GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

ChangeLog 1.76 MB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313
Changes in version 0.4.4.1-alpha - 2020-06-16
  This is the first alpha release in the 0.4.4.x series.  It improves
  our guard selection algorithms, improves the amount of code that
  can be disabled when running without relay support, and includes numerous
  small bugfixes and enhancements.  It also lays the ground for some IPv6
  features that we'll be developing more in the next (0.4.5) series.

  Here are the changes since 0.4.3.5.

  o Major features (Proposal 310, performance + security):
    - Implements Proposal 310, "Bandaid on guard selection". Proposal
      310 solves load-balancing issues with older versions of the guard
      selection algorithm, and improves its security. Under this new
      algorithm, a newly selected guard never becomes Primary unless all
      previously sampled guards are unreachable. Implements
      recommendation from 32088. (Proposal 310 is linked to the CLAPS
      project researching optimal client location-aware path selections.
      This project is a collaboration between the UCLouvain Crypto Group,
      the U.S. Naval Research Laboratory, and Princeton University.)

  o Major features (IPv6, relay):
    - Consider IPv6-only EXTEND2 cells valid on relays. Log a protocol
      warning if the IPv4 or IPv6 address is an internal address, and
      internal addresses are not allowed. But continue to use the other
      address, if it is valid. Closes ticket 33817.
    - If a relay can extend over IPv4 and IPv6, and both addresses are
      provided, it chooses between them uniformly at random. Closes
      ticket 33817.
    - Re-use existing IPv6 connections for circuit extends. Closes
      ticket 33817.
    - Relays may extend circuits over IPv6, if the relay has an IPv6
      ORPort, and the client supplies the other relay's IPv6 ORPort in
      the EXTEND2 cell. IPv6 extends will be used by the relay IPv6
      ORPort self-tests in 33222. Closes ticket 33817.

  o Major features (v3 onion services):
    - Allow v3 onion services to act as OnionBalance backend instances,
      by using the HiddenServiceOnionBalanceInstance torrc option.
      Closes ticket 32709.

  o Minor feature (developer tools):
    - Add a script to help check the alphabetical ordering of option
      names in the manual page. Closes ticket 33339.

  o Minor feature (onion service client, SOCKS5):
    - Add 3 new SocksPort ExtendedErrors (F2, F3, F7) that reports back
      new type of onion service connection failures. The semantics of
      these error codes are documented in proposal 309. Closes
      ticket 32542.

  o Minor feature (onion service v3):
    - If a service cannot upload its descriptor(s), log why at INFO
      level. Closes ticket 33400; bugfix on 0.3.2.1-alpha.

  o Minor feature (python scripts):
    - Stop assuming that /usr/bin/python exists. Instead of using a
      hardcoded path in scripts that still use Python 2, use
      /usr/bin/env, similarly to the scripts that use Python 3. Fixes
      bug 33192; bugfix on 0.4.2.

  o Minor features (client-only compilation):
    - Disable more code related to the ext_orport protocol when
      compiling without support for relay mode. Closes ticket 33368.
    - Disable more of our self-testing code when support for relay mode
      is disabled. Closes ticket 33370.

  o Minor features (code safety):
    - Check for failures of tor_inet_ntop() and tor_inet_ntoa()
      functions in DNS and IP address processing code, and adjust
      codepaths to make them less likely to crash entire Tor instances.
      Resolves issue 33788.

  o Minor features (compilation size):
    - Most server-side DNS code is now disabled when building without
      support for relay mode. Closes ticket 33366.

  o Minor features (continuous integration):
    - Run unit-test and integration test (Stem, Chutney) jobs with
      ALL_BUGS_ARE_FATAL macro being enabled on Travis and Appveyor.
      Resolves ticket 32143.

  o Minor features (control port):
    - Return a descriptive error message from the 'GETINFO status/fresh-
      relay-descs' command on the control port. Previously, we returned
      a generic error of "Error generating descriptor". Closes ticket
      32873. Patch by Neel Chauhan.

  o Minor features (developer tooling):
    - Refrain from listing all .a files that are generated by the Tor
      build in .gitignore. Add a single wildcard *.a entry that covers
      all of them for present and future. Closes ticket 33642.
    - Add a script ("git-install-tools.sh") to install git hooks and
      helper scripts. Closes ticket 33451.

  o Minor features (directory authority, shared random):
    - Refactor more authority-only parts of the shared-random scheduling
      code to reside in the dirauth module, and to be disabled when
      compiling with --disable-module-dirauth. Closes ticket 33436.

  o Minor features (directory):
    - Remember the number of bytes we have downloaded for each directory
      purpose while bootstrapping, and while fully bootstrapped. Log
      this information as part of the heartbeat message. Closes
      ticket 32720.

  o Minor features (IPv6 support):
    - Adds IPv6 support to tor_addr_is_valid(). Adds tests for the above
      changes and tor_addr_is_null(). Closes ticket 33679. Patch
      by MrSquanchee.
    - Allow clients and relays to send dual-stack and IPv6-only EXTEND2
      cells. Parse dual-stack and IPv6-only EXTEND2 cells on relays.
      Closes ticket 33901.

  o Minor features (logging):
    - When trying to find our own address, add debug-level logging to
      report the sources of candidate addresses. Closes ticket 32888.

  o Minor features (testing, architecture):
    - Our test scripts now double-check that subsystem initialization
      order is consistent with the inter-module dependencies established
      by our .may_include files. Implements ticket 31634.
    - Initialize all subsystems at the beginning of our unit test
      harness, to avoid crashes due to uninitialized subsystems. Follow-
      up from ticket 33316.

  o Minor features (v3 onion services):
    - Add v3 onion service status to the dumpstats() call which is
      triggered by a SIGUSR1 signal. Previously, we only did v2 onion
      services. Closes ticket 24844. Patch by Neel Chauhan.

  o Minor features (windows):
    - Add support for console control signals like Ctrl+C in Windows.
      Closes ticket 34211. Patch from Damon Harris (TheDcoder).

  o Minor bugfix (onion service v3):
    - Prevent an assert() that would occur when cleaning the client
      descriptor cache, and attempting to close circuits for a non-
      decrypted descriptor (lacking client authorization). Fixes bug
      33458; bugfix on 0.4.2.1-alpha.

  o Minor bugfix (refactoring):
    - Lift circuit_build_times_disabled() out of the
      circuit_expire_building() loop, to save CPU time when there are
      many circuits open. Fixes bug 33977; bugfix on 0.3.5.9.

  o Minor bugfixes (client performance):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (directory authorities):
    - Directory authorities now reject votes that arrive too late. In
      particular, once an authority has started fetching missing votes,
      it no longer accepts new votes posted by other authorities. This
      change helps prevent a consensus split, where only some authorities
      have the late vote. Fixes bug 4631; bugfix on 0.2.0.5-alpha.

  o Minor bugfixes (git scripts):
    - Stop executing the checked-out pre-commit hook from the pre-push
      hook. Instead, execute the copy in the user's git directory. Fixes
      bug 33284; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (initialization):
    - Initialize the subsystems in our code in an order more closely
      corresponding to their dependencies, so that every system is
      initialized before the ones that (theoretically) depend on it.
      Fixes bug 33316; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (IPv4, relay):
    - Check for invalid zero IPv4 addresses and ports when sending and
      receiving extend cells. Fixes bug 33900; bugfix on 0.2.4.8-alpha.

  o Minor bugfixes (IPv6, relay):
    - Consider IPv6 addresses when checking if a connection is
      canonical. In 17604, relays assumed that a remote relay could
      consider an IPv6 connection canonical, but did not set the
      canonical flag on their side of the connection. Fixes bug 33899;
      bugfix on 0.3.1.1-alpha.
    - Log IPv6 addresses on connections where this relay is the
      responder. Previously, responding relays would replace the remote
      IPv6 address with the IPv4 address from the consensus. Fixes bug
      33899; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (linux seccomp sandbox nss):
    - Fix a startup crash when tor is compiled with --enable-nss and
      sandbox support is enabled. Fixes bug 34130; bugfix on
      0.3.5.1-alpha. Patch by Daniel Pinto.

  o Minor bugfixes (logging, testing):
    - Make all of tor's assertion macros support the ALL_BUGS_ARE_FATAL
      and DISABLE_ASSERTS_IN_UNIT_TESTS debugging modes. (IF_BUG_ONCE()
      used to log a non-fatal warning, regardless of the debugging
      mode.) Fixes bug 33917; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (logs):
    - Remove surprising empty line in the INFO-level log about circuit
      build timeout. Fixes bug 33531; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (mainloop):
    - Better guard against growing a buffer past its maximum 2GB in
      size. Fixes bug 33131; bugfix on 0.3.0.4-rc.

