Changes in version 0.2.5.10 - 2014-10-24

• Major features (security):
  • The ntor handshake is now on-by-default, no matter what the directory authorities recommend. Implements ticket 8561.
  • Make the "tor-gencert" tool used by directory authority operators create 2048-bit signing keys by default (rather than 1024-bit, since 1024-bit is uncomfortably small these days). Addresses ticket 10324.
  • Warn about attempts to run hidden services and relays in the same process: thats probably not a good idea. Closes ticket 12908.
  • Disable support for SSLv3. All versions of OpenSSL in use with Tor today support TLS 1.0 or later, so we can safely turn off support for this old (and insecure) protocol. Fixes bug 13426.
• Major features (relay security, DoS-resistance):
  • When deciding whether we have run out of memory and we need to close circuits, also consider memory allocated in buffers for streams attached to each circuit.
    This change, which extends an anti-DoS feature introduced in 0.2.4.13-alpha and improved in 0.2.4.14-alpha, lets Tor exit relays better resist more memory-based DoS attacks than before. Since the MaxMemInCellQueues option now applies to all queues, it is renamed to MaxMemInQueues. This feature fixes bug 10169.
  • Avoid hash-flooding denial-of-service attacks by using the secure SipHash-2-4 hash function for our hashtables. Without this feature, an attacker could degrade performance of a targeted client or server by flooding their data structures with a large number of entries to be stored at the same hash table position, thereby slowing down the Tor instance. With this feature, hash table positions are derived from a randomized cryptographic key, and an attacker cannot predict which entries will collide. Closes ticket 4900.
  • If you dont specify MaxMemInQueues yourself, Tor now tries to pick a good value based on your total system memory. Previously, the default was always 8 GB. You can still override the default by setting MaxMemInQueues yourself. Resolves ticket 11396.
• Major features (bridges and pluggable transports):
  • Add support for passing arguments to managed pluggable transport proxies. Implements ticket 3594.
  • Bridges now track GeoIP information and the number of their users even when pluggable transports are in use, and report usage statistics in their extra-info descriptors. Resolves tickets 4773 and 5040.
  • Dont launch pluggable transport proxies if we dont have any bridges configured that would use them. Now we can list many pluggable transports, and Tor will dynamically start one when it hears a bridge address that needs it. Resolves ticket 5018.
  • The bridge directory authority now assigns status flags (Stable, Guard, etc) to bridges based on thresholds calculated over all Running bridges. Now bridgedb can finally make use of its features to e.g. include at least one Stable bridge in its answers. Fixes bug 9859.
• Major features (controller):
  • Extend ORCONN controller event to include an "ID" parameter, and add four new controller event types CONN_BW, CIRC_BW, CELL_STATS, and TB_EMPTY that show connection and circuit usage. The new events are emitted in private Tor networks only, with the goal of being able to better track performance and load during full-network simulations. Implements proposal 218 and ticket 7359.
• Major features (relay performance):
  • Speed up server-side lookups of rendezvous and introduction point circuits by using hashtables instead of linear searches. These functions previously accounted between 3 and 7% of CPU usage on some busy relays. Resolves ticket 9841.
  • Avoid wasting CPU when extending a circuit over a channel that is nearly out of circuit IDs. Previously, we would do a linear scan over possible circuit IDs before finding one or deciding that we had exhausted our possibilities. Now, we try at most 64 random circuit IDs before deciding that we probably wont succeed. Fixes a possible root cause of ticket 11553.
• Major features (seccomp2 sandbox, Linux only):
  • Use the seccomp2 syscall filtering facility on Linux to limit which system calls Tor can invoke. This is an experimental, Linux-only feature to provide defense-in-depth against unknown attacks. To try turning it on, set "Sandbox 1" in your torrc file. Please be ready to report bugs. We hope to add support for better sandboxing in the future, including more fine-grained filters, better division of responsibility, and support for more platforms. This work has been done by Cristian-Matei Toader for Google Summer of Code. Resolves tickets 11351 and 11465.
• Major features (testing networks):
  • Make testing Tor networks bootstrap better: lower directory fetch retry schedules and maximum interval without directory requests, and raise maximum download tries. Implements ticket 6752.
  • Add make target test-network to run tests on a Chutney network. Implements ticket 8530.
• Major features (other):
  • On some platforms (currently: recent OSX versions, glibc-based platforms that support the ELF format, and a few other Unix-like operating systems), Tor can now dump stack traces when a crash occurs or an assertion fails. By default, traces are dumped to stderr (if possible) and to any logs that are reporting errors. Implements ticket 9299.
