From nickm at torproject.org Thu May 2 18:30:23 2019 From: nickm at torproject.org (Nick Mathewson) Date: Thu, 2 May 2019 14:30:23 -0400 Subject: [tor-packagers] Tor 0.4.0.5 is released Message-ID: Hi! We have a new stable release series. You can find it in the usual place on https://dist.torproject.org/ Note that this is not an LTS release -- if you need a series that will get patches for a long time, stick with 0.3.5.x. Changes in version 0.4.0.5 - 2019-05-02 This is the first stable release in the 0.4.0.x series. It contains improvements for power management and bootstrap reporting, as well as preliminary backend support for circuit padding to prevent some kinds of traffic analysis. It also continues our work in refactoring Tor for long-term maintainability. Per our support policy, we will support the 0.4.0.x series for nine months, or until three months after the release of a stable 0.4.1.x: whichever is longer. If you need longer-term support, please stick with 0.3.5.x, which will we plan to support until Feb 2022. Below are the changes since 0.4.0.4-rc. For a complete list of changes since 0.3.5.7, see the ReleaseNotes file. o Minor features (continuous integration): - In Travis, tell timelimit to use stem's backtrace signals, and launch python directly from timelimit, so python receives the signals from timelimit, rather than make. Closes ticket 30117. o Minor features (diagnostic): - Add more diagnostic log messages in an attempt to solve the issue of NUL bytes appearing in a microdescriptor cache. Related to ticket 28223. o Minor features (testing): - Use the approx_time() function when setting the "Expires" header in directory replies, to make them more testable. Needed for ticket 30001. o Minor bugfixes (rust): - Abort on panic in all build profiles, instead of potentially unwinding into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha. o Minor bugfixes (shellcheck): - Look for scripts in their correct locations during "make shellcheck". Previously we had looked in the wrong place during out-of-tree builds. Fixes bug 30263; bugfix on 0.4.0.1-alpha. o Minor bugfixes (testing): - Check the time in the "Expires" header using approx_time(). Fixes bug 30001; bugfix on 0.4.0.4-rc. o Minor bugfixes (UI): - Lower log level of unlink() errors during bootstrap. Fixes bug 29930; bugfix on 0.4.0.1-alpha. From nickm at torproject.org Wed May 22 21:58:23 2019 From: nickm at torproject.org (Nick Mathewson) Date: Wed, 22 May 2019 17:58:23 -0400 Subject: [tor-packagers] Tor 0.4.1.1-alpha is released Message-ID: Hello! Tor 0.4.1.1-alpha is now available for download on https://dist.torproject.org/. This is an alpha release, so please act accordingly. :) Here's the changelog: Changes in version 0.4.1.1-alpha - 2019-05-22 This is the first alpha in the 0.4.1.x series. It introduces lightweight circuit padding to make some onion-service circuits harder to distinguish, includes a new "authenticated SENDME" feature to make certain denial-of-service attacks more difficult, and improves performance in several areas. o Major features (circuit padding): - Onion service clients now add padding cells at the start of their INTRODUCE and RENDEZVOUS circuits, to make those circuits' traffic look more like general purpose Exit traffic. The overhead for this is 2 extra cells in each direction for RENDEZVOUS circuits, and 1 extra upstream cell and 10 downstream cells for INTRODUCE circuits. This feature is only enabled when also supported by the circuit's middle node. (Clients may specify fixed middle nodes with the MiddleNodes option, and may force-disable this feature with the CircuitPadding torrc.) Closes ticket 28634. o Major features (code organization): - Tor now includes a generic publish-subscribe message-passing subsystem that we can use to organize intermodule dependencies. We hope to use this to reduce dependencies between modules that don't need to be related, and to generally simplify our codebase. Closes ticket 28226. o Major features (controller protocol): - Controller commands are now parsed using a generalized parsing subsystem. Previously, each controller command was responsible for parsing its own input, which led to strange inconsistencies. Closes ticket 30091. o Major features (flow control): - Implement authenticated SENDMEs as detailed in proposal 289. A SENDME cell now includes the digest of the traffic that it acknowledges, so that once an end point receives the SENDME, it can confirm the other side's knowledge of the previous cells that were sent, and prevent certain types of denial-of-service attacks. This behavior is controlled