of Tor. If you want to see more detailed descriptions of the changes in
each development snapshot, see the ChangeLog file.
+Changes in version 0.2.5.10 - 2014-10-24
+ Tor 0.2.5.10 is the first stable release in the 0.2.5 series.
+
+ It adds several new security features, including improved
+ denial-of-service resistance for relays, new compiler hardening
+ options, and a system-call sandbox for hardened installations on Linux
+ (requires seccomp2). The controller protocol has several new features,
+ resolving IPv6 addresses should work better than before, and relays
+ should be a little more CPU-efficient. We've added support for more
+ OpenBSD and FreeBSD transparent proxy types. We've improved the build
+ system and testing infrastructure to allow unit testing of more parts
+ of the Tor codebase. Finally, we've addressed several nagging pluggable
+ transport usability issues, and included numerous other small bugfixes
+ and features mentioned below.
+
+ This release marks end-of-life for Tor 0.2.3.x; those Tor versions
+ have accumulated many known flaws; everyone should upgrade.
+
+ o Major features (security):
+ - The ntor handshake is now on-by-default, no matter what the
+ directory authorities recommend. Implements ticket 8561.
+ - Make the "tor-gencert" tool used by directory authority operators
+ create 2048-bit signing keys by default (rather than 1024-bit, since
+ 1024-bit is uncomfortably small these days). Addresses ticket 10324.
+ - Warn about attempts to run hidden services and relays in the same
+ process: that's probably not a good idea. Closes ticket 12908.
+ - Disable support for SSLv3. All versions of OpenSSL in use with Tor
+ today support TLS 1.0 or later, so we can safely turn off support
+ for this old (and insecure) protocol. Fixes bug 13426.
+
+ o Major features (relay security, DoS-resistance):
+ - When deciding whether we have run out of memory and we need to
+ close circuits, also consider memory allocated in buffers for
+ streams attached to each circuit.
+
+ This change, which extends an anti-DoS feature introduced in
+ 0.2.4.13-alpha and improved in 0.2.4.14-alpha, lets Tor exit relays
+ better resist more memory-based DoS attacks than before. Since the
+ MaxMemInCellQueues option now applies to all queues, it is renamed
+ to MaxMemInQueues. This feature fixes bug 10169.
+ - Avoid hash-flooding denial-of-service attacks by using the secure
+ SipHash-2-4 hash function for our hashtables. Without this
+ feature, an attacker could degrade performance of a targeted
+ client or server by flooding their data structures with a large
+ number of entries to be stored at the same hash table position,
+ thereby slowing down the Tor instance. With this feature, hash
+ table positions are derived from a randomized cryptographic key,
+ and an attacker cannot predict which entries will collide. Closes
+ ticket 4900.
+ - If you don't specify MaxMemInQueues yourself, Tor now tries to
+ pick a good value based on your total system memory. Previously,
+ the default was always 8 GB. You can still override the default by
+ setting MaxMemInQueues yourself. Resolves ticket 11396.
+
+ o Major features (bridges and pluggable transports):
+ - Add support for passing arguments to managed pluggable transport
+ proxies. Implements ticket 3594.
+ - Bridges now track GeoIP information and the number of their users
+ even when pluggable transports are in use, and report usage
+ statistics in their extra-info descriptors. Resolves tickets 4773
+ and 5040.
+ - Don't launch pluggable transport proxies if we don't have any
+ bridges configured that would use them. Now we can list many
+ pluggable transports, and Tor will dynamically start one when it
+ hears a bridge address that needs it. Resolves ticket 5018.
+ - The bridge directory authority now assigns status flags (Stable,
+ Guard, etc) to bridges based on thresholds calculated over all
+ Running bridges. Now bridgedb can finally make use of its features
+ to e.g. include at least one Stable bridge in its answers. Fixes
+ bug 9859.
+
+ o Major features (controller):
+ - Extend ORCONN controller event to include an "ID" parameter,
+ and add four new controller event types CONN_BW, CIRC_BW,
+ CELL_STATS, and TB_EMPTY that show connection and circuit usage.
+ The new events are emitted in private Tor networks only, with the
+ goal of being able to better track performance and load during
+ full-network simulations. Implements proposal 218 and ticket 7359.
+
+ o Major features (relay performance):
+ - Speed up server-side lookups of rendezvous and introduction point
+ circuits by using hashtables instead of linear searches. These
+ functions previously accounted between 3 and 7% of CPU usage on
+ some busy relays. Resolves ticket 9841.
+ - Avoid wasting CPU when extending a circuit over a channel that is
+ nearly out of circuit IDs. Previously, we would do a linear scan
+ over possible circuit IDs before finding one or deciding that we
+ had exhausted our possibilities. Now, we try at most 64 random
+ circuit IDs before deciding that we probably won't succeed. Fixes
+ a possible root cause of ticket 11553.
+
+ o Major features (seccomp2 sandbox, Linux only):
+ - Use the seccomp2 syscall filtering facility on Linux to limit
+ which system calls Tor can invoke. This is an experimental,
+ Linux-only feature to provide defense-in-depth against unknown
+ attacks. To try turning it on, set "Sandbox 1" in your torrc
+ file. Please be ready to report bugs. We hope to add support
+ for better sandboxing in the future, including more fine-grained
+ filters, better division of responsibility, and support for more
+ platforms. This work has been done by Cristian-Matei Toader for
+ Google Summer of Code. Resolves tickets 11351 and 11465.
+
+ o Major features (testing networks):
+ - Make testing Tor networks bootstrap better: lower directory fetch
+ retry schedules and maximum interval without directory requests,
+ and raise maximum download tries. Implements ticket 6752.
+ - Add make target 'test-network' to run tests on a Chutney network.
+ Implements ticket 8530.
+
+ o Major features (other):
+ - On some platforms (currently: recent OSX versions, glibc-based
+ platforms that support the ELF format, and a few other
+ Unix-like operating systems), Tor can now dump stack traces
+ when a crash occurs or an assertion fails. By default, traces
+ are dumped to stderr (if possible) and to any logs that are
+ reporting errors. Implements ticket 9299.
