Tor 0.2.5.1-alpha introduces experimental support for syscall sandboxing on Linux, allows bridges that offer pluggable transports to report usage statistics, fixes many issues to make testing easier, and provides a pile of minor features and bugfixes that have been waiting for a release of the new branch.

This is the first alpha release in a new series, so expect there to be bugs. Users who would rather test out a more stable branch should stay with 0.2.4.x for now.

I'm going to leave the download pages listing 0.2.3.x and 0.2.4.x, so we don't have the confusion of three branches at once. I'm also not sure yet how the packaging people plan to handle three branches.

https://www.torproject.org/dist/

Changes in version 0.2.5.1-alpha - 2013-10-02
  o Major features (security):
    - Use the seccomp2 syscall filtering facility on Linux to limit
      which system calls Tor can invoke. This is an experimental,
      Linux-only feature to provide defense-in-depth against unknown
      attacks. To try turning it on, set "Sandbox 1" in your torrc
      file. Please be ready to report bugs. We hope to add support
      for better sandboxing in the future, including more fine-grained
      filters, better division of responsibility, and support for more
      platforms. This work has been done by Cristian-Matei Toader for
      Google Summer of Code.
    - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later.
      Resolves ticket 6055. (OpenSSL before 1.0.1 didn't have TLS 1.1 or
      1.2, and OpenSSL from 1.0.1 through 1.0.1d had bugs that prevented
      renegotiation from working with TLS 1.1 or 1.2, so we had disabled
      them to solve bug 6033.)

  o Major features (other):
    - Add support for passing arguments to managed pluggable transport
      proxies. Implements ticket 3594.
    - Bridges now track GeoIP information and the number of their users
      even when pluggable transports are in use, and report usage
      statistics in their extra-info descriptors. Resolves tickets 4773
      and 5040.
    - Make testing Tor networks bootstrap better: lower directory fetch
      retry schedules and maximum interval without directory requests,
      and raise maximum download tries. Implements ticket 6752.
    - Add make target 'test-network' to run tests on a Chutney network.
      Implements ticket 8530.
    - The ntor handshake is now on-by-default, no matter what the
      directory authorities recommend. Implements ticket 8561.

  o Major bugfixes:
    - Instead of writing destroy cells directly to outgoing connection
      buffers, queue them and intersperse them with other outgoing cells.
      This can prevent a set of resource starvation conditions where too
      many pending destroy cells prevent data cells from actually getting
      delivered. Reported by "oftc_must_be_destroyed". Fixes bug 7912;
      bugfix on 0.2.0.1-alpha.
    - If we are unable to save a microdescriptor to the journal, do not
      drop it from memory and then reattempt downloading it. Fixes bug
      9645; bugfix on 0.2.2.6-alpha.
    - The new channel code sometimes lost track of in-progress circuits,
      causing long-running clients to stop building new circuits. The
      fix is to always call circuit_n_chan_done(chan, 0) from
      channel_closed(). Fixes bug 9776; bugfix on 0.2.4.17-rc.

  o Build features:
    - Tor now builds each source file in two modes: a mode that avoids
      exposing identifiers needlessly, and another mode that exposes
      more identifiers for testing. This lets the compiler do better at
      optimizing the production code, while enabling us to take more
      radical measures to let the unit tests test things.
    - The production builds no longer include functions used only in
      the unit tests; all functions exposed from a module only for
      unit-testing are now static in production builds.
    - Add an --enable-coverage configuration option to make the unit
      tests (and a new src/or/tor-cov target) to build with gcov test
      coverage support.

  o Testing:
    - We now have rudimentary function mocking support that our unit
      tests can use to test functions in isolation.
      Function mocking lets the tests temporarily replace a function's
      dependencies with stub functions, so that the tests can check the
      function without invoking the other functions it calls.
    - Add more unit tests for the <circid,channel>->circuit map, and
      the destroy-cell-tracking code to fix bug 7912.
    - Unit tests for failing cases of the TAP onion handshake.
    - More unit tests for address-manipulation functions.

  o Minor features (protecting client timestamps):
    - Clients no longer send timestamps in their NETINFO cells. These were
      not used for anything, and they provided one small way for clients
      to be distinguished from each other as they moved from network to
      network or behind NAT. Implements part of proposal 222.
    - Clients now round timestamps in INTRODUCE cells down to the nearest
      10 minutes. If a new Support022HiddenServices option is set to 0,
      or if it's set to "auto" and the feature is disabled in the
      consensus, the timestamp is sent as 0 instead. Implements part of
      proposal 222.
    - Stop sending timestamps in AUTHENTICATE cells. This is not such
      a big deal from a security point of view, but it achieves no actual
      good purpose, and isn't needed. Implements part of proposal 222.
    - Reduce down accuracy of timestamps in hidden service descriptors.
      Implements part of proposal 222.

  o Minor features (config options):
    - Config (torrc) lines now handle fingerprints which are missing
      their initial '$'. Resolves ticket 4341; improvement over 0.0.9pre5.
    - Support a --dump-config option to print some or all of the
      configured options. Mainly useful for debugging the command-line
      option parsing code. Helps resolve ticket 4647.
    - Raise awareness of safer logging: notify user of potentially
      unsafe config options, like logging more verbosely than severity
      "notice" or setting SafeLogging to 0. Resolves ticket 5584.
    - Add a new configuration option TestingV3AuthVotingStartOffset
      that bootstraps a network faster by changing the timing for
      consensus votes. Addresses ticket 8532.
    - Add a new torrc option "ServerTransportOptions" that allows
      bridge operators to pass configuration parameters to their
      pluggable transports. Resolves ticket 8929.
    - The config (torrc) file now accepts bandwidth and space limits in
      bits as well as bytes. (Anywhere that you can say "2 Kilobytes",
      you can now say "16 kilobits", and so on.) Resolves ticket 9214.
      Patch by CharlieB.

