Start on an 0.3.0.1-alpha changelog

ChangeLog

@@ -1,4 +1,223 @@
-Changes in version 0.3.0.1-alpha - 2016-??-??
+Changes in version 0.3.0.1-alpha - 2016-12-??
+  Tor 0.3.0.1-alpha is the first alpha release in the 0.3.0 development
+  series. It strengthens Tor's link and circuit handshakes by
+  identifying relays by their Ed25519 keys, improves the algorithm that
+  clients use to choose and maintain their list of guards, and includes
+  additional backend support for the next-generation hidden service
+  design. It also contains numerous other small features and
+  improvements to security, correctness, and performance.
+
+  Below are the changes since 0.2.9.8.
+
+  o Major features (next-generation hidden services):
+    - Relays can now handle v3 ESTABLISH_INTRO cells as specified by
+      prop224 aka "Next Generation Hidden Services". Service and clients
+      don't yet use this code functionnality. It marks another step
+      towards prop224 deployment. Resolves ticket 19043. Initial code by
+      Alec Heifetz.
+    - Tor relays now support the HSDir version 3 protocol meaning they
+      can store and serve v3 descriptors. This is part of the next
+      generation onion service work detailled in proposal 224. The tor
+      daemon also contains all the necessary code to encode and decode a
+      v3 descriptor but it's currently only used by the directory
+      subsystem. Closes ticket 17238.
+
+  o Major features (protocol, ed25519 identity keys):
+    - Tor relays now use Ed25519 to prove their Ed25519 identities and
+      to one another, and to clients. This algorithm is faster and more
+      secure than the RSA-based handshake we've been doing until now.
+      Implements the second big part of proposal 220; Closes
+      ticket 15055.
+    - Clients now support including Ed25519 identity keys in the EXTEND2
+      cells they generate. By default, this is controlled by a consensus
+      parameter, currently disabled. You can turn this feature on for
+      testing by setting ExtendByEd25519ID in your configuration. This
+      might make your traffic appear different than the traffic
+      generated by other users, however. Implements part of ticket
+      15056; part of proposal 220.
+    - Relays now understand requests to extend to other relays by their
+      Ed25519 identity keys. When an Ed25519 identity key is included in
+      an EXTEND2 cell, the relay will only extend the circuit if the
+      other relay can prove ownership of that identity. Implements part
+      of ticket 15056; part of proposal 220.
+
+  o Major bugfixes (scheduler):
+    - Fix an issue where the ewma_cmp_cmux() function would never
+      consider circuit policies to be different. This bug caused the
+      channel scheduler to behave more or less randomly, rather than
+      preferring channels with higher-priority circuits. Fixes bug
+      20459; bugfix on 0.2.6.2-alpha.
+
+  o Minor features (controller):
+    - When HSFETCH arguments cannot be parsed, say "Invalid argument"
+      rather than "unrecognized." Closes ticket 20389; patch from
+      Ivan Markin.
+
+  o Minor features (diagnostic, directory client):
+    - Warn if we find an unexpected inconsistency in directory download
+      status objects. Prevents some negative consequences of bug 20593.
+
+  o Minor features (directory authority):
+    - Add a new authority-only AuthDirTestEd25519LinkKeys option (on by
+      default) to control whether authorities should try to probe relays
+      by their Ed25519 link keys. This option will go away in a few
+      releases--unless we encounter major trouble in our ed25519 link
+      protocol rollout, in which case it will serve as a safety option.
+
+  o Minor features (directory cache):
+    - Relays and bridges will now refuse to serve the consensus they