  o Minor bugfixes (manual page):
    - Update the man page to reflect that MinUptimeHidServDirectoryV2
      defaults to 96 hours. Fixes bug 34299; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, client):
    - Remove a BUG() that was causing a stacktrace when a descriptor
      changed at an unexpected time. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion service, logging):
    - Fix a typo in a log message PublishHidServDescriptors is set to 0.
      Fixes bug 33779; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (portability):
    - Fix a portability error in the configure script, where we were
      using "==" instead of "=". Fixes bug 34233; bugfix on 0.4.3.5.

  o Minor bugfixes (protocol versions):
    - Sort tor's supported protocol version lists, as recommended by the
      tor directory specification. Fixes bug 33285; bugfix
      on 0.4.0.1-alpha.

  o Minor bugfixes (relays):
    - Stop advertising incorrect IPv6 ORPorts in relay and bridge
      descriptors, when the IPv6 port was configured as "auto". Fixes
      bug 32588; bugfix on 0.2.3.9-alpha.

  o Code simplification and refactoring:
    - Define and use a new constant TOR_ADDRPORT_BUF_LEN which is like
      TOR_ADDR_BUF_LEN but includes enough space for an IP address,
      brackets, separating colon, and port number. Closes ticket 33956.
      Patch by Neel Chauhan.
    - Merge the orconn and ocirc events into the "core" subsystem, which
      manages or connections and origin circuits. Previously they were
      isolated in subsystems of their own.
    - Move LOG_PROTOCOL_WARN to app/config. Resolves a dependency
      inversion. Closes ticket 33633.
    - Move the circuit extend code to the relay module. Split the
      circuit extend function into smaller functions. Closes
      ticket 33633.
    - Rewrite port_parse_config() to use the default port flags from
      port_cfg_new(). Closes ticket 32994. Patch by MrSquanchee.
    - Updated comments in 'scheduler.c' to reflect old code changes, and
      simplified the scheduler channel state change code. Closes
      ticket 33349.

  o Documentation:
    - Document the limitations of using %include on config files with
      seccomp sandbox enabled. Fixes documentation bug 34133; bugfix on
      0.3.1.1-alpha. Patch by Daniel Pinto.
    - Fix several doxygen warnings related to imbalanced groups. Closes
      ticket 34255.

  o Removed features:
    - Remove the ClientAutoIPv6ORPort option. This option attempted to
      randomly choose between IPv4 and IPv6 for client connections, and
      wasn't a true implementation of Happy Eyeballs. Often, this option
      failed on IPv4-only or IPv6-only connections. Closes ticket 32905.
      Patch by Neel Chauhan.
    - Stop shipping contrib/dist/rc.subr file, as it is not being used
      on FreeBSD anymore. Closes issue 31576.

  o Testing:
    - Add a basic IPv6 test to "make test-network". This test only runs
      when the local machine has an IPv6 stack. Closes ticket 33300.
    - Add test-network-ipv4 and test-network-ipv6 jobs to the Makefile.
      These jobs run the IPv4-only and dual-stack chutney flavours from
      test-network-all. Closes ticket 33280.
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Run the test-network-ipv6 Makefile target in the Travis CI IPv6
      chutney job. This job runs on macOS, so it's a bit slow. Closes
      ticket 33303.
    - Sort the Travis jobs in order of speed. Putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
      allow_failure), to speed up the build. Closes ticket 33195.
    - Test v3 onion services to tor's mixed IPv4 chutney network. And
      add a mixed IPv6 chutney network. These networks are used in the
      test-network-all, test-network-ipv4, and test-network-ipv6 make
      targets. Closes ticket 33334.
    - Use the "bridges+hs-v23" chutney network flavour in "make test-
      network". This test requires a recent version of chutney (mid-
      February 2020). Closes ticket 28208.
    - When a Travis chutney job fails, use chutney's new "diagnostics.sh"
      tool to produce detailed diagnostic output. Closes ticket 32792.

  o Code simplification and refactoring (onion service):
    - Refactor configuration parsing to use the new config subsystem
      code. Closes ticket 33014.

  o Code simplification and refactoring (relay address):
    - Move a series of functions related to address resolving into their
      own files. Closes ticket 33789.

  o Documentation (manual page):
    - Add cross reference links and a table of contents to the HTML tor
      manual page. Closes ticket 33369. Work by Swati Thacker as part of
      Google Season of Docs.
    - Alphabetize the Denial of Service Mitigation Options, Directory
      Authority Server Options, Hidden Service Options, and Testing
      Network Options sections of the tor(1) manual page. Closes ticket
      33275. Work by Swati Thacker as part of Google Season of Docs.
    - Refrain from mentioning nicknames in manpage section for MyFamily
      torrc option. Resolves issue 33417.
    - Updated the options set by TestingTorNetwork in the manual page.
      Closes ticket 33778.


314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352
Changes in version 0.4.3.5 - 2020-05-15
  Tor 0.4.3.5 is the first stable release in the 0.4.3.x series. This
  series adds support for building without relay code enabled, and
  implements functionality needed for OnionBalance with v3 onion
  services. It includes significant refactoring of our configuration and
  controller functionality, and fixes numerous smaller bugs and
  performance issues.

  Per our support policy, we support each stable release series for nine
  months after its first stable release, or three months after the first
  stable release of the next series: whichever is longer. This means
  that 0.4.3.x will be supported until around February 2021--later, if
  0.4.4.x is later than anticipated.

  Note also that support for 0.4.1.x is about to end on May 20 of this
  year; 0.4.2.x will be supported until September 15. We still plan to
  continue supporting 0.3.5.x, our long-term stable series, until
  Feb 2022.

  Below are the changes since 0.4.3.4-rc. For a complete list of changes
  since 0.4.2.6, see the ReleaseNotes file.

  o Minor bugfixes (compiler compatibility):
    - Avoid compiler warnings from Clang 10 related to the use of GCC-
      style "/* falls through */" comments. Both Clang and GCC allow
      __attribute__((fallthrough)) instead, so that's what we're using
      now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.
    - Fix compilation warnings with GCC 10.0.1. Fixes bug 34077; bugfix
      on 0.4.0.3-alpha.

  o Minor bugfixes (logging):
    - Stop truncating IPv6 addresses and ports in channel and connection
      logs. Fixes bug 33918; bugfix on 0.2.4.4-alpha.
    - Fix a logic error in a log message about whether an address was
      invalid. Previously, the code would never report that onion
      addresses were onion addresses. Fixes bug 34131; bugfix
      on 0.4.3.1-alpha.


353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451
Changes in version 0.4.3.4-rc - 2020-04-13
  Tor 0.4.3.4-rc is the first release candidate in its series. It fixes
  several bugs from earlier versions, including one affecting DoS
  defenses on bridges using pluggable transports.

  o Major bugfixes (DoS defenses, bridges, pluggable transport):
    - Fix a bug that was preventing DoS defenses from running on bridges
      with a pluggable transport. Previously, the DoS subsystem was not
      given the transport name of the client connection, thus failed to
      find the GeoIP cache entry for that client address. Fixes bug
      33491; bugfix on 0.3.3.2-alpha.

  o Minor feature (sendme, flow control):
    - Default to sending SENDME version 1 cells. (Clients are already
      sending these, because of a consensus parameter telling them to do
      so: this change only affects what clients would do if the
      consensus didn't contain a recommendation.) Closes ticket 33623.

  o Minor features (testing):
    - The unit tests now support a "TOR_SKIP_TESTCASES" environment
      variable to specify a list of space-separated test cases that
      should not be executed. We will use this to disable certain tests
      that are failing on Appveyor because of mismatched OpenSSL
      libraries. Part of ticket 33643.

  o Minor bugfixes (--disable-module-relay):
    - Fix an assertion failure when Tor is built without the relay
      module, and then invoked with the "User" option. Fixes bug 33668;
      bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (--disable-module-relay,--disable-module-dirauth):
    - Set some output arguments in the relay and dirauth module stubs,
      to guard against future stub argument handling bugs like 33668.
      Fixes bug 33674; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (build system):
    - Correctly output the enabled module in the configure summary.
      Before that, the list shown was just plain wrong. Fixes bug 33646;
      bugfix on 0.4.3.2-alpha.