  o Minor features (build):
    - Add support for `--library-versions` flag. Implements ticket 6384.
    - Return the "unexpected sendme" warnings to a warn severity, but make
      them rate limited, to help diagnose ticket 8093.
    - Detect a missing asciidoc, and warn the user about it, during
      configure rather than at build time. Fixes issue 6506. Patch from
      Arlo Breault.

  o Minor features (other):
    - Use the SOCK_NONBLOCK socket type, if supported, to open nonblocking
      sockets in a single system call. Implements ticket 5129.
    - Log current accounting state (bytes sent and received + remaining
      time for the current accounting period) in the relay's heartbeat
      message. Implements ticket 5526; patch from Peter Retzlaff.
    - Implement the TRANSPORT_LAUNCHED control port event that
      notifies controllers about new launched pluggable
      transports. Resolves ticket 5609.
    - If we're using the pure-C 32-bit curve25519_donna implementation
      of curve25519, build it with the -fomit-frame-pointer option to
      make it go faster on register-starved hosts. This improves our
      handshake performance by about 6% on i386 hosts without nacl.
      Closes ticket 8109.
    - Update to the September 4 2013 Maxmind GeoLite Country database.

  o Minor bugfixes:
    - Set the listen() backlog limit to the largest actually supported
      on the system, not to the value in a header file. Fixes bug 9716;
      bugfix on every released Tor.
    - No longer accept malformed http headers when parsing urls from
      headers. Now we reply with Bad Request ("400"). Fixes bug 2767;
      bugfix on 0.0.6pre1.
    - In munge_extrainfo_into_routerinfo(), check the return value of
      memchr().
      This would have been a serious issue if we ever passed
      it a non-extrainfo. Fixes bug 8791; bugfix on 0.2.0.6-alpha. Patch
      from Arlo Breault.
    - On the chance that somebody manages to build Tor on a
      platform where time_t is unsigned, correct the way that
      microdesc_add_to_cache() handles negative time arguments.
      Fixes bug 8042; bugfix on 0.2.3.1-alpha.
    - Reject relative control socket paths and emit a warning. Previously,
      single-component control socket paths would be rejected, but Tor
      would not log why it could not validate the config. Fixes bug 9258;
      bugfix on 0.2.3.16-alpha.

  o Minor bugfixes (command line):
    - Use a single command-line parser for parsing torrc options on the
      command line and for finding special command-line options to avoid
      inconsistent behavior for torrc option arguments that have the same
      names as command-line options. Fixes bugs 4647 and 9578; bugfix on
      0.0.9pre5.
    - No longer allow 'tor --hash-password' with no arguments. Fixes bug
      9573; bugfix on 0.0.9pre5.

  o Minor fixes (build, auxiliary programs):
    - Stop preprocessing the "torify" script with autoconf, since
      it no longer refers to LOCALSTATEDIR. Fixes bug 5505; patch
      from Guilhem.
    - The tor-fw-helper program now follows the standard convention and
      exits with status code "0" on success. Fixes bug 9030; bugfix on
      0.2.3.1-alpha. Patch by Arlo Breault.
    - Corrected ./configure advice for what openssl dev package you should
      install on Debian. Fixes bug 9207; bugfix on 0.2.0.1-alpha.

  o Minor code improvements:
    - Remove constants and tests for PKCS1 padding; it's insecure and
      shouldn't be used for anything new. Fixes bug 8792; patch
      from Arlo Breault.
    - Remove instances of strcpy() from the unit tests. They weren't
      hurting anything, since they were only in the unit tests, but it's
      embarrassing to have strcpy() in the code at all, and some analysis
      tools don't like it. Fixes bug 8790; bugfix on 0.2.3.6-alpha and
      0.2.3.8-alpha. Patch from Arlo Breault.

  o Removed features:
    - Remove migration code from when we renamed the "cached-routers"
      file to "cached-descriptors" back in 0.2.0.8-alpha. This
      incidentally resolves ticket 6502 by cleaning up the related code
      a bit. Patch from Akshay Hebbar.

  o Code simplification and refactoring:
    - Extract the common duplicated code for creating a subdirectory
      of the data directory and writing to a file in it. Fixes ticket
      4282; patch from Peter Retzlaff.
    - Since OpenSSL 0.9.7, the i2d_*() functions support allocating output
      buffer. Avoid calling twice: i2d_RSAPublicKey(), i2d_DHparams(),
      i2d_X509(), and i2d_PublicKey(). Resolves ticket 5170.
    - Add a set of accessor functions for the circuit timeout data
      structure. Fixes ticket 6153; patch from "piet".
    - Clean up exit paths from connection_listener_new(). Closes ticket
      8789. Patch from Arlo Breault.
    - Since we rely on OpenSSL 0.9.8 now, we can use EVP_PKEY_cmp()
      and drop our own custom pkey_eq() implementation. Fixes bug 9043.
    - Use a doubly-linked list to implement the global circuit list.
      Resolves ticket 9108. Patch from Marek Majkowski.
    - Remove contrib/id_to_fp.c since it wasn't used anywhere.