+      have if they know it is too old for a client to use. Closes
+      ticket 20511.
+
+  o Minor features (ed25519 link handshake):
+    - Advertise support for the ed25519 link handshake using the
+      subprotocol-versions mechanism, so that clients can tell which
+      relays can identity themselves by Ed25519 ID. Closes ticket 20552.
+
+  o Minor features (fingerprinting resistence, authentication):
+    - Extend the length of RSA keys used for TLS link authentication to
+      2048 bits. (These weren't used for forward secrecy; for forward
+      secrecy, we used P256.) Closes ticket 13752.
+
+  o Minor features (infrastructure):
+    - Implement smartlist_add_strdup() function. Replaces the use of
+      smartlist_add(sl, tor_strdup(str)). Closes ticket 20048.
+
+  o Minor features (unit tests):
+    - Add tests for networkstatus_compute_bw_weights_v10.
+    - Add unit tests circuit_predict_and_launch_new.
+    - Extract dummy_origin_circuit_new so it can be used by other
+      test functions.
+
+  o Minor bugfix (configuration):
+    - Accept non-space whitespace characters after the severity level in
+      the `Log` option. Fixes bug 19965; bugfix on 0.2.1.1-alpha.
+
+  o Minor bugfix (hidden services):
+    - Change ephemeral service checks in `rendservice.c` to use the new
+      `rend_service_is_ephemeral` helper function. Fixes bug 20853;
+      bugfix on bug 20526; not in any released version of Tor.
+
+  o Minor bugfix (util):
+    - When finishing writing a file to disk, if we were about to replace
+      the file with the temporary file created before and we fail to
+      replace it, remove the temporary file so it doesn't stay on disk.
+      Fixes bug 20646; bugfix on tor-0.2.0.7-alpha. Patch by fk.
+
+  o Minor bugfixes (client):
+    - When clients that use bridges start up with a cached consensus on
+      disk, they were ignoring it and downloading a new one. Now they
+      use the cached one. Fixes bug 20269; bugfix on 0.2.3.12-alpha.
+
+  o Minor bugfixes (configuration):
+    - Support "TByte" and "TBytes" units in options given in bytes.
+      "TB", "terabyte(s)", "TBit(s)" and "terabit(s)" were already
+      supported. Fixes bug 20622; bugfix on 0.2.0.14-alpha.
+
+  o Minor bugfixes (consensus weight):
+    - Add new consensus method that initializes bw weights to 1 instead
+      of 0. This prevents a zero weight from making it all the way to
+      the end (happens in small testing networks) and causing an error.
+      Fixes bug 14881; bugfix on 0.2.2.17-alpha.
+
+  o Minor bugfixes (descriptors):
+    - Correctly recognise downloaded full descriptors as valid, even
+      when using microdescriptors as circuits. This affects clients with
+      FetchUselessDescriptors set, and may affect directory authorities.
+      Fixes bug 20839; bugfix on commit 6083276 in 0.2.3.2-alpha.
+
+  o Minor bugfixes (directory downloads):
+    - Download all consensus flavors, descriptors, and authority
+      certificates when FetchUselessDescriptors is set, regardless of
+      whether tor is a directory cache or not. Fixes bug 20667; bugfix
+      on all recent tor versions.
+
+  o Minor bugfixes (directory system):
+    - Bridges and relays now use microdescriptors (like clients do)
+      rather than old-style router descriptors. Now bridges will blend
+      in with clients in terms of the circuits they build. Fixes bug
+      6769; bugfix on 0.2.3.2-alpha.
+
+  o Minor bugfixes (ed25519 certificates):
+    - Correctly interpret ed25519 certificates that would expire some
+      time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha.
+
+  o Minor bugfixes (hidden services):
+    - Stop ignoring duplicate hidden services when validating: this
+      could lead to a crash when those services were created. Fixes bug
