Changes in version 0.2.5.4-alpha - 2014-04-25 Tor 0.2.5.4-alpha includes several security and performance improvements for clients and relays, including blacklisting authority signing keys that were used while susceptible to the OpenSSL "heartbleed" bug, fixing two expensive functions on busy relays, improved TLS ciphersuite preference lists, support for run-time hardening on compilers that support AddressSanitizer, and more work on the Linux sandbox code.
There are also several usability fixes for clients (especially clients that use bridges), two new TransPort protocols supported (one on OpenBSD, one on FreeBSD), and various other bugfixes. This release marks end-of-life for Tor 0.2.2.x; those Tor versions have accumulated many known flaws; everyone should upgrade. The source is ready today; packages should be ready in the next several days. (I'm trying to take some load off of Roger's shoulders by doing releases myself. This means that the signatures on the release are be made with my PGP key, not Roger's. Please don't freak out.) https://www.torproject.org/dist/ o Major features (security): - If you don't specify MaxMemInQueues yourself, Tor now tries to pick a good value based on your total system memory. Previously, the default was always 8 GB. You can still override the default by setting MaxMemInQueues yourself. Resolves ticket 11396. - Block authority signing keys that were used on authorities vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We don't have any evidence that these keys _were_ compromised; we're doing this to be prudent.) Resolves ticket 11464. o Major features (relay performance): - Speed up server-side lookups of rendezvous and introduction point circuits by using hashtables instead of linear searches. These functions previously accounted between 3 and 7% of CPU usage on some busy relays. Resolves ticket 9841. - Avoid wasting CPU when extending a circuit over a channel that is nearly out of circuit IDs. Previously, we would do a linear scan over possible circuit IDs before finding one or deciding that we had exhausted our possibilities. Now, we try at most 64 random circuit IDs before deciding that we probably won't succeed. Fixes a possible root cause of ticket 11553. o Major features (seccomp2 sandbox, Linux only): - The seccomp2 sandbox can now run a test network for multiple hours without crashing. The sandbox is still experimental, and more bugs will probably turn up. To try it, enable "Sandbox 1" on a Linux host. Resolves ticket 11351. - Strengthen sandbox code: the sandbox can now test the arguments for rename(), and blocks _sysctl() entirely. Resolves another part of ticket 11351. - When the sandbox blocks a system call, it now tries to log a stack trace before exiting. Resolves ticket 11465. o Major bugfixes (TLS cipher selection): - The relay ciphersuite list is now generated automatically based on uniform criteria, and includes all OpenSSL ciphersuites with acceptable strength and forward secrecy. Previously, we had left some perfectly fine ciphersuites unsupported due to omission or typo. Resolves bugs 11513, 11492, 11498, 11499. Bugs reported by 'cypherpunks'. Bugfix on 0.2.4.8-alpha. - Relays now trust themselves to have a better view than clients of which TLS ciphersuites are better than others. (Thanks to bug 11513, the relay list is now well-considered, whereas the client list has been chosen mainly for anti-fingerprinting purposes.) Relays prefer: AES over 3DES; then ECDHE over DHE; then GCM over CBC; then SHA384 over SHA256 over SHA1; and last, AES256 over AES128. Resolves ticket 11528. - Clients now try to advertise the same list of ciphersuites as Firefox 28. This change enables selection of (fast) GCM ciphersuites, disables some strange old ciphers, and stops advertising the ECDH (not to be confused with ECDHE) ciphersuites. Resolves ticket 11438. o Major bugfixes (bridge client): - Avoid 60-second delays in the bootstrapping process when Tor is launching for a second time while using bridges. Fixes bug 9229; bugfix on 0.2.0.3-alpha. o Minor features (transparent proxy, *BSD): - Support FreeBSD's ipfw firewall interface for TransPort ports on FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket 10267; patch from "yurivict". - Support OpenBSD's divert-to rules with the pf firewall for transparent proxy ports. To enable it, set "TransProxyType pf-divert". This allows Tor to run a TransPort transparent proxy port on OpenBSD 4.4 or later without root privileges. See the pf.conf(5) manual page for information on configuring pf to use divert-to rules. Closes ticket 10896; patch from Dana Koch. o Minor features (security): - New --enable-expensive-hardening option to enable security hardening options that consume nontrivial amounts of CPU and memory. Right now, this includes AddressSanitizer and UbSan, which are supported in newer versions of GCC and Clang. Closes ticket 11477. o Minor features (log verbosity): - Demote the message that we give when a flushing connection times out for too long from NOTICE to INFO. It was usually meaningless. Resolves ticket 5286. - Don't log so many notice-level bootstrapping messages at startup about downloading descriptors. Previously, we'd log a notice whenever we learned about more routers. Now, we only log a notice at every 5% of progress. Fixes bug 9963. - Warn less verbosely when receiving a malformed ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279. - When we run out of usable circuit IDs on a channel, log only one warning for the whole channel, and describe how many circuits there were on the channel. Fixes part of ticket 11553. o Minor features (relay): - If a circuit timed out for at least 3 minutes, check if we have a new external IP address, and publish a new descriptor with the new IP address if it changed. Resolves ticket 2454. o Minor features (controller): - Make the entire exit policy available from the control port via GETINFO exit-policy/*. Implements enhancement 7952. Patch from "rl1987". - Because of the fix for ticket 11396, the real limit for memory usage may no longer match the configured MaxMemInQueues value. The real limit is now exposed via GETINFO limits/max-mem-in-queues. o Minor features (bridge client): - Report a more useful failure message when we can't connect to a bridge because we don't have the right pluggable transport configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto. o Minor features (diagnostic): - Add more log messages to diagnose bug 7164, which causes intermittent "microdesc_free() called but md was still referenced" warnings. We now include more information, to figure out why we might be cleaning a microdescriptor for being too old if it's still referenced by a live node_t object. o Minor bugfixes (client, DNSPort): - When using DNSPort, try to respond to AAAA requests with AAAA answers. Previously, we hadn't looked at the request type when deciding which answer type to prefer. Fixes bug 10468; bugfix on 0.2.4.7-alpha. - When receiving a DNS query for an unsupported record type, reply with no answer rather than with a NOTIMPL error. This behavior isn't correct either, but it will break fewer client programs, we hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch from "epoch". o Minor bugfixes (exit relay): - Stop leaking memory when we successfully resolve a PTR record. Fixes bug 11437; bugfix on 0.2.4.7-alpha. o Minor bugfixes (bridge client): - Stop accepting bridge lines containing hostnames. Doing so would cause clients to perform DNS requests on the hostnames, which was not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha. - Avoid a 60-second delay in the bootstrapping process when a Tor client with pluggable transports re-reads its configuration at just the wrong time. Re-fixes bug 11156; bugfix on 0.2.5.3-alpha. o Minor bugfixes (client, logging during bootstrap): - Warn only once if we start logging in an unsafe way. Previously, we complain as many times as we had problems. Fixes bug 9870; bugfix on 0.2.5.1-alpha. - Only report the first fatal bootstrap error on a given OR connection. This stops us from telling the controller bogus error messages like "DONE". Fixes bug 10431; bugfix on 0.2.1.1-alpha. - Be more helpful when trying to run sandboxed on Linux without libseccomp. Instead of saying "Sandbox is not implemented on this platform", we now explain that we need to be built with libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha. - Avoid generating spurious warnings when starting with DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on 0.2.3.9-alpha. o Minor bugfixes (closing OR connections): - If write_to_buf() in connection_write_to_buf_impl_() ever fails, check if it's an or_connection_t and correctly call connection_or_close_for_error() rather than connection_mark_for_close() directly. Fixes bug 11304; bugfix on 0.2.4.4-alpha. - When closing all connections on setting DisableNetwork to 1, use connection_or_close_normally() rather than closing OR connections out from under the channel layer. Fixes bug 11306; bugfix on 0.2.4.4-alpha. o Minor bugfixes (controller): - Avoid sending a garbage value to the controller when a circuit is cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha. o Minor bugfixes (tor-fw-helper): - Allow tor-fw-helper to build again by adding src/ext to its CPPFLAGS. Fixes bug 11296; bugfix on 0.2.5.3-alpha. o Minor bugfixes (bridges): - Avoid potential crashes or bad behavior when launching a server-side managed proxy with ORPort or ExtORPort temporarily disabled. Fixes bug 9650; bugfix on 0.2.3.16-alpha. o Minor bugfixes (platform-specific): - Fix compilation on Solaris, which does not have <endian.h>. Fixes bug 11426; bugfix on 0.2.5.3-alpha. - When dumping a malformed directory object to disk, save it in binary mode on Windows, not text mode. Fixes bug 11342; bugfix on 0.2.2.1-alpha. - Don't report failures from make_socket_reuseable() on incoming sockets on OSX: this can happen when incoming connections close early. Fixes bug 10081. o Minor bugfixes (trivial memory leaks): - Fix a small memory leak when signing a directory object. Fixes bug 11275; bugfix on 0.2.4.13-alpha. - Free placeholder entries in our circuit table at exit; fixes a harmless memory leak. Fixes bug 11278; bugfix on 0.2.5.1-alpha. - Don't re-initialize a second set of OpenSSL mutexes when starting up. Previously, we'd make one set of mutexes, and then immediately replace them with another. Fixes bug 11726; bugfix on 0.2.5.3-alpha. - Resolve some memory leaks found by coverity in the unit tests, on exit in tor-gencert, and on a failure to compute digests for our own keys when generating a v3 networkstatus vote. These leaks should never have affected anyone in practice. o Minor bugfixes (hidden service): - Only retry attempts to connect to a chosen rendezvous point 8 times, not 30. Fixes bug 4241; bugfix on 0.1.0.1-rc. o Minor bugfixes (misc code correctness): - Fix various instances of undefined behavior in channeltls.c, tor_memmem(), and eventdns.c that would cause us to construct pointers to memory outside an allocated object. (These invalid pointers were not accessed, but C does not even allow them to exist.) Fixes bug 10363; bugfixes on 0.1.1.1-alpha, 0.1.2.1-alpha, 0.2.0.10-alpha, and 0.2.3.6-alpha. Reported by "bobnomnom". - Use the AddressSanitizer and Ubsan sanitizers (in clang-3.4) to fix some miscellaneous errors in our tests and codebase. Fixes bug 11232. Bugfixes on versions back as far as 0.2.1.11-alpha. - Always check return values for unlink, munmap, UnmapViewOfFile; check strftime return values more often. In some cases all we can do is report a warning, but this may help prevent deeper bugs from going unnoticed. Closes ticket 8787; bugfixes on many, many tor versions. - Fix numerous warnings from the clang "scan-build" static analyzer. Some of these are programming style issues; some of them are false positives that indicated awkward code; some are undefined behavior cases related to constructing (but not using) invalid pointers; some are assumptions about API behavior; some are (harmlessly) logging sizeof(ptr) bytes from a token when sizeof(*ptr) would be correct; and one or two are genuine bugs that weren't reachable from the rest of the program. Fixes bug 8793; bugfixes on many, many tor versions. o Documentation: - Build the torify.1 manpage again. Previously, we were only trying to build it when also building tor-fw-helper. That's why we didn't notice that we'd broken the ability to build it. Fixes bug 11321; bugfix on 0.2.5.1-alpha. - Fix the layout of the SOCKSPort flags in the manpage. Fixes bug 11061; bugfix on 0.2.4.7-alpha. - Correctly document that we search for a system torrc file before looking in ~/.torrc. Fixes documentation side of 9213; bugfix on 0.2.3.18-rc. - Resolve warnings from Doxygen. o Code simplifications and refactoring: - Remove is_internal_IP() function. Resolves ticket 4645. - Remove unused function circuit_dump_by_chan from circuitlist.c. Closes issue 9107; patch from "marek". - Change our use of the ENUM_BF macro to avoid declarations that confuse Doxygen. o Deprecated versions: - Tor 0.2.2.x has reached end-of-life; it has received no patches or attention for some while. Directory authorities no longer accept descriptors from relays running any version of Tor prior to Tor 0.2.3.16-alpha. Resolves ticket 11149. o Testing: - New macros in test.h to simplify writing mock-functions for unit tests. Part of ticket 11507. Patch from Dana Koch. - Complete tests for the status.c module. Resolves ticket 11507. Patch from Dana Koch. o Removed code: - Remove all code for the long unused v1 directory protocol. Resolves ticket 11070. -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