+
+ o Deprecated versions:
+ - Tor 0.2.3.x has reached end-of-life; it has received no patches or
+ attention for some while.
+
+ o Major bugfixes (security, directory authorities):
+ - Directory authorities now include a digest of each relay's
+ identity key as a part of its microdescriptor.
+
+ This is a workaround for bug 11743 (reported by "cypherpunks"),
+ where Tor clients do not support receiving multiple
+ microdescriptors with the same SHA256 digest in the same
+ consensus. When clients receive a consensus like this, they only
+ use one of the relays. Without this fix, a hostile relay could
+ selectively disable some client use of target relays by
+ constructing a router descriptor with a different identity and the
+ same microdescriptor parameters and getting the authorities to
+ list it in a microdescriptor consensus. This fix prevents an
+ attacker from causing a microdescriptor collision, because the
+ router's identity is not forgeable.
+
+ o Major bugfixes (openssl bug workaround):
+ - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
+ 1.0.1j, built with the 'no-ssl3' configuration option. Fixes
+ bug 13471. This is a workaround for an OpenSSL bug.
+
+ o Major bugfixes (client):
+ - Perform circuit cleanup operations even when circuit
+ construction operations are disabled (because the network is
+ disabled, or because there isn't enough directory information).
+ Previously, when we were not building predictive circuits, we
+ were not closing expired circuits either. Fixes bug 8387; bugfix on
+ 0.1.1.11-alpha. This bug became visible in 0.2.4.10-alpha when we
+ became more strict about when we have "enough directory information
+ to build circuits".
+
+ o Major bugfixes (client, pluggable transports):
+ - When managing pluggable transports, use OS notification facilities
+ to learn if they have crashed, and don't attempt to kill any
+ process that has already exited. Fixes bug 8746; bugfix
+ on 0.2.3.6-alpha.
+
+ o Major bugfixes (relay denial of service):
+ - Instead of writing destroy cells directly to outgoing connection
+ buffers, queue them and intersperse them with other outgoing cells.
+ This can prevent a set of resource starvation conditions where too
+ many pending destroy cells prevent data cells from actually getting
+ delivered. Reported by "oftc_must_be_destroyed". Fixes bug 7912;
+ bugfix on 0.2.0.1-alpha.
+
+ o Major bugfixes (relay):
+ - Avoid queuing or sending destroy cells for circuit ID zero when we
+ fail to send a CREATE cell. Fixes bug 12848; bugfix on 0.0.8pre1.
+ Found and fixed by "cypherpunks".
+ - Fix ORPort reachability detection on relays running behind a
+ proxy, by correctly updating the "local" mark on the controlling
+ channel when changing the address of an or_connection_t after the
+ handshake. Fixes bug 12160; bugfix on 0.2.4.4-alpha.
+ - Use a direct dirport connection when uploading non-anonymous
+ descriptors to the directory authorities. Previously, relays would
+ incorrectly use tunnel connections under a fairly wide variety of
+ circumstances. Fixes bug 11469; bugfix on 0.2.4.3-alpha.
+ - When a circuit accidentally has the same circuit ID for its
+ forward and reverse direction, correctly detect the direction of
+ cells using that circuit. Previously, this bug made roughly one
+ circuit in a million non-functional. Fixes bug 12195; this is a
+ bugfix on every version of Tor.
+
+ o Minor features (security):
+ - New --enable-expensive-hardening option to enable security
+ hardening options that consume nontrivial amounts of CPU and
+ memory. Right now, this includes AddressSanitizer and UbSan, which
+ are supported in newer versions of GCC and Clang. Closes ticket
+ 11477.
+ - Authorities now assign the Guard flag to the fastest 25% of the
+ network (it used to be the fastest 50%). Also raise the consensus
+ weight that guarantees the Guard flag from 250 to 2000. For the
+ current network, this results in about 1100 guards, down from 2500.
+ This step paves the way for moving the number of entry guards
+ down to 1 (proposal 236) while still providing reasonable expected
+ performance for most users. Implements ticket 12690.
+
+ o Minor features (security, memory management):
+ - Memory allocation tricks (mempools and buffer freelists) are now
+ disabled by default. You can turn them back on with
+ --enable-mempools and --enable-buf-freelists respectively. We're
+ disabling these features because malloc performance is good enough
+ on most platforms, and a similar feature in OpenSSL exacerbated
+ exploitation of the Heartbleed attack. Resolves ticket 11476.
+
+ o Minor features (bridge client):
+ - Report a more useful failure message when we can't connect to a
+ bridge because we don't have the right pluggable transport
+ configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
+
+ o Minor features (bridge):
+ - Add an ExtORPortCookieAuthFileGroupReadable option to make the
+ cookie file for the ExtORPort g+r by default.
+
+ o Minor features (bridges, pluggable transports):
+ - Bridges now write the SHA1 digest of their identity key
+ fingerprint (that is, a hash of a hash of their public key) to
+ notice-level logs, and to a new hashed-fingerprint file. This
+ information will help bridge operators look up their bridge in
+ Globe and similar tools. Resolves ticket 10884.
+ - Improve the message that Tor displays when running as a bridge
+ using pluggable transports without an Extended ORPort listener.
+ Also, log the message in the log file too. Resolves ticket 11043.
+ - Add threshold cutoffs to the networkstatus document created by
+ the Bridge Authority. Fixes bug 1117.
+ - On Windows, spawn background processes using the CREATE_NO_WINDOW
+ flag. Now Tor Browser Bundle 3.5 with pluggable transports enabled
+ doesn't pop up a blank console window. (In Tor Browser Bundle 2.x,
+ Vidalia set this option for us.) Implements ticket 10297.