  o Minor bugfixes (client, IPv6):
    - Stop forcing all non-SocksPorts to prefer IPv6 exit connections.
      Instead, prefer IPv6 connections by default, but allow users to
      change their configs using the "NoPreferIPv6" port flag. Fixes bug
      33608; bugfix on 0.4.3.1-alpha.
    - Revert PreferIPv6 set by default on the SocksPort because it broke
      the torsocks use case. Tor doesn't have a way for an application
      to request the hostname to be resolved for a specific IP version,
      but torsocks requires that. Up until now, IPv4 was used by default
      so torsocks is expecting that, and can't handle a possible IPv6
      being returned. Fixes bug 33804; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (key portability):
    - When reading PEM-encoded key data, tolerate CRLF line-endings even
      if we are not running on Windows. Previously, non-Windows hosts
      would reject these line-endings in certain positions, making
      certain key files hard to move from one host to another. Fixes bug
      33032; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (logging):
    - Flush stderr, stdout, and file logs during shutdown, if supported
      by the OS. This change helps make sure that any final logs are
      recorded. Fixes bug 33087; bugfix on 0.4.1.6.
    - Stop closing stderr and stdout during shutdown. Closing these file
      descriptors can hide sanitiser logs. Fixes bug 33087; bugfix
      on 0.4.1.6.

  o Minor bugfixes (onion services v3):
    - Relax severity of a log message that can appear naturally when
      decoding onion service descriptors as a relay. Also add some
      diagnostics to debug any future bugs in that area. Fixes bug
      31669; bugfix on 0.3.0.1-alpha.
    - Block a client-side assertion by disallowing the registration of
      an x25519 client auth key that's all zeroes. Fixes bug 33545;
      bugfix on 0.4.3.1-alpha. Based on patch from "cypherpunks".

  o Code simplification and refactoring:
    - Disable our coding standards best practices tracker in our git
      hooks. (0.4.3 branches only.) Closes ticket 33678.

  o Testing:
    - Avoid conflicts between the fake sockets in tor's unit tests, and
      real file descriptors. Resolves issues running unit tests with
      GitHub Actions, where the process that embeds or launches the
      tests has already opened a large number of file descriptors. Fixes
      bug 33782; bugfix on 0.2.8.1-alpha. Found and fixed by
      Putta Khunchalee.

  o Testing (CI):
    - In our Appveyor Windows CI, copy required DLLs to test and app
      directories, before running tor's tests. This ensures that tor.exe
      and test*.exe use the correct version of each DLL. This fix is not
      required, but we hope it will avoid DLL search issues in future.
      Fixes bug 33673; bugfix on 0.3.4.2-alpha.
    - On Appveyor, skip the crypto/openssl_version test, which is
      failing because of a mismatched library installation. Fix
      for 33643.


452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791
Changes in version 0.4.3.3-alpha - 2020-03-18
  Tor 0.4.3.3-alpha fixes several bugs in previous releases, including
  TROVE-2020-002, a major denial-of-service vulnerability that affected
  all released Tor instances since 0.2.1.5-alpha. Using this
  vulnerability, an attacker could cause Tor instances to consume a huge
  amount of CPU, disrupting their operations for several seconds or
  minutes. This attack could be launched by anybody against a relay, or
  by a directory cache against any client that had connected to it. The
  attacker could launch this attack as much as they wanted, thereby
  disrupting service or creating patterns that could aid in traffic
  analysis. This issue was found by OSS-Fuzz, and is also tracked
  as CVE-2020-10592.

  We do not have reason to believe that this attack is currently being
  exploited in the wild, but nonetheless we advise everyone to upgrade
  as soon as packages are available.

  o Major bugfixes (security, denial-of-service):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

  o Major bugfixes (circuit padding, memory leak):
    - Avoid a remotely triggered memory leak in the case that a circuit
      padding machine is somehow negotiated twice on the same circuit.
      Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
      This is also tracked as TROVE-2020-004 and CVE-2020-10593.

  o Major bugfixes (directory authority):
    - Directory authorities will now send a 503 (not enough bandwidth)
      code to clients when under bandwidth pressure. Known relays and
      other authorities will always be answered regardless of the
      bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha.

  o Minor features (diagnostic):
    - Improve assertions and add some memory-poisoning code to try to
      track down possible causes of a rare crash (32564) in the EWMA
      code. Closes ticket 33290.

  o Minor features (directory authorities):
    - Directory authorities now reject descriptors from relays running
      Tor versions from the 0.2.9 and 0.4.0 series. The 0.3.5 series is
      still allowed. Resolves ticket 32672. Patch by Neel Chauhan.

  o Minor features (usability):
    - Include more information when failing to parse a configuration
      value. This should make it easier to tell what's going wrong when
      a configuration file doesn't parse. Closes ticket 33460.

  o Minor bugfix (relay, configuration):
    - Warn if the ContactInfo field is not set, and tell the relay
      operator that not having a ContactInfo field set might cause their
      relay to get rejected in the future. Fixes bug 33361; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (coding best practices checks):
    - Allow the "practracker" script to read unicode files when using
      Python 2. We made the script use unicode literals in 0.4.3.1-alpha,
      but didn't change the codec for opening files. Fixes bug 33374;
      bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (continuous integration):
    - Remove the buggy and unused mirroring job. Fixes bug 33213; bugfix
      on 0.3.2.2-alpha.

  o Minor bugfixes (onion service v3, client):
    - Remove a BUG() warning that would cause a stack trace if an onion
      service descriptor was freed while we were waiting for a
      rendezvous circuit to complete. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion services v3):
    - Fix an assertion failure that could result from a corrupted
      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
      bugfix on 0.3.3.1-alpha. This issue is also tracked
      as TROVE-2020-003.

  o Documentation (manpage):
    - Alphabetize the Server and Directory server sections of the tor
      manpage. Also split Statistics options into their own section of
      the manpage. Closes ticket 33188. Work by Swati Thacker as part of
      Google Season of Docs.
    - Document the __OwningControllerProcess torrc option and specify
      its polling interval. Resolves issue 32971.

  o Testing (Travis CI):
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Sort the Travis jobs in order of speed: putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
      allow_failure), to speed up the build. Closes ticket 33195.
    - When a Travis chutney job fails, use chutney's new "diagnostics.sh"
      tool to produce detailed diagnostic output. Closes ticket 32792.


Changes in version 0.4.2.7 - 2020-03-18
  This is the third stable release in the 0.4.2.x series. It backports
  numerous fixes from later releases, including a fix for TROVE-2020-
  002, a major denial-of-service vulnerability that affected all
  released Tor instances since 0.2.1.5-alpha. Using this vulnerability,
  an attacker could cause Tor instances to consume a huge amount of CPU,
  disrupting their operations for several seconds or minutes. This
  attack could be launched by anybody against a relay, or by a directory
  cache against any client that had connected to it. The attacker could
  launch this attack as much as they wanted, thereby disrupting service
  or creating patterns that could aid in traffic analysis. This issue
  was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.

  We do not have reason to believe that this attack is currently being
  exploited in the wild, but nonetheless we advise everyone to upgrade
  as soon as packages are available.

  o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

  o Major bugfixes (circuit padding, memory leak, backport from 0.4.3.3-alpha):
    - Avoid a remotely triggered memory leak in the case that a circuit
      padding machine is somehow negotiated twice on the same circuit.
      Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
      This is also tracked as TROVE-2020-004 and CVE-2020-10593.

  o Major bugfixes (directory authority, backport from 0.4.3.3-alpha):
    - Directory authorities will now send a 503 (not enough bandwidth)
      code to clients when under bandwidth pressure. Known relays and
      other authorities will always be answered regardless of the
      bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha.

  o Minor features (continuous integration, backport from 0.4.3.2-alpha):
    - Stop allowing failures on the Travis CI stem tests job. It looks
      like all the stem hangs we were seeing before are now fixed.
      Closes ticket 33075.

  o Minor bugfixes (bridges, backport from 0.4.3.1-alpha):
    - Lowercase the configured value of BridgeDistribution before adding
      it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.2-alpha):
    - If we encounter a bug when flushing a buffer to a TLS connection,
      only log the bug once per invocation of the Tor process.
      Previously we would log with every occurrence, which could cause
      us to run out of disk space. Fixes bug 33093; bugfix
      on 0.3.2.2-alpha.

  o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha):
    - Fix an assertion failure that could result from a corrupted
      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
      bugfix on 0.3.3.1-alpha. This issue is also tracked
      as TROVE-2020-003.

  o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha):
    - Fix a syntax warning given by newer versions of Rust that was
      creating problems for our continuous integration. Fixes bug 33212;
      bugfix on 0.3.5.1-alpha.

  o Testing (Travis CI, backport from 0.4.3.3-alpha):
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Sort the Travis jobs in order of speed: putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
      allow_failure), to speed up the build. Closes ticket 33195.
    - When a Travis chutney job fails, use chutney's new "diagnostics.sh"
      tool to produce detailed diagnostic output. Closes ticket 32792.


