sarah
/
tor
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

start changelog for 0.3.1.1-alpha by sorting entries

This commit is contained in:
Nick Mathewson 2017-05-19 10:00:54 -04:00
parent 3628efe29c
commit 8410f47b6e
62 changed files with 394 additions and 373 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

395
ChangeLog
View File

@ -1,4 +1,397 @@
Changes in version 0.3.1.1-alpha - 2017-??-??
Changes in version 0.3.1.1-alpha - 2017-05-??
blurb goes here
o Major features (directory protocol):
- Tor relays and authorities are now able to serve clients an
abbreviated version of the networkstatus consensus document,
containing only the changes since the an older consensus document that
the client holds. Clients now request these documents when
available. When this new protocol is in use by both client and server,
they will use far less bandwidth (up to 94% less) to keep an up-to-date
consensus. Implements proposal 140; closes ticket 13339. Based
on work by by Daniel Martí.
o Major features (directory system):
- Tor's compression module now includes support for the zstd and lzma2
compression algorithms, if the libzstd and liblzma libraries are
available when Tor is compiled. Once these features are exposed in the
directory module, they will enable Tor to provide better compression
ratios on directory documents. Part of an implementation for proposal
278; closes ticket 21662.
o Major features (internals):
- Add an ed diff/patch backend, optimized for consensus documents.
This backend will be the basis of our consensus diff implementation.
Most of the work here was done
by Daniel Martí. Closes ticket 21643.
o Major features (security, stability, experimental):
- Tor now has the optional ability to include modules written in
Rust. To turn this on, pass the "--enable-rust" flag to the
configure script.
It's not time to get excited yet: currently, there is no actual
Rust functionality beyond some simple glue code, and a notice at
startup to tell you that Rust is running. Still, we hope that
programmers and packagers will try building with rust
support, so that we can find issues with the build system,
and solve portability issues. Closes ticket 22106.
o Major features (traffic analysis resistance):
- Relays and clients will now send a padding cell on idle OR
connections every 1.5 to 9.5 seconds (tunable via consensus
parameters). Directory connections and inter-relay connections
are not padded. Padding is negotiated using Tor's link protocol,
so both relays and clients must upgrade for this to take effect.
Clients may still send padding despite the relay's version by
setting ConnectionPadding 1 in torrc, and may disable padding
by setting ConnectionPadding 0 in torrc. Padding may be minimized
for mobile users with the torrc option ReducedConnectionPadding.
Implements Proposal 251 and Section 2 of Proposal 254; closes ticket
16861.
- Relays will publish 24 hour totals of padding and non-padding cell
counts to their extra-info descriptors, unless PaddingStatistics 0
is set in torrc. These 24 hour totals are also rounded to multiples
of 10000.
o Major bugfixes (hidden service directory, security):
- Fix an assertion failure in the hidden service directory code, which
could be used by an attacker to remotely cause a Tor relay process to
exit. Relays running earlier versions of Tor 0.3.0.x should upgrade.
This security issue is tracked as tracked as
TROVE-2017-002. Fixes bug 22246; bugfix on 0.3.0.1-alpha.
o Major bugfixes (linux TPROXY support):
- Fix a typo that had prevented TPROXY-based transparent proxying from
working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
Patch from "d4fq0fQAgoJ".
o Minor feature (defaults, directory):
- Onion key rotation and expiry intervals are now defined as a network
consensus parameter as per proposal 274. The default lifetime of an
onion key is bumped from 7 to 28 days. Old onion keys will expire after 7
days by default. Closes ticket 21641.
o Minor feature (hidden services):
- Add more information to the message logged when a hidden service
descriptor has fewer introduction points than specified in
HiddenServiceNumIntroductionPoints.
Follow up to tickets 21598 and 21599, closes ticket 21622.
- Log a message when a hidden service descriptor has fewer introduction
points than specified in HiddenServiceNumIntroductionPoints.
Closes ticket 21598.
- Log a message when a hidden service reaches its introduction point
circuit limit, and when that limit is reset.
Follow up to ticket 21594, closes ticket 21622.
o Minor feature (include on config files):
- Adds config-can-saveconf to GETINFO command to tell if SAVECONF
will work without the FORCE option, closes ticket 1922.
- Allow the use of %include on configuration files to include settings
from other files or directories. Using %include with a directory will
include all (non-dot) files in that directory in lexically sorted order
(non-recursive), closes ticket 1922.
- Makes SAVECONF command return error when overwriting a torrc
that has includes. Using SAVECONF with the FORCE option will
allow it to overwrite torrc even if includes are used, closes ticket
1922.
o Minor features (controller):
- Warn the first time that a controller requests data in the
long-deprecated 'GETINFO network-status' format. Closes ticket 21703.
o Minor features (defaults, security):
- The default value for UseCreateFast is now 0: clients which haven't yet
received a consensus document will nonetheless use a proper handshake
to talk to their directory servers (when they can). Closes ticket 21407.
o Minor features (fallback directories):
- Update the fallback directory mirror whitelist and blacklist based on
operator emails. Closes task 21121.
o Minor features (fallback directory list):
- Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
December 2016 (of which ~126 were still functional), with a list of
151 fallbacks (32 new, 119 existing, 58 removed) generated in
May 2017.
Resolves ticket 21564.
o Minor features (hidden service, logging):
- Warn user if multiple entries in EntryNodes and at least one
HiddenService are used together. Pinning EntryNodes along with an hidden
service can be possibly harmful for instance see ticket 14917 or 21155.
Closes ticket 21155.
o Minor features (infrastructure, seccomp2 sandbox):
- We now have a document storage backend compatible with the Linux