+
+ o Minor features (build):
+ - The configure script has a --disable-seccomp option to turn off
+ support for libseccomp on systems that have it, in case it (or
+ Tor's use of it) is broken. Resolves ticket 11628.
+ - Assume that a user using ./configure --host wants to cross-compile,
+ and give an error if we cannot find a properly named
+ tool-chain. Add a --disable-tool-name-check option to proceed
+ nevertheless. Addresses ticket 9869. Patch by Benedikt Gollatz.
+ - If we run ./configure and the compiler recognizes -fstack-protector
+ but the linker rejects it, warn the user about a potentially missing
+ libssp package. Addresses ticket 9948. Patch from Benedikt Gollatz.
+ - Add support for `--library-versions` flag. Implements ticket 6384.
+ - Return the "unexpected sendme" warnings to a warn severity, but make
+ them rate limited, to help diagnose ticket 8093.
+ - Detect a missing asciidoc, and warn the user about it, during
+ configure rather than at build time. Fixes issue 6506. Patch from
+ Arlo Breault.
+
+ o Minor features (client):
+ - Add a new option, PredictedPortsRelevanceTime, to control how long
+ after having received a request to connect to a given port Tor
+ will try to keep circuits ready in anticipation of future requests
+ for that port. Patch from "unixninja92"; implements ticket 9176.
+
+ o Minor features (config options and command line):
+ - Add an --allow-missing-torrc commandline option that tells Tor to
+ run even if the configuration file specified by -f is not available.
+ Implements ticket 10060.
+ - Add support for the TPROXY transparent proxying facility on Linux.
+ See documentation for the new TransProxyType option for more
+ details. Implementation by "thomo". Closes ticket 10582.
+
+ o Minor features (config options):
+ - Config (torrc) lines now handle fingerprints which are missing
+ their initial '$'. Resolves ticket 4341; improvement over 0.0.9pre5.
+ - Support a --dump-config option to print some or all of the
+ configured options. Mainly useful for debugging the command-line
+ option parsing code. Helps resolve ticket 4647.
+ - Raise awareness of safer logging: notify user of potentially
+ unsafe config options, like logging more verbosely than severity
+ "notice" or setting SafeLogging to 0. Resolves ticket 5584.
+ - Add a new configuration option TestingV3AuthVotingStartOffset
+ that bootstraps a network faster by changing the timing for
+ consensus votes. Addresses ticket 8532.
+ - Add a new torrc option "ServerTransportOptions" that allows
+ bridge operators to pass configuration parameters to their
+ pluggable transports. Resolves ticket 8929.
+ - The config (torrc) file now accepts bandwidth and space limits in
+ bits as well as bytes. (Anywhere that you can say "2 Kilobytes",
+ you can now say "16 kilobits", and so on.) Resolves ticket 9214.
+ Patch by CharlieB.
+
+ o Minor features (controller):
+ - Make the entire exit policy available from the control port via
+ GETINFO exit-policy/*. Implements enhancement 7952. Patch from
+ "rl1987".
+ - Because of the fix for ticket 11396, the real limit for memory
+ usage may no longer match the configured MaxMemInQueues value. The
+ real limit is now exposed via GETINFO limits/max-mem-in-queues.
+ - Add a new "HS_DESC" controller event that reports activities
+ related to hidden service descriptors. Resolves ticket 8510.
+ - New "DROPGUARDS" controller command to forget all current entry
+ guards. Not recommended for ordinary use, since replacing guards
+ too frequently makes several attacks easier. Resolves ticket 9934;
+ patch from "ra".
+ - Implement the TRANSPORT_LAUNCHED control port event that
+ notifies controllers about new launched pluggable
+ transports. Resolves ticket 5609.
+
+ o Minor features (diagnostic):
+ - When logging a warning because of bug 7164, additionally check the
+ hash table for consistency (as proposed on ticket 11737). This may
+ help diagnose bug 7164.
+ - When we log a heartbeat, log how many one-hop circuits we have
+ that are at least 30 minutes old, and log status information about
+ a few of them. This is an attempt to track down bug 8387.
+ - When encountering an unexpected CR while writing text to a file on
+ Windows, log the name of the file. Should help diagnosing
+ bug 11233.
+ - Give more specific warnings when a client notices that an onion
+ handshake has failed. Fixes ticket 9635.
+ - Add significant new logging code to attempt to diagnose bug 12184,
+ where relays seem to run out of available circuit IDs.
+ - Improve the diagnostic log message for bug 8387 even further to
+ try to improve our odds of figuring out why one-hop directory
+ circuits sometimes do not get closed.
+ - Add more log messages to diagnose bug 7164, which causes
+ intermittent "microdesc_free() called but md was still referenced"
+ warnings. We now include more information, to figure out why we
+ might be cleaning a microdescriptor for being too old if it's
+ still referenced by a live node_t object.
+ - Log current accounting state (bytes sent and received + remaining
+ time for the current accounting period) in the relay's heartbeat
+ message. Implements ticket 5526; patch from Peter Retzlaff.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2
+ Country database.
+
+ o Minor features (interface):
+ - Generate a warning if any ports are listed in the SocksPolicy,
+ DirPolicy, AuthDirReject, AuthDirInvalid, AuthDirBadDir, or
+ AuthDirBadExit options. (These options only support address
+ ranges.) Fixes part of ticket 11108.
+
+ o Minor features (kernel API usage):
+ - Use the SOCK_NONBLOCK socket type, if supported, to open nonblocking
+ sockets in a single system call. Implements ticket 5129.
+
+ o Minor features (log messages):
+ - When ServerTransportPlugin is set on a bridge, Tor can write more
+ useful statistics about bridge use in its extrainfo descriptors,
+ but only if the Extended ORPort ("ExtORPort") is set too. Add a
+ log message to inform the user in this case. Resolves ticket 9651.
+ - When receiving a new controller connection, log the origin address.
+ Resolves ticket 9698; patch from "sigpipe".
+ - When logging OpenSSL engine status at startup, log the status of
+ more engines. Fixes ticket 10043; patch from Joshua Datko.
