[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-announce] New stable Tor release:

Hello, everyone!

(If you are about to reply saying "please take me off this list",
instead please follow these instructions:
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ .
If you have trouble, it is probably because you subscribed using a
different address than the one you are trying to unsubscribe with. You
will have to enter the actual email address you used when you

After months of work, Tor is now available! This is the first
stable release in the 0.4.5.x series, and we hope you find it useful.

You can download the source code from the download page at
https://www.torproject.org/download/tor/ . Packages should be
available within the next several weeks, with a new Tor Browser likely
in a week or so.

Changes in version - 2021-02-15
  The Tor 0.4.5.x release series is dedicated to the memory of Karsten
  Loesing (1979-2020), Tor developer, cypherpunk, husband, and father.
  Karsten is best known for creating the Tor metrics portal and leading
  the metrics team, but he was involved in Tor from the early days. For
  example, while he was still a student he invented and implemented the
  v2 onion service directory design, and he also served as an ambassador
  to the many German researchers working in the anonymity field. We
  loved him and respected him for his patience, his consistency, and his
  welcoming approach to growing our community.

  This release series introduces significant improvements in relay IPv6
  address discovery, a new "MetricsPort" mechanism for relay operators
  to measure performance, LTTng support, build system improvements to
  help when using Tor as a static library, and significant bugfixes
  related to Windows relay performance. It also includes numerous
  smaller features and bugfixes.

  Below are the changes since For a list of changes since, see the ChangeLog file.

  o Major features (build):
    - When building Tor, first link all object files into a single
      static library. This may help with embedding Tor in other
      programs. Note that most Tor functions do not constitute a part of
      a stable or supported API: only those functions in tor_api.h
      should be used if embedding Tor. Closes ticket 40127.

  o Major features (metrics):
    - Introduce a new MetricsPort which exposes, through an HTTP
      interface, a series of metrics that tor collects at runtime. At
      the moment, the only supported output format is Prometheus data
      model. Closes ticket 40063. See the manual page for more
      information and security considerations.

  o Major features (relay, IPv6):
    - The torrc option Address now supports IPv6. This unifies our
      address discovery interface to support IPv4, IPv6, and hostnames.
      Closes ticket 33233.
    - Launch IPv4 and IPv6 ORPort self-test circuits on relays and
      bridges. Closes ticket 33222.
    - Relays now automatically bind on IPv6 for their ORPort, unless
      specified otherwise with the IPv4Only flag. Closes ticket 33246.
    - When a relay with IPv6 support is told to open a connection to
      another relay, and the extend cell lists both IPv4 and IPv6
      addresses, the first relay now picks randomly which address to
      use. Closes ticket 33220.
    - Relays now track their IPv6 ORPort reachability separately from
      the reachability of their IPv4 ORPort. They will not publish a
      descriptor unless _both_ ports appear to be externally reachable.
      Closes ticket 34067.

  o Major features (tracing):
    - Add event-tracing library support for USDT and LTTng-UST, and a
      few tracepoints in the circuit subsystem. More will come
      incrementally. This feature is compiled out by default: it needs
      to be enabled at configure time. See documentation in
      doc/HACKING/Tracing.md. Closes ticket 32910.

  o Major bugfixes (directory cache, performance, windows):
    - Limit the number of items in the consensus diff cache to 64 on
      Windows. We hope this will mitigate an issue where Windows relay
      operators reported Tor using 100% CPU, while we investigate better
      solutions. Fixes bug 24857; bugfix on

  o Major bugfixes (relay, windows):
    - Fix a bug in our implementation of condition variables on Windows.
      Previously, a relay on Windows would use 100% CPU after running
      for some time. Because of this change, Tor now require Windows
      Vista or later to build and run. Fixes bug 30187; bugfix on (This bug became more serious in with
      the introduction of consensus diffs.) Patch by Daniel Pinto.

  o Major bugfixes (TLS, buffer):
    - When attempting to read N bytes on a TLS connection, really try to
      read all N bytes. Previously, Tor would stop reading after the
      first TLS record, which can be smaller than the N bytes requested,
      and not check for more data until the next mainloop event. Fixes
      bug 40006; bugfix on

  o Minor features (address discovery):
    - If no Address statements are found, relays now prioritize guessing
      their address by looking at the local interface instead of the
      local hostname. If the interface address can't be found, the local
      hostname is used. Closes ticket 33238.