Changes in version 0.4.1.9 - 2020-03-18
  Tor 0.4.1.9 backports important fixes from later Tor releases,
  including a fix for TROVE-2020-002, a major denial-of-service
  vulnerability that affected all released Tor instances since
  0.2.1.5-alpha. Using this vulnerability, an attacker could cause Tor
  instances to consume a huge amount of CPU, disrupting their operations
  for several seconds or minutes. This attack could be launched by
  anybody against a relay, or by a directory cache against any client
  that had connected to it. The attacker could launch this attack as
  much as they wanted, thereby disrupting service or creating patterns
  that could aid in traffic analysis. This issue was found by OSS-Fuzz,
  and is also tracked as CVE-2020-10592.

  We do not have reason to believe that this attack is currently being
  exploited in the wild, but nonetheless we advise everyone to upgrade
  as soon as packages are available.

  o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

  o Major bugfixes (circuit padding, memory leak, backport from 0.4.3.3-alpha):
    - Avoid a remotely triggered memory leak in the case that a circuit
      padding machine is somehow negotiated twice on the same circuit.
      Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
      This is also tracked as TROVE-2020-004 and CVE-2020-10593.

  o Minor bugfixes (bridges, backport from 0.4.3.1-alpha):
    - Lowercase the configured value of BridgeDistribution before adding
      it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.2-alpha):
    - If we encounter a bug when flushing a buffer to a TLS connection,
      only log the bug once per invocation of the Tor process.
      Previously we would log with every occurrence, which could cause
      us to run out of disk space. Fixes bug 33093; bugfix
      on 0.3.2.2-alpha.

  o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha):
    - Fix an assertion failure that could result from a corrupted
      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
      bugfix on 0.3.3.1-alpha. This issue is also tracked
      as TROVE-2020-003.

  o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha):
    - Fix a syntax warning given by newer versions of Rust that was
      creating problems for our continuous integration. Fixes bug 33212;
      bugfix on 0.3.5.1-alpha.

  o Testing (Travis CI, backport from 0.4.3.3-alpha):
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Sort the Travis jobs in order of speed: putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
      allow_failure), to speed up the build. Closes ticket 33195.
    - When a Travis chutney job fails, use chutney's new "diagnostics.sh"
      tool to produce detailed diagnostic output. Closes ticket 32792.


Changes in version 0.3.5.10 - 2020-03-18
  Tor 0.3.5.10 backports many fixes from later Tor releases, including a
  fix for TROVE-2020-002, a major denial-of-service vulnerability that
  affected all released Tor instances since 0.2.1.5-alpha. Using this
  vulnerability, an attacker could cause Tor instances to consume a huge
  amount of CPU, disrupting their operations for several seconds or
  minutes. This attack could be launched by anybody against a relay, or
  by a directory cache against any client that had connected to it. The
  attacker could launch this attack as much as they wanted, thereby
  disrupting service or creating patterns that could aid in traffic
  analysis. This issue was found by OSS-Fuzz, and is also tracked
  as CVE-2020-10592.

  We do not have reason to believe that this attack is currently being
  exploited in the wild, but nonetheless we advise everyone to upgrade
  as soon as packages are available.

  o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

  o Major bugfixes (linux seccomp sandbox, backport from 0.4.3.1-alpha):
    - Correct how we use libseccomp. Particularly, stop assuming that
      rules are applied in a particular order or that more rules are
      processed after the first match. Neither is the case! In
      libseccomp <2.4.0 this lead to some rules having no effect.
      libseccomp 2.4.0 changed how rules are generated, leading to a
      different ordering, which in turn led to a fatal crash during
      startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by
      Peter Gerber.

  o Minor features (continuous integration, backport from 0.4.3.2-alpha):
    - Stop allowing failures on the Travis CI stem tests job. It looks
      like all the stem hangs we were seeing before are now fixed.
      Closes ticket 33075.

  o Minor bugfixes (bridges, backport from 0.4.3.1-alpha):
    - Lowercase the configured value of BridgeDistribution before adding
      it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.

  o Minor bugfixes (crash, backport from 0.4.2.4-rc):
    - When running Tor with an option like --verify-config or
      --dump-config that does not start the event loop, avoid crashing
      if we try to exit early because of an error. Fixes bug 32407;
      bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.2-alpha):
    - If we encounter a bug when flushing a buffer to a TLS connection,
      only log the bug once per invocation of the Tor process.
      Previously we would log with every occurrence, which could cause
      us to run out of disk space. Fixes bug 33093; bugfix
      on 0.3.2.2-alpha.

  o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha):
    - Fix an assertion failure that could result from a corrupted
      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
      bugfix on 0.3.3.1-alpha. This issue is also tracked
      as TROVE-2020-003.

  o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha):
    - Fix a syntax warning given by newer versions of Rust that was
      creating problems for our continuous integration. Fixes bug 33212;
      bugfix on 0.3.5.1-alpha.

  o Testing (backport from 0.4.3.1-alpha):
    - Re-enable the Travis CI macOS Chutney build, but don't let it
      prevent the Travis job from finishing. (The Travis macOS jobs are
      slow, so we don't want to have it delay the whole CI process.)
      Closes ticket 32629.
    - Turn off Tor's Sandbox in Chutney jobs, and run those jobs on
      Ubuntu Bionic. Turning off the Sandbox is a work-around, until we
      fix the sandbox errors in 32722. Closes ticket 32240.

  o Testing (continuous integration, backport from 0.4.3.1-alpha):
    - Use zstd in our Travis Linux builds. Closes ticket 32242.

  o Testing (Travis CI, backport from 0.4.3.3-alpha):
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Sort the Travis jobs in order of speed: putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
    - When a Travis chutney job fails, use chutney's new "diagnostics.sh"
      tool to produce detailed diagnostic output. Closes ticket 32792.


792 793 794 795 796 797
Changes in version 0.4.3.2-alpha - 2020-02-10
  This is the second stable alpha release in the Tor 0.4.3.x series. It
  fixes several bugs present in the previous alpha release. Anybody
  running the previous alpha should upgrade, and look for bugs in this
  one instead.

798 799 800 801
  o Major bugfixes (onion service client, authorization):
    - On a NEWNYM signal, purge entries from the ephemeral client
      authorization cache. The permanent ones are kept. Fixes bug 33139;
      bugfix on 0.4.3.1-alpha.
802 803 804 805 806 807 808

  o Minor features (best practices tracker):
    - Practracker now supports a --regen-overbroad option to regenerate
      the exceptions file, but only to revise exceptions to be _less_
      tolerant of best-practices violations. Closes ticket 32372.

  o Minor features (continuous integration):
809 810
    - Run Doxygen Makefile target on Travis, so we can learn about
      regressions in our internal documentation. Closes ticket 32455.
811 812 813 814 815
    - Stop allowing failures on the Travis CI stem tests job. It looks
      like all the stem hangs we were seeing before are now fixed.
      Closes ticket 33075.

  o Minor bugfixes (build system):
816 817
    - Revise configure options that were either missing or incorrect in
      the configure summary. Fixes bug 32230; bugfix on 0.4.3.1-alpha.
818 819 820 821 822 823 824

  o Minor bugfixes (controller protocol):
    - Fix a memory leak introduced by refactoring of control reply
      formatting code. Fixes bug 33039; bugfix on 0.4.3.1-alpha.
    - Fix a memory leak in GETINFO responses. Fixes bug 33103; bugfix
      on 0.4.3.1-alpha.
    - When receiving "ACTIVE" or "DORMANT" signals on the control port,
825 826
      report them as SIGNAL events. Previously we would log a bug
      warning. Fixes bug 33104; bugfix on 0.4.0.1-alpha.
827 828 829 830 831 832 833 834

  o Minor bugfixes (logging):
    - If we encounter a bug when flushing a buffer to a TLS connection,
      only log the bug once per invocation of the Tor process.
      Previously we would log with every occurrence, which could cause
      us to run out of disk space. Fixes bug 33093; bugfix
      on 0.3.2.2-alpha.
    - When logging a bug, do not say "Future instances of this warning
835
      will be silenced" unless we are actually going to silence them.
836 837 838 839
      Previously we would say this whenever a BUG() check failed in the
      code. Fixes bug 33095; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (onion service v2):
840 841 842
    - Move a series of v2 onion service warnings to protocol-warning
      level because they can all be triggered remotely by a malformed
      request. Fixes bug 32706; bugfix on 0.1.1.14-alpha.
843 844 845

  o Minor bugfixes (onion service v3, client authorization):
    - When removing client authorization credentials using the control
846
      port, also remove the associated descriptor, so the onion service
847 848
      can no longer be contacted. Fixes bug 33148; bugfix
      on 0.4.3.1-alpha.
849 850

  o Minor bugfixes (pluggable transports):
851 852 853
    - When receiving a message on standard error from a pluggable
      transport, log it at info level, rather than as a warning. Fixes
      bug 33005; bugfix on 0.4.0.1-alpha.
854 855

  o Minor bugfixes (rust, build):
856 857 858
    - Fix a syntax warning given by newer versions of Rust that was
      creating problems for our continuous integration. Fixes bug 33212;
      bugfix on 0.3.5.1-alpha.
859 860

  o Minor bugfixes (TLS bug handling):
861
    - When encountering a bug in buf_read_from_tls(), return a "MISC"
862 863 864 865 866 867 868 869 870
      error code rather than "WANTWRITE". This change might help avoid
      some CPU-wasting loops if the bug is ever triggered. Bug reported
      by opara. Fixes bug 32673; bugfix on 0.3.0.4-alpha.

  o Code simplification and refactoring (mainloop):
    - Simplify the ip_address_changed() function by removing redundant
      checks. Closes ticket 33091.

  o Documentation (manpage):
871
    - Split "Circuit Timeout" options and "Node Selection" options into
872 873 874 875
      their own sections of the tor manpage. Closes tickets 32928 and
      32929. Work by Swati Thacker as part of Google Season of Docs.