+
+ o Minor features (log verbosity):
+ - Demote the message that we give when a flushing connection times
+ out for too long from NOTICE to INFO. It was usually meaningless.
+ Resolves ticket 5286.
+ - Don't log so many notice-level bootstrapping messages at startup
+ about downloading descriptors. Previously, we'd log a notice
+ whenever we learned about more routers. Now, we only log a notice
+ at every 5% of progress. Fixes bug 9963.
+ - Warn less verbosely when receiving a malformed
+ ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279.
+
+ o Minor features (performance):
+ - If we're using the pure-C 32-bit curve25519_donna implementation
+ of curve25519, build it with the -fomit-frame-pointer option to
+ make it go faster on register-starved hosts. This improves our
+ handshake performance by about 6% on i386 hosts without nacl.
+ Closes ticket 8109.
+
+ o Minor features (relay):
+ - If a circuit timed out for at least 3 minutes, check if we have a
+ new external IP address, and publish a new descriptor with the new
+ IP address if it changed. Resolves ticket 2454.
+
+ o Minor features (testing):
+ - If Python is installed, "make check" now runs extra tests beyond
+ the unit test scripts.
+ - When bootstrapping a test network, sometimes very few relays get
+ the Guard flag. Now a new option "TestingDirAuthVoteGuard" can
+ specify a set of relays which should be voted Guard regardless of
+ their uptime or bandwidth. Addresses ticket 9206.
+
+ o Minor features (transparent proxy, *BSD):
+ - Support FreeBSD's ipfw firewall interface for TransPort ports on
+ FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket
+ 10267; patch from "yurivict".
+ - Support OpenBSD's divert-to rules with the pf firewall for
+ transparent proxy ports. To enable it, set "TransProxyType
+ pf-divert". This allows Tor to run a TransPort transparent proxy
+ port on OpenBSD 4.4 or later without root privileges. See the
+ pf.conf(5) manual page for information on configuring pf to use
+ divert-to rules. Closes ticket 10896; patch from Dana Koch.
+
+ o Minor bugfixes (bridge client):
+ - Stop accepting bridge lines containing hostnames. Doing so would
+ cause clients to perform DNS requests on the hostnames, which was
+ not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
+
+ o Minor bugfixes (bridges):
+ - Avoid potential crashes or bad behavior when launching a
+ server-side managed proxy with ORPort or ExtORPort temporarily
+ disabled. Fixes bug 9650; bugfix on 0.2.3.16-alpha.
+ - Fix a bug where the first connection works to a bridge that uses a
+ pluggable transport with client-side parameters, but we don't send
+ the client-side parameters on subsequent connections. (We don't
+ use any pluggable transports with client-side parameters yet,
+ but ScrambleSuit will soon become the first one.) Fixes bug 9162;
+ bugfix on 0.2.0.3-alpha. Based on a patch from "rl1987".
+
+ o Minor bugfixes (build, auxiliary programs):
+ - Stop preprocessing the "torify" script with autoconf, since
+ it no longer refers to LOCALSTATEDIR. Fixes bug 5505; patch
+ from Guilhem.
+ - The tor-fw-helper program now follows the standard convention and
+ exits with status code "0" on success. Fixes bug 9030; bugfix on
+ 0.2.3.1-alpha. Patch by Arlo Breault.
+ - Corrected ./configure advice for what openssl dev package you should
+ install on Debian. Fixes bug 9207; bugfix on 0.2.0.1-alpha.
+
+ o Minor bugfixes (client):
+ - Avoid "Tried to open a socket with DisableNetwork set" warnings
+ when starting a client with bridges configured and DisableNetwork
+ set. (Tor launcher starts Tor with DisableNetwork set the first
+ time it runs.) Fixes bug 10405; bugfix on 0.2.3.9-alpha.
+ - Improve the log message when we can't connect to a hidden service
+ because all of the hidden service directory nodes hosting its
+ descriptor are excluded. Improves on our fix for bug 10722, which
+ was a bugfix on 0.2.0.10-alpha.
+ - Raise a control port warning when we fail to connect to all of
+ our bridges. Previously, we didn't inform the controller, and
+ the bootstrap process would stall. Fixes bug 11069; bugfix on
+ 0.2.1.2-alpha.
+ - Exit immediately when a process-owning controller exits.
+ Previously, tor relays would wait for a little while after their
+ controller exited, as if they had gotten an INT signal -- but this
+ was problematic, since there was no feedback for the user. To do a
+ clean shutdown, controllers should send an INT signal and give Tor
+ a chance to clean up. Fixes bug 10449; bugfix on 0.2.2.28-beta.
+ - Stop attempting to connect to bridges before our pluggable
+ transports are configured (harmless but resulted in some erroneous
+ log messages). Fixes bug 11156; bugfix on 0.2.3.2-alpha.
+ - Fix connections to IPv6 addresses over SOCKS5. Previously, we were
+ generating incorrect SOCKS5 responses, and confusing client
+ applications. Fixes bug 10987; bugfix on 0.2.4.7-alpha.
+
+ o Minor bugfixes (client, DNSPort):
+ - When using DNSPort, try to respond to AAAA requests with AAAA
+ answers. Previously, we hadn't looked at the request type when
+ deciding which answer type to prefer. Fixes bug 10468; bugfix on
+ 0.2.4.7-alpha.
+ - When receiving a DNS query for an unsupported record type, reply
+ with no answer rather than with a NOTIMPL error. This behavior
+ isn't correct either, but it will break fewer client programs, we
+ hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch
+ from "epoch".
+
+ o Minor bugfixes (client, logging during bootstrap):
+ - Only report the first fatal bootstrap error on a given OR
+ connection. This stops us from telling the controller bogus error
+ messages like "DONE". Fixes bug 10431; bugfix on 0.2.1.1-alpha.
+ - Avoid generating spurious warnings when starting with
+ DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on
+ 0.2.3.9-alpha.
