ChangeLog 1.62 MB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
Changes in version 0.4.2.1-alpha - 2019-09-??

  o Major features (developer tools):
    - Our best-practices tracker now integrates with our include-checker tool
      to keep track of the layering violations that we have not yet fixed.
      We hope to reduce this number over time to improve Tor's modularity.
      Closes ticket 31176.

  o Major features (onion service v3, denial of service):
    - Add onion service introduction denial of service defenses. They consist of
      rate limiting client introduction at the intro point using parameters that
      can be sent by the service within the ESTABLISH_INTRO cell. If the cell
      extension for this is not used, the intro point will honor the consensus
      parameters. Closes ticket 30924.

  o Major bugfixes (circuit build, guard):
    - When considering upgrading circuits from "waiting for guard" to "open",
      always ignore the ones that are mark for close. Else, we can end up in
      the situation where a subsystem is notified of that circuit opening but
      still marked for close leading to undesirable behavior. Fixes bug 30871;
      bugfix on 0.3.0.1-alpha.

  o Major bugfixes (crash, android):
    - Tolerate systems (including some Android installations) where madvise
      and MADV_DONTDUMP are available at build-time, but not at run time.
      Previously, these systems would notice a failed syscall and abort.
      Fixes bug 31570; bugfix on 0.4.1.1-alpha.

  o Major bugfixes (crash, Linux):
    - Tolerate systems (including some Linux installations) where madvise
      and/or MADV_DONTFORK are available at build-time, but not at run time.
      Previously, these systems would notice a failed syscall and abort.
      Fixes bug 31696; bugfix on 0.4.1.1-alpha.

  o Minor feature (onion service v3):
    - Do not allow single hop client to fetch or post an HS descriptor from an
      HSDir. Closes ticket 24964;

  o Minor feature (onion service):
    - Disallow single hop clients to introduce directly at the introduction
      point. We've removed Tor2web a while back and rendezvous are blocked at
      the relays. This is to remove load off the network from spammy clients.
      Close ticket 24963.

  o Minor feature (token bucket):
    - Implement a generic token bucket that uses a single counter. This will be
      useful for the anti-DoS onion service work. Closes ticket 30687.

  o Minor features (best practices tracker):
    - Add a TOR_PRACTRACKER_OPTIONS variable for passing arguments
      to practracker from the environment. We may want this for
      continuous integration. Closes ticket 31309.
    - Give a warning rather than an error when a practracker exception is
      violated by a small amount; add a --list-overbroad option to
      practracker that lists exceptions that are stricter than they need to
      be, and provide an environment variable for disabling
      practracker. Closes ticekt 30752.

  o Minor features (build system):
    - Add --disable-manpage and --disable-html-manual options to configure
      script. This will enable shortening build times by not building
      documentation. Resolves issue 19381.

  o Minor features (compilation):
    - Log a more useful error message when we are compiling and one of the
      compile-time hardening options we have selected can be linked but
      not executed. Closes ticket 27530.

  o Minor features (configuration):
    - The configuration code has been extended to allow splitting
      configuration data across multiple objects. Previously, all
      configuration data needed to be kept in a single object, which
      tended to become bloated.  Closes ticket 31240.

  o Minor features (continuous integration):
    - When running CI builds on Travis, put some random data in ~/.torrc,
      to make sure no tests are dependent on default Tor configuration.
      Resolves issue 30102.

  o Minor features (debugging):
    - Log a nonfatal assertion failure if we encounter a configuration
      line whose command is "CLEAR" but which has a nonempty value.
      This should be impossible, according to the rules of our
      configuration line parsing. Closes ticket 31529.

  o Minor features (development tools):
    - Our best-practices tracker now looks at headers as well as
      C files. Closes ticket 31175.

  o Minor features (git hooks):
    - Our pre-commit git hook now checks for a special file
      before running practracker, so that practracker only runs on branches
      that are based on master. Since the pre-push hook calls the pre-commit
      hook, practracker will also only run before pushes of branches based
      on master.
      Closes ticket 30979.

  o Minor features (git scripts):
    - Add a "--" command-line argument, to
      separate git-push-all.sh script arguments from arguments that are passed
      through to git push. Closes ticket 31314.
    - Add a -r <remote-name> argument to git-push-all.sh, so the script can
      push test branches to a personal remote. Closes ticket 31314.
    - Add a -t <test-branch-prefix> argument to git-merge-forward.sh and
      git-push-all.sh, which makes these scripts create, merge forward, and
      push test branches. Closes ticket 31314.
    - Add a -u argument to git-merge-forward.sh, so that the script can re-use
      existing test branches after a merge failure and fix.
      Closes ticket 31314.
    - Add a TOR_GIT_PUSH env var, which sets the default git push command and
      arguments for git-push-all.sh. Closes ticket 31314.
    - Add a TOR_PUSH_DELAY variable to git-push-all.sh, which makes the script
      push master and maint branches with a delay between each branch. These
      delays trigger the CI jobs in a set order, which should show the most
      likely failures first. Also make pushes atomic by default, and make
      the script pass any command-line arguments to git push.
      Closes ticket 29879.
    - Call the shellcheck script from the pre-commit hook.
      Closes ticket 30967.
    - Skip pushing test branches that are the same as a remote
      maint/release/master branch in git-push-all.sh by default. Add a -s
      argument, so git-push-all.sh can push all test branches.
      Closes ticket 31314.

  o Minor features (IPv6, logging):
    - Log IPv6 addresses as well as IPv4 addresses, when describing
      routerinfos, routerstatuses, and nodes. Closes ticket 21003.

  o Minor features (recommended packages):
    - No longer include recommended packages in votes as detailed in proposal
      301. The RecommendedPackages torrc option is deprecated and will no
      longer have any effect. "package" lines will still be considered when
      computing consensuses for consensus methods that include them. Fixes
      ticket 29738.

  o Minor features (stem tests):
    - Change "make test-stem" so it only runs the stem tests that use tor.
      This change makes test-stem faster and more reliable.
      Closes ticket 31554.

  o Minor features (testing):
    - Add a script to invoke "tor --dump-config" and "tor --verify-config"
      with various configuration options, and see whether tor's resulting
      configuration or error messages are what we expect. Use it for
      integration testing of our +Option and /Option flags.
      Closes ticket 31637.
    - Improve test coverage for our existing configuration parsing and
      management API. Closes ticket 30893.

  o Minor features (tests):
    - Add integration tests to make sure that practracker gives the outputs
      we expect. Closes ticket 31477.
    - The practracker tests are now run as part of the Tor test suite.
      Closes ticket 31304.

  o Minor bugfixes (best practices tracker):
    - Fix a few issues in the best-practices script, including tests, tab
      tolerance, error reporting, and directory-exclusion logic. Fixes bug
      29746; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (chutney, makefiles, documentation):
    - "make test-network-all" shows the warnings from each test-network.sh
      run on the console, so developers see new warnings early. Improve the
      documentation for this feature, and rename a Makefile variable so the
      code is self-documenting. Fixes bug 30455; bugfix on 0.3.0.4-rc.

  o Minor bugfixes (compilation):
    - Add more stub functions to fix compilation on Android with LTO, when
      --disable-module-dirauth is used. Previously, these compilation
      settings would make the compiler look for functions that didn't exist.
      Fixes bug 31552; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (configuration):
    - Invalid floating-point values in the configuration file are now
      detected treated as errors in the configuration. Previously, they
      were ignored and treated as zero. Fixes bug 31475; bugfix on
      0.0.1.

  o Minor bugfixes (coverity compliance):
    - Add an assertion when parsing a BEGIN cell so that coverity can be sure
      that we are not about to dereference a NULL address.
      Fixes bug 31026; bugfix on 0.2.4.7-alpha.  This is CID
      1447296.

  o Minor bugfixes (coverity):
    - In our siphash implementation, when building for coverity, use memcpy
      in place of a switch statement, so that coverity can tell we are not
      accessing out-of-bounds memory. Fixes bug 31025; bugfix on
      0.2.8.1-alpha.  This is tracked as CID 1447293 and 1447295.

  o Minor bugfixes (coverity, tests):
    - Fix several coverity warnings from our unit tests. Fixes bug 31030;
      bugfix on 0.2.4.1-alpha, 0.3.2.1-alpha, and 0.4.0.1-alpha.

  o Minor bugfixes (developer tooling):
    - Only log git script changes in post-merge script when merge was to the
      master branch. Fixes bug 31040; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (directory authorities):
    - Return a distinct status when formatting annotations fails.
      Fixes bug 30780; bugfix on 0.2.0.8-alpha.

  o Minor bugfixes (error handling):
    - On abort, try harder to flush the output buffers of log messages. On
      some platforms (macOS), log messages can be discarded when the process
      terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
    - Report the tor version whenever an assertion fails. Previously, we only
      reported the Tor version on some crashes, and some non-fatal assertions.
      Fixes bug 31571; bugfix on 0.3.5.1-alpha.
    - When tor aborts due to an error, close log file descriptors before
      aborting. Closing the logs makes some OSes flush log file buffers,
      rather than deleting buffered log lines. Fixes bug 31594;
      bugfix on 0.2.5.2-alpha.

  o Minor bugfixes (git hooks):
    - Remove a duplicate call to practracker from the pre-push hook.
      The pre-push hook already calls the pre-commit hook, which calls
      practracker. Fixes bug 31462; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (git scripts):
    - Stop hard-coding the bash path in the git scripts. Some OSes don't
      have bash in /usr/bin, others have an ancient bash at this path.
      Fixes bug 30840; bugfix on 0.4.0.1-alpha.
    - Stop hard-coding the tor master branch name and worktree path in the
      git scripts. Fixes bug 30841; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (guards):
    - When tor is missing descriptors for some primary entry guards, make the
      log message less alarming. It's normal for descriptors to expire, as long
      as tor fetches new ones soon after. Fixes bug 31657;
      bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (ipv6):
    - We check for private IPv6 address alongside their IPv4 equivalents when
      authorities check descriptors. Previously, we only checked for private
      IPv4 addresses. Fixes bug 31088; bugfix on 0.2.3.21-rc. Patch by Neel
      Chauhan.
    - When parsing microdescriptors, we should check the IPv6 exit policy
      alongside IPv4. Previously, we checked both exit policies for only
      router info structures, while microdescriptors were IPv4-only. Fixes
      bug 27284; bugfix on 0.2.3.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (logging):
    - Change log level of message "Hash of session info was not as expected"
      to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix on 0.1.1.10-alpha.
    - Fix a code issue that would have broken our parsing of log
      domains as soon as we had 33 of them.  Fortunately, we still
      only have 29.  Fixes bug 31451; bugfix on 0.4.1.4-rc.

  o Minor bugfixes (memory management):
    - Stop leaking a small amount of memory in nt_service_install(), in
      unreachable code. Fixes bug 30799; bugfix on 0.2.0.7-alpha.
      Patch by Xiaoyin Liu.

  o Minor bugfixes (networking, IP addresses):
    - When parsing addreses via Tor's internal DNS lookup API, reject IPv4
      addresses in square brackets, and accept IPv6 addresses in square
      brackets. This change completes the work started in 23082, making
      address parsing consistent between tor's internal DNS lookup and address
      parsing APIs. Fixes bug 30721; bugfix on 0.2.1.5-alpha.
    - When parsing addreses via Tor's internal address:port parsing and
      DNS lookup APIs, require IPv6 addresses with ports to have square
      brackets. But allow IPv6 addresses without ports, whether or not they
      have square brackets. Fixes bug 30721; bugfix on 0.2.1.5-alpha.

  o Minor bugfixes (onion service v3):
    - When purging the client descriptor cache, always also close any
      introduction point circuits associated with it. This avoids picking those
      when connecting to them later while not having the descriptor to complete
      the introduction. Fixes bug 30921; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (onion services):
    - In the hs_ident_circuit_t data structure, remove the unused field
      circuit_type and the respective argument in hs_ident_circuit_new().
      This field is set by clients (for introduction) and services (for
      introduction and rendezvous) but is never used afterwards. Fixes
      bug 31490; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (operator tools):
    - Make tor-print-ed-signing-cert(1) print certificate expiration date in
      RFC 1123 and UNIX timestamp formats, to make output machine readable.
      Fixes bug 31012; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (practracker):
    - When running check-best-practices, only consider files in the
      src subdirectory.  Previously we had recursively considered
      all subdirectories, which made us get confused by the
      temporary directories made by "make distcheck".  Fixes bug
      31578; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (rust):
    - Correctly exclude a redundant rust build job in Travis. Fixes bug 31463;
      bugfix on 0.3.5.4-alpha.
    - Raise the minimum rustc version to 1.31.0, as checked by configure
      and CI. Fixes bug 31442; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (sendme, code structure):
    - Rename the trunnel SENDME file definition from sendme.trunnel to
      sendme_cell.trunnel to avoid having twice sendme.{c|h} in the repository.
      Fixes bug 30769; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (statistics):
    - Stop removing the ed25519 signature if the extra info file is too big.
      If the signature data was removed, but the keyword was kept, this could
      result in an unparseable extra info file. Fixes bug 30958;
      bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (subsystems):
    - Make the subsystem init order match the subsystem module dependencies.
      Call windows process security APIs as early as possible. Init log before
      network and time, so that network and time can use logging.
      Fixes bug 31615; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (testing):
    - Teach the util/socketpair_ersatz test to work correctly when we
      have no network stack configured. Fixes bug 30804; bugfix on
      0.2.5.1-alpha.

