commit 7f074c3fa7a095805fb683808ddb3b246e4803b4
Author: Nick Mathewson nickm@torproject.org
Date: Thu Sep 22 18:22:47 2016 -0400

    Reflow the changelog
---
 ChangeLog | 263 ++++++++++++++++++++++++++++++-------------------------------
 1 file changed, 129 insertions(+), 134 deletions(-)
diff --git a/ChangeLog b/ChangeLog index b5d5985..f422fd8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,9 +1,9 @@ Changes in version 0.2.9.3-alpha - 2016-09-2? - Tor 0.2.9.3-alpha adds improved support for entities that - want to make high-performance services available through the Tor .onion - mechanism without themselves receiving anonymity as they host those - services. It also tries harder to ensure that all steps on a circuit are - using the strongest crypto possible, strengthens some TLS properties, and + Tor 0.2.9.3-alpha adds improved support for entities that want to make + high-performance services available through the Tor .onion mechanism + without themselves receiving anonymity as they host those services. It + also tries harder to ensure that all steps on a circuit are using the + strongest crypto possible, strengthens some TLS properties, and resolves several bugs -- including a pair of crash bugs from the 0.2.8 series. Anybody running an earlier version of 0.2.9.x should upgrade.
@@ -12,40 +12,39 @@ Changes in version 0.2.9.3-alpha - 2016-09-2? o Major features (circuit building, security): - Authorities, relays and clients specifically check that each descriptor has an ntor key. - - Circuit-building code assumes that all hops can use ntor, - except for rare hidden service protocol cases. + - Circuit-building code assumes that all hops can use ntor, except + for rare hidden service protocol cases. - Client code never chooses nodes without ntor keys: they will not be selected during circuit-building, or as guards, or as directory mirrors, or as introduction or rendezvous points. - - Clients avoid downloading a descriptor if the relay version is - too old to support ntor. + - Clients avoid downloading a descriptor if the relay version is too + old to support ntor. - Tor authorities, relays, and clients only use ntor, except for rare cases in the hidden service protocol.
o Major features (onion services): - Add experimental HiddenServiceSingleHopMode and - HiddenServiceNonAnonymousMode options. When both are set to 1, every - hidden service on a tor instance becomes a non-anonymous Single Onion - Service. Single Onions make one-hop (direct) connections to their - introduction and renzedvous points. One-hop circuits make Single Onion - servers easily locatable, but clients remain location-anonymous. - This is compatible with the existing hidden service implementation, and - works on the current tor network without any changes to older relays or - clients. - Implements proposal 260, completes ticket 17178. Patch by teor and asn. + HiddenServiceNonAnonymousMode options. When both are set to 1, + every hidden service on a tor instance becomes a non-anonymous + Single Onion Service. Single Onions make one-hop (direct) + connections to their introduction and renzedvous points. One-hop + circuits make Single Onion servers easily locatable, but clients + remain location-anonymous. This is compatible with the existing + hidden service implementation, and works on the current tor + network without any changes to older relays or clients. Implements + proposal 260, completes ticket 17178. Patch by teor and asn.
o Major features (resource management): - - Tor now includes support for noticing when we are about to run out of - sockets, and preemptively closing connections of lower priority. - (This feature is off by default for now, since the current prioritizing - method is not mature enough yet. You can enable it by setting - "DisableOOSCheck 0".) Closes ticket 18640. + - Tor now includes support for noticing when we are about to run out + of sockets, and preemptively closing connections of lower + priority. (This feature is off by default for now, since the + current prioritizing method is not mature enough yet. You can + enable it by setting "DisableOOSCheck 0".) Closes ticket 18640.
o Major bugfixes (circuit building): - - Hidden service client-to-intro-point and service-to-rendezvous-point - cicruitss use the TAP key supplied by the protocol, to avoid - epistemic attacks. - Fixes bug 19163; bugfix on 0.2.4.18-rc. + - Hidden service client-to-intro-point and service-to-rendezvous- + point cicruitss use the TAP key supplied by the protocol, to avoid + epistemic attacks. Fixes bug 19163; bugfix on 0.2.4.18-rc.
o Major bugfixes (compilation, OpenBSD): - Fix a Libevent-detection bug in our autoconf script that would @@ -53,105 +52,88 @@ Changes in version 0.2.9.3-alpha - 2016-09-2? rubiate. Fixes bug 19902; bugfix on 0.2.9.1-alpha.
o Major bugfixes (hidden services): - - Clients require hidden services to include the TAP keys - for their intro points in the hidden service descriptor. - This prevents an inadvertent upgrade to ntor, which a - malicious hidden service could use to discover which - consensus a client has. - Fixes bug 20012; bugfix on 0.2.4.8-alpha. Patch by teor. + - Clients require hidden services to include the TAP keys for their + intro points in the hidden service descriptor. This prevents an + inadvertent upgrade to ntor, which a malicious hidden service + could use to discover which consensus a client has. Fixes bug + 20012; bugfix on 0.2.4.8-alpha. Patch by teor.
- o Minor feature (port flags): - - Add *Port flags NoDNSRequest and NoOnionTraffic, and - the synthetic flag OnionTrafficOnly, which is equivalent to - NoDNSRequest, NoIPv4Traffic, and NoIPv6Traffic. - Closes enhancement 18693; patch by "teor". + o Minor features (security, TLS): + - Servers no longer support clients that do not provide AES + ciphersuites. (3DES is no longer considered an acceptable cipher.) + We believe that no such clients currently exist, since we have + required OpenSSL 0.9.7 or later since 2009. Closes ticket 19998.
- o Minor features (testing, ipv6): - - Add the single-onion and single-onion-ipv6 chutney targets to - make test-network-all. This requires a recent chutney version - with the single onion network flavours (git c72a652 or later). - Closes ticket 20072; patch by teor. - - Add the hs-ipv6 chutney target to make test-network-all's IPv6 - tests. Remove bridges+hs, as it's somewhat redundant. - This requires a recent chutney version that supports IPv6 clients, - relays, and authorities. - Closes ticket 20069; patch by teor. + o Minor feature (port flags): + - Add *Port flags NoDNSRequest and NoOnionTraffic, and the synthetic + flag OnionTrafficOnly, which is equivalent to NoDNSRequest, + NoIPv4Traffic, and NoIPv6Traffic. Closes enhancement 18693; patch + by "teor".
o Minor features (directory authority): - - After voting, if the authorities decide that a relay is not "Valid", - they no longer include it in the consensus at all. Closes ticket - 20002; implements part of proposal 272. - - o Minor features (security, TLS): - - Servers no longer support clients that do not provide AES - ciphersuites. (3DES is no longer considered an acceptable - cipher.) We believe that no such clients currently exist, - since we have required OpenSSL 0.9.7 or later since 2009. - Closes ticket 19998. + - After voting, if the authorities decide that a relay is not + "Valid", they no longer include it in the consensus at all. Closes + ticket 20002; implements part of proposal 272.
o Minor features (testing): - - Disable memory protections on OpenBSD when testing memwipe(). - The test deliberately invokes undefined behaviour which the - protections interfere with. Patch from "rubiate". Closes ticket - 20066. + - Disable memory protections on OpenBSD when testing memwipe(). The + test deliberately invokes undefined behaviour which the protections + interfere with. Patch from "rubiate". Closes ticket 20066. + + o Minor features (testing, ipv6): + - Add the single-onion and single-onion-ipv6 chutney targets to make + test-network-all. This requires a recent chutney version with the + single onion network flavours (git c72a652 or later). Closes + ticket 20072; patch by teor. + - Add the hs-ipv6 chutney target to make test-network-all's IPv6 + tests. Remove bridges+hs, as it's somewhat redundant. This + requires a recent chutney version that supports IPv6 clients, + relays, and authorities. Closes ticket 20069; patch by teor.
o Minor features (Tor2web): - - Make Tor2web clients respect ReachableAddresses. - This feature was inadvertently enabled in 0.2.8.6, then removed - by bugfix 19973 on 0.2.8.7. - Implements feature 20034. Patch by teor. + - Make Tor2web clients respect ReachableAddresses. This feature was + inadvertently enabled in 0.2.8.6, then removed by bugfix 19973 on + 0.2.8.7. Implements feature 20034. Patch by teor.
o Minor features (unit tests): - Our link-handshake unit tests now check, that when invalid - handshakes fail, they fail with the error messages we - expected. - - Our unit testing code that captures log messages no longer prevents - them from being written out if the user asked for them (by passing - --debug or --info or or --notice --warn to the "test" binary). This - change will prevent us from missing unexpected log messages simply - because we were looking for others. Related to ticket 19999. + handshakes fail, they fail with the error messages we expected. + - Our unit testing code that captures log messages no longer + prevents them from being written out if the user asked for them + (by passing --debug or --info or or --notice --warn to the "test" + binary). This change will prevent us from missing unexpected log + messages simply because we were looking for others. Related to + ticket 19999. - The unit tests now log all warning messages with the "BUG" flag. Previously, they only logged errors by default. This change will - help us make our testing code more correct, and make sure that - we only hit this code when we mean to. This is preparatory work - for ticket 19999. + help us make our testing code more correct, and make sure that we + only hit this code when we mean to. This is preparatory work for + ticket 19999. - The unit tests now treat any failure of a "tor_assert_nonfatal()" assertion as a test failure. - We've done significant work to make the unit tests run faster.
o Minor bug fixes (circuits): - - Use CircuitBuildTimeout whenever LearnCircuitBuildTimeout is disabled. - Fixes bug 19678; bugfix on commit 5b0b51ca3 in 0.2.4.12-alpha. Patch by teor. - - o Minor bugfixes (options): - - Check the consistency of UseEntryGuards and EntryNodes more reliably. - Fixes bug 20074; bugfix on commit 686aaa5c in tor-0.2.4.12-alpha. Patch by teor. - - Stop changing the configured value of UseEntryGuards on authorities - and Tor2web clients. - Fixes bug 20074; bugfix on commits 51fc6799 in tor-0.1.1.16-rc and - acda1735 in tor-0.2.4.3-alpha. Patch by teor. - - o Minor bugfixes (Tor2web): - - Prevent Tor2web clients running hidden services, these services are - not anonymous due to the one-hop client paths. - Fixes bug 19678. Patch by teor. + - Use CircuitBuildTimeout whenever LearnCircuitBuildTimeout is + disabled. Fixes bug 19678; bugfix on commit 5b0b51ca3 in + 0.2.4.12-alpha. Patch by teor.
o Minor bugfixes (allocation): - - Change how we allocate memory for large chunks on buffers, to avoid - a (currently impossible) integer overflow, and to waste less space - when allocating unusually large chunks. Fixes bug 20081; bugfix on - 0.2.0.16-alpha. Issue identified by Guido Vranken. + - Change how we allocate memory for large chunks on buffers, to + avoid a (currently impossible) integer overflow, and to waste less + space when allocating unusually large chunks. Fixes bug 20081; + bugfix on 0.2.0.16-alpha. Issue identified by Guido Vranken. - Always include orconfig.h before including any other C headers. Sometimes, it includes macros that affect the behavior of the - standard headers. Fixes bug 19767; bugfix on 0.2.9.1-alpha (the first - version to use AC_USE_SYSTEM_EXTENSIONS). - - Fix a syntax error in the IF_BUG_ONCE__() macro in non- - GCC-compatible compilers. Fixes bug 20141; bugfix on - 0.2.9.1-alpha. Patch from Gisle Vanem. - - Stop trying to build with Clang 4.0's -Wthread-safety - warnings. They apparently require a set of annotations that we - aren't currently using, and they create false positives in our - pthreads wrappers. Fixes bug 20110; bugfix on 0.2.9.1-alpha. + standard headers. Fixes bug 19767; bugfix on 0.2.9.1-alpha (the + first version to use AC_USE_SYSTEM_EXTENSIONS). + - Fix a syntax error in the IF_BUG_ONCE__() macro in non- GCC- + compatible compilers. Fixes bug 20141; bugfix on 0.2.9.1-alpha. + Patch from Gisle Vanem. + - Stop trying to build with Clang 4.0's -Wthread-safety warnings. + They apparently require a set of annotations that we aren't + currently using, and they create false positives in our pthreads + wrappers. Fixes bug 20110; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (directory authority): - Die with a useful error when the operator forgets to place the @@ -159,24 +141,22 @@ Changes in version 0.2.9.3-alpha - 2016-09-2? uninformative assert & traceback about having an invalid key. Fixes bug 20065; bugfix on 0.2.0.1-alpha. - When allowing private addresses, mark Exits that only exit to - private locations as such. Fixes bug 20064; bugfix on - 0.2.2.9-alpha. + private locations as such. Fixes bug 20064; bugfix + on 0.2.2.9-alpha.
o Minor bugfixes (documentation): - - Document the default PathsNeededToBuildCircuits value that's - used by clients when the directory authorities don't set - min_paths_for_circs_pct. - Fixes bug 20117; bugfix on 02c320916e02 in tor-0.2.4.10-alpha. - Patch by teor, reported by Jesse V. + - Document the default PathsNeededToBuildCircuits value that's used + by clients when the directory authorities don't set + min_paths_for_circs_pct. Fixes bug 20117; bugfix on 02c320916e02 + in tor-0.2.4.10-alpha. Patch by teor, reported by Jesse V. - Fix manual for the User option: it takes a username, not a UID. Fixes bug 19122; bugfix on 0.0.2pre16 (the first version to have a manpage!).
o Minor bugfixes (hidden services): - - Stop logging intro point details to the client log on - certain error conditions. - Fixed as part of bug 20012; bugfix on 0.2.4.8-alpha. - Patch by teor. + - Stop logging intro point details to the client log on certain + error conditions. Fixed as part of bug 20012; bugfix on + 0.2.4.8-alpha. Patch by teor.
o Minor bugfixes (IPv6, testing): - Check for IPv6 correctly on Linux when running test networks. @@ -184,36 +164,51 @@ Changes in version 0.2.9.3-alpha - 2016-09-2?
o Minor bugfixes (Linux seccomp2 sandbox): - Add permission to run the sched_yield() and sigaltstack() system - calls, in order to support versions of Tor compiled with - asan or ubsan code that use these calls. Now "sandbox 1" and - "--enable-expensive-hardening" should be compatible. - Fixes bug 20063; bugfix on 0.2.5.1-alpha. + calls, in order to support versions of Tor compiled with asan or + ubsan code that use these calls. Now "sandbox 1" and + "--enable-expensive-hardening" should be compatible. Fixes bug + 20063; bugfix on 0.2.5.1-alpha.
o Minor bugfixes (logging): - - When logging a message from the BUG() macro, be explicit about what - we were asserting. Previously we were confusing what we were asserting - with what the bug was. Fixes bug 20093; bugfix on 0.2.9.1-alpha. + - When logging a message from the BUG() macro, be explicit about + what we were asserting. Previously we were confusing what we were + asserting with what the bug was. Fixes bug 20093; bugfix + on 0.2.9.1-alpha. - When we are unable to remove the bw_accounting file, do not warn if the reason we couldn't remove it was that it didn't exist. - Fixes bug 19964; bugfix on 0.2.5.4-alpha. Patch - from 'pastly'. + Fixes bug 19964; bugfix on 0.2.5.4-alpha. Patch from 'pastly'.
o Minor bugfixes (option parsing): - Count unix sockets when counting client listeners (SOCKS, Trans, NATD, and DNS). This has no user-visible behaviour changes: these - options are set once, and never read. - Required for correct behaviour in ticket 17178. - Fixes bug 19677; bugfix on 0.2.6.3-alpha. Patch by teor. + options are set once, and never read. Required for correct + behaviour in ticket 17178. Fixes bug 19677; bugfix on + 0.2.6.3-alpha. Patch by teor. + + o Minor bugfixes (options): + - Check the consistency of UseEntryGuards and EntryNodes more + reliably. Fixes bug 20074; bugfix on commit 686aaa5c in tor- + 0.2.4.12-alpha. Patch by teor. + - Stop changing the configured value of UseEntryGuards on + authorities and Tor2web clients. Fixes bug 20074; bugfix on + commits 51fc6799 in tor-0.1.1.16-rc and acda1735 in tor-0.2.4.3- + alpha. Patch by teor. + + o Minor bugfixes (Tor2web): + - Prevent Tor2web clients running hidden services, these services + are not anonymous due to the one-hop client paths. Fixes bug + 19678. Patch by teor.
o Minor bugfixes (unit tests): - - Fix shared random unit test that was failing on big endian architecture - due to internal representation of a integer copied to a buffer. The test - is changed to take a full 32 bytes of data and use the output of a - python script that make the COMMIT and REVEAL calculation according to - the spec. Fixes bug 19977; bugfix on tor-0.2.9.1-alpha. + - Fix shared random unit test that was failing on big endian + architecture due to internal representation of a integer copied to + a buffer. The test is changed to take a full 32 bytes of data and + use the output of a python script that make the COMMIT and REVEAL + calculation according to the spec. Fixes bug 19977; bugfix + on tor-0.2.9.1-alpha. - The tor_tls_server_info_callback unit test no longer crashes when - debug-level logging is turned on. Fixes bug 20041; bugfix on - 0.2.8.1-alpha. + debug-level logging is turned on. Fixes bug 20041; bugfix + on 0.2.8.1-alpha.
Changes in version 0.2.9.2-alpha - 2016-08-24
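Review bot: In the @@ -12,40 hunk, the reflowed onion-services and circuit-building entries still carry the misspellings "renzedvous" and "cicruitss", and the new wrap leaves "service-to-rendezvous-" at the end of one line with "point" starting the next. These lines are being rewritten anyway, so correct them to "rendezvous" and "circuits" and keep "service-to-rendezvous-point" on one line, so the bug 19163 entry reads cleanly in the release notes.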
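Review bot: The @@ -53,105 hunk does more than the subject line "Reflow the changelog" says. It moves "Minor features (security, TLS)" ahead of "Minor feature (port flags)", moves "Minor features (testing, ipv6)" after "Minor features (testing)", and removes the "Minor bugfixes (options)" and "Minor bugfixes (Tor2web)" sections, which reappear in the @@ -184,36 hunk. Mention the section reordering in the commit message or split it into its own commit, so that someone reviewing the security-relevant entries (the 3DES removal, the Tor2web hidden-service restriction) can tell the text was moved and not changed. Separately, "Minor bug fixes (circuits)" and "Minor feature (port flags)" do not match the "Minor bugfixes" / "Minor features" form of the other headings, and the orconfig.h, IF_BUG_ONCE__() and -Wthread-safety entries sit under "Minor bugfixes (allocation)" although they read as compilation fixes.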
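Review bot: In the @@ -184,36 hunk, the re-added "Minor bugfixes (options)" entries are wrapped inside version strings: "tor-" ends one line with "0.2.4.12-alpha" on the next, and "tor-0.2.4.3-" ends one line with "alpha" on the next. A search of the ChangeLog for "0.2.4.3-alpha" will miss that entry. Keep each version identifier on a single line, for example by breaking before "tor-0.2.4.3-alpha". Also, the Tor2web entry added here cites "Fixes bug 19678", the same number the CircuitBuildTimeout entry cites in the @@ -53,105 hunk; confirm which entry that bug number belongs to.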
tor-commits@lists.torproject.org