  o Minor features (admin tools):
    - Add a new --format argument to -key-expiration option to allow
      specifying the time format of the expiration date. Adds Unix
      timestamp format support. Patch by Daniel Pinto. Closes
      ticket 30045.

  o Minor features (authority, logging):
    - Log more information for directory authority operators during the
      consensus voting process, and while processing relay descriptors.
      Closes ticket 40245.

  o Minor features (bootstrap reporting):
    - When reporting bootstrapping status on a relay, do not consider
      connections that have never been the target of an origin circuit.
      Previously, all connection failures were treated as potential
      bootstrapping failures, including connections that had been opened
      because of client requests. Closes ticket 25061.

  o Minor features (build):
    - When running the configure script, try to detect version
      mismatches between the OpenSSL headers and libraries, and suggest
      that the user should try "--with-openssl-dir". Closes 40138.
    - If the configure script has given any warnings, remind the user
      about them at the end of the script. Related to 40138.

  o Minor features (configuration):
    - Allow using wildcards (* and ?) with the %include option on
      configuration files. Closes ticket 25140. Patch by Daniel Pinto.
    - Allow the configuration options EntryNodes, ExcludeNodes,
      ExcludeExitNodes, ExitNodes, MiddleNodes, HSLayer2Nodes and
      HSLayer3Nodes to be specified multiple times. Closes ticket 28361.
      Patch by Daniel Pinto.

  o Minor features (control port):
    - Add a DROPTIMEOUTS command to drop circuit build timeout history
      and reset the current timeout. Closes ticket 40002.
    - When a stream enters the AP_CONN_STATE_CONTROLLER_WAIT status,
      send a control port event. Closes ticket 32190. Patch by
      Neel Chauhan.
    - Introduce GETINFO "stats/ntor/{assigned/requested}" and
      "stats/tap/{assigned/requested}" to get the NTor and TAP circuit
      onion handshake counts respectively. Closes ticket 28279. Patch by
      Neel Chauhan.

  o Minor features (control port, IPv6):
    - Tor relays now try to report to the controller when they are
      launching an IPv6 self-test. Closes ticket 34068.
    - Introduce "GETINFO address/v4" and "GETINFO address/v6" in the
      control port to fetch the Tor host's respective IPv4 or IPv6
      address. We keep "GETINFO address" for backwards-compatibility.
      Closes ticket 40039. Patch by Neel Chauhan.

  o Minor features (directory authorities):
    - Add a new consensus method 30 that removes the unnecessary "="
      padding from ntor-onion-key. Closes ticket 7869. Patch by
      Daniel Pinto.
    - Directory authorities now reject descriptors from relays running
      Tor versions from the obsolete 0.4.1 series. Resolves ticket
      34357. Patch by Neel Chauhan.
    - The AssumeReachable option no longer stops directory authorities
      from checking whether other relays are running. A new
      AuthDirTestReachability option can be used to disable these
      checks. Closes ticket 34445.
    - When looking for possible Sybil attacks, also consider IPv6
      addresses. Two routers are considered to have "the same" address
      by this metric if they are in the same /64 network. Patch from
      Maurice Pibouin. Closes ticket 7193.

  o Minor features (directory authorities, IPv6):
    - Make authorities add their IPv6 ORPort (if any) to the trusted
      servers list. Authorities previously added only their IPv4
      addresses. Closes ticket 32822.

  o Minor features (documentation):
    - Mention the "!badexit" directive that can appear in an authority's
      approved-routers file, and update the description of the
      "!invalid" directive. Closes ticket 40188.

  o Minor features (ed25519, relay):
    - Save a relay's base64-encoded ed25519 identity key to the data
      directory in a file named fingerprint-ed25519. Closes ticket
      30642. Patch by Neel Chauhan.

  o Minor features (heartbeat):
    - Include the total number of inbound and outbound IPv4 and IPv6
      connections in the heartbeat message. Closes ticket 29113.