  o Minor bugfixes (v2 single onion services):
    - Always retry v2 single onion service intro and rend circuits with a
      3-hop path. Previously, v2 single onion services used a 3-hop path
      when rend circuits were retried after a remote or delayed failure,
      but a 1-hop path for immediate retries. Fixes bug 23818;
      bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (v3 single onion services):
    - Always retry v3 single onion service intro and rend circuits with a
      3-hop path. Previously, v3 single onion services used a 3-hop path
      when rend circuits were retried after a remote or delayed failure,
      but a 1-hop path for immediate retries. Fixes bug 23818;
      bugfix on 0.3.2.1-alpha.
    - Make v3 single onion services fall back to a 3-hop intro, when there
      all intro points are unreachable via a 1-hop path. Previously, v3
      single onion services failed when all intro nodes were unreachable
      via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.

  o Code simplification and refactoring:
    - Eliminate some uses of lower-level control reply abstractions,
      primarily in the onion_helper functions. Closes ticket 30889.
    - Extract our variable manipulation code from confparse.c to a new
      lower-level typedvar.h module. Closes ticket 30864.
    - Improve documentation in circuit padding subsystem. Patch by Tobias
      Pulls. Closes ticket 31113.
    - Lower another layer of object management from confparse.c to
      a more general tool.  Now typed structure members are accessible
      via an abstract type. Implements ticket 30914.
    - Move our backend logic for working with configuration and state
      files into a lower-level library, since in no longer depends on
      any tor-specific functionality. Closes ticket 31626.
    - Numerous simplifications in configuration-handling logic:
      remove duplicated macro definitions, replace magical names
      with flags, and refactor "TestingTorNetwork" to use the
      same default-option logic as the rest of Tor.
      Closes ticket 30935.
    - Replace our ad-hoc set of flags for configuration variables and
      configuration variable types with fine-grained orthogonal flags
      corresponding to the actual behavior we want. Closes ticket 31625.
    - Rework bootstrap tracking to use the new publish-subscribe
      subsystem. Closes ticket 29976.
    - Rewrite format_node_description() and router_get_verbose_nickname() to
      use strlcpy() and strlcat(). The previous implementation used memcpy()
      and pointer arithmetic, which was error-prone.
      Closes ticket 31545. This is CID 1452819.
    - Split extrainfo_dump_to_string() into smaller functions.
      Closes ticket 30956.
    - Use the ptrdiff_t type consistently for expressing variable offsets and
      pointer differences.  Previously we incorrectly (but harmlessly) used
      int and sometimes off_t for these cases.  Closes ticket 31532.
    - Use the subsystems mechanism to manage the main event loop code.
      Closes ticket 30806.
    - Various simplifications and minor improvements to the circuit padding
      machines. Patch by Tobias Pulls. Closes tickets 31112 and 31098.

  o Documentation (hard-coded directories):
    - Improve the documentation for the DirAuthority and FallbackDir torrc
      options. Closes ticket 30955.

  o Documentation (tor.1 man page):
    - Fix typo -help to --help in tor.1 man page. Fixes bug 31008; bugfix on
      0.2.2.9-alpha.

  o Documentation:
    - Include an example usage for IPv6 ORPort in our sample torrc.
      Closes ticket 31320; patch from Ali Raheem.
    - Use RFC 2397 data URL scheme to embed image into tor-exit-notice.html
      so that operators would no longer have to host it themselves.
      Closes ticket 31089.

  o New system requirements (build system):
    - Do not include the deprecated <sys/sysctl.h> on Linux or Windows system.
      Closes 31673;

  o Removed features:
    - Remove torctl.in from contrib/dist directory. Resolves ticket 30550.

  o Testing:
    - Run shellcheck for all non-third-party shell scripts that are shipped
      with Tor. Closes ticket 29533.
    - When checking shell scripts, ignore any user-created directories.
      Closes ticket 30967.


403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
Changes in version 0.4.1.5 - 2019-08-20
  This is the first stable release in the 0.4.1.x series. This series
  adds experimental circuit-level padding, authenticated SENDME cells to
  defend against certain attacks, and several performance improvements
  to save on CPU consumption. It fixes bugs in bootstrapping and v3
  onion services. It also includes numerous smaller features and
  bugfixes on earlier versions.

  Per our support policy, we will support the 0.4.1.x series for nine
  months, or until three months after the release of a stable 0.4.2.x:
  whichever is longer. If you need longer-term support, please stick
  with 0.3.5.x, which will we plan to support until Feb 2022.

  Below are the changes since 0.4.1.4-rc. For a complete list of changes
  since 0.4.0.5, see the ReleaseNotes file.

  o Directory authority changes:
    - The directory authority "dizum" has a new IP address. Closes
      ticket 31406.

  o Minor features (circuit padding logging):
    - Demote noisy client-side warn logs about circuit padding to
      protocol warnings. Add additional log messages and circuit ID
      fields to help with bug 30992 and any other future issues.

  o Minor bugfixes (circuit padding negotiation):
    - Bump the circuit padding protocol version to explicitly signify
      that the HS setup machine support is finalized in 0.4.1.x-stable.
      This also means that 0.4.1.x-alpha clients will not negotiate
      padding with 0.4.1.x-stable relays, and 0.4.1.x-stable clients
      will not negotiate padding with 0.4.1.x-alpha relays (or 0.4.0.x
      relays). Fixes bug 31356; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (circuit padding):
    - Ignore non-padding cells on padding circuits. This addresses
      various warning messages from subsystems that were not expecting
      padding circuits. Fixes bug 30942; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (clock skew detection):
    - Don't believe clock skew results from NETINFO cells that appear to
      arrive before we sent the VERSIONS cells they are responding to.
      Previously, we would accept them up to 3 minutes "in the past".
      Fixes bug 31343; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (compatibility, standards compliance):
    - Fix a bug that would invoke undefined behavior on certain
      operating systems when trying to asprintf() a string exactly
      INT_MAX bytes long. We don't believe this is exploitable, but it's
      better to fix it anyway. Fixes bug 31001; bugfix on 0.2.2.11-alpha.
      Found and fixed by Tobias Stoeckmann.

  o Minor bugfixes (compilation warning):
    - Fix a compilation warning on Windows about casting a function
      pointer for GetTickCount64(). Fixes bug 31374; bugfix
      on 0.2.9.1-alpha.

  o Minor bugfixes (compilation):
    - Avoid using labs() on time_t, which can cause compilation warnings
      on 64-bit Windows builds. Fixes bug 31343; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (distribution):
    - Do not ship any temporary files found in the
      scripts/maint/practracker directory. Fixes bug 31311; bugfix
      on 0.4.1.1-alpha.

  o Testing (continuous integration):
    - In Travis, make stem log a controller trace to the console, and
      tail stem's tor log after failure. Closes ticket 30591.
    - In Travis, only run the stem tests that use a tor binary. Closes
      ticket 30694.


475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
Changes in version 0.4.1.4-rc - 2019-07-25
  Tor 0.4.1.4-rc fixes a few bugs from previous versions of Tor, and
  updates to a new list of fallback directories. If no new bugs are
  found, the next release in the 0.4.1.x serious should be stable.

  o Major bugfixes (circuit build, guard):
    - When considering upgrading circuits from "waiting for guard" to
      "open", always ignore circuits that are marked for close. Otherwise,
      we can end up in the situation where a subsystem is notified that
      a closing circuit has just opened, leading to undesirable
      behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha.

  o Minor features (continuous integration):
    - Our Travis configuration now uses Chutney to run some network
      integration tests automatically. Closes ticket 29280.

  o Minor features (fallback directory list):
    - Replace the 157 fallbacks originally introduced in Tor 0.3.5.6-rc
      in December 2018 (of which ~122 were still functional), with a
      list of 148 fallbacks (70 new, 78 existing, 79 removed) generated
      in June 2019. Closes ticket 28795.

  o Minor bugfixes (circuit padding):
    - On relays, properly check that a padding machine is absent before
      logging a warning about it being absent. Fixes bug 30649; bugfix
500
      on 0.4.0.1-alpha.
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
    - Add two NULL checks in unreachable places to silence Coverity (CID
      144729 and 1447291) and better future-proof ourselves. Fixes bug
      31024; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (crash on exit):
    - Avoid a set of possible code paths that could try to use freed
      memory in routerlist_free() while Tor was exiting. Fixes bug
      31003; bugfix on 0.1.2.2-alpha.

  o Minor bugfixes (logging):
    - Fix a conflict between the flag used for messaging-domain log
      messages, and the LD_NO_MOCK testing flag. Fixes bug 31080; bugfix
      on 0.4.1.1-alpha.

  o Minor bugfixes (memory leaks):
    - Fix a trivial memory leak when parsing an invalid value from a
      download schedule in the configuration. Fixes bug 30894; bugfix
      on 0.3.4.1-alpha.

  o Code simplification and refactoring:
    - Remove some dead code from circpad_machine_remove_token() to fix
      some Coverity warnings (CID 1447298). Fixes bug 31027; bugfix
      on 0.4.1.1-alpha.


526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
Changes in version 0.4.1.3-alpha - 2019-06-25
  Tor 0.4.1.3-alpha resolves numerous bugs left over from the previous
  alpha, most of them from earlier release series.

  o Major bugfixes (Onion service reachability):
    - Properly clean up the introduction point map when circuits change
      purpose from onion service circuits to pathbias, measurement, or
      other circuit types. This should fix some service-side instances
      of introduction point failure. Fixes bug 29034; bugfix
      on 0.3.2.1-alpha.

  o Minor features (geoip):
    - Update geoip and geoip6 to the June 10 2019 Maxmind GeoLite2
      Country database. Closes ticket 30852.

  o Minor features (logging):
    - Give a more useful assertion failure message if we think we have
      minherit() but we fail to make a region non-inheritable. Give a
      compile-time warning if our support for minherit() is incomplete.
      Closes ticket 30686.

  o Minor bugfixes (circuit isolation):
    - Fix a logic error that prevented the SessionGroup sub-option from
      being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (continuous integration):
    - Allow the test-stem job to fail in Travis, because it sometimes
      hangs. Fixes bug 30744; bugfix on 0.3.5.4-alpha.
    - Skip test_rebind on macOS in Travis, because it is unreliable on
      macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha.
    - Skip test_rebind when the TOR_SKIP_TEST_REBIND environment
      variable is set. Fixes bug 30713; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (directory authorities):
    - Stop crashing after parsing an unknown descriptor purpose
      annotation. We think this bug can only be triggered by modifying a
      local file. Fixes bug 30781; bugfix on 0.2.0.8-alpha.

  o Minor bugfixes (pluggable transports):
    - When running as a bridge with pluggable transports, always publish
      pluggable transport information in our extrainfo descriptor, even
      if ExtraInfoStatistics is 0. This information is needed by
      BridgeDB. Fixes bug 30956; bugfix on 0.4.1.1-alpha.

  o Documentation:
    - Mention URLs for Travis/Appveyor/Jenkins in ReleasingTor.md.
      Closes ticket 30630.