876 877 878 879 880 881 882 883 884 885 886
Changes in version 0.4.2.6 - 2020-01-30
  This is the second stable release in the 0.4.2.x series. It backports
  several bugfixes from 0.4.3.1-alpha, including some that had affected
  the Linux seccomp2 sandbox or Windows services. If you're running with
  one of those configurations, you'll probably want to upgrade;
  otherwise, you should be fine with 0.4.2.5.

  o Major bugfixes (linux seccomp sandbox, backport from 0.4.3.1-alpha):
    - Correct how we use libseccomp. Particularly, stop assuming that
      rules are applied in a particular order or that more rules are
      processed after the first match. Neither is the case! In
Nick Mathewson's avatar
Nick Mathewson committed
887
      libseccomp <2.4.0 this led to some rules having no effect.
888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941
      libseccomp 2.4.0 changed how rules are generated, leading to a
      different ordering, which in turn led to a fatal crash during
      startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by
      Peter Gerber.
    - Fix crash when reloading logging configuration while the
      experimental sandbox is enabled. Fixes bug 32841; bugfix on
      0.4.1.7. Patch by Peter Gerber.

  o Minor bugfixes (correctness checks, backport from 0.4.3.1-alpha):
    - Use GCC/Clang's printf-checking feature to make sure that
      tor_assertf() arguments are correctly typed. Fixes bug 32765;
      bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (logging, crash, backport from 0.4.3.1-alpha):
    - Avoid a possible crash when trying to log a (fatal) assertion
      failure about mismatched magic numbers in configuration objects.
      Fixes bug 32771; bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (testing, backport from 0.4.3.1-alpha):
    - When TOR_DISABLE_PRACTRACKER is set, do not apply it to the
      test_practracker.sh script. Doing so caused a test failure. Fixes
      bug 32705; bugfix on 0.4.2.1-alpha.
    - When TOR_DISABLE_PRACTRACKER is set, log a notice to stderr when
      skipping practracker checks. Fixes bug 32705; bugfix
      on 0.4.2.1-alpha.

  o Minor bugfixes (windows service, backport from 0.4.3.1-alpha):
    - Initialize the publish/subscribe system when running as a windows
      service. Fixes bug 32778; bugfix on 0.4.1.1-alpha.

  o Testing (backport from 0.4.3.1-alpha):
    - Turn off Tor's Sandbox in Chutney jobs, and run those jobs on
      Ubuntu Bionic. Turning off the Sandbox is a work-around, until we
      fix the sandbox errors in 32722. Closes ticket 32240.
    - Re-enable the Travis CI macOS Chutney build, but don't let it
      prevent the Travis job from finishing. (The Travis macOS jobs are
      slow, so we don't want to have it delay the whole CI process.)
      Closes ticket 32629.

  o Testing (continuous integration, backport from 0.4.3.1-alpha):
    - Use zstd in our Travis Linux builds. Closes ticket 32242.


Changes in version 0.4.1.8 - 2020-01-30
  This release backports several bugfixes from later release series,
  including some that had affected the Linux seccomp2 sandbox or Windows
  services. If you're running with one of those configurations, you'll
  probably want to upgrade; otherwise, you should be fine with your
  current version of 0.4.1.x.

  o Major bugfixes (linux seccomp sandbox, backport from 0.4.3.1-alpha):
    - Correct how we use libseccomp. Particularly, stop assuming that
      rules are applied in a particular order or that more rules are
      processed after the first match. Neither is the case! In
Nick Mathewson's avatar
Nick Mathewson committed
942
      libseccomp <2.4.0 this led to some rules having no effect.
943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973
      libseccomp 2.4.0 changed how rules are generated, leading to a
      different ordering, which in turn led to a fatal crash during
      startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by
      Peter Gerber.
    - Fix crash when reloading logging configuration while the
      experimental sandbox is enabled. Fixes bug 32841; bugfix on
      0.4.1.7. Patch by Peter Gerber.

  o Minor bugfixes (crash, backport form 0.4.2.4-rc):
    - When running Tor with an option like --verify-config or
      --dump-config that does not start the event loop, avoid crashing
      if we try to exit early because of an error. Fixes bug 32407;
      bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (windows service, backport from 0.4.3.1-alpha):
    - Initialize the publish/subscribe system when running as a windows
      service. Fixes bug 32778; bugfix on 0.4.1.1-alpha.

  o Testing (backport from 0.4.3.1-alpha):
    - Turn off Tor's Sandbox in Chutney jobs, and run those jobs on
      Ubuntu Bionic. Turning off the Sandbox is a work-around, until we
      fix the sandbox errors in 32722. Closes ticket 32240.
    - Re-enable the Travis CI macOS Chutney build, but don't let it
      prevent the Travis job from finishing. (The Travis macOS jobs are
      slow, so we don't want to have it delay the whole CI process.)
      Closes ticket 32629.

  o Testing (continuous integration, backport from 0.4.3.1-alpha):
    - Use zstd in our Travis Linux builds. Closes ticket 32242.


Nick Mathewson's avatar
Nick Mathewson committed
974
Changes in version 0.4.3.1-alpha - 2020-01-22
975 976 977 978 979 980 981
  This is the first alpha release in the 0.4.3.x series. It includes
  improved support for application integration of onion services, support
  for building in a client-only mode, and newly improved internal
  documentation (online at https://src-ref.docs.torproject.org/tor/). It
  also has numerous other small bugfixes and features, as well as
  improvements to our code's internal organization that should help us
  write better code in the future.
982

Nick Mathewson's avatar
Nick Mathewson committed
983 984 985 986 987
  o New system requirements:
    - When building Tor, you now need to have Python 3 in order to run
      the integration tests. (Python 2 is officially unsupported
      upstream, as of 1 Jan 2020.) Closes ticket 32608.

988
  o Major features (build system):
Nick Mathewson's avatar
Nick Mathewson committed
989 990 991 992 993
    - The relay code can now be disabled using the --disable-module-relay
      configure option. When this option is set, we also disable the
      dirauth module. Closes ticket 32123.
    - When Tor is compiled --disable-module-relay, we also omit the code
      used to act as a directory cache. Closes ticket 32487.
994 995

  o Major features (directory authority, ed25519):
Nick Mathewson's avatar
Nick Mathewson committed
996
    - Add support for banning a relay's ed25519 keys in the approved-
Nick Mathewson's avatar
Nick Mathewson committed
997 998
      routers file. This will help us migrate away from RSA keys in the
      future. Previously, only RSA keys could be banned in approved-
Nick Mathewson's avatar
Nick Mathewson committed
999
      routers. Resolves ticket 22029. Patch by Neel Chauhan.
1000

Nick Mathewson's avatar
Nick Mathewson committed
1001 1002 1003 1004 1005 1006 1007 1008 1009 1010
  o Major features (onion service, controller):
    - New control port commands to manage client-side onion service
      authorization credentials. The ONION_CLIENT_AUTH_ADD command adds
      a credential, ONION_CLIENT_AUTH_REMOVE deletes a credential, and
      ONION_CLIENT_AUTH_VIEW lists the credentials. Closes ticket 30381.