seccomp2 sandbox. The long-term plan is to use this backend for
consensus documents and for storing unparseable directory
material. Closes ticket 21645.
o Minor features (linux seccomp2 sandbox):
- Increase the maximum allowed size passed to mprotect(PROT_WRITE)
from 1MB to 16MB. This was necessary with the glibc allocator in
order to allow worker threads to allocate more memory -- which in
turn is necessary because of our new use of worker threads for
compression. Closes ticket 22096.
o Minor features (logging):
- Log files are no longer created world-readable by default.
(Previously, most distributors would store the logs in a
non-world-readable location to prevent inappropriate access. This
change is an extra precaution.) Closes ticket 21729; patch from
toralf.
o Minor features (performance):
- The minimal keccak implementation we include now accesses memory
more efficiently, especially on little-endian systems.
Closes ticket 21737.
o Minor features (performance, controller):
- Add an O(1) implementation of channel_find_by_global_id().
o Minor features (relay, configuration):
- The MyFamily line may now be repeated as many times as desired, for
relays that want to configure large families. Closes ticket 4998;
patch by Daniel Pinto.
o Minor features (safety):
- Add an explict check to extrainfo_parse_entry_from_string() for NULL
inputs. We don't believe this can actually happen, but it may help
silence a warning from the Clang analyzer. Closes ticket 21496.
o Minor features (security, windows):
- Enable a couple of pieces of Windows hardening: one
(HeapEnableTerminationOnCorruption) that has been on-by-default since
Windows 8, and unavailable before Windows 7, and one
(PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) which we believe doesn't
affect us, but shouldn't do any harm. Closes ticket 21953.
o Minor features (testing):
- Add a "--disable-memory-sentinels" feature to help with fuzzing.
When Tor is compiled with this option, we disable a number of
redundant memory-safety failsafes that are intended to stop
bugs from becoming security issues. This makes it easier to hunt
for bugs that would be security issues without the failsafes
turned on. Closes ticket 21439.
- Add a general event-tracing instrumentation support to Tor. This
subsystem will enable developers and researchers to add fine-grained
instrumentation to their Tor instances, for use when examining Tor
network performance issues. There are no trace events yet, and
event-tracing is off by default unless enabled at compile time.
Implements ticket 13802.
o Minor features (unit tests):
- Improve version parsing tests: add tests for typical version components,
add tests for invalid versions, including numeric range and non-numeric
prefixes.
Unit tests 21278, 21450, and 21507. Partially implements 21470.
o Minor bugfix (directory authority):
- Prevent the shared randomness subsystem from asserting when initialized
by a bridge authority with an incomplete configuration file. Fixes bug
21586; bugfix on 0.2.9.8.
o Minor bugfixes (bandwidth accounting):
- Roll over monthly accounting at the configured hour and minute,
rather than always at 00:00.
Fixes bug 22245; bugfix on 0.0.9rc1.
Found by Andrey Karpov with PVS-Studio.
o Minor bugfixes (cell, logging):
- Downgrade a log statement from bug to protocol warning because there is
at least one use case where it can be triggered by a buggy tor
implementation on the Internet for instance. Fixes bug 21293; bugfix on
0.1.1.14-alpha.
o Minor bugfixes (code correctness):
- Accurately identify client connections using their lack of peer
authentication. This means that we bail out earlier if asked to extend
to a client. Follow-up to 21407.
Fixes bug 21406; bugfix on 0.2.4.23.
o Minor bugfixes (configuration):
- Do not crash when starting with LearnCircuitBuildTimeout 0.
Fixes bug 22252; bugfix on 0.2.9.3-alpha.
o Minor bugfixes (connection lifespan):
- Allow more control over how long TLS connections are kept open: unify
CircuitIdleTimeout and PredictedPortsRelevanceTime into a single option
called CircuitsAvailableTimeout. Also, allow the consensus to control
the default values for both this preference, as well as the lifespan
of relay-to-relay connections. Fixes bug 17592; bugfix on 0.2.5.5-alpha.
- Increase the intial circuit build timeout testing frequency, to help
ensure that ReducedConnectionPadding clients finish learning a timeout
before their orconn would expire. The initial testing rate was set back
in the days of TAP and before the Tor Browser updater, when we had to be
much more careful about new clients making lots of circuits. With this
change, a circuit build time is learned in about 15-20 minutes, instead
of ~100-120 minutes.
o Minor bugfixes (connection usage):
- Relays will now log hourly statistics on the total number of
connections to other relays. If the number of connections per relay
unexpectedly large, this log message is at notice level. Otherwise
it is at info.
- Use NETINFO cells to try to determine if both relays involved in
a connection will agree on the canonical status of that connection.
Prefer the connections where this is the case for extend cells,
and try to close connections where relays disagree on canonical
status early. Also, additionally alter the connection selection
logic to prefer the oldest valid connection for extend cells.
These two changes should reduce the number of long-term connections
that are kept open between relays. Fixes bug 17604; bugfix on
0.2.5.5-alpha.
o Minor bugfixes (control, hidden service client):
- Trigger HS descriptor events on the control port when the client is
unable to pick a suitable hidden service directory. This can happen if
they are all in the ExcludeNodes list or they all have been queried
inside the allowed 15 minutes. Fixes bug 22042; bugfix on
0.2.5.2-alpha.
o Minor bugfixes (controller):
- GETINFO onions/current and onions/detached no longer 551 on empty lists
Fixes bug 21329; bugfix on 0.2.7.1-alpha.
o Minor bugfixes (directory authority):
- When rejecting a router descriptor because the relay is running an
obsolete version of Tor without ntor support, warn about the obsolete
tor version, not the missing ntor key. Fixes bug 20270;
bugfix on 0.2.9.3-alpha.
o Minor bugfixes (documentation):
- Default of NumEntryGuards is 1 if the consensus parameter
guard-n-primary-guards-to-use isn't set. Default of NumDirectoryGuards