  o Minor features (IPv6, ExcludeNodes):
    - Handle IPv6 addresses in ExcludeNodes; previously they were
      ignored. Closes ticket 34065. Patch by Neel Chauhan.

  o Minor features (logging):
    - Add the running glibc version to the log, and the compiled glibc
      version to the library list returned when using --library-versions.
      Patch from Daniel Pinto. Closes ticket 40047.
    - Consider an HTTP 301 response to be an error (like a 404) when
      processing a directory response. Closes ticket 40053.
    - Log directory fetch statistics as a single line. Closes
      ticket 40159.
    - Provide more complete descriptions of our connections when logging
      about them. Closes ticket 40041.
    - When describing a relay in the logs, we now include its ed25519
      identity. Closes ticket 22668.

  o Minor features (onion services):
    - Only overwrite an onion service's existing hostname file if its
      contents are wrong. This enables read-only onion-service
      directories. Resolves ticket 40062. Patch by Neel Chauhan.

  o Minor features (pluggable transports):
    - Add an OutboundBindAddressPT option to allow users to specify
      which IPv4 and IPv6 address pluggable transports should use for
      outgoing IP packets. Tor does not have a way to enforce that the
      pluggable transport honors this option, so each pluggable transport
      needs to implement support on its own. Closes ticket 5304.

  o Minor features (protocol, proxy support, defense in depth):
    - Respond more deliberately to misbehaving proxies that leave
      leftover data on their connections, so as to make Tor even less
      likely to allow the proxies to pass their data off as having come
      from a relay. Closes ticket 40017.

  o Minor features (relay address tracking):
    - We now store relay addresses for OR connections in a more logical
      way. Previously we would sometimes overwrite the actual address of
      a connection with a "canonical address", and then store the "real
      address" elsewhere to remember it. We now track the "canonical
      address" elsewhere for the cases where we need it, and leave the
      connection's address alone. Closes ticket 33898.

  o Minor features (relay):
    - If a relay is unable to discover its address, attempt to learn it
      from the NETINFO cell. Closes ticket 40022.
    - Log immediately when launching a relay self-check. Previously we
      would try to log before launching checks, or approximately when we
      intended to launch checks, but this tended to be error-prone.
      Closes ticket 34137.

  o Minor features (relay, address discovery):
    - If Address option is not found in torrc, attempt to learn our
      address with the configured ORPort address if any. Closes
      ticket 33236.

  o Minor features (relay, IPv6):
    - Add an AssumeReachableIPv6 option to disable self-checking IPv6
      reachability. Closes part of ticket 33224.
    - Add new "assume-reachable" and "assume-reachable-ipv6" consensus
      parameters to be used in an emergency to tell relays that they
      should publish even if they cannot complete their ORPort self-
      checks. Closes ticket 34064 and part of 33224.
    - Allow relays to send IPv6-only extend cells. Closes ticket 33222.
    - Declare support for the Relay=3 subprotocol version. Closes
      ticket 33226.
    - When launching IPv6 ORPort self-test circuits, make sure that the
      second-last hop can initiate an IPv6 extend. Closes ticket 33222.

  o Minor features (safety):
    - Log a warning at startup if Tor is built with compile-time options
      that are likely to make it less stable or reliable. Closes
      ticket 18888.

  o Minor features (specification update):
    - Several fields in microdescriptors, router descriptors, and
      consensus documents that were formerly optional are now required.
      Implements proposal 315; closes ticket 40132.

  o Minor features (state management):
    - When loading the state file, remove entries from the statefile
      that have been obsolete for a long time. Ordinarily Tor preserves
      unrecognized entries in order to keep forward-compatibility, but
      these entries have not actually been used in any release since
      before 0.3.5.x. Closes ticket 40137.

  o Minor features (statistics, ipv6):
    - Relays now publish IPv6-specific counts of single-direction versus
      bidirectional relay connections. Closes ticket 33264.
    - Relays now publish their IPv6 read and write statistics over time,
      if statistics are enabled. Closes ticket 33263.

  o Minor features (subprotocol versions):
    - Use the new limitations on subprotocol versions due to proposal
      318 to simplify our implementation. Part of ticket 40133.