• Deprecated versions:
  • Tor 0.2.3.x has reached end-of-life; it has received no patches or attention for some while.
• Major bugfixes (security, directory authorities):
  • Directory authorities now include a digest of each relays identity key as a part of its microdescriptor.
    This is a workaround for bug 11743 (reported by "cypherpunks"), where Tor clients do not support receiving multiple microdescriptors with the same SHA256 digest in the same consensus. When clients receive a consensus like this, they only use one of the relays. Without this fix, a hostile relay could selectively disable some client use of target relays by constructing a router descriptor with a different identity and the same microdescriptor parameters and getting the authorities to list it in a microdescriptor consensus. This fix prevents an attacker from causing a microdescriptor collision, because the routers identity is not forgeable.
• Major bugfixes (openssl bug workaround):
  • Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or 1.0.1j, built with the no-ssl3 configuration option. Fixes bug 13471. This is a workaround for an OpenSSL bug.
• Major bugfixes (client):
  • Perform circuit cleanup operations even when circuit construction operations are disabled (because the network is disabled, or because there isnt enough directory information). Previously, when we were not building predictive circuits, we were not closing expired circuits either. Fixes bug 8387; bugfix on 0.1.1.11-alpha. This bug became visible in 0.2.4.10-alpha when we became more strict about when we have "enough directory information to build circuits".
• Major bugfixes (client, pluggable transports):
  • When managing pluggable transports, use OS notification facilities to learn if they have crashed, and dont attempt to kill any process that has already exited. Fixes bug 8746; bugfix on 0.2.3.6-alpha.
• Major bugfixes (relay denial of service):
  • Instead of writing destroy cells directly to outgoing connection buffers, queue them and intersperse them with other outgoing cells. This can prevent a set of resource starvation conditions where too many pending destroy cells prevent data cells from actually getting delivered. Reported by "oftc_must_be_destroyed". Fixes bug 7912; bugfix on 0.2.0.1-alpha.
• Major bugfixes (relay):
  • Avoid queuing or sending destroy cells for circuit ID zero when we fail to send a CREATE cell. Fixes bug 12848; bugfix on 0.0.8pre1. Found and fixed by "cypherpunks".
  • Fix ORPort reachability detection on relays running behind a proxy, by correctly updating the "local" mark on the controlling channel when changing the address of an or_connection_t after the handshake. Fixes bug 12160; bugfix on 0.2.4.4-alpha.
  • Use a direct dirport connection when uploading non-anonymous descriptors to the directory authorities. Previously, relays would incorrectly use tunnel connections under a fairly wide variety of circumstances. Fixes bug 11469; bugfix on 0.2.4.3-alpha.
  • When a circuit accidentally has the same circuit ID for its forward and reverse direction, correctly detect the direction of cells using that circuit. Previously, this bug made roughly one circuit in a million non-functional. Fixes bug 12195; this is a bugfix on every version of Tor.
• Minor features (security):
  • New --enable-expensive-hardening option to enable security hardening options that consume nontrivial amounts of CPU and memory. Right now, this includes AddressSanitizer and UbSan, which are supported in newer versions of GCC and Clang. Closes ticket 11477.
  • Authorities now assign the Guard flag to the fastest 25% of the network (it used to be the fastest 50%). Also raise the consensus weight that guarantees the Guard flag from 250 to 2000. For the current network, this results in about 1100 guards, down from 2500. This step paves the way for moving the number of entry guards down to 1 (proposal 236) while still providing reasonable expected performance for most users. Implements ticket 12690.
• Minor features (security, memory management):
  • Memory allocation tricks (mempools and buffer freelists) are now disabled by default. You can turn them back on with --enable-mempools and --enable-buf-freelists respectively. Were disabling these features because malloc performance is good enough on most platforms, and a similar feature in OpenSSL exacerbated exploitation of the Heartbleed attack. Resolves ticket 11476.
• Minor features (bridge client):
  • Report a more useful failure message when we cant connect to a bridge because we dont have the right pluggable transport configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
• Minor features (bridge):
  • Add an ExtORPortCookieAuthFileGroupReadable option to make the cookie file for the ExtORPort g+r by default.
• Minor features (bridges, pluggable transports):
  • Bridges now write the SHA1 digest of their identity key fingerprint (that is, a hash of a hash of their public key) to notice-level logs, and to a new hashed-fingerprint file. This information will help bridge operators look up their bridge in Globe and similar tools. Resolves ticket 10884.
