[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor is out

Tor marks feature-freeze for the 0.2.3 tree. It deploys
the last step of the plan to limit maximum circuit length, includes
a wide variety of hidden service performance and correctness fixes,
works around an OpenSSL security flaw if your distro is too stubborn
to upgrade, and fixes a bunch of smaller issues.


Note that the tarball and git tags are signed by my newer (4096 bit)
gpg key, 0x19F78451.

(Packages coming eventually.)

Changes in version - 2012-01-22
  o Major features:
    - Now that Tor 0.2.0.x is completely deprecated, enable the final
      part of "Proposal 110: Avoiding infinite length circuits" by
      refusing all circuit-extend requests that do not use a relay_early
      cell. This change helps Tor resist a class of denial-of-service
      attacks by limiting the maximum circuit length.
    - Adjust the number of introduction points that a hidden service
      will try to maintain based on how long its introduction points
      remain in use and how many introductions they handle. Fixes
      part of bug 3825.
    - Try to use system facilities for enumerating local interface
      addresses, before falling back to our old approach (which was
      binding a UDP socket, and calling getsockname() on it). That
      approach was scaring OS X users whose draconian firewall
      software warned about binding to UDP sockets, regardless of
      whether packets were sent. Now we try to use getifaddrs(),
      SIOCGIFCONF, or GetAdaptersAddresses(), depending on what the
      system supports. Resolves ticket 1827.

  o Major security workaround:
    - When building or running with any version of OpenSSL earlier
      than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
      versions have a bug (CVE-2011-4576) in which their block cipher
      padding includes uninitialized data, potentially leaking sensitive
      information to any peer with whom they make a SSLv3 connection. Tor
      does not use SSL v3 by default, but a hostile client or server
      could force an SSLv3 connection in order to gain information that
      they shouldn't have been able to get. The best solution here is to
      upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
      or running with a non-upgraded OpenSSL, we disable SSLv3 entirely
      to make sure that the bug can't happen.

  o Major bugfixes:
    - Fix the SOCKET_OK test that we use to tell when socket
      creation fails so that it works on Win64. Fixes part of bug 4533;
      bugfix on Bug found by wanoskarnet.
    - Correct our replacements for the timeradd() and timersub() functions
      on platforms that lack them (for example, Windows). The timersub()
      function is used when expiring circuits, while timeradd() is
      currently unused. Bug report and patch by Vektor. Fixes bug 4778;
      bugfix on and
    - Do not use OpenSSL 1.0.0's counter mode: it has a critical bug
      that was fixed in OpenSSL 1.0.0a. We test for the counter mode
      bug at runtime, not compile time, because some distributions hack
      their OpenSSL to mis-report its version. Fixes bug 4779; bugfix
      on Found by Pascal.

  o Minor features (controller):
    - Use absolute path names when reporting the torrc filename in the
      control protocol, so a controller can more easily find the torrc
      file. Resolves bug 1101.
    - Extend the control protocol to report flags that control a circuit's
      path selection in CIRC events and in replies to 'GETINFO
      circuit-status'. Implements part of ticket 2411.
    - Extend the control protocol to report the hidden service address
      and current state of a hidden-service-related circuit in CIRC
      events and in replies to 'GETINFO circuit-status'. Implements part
      of ticket 2411.
    - When reporting the path to the cookie file to the controller,
      give an absolute path. Resolves ticket 4881.
    - Allow controllers to request an event notification whenever a
      circuit is cannibalized or its purpose is changed. Implements
      part of ticket 3457.
    - Include the creation time of a circuit in CIRC and CIRC2
      control-port events and the list produced by the 'GETINFO
      circuit-status' control-port command.

