Update net/tor to version 0.4.2.5
Changelog:
Changes in version 0.4.2.5 - 2019-12-09
This is the first stable release in the 0.4.2.x series. This series
improves reliability and stability, and includes several stability and
correctness improvements for onion services. It also fixes many smaller
bugs present in previous series.
Per our support policy, we will support the 0.4.2.x series for nine
months, or until three months after the release of a stable 0.4.3.x:
whichever is longer. If you need longer-term support, please stick
with 0.3.5.x, which will we plan to support until Feb 2022.
Per our support policy, we will support the 0.4.2.x series for nine
months, or until three months after the release of a stable 0.4.3.x:
whichever is longer. If you need longer-term support, please stick
with 0.3.5.x, which will we plan to support until Feb 2022.
Below are the changes since 0.4.1.4-rc. For a complete list of changes
since 0.4.1.5, see the ReleaseNotes file.
o Minor features (geoip):
- Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2
Country database. Closes ticket 32685.
o Testing:
- Require C99 standards-conforming code in Travis CI, but allow GNU
gcc extensions. Also activates clang's -Wtypedef-redefinition
warnings. Build some jobs with -std=gnu99, and some jobs without.
Closes ticket 32500.
Changes in version 0.4.2.4-rc - 2019-11-15
Tor 0.4.2.4-rc is the first release candidate in its series. It fixes
several bugs from earlier versions, including a few that would result in
stack traces or incorrect behavior.
o Minor features (build system):
- Make pkg-config use --prefix when cross-compiling, if
PKG_CONFIG_PATH is not set. Closes ticket 32191.
o Minor features (geoip):
- Update geoip and geoip6 to the November 6 2019 Maxmind GeoLite2
Country database. Closes ticket 32440.
o Minor bugfixes (client, onion service v3):
- Fix a BUG() assertion that occurs within a very small race window
between when a client intro circuit opens and when its descriptor
gets cleaned up from the cache. The circuit is now closed early,
which will trigger a re-fetch of the descriptor and continue the
connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (code quality):
- Fix "make check-includes" so it runs correctly on out-of-tree
builds. Fixes bug 31335; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (configuration):
- Log the option name when skipping an obsolete option. Fixes bug
32295; bugfix on 0.4.2.1-alpha.
o Minor bugfixes (crash):
- When running Tor with an option like --verify-config or
--dump-config that does not start the event loop, avoid crashing
if we try to exit early because of an error. Fixes bug 32407;
bugfix on 0.3.3.1-alpha.
o Minor bugfixes (directory):
- When checking if a directory connection is anonymous, test if the
circuit was marked for close before looking at its channel. This
avoids a BUG() stacktrace if the circuit was previously closed.
Fixes bug 31958; bugfix on 0.4.2.1-alpha.
o Minor bugfixes (shellcheck):
- Fix minor shellcheck errors in the git-*.sh scripts. Fixes bug
32402; bugfix on 0.4.2.1-alpha.
- Start checking most scripts for shellcheck errors again. Fixes bug
32402; bugfix on 0.4.2.1-alpha.
o Testing (continuous integration):
- Use Ubuntu Bionic images for our Travis CI builds, so we can get a
recent version of coccinelle. But leave chutney on Ubuntu Trusty,
until we can fix some Bionic permissions issues (see ticket
32240). Related to ticket 31919.
- Install the mingw OpenSSL package in Appveyor. This makes sure
that the OpenSSL headers and libraries match in Tor's Appveyor
builds. (This bug was triggered by an Appveyor image update.)
Fixes bug 32449; bugfix on 0.3.5.6-rc.
- In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.
Changes in version 0.4.2.3-alpha - 2019-10-24
This release fixes several bugs from the previous alpha release, and
from earlier versions of Tor.
o Major bugfixes (relay):
- Relays now respect their AccountingMax bandwidth again. When
relays entered "soft" hibernation (which typically starts when
we've hit 90% of our AccountingMax), we had stopped checking
whether we should enter hard hibernation. Soft hibernation refuses
new connections and new circuits, but the existing circuits can
continue, meaning that relays could have exceeded their configured
AccountingMax. Fixes bug 32108; bugfix on 0.4.0.1-alpha.
o Major bugfixes (v3 onion services):
- Onion services now always use the exact number of intro points
configured with the HiddenServiceNumIntroductionPoints option (or
fewer if nodes are excluded). Before, a service could sometimes
pick more intro points than configured. Fixes bug 31548; bugfix
on 0.3.2.1-alpha.
o Minor feature (onion services, control port):
- The ADD_ONION command's keyword "BEST" now defaults to ED25519-V3
(v3) onion services. Previously it defaulted to RSA1024 (v2).
Closes ticket 29669.
o Minor features (testing):
- When running tests that attempt to look up hostnames, replace the
libc name lookup functions with ones that do not actually touch
the network. This way, the tests complete more quickly in the
presence of a slow or missing DNS resolver. Closes ticket 31841.
o Minor features (testing, continuous integration):
- Disable all but one Travis CI macOS build, to mitigate slow
scheduling of Travis macOS jobs. Closes ticket 32177.
- Run the chutney IPv6 networks as part of Travis CI. Closes
ticket 30860.
- Simplify the Travis CI build matrix, and optimise for build time.
Closes ticket 31859.
- Use Windows Server 2019 instead of Windows Server 2016 in our
Appveyor builds. Closes ticket 32086.
o Minor bugfixes (build system):
- Interpret "--disable-module-dirauth=no" correctly. Fixes bug
32124; bugfix on 0.3.4.1-alpha.
- Interpret "--with-tcmalloc=no" correctly. Fixes bug 32124; bugfix
on 0.2.0.20-rc.
- Stop failing when jemalloc is requested, but tcmalloc is not
found. Fixes bug 32124; bugfix on 0.3.5.1-alpha.
- When pkg-config is not installed, or a library that depends on
pkg-config is not found, tell the user what to do to fix the
problem. Fixes bug 31922; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (connections):
- Avoid trying to read data from closed connections, which can cause
needless loops in Libevent and infinite loops in Shadow. Fixes bug
30344; bugfix on 0.1.1.1-alpha.
o Minor bugfixes (error handling):
- Always lock the backtrace buffer before it is used. Fixes bug
31734; bugfix on 0.2.5.3-alpha.
o Minor bugfixes (mainloop, periodic events, in-process API):
- Reset the periodic events' "enabled" flag when Tor is shut down
cleanly. Previously, this flag was left on, which caused periodic
events not to be re-enabled when Tor was relaunched in-process
with tor_api.h after a shutdown. Fixes bug 32058; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (process management):
- Remove overly strict assertions that triggered when a pluggable
transport failed to launch. Fixes bug 31091; bugfix
on 0.4.0.1-alpha.
- Remove an assertion in the Unix process backend. This assertion
would trigger when we failed to find the executable for a child
process. Fixes bug 31810; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (testing):
- Avoid intermittent test failures due to a test that had relied on
inconsistent timing sources. Fixes bug 31995; bugfix
on 0.3.1.3-alpha.
- When testing port rebinding, don't busy-wait for tor to log.
Instead, actually sleep for a short time before polling again.
Also improve the formatting of control commands and log messages.
Fixes bug 31837; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (tls, logging):
- Log bugs about the TLS read buffer's length only once, rather than
filling the logs with similar warnings. Fixes bug 31939; bugfix
on 0.3.0.4-rc.
o Minor bugfixes (v3 onion services):
- Fix an implicit conversion from ssize_t to size_t discovered by
Coverity. Fixes bug 31682; bugfix on 0.4.2.1-alpha.
- Fix a memory leak in an unlikely error code path when encoding HS
DoS establish intro extension cell. Fixes bug 32063; bugfix
on 0.4.2.1-alpha.
- When cleaning up intro circuits for a v3 onion service, don't
remove circuits that have an established or pending circuit, even
if they ran out of retries. This way, we don't remove a circuit on
its last retry. Fixes bug 31652; bugfix on 0.3.2.1-alpha.
o Documentation:
- Correct the description of "GuardLifetime". Fixes bug 31189;
bugfix on 0.3.0.1-alpha.
- Make clear in the man page, in both the bandwidth section and the
AccountingMax section, that Tor counts in powers of two, not
powers of ten: 1 GByte is 1024*1024*1024 bytes, not one billion
bytes. Resolves ticket 32106.
Changes in version 0.4.2.2-alpha - 2019-10-07
This release fixes several bugs from the previous alpha release, and
from earlier versions. It also includes a change in authorities, so
that they begin to reject the currently unsupported release series.
o Major features (directory authorities):
- Directory authorities now reject relays running all currently
deprecated release series. The currently supported release series
are: 0.2.9, 0.3.5, 0.4.0, 0.4.1, and 0.4.2. Closes ticket 31549.
o Major bugfixes (embedded Tor):
- Avoid a possible crash when restarting Tor in embedded mode and
enabling a different set of publish/subscribe messages. Fixes bug
31898; bugfix on 0.4.1.1-alpha.
o Major bugfixes (torrc parsing):
- Stop ignoring torrc options after an %include directive, when the
included directory ends with a file that does not contain any
config options (but does contain comments or whitespace). Fixes
bug 31408; bugfix on 0.3.1.1-alpha.
o Minor features (auto-formatting scripts):
- When annotating C macros, never generate a line that our check-
spaces script would reject. Closes ticket 31759.
- When annotating C macros, try to remove cases of double-negation.
Closes ticket 31779.
o Minor features (continuous integration):
- When building on Appveyor and Travis, pass the "-k" flag to make,
so that we are informed of all compilation failures, not just the
first one or two. Closes ticket 31372.
o Minor features (geoip):
- Update geoip and geoip6 to the October 1 2019 Maxmind GeoLite2
Country database. Closes ticket 31931.
o Minor features (maintenance scripts):
- Add a Coccinelle script to detect bugs caused by incrementing or
decrementing a variable inside a call to log_debug(). Since
log_debug() is a macro whose arguments are conditionally
evaluated, it is usually an error to do this. One such bug was
30628, in which SENDME cells were miscounted by a decrement
operator inside a log_debug() call. Closes ticket 30743.
o Minor features (onion services v3):
- Assist users who try to setup v2 client authorization in v3 onion
services by pointing them to the right documentation. Closes
ticket 28966.
o Minor bugfixes (Appveyor continuous integration):
- Avoid spurious errors when Appveyor CI fails before the install
step. Fixes bug 31884; bugfix on 0.3.4.2-alpha.
o Minor bugfixes (best practices tracker):
- When listing overbroad exceptions, do not also list problems, and
do not list insufficiently broad exceptions. Fixes bug 31338;
bugfix on 0.4.2.1-alpha.
o Minor bugfixes (controller protocol):
- Fix the MAPADDRESS controller command to accept one or more
arguments. Previously, it required two or more arguments, and
ignored the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (logging):
- Add a missing check for HAVE_PTHREAD_H, because the backtrace code
uses mutexes. Fixes bug 31614; bugfix on 0.2.5.2-alpha.
- Disable backtrace signal handlers when shutting down tor. Fixes
bug 31614; bugfix on 0.2.5.2-alpha.
- Rate-limit our the logging message about the obsolete .exit
notation. Previously, there was no limit on this warning, which
could potentially be triggered many times by a hostile website.
Fixes bug 31466; bugfix on 0.2.2.1-alpha.