575
Changes in version 0.4.1.2-alpha - 2019-06-06
Nick Mathewson's avatar
Nick Mathewson committed
576
577
578
  Tor 0.4.1.2-alpha resolves numerous bugs--some of them from the
  previous alpha, and some much older. It also contains minor testing
  improvements, and an improvement to the security of our authenticated
Nick Mathewson's avatar
Nick Mathewson committed
579
  SENDME implementation.
580
581

  o Major bugfixes (bridges):
Nick Mathewson's avatar
Nick Mathewson committed
582
583
584
585
586
587
588
589
590
591
    - Consider our directory information to have changed when our list
      of bridges changes. Previously, Tor would not re-compute the
      status of its directory information when bridges changed, and
      therefore would not realize that it was no longer able to build
      circuits. Fixes part of bug 29875.
    - Do not count previously configured working bridges towards our
      total of working bridges. Previously, when Tor's list of bridges
      changed, it would think that the old bridges were still usable,
      and delay fetching router descriptors for the new ones. Fixes part
      of bug 29875; bugfix on 0.3.0.1-alpha.
592

Nick Mathewson's avatar
Nick Mathewson committed
593
594
595
596
597
598
  o Major bugfixes (flow control, SENDME):
    - Decrement the stream-level package window after packaging a cell.
      Previously, it was done inside a log_debug() call, meaning that if
      debug logs were not enabled, the decrement would never happen, and
      thus the window would be out of sync with the other end point.
      Fixes bug 30628; bugfix on 0.4.1.1-alpha.
599

Nick Mathewson's avatar
Nick Mathewson committed
600
  o Major bugfixes (onion service reachability):
Nick Mathewson's avatar
Nick Mathewson committed
601
602
    - Properly clean up the introduction point map and associated state
      when circuits change purpose from onion service circuits to
Nick Mathewson's avatar
Nick Mathewson committed
603
604
605
      pathbias, measurement, or other circuit types. This may fix some
      instances of introduction point failure. Fixes bug 29034; bugfix
      on 0.3.2.1-alpha.
606
607

  o Minor features (authenticated SENDME):
Nick Mathewson's avatar
Nick Mathewson committed
608
    - Ensure that there is enough randomness on every circuit to prevent
Nick Mathewson's avatar
Nick Mathewson committed
609
610
611
612
613
      an attacker from successfully predicting the hashes they will need
      to include in authenticated SENDME cells. At a random interval, if
      we have not sent randomness already, we now leave some extra space
      at the end of a cell that we can fill with random bytes. Closes
      ticket 26846.
614
615

  o Minor features (continuous integration):
Nick Mathewson's avatar
Nick Mathewson committed
616
617
618
    - When running coverage builds on Travis, we now set
      TOR_TEST_RNG_SEED, to avoid RNG-based coverage differences. Part
      of ticket 28878.
619
620

  o Minor features (maintenance):
Nick Mathewson's avatar
Nick Mathewson committed
621
622
    - Add a new "make autostyle" target that developers can use to apply
      all automatic Tor style and consistency conversions to the
623
624
625
626
627
628
      codebase. Closes ticket 30539.

  o Minor features (testing):
    - The circuitpadding tests now use a reproducible RNG implementation,
      so that if a test fails, we can learn why. Part of ticket 28878.
    - Tor's tests now support an environment variable, TOR_TEST_RNG_SEED,
Nick Mathewson's avatar
Nick Mathewson committed
629
630
      to set the RNG seed for tests that use a reproducible RNG. Part of
      ticket 28878.
631
    - When running tests in coverage mode, take additional care to make
Nick Mathewson's avatar
Nick Mathewson committed
632
633
      our coverage deterministic, so that we can accurately track
      changes in code coverage. Closes ticket 30519.
634
635

  o Minor bugfixes (configuration, proxies):
Nick Mathewson's avatar
Nick Mathewson committed
636
637
    - Fix a bug that prevented us from supporting SOCKS5 proxies that
      want authentication along with configured (but unused!)
638
639
640
641
      ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha.

  o Minor bugfixes (controller):
    - POSTDESCRIPTOR requests should work again. Previously, they were
Nick Mathewson's avatar
Nick Mathewson committed
642
643
      broken if a "purpose=" flag was specified. Fixes bug 30580; bugfix
      on 0.4.1.1-alpha.
644
    - Repair the HSFETCH command so that it works again. Previously, it
Nick Mathewson's avatar
Nick Mathewson committed
645
646
      expected a body when it shouldn't have. Fixes bug 30646; bugfix
      on 0.4.1.1-alpha.
647
648

  o Minor bugfixes (developer tooling):
Nick Mathewson's avatar
Nick Mathewson committed
649
650
651
    - Fix pre-push hook to allow fixup and squash commits when pushing
      to non-upstream git remote. Fixes bug 30286; bugfix
      on 0.4.0.1-alpha.
652
653

  o Minor bugfixes (directory authority):
Nick Mathewson's avatar
Nick Mathewson committed
654
655
656
    - Move the "bandwidth-file-headers" line in directory authority
      votes so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix
      on 0.3.5.1-alpha.
657
658
659
660
661
662
663
664

  o Minor bugfixes (NetBSD):
    - Fix usage of minherit() on NetBSD and other platforms that define
      MAP_INHERIT_{ZERO,NONE} instead of INHERIT_{ZERO,NONE}. Fixes bug
      30614; bugfix on 0.4.0.2-alpha. Patch from Taylor Campbell.

  o Minor bugfixes (out-of-memory handler):
    - When purging the DNS cache because of an out-of-memory condition,
Nick Mathewson's avatar
Nick Mathewson committed
665
      try purging just the older entries at first. Previously, we would
Nick Mathewson's avatar
Nick Mathewson committed
666
667
      always purge the whole thing. Fixes bug 29617; bugfix
      on 0.3.5.1-alpha.
668
669

  o Minor bugfixes (portability):
Nick Mathewson's avatar
Nick Mathewson committed
670
671
672
673
674
675
    - Avoid crashing in our tor_vasprintf() implementation on systems
      that define neither vasprintf() nor _vscprintf(). (This bug has
      been here long enough that we question whether people are running
      Tor on such systems, but we're applying the fix out of caution.)
      Fixes bug 30561; bugfix on 0.2.8.2-alpha. Found and fixed by
      Tobias Stoeckmann.
676
677

  o Minor bugfixes (shutdown, libevent, memory safety):
Nick Mathewson's avatar
Nick Mathewson committed
678
679
680
681
682
    - Avoid use-after-free bugs when shutting down, by making sure that
      we shut down libevent only after shutting down all of its users.
      We believe these are harmless in practice, since they only occur
      on the shutdown path, and do not involve any attacker-controlled
      data. Fixes bug 30629; bugfix on 0.4.1.1-alpha.
683
684

  o Minor bugfixes (static analysis):
Nick Mathewson's avatar
Nick Mathewson committed
685
    - Fix several spurious Coverity warnings about the unit tests, to
Nick Mathewson's avatar
Nick Mathewson committed
686
687
      lower our chances of missing real warnings in the future. Fixes
      bug 30150; bugfix on 0.3.5.1-alpha and various other Tor versions.
688
689
690
691
692
693
694

  o Testing:
    - Specify torrc paths (with empty files) when launching tor in
      integration tests; refrain from reading user and system torrcs.
      Resolves issue 29702.


695
Changes in version 0.4.1.1-alpha - 2019-05-22
696
697
698
699
700
701
  This is the first alpha in the 0.4.1.x series. It introduces
  lightweight circuit padding to make some onion-service circuits harder
  to distinguish, includes a new "authenticated SENDME" feature to make
  certain denial-of-service attacks more difficult, and improves
  performance in several areas.

702
  o Major features (circuit padding):
703
704
705
706
707
708
709
710
    - Onion service clients now add padding cells at the start of their
      INTRODUCE and RENDEZVOUS circuits, to make those circuits' traffic
      look more like general purpose Exit traffic. The overhead for this
      is 2 extra cells in each direction for RENDEZVOUS circuits, and 1
      extra upstream cell and 10 downstream cells for INTRODUCE
      circuits. This feature is only enabled when also supported by the
      circuit's middle node. (Clients may specify fixed middle nodes
      with the MiddleNodes option, and may force-disable this feature
711
      with the CircuitPadding option.) Closes ticket 28634.
712
713
714
715
716
717
718
719
720
721
722

  o Major features (code organization):
    - Tor now includes a generic publish-subscribe message-passing
      subsystem that we can use to organize intermodule dependencies. We
      hope to use this to reduce dependencies between modules that don't
      need to be related, and to generally simplify our codebase. Closes
      ticket 28226.

  o Major features (controller protocol):
    - Controller commands are now parsed using a generalized parsing
      subsystem. Previously, each controller command was responsible for
723
724
      parsing its own input, which led to strange inconsistencies.
      Closes ticket 30091.
725
726

  o Major features (flow control):
727
728
    - Implement authenticated SENDMEs as detailed in proposal 289. A
      SENDME cell now includes the digest of the traffic that it
729
730
731
732
733
      acknowledges, so that once an end point receives the SENDME, it
      can confirm the other side's knowledge of the previous cells that
      were sent, and prevent certain types of denial-of-service attacks.
      This behavior is controlled by two new consensus parameters: see
      the proposal for more details. Fixes ticket 26288.
734
735

  o Major features (performance):
736
737
738
    - Our node selection algorithm now excludes nodes in linear time.
      Previously, the algorithm was quadratic, which could slow down
      heavily used onion services. Closes ticket 30307.
739

740
741
742
743
744
745
746
  o Major features (performance, RNG):
    - Tor now constructs a fast secure pseudorandom number generator for
      each thread, to use when performance is critical. This PRNG is
      based on AES-CTR, using a buffering construction similar to
      libottery and the (newer) OpenBSD arc4random() code. It
      outperforms OpenSSL 1.1.1a's CSPRNG by roughly a factor of 100 for
      small outputs. Although we believe it to be cryptographically
747
748
      strong, we are only using it when necessary for performance.
      Implements tickets 29023 and 29536.
749

750
  o Major bugfixes (onion service v3):
751
752
753
754
755
756
    - Fix an unreachable bug in which an introduction point could try to
      send an INTRODUCE_ACK with a status code that Trunnel would refuse
      to encode, leading the relay to assert(). We've consolidated the
      ABI values into Trunnel now. Fixes bug 30454; bugfix
      on 0.3.0.1-alpha.
    - Clients can now handle unknown status codes from INTRODUCE_ACK
757
758
759
760
761
      cells. (The NACK behavior will stay the same.) This will allow us
      to extend status codes in the future without breaking the normal
      client behavior. Fixes another part of bug 30454; bugfix
      on 0.3.0.1-alpha.

762
  o Minor features (circuit padding):
763
    - We now use a fast PRNG when scheduling circuit padding. Part of
764
      ticket 28636.
765
766
767
768
769
    - Allow the padding machine designer to pick the edges of their
      histogram instead of trying to compute them automatically using an
      exponential formula. Resolves some undefined behavior in the case
      of small histograms and allows greater flexibility on machine
      design. Closes ticket 29298; bugfix on 0.4.0.1-alpha.
770
771
    - Allow circuit padding machines to hold a circuit open until they
      are done padding it. Closes ticket 28780.
772
773

  o Minor features (compile-time modules):
774
775
    - Add a "--list-modules" command to print a list of which compile-
      time modules are enabled. Closes ticket 30452.
776
777
778
779
780

  o Minor features (continuous integration):
    - Remove sudo configuration lines from .travis.yml as they are no
      longer needed with current Travis build environment. Resolves
      issue 30213.
781
    - In Travis, show stem's tor log after failure. Closes ticket 30234.
782
783

  o Minor features (controller):
784
785
    - Add onion service version 3 support to the HSFETCH command.
      Previously, only version 2 onion services were supported. Closes
786
      ticket 25417. Patch by Neel Chauhan.
787
788
789
790

  o Minor features (debugging):
    - Introduce tor_assertf() and tor_assertf_nonfatal() to enable
      logging of additional information during assert failure. Now we
791
792
      can use format strings to include information for trouble
      shooting. Resolves ticket 29662.
793
794

  o Minor features (defense in depth):
795
796
797
798
799
800
801
802
803
    - In smartlist_remove_keeporder(), set unused pointers to NULL, in
      case a bug causes them to be used later. Closes ticket 30176.
      Patch from Tobias Stoeckmann.
    - Tor now uses a cryptographically strong PRNG even for decisions
      that we do not believe are security-sensitive. Previously, for
      performance reasons, we had used a trivially predictable linear
      congruential generator algorithm for certain load-balancing and
      statistical sampling decisions. Now we use our fast RNG in those
      cases. Closes ticket 29542.
804

805
  o Minor features (developer tools):
806
    - Tor's "practracker" test script now checks for files and functions
807
808
809
810
811
812
813
814
      that seem too long and complicated. Existing overlong functions
      and files are accepted for now, but should eventually be
      refactored. Closes ticket 29221.
    - Add some scripts used for git maintenance to scripts/git. Closes
      ticket 29391.
    - Call practracker from pre-push and pre-commit git hooks to let
      developers know if they made any code style violations. Closes
      ticket 30051.
815
    - Add a script to check that each header has a well-formed and
816
      unique guard macro. Closes ticket 29756.
817
818
819
820
821
822
823
824
825
826
827
828

  o Minor features (geoip):
    - Update geoip and geoip6 to the May 13 2019 Maxmind GeoLite2
      Country database. Closes ticket 30522.

  o Minor features (HTTP tunnel):
    - Return an informative web page when the HTTPTunnelPort is used as
      an HTTP proxy. Closes ticket 27821, patch by "eighthave".