  • Improve the message that Tor displays when running as a bridge using pluggable transports without an Extended ORPort listener. Also, log the message in the log file too. Resolves ticket 11043.
  • Add threshold cutoffs to the networkstatus document created by the Bridge Authority. Fixes bug 1117.
  • On Windows, spawn background processes using the CREATE_NO_WINDOW flag. Now Tor Browser Bundle 3.5 with pluggable transports enabled doesnt pop up a blank console window. (In Tor Browser Bundle 2.x, Vidalia set this option for us.) Implements ticket 10297.
• Minor features (build):
  • The configure script has a --disable-seccomp option to turn off support for libseccomp on systems that have it, in case it (or Tors use of it) is broken. Resolves ticket 11628.
  • Assume that a user using ./configure --host wants to cross-compile, and give an error if we cannot find a properly named tool-chain. Add a --disable-tool-name-check option to proceed nevertheless. Addresses ticket 9869. Patch by Benedikt Gollatz.
  • If we run ./configure and the compiler recognizes -fstack-protector but the linker rejects it, warn the user about a potentially missing libssp package. Addresses ticket 9948. Patch from Benedikt Gollatz.
  • Add support for `--library-versions` flag. Implements ticket 6384.
  • Return the "unexpected sendme" warnings to a warn severity, but make them rate limited, to help diagnose ticket 8093.
  • Detect a missing asciidoc, and warn the user about it, during configure rather than at build time. Fixes issue 6506. Patch from Arlo Breault.
• Minor features (client):
  • Add a new option, PredictedPortsRelevanceTime, to control how long after having received a request to connect to a given port Tor will try to keep circuits ready in anticipation of future requests for that port. Patch from "unixninja92"; implements ticket 9176.
• Minor features (config options and command line):
  • Add an --allow-missing-torrc commandline option that tells Tor to run even if the configuration file specified by -f is not available. Implements ticket 10060.
  • Add support for the TPROXY transparent proxying facility on Linux. See documentation for the new TransProxyType option for more details. Implementation by "thomo". Closes ticket 10582.
• Minor features (config options):
  • Config (torrc) lines now handle fingerprints which are missing their initial $. Resolves ticket 4341; improvement over 0.0.9pre5.
  • Support a --dump-config option to print some or all of the configured options. Mainly useful for debugging the command-line option parsing code. Helps resolve ticket 4647.
  • Raise awareness of safer logging: notify user of potentially unsafe config options, like logging more verbosely than severity "notice" or setting SafeLogging to 0. Resolves ticket 5584.
  • Add a new configuration option TestingV3AuthVotingStartOffset that bootstraps a network faster by changing the timing for consensus votes. Addresses ticket 8532.
  • Add a new torrc option "ServerTransportOptions" that allows bridge operators to pass configuration parameters to their pluggable transports. Resolves ticket 8929.
  • The config (torrc) file now accepts bandwidth and space limits in bits as well as bytes. (Anywhere that you can say "2 Kilobytes", you can now say "16 kilobits", and so on.) Resolves ticket 9214. Patch by CharlieB.
• Minor features (controller):
  • Make the entire exit policy available from the control port via GETINFO exit-policy/*. Implements enhancement 7952. Patch from "rl1987".
  • Because of the fix for ticket 11396, the real limit for memory usage may no longer match the configured MaxMemInQueues value. The real limit is now exposed via GETINFO limits/max-mem-in-queues.
  • Add a new "HS_DESC" controller event that reports activities related to hidden service descriptors. Resolves ticket 8510.
  • New "DROPGUARDS" controller command to forget all current entry guards. Not recommended for ordinary use, since replacing guards too frequently makes several attacks easier. Resolves ticket 9934; patch from "ra".
  • Implement the TRANSPORT_LAUNCHED control port event that notifies controllers about new launched pluggable transports. Resolves ticket 5609.
• Minor features (diagnostic):
  • When logging a warning because of bug 7164, additionally check the hash table for consistency (as proposed on ticket 11737). This may help diagnose bug 7164.
  • When we log a heartbeat, log how many one-hop circuits we have that are at least 30 minutes old, and log status information about a few of them. This is an attempt to track down bug 8387.
  • When encountering an unexpected CR while writing text to a file on Windows, log the name of the file. Should help diagnosing bug 11233.
  • Give more specific warnings when a client notices that an onion handshake has failed. Fixes ticket 9635.
  • Add significant new logging code to attempt to diagnose bug 12184, where relays seem to run out of available circuit IDs.