- When initialising log domain masks, only set known log domains.
Fixes bug 31854; bugfix on 0.2.1.1-alpha.
o Minor bugfixes (logging, protocol violations):
- Do not log a nonfatal assertion failure when receiving a VERSIONS
cell on a connection using the obsolete v1 link protocol. Log a
protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (modules):
- Explain what the optional Directory Authority module is, and what
happens when it is disabled. Fixes bug 31825; bugfix
on 0.3.4.1-alpha.
o Minor bugfixes (multithreading):
- Avoid some undefined behaviour when freeing mutexes. Fixes bug
31736; bugfix on 0.0.7.
o Minor bugfixes (relay):
- Avoid crashing when starting with a corrupt keys directory where
the old ntor key and the new ntor key are identical. Fixes bug
30916; bugfix on 0.2.4.8-alpha.
o Minor bugfixes (tests, SunOS):
- Avoid a map_anon_nofork test failure due to a signed/unsigned
integer comparison. Fixes bug 31897; bugfix on 0.4.1.1-alpha.
o Code simplification and refactoring:
- Refactor connection_control_process_inbuf() to reduce the size of
a practracker exception. Closes ticket 31840.
- Refactor the microdescs_parse_from_string() function into smaller
pieces, for better comprehensibility. Closes ticket 31675.
- Use SEVERITY_MASK_IDX() to find the LOG_* mask indexes in the unit
tests and fuzzers, rather than using hard-coded values. Closes
ticket 31334.
- Interface for function `decrypt_desc_layer` cleaned up. Closes
ticket 31589.
o Documentation:
- Document the signal-safe logging behaviour in the tor man page.
Also add some comments to the relevant functions. Closes
ticket 31839.
- Explain why we can't destroy the backtrace buffer mutex. Explain
why we don't need to destroy the log mutex. Closes ticket 31736.
- The Tor source code repository now includes a (somewhat dated)
description of Tor's modular architecture, in doc/HACKING/design.
This is based on the old "tor-guts.git" repository, which we are
adopting and superseding. Closes ticket 31849.
2019-12-10 14:06:23 +01:00
|
|
|
# $NetBSD: Makefile,v 1.147 2019/12/10 13:06:23 ng0 Exp $
|
2004-08-13 21:33:41 +02:00
|
|
|
|
Update net/tor to version 0.4.2.5
Changelog:
Changes in version 0.4.2.5 - 2019-12-09
This is the first stable release in the 0.4.2.x series. This series
improves reliability and stability, and includes several stability and
correctness improvements for onion services. It also fixes many smaller
bugs present in previous series.
Per our support policy, we will support the 0.4.2.x series for nine
months, or until three months after the release of a stable 0.4.3.x:
whichever is longer. If you need longer-term support, please stick
with 0.3.5.x, which will we plan to support until Feb 2022.
Per our support policy, we will support the 0.4.2.x series for nine
months, or until three months after the release of a stable 0.4.3.x:
whichever is longer. If you need longer-term support, please stick
with 0.3.5.x, which will we plan to support until Feb 2022.
Below are the changes since 0.4.1.4-rc. For a complete list of changes
since 0.4.1.5, see the ReleaseNotes file.
o Minor features (geoip):
- Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2
Country database. Closes ticket 32685.
o Testing:
- Require C99 standards-conforming code in Travis CI, but allow GNU
gcc extensions. Also activates clang's -Wtypedef-redefinition
warnings. Build some jobs with -std=gnu99, and some jobs without.
Closes ticket 32500.
Changes in version 0.4.2.4-rc - 2019-11-15
Tor 0.4.2.4-rc is the first release candidate in its series. It fixes
several bugs from earlier versions, including a few that would result in
stack traces or incorrect behavior.
o Minor features (build system):
- Make pkg-config use --prefix when cross-compiling, if
PKG_CONFIG_PATH is not set. Closes ticket 32191.
o Minor features (geoip):
- Update geoip and geoip6 to the November 6 2019 Maxmind GeoLite2
Country database. Closes ticket 32440.
o Minor bugfixes (client, onion service v3):
- Fix a BUG() assertion that occurs within a very small race window
between when a client intro circuit opens and when its descriptor
gets cleaned up from the cache. The circuit is now closed early,
which will trigger a re-fetch of the descriptor and continue the
connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (code quality):
- Fix "make check-includes" so it runs correctly on out-of-tree
builds. Fixes bug 31335; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (configuration):
- Log the option name when skipping an obsolete option. Fixes bug
32295; bugfix on 0.4.2.1-alpha.
o Minor bugfixes (crash):
- When running Tor with an option like --verify-config or
--dump-config that does not start the event loop, avoid crashing
if we try to exit early because of an error. Fixes bug 32407;
bugfix on 0.3.3.1-alpha.
o Minor bugfixes (directory):
- When checking if a directory connection is anonymous, test if the
circuit was marked for close before looking at its channel. This
avoids a BUG() stacktrace if the circuit was previously closed.
Fixes bug 31958; bugfix on 0.4.2.1-alpha.
o Minor bugfixes (shellcheck):
- Fix minor shellcheck errors in the git-*.sh scripts. Fixes bug
32402; bugfix on 0.4.2.1-alpha.
- Start checking most scripts for shellcheck errors again. Fixes bug
32402; bugfix on 0.4.2.1-alpha.
o Testing (continuous integration):
- Use Ubuntu Bionic images for our Travis CI builds, so we can get a
recent version of coccinelle. But leave chutney on Ubuntu Trusty,
until we can fix some Bionic permissions issues (see ticket
32240). Related to ticket 31919.
- Install the mingw OpenSSL package in Appveyor. This makes sure
that the OpenSSL headers and libraries match in Tor's Appveyor
builds. (This bug was triggered by an Appveyor image update.)
Fixes bug 32449; bugfix on 0.3.5.6-rc.
- In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.
Changes in version 0.4.2.3-alpha - 2019-10-24
This release fixes several bugs from the previous alpha release, and
from earlier versions of Tor.
o Major bugfixes (relay):
- Relays now respect their AccountingMax bandwidth again. When
relays entered "soft" hibernation (which typically starts when
we've hit 90% of our AccountingMax), we had stopped checking
whether we should enter hard hibernation. Soft hibernation refuses
new connections and new circuits, but the existing circuits can
continue, meaning that relays could have exceeded their configured
AccountingMax. Fixes bug 32108; bugfix on 0.4.0.1-alpha.
o Major bugfixes (v3 onion services):
- Onion services now always use the exact number of intro points
configured with the HiddenServiceNumIntroductionPoints option (or
fewer if nodes are excluded). Before, a service could sometimes
pick more intro points than configured. Fixes bug 31548; bugfix
on 0.3.2.1-alpha.
o Minor feature (onion services, control port):
- The ADD_ONION command's keyword "BEST" now defaults to ED25519-V3
(v3) onion services. Previously it defaulted to RSA1024 (v2).
Closes ticket 29669.
o Minor features (testing):
- When running tests that attempt to look up hostnames, replace the
libc name lookup functions with ones that do not actually touch
the network. This way, the tests complete more quickly in the
presence of a slow or missing DNS resolver. Closes ticket 31841.
o Minor features (testing, continuous integration):
- Disable all but one Travis CI macOS build, to mitigate slow
scheduling of Travis macOS jobs. Closes ticket 32177.
- Run the chutney IPv6 networks as part of Travis CI. Closes
ticket 30860.
- Simplify the Travis CI build matrix, and optimise for build time.
Closes ticket 31859.
- Use Windows Server 2019 instead of Windows Server 2016 in our
Appveyor builds. Closes ticket 32086.
o Minor bugfixes (build system):
- Interpret "--disable-module-dirauth=no" correctly. Fixes bug
32124; bugfix on 0.3.4.1-alpha.
- Interpret "--with-tcmalloc=no" correctly. Fixes bug 32124; bugfix
on 0.2.0.20-rc.
- Stop failing when jemalloc is requested, but tcmalloc is not
found. Fixes bug 32124; bugfix on 0.3.5.1-alpha.
- When pkg-config is not installed, or a library that depends on
pkg-config is not found, tell the user what to do to fix the
problem. Fixes bug 31922; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (connections):
- Avoid trying to read data from closed connections, which can cause
needless loops in Libevent and infinite loops in Shadow. Fixes bug
30344; bugfix on 0.1.1.1-alpha.
o Minor bugfixes (error handling):
- Always lock the backtrace buffer before it is used. Fixes bug
31734; bugfix on 0.2.5.3-alpha.
o Minor bugfixes (mainloop, periodic events, in-process API):
- Reset the periodic events' "enabled" flag when Tor is shut down
cleanly. Previously, this flag was left on, which caused periodic
events not to be re-enabled when Tor was relaunched in-process
with tor_api.h after a shutdown. Fixes bug 32058; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (process management):
- Remove overly strict assertions that triggered when a pluggable
transport failed to launch. Fixes bug 31091; bugfix
on 0.4.0.1-alpha.
- Remove an assertion in the Unix process backend. This assertion
would trigger when we failed to find the executable for a child
process. Fixes bug 31810; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (testing):
- Avoid intermittent test failures due to a test that had relied on
inconsistent timing sources. Fixes bug 31995; bugfix
on 0.3.1.3-alpha.
- When testing port rebinding, don't busy-wait for tor to log.
Instead, actually sleep for a short time before polling again.
Also improve the formatting of control commands and log messages.
Fixes bug 31837; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (tls, logging):
- Log bugs about the TLS read buffer's length only once, rather than
filling the logs with similar warnings. Fixes bug 31939; bugfix
on 0.3.0.4-rc.
o Minor bugfixes (v3 onion services):
- Fix an implicit conversion from ssize_t to size_t discovered by
Coverity. Fixes bug 31682; bugfix on 0.4.2.1-alpha.
- Fix a memory leak in an unlikely error code path when encoding HS
DoS establish intro extension cell. Fixes bug 32063; bugfix
on 0.4.2.1-alpha.
- When cleaning up intro circuits for a v3 onion service, don't
remove circuits that have an established or pending circuit, even
if they ran out of retries. This way, we don't remove a circuit on
its last retry. Fixes bug 31652; bugfix on 0.3.2.1-alpha.
o Documentation:
- Correct the description of "GuardLifetime". Fixes bug 31189;
bugfix on 0.3.0.1-alpha.
- Make clear in the man page, in both the bandwidth section and the
AccountingMax section, that Tor counts in powers of two, not
powers of ten: 1 GByte is 1024*1024*1024 bytes, not one billion
bytes. Resolves ticket 32106.
Changes in version 0.4.2.2-alpha - 2019-10-07
This release fixes several bugs from the previous alpha release, and
from earlier versions. It also includes a change in authorities, so
that they begin to reject the currently unsupported release series.
o Major features (directory authorities):
- Directory authorities now reject relays running all currently
deprecated release series. The currently supported release series
are: 0.2.9, 0.3.5, 0.4.0, 0.4.1, and 0.4.2. Closes ticket 31549.
o Major bugfixes (embedded Tor):
- Avoid a possible crash when restarting Tor in embedded mode and
enabling a different set of publish/subscribe messages. Fixes bug
31898; bugfix on 0.4.1.1-alpha.
o Major bugfixes (torrc parsing):
- Stop ignoring torrc options after an %include directive, when the
included directory ends with a file that does not contain any
config options (but does contain comments or whitespace). Fixes
bug 31408; bugfix on 0.3.1.1-alpha.
o Minor features (auto-formatting scripts):
- When annotating C macros, never generate a line that our check-
spaces script would reject. Closes ticket 31759.