is 3 if the consensus parameter guard-n-primary-dir-guards-to-use isn't
set. Fixes bug 21715; bugfix on 0.3.0.1-alpha.
o Minor bugfixes (exit-side DNS):
- Fix an untriggerable assertion that checked the output of a
libevent DNS error, so that the assertion actually behaves as
expected. Fixes bug 22244; bugfix on 0.2.0.20-rc. Found by Andrey
Karpov using PVS-Studio.
o Minor bugfixes (fallback directory mirrors):
- Make the usage example in updateFallbackDirs.py actually work.
(And explain what it does.)
Fixes bug 22270; bugfix on 0.3.0.3-alpha.
o Minor bugfixes (fallbacks):
- Decrease the guard flag average required to be a fallback. This allows
us to keep relays that have their guard flag removed when they restart.
Fixes bug 20913; bugfix on 0.2.8.1-alpha.
- Decrease the minimum number of fallbacks to 100.
Fixes bug 20913; bugfix on 0.2.8.1-alpha.
- Make sure fallback directory mirrors have the same address, port, and
relay identity key for at least 30 days before they are selected.
Fixes bug 20913; bugfix on 0.2.8.1-alpha.
o Minor bugfixes (hidden service):
- Stop printing cryptic warning when a client tries to connect on an
invalid port of the service. Fixes bug 16706; bugfix on 0.2.6.3-alpha.
o Minor bugfixes (hidden services):
- Simplify hidden service descriptor creation by using an existing flag
to check if an introduction point is established.
Fixes bug 21599; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (memory leak):
- Fix a small memory leak at exit from the backtrace handler code.
Fixes bug 21788; bugfix on 0.2.5.2-alpha. Patch from Daniel Pinto.
o Minor bugfixes (testing):
- Make test-network.sh always call chutney's test-network.sh.
Previously, this only worked on systems which had bash installed, due to
some bash-specific code in the script.
Fixes bug 19699; bugfix on 0.3.0.4-rc. Follow-up to ticket 21581.
- Use unbuffered I/O for utility functions around the process_handle_t
type. This fixes unit test failures reported on OpenBSD and FreeBSD.
Fixes bug 21654; bugfix on 0.2.3.1-alpha.
o Minor bugfixes (unit tests):
- Make display of captured unit test log messages consistent.
Fixes bug 21510; bugfix on 0.2.9.3-alpha.
o Minor bugfixes (voting consistency):
- Reject version numbers with non-numeric prefixes (such as +, -, and
whitespace). Disallowing whitespace prevents differential version
parsing between POSIX-based and Windows platforms.
Fixes bug 21507 and part of 21508; bugfix on 0.0.8pre1.
o Minor bugfixes (windows, relay):
- Resolve "Failure from drain_fd: No error" warnings on Windows
relays. Fixes bug 21540; bugfix on 0.2.6.3-alpha.
o Code simplification and refactoring:
- Break up the 630-line function connection_dir_client_reached_eof() into
a dozen smaller functions. This change should help maintainability and
readability of the client directory code.
- Isolate our usage of the openssl headers so that they are only
used from our crypto wrapper modules, and from tests that examing those
modules' internals. Closes ticket 21841.
- Our API to launch directory requests has been greatly simplified
to become more extensible and less error-prone. We'll be using
this to improve support for adding extra headers to directory
requests. Closes ticket 21646.
- Our base64 decoding functions no longer overestimate the output
space that they will need when parsing unpadded inputs.
Closes ticket 17868.
- Remove unused "ROUTER_ADDED_NOTIFY_GENERATOR" internal value.
Resolves ticket 22213.
- The logic that directory caches use to spool request to clients,
serving them one part at a time so as not to allocate too much memory,
has been refactored for consistency. Previously there was a separate
spooling implementation per type of spoolable data. Now there
is one common spooling implementation, with extensible data types.
Closes ticket 21651.
- Tor's compression module now supports multiple backends. Part of
an implementation of proposal 278; closes ticket 21663.
o Documentation:
- Clarify the behavior of the KeepAliveIsolateSOCKSAuth sub-option.
Closes ticket 21873.
- Correct the documentation about the default DataDirectory value.
Closes ticket 21151.
- Document key=value pluggable transport arguments for Bridge lines in
torrc. Fixes bug 20341; bugfix on 0.2.5.1-alpha.
- Note that bandwidth-limiting options don't affect TCP headers or DNS.
Closes ticket 17170.
o Removed features (configuration options, all in ticket 22060):
- AllowInvalidNodes was deprecated in 0.2.9.2-alpha and now has been
removed. It is not possible anymore to use Invalid nodes.
- AllowSingleHopCircuits was deprecated in 0.2.9.2-alpha and now has been
removed. It's not possible anymore to attach streams to single hop exit
circuit.
- AllowSingleHopExits was deprecated in 0.2.9.2-alpha and now has been
removed. Relays no longer advertise that they can be used for single hop
exit proxy.
- CloseHSClientCircuitsImmediatelyOnTimeout was deprecated in
0.2.9.2-alpha and now has been removed. HS circuits never close on
circuit build timeout, they have a longer timeout period.
- CloseHSServiceRendCircuitsImmediatelyOnTimeout was deprecated in
0.2.9.2-alpha and now has been removed. HS circuits never close on
circuit build timeout, they have a long timeout period.
- ExcludeSingleHopRelays was deprecated in 0.2.9.2-alpha and now has been
removed. Client will always exclude relays that supports single hop
exits meaning relays that still advertise AllowSingleHopExits.
- FastFirstHopPK was deprecated in 0.2.9.2-alpha and now has been removed.
Decision for this feature will always be decided by the consensus.
- TLSECGroup was deprecated in 0.2.9.2-alpha and now has been removed.
P256 EC group is always used.
- WarnUnsafeSocks was deprecated in 0.2.9.2-alpha and now has been
removed. Tor will now always warn the user if only an IP address is
given instead of an hostname on a SOCKS connection if SafeSocks is 1.
- {Control,DNS,Dir,Socks,Trans,NATD,OR}ListenAddress was deprecated in
0.2.9.2-alpha and now has been removed. Use the ORPort (and others).
o Removed features:
- We've removed the tor-checkkey tool from src/tools. Long ago, we
used it to help people detect RSA keys that were generated by
versions of Debian affected by CVE-2008-0166. But those keys
have been out of circulation for ages, and this tool is no
longer required. Closes ticket 21842.
Changes in version 0.3.0.7 - 2017-05-15