  • Improve the diagnostic log message for bug 8387 even further to try to improve our odds of figuring out why one-hop directory circuits sometimes do not get closed.
  • Add more log messages to diagnose bug 7164, which causes intermittent "microdesc_free() called but md was still referenced" warnings. We now include more information, to figure out why we might be cleaning a microdescriptor for being too old if its still referenced by a live node_t object.
  • Log current accounting state (bytes sent and received + remaining time for the current accounting period) in the relays heartbeat message. Implements ticket 5526; patch from Peter Retzlaff.
• Minor features (geoip):
  • Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2 Country database.
• Minor features (interface):
  • Generate a warning if any ports are listed in the SocksPolicy, DirPolicy, AuthDirReject, AuthDirInvalid, AuthDirBadDir, or AuthDirBadExit options. (These options only support address ranges.) Fixes part of ticket 11108.
• Minor features (kernel API usage):
  • Use the SOCK_NONBLOCK socket type, if supported, to open nonblocking sockets in a single system call. Implements ticket 5129.
• Minor features (log messages):
  • When ServerTransportPlugin is set on a bridge, Tor can write more useful statistics about bridge use in its extrainfo descriptors, but only if the Extended ORPort ("ExtORPort") is set too. Add a log message to inform the user in this case. Resolves ticket 9651.
  • When receiving a new controller connection, log the origin address. Resolves ticket 9698; patch from "sigpipe".
  • When logging OpenSSL engine status at startup, log the status of more engines. Fixes ticket 10043; patch from Joshua Datko.
• Minor features (log verbosity):
  • Demote the message that we give when a flushing connection times out for too long from NOTICE to INFO. It was usually meaningless. Resolves ticket 5286.
  • Dont log so many notice-level bootstrapping messages at startup about downloading descriptors. Previously, wed log a notice whenever we learned about more routers. Now, we only log a notice at every 5% of progress. Fixes bug 9963.
  • Warn less verbosely when receiving a malformed ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279.
• Minor features (performance):
  • If were using the pure-C 32-bit curve25519_donna implementation of curve25519, build it with the -fomit-frame-pointer option to make it go faster on register-starved hosts. This improves our handshake performance by about 6% on i386 hosts without nacl. Closes ticket 8109.
• Minor features (relay):
  • If a circuit timed out for at least 3 minutes, check if we have a new external IP address, and publish a new descriptor with the new IP address if it changed. Resolves ticket 2454.
• Minor features (testing):
  • If Python is installed, "make check" now runs extra tests beyond the unit test scripts.
  • When bootstrapping a test network, sometimes very few relays get the Guard flag. Now a new option "TestingDirAuthVoteGuard" can specify a set of relays which should be voted Guard regardless of their uptime or bandwidth. Addresses ticket 9206.
• Minor features (transparent proxy, *BSD):
  • Support FreeBSDs ipfw firewall interface for TransPort ports on FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket 10267; patch from "yurivict".
  • Support OpenBSDs divert-to rules with the pf firewall for transparent proxy ports. To enable it, set "TransProxyType pf-divert". This allows Tor to run a TransPort transparent proxy port on OpenBSD 4.4 or later without root privileges. See the pf.conf(5) manual page for information on configuring pf to use divert-to rules. Closes ticket 10896; patch from Dana Koch.
• Minor bugfixes (bridge client):
  • Stop accepting bridge lines containing hostnames. Doing so would cause clients to perform DNS requests on the hostnames, which was not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
• Minor bugfixes (bridges):
  • Avoid potential crashes or bad behavior when launching a server-side managed proxy with ORPort or ExtORPort temporarily disabled. Fixes bug 9650; bugfix on 0.2.3.16-alpha.
  • Fix a bug where the first connection works to a bridge that uses a pluggable transport with client-side parameters, but we dont send the client-side parameters on subsequent connections. (We dont use any pluggable transports with client-side parameters yet, but ScrambleSuit will soon become the first one.) Fixes bug 9162; bugfix on 0.2.0.3-alpha. Based on a patch from "rl1987".
• Minor bugfixes (build, auxiliary programs):
  • Stop preprocessing the "torify" script with autoconf, since it no longer refers to LOCALSTATEDIR. Fixes bug 5505; patch from Guilhem.
  • The tor-fw-helper program now follows the standard convention and exits with status code "0" on success. Fixes bug 9030; bugfix on 0.2.3.1-alpha. Patch by Arlo Breault.
  • Corrected ./configure advice for what openssl dev package you should install on Debian. Fixes bug 9207; bugfix on 0.2.0.1-alpha.