  o Minor features (IPv6, v3 onion services):
    - Make v3 onion services put IPv6 addresses in service descriptors.
      Before this change, service descriptors only contained IPv4
829
      addresses. Implements 26992.
830
831

  o Minor features (modularity):
832
833
    - The "--disable-module-dirauth" compile-time option now disables
      even more dirauth-only code. Closes ticket 30345.
834
835
836
837
838
839
840

  o Minor features (performance):
    - Use OpenSSL's implementations of SHA3 when available (in OpenSSL
      1.1.1 and later), since they tend to be faster than tiny-keccak.
      Closes ticket 28837.

  o Minor features (testing):
841
842
    - Tor's unit test code now contains helper functions to replace the
      PRNG with a deterministic or reproducible version for testing.
843
      Previously, various tests implemented this in various ways.
844
      Implements ticket 29732.
845
846
847
    - We now have a script, cov-test-determinism.sh, to identify places
      where our unit test coverage has become nondeterministic. Closes
      ticket 29436.
848
849
    - Check that representative subsets of values of `int` and `unsigned
      int` can be represented by `void *`. Resolves issue 29537.
850
851

  o Minor bugfixes (bridge authority):
852
853
854
855
    - Bridge authorities now set bridges as running or non-running when
      about to dump their status to a file. Previously, they set bridges
      as running in response to a GETINFO command, but those shouldn't
      modify data structures. Fixes bug 24490; bugfix on 0.2.0.13-alpha.
856
      Patch by Neel Chauhan.
857

858
  o Minor bugfixes (channel padding statistics):
859
860
    - Channel padding write totals and padding-enabled totals are now
      counted properly in relay extrainfo descriptors. Fixes bug 29231;
861
      bugfix on 0.3.1.1-alpha.
862
863

  o Minor bugfixes (circuit padding):
864
865
    - Add a "CircuitPadding" torrc option to disable circuit padding.
      Fixes bug 28693; bugfix on 0.4.0.1-alpha.
866
867
    - Allow circuit padding machines to specify that they do not
      contribute much overhead, and provide consensus flags and torrc
868
869
870
      options to force clients to only use these low overhead machines.
      Fixes bug 29203; bugfix on 0.4.0.1-alpha.
    - Provide a consensus parameter to fully disable circuit padding, to
871
872
      be used in emergency network overload situations. Fixes bug 30173;
      bugfix on 0.4.0.1-alpha.
873
874
875
876
877
878
879
880
    - The circuit padding subsystem will no longer schedule padding if
      dormant mode is enabled. Fixes bug 28636; bugfix on 0.4.0.1-alpha.
    - Inspect a circuit-level cell queue before sending padding, to
      avoid sending padding while too much data is already queued. Fixes
      bug 29204; bugfix on 0.4.0.1-alpha.
    - Avoid calling monotime_absolute_usec() in circuit padding machines
      that do not use token removal or circuit RTT estimation. Fixes bug
      29085; bugfix on 0.4.0.1-alpha.
881

882
  o Minor bugfixes (compilation, unusual configurations):
883
884
885
    - Avoid failures when building with the ALL_BUGS_ARE_FATAL option
      due to missing declarations of abort(), and prevent other such
      failures in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha.
886
887

  o Minor bugfixes (controller protocol):
888
889
890
891
    - Teach the controller parser to distinguish an object preceded by
      an argument list from one without. Previously, it couldn't
      distinguish an argument list from the first line of a multiline
      object. Fixes bug 29984; bugfix on 0.2.3.8-alpha.
892

893
  o Minor bugfixes (directory authority, ipv6):
894
    - Directory authorities with IPv6 support now always mark themselves
895
      as reachable via IPv6. Fixes bug 24338; bugfix on 0.2.4.1-alpha.
896
      Patch by Neel Chauhan.
897
898

  o Minor bugfixes (documentation):
899
900
901
902
    - Improve the documentation for using MapAddress with ".exit". Fixes
      bug 30109; bugfix on 0.1.0.1-rc.
    - Improve the monotonic time module and function documentation to
      explain what "monotonic" actually means, and document some results
903
904
905
906
907
908
      that have surprised people. Fixes bug 29640; bugfix
      on 0.2.9.1-alpha.
    - Use proper formatting when providing an example on quoting options
      that contain whitespace. Fixes bug 29635; bugfix on 0.2.3.18-rc.

  o Minor bugfixes (logging):
909
910
911
912
    - Do not log a warning when running with an OpenSSL version other
      than the one Tor was compiled with, if the two versions should be
      compatible. Previously, we would warn whenever the version was
      different. Fixes bug 30190; bugfix on 0.2.4.2-alpha.
913
    - Warn operators when the MyFamily option is set but ContactInfo is
914
915
916
917
      missing, as the latter should be set too. Fixes bug 25110; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (memory leak):
918
919
920
    - Avoid a minor memory leak that could occur on relays when failing
      to create a "keys" directory. Fixes bug 30148; bugfix
      on 0.3.3.1-alpha.
921
922
923
924
925

  o Minor bugfixes (onion services):
    - Avoid a GCC 9.1.1 warning (and possible crash depending on libc
      implemenation) when failing to load an onion service client
      authorization file. Fixes bug 30475; bugfix on 0.3.5.1-alpha.
926
927
928
929
    - When refusing to launch a controller's HSFETCH request because of
      rate-limiting, respond to the controller with a new response,
      "QUERY_RATE_LIMITED". Previously, we would log QUERY_NO_HSDIR for
      this case. Fixes bug 28269; bugfix on 0.3.1.1-alpha. Patch by
930
931
      Neel Chauhan.
    - When relaunching a circuit to a rendezvous service, mark the
932
      circuit as needing high-uptime routers as appropriate. Fixes bug
933
      17357; bugfix on 0.1.0.1-rc. Patch by Neel Chauhan.
934
935
936
937
    - Stop ignoring IPv6 link specifiers sent to v3 onion services.
      (IPv6 support for v3 onion services is still incomplete: see
      ticket 23493 for details.) Fixes bug 23588; bugfix on
      0.3.2.1-alpha. Patch by Neel Chauhan.
938
939

  o Minor bugfixes (onion services, performance):
940
941
    - When building circuits to onion services, call tor_addr_parse()
      less often. Previously, we called tor_addr_parse() in
942
      circuit_is_acceptable() even if its output wasn't used. This
943
      change should improve performance when building circuits. Fixes
944
      bug 22210; bugfix on 0.2.8.12. Patch by Neel Chauhan.
945
946

  o Minor bugfixes (performance):
947
    - When checking whether a node is a bridge, use a fast check to make
948
      sure that its identity is set. Previously, we used a constant-time
949
950
      check, which is not necessary in this case. Fixes bug 30308;
      bugfix on 0.3.5.1-alpha.
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966

  o Minor bugfixes (pluggable transports):
    - Tor now sets TOR_PT_EXIT_ON_STDIN_CLOSE=1 for client transports as
      well as servers. Fixes bug 25614; bugfix on 0.2.7.1-alpha.

  o Minor bugfixes (probability distributions):
    - Refactor and improve parts of the probability distribution code
      that made Coverity complain. Fixes bug 29805; bugfix
      on 0.4.0.1-alpha.

  o Minor bugfixes (python):
    - Stop assuming that /usr/bin/python3 exists. For scripts that work
      with python2, use /usr/bin/python. Otherwise, use /usr/bin/env
      python3. Fixes bug 29913; bugfix on 0.2.5.3-alpha.

  o Minor bugfixes (relay):
967
968
969
    - When running as a relay, if IPv6Exit is set to 1 while ExitRelay
      is auto, act as if ExitRelay is 1. Previously, we would ignore
      IPv6Exit if ExitRelay was 0 or auto. Fixes bug 29613; bugfix on
970
971
972
973
974
975
976
977
978
      0.3.5.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (stats):
    - When ExtraInfoStatistics is 0, stop including bandwidth usage
      statistics, GeoIPFile hashes, ServerTransportPlugin lines, and
      bridge statistics by country in extra-info documents. Fixes bug
      29018; bugfix on 0.2.4.1-alpha.

  o Minor bugfixes (testing):
979
980
    - Call setrlimit() to disable core dumps in test_bt_cl.c. Previously
      we used `ulimit -c` in test_bt.sh, which violates POSIX shell
981
982
983
984
985
986
      compatibility. Fixes bug 29061; bugfix on 0.3.5.1-alpha.
    - Fix some incorrect code in the v3 onion service unit tests. Fixes
      bug 29243; bugfix on 0.3.2.1-alpha.
    - In the "routerkeys/*" tests, check the return values of mkdir()
      for possible failures. Fixes bug 29939; bugfix on 0.2.7.2-alpha.
      Found by Coverity as CID 1444254.
987
988
989
990
    - Split test_utils_general() into several smaller test functions.
      This makes it easier to perform resource deallocation on assert
      failure, and fixes Coverity warnings CID 1444117 and CID 1444118.
      Fixes bug 29823; bugfix on 0.2.9.1-alpha.
991

992
993
994
995
996
  o Minor bugfixes (tor-resolve):
    - Fix a memory leak in tor-resolve that could happen if Tor gave it
      a malformed SOCKS response. (Memory leaks in tor-resolve don't
      actually matter, but it's good to fix them anyway.) Fixes bug
      30151; bugfix on 0.4.0.1-alpha.
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012

  o Code simplification and refactoring:
    - Abstract out the low-level formatting of replies on the control
      port. Implements ticket 30007.
    - Add several assertions in an attempt to fix some Coverity
      warnings. Closes ticket 30149.
    - Introduce a connection_dir_buf_add() helper function that checks
      for compress_state of dir_connection_t and automatically writes a
      string to directory connection with or without compression.
      Resolves issue 28816.
    - Make the base32_decode() API return the number of bytes written,
      for consistency with base64_decode(). Closes ticket 28913.
    - Move most relay-only periodic events out of mainloop.c into the
      relay subsystem. Closes ticket 30414.
    - Refactor and encapsulate parts of the codebase that manipulate
      crypt_path_t objects. Resolves issue 30236.
1013
    - Refactor several places in our code that Coverity incorrectly
1014
      believed might have memory leaks. Closes ticket 30147.
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
    - Remove redundant return values in crypto_format, and the
      associated return value checks elsewhere in the code. Make the
      implementations in crypto_format consistent, and remove redundant
      code. Resolves ticket 29660.
    - Rename tor_mem_is_zero() to fast_mem_is_zero(), to emphasize that
      it is not a constant-time function. Closes ticket 30309.
    - Replace hs_desc_link_specifier_t with link_specifier_t, and remove
      all hs_desc_link_specifier_t-specific code. Fixes bug 22781;
      bugfix on 0.3.2.1-alpha.
    - Simplify v3 onion service link specifier handling code. Fixes bug
      23576; bugfix on 0.3.2.1-alpha.
1026
1027
1028
1029
1030
1031
1032
1033
1034
    - Split crypto_digest.c into NSS code, OpenSSL code, and shared
      code. Resolves ticket 29108.
    - Split control.c into several submodules, in preparation for
      distributing its current responsibilities throughout the codebase.
      Closes ticket 29894.
    - Start to move responsibility for knowing about periodic events to
      the appropriate subsystems, so that the mainloop doesn't need to
      know all the periodic events in the rest of the codebase.
      Implements tickets 30293 and 30294.
1035
1036
1037

  o Documentation:
    - Document how to find git commits and tags for bug fixes in
1038
      CodingStandards.md. Update some file documentation. Closes
1039
      ticket 30261.
1040
1041

  o Removed features:
1042
    - Remove the linux-tor-prio.sh script from contrib/operator-tools
1043
      directory. Resolves issue 29434.
1044
    - Remove the obsolete OpenSUSE initscript. Resolves issue 30076.
1045
1046
1047
1048
    - Remove the obsolete script at contrib/dist/tor.sh.in. Resolves
      issue 30075.

  o Code simplification and refactoring (shell scripts):
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
    - Clean up many of our shell scripts to fix shellcheck warnings.
      These include autogen.sh (ticket 26069), test_keygen.sh (ticket
      29062), test_switch_id.sh (ticket 29065), test_rebind.sh (ticket
      29063), src/test/fuzz/minimize.sh (ticket 30079), test_rust.sh
      (ticket 29064), torify (ticket 29070), asciidoc-helper.sh (29926),
      fuzz_multi.sh (30077), fuzz_static_testcases.sh (ticket 29059),
      nagios-check-tor-authority-cert (ticket 29071),
      src/test/fuzz/fixup_filenames.sh (ticket 30078), test-network.sh
      (ticket 29060), test_key_expiration.sh (ticket 30002),
      zero_length_keys.sh (ticket 29068), and test_workqueue_*.sh
      (ticket 29067).
1060
1061
1062

  o Testing (chutney):
    - In "make test-network-all", test IPv6-only v3 single onion
1063
1064
      services, using the chutney network single-onion-v23-ipv6-md.
      Closes ticket 27251.
1065
1066


1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
Changes in version 0.4.0.5 - 2019-05-02
  This is the first stable release in the 0.4.0.x series. It contains
  improvements for power management and bootstrap reporting, as well as
  preliminary backend support for circuit padding to prevent some kinds
  of traffic analysis. It also continues our work in refactoring Tor for
  long-term maintainability.

