Changes in version 0.2.8.6 - 2016-08-02

  Tor 0.2.8.6 is the first stable version of the Tor 0.2.8 series.

  The Tor 0.2.8 series improves client bootstrapping performance,
  completes the authority-side implementation of improved identity
  keys for relays, and includes numerous bugfixes and performance
  improvements throughout the program. This release continues to
  improve the coverage of Tor's test suite.  For a full list of
  changes since Tor 0.2.7, see the ReleaseNotes file.

  Changes since 0.2.8.5-rc:

  o Minor features (geoip):
    - Update geoip and geoip6 to the July 6 2016 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (compilation):
    - Fix a compilation warning in the unit tests on systems where char
      is signed. Fixes bug 19682; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (fallback directories):
    - Remove a fallback that was on the hardcoded list, then opted-out.
      Fixes bug 19782; update to fallback list from 0.2.8.2-alpha.

  o Minor bugfixes (Linux seccomp2 sandbox):
    - Allow more syscalls when running with "Sandbox 1" enabled:
      sysinfo, getsockopt(SO_SNDBUF), and setsockopt(SO_SNDBUFFORCE). On
      some systems, these are required for Tor to start. Fixes bug
      18397; bugfix on 0.2.5.1-alpha. Patch from Daniel Pinto.
    - Allow IPPROTO_UDP datagram sockets when running with "Sandbox 1",
      so that get_interface_address6_via_udp_socket_hack() can work.
      Fixes bug 19660; bugfix on 0.2.5.1-alpha.


Changes in version 0.2.8.5-rc - 2016-07-07
  Tor 0.2.8.5-rc is the second release candidate in the Tor 0.2.8
  series. If we find no new bugs or regressions here, the first stable
  0.2.8 release will be identical to it. It has a few small bugfixes
  against previous versions.

  o Directory authority changes:
    - Urras is no longer a directory authority. Closes ticket 19271.

  o Major bugfixes (heartbeat):
    - Fix a regression that would crash Tor when the periodic
      "heartbeat" log messages were disabled. Fixes bug 19454; bugfix on
      0.2.8.1-alpha. Reported by "kubaku".

  o Minor features (build):
    - Tor now again builds with the recent OpenSSL 1.1 development
      branch (tested against 1.1.0-pre6-dev). Closes ticket 19499.
    - When building manual pages, set the timezone to "UTC", so that the
      output is reproducible. Fixes bug 19558; bugfix on 0.2.2.9-alpha.
      Patch from intrigeri.

  o Minor bugfixes (fallback directory selection):
    - Avoid errors during fallback selection if there are no eligible
      fallbacks. Fixes bug 19480; bugfix on 0.2.8.3-alpha. Patch
      by teor.

  o Minor bugfixes (IPv6, microdescriptors):
    - Don't check node addresses when we only have a routerstatus. This
      allows IPv6-only clients to bootstrap by fetching microdescriptors
      from fallback directory mirrors. (The microdescriptor consensus
      has no IPv6 addresses in it.) Fixes bug 19608; bugfix
      on 0.2.8.2-alpha.

  o Minor bugfixes (logging):
    - Reduce pointlessly verbose log messages when directory servers
      can't be found. Fixes bug 18849; bugfix on 0.2.8.3-alpha and
      0.2.8.1-alpha. Patch by teor.
    - When a fallback directory changes its fingerprint from the hard-
      coded fingerprint, log a less severe, more explanatory log
      message. Fixes bug 18812; bugfix on 0.2.8.1-alpha. Patch by teor.

  o Minor bugfixes (Linux seccomp2 sandboxing):
    - Allow statistics to be written to disk when "Sandbox 1" is
      enabled. Fixes bugs 19556 and 19957; bugfix on 0.2.5.1-alpha and
      0.2.6.1-alpha respectively.

  o Minor bugfixes (user interface):
    - Remove a warning message "Service [scrubbed] not found after
      descriptor upload". This message appears when one uses HSPOST
      control command to upload a service descriptor. Since there is
      only a descriptor and no service, showing this message is
      pointless and confusing. Fixes bug 19464; bugfix on 0.2.7.2-alpha.

  o Fallback directory list:
    - Add a comment to the generated fallback directory list that
      explains how to comment out unsuitable fallbacks in a way that's
      compatible with the stem fallback parser.
    - Update fallback whitelist and blacklist based on relay operator
      emails. Blacklist unsuitable (non-working, over-volatile)
      fallbacks. Resolves ticket 19071. Patch by teor.
    - Update hard-coded fallback list to remove unsuitable fallbacks.
      Resolves ticket 19071. Patch by teor.


Changes in version 0.2.8.4-rc - 2016-06-15
  Tor 0.2.8.4-rc is the first release candidate in the Tor 0.2.8 series.
  If we find no new bugs or regressions here, the first stable 0.2.8
  release will be identical to it. It has a few small bugfixes against
  previous versions.

  o Major bugfixes (user interface):
    - Correctly give a warning in the cases where a relay is specified
      by nickname, and one such relay is found, but it is not officially
      Named. Fixes bug 19203; bugfix on 0.2.3.1-alpha.

  o Minor features (build):
    - Tor now builds once again with the recent OpenSSL 1.1 development
      branch (tested against 1.1.0-pre5 and 1.1.0-pre6-dev).

  o Minor features (geoip):
    - Update geoip and geoip6 to the June 7 2016 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (compilation):
    - Cause the unit tests to compile correctly on mingw64 versions that
      lack sscanf. Fixes bug 19213; bugfix on 0.2.7.1-alpha.

  o Minor bugfixes (downloading):
    - Predict more correctly whether we'll be downloading over HTTP when
      we determine the maximum length of a URL. This should avoid a
      "BUG" warning about the Squid HTTP proxy and its URL limits. Fixes
      bug 19191.


Changes in version 0.2.8.3-alpha - 2016-05-26
  Tor 0.2.8.3-alpha resolves several bugs, most of them introduced over
  the course of the 0.2.8 development cycle. It improves the behavior of
  directory clients, fixes several crash bugs, fixes a gap in compiler
  hardening, and allows the full integration test suite to run on
  more platforms.

  o Major bugfixes (security, client, DNS proxy):
    - Stop a crash that could occur when a client running with DNSPort
      received a query with multiple address types, and the first
      address type was not supported. Found and fixed by Scott Dial.
      Fixes bug 18710; bugfix on 0.2.5.4-alpha.

  o Major bugfixes (security, compilation):
    - Correctly detect compiler flags on systems where _FORTIFY_SOURCE
      is predefined. Previously, our use of -D_FORTIFY_SOURCE would
      cause a compiler warning, thereby making other checks fail, and
      needlessly disabling compiler-hardening support. Fixes one case of
      bug 18841; bugfix on 0.2.3.17-beta. Patch from "trudokal".

  o Major bugfixes (security, directory authorities):
    - Fix a crash and out-of-bounds write during authority voting, when
      the list of relays includes duplicate ed25519 identity keys. Fixes
      bug 19032; bugfix on 0.2.8.2-alpha.

  o Major bugfixes (client, bootstrapping):
    - Check if bootstrap consensus downloads are still needed when the
      linked connection attaches. This prevents tor making unnecessary
      begindir-style connections, which are the only directory
      connections tor clients make since the fix for 18483 was merged.
    - Fix some edge cases where consensus download connections may not
      have been closed, even though they were not needed. Related to fix
      for 18809.
    - Make relays retry consensus downloads the correct number of times,
      rather than the more aggressive client retry count. Fixes part of
      ticket 18809.
    - Stop downloading consensuses when we have a consensus, even if we
      don't have all the certificates for it yet. Fixes bug 18809;
      bugfix on 0.2.8.1-alpha. Patches by arma and teor.

  o Major bugfixes (directory mirrors):
    - Decide whether to advertise begindir support in the same way
      we decide whether to advertise our DirPort. Allowing these
      decisions to become out-of-sync led to surprising behavior like
      advertising begindir support when hibernation made us not
      advertise a DirPort. Resolves bug 18616; bugfix on 0.2.8.1-alpha.
      Patch by teor.

  o Major bugfixes (IPv6 bridges, client):
    - Actually use IPv6 addresses when selecting directory addresses for
      IPv6 bridges. Fixes bug 18921; bugfix on 0.2.8.1-alpha. Patch
      by teor.

  o Major bugfixes (key management):
    - If OpenSSL fails to generate an RSA key, do not retain a dangling
      pointer to the previous (uninitialized) key value. The impact here
      should be limited to a difficult-to-trigger crash, if OpenSSL is
      running an engine that makes key generation failures possible, or
      if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
      0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
      Baishakhi Ray.

  o Major bugfixes (testing):
    - Fix a bug that would block 'make test-network-all' on systems where
      IPv6 packets were lost. Fixes bug 19008; bugfix on 0.2.7.3-rc.
    - Avoid "WSANOTINITIALISED" warnings in the unit tests. Fixes bug 18668;
      bugfix on 0.2.8.1-alpha.

  o Minor features (clients):
    - Make clients, onion services, and bridge relays always use an
      encrypted begindir connection for directory requests. Resolves
      ticket 18483. Patch by teor.

  o Minor features (fallback directory mirrors):
    - Give each fallback the same weight for client selection; restrict
      fallbacks to one per operator; report fallback directory detail
      changes when rebuilding list; add new fallback directory mirrors
      to the whitelist; update fallback directories based on the latest
      OnionOO data; and any other minor simplifications and fixes.
      Closes tasks 17158, 17905, 18749, bug 18689, and fixes part of bug
      18812 on 0.2.8.1-alpha; patch by teor.

  o Minor features (geoip):
    - Update geoip and geoip6 to the May 4 2016 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (assert, portability):
    - Fix an assertion failure in memarea.c on systems where "long" is
      shorter than the size of a pointer. Fixes bug 18716; bugfix
      on 0.2.1.1-alpha.

  o Minor bugfixes (bootstrap):
    - Consistently use the consensus download schedule for authority
      certificates. Fixes bug 18816; bugfix on 0.2.4.13-alpha.

  o Minor bugfixes (build):
    - Remove a pair of redundant AM_CONDITIONAL declarations from
      configure.ac. Fixes one final case of bug 17744; bugfix
      on 0.2.8.2-alpha.
    - Resolve warnings when building on systems that are concerned with
      signed char. Fixes bug 18728; bugfix on 0.2.7.2-alpha
      and 0.2.6.1-alpha.
    - When libscrypt.h is found, but no libscrypt library can be linked,
      treat libscrypt as absent. Fixes bug 19161; bugfix
      on 0.2.6.1-alpha.

  o Minor bugfixes (client):
    - Turn all TestingClientBootstrap* into non-testing torrc options.
      This change simply renames them by removing "Testing" in front of
      them and they do not require TestingTorNetwork to be enabled
      anymore. Fixes bug 18481; bugfix on 0.2.8.1-alpha.
    - Make directory node selection more reliable, mainly for IPv6-only
      clients and clients with few reachable addresses. Fixes bug 18929;
      bugfix on 0.2.8.1-alpha. Patch by teor.

  o Minor bugfixes (controller, microdescriptors):
    - Make GETINFO dir/status-vote/current/consensus conform to the
      control specification by returning "551 Could not open cached
      consensus..." when not caching consensuses. Fixes bug 18920;
      bugfix on 0.2.2.6-alpha.

  o Minor bugfixes (crypto, portability):
    - The SHA3 and SHAKE routines now produce the correct output on Big
      Endian systems. No code calls either algorithm yet, so this is
      primarily a build fix. Fixes bug 18943; bugfix on 0.2.8.1-alpha.
    - Tor now builds again with the recent OpenSSL 1.1 development
      branch (tested against 1.1.0-pre4 and 1.1.0-pre5-dev). Closes
      ticket 18286.

  o Minor bugfixes (directories):
    - When fetching extrainfo documents, compare their SHA256 digests
      and Ed25519 signing key certificates with the routerinfo that led
      us to fetch them, rather than with the most recent routerinfo.
      Otherwise we generate many spurious warnings about mismatches.
      Fixes bug 17150; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (logging):
    - When we can't generate a signing key because OfflineMasterKey is
      set, do not imply that we should have been able to load it. Fixes
      bug 18133; bugfix on 0.2.7.2-alpha.
    - Stop periodic_event_dispatch() from blasting twelve lines per
      second at loglevel debug. Fixes bug 18729; fix on 0.2.8.1-alpha.
    - When rejecting a misformed INTRODUCE2 cell, only log at
      PROTOCOL_WARN severity. Fixes bug 18761; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (pluggable transports):
    - Avoid reporting a spurious error when we decide that we don't need
      to terminate a pluggable transport because it has already exited.
      Fixes bug 18686; bugfix on 0.2.5.5-alpha.

  o Minor bugfixes (pointer arithmetic):
    - Fix a bug in memarea_alloc() that could have resulted in remote
      heap write access, if Tor had ever passed an unchecked size to
      memarea_alloc(). Fortunately, all the sizes we pass to
      memarea_alloc() are pre-checked to be less than 128 kilobytes.
      Fixes bug 19150; bugfix on 0.2.1.1-alpha. Bug found by
      Guido Vranken.

  o Minor bugfixes (relays):
    - Consider more config options when relays decide whether to
      regenerate their descriptor. Fixes more of bug 12538; bugfix
      on 0.2.8.1-alpha.
    - Resolve some edge cases where we might launch an ORPort
      reachability check even when DisableNetwork is set. Noticed while
      fixing bug 18616; bugfix on 0.2.3.9-alpha.

  o Minor bugfixes (statistics):
    - We now include consensus downloads via IPv6 in our directory-
      request statistics. Fixes bug 18460; bugfix on 0.2.3.14-alpha.

  o Minor bugfixes (testing):
    - Allow directories in small networks to bootstrap by skipping
      DirPort checks when the consensus has no exits. Fixes bug 19003;
      bugfix on 0.2.8.1-alpha. Patch by teor.
    - Fix a small memory leak that would occur when the
      TestingEnableCellStatsEvent option was turned on. Fixes bug 18673;
      bugfix on 0.2.5.2-alpha.

  o Minor bugfixes (time handling):
    - When correcting a corrupt 'struct tm' value, fill in the tm_wday
      field. Otherwise, our unit tests crash on Windows. Fixes bug
      18977; bugfix on 0.2.2.25-alpha.

  o Documentation:
    - Document the contents of the 'datadir/keys' subdirectory in the
      manual page. Closes ticket 17621.
    - Stop recommending use of nicknames to identify relays in our
      MapAddress documentation. Closes ticket 18312.


Changes in version 0.2.8.2-alpha - 2016-03-28
  Tor 0.2.8.2-alpha is the second alpha in its series. It fixes numerous
  bugs in earlier versions of Tor, including some that prevented
  authorities using Tor 0.2.7.x from running correctly. IPv6 and
  directory support should also be much improved.

  o New system requirements:
    - Tor no longer supports versions of OpenSSL with a broken
      implementation of counter mode. (This bug was present in OpenSSL
      1.0.0, and was fixed in OpenSSL 1.0.0a.) Tor still detects, but no
      longer runs with, these versions.
    - Tor no longer attempts to support platforms where the "time_t"
      type is unsigned. (To the best of our knowledge, only OpenVMS does
      this, and Tor has never actually built on OpenVMS.) Closes
      ticket 18184.
    - Tor now uses Autoconf version 2.63 or later, and Automake 1.11 or
      later (released in 2008 and 2009 respectively). If you are
      building Tor from the git repository instead of from the source
      distribution, and your tools are older than this, you will need to
      upgrade. Closes ticket 17732.

  o Major bugfixes (security, pointers):
    - Avoid a difficult-to-trigger heap corruption attack when extending
      a smartlist to contain over 16GB of pointers. Fixes bug 18162;
      bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
      Reported by Guido Vranken.

  o Major bugfixes (bridges, pluggable transports):
    - Modify the check for OR connections to private addresses. Allow
      bridges on private addresses, including pluggable transports that
      ignore the (potentially private) address in the bridge line. Fixes
      bug 18517; bugfix on 0.2.8.1-alpha. Reported by gk, patch by teor.

  o Major bugfixes (compilation):
    - Repair hardened builds under the clang compiler. Previously, our
      use of _FORTIFY_SOURCE would conflict with clang's address
      sanitizer. Fixes bug 14821; bugfix on 0.2.5.4-alpha.

  o Major bugfixes (crash on shutdown):
    - Correctly handle detaching circuits from muxes when shutting down.
      Fixes bug 18116; bugfix on 0.2.8.1-alpha.
    - Fix an assert-on-exit bug related to counting memory usage in
      rephist.c. Fixes bug 18651; bugfix on 0.2.8.1-alpha.

  o Major bugfixes (crash on startup):
    - Fix a segfault during startup: If a Unix domain socket was
      configured as listener (such as a ControlSocket or a SocksPort
      "unix:" socket), and tor was started as root but not configured to
      switch to another user, tor would segfault while trying to string
      compare a NULL value. Fixes bug 18261; bugfix on 0.2.8.1-alpha.
      Patch by weasel.

  o Major bugfixes (dns proxy mode, crash):
    - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
      bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".

  o Major bugfixes (relays, bridge clients):
    - Ensure relays always allow IPv4 OR and Dir connections. Ensure
      bridge clients use the address configured in the bridge line.
      Fixes bug 18348; bugfix on 0.2.8.1-alpha. Reported by sysrqb,
      patch by teor.

  o Major bugfixes (voting):
    - Actually enable support for authorities to match routers by their
      Ed25519 identities. Previously, the code had been written, but
      some debugging code that had accidentally been left in the
      codebase made it stay turned off. Fixes bug 17702; bugfix
      on 0.2.7.2-alpha.
    - When collating votes by Ed25519 identities, authorities now
      include a "NoEdConsensus" flag if the ed25519 value (or lack
      thereof) for a server does not reflect the majority consensus.
      Related to bug 17668; bugfix on 0.2.7.2-alpha.
    - When generating a vote with keypinning disabled, never include two
      entries for the same ed25519 identity. This bug was causing
      authorities to generate votes that they could not parse when a
      router violated key pinning by changing its RSA identity but
      keeping its Ed25519 identity. Fixes bug 17668; fixes part of bug
      18318. Bugfix on 0.2.7.2-alpha.

  o Minor features (security, win32):
    - Set SO_EXCLUSIVEADDRUSE on Win32 to avoid a local port-stealing
      attack. Fixes bug 18123; bugfix on all tor versions. Patch
      by teor.

  o Minor features (bug-resistance):
    - Make Tor survive errors involving connections without a
      corresponding event object. Previously we'd fail with an
      assertion; now we produce a log message. Related to bug 16248.

  o Minor features (build):
    - Detect systems with FreeBSD-derived kernels (such as GNU/kFreeBSD)
      as having possible IPFW support. Closes ticket 18448. Patch from
      Steven Chamberlain.

  o Minor features (code hardening):
    - Use tor_snprintf() and tor_vsnprintf() even in external and low-
      level code, to harden against accidental failures to NUL-
      terminate. Part of ticket 17852. Patch from jsturgix. Found
      with Flawfinder.

  o Minor features (crypto):
    - Validate the hard-coded Diffie-Hellman parameters and ensure that
      p is a safe prime, and g is a suitable generator. Closes
      ticket 18221.

  o Minor features (geoip):
    - Update geoip and geoip6 to the March 3 2016 Maxmind GeoLite2
      Country database.

  o Minor features (hidden service directory):
    - Streamline relay-side hsdir handling: when relays consider whether
      to accept an uploaded hidden service descriptor, they no longer
      check whether they are one of the relays in the network that is
      "supposed" to handle that descriptor. Implements ticket 18332.

  o Minor features (IPv6):
    - Add ClientPreferIPv6DirPort, which is set to 0 by default. If set
      to 1, tor prefers IPv6 directory addresses.
    - Add ClientUseIPv4, which is set to 1 by default. If set to 0, tor
      avoids using IPv4 for client OR and directory connections.
    - Try harder to obey the IP version restrictions "ClientUseIPv4 0",
      "ClientUseIPv6 0", "ClientPreferIPv6ORPort", and
      "ClientPreferIPv6DirPort". Closes ticket 17840; patch by teor.

  o Minor features (linux seccomp2 sandbox):
    - Reject attempts to change our Address with "Sandbox 1" enabled.
      Changing Address with Sandbox turned on would never actually work,
      but previously it would fail in strange and confusing ways. Found
      while fixing 18548.

  o Minor features (robustness):
    - Exit immediately with an error message if the code attempts to use
      Libevent without having initialized it. This should resolve some
      frequently-made mistakes in our unit tests. Closes ticket 18241.

  o Minor features (unix domain sockets):
    - Add a new per-socket option, RelaxDirModeCheck, to allow creating
      Unix domain sockets without checking the permissions on the parent
      directory. (Tor checks permissions by default because some
      operating systems only check permissions on the parent directory.
      However, some operating systems do look at permissions on the
      socket, and tor's default check is unneeded.) Closes ticket 18458.
      Patch by weasel.

  o Minor bugfixes (exit policies, security):
    - Refresh an exit relay's exit policy when interface addresses
      change. Previously, tor only refreshed the exit policy when the
      configured external address changed. Fixes bug 18208; bugfix on
      0.2.7.3-rc. Patch by teor.

  o Minor bugfixes (security, hidden services):
    - Prevent hidden services connecting to client-supplied rendezvous
      addresses that are reserved as internal or multicast. Fixes bug
      8976; bugfix on 0.2.3.21-rc. Patch by dgoulet and teor.

  o Minor bugfixes (build):
    - Do not link the unit tests against both the testing and non-
      testing versions of the static libraries. Fixes bug 18490; bugfix
      on 0.2.7.1-alpha.
    - Avoid spurious failures from configure files related to calling
      exit(0) in TOR_SEARCH_LIBRARY. Fixes bug 18625; bugfix on
      0.2.0.1-alpha. Patch from "cypherpunks".
    - Silence spurious clang-scan warnings in the ed25519_donna code by
      explicitly initializing some objects. Fixes bug 18384; bugfix on
      0.2.7.2-alpha. Patch by teor.

  o Minor bugfixes (client, bootstrap):
    - Count receipt of new microdescriptors as progress towards
      bootstrapping. Previously, with EntryNodes set, Tor might not
      successfully repopulate the guard set on bootstrapping. Fixes bug
      16825; bugfix on 0.2.3.1-alpha.

  o Minor bugfixes (code correctness):
    - Update to the latest version of Trunnel, which tries harder to
      avoid generating code that can invoke memcpy(p,NULL,0). Bug found
      by clang address sanitizer. Fixes bug 18373; bugfix
      on 0.2.7.2-alpha.

  o Minor bugfixes (configuration):
    - Fix a tiny memory leak when parsing a port configuration ending in
      ":auto". Fixes bug 18374; bugfix on 0.2.3.3-alpha.

  o Minor bugfixes (containers):
    - If we somehow attempt to construct a heap with more than
      1073741822 elements, avoid an integer overflow when maintaining
      the heap property. Fixes bug 18296; bugfix on 0.1.2.1-alpha.

  o Minor bugfixes (correctness):
    - Fix a bad memory handling bug that would occur if we had queued a
      cell on a channel's incoming queue. Fortunately, we can't actually
      queue a cell like that as our code is constructed today, but it's
      best to avoid this kind of error, even if there isn't any code
      that triggers it today. Fixes bug 18570; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (directory):
    - When generating a URL for a directory server on an IPv6 address,
      wrap the IPv6 address in square brackets. Fixes bug 18051; bugfix
      on 0.2.3.9-alpha. Patch from Malek.

  o Minor bugfixes (fallback directory mirrors):
    - When requesting extrainfo descriptors from a trusted directory
      server, check whether it is an authority or a fallback directory
      which supports extrainfo descriptors. Fixes bug 18489; bugfix on
      0.2.4.7-alpha. Reported by atagar, patch by teor.

  o Minor bugfixes (hidden service, client):
    - Handle the case where the user makes several fast consecutive
      requests to the same .onion address. Previously, the first six
      requests would each trigger a descriptor fetch, each picking a
      directory (there are 6 overall) and the seventh one would fail
      because no directories were left, thereby triggering a close on
      all current directory connections asking for the hidden service.
      The solution here is to not close the connections if we have
      pending directory fetches. Fixes bug 15937; bugfix
      on 0.2.7.1-alpha.

  o Minor bugfixes (hidden service, control port):
    - Add the onion address to the HS_DESC event for the UPLOADED action
      both on success or failure. It was previously hardcoded with
      UNKNOWN. Fixes bug 16023; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (hidden service, directory):
    - Bridges now refuse "rendezvous2" (hidden service descriptor)
      publish attempts. Suggested by ticket 18332.

  o Minor bugfixes (linux seccomp2 sandbox):
    - Allow the setrlimit syscall, and the prlimit and prlimit64
      syscalls, which some libc implementations use under the hood.
      Fixes bug 15221; bugfix on 0.2.5.1-alpha.
    - Avoid a 10-second delay when starting as a client with "Sandbox 1"
      enabled and no DNS resolvers configured. This should help TAILS
      start up faster. Fixes bug 18548; bugfix on 0.2.5.1-alpha.
    - Fix the sandbox's interoperability with unix domain sockets under
      setuid. Fixes bug 18253; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (logging):
    - When logging information about an unparsable networkstatus vote or
      consensus, do not say "vote" when we mean consensus. Fixes bug
      18368; bugfix on 0.2.0.8-alpha.
    - Scrub service name in "unrecognized service ID" log messages.
      Fixes bug 18600; bugfix on 0.2.4.11-alpha.
    - Downgrade logs and backtraces about IP versions to info-level.
      Only log backtraces once each time tor runs. Assists in diagnosing
      bug 18351; bugfix on 0.2.8.1-alpha. Reported by sysrqb and
      Christian, patch by teor.

  o Minor bugfixes (memory safety):
    - Avoid freeing an uninitialized pointer when opening a socket fails
      in get_interface_addresses_ioctl(). Fixes bug 18454; bugfix on
      0.2.3.11-alpha. Reported by toralf and "cypherpunks", patch
      by teor.
    - Correctly duplicate addresses in get_interface_address6_list().
      Fixes bug 18454; bugfix on 0.2.8.1-alpha. Reported by toralf,
      patch by "cypherpunks".
    - Fix a memory leak in tor-gencert. Fixes part of bug 18672; bugfix
      on 0.2.0.1-alpha.
    - Fix a memory leak in "tor --list-fingerprint". Fixes part of bug
      18672; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (private directory):
    - Prevent a race condition when creating private directories. Fixes
      part of bug 17852; bugfix on 0.0.2pre13. Part of ticket 17852.
      Patch from jsturgix. Found with Flawfinder.

  o Minor bugfixes (test networks, IPv6):
    - Allow internal IPv6 addresses in descriptors in test networks.
      Fixes bug 17153; bugfix on 0.2.3.16-alpha. Patch by teor, reported
      by karsten.

  o Minor bugfixes (testing):
    - We no longer disable assertions in the unit tests when coverage is
      enabled. Instead, we require you to say --disable-asserts-in-tests
      to the configure script if you need assertions disabled in the
      unit tests (for example, if you want to perform branch coverage).
      Fixes bug 18242; bugfix on 0.2.7.1-alpha.

  o Minor bugfixes (time parsing):
    - Avoid overflow in tor_timegm when parsing dates in and after 2038
      on platforms with 32-bit time_t. Fixes bug 18479; bugfix on
      0.0.2pre14. Patch by teor.
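
The failure mode behind the tor_timegm entry above, as an added example (not Tor's code): the epoch-seconds sum is carried out in 64 bits and range-checked before it is narrowed to the platform's time_t. The names `utc_fields`, `checked_timegm`, `wrapped_timegm32` and the `time_max` parameter (standing in for the largest value time_t can hold) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Broken-down UTC time; month is 1..12. Hypothetical type for this example. */
struct utc_fields { int year, month, day, hour, minute, second; };

static const int days_before_month[12] =
  { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 };
static const int days_in_month[12] =
  { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };

static int is_leap(int64_t y)
{
  return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Seconds since 1970-01-01 00:00:00 UTC, computed entirely in 64 bits.
 * Returns -1 if any field is out of range (valid results are never negative
 * because years before 1970 are rejected). */
static int64_t utc_to_seconds64(const struct utc_fields *f)
{
  if (f->year < 1970 || f->month < 1 || f->month > 12 ||
      f->hour < 0 || f->hour > 23 || f->minute < 0 || f->minute > 59 ||
      f->second < 0 || f->second > 59)
    return -1;
  int dim = days_in_month[f->month - 1] + (f->month == 2 && is_leap(f->year));
  if (f->day < 1 || f->day > dim)
    return -1;

  int64_t y = (int64_t)f->year - 1;   /* last full year before f->year */
  /* Leap days in [1970, f->year): leap years up to y minus the 477 up to 1969. */
  int64_t leap_days = (y / 4 - y / 100 + y / 400) - 477;
  int64_t days = ((int64_t)f->year - 1970) * 365 + leap_days
               + days_before_month[f->month - 1]
               + (f->month > 2 && is_leap(f->year))
               + (f->day - 1);
  return days * 86400 + (int64_t)f->hour * 3600 + f->minute * 60 + f->second;
}

/* Hardened form: refuse anything the platform's time_t cannot represent.
 * Pass INT32_MAX as time_max to model a 32-bit time_t. Returns -1 on error. */
int64_t checked_timegm(const struct utc_fields *f, int64_t time_max)
{
  int64_t t = utc_to_seconds64(f);
  if (t < 0 || t > time_max)
    return -1;
  return t;
}

/* The failure mode: the same value stored in a 32-bit signed time_t.
 * Unsigned arithmetic models the wraparound without undefined behaviour.
 * Invalid fields also yield -1. */
int64_t wrapped_timegm32(const struct utc_fields *f)
{
  int64_t t = utc_to_seconds64(f);
  if (t < 0)
    return -1;
  uint32_t low = (uint32_t)t;          /* keep only the low 32 bits */
  return low >= 0x80000000u ? (int64_t)low - 4294967296LL : (int64_t)low;
}

int main(void)
{
  /* Constructed inputs: the last second a 32-bit time_t can hold, and the
   * first one it cannot. */
  struct utc_fields last_ok = { 2038, 1, 19, 3, 14, 7 };
  struct utc_fields first_bad = { 2038, 1, 19, 3, 14, 8 };
  printf("last_ok   checked=%lld\n",
         (long long)checked_timegm(&last_ok, INT32_MAX));
  printf("first_bad checked=%lld wrapped=%lld\n",
         (long long)checked_timegm(&first_bad, INT32_MAX),
         (long long)wrapped_timegm32(&first_bad));
  return 0;
}
```

A parser that accepts the wrapped value would place a date from 2038 in 1901, which matters wherever expiry or validity times are compared.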

  o Minor bugfixes (tor-gencert):
    - Correctly handle the case where an authority operator enters a
      passphrase but sends an EOF before sending a newline. Fixes bug
      17443; bugfix on 0.2.0.20-rc. Found by junglefowl.

  o Code simplification and refactoring:
    - Quote all the string interpolations in configure.ac -- even those
      which we are pretty sure can't contain spaces. Closes ticket
      17744. Patch from zerosion.
    - Remove specialized code for non-inplace AES_CTR. 99% of our AES is
      inplace, so there's no need to have a separate implementation for
      the non-inplace code. Closes ticket 18258. Patch from Malek.
    - Simplify return types for some crypto functions that can't
      actually fail. Patch from Hassan Alsibyani. Closes ticket 18259.

  o Documentation:
    - Change build messages to refer to "Fedora" instead of "Fedora
      Core", and "dnf" instead of "yum". Closes tickets 18459 and 18426.
      Patches from "icanhasaccount" and "cypherpunks".

  o Removed features:
    - We no longer maintain an internal freelist in memarea.c.
      Allocators should be good enough to make this code unnecessary,
      and it's doubtful that it ever had any performance benefit.

  o Testing:
    - Fix several warnings from clang's address sanitizer produced in
      the unit tests.
    - Treat backtrace test failures as expected on FreeBSD until we
      solve bug 17808. Closes ticket 18204.


Changes in version 0.2.8.1-alpha - 2016-02-04
  Tor 0.2.8.1-alpha is the first alpha release in its series. It
  includes numerous small features and bugfixes against previous Tor
  versions, and numerous small infrastructure improvements. The most
  notable features are a set of improvements to the directory subsystem.

  o Major features (security, Linux):
    - When Tor starts as root on Linux and is told to switch user ID, it
      can now retain the capability to bind to low ports. By default,
      Tor will do this only when it's switching user ID and some low
      ports have been configured. You can change this behavior with the
      new option KeepBindCapabilities. Closes ticket 8195.

  o Major features (directory system):
    - When bootstrapping multiple consensus downloads at a time, use the
      first one that starts downloading, and close the rest. This
      reduces failures when authorities or fallback directories are slow
      or down. Together with the code for feature 15775, this feature
      should reduce failures due to fallback churn. Implements ticket
      4483. Patch by teor. Implements IPv4 portions of proposal 210 by
      mikeperry and teor.
    - Include a trial list of default fallback directories, based on an
      opt-in survey of suitable relays. Doing this should make clients
      bootstrap more quickly and reliably, and reduce the load on the
      directory authorities. Closes ticket 15775. Patch by teor.
      Candidates identified using an OnionOO script by weasel, teor,
      gsathya, and karsten.
    - Previously only relays that explicitly opened a directory port
      (DirPort) accepted directory requests from clients. Now all
      relays, with and without a DirPort, accept and serve tunneled
      directory requests that they receive through their ORPort. You can
      disable this behavior using the new DirCache option. Closes
      ticket 12538.

  o Major key updates:
    - Update the V3 identity key for the dannenberg directory authority:
      it was changed on 18 November 2015. Closes task 17906. Patch
      by teor.

  o Minor features (security, clock):
    - Warn when the system clock appears to move back in time (when the
      state file was last written in the future). Tor doesn't know that
      consensuses have expired if the clock is in the past. Patch by
      teor. Implements ticket 17188.

  o Minor features (security, exit policies):
    - ExitPolicyRejectPrivate now rejects more private addresses by
      default. Specifically, it now rejects the relay's outbound bind
      addresses (if configured), and the relay's configured port
      addresses (such as ORPort and DirPort). Fixes bug 17027; bugfix on
      0.2.0.11-alpha. Patch by teor.

  o Minor features (security, memory erasure):
    - Set the unused entries in a smartlist to NULL. This helped catch
      a (harmless) bug, and shouldn't affect performance too much.
      Implements ticket 17026.
    - Use SecureMemoryWipe() function to securely clean memory on
      Windows. Previously we'd use OpenSSL's OPENSSL_cleanse() function.
      Implements feature 17986.
    - Use explicit_bzero or memset_s when present. Previously, we'd use
      OpenSSL's OPENSSL_cleanse() function. Closes ticket 7419; patches
      from <logan@hackers.mu> and <selven@hackers.mu>.
    - Make memwipe() do nothing when passed a NULL pointer or buffer of
      zero size. Check size argument to memwipe() for underflow. Fixes
      bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by gk,
      patch by teor.

  o Minor features (security, RNG):
    - Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely,
      positively are not allowed to fail. Previously we depended on
      internal details of OpenSSL's behavior. Closes ticket 17686.
    - Never use the system entropy output directly for anything besides
      seeding the PRNG. When we want to generate important keys, instead
      of using system entropy directly, we now hash it with the PRNG
      stream. This may help resist certain attacks based on broken OS
      entropy implementations. Closes part of ticket 17694.
    - Use modern system calls (like getentropy() or getrandom()) to
      generate strong entropy on platforms that have them. Closes
      ticket 13696.

  o Minor features (accounting):
    - Added two modes to the AccountingRule option: One for limiting
      only the number of bytes sent ("AccountingRule out"), and one for
      limiting only the number of bytes received ("AccountingRule in").
      Closes ticket 15989; patch from "unixninja92".

  o Minor features (build):
    - Since our build process now uses "make distcheck", we no longer
      force "make dist" to depend on "make check". Closes ticket 17893;
      patch from "cypherpunks."
    - Tor now builds successfully with the recent OpenSSL 1.1
      development branch, and with the latest LibreSSL. Closes tickets
      17549, 17921, and 17984.

  o Minor features (controller):
    - Adds the FallbackDir entries to 'GETINFO config/defaults'. Closes
      tickets 16774 and 17817. Patch by George Tankersley.
    - New 'GETINFO hs/service/desc/id/' command to retrieve a hidden
      service descriptor from a service's local hidden service
      descriptor cache. Closes ticket 14846.
    - Add 'GETINFO exit-policy/reject-private/[default,relay]', so
      controllers can examine the reject rules added by
      ExitPolicyRejectPrivate. This makes it easier for stem to display
      exit policies.

  o Minor features (crypto):
    - Add SHA512 support to crypto.c. Closes ticket 17663; patch from
      George Tankersley.
    - Add SHA3 and SHAKE support to crypto.c. Closes ticket 17783.
    - When allocating a digest state object, allocate no more space than
      we actually need. Previously, we would allocate as much space as
      the state for the largest algorithm would need. This change saves
      up to 672 bytes per circuit. Closes ticket 17796.
    - Improve performance when hashing non-multiple of 8 sized buffers,
      based on Andrew Moon's public domain SipHash-2-4 implementation.
      Fixes bug 17544; bugfix on 0.2.5.3-alpha.

  o Minor features (directory downloads):
    - Wait for busy authorities and fallback directories to become non-
      busy when bootstrapping. (A similar change was made in 6c443e987d
      for directory caches chosen from the consensus.) Closes ticket
      17864; patch by teor.
    - Add UseDefaultFallbackDirs, which enables any hard-coded fallback
      directory mirrors. The default is 1; set it to 0 to disable
      fallbacks. Implements ticket 17576. Patch by teor.

  o Minor features (geoip):
    - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
      Country database.

  o Minor features (IPv6):
    - Add an argument 'ipv6=address:orport' to the DirAuthority and
      FallbackDir torrc options, to specify an IPv6 address for an
      authority or fallback directory. Add hard-coded ipv6 addresses for
      directory authorities that have them. Closes ticket 17327; patch
      from Nick Mathewson and teor.
    - Add address policy assume_action support for IPv6 addresses.
    - Limit IPv6 mask bits to 128.
    - Warn when comparing against an AF_UNSPEC address in a policy; it's
      almost always a bug. Closes ticket 17863; patch by teor.
    - Allow users to configure directory authorities and fallback
      directory servers with IPv6 addresses and ORPorts. Resolves
      ticket 6027.
    - routerset_parse now accepts IPv6 literal addresses. Fixes bug
      17060; bugfix on 0.2.1.3-alpha. Patch by teor.
    - Make tor_ersatz_socketpair work on IPv6-only systems. Fixes bug
      17638; bugfix on 0.0.2pre8. Patch by teor.

  o Minor features (logging):
    - When logging to syslog, allow a tag to be added to the syslog
      identity (the string prepended to every log message). The tag can
      be configured with SyslogIdentityTag and defaults to none. Setting
      it to "foo" will cause logs to be tagged as "Tor-foo". Closes
      ticket 17194.

  o Minor features (portability):
    - Use timingsafe_memcmp() where available. Closes ticket 17944;
      patch from <logan@hackers.mu>.

  o Minor features (relay, address discovery):
    - Add a family argument to get_interface_addresses_raw() and
      subfunctions to make network interface address interrogation more
      efficient. Now Tor can specifically ask for IPv4, IPv6 or both
      types of interfaces from the operating system. Resolves
      ticket 17950.
    - When get_interface_address6_list(.,AF_UNSPEC,.) is called and
      fails to enumerate interface addresses using the platform-specific
      API, have it rely on the UDP socket fallback technique to try and
      find out what IP addresses (both IPv4 and IPv6) our machine has.
      Resolves ticket 17951.

  o Minor features (replay cache):
    - The replay cache now uses SHA256 instead of SHA1. Implements
      feature 8961. Patch by teor, issue reported by rransom.

  o Minor features (unix file permissions):
    - Defer creation of Unix sockets until after setuid. This avoids
      needing CAP_CHOWN and CAP_FOWNER when using systemd's
      CapabilityBoundingSet, or chown and fowner when using SELinux.
      Implements part of ticket 17562. Patch from Jamie Nguyen.
    - If any directory created by Tor is marked as group readable, the
      filesystem group is allowed to be either the default GID or the
      root user. Allowing root to read the DataDirectory prevents the
      need for CAP_READ_SEARCH when using systemd's
      CapabilityBoundingSet, or dac_read_search when using SELinux.
      Implements part of ticket 17562. Patch from Jamie Nguyen.
    - Introduce a new DataDirectoryGroupReadable option. If it is set to
      1, the DataDirectory will be made readable by the default GID.
      Implements part of ticket 17562. Patch from Jamie Nguyen.

  o Minor bugfixes (accounting):
    - The max bandwidth when using 'AccountingRule sum' is now correctly
      logged. Fixes bug 18024; bugfix on 0.2.6.1-alpha. Patch
      from "unixninja92".

  o Minor bugfixes (code correctness):
    - When closing an entry connection, generate a warning if we should
      have sent an end cell for it but we haven't. Fixes bug 17876;
      bugfix on 0.2.3.2-alpha.
    - Assert that allocated memory held by the reputation code is freed
      according to its internal counters. Fixes bug 17753; bugfix
      on 0.1.1.1-alpha.
    - Assert when the TLS contexts fail to initialize. Fixes bug 17683;
      bugfix on 0.0.6.

  o Minor bugfixes (compilation):
    - Mark all object files that include micro-revision.i as depending
      on it, so as to make parallel builds more reliable. Fixes bug
      17826; bugfix on 0.2.5.1-alpha.
    - Don't try to use the pthread_condattr_setclock() function unless
      it actually exists. Fixes compilation on NetBSD-6.x. Fixes bug
      17819; bugfix on 0.2.6.3-alpha.
    - Fix backtrace compilation on FreeBSD. Fixes bug 17827; bugfix
      on 0.2.5.2-alpha.
    - Fix search for libevent libraries on OpenBSD (and other systems
      that install libevent 1 and libevent 2 in parallel). Fixes bug
      16651; bugfix on 0.1.0.7-rc. Patch from "rubiate".
    - Isolate environment variables meant for tests from the rest of the
      build system. Fixes bug 17818; bugfix on 0.2.7.3-rc.
    - Replace usage of 'INLINE' with 'inline'. Fixes bug 17804; bugfix
      on 0.0.2pre8.
    - Remove config.log only from make distclean, not from make clean.
      Fixes bug 17924; bugfix on 0.2.4.1-alpha.

  o Minor bugfixes (crypto):
    - Check the return value of HMAC() and assert on failure. Fixes bug
      17658; bugfix on 0.2.3.6-alpha. Patch by teor.

  o Minor bugfixes (fallback directories):
    - Mark fallbacks as "too busy" when they return a 503 response,
      rather than just marking authorities. Fixes bug 17572; bugfix on
      0.2.4.7-alpha. Patch by teor.

  o Minor bugfixes (IPv6):
    - Update the limits in max_dl_per_request for IPv6 address length.
      Fixes bug 17573; bugfix on 0.2.1.5-alpha.

  o Minor bugfixes (linux seccomp2 sandbox):
    - Fix a crash when using offline master ed25519 keys with the Linux
      seccomp2 sandbox enabled. Fixes bug 17675; bugfix on 0.2.7.3-rc.

  o Minor bugfixes (logging):
    - In log messages that include a function name, use __FUNCTION__
      instead of __PRETTY_FUNCTION__. In GCC, these are synonymous, but
      with clang __PRETTY_FUNCTION__ has extra information we don't
      need. Fixes bug 16563; bugfix on 0.0.2pre8. Fix by Tom van
      der Woerdt.
    - Remove needless quotes from a log message about unparseable
      addresses. Fixes bug 17843; bugfix on 0.2.3.3-alpha.

  o Minor bugfixes (portability):
    - Remove an #endif from configure.ac so that we correctly detect the
      presence of in6_addr.s6_addr32. Fixes bug 17923; bugfix
      on 0.2.0.13-alpha.

  o Minor bugfixes (relays):
    - Check that both the ORPort and DirPort (if present) are reachable
      before publishing a relay descriptor. Otherwise, relays publish a
      descriptor with DirPort 0 when the DirPort reachability test takes
      longer than the ORPort reachability test. Fixes bug 18050; bugfix
      on 0.1.0.1-rc. Reported by "starlight", patch by teor.

  o Minor bugfixes (relays, hidden services):
    - Refuse connection requests to private OR addresses unless
      ExtendAllowPrivateAddresses is set. Previously, tor would connect,
      then refuse to send any cells to a private address. Fixes bugs
      17674 and 8976; bugfix on 0.2.3.21-rc. Patch by teor.

  o Minor bugfixes (safe logging):
    - When logging a malformed hostname received through socks4, scrub
      it if SafeLogging says we should. Fixes bug 17419; bugfix
      on 0.1.1.16-rc.

  o Minor bugfixes (statistics code):
    - Consistently check for overflow in round_*_to_next_multiple_of
      functions, and add unit tests with additional and maximal values.
      Fixes part of bug 13192; bugfix on 0.2.2.1-alpha.
    - Handle edge cases in the laplace functions: avoid division by
      zero, avoid taking the log of zero, and silence clang type
      conversion warnings using round and trunc. Add unit tests for edge
      cases with maximal values. Fixes part of bug 13192; bugfix
      on 0.2.6.2-alpha.

  o Minor bugfixes (testing):
    - The test for log_heartbeat was incorrectly failing in timezones
      with non-integer offsets. Instead of comparing the end of the time
      string against a constant, compare it to the output of
      format_local_iso_time when given the correct input. Fixes bug
      18039; bugfix on 0.2.5.4-alpha.
    - Make unit tests pass on IPv6-only systems, and systems without
      localhost addresses (like some FreeBSD jails). Fixes bug 17632;
      bugfix on 0.2.7.3-rc. Patch by teor.
    - Fix a memory leak in the ntor test. Fixes bug 17778; bugfix
      on 0.2.4.8-alpha.
    - Check the full results of SHA256 and SHA512 digests in the unit
      tests. Bugfix on 0.2.2.4-alpha. Patch by teor.

  o Code simplification and refactoring:
    - Move logging of redundant policy entries in
      policies_parse_exit_policy_internal into its own function. Closes
      ticket 17608; patch from "juce".
    - Extract the more complicated parts of circuit_mark_for_close()
      into a new function that we run periodically before circuits are
      freed. This change removes more than half of the functions
      currently in the "blob". Closes ticket 17218.
    - Clean up a little duplicated code in
      crypto_expand_key_material_TAP(). Closes ticket 17587; patch
      from "pfrankw".
    - Decouple the list of streams waiting to be attached to circuits
      from the overall connection list. This change makes it possible to
      attach streams quickly while simplifying Tor's callgraph and
      avoiding O(N) scans of the entire connection list. Closes
      ticket 17590.
    - When a direct directory request fails immediately on launch,
      instead of relaunching that request from inside the code that
      launches it, mark the connection for teardown. This change
      simplifies Tor's callback and prevents the directory-request
      launching code from invoking itself recursively. Closes
      ticket 17589.
    - Remove code for configuring OpenSSL dynamic locks; OpenSSL doesn't
      use them. Closes ticket 17926.

  o Documentation:
    - Add a description of the correct use of the '--keygen' command-
      line option. Closes ticket 17583; based on text by 's7r'.
    - Document the minimum HeartbeatPeriod value. Closes ticket 15638.
    - Explain actual minima for BandwidthRate. Closes ticket 16382.
    - Fix a minor formatting typo in the manpage. Closes ticket 17791.
    - Mention torspec URL in the manpage and point the reader to it
      whenever we mention a document that belongs in torspec. Fixes
      issue 17392.

  o Removed features:
    - Remove client-side support for connecting to Tor relays running
      versions of Tor before 0.2.3.6-alpha. These relays didn't support
      the v3 TLS handshake protocol, and are no longer allowed on the
      Tor network. Implements the client side of ticket 11150. Based on
      patches by Tom van der Woerdt.

  o Testing:
    - Add unit tests to check for common RNG failure modes, such as
      returning all zeroes, identical values, or incrementing values
      (OpenSSL's rand_predictable feature). Patch by teor.
    - Log more information when the backtrace tests fail. Closes ticket
      17892. Patch from "cypherpunks".
    - Always test both ed25519 backends, so that we can be sure that our
      batch-open replacement code works. Part of ticket 16794.
    - Cover dns_resolve_impl() in dns.c with unit tests. Implements a
      portion of ticket 16831.
    - More unit tests for compat_libevent.c, procmon.c, tortls.c,
      util_format.c, directory.c, and options_validate.c. Closes tickets
      17075, 17082, 17084, 17003, and 17076 respectively. Patches from
      Ola Bini.
    - Unit tests for directory_handle_command_get. Closes ticket 17004.
      Patch from Reinaldo de Souza Jr.


Changes in version 0.2.7.6 - 2015-12-10
  Tor version 0.2.7.6 fixes a major bug in entry guard selection, as
  well as a minor bug in hidden service reliability.

  o Major bugfixes (guard selection):
    - Actually look at the Guard flag when selecting a new directory
      guard. When we implemented the directory guard design, we
      accidentally started treating all relays as if they have the Guard
      flag during guard selection, leading to weaker anonymity and worse
      performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
      by Mohsen Imani.