  o Minor features (directory authorities):
    - Directory authorities now reject versions of Tor older than, and Tor versions between and
      inclusive. These versions accounted for only a small fraction of
      the Tor network, and have numerous known security issues. Resolves
      issue 4788.
    - Authority operators can now vote for all relays in a given
      set of countries to be BadDir/BadExit/Invalid/Rejected.
    - Provide two consensus parameters (FastFlagMinThreshold and
      FastFlagMaxThreshold) to control the range of allowable bandwidths
      for the Fast directory flag. These allow authorities to run
      experiments on appropriate requirements for being a "Fast" node.
      The AuthDirFastGuarantee config value still applies.
    - Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
      directory authority option (introduced in Tor

  o Minor features (other):
    - Don't disable the DirPort when we cannot exceed our AccountingMax
      limit during this interval because the effective bandwidthrate is
      low enough. This is useful in a situation where AccountMax is only
      used as an additional safeguard or to provide statistics.
    - Prepend an informative header to generated dynamic_dh_params files.
    - If EntryNodes are given, but UseEntryGuards is set to 0, warn that
      EntryNodes will have no effect. Resolves issue 2571.
    - Log more useful messages when we fail to disable debugger
    - Log which authority we're missing votes from when we go to fetch
      them from the other auths.
    - Log (at debug level) whenever a circuit's purpose is changed.
    - Add missing documentation for the MaxClientCircuitsPending,
      UseMicrodescriptors, UserspaceIOCPBuffers, and
      _UseFilteringSSLBufferevents options, all introduced during
      the 0.2.3.x series.
    - Update to the January 3 2012 Maxmind GeoLite Country database.

  o Minor bugfixes (hidden services):
    - Don't close hidden service client circuits which have almost
      finished connecting to their destination when they reach
      the normal circuit-build timeout. Previously, we would close
      introduction circuits which are waiting for an acknowledgement
      from the introduction point, and rendezvous circuits which have
      been specified in an INTRODUCE1 cell sent to a hidden service,
      after the normal CBT. Now, we mark them as 'timed out', and launch
      another rendezvous attempt in parallel. This behavior change can
      be disabled using the new CloseHSClientCircuitsImmediatelyOnTimeout
      option. Fixes part of bug 1297; bugfix on
    - Don't close hidden-service-side rendezvous circuits when they
      reach the normal circuit-build timeout. This behaviour change can
      be disabled using the new
      CloseHSServiceRendCircuitsImmediatelyOnTimeout option. Fixes the
      remaining part of bug 1297; bugfix on
    - Make sure we never mark the wrong rendezvous circuit as having
      had its introduction cell acknowleged by the introduction-point
      relay. Previously, when we received an INTRODUCE_ACK cell on a
      client-side hidden-service introduction circuit, we might have
      marked a rendezvous circuit other than the one we specified in
      the INTRODUCE1 cell as INTRO_ACKED, which would have produced
      a warning message and interfered with the hidden service
      connection-establishment process. Fixes bug 4759; bugfix on, when we added the stream-isolation feature which
      might cause Tor to open multiple rendezvous circuits for the same
      hidden service.
    - Don't trigger an assertion failure when we mark a new client-side
      hidden-service introduction circuit for close during the process
      of creating it. Fixes bug 4796; bugfix on Reported
      by murb.

  o Minor bugfixes (log messages):
    - Correctly spell "connect" in a log message on failure to create a
      controlsocket. Fixes bug 4803; bugfix on and
    - Fix a typo in a log message in rend_service_rendezvous_has_opened().
      Fixes bug 4856; bugfix on Tor 0.0.6.
    - Fix the log message describing how we work around discovering
      that our version is the ill-fated OpenSSL 0.9.8l. Fixes bug
      4837; bugfix on
    - When logging about a disallowed .exit name, do not also call it
      an "invalid onion address". Fixes bug 3325; bugfix on