  Per our support policy, we will support the 0.4.0.x series for nine
  months, or until three months after the release of a stable 0.4.1.x:
  whichever is longer. If you need longer-term support, please stick
  with 0.3.5.x, which will we plan to support until Feb 2022.

  Below are the changes since 0.4.0.4-rc. For a complete list of changes
  since 0.3.5.7, see the ReleaseNotes file.

  o Minor features (continuous integration):
    - In Travis, tell timelimit to use stem's backtrace signals, and
      launch python directly from timelimit, so python receives the
      signals from timelimit, rather than make. Closes ticket 30117.

  o Minor features (diagnostic):
    - Add more diagnostic log messages in an attempt to solve the issue
      of NUL bytes appearing in a microdescriptor cache. Related to
      ticket 28223.

  o Minor features (testing):
    - Use the approx_time() function when setting the "Expires" header
      in directory replies, to make them more testable. Needed for
      ticket 30001.

  o Minor bugfixes (rust):
    - Abort on panic in all build profiles, instead of potentially
      unwinding into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (shellcheck):
    - Look for scripts in their correct locations during "make
      shellcheck". Previously we had looked in the wrong place during
      out-of-tree builds. Fixes bug 30263; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (testing):
    - Check the time in the "Expires" header using approx_time(). Fixes
      bug 30001; bugfix on 0.4.0.4-rc.

  o Minor bugfixes (UI):
    - Lower log level of unlink() errors during bootstrap. Fixes bug
      29930; bugfix on 0.4.0.1-alpha.


1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
Changes in version 0.4.0.4-rc - 2019-04-11
  Tor 0.4.0.4-rc is the first release candidate in its series; it fixes
  several bugs from earlier versions, including some that had affected
  stability, and one that prevented relays from working with NSS.

  o Major bugfixes (NSS, relay):
    - When running with NSS, disable TLS 1.2 ciphersuites that use
      SHA384 for their PRF. Due to an NSS bug, the TLS key exporters for
      these ciphersuites don't work -- which caused relays to fail to
      handshake with one another when these ciphersuites were enabled.
      Fixes bug 29241; bugfix on 0.3.5.1-alpha.

  o Minor features (bandwidth authority):
    - Make bandwidth authorities ignore relays that are reported in the
      bandwidth file with the flag "vote=0". This change allows us to
      report unmeasured relays for diagnostic reasons without including
      their bandwidth in the bandwidth authorities' vote. Closes
      ticket 29806.
    - When a directory authority is using a bandwidth file to obtain the
      bandwidth values that will be included in the next vote, serve
      this bandwidth file at /tor/status-vote/next/bandwidth. Closes
      ticket 21377.

  o Minor features (circuit padding):
    - Stop warning about undefined behavior in the probability
      distribution tests. Float division by zero may technically be
      undefined behavior in C, but it's well defined in IEEE 754.
      Partial backport of 29298. Closes ticket 29527; bugfix
      on 0.4.0.1-alpha.

  o Minor features (continuous integration):
    - On Travis Rust builds, cleanup Rust registry and refrain from
      caching the "target/" directory to speed up builds. Resolves
      issue 29962.

  o Minor features (dormant mode):
    - Add a DormantCanceledByStartup option to tell Tor that it should
      treat a startup event as cancelling any previous dormant state.
      Integrators should use this option with caution: it should only be
      used if Tor is being started because of something that the user
      did, and not if Tor is being automatically started in the
      background. Closes ticket 29357.

  o Minor features (geoip):
    - Update geoip and geoip6 to the April 2 2019 Maxmind GeoLite2
      Country database. Closes ticket 29992.

  o Minor features (NSS, diagnostic):
    - Try to log an error from NSS (if there is any) and a more useful
      description of our situation if we are using NSS and a call to
      SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241.

  o Minor bugfixes (security):
    - Fix a potential double free bug when reading huge bandwidth files.
      The issue is not exploitable in the current Tor network because
      the vulnerable code is only reached when directory authorities
      read bandwidth files, but bandwidth files come from a trusted
      source (usually the authorities themselves). Furthermore, the
      issue is only exploitable in rare (non-POSIX) 32-bit architectures,
      which are not used by any of the current authorities. Fixes bug
      30040; bugfix on 0.3.5.1-alpha. Bug found and fixed by
      Tobias Stoeckmann.
    - Verify in more places that we are not about to create a buffer
      with more than INT_MAX bytes, to avoid possible OOB access in the
      event of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and
      fixed by Tobias Stoeckmann.

  o Minor bugfix (continuous integration):
    - Reset coverage state on disk after Travis CI has finished. This
      should prevent future coverage merge errors from causing the test
      suite for the "process" subsystem to fail. The process subsystem
      was introduced in 0.4.0.1-alpha. Fixes bug 29036; bugfix
      on 0.2.9.15.
    - Terminate test-stem if it takes more than 9.5 minutes to run.
      (Travis terminates the job after 10 minutes of no output.)
      Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (bootstrap reporting):
    - During bootstrap reporting, correctly distinguish pluggable
      transports from plain proxies. Fixes bug 28925; bugfix
      on 0.4.0.1-alpha.

  o Minor bugfixes (C correctness):
    - Fix an unlikely memory leak in consensus_diff_apply(). Fixes bug
      29824; bugfix on 0.3.1.1-alpha. This is Coverity warning
      CID 1444119.

  o Minor bugfixes (circuitpadding testing):
    - Minor tweaks to avoid rare test failures related to timers and
      monotonic time. Fixes bug 29500; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (directory authorities):
    - Actually include the bandwidth-file-digest line in directory
      authority votes. Fixes bug 29959; bugfix on 0.4.0.2-alpha.

  o Minor bugfixes (logging):
    - On Windows, when errors cause us to reload a consensus from disk,
      tell the user that we are retrying at log level "notice".
      Previously we only logged this information at "info", which was
      confusing because the errors themselves were logged at "warning".
      Improves previous fix for 28614. Fixes bug 30004; bugfix
      on 0.4.0.2-alpha.

  o Minor bugfixes (pluggable transports):
    - Restore old behavior when it comes to discovering the path of a
      given Pluggable Transport executable file. A change in
      0.4.0.1-alpha had broken this behavior on paths containing a
      space. Fixes bug 29874; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (testing):
    - Backport the 0.3.4 src/test/test-network.sh to 0.2.9. We need a
      recent test-network.sh to use new chutney features in CI. Fixes
      bug 29703; bugfix on 0.2.9.1-alpha.
    - Fix a test failure on Windows caused by an unexpected "BUG"
      warning in our tests for tor_gmtime_r(-1). Fixes bug 29922; bugfix
      on 0.2.9.3-alpha.

  o Minor bugfixes (TLS protocol):
    - When classifying a client's selection of TLS ciphers, if the
      client ciphers are not yet available, do not cache the result.
      Previously, we had cached the unavailability of the cipher list
      and never looked again, which in turn led us to assume that the
      client only supported the ancient V1 link protocol. This, in turn,
      was causing Stem integration tests to stall in some cases. Fixes
      bug 30021; bugfix on 0.2.4.8-alpha.

  o Code simplification and refactoring:
    - Introduce a connection_dir_buf_add() helper function that detects
      whether compression is in use, and adds a string accordingly.
      Resolves issue 28816.
    - Refactor handle_get_next_bandwidth() to use
      connection_dir_buf_add(). Implements ticket 29897.

  o Documentation:
    - Clarify that Tor performs stream isolation among *Port listeners
      by default. Resolves issue 29121.


1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
Changes in version 0.4.0.3-alpha - 2019-03-22
  Tor 0.4.0.3-alpha is the third in its series; it fixes several small
  bugs from earlier versions.

  o Minor features (address selection):
    - Treat the subnet 100.64.0.0/10 as public for some purposes;
      private for others. This subnet is the RFC 6598 (Carrier Grade
      NAT) IP range, and is deployed by many ISPs as an alternative to
      RFC 1918 that does not break existing internal networks. Tor now
      blocks SOCKS and control ports on these addresses and warns users
      if client ports or ExtORPorts are listening on a RFC 6598 address.
      Closes ticket 28525. Patch by Neel Chauhan.

  o Minor features (geoip):
    - Update geoip and geoip6 to the March 4 2019 Maxmind GeoLite2
      Country database. Closes ticket 29666.

  o Minor bugfixes (circuitpadding):
    - Inspect the circuit-level cell queue before sending padding, to
      avoid sending padding when too much data is queued. Fixes bug
      29204; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (logging):
    - Correct a misleading error message when IPv4Only or IPv6Only is
      used but the resolved address can not be interpreted as an address
      of the specified IP version. Fixes bug 13221; bugfix on
      0.2.3.9-alpha. Patch from Kris Katterjohn.
    - Log the correct port number for listening sockets when "auto" is
      used to let Tor pick the port number. Previously, port 0 was
      logged instead of the actual port number. Fixes bug 29144; bugfix
      on 0.3.5.1-alpha. Patch from Kris Katterjohn.
    - Stop logging a BUG() warning when Tor is waiting for exit
      descriptors. Fixes bug 28656; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (memory management):
    - Refactor the shared random state's memory management so that it
      actually takes ownership of the shared random value pointers.
      Fixes bug 29706; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (memory management, testing):
    - Stop leaking parts of the shared random state in the shared-random
      unit tests. Fixes bug 29599; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (pluggable transports):
    - Fix an assertion failure crash bug when a pluggable transport is
      terminated during the bootstrap phase. Fixes bug 29562; bugfix
      on 0.4.0.1-alpha.

  o Minor bugfixes (Rust, protover):
    - Add a missing "Padding" value to the Rust implementation of
      protover. Fixes bug 29631; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (single onion services):
    - Allow connections to single onion services to remain idle without
      being disconnected. Previously, relays acting as rendezvous points
      for single onion services were mistakenly closing idle rendezvous
      circuits after 60 seconds, thinking that they were unused
      directory-fetching circuits that had served their purpose. Fixes
      bug 29665; bugfix on 0.2.1.26.

  o Minor bugfixes (stats):
    - When ExtraInfoStatistics is 0, stop including PaddingStatistics in
      relay and bridge extra-info documents. Fixes bug 29017; bugfix
      on 0.3.1.1-alpha.

  o Minor bugfixes (testing):
    - Downgrade some LOG_ERR messages in the address/* tests to
      warnings. The LOG_ERR messages were occurring when we had no
      configured network. We were failing the unit tests, because we
      backported 28668 to 0.3.5.8, but did not backport 29530. Fixes bug
      29530; bugfix on 0.3.5.8.
    - Fix our gcov wrapper script to look for object files at the
      correct locations. Fixes bug 29435; bugfix on 0.3.5.1-alpha.
    - Decrease the false positive rate of stochastic probability
      distribution tests. Fixes bug 29693; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (Windows, CI):
    - Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit
      Windows Server 2012 R2 job. The remaining 2 jobs still provide
      coverage of 64/32-bit, and Windows Server 2016/2012 R2. Also set
      fast_finish, so failed jobs terminate the build immediately. Fixes
      bug 29601; bugfix on 0.3.5.4-alpha.


1337
Changes in version 0.3.5.8 - 2019-02-21
Roger Dingledine's avatar
Roger Dingledine committed
1338
  Tor 0.3.5.8 backports several fixes from later releases, including fixes
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
  for an annoying SOCKS-parsing bug that affected users in earlier 0.3.5.x
  releases.

  It also includes a fix for a medium-severity security bug affecting Tor
  0.3.2.1-alpha and later. All Tor instances running an affected release
  should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.

  o Major bugfixes (cell scheduler, KIST, security):
    - Make KIST consider the outbuf length when computing what it can
      put in the outbuf. Previously, KIST acted as though the outbuf
      were empty, which could lead to the outbuf becoming too full. It
      is possible that an attacker could exploit this bug to cause a Tor
      client or relay to run out of memory and crash. Fixes bug 29168;
      bugfix on 0.3.2.1-alpha. This issue is also being tracked as
      TROVE-2019-001 and CVE-2019-8955.

  o Major bugfixes (networking, backport from 0.4.0.2-alpha):
    - Gracefully handle empty username/password fields in SOCKS5
Roger Dingledine's avatar
Roger Dingledine committed
1357
      username/password auth message and allow SOCKS5 handshake to
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
      continue. Previously, we had rejected these handshakes, breaking
      certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.

  o Minor features (compilation, backport from 0.4.0.2-alpha):
    - Compile correctly when OpenSSL is built with engine support
      disabled, or with deprecated APIs disabled. Closes ticket 29026.
      Patches from "Mangix".

