[tor-talk] Tor is out

Roger Dingledine arma at mit.edu
Wed Oct 2 19:25:23 UTC 2013

Tor introduces experimental support for syscall sandboxing
on Linux, allows bridges that offer pluggable transports to report usage
statistics, fixes many issues to make testing easier, and provides
a pile of minor features and bugfixes that have been waiting for a
release of the new branch.

This is the first alpha release in a new series, so expect there to
be bugs. Users who would rather test out a more stable branch should
stay with 0.2.4.x for now.

I'm going to leave the download pages listing 0.2.3.x and 0.2.4.x,
so we don't have the confusion of three branches at once. I'm also not
sure yet how the packaging people plan to handle three branches.


Changes in version - 2013-10-02
  o Major features (security):
    - Use the seccomp2 syscall filtering facility on Linux to limit
      which system calls Tor can invoke. This is an experimental,
      Linux-only feature to provide defense-in-depth against unknown
      attacks. To try turning it on, set "Sandbox 1" in your torrc
      file. Please be ready to report bugs. We hope to add support
      for better sandboxing in the future, including more fine-grained
      filters, better division of responsibility, and support for more
      platforms. This work has been done by Cristian-Matei Toader for
      Google Summer of Code.
    - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later.
      Resolves ticket 6055. (OpenSSL before 1.0.1 didn't have TLS 1.1 or
      1.2, and OpenSSL from 1.0.1 through 1.0.1d had bugs that prevented
      renegotiation from working with TLS 1.1 or 1.2, so we had disabled
      them to solve bug 6033.)

  o Major features (other):
    - Add support for passing arguments to managed pluggable transport
      proxies. Implements ticket 3594.
    - Bridges now track GeoIP information and the number of their users
      even when pluggable transports are in use, and report usage
      statistics in their extra-info descriptors. Resolves tickets 4773
      and 5040.
    - Make testing Tor networks bootstrap better: lower directory fetch
      retry schedules and maximum interval without directory requests,
      and raise maximum download tries. Implements ticket 6752.
    - Add make target 'test-network' to run tests on a Chutney network.
      Implements ticket 8530.
    - The ntor handshake is now on-by-default, no matter what the
      directory authorities recommend. Implements ticket 8561.

  o Major bugfixes:
    - Instead of writing destroy cells directly to outgoing connection
      buffers, queue them and intersperse them with other outgoing cells.
      This can prevent a set of resource starvation conditions where too
      many pending destroy cells prevent data cells from actually getting
      delivered. Reported by "oftc_must_be_destroyed". Fixes bug 7912;
      bugfix on
    - If we are unable to save a microdescriptor to the journal, do not
      drop it from memory and then reattempt downloading it. Fixes bug
      9645; bugfix on
    - The new channel code sometimes lost track of in-progress circuits,
      causing long-running clients to stop building new circuits. The
      fix is to always call circuit_n_chan_done(chan, 0) from
      channel_closed(). Fixes bug 9776; bugfix on

  o Build features:
    - Tor now builds each source file in two modes: a mode that avoids
      exposing identifiers needlessly, and another mode that exposes
      more identifiers for testing. This lets the compiler do better at
      optimizing the production code, while enabling us to take more
      radical measures to let the unit tests test things.
    - The production builds no longer include functions used only in
      the unit tests; all functions exposed from a module only for
      unit-testing are now static in production builds.
    - Add an --enable-coverage configuration option to make the unit
      tests (and a new src/or/tor-cov target) to build with gcov test
      coverage support.

  o Testing:
    - We now have rudimentary function mocking support that our unit
      tests can use to test functions in isolation. Function mocking
      lets the tests temporarily replace a function's dependencies with
      stub functions, so that the tests can check the function without
      invoking the other functions it calls.
    - Add more unit tests for the <circid,channel>->circuit map, and
      the destroy-cell-tracking code to fix bug 7912.
    - Unit tests for failing cases of the TAP onion handshake.
    - More unit tests for address-manipulation functions.

  o Minor features (protecting client timestamps):
    - Clients no longer send timestamps in their NETINFO cells. These were
      not used for anything, and they provided one small way for clients
      to be distinguished from each other as they moved from network to
      network or behind NAT. Implements part of proposal 222.
    - Clients now round timestamps in INTRODUCE cells down to the nearest
      10 minutes. If a new Support022HiddenServices option is set to 0, or
      if it's set to "auto" and the feature is disabled in the consensus,
      the timestamp is sent as 0 instead. Implements part of proposal 222.
    - Stop sending timestamps in AUTHENTICATE cells. This is not such
      a big deal from a security point of view, but it achieves no actual
      good purpose, and isn't needed. Implements part of proposal 222.
    - Reduce down accuracy of timestamps in hidden service descriptors.
      Implements part of proposal 222.

  o Minor features (config options):
    - Config (torrc) lines now handle fingerprints which are missing
      their initial '$'. Resolves ticket 4341; improvement over 0.0.9pre5.
    - Support a --dump-config option to print some or all of the
      configured options. Mainly useful for debugging the command-line
      option parsing code. Helps resolve ticket 4647.
    - Raise awareness of safer logging: notify user of potentially
      unsafe config options, like logging more verbosely than severity
      "notice" or setting SafeLogging to 0. Resolves ticket 5584.
    - Add a new configuration option TestingV3AuthVotingStartOffset
      that bootstraps a network faster by changing the timing for
      consensus votes. Addresses ticket 8532.
    - Add a new torrc option "ServerTransportOptions" that allows
      bridge operators to pass configuration parameters to their
      pluggable transports. Resolves ticket 8929.
    - The config (torrc) file now accepts bandwidth and space limits in
      bits as well as bytes. (Anywhere that you can say "2 Kilobytes",
      you can now say "16 kilobits", and so on.) Resolves ticket 9214.
      Patch by CharlieB.