+      20860; bugfix on 20559; not in any released version of tor.
+    - Stop ignoring misconfigured hidden services. Instead, refuse to
+      start tor until the misconfigurations have been corrected. Fixes
+      bug 20559; bugfix on multiple commits in 0.2.7.1-alpha
+      and earlier.
+
+  o Minor bugfixes (memory leak at exit):
+    - Fix a small harmless memory leak at exit of the previously unused
+      RSA->Ed identity cross-certificate. Fixes bug 17779; bugfix
+      on 0.2.7.2-alpha.
+
+  o Minor bugfixes (Windows):
+    - Check for getpagesize before using it to mmap files. This fixes
+      compilation in some MinGW environments. Fixes bug 20530; bugfix on
+      0.1.2.1-alpha. Reported by "ice".
+
+  o Code simplification and refactoring:
+    - Abolish all global guard context in entrynodes.c; replace with new
+      guard_selection_t structure as preparation for proposal 271.
+      Closes ticket 19858.
+    - Introduce rend_service_is_ephemeral() that tells if given onion
+      service is ephemeral. Replace unclear NULL-checkings for service
+      directory with this function. Closes ticket 20526.
+    - Extract magic numbers in circuituse.c into defined variables.
+    - Refactor circuit_is_available_for_use to remove unnecessary check.
+    - Refactor circuit_predict_and_launch_new for readability and
+      testability. Closes ticket 18873.
+    - Refactor large if statement in purpose_needs_anonymity to use
+      switch statement instead. Closes part of ticket 20077.
+    - Refactor the hashing API to return negative values for errors, as
+      is done as throughout the codebase. Closes ticket 20717.
+    - Remove data structures that were used to index or_connection
+      objects by their RSA identity digests. These structures are fully
+      redundant with the similar structures used in the
+      channel abstraction.
+    - Remove duplicate code in the channel_write_*cell() functions.
+      Closes ticket 13827; patch from Pingl.
+    - Remove redundant behavior of is_sensitive_dir_purpose, refactor to
+      use only purpose_needs_anonymity. Closes part of ticket 20077.
+    - The code to generate and parse EXTEND and EXTEND2 cells has been
+      replaced with code automatically generated by the
+      "trunnel" utility.
+
+  o Documentation:
+    - Include the "TBits" unit in Tor's man page. Fixes part of bug
+      20622; bugfix on tor-0.2.5.1-alpha.
+    - Change '1' to 'weight_scale' in consensus bw weights calculation
+      comments, as that is reality. Closes ticket 20273. Patch
+      from pastly.
+    - Set the default value from 250 KBytes to 2 MBytes for
+      AuthDirGuardBWGuarantee in the man page which is what the code is
+      using; Fixes bug 20435; bugfix on tor-0.2.5.6-alpha.
+    - Stop the man page from ncorrectly stating that HiddenServiceDir
+      must already exist. This is not true. Fixes 20486.
+    - Clarify that when `ClientRejectInternalAddresses` is enabled
+      (which is the default), multicast DNS hostnames for machines on
+      the local network (of the form *.local) are also rejected. Closes
+      ticket 17070.
+
+  o Removed features:
+    - The AuthDirMaxServersPerAuthAddr option no longer exists: The same
+      limit for relays running on a single IP applies to authority IP
+      addresses as well as to non-authority IP addresses. Closes
+      ticket 20960.
+    - The UseDirectoryGuards torrc options is no longer present: all
+      users that use entry guards will also use directory guards.
+      Related to proposal 271; implements part of ticket 20831.
+
+  o Testing:
+    - New unit tests for tor_htonll(). Closes ticket 19563. Patch
+      from "overcaffeinated".
+    - Perform the coding style checks when running the tests and fail
+      when coding style violations are found. Closes ticket 5500.
 