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2
      Country database. Closes ticket 29478.

  o Minor features (testing, backport from 0.4.0.2-alpha):
    - Treat all unexpected ERR and BUG messages as test failures. Closes
      ticket 28668.

  o Minor bugfixes (onion service v3, client, backport from 0.4.0.1-alpha):
    - Stop logging a "BUG()" warning and stacktrace when we find a SOCKS
      connection waiting for a descriptor that we actually have in the
      cache. It turns out that this can actually happen, though it is
      rare. Now, tor will recover and retry the descriptor. Fixes bug
      28669; bugfix on 0.3.2.4-alpha.

  o Minor bugfixes (IPv6, backport from 0.4.0.1-alpha):
    - Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the
      IPv6 socket was bound using an address family of AF_INET instead
      of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from
      Kris Katterjohn.

  o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha):
    - Update Cargo.lock file to match the version made by the latest
      version of Rust, so that "make distcheck" will pass again. Fixes
      bug 29244; bugfix on 0.3.3.4-alpha.

  o Minor bugfixes (client, clock skew, backport from 0.4.0.1-alpha):
    - Select guards even if the consensus has expired, as long as the
      consensus is still reasonably live. Fixes bug 24661; bugfix
      on 0.3.0.1-alpha.

  o Minor bugfixes (compilation, backport from 0.4.0.1-alpha):
    - Compile correctly on OpenBSD; previously, we were missing some
      headers required in order to detect it properly. Fixes bug 28938;
      bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.

  o Minor bugfixes (documentation, backport from 0.4.0.2-alpha):
    - Describe the contents of the v3 onion service client authorization
      files correctly: They hold public keys, not private keys. Fixes
      bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".

  o Minor bugfixes (logging, backport from 0.4.0.1-alpha):
    - Rework rep_hist_log_link_protocol_counts() to iterate through all
      link protocol versions when logging incoming/outgoing connection
      counts. Tor no longer skips version 5, and we won't have to
      remember to update this function when new link protocol version is
      developed. Fixes bug 28920; bugfix on 0.2.6.10.

  o Minor bugfixes (logging, backport from 0.4.0.2-alpha):
    - Log more information at "warning" level when unable to read a
      private key; log more information at "info" level when unable to
      read a public key. We had warnings here before, but they were lost
      during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (misc, backport from 0.4.0.2-alpha):
    - The amount of total available physical memory is now determined
      using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM)
      when it is defined and a 64-bit variant is not available. Fixes
      bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn.

  o Minor bugfixes (onion services, backport from 0.4.0.2-alpha):
    - Avoid crashing if ClientOnionAuthDir (incorrectly) contains more
      than one private key for a hidden service. Fixes bug 29040; bugfix
      on 0.3.5.1-alpha.
    - In hs_cache_store_as_client() log an HSDesc we failed to parse at
      "debug" level. Tor used to log it as a warning, which caused very
      long log lines to appear for some users. Fixes bug 29135; bugfix
      on 0.3.2.1-alpha.
    - Stop logging "Tried to establish rendezvous on non-OR circuit..."
      as a warning. Instead, log it as a protocol warning, because there
      is nothing that relay operators can do to fix it. Fixes bug 29029;
      bugfix on 0.2.5.7-rc.

  o Minor bugfixes (tests, directory clients, backport from 0.4.0.1-alpha):
    - Mark outdated dirservers when Tor only has a reasonably live
      consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha.

  o Minor bugfixes (tests, backport from 0.4.0.2-alpha):
    - Detect and suppress "bug" warnings from the util/time test on
      Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha.
    - Do not log an error-level message if we fail to find an IPv6
      network interface from the unit tests. Fixes bug 29160; bugfix
      on 0.2.7.3-rc.

  o Minor bugfixes (usability, backport from 0.4.0.1-alpha):
    - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate().
      Some users took this phrasing to mean that the mentioned guard was
      under their control or responsibility, which it is not. Fixes bug
      28895; bugfix on Tor 0.3.0.1-alpha.


Changes in version 0.3.4.11 - 2019-02-21
  Tor 0.3.4.11 is the third stable release in its series.  It includes
  a fix for a medium-severity security bug affecting Tor 0.3.2.1-alpha and
  later. All Tor instances running an affected release should upgrade to
  0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.

  o Major bugfixes (cell scheduler, KIST, security):
    - Make KIST consider the outbuf length when computing what it can
      put in the outbuf. Previously, KIST acted as though the outbuf
      were empty, which could lead to the outbuf becoming too full. It
      is possible that an attacker could exploit this bug to cause a Tor
      client or relay to run out of memory and crash. Fixes bug 29168;
      bugfix on 0.3.2.1-alpha. This issue is also being tracked as
      TROVE-2019-001 and CVE-2019-8955.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2
      Country database. Closes ticket 29478.

  o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha):
    - Update Cargo.lock file to match the version made by the latest
      version of Rust, so that "make distcheck" will pass again. Fixes
      bug 29244; bugfix on 0.3.3.4-alpha.

  o Minor bugfixes (onion services, backport from 0.4.0.2-alpha):
    - Stop logging "Tried to establish rendezvous on non-OR circuit..."
      as a warning. Instead, log it as a protocol warning, because there
      is nothing that relay operators can do to fix it. Fixes bug 29029;
      bugfix on 0.2.5.7-rc.


Changes in version 0.3.3.12 - 2019-02-21
  Tor 0.3.3.12 fixes a medium-severity security bug affecting Tor
  0.3.2.1-alpha and later. All Tor instances running an affected release
  should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.

  This release marks the end of support for the Tor 0.3.3.x series. We
  recommend that users switch to either the Tor 0.3.4 series (supported
  until at least 10 June 2019), or the Tor 0.3.5 series, which will
  receive long-term support until at least 1 Feb 2022.

  o Major bugfixes (cell scheduler, KIST, security):
    - Make KIST consider the outbuf length when computing what it can
      put in the outbuf. Previously, KIST acted as though the outbuf
      were empty, which could lead to the outbuf becoming too full. It
      is possible that an attacker could exploit this bug to cause a Tor
      client or relay to run out of memory and crash. Fixes bug 29168;
      bugfix on 0.3.2.1-alpha. This issue is also being tracked as
      TROVE-2019-001 and CVE-2019-8955.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2
      Country database. Closes ticket 29478.

  o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha):
    - Update Cargo.lock file to match the version made by the latest
      version of Rust, so that "make distcheck" will pass again. Fixes
      bug 29244; bugfix on 0.3.3.4-alpha.

  o Minor bugfixes (onion services, backport from 0.4.0.2-alpha):
    - Stop logging "Tried to establish rendezvous on non-OR circuit..."
      as a warning. Instead, log it as a protocol warning, because there
      is nothing that relay operators can do to fix it. Fixes bug 29029;
      bugfix on 0.2.5.7-rc.


Changes in version 0.4.0.2-alpha - 2019-02-21
  Tor 0.4.0.2-alpha is the second alpha in its series; it fixes several
  bugs from earlier versions, including several that had broken
  backward compatibility.

  It also includes a fix for a medium-severity security bug affecting Tor
  0.3.2.1-alpha and later. All Tor instances running an affected release
  should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.

  o Major bugfixes (cell scheduler, KIST, security):
    - Make KIST consider the outbuf length when computing what it can
      put in the outbuf. Previously, KIST acted as though the outbuf
      were empty, which could lead to the outbuf becoming too full. It
      is possible that an attacker could exploit this bug to cause a Tor
      client or relay to run out of memory and crash. Fixes bug 29168;
      bugfix on 0.3.2.1-alpha. This issue is also being tracked as
      TROVE-2019-001 and CVE-2019-8955.

  o Major bugfixes (networking):
    - Gracefully handle empty username/password fields in SOCKS5
      username/password auth messsage and allow SOCKS5 handshake to
      continue. Previously, we had rejected these handshakes, breaking
      certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.

  o Major bugfixes (windows, startup):
    - When reading a consensus file from disk, detect whether it was
      written in text mode, and re-read it in text mode if so. Always
      write consensus files in binary mode so that we can map them into
      memory later. Previously, we had written in text mode, which
      confused us when we tried to map the file on windows. Fixes bug
      28614; bugfix on 0.4.0.1-alpha.

  o Minor features (compilation):
    - Compile correctly when OpenSSL is built with engine support
      disabled, or with deprecated APIs disabled. Closes ticket 29026.
      Patches from "Mangix".

  o Minor features (developer tooling):
    - Check that bugfix versions in changes files look like Tor versions
      from the versions spec. Warn when bugfixes claim to be on a future
      release. Closes ticket 27761.
Roger Dingledine's avatar
Roger Dingledine committed
1564
    - Provide a git pre-commit hook that disallows committing if we have
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
      any failures in our code and changelog formatting checks. It is
      now available in scripts/maint/pre-commit.git-hook. Implements
      feature 28976.

  o Minor features (directory authority):
    - When a directory authority is using a bandwidth file to obtain
      bandwidth values, include the digest of that file in the vote.
      Closes ticket 26698.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2
      Country database. Closes ticket 29478.

  o Minor features (testing):
    - Treat all unexpected ERR and BUG messages as test failures. Closes
      ticket 28668.

  o Minor bugfixes (build, compatibility, rust):
    - Update Cargo.lock file to match the version made by the latest
      version of Rust, so that "make distcheck" will pass again. Fixes
      bug 29244; bugfix on 0.3.3.4-alpha.

  o Minor bugfixes (compilation):
    - Fix compilation warnings in test_circuitpadding.c. Fixes bug
      29169; bugfix on 0.4.0.1-alpha.
    - Silence a compiler warning in test-memwipe.c on OpenBSD. Fixes bug
      29145; bugfix on 0.2.9.3-alpha. Patch from Kris Katterjohn.

  o Minor bugfixes (documentation):
    - Describe the contents of the v3 onion service client authorization
      files correctly: They hold public keys, not private keys. Fixes
      bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".

  o Minor bugfixes (linux seccomp sandbox):
    - Fix startup crash when experimental sandbox support is enabled.
      Fixes bug 29150; bugfix on 0.4.0.1-alpha. Patch by Peter Gerber.

  o Minor bugfixes (logging):
    - Avoid logging that we are relaxing a circuit timeout when that
      timeout is fixed. Fixes bug 28698; bugfix on 0.2.4.7-alpha.
    - Log more information at "warning" level when unable to read a
      private key; log more information at "info" level when unable to
      read a public key. We had warnings here before, but they were lost
      during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (misc):
    - The amount of total available physical memory is now determined
      using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM)
      when it is defined and a 64-bit variant is not available. Fixes
      bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn.

  o Minor bugfixes (onion services):
    - Avoid crashing if ClientOnionAuthDir (incorrectly) contains more
      than one private key for a hidden service. Fixes bug 29040; bugfix
      on 0.3.5.1-alpha.
    - In hs_cache_store_as_client() log an HSDesc we failed to parse at
      "debug" level. Tor used to log it as a warning, which caused very
      long log lines to appear for some users. Fixes bug 29135; bugfix
      on 0.3.2.1-alpha.
    - Stop logging "Tried to establish rendezvous on non-OR circuit..."
      as a warning. Instead, log it as a protocol warning, because there
      is nothing that relay operators can do to fix it. Fixes bug 29029;
      bugfix on 0.2.5.7-rc.

  o Minor bugfixes (scheduler):
    - When re-adding channels to the pending list, check the correct
      channel's sched_heap_idx. This issue has had no effect in mainline
      Tor, but could have led to bugs down the road in improved versions
      of our circuit scheduling code. Fixes bug 29508; bugfix
      on 0.3.2.10.

  o Minor bugfixes (tests):
    - Fix intermittent failures on an adaptive padding test. Fixes one
      case of bug 29122; bugfix on 0.4.0.1-alpha.
    - Disable an unstable circuit-padding test that was failing
      intermittently because of an ill-defined small histogram. Such
      histograms will be allowed again after 29298 is implemented. Fixes
      a second case of bug 29122; bugfix on 0.4.0.1-alpha.
    - Detect and suppress "bug" warnings from the util/time test on
      Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha.
    - Do not log an error-level message if we fail to find an IPv6
      network interface from the unit tests. Fixes bug 29160; bugfix
      on 0.2.7.3-rc.

  o Documentation:
    - In the manpage entry describing MapAddress torrc setting, use
      example IP addresses from ranges specified for use in documentation
      by RFC 5737. Resolves issue 28623.

  o Removed features:
    - Remove the old check-tor script. Resolves issue 29072.