4
changes/17868
View File

@ -1,4 +0,0 @@
o Code simplification and refactoring:
- Our base64 decoding functions no longer overestimate the output
space that they will need when parsing unpadded inputs.
Closes ticket 17868.

12
changes/21662_21663_21664
View File

@ -1,12 +0,0 @@
o Major features (directory system):
- Tor's compression module now includes support for the zstd and lzma2
compression algorithms, if the libzstd and liblzma libraries are
available when Tor is compiled. Once these features are exposed in the
directory module, they will enable Tor to provide better compression
ratios on directory documents. Part of an implementation for proposal
278; closes ticket 21662.
o Code simplification and refactoring:
- Tor's compression module now supports multiple backends. Part of
an implementation of proposal 278; closes ticket 21663.

3
changes/21873
View File

@ -1,3 +0,0 @@
o Documentation:
- Clarify the behavior of the KeepAliveIsolateSOCKSAuth sub-option.
Closes ticket 21873.

3
changes/bug16706
View File

@ -1,3 +0,0 @@
o Minor bugfixes (hidden service):
- Stop printing cryptic warning when a client tries to connect on an
invalid port of the service. Fixes bug 16706; bugfix on 0.2.6.3-alpha.

16
changes/bug16861
View File

@ -1,16 +0,0 @@
o Major features (traffic analysis resistance):
- Relays and clients will now send a padding cell on idle OR
connections every 1.5 to 9.5 seconds (tunable via consensus
parameters). Directory connections and inter-relay connections
are not padded. Padding is negotiated using Tor's link protocol,
so both relays and clients must upgrade for this to take effect.
Clients may still send padding despite the relay's version by
setting ConnectionPadding 1 in torrc, and may disable padding
by setting ConnectionPadding 0 in torrc. Padding may be minimized
for mobile users with the torrc option ReducedConnectionPadding.
Implements Proposal 251 and Section 2 of Proposal 254; closes ticket
16861.
- Relays will publish 24 hour totals of padding and non-padding cell
counts to their extra-info descriptors, unless PaddingStatistics 0
is set in torrc. These 24 hour totals are also rounded to multiples
of 10000.

