tor-announce
SUMMARY:
This is a critical security announcement.
An attack that exploits a Firefox vulnerability in JavaScript [1]
has been observed in the wild. Specifically, Windows users using the
Tor Browser Bundle (which includes Firefox plus privacy patches [2])
appear to have been targeted.
This vulnerability was fixed in Firefox 17.0.7 ESR [3]. The following
versions of the Tor Browser Bundle include this fixed version:
2.3.25-10 (released June 26 2013) [4]
2.4.15-alpha-1 (released June 26 2013) [4]
2.4.15-beta-1 (released July 8 2013) [5]
3.0alpha2 (released June 30 2013) [6]
Tor Browser Bundle users should ensure they're running a recent enough
bundle version, and consider taking further security precautions as
described below.
WHO IS AFFECTED:
In principle, all users of all Tor Browser Bundles earlier than
the above versions are vulnerable. But in practice, it appears that
only Windows users with vulnerable Firefox versions were actually
exploitable by this attack.
(If you're not sure what version you have, click on "Help -> About
Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: [7])
To be clear, while the Firefox vulnerability is cross-platform, the
attack code is Windows-specific. It appears that TBB users on Linux
and OS X, as well as users of LiveCD systems like Tails, were not
exploited by this attack.
IMPACT:
The vulnerability allows arbitrary code execution, so an attacker
could in principle take over the victim's computer. However, the
observed version of the attack appears to collect the hostname and MAC
address of the victim computer, send that to a remote webserver over
a non-Tor connection, and then crash or exit [8]. The attack appears
to have been injected into (or by) various Tor hidden services [9],
and it's reasonable to conclude that the attacker now has a list of
vulnerable Tor users who visited those hidden services.
We don't currently believe that the attack modifies anything on the
victim computer.
WHAT TO DO:
First, be sure you're running a recent enough Tor Browser Bundle. That
should keep you safe from this attack.
Second, be sure to keep up-to-date in the future. Tor Browser Bundle
automatically checks whether it's out of date, and notifies you on its
homepage when you need to upgrade. Recent versions also add a flashing
exclamation point over the Tor onion icon. We also post about new
versions on the Tor blog: https://blog.torproject.org/
Third, realize that this wasn't the first Firefox vulnerability, nor
will it be the last [10]. Consider disabling JavaScript (click the blue
"S" beside the green onion, and select "Forbid Scripts Globally").
Disabling JavaScript will reduce your vulnerability to other attacks
like this one, but disabling JavaScript will make some websites not work
like you expect. A future version of Tor Browser Bundle will have an
easier interface for letting you configure your JavaScript settings [11].
You might also like Request Policy [12]. And you might want to randomize
your MAC address, install various firewalls, etc.
Fourth, consider switching to a "live system" approach like Tails [13].
Really, switching away from Windows is probably a good security move
for many reasons.
And finally, be aware that many other vectors remain for vulnerabilities
in Firefox. JavaScript is one big vector for attack, but many other
big vectors exist, like css, svg, xml, the renderer, etc. We need
help improving usability of (and doing more security analysis of)
better sandboxing approaches [14] as well as VM-based approaches like
Whonix [15] and WiNoN [16]. Please help!
[1] https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
[2] https://www.torproject.org/projects/torbrowser/design/
[3] https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnera…
[4] https://blog.torproject.org/blog/new-tor-browser-bundles-and-tor-02414-alph…
[5] https://blog.torproject.org/blog/tor-02415-rc-packages-available
[6] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
[7] https://media.torproject.org/video/2013-08-05-TBBversion.mp4
[8] http://tsyrklevich.net/tbb_payload.txt
[9] https://blog.torproject.org/blog/hidden-services-current-events-and-freedom…
[10] https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
[11] https://trac.torproject.org/projects/tor/ticket/9387
[12] https://www.requestpolicy.com/
[13] https://tails.boum.org/
[14] https://trac.torproject.org/projects/tor/ticket/7680
[15] http://sourceforge.net/projects/whonix/
[16] http://dedis.cs.yale.edu/2010/anon/papers/osdi12.pdf
https://trac.torproject.org/projects/tor/ticket/7681
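The observed payload phoned home over a non-Tor connection, and the announcement's advice includes installing firewalls. The following added example (not part of the tor-announce post, and not Tor Project code) shows the defender-side check that idea implies: given host-firewall connection logs, flag any connection made by the browser process that did not go to the local Tor SOCKS port. The log line format, the process name `firefox.exe`, and the IP addresses are constructed for the example; the only assumption taken from the post is that Tor listens for SOCKS on 127.0.0.1:9050.

```python
"""Flag browser egress that bypasses the local Tor SOCKS port.

Added example; not part of the tor-announce post. Assumes a host firewall
that logs one outbound connection per line in the constructed format:

    <date> <time> <ALLOW|BLOCK> <TCP|UDP> <src>:<sport> <dst>:<dport> <process>

Real firewall log formats differ; adapt LINE_RE accordingly.
"""
import re
from dataclasses import dataclass

# Where the Tor Browser Bundle's local tor accepts SOCKS connections
# (9050 is the default the post refers to; adjust if your torrc differs).
TOR_SOCKS = {("127.0.0.1", 9050)}

# Process names treated as "the browser" (constructed; Windows TBB of that era).
BROWSER_PROCS = {"firefox.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proc>\S+)$"
)

# Constructed sample log: two legitimate SOCKS connections, one direct TCP
# connection to a remote web server, one UDP DNS lookup, one unrelated process,
# and one unparseable line.
SAMPLE_LOG = """\
2013-08-05 12:00:01 ALLOW TCP 192.168.1.10:51000 127.0.0.1:9050 firefox.exe
2013-08-05 12:00:02 ALLOW TCP 192.168.1.10:51001 127.0.0.1:9050 firefox.exe
2013-08-05 12:00:03 ALLOW TCP 192.168.1.10:51002 203.0.113.7:80 firefox.exe
2013-08-05 12:00:04 ALLOW UDP 192.168.1.10:51003 192.168.1.1:53 firefox.exe
2013-08-05 12:00:05 ALLOW TCP 192.168.1.10:51004 198.51.100.20:443 svchost.exe
this line is not a firewall record
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    action: str
    proto: str
    dst: str
    dport: int
    proc: str


def parse_line(line):
    """Return the fields of one firewall record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_tor_bypass(lines, browser_procs=BROWSER_PROCS, socks_endpoints=TOR_SOCKS):
    """Return every browser connection that did not go to a Tor SOCKS endpoint.

    Anything from the browser other than TCP to the local SOCKS port is a leak
    candidate: direct TCP to the internet, or UDP (e.g. DNS) which Tor cannot
    carry at all. Connections from other processes are ignored here.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] not in browser_procs:
            continue
        dst = (rec["dst"], int(rec["dport"]))
        if rec["proto"] == "TCP" and dst in socks_endpoints:
            continue  # expected path: browser -> local tor SOCKS port
        findings.append(Finding(rec["ts"], rec["action"], rec["proto"],
                                rec["dst"], int(rec["dport"]), rec["proc"]))
    return findings


if __name__ == "__main__":
    for f in find_tor_bypass(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.proc} {f.proto} -> {f.dst}:{f.dport} ({f.action})")
```

The same rule that produces these findings is the one a host firewall should enforce: allow the browser process to reach only the local Tor SOCKS port and block everything else it tries to open, so that a payload running inside the browser has no direct route out.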
The Tor 0.2.3 release series is dedicated to the memory of Len "rabbi"
Sassaman (1980-2011), a long-time cypherpunk, anonymity researcher,
Mixmaster maintainer, Pynchon Gate co-designer, CodeCon organizer,
programmer, and friend. Unstinting in his dedication to the cause of
freedom, he inspired and helped many of us as we began our work on
anonymity, and inspires us still. Please honor his memory by writing
software to protect people's freedoms, and by helping others to do so.
Tor 0.2.3.25, the first stable release in the 0.2.3 branch, features
significantly reduced directory overhead (via microdescriptors),
enormous crypto performance improvements for fast relays on new
enough hardware, a new v3 TLS handshake protocol that can better
resist fingerprinting, support for protocol obfuscation plugins (aka
pluggable transports), better scalability for hidden services, IPv6
support for bridges, performance improvements like allowing clients
to skip the first round-trip on the circuit ("optimistic data") and
refilling token buckets more often, a new "stream isolation" design
to isolate different applications on different circuits, and many
stability, security, and privacy fixes.
(I apologize for the delay in announcing the release to this list:
I was waiting for the Tor Browser Bundles with it to stabilize a bit,
but with the new integration to Firefox 17, it's become clear that TBB
will be in flux a while more.)
https://www.torproject.org/download/download
Changes in version 0.2.3.25 - 2012-11-19
o Major features (v3 directory protocol):
- Clients now use microdescriptors instead of regular descriptors
to build circuits. Microdescriptors are authority-generated
summaries of regular descriptors' contents, designed to change very
rarely (see proposal 158 for details). This feature is designed
to save bandwidth, especially for clients on slow internet
connections. Use "UseMicrodescriptors 0" to disable it.
- Caches now download, cache, and serve microdescriptors, as well
as multiple "flavors" of the consensus, including a flavor that
describes microdescriptors.
o Major features (build hardening):
- Enable gcc and ld hardening by default. Resolves ticket 5210.
o Major features (relay scaling):
- When built to use OpenSSL 1.0.1, and built for an x86 or x86_64
instruction set, take advantage of OpenSSL's AESNI, bitsliced, or
vectorized AES implementations as appropriate. These can be much,
much faster than other AES implementations.
- When using OpenSSL 1.0.0 or later, use OpenSSL's counter mode
implementation. It makes AES_CTR about 7% faster than our old one
(which was about 10% faster than the one OpenSSL used to provide).
Resolves ticket 4526.
- Use OpenSSL's EVP interface for AES encryption, so that all AES
operations can use hardware acceleration (if present). Resolves
ticket 4442.
- Unconditionally use OpenSSL's AES implementation instead of our
old built-in one. OpenSSL's AES has been better for a while, and
relatively few servers should still be on any version of OpenSSL
that doesn't have good optimized assembly AES.
o Major features (blocking resistance):
- Update TLS cipher list to match Firefox 8 and later. Resolves
ticket 4744.
- Remove support for clients falsely claiming to support standard
ciphersuites that they can't actually provide. As of modern OpenSSL
versions, it's not necessary to fake any standard ciphersuite,
and doing so prevents us from using better ciphersuites in the
future, since servers can't know whether an advertised ciphersuite
is really supported or not. Some hosts -- notably, ones with very
old versions of OpenSSL or where OpenSSL has been built with ECC
disabled -- will stand out because of this change; TBB users should
not be affected. Implements the client side of proposal 198.
- Implement a new handshake protocol (v3) for authenticating Tors to
each other over TLS. It should be more resistant to fingerprinting
than previous protocols, and should require less TLS hacking for
future Tor implementations. Implements proposal 176.
- Allow variable-length padding cells, to disguise the length of
Tor's TLS records. Implements part of proposal 184.
- While we're trying to bootstrap, record how many TLS connections
fail in each state, and report which states saw the most failures
in response to any bootstrap failures. This feature may speed up
diagnosis of censorship events. Implements ticket 3116.
o Major features (pluggable transports):
- Clients and bridges can now be configured to use a separate
"transport" proxy. This approach makes the censorship arms race
easier by allowing bridges to use protocol obfuscation plugins.
Implements proposal 180 (tickets 2841 and 3472).
o Major features (DoS resistance):
- Now that Tor 0.2.0.x is completely deprecated, enable the final
part of "Proposal 110: Avoiding infinite length circuits" by
refusing all circuit-extend requests that do not use a relay_early
cell. This change helps Tor resist a class of denial-of-service
attacks by limiting the maximum circuit length.
- Tear down the circuit if we get an unexpected SENDME cell. Clients
could use this trick to make their circuits receive cells faster
than our flow control would have allowed, or to gum up the network,
or possibly to do targeted memory denial-of-service attacks on
entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor --
from July 2002, before the release of Tor 0.0.0.
o Major features (hidden services):
- Adjust the number of introduction points that a hidden service
will try to maintain based on how long its introduction points
remain in use and how many introductions they handle. Fixes
part of bug 3825.
- Add a "tor2web mode" for clients that want to connect to hidden
services non-anonymously (and possibly more quickly). As a safety
measure to try to keep users from turning this on without knowing
what they are doing, tor2web mode must be explicitly enabled at
compile time, and a copy of Tor compiled to run in tor2web mode
cannot be used as a normal Tor client. Implements feature 2553.
o Major features (IPv6):
- Clients can now connect to private bridges over IPv6. Bridges
still need at least one IPv4 address in order to connect to
other relays. Note that we don't yet handle the case where the
user has two bridge lines for the same bridge (one IPv4, one
IPv6). Implements parts of proposal 186.
o Major features (directory authorities):
- Use a more secure consensus parameter voting algorithm. Now at
least three directory authorities or a majority of them must
vote on a given parameter before it will be included in the
consensus. Implements proposal 178.
- Remove the artificially low cutoff of 20KB to guarantee the Fast
flag. In the past few years the average relay speed has picked
up, and while the "top 7/8 of the network get the Fast flag" and
"all relays with 20KB or more of capacity get the Fast flag" rules
used to have the same result, now the top 7/8 of the network has
a capacity more like 32KB. Bugfix on 0.2.1.14-rc. Fixes bug 4489.
o Major features (performance):
- Exit nodes now accept and queue data on not-yet-connected streams.
Previously, the client wasn't allowed to send data until the
stream was connected, which slowed down all connections. This
change will enable clients to perform a "fast-start" on streams
and send data without having to wait for a confirmation that the
stream has opened. Patch from Ian Goldberg; implements the server
side of Proposal 174.
- When using an exit relay running 0.2.3.x, clients can now
"optimistically" send data before the exit relay reports that
the stream has opened. This saves a round trip when starting
connections where the client speaks first (such as web browsing).
This behavior is controlled by a consensus parameter (currently
disabled). To turn it on or off manually, use the "OptimisticData"
torrc option. Implements proposal 181; code by Ian Goldberg.
- Add a new TokenBucketRefillInterval option to refill token buckets
more frequently than once per second. This should improve network
performance, alleviate queueing problems, and make traffic less
bursty. Implements proposal 183; closes ticket 3630. Design by
Florian Tschorsch and Björn Scheuermann; implementation by
Florian Tschorsch.
- Raise the threshold of server descriptors needed (75%) and exit
server descriptors needed (50%) before we will declare ourselves
bootstrapped. This will make clients start building circuits a
little later, but makes the initially constructed circuits less
skewed and less in conflict with further directory fetches. Fixes
ticket 3196.
o Major features (relays):
- Relays now try regenerating and uploading their descriptor more
frequently if they are not listed in the consensus, or if the
version of their descriptor listed in the consensus is too
old. This fix should prevent situations where a server declines
to re-publish itself because it has done so too recently, even
though the authorities decided not to list its recent-enough
descriptor. Fix for bug 3327.
o Major features (stream isolation):
- You can now configure Tor so that streams from different
applications are isolated on different circuits, to prevent an
attacker who sees your streams as they leave an exit node from
linking your sessions to one another. To do this, choose some way
to distinguish the applications: have them connect to different
SocksPorts, or have one of them use SOCKS4 while the other uses
SOCKS5, or have them pass different authentication strings to the
SOCKS proxy. Then, use the new SocksPort syntax to configure the
degree of isolation you need. This implements Proposal 171.
- There's a new syntax for specifying multiple client ports (such as
SOCKSPort, TransPort, DNSPort, NATDPort): you can now just declare
multiple *Port entries with full addr:port syntax on each.
The old *ListenAddress format is still supported, but you can't
mix it with the new *Port syntax.
o Major features (bufferevents):
- Tor can now optionally build with the "bufferevents" buffered IO
backend provided by Libevent 2. To use this feature, make sure you
have the latest possible version of Libevent, and pass the
--enable-bufferevents flag to configure when building Tor from
source. This feature will make our networking code more flexible,
let us stack layers on each other, and let us use more efficient
zero-copy transports where available.
- Add experimental support for running on Windows with IOCP and no
kernel-space socket buffers. This feature is controlled by a new
"UserspaceIOCPBuffers" config option (off by default), which has
no effect unless Tor has been built with bufferevents enabled,
you're running on Windows, and you've set "DisableIOCP 0". In the
long run, this may help solve or mitigate bug 98.
o Major features (path selection):
- The EntryNodes option can now include country codes like {de} or IP
addresses or network masks. Previously we had disallowed these
options because we didn't have an efficient way to keep the list up
to date. Addresses ticket 1982, but see bug 2798 for an unresolved
issue here.
o Major features (port forwarding):
- Add support for automatic port mapping on the many home routers
that support NAT-PMP or UPnP. To build the support code, you'll
need to have the libnatpnp library and/or the libminiupnpc library,
and you'll need to enable the feature specifically by passing
"--enable-upnp" and/or "--enable-natpnp" to ./configure. To turn
it on, use the new PortForwarding option.
o Major features (logging):
- Add a new 'Heartbeat' log message type to periodically log a message
describing Tor's status at level Notice. This feature is meant for
operators who log at notice, and want to make sure that their Tor
server is still working. Implementation by George Kadianakis.
- Make logging resolution configurable with a new LogTimeGranularity
option, and change the default from 1 millisecond to 1 second.
Implements enhancement 1668.
o Major features (other):
- New "DisableNetwork" config option to prevent Tor from launching any
connections or accepting any connections except on a control port.
Bundles and controllers can set this option before letting Tor talk
to the rest of the network, for example to prevent any connections
to a non-bridge address. Packages like Orbot can also use this
option to instruct Tor to save power when the network is off.
- Try to use system facilities for enumerating local interface
addresses, before falling back to our old approach (which was
binding a UDP socket, and calling getsockname() on it). That
approach was scaring OS X users whose draconian firewall
software warned about binding to UDP sockets regardless of
whether packets were sent. Now we try to use getifaddrs(),
SIOCGIFCONF, or GetAdaptersAddresses(), depending on what the
system supports. Resolves ticket 1827.
- Add experimental support for a "defaults" torrc file to be parsed
before the regular torrc. Torrc options override the defaults file's
options in the same way that the command line overrides the torrc.
The SAVECONF controller command saves only those options which
differ between the current configuration and the defaults file. HUP
reloads both files. Implements task 4552.
o New directory authorities:
- Add Faravahar (run by Sina Rabbani) as the ninth v3 directory
authority. Closes ticket 5749.
o Security/privacy fixes:
- Avoid read-from-freed-memory and double-free bugs that could occur
when a DNS request fails while launching it. Fixes bug 6480;
bugfix on 0.2.0.1-alpha.
- Reject any attempt to extend to an internal address. Without
this fix, a router could be used to probe addresses on an internal
network to see whether they were accepting connections. Fixes bug
6710; bugfix on 0.0.8pre1.
- Close any connection that sends unrecognized junk before the TLS
handshake. Solves an issue noted in bug 4369.
- The advertised platform of a relay now includes only its operating
system's name (e.g., "Linux", "Darwin", "Windows 7"), and not
its service pack level (for Windows) or its CPU architecture
(for Unix). Also drop the "git-XYZ" tag in the version. Packagers
can insert an extra string in the platform line by setting the
preprocessor variable TOR_BUILD_TAG. Resolves bug 2988.
- Disable TLS session tickets. OpenSSL's implementation was giving
our TLS session keys the lifetime of our TLS context objects, when
perfect forward secrecy would want us to discard anything that
could decrypt a link connection as soon as the link connection
was closed. Fixes bug 7139; bugfix on all versions of Tor linked
against OpenSSL 1.0.0 or later. Found by Florent Daignière.
- Tor tries to wipe potentially sensitive data after using it, so
that if some subsequent security failure exposes Tor's memory,
the damage will be limited. But we had a bug where the compiler
was eliminating these wipe operations when it decided that the
memory was no longer visible to a (correctly running) program,
hence defeating our attempt at defense in depth. We fix that
by using OpenSSL's OPENSSL_cleanse() operation, which a compiler
is unlikely to optimize away. Future versions of Tor may use
a less ridiculously heavy approach for this. Fixes bug 7352.
Reported in an article by Andrey Karpov.
o Major bugfixes (crashes and asserts):
- Avoid a pair of double-free and use-after-mark bugs that can
occur with certain timings in canceled and re-received DNS
requests. Fixes bug 6472; bugfix on 0.0.7rc1.
- Fix a denial of service attack by which any directory authority
could crash all the others, or by which a single v2 directory
authority could crash everybody downloading v2 directory
information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
- Fix an assert that directory authorities could trigger on sighup
during some configuration state transitions. We now don't treat
it as a fatal error when the new descriptor we just generated in
init_keys() isn't accepted. Fixes bug 4438; bugfix on 0.2.1.9-alpha.
- Avoid segfault when starting up having run with an extremely old
version of Tor and parsing its state file. Fixes bug 6801; bugfix
on 0.2.2.23-alpha.
o Major bugfixes (clients):
- If we are unable to find any exit that supports our predicted ports,
stop calling them predicted, so that we don't loop and build
hopeless circuits indefinitely. Fixes bug 3296; bugfix on 0.0.9pre6,
which introduced predicted ports.
- Check at each new consensus whether our entry guards were picked
long enough ago that we should rotate them. Previously, we only
did this check at startup, which could lead to us holding a guard
indefinitely. Fixes bug 5380; bugfix on 0.2.1.14-rc.
- When fetching a bridge descriptor from a bridge authority,
always do so anonymously, whether we have been able to open
circuits or not. Partial fix for bug 1938; bugfix on 0.2.0.7-alpha.
This behavior makes it *safer* to use UpdateBridgesFromAuthority,
but we'll need to wait for bug 6010 before it's actually usable.
o Major bugfixes (directory voting):
- Check more thoroughly to prevent a rogue authority from
double-voting on any consensus directory parameter. Previously,
authorities would crash in this case if the total number of
votes for any parameter exceeded the number of active voters,
but would let it pass otherwise. Partially fixes bug 5786; bugfix
on 0.2.2.2-alpha.
- When computing weight parameters, behave more robustly in the
presence of a bad bwweightscale value. Previously, the authorities
would crash if they agreed on a sufficiently broken weight_scale
value; now, they use a reasonable default and carry on. Fixes the
rest of bug 5786; bugfix on 0.2.2.17-alpha.
- If authorities are unable to get a v2 consensus document from other
directory authorities, they no longer fall back to fetching
them from regular directory caches. Fixes bug 5635; bugfix on
0.2.2.26-beta, where routers stopped downloading v2 consensus
documents entirely.
o Major bugfixes (relays):
- Fix a bug handling SENDME cells on nonexistent streams that could
result in bizarre window values. Report and patch contributed
pseudonymously. Fixes part of bug 6271. This bug was introduced
before the first Tor release, in svn commit r152.
- Don't update the AccountingSoftLimitHitAt state file entry whenever
tor gets started. This prevents a wrong average bandwidth
estimate, which would cause relays to always start a new accounting
interval at the earliest possible moment. Fixes bug 2003; bugfix
on 0.2.2.7-alpha. Reported by Bryon Eldridge, who also helped
immensely in tracking this bug down.
- Fix a possible crash bug when checking for deactivated circuits
in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.
- Set the SO_REUSEADDR socket option before we call bind() on outgoing
connections. This change should allow busy exit relays to stop
running out of available sockets as quickly. Fixes bug 4950;
bugfix on 0.2.2.26-beta.
o Major bugfixes (blocking resistance):
- Bridges no longer include their address in NETINFO cells on outgoing
OR connections, to allow them to blend in better with clients.
Removes another avenue for enumerating bridges. Reported by
"troll_un". Fixes bug 4348; bugfix on 0.2.0.10-alpha, when NETINFO
cells were introduced.
- Warn the user when HTTPProxy, but no other proxy type, is
configured. This can cause surprising behavior: it doesn't send
all of Tor's traffic over the HTTPProxy -- it sends unencrypted
directory traffic only. Resolves ticket 4663.
o Major bugfixes (hidden services):
- Improve hidden service robustness: when an attempt to connect to
a hidden service ends, be willing to refetch its hidden service
descriptors from each of the HSDir relays responsible for them
immediately. Previously, we would not consider refetching the
service's descriptors from each HSDir for 15 minutes after the last
fetch, which was inconvenient if the hidden service was not running
during the first attempt. Bugfix on 0.2.0.18-alpha; fixes bug 3335.
- Hidden services now ignore the timestamps on INTRODUCE2 cells.
They used to check that the timestamp was within 30 minutes
of their system clock, so they could cap the size of their
replay-detection cache, but that approach unnecessarily refused
service to clients with wrong clocks. Bugfix on 0.2.1.6-alpha, when
the v3 intro-point protocol (the first one which sent a timestamp
field in the INTRODUCE2 cell) was introduced; fixes bug 3460.
- When one of a hidden service's introduction points appears to be
unreachable, stop trying it. Previously, we would keep trying
to build circuits to the introduction point until we lost the
descriptor, usually because the user gave up and restarted Tor.
Fixes part of bug 3825.
o Changes to default torrc file:
- Stop listing "socksport 9050" in torrc.sample. We open a socks
port on 9050 by default anyway, so this should not change anything
in practice.
- Stop mentioning the deprecated *ListenAddress options in
torrc.sample. Fixes bug 5438.
- Document unit of bandwidth-related options in sample torrc.
Fixes bug 5621.
- Fix broken URLs in the sample torrc file, and tell readers about
the OutboundBindAddress, ExitPolicyRejectPrivate, and
PublishServerDescriptor options. Addresses bug 4652.
o Minor features (directory authorities):
- Consider new, removed or changed IPv6 OR ports a non-cosmetic
change when the authority is deciding whether to accept a newly
uploaded descriptor. Implements ticket 6423.
- Directory authorities are now a little more lenient at accepting
older router descriptors, or newer router descriptors that don't
make big changes. This should help ameliorate past and future
issues where routers think they have uploaded valid descriptors,
but the authorities don't think so. Fix for ticket 2479.
- Authority operators can now vote for all relays in a given
set of countries to be BadDir/BadExit/Invalid/Rejected.
- Provide two consensus parameters (FastFlagMinThreshold and
FastFlagMaxThreshold) to control the range of allowable bandwidths
for the Fast directory flag. These allow authorities to run
experiments on appropriate requirements for being a "Fast" node.
The AuthDirFastGuarantee config value still applies. Implements
ticket 3946.
o Minor features (bridges / bridge authorities):
- Make bridge SSL certificates a bit more stealthy by using random
serial numbers, in the same fashion as OpenSSL when generating
self-signed certificates. Implements ticket 4584.
- Tag a bridge's descriptor as "never to be sent unencrypted".
This shouldn't matter, since bridges don't open non-anonymous
connections to the bridge authority and don't allow unencrypted
directory connections from clients, but we might as well make
sure. Closes bug 5139.
- The Bridge Authority now writes statistics on how many bridge
descriptors it gave out in total, and how many unique descriptors
it gave out. It also lists how often the most and least commonly
fetched descriptors were given out, as well as the median and
25th/75th percentile. Implements tickets 4200 and 4294.
o Minor features (IPv6):
- Make the code that clients use to detect an address change be
IPv6-aware, so that it won't fill clients' logs with error
messages when trying to get the IPv4 address of an IPv6
connection. Implements ticket 5537.
- Relays now understand an IPv6 address when they get one from a
directory server. Resolves ticket 4875.
o Minor features (hidden services):
- Expire old or over-used hidden service introduction points.
Required by fix for bug 3460.
- Reduce the lifetime of elements of hidden services' Diffie-Hellman
public key replay-detection cache from 60 minutes to 5 minutes. This
replay-detection cache is now used only to detect multiple
INTRODUCE2 cells specifying the same rendezvous point, so we can
avoid launching multiple simultaneous attempts to connect to it.
- When a hidden service's introduction point times out, consider
trying it again during the next attempt to connect to the
HS. Previously, we would not try it again unless a newly fetched
descriptor contained it. Required by fixes for bugs 1297 and 3825.
o Minor features (relays):
- Relays now include a reason for regenerating their descriptors
in an HTTP header when uploading to the authorities. This will
make it easier to debug descriptor-upload issues in the future.
- Turn on directory request statistics by default and include them in
extra-info descriptors. Don't break if we have no GeoIP database.
- Replace files in stats/ rather than appending to them. Now that we
include statistics in extra-info descriptors, it makes no sense to
keep old statistics forever. Implements ticket 2930.
- Relays that set "ConnDirectionStatistics 1" write statistics on the
bidirectional use of connections to disk every 24 hours.
- Add a GeoIP file digest to the extra-info descriptor. Implements
ticket 1883.
o Minor features (new config options):
- New config option "DynamicDHGroups" (disabled by default) provides
each bridge with a unique prime DH modulus to be used during
SSL handshakes. This option attempts to help against censors
who might use the Apache DH modulus as a static identifier for
bridges. Addresses ticket 4548.
- New config option "DisableDebuggerAttachment" (on by default)
to prevent basic debugging attachment attempts by other processes.
Supports Mac OS X and Gnu/Linux. Resolves ticket 3313.
- Ordinarily, Tor does not count traffic from private addresses (like
127.0.0.1 or 10.0.0.1) when calculating rate limits or accounting.
There is now a new option, CountPrivateBandwidth, to disable this
behavior. Patch from Daniel Cagara.
o Minor features (different behavior for old config options):
- Allow MapAddress directives to specify matches against super-domains,
as in "MapAddress *.torproject.org *.torproject.org.torserver.exit".
Implements issue 933.
- Don't disable the DirPort when we cannot exceed our AccountingMax
limit during this interval because the effective bandwidthrate is
low enough. This is useful in a situation where AccountingMax is only
used as an additional safeguard or to provide statistics.
- Add port 6523 (Gobby) to LongLivedPorts. Patch by intrigeri;
implements ticket 3439.
- When configuring a large set of nodes in EntryNodes, and there are
enough of them listed as Guard so that we don't need to consider
the non-guard entries, prefer the ones listed with the Guard flag.
- If you set the NumCPUs option to 0, Tor will now try to detect how
many CPUs you have. This is the new default behavior.
- The NodeFamily option -- which let you declare that you want to
consider nodes to be part of a family whether they list themselves
that way or not -- now allows IP address ranges and country codes.
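A simplified model of the MapAddress super-domain matching described above, added as an example and not Tor's own implementation: exact rules are tried first, then "*.domain" rules; when both sides of a wildcard rule start with "*." the matched sub-domain prefix is kept, otherwise every match is rewritten to the literal target. The rule list and hostnames are constructed, and the choice that "*.example.com" matches sub-domains only (not the bare "example.com") is this example's assumption.

```python
def _parse_rule(line):
    """'MapAddress <src> <dst>' -> (src, dst), lower-cased."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "MapAddress":
        raise ValueError("not a MapAddress line: %r" % line)
    return parts[1].lower(), parts[2].lower()


def apply_map_address(rules, hostname):
    """Return hostname after the first applicable MapAddress rule.

    Exact matches take precedence over wildcard matches. For a source of
    the form '*.suffix', any name strictly below 'suffix' matches; the
    matched prefix is preserved only when the target also begins '*.'.
    """
    host = hostname.lower().rstrip(".")
    parsed = [_parse_rule(r) for r in rules]

    for src, dst in parsed:                       # 1) exact rules
        if not src.startswith("*.") and src == host:
            return dst

    for src, dst in parsed:                       # 2) wildcard rules
        if not src.startswith("*."):
            continue
        suffix = src[1:]                          # '*.example.com' -> '.example.com'
        if host.endswith(suffix) and len(host) > len(suffix):
            prefix = host[: -len(suffix)]         # 'www.example.com' -> 'www'
            if dst.startswith("*."):
                return prefix + dst[1:]           # keep the sub-domain
            return dst                            # collapse to the literal target
    return host                                   # no rule applies


# Constructed rule set: one exact rule, the super-domain rule from the
# changelog, and a wildcard that collapses to a documentation-range address.
SAMPLE_RULES = [
    "MapAddress www.example.com mirror.example.net",
    "MapAddress *.torproject.org *.torproject.org.torserver.exit",
    "MapAddress *.example.com 198.51.100.5",
]
```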
o Minor features (new command-line config behavior):
- Slightly change behavior of "list" options (that is, config
options that can appear more than once) when they appear both in
torrc and on the command line. Previously, the command-line options
would be appended to the ones from torrc. Now, the command-line
options override the torrc options entirely. This new behavior
allows the user to override list options (like exit policies and
ports to listen on) from the command line, rather than simply
appending to the list.
- You can get the old (appending) command-line behavior for "list"
options by prefixing the option name with a "+".
- You can remove all the values for a "list" option from the command
line without adding any new ones by prefixing the option name
with a "/".
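The three command-line behaviours for "list" options described above (plain name overrides the torrc list, "+" appends, "/" clears), modelled as an example that is not Tor's own parser. It assumes the spellings "--Name value", "--+Name value" and "--/Name", a small constructed set of list-valued option names, and a constructed torrc; a real torrc and Tor's own option table are richer than this.

```python
# Assumed subset of options that may appear more than once.
LIST_OPTIONS = {"ExitPolicy", "SocksPort", "ORPort", "DirPort", "MapAddress"}


def parse_torrc(text):
    """Parse 'Name value' lines into option name -> list of values."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        name, _, value = line.partition(" ")
        config.setdefault(name, []).append(value.strip())
    return config


def parse_command_line(argv):
    """Turn ['--Name', 'v', '--+Name', 'v', '--/Name'] into
    (mode, name, value) triples with mode in override/append/clear."""
    items = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if not arg.startswith("--"):
            raise ValueError("unexpected argument: %r" % arg)
        name = arg[2:]
        if name.startswith("/"):               # '/Name' clears and takes no value
            items.append(("clear", name[1:], None))
            i += 1
            continue
        mode = "override"
        if name.startswith("+"):               # '+Name' is the old appending behaviour
            mode, name = "append", name[1:]
        if i + 1 >= len(argv):
            raise ValueError("missing value for --%s" % name)
        items.append((mode, name, argv[i + 1]))
        i += 2
    return items


def merge_options(torrc_text, argv):
    """Apply command-line options on top of a parsed torrc."""
    config = parse_torrc(torrc_text)
    replaced = set()   # list options whose torrc values are already discarded
    for mode, name, value in parse_command_line(argv):
        if name not in LIST_OPTIONS:
            if mode != "override":
                raise ValueError("+ and / apply only to list options: %s" % name)
            config[name] = [value]
        elif mode == "clear":
            config[name] = []
            replaced.add(name)
        elif mode == "append":
            config.setdefault(name, []).append(value)
        else:
            # Override: the first command-line occurrence discards the torrc
            # list entirely; later occurrences accumulate with each other.
            if name not in replaced:
                config[name] = []
                replaced.add(name)
            config[name].append(value)
    return config


SAMPLE_TORRC = """\
SocksPort 9050
ExitPolicy reject *:25
ExitPolicy accept *:80
ExitPolicy reject *:*   # constructed sample torrc
"""
```

Note that two plain "--ExitPolicy" arguments still accumulate with each other; only the torrc values are thrown away.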
o Minor features (controller, new events):
- Extend the control protocol to report flags that control a circuit's
path selection in CIRC events and in replies to 'GETINFO
circuit-status'. Implements part of ticket 2411.
- Extend the control protocol to report the hidden service address
and current state of a hidden-service-related circuit in CIRC
events and in replies to 'GETINFO circuit-status'. Implements part
of ticket 2411.
- Include the creation time of a circuit in CIRC and CIRC2
control-port events and the list produced by the 'GETINFO
circuit-status' control-port command.
- Add a new CONF_CHANGED event so that controllers can be notified
of any configuration changes made by other controllers, or by the
user. Implements ticket 1692.
- Add a new SIGNAL event to the controller interface so that
controllers can be notified when Tor handles a signal. Resolves
issue 1955. Patch by John Brooks.
o Minor features (controller, new getinfo options):
- Expose our view of whether we have gone dormant to the controller,
via a new "GETINFO dormant" value. Torbutton and other controllers
can use this to avoid doing periodic requests through Tor while
it's dormant (bug 4718). Resolves ticket 5954.
- Add a new GETINFO option to get total bytes read and written. Patch
from pipe, revised by atagar. Resolves ticket 2345.
- Implement new GETINFO controller fields to provide information about
the Tor process's pid, euid, username, and resource limits.
o Minor features (controller, other):
- Allow controllers to request an event notification whenever a
circuit is cannibalized or its purpose is changed. Implements
part of ticket 3457.
- Use absolute path names when reporting the torrc filename in the
control protocol, so a controller can more easily find the torrc
file. Resolves bug 1101.
- When reporting the path to the cookie file to the controller,
give an absolute path. Resolves ticket 4881.
o Minor features (log messages):
- Add more information to a log statement that might help track down
bug 4091. If you're seeing "Bug: tor_addr_is_internal() called with a
non-IP address" messages (or any Bug messages, for that matter!),
please let us know about it.
- If EntryNodes are given, but UseEntryGuards is set to 0, warn that
EntryNodes will have no effect. Resolves issue 2571.
- Try to make the introductory warning message that Tor prints on
startup more useful for actually finding help and information.
Resolves ticket 2474.
- When the system call to create a listener socket fails, log the
error message explaining why. This may help diagnose bug 4027.
o Minor features (other):
- When we fail to initialize Libevent, retry with IOCP disabled so we
don't need to turn on multi-threading support in Libevent, which in
turn requires a working socketpair(). This is a workaround for bug
4457, which affects Libevent versions from 2.0.1-alpha through
2.0.15-stable.
- When starting as root and then changing our UID via the User
control option, and we have a ControlSocket configured, make sure
that the ControlSocket is owned by the same account that Tor will
run under. Implements ticket 3421; fix by Jérémy Bobbio.
- Accept attempts to include a password authenticator in the
handshake, as supported by SOCKS5. This handles SOCKS clients that
don't know how to omit a password when authenticating. Resolves
bug 1666.
- Check for and recover from inconsistency in the microdescriptor
cache. This will make it harder for us to accidentally free a
microdescriptor without removing it from the appropriate data
structures. Fixes issue 3135; issue noted by "wanoskarnet".
- Shorten links in the tor-exit-notice file. Patch by Christian Kujau.
o Minor bugfixes (code security):
- Prevent a null-pointer dereference when receiving a data cell
for a nonexistent stream when the circuit in question has an
empty deliver window. We don't believe this is triggerable,
since we don't currently allow deliver windows to become empty,
but the logic is tricky enough that it's better to make the code
robust. Fixes bug 5541; bugfix on 0.0.2pre14.
- Fix a (harmless) integer overflow in cell statistics reported by
some fast relays. Fixes bug 5849; bugfix on 0.2.2.1-alpha.
- Fix our implementation of crypto_random_hostname() so it can't
overflow on ridiculously large inputs. (No Tor version has ever
provided this kind of bad inputs, but let's be correct in depth.)
Fixes bug 4413; bugfix on 0.2.2.9-alpha. Fix by Stephen Palmateer.
- Add a (probably redundant) memory clear between iterations of
the router status voting loop, to prevent future coding errors
where data might leak between iterations of the loop. Resolves
ticket 6514.
o Minor bugfixes (wrapper functions):
- Abort if tor_vasprintf() fails in connection_printf_to_buf() (a
utility function used in the control-port code). This shouldn't
ever happen unless Tor is completely out of memory, but if it did
happen and Tor somehow recovered from it, Tor could have sent a log
message to a control port in the middle of a reply to a controller
command. Fixes part of bug 3428; bugfix on 0.1.2.3-alpha.
- Fix some (not actually triggerable) buffer size checks in usage of
tor_inet_ntop(). Fixes bug 4434; bugfix on Tor 0.2.0.1-alpha. Patch
by Anders Sundman.
- Fix parsing of some corner-cases with tor_inet_pton(). Fixes
bug 4515; bugfix on 0.2.0.1-alpha; fix by Anders Sundman.
- Enforce correct return behavior of tor_vsscanf() when the '%%'
pattern is used. Fixes bug 5558. Bugfix on 0.2.1.13.
- Make our replacement implementation of strtok_r() compatible with
the standard behavior of strtok_r(). Patch by nils. Fixes bug 5091;
bugfix on 0.2.2.1-alpha.
- Find more places in the code that should have been testing for
invalid sockets using the SOCKET_OK macro. Required for a fix
for bug 4533. Bugfix on 0.2.2.28-beta.
o Minor bugfixes (code correctness):
- Check return value of fputs() when writing authority certificate
file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha.
- When building Tor on Windows with -DUNICODE (not default), ensure
that error messages, filenames, and DNS server names are always
NUL-terminated when we convert them to a single-byte encoding.
Fixes bug 5909; bugfix on 0.2.2.16-alpha.
- Fix a memory leak when trying to launch a DNS request when the
nameservers are unconfigurable. Fixes bug 5916; bugfix on Tor
0.1.2.1-alpha.
- Correct file sizes when reading binary files on Cygwin, to avoid
a bug where Tor would fail to read its state file. Fixes bug 6844;
bugfix on 0.1.2.7-alpha.
- Make sure to set *socket_error in all error cases in
connection_connect(), so it can't produce a warning about
errno being zero from errno_to_orconn_end_reason(). Bugfix on
0.2.1.1-alpha; resolves ticket 6028.
- Initialize conn->addr to a valid state in spawn_cpuworker(). Fixes
bug 4532; found by "troll_un".
o Minor bugfixes (clients):
- Allow one-hop directory-fetching circuits the full "circuit build
timeout" period, rather than just half of it, before failing them
and marking the relay down. This fix should help reduce cases where
clients declare relays (or worse, bridges) unreachable because
the TLS handshake takes a few seconds to complete. Fixes bug 6743;
bugfix on 0.2.2.2-alpha, where we changed the timeout from a static
30 seconds.
- Ensure we don't cannibalize circuits that are longer than three hops
already, so we don't end up making circuits with 5 or more
hops. Patch contributed by wanoskarnet. Fixes bug 5231; bugfix on
0.1.0.1-rc which introduced cannibalization.
o Minor bugfixes (relays):
- Don't publish a new relay descriptor when we reload our onion key,
unless the onion key has actually changed. Fixes bug 3263 and
resolves another cause of bug 1810. Bugfix on 0.1.1.11-alpha.
- When relays refuse a "create" cell because their queue of pending
create cells is too big (typically because their cpu can't keep up
with the arrival rate), send back reason "resource limit" rather
than reason "internal", so network measurement scripts can get a
more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037.
- Exit nodes don't need to fetch certificates for authorities that
they don't recognize; only directory authorities, bridges,
and caches need to do that. Fixes part of bug 2297; bugfix on
0.2.2.11-alpha.
o Minor bugfixes (directory authority / mirrors):
- Avoid O(n^2) performance characteristics when parsing a large
extrainfo cache. Fixes bug 5828; bugfix on 0.2.0.1-alpha.
- Authorities no longer include any router in their microdescriptor
consensuses for which they couldn't generate or agree on a
microdescriptor. Fixes the second piece of bug 6404; fix on
0.2.2.6-alpha.
- When checking for requested signatures on the latest consensus
before serving it to a client, make sure to check the right
consensus flavor. Bugfix on 0.2.2.6-alpha.
- Fix an edge case where TestingTorNetwork is set but the authorities
and relays all have an uptime of zero, so the private Tor network
could briefly lack support for hidden services. Fixes bug 3886;
bugfix on 0.2.2.18-alpha.
- Directory caches no longer refuse to clean out descriptors because
of missing v2 networkstatus documents, unless they're configured
to retrieve v2 networkstatus documents. Fixes bug 4838; bugfix on
0.2.2.26-beta. Patch by Daniel Bryg.
- Don't serve or accept v2 hidden service descriptors over a relay's
DirPort. It's never correct to do so, and disabling it might
make it more annoying to exploit any bugs that turn up in the
descriptor-parsing code. Fixes bug 7149.
o Minor bugfixes (hidden services, client-side):
- Assert that hidden-service-related operations are not performed
using single-hop circuits. Previously, Tor would assert that
client-side streams are not attached to single-hop circuits,
but not that other sensitive operations on the client and service
side are not performed using single-hop circuits. Fixes bug 3332;
bugfix on 0.0.6.
- Avoid undefined behaviour when parsing the list of supported
rendezvous/introduction protocols in a hidden service descriptor.
Previously, Tor would have confused (as-yet-unused) protocol version
numbers greater than 32 with lower ones on many platforms. Fixes
bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis.
- Don't close hidden service client circuits which have almost
finished connecting to their destination when they reach
the normal circuit-build timeout. Previously, we would close
introduction circuits which are waiting for an acknowledgement
from the introduction point, and rendezvous circuits which have
been specified in an INTRODUCE1 cell sent to a hidden service,
after the normal CBT. Now, we mark them as 'timed out', and launch
another rendezvous attempt in parallel. This behavior change can
be disabled using the new CloseHSClientCircuitsImmediatelyOnTimeout
option. Fixes part of bug 1297; bugfix on 0.2.2.2-alpha.
o Minor bugfixes (hidden services, service-side):
- Don't close hidden-service-side rendezvous circuits when they
reach the normal circuit-build timeout. This behaviour change can
be disabled using the new
CloseHSServiceRendCircuitsImmediatelyOnTimeout option. Fixes the
remaining part of bug 1297; bugfix on 0.2.2.2-alpha.
- Don't launch more than 10 service-side introduction-point circuits
for a hidden service in five minutes. Previously, we would consider
launching more introduction-point circuits if at least one second
had passed without any introduction-point circuits failing. Fixes
bug 4607; bugfix on 0.0.7pre1.
o Minor bugfixes (config option behavior):
- If the user tries to set MyFamily on a bridge, refuse to
do so, and warn about the security implications. Fixes bug 4657;
bugfix on 0.2.0.3-alpha.
- The "--quiet" and "--hush" options now apply not only to Tor's
behavior before logs are configured, but also to Tor's behavior in
the absence of configured logs. Fixes bug 3550; bugfix on
0.2.0.10-alpha.
- Change the AllowDotExit rules so they should actually work.
We now enforce AllowDotExit only immediately after receiving an
address via SOCKS or DNSPort: other sources are free to provide
.exit addresses after the resolution occurs. Fixes bug 3940;
bugfix on 0.2.2.1-alpha.
- Make "LearnCircuitBuildTimeout 0" work more reliably. Specifically,
don't depend on the consensus parameters or compute adaptive
timeouts when it is disabled. Fixes bug 5049; bugfix on
0.2.2.14-alpha.
- After we pick a directory mirror, we would refuse to use it if
it's in our ExcludeExitNodes list, resulting in mysterious failures
to bootstrap for people who just wanted to avoid exiting from
certain locations. Fixes bug 5623; bugfix on 0.2.2.25-alpha.
- When told to add a bridge with the same digest as a preexisting
bridge but a different addr:port, change the addr:port as
requested. Previously we would not notice the change. Fixes half
of bug 5603; fix on 0.2.2.26-beta.
o Minor bugfixes (controller):
- Allow manual 'authenticate' commands to the controller interface
from netcat (nc) as well as telnet. We were rejecting them because
they didn't come with the expected whitespace at the end of the
command. Bugfix on 0.1.1.1-alpha; fixes bug 2893.
- Report a real bootstrap problem to the controller on router
identity mismatch. Previously we just said "foo", which probably
made a lot of sense at the time. Fixes bug 4169; bugfix on
0.2.1.1-alpha.
- When we receive a SIGHUP and the controller __ReloadTorrcOnSIGHUP
option is set to 0 (which Vidalia version 0.2.16 now does when
a SAVECONF attempt fails), perform other actions that SIGHUP
usually causes (like reopening the logs). Fixes bug 5095; bugfix
on 0.2.1.9-alpha.
- Correctly handle checking the permissions on the parent
directory of a control socket in the root directory. Bug found
by Esteban Manchado Velázquez. Fixes bug 5089; bugfix on Tor
0.2.2.26-beta.
- End AUTHCHALLENGE error messages (in the control protocol) with
a CRLF. Fixes bug 5760; bugfix on 0.2.2.36.
o Minor bugfixes (network reading/writing):
- Disable writing on marked-for-close connections when they are
blocked on bandwidth, to prevent busy-looping in Libevent. Fixes
bug 5263; bugfix on 0.0.2pre13, where we first added a special
case for flushing marked connections.
- Make sure that there are no unhandled pending TLS errors before
reading from a TLS stream. We had checks in 0.1.0.3-rc, but
lost them in 0.1.0.5-rc when we refactored read_to_buf_tls().
Bugfix on 0.1.0.5-rc; fixes bug 4528.
- Detect SSL handshake even when the initial attempt to write the
server hello fails. Fixes bug 4592; bugfix on 0.2.0.13-alpha.
- If the client fails to set a reasonable set of ciphersuites
during its v2 handshake renegotiation, allow the renegotiation to
continue nevertheless (i.e. send all the required certificates).
Fixes bug 4591; bugfix on 0.2.0.20-rc.
o Minor bugfixes (other):
- Exit nodes now correctly report EADDRINUSE and EADDRNOTAVAIL as
resource exhaustion, so that clients can adjust their load to
try other exits. Fixes bug 4710; bugfix on 0.1.0.1-rc, which
started using END_STREAM_REASON_RESOURCELIMIT.
- Don't check for whether the address we're using for outbound
connections has changed until after the outbound connection has
completed. On Windows, getsockname() doesn't succeed until the
connection is finished. Fixes bug 5374; bugfix on 0.1.1.14-alpha.
- Don't hold a Windows file handle open for every file mapping;
the file mapping handle is sufficient. Fixes bug 5951; bugfix on
0.1.2.1-alpha.
- Fix wrong TCP port range in parse_port_range(). Fixes bug 6218;
bugfix on 0.2.1.10-alpha.
- If we fail to write a microdescriptor to the disk cache, do not
continue replacing the old microdescriptor file. Fixes bug 2954;
bugfix on 0.2.2.6-alpha.
o Minor bugfixes (log messages, path selection):
- Downgrade "set buildtimeout to low value" messages to "info"
severity; they were never an actual problem, there was never
anything reasonable to do about them, and they tended to spam logs
from time to time. Fixes bug 6251; bugfix on 0.2.2.2-alpha.
- Rate-limit the "Weighted bandwidth is 0.000000" message, and add
more information to it, so that we can track it down in case it
returns again. Mitigates bug 5235.
- Check CircuitBuildTimeout and LearnCircuitBuildTimeout in
options_validate(); warn if LearnCircuitBuildTimeout is disabled and
CircuitBuildTimeout is set unreasonably low. Resolves ticket 5452.
- Issue a log message if a guard completes less than 40% of your
circuits. Threshold is configurable by torrc option
PathBiasNoticeRate and consensus parameter pb_noticepct. There is
additional, off-by-default code to disable guards which fail too
many circuits. Addresses ticket 5458.
o Minor bugfixes (log messages, client):
- Downgrade "Got a certificate, but we already have it" log messages
from warning to info, except when we're a dirauth. Fixes bug 5238;
bugfix on 0.2.1.7-alpha.
- Fix the log message describing how we work around discovering
that our version is the ill-fated OpenSSL 0.9.8l. Fixes bug
4837; bugfix on 0.2.2.9-alpha.
- When logging about a disallowed .exit name, do not also call it
an "invalid onion address". Fixes bug 3325; bugfix on 0.2.2.9-alpha.
- Fix a log message suggesting that people contact a non-existent
email address. Fixes bug 3448.
- Rephrase the log message emitted if the TestSocks check is
successful. Patch from Fabian Keil; fixes bug 4094.
- Log (at debug level) whenever a circuit's purpose is changed.
- Log SSL state transitions at log level DEBUG, log domain
HANDSHAKE. This can be useful for debugging censorship events.
Implements ticket 3264.
- We now log which torrc file we're using on startup. Implements
ticket 2444.
- Rate-limit log messages when asked to connect anonymously to
a private address. When these hit, they tended to hit fast and
often. Also, don't bother trying to connect to addresses that we
are sure will resolve to 127.0.0.1: getting 127.0.0.1 in a directory
reply makes us think we have been lied to, even when the address the
client tried to connect to was "localhost." Resolves ticket 2822.
o Minor bugfixes (log messages, non-client):
- Downgrade "eventdns rejected address" message to LOG_PROTOCOL_WARN.
Fixes bug 5932; bugfix on 0.2.2.7-alpha.
- Don't log that we have "decided to publish new relay descriptor"
unless we are actually publishing a descriptor. Fixes bug 3942;
bugfix on 0.2.2.28-beta.
- Log which authority we're missing votes from when we go to fetch
them from the other auths.
- Replace "Sending publish request" log messages with "Launching
upload", so that they no longer confusingly imply that we're
sending something to a directory we might not even be connected
to yet. Fixes bug 3311; bugfix on 0.2.0.10-alpha.
- Warn when Tor is configured to use accounting in a way that can
link a hidden service to some other hidden service or public
address. Resolves ticket 6490.
- Fix a minor formatting issue in one of tor-gencert's error messages.
Fixes bug 4574.
o Testing:
- Update to the latest version of the tinytest unit testing framework.
This includes a couple of bugfixes that can be relevant for
running forked unit tests on Windows, and removes all reserved
identifiers.
- Avoid a false positive in the util/threads unit test by increasing
the maximum timeout time. Fixes bug 6227; bugfix on 0.2.0.4-alpha.
- Make it possible to set the TestingTorNetwork configuration
option using AlternateDirAuthority and AlternateBridgeAuthority
as an alternative to setting DirServer. Addresses ticket 6377.
- Add a unit test for the environment_variable_names_equal() function.
- A wide variety of new unit tests by Esteban Manchado Velázquez.
- Numerous new unit tests for functions in util.c and address.c by
Anders Sundman.
- The long-disabled benchmark tests are now split into their own
./src/test/bench binary.
- The benchmark tests can now use more accurate timers than
gettimeofday() when such timers are available.
- Use tt_assert(), not tor_assert(), for checking for test failures.
This makes the unit tests more able to go on in the event that
one of them fails.
o Build improvements:
- Use the dead_strip option when building Tor on OS X. This reduces
binary size by almost 19% when linking openssl and libevent
statically, which we do for Tor Browser Bundle.
- Provide a better error message about possible OSX Asciidoc failure
reasons. Fixes bug 6436.
- Detect attempts to build Tor on (as yet hypothetical) versions
of Windows where sizeof(intptr_t) != sizeof(SOCKET). Partial
fix for bug 4533. Bugfix on 0.2.2.28-beta.
- On Windows, we now define the _WIN32_WINNT macros only if they
are not already defined. This lets the person building Tor decide,
if they want, to require a later version of Windows.
- Our autogen.sh script now uses autoreconf to launch autoconf,
automake, and so on. This is more robust against some of the failure
modes associated with running the autotools pieces on their own.
- Running "make version" now displays the version of Tor that
we're about to build. Idea from katmagic; resolves issue 4400.
- Make 'tor --digests' list hashes of all Tor source files. Bugfix
on 0.2.2.4-alpha; fixes bug 3427.
- New --enable-static-tor configure option for building Tor as
statically as possible. Idea, general hackery and thoughts from
Alexei Czeskis, John Gilmore, Jacob Appelbaum. Implements ticket
2702.
- Limited, experimental support for building with nmake and MSVC.
o Build requirements:
- Building Tor with bufferevent support now requires Libevent
2.0.13-stable or later. Previous versions of Libevent had bugs in
SSL-related bufferevents and related issues that would make Tor
work badly with bufferevents. Requiring 2.0.13-stable also allows
Tor with bufferevents to take advantage of Libevent APIs
introduced after 2.0.8-rc.
- Our build system requires automake 1.6 or later to create the
Makefile.in files. Previously, you could have used 1.4.
This only affects developers and people building Tor from git;
people who build Tor from the source distribution without changing
the Makefile.am files should be fine.
- Detect when we try to build on a platform that doesn't define
AF_UNSPEC to 0. We don't work there, so refuse to compile.
o Build fixes (compile/link):
- Format more doubles with %f, not %lf. Patch from grarpamp to make
Tor build correctly on older BSDs again. Fixes bug 3894; bugfix on
Tor 0.2.0.8-alpha.
- When building with --enable-static-tor on OpenBSD, do not
erroneously attempt to link -lrt. Fixes bug 5103.
- Set _WIN32_WINNT to 0x0501 consistently throughout the code, so
that IPv6 stuff will compile on MSVC, and compilation issues
will be easier to track down. Fixes bug 5861.
- Fix build and 64-bit compile warnings from --enable-openbsd-malloc.
Fixes bug 6379. Bugfix on 0.2.0.20-rc.
- Make Tor build correctly again with -DUNICODE -D_UNICODE defined.
Fixes bug 6097; bugfix on 0.2.2.16-alpha.
o Build fixes (other):
- Use the _WIN32 macro throughout our code to detect Windows.
(Previously we had used the obsolete 'WIN32' and the idiosyncratic
'MS_WINDOWS'.)
- Properly handle the case where the build-tree is not the same
as the source tree when generating src/common/common_sha1.i,
src/or/micro-revision.i, and src/or/or_sha1.i. Fixes bug 3953;
bugfix on 0.2.0.1-alpha.
- During configure, search for library containing cos function as
libm lives in libcore on some platforms (BeOS/Haiku). Linking
against libm was hard-coded before. Fixes the first part of bug
4727; bugfix on 0.2.2.2-alpha. Patch and analysis by Martin Hebnes
Pedersen.
- Prevent a false positive from the check-spaces script, by disabling
the "whitespace between function name and (" check for functions
named 'op()'.
o Packaging (RPM) changes:
- Update our default RPM spec files to work with mock and rpmbuild
on RHEL/Fedora. They have an updated set of dependencies and
conflicts, a fix for an ancient typo when creating the "_tor"
user, and better instructions. Thanks to Ondrej Mikle for the
patch series. Fixes bug 6043.
- On OpenSUSE, create the /var/run/tor directory on startup if it
is not already created. Patch from Andreas Stieger. Fixes bug 2573.
o Code refactoring (safety):
- Do not use SMARTLIST_FOREACH for any loop whose body exceeds
10 lines. Also, don't nest them. Doing so in the past has
led to hard-to-debug code. The new style is to use the
SMARTLIST_FOREACH_{BEGIN,END} pair. Addresses issue 6400.
- Use macros to indicate OpenSSL versions, so we don't need to worry
about accidental hexadecimal bit shifts.
- Use tor_sscanf() in place of scanf() in more places through the
code. This makes us a little more locale-independent, and
should help shut up code-analysis tools that can't tell
a safe sscanf string from a dangerous one.
- Convert more instances of tor_snprintf+tor_strdup into tor_asprintf.
- Use the smartlist_add_asprintf() alias more consistently.
o Code refactoring (consolidate):
- A major revision to our internal node-selecting and listing logic.
Tor already had at least two major ways to look at the question of
"which Tor servers do we know about": a list of router descriptors,
and a list of entries in the current consensus. With
microdescriptors, we're adding a third. Having so many systems
without an abstraction layer over them was hurting the codebase.
Now, we have a new "node_t" abstraction that presents a consistent
interface to a client's view of a Tor node, and holds (nearly) all
of the mutable state formerly in routerinfo_t and routerstatus_t.
- Move tor_gettimeofday_cached() into compat_libevent.c, and use
Libevent's notion of cached time when possible.
- Remove duplicate code for invoking getrlimit() from control.c.
- Use OpenSSL's built-in SSL_state_string_long() instead of our
own homebrewed ssl_state_to_string() replacement. Patch from
Emile Snyder. Fixes bug 4653.
- Change the symmetric cipher interface so that creating and
initializing a stream cipher are no longer separate functions.
o Code refactoring (separate):
- Make a new "entry connection" struct as an internal subtype of "edge
connection", to simplify the code and make exit connections smaller.
- Split connection_about_to_close() into separate functions for each
connection type.
- Rewrite the listener-selection logic so that parsing which ports
we want to listen on is now separate from binding to the ports
we want.
o Code refactoring (name changes):
- Rename a handful of old identifiers, mostly related to crypto
structures and crypto functions. By convention, our "create an
object" functions are called "type_new()", our "free an object"
functions are called "type_free()", and our types indicate that
they are types only with a final "_t". But a handful of older
types and functions broke these rules, with function names like
"type_create" or "subsystem_op_type", or with type names like
type_env_t.
- Rename Tor functions that turn strings into addresses, so that
"parse" indicates that no hostname resolution occurs, and
"lookup" indicates that hostname resolution may occur. This
should help prevent mistakes in the future. Fixes bug 3512.
- Use the name "CERTS" consistently to refer to the new cell type;
we were calling it CERT in some places and CERTS in others.
- Use a TOR_INVALID_SOCKET macro when initializing a socket to an
invalid value, rather than just -1.
- Rename the bench_{aes,dmap} functions to test_*, so that tinytest
can pick them up when the tests aren't disabled. Bugfix on
0.2.2.4-alpha which introduced tinytest.
o Code refactoring (other):
- Defensively refactor rend_mid_rendezvous() so that protocol
violations and length checks happen in the beginning. Fixes
bug 5645.
- Remove the pure attribute from all functions that used it
previously. In many cases we assigned it incorrectly, because the
functions might assert or call impure functions, and we don't have
evidence that keeping the pure attribute is worthwhile. Implements
changes suggested in ticket 4421.
- Move the replay-detection cache for the RSA-encrypted parts of
INTRODUCE2 cells to the introduction point data structures.
Previously, we would use one replay-detection cache per hidden
service. Required by fix for bug 3460.
- The helper programs tor-gencert, tor-resolve, and tor-checkkey
no longer link against Libevent: they never used it, but
our library structure used to force them to link it.
o Removed features and files:
- Remove all internal support for unpadded RSA. We never used it, and
it would be a bad idea to start.
- Remove some workaround code for OpenSSL 0.9.6 (which is no longer
supported).
- Remove some redundant #include directives throughout the code.
Patch from Andrea Gelmini.
- Remove some old code to remember statistics about which descriptors
we've served as a directory mirror. The feature wasn't used and
is outdated now that microdescriptors are around.
- Remove some old code to work around even older versions of Tor that
used forked processes to handle DNS requests. Such versions of Tor
are no longer in use as relays.
- The "torify" script no longer supports the "tsocks" socksifier
tool, since tsocks doesn't support DNS and UDP right for Tor.
Everyone should be using torsocks instead. Fixes bugs 3530 and
5180. Based on a patch by "ugh".
- Remove the torrc.bridge file: we don't use it for anything, and
it had become badly desynchronized from torrc.sample. Resolves
bug 5622.
o Documentation:
- Begin a doc/state-contents.txt file to explain the contents of
the Tor state file. Fixes bug 2987.
- Clarify the documentation for the Alternate*Authority options.
Fixes bug 6387.
- Document the --defaults-torrc option, and the new semantics for
overriding, extending, and clearing lists of options. Closes
bug 4748.
- Add missing man page documentation for consensus and microdesc
files. Resolves ticket 6732.
- Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500.
o Documentation fixes:
- Improve the manual's documentation for the NT Service command-line
options. Addresses ticket 3964.
- Clarify SessionGroup documentation slightly; resolves ticket 5437.
- Document the changes to the ORPort and DirPort options, and the
fact that {OR/Dir}ListenAddress is now unnecessary (and
therefore deprecated). Resolves ticket 5597.
- Correct a broken faq link in the INSTALL file. Fixes bug 2307.
- Clarify that hidden services are TCP only. Fixes bug 6024.
Tor 0.2.2.39 fixes two more opportunities for remotely triggerable
assertions.
https://www.torproject.org/download/download
Changes in version 0.2.2.39 - 2012-09-11
o Security fixes:
- Fix an assertion failure in tor_timegm() that could be triggered
by a badly formatted directory object. Bug found by fuzzing with
Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
- Do not crash when comparing an address with port value 0 to an
address policy. This bug could have been used to cause a remote
assertion failure by or against directory authorities, or to
allow some applications to crash clients. Fixes bug 6690; bugfix
on 0.2.1.10-alpha.
Tor 0.2.2.38 fixes a rare race condition that can crash exit relays;
fixes a remotely triggerable crash bug; and fixes a timing attack that
could in theory leak path information.
https://www.torproject.org/download/download
Changes in version 0.2.2.38 - 2012-08-12
o Security fixes:
- Avoid read-from-freed-memory and double-free bugs that could occur
when a DNS request fails while launching it. Fixes bug 6480;
bugfix on 0.2.0.1-alpha.
- Avoid an uninitialized memory read when reading a vote or consensus
document that has an unrecognized flavor name. This read could
lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
- Try to leak less information about what relays a client is
choosing to a side-channel attacker. Previously, a Tor client would
stop iterating through the list of available relays as soon as it
had chosen one, thus finishing a little earlier when it picked
a router earlier in the list. If an attacker can recover this
timing information (nontrivial but not proven to be impossible),
they could learn some coarse-grained information about which relays
a client was picking (middle nodes in particular are likelier to
be affected than exits). The timing attack might be mitigated by
other factors (see bug 6537 for some discussion), but it's best
not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
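The 0.2.2.38 side-channel fix above is a structural one: the relay selector must do the same amount of work whichever relay wins, instead of returning as soon as the running weight sum passes the random target. The following is an added example written for this page (not Tor's code); the relay list and weights are constructed, and the selectors are simplified stand-ins for Tor's bandwidth-weighted choice.

```python
"""Full-pass weighted selection versus early-exit selection.

Added illustration, not Tor's code. RELAYS and its weights are constructed.
An early-exit selector finishes after fewer iterations when the chosen relay
sits near the front of the list, so its running time is correlated with the
choice; the full-pass selector walks the whole list every time.
"""
import secrets

# Constructed sample: (relay nickname, bandwidth weight); total weight 800.
RELAYS = [("alpha", 400), ("bravo", 100), ("charlie", 250), ("delta", 50)]


def choose_early_exit(relays, target):
    """Vulnerable pattern: return as soon as the cumulative weight passes target.

    target is an integer in [0, total_weight). The number of loop iterations
    depends on which relay is chosen, which is the timing leak described above.
    """
    total = 0
    for name, weight in relays:
        total += weight
        if target < total:
            return name
    raise ValueError("target out of range")


def iterations_early_exit(relays, target):
    """How many iterations the early-exit selector performs for this target."""
    total = 0
    for i, (_, weight) in enumerate(relays, 1):
        total += weight
        if target < total:
            return i
    raise ValueError("target out of range")


def choose_full_pass(relays, target):
    """Fixed pattern: always walk the entire list.

    The first relay whose bucket contains target is latched, but the loop keeps
    running so the iteration count is the same for every possible target.
    """
    chosen = None
    total = 0
    for name, weight in relays:
        total += weight
        # Evaluate the condition on every iteration; only the first hit latches.
        hit = (target < total) and (chosen is None)
        if hit:
            chosen = name
    if chosen is None:
        raise ValueError("target out of range")
    return chosen


def pick_relay(relays):
    """Pick a relay with probability proportional to its weight, full-pass style."""
    total = sum(w for _, w in relays)
    return choose_full_pass(relays, secrets.randbelow(total))


if __name__ == "__main__":
    for t in (0, 450, 799):
        print(t, choose_early_exit(RELAYS, t), iterations_early_exit(RELAYS, t),
              choose_full_pass(RELAYS, t))
```

Both selectors return the same relay for the same target; only the work done differs. Python is not a constant-time language, so this shows the shape of the fix (no data-dependent early return), not a timing guarantee.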
Tor 0.2.2.37 introduces a workaround for a critical renegotiation
bug in OpenSSL 1.0.1 (where 20% of the Tor network can't talk to itself
currently).
https://www.torproject.org/download/download
Changes in version 0.2.2.37 - 2012-06-06
o Major bugfixes:
- Work around a bug in OpenSSL that broke renegotiation with TLS
1.1 and TLS 1.2. Without this workaround, all attempts to speak
the v2 Tor connection protocol when both sides were using OpenSSL
1.0.1 would fail. Resolves ticket 6033.
- When waiting for a client to renegotiate, don't allow it to add
any bytes to the input buffer. This fixes a potential DoS issue.
Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc.
- Fix an edge case where if we fetch or publish a hidden service
descriptor, we might build a 4-hop circuit and then use that circuit
for exiting afterwards -- even if the new last hop doesn't obey our
ExitNodes config option. Fixes bug 5283; bugfix on 0.2.0.10-alpha.
o Minor bugfixes:
- Fix a build warning with Clang 3.1 related to our use of vasprintf.
Fixes bug 5969. Bugfix on 0.2.2.11-alpha.
o Minor features:
- Tell GCC and Clang to check for any errors in format strings passed
to the tor_v*(print|scan)f functions.
Tor 0.2.2.36 updates the addresses for two of the eight directory
authorities, fixes some potential anonymity and security issues,
and fixes several crash bugs.
We're going to be following it soon with 0.2.2.37, which works around
a bug in OpenSSL's TLS renegotiation (currently being tested in the Tor
0.2.3.16-alpha release). Stay tuned.
Tor 0.2.1.x has reached its end-of-life. Those Tor versions have many
known flaws, and nobody should be using them. You should upgrade. If
you're using a Linux or BSD and its packages are obsolete, stop using
those packages and upgrade anyway.
https://www.torproject.org/download/download
Changes in version 0.2.2.36 - 2012-05-24
o Directory authority changes:
- Change IP address for maatuska (v3 directory authority).
- Change IP address for ides (v3 directory authority), and rename
it to turtles.
o Security fixes:
- When building or running with any version of OpenSSL earlier
than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
versions have a bug (CVE-2011-4576) in which their block cipher
padding includes uninitialized data, potentially leaking sensitive
information to any peer with whom they make an SSLv3 connection. Tor
does not use SSL v3 by default, but a hostile client or server
could force an SSLv3 connection in order to gain information that
they shouldn't have been able to get. The best solution here is to
upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
or running with a non-upgraded OpenSSL, we disable SSLv3 entirely
to make sure that the bug can't happen.
- Never use a bridge or a controller-supplied node as an exit, even
if its exit policy allows it. Found by wanoskarnet. Fixes bug
5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
and 0.2.0.3-alpha (for bridge-purpose descriptors).
- Only build circuits if we have a sufficient threshold of the total
descriptors that are marked in the consensus with the "Exit"
flag. This mitigates an attack proposed by wanoskarnet, in which
all of a client's bridges collude to restrict the exit nodes that
the client knows about. Fixes bug 5343.
- Provide controllers with a safer way to implement the cookie
authentication mechanism. With the old method, if another locally
running program could convince a controller that it was the Tor
process, then that program could trick the controller into telling
it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
authentication method uses a challenge-response approach to prevent
this attack. Fixes bug 5185; implements proposal 193.
o Major bugfixes:
- Avoid logging uninitialized data when unable to decode a hidden
service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha.
- Avoid a client-side assertion failure when receiving an INTRODUCE2
cell on a general purpose circuit. Fixes bug 5644; bugfix on
0.2.1.6-alpha.
- Fix builds when the path to sed, openssl, or sha1sum contains
spaces, which is pretty common on Windows. Fixes bug 5065; bugfix
on 0.2.2.1-alpha.
- Correct our replacements for the timeradd() and timersub() functions
on platforms that lack them (for example, Windows). The timersub()
function is used when expiring circuits, while timeradd() is
currently unused. Bug report and patch by Vektor. Fixes bug 4778;
bugfix on 0.2.2.24-alpha.
- Fix the SOCKET_OK test that we use to tell when socket
creation fails so that it works on Win64. Fixes part of bug 4533;
bugfix on 0.2.2.29-beta. Bug found by wanoskarnet.
o Minor bugfixes:
- Reject out-of-range times like 23:59:61 in parse_rfc1123_time().
Fixes bug 5346; bugfix on 0.0.8pre3.
- Make our number-parsing functions always treat too-large values
as an error, even when those values exceed the width of the
underlying type. Previously, if the caller provided these
functions with minima or maxima set to the extreme values of the
underlying integer type, these functions would return those
values on overflow rather than treating overflow as an error.
Fixes part of bug 5786; bugfix on 0.0.9.
- Older Linux kernels erroneously respond to strange nmap behavior
by having accept() return successfully with a zero-length
socket. When this happens, just close the connection. Previously,
we would try harder to learn the remote address: but there was
no such remote address to learn, and our method for trying to
learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
- Correct parsing of certain date types in parse_http_time().
Without this patch, If-Modified-Since would behave
incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from
Esteban Manchado Velázquez.
- Change the BridgePassword feature (part of the "bridge community"
design, which is not yet implemented) to use a time-independent
comparison. The old behavior might have allowed an adversary
to use timing to guess the BridgePassword value. Fixes bug 5543;
bugfix on 0.2.0.14-alpha.
- Detect and reject certain misformed escape sequences in
configuration values. Previously, these values would cause us
to crash if received in a torrc file or over an authenticated
control port. Bug found by Esteban Manchado Velázquez, and
independently by Robert Connolly from Matta Consulting who further
noted that it allows a post-authentication heap overflow. Patch
by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE-2012-1668);
bugfix on 0.2.0.16-alpha.
- Fix a compile warning when using the --enable-openbsd-malloc
configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc.
- During configure, detect when we're building with clang version
3.0 or lower and disable the -Wnormalized=id and -Woverride-init
CFLAGS. clang doesn't support them yet.
- When sending an HTTP/1.1 proxy request, include a Host header.
Fixes bug 5593; bugfix on 0.2.2.1-alpha.
- Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE
command. Found by mikeyc. Fixes bug 5796; bugfix on 0.2.2.9-alpha.
- If we hit the error case where routerlist_insert() replaces an
existing (old) server descriptor, make sure to remove that
server descriptor from the old_routers list. Fix related to bug
1776. Bugfix on 0.2.2.18-alpha.
o Minor bugfixes (documentation and log messages):
- Fix a typo in a log message in rend_service_rendezvous_has_opened().
Fixes bug 4856; bugfix on Tor 0.0.6.
- Update "ClientOnly" man page entry to explain that there isn't
really any point to messing with it. Resolves ticket 5005.
- Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
directory authority option (introduced in Tor 0.2.2.34).
- Downgrade the "We're missing a certificate" message from notice
to info: people kept mistaking it for a real problem, whereas it
is seldom the problem even when we are failing to bootstrap. Fixes
bug 5067; bugfix on 0.2.0.10-alpha.
- Correctly spell "connect" in a log message on failure to create a
controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta.
- Clarify the behavior of MaxCircuitDirtiness with hidden service
circuits. Fixes issue 5259.
o Minor features:
- Directory authorities now reject versions of Tor older than
0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
inclusive. These versions accounted for only a small fraction of
the Tor network, and have numerous known security issues. Resolves
issue 4788.
- Update to the May 1 2012 Maxmind GeoLite Country database.
o Feature removal:
- When sending or relaying a RELAY_EARLY cell, we used to convert
it to a RELAY cell if the connection was using the v1 link
protocol. This was a workaround for older versions of Tor, which
didn't handle RELAY_EARLY cells properly. Now that all supported
versions can handle RELAY_EARLY cells, and now that we're enforcing
the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
remove this workaround. Addresses bug 4786.
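Two items in the 0.2.2.36 notes above fit one worked example: the SAFECOOKIE challenge-response from proposal 193, and the time-independent comparison adopted for BridgePassword. What follows is an added example written for this page, not Tor's or any controller's own code. The two HMAC label strings are the ones fixed by Tor's control-port specification; the cookie bytes and nonces are constructed, and RogueSide is a stand-in for the attack the notes describe (a local program pretending to be the Tor process).

```python
"""SAFECOOKIE challenge-response for Tor's control port (proposal 193).

Added illustration, not Tor's code. With the old cookie method the controller
sent the raw contents of the cookie file, so anything that could pose as Tor
learned those 32 bytes. Under SAFECOOKIE the controller reveals nothing until
the server has first proven that it knows the cookie.
"""
import hashlib
import hmac
import secrets

# Labels fixed by the control-port spec: used as the HMAC-SHA256 key.
SERVER_TO_CONTROLLER = b"Tor safe cookie authentication server-to-controller hash"
CONTROLLER_TO_SERVER = b"Tor safe cookie authentication controller-to-server hash"


def safecookie_hash(label, cookie, client_nonce, server_nonce):
    """HMAC-SHA256(label, CookieString | ClientNonce | ServerNonce)."""
    return hmac.new(label, cookie + client_nonce + server_nonce, hashlib.sha256).digest()


def wire_authchallenge(client_nonce):
    """Controller's first command on the wire."""
    return b"AUTHCHALLENGE SAFECOOKIE " + client_nonce.hex().encode() + b"\r\n"


def wire_authenticate(client_hash):
    """Controller's final command once the server has proven cookie knowledge."""
    return b"AUTHENTICATE " + client_hash.hex().encode() + b"\r\n"


class TorSide:
    """The real Tor process: holds the 32-byte cookie from its cookie file."""

    def __init__(self, cookie):
        assert len(cookie) == 32
        self.cookie = cookie
        self.client_nonce = None
        self.server_nonce = None

    def authchallenge(self, client_nonce):
        """Reply to AUTHCHALLENGE SAFECOOKIE with (SERVERHASH, SERVERNONCE)."""
        self.client_nonce = client_nonce
        self.server_nonce = secrets.token_bytes(32)
        server_hash = safecookie_hash(SERVER_TO_CONTROLLER, self.cookie,
                                      client_nonce, self.server_nonce)
        return server_hash, self.server_nonce

    def authenticate(self, client_hash):
        """Check the controller's AUTHENTICATE value in constant time."""
        expected = safecookie_hash(CONTROLLER_TO_SERVER, self.cookie,
                                   self.client_nonce, self.server_nonce)
        return hmac.compare_digest(expected, client_hash)


class RogueSide(TorSide):
    """Constructed impostor: speaks the protocol but does not know the cookie."""

    def __init__(self):
        super().__init__(b"\x00" * 32)  # a guess; the real cookie is unknown to it


def controller_login(server, cookie):
    """Controller's view of the exchange. True only on mutual success."""
    client_nonce = secrets.token_bytes(32)
    server_hash, server_nonce = server.authchallenge(client_nonce)
    expected = safecookie_hash(SERVER_TO_CONTROLLER, cookie, client_nonce, server_nonce)
    # Same time-independent comparison idea as the BridgePassword fix:
    # compare_digest does not stop at the first differing byte.
    if not hmac.compare_digest(expected, server_hash):
        return False  # server never proved cookie knowledge; send nothing further
    client_hash = safecookie_hash(CONTROLLER_TO_SERVER, cookie, client_nonce, server_nonce)
    return server.authenticate(client_hash)


COOKIE = secrets.token_bytes(32)  # constructed stand-in for the cookie file


def demo_real():
    """Genuine Tor on the other end: both sides authenticate."""
    return controller_login(TorSide(COOKIE), COOKIE)


def demo_rogue():
    """Impostor on the other end: controller aborts before sending any hash."""
    return controller_login(RogueSide(), COOKIE)


if __name__ == "__main__":
    print("real Tor:", demo_real())
    print("rogue  :", demo_rogue())
```

Note that the controller checks SERVERHASH before computing its own reply, which is what closes the file-disclosure path: the impostor gets a nonce and a well-formed command, never the cookie bytes. `hmac.compare_digest` is used on both sides so neither comparison leaks how many leading bytes matched.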
Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's
buffers code. Absolutely everybody should upgrade.
The bug relied on an incorrect calculation when making data continuous
in one of our IO buffers, if the first chunk of the buffer was
misaligned by just the wrong amount. The miscalculation would allow an
attacker to overflow a piece of heap-allocated memory. To mount this
attack, the attacker would need to either open a SOCKS connection to
Tor's SocksPort (usually restricted to localhost), or target a Tor
instance configured to make its connections through a SOCKS proxy
(which Tor does not do by default).
Good security practice requires that all heap-overflow bugs should be
presumed to be exploitable until proven otherwise, so we are treating
this as a potential code execution attack. Please upgrade immediately!
This bug does not affect bufferevents-based builds of Tor. Special
thanks to "Vektor" for reporting this issue to us!
Tor 0.2.2.35 also fixes several bugs in previous versions, including
crash bugs for unusual configurations, and a long-term bug that
would prevent Tor from starting on Windows machines with draconian
AV software.
With this release, we remind everyone that 0.2.0.x has reached its
formal end-of-life. Those Tor versions have many known flaws, and
nobody should be using them. You should upgrade -- ideally to the
0.2.2.x series. If you're using a Linux or BSD and its packages are
obsolete, stop using those packages and upgrade anyway.
The Tor 0.2.1.x series is also approaching its end-of-life: it will no
longer receive support after some time in early 2012.
https://www.torproject.org/download/download
Note that the tarball and git tags are signed by Nick Mathewson (gpg
key 165733EA) this time around.
Changes in version 0.2.2.35 - 2011-12-16
o Major bugfixes:
- Fix a heap overflow bug that could occur when trying to pull
data into the first chunk of a buffer, when that chunk had
already had some data drained from it. Fixes CVE-2011-2778;
bugfix on 0.2.0.16-alpha. Reported by "Vektor".
- Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so
that it doesn't attempt to allocate a socketpair. This could cause
some problems on Windows systems with overzealous firewalls. Fix for
bug 4457; workaround for Libevent versions 2.0.1-alpha through
2.0.15-stable.
- If we mark an OR connection for close based on a cell we process,
don't process any further cells on it. We already avoid further
reads on marked-for-close connections, but now we also discard the
cells we'd already read. Fixes bug 4299; bugfix on 0.2.0.10-alpha,
which was the first version where we might mark a connection for
close based on processing a cell on it.
- Correctly sanity-check that we don't underflow on a memory
allocation (and then assert) for hidden service introduction
point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410;
bugfix on 0.2.1.5-alpha.
- Fix a memory leak when we check whether a hidden service
descriptor has any usable introduction points left. Fixes bug
4424. Bugfix on 0.2.2.25-alpha.
- Don't crash when we're running as a relay and don't have a GeoIP
file. Bugfix on 0.2.2.34; fixes bug 4340. This backports a fix
we've had in the 0.2.3.x branch already.
- When running as a client, do not print a misleading (and plain
wrong) log message that we're collecting "directory request"
statistics: clients don't collect statistics. Also don't create a
useless (because empty) stats file in the stats/ directory. Fixes
bug 4353; bugfix on 0.2.2.34.
o Minor bugfixes:
- Detect failure to initialize Libevent. This fix provides better
detection for future instances of bug 4457.
- Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers
function. This was eating up hideously large amounts of time on some
busy servers. Fixes bug 4518; bugfix on 0.0.9.8.
- Resolve an integer overflow bug in smartlist_ensure_capacity().
Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by
Mansour Moufid.
- Don't warn about unused log_mutex in log.c when building with
--disable-threads using a recent GCC. Fixes bug 4437; bugfix on
0.1.0.6-rc which introduced --disable-threads.
- When configuring, starting, or stopping an NT service, stop
immediately after the service configuration attempt has succeeded
or failed. Fixes bug 3963; bugfix on 0.2.0.7-alpha.
- When sending a NETINFO cell, include the original address
received for the other side, not its canonical address. Found
by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha.
- Fix a typo in a hibernation-related log message. Fixes bug 4331;
bugfix on 0.2.2.23-alpha; found by "tmpname0901".
- Fix a memory leak in launch_direct_bridge_descriptor_fetch() that
occurred when a client tried to fetch a descriptor for a bridge
in ExcludeNodes. Fixes bug 4383; bugfix on 0.2.2.25-alpha.
- Backport fixes for a pair of compilation warnings on Windows.
Fixes bug 4521; bugfix on 0.2.2.28-beta and on 0.2.2.29-beta.
- If we had ever tried to call tor_addr_to_str on an address of
unknown type, we would have done a strdup on an uninitialized
buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha.
Reported by "troll_un".
- Correctly detect and handle transient lookup failures from
tor_addr_lookup. Fixes bug 4530; bugfix on 0.2.1.5-alpha.
Reported by "troll_un".
- Fix null-pointer access that could occur if TLS allocation failed.
Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un".
- Use tor_socket_t type for listener argument to accept(). Fixes bug
4535; bugfix on 0.2.2.28-beta. Found by "troll_un".
o Minor features:
- Add two new config options for directory authorities:
AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the
Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold
that is always sufficient to satisfy the bandwidth requirement for
the Guard flag. Now it will be easier for researchers to simulate
Tor networks with different values. Resolves ticket 4484.
- When Tor ignores a hidden service specified in its configuration,
include the hidden service's directory in the warning message.
Previously, we would only tell the user that some hidden service
was ignored. Bugfix on 0.0.6; fixes bug 4426.
- Update to the December 6 2011 Maxmind GeoLite Country database.
o Packaging changes:
- Make it easier to automate expert package builds on Windows,
by removing an absolute path from makensis.exe command.
Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker
can deanonymize Tor users. Everybody should upgrade.
The attack relies on four components: 1) Clients reuse their TLS cert
when talking to different relays, so relays can recognize a user by
the identity key in her cert. 2) An attacker who knows the client's
identity key can probe each guard relay to see if that identity key
is connected to that guard relay right now. 3) A variety of active
attacks in the literature (starting from "Low-Cost Traffic Analysis
of Tor" by Murdoch and Danezis in 2005) allow a malicious website to
discover the guard relays that a Tor user visiting the website is using.
4) Clients typically pick three guards at random, so the set of guards
for a given user could well be a unique fingerprint for her. This
release fixes components #1 and #2, which is enough to block the attack;
the other two remain as open research problems.
Special thanks to "frosty_un" for reporting the issue to us! (As far
as we know, this has nothing to do with any claimed attack currently
getting attention in the media.)
Clients should upgrade so they are no longer recognizable by the TLS
certs they present. Relays should upgrade so they no longer allow a
remote attacker to probe them to test whether unpatched clients are
currently connected to them.
This release also fixes several vulnerabilities that allow an attacker
to enumerate bridge relays. Some bridge enumeration attacks still
remain; see for example proposal 188.
https://www.torproject.org/download/download
Changes in version 0.2.2.34 - 2011-10-26
o Privacy/anonymity fixes (clients):
- Clients and bridges no longer send TLS certificate chains on
outgoing OR connections. Previously, each client or bridge would
use the same cert chain for all outgoing OR connections until
its IP address changes, which allowed any relay that the client
or bridge contacted to determine which entry guards it is using.
Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
- If a relay receives a CREATE_FAST cell on a TLS connection, it
no longer considers that connection as suitable for satisfying a
circuit EXTEND request. Now relays can protect clients from the
CVE-2011-2768 issue even if the clients haven't upgraded yet.
- Directory authorities no longer assign the Guard flag to relays
that haven't upgraded to the above "refuse EXTEND requests
to client connections" fix. Now directory authorities can
protect clients from the CVE-2011-2768 issue even if neither
the clients nor the relays have upgraded yet. There's a new
"GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option
to let us transition smoothly, else tomorrow there would be no
guard relays.
o Privacy/anonymity fixes (bridge enumeration):
- Bridge relays now do their directory fetches inside Tor TLS
connections, like all the other clients do, rather than connecting
directly to the DirPort like public relays do. Removes another
avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35.
- Bridge relays now build circuits for themselves in a more similar
way to how clients build them. Removes another avenue for
enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha,
when bridges were introduced.
- Bridges now refuse CREATE or CREATE_FAST cells on OR connections
that they initiated. Relays could distinguish incoming bridge
connections from client connections, creating another avenue for
enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
Found by "frosty_un".
o Major bugfixes:
- Fix a crash bug when changing node restrictions while a DNS lookup
is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix
by "Tey'".
- Don't launch a useless circuit after failing to use one of a
hidden service's introduction points. Previously, we would
launch a new introduction circuit, but not set the hidden service
which that circuit was intended to connect to, so it would never
actually be used. A different piece of code would then create a
new introduction circuit correctly. Bug reported by katmagic and
found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212.
o Minor bugfixes:
- Change an integer overflow check in the OpenBSD_Malloc code so
that GCC is less likely to eliminate it as impossible. Patch
from Mansour Moufid. Fixes bug 4059.
- When a hidden service turns an extra service-side introduction
circuit into a general-purpose circuit, free the rend_data and
intro_key fields first, so we won't leak memory if the circuit
is cannibalized for use as another service-side introduction
circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251.
- Bridges now skip DNS self-tests, to act a little more stealthily.
Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced
bridges. Patch by "warms0x".
- Fix internal bug-checking logic that was supposed to catch
failures in digest generation so that it will fail more robustly
if we ask for a nonexistent algorithm. Found by Coverity Scan.
Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479.
- Report any failure in init_keys() calls launched because our
IP address has changed. Spotted by Coverity Scan. Bugfix on
0.1.1.4-alpha; fixes CID 484.
o Minor bugfixes (log messages and documentation):
- Remove a confusing dollar sign from the example fingerprint in the
man page, and also make the example fingerprint a valid one. Fixes
bug 4309; bugfix on 0.2.1.3-alpha.
- The next version of Windows will be called Windows 8, and it has
a major version of 6, minor version of 2. Correctly identify that
version instead of calling it "Very recent version". Resolves
ticket 4153; reported by funkstar.
- Downgrade log messages about circuit timeout calibration from
"notice" to "info": they don't require or suggest any human
intervention. Patch from Tom Lowenthal. Fixes bug 4063;
bugfix on 0.2.2.14-alpha.
o Minor features:
- Turn on directory request statistics by default and include them in
extra-info descriptors. Don't break if we have no GeoIP database.
Backported from 0.2.3.1-alpha; implements ticket 3951.
- Update to the October 4 2011 Maxmind GeoLite Country database.
Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's
TLS handshake that makes relays and bridges that run this new version
reachable from Iran again.
https://www.torproject.org/download/download
Relays and bridges should upgrade:
https://blog.torproject.org/blog/iran-blocks-tor-tor-releases-same-day-fix
Since there are no critical client-side fixes, we haven't built new Tor
Browser Bundle packages for this version yet. The latest Tor Browser
Bundle version remains 2.2.32-4:
https://blog.torproject.org/blog/new-tor-browser-bundles-6
Changes in version 0.2.2.33 - 2011-09-13
o Major bugfixes:
- Avoid an assertion failure when reloading a configuration with
TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug
3923; bugfix on 0.2.2.25-alpha.
o Minor features (security):
- Check for replays of the public-key encrypted portion of an
INTRODUCE1 cell, in addition to the current check for replays of
the g^x value. This prevents a possible class of active attacks
by an attacker who controls both an introduction point and a
rendezvous point, and who uses the malleability of AES-CTR to
alter the encrypted g^x portion of the INTRODUCE1 cell. We think
that these attacks are infeasible (requiring the attacker to send
on the order of zettabytes of altered cells in a short interval),
but we'd rather block them off in case there are any classes of
this attack that we missed. Reported by Willem Pinckaers.
o Minor features:
- Adjust the expiration time on our SSL session certificates to
better match SSL certs seen in the wild. Resolves ticket 4014.
- Change the default required uptime for a relay to be accepted as
a HSDir (hidden service directory) from 24 hours to 25 hours.
Improves on 0.2.0.10-alpha; resolves ticket 2649.
- Add a VoteOnHidServDirectoriesV2 config option to allow directory
authorities to abstain from voting on assignment of the HSDir
consensus flag. Related to bug 2649.
- Update to the September 6 2011 Maxmind GeoLite Country database.
o Minor bugfixes (documentation and log messages):
- Correct the man page to explain that HashedControlPassword and
CookieAuthentication can both be set, in which case either method
is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha,
when we decided to allow these config options to both be set. Issue
raised by bug 3898.
- Demote the 'replay detected' log message emitted when a hidden
service receives the same Diffie-Hellman public key in two different
INTRODUCE2 cells to info level. A normal Tor client can cause that
log message during its normal operation. Bugfix on 0.2.1.6-alpha;
fixes part of bug 2442.
- Demote the 'INTRODUCE2 cell is too {old,new}' log message to info
level. There is nothing that a hidden service's operator can do
to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part
of bug 2442.
- Clarify a log message specifying the characters permitted in
HiddenServiceAuthorizeClient client names. Previously, the log
message said that "[A-Za-z0-9+-_]" were permitted; that could have
given the impression that every ASCII character between "+" and "_"
was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha.
o Build fixes:
- Provide a substitute implementation of lround() for MSVC, which
apparently lacks it. Patch from Gisle Vanem.
- Clean up some code issues that prevented Tor from building on older
BSDs. Fixes bug 3894; reported by "grarpamp".
- Search for a platform-specific version of "ar" when cross-compiling.
Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti.
The Tor 0.2.2 release series is dedicated to the memory of Andreas
Pfitzmann (1958-2010), a pioneer in anonymity and privacy research,
a founder of the PETS community, a leader in our field, a mentor,
and a friend. He left us with these words: "I had the possibility
to contribute to this world that is not as it should be. I hope I
could help in some areas to make the world a better place, and that
I could also encourage other people to be engaged in improving the
world. Please, stay engaged. This world needs you, your love, your
initiative -- now I cannot be part of that anymore."
Tor 0.2.2.32, the first stable release in the 0.2.2 branch, is finally
ready. More than two years in the making, this release features improved
client performance and hidden service reliability, better compatibility
for Android, correct behavior for bridges that listen on more than
one address, more extensible and flexible directory object handling,
better reporting of network statistics, improved code security, and
many many other features and bugfixes.
https://www.torproject.org/download/download
Changes in version 0.2.2.32 - 2011-08-27
o Major features (client performance):
- When choosing which cells to relay first, relays now favor circuits
that have been quiet recently, to provide lower latency for
low-volume circuits. By default, relays enable or disable this
feature based on a setting in the consensus. They can override
this default by using the new "CircuitPriorityHalflife" config
option. Design and code by Ian Goldberg, Can Tang, and Chris
Alexander.
- Directory authorities now compute consensus weightings that instruct
clients how to weight relays flagged as Guard, Exit, Guard+Exit,
and no flag. Clients use these weightings to distribute network load
more evenly across these different relay types. The weightings are
in the consensus so we can change them globally in the future. Extra
thanks to "outofwords" for finding some nasty security bugs in
the first implementation of this feature.
o Major features (client performance, circuit build timeout):
- Tor now tracks how long it takes to build client-side circuits
over time, and adapts its timeout to local network performance.
Since a circuit that takes a long time to build will also provide
bad performance, we get significant latency improvements by
discarding the slowest 20% of circuits. Specifically, Tor creates
circuits more aggressively than usual until it has enough data
points for a good timeout estimate. Implements proposal 151.
- Circuit build timeout constants can be controlled by consensus
parameters. We set good defaults for these parameters based on
experimentation on broadband and simulated high-latency links.
- Circuit build time learning can be disabled via consensus parameter
or by the client via a LearnCircuitBuildTimeout config option. We
also automatically disable circuit build time calculation if either
AuthoritativeDirectory is set, or if we fail to write our state
file. Implements ticket 1296.
o Major features (relays use their capacity better):
- Set SO_REUSEADDR socket option on all sockets, not just
listeners. This should help busy exit nodes avoid running out of
usable ports just because all the ports have been used in the
near past. Resolves issue 2850.
- Relays now save observed peak bandwidth throughput rates to their
state file (along with total usage, which was already saved),
so that they can determine their correct estimated bandwidth on
restart. Resolves bug 1863, where Tor relays would reset their
estimated bandwidth to 0 after restarting.
- Lower the maximum weighted-fractional-uptime cutoff to 98%. This
should give us approximately 40-50% more Guard-flagged nodes,
improving the anonymity the Tor network can provide and also
decreasing the dropoff in throughput that relays experience when
they first get the Guard flag.
- Directory authorities now take changes in router IP address and
ORPort into account when determining router stability. Previously,
if a router changed its IP or ORPort, the authorities would not
treat it as having any downtime for the purposes of stability
calculation, whereas clients would experience downtime since the
change would take a while to propagate to them. Resolves issue 1035.
- New AccelName and AccelDir options add support for dynamic OpenSSL
hardware crypto acceleration engines.
o Major features (relays control their load better):
- Exit relays now try harder to block exit attempts from unknown
relays, to make it harder for people to use them as one-hop proxies
a la tortunnel. Controlled by the refuseunknownexits consensus
parameter (currently enabled), or you can override it on your
relay with the RefuseUnknownExits torrc option. Resolves bug 1751;
based on a variant of proposal 163.
- Add separate per-conn write limiting to go with the per-conn read
limiting. We added a global write limit in Tor 0.1.2.5-alpha,
but never per-conn write limits.
- New consensus params "bwconnrate" and "bwconnburst" to let us
rate-limit client connections as they enter the network. It's
controlled in the consensus so we can turn it on and off for
experiments. It's starting out off. Based on proposal 163.
o Major features (controllers):
- Export GeoIP information on bridge usage to controllers even if we
have not yet been running for 24 hours. Now Vidalia bridge operators
can get more accurate and immediate feedback about their
contributions to the network.
- Add an __OwningControllerProcess configuration option and a
TAKEOWNERSHIP control-port command. Now a Tor controller can ensure
that when it exits, Tor will shut down. Implements feature 3049.
o Major features (directory authorities):
- Directory authorities now create, vote on, and serve multiple
parallel formats of directory data as part of their voting process.
Partially implements Proposal 162: "Publish the consensus in
multiple flavors".
- Directory authorities now agree on and publish small summaries
of router information that clients can use in place of regular
server descriptors. This transition will allow Tor 0.2.3 clients
to use far less bandwidth for downloading information about the
network. Begins the implementation of Proposal 158: "Clients
download consensus + microdescriptors".
- The directory voting system is now extensible to use multiple hash
algorithms for signatures and resource selection. Newer formats
are signed with SHA256, with a possibility for moving to a better
hash algorithm in the future.
- Directory authorities can now vote on arbitary integer values as
part of the consensus process. This is designed to help set
network-wide parameters. Implements proposal 167.
o Major features and bugfixes (node selection):
- Revise and reconcile the meaning of the ExitNodes, EntryNodes,
ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and Strict*Nodes
options. Previously, we had been ambiguous in describing what
counted as an "exit" node, and what operations exactly "StrictNodes
0" would permit. This created confusion when people saw nodes built
through unexpected circuits, and made it hard to tell real bugs from
surprises. Now the intended behavior is:
. "Exit", in the context of ExitNodes and ExcludeExitNodes, means
a node that delivers user traffic outside the Tor network.
. "Entry", in the context of EntryNodes, means a node used as the
first hop of a multihop circuit. It doesn't include direct
connections to directory servers.
. "ExcludeNodes" applies to all nodes.
. "StrictNodes" changes the behavior of ExcludeNodes only. When
StrictNodes is set, Tor should avoid all nodes listed in
ExcludeNodes, even when it will make user requests fail. When
StrictNodes is *not* set, then Tor should follow ExcludeNodes
whenever it can, except when it must use an excluded node to
perform self-tests, connect to a hidden service, provide a
hidden service, fulfill a .exit request, upload directory
information, or fetch directory information.
Collectively, the changes to implement the behavior fix bug 1090.
- If EntryNodes, ExitNodes, ExcludeNodes, or ExcludeExitNodes
change during a config reload, mark and discard all our origin
circuits. This fix should address edge cases where we change the
config options but then choose a circuit that we created before
the change.
- Make EntryNodes config option much more aggressive even when
StrictNodes is not set. Before it would prepend your requested
entrynodes to your list of guard nodes, but feel free to use others
after that. Now it chooses only from your EntryNodes if any of
those are available, and only falls back to others if a) they're
all down and b) StrictNodes is not set.
- Now we refresh your entry guards from EntryNodes at each consensus
fetch, rather than only at startup, after which they would slowly
rot as the network changed.
- Add support for the country code "{??}" in torrc options like
ExcludeNodes, to indicate all routers of unknown country. Closes
bug 1094.
- ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if
a node is listed in both, it's treated as excluded.
- ExcludeNodes now applies to directory nodes -- as a preference if
StrictNodes is 0, or an absolute requirement if StrictNodes is 1.
Don't exclude all the directory authorities and set StrictNodes to 1
unless you really want your Tor to break.
- ExcludeNodes and ExcludeExitNodes now override exit enclaving.
- ExcludeExitNodes now overrides .exit requests.
- We don't use bridges listed in ExcludeNodes.
- When StrictNodes is 1:
. We now apply ExcludeNodes to hidden service introduction points
and to rendezvous points selected by hidden service users. This
can make your hidden service less reliable: use it with caution!
. If we have used ExcludeNodes on ourself, do not try relay
reachability self-tests.
. If we have excluded all the directory authorities, we will not
even try to upload our descriptor if we're a relay.
. Do not honor .exit requests to an excluded node.
- When the set of permitted nodes changes, we now remove any mappings
introduced via TrackExitHosts to now-excluded nodes. Bugfix on
0.1.0.1-rc.
- We never cannibalize a circuit that had excluded nodes on it, even
if StrictNodes is 0. Bugfix on 0.1.0.1-rc.
- Improve log messages related to excluded nodes.
o Major features (misc):
- Numerous changes, bugfixes, and workarounds from Nathan Freitas
to help Tor build correctly for Android phones.
- The options SocksPort, ControlPort, and so on now all accept a
value "auto" that opens a socket on an OS-selected port. A
new ControlPortWriteToFile option tells Tor to write its
actual control port or ports to a chosen file. If the option
ControlPortFileGroupReadable is set, the file is created as
group-readable. Now users can run two Tor clients on the same
system without needing to manually mess with parameters. Resolves
part of ticket 3076.
- Tor now supports tunneling all of its outgoing connections over
a SOCKS proxy, using the SOCKS4Proxy and/or SOCKS5Proxy
configuration options. Code by Christopher Davis.
o Code security improvements:
- Replace all potentially sensitive memory comparison operations
with versions whose runtime does not depend on the data being
compared. This will help resist a class of attacks where an
adversary can use variations in timing information to learn
sensitive data. Fix for one case of bug 3122. (Safe memcmp
implementation by Robert Ransom based partially on code by DJB.)
- Enable Address Space Layout Randomization (ASLR) and Data Execution
Prevention (DEP) by default on Windows to make it harder for
attackers to exploit vulnerabilities. Patch from John Brooks.
- New "--enable-gcc-hardening" ./configure flag (off by default)
to turn on gcc compile time hardening options. It ensures
that signed ints have defined behavior (-fwrapv), enables
-D_FORTIFY_SOURCE=2 (requiring -O2), adds stack smashing protection
with canaries (-fstack-protector-all), turns on ASLR protection if
supported by the kernel (-fPIE, -pie), and adds additional security
related warnings. Verified to work on Mac OS X and Debian Lenny.
- New "--enable-linker-hardening" ./configure flag (off by default)
to turn on ELF specific hardening features (relro, now). This does
not work with Mac OS X or any other non-ELF binary format.
- Always search the Windows system directory for system DLLs, and
nowhere else. Bugfix on 0.1.1.23; fixes bug 1954.
- New DisableAllSwap option. If set to 1, Tor will attempt to lock all
current and future memory pages via mlockall(). On supported
platforms (modern Linux and probably BSD but not Windows or OS X),
this should effectively disable any and all attempts to page out
memory. This option requires that you start your Tor as root --
if you use DisableAllSwap, please consider using the User option
to properly reduce the privileges of your Tor.
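The constant-time comparison item above is worth seeing concretely. The C below is an added example written for this page, not Tor's own tor_memeq implementation: it places the early-exit pattern being replaced next to a constant-time version. The `examined` out-parameter on the variable-time function is instrumentation invented here to make the data-dependence visible; a real API would not expose it.

```c
#include <stddef.h>

/* Variable-time comparison (the pattern being replaced): it returns at the
 * first differing byte, so its running time reveals how long a prefix of
 * the secret matched. *examined receives the number of bytes actually
 * compared; it exists only so this example can demonstrate the leak. */
int vt_memeq(const unsigned char *a, const unsigned char *b, size_t len,
             size_t *examined)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = len;
    return 1;
}

/* Constant-time comparison: XOR each byte pair and OR the results into an
 * accumulator, then reduce the accumulator to 0 or 1 without a
 * data-dependent branch. The loop always runs len times, so the running
 * time depends on len alone, never on where (or whether) a mismatch lies. */
int ct_memeq(const unsigned char *a, const unsigned char *b, size_t len)
{
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < len; i++)
        diff |= a[i] ^ b[i];
    /* diff is 0..255. (diff - 1) wraps to all-ones only when diff == 0,
     * so after shifting right by 8 the low bit is set exactly on equality. */
    return (int)((((unsigned)diff - 1u) >> 8) & 1u);
}
```

Use ct_memeq wherever one operand is secret and the other is attacker-influenced (control-port cookie authentication, MAC and digest checks); use plain memcmp only for non-sensitive data or where ordering is needed.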
o Major bugfixes (crashes):
- Fix crash bug on platforms where gmtime and localtime can return
NULL. Windows 7 users were running into this one. Fixes part of bug
2077. Bugfix on all versions of Tor. Found by boboper.
- Introduce minimum/maximum values that clients will believe
from the consensus. Now we'll have a better chance to avoid crashes
or worse when a consensus param has a weird value.
- Fix a rare crash bug that could occur when a client was configured
with a large number of bridges. Fixes bug 2629; bugfix on
0.2.1.2-alpha. Bugfix by trac user "shitlei".
- Do not crash when our configuration file becomes unreadable, for
example due to a permissions change, between when we start up
and when a controller calls SAVECONF. Fixes bug 3135; bugfix
on 0.0.9pre6.
- If we're in the pathological case where there's no exit bandwidth
but there is non-exit bandwidth, or no guard bandwidth but there
is non-guard bandwidth, don't crash during path selection. Bugfix
on 0.2.0.3-alpha.
- Fix a crash bug when trying to initialize the evdns module in
Libevent 2. Bugfix on 0.2.1.16-rc.
o Major bugfixes (stability):
- Fix an assert in parsing router descriptors containing IPv6
addresses. This one took down the directory authorities when
somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
- Fix an uncommon assertion failure when running with DNSPort under
heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
- Treat an unset $HOME like an empty $HOME rather than triggering an
assert. Bugfix on 0.0.8pre1; fixes bug 1522.
- More gracefully handle corrupt state files, removing asserts
in favor of saving a backup and resetting state.
- Instead of giving an assertion failure on an internal mismatch
on estimated freelist size, just log a BUG warning and try later.
Mitigates but does not fix bug 1125.
- Fix an assert that got triggered when using the TestingTorNetwork
configuration option and then issuing a GETINFO config-text control
command. Fixes bug 2250; bugfix on 0.2.1.2-alpha.
- If the cached cert file is unparseable, warn but don't exit.
o Privacy fixes (relays/bridges):
- Don't list Windows capabilities in relay descriptors. We never made
use of them, and maybe it's a bad idea to publish them. Bugfix
on 0.1.1.8-alpha.
- If the Nickname configuration option isn't given, Tor would derive
a relay's nickname from the local hostname.
Because nicknames are not very important in today's Tor and the
"Unnamed" nickname has been implemented, this is now problematic
behavior: It leaks information about the hostname without being
useful at all. Fixes bug 2979; bugfix on 0.1.2.2-alpha, which
introduced the Unnamed nickname. Reported by tagnaq.
- Maintain separate TLS contexts and certificates for incoming and
outgoing connections in bridge relays. Previously we would use the
same TLS contexts and certs for incoming and outgoing connections.
Bugfix on 0.2.0.3-alpha; addresses bug 988.
- Maintain separate identity keys for incoming and outgoing TLS
contexts in bridge relays. Previously we would use the same
identity keys for incoming and outgoing TLS contexts. Bugfix on
0.2.0.3-alpha; addresses the other half of bug 988.
- Make the bridge directory authority refuse to answer directory
requests for "all descriptors". It used to include bridge
descriptors in its answer, which was a major information leak.
Found by "piebeer". Bugfix on 0.2.0.3-alpha.
o Privacy fixes (clients):
- When receiving a hidden service descriptor, check that it is for
the hidden service we wanted. Previously, Tor would store any
hidden service descriptors that a directory gave it, whether it
wanted them or not. This wouldn't have let an attacker impersonate
a hidden service, but it did let directories pre-seed a client
with descriptors that it didn't want. Bugfix on 0.0.6.
- Start the process of disabling ".exit" address notation, since it
can be used for a variety of esoteric application-level attacks
on users. To reenable it, set "AllowDotExit 1" in your torrc. Fix
on 0.0.9rc5.
- Reject attempts at the client side to open connections to private
IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with
a randomly chosen exit node. Attempts to do so are always
ill-defined, generally prevented by exit policies, and usually
in error. This will also help to detect loops in transparent
proxy configurations. You can disable this feature by setting
"ClientRejectInternalAddresses 0" in your torrc.
- Log a notice when we get a new control connection. Now it's easier
for security-conscious users to recognize when a local application
is knocking on their controller door. Suggested by bug 1196.
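As an added example of the internal-address rejection described above (example code written for this page, not Tor's implementation), the C below parses a literal IPv4 destination, tests it against the ranges this example treats as internal, and applies the policy. The `exit_chosen_by_user` and `reject_internal` parameters are assumptions standing in for a user-named exit and the ClientRejectInternalAddresses setting; that a user-named exit bypasses the check is this example's reading of "randomly chosen exit node" in the text. The set of ranges (RFC 1918, loopback, link-local, the 0.0.0.0/8 block, multicast, limited broadcast) is also this example's choice and may differ from Tor's.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted-quad IPv4 address into a host-order 32-bit integer.
 * Rejects octets above 255, missing octets, leading sign/space and
 * trailing characters. Returns 1 on success, 0 on failure. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (s[0] < '0' || s[0] > '9')
        return 0;
    if (sscanf(s, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8) | (uint32_t)d;
    return 1;
}

/* Ranges a client should never hand to a randomly chosen exit. The list
 * is this example's choice: RFC 1918 private space, loopback, link-local,
 * the "this network" block, multicast and limited broadcast. */
int ipv4_is_internal(uint32_t ip)
{
    return (ip >> 24) == 0            /* 0.0.0.0/8       */
        || (ip >> 24) == 10           /* 10.0.0.0/8      */
        || (ip >> 24) == 127          /* 127.0.0.0/8     */
        || (ip >> 16) == 0xA9FEu      /* 169.254.0.0/16  */
        || (ip >> 20) == 0xAC1u       /* 172.16.0.0/12   */
        || (ip >> 16) == 0xC0A8u      /* 192.168.0.0/16  */
        || (ip >> 28) == 0xEu         /* 224.0.0.0/4     */
        || ip == 0xFFFFFFFFu;         /* 255.255.255.255 */
}

/* Client-side policy for a new stream request. The request is refused only
 * when the setting is on, the exit would be picked at random rather than
 * named by the user, and the destination is a literal internal IPv4
 * address. Hostnames are resolved at the exit and are not checked here. */
int should_reject_stream(const char *dest, int exit_chosen_by_user,
                         int reject_internal)
{
    uint32_t ip;
    if (!reject_internal || exit_chosen_by_user)
        return 0;
    if (!parse_ipv4(dest, &ip))
        return 0;
    return ipv4_is_internal(ip);
}
```

The practical payoff mentioned in the text, catching transparent-proxy loops, falls out of the 127.0.0.0/8 and RFC 1918 entries: a misrouted connection back to the local TransPort shows up as a rejected stream rather than a silent loop.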
o Privacy fixes (newnym):
- Avoid linkability based on cached hidden service descriptors: forget
all hidden service descriptors cached as a client when processing a
SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
- On SIGHUP, do not clear out all TrackHostExits mappings, client
DNS cache entries, and virtual address mappings: that's what
NEWNYM is for. Fixes bug 1345; bugfix on 0.1.0.1-rc.
- Don't attach new streams to old rendezvous circuits after SIGNAL
NEWNYM. Previously, we would keep using an existing rendezvous
circuit if it remained open (i.e. if it were kept open by a
long-lived stream, or if a new stream were attached to it before
Tor could notice that it was old and no longer in use). Bugfix on
0.1.1.15-rc; fixes bug 3375.
o Major bugfixes (relay bandwidth accounting):
- Fix a bug that could break accounting on 64-bit systems with large
time_t values, making them hibernate for impossibly long intervals.
Fixes bug 2146. Bugfix on 0.0.9pre6; fix by boboper.
- Fix a bug in bandwidth accounting that could make us use twice
the intended bandwidth when our interval start changes due to
daylight saving time. Now we tolerate skew in stored vs computed
interval starts: if the start of the period changes by no more than
50% of the period's duration, we remember bytes that we transferred
in the old period. Fixes bug 1511; bugfix on 0.0.9pre5.
o Major bugfixes (bridges):
- Bridges now use "reject *:*" as their default exit policy. Bugfix
on 0.2.0.3-alpha. Fixes bug 1113.
- If you configure your bridge with a known identity fingerprint,
and the bridge authority is unreachable (as it is in at least
one country now), fall back to directly requesting the descriptor
from the bridge. Finishes the feature started in 0.2.0.10-alpha;
closes bug 1138.
- Fix a bug where bridge users who configure the non-canonical
address of a bridge automatically switch to its canonical
address. If a bridge listens at more than one address, it
should be able to advertise those addresses independently and
any non-blocked addresses should continue to work. Bugfix on Tor
0.2.0.3-alpha. Fixes bug 2510.
- If you configure Tor to use bridge A, and then quit and
configure Tor to use bridge B instead (or if you change Tor
to use bridge B via the controller), it would happily continue
to use bridge A if it's still reachable. While this behavior is
a feature if your goal is connectivity, in some scenarios it's a
dangerous bug. Bugfix on Tor 0.2.0.1-alpha; fixes bug 2511.
- When the controller configures a new bridge, don't wait 10 to 60
seconds before trying to fetch its descriptor. Bugfix on
0.2.0.3-alpha; fixes bug 3198 (suggested by 2355).
o Major bugfixes (directory authorities):
- Many relays have been falling out of the consensus lately because
not enough authorities know about their descriptor for them to get
a majority of votes. When we deprecated the v2 directory protocol,
we got rid of the only way that v3 authorities can hear from each
other about other descriptors. Now authorities examine every v3
vote for new descriptors, and fetch them from that authority. Bugfix
on 0.2.1.23.
- Authorities could be tricked into giving out the Exit flag to relays
that didn't allow exiting to any ports. This bug could screw
with load balancing and stats. Bugfix on 0.1.1.6-alpha; fixes bug
1238. Bug discovered by Martin Kowalczyk.
- If all authorities restart at once right before a consensus vote,
nobody will vote about "Running", and clients will get a consensus
with no usable relays. Instead, authorities refuse to build a
consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066.
o Major bugfixes (stream-level fairness):
- When receiving a circuit-level SENDME for a blocked circuit, try
to package cells fairly from all the streams that had previously
been blocked on that circuit. Previously, we had started with the
oldest stream, and allowed each stream to potentially exhaust
the circuit's package window. This gave older streams on any
given circuit priority over newer ones. Fixes bug 1937. Detected
originally by Camilo Viecco. This bug was introduced before the
first Tor release, in svn commit r152: it is the new winner of
the longest-lived bug prize.
- Fix a stream fairness bug that would cause newer streams on a given
circuit to get preference when reading bytes from the origin or
destination. Fixes bug 2210. Fix by Mashael AlSabah. This bug was
introduced before the first Tor release, in svn revision r152.
- When the exit relay got a circuit-level sendme cell, it started
reading on the exit streams, even if it had 500 cells queued in the
circuit queue already, so the circuit queue just grew and grew in
some cases. We fix this by not re-enabling reading on receipt of a
sendme cell when the cell queue is blocked. Fixes bug 1653. Bugfix
on 0.2.0.1-alpha. Detected by Mashael AlSabah. Original patch by
"yetonetime".
- Newly created streams were allowed to read cells onto circuits,
even if the circuit's cell queue was blocked and waiting to drain.
This created potential unfairness, as older streams would be
blocked, but newer streams would gladly fill the queue completely.
We add code to detect this situation and prevent any stream from
getting more than one free cell. Bugfix on 0.2.0.1-alpha. Partially
fixes bug 1298.
o Major bugfixes (hidden services):
- Apply circuit timeouts to opened hidden-service-related circuits
based on the correct start time. Previously, we would apply the
circuit build timeout based on time since the circuit's creation;
it was supposed to be applied based on time since the circuit
entered its current state. Bugfix on 0.0.6; fixes part of bug 1297.
- Improve hidden service robustness: When we find that we have
extended a hidden service's introduction circuit to a relay not
listed as an introduction point in the HS descriptor we currently
have, retry with an introduction point from the current
descriptor. Previously we would just give up. Fixes bugs 1024 and
1930; bugfix on 0.2.0.10-alpha.
- Directory authorities now use data collected from their own
uptime observations when choosing whether to assign the HSDir flag
to relays, instead of trusting the uptime value the relay reports in
its descriptor. This change helps prevent an attack where a small
set of nodes with frequently-changing identity keys can blackhole
a hidden service. (Only authorities need upgrade; others will be
fine once they do.) Bugfix on 0.2.0.10-alpha; fixes bug 2709.
- Stop assigning the HSDir flag to relays that disable their
DirPort (and thus will refuse to answer directory requests). This
fix should dramatically improve the reachability of hidden services:
hidden services and hidden service clients pick six HSDir relays
to store and retrieve the hidden service descriptor, and currently
about half of the HSDir relays will refuse to work. Bugfix on
0.2.0.10-alpha; fixes part of bug 1693.
o Major bugfixes (misc):
- Clients now stop trying to use an exit node associated with a given
destination by TrackHostExits if they fail to reach that exit node.
Fixes bug 2999. Bugfix on 0.2.0.20-rc.
- Fix a regression that caused Tor to rebind its ports if it receives
SIGHUP while hibernating. Bugfix in 0.1.1.6-alpha; closes bug 919.
- Remove an extra pair of quotation marks around the error
message in control-port STATUS_GENERAL BUG events. Bugfix on
0.1.2.6-alpha; fixes bug 3732.
o Minor features (relays):
- Ensure that no empty [dirreq-](read|write)-history lines are added
to an extrainfo document. Implements ticket 2497.
- When bandwidth accounting is enabled, be more generous with how
much bandwidth we'll use up before entering "soft hibernation".
Previously, we'd refuse new connections and circuits once we'd
used up 95% of our allotment. Now, we use up 95% of our allotment,
AND make sure that we have no more than 500MB (or 3 hours of
expected traffic, whichever is lower) remaining before we enter
soft hibernation.
- Relays now log the reason for publishing a new relay descriptor,
so we have a better chance of hunting down instances of bug 1810.
Resolves ticket 3252.
- Log a little more clearly about the times at which we're no longer
accepting new connections (e.g. due to hibernating). Resolves
bug 2181.
- When AllowSingleHopExits is set, print a warning to explain to the
relay operator why most clients are avoiding her relay.
- Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors.
Clients before 0.2.1.27 didn't handle NOROUTE correctly, but such
clients are already deprecated because of security bugs.
o Minor features (network statistics):
- Directory mirrors that set "DirReqStatistics 1" write statistics
about directory requests to disk every 24 hours. As compared to the
"--enable-geoip-stats" ./configure flag in 0.2.1.x, there are a few
improvements: 1) stats are written to disk exactly every 24 hours;
2) estimated shares of v2 and v3 requests are determined as mean
values, not at the end of a measurement period; 3) unresolved
requests are listed with country code '??'; 4) directories also
measure download times.
- Exit nodes that set "ExitPortStatistics 1" write statistics on the
number of exit streams and transferred bytes per port to disk every
24 hours.
- Relays that set "CellStatistics 1" write statistics on how long
cells spend in their circuit queues to disk every 24 hours.
- Entry nodes that set "EntryStatistics 1" write statistics on the
rough number and origins of connecting clients to disk every 24
hours.
- Relays that write any of the above statistics to disk and set
"ExtraInfoStatistics 1" include the past 24 hours of statistics in
their extra-info documents. Implements proposal 166.
o Minor features (GeoIP and statistics):
- Provide a log message stating which geoip file we're parsing
instead of just stating that we're parsing the geoip file.
Implements ticket 2432.
- Make sure every relay writes a state file at least every 12 hours.
Previously, a relay could go for weeks without writing its state
file, and on a crash could lose its bandwidth history, capacity
estimates, client country statistics, and so on. Addresses bug 3012.
- Relays report the number of bytes spent on answering directory
requests in extra-info descriptors similar to {read,write}-history.
Implements enhancement 1790.
- Report only the top 10 ports in exit-port stats in order not to
exceed the maximum extra-info descriptor length of 50 KB. Implements
task 2196.
- If writing the state file to disk fails, wait up to an hour before
retrying again, rather than trying again each second. Fixes bug
2346; bugfix on Tor 0.1.1.3-alpha.
- Delay geoip stats collection by bridges for 6 hours, not 2 hours,
when we switch from being a public relay to a bridge. Otherwise
there will still be clients that see the relay in their consensus,
and the stats will end up wrong. Bugfix on 0.2.1.15-rc; fixes
bug 932.
- Update to the August 2 2011 Maxmind GeoLite Country database.
o Minor features (clients):
- When expiring circuits, use microsecond timers rather than
one-second timers. This can avoid an unpleasant situation where a
circuit is launched near the end of one second and expired right
near the beginning of the next, and prevent fluctuations in circuit
timeout values.
- If we've configured EntryNodes and our network goes away and/or all
our entrynodes get marked down, optimistically retry them all when
a new socks application request appears. Fixes bug 1882.
- Always perform router selections using weighted relay bandwidth,
even if we don't need a high capacity circuit at the time. Non-fast
circuits now only differ from fast ones in that they can use relays
not marked with the Fast flag. This "feature" could turn out to
be a horrible bug; we should investigate more before it goes into
a stable release.
- When we run out of directory information such that we can't build
circuits, but then get enough that we can build circuits, log when
we actually construct a circuit, so the user has a better chance of
knowing what's going on. Fixes bug 1362.
- Log SSL state transitions at debug level during handshake, and
include SSL states in error messages. This may help debug future
SSL handshake issues.
o Minor features (directory authorities):
- When a router changes IP address or port, authorities now launch
a new reachability test for it. Implements ticket 1899.
- Directory authorities now reject relays running any versions of
Tor between 0.2.1.3-alpha and 0.2.1.18 inclusive; they have
known bugs that keep RELAY_EARLY cells from working on rendezvous
circuits. Followup to fix for bug 2081.
- Directory authorities now reject relays running any version of Tor
older than 0.2.0.26-rc. That version is the earliest that fetches
current directory information correctly. Fixes bug 2156.
- Directory authorities now do an immediate reachability check as soon
as they hear about a new relay. This change should slightly reduce
the time between setting up a relay and getting listed as running
in the consensus. It should also improve the time between setting
up a bridge and seeing use by bridge users.
- Directory authorities no longer launch a TLS connection to every
relay as they startup. Now that we have 2k+ descriptors cached,
the resulting network hiccup is becoming a burden. Besides,
authorities already avoid voting about Running for the first half
hour of their uptime.
- Directory authorities now log the source of a rejected POSTed v3
networkstatus vote, so we can track failures better.
- Backport code from 0.2.3.x that allows directory authorities to
clean their microdescriptor caches. Needed to resolve bug 2230.
o Minor features (hidden services):
- Use computed circuit-build timeouts to decide when to launch
parallel introduction circuits for hidden services. (Previously,
we would retry after 15 seconds.)
- Don't allow v0 hidden service authorities to act as clients.
Required by fix for bug 3000.
- Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required
by fix for bug 3000.
- Make hidden services work better in private Tor networks by not
requiring any uptime to join the hidden service descriptor
DHT. Implements ticket 2088.
- Log (at info level) when purging pieces of hidden-service-client
state because of SIGNAL NEWNYM.
o Minor features (controller interface):
- New "GETINFO net/listeners/(type)" controller command to return
a list of addresses and ports that are bound for listeners for a
given connection type. This is useful when the user has configured
"SocksPort auto" and the controller needs to know which port got
chosen. Resolves another part of ticket 3076.
- Have the controller interface give a more useful message than
"Internal Error" in response to failed GETINFO requests.
- Add a TIMEOUT_RATE keyword to the BUILDTIMEOUT_SET control port
event, to give information on the current rate of circuit timeouts
over our stored history.
- The 'EXTENDCIRCUIT' control port command can now be used with
a circ id of 0 and no path. This feature will cause Tor to build
a new 'fast' general purpose circuit using its own path selection
algorithms.
- Added a BUILDTIMEOUT_SET controller event to describe changes
to the circuit build timeout.
- New controller command "getinfo config-text". It returns the
contents that Tor would write if you send it a SAVECONF command,
so the controller can write the file to disk itself.
o Minor features (controller protocol):
- Add a new ControlSocketsGroupWritable configuration option: when
it is turned on, ControlSockets are group-writable by the default
group of the current user. Patch by Jérémy Bobbio; implements
ticket 2972.
- Tor now refuses to create a ControlSocket in a directory that is
world-readable (or group-readable if ControlSocketsGroupWritable
is 0). This is necessary because some operating systems do not
enforce permissions on AF_UNIX sockets. Permissions on the
directory holding the socket, however, are enforced everywhere.
- Warn when CookieAuthFileGroupReadable is set but CookieAuthFile is
not. This would lead to a cookie that is still not group readable.
Closes bug 1843. Suggested by katmagic.
- Future-proof the controller protocol a bit by ignoring keyword
arguments we do not recognize.
o Minor features (more useful logging):
- Revise most log messages that refer to nodes by nickname to
instead use the "$key=nickname at address" format. This should be
more useful, especially since nicknames are less and less likely
to be unique. Resolves ticket 3045.
- When an HTTPS proxy reports "403 Forbidden", we now explain
what it means rather than calling it an unexpected status code.
Closes bug 2503. Patch from Michael Yakubovich.
- Rate-limit a warning about failures to download v2 networkstatus
documents. Resolves part of bug 1352.
- Rate-limit the "your application is giving Tor only an IP address"
warning. Addresses bug 2000; bugfix on 0.0.8pre2.
- Rate-limit "Failed to hand off onionskin" warnings.
- When logging a rate-limited warning, we now mention how many messages
got suppressed since the last warning.
- Make the formerly ugly "2 unknown, 7 missing key, 0 good, 0 bad,
2 no signature, 4 required" messages about consensus signatures
easier to read, and make sure they get logged at the same severity
as the messages explaining which keys are which. Fixes bug 1290.
- Don't warn when we have a consensus that we can't verify because
of missing certificates, unless those certificates are ones
that we have been trying and failing to download. Fixes bug 1145.
o Minor features (log domains):
- Add documentation for configuring logging at different severities in
different log domains. We've had this feature since 0.2.1.1-alpha,
but for some reason it never made it into the manpage. Fixes
bug 2215.
- Make it simpler to specify "All log domains except for A and B".
Previously you needed to say "[*,~A,~B]". Now you can just say
"[~A,~B]".
- Add a "LogMessageDomains 1" option to include the domains of log
messages along with the messages. Without this, there's no way
to use log domains without reading the source or doing a lot
of guessing.
- Add a new "Handshake" log domain for activities that happen
during the TLS handshake.
o Minor features (build process):
- Make compilation with clang possible when using
"--enable-gcc-warnings" by removing two warning options that clang
hasn't implemented yet and by fixing a few warnings. Resolves
ticket 2696.
- Detect platforms that brokenly use a signed size_t, and refuse to
build there. Found and analyzed by doorss and rransom.
- Fix a bunch of compile warnings revealed by mingw with gcc 4.5.
Resolves bug 2314.
- Add support for statically linking zlib by specifying
"--enable-static-zlib", to go with our support for statically
linking openssl and libevent. Resolves bug 1358.
- Instead of adding the svn revision to the Tor version string, report
the git commit (when we're building from a git checkout).
- Rename the "log.h" header to "torlog.h" so as to conflict with fewer
system headers.
- New --digests command-line switch to output the digests of the
source files Tor was built with.
- Generate our manpage and HTML documentation using Asciidoc. This
change should make it easier to maintain the documentation, and
produce nicer HTML. The build process fails if asciidoc cannot
be found and building with asciidoc isn't disabled (via the
"--disable-asciidoc" argument to ./configure). Skipping the manpage
speeds up the build considerably.
o Minor features (options / torrc):
- Warn when the same option is provided more than once in a torrc
file, on the command line, or in a single SETCONF statement, and
the option is one that only accepts a single line. Closes bug 1384.
- Warn when the user configures two HiddenServiceDir lines that point
to the same directory. Bugfix on 0.0.6 (the version introducing
HiddenServiceDir); fixes bug 3289.
- Add new "perconnbwrate" and "perconnbwburst" consensus params to
do individual connection-level rate limiting of clients. The torrc
config options with the same names trump the consensus params, if
both are present. Replaces the old "bwconnrate" and "bwconnburst"
consensus params which were broken from 0.2.2.7-alpha through
0.2.2.14-alpha. Closes bug 1947.
- New config option "WarnUnsafeSocks 0" disables the warning that
occurs whenever Tor receives a socks handshake using a version of
the socks protocol that can only provide an IP address (rather
than a hostname). Setups that do DNS locally over Tor are fine,
and we shouldn't spam the logs in that case.
- New config option "CircuitStreamTimeout" to override our internal
timeout schedule for how many seconds until we detach a stream from
a circuit and try a new circuit. If your network is particularly
slow, you might want to set this to a number like 60.
- New options for SafeLogging to allow scrubbing only log messages
generated while acting as a relay. Specify "SafeLogging relay" if
you want to ensure that only messages known to originate from
client use of the Tor process will be logged unsafely.
- Time and memory units in the configuration file can now be set to
fractional units. For example, "2.5 GB" is now a valid value for
AccountingMax.
- Support line continuations in the torrc config file. If a line
ends with a single backslash character, the newline is ignored, and
the configuration value is treated as continuing on the next line.
Resolves bug 1929.
o Minor features (unit tests):
- Revise our unit tests to use the "tinytest" framework, so we
can run tests in their own processes, have smarter setup/teardown
code, and so on. The unit test code has moved to its own
subdirectory, and has been split into multiple modules.
- Add a unit test for cross-platform directory-listing code.
- Add some forgotten return value checks during unit tests. Found
by coverity.
- Use GetTempDir to find the proper temporary directory location on
Windows when generating temporary files for the unit tests. Patch
by Gisle Vanem.
o Minor features (misc):
- The "torify" script now uses torsocks where available.
- Make Libevent log messages get delivered to controllers later,
and not from inside the Libevent log handler. This prevents unsafe
reentrant Libevent calls while still letting the log messages
get through.
- Certain Tor clients (such as those behind check.torproject.org) may
want to fetch the consensus in an extra early manner. To enable this
a user may now set FetchDirInfoExtraEarly to 1. This also depends on
setting FetchDirInfoEarly to 1. Previous behavior will stay the same
as only certain clients who must have this information sooner should
set this option.
- Expand homedirs passed to tor-checkkey. This should silence a
coverity complaint about passing a user-supplied string into
open() without checking it.
- Make sure to disable DirPort if running as a bridge. DirPorts aren't
used on bridges, and an open DirPort makes bridge scanning somewhat
easier.
- Create the /var/run/tor directory on startup on OpenSUSE if it is
not already created. Patch from Andreas Stieger. Fixes bug 2573.
o Minor bugfixes (relays):
- When a relay decided that its DNS was too broken for it to serve
as an exit server, it advertised itself as a non-exit, but
continued to act as an exit. This could create accidental
partitioning opportunities for users. Instead, if a relay is
going to advertise reject *:* as its exit policy, it should
really act with exit policy "reject *:*". Fixes bug 2366.
Bugfix on Tor 0.1.2.5-alpha. Bugfix by user "postman" on trac.
- Publish a router descriptor even if generating an extra-info
descriptor fails. Previously we would not publish a router
descriptor without an extra-info descriptor; this can cause fast
exit relays collecting exit-port statistics to drop from the
consensus. Bugfix on 0.1.2.9-rc; fixes bug 2195.
- When we're trying to guess whether we know our IP address as
a relay, we would log various ways that we failed to guess
our address, but never log that we ended up guessing it
successfully. Now add a log line to help confused and anxious
relay operators. Bugfix on 0.1.2.1-alpha; fixes bug 1534.
- For bandwidth accounting, calculate our expected bandwidth rate
based on the time during which we were active and not in
soft-hibernation during the last interval. Previously, we were
also considering the time spent in soft-hibernation. If this
was a long time, we would wind up underestimating our bandwidth
by a lot, and skewing our wakeup time towards the start of the
accounting interval. Fixes bug 1789. Bugfix on 0.0.9pre5.
- Demote a confusing TLS warning that relay operators might get when
someone tries to talk to their ORPort. It is not the operator's
fault, nor can they do anything about it. Fixes bug 1364; bugfix
on 0.2.0.14-alpha.
- Change "Application request when we're believed to be offline."
notice to "Application request when we haven't used client
functionality lately.", to clarify that it's not an error. Bugfix
on 0.0.9.3; fixes bug 1222.
o Minor bugfixes (bridges):
- When a client starts or stops using bridges, never use a circuit
that was built before the configuration change. This behavior could
put at risk a user who uses bridges to ensure that her traffic
only goes to the chosen addresses. Bugfix on 0.2.0.3-alpha; fixes
bug 3200.
- Do not reset the bridge descriptor download status every time we
re-parse our configuration or get a configuration change. Fixes
bug 3019; bugfix on 0.2.0.3-alpha.
- Users couldn't configure a regular relay to be their bridge. It
didn't work because when Tor fetched the bridge descriptor, it found
that it already had it, and didn't realize that the purpose of the
descriptor had changed. Now we replace routers with a purpose other
than bridge with bridge descriptors when fetching them. Bugfix on
0.1.1.9-alpha. Fixes bug 1776.
- In the special case where you configure a public exit relay as your
bridge, Tor would be willing to use that exit relay as the last
hop in your circuit as well. Now we fail that circuit instead.
Bugfix on 0.2.0.12-alpha. Fixes bug 2403. Reported by "piebeer".
o Minor bugfixes (clients):
- We now ask the other side of a stream (the client or the exit)
for more data on that stream when the amount of queued data on
that stream dips low enough. Previously, we wouldn't ask the
other side for more data until either it sent us more data (which
it wasn't supposed to do if it had exhausted its window!) or we
had completely flushed all our queued data. This flow control fix
should improve throughput. Fixes bug 2756; bugfix on the earliest
released versions of Tor (svn commit r152).
- When a client finds that an origin circuit has run out of 16-bit
stream IDs, we now mark it as unusable for new streams. Previously,
we would try to close the entire circuit. Bugfix on 0.0.6.
- Make it explicit that we don't cannibalize one-hop circuits. This
happens in the wild, but doesn't turn out to be a problem because
we fortunately don't use those circuits. Many thanks to outofwords
for the initial analysis and to swissknife who confirmed that
two-hop circuits are actually created.
- Resolve an edge case in path weighting that could make us misweight
our relay selection. Fixes bug 1203; bugfix on 0.0.8rc1.
- Make the DNSPort option work with libevent 2.x. Don't alter the
behaviour for libevent 1.x. Fixes bug 1143. Found by SwissTorExit.
o Minor bugfixes (directory authorities):
- Make directory authorities more accurate at recording when
relays that have failed several reachability tests became
unreachable, so we can provide more accuracy at assigning Stable,
Guard, HSDir, etc flags. Bugfix on 0.2.0.6-alpha. Resolves bug 2716.
- Directory authorities are now more robust to hops back in time
when calculating router stability. Previously, if a run of uptime
or downtime appeared to be negative, the calculation could give
incorrect results. Bugfix on 0.2.0.6-alpha; noticed when fixing
bug 1035.
- Directory authorities will now attempt to download consensuses
if their own efforts to make a live consensus have failed. This
change means authorities that restart will fetch a valid
consensus, and it means authorities that didn't agree with the
current consensus will still fetch and serve it if it has enough
signatures. Bugfix on 0.2.0.9-alpha; fixes bug 1300.
- Never vote for a server as "Running" if we have a descriptor for
it claiming to be hibernating, and that descriptor was published
more recently than our last contact with the server. Bugfix on
0.2.0.3-alpha; fixes bug 911.
- Directory authorities no longer change their opinion of, or vote on,
whether a router is Running, unless they have themselves been
online long enough to have some idea. Bugfix on 0.2.0.6-alpha.
Fixes bug 1023.
o Minor bugfixes (hidden services):
- Log malformed requests for rendezvous descriptors as protocol
warnings, not warnings. Also, use a more informative log message
in case someone sees it at log level warning without prior
info-level messages. Fixes bug 2748; bugfix on 0.2.0.10-alpha.
- Accept hidden service descriptors if we think we might be a hidden
service directory, regardless of what our consensus says. This
helps robustness, since clients and hidden services can sometimes
have a more up-to-date view of the network consensus than we do,
and if they think that the directory authorities list us as an
HSDir, we might actually be one. Related to bug 2732; bugfix on
0.2.0.10-alpha.
- Correct the warning displayed when a rendezvous descriptor exceeds
the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
John Brooks.
- Clients and hidden services now use HSDir-flagged relays for hidden
service descriptor downloads and uploads even if the relays have no
DirPort set and the client has disabled TunnelDirConns. This will
eventually allow us to give the HSDir flag to relays with no
DirPort. Fixes bug 2722; bugfix on 0.2.1.6-alpha.
- Only limit the lengths of single HS descriptors, even when multiple
HS descriptors are published to an HSDir relay in a single POST
operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha. Found by hsdir.
o Minor bugfixes (controllers):
- Allow GETINFO fingerprint to return a fingerprint even when
we have not yet built a router descriptor. Fixes bug 3577;
bugfix on 0.2.0.1-alpha.
- Send a SUCCEEDED stream event to the controller when a reverse
resolve succeeded. Fixes bug 3536; bugfix on 0.0.8pre1. Issue
discovered by katmagic.
- Remove a trailing asterisk from "exit-policy/default" in the
output of the control port command "GETINFO info/names". Bugfix
on 0.1.2.5-alpha.
- Make the SIGNAL DUMP controller command work on FreeBSD. Fixes bug
2917. Bugfix on 0.1.1.1-alpha.
- When we restart our relay, we might get a successful connection
from the outside before we've started our reachability tests,
triggering a warning: "ORPort found reachable, but I have no
routerinfo yet. Failing to inform controller of success." This
bug was harmless unless Tor is running under a controller
like Vidalia, in which case the controller would never get a
REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
fixes bug 1172.
- When a controller changes TrackHostExits, remove mappings for
hosts that should no longer have their exits tracked. Bugfix on
0.1.0.1-rc.
- When a controller changes VirtualAddrNetwork, remove any mappings
for hosts that were automapped to the old network. Bugfix on
0.1.1.19-rc.
- When a controller changes one of the AutomapHosts* options, remove
any mappings for hosts that should no longer be automapped. Bugfix
on 0.2.0.1-alpha.
- Fix an off-by-one error in calculating some controller command
argument lengths. Fortunately, this mistake is harmless since
the controller code does redundant NUL termination too. Found by
boboper. Bugfix on 0.1.1.1-alpha.
- Fix a bug in the controller interface where "GETINFO ns/asdaskljkl"
would return "551 Internal error" rather than "552 Unrecognized key
ns/asdaskljkl". Bugfix on 0.1.2.3-alpha.
- Don't spam the controller with events when we have no file
descriptors available. Bugfix on 0.2.1.5-alpha. (Rate-limiting
for log messages was already solved from bug 748.)
- Emit a GUARD DROPPED controller event for a case we missed.
- Ensure DNS requests launched by "RESOLVE" commands from the
controller respect the __LeaveStreamsUnattached setconf option. The
same goes for requests launched via DNSPort or transparent
proxying. Bugfix on 0.2.0.1-alpha; fixes bug 1525.
o Minor bugfixes (config options):
- Tor used to limit HttpProxyAuthenticator values to 48 characters.
Change the limit to 512 characters by removing base64 newlines.
Fixes bug 2752. Fix by Michael Yakubovich.
- Complain if PublishServerDescriptor is given multiple arguments that
include 0 or 1. This configuration will be rejected in the future.
Bugfix on 0.2.0.1-alpha; closes bug 1107.
- Disallow BridgeRelay 1 and ORPort 0 at once in the configuration.
Bugfix on 0.2.0.13-alpha; closes bug 928.
o Minor bugfixes (log subsystem fixes):
- When unable to format an address as a string, report its value
as "???" rather than reusing the last formatted address. Bugfix
on 0.2.1.5-alpha.
- Be more consistent in our treatment of file system paths. "~" should
get expanded to the user's home directory in the Log config option.
Fixes bug 2971; bugfix on 0.2.0.1-alpha, which introduced the
feature for the -f and --DataDirectory options.
o Minor bugfixes (memory management):
- Don't stack-allocate the list of supplementary GIDs when we're
about to log them. Stack-allocating NGROUPS_MAX gid_t elements
could take up to 256K, which is way too much stack. Found by
Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
- Save a couple bytes in memory allocation every time we escape
certain characters in a string. Patch from Florian Zumbiehl.
o Minor bugfixes (protocol correctness):
- When checking for 1024-bit keys, check for 1024 bits, not 128
bytes. This allows Tor to correctly discard keys of length 1017
through 1023. Bugfix on 0.0.9pre5.
- Require that introduction point keys and onion handshake keys
have a public exponent of 65537. Starts to fix bug 3207; bugfix
on 0.2.0.10-alpha.
- Handle SOCKS messages longer than 128 bytes correctly, rather
than waiting forever for them to finish. Fixes bug 2330; bugfix
on 0.2.0.16-alpha. Found by doorss.
- Never relay a cell for a circuit we have already destroyed.
Between marking a circuit as closeable and finally closing it,
it may have been possible for a few queued cells to get relayed,
even though they would have been immediately dropped by the next
OR in the circuit. Fixes bug 1184; bugfix on 0.2.0.1-alpha.
- Never queue a cell for a circuit that's already been marked
for close.
- Fix a spec conformance issue: the network-status-version token
must be the first token in a v3 consensus or vote. Discovered by
"parakeep". Bugfix on 0.2.0.3-alpha.
- A networkstatus vote must contain exactly one signature. Spec
conformance issue. Bugfix on 0.2.0.3-alpha.
- When asked about a DNS record type we don't support via a
client DNSPort, reply with NOTIMPL rather than an empty
reply. Patch by intrigeri. Fixes bug 3369; bugfix on 0.2.0.1-alpha.
- Make more fields in the controller protocol case-insensitive, since
control-spec.txt said they were.
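As an added example, not Tor's code: the two key checks listed above (exactly 1024 bits, public exponent 65537) applied to an RSA public key given as a big-endian modulus plus exponent, next to the old byte-count test that let 1017- to 1023-bit moduli through. The moduli built here are constructed byte patterns for illustration, not real RSA keys.

```c
/* Added example, not Tor's code: "is this modulus 1024 bits?" done by
 * counting bytes (the old, wrong way) and by counting bits (the fix),
 * plus the exponent check. The moduli are constructed byte patterns. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WANT_BITS     1024u
#define WANT_EXPONENT 65537u
#define MOD_BYTES     (WANT_BITS / 8)

/* Number of significant bytes once leading zero bytes are skipped
 * (a DER INTEGER decoder hands over the value without them). */
static size_t significant_bytes(const uint8_t *n, size_t len)
{
  size_t i = 0;
  while (i < len && n[i] == 0)
    i++;
  return len - i;
}

/* Bit length of a big-endian unsigned integer: 8 bits for every byte
 * below the top one, plus the position of the top byte's highest set bit. */
unsigned modulus_bits(const uint8_t *n, size_t len)
{
  size_t sig = significant_bytes(n, len);
  if (sig == 0)
    return 0;
  unsigned bits = (unsigned)((sig - 1) * 8);
  for (uint8_t top = n[len - sig]; top; top >>= 1)
    bits++;
  return bits;
}

/* The old test: does the modulus occupy exactly 128 bytes? Every modulus
 * from 1017 to 1024 bits does, so a 1017-bit key passes. */
int key_ok_by_bytes(const uint8_t *n, size_t len)
{
  return significant_bytes(n, len) == MOD_BYTES;
}

/* The corrected test: exactly 1024 bits, and e must be 65537. */
int key_ok_by_bits(const uint8_t *n, size_t len, uint32_t e)
{
  return modulus_bits(n, len) == WANT_BITS && e == WANT_EXPONENT;
}

/* Fill a 128-byte modulus whose top byte is `top`; the remaining bytes are
 * a fixed pattern with the low bit set so the number is odd. Constructed
 * test data, not a real key. */
void make_modulus(uint8_t n[MOD_BYTES], uint8_t top)
{
  memset(n, 0xA5, MOD_BYTES);
  n[0] = top;
  n[MOD_BYTES - 1] |= 1;
}

int main(void)
{
  static const uint8_t tops[] = { 0x80, 0x7F, 0x01, 0x00 };
  uint8_t n[MOD_BYTES];
  for (size_t i = 0; i < sizeof tops; i++) {
    make_modulus(n, tops[i]);
    printf("top byte 0x%02X: %4u bits, by-bytes=%d, "
           "by-bits(e=65537)=%d, by-bits(e=3)=%d\n",
           tops[i], modulus_bits(n, MOD_BYTES),
           key_ok_by_bytes(n, MOD_BYTES),
           key_ok_by_bits(n, MOD_BYTES, WANT_EXPONENT),
           key_ok_by_bits(n, MOD_BYTES, 3u));
  }
  return 0;
}
```

The byte-count check only fails once the top byte is zero (a 1016-bit or smaller modulus); anything whose top byte is 0x01 through 0x7F is still 128 bytes long and is accepted, which is exactly the 1017-to-1023-bit gap the changelog entry describes.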
o Minor bugfixes (log messages):
- Fix a log message that said "bits" while displaying a value in
bytes. Found by wanoskarnet. Fixes bug 3318; bugfix on
0.2.0.1-alpha.
- Downgrade "no current certificates known for authority" message from
Notice to Info. Fixes bug 2899; bugfix on 0.2.0.10-alpha.
- Correctly describe errors that occur when generating a TLS object.
Previously we would attribute them to a failure while generating a
TLS context. Patch by Robert Ransom. Bugfix on 0.1.0.4-rc; fixes
bug 1994.
- Fix an instance where a Tor directory mirror might accidentally
log the IP address of a misbehaving Tor client. Bugfix on
0.1.0.1-rc.
- Stop logging at severity 'warn' when some other Tor client tries
to establish a circuit with us using weak DH keys. It's a protocol
violation, but that doesn't mean ordinary users need to hear about
it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13.
- If your relay can't keep up with the number of incoming create
cells, it would log one warning per failure into your logs. Limit
warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042.
o Minor bugfixes (build fixes):
- Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
- When warning about missing zlib development packages during compile,
give the correct package names. Bugfix on 0.2.0.1-alpha.
- Fix warnings that newer versions of autoconf produce during
./autogen.sh. These warnings appear to be harmless in our case,
but they were extremely verbose. Fixes bug 2020.
- Squash a compile warning on OpenBSD. Reported by Tas; fixes
bug 1848.
o Minor bugfixes (portability):
- Write several files in text mode, on OSes that distinguish text
mode from binary mode (namely, Windows). These files are:
'buffer-stats', 'dirreq-stats', and 'entry-stats' on relays
that collect those statistics; 'client_keys' and 'hostname' for
hidden services that use authentication; and (in the tor-gencert
utility) newly generated identity and signing keys. Previously,
we wouldn't specify text mode or binary mode, leading to an
assertion failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when
the DirRecordUsageByCountry option which would have triggered
the assertion failure was added), although this assertion failure
would have occurred in tor-gencert on Windows in 0.2.0.1-alpha.
- Selectively disable deprecation warnings on OS X because Lion
started deprecating the shipped copy of openssl. Fixes bug 3643.
- Use a wide type to hold sockets when built for 64-bit Windows.
Fixes bug 3270.
- Fix an issue that prevented static linking of libevent on
some platforms (notably Linux). Fixes bug 2698; bugfix on 0.2.1.23,
where we introduced the "--with-static-libevent" configure option.
- Fix a bug with our locking implementation on Windows that couldn't
correctly detect when a file was already locked. Fixes bug 2504,
bugfix on 0.2.1.6-alpha.
- Build correctly on OSX with zlib 1.2.4 and higher with all warnings
enabled.
- Fix IPv6-related connect() failures on some platforms (BSD, OS X).
Bugfix on 0.2.0.3-alpha; fixes first part of bug 2660. Patch by
"piebeer".
o Minor bugfixes (code correctness):
- Always NUL-terminate the sun_path field of a sockaddr_un before
passing it to the kernel. (Not a security issue: kernels are
smart enough to reject bad sockaddr_uns.) Found by Coverity;
CID #428. Bugfix on Tor 0.2.0.3-alpha.
- Make connection_printf_to_buf()'s behaviour sane. Its callers
expect it to emit a CRLF iff the format string ends with CRLF;
it actually emitted a CRLF iff (a) the format string ended with
CRLF or (b) the resulting string was over 1023 characters long or
(c) the format string did not end with CRLF *and* the resulting
string was 1021 characters long or longer. Bugfix on 0.1.1.9-alpha;
fixes part of bug 3407.
- Make send_control_event_impl()'s behaviour sane. Its callers
expect it to always emit a CRLF at the end of the string; it
might have emitted extra control characters as well. Bugfix on
0.1.1.9-alpha; fixes another part of bug 3407.
- Make crypto_rand_int() check the value of its input correctly.
Previously, it accepted values up to UINT_MAX, but could return a
negative number if given a value above INT_MAX+1. Found by George
Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14.
- Fix a potential null-pointer dereference while computing a
consensus. Bugfix on tor-0.2.0.3-alpha, found with the help of
clang's analyzer.
- If we fail to compute the identity digest of a v3 legacy keypair,
warn, and don't use a buffer-full of junk instead. Bugfix on
0.2.1.1-alpha; fixes bug 3106.
- Resolve an untriggerable issue in smartlist_string_num_isin(),
where if the function had ever in the future been used to check
for the presence of a too-large number, it would have given an
incorrect result. (Fortunately, we only used it for 16-bit
values.) Fixes bug 3175; bugfix on 0.1.0.1-rc.
- Be more careful about reporting the correct error from a failed
connect() system call. Under some circumstances, it was possible to
look at an incorrect value for errno when sending the end reason.
Bugfix on 0.1.0.1-rc.
- Correctly handle an "impossible" overflow case in connection byte
counting, where we write or read more than 4GB on an edge connection
in a single second. Bugfix on 0.1.2.8-beta.
- Avoid a double mark-for-free warning when failing to attach a
transparent proxy connection. Bugfix on 0.1.2.1-alpha. Fixes
bug 2279.
- Correctly detect failure to allocate an OpenSSL BIO. Fixes bug 2378;
found by "cypherpunks". This bug was introduced before the first
Tor release, in svn commit r110.
- Fix a bug in bandwidth history state parsing that could have been
triggered if a future version of Tor ever changed the timing
granularity at which bandwidth history is measured. Bugfix on
Tor 0.1.1.11-alpha.
- Add assertions to check for overflow in arguments to
base32_encode() and base32_decode(); fix a signed-unsigned
comparison there too. These bugs are not actually reachable in Tor,
but it's good to prevent future errors too. Found by doorss.
- Avoid a bogus overlapped memcpy in tor_addr_copy(). Reported by
"memcpyfail".
- Set target port in get_interface_address6() correctly. Bugfix
on 0.1.1.4-alpha and 0.2.0.3-alpha; fixes second part of bug 2660.
- Fix an impossible-to-actually-trigger buffer overflow in relay
descriptor generation. Bugfix on 0.1.0.15.
- Fix numerous small code-flaws found by Coverity Scan Rung 3.
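As an added example, not Tor's code: the signed/unsigned mistake described for crypto_rand_int() above, written as a small "random int below max" helper in its unchecked and checked forms. The random source is passed in as a callback so the behaviour can be reproduced; the fixed-sequence source in the block is constructed for illustration and is not a CSPRNG.

```c
/* Added example, not Tor's code: a "random int in [0, max)" helper in the
 * unchecked shape that can return a negative number, and a checked shape
 * that rejects bad bounds and samples without modulo bias. The random
 * source is a callback; seq_next below is a constructed stand-in. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t (*rand32_fn)(void *ctx);

/* Unchecked form: max is unsigned and accepted all the way up to UINT_MAX,
 * but the result is returned as int. For max > INT_MAX + 1 the residue
 * raw % max can exceed INT_MAX; converting that to int is
 * implementation-defined and, on the usual two's-complement compilers,
 * produces a negative number. */
int rand_int_unchecked(unsigned int max, rand32_fn next, void *ctx)
{
  uint32_t raw = next(ctx);
  return (int)(raw % max);
}

/* Checked form: refuse max == 0 and max > INT_MAX before drawing anything
 * (return -1, *out untouched), then use rejection sampling so the result
 * is uniform even when max does not divide 2^32. */
int rand_int_checked(unsigned int max, rand32_fn next, void *ctx, int *out)
{
  if (max == 0 || max > (unsigned int)INT_MAX)
    return -1;
  /* Largest multiple of max not above UINT32_MAX. Draws at or above it
   * would favour the small residues, so they are discarded and redrawn. */
  uint32_t cutoff = UINT32_MAX - (UINT32_MAX % max);
  for (;;) {
    uint32_t raw = next(ctx);
    if (raw < cutoff) {
      *out = (int)(raw % max);   /* max <= INT_MAX, so this fits an int */
      return 0;
    }
  }
}

/* Constructed deterministic source: replays a fixed list of 32-bit values,
 * wrapping around, so each call sequence above is reproducible. */
typedef struct { const uint32_t *vals; size_t n; size_t i; } seq_ctx;

uint32_t seq_next(void *ctx)
{
  seq_ctx *s = ctx;
  return s->vals[s->i++ % s->n];
}

int main(void)
{
  static const uint32_t vals[] = { 0x80000000u, 0xFFFFFFFFu, 7u };
  seq_ctx s = { vals, 3, 0 };
  int out = 0;

  /* max = INT_MAX + 2: the unchecked version hands back a negative int. */
  printf("unchecked(0x80000001): %d\n",
         rand_int_unchecked(0x80000001u, seq_next, &s));
  s.i = 0;
  printf("checked(0x80000001):   rc=%d\n",
         rand_int_checked(0x80000001u, seq_next, &s, &out));
  s.i = 1;
  if (rand_int_checked(10u, seq_next, &s, &out) == 0)
    printf("checked(10):           %d (after rejecting 0xFFFFFFFF)\n", out);
  return 0;
}
```

The bound check has to happen before the first draw: once a draw of 0x80000000 has been reduced modulo 0x80000001, no later test on the int can tell a genuine small result from a wrapped one. The cutoff is computed from UINT32_MAX rather than 2^32 so it stays representable when max is a power of two.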
o Minor bugfixes (code improvements):
- After we free an internal connection structure, overwrite it
with a different memory value than we use for overwriting a freed
internal circuit structure. Should help with debugging. Suggested
by bug 1055.
- If OpenSSL fails to make a duplicate of a private or public key, log
an error message and try to exit cleanly. May help with debugging
if bug 1209 ever remanifests.
- Some options used different conventions for uppercasing of acronyms
when comparing manpage and source. Fix those in favor of the
manpage, as it makes sense to capitalize acronyms.
- Take a first step towards making or.h smaller by splitting out
function definitions for all source files in src/or/. Leave
structures and defines in or.h for now.
- Remove a few dead assignments during router parsing. Found by
coverity.
- Don't use 1-bit wide signed bit fields. Found by coverity.
- Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
None of the cases where we did this before were wrong, but by making
this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
- The memarea code now uses a sentinel value at the end of each area
to make sure nothing writes beyond the end of an area. This might
help debug some conceivable causes of bug 930.
- Always treat failure to allocate an RSA key as an unrecoverable
allocation error.
- Add some more defensive programming for architectures that can't
handle unaligned integer accesses. We don't know of any actual bugs
right now, but that's the best time to fix them. Fixes bug 1943.
o Minor bugfixes (misc):
- Fix a rare bug in rend_fn unit tests: we would fail a test when
a randomly generated port is 0. Diagnosed by Matt Edman. Bugfix
on 0.2.0.10-alpha; fixes bug 1808.
- Where available, use Libevent 2.0's periodic timers so that our
once-per-second cleanup code gets called even more closely to
once per second than it would otherwise. Fixes bug 943.
- Ignore OutboundBindAddress when connecting to localhost.
Connections to localhost need to come _from_ localhost, or else
local servers (like DNS and outgoing HTTP/SOCKS proxies) will often
refuse to listen.
- Update our OpenSSL 0.9.8l fix so that it works with OpenSSL 0.9.8m
too.
- If any of the v3 certs we download are unparseable, we should
actually notice the failure so we don't retry indefinitely. Bugfix
on 0.2.0.x; reported by "rotator".
- When Tor fails to parse a descriptor of any kind, dump it to disk.
Might help diagnosing bug 1051.
- Make our 'torify' script more portable; if we have only one of
'torsocks' or 'tsocks' installed, don't complain to the user;
and explain our warning about tsocks better.
- Fix some urls in the exit notice file and make it XHTML1.1 strict
compliant. Based on a patch from Christian Kujau.
o Documentation changes:
- Modernize the doxygen configuration file slightly. Fixes bug 2707.
- Resolve all doxygen warnings except those for missing documentation.
Fixes bug 2705.
- Add doxygen documentation for more functions, fields, and types.
- Convert the HACKING file to asciidoc, and add a few new sections
to it, explaining how we use Git, how we make changelogs, and
what should go in a patch.
- Document the default socks host and port (127.0.0.1:9050) for
tor-resolve.
- Removed some unnecessary files from the source distribution. The
AUTHORS file has now been merged into the people page on the
website. The roadmaps and design doc can now be found in the
projects directory in svn.
o Deprecated and removed features (config):
- Remove the torrc.complete file. It hasn't been kept up to date
and users will have better luck checking out the manpage.
- Remove the HSAuthorityRecordStats option that version 0 hidden
service authorities could use to track statistics of overall v0
hidden service usage.
- Remove the obsolete "NoPublish" option; it has been flagged
as obsolete and has produced a warning since 0.1.1.18-rc.
- Caches no longer download and serve v2 networkstatus documents
unless the FetchV2Networkstatus flag is set: these documents haven't
been used by clients or relays since 0.2.0.x. Resolves
bug 3022.
o Deprecated and removed features (controller):
- The controller no longer accepts the old obsolete "addr-mappings/"
or "unregistered-servers-" GETINFO values.
- The EXTENDED_EVENTS and VERBOSE_NAMES controller features are now
always on; using them is necessary for correct forward-compatible
controllers.
o Deprecated and removed features (misc):
- Hidden services no longer publish version 0 descriptors, and clients
do not request or use version 0 descriptors. However, the old hidden
service authorities still accept and serve version 0 descriptors
when contacted by older hidden services/clients.
- Remove undocumented option "-F" from tor-resolve: it hasn't done
anything since 0.2.1.16-rc.
- Remove everything related to building the expert bundle for OS X.
It has confused many users, doesn't work right on OS X 10.6,
and is hard to get rid of once installed. Resolves bug 1274.
- Remove support for .noconnect style addresses. Nobody was using
them, and they provided another avenue for detecting Tor users
via application-level web tricks.
- When we fixed bug 1038 we had to put in a restriction not to send
RELAY_EARLY cells on rend circuits. This was necessary as long
as relays using Tor 0.2.1.3-alpha through 0.2.1.18-alpha were
active. Now remove this obsolete check. Resolves bug 2081.
- Remove workaround code to handle directory responses from servers
that had bug 539 (they would send HTTP status 503 responses _and_
send a body too). Since only server versions before
0.2.0.16-alpha/0.1.2.19 were affected, there is no longer reason to
keep the workaround in place.
- Remove the old 'fuzzy time' logic. It was supposed to be used for
handling calculations where we have a known amount of clock skew and
an allowed amount of unknown skew. But we only used it in three
places, and we never adjusted the known/unknown skew values. This is
still something we might want to do someday, but if we do, we'll
want to do it differently.
- Remove the "--enable-iphone" option to ./configure. According to
reports from Marco Bonetti, Tor builds fine without any special
tweaking on recent iPhone SDK versions.