 
 Changes in version 0.2.8.12 - 2016-12-19

changes/14881

@@ -1,8 +0,0 @@
-  o Minor bugfixes (consensus weight):
-    - Add new consensus method that initializes bw weights to 1 instead of 0. This
-      prevents a zero weight from making it all the way to the end (happens in
-      small testing networks) and causing an error. Fixes bug 14881; bugfix
-      on 0.2.2.17-alpha.
-
-  o Minor features (unit tests):
-    - Add tests for networkstatus_compute_bw_weights_v10.

changes/17070

@@ -1,4 +0,0 @@
-  o Documentation (SOCKS connections):
-    - Clarify that when `ClientRejectInternalAddresses` is enabled (which is the
-      default), multicast DNS hostnames for machines on the local network (of
-      the form *.local) are also rejected.  Closes ticket 17070.

changes/19965

@@ -1,3 +0,0 @@
-  o Minor bugfix (configuration):
-    - Accept non-space whitespace characters after the severity level in the
-      `Log` option.  Fixes bug 19965; bugfix on 0.2.1.1-alpha.

changes/20273

@@ -1,4 +0,0 @@
-  o Documentation (comments):
-    - Change '1' to 'weight_scale' in consensus bw weights calculation
-      comments, as that is reality. Closes ticket 20273. Patch from pastly.
-

changes/20511

@@ -1,3 +0,0 @@
-  o Minor feature (directory cache):
-    - Relays and bridges will now refuse to serve the consensus they have if
-      they know it is too old for a client to use. Closes ticket 20511.

changes/20526

@@ -1,5 +0,0 @@
-  o Code simplification and refactoring:
-     - Introduce rend_service_is_ephemeral() that tells if given onion
-       service is ephemeral. Replace unclear NULL-checkings for service
-       directory with this function.
-       Closes ticket 20526.

changes/20853

@@ -1,4 +0,0 @@
-  o Minor bugfix (hidden services):
-    - Change ephemeral service checks in `rendservice.c` to use the new
-      `rend_service_is_ephemeral` helper function.  Fixes bug 20853; bugfix on
-      bug 20526; not in any released version of Tor.

changes/bug13827

@@ -1,3 +0,0 @@
-  o Code simplification and refactoring:
-    - Remove duplicate code in the channel_write_*cell() functions.
-       Closes ticket 13827; patch from Pingl.

changes/bug17779

@@ -1,6 +0,0 @@
-  o Minor bugfixes (leak at exit):
-    - Fix a small harmless memory leak at exit of the previously unused
-      RSA->Ed identity cross-certificate. Fixes bug 17779; bugfix on
-      0.2.7.2-alpha.
-
-

changes/bug19043

@@ -1,5 +0,0 @@
-  o Major features (hidden services):
-    - Relays can now handle v3 ESTABLISH_INTRO cells as specified by prop224
-      aka "Next Generation Hidden Services". Service and clients don't yet use
-      this code functionnality. It marks another step towards prop224
-      deployment. Resolves ticket 19043. Initial code by Alec Heifetz.

changes/bug19563

@@ -1,3 +0,0 @@
-  o Testing:
-    - New unit tests for tor_htonll(). Closes ticket 19563. Patch from
-      "overcaffeinated".

changes/bug20027

@@ -1,3 +0,0 @@
-  o Minor bugfixes (ed25519 certificates):
-    - Correctly interpret ed25519 certificates that would expire some
-      time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha.

changes/bug20048

@@ -1,4 +0,0 @@
-  o Minor features (infrastructure):
-    - Implement smartlist_add_strdup() function. Replaces the use of
-      smartlist_add(sl, tor_strdup(str)). Closes ticket 20048.
-

changes/bug20269

@@ -1,4 +0,0 @@
-  o Minor bugfixes (client):
-    - When clients that use bridges start up with a cached consensus
-      on disk, they were ignoring it and downloading a new one. Now they
-      use the cached one. Fixes bug 20269; bugfix on 0.2.3.12-alpha.

changes/bug20389

@@ -1,4 +0,0 @@
-  o Minor features (controller):
-    - When HSFETCH arguments cannot be parsed, say "Invalid argument"
-      rather than "unrecognized." Closes ticket 20389; patch from
-      Ivan Markin.

changes/bug20435

@@ -1,4 +0,0 @@
-  o Documentation (man page):
-    - Set the default value from 250 KBytes to 2 MBytes for
-      AuthDirGuardBWGuarantee in the man page which is what the code is using;
-      Fixes bug 20435; bugfix on tor-0.2.5.6-alpha.

changes/bug20459

@@ -1,6 +0,0 @@
-  o Major bugfixes (scheduler):
-    - Fix an issue where the ewma_cmp_cmux() function would never consider
-      circuit policies to be different.  This bug caused the channel scheduler
-      to behave more or less randomly, rather than preferring channels with
-      higher-priority circuits.
-      Fixes bug 20459; bugfix on 0.2.6.2-alpha.

changes/bug20530

@@ -1,4 +0,0 @@
-  o Minor bugfixes (Windows):
-    - Check for getpagesize before using it to mmap files. This fixes
-      compilation in some MinGW environments. Fixes bug 20530; bugfix on
-      0.1.2.1-alpha. Reported by "ice".