• Minor bugfixes (client):
  • Avoid "Tried to open a socket with DisableNetwork set" warnings when starting a client with bridges configured and DisableNetwork set. (Tor launcher starts Tor with DisableNetwork set the first time it runs.) Fixes bug 10405; bugfix on 0.2.3.9-alpha.
  • Improve the log message when we cant connect to a hidden service because all of the hidden service directory nodes hosting its descriptor are excluded. Improves on our fix for bug 10722, which was a bugfix on 0.2.0.10-alpha.
  • Raise a control port warning when we fail to connect to all of our bridges. Previously, we didnt inform the controller, and the bootstrap process would stall. Fixes bug 11069; bugfix on 0.2.1.2-alpha.
  • Exit immediately when a process-owning controller exits. Previously, tor relays would wait for a little while after their controller exited, as if they had gotten an INT signal -- but this was problematic, since there was no feedback for the user. To do a clean shutdown, controllers should send an INT signal and give Tor a chance to clean up. Fixes bug 10449; bugfix on 0.2.2.28-beta.
  • Stop attempting to connect to bridges before our pluggable transports are configured (harmless but resulted in some erroneous log messages). Fixes bug 11156; bugfix on 0.2.3.2-alpha.
  • Fix connections to IPv6 addresses over SOCKS5. Previously, we were generating incorrect SOCKS5 responses, and confusing client applications. Fixes bug 10987; bugfix on 0.2.4.7-alpha.
• Minor bugfixes (client, DNSPort):
  • When using DNSPort, try to respond to AAAA requests with AAAA answers. Previously, we hadnt looked at the request type when deciding which answer type to prefer. Fixes bug 10468; bugfix on 0.2.4.7-alpha.
  • When receiving a DNS query for an unsupported record type, reply with no answer rather than with a NOTIMPL error. This behavior isnt correct either, but it will break fewer client programs, we hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch from "epoch".
• Minor bugfixes (client, logging during bootstrap):
  • Only report the first fatal bootstrap error on a given OR connection. This stops us from telling the controller bogus error messages like "DONE". Fixes bug 10431; bugfix on 0.2.1.1-alpha.
  • Avoid generating spurious warnings when starting with DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on 0.2.3.9-alpha.
• Minor bugfixes (closing OR connections):
  • If write_to_buf() in connection_write_to_buf_impl_() ever fails, check if its an or_connection_t and correctly call connection_or_close_for_error() rather than connection_mark_for_close() directly. Fixes bug 11304; bugfix on 0.2.4.4-alpha.
  • When closing all connections on setting DisableNetwork to 1, use connection_or_close_normally() rather than closing OR connections out from under the channel layer. Fixes bug 11306; bugfix on 0.2.4.4-alpha.
• Minor bugfixes (code correctness):
  • Previously we used two temporary files when writing descriptors to disk; now we only use one. Fixes bug 1376.
  • Remove an erroneous (but impossible and thus harmless) pointer comparison that would have allowed compilers to skip a bounds check in channeltls.c. Fixes bugs 10313 and 9980; bugfix on 0.2.0.10-alpha. Noticed by Jared L Wong and David Fifield.
  • Fix an always-true assertion in pluggable transports code so it actually checks what it was trying to check. Fixes bug 10046; bugfix on 0.2.3.9-alpha. Found by "dcb".
• Minor bugfixes (command line):
  • Use a single command-line parser for parsing torrc options on the command line and for finding special command-line options to avoid inconsistent behavior for torrc option arguments that have the same names as command-line options. Fixes bugs 4647 and 9578; bugfix on 0.0.9pre5.
  • No longer allow tor --hash-password with no arguments. Fixes bug 9573; bugfix on 0.0.9pre5.
• Minor bugfixes (compilation):
  • Compile correctly with builds and forks of OpenSSL (such as LibreSSL) that disable compression. Fixes bug 12602; bugfix on 0.2.1.1-alpha. Patch from "dhill".
  • Restore the ability to compile Tor with V2_HANDSHAKE_SERVER turned off (that is, without support for v2 link handshakes). Fixes bug 4677; bugfix on 0.2.3.2-alpha. Patch from "piet".
  • In routerlist_assert_ok(), dont take the address of a routerinfos cache_info member unless that routerinfo is non-NULL. Fixes bug 13096; bugfix on 0.1.1.9-alpha. Patch by "teor".
  • Fix a large number of false positive warnings from the clang analyzer static analysis tool. This should make real warnings easier for
    

    Go to link download