- When annotating C macros, try to remove cases of double-negation.
Closes ticket 31779.
o Minor features (continuous integration):
- When building on Appveyor and Travis, pass the "-k" flag to make,
so that we are informed of all compilation failures, not just the
first one or two. Closes ticket 31372.
o Minor features (geoip):
- Update geoip and geoip6 to the October 1 2019 Maxmind GeoLite2
Country database. Closes ticket 31931.
o Minor features (maintenance scripts):
- Add a Coccinelle script to detect bugs caused by incrementing or
decrementing a variable inside a call to log_debug(). Since
log_debug() is a macro whose arguments are conditionally
evaluated, it is usually an error to do this. One such bug was
30628, in which SENDME cells were miscounted by a decrement
operator inside a log_debug() call. Closes ticket 30743.
o Minor features (onion services v3):
- Assist users who try to setup v2 client authorization in v3 onion
services by pointing them to the right documentation. Closes
ticket 28966.
o Minor bugfixes (Appveyor continuous integration):
- Avoid spurious errors when Appveyor CI fails before the install
step. Fixes bug 31884; bugfix on 0.3.4.2-alpha.
o Minor bugfixes (best practices tracker):
- When listing overbroad exceptions, do not also list problems, and
do not list insufficiently broad exceptions. Fixes bug 31338;
bugfix on 0.4.2.1-alpha.
o Minor bugfixes (controller protocol):
- Fix the MAPADDRESS controller command to accept one or more
arguments. Previously, it required two or more arguments, and
ignored the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (logging):
- Add a missing check for HAVE_PTHREAD_H, because the backtrace code
uses mutexes. Fixes bug 31614; bugfix on 0.2.5.2-alpha.
- Disable backtrace signal handlers when shutting down tor. Fixes
bug 31614; bugfix on 0.2.5.2-alpha.
- Rate-limit our the logging message about the obsolete .exit
notation. Previously, there was no limit on this warning, which
could potentially be triggered many times by a hostile website.
Fixes bug 31466; bugfix on 0.2.2.1-alpha.
- When initialising log domain masks, only set known log domains.
Fixes bug 31854; bugfix on 0.2.1.1-alpha.
o Minor bugfixes (logging, protocol violations):
- Do not log a nonfatal assertion failure when receiving a VERSIONS
cell on a connection using the obsolete v1 link protocol. Log a
protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (modules):
- Explain what the optional Directory Authority module is, and what
happens when it is disabled. Fixes bug 31825; bugfix
on 0.3.4.1-alpha.
o Minor bugfixes (multithreading):
- Avoid some undefined behaviour when freeing mutexes. Fixes bug
31736; bugfix on 0.0.7.
o Minor bugfixes (relay):
- Avoid crashing when starting with a corrupt keys directory where
the old ntor key and the new ntor key are identical. Fixes bug
30916; bugfix on 0.2.4.8-alpha.
o Minor bugfixes (tests, SunOS):
- Avoid a map_anon_nofork test failure due to a signed/unsigned
integer comparison. Fixes bug 31897; bugfix on 0.4.1.1-alpha.
o Code simplification and refactoring:
- Refactor connection_control_process_inbuf() to reduce the size of
a practracker exception. Closes ticket 31840.
- Refactor the microdescs_parse_from_string() function into smaller
pieces, for better comprehensibility. Closes ticket 31675.
- Use SEVERITY_MASK_IDX() to find the LOG_* mask indexes in the unit
tests and fuzzers, rather than using hard-coded values. Closes
ticket 31334.
- Interface for function `decrypt_desc_layer` cleaned up. Closes
ticket 31589.
o Documentation:
- Document the signal-safe logging behaviour in the tor man page.
Also add some comments to the relevant functions. Closes
ticket 31839.
- Explain why we can't destroy the backtrace buffer mutex. Explain
why we don't need to destroy the log mutex. Closes ticket 31736.
- The Tor source code repository now includes a (somewhat dated)
description of Tor's modular architecture, in doc/HACKING/design.
This is based on the old "tor-guts.git" repository, which we are
adopting and superseding. Closes ticket 31849.
2019-12-10 14:06:23 +01:00
|
|
|
DISTNAME= tor-0.4.2.5
|
tor: updated to 0.3.1.8
Changes in version 0.3.1.8:
Tor 0.3.1.7 is the second stable release in the 0.3.1 series.
It includes several bugfixes, including a bugfix for a crash issue
that had affected relays under memory pressure. It also adds
a new directory authority, Bastet.
o Directory authority changes:
- Add "Bastet" as a ninth directory authority to the default list.
- The directory authority "Longclaw" has changed its IP address.
o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
- Fix a timing-based assertion failure that could occur when the
circuit out-of-memory handler freed a connection's output buffer.
o Minor features (directory authorities, backport from 0.3.2.2-alpha):
- Remove longclaw's IPv6 address, as it will soon change. Authority
IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
3/8 directory authorities with IPv6 addresses, but there are also
52 fallback directory mirrors with IPv6 addresses.
o Minor features (geoip):
- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation, backport from 0.3.2.2-alpha):
- Fix a compilation warning when building with zstd support on
32-bit platforms.
o Minor bugfixes (compression, backport from 0.3.2.2-alpha):
- Handle a pathological case when decompressing Zstandard data when
the output buffer size is zero.
o Minor bugfixes (directory authority, backport from 0.3.2.1-alpha):
- Remove the length limit on HTTP status lines that authorities can
send in their replies.
o Minor bugfixes (hidden service, relay, backport from 0.3.2.2-alpha):
- Avoid a possible double close of a circuit by the intro point on
error of sending the INTRO_ESTABLISHED cell.
o Minor bugfixes (memory safety, backport from 0.3.2.3-alpha):
- Clear the address when node_get_prim_orport() returns early.
o Minor bugfixes (unit tests, backport from 0.3.2.2-alpha):
- Fix additional channelpadding unit test failures by using mocked
time instead of actual time for all tests.
2017-10-27 14:56:59 +02:00
|
|
|
CATEGORIES= net security
|
tor: updated to 0.3.3.8
Changes in version 0.3.3.8:
Tor 0.3.3.8 backports several changes from the 0.3.4.x series, including
fixes for a memory leak affecting directory authorities.
o Major bugfixes (directory authority, backport from 0.3.4.3-alpha):
- Stop leaking memory on directory authorities when planning to
vote. This bug was crashing authorities by exhausting their
memory. Fixes bug 26435; bugfix on 0.3.3.6.
o Major bugfixes (rust, testing, backport from 0.3.4.3-alpha):
- Make sure that failing tests in Rust will actually cause the build
to fail: previously, they were ignored. Fixes bug 26258; bugfix
on 0.3.3.4-alpha.
o Minor features (compilation, backport from 0.3.4.4-rc):
- When building Tor, prefer to use Python 3 over Python 2, and more
recent (contemplated) versions over older ones. Closes
ticket 26372.
o Minor features (geoip):
- Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2
Country database. Closes ticket 26674.
o Minor features (relay, diagnostic, backport from 0.3.4.3-alpha):
- Add several checks to detect whether Tor relays are uploading
their descriptors without specifying why they regenerated them.
Diagnostic for ticket 25686.
o Minor bugfixes (circuit path selection, backport from 0.3.4.1-alpha):
- Don't count path selection failures as circuit build failures.
This change should eliminate cases where Tor blames its guard or
the network for situations like insufficient microdescriptors
and/or overly restrictive torrc settings. Fixes bug 25705; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (compilation, backport from 0.3.4.4-rc):
- Fix a compilation warning on some versions of GCC when building
code that calls routerinfo_get_my_routerinfo() twice, assuming
that the second call will succeed if the first one did. Fixes bug
26269; bugfix on 0.2.8.2-alpha.
o Minor bugfixes (control port, backport from 0.3.4.4-rc):
- Handle the HSADDRESS= argument to the HSPOST command properly.
(Previously, this argument was misparsed and thus ignored.) Fixes
bug 26523; bugfix on 0.3.3.1-alpha. Patch by "akwizgran".
o Minor bugfixes (memory, correctness, backport from 0.3.4.4-rc):
- Fix a number of small memory leaks identified by coverity. Fixes
bug 26467; bugfix on numerous Tor versions.
o Minor bugfixes (relay, backport from 0.3.4.3-alpha):
- Relays now correctly block attempts to re-extend to the previous
relay by Ed25519 identity. Previously they would warn in this
case, but not actually reject the attempt. Fixes bug 26158; bugfix
on 0.3.0.1-alpha.
o Minor bugfixes (restart-in-process, backport from 0.3.4.1-alpha):
- When shutting down, Tor now clears all the flags in the control.c
module. This should prevent a bug where authentication cookies are
not generated on restart. Fixes bug 25512; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (testing, compatibility, backport from 0.3.4.4-rc):
- When running the hs_ntor_ref.py test, make sure only to pass
strings (rather than "bytes" objects) to the Python subprocess
module. Python 3 on Windows seems to require this. Fixes bug
26535; bugfix on 0.3.1.1-alpha.
- When running the ntor_ref.py test, make sure only to pass strings
(rather than "bytes" objects) to the Python subprocess module.
Python 3 on Windows seems to require this. Fixes bug 26535; bugfix
on 0.2.5.5-alpha.
2018-07-13 17:26:32 +02:00
|
|
|
MASTER_SITES= https://dist.torproject.org/
|
2004-08-13 21:33:41 +02:00
|
|
|
|
2019-08-20 23:39:16 +02:00
|
|
|
MAINTAINER= pkgsrc-users@NetBSD.org
|
tor: updated to 0.3.1.8
Changes in version 0.3.1.8:
Tor 0.3.1.7 is the second stable release in the 0.3.1 series.
It includes several bugfixes, including a bugfix for a crash issue
that had affected relays under memory pressure. It also adds
a new directory authority, Bastet.
o Directory authority changes:
- Add "Bastet" as a ninth directory authority to the default list.
- The directory authority "Longclaw" has changed its IP address.
o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
- Fix a timing-based assertion failure that could occur when the
circuit out-of-memory handler freed a connection's output buffer.
o Minor features (directory authorities, backport from 0.3.2.2-alpha):
- Remove longclaw's IPv6 address, as it will soon change. Authority
IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
3/8 directory authorities with IPv6 addresses, but there are also
52 fallback directory mirrors with IPv6 addresses.
o Minor features (geoip):
- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation, backport from 0.3.2.2-alpha):
- Fix a compilation warning when building with zstd support on
32-bit platforms.
o Minor bugfixes (compression, backport from 0.3.2.2-alpha):
- Handle a pathological case when decompressing Zstandard data when
the output buffer size is zero.
o Minor bugfixes (directory authority, backport from 0.3.2.1-alpha):
- Remove the length limit on HTTP status lines that authorities can
send in their replies.
o Minor bugfixes (hidden service, relay, backport from 0.3.2.2-alpha):
- Avoid a possible double close of a circuit by the intro point on
error of sending the INTRO_ESTABLISHED cell.
o Minor bugfixes (memory safety, backport from 0.3.2.3-alpha):
- Clear the address when node_get_prim_orport() returns early.
o Minor bugfixes (unit tests, backport from 0.3.2.2-alpha):
- Fix additional channelpadding unit test failures by using mocked
time instead of actual time for all tests.