changes/bug20559

@@ -1,4 +0,0 @@
-  o Minor bugfixes (hidden services):
-    - Stop ignoring misconfigured hidden services. Instead, refuse to start
-      tor until the misconfigurations have been corrected.
-      Fixes bug 20559; bugfix on multiple commits in 0.2.7.1-alpha and earlier.

changes/bug20593.2

@@ -1,4 +0,0 @@
-  o Minor features (diagnostic, directory client):
-    - Warn if we find an unexpected inconsistency in directory download
-      status objects. Prevents some negative consequences of bug 20593.
-

changes/bug20622

@@ -1,8 +0,0 @@
-  o Minor bugfixes (configuration):
-    - Support "TByte" and "TBytes" units in options given in bytes.
-      "TB", "terabyte(s)", "TBit(s)" and "terabit(s)" were already
-      supported. Fixes bug 20622; bugfix on 0.2.0.14-alpha.
-
-  o Minor bugfixes (documentation):
-    - Include the "TBits" unit in Tor's man page. Fixes part of bug
-      20622; bugfix on tor-0.2.5.1-alpha.

changes/bug20646

@@ -1,5 +0,0 @@
-  o Minor bugfix (util):
-    - When finishing writing a file to disk, if we were about to replace the
-      file with the temporary file created before and we fail to replace it,
-      remove the temporary file so it doesn't stay on disk. Fixes bug 20646;
-      bugfix on tor-0.2.0.7-alpha. Patch by fk.

changes/bug20667

@@ -1,5 +0,0 @@
-  o Minor bugfixes (directory downloads):
-    - Download all consensus flavors, descriptors, and authority certificates
-      when FetchUselessDescriptors is set, regardless of whether tor is a
-      directory cache or not.
-      Fixes bug 20667; bugfix on all recent tor versions.

changes/bug20839

@@ -1,5 +0,0 @@
-  o Minor bugfixes (descriptors):
-    - Correctly recognise downloaded full descriptors as valid, even when
-      using microdescriptors as circuits. This affects clients with
-      FetchUselessDescriptors set, and may affect directory authorities.
-      Fixes bug 20839; bugfix on commit 6083276 in 0.2.3.2-alpha.

changes/bug20860

@@ -1,4 +0,0 @@
-  o Minor bugfixes (hidden services):
-    - Stop ignoring duplicate hidden services when validating: this could
-      lead to a crash when those services were created.
-      Fixes bug 20860; bugfix on 20559; not in any released version of tor.

changes/bug6769

@@ -1,5 +0,0 @@
-  o Minor bugfixes (directory system):
-    - Bridges and relays now use microdescriptors (like clients do)
-      rather than old-style router descriptors. Now bridges will blend in
-      with clients in terms of the circuits they build. Fixes bug 6769;
-      bugfix on 0.2.3.2-alpha.

changes/feature13752

@@ -1,4 +0,0 @@
-  o Minor features (fingerprinting resistence, authentication):
-    - Extend the length of RSA keys used for TLS link authentication to
-      2048 bits. (These weren't used for forward secrecy; for forward
-      secrecy, we used P256.) Closes ticket 13752.

changes/feature15055

@@ -1,6 +0,0 @@
-  o Major features (protocol, Ed25519):
-    - Tor relays now use Ed25519 to prove their Ed25519 identities and
-      Ed25519 to one another, and to clients. This algorithm is faster
-      and more secure than the RSA-based handshake we've been doing until
-      now. Implements the second big part of proposal 220; Closes ticket
-      15055.