  o Major features (onion service, SOCKS5):
    - Introduce a new SocksPort flag, ExtendedErrors, to support more
      detailed error codes in information for applications that support
      them. Closes ticket 30382; implements proposal 304.
1011 1012

  o Major features (proxy):
Nick Mathewson's avatar
Nick Mathewson committed
1013 1014 1015 1016 1017
    - In addition to its current supported proxy types (HTTP CONNECT,
      SOCKS4, and SOCKS5), Tor can now make its OR connections through a
      HAProxy server. A new torrc option was added to specify the
      address/port of the server: TCPProxy <protocol> <host>:<port>.
      Currently the only supported protocol for the option is haproxy.
1018
      Closes ticket 31518. Patch done by Suphanat Chunhapanya (haxxpop).
Nick Mathewson's avatar
Nick Mathewson committed
1019 1020 1021 1022 1023

  o Major bugfixes (linux seccomp sandbox):
    - Correct how we use libseccomp. Particularly, stop assuming that
      rules are applied in a particular order or that more rules are
      processed after the first match. Neither is the case! In
Nick Mathewson's avatar
Nick Mathewson committed
1024
      libseccomp <2.4.0 this led to some rules having no effect.
1025 1026
      libseccomp 2.4.0 changed how rules are generated, leading to a
      different ordering, which in turn led to a fatal crash during
Nick Mathewson's avatar
Nick Mathewson committed
1027 1028 1029 1030 1031
      startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by
      Peter Gerber.
    - Fix crash when reloading logging configuration while the
      experimental sandbox is enabled. Fixes bug 32841; bugfix on
      0.4.1.7. Patch by Peter Gerber.
1032 1033 1034 1035 1036 1037 1038

  o Major bugfixes (networking):
    - Correctly handle IPv6 addresses in SOCKS5 RESOLVE_PTR requests,
      and accept strings as well as binary addresses. Fixes bug 32315;
      bugfix on 0.3.5.1-alpha.

  o Major bugfixes (onion service):
1039 1040 1041 1042 1043
    - Report HS circuit failure back into the HS subsystem so we take
      appropriate action with regards to the client introduction point
      failure cache. This improves reachability of onion services, since
      now clients notice failing introduction circuits properly. Fixes
      bug 32020; bugfix on 0.3.2.1-alpha.
1044 1045

  o Minor feature (configure, build system):
Nick Mathewson's avatar
Nick Mathewson committed
1046 1047
    - Output a list of enabled/disabled features at the end of the
      configure process in a pleasing way. Closes ticket 31373.
1048 1049

  o Minor feature (heartbeat, onion service):
Nick Mathewson's avatar
Nick Mathewson committed
1050 1051
    - Add the DoS INTRODUCE2 defenses counter to the heartbeat DoS
      message. Closes ticket 31371.
1052 1053 1054

  o Minor features (configuration validation):
    - Configuration validation can now be done by per-module callbacks,
Nick Mathewson's avatar
Nick Mathewson committed
1055 1056 1057
      rather than a global validation function. This will let us reduce
      the size of config.c and some of its more cumbersome functions.
      Closes ticket 31241.
1058 1059

  o Minor features (configuration):
Nick Mathewson's avatar
Nick Mathewson committed
1060
    - If a configured hardware crypto accelerator in AccelName is
Nick Mathewson's avatar
Nick Mathewson committed
1061 1062
      prefixed with "!", Tor now exits when it cannot be found. Closes
      ticket 32406.
Nick Mathewson's avatar
Nick Mathewson committed
1063
    - We now use flag-driven logic to warn about obsolete configuration
Nick Mathewson's avatar
Nick Mathewson committed
1064 1065
      fields, so that we can include their names. In 0.4.2, we used a
      special type, which prevented us from generating good warnings.
1066 1067 1068 1069
      Implements ticket 32404.

  o Minor features (controller):
    - Add stream isolation data to STREAM event. Closes ticket 19859.
Nick Mathewson's avatar
Nick Mathewson committed
1070 1071
    - Implement a new GETINFO command to fetch microdescriptor
      consensus. Closes ticket 31684.
1072 1073

  o Minor features (debugging, directory system):
Nick Mathewson's avatar
Nick Mathewson committed
1074 1075 1076
    - Don't crash when we find a non-guard with a guard-fraction value
      set. Instead, log a bug warning, in an attempt to figure out how
      this happened. Diagnostic for ticket 32868.
1077 1078

  o Minor features (defense in depth):
Nick Mathewson's avatar
Nick Mathewson committed
1079 1080
    - Add additional checks around tor_vasprintf() usage, in case the
      function returns an error. Patch by Tobias Stoeckmann. Fixes
Nick Mathewson's avatar
Nick Mathewson committed
1081
      ticket 31147.
1082 1083

  o Minor features (developer tooling):
Nick Mathewson's avatar
Nick Mathewson committed
1084
    - Remove the 0.2.9.x series branches from git scripts (git-merge-
Nick Mathewson's avatar
Nick Mathewson committed
1085 1086
      forward.sh, git-pull-all.sh, git-push-all.sh, git-setup-dirs.sh).
      Closes ticket 32772.
1087 1088

  o Minor features (developer tools):
Nick Mathewson's avatar
Nick Mathewson committed
1089 1090
    - Add a check_cocci_parse.sh script that checks that new code is
      parseable by Coccinelle. Add an exceptions file for unparseable
Nick Mathewson's avatar
Nick Mathewson committed
1091 1092 1093
      files, and run the script from travis CI. Closes ticket 31919.
    - Call the check_cocci_parse.sh script from a 'check-cocci' Makefile
      target. Closes ticket 31919.
1094 1095 1096 1097 1098
    - Add a rename_c_identifiers.py tool to rename a bunch of C
      identifiers at once, and generate a well-formed commit message
      describing the change. This should help with refactoring. Closes
      ticket 32237.
    - Add some scripts in "scripts/coccinelle" to invoke the Coccinelle
Nick Mathewson's avatar
Nick Mathewson committed
1099 1100 1101
      semantic patching tool with the correct flags. These flags are
      fairly easy to forget, and these scripts should help us use
      Coccinelle more effectively in the future. Closes ticket 31705.
1102 1103 1104

  o Minor features (Doxygen):
    - Update Doxygen configuration file to a more recent template (from
Nick Mathewson's avatar
Nick Mathewson committed
1105 1106 1107
      1.8.15). Closes ticket 32110.
    - "make doxygen" now works with out-of-tree builds. Closes
      ticket 32113.
Nick Mathewson's avatar
Nick Mathewson committed
1108 1109 1110
    - Make sure that doxygen outputs documentation for all of our C
      files. Previously, some were missing @file declarations, causing
      them to be ignored. Closes ticket 32307.
1111
    - Our "make doxygen" target now respects --enable-fatal-warnings by
Nick Mathewson's avatar
Nick Mathewson committed
1112 1113 1114 1115
      default, and does not warn about items that are missing
      documentation. To warn about missing documentation, run configure
      with the "--enable-missing-doc-warnings" flag: doing so suspends
      fatal warnings for doxygen. Closes ticket 32385.
1116 1117 1118 1119

  o Minor features (git scripts):
    - Add TOR_EXTRA_CLONE_ARGS to git-setup-dirs.sh for git clone
      customisation. Closes ticket 32347.
Nick Mathewson's avatar
Nick Mathewson committed
1120 1121
    - Add git-setup-dirs.sh, which sets up an upstream git repository
      and worktrees for tor maintainers. Closes ticket 29603.
1122 1123
    - Add TOR_EXTRA_REMOTE_* to git-setup-dirs.sh for a custom extra
      remote. Closes ticket 32347.
Nick Mathewson's avatar
Nick Mathewson committed
1124 1125 1126 1127
    - Call the check_cocci_parse.sh script from the git commit and push
      hooks. Closes ticket 31919.
    - Make git-push-all.sh skip unchanged branches when pushing to
      upstream. The script already skipped unchanged test branches.
1128
      Closes ticket 32216.
Nick Mathewson's avatar
Nick Mathewson committed
1129 1130 1131 1132
    - Make git-setup-dirs.sh create a master symlink in the worktree
      directory. Closes ticket 32347.
    - Skip unmodified source files when doing some existing git hook
      checks. Related to ticket 31919.
1133 1134 1135

  o Minor features (IPv6, client):
    - Make Tor clients tell dual-stack exits that they prefer IPv6
Nick Mathewson's avatar
Nick Mathewson committed
1136 1137 1138 1139
      connections. This change is equivalent to setting the PreferIPv6
      flag on SOCKSPorts (and most other listener ports). Tor Browser
      has been setting this flag for some time, and we want to remove a
      client distinguisher at exits. Closes ticket 32637.
1140 1141

  o Minor features (portability, android):
Nick Mathewson's avatar
Nick Mathewson committed
1142 1143
    - When building for Android, disable some tests that depend on $HOME
      and/or pwdb, which Android doesn't have. Closes ticket 32825.
1144 1145
      Patch from Hans-Christoph Steiner.