by two new consensus parameters: see the proposal for more details. Fixes ticket 26288. o Major features (performance): - Our node selection algorithm now excludes nodes in linear time. Previously, the algorithm was quadratic, which could slow down heavily used onion services. Closes ticket 30307. o Major features (performance, RNG): - Tor now constructs a fast secure pseudorandom number generator for each thread, to use when performance is critical. This PRNG is based on AES-CTR, using a buffering construction similar to libottery and the (newer) OpenBSD arc4random() code. It outperforms OpenSSL 1.1.1a's CSPRNG by roughly a factor of 100 for small outputs. Although we believe it to be cryptographically strong, we are only using it when necessary for performance. Implements tickets 29023 and 29536. o Major bugfixes (onion service v3): - Fix an unreachable bug in which an introduction point could try to send an INTRODUCE_ACK with a status code that Trunnel would refuse to encode, leading the relay to assert(). We've consolidated the ABI values into Trunnel now. Fixes bug 30454; bugfix on 0.3.0.1-alpha. - Clients can now handle unknown status codes from INTRODUCE_ACK cells. (The NACK behavior will stay the same.) This will allow us to extend status codes in the future without breaking the normal client behavior. Fixes another part of bug 30454; bugfix on 0.3.0.1-alpha. o Minor features (circuit padding): - We now use a fast PRNG when scheduling circuit padding. Part of ticket 28636. - Allow the padding machine designer to pick the edges of their histogram instead of trying to compute them automatically using an exponential formula. Resolves some undefined behavior in the case of small histograms and allows greater flexibility on machine design. Closes ticket 29298; bugfix on 0.4.0.1-alpha. - Allow circuit padding machines to hold a circuit open until they are done padding it. Closes ticket 28780. o Minor features (compile-time modules): - Add a "--list-modules" command to print a list of which compile- time modules are enabled. Closes ticket 30452. o Minor features (continuous integration): - Remove sudo configuration lines from .travis.yml as they are no longer needed with current Travis build environment. Resolves issue 30213. - In Travis, show stem's tor log after failure. Closes ticket 30234. o Minor features (controller): - Add onion service version 3 support to the HSFETCH command. Previously, only version 2 onion services were supported. Closes ticket 25417. Patch by Neel Chauhan. o Minor features (debugging): - Introduce tor_assertf() and tor_assertf_nonfatal() to enable logging of additional information during assert failure. Now we can use format strings to include information for trouble shooting. Resolves ticket 29662. o Minor features (defense in depth): - In smartlist_remove_keeporder(), set unused pointers to NULL, in case a bug causes them to be used later. Closes ticket 30176. Patch from Tobias Stoeckmann. - Tor now uses a cryptographically strong PRNG even for decisions that we do not believe are security-sensitive. Previously, for performance reasons, we had used a trivially predictable linear congruential generator algorithm for certain load-balancing and statistical sampling decisions. Now we use our fast RNG in those cases. Closes ticket 29542. o Minor features (developer tools): - Tor's "practracker" test script now checks for files and functions that seem too long and complicated. Existing overlong functions and files are accepted for now, but should eventually be refactored. Closes ticket 29221. - Add some scripts used for git maintenance to scripts/git. Closes ticket 29391. - Call practracker from pre-push and pre-commit git hooks to let developers know if they made any code style violations. Closes ticket 30051. - Add a script to check that each header has a well-formed and unique guard macro. Closes ticket 29756. o Minor features (geoip): - Update geoip and geoip6 to the May 13 2019 Maxmind GeoLite2 Country database. Closes ticket 30522. o Minor features (HTTP tunnel): - Return an informative web page when the HTTPTunnelPort is used as an HTTP proxy. Closes ticket 27821, patch by "eighthave". o Minor features (IPv6, v3 onion services): - Make v3 onion services put IPv6 addresses in service descriptors. Before this change, service descriptors only contained IPv4 addresses. Implements 26992. o Minor features (modularity): - The "--disable-module-dirauth" compile-time option now disables even more dirauth-only code. Closes ticket 30345. o Minor features (performance): - Use OpenSSL's implementations of SHA3 