changes/feature15056

@@ -1,28 +0,0 @@
-  o Major features (ed25519 identity keys):
-    - Relays now understand requests to extend to other relays
-      by their Ed25519 identity keys. When an Ed25519 identity key
-      is included in an EXTEND2 cell, the relay will only extend
-      the circuit if the other relay can prove ownership of that identity.
-      Implements part of ticket 15056; part of proposal 220.
-    - Clients now support including Ed25519 identity keys in the EXTEND2
-      cells they generate.  By default, this is controlled by a consensus
-      parameter, currently disabled.  You can turn this feature on for
-      testing by setting ExtendByEd25519ID in your configuration. This might
-      make your traffic appear different than the traffic generated by other
-      users, however.
-      Implements part of ticket 15056; part of proposal 220.
-
-  o Code simplification and refactoring:
-    - The code to generate and parse EXTEND and EXTEND2 cells has
-      been replaced with code automatically generated by the "trunnel"
-      utility.
-    - Remove data structures that were used to index or_connection objects by
-      their RSA identity digests. These structures are fully redundant with
-      the similar structures used in the channel abstraction.
-
-  o Minor features (directory authority):
-    - Add a new authority-only AuthDirTestEd25519LinkKeys option (on by
-      default) to control whether authorities should try to probe relays by
-      their Ed25519 link keys.  This option will go away in a few
-      releases--unless we encounter major trouble in our ed25519 link
-      protocol rollout, in which case it will serve as a safety option.

changes/feature17238

@@ -1,6 +0,0 @@
-  o Major features (onion services):
-    - Tor relays now support the HSDir version 3 protocol meaning they can
-      store and serve v3 descriptors. This is part of the next generation
-      onion service work detailled in proposal 224. The tor daemon also
-      contains all the necessary code to encode and decode a v3 descriptor but
-      it's currently only used by the directory subsystem. Closes ticket 17238.

changes/feature20552

@@ -1,4 +0,0 @@
-  o Minor features (ed25519 link handshake):
-    - Advertise support for the ed25519 link handshake using the
-      subprotocol-versions mechanism, so that clients can tell which
-      relays can identity themselves by Ed25519 ID. Closes ticket 20552.

changes/ticket18873

@@ -1,10 +0,0 @@
-  o Code simplification and refactoring:
-    - Refactor circuit_predict_and_launch_new for readability and
-      testability. Closes ticket 18873.
-    - Extract magic numbers in circuituse.c into defined variables.
-    - Refactor circuit_is_available_for_use to remove unnecessary check.
-
-  o Minor features (unit tests):
-    - Extract dummy_origin_circuit_new so it can be used by other test
-      functions.
-    - Add unit tests circuit_predict_and_launch_new.

changes/ticket19858

@@ -1,4 +0,0 @@
-  o Code simplification and refactoring (guards):
-    - Abolish all global guard context in entrynodes.c; replace with new
-      guard_selection_t structure as preparation for proposal 271.  Closes
-      ticket 19858.

changes/ticket20077

@@ -1,5 +0,0 @@
-  o Code simplification and refactoring:
-    - Remove redundant behavior of is_sensitive_dir_purpose, refactor to use
-      only purpose_needs_anonymity.  Closes part of ticket 20077.
-    - Refactor large if statement in purpose_needs_anonymity to use switch
-      statement instead. Closes part of ticket 20077.

changes/ticket20486

@@ -1,3 +0,0 @@
-  o Documentation (Onion Services):
-     - tor's man page incorrectly states that HiddenServiceDir must already
-       exist. This is not true. Fixes 20486.

changes/ticket20717

@@ -1,3 +0,0 @@
-  o Code simplification and refactoring:
-    - Refactor the hashing API to return negative values for errors, as is done
-      as throughout the codebase. Closes ticket 20717.

changes/ticket20831

@@ -1,6 +0,0 @@
-  o Removed features:
-    - The UseDirectoryGuards torrc options is
-      no longer present: all users that use entry guards will also use
-      directory guards. Related to proposal 271; implements part of
-      ticket 20831.
-

changes/ticket20960

@@ -1,5 +0,0 @@
-  o Removed features:
-    - The AuthDirMaxServersPerAuthAddr option no longer exists: The same
-      limit for relays running on a single IP applies to authority IP
-      addresses as well as to non-authority IP addresses.  Closes ticket
-      20960.

changes/ticket5500

@@ -1,3 +0,0 @@
-  o Testing:
-    - Perform the coding style checks when running the tests and fail when
-      coding style violations are found. Closes ticket 5500.