3
changes/bug17170
View File

@ -1,3 +0,0 @@
o Documentation:
- Note that bandwidth-limiting options don't affect TCP headers or DNS.
Closes ticket 17170.

13
changes/bug17592
View File

@ -1,13 +0,0 @@
o Minor bugfixes (connection lifespan):
- Allow more control over how long TLS connections are kept open: unify
CircuitIdleTimeout and PredictedPortsRelevanceTime into a single option
called CircuitsAvailableTimeout. Also, allow the consensus to control
the default values for both this preference, as well as the lifespan
of relay-to-relay connections. Fixes bug 17592; bugfix on 0.2.5.5-alpha.
- Increase the intial circuit build timeout testing frequency, to help
ensure that ReducedConnectionPadding clients finish learning a timeout
before their orconn would expire. The initial testing rate was set back
in the days of TAP and before the Tor Browser updater, when we had to be
much more careful about new clients making lots of circuits. With this
change, a circuit build time is learned in about 15-20 minutes, instead
of ~100-120 minutes.

15
changes/bug17604
View File

@ -1,15 +0,0 @@
o Minor bugfixes (connection usage):
- Use NETINFO cells to try to determine if both relays involved in
a connection will agree on the canonical status of that connection.
Prefer the connections where this is the case for extend cells,
and try to close connections where relays disagree on canonical
status early. Also, additionally alter the connection selection
logic to prefer the oldest valid connection for extend cells.
These two changes should reduce the number of long-term connections
that are kept open between relays. Fixes bug 17604; bugfix on
0.2.5.5-alpha.
- Relays will now log hourly statistics on the total number of
connections to other relays. If the number of connections per relay
unexpectedly large, this log message is at notice level. Otherwise
it is at info.

5
changes/bug18100
View File

@ -1,5 +0,0 @@
o Major bugfixes (linux TPROXY support):
- Fix a typo that had prevented TPROXY-based transparent proxying from
working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
Patch from "d4fq0fQAgoJ".

5
changes/bug19699
View File

@ -1,5 +0,0 @@
o Minor bugfixes (testing):
- Make test-network.sh always call chutney's test-network.sh.
Previously, this only worked on systems which had bash installed, due to
some bash-specific code in the script.
Fixes bug 19699; bugfix on 0.3.0.4-rc. Follow-up to ticket 21581.

6
changes/bug20270
View File

@ -1,6 +0,0 @@
o Minor bugfixes (directory authority):
- When rejecting a router descriptor because the relay is running an
obsolete version of Tor without ntor support, warn about the obsolete
tor version, not the missing ntor key. Fixes bug 20270;
bugfix on 0.2.9.3-alpha.

3
changes/bug20341
View File

@ -1,3 +0,0 @@
o Documentation:
- Document key=value pluggable transport arguments for Bridge lines in
torrc. Fixes bug 20341; bugfix on 0.2.5.1-alpha.

9
changes/bug20913
View File

@ -1,9 +0,0 @@
o Minor bugfixes (fallbacks):
- Make sure fallback directory mirrors have the same address, port, and
relay identity key for at least 30 days before they are selected.
Fixes bug 20913; bugfix on 0.2.8.1-alpha.
- Decrease the guard flag average required to be a fallback. This allows
us to keep relays that have their guard flag removed when they restart.
Fixes bug 20913; bugfix on 0.2.8.1-alpha.
- Decrease the minimum number of fallbacks to 100.
Fixes bug 20913; bugfix on 0.2.8.1-alpha.

3
changes/bug21121
View File

@ -1,3 +0,0 @@
o Minor features (fallback directories):
- Update the fallback directory mirror whitelist and blacklist based on
operator emails. Closes task 21121.

5
changes/bug21155
View File

@ -1,5 +0,0 @@
o Minor features (hidden service, logging):
- Warn user if multiple entries in EntryNodes and at least one
HiddenService are used together. Pinning EntryNodes along with an hidden
service can be possibly harmful for instance see ticket 14917 or 21155.
Closes ticket 21155.

5
changes/bug21293
View File

@ -1,5 +0,0 @@
o Minor bugfixes (cell, logging):
- Downgrade a log statement from bug to protocol warning because there is
at least one use case where it can be triggered by a buggy tor
implementation on the Internet for instance. Fixes bug 21293; bugfix on
0.1.1.14-alpha.

3
changes/bug21329
View File

@ -1,3 +0,0 @@
o Minor bugfixes (controller):
- GETINFO onions/current and onions/detached no longer 551 on empty lists
Fixes bug 21329; bugfix on 0.2.7.1-alpha.

5
changes/bug21406
View File

@ -1,5 +0,0 @@
o Minor bugfixes (code correctness):
- Accurately identify client connections using their lack of peer
authentication. This means that we bail out earlier if asked to extend
to a client. Follow-up to 21407.
Fixes bug 21406; bugfix on 0.2.4.23.

4
changes/bug21407
View File

@ -1,4 +0,0 @@
o Minor features (defaults, security):
- The default value for UseCreateFast is now 0: clients which haven't yet
received a consensus document will nonetheless use a proper handshake
to talk to their directory servers (when they can). Closes ticket 21407.