  o Minor features (build):
    - Add support for `--library-versions` flag. Implements ticket 6384.
    - Return the "unexpected sendme" warnings to a warn severity, but make
      them rate limited, to help diagnose ticket 8093.
    - Detect a missing asciidoc, and warn the user about it, during
      configure rather than at build time. Fixes issue 6506. Patch from
      Arlo Breault.

  o Minor features (other):
    - Use the SOCK_NONBLOCK socket type, if supported, to open nonblocking
      sockets in a single system call. Implements ticket 5129.
    - Log current accounting state (bytes sent and received + remaining
      time for the current accounting period) in the relay's heartbeat
      message. Implements ticket 5526; patch from Peter Retzlaff.
    - Implement the TRANSPORT_LAUNCHED control port event that
      notifies controllers about new launched pluggable
      transports. Resolves ticket 5609.
    - If we're using the pure-C 32-bit curve25519_donna implementation
      of curve25519, build it with the -fomit-frame-pointer option to
      make it go faster on register-starved hosts. This improves our
      handshake performance by about 6% on i386 hosts without nacl.
      Closes ticket 8109.
    - Update to the September 4 2013 Maxmind GeoLite Country database.

  o Minor bugfixes:
    - Set the listen() backlog limit to the largest actually supported
      on the system, not to the value in a header file. Fixes bug 9716;
      bugfix on every released Tor.
    - No longer accept malformed http headers when parsing urls from
      headers. Now we reply with Bad Request ("400"). Fixes bug 2767;
      bugfix on 0.0.6pre1.
    - In munge_extrainfo_into_routerinfo(), check the return value of
      memchr(). This would have been a serious issue if we ever passed
      it a non-extrainfo. Fixes bug 8791; bugfix on Patch
      from Arlo Breault.
    - On the chance that somebody manages to build Tor on a
      platform where time_t is unsigned, correct the way that
      microdesc_add_to_cache() handles negative time arguments.
      Fixes bug 8042; bugfix on
    - Reject relative control socket paths and emit a warning. Previously,
      single-component control socket paths would be rejected, but Tor
      would not log why it could not validate the config. Fixes bug 9258;
      bugfix on

  o Minor bugfixes (command line):
    - Use a single command-line parser for parsing torrc options on the
      command line and for finding special command-line options to avoid
      inconsistent behavior for torrc option arguments that have the same
      names as command-line options. Fixes bugs 4647 and 9578; bugfix on
    - No longer allow 'tor --hash-password' with no arguments. Fixes bug
      9573; bugfix on 0.0.9pre5.

  o Minor fixes (build, auxiliary programs):
    - Stop preprocessing the "torify" script with autoconf, since
      it no longer refers to LOCALSTATEDIR. Fixes bug 5505; patch
      from Guilhem.
    - The tor-fw-helper program now follows the standard convention and
      exits with status code "0" on success. Fixes bug 9030; bugfix on Patch by Arlo Breault.
    - Corrected ./configure advice for what openssl dev package you should
      install on Debian. Fixes bug 9207; bugfix on

  o Minor code improvements:
    - Remove constants and tests for PKCS1 padding; it's insecure and
      shouldn't be used for anything new. Fixes bug 8792; patch
      from Arlo Breault.
    - Remove instances of strcpy() from the unit tests. They weren't
      hurting anything, since they were only in the unit tests, but it's
      embarassing to have strcpy() in the code at all, and some analysis
      tools don't like it. Fixes bug 8790; bugfix on and Patch from Arlo Breault.

  o Removed features:
    - Remove migration code from when we renamed the "cached-routers"
      file to "cached-descriptors" back in This
      incidentally resolves ticket 6502 by cleaning up the related code
      a bit. Patch from Akshay Hebbar.

  o Code simplification and refactoring:
    - Extract the common duplicated code for creating a subdirectory
      of the data directory and writing to a file in it. Fixes ticket
      4282; patch from Peter Retzlaff.
    - Since OpenSSL 0.9.7, the i2d_*() functions support allocating output
      buffer. Avoid calling twice: i2d_RSAPublicKey(), i2d_DHparams(),
      i2d_X509(), and i2d_PublicKey(). Resolves ticket 5170.
    - Add a set of accessor functions for the circuit timeout data
      structure. Fixes ticket 6153; patch from "piet".
    - Clean up exit paths from connection_listener_new(). Closes ticket
      8789. Patch from Arlo Breault.
    - Since we rely on OpenSSL 0.9.8 now, we can use EVP_PKEY_cmp()
      and drop our own custom pkey_eq() implementation. Fixes bug 9043.
    - Use a doubly-linked list to implement the global circuit list.
      Resolves ticket 9108. Patch from Marek Majkowski.
    - Remove contrib/id_to_fp.c since it wasn't used anywhere.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20131002/c814ff4b/attachment-0001.sig>

More information about the tor-talk mailing list