+
+ o Minor bugfixes (closing OR connections):
+ - If write_to_buf() in connection_write_to_buf_impl_() ever fails,
+ check if it's an or_connection_t and correctly call
+ connection_or_close_for_error() rather than
+ connection_mark_for_close() directly. Fixes bug 11304; bugfix on
+ 0.2.4.4-alpha.
+ - When closing all connections on setting DisableNetwork to 1, use
+ connection_or_close_normally() rather than closing OR connections
+ out from under the channel layer. Fixes bug 11306; bugfix on
+ 0.2.4.4-alpha.
+
+ o Minor bugfixes (code correctness):
+ - Previously we used two temporary files when writing descriptors to
+ disk; now we only use one. Fixes bug 1376.
+ - Remove an erroneous (but impossible and thus harmless) pointer
+ comparison that would have allowed compilers to skip a bounds
+ check in channeltls.c. Fixes bugs 10313 and 9980; bugfix on
+ 0.2.0.10-alpha. Noticed by Jared L Wong and David Fifield.
+ - Fix an always-true assertion in pluggable transports code so it
+ actually checks what it was trying to check. Fixes bug 10046;
+ bugfix on 0.2.3.9-alpha. Found by "dcb".
+
+ o Minor bugfixes (command line):
+ - Use a single command-line parser for parsing torrc options on the
+ command line and for finding special command-line options to avoid
+ inconsistent behavior for torrc option arguments that have the same
+ names as command-line options. Fixes bugs 4647 and 9578; bugfix on
+ 0.0.9pre5.
+ - No longer allow 'tor --hash-password' with no arguments. Fixes bug
+ 9573; bugfix on 0.0.9pre5.
+
+ o Minor bugfixes (compilation):
+ - Compile correctly with builds and forks of OpenSSL (such as
+ LibreSSL) that disable compression. Fixes bug 12602; bugfix on
+ 0.2.1.1-alpha. Patch from "dhill".
+ - Restore the ability to compile Tor with V2_HANDSHAKE_SERVER
+ turned off (that is, without support for v2 link handshakes). Fixes
+ bug 4677; bugfix on 0.2.3.2-alpha. Patch from "piet".
+ - In routerlist_assert_ok(), don't take the address of a
+ routerinfo's cache_info member unless that routerinfo is non-NULL.
+ Fixes bug 13096; bugfix on 0.1.1.9-alpha. Patch by "teor".
+ - Fix a large number of false positive warnings from the clang
+ analyzer static analysis tool. This should make real warnings
+ easier for clang analyzer to find. Patch from "teor". Closes
+ ticket 13036.
+ - Resolve GCC complaints on OpenBSD about discarding constness in
+ TO_{ORIGIN,OR}_CIRCUIT functions. Fixes part of bug 11633; bugfix
+ on 0.1.1.23. Patch from Dana Koch.
+ - Resolve clang complaints on OpenBSD with -Wshorten-64-to-32 due to
+ treatment of long and time_t as comparable types. Fixes part of
+ bug 11633. Patch from Dana Koch.
+ - When deciding whether to build the 64-bit curve25519
+ implementation, detect platforms where we can compile 128-bit
+ arithmetic but cannot link it. Fixes bug 11729; bugfix on
+ 0.2.4.8-alpha. Patch from "conradev".
+ - Fix compilation when DNS_CACHE_DEBUG is enabled. Fixes bug 11761;
+ bugfix on 0.2.3.13-alpha. Found by "cypherpunks".
+ - Fix compilation with dmalloc. Fixes bug 11605; bugfix
+ on 0.2.4.10-alpha.
+ - Build and run correctly on systems like OpenBSD-current that have
+ patched OpenSSL to remove get_cipher_by_char and/or its
+ implementations. Fixes issue 13325.
+
+ o Minor bugfixes (controller and command-line):
+ - If changing a config option via "setconf" fails in a recoverable
+ way, we used to nonetheless write our new control ports to the
+ file described by the "ControlPortWriteToFile" option. Now we only
+ write out that file if we successfully switch to the new config
+ option. Fixes bug 5605; bugfix on 0.2.2.26-beta. Patch from "Ryman".
+
+ o Minor bugfixes (directory server):
+ - No longer accept malformed http headers when parsing urls from
+ headers. Now we reply with Bad Request ("400"). Fixes bug 2767;
+ bugfix on 0.0.6pre1.
+ - When sending a compressed set of descriptors or microdescriptors,
+ make sure to finalize the zlib stream. Previously, we would write
+ all the compressed data, but if the last descriptor we wanted to
+ send was missing or too old, we would not mark the stream as
+ finished. This caused problems for decompression tools. Fixes bug
+ 11648; bugfix on 0.1.1.23.
+
+ o Minor bugfixes (hidden service):
+ - Only retry attempts to connect to a chosen rendezvous point 8
+ times, not 30. Fixes bug 4241; bugfix on 0.1.0.1-rc.
+
+ o Minor bugfixes (interface):
+ - Reject relative control socket paths and emit a warning. Previously,
+ single-component control socket paths would be rejected, but Tor
+ would not log why it could not validate the config. Fixes bug 9258;
+ bugfix on 0.2.3.16-alpha.
+
+ o Minor bugfixes (log messages):
+ - Fix a bug where clients using bridges would report themselves
+ as 50% bootstrapped even without a live consensus document.
+ Fixes bug 9922; bugfix on 0.2.1.1-alpha.
+ - Suppress a warning where, if there's only one directory authority
+ in the network, we would complain that votes and signatures cannot
+ be uploaded to other directory authorities. Fixes bug 10842;
+ bugfix on 0.2.2.26-beta.
+ - Report bootstrapping progress correctly when we're downloading
+ microdescriptors. We had updated our "do we have enough microdescs
+ to begin building circuits?" logic most recently in 0.2.4.10-alpha
+ (see bug 5956), but we left the bootstrap status event logic at
+ "how far through getting 1/4 of them are we?" Fixes bug 9958;
+ bugfix on 0.2.2.36, which is where they diverged (see bug 5343).