when available (in OpenSSL 1.1.1 and later), since they tend to be faster than tiny-keccak. Closes ticket 28837. o Minor features (testing): - Tor's unit test code now contains helper functions to replace the PRNG with a deterministic or reproducible version for testing. Previously, various tests implemented this in various ways. Implements ticket 29732. - We now have a script, cov-test-determinism.sh, to identify places where our unit test coverage has become nondeterministic. Closes ticket 29436. - Check that representative subsets of values of `int` and `unsigned int` can be represented by `void *`. Resolves issue 29537. o Minor bugfixes (bridge authority): - Bridge authorities now set bridges as running or non-running when about to dump their status to a file. Previously, they set bridges as running in response to a GETINFO command, but those shouldn't modify data structures. Fixes bug 24490; bugfix on 0.2.0.13-alpha. Patch by Neel Chauhan. o Minor bugfixes (channel padding statistics): - Channel padding write totals and padding-enabled totals are now counted properly in relay extrainfo descriptors. Fixes bug 29231; bugfix on 0.3.1.1-alpha. o Minor bugfixes (circuit padding): - Add a "CircuitPadding" torrc option to disable circuit padding. Fixes bug 28693; bugfix on 0.4.0.1-alpha. - Allow circuit padding machines to specify that they do not contribute much overhead, and provide consensus flags and torrc options to force clients to only use these low overhead machines. Fixes bug 29203; bugfix on 0.4.0.1-alpha. - Provide a consensus parameter to fully disable circuit padding, to be used in emergency network overload situations. Fixes bug 30173; bugfix on 0.4.0.1-alpha. - The circuit padding subsystem will no longer schedule padding if dormant mode is enabled. Fixes bug 28636; bugfix on 0.4.0.1-alpha. - Inspect a circuit-level cell queue before sending padding, to avoid sending padding while too much data is already queued. Fixes bug 29204; bugfix on 0.4.0.1-alpha. - Avoid calling monotime_absolute_usec() in circuit padding machines that do not use token removal or circuit RTT estimation. Fixes bug 29085; bugfix on 0.4.0.1-alpha. o Minor bugfixes (compilation, unusual configurations): - Avoid failures when building with the ALL_BUGS_ARE_FATAL option due to missing declarations of abort(), and prevent other such failures in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha. o Minor bugfixes (controller protocol): - Teach the controller parser to distinguish an object preceded by an argument list from one without. Previously, it couldn't distinguish an argument list from the first line of a multiline object. Fixes bug 29984; bugfix on 0.2.3.8-alpha. o Minor bugfixes (directory authority, ipv6): - Directory authorities with IPv6 support now always mark themselves as reachable via IPv6. Fixes bug 24338; bugfix on 0.4.0.2-alpha. Patch by Neel Chauhan. o Minor bugfixes (documentation): - Improve the documentation for using MapAddress with ".exit". Fixes bug 30109; bugfix on 0.1.0.1-rc. - Improve the monotonic time module and function documentation to explain what "monotonic" actually means, and document some results that have surprised people. Fixes bug 29640; bugfix on 0.2.9.1-alpha. - Use proper formatting when providing an example on quoting options that contain whitespace. Fixes bug 29635; bugfix on 0.2.3.18-rc. o Minor bugfixes (logging): - Do not log a warning when running with an OpenSSL version other than the one Tor was compiled with, if the two versions should be compatible. Previously, we would warn whenever the version was different. Fixes bug 30190; bugfix on 0.2.4.2-alpha. - Warn operators when the MyFamily option is set but ContactInfo is missing, as the latter should be set too. Fixes bug 25110; bugfix on 0.3.3.1-alpha. o Minor bugfixes (memory leak): - Avoid a minor memory leak that could occur on relays when failing to create a "keys" directory. Fixes bug 30148; bugfix on 0.3.3.1-alpha. o Minor bugfixes (onion services): - Avoid a GCC 9.1.1 warning (and possible crash depending on libc implemenation) when failing to load an onion service client authorization file. Fixes bug 30475; bugfix on 0.3.5.1-alpha. - When refusing to launch a controller's HSFETCH request because of rate-limiting, respond to the controller with a new response, "QUERY_RATE_LIMITED". Previously, we would log QUERY_NO_HSDIR for this case. Fixes bug 28269; bugfix on 0.3.1.1-alpha. Patch by Neel Chauhan. - When relaunching a circuit to a rendezvous service, mark the circuit as needing high-uptime routers as appropriate. Fixes bug 17357; bugfix on 0.4.0.2-alpha. Patch by Neel Chauhan. - Stop ignoring IPv6 link specifiers sent to v3 onion services. (IPv6 support for v3 onion services is still incomplete: see ticket 23493 for details.) Fixes bug 23588; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan. o Minor bugfixes (onion services, performance): - When building circuits to onion services, call tor_addr_parse() less often. Previously, we called tor_addr_parse() in circuit_is_acceptable() even if its output wasn't used. This change should improve performance when building circuits. Fixes bug 22210; bugfix on 0.2.8.12. Patch by Neel Chauhan. o Minor bugfixes (performance): - When checking whether a node is a bridge, use a fast check to make sure that its identity is set. Previously, we used a constant-time check, which is not necessary in this case. Fixes bug 30308; bugfix on 0.3.5.1-alpha. o Minor bugfixes (pluggable transports): - Tor now sets TOR_PT_EXIT_ON_STDIN_CLOSE=1 for client transports as well as servers. Fixes bug 25614; bugfix on 0.2.7.1-alpha. o Minor bugfixes (probability distributions): - Refactor and improve parts of the probability distribution code that made Coverity complain. Fixes bug 29805; bugfix on 0.4.0.1-alpha. o Minor bugfixes (python): - Stop assuming that /usr/bin/python3 exists. For scripts that work with python2, use /usr/bin/python. Otherwise, use /usr/bin/env python3. Fixes bug 29913; bugfix on 0.2.5.3-alpha. o Minor bugfixes (relay): - When running as a relay, if IPv6Exit is set to 1 while ExitRelay is auto, act as if ExitRelay is 1. Previously, we would ignore IPv6Exit if ExitRelay was 0 or auto. Fixes bug 29613; bugfix on 0.3.5.1-alpha. Patch by Neel Chauhan. o Minor bugfixes (stats): - When ExtraInfoStatistics is 0, stop including bandwidth usage statistics, GeoIPFile hashes, ServerTransportPlugin lines, and bridge statistics by country in extra-info documents. Fixes bug 29018; bugfix on 0.2.4.1-alpha. o Minor bugfixes (testing): - Call setrlimit() to disable core dumps in test_bt_cl.c. Previously we used `ulimit -c` in test_bt.sh, which violates POSIX shell compatibility. Fixes bug 29061; bugfix on 0.3.5.1-alpha. - Fix some incorrect code in the v3 onion service unit tests. Fixes bug 29243; bugfix on 0.3.2.1-alpha. - In the "routerkeys/*" tests, check the return values of mkdir() for possible failures. Fixes bug 29939; bugfix on 0.2.7.2-alpha. Found by Coverity as CID 1444254. - Split test_utils_general() into several smaller test functions. This makes it easier to perform resource deallocation on assert failure, and fixes Coverity warnings CID 1444117 and CID 1444118. Fixes bug 29823; bugfix on 0.2.9.1-alpha. o Minor bugfixes (tor-resolve): - Fix a memory leak in tor-resolve that could happen if Tor gave it a malformed SOCKS response. (Memory leaks in tor-resolve don't actually matter, but it's good to fix them anyway.) Fixes bug 30151; bugfix on 0.4.0.1-alpha. o Code simplification and refactoring: - Abstract out the low-level formatting of replies on the control port. Implements ticket 30007. - Add several assertions in an attempt to fix some Coverity warnings. Closes ticket 30149. - Introduce a connection_dir_buf_add() helper function that checks for compress_state of dir_connection_t and automatically writes a string to directory connection with or without compression. Resolves issue 28816. - Make the base32_decode() API return the number of bytes written, for consistency with base64_decode(). Closes ticket 28913. - Move most relay-only periodic events out of mainloop.c into the relay subsystem. Closes ticket 30414. - Refactor and encapsulate parts of the codebase that manipulate crypt_path_t objects. Resolves issue 30236. - Refactor several places in our code that Coverity incorrectly believed might have memory leaks. Closes ticket 30147. - Remove redundant return values in crypto_format, and the associated return value checks elsewhere in the code. Make the implementations in crypto_format consistent, and remove redundant code. Resolves ticket 29660. - Rename tor_mem_is_zero() to fast_mem_is_zero(), to emphasize that it is not a constant-time function. Closes ticket 30309. - Replace hs_desc_link_specifier_t with link_specifier_t, and remove all hs_desc_link_specifier_t-specific code. Fixes bug 22781; bugfix on 0.3.2.1-alpha. - Simplify v3 onion service link specifier handling code. Fixes bug 23576; bugfix on 0.3.2.1-alpha. - Split crypto_digest.c into NSS code, OpenSSL code, and shared code. Resolves ticket 29108. - Split control.c into several submodules, in preparation for distributing its current responsibilities throughout the