default. Implements feature 13192.
o Major bugfixes (client, automap):
- Repair automapping with IPv6 addresses. This automapping should
have worked previously, but one piece of debugging code that we
inserted to detect a regression actually caused the regression to
manifest itself again. Fixes bug 13811 and bug 12831; bugfix on
0.2.4.7-alpha. Diagnosed and fixed by Francisco Blas
Izquierdo Riera.
o Major bugfixes (hidden services):
- When closing an introduction circuit that was opened in parallel
with others, don't mark the introduction point as unreachable.
Previously, the first successful connection to an introduction
point would make the other introduction points get marked as
having timed out. Fixes bug 13698; bugfix on 0.0.6rc2.
o Directory authority changes: