Hi, friends. Here's what I did in April 2014. The heartbleed bug went public, and like all the rest of the openssl-using world, we had to run in circles. Other people did much more work here than I; I wrote a couple of design proposals for how to do RSA1024 migration "the right way" (proposals 230, 231), and wrote the code to block authority signing keys that had been used on authorities while the bug was in effect (#11464)
We've been charging ahead on getting 0.2.5.x-alpha out. This month, we put out Tor 0.2.5.4-alpha. We merged dozens of fixes and patches, including some for IPv6 usage, IPv6 with DNSPorts, pluggable transport usability, and *BSD transparent proxies. Code I worked on myself included * authority signing key blocking (11464) * Numerous sandbox code fixes * automatic support for the AddressSanitizer and UbSan sanitizers for run-time checking for a number of security issues. (11477) * Numerous pluggable transport and client usability fixes, particularly at bootstrap time (eg 9665, 2454) * Improved memory-DoS resistance by using measured memory levels to decide when we're almost out of memory. * major performance improvement (conjectured) when running a relay that's low on circuit IDs. (11553) * fix a significant memory leak in microdesc parsing (11649) I went methodically through the code-analysis tools we've tried, including several with high with false positive rates, looking for bugs in Tor. These led to a couple of important fixes and a lot of code improvements. Tools used include clang's dynamic sanitizers (see above, 11232), clang's static analysis tool (8793), valgrind on the unit tests (11649, 11618), coverity scan, and our own check-docs tool. I updated the client and server ciphersuites in Tor's TLS usage to prefer the use of ECDHE with strong ciphers, and to match (on the client side) a newer firefox ciphersuite lists. (11438, 11513, 11528). I merged proposals 232 to 236 to the torspec repository. I started work on a "roadmap" -- really, a list of all the coding projects I'd like us to do in tor over the next few years. It's been a while since we had one. I finished the first major section and started on the second. I participated in the last stages of student selection for GSoC, and talked with the accepted students about preparing their projects. Towards the end of the month, I triaged the tickets pending backport for 0.2.4.x in , and spent a lot of time discussing proper criteria for backports to stable. In May: * I hope we can put out a stable 0.2.4.22, and an 0.2.5.5-alpha with (nearly?) all of the issues in 0.2.5 resolved. * I hope I can finally finish that roadmap thing. * I should revise proposals that target 0.2.6. * I hope we can do some 0.2.6 work at last! cheers! -- Nick _______________________________________________ tor-reports mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-reports