+
+ o Minor bugfixes (logging):
+ - Downgrade "Unexpected onionskin length after decryption" warning
+ to a protocol-warn, since there's nothing relay operators can do
+ about a client that sends them a malformed create cell. Resolves
+ bug 12996; bugfix on 0.0.6rc1.
+ - Log more specific warnings when we get an ESTABLISH_RENDEZVOUS
+ cell on a cannibalized or non-OR circuit. Resolves ticket 12997.
+ - When logging information about an EXTEND2 or EXTENDED2 cell, log
+ their names correctly. Fixes part of bug 12700; bugfix
+ on 0.2.4.8-alpha.
+ - When logging information about a relay cell whose command we don't
+ recognize, log its command as an integer. Fixes part of bug 12700;
+ bugfix on 0.2.1.10-alpha.
+ - Escape all strings from the directory connection before logging
+ them. Fixes bug 13071; bugfix on 0.1.1.15. Patch from "teor".
+ - Squelch a spurious LD_BUG message "No origin circuit for
+ successful SOCKS stream" in certain hidden service failure cases;
+ fixes bug 10616.
+ - Downgrade the severity of the 'unexpected sendme cell from client'
+ from 'warn' to 'protocol warning'. Closes ticket 8093.
+
+ o Minor bugfixes (misc code correctness):
+ - In munge_extrainfo_into_routerinfo(), check the return value of
+ memchr(). This would have been a serious issue if we ever passed
+ it a non-extrainfo. Fixes bug 8791; bugfix on 0.2.0.6-alpha. Patch
+ from Arlo Breault.
+ - On the chance that somebody manages to build Tor on a
+ platform where time_t is unsigned, correct the way that
+ microdesc_add_to_cache() handles negative time arguments.
+ Fixes bug 8042; bugfix on 0.2.3.1-alpha.
+ - Fix various instances of undefined behavior in channeltls.c,
+ tor_memmem(), and eventdns.c that would cause us to construct
+ pointers to memory outside an allocated object. (These invalid
+ pointers were not accessed, but C does not even allow them to
+ exist.) Fixes bug 10363; bugfixes on 0.1.1.1-alpha, 0.1.2.1-alpha,
+ 0.2.0.10-alpha, and 0.2.3.6-alpha. Reported by "bobnomnom".
+ - Use the AddressSanitizer and Ubsan sanitizers (in clang-3.4) to
+ fix some miscellaneous errors in our tests and codebase. Fixes bug
+ 11232. Bugfixes on versions back as far as 0.2.1.11-alpha.
+ - Always check return values for unlink, munmap, UnmapViewOfFile;
+ check strftime return values more often. In some cases all we can
+ do is report a warning, but this may help prevent deeper bugs from
+ going unnoticed. Closes ticket 8787; bugfixes on many, many tor
+ versions.
+ - Fix numerous warnings from the clang "scan-build" static analyzer.
+ Some of these are programming style issues; some of them are false
+ positives that indicated awkward code; some are undefined behavior
+ cases related to constructing (but not using) invalid pointers;
+ some are assumptions about API behavior; some are (harmlessly)
+ logging sizeof(ptr) bytes from a token when sizeof(*ptr) would be
+ correct; and one or two are genuine bugs that weren't reachable
+ from the rest of the program. Fixes bug 8793; bugfixes on many,
+ many tor versions.
+
+ o Minor bugfixes (node selection):
+ - If ExcludeNodes is set, consider non-excluded hidden service
+ directory servers before excluded ones. Do not consider excluded
+ hidden service directory servers at all if StrictNodes is
+ set. (Previously, we would sometimes decide to connect to those
+ servers, and then realize before we initiated a connection that
+ we had excluded them.) Fixes bug 10722; bugfix on 0.2.0.10-alpha.
+ Reported by "mr-4".
+ - If we set the ExitNodes option but it doesn't include any nodes
+ that have the Exit flag, we would choose not to bootstrap. Now we
+ bootstrap so long as ExitNodes includes nodes which can exit to
+ some port. Fixes bug 10543; bugfix on 0.2.4.10-alpha.
+
+ o Minor bugfixes (performance):
+ - Avoid a bug where every successful connection made us recompute
+ the flag telling us whether we have sufficient information to
+ build circuits. Previously, we would forget our cached value
+ whenever we successfully opened a channel (or marked a router as
+ running or not running for any other reason), regardless of
+ whether we had previously believed the router to be running. This
+ forced us to run an expensive update operation far too often.
+ Fixes bug 12170; bugfix on 0.1.2.1-alpha.
+ - Avoid using tor_memeq() for checking relay cell integrity. This
+ removes a possible performance bottleneck. Fixes part of bug
+ 12169; bugfix on 0.2.1.31.
+
+ o Minor bugfixes (platform-specific):
+ - When dumping a malformed directory object to disk, save it in
+ binary mode on Windows, not text mode. Fixes bug 11342; bugfix on
+ 0.2.2.1-alpha.
+ - Don't report failures from make_socket_reuseable() on incoming
+ sockets on OSX: this can happen when incoming connections close
+ early. Fixes bug 10081.
+
+ o Minor bugfixes (pluggable transports):
+ - Avoid another 60-second delay when starting Tor in a pluggable-
+ transport-using configuration when we already have cached
+ descriptors for our bridges. Fixes bug 11965; bugfix
+ on 0.2.3.6-alpha.
+
+ o Minor bugfixes (protocol correctness):
+ - When receiving a VERSIONS cell with an odd number of bytes, close
+ the connection immediately since the cell is malformed. Fixes bug
+ 10365; bugfix on 0.2.0.10-alpha. Spotted by "bobnomnom"; fix by
+ "rl1987".