1658
Changes in version 0.4.0.1-alpha - 2019-01-18
Nick Mathewson's avatar
Nick Mathewson committed
1659
1660
1661
1662
1663
1664
  Tor 0.4.0.1-alpha is the first release in the new 0.4.0.x series. It
  introduces improved features for power and bandwidth conservation,
  more accurate reporting of bootstrap progress for user interfaces, and
  an experimental backend for an exciting new adaptive padding feature.
  There is also the usual assortment of bugfixes and minor features, all
  described below.
1665
1666
1667
1668

  o Major features (battery management, client, dormant mode):
    - When Tor is running as a client, and it is unused for a long time,
      it can now enter a "dormant" state. When Tor is dormant, it avoids
Nick Mathewson's avatar
Nick Mathewson committed
1669
1670
1671
1672
      network and CPU activity until it is reawoken either by a user
      request or by a controller command. For more information, see the
      configuration options starting with "Dormant". Implements tickets
      2149 and 28335.
1673
    - The client's memory of whether it is "dormant", and how long it
1674
      has spent idle, persists across invocations. Implements
1675
1676
1677
1678
1679
      ticket 28624.
    - There is a DormantOnFirstStartup option that integrators can use
      if they expect that in many cases, Tor will be installed but
      not used.

Nick Mathewson's avatar
Nick Mathewson committed
1680
1681
1682
1683
1684
1685
1686
  o Major features (bootstrap reporting):
    - When reporting bootstrap progress, report the first connection
      uniformly, regardless of whether it's a connection for building
      application circuits. This allows finer-grained reporting of early
      progress than previously possible, with the improvements of ticket
      27169. Closes tickets 27167 and 27103. Addresses ticket 27308.
    - When reporting bootstrap progress, treat connecting to a proxy or
1687
1688
1689
      pluggable transport as separate from having successfully used that
      proxy or pluggable transport to connect to a relay. Closes tickets
      27100 and 28884.
1690
1691
1692
1693
1694
1695
1696
1697

  o Major features (circuit padding):
    - Implement preliminary support for the circuit padding portion of
      Proposal 254. The implementation supports Adaptive Padding (aka
      WTF-PAD) state machines for use between experimental clients and
      relays. Support is also provided for APE-style state machines that
      use probability distributions instead of histograms to specify
      inter-packet delay. At the moment, Tor does not provide any
Nick Mathewson's avatar
Nick Mathewson committed
1698
1699
      padding state machines that are used in normal operation: for now,
      this feature exists solely for experimentation. Closes
1700
1701
1702
1703
1704
      ticket 28142.

  o Major features (refactoring):
    - Tor now uses an explicit list of its own subsystems when
      initializing and shutting down. Previously, these systems were
1705
1706
      managed implicitly in various places throughout the codebase.
      (There may still be some subsystems using the old system.) Closes
1707
1708
      ticket 28330.

Nick Mathewson's avatar
Nick Mathewson committed
1709
  o Minor features (bootstrap reporting):
1710
    - When reporting bootstrap progress, stop distinguishing between
1711
1712
1713
1714
      situations where only internal paths are available and situations
      where external paths are available. Previously, Tor would often
      erroneously report that it had only internal paths. Closes
      ticket 27402.
1715

Nick Mathewson's avatar
Nick Mathewson committed
1716
  o Minor features (continuous integration):
1717
1718
1719
1720
1721
1722
1723
1724
1725
    - Log Python version during each Travis CI job. Resolves
      issue 28551.

  o Minor features (controller):
    - Add a DROPOWNERSHIP command to undo the effects of TAKEOWNERSHIP.
      Implements ticket 28843.

  o Minor features (developer tooling):
    - Provide a git hook script to prevent "fixup!" and "squash!"
Nick Mathewson's avatar
Nick Mathewson committed
1726
1727
      commits from ending up in the master branch, as scripts/main/pre-
      push.git-hook. Closes ticket 27993.
1728
1729
1730

  o Minor features (directory authority):
    - Directory authorities support a new consensus algorithm, under
Nick Mathewson's avatar
Nick Mathewson committed
1731
1732
1733
1734
      which the family lines in microdescriptors are encoded in a
      canonical form. This change makes family lines more compressible
      in transit, and on the client. Closes ticket 28266; implements
      proposal 298.
1735
1736
1737
1738

  o Minor features (directory authority, relay):
    - Authorities now vote on a "StaleDesc" flag to indicate that a
      relay's descriptor is so old that the relay should upload again
Nick Mathewson's avatar
Nick Mathewson committed
1739
1740
      soon. Relays treat this flag as a signal to upload a new
      descriptor. This flag will eventually let us remove the
1741
1742
      'published' date from routerstatus entries, and make our consensus
      diffs much smaller. Closes ticket 26770; implements proposal 293.
1743
1744
1745
1746
1747
1748

  o Minor features (fallback directory mirrors):
    - Update the fallback whitelist based on operator opt-ins and opt-
      outs. Closes ticket 24805, patch by Phoul.

  o Minor features (FreeBSD):
Nick Mathewson's avatar
Nick Mathewson committed
1749
1750
1751
    - On FreeBSD-based systems, warn relay operators if the
      "net.inet.ip.random_id" sysctl (IP ID randomization) is disabled.
      Closes ticket 28518.
1752
1753

  o Minor features (HTTP standards compliance):
Nick Mathewson's avatar
Nick Mathewson committed
1754
1755
1756
    - Stop sending the header "Content-type: application/octet-stream"
      along with transparently compressed documents: this confused
      browsers. Closes ticket 28100.
1757

Nick Mathewson's avatar
Nick Mathewson committed
1758
1759
  o Minor features (IPv6):
    - We add an option ClientAutoIPv6ORPort, to make clients randomly
1760
1761
      prefer a node's IPv4 or IPv6 ORPort. The random preference is set
      every time a node is loaded from a new consensus or bridge config.
Nick Mathewson's avatar
Nick Mathewson committed
1762
1763
1764
1765
1766
1767
1768
      We expect that this option will enable clients to bootstrap more
      quickly without having to determine whether they support IPv4,
      IPv6, or both. Closes ticket 27490. Patch by Neel Chauhan.
    - When using addrs_in_same_network_family(), avoid choosing circuit
      paths that pass through the same IPv6 subnet more than once.
      Previously, we only checked IPv4 subnets. Closes ticket 24393.
      Patch by Neel Chauhan.
1769
1770

  o Minor features (log messages):
1771
1772
    - Improve log message in v3 onion services that could print out
      negative revision counters. Closes ticket 27707. Patch
Nick Mathewson's avatar
Nick Mathewson committed
1773
      by "ffmancera".
1774
1775

  o Minor features (memory usage):
Nick Mathewson's avatar
Nick Mathewson committed
1776
1777
    - Save memory by storing microdescriptor family lists with a more
      compact representation. Closes ticket 27359.
1778
    - Tor clients now use mmap() to read consensus files from disk, so
Nick Mathewson's avatar
Nick Mathewson committed
1779
1780
      that they no longer need keep the full text of a consensus in
      memory when parsing it or applying a diff. Closes ticket 27244.
1781
1782
1783
1784

  o Minor features (parsing):
    - Directory authorities now validate that router descriptors and
      ExtraInfo documents are in a valid subset of UTF-8, and reject
Nick Mathewson's avatar
Nick Mathewson committed
1785
      them if they are not. Closes ticket 27367.
1786
1787

  o Minor features (performance):
Nick Mathewson's avatar
Nick Mathewson committed
1788
    - Cache the results of summarize_protocol_flags(), so that we don't
1789
1790
1791
1792
      have to parse the same protocol-versions string over and over.
      This should save us a huge number of malloc calls on startup, and
      may reduce memory fragmentation with some allocators. Closes
      ticket 27225.
1793
1794
1795
1796
1797
1798
1799
    - Remove a needless memset() call from get_token_arguments, thereby
      speeding up the tokenization of directory objects by about 20%.
      Closes ticket 28852.
    - Replace parse_short_policy() with a faster implementation, to
      improve microdescriptor parsing time. Closes ticket 28853.
    - Speed up directory parsing a little by avoiding use of the non-
      inlined strcmp_len() function. Closes ticket 28856.
Nick Mathewson's avatar
Nick Mathewson committed
1800
    - Speed up microdescriptor parsing by about 30%, to help improve
1801
1802
1803
1804
1805
1806
      startup time. Closes ticket 28839.

  o Minor features (pluggable transports):
    - Add support for emitting STATUS updates to Tor's control port from
      a pluggable transport process. Closes ticket 28846.
    - Add support for logging to Tor's logging subsystem from a
1807
      pluggable transport process. Closes ticket 28180.
1808
1809

  o Minor features (process management):
Nick Mathewson's avatar
Nick Mathewson committed
1810
    - Add a new process API for handling child processes. This new API
1811
1812
      allows Tor to have bi-directional communication with child
      processes on both Unix and Windows. Closes ticket 28179.
Nick Mathewson's avatar
Nick Mathewson committed
1813
    - Use the subsystem manager to initialize and shut down the process
1814
1815
1816
1817
1818
1819
1820
1821
      module. Closes ticket 28847.

  o Minor features (relay):
    - When listing relay families, list them in canonical form including
      the relay's own identity, and try to give a more useful set of
      warnings. Part of ticket 28266 and proposal 298.

  o Minor features (required protocols):
Nick Mathewson's avatar
Nick Mathewson committed
1822
1823
1824
1825
1826
1827
1828
    - Before exiting because of a missing required protocol, Tor will
      now check the publication time of the consensus, and not exit
      unless the consensus is newer than the Tor program's own release
      date. Previously, Tor would not check the consensus publication
      time, and so might exit because of a missing protocol that might
      no longer be required in a current consensus. Implements proposal
      297; closes ticket 27735.
1829
1830

  o Minor features (testing):
Nick Mathewson's avatar
Nick Mathewson committed
1831
1832
1833
1834
1835
1836
1837
1838
1839
    - Allow a HeartbeatPeriod of less than 30 minutes in testing Tor
      networks. Closes ticket 28840. Patch by Rob Jansen.

  o Minor bugfixes (client, clock skew):
    - Bootstrap successfully even when Tor's clock is behind the clocks
      on the authorities. Fixes bug 28591; bugfix on 0.2.0.9-alpha.
    - Select guards even if the consensus has expired, as long as the
      consensus is still reasonably live. Fixes bug 24661; bugfix
      on 0.3.0.1-alpha.
1840
1841

  o Minor bugfixes (compilation):
Nick Mathewson's avatar
Nick Mathewson committed
1842
1843
1844
    - Compile correctly on OpenBSD; previously, we were missing some
      headers required in order to detect it properly. Fixes bug 28938;
      bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.
1845
1846
1847
1848
1849

  o Minor bugfixes (directory clients):
    - Mark outdated dirservers when Tor only has a reasonably live
      consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha.

