[tor-talk] Tor 0.2.8.1-alpha is released.
Tor 0.2.8.1-alpha is the first alpha release in its series. It
includes numerous small features and bugfixes against previous Tor
versions, and numerous small infrastructure improvements. The most
notable features are a set of improvements to the directory subsystem.
You can download the source from the usual place on the website.
Packages should be available over the next several days.
PLEASE NOTE: This is an alpha release. Expect a lot of bugs. Only
run this release if you're willing to find bugs and report them. :)
Changes in version 0.2.8.1-alpha - 2016-02-04
o Major features (security, Linux):
- When Tor starts as root on Linux and is told to switch user ID, it
can now retain the capability to bind to low ports. By default,
Tor will do this only when it's switching user ID and some low
ports have been configured. You can change this behavior with the
new option KeepBindCapabilities. Closes ticket 8195.
o Major features (directory system):
- When bootstrapping multiple consensus downloads at a time, use the
first one that starts downloading, and close the rest. This
reduces failures when authorities or fallback directories are slow
or down. Together with the code for feature 15775, this feature
should reduce failures due to fallback churn. Implements ticket
4483. Patch by "teor". Implements IPv4 portions of proposal 210 by
"mikeperry" and "teor".
- Include a trial list of default fallback directories, based on an
opt-in survey of suitable relays. Doing this should make clients
bootstrap more quickly and reliably, and reduce the load on the
directory authorities. Closes ticket 15775. Patch by "teor".
Candidates identified using an OnionOO script by "weasel", "teor",
"gsathya", and "karsten".
- Previously only relays that explicitly opened a directory port
(DirPort) accepted directory requests from clients. Now all
relays, with and without a DirPort, accept and serve tunneled
directory requests that they receive through their ORPort. You can
disable this behavior using the new DirCache option. Closes
ticket 12538.
o Major key updates:
- Update the V3 identity key for the dannenberg directory authority:
it was changed on 18 November 2015. Closes task 17906. Patch
by "teor".
o Minor features (security, clock):
- Warn when the system clock appears to move back in time (when the
state file was last written in the future). Tor doesn't know that
consensuses have expired if the clock is in the past. Patch by
"teor". Implements ticket 17188.
o Minor features (security, exit policies):
- ExitPolicyRejectPrivate now rejects more private addresses by
default. Specifically, it now rejects the relay's outbound bind
addresses (if configured), and the relay's configured port
addresses (such as ORPort and DirPort). Fixes bug 17027; bugfix on
0.2.0.11-alpha. Patch by "teor".
o Minor features (security, memory erasure):
- Set the unused entries in a smartlist to NULL. This helped catch
a (harmless) bug, and shouldn't affect performance too much.
Implements ticket 17026.
- Use SecureMemoryWipe() function to securely clean memory on
Windows. Previously we'd use OpenSSL's OPENSSL_cleanse() function.
Implements feature 17986.
- Use explicit_bzero or memset_s when present. Previously, we'd use
OpenSSL's OPENSSL_cleanse() function. Closes ticket 7419; patches
from <logan@xxxxxxxxxx> and <selven@xxxxxxxxxx>.
- Make memwipe() do nothing when passed a NULL pointer or buffer of
zero size. Check size argument to memwipe() for underflow. Fixes
bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
patch by "teor".
o Minor features (security, RNG):
- Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely,
positively are not allowed to fail. Previously we depended on
internal details of OpenSSL's behavior. Closes ticket 17686.
- Never use the system entropy output directly for anything besides
seeding the PRNG. When we want to generate important keys, instead
of using system entropy directly, we now hash it with the PRNG
stream. This may help resist certain attacks based on broken OS
entropy implementations. Closes part of ticket 17694.
- Use modern system calls (like getentropy() or getrandom()) to
generate strong entropy on platforms that have them. Closes
ticket 13696.
o Minor features (accounting):
- Added two modes to the AccountingRule option: One for limiting
only the number of bytes sent ("AccountingRule out"), and one for
limiting only the number of bytes received ("AccountingRule in").
Closes ticket 15989; patch from "unixninja92".
o Minor features (build):
- Since our build process now uses "make distcheck", we no longer
force "make dist" to depend on "make check". Closes ticket 17893;
patch from "cypherpunks."
- Tor now builds successfully with the recent OpenSSL 1.1
development branch, and with the latest LibreSSL. Closes tickets
17549, 17921, and 17984.
o Minor features (controller):
- Add the FallbackDir entries to 'GETINFO config/defaults'. Closes
tickets 16774 and 17817. Patch by George Tankersley.
- New 'GETINFO hs/service/desc/id/' command to retrieve a hidden
service descriptor from a service's local hidden service
descriptor cache. Closes ticket 14846.
- Add 'GETINFO exit-policy/reject-private/[default,relay]', so
controllers can examine the reject rules added by
ExitPolicyRejectPrivate. This makes it easier for stem to display
exit policies.
o Minor features (crypto):
- Add SHA512 support to crypto.c. Closes ticket 17663; patch from
George Tankersley.
- Add SHA3 and SHAKE support to crypto.c. Closes ticket 17783.
- When allocating a digest state object, allocate no more space than
we actually need. Previously, we would allocate as much space as
the state for the largest algorithm would need. This change saves
up to 672 bytes per circuit. Closes ticket 17796.
- Improve performance when hashing buffers whose size is not a
multiple of 8, based on Andrew Moon's public domain SipHash-2-4
implementation. Fixes bug 17544; bugfix on 0.2.5.3-alpha.
o Minor features (directory downloads):
- Wait for busy authorities and fallback directories to become non-
busy when bootstrapping. (A similar change was made in 6c443e987d
for directory caches chosen from the consensus.) Closes ticket
17864; patch by "teor".
- Add UseDefaultFallbackDirs, which enables any hard-coded fallback
directory mirrors. The default is 1; set it to 0 to disable
fallbacks. Implements ticket 17576. Patch by "teor".
o Minor features (geoip):
- Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
Country database.
o Minor features (IPv6):
- Add an argument 'ipv6=address:orport' to the DirAuthority and
FallbackDir torrc options, to specify an IPv6 address for an
authority or fallback directory. Add hard-coded ipv6 addresses for
directory authorities that have them. Closes ticket 17327; patch
from Nick Mathewson and "teor".
- Add address policy assume_action support for IPv6 addresses.
- Limit IPv6 mask bits to 128.
- Warn when comparing against an AF_UNSPEC address in a policy; it's
almost always a bug. Closes ticket 17863; patch by "teor".
- Allow users to configure directory authorities and fallback
directory servers with IPv6 addresses and ORPorts. Resolves
ticket 6027.
- routerset_parse now accepts IPv6 literal addresses. Fixes bug
17060; bugfix on 0.2.1.3-alpha. Patch by "teor".
- Make tor_ersatz_socketpair work on IPv6-only systems. Fixes bug
17638; bugfix on 0.0.2pre8. Patch by "teor".
o Minor features (logging):
- When logging to syslog, allow a tag to be added to the syslog
identity (the string prepended to every log message). The tag can
be configured with SyslogIdentityTag and defaults to none. Setting
it to "foo" will cause logs to be tagged as "Tor-foo". Closes
ticket 17194.
o Minor features (portability):
- Use timingsafe_memcmp() where available. Closes ticket 17944;
patch from <logan@xxxxxxxxxx>.
o Minor features (relay, address discovery):
- Add a family argument to get_interface_addresses_raw() and
subfunctions to make network interface address interrogation more
efficient. Now Tor can specifically ask for IPv4, IPv6 or both
types of interfaces from the operating system. Resolves
ticket 17950.
- When get_interface_address6_list(.,AF_UNSPEC,.) is called and
fails to enumerate interface addresses using the platform-specific
API, have it rely on the UDP socket fallback technique to try and
find out what IP addresses (both IPv4 and IPv6) our machine has.
Resolves ticket 17951.
o Minor features (replay cache):
- The replay cache now uses SHA256 instead of SHA1. Implements
feature 8961. Patch by "teor", issue reported by "rransom".
o Minor features (unix file permissions):
- Defer creation of Unix sockets until after setuid. This avoids
needing CAP_CHOWN and CAP_FOWNER when using systemd's
CapabilityBoundingSet, or chown and fowner when using SELinux.
Implements part of ticket 17562. Patch from Jamie Nguyen.
- If any directory created by Tor is marked as group readable, the
filesystem group is allowed to be either the default GID or the
root user. Allowing root to read the DataDirectory prevents the
need for CAP_READ_SEARCH when using systemd's
CapabilityBoundingSet, or dac_read_search when using SELinux.
Implements part of ticket 17562. Patch from Jamie Nguyen.
- Introduce a new DataDirectoryGroupReadable option. If it is set to
1, the DataDirectory will be made readable by the default GID.
Implements part of ticket 17562. Patch from Jamie Nguyen.
o Minor bugfixes (accounting):
- The max bandwidth when using 'AccountingRule sum' is now correctly
logged. Fixes bug 18024; bugfix on 0.2.6.1-alpha. Patch
from "unixninja92".
o Minor bugfixes (code correctness):
- When closing an entry connection, generate a warning if we should
have sent an end cell for it but we haven't. Fixes bug 17876;
bugfix on 0.2.3.2-alpha.
- Assert that allocated memory held by the reputation code is freed
according to its internal counters. Fixes bug 17753; bugfix
on tor-0.1.1.1-alpha.
- Assert when the TLS contexts fail to initialize. Fixes bug 17683;
bugfix on 0.0.6.
o Minor bugfixes (compilation):
- Mark all object files that include micro-revision.i as depending
on it, so as to make parallel builds more reliable. Fixes bug
17826; bugfix on 0.2.5.1-alpha.
- Don't try to use the pthread_condattr_setclock() function unless
it actually exists. Fixes compilation on NetBSD-6.x. Fixes bug
17819; bugfix on 0.2.6.3-alpha.
- Fix backtrace compilation on FreeBSD. Fixes bug 17827; bugfix
on tor-0.2.5.2-alpha.
- Fix compilation of sandbox.c with musl-libc. Fixes bug 17347;
bugfix on 0.2.5.1-alpha. Patch from 'jamestk'.
- Fix search for libevent libraries on OpenBSD (and other systems
that install libevent 1 and libevent 2 in parallel). Fixes bug
16651; bugfix on 0.1.0.7-rc. Patch from "rubiate".
- Isolate environment variables meant for tests from the rest of the
build system. Fixes bug 17818; bugfix on tor-0.2.7.3-rc.
- Replace usage of 'INLINE' with 'inline'. Fixes bug 17804; bugfix
on tor-0.0.2pre8.
- Remove config.log only from make distclean, not from make clean.
Fixes bug 17924; bugfix on 0.2.4.1-alpha.
o Minor bugfixes (crypto):
- Check the return value of HMAC() and assert on failure. Fixes bug
17658; bugfix on 0.2.3.6-alpha. Patch by "teor".
o Minor bugfixes (fallback directories):
- Mark fallbacks as "too busy" when they return a 503 response,
rather than just marking authorities. Fixes bug 17572; bugfix on
0.2.4.7-alpha. Patch by "teor".
o Minor bugfixes (IPv6):
- Update the limits in max_dl_per_request for IPv6 address length.
Fixes bug 17573; bugfix on 0.2.1.5-alpha.
o Minor bugfixes (linux seccomp2 sandbox):
- Fix a crash when using offline master ed25519 keys with the Linux
seccomp2 sandbox enabled. Fixes bug 17675; bugfix on 0.2.7.3-alpha.
o Minor bugfixes (logging):
- In log messages that include a function name, use __FUNCTION__
instead of __PRETTY_FUNCTION__. In GCC, these are synonymous, but
with clang __PRETTY_FUNCTION__ has extra information we don't
need. Fixes bug 16563; bugfix on 0.0.2pre8. Fix by Tom van
der Woerdt.
- Remove needless quotes from a log message about unparseable
addresses. Fixes bug 17843; bugfix on 0.2.3.3-alpha.
o Minor bugfixes (portability):
- Remove an #endif from configure.ac so that we correctly detect the
presence of in6_addr.s6_addr32. Fixes bug 17923; bugfix
on 0.2.0.13-alpha.
o Minor bugfixes (relays):
- Check that both the ORPort and DirPort (if present) are reachable
before publishing a relay descriptor. Otherwise, relays publish a
descriptor with DirPort 0 when the DirPort reachability test takes
longer than the ORPort reachability test. Fixes bug 18050; bugfix
on 0.1.0.1-rc. Reported by "starlight", patch by "teor".
o Minor bugfixes (relays, hidden services):
- Refuse connection requests to private OR addresses unless
ExtendAllowPrivateAddresses is set. Previously, tor would connect,
then refuse to send any cells to a private address. Fixes bugs
17674 and 8976; bugfix on 0.2.3.21-rc. Patch by "teor".
o Minor bugfixes (safe logging):
- When logging a malformed hostname received through socks4, scrub
it if SafeLogging says we should. Fixes bug 17419; bugfix
on 0.1.1.16-rc.
o Minor bugfixes (statistics code):
- Consistently check for overflow in round_*_to_next_multiple_of
functions, and add unit tests with additional and maximal values.
Fixes part of bug 13192; bugfix on 0.2.2.1-alpha.
- Handle edge cases in the laplace functions: avoid division by
zero, avoid taking the log of zero, and silence clang type
conversion warnings using round and trunc. Add unit tests for edge
cases with maximal values. Fixes part of bug 13192; bugfix
on 0.2.6.2-alpha.
o Minor bugfixes (testing):
- The test for log_heartbeat was incorrectly failing in timezones
with non-integer offsets. Instead of comparing the end of the time
string against a constant, compare it to the output of
format_local_iso_time when given the correct input. Fixes bug
18039; bugfix on 0.2.5.4-alpha.
- Make unit tests pass on IPv6-only systems, and systems without
localhost addresses (like some FreeBSD jails). Fixes bug 17632;
bugfix on 0.2.7.3-rc. Patch by "teor".
- Fix a memory leak in the ntor test. Fixes bug 17778; bugfix
on 0.2.4.8-alpha.
- Check the full results of SHA256 and SHA512 digests in the unit
tests. Bugfix on 0.2.2.4-alpha. Patch by "teor".
o Code simplification and refactoring:
- Move logging of redundant policy entries in
policies_parse_exit_policy_internal into its own function. Closes
ticket 17608; patch from "juce".
- Extract the more complicated parts of circuit_mark_for_close()
into a new function that we run periodically before circuits are
freed. This change removes more than half of the functions
currently in the "blob". Closes ticket 17218.
- Clean up a little duplicated code in
crypto_expand_key_material_TAP(). Closes ticket 17587; patch
from "pfrankw".
- Decouple the list of streams waiting to be attached to circuits
from the overall connection list. This change makes it possible to
attach streams quickly while simplifying Tor's callgraph and
avoiding O(N) scans of the entire connection list. Closes
ticket 17590.
- When a direct directory request fails immediately on launch, mark
the connection for teardown instead of relaunching that request
from inside the code that launches it. This change
simplifies Tor's callback and prevents the directory-request
launching code from invoking itself recursively. Closes
ticket 17589.
- Remove code for configuring OpenSSL dynamic locks; OpenSSL doesn't
use them. Closes ticket 17926.
o Documentation:
- Add a description of the correct use of the '--keygen' command-
line option. Closes ticket 17583; based on text by 's7r'.
- Document the minimum HeartbeatPeriod value. Closes ticket 15638.
- Explain actual minima for BandwidthRate. Closes ticket 16382.
- Fix a minor formatting typo in the manpage. Closes ticket 17791.
- Mention torspec URL in the manpage and point the reader to it
whenever we mention a document that belongs in torspec. Fixes
issue 17392.
o Removed features:
- Remove client-side support for connecting to Tor relays running
versions of Tor before 0.2.3.6-alpha. These relays didn't support
the v3 TLS handshake protocol, and are no longer allowed on the
Tor network. Implements the client side of ticket 11150. Based on
patches by Tom van der Woerdt.
o Testing:
- Add unit tests to check for common RNG failure modes, such as
returning all zeroes, identical values, or incrementing values
(OpenSSL's rand_predictable feature). Patch by "teor".
- Log more information when the backtrace tests fail. Closes ticket
17892. Patch from "cypherpunks."
- Always test both ed25519 backends, so that we can be sure that our
batch-open replacement code works. Part of ticket 16794.
- Cover dns_resolve_impl() in dns.c with unit tests. Implements a
portion of ticket 16831.
- More unit tests for compat_libevent.c, procmon.c, tortls.c,
util_format.c, directory.c, and options_validate.c. Closes tickets
17075, 17082, 17084, 17003, and 17076 respectively. Patches from
Ola Bini.
- Unit tests for directory_handle_command_get. Closes ticket 17004.
Patch from Reinaldo de Souza Jr.
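The memory-erasure items above (no-op on NULL or zero size, reject an underflowed size, and a wipe the compiler cannot drop) can be sketched as follows. This is an added example, not Tor's memwipe(); the names example_memwipe, wipe_tail, all_bytes_are, the WIPE_SIZE_CEILING bound and the HAVE_EXPLICIT_BZERO macro are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed bound for this example: no legitimate buffer is larger than this,
 * so a bigger size_t is treated as a length that wrapped below zero. */
#define WIPE_SIZE_CEILING (SIZE_MAX / 16)

typedef enum { WIPE_BAD_SIZE = -1, WIPE_OK = 0, WIPE_NOOP = 1 } wipe_status;

/* example_memwipe() is a hypothetical name, not Tor's memwipe(). */
wipe_status example_memwipe(void *mem, uint8_t byte, size_t sz)
{
    if (mem == NULL || sz == 0)
        return WIPE_NOOP;                 /* nothing to wipe, touch nothing */
    if (sz > WIPE_SIZE_CEILING)
        return WIPE_BAD_SIZE;             /* wrapped length: refuse to write */
#if defined(HAVE_EXPLICIT_BZERO)          /* assumed configure-time macro */
    explicit_bzero(mem, sz);
    memset(mem, byte, sz);
#else
    /* Fallback: stores through a volatile pointer cannot be removed as
     * dead writes, unlike a plain memset() on a buffer about to be freed. */
    volatile uint8_t *p = (volatile uint8_t *)mem;
    while (sz--)
        *p++ = byte;
#endif
    return WIPE_OK;
}

/* Returns 1 if all n bytes of buf equal byte. */
int all_bytes_are(const void *buf, uint8_t byte, size_t n)
{
    const uint8_t *p = buf;
    for (size_t i = 0; i < n; i++)
        if (p[i] != byte) return 0;
    return 1;
}

/* The bug class the size check catches: "remaining = total - used" when
 * used > total yields a huge size_t instead of a negative number. */
wipe_status wipe_tail(uint8_t *buf, size_t total, size_t used)
{
    return example_memwipe(buf + (used < total ? used : 0), 0, total - used);
}

int main(void)
{
    uint8_t key[32];
    memset(key, 0x5a, sizeof key);        /* constructed stand-in for key material */
    if (example_memwipe(key, 0, sizeof key) != WIPE_OK) return 1;
    if (!all_bytes_are(key, 0, sizeof key)) return 1;
    return wipe_tail(key, 16, 20) == WIPE_BAD_SIZE ? 0 : 1;
}
```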
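The Testing item on RNG failure modes (all zeroes, identical values, incrementing values) describes a check of the following shape. This is an added example, not Tor's unit-test code; check_rng, classify_sample and the four generators are hypothetical names, and the generators are constructed stand-ins (rng_xorshift only plays the role of a healthy source and is not a cryptographic RNG).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SAMPLE_LEN 32
#define N_SAMPLES 4

typedef void (*rng_fn)(uint8_t *out, size_t len);
enum rng_fault { RNG_OK, RNG_ALL_ZERO, RNG_IDENTICAL, RNG_INCREMENTING };

/* One sample is faulty if every byte differs from its predecessor by the
 * same step: step 0 means a constant fill, any other step means a counter. */
static enum rng_fault classify_sample(const uint8_t *s)
{
    uint8_t step = (uint8_t)(s[1] - s[0]);
    for (size_t i = 2; i < SAMPLE_LEN; i++)
        if ((uint8_t)(s[i] - s[i - 1]) != step)
            return RNG_OK;                /* no constant stride */
    if (step != 0)
        return RNG_INCREMENTING;
    return s[0] == 0 ? RNG_ALL_ZERO : RNG_IDENTICAL;
}

/* Draw N_SAMPLES buffers and report the first failure mode seen. */
enum rng_fault check_rng(rng_fn rng)
{
    uint8_t prev[SAMPLE_LEN] = {0}, cur[SAMPLE_LEN];
    for (int n = 0; n < N_SAMPLES; n++) {
        memset(cur, 0xA5, sizeof cur);    /* poison: an RNG that writes nothing reads as identical */
        rng(cur, sizeof cur);
        enum rng_fault f = classify_sample(cur);
        if (f != RNG_OK) return f;
        if (n > 0 && memcmp(cur, prev, sizeof cur) == 0)
            return RNG_IDENTICAL;         /* same output on consecutive calls */
        memcpy(prev, cur, sizeof cur);
    }
    return RNG_OK;
}

/* Constructed generators: three broken ones and a non-cryptographic stand-in. */
void rng_zero(uint8_t *o, size_t n) { memset(o, 0, n); }
void rng_repeat(uint8_t *o, size_t n) { for (size_t i = 0; i < n; i++) o[i] = (uint8_t)(i * i + 7); }
void rng_counter(uint8_t *o, size_t n) { static uint8_t c; while (n--) *o++ = c++; }
void rng_xorshift(uint8_t *o, size_t n) {
    static uint32_t x = 1;
    while (n--) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        *o++ = (uint8_t)(x >> 24);
    }
}

int main(void)
{
    return check_rng(rng_xorshift) == RNG_OK && check_rng(rng_counter) == RNG_INCREMENTING ? 0 : 1;
}
```

A check like this catches a stubbed or misconfigured generator; it says nothing about the quality of output that passes.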