+
+ o Minor bugfixes (relay, other):
+ - We now drop CREATE cells for already-existent circuit IDs and for
+ zero-valued circuit IDs, regardless of other factors that might
+ otherwise have called for DESTROY cells. Fixes bug 12191; bugfix
+ on 0.0.8pre1.
+ - When rejecting DATA cells for stream_id zero, still count them
+ against the circuit's deliver window so that we don't fail to send
+ a SENDME. Fixes bug 11246; bugfix on 0.2.4.10-alpha.
+
+ o Minor bugfixes (relay, threading):
+ - Check return code on spawn_func() in cpuworker code, so that we
+ don't think we've spawned a nonworking cpuworker and write junk to
+ it forever. Fix related to bug 4345; bugfix on all released Tor
+ versions. Found by "skruffy".
+ - Use a pthread_attr to make sure that spawn_func() cannot return an
+ error while at the same time launching a thread. Fix related to
+ bug 4345; bugfix on all released Tor versions. Reported
+ by "cypherpunks".
+
+ o Minor bugfixes (relays and bridges):
+ - Avoid crashing on a malformed resolv.conf file when running a
+ relay using Libevent 1. Fixes bug 8788; bugfix on 0.1.1.23.
+ - Non-exit relays no longer launch mock DNS requests to check for
+ DNS hijacking. This has been unnecessary since 0.2.1.7-alpha, when
+ non-exit relays stopped servicing DNS requests. Fixes bug 965;
+ bugfix on 0.2.1.7-alpha. Patch from Matt Pagan.
+ - Bridges now report complete directory request statistics. Related
+ to bug 5824; bugfix on 0.2.2.1-alpha.
+ - Bridges now never collect statistics that were designed for
+ relays. Fixes bug 5824; bugfix on 0.2.3.8-alpha.
+
+ o Minor bugfixes (testing):
+ - Fix all valgrind warnings produced by the unit tests. There were
+ over a thousand memory leak warnings previously, mostly produced
+ by forgetting to free things in the unit test code. Fixes bug
+ 11618, bugfixes on many versions of Tor.
+
+ o Minor bugfixes (tor-fw-helper):
+ - Give a correct log message when tor-fw-helper fails to launch.
+ (Previously, we would say something like "tor-fw-helper sent us a
+ string we could not parse".) Fixes bug 9781; bugfix
+ on 0.2.4.2-alpha.
+
+ o Minor bugfixes (trivial memory leaks):
+ - Fix a small memory leak when signing a directory object. Fixes bug
+ 11275; bugfix on 0.2.4.13-alpha.
+ - Resolve some memory leaks found by coverity in the unit tests, on
+ exit in tor-gencert, and on a failure to compute digests for our
+ own keys when generating a v3 networkstatus vote. These leaks
+ should never have affected anyone in practice.
+
+ o Code simplification and refactoring:
+ - Remove some old fallback code designed to keep Tor clients working
+ in a network with only two working relays. Elsewhere in the code we
+ have long since stopped supporting such networks, so there wasn't
+ much point in keeping it around. Addresses ticket 9926.
+ - Reject 0-length EXTEND2 cells more explicitly. Fixes bug 10536;
+ bugfix on 0.2.4.8-alpha. Reported by "cypherpunks".
+ - Extract the common duplicated code for creating a subdirectory
+ of the data directory and writing to a file in it. Fixes ticket
+ 4282; patch from Peter Retzlaff.
+ - Since OpenSSL 0.9.7, the i2d_*() functions support allocating output
+ buffer. Avoid calling twice: i2d_RSAPublicKey(), i2d_DHparams(),
+ i2d_X509(), and i2d_PublicKey(). Resolves ticket 5170.
+ - Add a set of accessor functions for the circuit timeout data
+ structure. Fixes ticket 6153; patch from "piet".
+ - Clean up exit paths from connection_listener_new(). Closes ticket
+ 8789. Patch from Arlo Breault.
+ - Since we rely on OpenSSL 0.9.8 now, we can use EVP_PKEY_cmp()
+ and drop our own custom pkey_eq() implementation. Fixes bug 9043.
+ - Use a doubly-linked list to implement the global circuit list.
+ Resolves ticket 9108. Patch from Marek Majkowski.
+ - Remove contrib/id_to_fp.c since it wasn't used anywhere.
+ - Remove constants and tests for PKCS1 padding; it's insecure and
+ shouldn't be used for anything new. Fixes bug 8792; patch
+ from Arlo Breault.
+ - Remove instances of strcpy() from the unit tests. They weren't
+ hurting anything, since they were only in the unit tests, but it's
+ embarassing to have strcpy() in the code at all, and some analysis
+ tools don't like it. Fixes bug 8790; bugfix on 0.2.3.6-alpha and
+ 0.2.3.8-alpha. Patch from Arlo Breault.
+ - Remove is_internal_IP() function. Resolves ticket 4645.
+ - Remove unused function circuit_dump_by_chan from circuitlist.c.
+ Closes issue 9107; patch from "marek".
+ - Change our use of the ENUM_BF macro to avoid declarations that
+ confuse Doxygen.
+ - Get rid of router->address, since in all cases it was just the
+ string representation of router->addr. Resolves ticket 5528.
+
+ o Documentation:
+ - Adjust the URLs in the README to refer to the new locations of
+ several documents on the website. Fixes bug 12830. Patch from
+ Matt Pagan.
+ - Document 'reject6' and 'accept6' ExitPolicy entries. Resolves
+ ticket 12878.
+ - Update manpage to describe some of the files you can expect to
+ find in Tor's DataDirectory. Addresses ticket 9839.
+ - Clean up several option names in the manpage to match their real
+ names, add the missing documentation for a couple of testing and
+ directory authority options, remove the documentation for a
+ V2-directory fetching option that no longer exists. Resolves
+ ticket 11634.
+ - Correct the documenation so that it lists the correct directory
+ for the stats files. (They are in a subdirectory called "stats",
+ not "status".)
+ - In the manpage, move more authority-only options into the
+ directory authority section so that operators of regular directory
+ caches don't get confused.