2017-10-27 14:56:59 +02:00
|
|
|
HOMEPAGE= http://www.torproject.org/
|
|
|
|
|
COMMENT= Anonymizing overlay network for TCP
|
|
|
|
|
LICENSE= modified-bsd
|
2004-08-13 21:33:41 +02:00
|
|
|
|
2011-03-09 11:03:06 +01:00
|
|
|
USE_LANGUAGES= c99
|
2004-08-13 21:33:41 +02:00
|
|
|
USE_PKGLOCALEDIR= yes
|
2019-03-19 16:44:19 +01:00
|
|
|
USE_TOOLS+= perl:test pkg-config
|
2019-08-31 13:16:53 +02:00
|
|
|
# There are multiple reports of failure to build with BSD make, due to
|
|
|
|
|
# an apparent lack of firing the rule to create micro-revision.i.
|
|
|
|
|
# Work around this by using gmake, which is tiny compared to the
|
|
|
|
|
# existing perl dependency, and unlikely to be needed on any given
|
|
|
|
|
# system just for tor.
|
|
|
|
|
USE_TOOLS+= gmake
|
2004-08-13 21:33:41 +02:00
|
|
|
GNU_CONFIGURE= yes
|
tor: updated to 0.3.3.8
Changes in version 0.3.3.8:
Tor 0.3.3.8 backports several changes from the 0.3.4.x series, including
fixes for a memory leak affecting directory authorities.
o Major bugfixes (directory authority, backport from 0.3.4.3-alpha):
- Stop leaking memory on directory authorities when planning to
vote. This bug was crashing authorities by exhausting their
memory. Fixes bug 26435; bugfix on 0.3.3.6.
o Major bugfixes (rust, testing, backport from 0.3.4.3-alpha):
- Make sure that failing tests in Rust will actually cause the build
to fail: previously, they were ignored. Fixes bug 26258; bugfix
on 0.3.3.4-alpha.
o Minor features (compilation, backport from 0.3.4.4-rc):
- When building Tor, prefer to use Python 3 over Python 2, and more
recent (contemplated) versions over older ones. Closes
ticket 26372.
o Minor features (geoip):
- Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2
Country database. Closes ticket 26674.
o Minor features (relay, diagnostic, backport from 0.3.4.3-alpha):
- Add several checks to detect whether Tor relays are uploading
their descriptors without specifying why they regenerated them.
Diagnostic for ticket 25686.
o Minor bugfixes (circuit path selection, backport from 0.3.4.1-alpha):
- Don't count path selection failures as circuit build failures.
This change should eliminate cases where Tor blames its guard or
the network for situations like insufficient microdescriptors
and/or overly restrictive torrc settings. Fixes bug 25705; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (compilation, backport from 0.3.4.4-rc):
- Fix a compilation warning on some versions of GCC when building
code that calls routerinfo_get_my_routerinfo() twice, assuming
that the second call will succeed if the first one did. Fixes bug
26269; bugfix on 0.2.8.2-alpha.
o Minor bugfixes (control port, backport from 0.3.4.4-rc):
- Handle the HSADDRESS= argument to the HSPOST command properly.
(Previously, this argument was misparsed and thus ignored.) Fixes
bug 26523; bugfix on 0.3.3.1-alpha. Patch by "akwizgran".
o Minor bugfixes (memory, correctness, backport from 0.3.4.4-rc):
- Fix a number of small memory leaks identified by coverity. Fixes
bug 26467; bugfix on numerous Tor versions.
o Minor bugfixes (relay, backport from 0.3.4.3-alpha):
- Relays now correctly block attempts to re-extend to the previous
relay by Ed25519 identity. Previously they would warn in this
case, but not actually reject the attempt. Fixes bug 26158; bugfix
on 0.3.0.1-alpha.
o Minor bugfixes (restart-in-process, backport from 0.3.4.1-alpha):
- When shutting down, Tor now clears all the flags in the control.c
module. This should prevent a bug where authentication cookies are
not generated on restart. Fixes bug 25512; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (testing, compatibility, backport from 0.3.4.4-rc):
- When running the hs_ntor_ref.py test, make sure only to pass
strings (rather than "bytes" objects) to the Python subprocess
module. Python 3 on Windows seems to require this. Fixes bug
26535; bugfix on 0.3.1.1-alpha.
- When running the ntor_ref.py test, make sure only to pass strings
(rather than "bytes" objects) to the Python subprocess module.
Python 3 on Windows seems to require this. Fixes bug 26535; bugfix
on 0.2.5.5-alpha.
2018-07-13 17:26:32 +02:00
|
|
|
CONFIGURE_ARGS+= --localstatedir=${VARBASE}
|
2011-03-09 11:03:06 +01:00
|
|
|
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFBASEDIR}
|
tor: updated to 0.3.3.8
Changes in version 0.3.3.8:
Tor 0.3.3.8 backports several changes from the 0.3.4.x series, including
fixes for a memory leak affecting directory authorities.
o Major bugfixes (directory authority, backport from 0.3.4.3-alpha):
- Stop leaking memory on directory authorities when planning to
vote. This bug was crashing authorities by exhausting their
memory. Fixes bug 26435; bugfix on 0.3.3.6.
o Major bugfixes (rust, testing, backport from 0.3.4.3-alpha):
- Make sure that failing tests in Rust will actually cause the build
to fail: previously, they were ignored. Fixes bug 26258; bugfix
on 0.3.3.4-alpha.
o Minor features (compilation, backport from 0.3.4.4-rc):
- When building Tor, prefer to use Python 3 over Python 2, and more
recent (contemplated) versions over older ones. Closes
ticket 26372.
o Minor features (geoip):
- Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2
Country database. Closes ticket 26674.
o Minor features (relay, diagnostic, backport from 0.3.4.3-alpha):
- Add several checks to detect whether Tor relays are uploading
their descriptors without specifying why they regenerated them.
Diagnostic for ticket 25686.
o Minor bugfixes (circuit path selection, backport from 0.3.4.1-alpha):
- Don't count path selection failures as circuit build failures.
This change should eliminate cases where Tor blames its guard or
the network for situations like insufficient microdescriptors
and/or overly restrictive torrc settings. Fixes bug 25705; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (compilation, backport from 0.3.4.4-rc):
- Fix a compilation warning on some versions of GCC when building
code that calls routerinfo_get_my_routerinfo() twice, assuming
that the second call will succeed if the first one did. Fixes bug
26269; bugfix on 0.2.8.2-alpha.
o Minor bugfixes (control port, backport from 0.3.4.4-rc):
- Handle the HSADDRESS= argument to the HSPOST command properly.
(Previously, this argument was misparsed and thus ignored.) Fixes
bug 26523; bugfix on 0.3.3.1-alpha. Patch by "akwizgran".
o Minor bugfixes (memory, correctness, backport from 0.3.4.4-rc):
- Fix a number of small memory leaks identified by coverity. Fixes
bug 26467; bugfix on numerous Tor versions.
o Minor bugfixes (relay, backport from 0.3.4.3-alpha):
- Relays now correctly block attempts to re-extend to the previous
relay by Ed25519 identity. Previously they would warn in this
case, but not actually reject the attempt. Fixes bug 26158; bugfix
on 0.3.0.1-alpha.
o Minor bugfixes (restart-in-process, backport from 0.3.4.1-alpha):
- When shutting down, Tor now clears all the flags in the control.c
module. This should prevent a bug where authentication cookies are
not generated on restart. Fixes bug 25512; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (testing, compatibility, backport from 0.3.4.4-rc):
- When running the hs_ntor_ref.py test, make sure only to pass
strings (rather than "bytes" objects) to the Python subprocess
module. Python 3 on Windows seems to require this. Fixes bug
26535; bugfix on 0.3.1.1-alpha.
- When running the ntor_ref.py test, make sure only to pass strings
(rather than "bytes" objects) to the Python subprocess module.
Python 3 on Windows seems to require this. Fixes bug 26535; bugfix
on 0.2.5.5-alpha.
2018-07-13 17:26:32 +02:00
|
|
|
CONFIGURE_ENV+= CPP=${CPP:Q}
|
Update tor to 0.1.2.17.
Changes in version 0.1.2.17 - 2007-08-30
o Major bugfixes (security):
- We removed support for the old (v0) control protocol. It has been
deprecated since Tor 0.1.1.1-alpha, and keeping it secure has
become more of a headache than it's worth.
o Major bugfixes (load balancing):
- When choosing nodes for non-guard positions, weight guards
proportionally less, since they already have enough load. Patch
from Mike Perry.
- Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
will allow fast Tor servers to get more attention.
- When we're upgrading from an old Tor version, forget our current
guards and pick new ones according to the new weightings. These
three load balancing patches could raise effective network capacity
by a factor of four. Thanks to Mike Perry for measurements.
o Major bugfixes (stream expiration):
- Expire not-yet-successful application streams in all cases if
they've been around longer than SocksTimeout. Right now there are
some cases where the stream will live forever, demanding a new
circuit every 15 seconds. Fixes bug 454; reported by lodger.
o Minor features (controller):
- Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
is valid before any authentication has been received. It tells
a controller what kind of authentication is expected, and what
protocol is spoken. Implements proposal 119.
o Minor bugfixes (performance):
- Save on most routerlist_assert_ok() calls in routerlist.c, thus
greatly speeding up loading cached-routers from disk on startup.
- Disable sentinel-based debugging for buffer code: we squashed all
the bugs that this was supposed to detect a long time ago, and now
its only effect is to change our buffer sizes from nice powers of
two (which platform mallocs tend to like) to values slightly over
powers of two (which make some platform mallocs sad).
o Minor bugfixes (misc):
- If exit bandwidth ever exceeds one third of total bandwidth, then
use the correct formula to weight exit nodes when choosing paths.
Based on patch from Mike Perry.
- Choose perfectly fairly among routers when choosing by bandwidth and
weighting by fraction of bandwidth provided by exits. Previously, we
would choose with only approximate fairness, and correct ourselves
if we ran off the end of the list.
- If we require CookieAuthentication but we fail to write the
cookie file, we would warn but not exit, and end up in a state
where no controller could authenticate. Now we exit.
- If we require CookieAuthentication, stop generating a new cookie
every time we change any piece of our config.
- Refuse to start with certain directory authority keys, and
encourage people using them to stop.
- Terminate multi-line control events properly. Original patch
from tup.
- Fix a minor memory leak when we fail to find enough suitable
servers to choose a circuit.
- Stop leaking part of the descriptor when we run into a particularly
unparseable piece of it.
2007-09-11 17:53:57 +02:00
|
|
|
|
|
|
|
|
TEST_TARGET= check
|
|
|
|
|
|
2005-02-13 21:27:53 +01:00
|
|
|
TOR_USER?= tor
|
|
|
|
|
TOR_GROUP?= tor
|
2015-05-23 10:53:11 +02:00
|
|
|
PKG_GECOS.${TOR_USER}= Torifier
|
|
|
|
|
PKG_HOME.${TOR_USER}= ${VARBASE}/chroot/tor
|
Update tor to 0.1.2.17.