Nick Mathewson's avatar
Nick Mathewson committed
1850
1851
1852
1853
  o Minor bugfixes (directory mirrors):
    - Even when a directory mirror's clock is behind the clocks on the
      authorities, we now allow the mirror to serve "future"
      consensuses. Fixes bug 28654; bugfix on 0.3.0.1-alpha.
1854
1855

  o Minor bugfixes (DNS):
Nick Mathewson's avatar
Nick Mathewson committed
1856
1857
1858
    - Gracefully handle an empty or absent resolve.conf file by falling
      back to using "localhost" as a DNS server (and hoping it works).
      Previously, we would just stop running as an exit. Fixes bug
1859
1860
1861
      21900; bugfix on 0.2.1.10-alpha.

  o Minor bugfixes (guards):
1862
1863
1864
1865
1866
    - In count_acceptable_nodes(), the minimum number is now one bridge
      or guard node, and two non-guard nodes for a circuit. Previously,
      we had added up the sum of all nodes with a descriptor, but that
      could cause us to build failing circuits when we had either too
      many bridges or not enough guard nodes. Fixes bug 25885; bugfix on
1867
      0.2.3.1-alpha. Patch by Neel Chauhan.
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877

  o Minor bugfixes (IPv6):
    - Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the
      IPv6 socket was bound using an address family of AF_INET instead
      of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from
      Kris Katterjohn.

  o Minor bugfixes (logging):
    - Rework rep_hist_log_link_protocol_counts() to iterate through all
      link protocol versions when logging incoming/outgoing connection
Nick Mathewson's avatar
Nick Mathewson committed
1878
      counts. Tor no longer skips version 5, and we won't have to
1879
1880
1881
1882
1883
1884
1885
1886
1887
      remember to update this function when new link protocol version is
      developed. Fixes bug 28920; bugfix on 0.2.6.10.

  o Minor bugfixes (networking):
    - Introduce additional checks into tor_addr_parse() to reject
      certain incorrect inputs that previously were not detected. Fixes
      bug 23082; bugfix on 0.2.0.10-alpha.

  o Minor bugfixes (onion service v3, client):
1888
1889
1890
1891
1892
    - Stop logging a "BUG()" warning and stacktrace when we find a SOCKS
      connection waiting for a descriptor that we actually have in the
      cache. It turns out that this can actually happen, though it is
      rare. Now, tor will recover and retry the descriptor. Fixes bug
      28669; bugfix on 0.3.2.4-alpha.
1893
1894
1895

  o Minor bugfixes (periodic events):
    - Refrain from calling routerlist_remove_old_routers() from
1896
1897
      check_descriptor_callback(). Instead, create a new hourly periodic
      event. Fixes bug 27929; bugfix on 0.2.8.1-alpha.
1898
1899

  o Minor bugfixes (pluggable transports):
Nick Mathewson's avatar
Nick Mathewson committed
1900
1901
    - Make sure that data is continously read from standard output and
      standard error pipes of a pluggable transport child-process, to
1902
1903
      avoid deadlocking when a pipe's buffer is full. Fixes bug 26360;
      bugfix on 0.2.3.6-alpha.
1904
1905
1906

  o Minor bugfixes (unit tests):
    - Instead of relying on hs_free_all() to clean up all onion service
Nick Mathewson's avatar
Nick Mathewson committed
1907
1908
1909
      objects in test_build_descriptors(), we now deallocate them one by
      one. This lets Coverity know that we are not leaking memory there
      and fixes CID 1442277. Fixes bug 28989; bugfix on 0.3.5.1-alpha.
1910
1911

  o Minor bugfixes (usability):
Nick Mathewson's avatar
Nick Mathewson committed
1912
1913
1914
    - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate().
      Some users took this phrasing to mean that the mentioned guard was
      under their control or responsibility, which it is not. Fixes bug
1915
1916
1917
1918
1919
      28895; bugfix on Tor 0.3.0.1-alpha.

  o Code simplification and refactoring:
    - Reimplement NETINFO cell parsing and generation to rely on
      trunnel-generated wire format handling code. Closes ticket 27325.
1920
    - Remove unnecessary unsafe code from the Rust macro "cstr!". Closes
1921
1922
1923
1924
1925
1926
1927
1928
      ticket 28077.
    - Rework SOCKS wire format handling to rely on trunnel-generated
      parsing/generation code. Resolves ticket 27620.
    - Split out bootstrap progress reporting from control.c into a
      separate file. Part of ticket 27402.
    - The .may_include files that we use to describe our directory-by-
      directory dependency structure now describe a noncircular
      dependency graph over the directories that they cover. Our
Nick Mathewson's avatar
Nick Mathewson committed
1929
1930
      checkIncludes.py tool now enforces this noncircularity. Closes
      ticket 28362.
1931
1932

  o Documentation:
Nick Mathewson's avatar
Nick Mathewson committed
1933
    - Mention that you cannot add a new onion service if Tor is already
1934
      running with Sandbox enabled. Closes ticket 28560.
1935
    - Improve ControlPort documentation. Mention that it accepts
Nick Mathewson's avatar
Nick Mathewson committed
1936
      address:port pairs, and can be used multiple times. Closes
1937
1938
1939
1940
      ticket 28805.
    - Document the exact output of "tor --version". Closes ticket 28889.

  o Removed features:
Nick Mathewson's avatar
Nick Mathewson committed
1941
    - Stop responding to the 'GETINFO status/version/num-concurring' and
1942
1943
1944
1945
1946
1947
1948
1949
      'GETINFO status/version/num-versioning' control port commands, as
      those were deprecated back in 0.2.0.30. Also stop listing them in
      output of 'GETINFO info/names'. Resolves ticket 28757.
    - The scripts used to generate and maintain the list of fallback
      directories have been extracted into a new "fallback-scripts"
      repository. Closes ticket 27914.

  o Testing:
Nick Mathewson's avatar
Nick Mathewson committed
1950
    - Run shellcheck for scripts in the in scripts/ directory. Closes
1951
      ticket 28058.
Nick Mathewson's avatar
Nick Mathewson committed
1952
    - Add unit tests for tokenize_string() and get_next_token()
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
      functions. Resolves ticket 27625.

  o Code simplification and refactoring (onion service v3):
    - Consolidate the authorized client descriptor cookie computation
      code from client and service into one function. Closes
      ticket 27549.

  o Code simplification and refactoring (shell scripts):
    - Cleanup scan-build.sh to silence shellcheck warnings. Closes
      ticket 28007.
    - Fix issues that shellcheck found in chutney-git-bisect.sh.
      Resolves ticket 28006.
    - Fix issues that shellcheck found in updateRustDependencies.sh.
      Resolves ticket 28012.
    - Fix shellcheck warnings in cov-diff script. Resolves issue 28009.
    - Fix shellcheck warnings in run_calltool.sh. Resolves ticket 28011.
    - Fix shellcheck warnings in run_trunnel.sh. Resolves issue 28010.
    - Fix shellcheck warnings in scripts/test/coverage. Resolves
      issue 28008.


1974
Changes in version 0.3.3.11 - 2019-01-07
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
  Tor 0.3.3.11 backports numerous fixes from later versions of Tor.
  numerous fixes, including an important fix for anyone using OpenSSL
  1.1.1. Anyone running an earlier version of Tor 0.3.3 should upgrade
  to this version, or to a later series.

  As a reminder, support the Tor 0.3.3 series will end on 22 Feb 2019.
  We anticipate that this will be the last release of Tor 0.3.3, unless
  some major bug is before then. Some time between now and then, users
  should switch to either the Tor 0.3.4 series (supported until at least
  10 June 2019), or the Tor 0.3.5 series, which will receive long-term
  support until at least 1 Feb 2022.

  o Major bugfixes (OpenSSL, portability, backport from 0.3.5.5-alpha):
    - Fix our usage of named groups when running as a TLS 1.3 client in
      OpenSSL 1.1.1. Previously, we only initialized EC groups when
      running as a relay, which caused clients to fail to negotiate TLS
      1.3 with relays. Fixes bug 28245; bugfix on 0.2.9.15 (when TLS 1.3
      support was added).

  o Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha):
    - Fix a use-after-free error that could be caused by passing Tor an
      impossible set of options that would fail during options_act().
      Fixes bug 27708; bugfix on 0.3.3.1-alpha.

  o Minor features (continuous integration, backport from 0.3.5.1-alpha):
    - Only run one online rust build in Travis, to reduce network
      errors. Skip offline rust builds on Travis for Linux gcc, because
      they're redundant. Implements ticket 27252.
    - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a
      duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on
      Linux with default settings, because all the non-default builds
      use gcc on Linux. Implements ticket 27252.

  o Minor features (continuous integration, backport from 0.3.5.3-alpha):
    - Use the Travis Homebrew addon to install packages on macOS during
      Travis CI. The package list is the same, but the Homebrew addon
      does not do a `brew update` by default. Implements ticket 27738.

  o Minor features (fallback directory list, backport from 0.3.5.6-rc):
    - Replace the 150 fallbacks originally introduced in Tor
      0.3.3.1-alpha in January 2018 (of which ~115 were still
      functional), with a list of 157 fallbacks (92 new, 65 existing, 85
      removed) generated in December 2018. Closes ticket 24803.

  o Minor features (geoip):
    - Update geoip and geoip6 to the January 3 2019 Maxmind GeoLite2
      Country database. Closes ticket 29012.

  o Minor features (OpenSSL bug workaround, backport from 0.3.5.7):
    - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3
      key export function from handling long labels. When this bug is
      detected, Tor will disable TLS 1.3. We recommend upgrading to a
      version of OpenSSL without this bug when it becomes available.
      Closes ticket 28973.

  o Minor bugfixes (relay statistics, backport from 0.3.5.7):
    - Update relay descriptor on bandwidth changes only when the uptime
      is smaller than 24h, in order to reduce the efficiency of guard
      discovery attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha.

  o Minor bugfixes (C correctness, backport from 0.3.5.4-alpha):
    - Avoid undefined behavior in an end-of-string check when parsing
      the BEGIN line in a directory object. Fixes bug 28202; bugfix
      on 0.2.0.3-alpha.

  o Minor bugfixes (code safety, backport from 0.3.5.3-alpha):
    - Rewrite our assertion macros so that they no longer suppress the
      compiler's -Wparentheses warnings. Fixes bug 27709; bugfix

  o Minor bugfixes (compilation, backport from 0.3.5.5-alpha):
    - Initialize a variable unconditionally in aes_new_cipher(), since
      some compilers cannot tell that we always initialize it before
      use. Fixes bug 28413; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (directory authority, backport from 0.3.5.4-alpha):
    - Log additional info when we get a relay that shares an ed25519 ID
      with a different relay, instead making a BUG() warning. Fixes bug
      27800; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (directory permissions, backport form 0.3.5.3-alpha):
    - When a user requests a group-readable DataDirectory, give it to
      them. Previously, when the DataDirectory and the CacheDirectory
      were the same, the default setting (0) for
      CacheDirectoryGroupReadable would override the setting for
      DataDirectoryGroupReadable. Fixes bug 26913; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha):
    - When the onion service directory can't be created or has the wrong
      permissions, do not log a stack trace. Fixes bug 27335; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha):
    - Close all SOCKS request (for the same .onion) if the newly fetched
      descriptor is unusable. Before that, we would close only the first
      one leaving the other hanging and let to time out by themselves.
      Fixes bug 27410; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
    - Don't warn so loudly when Tor is unable to decode an onion
      descriptor. This can now happen as a normal use case if a client
      gets a descriptor with client authorization but the client is not
      authorized. Fixes bug 27550; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (onion service v3, backport from 0.3.5.6-rc):
    - When deleting an ephemeral onion service (DEL_ONION), do not close
      any rendezvous circuits in order to let the existing client
      connections finish by themselves or closed by the application. The
      HS v2 is doing that already so now we have the same behavior for
      all versions. Fixes bug 28619; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (HTTP tunnel):
    - Fix a bug warning when closing an HTTP tunnel connection due to
      an HTTP request we couldn't handle. Fixes bug 26470; bugfix on
      0.3.2.1-alpha.

  o Minor bugfixes (memory leaks, backport from 0.3.5.5-alpha):
    - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419;
      bugfix on 0.3.3.1-alpha. Patch from Martin Kepplinger.

  o Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha):
    - Ensure circuitmux queues are empty before scheduling or sending
      padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (protover, backport from 0.3.5.3-alpha):
    - Reject protocol names containing bytes other than alphanumeric
      characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix
      on 0.2.9.4-alpha.

  o Minor bugfixes (rust, backport from 0.3.5.1-alpha):
    - Compute protover votes correctly in the rust version of the
      protover code. Previously, the protover rewrite in 24031 allowed
      repeated votes from the same voter for the same protocol version
      to be counted multiple times in protover_compute_vote(). Fixes bug
      27649; bugfix on 0.3.3.5-rc.
    - Reject protover names that contain invalid characters. Fixes bug
      27687; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (rust, backport from 0.3.5.2-alpha):
    - protover_all_supported() would attempt to allocate up to 16GB on
      some inputs, leading to a potential memory DoS. Fixes bug 27206;
      bugfix on 0.3.3.5-rc.

  o Minor bugfixes (rust, backport from 0.3.5.4-alpha):
    - Fix a potential null dereference in protover_all_supported(). Add
      a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
    - Return a string that can be safely freed by C code, not one
      created by the rust allocator, in protover_all_supported(). Fixes
      bug 27740; bugfix on 0.3.3.1-alpha.
    - Fix an API mismatch in the rust implementation of
      protover_compute_vote(). This bug could have caused crashes on any
      directory authorities running Tor with Rust (which we do not yet
      recommend). Fixes bug 27741; bugfix on 0.3.3.6.

  o Minor bugfixes (testing, backport from 0.3.5.1-alpha):
    - If a unit test running in a subprocess exits abnormally or with a
      nonzero status code, treat the test as having failed, even if the
      test reported success. Without this fix, memory leaks don't cause
      the tests to fail, even with LeakSanitizer. Fixes bug 27658;
      bugfix on 0.2.2.4-alpha.

  o Minor bugfixes (testing, backport from 0.3.5.4-alpha):
    - Treat backtrace test failures as expected on BSD-derived systems
      (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
      (FreeBSD failures have been treated as expected since 18204 in
      0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha.

  o Minor bugfixes (unit tests, guard selection, backport from 0.3.5.6-rc):
    - Stop leaking memory in an entry guard unit test. Fixes bug 28554;
      bugfix on 0.3.0.1-alpha.


2147
Changes in version 0.3.4.10 - 2019-01-07
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347