Nick Mathewson's avatar
Nick Mathewson committed
1146
  o Minor features (relay modularity):
1147
    - Split the relay and server pluggable transport config code into
Nick Mathewson's avatar
Nick Mathewson committed
1148
      separate files in the relay module. Disable this code when the
Nick Mathewson's avatar
Nick Mathewson committed
1149
      relay module is disabled. Closes part of ticket 32213.
1150 1151 1152
    - When the relay module is disabled, reject attempts to set the
      ORPort, DirPort, DirCache, BridgeRelay, ExtORPort, or
      ServerTransport* options, rather than ignoring the values of these
Nick Mathewson's avatar
Nick Mathewson committed
1153
      options. Closes part of ticket 32213.
1154 1155

  o Minor features (relay):
Nick Mathewson's avatar
Nick Mathewson committed
1156 1157
    - When the relay module is disabled, change the default config so
      that DirCache is 0, and ClientOnly is 1. Closes ticket 32410.
1158 1159

  o Minor features (release tools):
Nick Mathewson's avatar
Nick Mathewson committed
1160
    - Port our ChangeLog formatting and sorting tools to Python 3.
1161 1162 1163
      Closes ticket 32704.

  o Minor features (testing):
Nick Mathewson's avatar
Nick Mathewson committed
1164
    - Detect some common failure cases for test_parseconf.sh in
1165 1166 1167
      src/test/conf_failures. Closes ticket 32451.
    - Allow test_parseconf.sh to test expected log outputs for successful
      configs, as well as failed configs. Closes ticket 32451.
Nick Mathewson's avatar
Nick Mathewson committed
1168 1169 1170
    - The test_parseconf.sh script now supports result variants for any
      combination of the optional libraries lzma, nss, and zstd. Closes
      ticket 32397.
1171 1172

  o Minor features (tests, Android):
Nick Mathewson's avatar
Nick Mathewson committed
1173 1174 1175
    - When running the unit tests on Android, create temporary files in
      a subdirectory of /data/local/tmp. Closes ticket 32172. Based on a
      patch from Hans-Christoph Steiner.
1176 1177

  o Minor bugfixes (bridges):
Nick Mathewson's avatar
Nick Mathewson committed
1178
    - Lowercase the configured value of BridgeDistribution before adding
Nick Mathewson's avatar
Nick Mathewson committed
1179
      it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.
1180

Nick Mathewson's avatar
Nick Mathewson committed
1181
  o Minor bugfixes (build system):
Nick Mathewson's avatar
Nick Mathewson committed
1182 1183
    - Fix "make autostyle" for out-of-tree builds. Fixes bug 32370;
      bugfix on 0.4.1.2-alpha.
1184 1185

  o Minor bugfixes (configuration handling):
Nick Mathewson's avatar
Nick Mathewson committed
1186
    - Make control_event_conf_changed() take in a config_line_t instead
Nick Mathewson's avatar
Nick Mathewson committed
1187 1188
      of a smartlist of alternating key/value entries. Fixes bug 31531;
      bugfix on 0.2.3.3-alpha. Patch by Neel Chauhan.
1189 1190

  o Minor bugfixes (configuration):
Nick Mathewson's avatar
Nick Mathewson committed
1191 1192 1193 1194 1195 1196 1197
    - Check for multiplication overflow when parsing memory units inside
      configuration. Fixes bug 30920; bugfix on 0.0.9rc1.
    - When dumping the configuration, stop adding a trailing space after
      the option name when there is no option value. This issue only
      affects options that accept an empty value or list. (Most options
      reject empty values, or delete the entire line from the dumped
      options.) Fixes bug 32352; bugfix on 0.0.9pre6.
Nick Mathewson's avatar
Nick Mathewson committed
1198 1199 1200
    - Avoid changing the user's value of HardwareAccel as stored by
      SAVECONF, when AccelName is set but HardwareAccel is not. Fixes
      bug 32382; bugfix on 0.2.2.1-alpha.
1201 1202
    - When creating a KeyDirectory with the same location as the
      DataDirectory (not recommended), respect the DataDirectory's
Nick Mathewson's avatar
Nick Mathewson committed
1203 1204
      group-readable setting if one has not been set for the
      KeyDirectory. Fixes bug 27992; bugfix on 0.3.3.1-alpha.
1205 1206

  o Minor bugfixes (controller):
Nick Mathewson's avatar
Nick Mathewson committed
1207 1208 1209
    - In routerstatus_has_changed(), check all the fields that are
      output over the control port. Fixes bug 20218; bugfix
      on 0.1.1.11-alpha
1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228

  o Minor bugfixes (correctness checks):
    - Use GCC/Clang's printf-checking feature to make sure that
      tor_assertf() arguments are correctly typed. Fixes bug 32765;
      bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (developer tools):
    - Allow paths starting with ./ in scripts/add_c_file.py. Fixes bug
      31336; bugfix on 0.4.1.2-alpha.

  o Minor bugfixes (dirauth module):
    - Split the dirauth config code into a separate file in the dirauth
      module. Disable this code when the dirauth module is disabled.
      Closes ticket 32213.
    - When the dirauth module is disabled, reject attempts to set the
      AuthoritativeDir option, rather than ignoring the value of the
      option. Fixes bug 32213; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (embedded Tor):
Nick Mathewson's avatar
Nick Mathewson committed
1229 1230 1231 1232 1233
    - When starting Tor any time after the first time in a process,
      register the thread in which it is running as the main thread.
      Previously, we only did this on Windows, which could lead to bugs
      like 23081 on non-Windows platforms. Fixes bug 32884; bugfix
      on 0.3.3.1-alpha.
1234 1235

  o Minor bugfixes (git scripts):
Nick Mathewson's avatar
Nick Mathewson committed
1236 1237
    - Avoid sleeping before the last push in git-push-all.sh. Closes
      ticket 32216.
1238 1239 1240 1241
    - Forward all unrecognised arguments in git-push-all.sh to git push.
      Closes ticket 32216.

  o Minor bugfixes (hidden service v3):
1242
    - Do not rely on a "circuit established" flag for intro circuits but
Nick Mathewson's avatar
Nick Mathewson committed
1243 1244 1245
      instead always query the HS circuit map. This is to avoid sync
      issue with that flag and the map. Fixes bug 32094; bugfix
      on 0.3.2.1-alpha.
1246 1247

  o Minor bugfixes (logging, crash):
Nick Mathewson's avatar
Nick Mathewson committed
1248 1249 1250
    - Avoid a possible crash when trying to log a (fatal) assertion
      failure about mismatched magic numbers in configuration objects.
      Fixes bug 32771; bugfix on 0.4.2.1-alpha.
1251 1252

  o Minor bugfixes (onion service v2):
Nick Mathewson's avatar
Nick Mathewson committed
1253 1254
    - When sending the INTRO cell for a v2 Onion Service, look at the
      failure cache alongside timeout values to check if the intro point
1255
      is marked as failed. Previously, we only looked at the relay
Nick Mathewson's avatar
Nick Mathewson committed
1256 1257
      timeout values. Fixes bug 25568; bugfix on 0.2.7.3-rc. Patch by
      Neel Chauhan.
1258 1259

  o Minor bugfixes (onion services v3, client):
Nick Mathewson's avatar
Nick Mathewson committed
1260 1261 1262 1263 1264
    - Properly handle the client rendezvous circuit timeout. Previously
      Tor would sometimes timeout a rendezvous circuit awaiting the
      introduction ACK, and find itself unable to re-establish all
      circuits because the rendezvous circuit timed out too early. Fixes
      bug 32021; bugfix on 0.3.2.1-alpha.
1265 1266

  o Minor bugfixes (onion services):
Nick Mathewson's avatar
Nick Mathewson committed
1267 1268 1269
    - In cancel_descriptor_fetches(), use
      connection_list_by_type_purpose() instead of
      connection_list_by_type_state(). Fixes bug 32639; bugfix on
1270 1271 1272
      0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (scripts):
Nick Mathewson's avatar
Nick Mathewson committed
1273 1274
    - Fix update_versions.py for out-of-tree builds. Fixes bug 32371;
      bugfix on 0.4.0.1-alpha.
1275 1276

  o Minor bugfixes (test):
Nick Mathewson's avatar
Nick Mathewson committed
1277 1278
    - Use the same code to find the tor binary in all of our test
      scripts. This change makes sure we are always using the coverage
Nick Mathewson's avatar
Nick Mathewson committed
1279
      binary when coverage is enabled. Fixes bug 32368; bugfix
Nick Mathewson's avatar
Nick Mathewson committed
1280
      on 0.2.7.3-rc.
1281 1282 1283 1284 1285

  o Minor bugfixes (testing):
    - Stop ignoring "tor --dump-config" errors in test_parseconf.sh.
      Fixes bug 32468; bugfix on 0.4.2.1-alpha.
    - When TOR_DISABLE_PRACTRACKER is set, do not apply it to the
Nick Mathewson's avatar
Nick Mathewson committed
1286 1287 1288 1289 1290
      test_practracker.sh script. Doing so caused a test failure. Fixes
      bug 32705; bugfix on 0.4.2.1-alpha.
    - When TOR_DISABLE_PRACTRACKER is set, log a notice to stderr when
      skipping practracker checks. Fixes bug 32705; bugfix
      on 0.4.2.1-alpha.
1291 1292