7
changes/bug21439
View File

@ -1,7 +0,0 @@
o Minor features (testing):
- Add a "--disable-memory-sentinels" feature to help with fuzzing.
When Tor is compiled with this option, we disable a number of
redundant memory-safety failsafes that are intended to stop
bugs from becoming security issues. This makes it easier to hunt
for bugs that would be security issues without the failsafes
turned on. Closes ticket 21439.

4
changes/bug21496
View File

@ -1,4 +0,0 @@
o Minor features (safety):
- Add an explict check to extrainfo_parse_entry_from_string() for NULL
inputs. We don't believe this can actually happen, but it may help
silence a warning from the Clang analyzer. Closes ticket 21496.

5
changes/bug21507
View File

@ -1,5 +0,0 @@
o Minor bugfixes (voting consistency):
- Reject version numbers with non-numeric prefixes (such as +, -, and
whitespace). Disallowing whitespace prevents differential version
parsing between POSIX-based and Windows platforms.
Fixes bug 21507 and part of 21508; bugfix on 0.0.8pre1.

4
changes/bug21510
View File

@ -1,4 +0,0 @@
o Minor bugfixes (unit tests):
- Make display of captured unit test log messages consistent.
Fixes bug 21510; bugfix on 0.2.9.3-alpha.

4
changes/bug21540
View File

@ -1,4 +0,0 @@
o Minor bugfixes (windows, relay):
- Resolve "Failure from drain_fd: No error" warnings on Windows
relays. Fixes bug 21540; bugfix on 0.2.6.3-alpha.

4
changes/bug21586
View File

@ -1,4 +0,0 @@
o Minor bugfix (directory authority):
- Prevent the shared randomness subsystem from asserting when initialized
by a bridge authority with an incomplete configuration file. Fixes bug
21586; bugfix on 0.2.9.8.

4
changes/bug21599
View File

@ -1,4 +0,0 @@
o Minor bugfixes (hidden services):
- Simplify hidden service descriptor creation by using an existing flag
to check if an introduction point is established.
Fixes bug 21599; bugfix on 0.2.7.2-alpha.

5
changes/bug21641
View File

@ -1,5 +0,0 @@
o Minor feature (defaults, directory):
- Onion key rotation and expiry intervals are now defined as a network
consensus parameter as per proposal 274. The default lifetime of an
onion key is bumped from 7 to 28 days. Old onion keys will expire after 7
days by default. Closes ticket 21641.

4
changes/bug21654
View File

@ -1,4 +0,0 @@
o Minor bugfixes (testing):
- Use unbuffered I/O for utility functions around the process_handle_t
type. This fixes unit test failures reported on OpenBSD and FreeBSD.
Fixes bug 21654; bugfix on 0.2.3.1-alpha.

4
changes/bug21703
View File

@ -1,4 +0,0 @@
o Minor features (controller):
- Warn the first time that a controller requests data in the
long-deprecated 'GETINFO network-status' format. Closes ticket 21703.

5
changes/bug21715
View File

@ -1,5 +0,0 @@
o Minor bugfixes (documentation):
- Default of NumEntryGuards is 1 if the consensus parameter
guard-n-primary-guards-to-use isn't set. Default of NumDirectoryGuards
is 3 if the consensus parameter guard-n-primary-dir-guards-to-use isn't
set. Fixes bug 21715; bugfix on 0.3.0.1-alpha.

3
changes/bug21788
View File

@ -1,3 +0,0 @@
o Minor bugfixes (memory leak):
- Fix a small memory leak at exit from the backtrace handler code.
Fixes bug 21788; bugfix on 0.2.5.2-alpha. Patch from Daniel Pinto.

7
changes/bug22042
View File

@ -1,7 +0,0 @@
o Minor bugfixes (control, hidden service client):
- Trigger HS descriptor events on the control port when the client is
unable to pick a suitable hidden service directory. This can happen if
they are all in the ExcludeNodes list or they all have been queried
inside the allowed 15 minutes. Fixes bug 22042; bugfix on
0.2.5.2-alpha.