Changes in version 0.1.2.17 - 2007-08-30
o Major bugfixes (security):
- We removed support for the old (v0) control protocol. It has been
deprecated since Tor 0.1.1.1-alpha, and keeping it secure has
become more of a headache than it's worth.
o Major bugfixes (load balancing):
- When choosing nodes for non-guard positions, weight guards
proportionally less, since they already have enough load. Patch
from Mike Perry.
- Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
will allow fast Tor servers to get more attention.
- When we're upgrading from an old Tor version, forget our current
guards and pick new ones according to the new weightings. These
three load balancing patches could raise effective network capacity
by a factor of four. Thanks to Mike Perry for measurements.
o Major bugfixes (stream expiration):
- Expire not-yet-successful application streams in all cases if
they've been around longer than SocksTimeout. Right now there are
some cases where the stream will live forever, demanding a new
circuit every 15 seconds. Fixes bug 454; reported by lodger.
o Minor features (controller):
- Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
is valid before any authentication has been received. It tells
a controller what kind of authentication is expected, and what
protocol is spoken. Implements proposal 119.
o Minor bugfixes (performance):
- Save on most routerlist_assert_ok() calls in routerlist.c, thus
greatly speeding up loading cached-routers from disk on startup.
- Disable sentinel-based debugging for buffer code: we squashed all
the bugs that this was supposed to detect a long time ago, and now
its only effect is to change our buffer sizes from nice powers of
two (which platform mallocs tend to like) to values slightly over
powers of two (which make some platform mallocs sad).
o Minor bugfixes (misc):
- If exit bandwidth ever exceeds one third of total bandwidth, then
use the correct formula to weight exit nodes when choosing paths.
Based on patch from Mike Perry.
- Choose perfectly fairly among routers when choosing by bandwidth and
weighting by fraction of bandwidth provided by exits. Previously, we
would choose with only approximate fairness, and correct ourselves
if we ran off the end of the list.
- If we require CookieAuthentication but we fail to write the
cookie file, we would warn but not exit, and end up in a state
where no controller could authenticate. Now we exit.
- If we require CookieAuthentication, stop generating a new cookie
every time we change any piece of our config.
- Refuse to start with certain directory authority keys, and
encourage people using them to stop.
- Terminate multi-line control events properly. Original patch
from tup.
- Fix a minor memory leak when we fail to find enough suitable
servers to choose a circuit.
- Stop leaking part of the descriptor when we run into a particularly
unparseable piece of it.
2007-09-11 17:53:57 +02:00
|
|
|
BUILD_DEFS+= VARBASE
|
2007-10-25 16:58:29 +02:00
|
|
|
PKG_SYSCONFSUBDIR= tor
|
2005-02-13 21:27:53 +01:00
|
|
|
|
2007-07-04 22:54:31 +02:00
|
|
|
PKG_GROUPS_VARS+= TOR_GROUP
|
2011-03-09 11:03:06 +01:00
|
|
|
PKG_USERS_VARS= TOR_USER
|
2007-07-04 22:54:31 +02:00
|
|
|
|
2006-05-28 19:50:23 +02:00
|
|
|
RCD_SCRIPTS= tor
|
2007-09-11 17:26:14 +02:00
|
|
|
RCD_SCRIPT_SRC.tor= ${FILESDIR}/tor.in
|
2005-02-13 21:27:53 +01:00
|
|
|
PKG_GROUPS= ${TOR_GROUP}
|
2013-10-31 16:58:30 +01:00
|
|
|
PKG_USERS= ${TOR_USER}:${TOR_GROUP}
|
2005-02-13 21:27:53 +01:00
|
|
|
USER_GROUP= ${TOR_USER} ${TOR_GROUP}
|
|
|
|
|
|
2013-10-31 16:58:30 +01:00
|
|
|
OWN_DIRS_PERMS+= ${PKG_HOME.${TOR_USER}} ${USER_GROUP} 0700
|
2004-08-13 21:33:41 +02:00
|
|
|
|
tor: updated to 0.3.5.7
Changes in version 0.3.5.7:
Tor 0.3.5.7 is the first stable release in its series; it includes
compilation and portability fixes, and a fix for a severe problem
affecting directory caches.
The Tor 0.3.5 series includes several new features and performance
improvements, including client authorization for v3 onion services,
cleanups to bootstrap reporting, support for improved bandwidth-
measurement tools, experimental support for NSS in place of OpenSSL,
and much more. It also begins a full reorganization of Tor's code
layout, for improved modularity and maintainability in the future.
Finally, there is the usual set of performance improvements and
bugfixes that we try to do in every release series.
There are a couple of changes in the 0.3.5 that may affect
compatibility. First, the default version for newly created onion
services is now v3. Use the HiddenServiceVersion option if you want to
override this. Second, some log messages related to bootstrapping have
changed; if you use stem, you may need to update to the latest version
so it will recognize them.
We have designated 0.3.5 as a "long-term support" (LTS) series: we
will continue to patch major bugs in typical configurations of 0.3.5
until at least 1 Feb 2022. (We do not plan to provide long-term
support for embedding, Rust support, NSS support, running a directory
authority, or unsupported platforms. For these, you will need to stick
with the latest stable release.)
2019-01-08 09:39:55 +01:00
|
|
|
CONF_FILES+= ${PREFIX}/share/examples/tor/torrc.sample \
|
|
|
|
|
${PKG_SYSCONFDIR}/torrc
|
2004-08-13 21:33:41 +02:00
|
|
|
|
2017-05-17 09:13:37 +02:00
|
|
|
PRINT_PLIST_AWK+= /^man\/man/ { $$0 = "$${PLIST.doc}" $$0 }
|
|
|
|
|
PRINT_PLIST_AWK+= /^share\/doc/ { $$0 = "$${PLIST.doc}" $$0 }
|
2017-05-14 18:03:23 +02:00
|
|
|
|
2013-10-31 16:58:30 +01:00
|
|
|
FILES_SUBST+= PKG_HOME=${PKG_HOME.${TOR_USER}}
|
2011-03-09 11:03:06 +01:00
|
|
|
FILES_SUBST+= TOR_USER=${TOR_USER} TOR_GROUP=${TOR_GROUP}
|
2005-02-02 17:41:22 +01:00
|
|
|
|
2009-08-18 07:48:08 +02:00
|
|
|
INSTALL_MAKE_FLAGS+= sysconfdir=${PREFIX}/share/examples
|
|
|
|
|
|
2019-11-03 12:45:28 +01:00
|
|
|
CHECK_PORTABILITY_SKIP+= contrib/*
|
2006-10-26 16:47:37 +02:00
|
|
|
|
tor: update to 0.4.0.5.
Changes in version 0.4.0.5 - 2019-05-02
This is the first stable release in the 0.4.0.x series. It contains
improvements for power management and bootstrap reporting, as well as
preliminary backend support for circuit padding to prevent some kinds
of traffic analysis. It also continues our work in refactoring Tor for
long-term maintainability.
Per our support policy, we will support the 0.4.0.x series for nine
months, or until three months after the release of a stable 0.4.1.x:
whichever is longer. If you need longer-term support, please stick
with 0.3.5.x, which will we plan to support until Feb 2022.
Below are the changes since 0.3.5.7. For a complete list of changes
since 0.4.0.4-rc, see the ChangeLog file.
o Major features (battery management, client, dormant mode):
- When Tor is running as a client, and it is unused for a long time,
it can now enter a "dormant" state. When Tor is dormant, it avoids
network and CPU activity until it is reawoken either by a user
request or by a controller command. For more information, see the
configuration options starting with "Dormant". Implements tickets
2149 and 28335.
- The client's memory of whether it is "dormant", and how long it
has spent idle, persists across invocations. Implements
ticket 28624.
- There is a DormantOnFirstStartup option that integrators can use
if they expect that in many cases, Tor will be installed but
not used.
o Major features (bootstrap reporting):
- When reporting bootstrap progress, report the first connection
uniformly, regardless of whether it's a connection for building
application circuits. This allows finer-grained reporting of early
progress than previously possible, with the improvements of ticket
27169. Closes tickets 27167 and 27103. Addresses ticket 27308.
- When reporting bootstrap progress, treat connecting to a proxy or
pluggable transport as separate from having successfully used that
proxy or pluggable transport to connect to a relay. Closes tickets
27100 and 28884.
o Major features (circuit padding):
- Implement preliminary support for the circuit padding portion of
Proposal 254. The implementation supports Adaptive Padding (aka
WTF-PAD) state machines for use between experimental clients and
relays. Support is also provided for APE-style state machines that
use probability distributions instead of histograms to specify
inter-packet delay. At the moment, Tor does not provide any
padding state machines that are used in normal operation: for now,
this feature exists solely for experimentation. Closes
ticket 28142.
o Major features (refactoring):
- Tor now uses an explicit list of its own subsystems when
initializing and shutting down. Previously, these systems were
managed implicitly in various places throughout the codebase.
(There may still be some subsystems using the old system.) Closes
ticket 28330.
o Major bugfixes (cell scheduler, KIST, security):
- Make KIST consider the outbuf length when computing what it can
put in the outbuf. Previously, KIST acted as though the outbuf
were empty, which could lead to the outbuf becoming too full. It
is possible that an attacker could exploit this bug to cause a Tor
client or relay to run out of memory and crash. Fixes bug 29168;
bugfix on 0.3.2.1-alpha. This issue is also being tracked as
TROVE-2019-001 and CVE-2019-8955.
o Major bugfixes (networking):
- Gracefully handle empty username/password fields in SOCKS5
username/password auth messsage and allow SOCKS5 handshake to
continue. Previously, we had rejected these handshakes, breaking
certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.
o Major bugfixes (NSS, relay):
- When running with NSS, disable TLS 1.2 ciphersuites that use
SHA384 for their PRF. Due to an NSS bug, the TLS key exporters for
these ciphersuites don't work -- which caused relays to fail to
handshake with one another when these ciphersuites were enabled.
Fixes bug 29241; bugfix on 0.3.5.1-alpha.
o Major bugfixes (windows, startup):
- When reading a consensus file from disk, detect whether it was
written in text mode, and re-read it in text mode if so. Always
write consensus files in binary mode so that we can map them into
memory later. Previously, we had written in text mode, which
confused us when we tried to map the file on windows. Fixes bug
28614; bugfix on 0.4.0.1-alpha.
o Minor features (address selection):
- Treat the subnet 100.64.0.0/10 as public for some purposes;
private for others. This subnet is the RFC 6598 (Carrier Grade
NAT) IP range, and is deployed by many ISPs as an alternative to
RFC 1918 that does not break existing internal networks. Tor now
blocks SOCKS and control ports on these addresses and warns users
if client ports or ExtORPorts are listening on a RFC 6598 address.
Closes ticket 28525. Patch by Neel Chauhan.
o Minor features (bandwidth authority):
- Make bandwidth authorities ignore relays that are reported in the
bandwidth file with the flag "vote=0". This change allows us to
report unmeasured relays for diagnostic reasons without including
their bandwidth in the bandwidth authorities' vote. Closes
ticket 29806.
- When a directory authority is using a bandwidth file to obtain the
bandwidth values that will be included in the next vote, serve
this bandwidth file at /tor/status-vote/next/bandwidth. Closes
ticket 21377.
o Minor features (bootstrap reporting):
- When reporting bootstrap progress, stop distinguishing between
situations where only internal paths are available and situations
where external paths are available. Previously, Tor would often
erroneously report that it had only internal paths. Closes
ticket 27402.
o Minor features (compilation):
- Compile correctly when OpenSSL is built with engine support
disabled, or with deprecated APIs disabled. Closes ticket 29026.
Patches from "Mangix".
o Minor features (continuous integration):
- On Travis Rust builds, cleanup Rust registry and refrain from
caching the "target/" directory to speed up builds. Resolves
issue 29962.
- Log Python version during each Travis CI job. Resolves
issue 28551.
- In Travis, tell timelimit to use stem's backtrace signals, and
launch python directly from timelimit, so python receives the
signals from timelimit, rather than make. Closes ticket 30117.
o Minor features (controller):
- Add a DROPOWNERSHIP command to undo the effects of TAKEOWNERSHIP.
Implements ticket 28843.
o Minor features (developer tooling):
- Check that bugfix versions in changes files look like Tor versions
from the versions spec. Warn when bugfixes claim to be on a future
release. Closes ticket 27761.
- Provide a git pre-commit hook that disallows commiting if we have
any failures in our code and changelog formatting checks. It is
now available in scripts/maint/pre-commit.git-hook. Implements
feature 28976.
- Provide a git hook script to prevent "fixup!" and "squash!"
commits from ending up in the master branch, as scripts/main/pre-
push.git-hook. Closes ticket 27993.
o Minor features (diagnostic):
- Add more diagnostic log messages in an attempt to solve the issue
of NUL bytes appearing in a microdescriptor cache. Related to
ticket 28223.
o Minor features (directory authority):
- When a directory authority is using a bandwidth file to obtain
bandwidth values, include the digest of that file in the vote.
Closes ticket 26698.
- Directory authorities support a new consensus algorithm, under
which the family lines in microdescriptors are encoded in a
canonical form. This change makes family lines more compressible
in transit, and on the client. Closes ticket 28266; implements
proposal 298.
o Minor features (directory authority, relay):
- Authorities now vote on a "StaleDesc" flag to indicate that a
relay's descriptor is so old that the relay should upload again
soon. Relays treat this flag as a signal to upload a new
descriptor. This flag will eventually let us remove the
'published' date from routerstatus entries, and make our consensus
diffs much smaller. Closes ticket 26770; implements proposal 293.
o Minor features (dormant mode):
- Add a DormantCanceledByStartup option to tell Tor that it should
treat a startup event as cancelling any previous dormant state.
Integrators should use this option with caution: it should only be
used if Tor is being started because of something that the user
did, and not if Tor is being automatically started in the
background. Closes ticket 29357.
o Minor features (fallback directory mirrors):
- Update the fallback whitelist based on operator opt-ins and opt-
outs. Closes ticket 24805, patch by Phoul.
o Minor features (FreeBSD):
- On FreeBSD-based systems, warn relay operators if the
"net.inet.ip.random_id" sysctl (IP ID randomization) is disabled.
Closes ticket 28518.
o Minor features (geoip):
- Update geoip and geoip6 to the April 2 2019 Maxmind GeoLite2
Country database. Closes ticket 29992.
o Minor features (HTTP standards compliance):
- Stop sending the header "Content-type: application/octet-stream"
along with transparently compressed documents: this confused
browsers. Closes ticket 28100.
o Minor features (IPv6):
- We add an option ClientAutoIPv6ORPort, to make clients randomly
prefer a node's IPv4 or IPv6 ORPort. The random preference is set
every time a node is loaded from a new consensus or bridge config.
We expect that this option will enable clients to bootstrap more
quickly without having to determine whether they support IPv4,
IPv6, or both. Closes ticket 27490. Patch by Neel Chauhan.
- When using addrs_in_same_network_family(), avoid choosing circuit
paths that pass through the same IPv6 subnet more than once.
Previously, we only checked IPv4 subnets. Closes ticket 24393.
Patch by Neel Chauhan.
o Minor features (log messages):
- Improve log message in v3 onion services that could print out
negative revision counters. Closes ticket 27707. Patch
by "ffmancera".
o Minor features (memory usage):
- Save memory by storing microdescriptor family lists with a more
compact representation. Closes ticket 27359.
- Tor clients now use mmap() to read consensus files from disk, so
that they no longer need keep the full text of a consensus in
memory when parsing it or applying a diff. Closes ticket 27244.
o Minor features (NSS, diagnostic):
- Try to log an error from NSS (if there is any) and a more useful
description of our situation if we are using NSS and a call to
SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241.
o Minor features (parsing):
- Directory authorities now validate that router descriptors and
ExtraInfo documents are in a valid subset of UTF-8, and reject
them if they are not. Closes ticket 27367.
o Minor features (performance):
- Cache the results of summarize_protocol_flags(), so that we don't
have to parse the same protocol-versions string over and over.
This should save us a huge number of malloc calls on startup, and
may reduce memory fragmentation with some allocators. Closes
ticket 27225.
- Remove a needless memset() call from get_token_arguments, thereby
speeding up the tokenization of directory objects by about 20%.
Closes ticket 28852.
- Replace parse_short_policy() with a faster implementation, to
improve microdescriptor parsing time. Closes ticket 28853.
- Speed up directory parsing a little by avoiding use of the non-
inlined strcmp_len() function. Closes ticket 28856.
- Speed up microdescriptor parsing by about 30%, to help improve
startup time. Closes ticket 28839.
o Minor features (pluggable transports):
- Add support for emitting STATUS updates to Tor's control port from
a pluggable transport process. Closes ticket 28846.
- Add support for logging to Tor's logging subsystem from a
pluggable transport process. Closes ticket 28180.
o Minor features (process management):
- Add a new process API for handling child processes. This new API
allows Tor to have bi-directional communication with child
processes on both Unix and Windows. Closes ticket 28179.
- Use the subsystem manager to initialize and shut down the process
module. Closes ticket 28847.
o Minor features (relay):
- When listing relay families, list them in canonical form including
the relay's own identity, and try to give a more useful set of
warnings. Part of ticket 28266 and proposal 298.
o Minor features (required protocols):
- Before exiting because of a missing required protocol, Tor will
now check the publication time of the consensus, and not exit
unless the consensus is newer than the Tor program's own release
date. Previously, Tor would not check the consensus publication
time, and so might exit because of a missing protocol that might
no longer be required in a current consensus. Implements proposal
297; closes ticket 27735.
o Minor features (testing):
- Treat all unexpected ERR and BUG messages as test failures. Closes
ticket 28668.
- Allow a HeartbeatPeriod of less than 30 minutes in testing Tor
networks. Closes ticket 28840. Patch by Rob Jansen.
- Use the approx_time() function when setting the "Expires" header
in directory replies, to make them more testable. Needed for
ticket 30001.
o Minor bugfixes (security):
- Fix a potential double free bug when reading huge bandwidth files.
The issue is not exploitable in the current Tor network because
the vulnerable code is only reached when directory authorities
read bandwidth files, but bandwidth files come from a trusted
source (usually the authorities themselves). Furthermore, the
issue is only exploitable in rare (non-POSIX) 32-bit architectures,
which are not used by any of the current authorities. Fixes bug
30040; bugfix on 0.3.5.1-alpha. Bug found and fixed by
Tobias Stoeckmann.
- Verify in more places that we are not about to create a buffer
with more than INT_MAX bytes, to avoid possible OOB access in the
event of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and
fixed by Tobias Stoeckmann.
o Minor bugfix (continuous integration):
- Reset coverage state on disk after Travis CI has finished. This
should prevent future coverage merge errors from causing the test
suite for the "process" subsystem to fail. The process subsystem
was introduced in 0.4.0.1-alpha. Fixes bug 29036; bugfix
on 0.2.9.15.
- Terminate test-stem if it takes more than 9.5 minutes to run.
(Travis terminates the job after 10 minutes of no output.)
Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha.
o Minor bugfixes (build, compatibility, rust):
- Update Cargo.lock file to match the version made by the latest
version of Rust, so that "make distcheck" will pass again. Fixes
bug 29244; bugfix on 0.3.3.4-alpha.
o Minor bugfixes (C correctness):
- Fix an unlikely memory leak in consensus_diff_apply(). Fixes bug
29824; bugfix on 0.3.1.1-alpha. This is Coverity warning
CID 1444119.
o Minor bugfixes (client, clock skew):
- Bootstrap successfully even when Tor's clock is behind the clocks
on the authorities. Fixes bug 28591; bugfix on 0.2.0.9-alpha.
- Select guards even if the consensus has expired, as long as the
consensus is still reasonably live. Fixes bug 24661; bugfix
on 0.3.0.1-alpha.
o Minor bugfixes (compilation):
- Fix compilation warnings in test_circuitpadding.c. Fixes bug
29169; bugfix on 0.4.0.1-alpha.
- Silence a compiler warning in test-memwipe.c on OpenBSD. Fixes bug
29145; bugfix on 0.2.9.3-alpha. Patch from Kris Katterjohn.
- Compile correctly on OpenBSD; previously, we were missing some
headers required in order to detect it properly. Fixes bug 28938;
bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.
o Minor bugfixes (directory clients):
- Mark outdated dirservers when Tor only has a reasonably live
consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha.
o Minor bugfixes (directory mirrors):
- Even when a directory mirror's clock is behind the clocks on the
authorities, we now allow the mirror to serve "future"
consensuses. Fixes bug 28654; bugfix on 0.3.0.1-alpha.
o Minor bugfixes (DNS):
- Gracefully handle an empty or absent resolve.conf file by falling
back to using "localhost" as a DNS server (and hoping it works).
Previously, we would just stop running as an exit. Fixes bug
21900; bugfix on 0.2.1.10-alpha.
o Minor bugfixes (documentation):
- Describe the contents of the v3 onion service client authorization
files correctly: They hold public keys, not private keys. Fixes
bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".
o Minor bugfixes (guards):
- In count_acceptable_nodes(), the minimum number is now one bridge
or guard node, and two non-guard nodes for a circuit. Previously,
we had added up the sum of all nodes with a descriptor, but that
could cause us to build failing circuits when we had either too
many bridges or not enough guard nodes. Fixes bug 25885; bugfix on
0.3.6.1-alpha. Patch by Neel Chauhan.
o Minor bugfixes (IPv6):
- Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the
IPv6 socket was bound using an address family of AF_INET instead
of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from
Kris Katterjohn.
o Minor bugfixes (linux seccomp sandbox):
- Fix startup crash when experimental sandbox support is enabled.
Fixes bug 29150; bugfix on 0.4.0.1-alpha. Patch by Peter Gerber.
o Minor bugfixes (logging):
- Correct a misleading error message when IPv4Only or IPv6Only is
used but the resolved address can not be interpreted as an address
of the specified IP version. Fixes bug 13221; bugfix on
0.2.3.9-alpha. Patch from Kris Katterjohn.
- Log the correct port number for listening sockets when "auto" is
used to let Tor pick the port number. Previously, port 0 was
logged instead of the actual port number. Fixes bug 29144; bugfix
on 0.3.5.1-alpha. Patch from Kris Katterjohn.
- Stop logging a BUG() warning when Tor is waiting for exit
descriptors. Fixes bug 28656; bugfix on 0.3.5.1-alpha.
- Avoid logging that we are relaxing a circuit timeout when that
timeout is fixed. Fixes bug 28698; bugfix on 0.2.4.7-alpha.
- Log more information at "warning" level when unable to read a
private key; log more information at "info" level when unable to
read a public key. We had warnings here before, but they were lost
during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha.
- Rework rep_hist_log_link_protocol_counts() to iterate through all
link protocol versions when logging incoming/outgoing connection
counts. Tor no longer skips version 5, and we won't have to
remember to update this function when new link protocol version is
developed. Fixes bug 28920; bugfix on 0.2.6.10.
o Minor bugfixes (memory management):
- Refactor the shared random state's memory management so that it
actually takes ownership of the shared random value pointers.
Fixes bug 29706; bugfix on 0.2.9.1-alpha.
- Stop leaking parts of the shared random state in the shared-random
unit tests. Fixes bug 29599; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (misc):
- The amount of total available physical memory is now determined
using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM)
when it is defined and a 64-bit variant is not available. Fixes
bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn.
o Minor bugfixes (networking):
- Introduce additional checks into tor_addr_parse() to reject
certain incorrect inputs that previously were not detected. Fixes
bug 23082; bugfix on 0.2.0.10-alpha.
o Minor bugfixes (onion service v3, client):
- Stop logging a "BUG()" warning and stacktrace when we find a SOCKS
connection waiting for a descriptor that we actually have in the
cache. It turns out that this can actually happen, though it is
rare. Now, tor will recover and retry the descriptor. Fixes bug
28669; bugfix on 0.3.2.4-alpha.
o Minor bugfixes (onion services):
- Avoid crashing if ClientOnionAuthDir (incorrectly) contains more
than one private key for a hidden service. Fixes bug 29040; bugfix
on 0.3.5.1-alpha.
- In hs_cache_store_as_client() log an HSDesc we failed to parse at
"debug" level. Tor used to log it as a warning, which caused very
long log lines to appear for some users. Fixes bug 29135; bugfix
on 0.3.2.1-alpha.
- Stop logging "Tried to establish rendezvous on non-OR circuit..."
as a warning. Instead, log it as a protocol warning, because there
is nothing that relay operators can do to fix it. Fixes bug 29029;
bugfix on 0.2.5.7-rc.
o Minor bugfixes (periodic events):
- Refrain from calling routerlist_remove_old_routers() from
check_descriptor_callback(). Instead, create a new hourly periodic
event. Fixes bug 27929; bugfix on 0.2.8.1-alpha.
o Minor bugfixes (pluggable transports):
- Make sure that data is continously read from standard output and
standard error pipes of a pluggable transport child-process, to
avoid deadlocking when a pipe's buffer is full. Fixes bug 26360;
bugfix on 0.2.3.6-alpha.
o Minor bugfixes (rust):
- Abort on panic in all build profiles, instead of potentially
unwinding into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (scheduler):
- When re-adding channels to the pending list, check the correct
channel's sched_heap_idx. This issue has had no effect in mainline
Tor, but could have led to bugs down the road in improved versions
of our circuit scheduling code. Fixes bug 29508; bugfix
on 0.3.2.10.
o Minor bugfixes (shellcheck):
- Look for scripts in their correct locations during "make
shellcheck". Previously we had looked in the wrong place during
out-of-tree builds. Fixes bug 30263; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (single onion services):
- Allow connections to single onion services to remain idle without
being disconnected. Previously, relays acting as rendezvous points
for single onion services were mistakenly closing idle rendezvous
circuits after 60 seconds, thinking that they were unused
directory-fetching circuits that had served their purpose. Fixes
bug 29665; bugfix on 0.2.1.26.
o Minor bugfixes (stats):
- When ExtraInfoStatistics is 0, stop including PaddingStatistics in
relay and bridge extra-info documents. Fixes bug 29017; bugfix
on 0.3.1.1-alpha.
o Minor bugfixes (testing):
- Backport the 0.3.4 src/test/test-network.sh to 0.2.9. We need a
recent test-network.sh to use new chutney features in CI. Fixes
bug 29703; bugfix on 0.2.9.1-alpha.
- Fix a test failure on Windows caused by an unexpected "BUG"
warning in our tests for tor_gmtime_r(-1). Fixes bug 29922; bugfix
on 0.2.9.3-alpha.
- Downgrade some LOG_ERR messages in the address/* tests to
warnings. The LOG_ERR messages were occurring when we had no
configured network. We were failing the unit tests, because we
backported 28668 to 0.3.5.8, but did not backport 29530. Fixes bug
29530; bugfix on 0.3.5.8.
- Fix our gcov wrapper script to look for object files at the
correct locations. Fixes bug 29435; bugfix on 0.3.5.1-alpha.
- Decrease the false positive rate of stochastic probability
distribution tests. Fixes bug 29693; bugfix on 0.4.0.1-alpha.
- Fix intermittent failures on an adaptive padding test. Fixes one
case of bug 29122; bugfix on 0.4.0.1-alpha.
- Disable an unstable circuit-padding test that was failing
intermittently because of an ill-defined small histogram. Such
histograms will be allowed again after 29298 is implemented. Fixes
a second case of bug 29122; bugfix on 0.4.0.1-alpha.
- Detect and suppress "bug" warnings from the util/time test on
Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha.
- Do not log an error-level message if we fail to find an IPv6
network interface from the unit tests. Fixes bug 29160; bugfix
on 0.2.7.3-rc.
- Instead of relying on hs_free_all() to clean up all onion service
objects in test_build_descriptors(), we now deallocate them one by
one. This lets Coverity know that we are not leaking memory there
and fixes CID 1442277. Fixes bug 28989; bugfix on 0.3.5.1-alpha.
- Check the time in the "Expires" header using approx_time(). Fixes
bug 30001; bugfix on 0.4.0.4-rc.
o Minor bugfixes (TLS protocol):
- When classifying a client's selection of TLS ciphers, if the
client ciphers are not yet available, do not cache the result.
Previously, we had cached the unavailability of the cipher list
and never looked again, which in turn led us to assume that the
client only supported the ancient V1 link protocol. This, in turn,
was causing Stem integration tests to stall in some cases. Fixes
bug 30021; bugfix on 0.2.4.8-alpha.
o Minor bugfixes (UI):
- Lower log level of unlink() errors during bootstrap. Fixes bug
29930; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (usability):
- Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate().
Some users took this phrasing to mean that the mentioned guard was
under their control or responsibility, which it is not. Fixes bug
28895; bugfix on Tor 0.3.0.1-alpha.
o Minor bugfixes (Windows, CI):
- Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit
Windows Server 2012 R2 job. The remaining 2 jobs still provide
coverage of 64/32-bit, and Windows Server 2016/2012 R2. Also set
fast_finish, so failed jobs terminate the build immediately. Fixes
bug 29601; bugfix on 0.3.5.4-alpha.
o Code simplification and refactoring:
- Introduce a connection_dir_buf_add() helper function that detects
whether compression is in use, and adds a string accordingly.
Resolves issue 28816.
- Refactor handle_get_next_bandwidth() to use
connection_dir_buf_add(). Implements ticket 29897.
- Reimplement NETINFO cell parsing and generation to rely on
trunnel-generated wire format handling code. Closes ticket 27325.
- Remove unnecessary unsafe code from the Rust macro "cstr!". Closes
ticket 28077.
- Rework SOCKS wire format handling to rely on trunnel-generated
parsing/generation code. Resolves ticket 27620.
- Split out bootstrap progress reporting from control.c into a
separate file. Part of ticket 27402.
- The .may_include files that we use to describe our directory-by-
directory dependency structure now describe a noncircular
dependency graph over the directories that they cover. Our
checkIncludes.py tool now enforces this noncircularity. Closes
ticket 28362.
o Documentation:
- Clarify that Tor performs stream isolation among *Port listeners
by default. Resolves issue 29121.
- In the manpage entry describing MapAddress torrc setting, use
example IP addresses from ranges specified for use in documentation
by RFC 5737. Resolves issue 28623.
- Mention that you cannot add a new onion service if Tor is already
running with Sandbox enabled. Closes ticket 28560.
- Improve ControlPort documentation. Mention that it accepts
address:port pairs, and can be used multiple times. Closes
ticket 28805.
- Document the exact output of "tor --version". Closes ticket 28889.
o Removed features:
- Remove the old check-tor script. Resolves issue 29072.
- Stop responding to the 'GETINFO status/version/num-concurring' and
'GETINFO status/version/num-versioning' control port commands, as
those were deprecated back in 0.2.0.30. Also stop listing them in
output of 'GETINFO info/names'. Resolves ticket 28757.
- The scripts used to generate and maintain the list of fallback
directories have been extracted into a new "fallback-scripts"
repository. Closes ticket 27914.
o Testing:
- Run shellcheck for scripts in the in scripts/ directory. Closes
ticket 28058.
- Add unit tests for tokenize_string() and get_next_token()
functions. Resolves ticket 27625.
o Code simplification and refactoring (onion service v3):
- Consolidate the authorized client descriptor cookie computation
code from client and service into one function. Closes
ticket 27549.
o Code simplification and refactoring (shell scripts):
- Cleanup scan-build.sh to silence shellcheck warnings. Closes
ticket 28007.
- Fix issues that shellcheck found in chutney-git-bisect.sh.
Resolves ticket 28006.
- Fix issues that shellcheck found in updateRustDependencies.sh.
Resolves ticket 28012.
- Fix shellcheck warnings in cov-diff script. Resolves issue 28009.
- Fix shellcheck warnings in run_calltool.sh. Resolves ticket 28011.
- Fix shellcheck warnings in run_trunnel.sh. Resolves issue 28010.
- Fix shellcheck warnings in scripts/test/coverage. Resolves
issue 28008.
2019-05-03 10:45:51 +02:00
|
|
|
.include "options.mk"
|
|
|
|
|
|
Updated tor to 0.3.0.6.
Changes in version 0.3.0.6 - 2017-04-26
Tor 0.3.0.6 is the first stable release of the Tor 0.3.0 series.
With the 0.3.0 series, clients and relays now use Ed25519 keys to
authenticate their link connections to relays, rather than the old
RSA1024 keys that they used before. (Circuit crypto has been
Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced
the guard selection and replacement algorithm to behave more robustly
in the presence of unreliable networks, and to resist guard-
capture attacks.
This series also includes numerous other small features and bugfixes,
along with more groundwork for the upcoming hidden-services revamp.
Per our stable release policy, we plan to support the Tor 0.3.0
release series for at least the next nine months, or for three months
after the first stable release of the 0.3.1 series: whichever is
longer. If you need a release with long-term support, we recommend
that you stay with the 0.2.9 series.
Below are the changes since 0.2.9.10. For a list of only the changes
since 0.3.0.5-rc, see the ChangeLog file.
o Major features (directory authority, security):
- The default for AuthDirPinKeys is now 1: directory authorities
will reject relays where the RSA identity key matches a previously
seen value, but the Ed25519 key has changed. Closes ticket 18319.
o Major features (guard selection algorithm):
- Tor's guard selection algorithm has been redesigned from the
ground up, to better support unreliable networks and restrictive
sets of entry nodes, and to better resist guard-capture attacks by
hostile local networks. Implements proposal 271; closes
ticket 19877.
o Major features (next-generation hidden services):
- Relays can now handle v3 ESTABLISH_INTRO cells as specified by
prop224 aka "Next Generation Hidden Services". Service and clients
don't use this functionality yet. Closes ticket 19043. Based on
initial code by Alec Heifetz.