codebase. Closes ticket 29894. - Start to move responsibility for knowing about periodic events to the appropriate subsystems, so that the mainloop doesn't need to know all the periodic events in the rest of the codebase. Implements tickets 30293 and 30294. o Documentation: - Document how to find git commits and tags for bug fixes in CodingStandards.md. Update some file documentation. Closes ticket 30261. o Removed features: - Remove the linux-tor-prio.sh script from contrib/operator-tools directory. Resolves issue 29434. - Remove the obsolete OpenSUSE initscript. Resolves issue 30076. - Remove the obsolete script at contrib/dist/tor.sh.in. Resolves issue 30075. o Code simplification and refactoring (shell scripts): - Clean up many of our shell scripts to fix shellcheck warnings. These include autogen.sh (ticket 26069), test_keygen.sh (ticket 29062), test_switch_id.sh (ticket 29065), test_rebind.sh (ticket 29063), src/test/fuzz/minimize.sh (ticket 30079), test_rust.sh (ticket 29064), torify (ticket 29070), asciidoc-helper.sh (29926), fuzz_multi.sh (30077), fuzz_static_testcases.sh (ticket 29059), nagios-check-tor-authority-cert (ticket 29071), src/test/fuzz/fixup_filenames.sh (ticket 30078), test-network.sh (ticket 29060), test_key_expiration.sh (ticket 30002), zero_length_keys.sh (ticket 29068), and test_workqueue_*.sh (ticket 29067). o Testing (chutney): - In "make test-network-all", test IPv6-only v3 single onion services, using the chutney network single-onion-v23-ipv6-md. Closes ticket 27251. From wiz at NetBSD.org Mon May 27 12:47:21 2019 From: wiz at NetBSD.org (Thomas Klausner) Date: Mon, 27 May 2019 14:47:21 +0200 Subject: [tor-packagers] torbrowser package on NetBSD In-Reply-To: <20190315114029.GA1105@mars-attacks.org> References: <20190314225037.sfmd25cikz7pn7ex@danbala> <20190315114029.GA1105@mars-attacks.org> Message-ID: <20190527124721.ggvjf7qy76ccu5lx@danbala> Hi Nicolas! Thanks for the reply! On Fri, Mar 15, 2019 at 12:40:29PM +0100, Nicolas Vigier wrote: > On Thu, 14 Mar 2019, Thomas Klausner wrote: > > There are no tarballs. Please provide some! :) > > The next Tor Browser alpha release (which will be released next week) > will include source tarballs for firefox, torbutton and tor-launcher: > https://trac.torproject.org/projects/tor/ticket/25876 > > For the stable release, this should be included in the first 8.5 stable > release (currently planned for early April). I saw that these exist now. Great! Thank you! I've switched the pkgsrc package to use them. I'm not sure if I should package torbutton or tor-launcher. Is torbutton included in the src-firefox-tor-browser-60.7.0esr-8.5-1-build1.tar.xz? If not, how should this be packaged exactly? (I.e. installed in a particular subdirectory of tor-browser?) What is tor-launcher, is that torbrowser-launcher? Does that make sense on platforms where binary tor packages are not provided by the tor project? > > tor-browser defaults to using socks port 9150, but tor defaults to > > port 9050. Why is that so? Is there an intended way (configure flag?) > > to change the tor-browser default? > > Tor Browser includes its own tor daemon. It is using a different port > so it does not conflict with the one that might be installed on the > system. > > It is possible to change the ports used with the TOR_SOCKS_PORT and > TOR_CONTROL_PORT environment variables: > https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#UsinganExistingTorProcess > > It is also possible to change the pref network.proxy.socks_port in > tor-browser.git/browser/app/profile/000-tor-browser.js, and > extensions.torlauncher.control_port in > tor-launcher.git/src/defaults/preferences/prefs.js. tor daemon is not included in the pkgsrc package for tor-browser, it's a separate package that is installed automatically whenever tor-browser is installed (but with tor's defaults, i.e. 9050). What would you suggest is the preferred solution here, patching the two javascript files so that the standard tor daemon is used? I want to make running tor-browser as easy as possible by default. > > I've inherited the attached patch from the previous version of the > > package. It changes the default directory to one in the user's home, > > which makes more sense to me on a Unix system where the program is > > installed in a public path. Would this patch be acceptable for > > inclusion, or what do you suggest? > > I opened a ticket about this: > https://trac.torproject.org/projects/tor/ticket/29790 Thanks. This looks like an internal discussion has started about it but fizzled out; I hope it gets resolved at some point. Cheers, Thomas