28
changes/bug22060
View File

@ -1,28 +0,0 @@
o Removed features (configuration options, all in ticket 22060):
- AllowInvalidNodes was deprecated in 0.2.9.2-alpha and now has been
removed. It is not possible anymore to use Invalid nodes.
- AllowSingleHopCircuits was deprecated in 0.2.9.2-alpha and now has been
removed. It's not possible anymore to attach streams to single hop exit
circuit.
- AllowSingleHopExits was deprecated in 0.2.9.2-alpha and now has been
removed. Relays no longer advertise that they can be used for single hop
exit proxy.
- ExcludeSingleHopRelays was deprecated in 0.2.9.2-alpha and now has been
removed. Client will always exclude relays that supports single hop
exits meaning relays that still advertise AllowSingleHopExits.
- FastFirstHopPK was deprecated in 0.2.9.2-alpha and now has been removed.
Decision for this feature will always be decided by the consensus.
- CloseHSClientCircuitsImmediatelyOnTimeout was deprecated in
0.2.9.2-alpha and now has been removed. HS circuits never close on
circuit build timeout, they have a longer timeout period.
- CloseHSServiceRendCircuitsImmediatelyOnTimeout was deprecated in
0.2.9.2-alpha and now has been removed. HS circuits never close on
circuit build timeout, they have a long timeout period.
- WarnUnsafeSocks was deprecated in 0.2.9.2-alpha and now has been
removed. Tor will now always warn the user if only an IP address is
given instead of an hostname on a SOCKS connection if SafeSocks is 1.
- TLSECGroup was deprecated in 0.2.9.2-alpha and now has been removed.
P256 EC group is always used.
- {Control,DNS,Dir,Socks,Trans,NATD,OR}ListenAddress was deprecated in
0.2.9.2-alpha and now has been removed. Use the ORPort (and others).

6
changes/bug22096
View File

@ -1,6 +0,0 @@
o Minor features (linux seccomp2 sandbox):
- Increase the maximum allowed size passed to mprotect(PROT_WRITE)
from 1MB to 16MB. This was necessary with the glibc allocator in
order to allow worker threads to allocate more memory -- which in
turn is necessary because of our new use of worker threads for
compression. Closes ticket 22096.

6
changes/bug22244
View File

@ -1,6 +0,0 @@
o Minor bugfixes (exit-side DNS):
- Fix an untriggerable assertion that checked the output of a
libevent DNS error, so that the assertion actually behaves as
expected. Fixes bug 22244; bugfix on 0.2.0.20-rc. Found by Andrey
Karpov using PVS-Studio.

5
changes/bug22245
View File

@ -1,5 +0,0 @@
o Minor bugfixes (bandwidth accounting):
- Roll over monthly accounting at the configured hour and minute,
rather than always at 00:00.
Fixes bug 22245; bugfix on 0.0.9rc1.
Found by Andrey Karpov with PVS-Studio.

6
changes/bug22246
View File

@ -1,6 +0,0 @@
o Major bugfixes (hidden service directory, security):
- Fix an assertion failure in the hidden service directory code, which
could be used by an attacker to remotely cause a Tor relay process to
exit. Relays running earlier versions of Tor 0.3.0.x should upgrade.
This security issue is tracked as tracked as
TROVE-2017-002. Fixes bug 22246; bugfix on 0.3.0.1-alpha.

3
changes/bug22252
View File

@ -1,3 +0,0 @@
o Minor bugfixes (configuration):
- Do not crash when starting with LearnCircuitBuildTimeout 0.
Fixes bug 22252; bugfix on 0.2.9.3-alpha.

4
changes/bug22270
View File

@ -1,4 +0,0 @@
o Minor bugfixes (fallback directory mirrors):
- Make the usage example in updateFallbackDirs.py actually work.
(And explain what it does.)
Fixes bug 22270; bugfix on 0.3.0.3-alpha.

4
changes/cleanup22213
View File

@ -1,4 +0,0 @@
o Code simplification and refactoring:
- Remove unused "ROUTER_ADDED_NOTIFY_GENERATOR" internal value.
Resolves ticket 22213.

5
changes/consdiff_21643
View File

@ -1,5 +0,0 @@
o Major features (internals):
- Add an ed diff/patch backend, optimized for consensus documents.
This backend will be the basis of our consensus diff implementation.
Most of the work here was done
by Daniel Martí. Closes ticket 21643.

3
changes/data_dir_default_doc
View File

@ -1,3 +0,0 @@
o Documentation:
- Correct the documentation about the default DataDirectory value.
Closes ticket 21151.

2
changes/fast_channel_lookup
View File

@ -1,2 +0,0 @@
o Minor features (performance, controller):
- Add an O(1) implementation of channel_find_by_global_id().

4
changes/faster-keccak
View File

@ -1,4 +0,0 @@
o Minor features (performance):
- The minimal keccak implementation we include now accesses memory
more efficiently, especially on little-endian systems.
Closes ticket 21737.

11
changes/feature1922
View File

@ -1,11 +0,0 @@
o Minor feature (include on config files):
- Allow the use of %include on configuration files to include settings
from other files or directories. Using %include with a directory will
include all (non-dot) files in that directory in lexically sorted order
(non-recursive), closes ticket 1922.
- Makes SAVECONF command return error when overwriting a torrc
that has includes. Using SAVECONF with the FORCE option will
allow it to overwrite torrc even if includes are used, closes ticket
1922.
- Adds config-can-saveconf to GETINFO command to tell if SAVECONF
will work without the FORCE option, closes ticket 1922.

4
changes/feature21598
View File

@ -1,4 +0,0 @@
o Minor feature (hidden services):
- Log a message when a hidden service descriptor has fewer introduction
points than specified in HiddenServiceNumIntroductionPoints.
Closes ticket 21598.