  o Minor bugfixes (build fixes):
    - During configure, detect when we're building with clang version
      3.0 or lower and disable the -Wnormalized=id and -Woverride-init
      CFLAGS. clang doesn't support them yet.
    - During configure, search for library containing cos function as
      libm lives in libcore on some platforms (BeOS/Haiku). Linking
      against libm was hard-coded before. Fixes the first part of bug
      4727; bugfix on Patch and analysis by Martin Hebnes
    - Detect attempts to build Tor on (as yet hypothetical) versions
      of Windows where sizeof(intptr_t) != sizeof(SOCKET). Partial
      fix for bug 4533. Bugfix on
    - Preprocessor directives should not be put inside the arguments
      of a macro. This would break compilation with GCC releases prior
      to version 3.3. We would never recommend such an old GCC version,
      but it is apparently required for binary compatibility on some
      platforms (namely, certain builds of Haiku). Fixes the other part
      of bug 4727; bugfix on Patch and analysis by Martin
      Hebnes Pedersen.

  o Minor bugfixes (other):
    - Older Linux kernels erroneously respond to strange nmap behavior
      by having accept() return successfully with a zero-length
      socket. When this happens, just close the connection. Previously,
      we would try harder to learn the remote address: but there was
      no such remote address to learn, and our method for trying to
      learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
      on Reported and diagnosed by "r1eo".
    - Fix null-pointer access that could occur if TLS allocation failed.
      Fixes bug 4531; bugfix on Found by "troll_un". This was
      erroneously listed as fixed in, but the fix had
      accidentally been reverted.
    - Fix our implementation of crypto_random_hostname() so it can't
      overflow on ridiculously large inputs. (No Tor version has ever
      provided this kind of bad inputs, but let's be correct in depth.)
      Fixes bug 4413; bugfix on Fix by Stephen Palmateer.
    - Find more places in the code that should have been testing for
      invalid sockets using the SOCKET_OK macro. Required for a fix
      for bug 4533. Bugfix on
    - Fix an assertion failure when, while running with bufferevents, a
      connection finishes connecting after it is marked for close, but
      before it is closed. Fixes bug 4697; bugfix on
    - test_util_spawn_background_ok() hardcoded the expected value
      for ENOENT to 2. This isn't portable as error numbers are
      platform specific, and particularly the hurd has ENOENT at
      0x40000002. Construct expected string at runtime, using the correct
      value for ENOENT. Fixes bug 4733; bugfix on
    - Reject attempts to disable DisableDebuggerAttachment while Tor is
      running. Fixes bug 4650; bugfix on
    - Use an appropriate-width type for sockets in tor-fw-helper on
      win64. Fixes bug 1983 at last. Bugfix on

  o Feature removal:
    - When sending or relaying a RELAY_EARLY cell, we used to convert
      it to a RELAY cell if the connection was using the v1 link
      protocol. This was a workaround for older versions of Tor, which
      didn't handle RELAY_EARLY cells properly. Now that all supported
      versions can handle RELAY_EARLY cells, and now that we're enforcing
      the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
      remove this workaround. Addresses bug 4786.

  o Code simplifications and refactoring:
    - Use OpenSSL's built-in SSL_state_string_long() instead of our
      own homebrewed ssl_state_to_string() replacement. Patch from
      Emile Snyder. Fixes bug 4653.
    - Use macros to indicate OpenSSL versions, so we don't need to worry
      about accidental hexadecimal bit shifts.
    - Remove some workaround code for OpenSSL 0.9.6 (which is no longer
    - Convert more instances of tor_snprintf+tor_strdup into tor_asprintf.
    - Use the smartlist_add_asprintf() alias more consistently.
    - Use a TOR_INVALID_SOCKET macro when initializing a socket to an
      invalid value, rather than just -1.
    - Rename a handful of old identifiers, mostly related to crypto
      structures and crypto functions. By convention, our "create an
      object" functions are called "type_new()", our "free an object"
      functions are called "type_free()", and our types indicate that
      they are types only with a final "_t". But a handful of older
      types and functions broke these rules, with function names like
      "type_create" or "subsystem_op_type", or with type names like

Attachment: signature.asc
Description: Digital signature

tor-talk mailing list