+ - Fix the layout of the SOCKSPort flags in the manpage. Fixes bug
+ 11061; bugfix on 0.2.4.7-alpha.
+ - Resolve warnings from Doxygen.
+ - Document in the manpage that "KBytes" may also be written as
+ "kilobytes" or "KB", that "Kbits" may also be written as
+ "kilobits", and so forth. Closes ticket 9222.
+ - Document that the ClientOnly config option overrides ORPort.
+ Our old explanation made ClientOnly sound as though it did
+ nothing at all. Resolves bug 9059.
+ - Explain that SocksPolicy, DirPolicy, and similar options don't
+ take port arguments. Fixes the other part of ticket 11108.
+ - Fix a comment about the rend_server_descriptor_t.protocols field
+ to more accurately describe its range. Also, make that field
+ unsigned, to more accurately reflect its usage. Fixes bug 9099;
+ bugfix on 0.2.1.5-alpha.
+ - Fix the manpage's description of HiddenServiceAuthorizeClient:
+ the maximum client name length is 16, not 19. Fixes bug 11118;
+ bugfix on 0.2.1.6-alpha.
+
+ o Package cleanup:
+ - The contrib directory has been sorted and tidied. Before, it was
+ an unsorted dumping ground for useful and not-so-useful things.
+ Now, it is divided based on functionality, and the items which
+ seemed to be nonfunctional or useless have been removed. Resolves
+ ticket 8966; based on patches from "rl1987".
+
+ o Removed code and features:
+ - Clients now reject any directory authority certificates lacking
+ a dir-key-crosscert element. These have been included since
+ 0.2.1.9-alpha, so there's no real reason for them to be optional
+ any longer. Completes proposal 157. Resolves ticket 10162.
+ - Remove all code that existed to support the v2 directory system,
+ since there are no longer any v2 directory authorities. Resolves
+ ticket 10758.
+ - Remove the HSAuthoritativeDir and AlternateHSAuthority torrc
+ options, which were used for designating authorities as "Hidden
+ service authorities". There has been no use of hidden service
+ authorities since 0.2.2.1-alpha, when we stopped uploading or
+ downloading v0 hidden service descriptors. Fixes bug 10881; also
+ part of a fix for bug 10841.
+ - Remove /tor/dbg-stability.txt URL that was meant to help debug WFU
+ and MTBF calculations, but that nobody was using. Fixes bug 11742.
+ - The TunnelDirConns and PreferTunnelledDirConns options no longer
+ exist; tunneled directory connections have been available since
+ 0.1.2.5-alpha, and turning them off is not a good idea. This is a
+ brute-force fix for 10849, where "TunnelDirConns 0" would break
+ hidden services.
+ - Remove all code for the long unused v1 directory protocol.
+ Resolves ticket 11070.
+ - Remove all remaining code related to version-0 hidden service
+ descriptors: they have not been in use since 0.2.2.1-alpha. Fixes
+ the rest of bug 10841.
+ - Remove migration code from when we renamed the "cached-routers"
+ file to "cached-descriptors" back in 0.2.0.8-alpha. This
+ incidentally resolves ticket 6502 by cleaning up the related code
+ a bit. Patch from Akshay Hebbar.
+
+ o Test infrastructure:
+ - Tor now builds each source file in two modes: a mode that avoids
+ exposing identifiers needlessly, and another mode that exposes
+ more identifiers for testing. This lets the compiler do better at
+ optimizing the production code, while enabling us to take more
+ radical measures to let the unit tests test things.
+ - The production builds no longer include functions used only in
+ the unit tests; all functions exposed from a module only for
+ unit-testing are now static in production builds.
+ - Add an --enable-coverage configuration option to make the unit
+ tests (and a new src/or/tor-cov target) to build with gcov test
+ coverage support.
+ - Update to the latest version of tinytest.
+ - Improve the tinytest implementation of string operation tests so
+ that comparisons with NULL strings no longer crash the tests; they
+ now just fail, normally. Fixes bug 9004; bugfix on 0.2.2.4-alpha.
+ - New macros in test.h to simplify writing mock-functions for unit
+ tests. Part of ticket 11507. Patch from Dana Koch.
+ - We now have rudimentary function mocking support that our unit
+ tests can use to test functions in isolation. Function mocking
+ lets the tests temporarily replace a function's dependencies with
+ stub functions, so that the tests can check the function without
+ invoking the other functions it calls.
+
+ o Testing:
+ - Complete tests for the status.c module. Resolves ticket 11507.
+ Patch from Dana Koch.
+ - Add more unit tests for the <circid,channel>->circuit map, and
+ the destroy-cell-tracking code to fix bug 7912.
+ - Unit tests for failing cases of the TAP onion handshake.
+ - More unit tests for address-manipulation functions.
+
+ o Distribution (systemd):
+ - Include a tor.service file in contrib/dist for use with systemd.
+ Some distributions will be able to use this file unmodified;
+ others will need to tweak it, or write their own. Patch from Jamie
+ Nguyen; resolves ticket 8368.
+ - Verify configuration file via ExecStartPre in the systemd unit
+ file. Patch from intrigeri; resolves ticket 12730.
+ - Explicitly disable RunAsDaemon in the systemd unit file. Our
+ current systemd unit uses "Type = simple", so systemd does not
+ expect tor to fork. If the user has "RunAsDaemon 1" in their
+ torrc, then things won't work as expected. This is e.g. the case
+ on Debian (and derivatives), since there we pass "--defaults-torrc
+ /usr/share/tor/tor-service-defaults-torrc" (that contains
+ "RunAsDaemon 1") by default. Patch by intrigeri; resolves
+ ticket 12731.
+
+
Changes in version 0.2.4.25 - 2014-10-20
Tor 0.2.4.25 disables SSL3 in response to the recent "POODLE" attack
(even though POODLE does not affect Tor). It also works around a crash
projects / thirdparty / tor.git / commitdiff