8
changes/feature21622
View File

@ -1,8 +0,0 @@
o Minor feature (hidden services):
- Log a message when a hidden service reaches its introduction point
circuit limit, and when that limit is reset.
Follow up to ticket 21594, closes ticket 21622.
- Add more information to the message logged when a hidden service
descriptor has fewer introduction points than specified in
HiddenServiceNumIntroductionPoints.
Follow up to tickets 21598 and 21599, closes ticket 21622.

12
changes/feature22106
View File

@ -1,12 +0,0 @@
o Major features (security, stability, experimental):
- Tor now has the optional ability to include modules written in
Rust. To turn this on, pass the "--enable-rust" flag to the
configure script.
It's not time to get excited yet: currently, there is no actual
Rust functionality beyond some simple glue code, and a notice at
startup to tell you that Rust is running. Still, we hope that
programmers and packagers will try building with rust
support, so that we can find issues with the build system,
and solve portability issues. Closes ticket 22106.

7
changes/new_spooling_backend
View File

@ -1,7 +0,0 @@
o Code simplification and refactoring:
- The logic that directory caches use to spool request to clients,
serving them one part at a time so as not to allocate too much memory,
has been refactored for consistency. Previously there was a separate
spooling implementation per type of spoolable data. Now there
is one common spooling implementation, with extensible data types.
Closes ticket 21651.

10
changes/prop140
View File

@ -1,10 +0,0 @@
o Major features (directory protocol):
- Tor relays and authorities are now able to serve clients an
abbreviated version of the networkstatus consensus document,
containing only the changes since the an older consensus document that
the client holds. Clients now request these documents when
available. When this new protocol is in use by both client and server,
they will use far less bandwidth (up to 94% less) to keep an up-to-date
consensus. Implements proposal 140; closes ticket 13339. Based
on work by by Daniel Martí.

5
changes/refactor_reached_eof
View File

@ -1,5 +0,0 @@
o Code simplification and refactoring:
- Break up the 630-line function connection_dir_client_reached_eof() into
a dozen smaller functions. This change should help maintainability and
readability of the client directory code.

5
changes/storagedir
View File

@ -1,5 +0,0 @@
o Minor features (infrastructure, seccomp2 sandbox):
- We now have a document storage backend compatible with the Linux
seccomp2 sandbox. The long-term plan is to use this backend for
consensus documents and for storing unparseable directory
material. Closes ticket 21645.

5
changes/test21470
View File

@ -1,5 +0,0 @@
o Minor features (unit tests):
- Improve version parsing tests: add tests for typical version components,
add tests for invalid versions, including numeric range and non-numeric
prefixes.
Unit tests 21278, 21450, and 21507. Partially implements 21470.

7
changes/ticket13802
View File

@ -1,7 +0,0 @@
o Minor features (testing):
- Add a general event-tracing instrumentation support to Tor. This
subsystem will enable developers and researchers to add fine-grained
instrumentation to their Tor instances, for use when examining Tor
network performance issues. There are no trace events yet, and
event-tracing is off by default unless enabled at compile time.
Implements ticket 13802.

6
changes/ticket21564
View File

@ -1,6 +0,0 @@
o Minor features (fallback directory list):
- Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
December 2016 (of which ~126 were still functional), with a list of
151 fallbacks (32 new, 119 existing, 58 removed) generated in
May 2017.
Resolves ticket 21564.

6
changes/ticket21646
View File

@ -1,6 +0,0 @@
o Code simplification and refactoring:
- Our API to launch directory requests has been greatly simplified
to become more extensible and less error-prone. We'll be using
this to improve support for adding extra headers to directory
requests. Closes ticket 21646.

7
changes/ticket21729
View File

@ -1,7 +0,0 @@
o Minor features (logging):
- Log files are no longer created world-readable by default.
(Previously, most distributors would store the logs in a
non-world-readable location to prevent inappropriate access. This
change is an extra precaution.) Closes ticket 21729; patch from
toralf.

4
changes/ticket21841
View File

@ -1,4 +0,0 @@
o Code simplification and refactoring:
- Isolate our usage of the openssl headers so that they are only
used from our crypto wrapper modules, and from tests that examing those
modules' internals. Closes ticket 21841.

6
changes/ticket21842
View File

@ -1,6 +0,0 @@
o Removed features:
- We've removed the tor-checkkey tool from src/tools. Long ago, we
used it to help people detect RSA keys that were generated by
versions of Debian affected by CVE-2008-0166. But those keys
have been out of circulation for ages, and this tool is no
longer required. Closes ticket 21842.

6
changes/ticket21953
View File

@ -1,6 +0,0 @@
o Minor features (security, windows):
- Enable a couple of pieces of Windows hardening: one
(HeapEnableTerminationOnCorruption) that has been on-by-default since
Windows 8, and unavailable before Windows 7, and one
(PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) which we believe doesn't
affect us, but shouldn't do any harm. Closes ticket 21953.

5
changes/ticket4998
View File

@ -1,5 +0,0 @@
o Minor features (relay, configuration):
- The MyFamily line may now be repeated as many times as desired, for
relays that want to configure large families. Closes ticket 4998;
patch by Daniel Pinto.