  o Minor features (testing configuration):
    - The TestingTorNetwork option no longer implicitly sets
      AssumeReachable to 1. This change allows us to test relays' self-
      testing mechanisms, and to test authorities' relay-testing
      functionality. Closes ticket 34446.

  o Minor features (testing):
    - Added unit tests for channel_matches_target_addr_for_extend().
      Closes Ticket 33919. Patch by MrSquanchee.

  o Minor bugfixes (circuit padding):
    - When circpad_send_padding_cell_for_callback is called,
      `is_padding_timer_scheduled` flag was not reset. Now it is set to
      0 at the top of that function. Fixes bug 32671; bugfix
    - Add a per-circuit padding machine instance counter, so we can
      differentiate between shutdown requests for old machines on a
      circuit. Fixes bug 30992; bugfix on
    - Add the ability to keep circuit padding machines if they match a
      set of circuit states or purposes. This allows us to have machines
      that start up under some conditions but don't shut down under
      others. We now use this mask to avoid starting up introduction
      circuit padding again after the machines have already completed.
      Fixes bug 32040; bugfix on

  o Minor bugfixes (circuit, handshake):
    - In the v3 handshaking code, use connection_or_change_state() to
      change the state. Previously, we changed the state directly, but
      this did not pass the state change to the pubsub or channel
      objects, potentially leading to bugs. Fixes bug 32880; bugfix on Patch by Neel Chauhan.

  o Minor bugfixes (compilation):
    - Change the linker flag ordering in our library search code so that
      it works for compilers that need the libraries to be listed in the
      right order. Fixes bug 33624; bugfix on
    - Fix the "--enable-static-tor" switch to properly set the "-static"
      compile option onto the tor binary only. Fixes bug 40111; bugfix

  o Minor bugfixes (configuration):
    - Exit Tor on a misconfiguration when the Bridge line is configured
      to use a transport but no corresponding ClientTransportPlugin can
      be found. Prior to this fix, Tor would attempt to connect to the
      bridge directly without using the transport, making it easier for
      adversaries to notice the bridge. Fixes bug 25528; bugfix

  o Minor bugfixes (control port):
    - Make sure we send the SOCKS request address in relay begin cells
      when a stream is attached with the purpose
      CIRCUIT_PURPOSE_CONTROLLER. Fixes bug 33124; bugfix on 0.0.5.
      Patch by Neel Chauhan.

  o Minor bugfixes (crash, relay, signing key):
    - Avoid assertion failures when we run Tor from the command line
      with `--key-expiration sign`, but an ORPort is not set. Fixes bug
      40015; bugfix on Patch by Neel Chauhan.

  o Minor bugfixes (logging):
    - Avoid a spurious log message about missing subprotocol versions,
      when the consensus that we're reading from is older than the
      current release. Previously we had made this message nonfatal, but
      in practice, it is never relevant when the consensus is older than
      the current release. Fixes bug 40281; bugfix on
    - Remove trailing whitespace from control event log messages. Fixes
      bug 32178; bugfix on Based on a patch by
      Amadeusz Pawlik.
    - Turn warning-level log message about SENDME failure into a debug-
      level message. (This event can happen naturally, and is no reason
      for concern). Fixes bug 40142; bugfix on
    - When logging a rate-limited message about how many messages have
      been suppressed in the last N seconds, give an accurate value for
      N, rounded up to the nearest minute. Previously we would report
      the size of the rate-limiting interval, regardless of when the
      messages started to occur. Fixes bug 19431; bugfix

  o Minor bugfixes (onion services):
    - Avoid a non-fatal assertion in certain edge-cases when
      establishing a circuit to an onion service. Fixes bug 32666;
      bugfix on

  o Minor bugfixes (rust, protocol versions):
    - Declare support for the onion service introduction point denial of
      service extensions when building with Rust. Fixes bug 34248;
      bugfix on
    - Make Rust protocol version support checks consistent with the
      undocumented error behavior of the corresponding C code. Fixes bug
      34251; bugfix on

  o Minor bugfixes (self-testing):
    - When receiving an incoming circuit, only accept it as evidence
      that we are reachable if the declared address of its channel is
      the same address we think that we have. Otherwise, it could be
      evidence that we're reachable on some other address. Fixes bug
      20165; bugfix on

  o Minor bugfixes (spec conformance):
    - Use the correct key type when generating signing->link
      certificates. Fixes bug 40124; bugfix on

  o Minor bugfixes (subprotocol versions):
    - Consistently reject extra commas, instead of only rejecting
      leading commas. Fixes bug 27194; bugfix on
    - In summarize_protover_flags(), treat empty strings the same as
      NULL. This prevents protocols_known from being set. Previously, we
      treated empty strings as normal strings, which led to
      protocols_known being set. Fixes bug 34232; bugfix on Patch by Neel Chauhan.