  o Minor bugfixes (tests):
Nick Mathewson's avatar
Nick Mathewson committed
1293
    - Our option-validation tests no longer depend on specially
1294
      configured non-default, non-passing sets of options. Previously,
Nick Mathewson's avatar
Nick Mathewson committed
1295 1296 1297
      the tests had been written to assume that options would _not_ be
      set to their defaults, which led to needless complexity and
      verbosity. Fixes bug 32175; bugfix on 0.2.8.1-alpha.
1298 1299

  o Minor bugfixes (windows service):
Nick Mathewson's avatar
Nick Mathewson committed
1300
    - Initialize the publish/subscribe system when running as a windows
Nick Mathewson's avatar
Nick Mathewson committed
1301
      service. Fixes bug 32778; bugfix on 0.4.1.1-alpha.
1302 1303

  o Deprecated features:
Nick Mathewson's avatar
Nick Mathewson committed
1304
    - Deprecate the ClientAutoIPv6ORPort option. This option was not
1305 1306 1307
      true "Happy Eyeballs", and often failed on connections that
      weren't reliably dual-stack. Closes ticket 32942. Patch by
      Neel Chauhan.
1308 1309

  o Documentation:
1310 1311
    - Provide a quickstart guide for a Circuit Padding Framework, and
      documentation for researchers to implement and study circuit
Nick Mathewson's avatar
Nick Mathewson committed
1312
      padding machines. Closes ticket 28804.
Nick Mathewson's avatar
Nick Mathewson committed
1313 1314
    - Add documentation in 'HelpfulTools.md' to describe how to build a
      tag file. Closes ticket 32779.
1315
    - Create a high-level description of the long-term software
Nick Mathewson's avatar
Nick Mathewson committed
1316 1317 1318
      architecture goals. Closes ticket 32206.
    - Describe the --dump-config command in the manual page. Closes
      ticket 32467.
1319 1320 1321 1322
    - Unite coding advice from this_not_that.md in torguts repo into our
      coding standards document. Resolves ticket 31853.

  o Removed features:
Nick Mathewson's avatar
Nick Mathewson committed
1323
    - Our Doxygen configuration no longer generates LaTeX output. The
1324
      reference manual produced by doing this was over 4000 pages long,
Nick Mathewson's avatar
Nick Mathewson committed
1325 1326 1327 1328 1329
      and generally unusable. Closes ticket 32099.
    - The option "TestingEstimatedDescriptorPropagationTime" is now
      marked as obsolete. It has had no effect since 0.3.0.7, when
      clients stopped rejecting consensuses "from the future". Closes
      ticket 32807.
1330 1331
    - We no longer support consensus methods before method 28; these
      methods were only used by authorities running versions of Tor that
1332
      are now at end-of-life. In effect, this means that clients,
1333 1334 1335
      relays, and authorities now assume that authorities will be
      running version 0.3.5.x or later. Closes ticket 32695.

Nick Mathewson's avatar
Nick Mathewson committed
1336 1337 1338 1339 1340 1341 1342 1343
  o Testing:
    - Add more test cases for tor's UTF-8 validation function. Also,
      check the arguments passed to the function for consistency. Closes
      ticket 32845.
    - Improve test coverage for relay and dirauth config code, focusing
      on option validation and normalization. Closes ticket 32213.
    - Improve the consistency of test_parseconf.sh output, and run all
      the tests, even if one fails. Closes ticket 32213.
1344 1345 1346
    - Re-enable the Travis CI macOS Chutney build, but don't let it
      prevent the Travis job from finishing. (The Travis macOS jobs are
      slow, so we don't want to have it delay the whole CI process.)
Nick Mathewson's avatar
Nick Mathewson committed
1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357
      Closes ticket 32629.
    - Run the practracker unit tests in the pre-commit git hook. Closes
      ticket 32609.
    - Turn off Tor's Sandbox in Chutney jobs, and run those jobs on
      Ubuntu Bionic. Turning off the Sandbox is a work-around, until we
      fix the sandbox errors in 32722. Closes ticket 32240.

  o Code simplification and refactoring (channel):
    - Channel layer had a variable length cell handler that was not used
      and thus removed. Closes ticket 32892.

Nick Mathewson's avatar
Nick Mathewson committed
1358 1359 1360 1361 1362 1363 1364
  o Code simplification and refactoring (configuration):
    - Immutability is now implemented as a flag on individual
      configuration options rather than as part of the option-transition
      checking code. Closes ticket 32344.
    - Instead of keeping a list of configuration options to check for
      relative paths, check all the options whose type is "FILENAME".
      Solves part of ticket 32339.
1365
    - Our default log (which ordinarily sends NOTICE-level messages to
Nick Mathewson's avatar
Nick Mathewson committed
1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382
      standard output) is now handled in a more logical manner.
      Previously, we replaced the configured log options if they were
      empty. Now, we interpret an empty set of log options as meaning
      "use the default log". Closes ticket 31999.
    - Remove some unused arguments from the options_validate() function,
      to simplify our code and tests. Closes ticket 32187.
    - Simplify the options_validate() code so that it looks at the
      default options directly, rather than taking default options as an
      argument. This change lets us simplify its interface. Closes
      ticket 32185.
    - Use our new configuration architecture to move most authority-
      related options to the directory authority module. Closes
      ticket 32806.
    - When parsing the command line, handle options that determine our
      "quiet level" and our mode of operation (e.g., --dump-config and
      so on) all in one table. Closes ticket 32003.

Nick Mathewson's avatar
Nick Mathewson committed
1383
  o Code simplification and refactoring (controller):
Nick Mathewson's avatar
Nick Mathewson committed
1384 1385 1386
    - Create a new abstraction for formatting control protocol reply
      lines based on key-value pairs. Refactor some existing control
      protocol code to take advantage of this. Closes ticket 30984.
Nick Mathewson's avatar
Nick Mathewson committed
1387 1388 1389
    - Create a helper function that can fetch network status or
      microdesc consensuses. Closes ticket 31684.

Nick Mathewson's avatar
Nick Mathewson committed
1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423
  o Code simplification and refactoring (dirauth modularization):
    - Remove the last remaining HAVE_MODULE_DIRAUTH inside a function.
      Closes ticket 32163.
    - Replace some confusing identifiers in process_descs.c. Closes
      ticket 29826.
    - Simplify some relay and dirauth config code. Closes ticket 32213.

  o Code simplification and refactoring (misc):
    - Make all the structs we declare follow the same naming convention
      of ending with "_t". Closes ticket 32415.
    - Move and rename some configuration-related code for clarity.
      Closes ticket 32304.
    - Our include.am files are now broken up by subdirectory.
      Previously, src/core/include.am covered all of the subdirectories
      in "core", "feature", and "app". Closes ticket 32137.
    - Remove underused NS*() macros from test code: they make our tests
      more confusing, especially for code-formatting tools. Closes
      ticket 32887.

  o Code simplification and refactoring (relay modularization):
    - Disable relay_periodic when the relay module is disabled. Closes
      ticket 32244.
    - Disable relay_sys when the relay module is disabled. Closes
      ticket 32245.

  o Code simplification and refactoring (tool support):
    - Add numerous missing dependencies to our include files, so that
      they can be included in different reasonable orders and still
      compile. Addresses part of ticket 32764.
    - Fix some parts of our code that were difficult for Coccinelle to
      parse. Related to ticket 31705.
    - Fix some small issues in our code that prevented automatic
      formatting tools from working. Addresses part of ticket 32764.

Nick Mathewson's avatar
Nick Mathewson committed
1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436
  o Documentation (manpage):
    - Alphabetize the Client Options section of the tor manpage. Closes
      ticket 32846.
    - Alphabetize the General Options section of the tor manpage. Closes
      ticket 32708.
    - In the tor(1) manpage, reword and improve formatting of the
      COMMAND-LINE OPTIONS and DESCRIPTION sections. Closes ticket
      32277. Based on work by Swati Thacker as part of Google Season
      of Docs.
    - In the tor(1) manpage, reword and improve formatting of the FILES,
      SEE ALSO, and BUGS sections. Closes ticket 32176. Based on work by
      Swati Thacker as part of Google Season of Docs.

1437
  o Testing (circuit, EWMA):
Nick Mathewson's avatar
Nick Mathewson committed
1438 1439
    - Add unit tests for circuitmux and EWMA subsystems. Closes
      ticket 32196.
1440 1441 1442 1443 1444

  o Testing (continuous integration):
    - Use zstd in our Travis Linux builds. Closes ticket 32242.


1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949 1950 1951 1952 1953 1954 1955 1956 1957 1958 1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022