  o Code simplification and refactoring:
    - Add and use a set of functions to perform down-casts on constant
      connection and channel pointers. Closes ticket 40046.
    - Refactor our code that logs descriptions of connections, channels,
      and the peers on them, to use a single call path. This change
      enables us to refactor the data types that they use, and eliminates
      many confusing usages of those types. Closes ticket 40041.
    - Refactor some common node selection code into a single function.
      Closes ticket 34200.
    - Remove the now-redundant 'outbuf_flushlen' field from our
      connection type. It was previously used for an older version of
      our rate-limiting logic. Closes ticket 33097.
    - Rename "fascist_firewall_*" identifiers to "reachable_addr_*"
      instead, for consistency with other code. Closes ticket 18106.
    - Rename functions about "advertised" ports which are not in fact
      guaranteed to return the ports that have been advertised. Closes
      ticket 40055.
    - Split implementation of several command line options from
      options_init_from_torrc into smaller isolated functions. Patch by
      Daniel Pinto. Closes ticket 40102.
    - When an extend cell is missing an IPv4 or IPv6 address, fill in
      the address from the extend info. This is similar to what was done
      in ticket 33633 for ed25519 keys. Closes ticket 33816. Patch by
      Neel Chauhan.

  o Deprecated features:
    - The "non-builtin" argument to the "--dump-config" command is now
      deprecated. When it works, it behaves the same as "short", which
      you should use instead. Closes ticket 33398.

  o Documentation:
    - Replace URLs from our old bugtracker so that they refer to the new
      bugtracker and wiki. Closes ticket 40101.

  o Removed features:
    - We no longer ship or build a "tor.service" file for use with
      systemd. No distribution included this script unmodified, and we
      don't have the expertise ourselves to maintain this in a way that
      all the various systemd-based distributions can use. Closes
      ticket 30797.
    - We no longer ship support for the Android logging API. Modern
      versions of Android can use the syslog API instead. Closes
      ticket 32181.
    - The "optimistic data" feature is now always on; there is no longer
      an option to disable it from the torrc file or from the consensus
      directory. Closes part of 40139.
    - The "usecreatefast" network parameter is now removed; there is no
      longer an option for authorities to turn it off. Closes part
      of 40139.

  o Testing:
    - Add unit tests for bandwidth statistics manipulation functions.
      Closes ticket 33812. Patch by MrSquanchee.

  o Code simplification and refactoring (autoconf):
    - Remove autoconf checks for unused funcs and headers. Closes ticket
      31699; Patch by @bduszel

  o Code simplification and refactoring (maintainer scripts):
    - Disable by default the pre-commit hook. Use the environment
      variable TOR_EXTRA_PRE_COMMIT_CHECKS in order to run it.
      Furthermore, stop running practracker in the pre-commit hook and
      make check-local. Closes ticket 40019.

  o Code simplification and refactoring (relay address):
    - Most of IPv4 representation was using "uint32_t". It has now been
      moved to use the internal "tor_addr_t" interface instead. This is
      so we can properly integrate IPv6 along IPv4 with common
      interfaces. Closes ticket 40043.

  o Documentation (manual page):
    - Move them from doc/ to doc/man/. Closes ticket 40044.
    - Describe the status of the "Sandbox" option more accurately. It is
      no longer "experimental", but it _is_ dependent on kernel and libc
      versions. Closes ticket 23378.

  o Documentation (tracing):
    - Document in depth the circuit subsystem trace events in the new
      doc/tracing/EventsCircuit.md. Closes ticket 40036.

  o Removed features (controller):
    - Remove the "GETINFO network-status" controller command. It has
      been deprecated since Closes ticket 22473.
tor-announce mailing list