- Relays now support the HSDir version 3 protocol, so that they can
can store and serve v3 descriptors. This is part of the next-
generation onion service work detailled in proposal 224. Closes
ticket 17238.
o Major features (protocol, ed25519 identity keys):
- Clients now support including Ed25519 identity keys in the EXTEND2
cells they generate. By default, this is controlled by a consensus
parameter, currently disabled. You can turn this feature on for
testing by setting ExtendByEd25519ID in your configuration. This
might make your traffic appear different than the traffic
generated by other users, however. Implements part of ticket
15056; part of proposal 220.
- Relays now understand requests to extend to other relays by their
Ed25519 identity keys. When an Ed25519 identity key is included in
an EXTEND2 cell, the relay will only extend the circuit if the
other relay can prove ownership of that identity. Implements part
of ticket 15056; part of proposal 220.
- Relays now use Ed25519 to prove their Ed25519 identities and to
one another, and to clients. This algorithm is faster and more
secure than the RSA-based handshake we've been doing until now.
Implements the second big part of proposal 220; Closes
ticket 15055.
o Major features (security):
- Change the algorithm used to decide DNS TTLs on client and server
side, to better resist DNS-based correlation attacks like the
DefecTor attack of Greschbach, Pulls, Roberts, Winter, and
Feamster. Now relays only return one of two possible DNS TTL
values, and clients are willing to believe DNS TTL values up to 3
hours long. Closes ticket 19769.
o Major bugfixes (client, onion service, also in 0.2.9.9):
- Fix a client-side onion service reachability bug, where multiple
socks requests to an onion service (or a single slow request)
could cause us to mistakenly mark some of the service's
introduction points as failed, and we cache that failure so
eventually we run out and can't reach the service. Also resolves a
mysterious "Remote server sent bogus reason code 65021" log
warning. The bug was introduced in ticket 17218, where we tried to
remember the circuit end reason as a uint16_t, which mangled
negative values. Partially fixes bug 21056 and fixes bug 20307;
bugfix on 0.2.8.1-alpha.
o Major bugfixes (crash, directory connections):
- Fix a rare crash when sending a begin cell on a circuit whose
linked directory connection had already been closed. Fixes bug
21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.
o Major bugfixes (directory authority):
- During voting, when marking a relay as a probable sybil, do not
clear its BadExit flag: sybils can still be bad in other ways
too. (We still clear the other flags.) Fixes bug 21108; bugfix
on 0.2.0.13-alpha.
o Major bugfixes (DNS):
- Fix a bug that prevented exit nodes from caching DNS records for
more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha.
o Major bugfixes (IPv6 Exits):
- Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
any IPv6 addresses. Instead, only reject a port over IPv6 if the
exit policy rejects that port on more than an IPv6 /16 of
addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
which rejected a relay's own IPv6 address by default. Fixes bug
21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.
o Major bugfixes (parsing):
- Fix an integer underflow bug when comparing malformed Tor
versions. This bug could crash Tor when built with
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
0.2.9.8, which were built with -ftrapv by default. In other cases
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
on 0.0.8pre1. Found by OSS-Fuzz.
- When parsing a malformed content-length field from an HTTP
message, do not read off the end of the buffer. This bug was a
potential remote denial-of-service attack against Tor clients and
relays. A workaround was released in October 2016, to prevent this
bug from crashing Tor. This is a fix for the underlying issue,
which should no longer matter (if you applied the earlier patch).
Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing
using AFL (http://lcamtuf.coredump.cx/afl/).
o Major bugfixes (scheduler):
- Actually compare circuit policies in ewma_cmp_cmux(). This bug
caused the channel scheduler to behave more or less randomly,
rather than preferring channels with higher-priority circuits.
Fixes bug 20459; bugfix on 0.2.6.2-alpha.
o Major bugfixes (security, also in 0.2.9.9):
- Downgrade the "-ftrapv" option from "always on" to "only on when
--enable-expensive-hardening is provided." This hardening option,
like others, can turn survivable bugs into crashes--and having it
on by default made a (relatively harmless) integer overflow bug
into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
bugfix on 0.2.9.1-alpha.
o Minor feature (client):
- Enable IPv6 traffic on the SocksPort by default. To disable this,
a user will have to specify "NoIPv6Traffic". Closes ticket 21269.
o Minor feature (fallback scripts):
- Add a check_existing mode to updateFallbackDirs.py, which checks
if fallbacks in the hard-coded list are working. Closes ticket
20174. Patch by haxxpop.
o Minor feature (protocol versioning):
- Add new protocol version for proposal 224. HSIntro now advertises
version "3-4" and HSDir version "1-2". Fixes ticket 20656.
o Minor features (ciphersuite selection):
- Allow relays to accept a wider range of ciphersuites, including
chacha20-poly1305 and AES-CCM. Closes the other part of 15426.
- Clients now advertise a list of ciphersuites closer to the ones
preferred by Firefox. Closes part of ticket 15426.
o Minor features (controller):
- Add "GETINFO sr/current" and "GETINFO sr/previous" keys, to expose
shared-random values to the controller. Closes ticket 19925.
- When HSFETCH arguments cannot be parsed, say "Invalid argument"
rather than "unrecognized." Closes ticket 20389; patch from
Ivan Markin.
o Minor features (controller, configuration):
- Each of the *Port options, such as SocksPort, ORPort, ControlPort,
and so on, now comes with a __*Port variant that will not be saved
to the torrc file by the controller's SAVECONF command. This
change allows TorBrowser to set up a single-use domain socket for
each time it launches Tor. Closes ticket 20956.
- The GETCONF command can now query options that may only be
meaningful in context-sensitive lists. This allows the controller
to query the mixed SocksPort/__SocksPort style options introduced
in feature 20956. Implements ticket 21300.
o Minor features (diagnostic, directory client):
- Warn when we find an unexpected inconsistency in directory
download status objects. Prevents some negative consequences of
bug 20593.
o Minor features (directory authorities):
- Directory authorities now reject descriptors that claim to be
malformed versions of Tor. Helps prevent exploitation of
bug 21278.
- Reject version numbers with components that exceed INT32_MAX.
Otherwise 32-bit and 64-bit platforms would behave inconsistently.
Fixes bug 21450; bugfix on 0.0.8pre1.
o Minor features (directory authority):
- Add a new authority-only AuthDirTestEd25519LinkKeys option (on by
default) to control whether authorities should try to probe relays
by their Ed25519 link keys. This option will go away in a few
releases--unless we encounter major trouble in our ed25519 link
protocol rollout, in which case it will serve as a safety option.
o Minor features (directory cache):
- Relays and bridges will now refuse to serve the consensus they
have if they know it is too old for a client to use. Closes
ticket 20511.
o Minor features (ed25519 link handshake):
- Advertise support for the ed25519 link handshake using the
subprotocol-versions mechanism, so that clients can tell which
relays can identity themselves by Ed25519 ID. Closes ticket 20552.
o Minor features (entry guards):
- Add UseEntryGuards to TEST_OPTIONS_DEFAULT_VALUES in order to not
break regression tests.
- Require UseEntryGuards when UseBridges is set, in order to make
sure bridges aren't bypassed. Resolves ticket 20502.
o Minor features (fallback directories):
- Allow 3 fallback relays per operator, which is safe now that we
are choosing 200 fallback relays. Closes ticket 20912.
- Annotate updateFallbackDirs.py with the bandwidth and consensus
weight for each candidate fallback. Closes ticket 20878.
- Display the relay fingerprint when downloading consensuses from
fallbacks. Closes ticket 20908.
- Exclude relays affected by bug 20499 from the fallback list.
Exclude relays from the fallback list if they are running versions
known to be affected by bug 20499, or if in our tests they deliver
a stale consensus (i.e. one that expired more than 24 hours ago).
Closes ticket 20539.
- Make it easier to change the output sort order of fallbacks.
Closes ticket 20822.
- Reduce the minimum fallback bandwidth to 1 MByte/s. Part of
ticket 18828.
- Require fallback directories to have the same address and port for
7 days (now that we have enough relays with this stability).
Relays whose OnionOO stability timer is reset on restart by bug
18050 should upgrade to Tor 0.2.8.7 or later, which has a fix for
this issue. Closes ticket 20880; maintains short-term fix
in 0.2.8.2-alpha.
- Require fallbacks to have flags for 90% of the time (weighted
decaying average), rather than 95%. This allows at least 73% of
clients to bootstrap in the first 5 seconds without contacting an
authority. Part of ticket 18828.
- Select 200 fallback directories for each release. Closes
ticket 20881.
o Minor features (fingerprinting resistence, authentication):
- Extend the length of RSA keys used for TLS link authentication to
2048 bits. (These weren't used for forward secrecy; for forward
secrecy, we used P256.) Closes ticket 13752.
o Minor features (geoip):
- Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2
Country database.
o Minor features (geoip, also in 0.2.9.9):
- Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
Country database.
o Minor features (infrastructure):
- Implement smartlist_add_strdup() function. Replaces the use of
smartlist_add(sl, tor_strdup(str)). Closes ticket 20048.
o Minor features (linting):
- Enhance the changes file linter to warn on Tor versions that are
prefixed with "tor-". Closes ticket 21096.
o Minor features (logging):
- In several places, describe unset ed25519 keys as "<unset>",
rather than the scary "AAAAAAAA...AAA". Closes ticket 21037.
o Minor features (portability, compilation):
- Autoconf now checks to determine if OpenSSL structures are opaque,
instead of explicitly checking for OpenSSL version numbers. Part
of ticket 21359.
- Support building with recent LibreSSL code that uses opaque
structures. Closes ticket 21359.
o Minor features (relay):
- We now allow separation of exit and relay traffic to different
source IP addresses, using the OutboundBindAddressExit and
OutboundBindAddressOR options respectively. Closes ticket 17975.
Written by Michael Sonntag.
o Minor features (reliability, crash):
- Try better to detect problems in buffers where they might grow (or
think they have grown) over 2 GB in size. Diagnostic for
bug 21369.
o Minor features (testing):
- During 'make test-network-all', if tor logs any warnings, ask
chutney to output them. Requires a recent version of chutney with
the 21572 patch. Implements 21570.
o Minor bugfix (control protocol):
- The reply to a "GETINFO config/names" request via the control
protocol now spells the type "Dependent" correctly. This is a
breaking change in the control protocol. (The field seems to be
ignored by the most common known controllers.) Fixes bug 18146;
bugfix on 0.1.1.4-alpha.
- The GETINFO extra-info/digest/<digest> command was broken because
of a wrong base16 decode return value check, introduced when
refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha.
o Minor bugfix (logging):
- Don't recommend the use of Tor2web in non-anonymous mode.
Recommending Tor2web is a bad idea because the client loses all
anonymity. Tor2web should only be used in specific cases by users
who *know* and understand the issues. Fixes bug 21294; bugfix
on 0.2.9.3-alpha.
o Minor bugfixes (bug resilience):
- Fix an unreachable size_t overflow in base64_decode(). Fixes bug
19222; bugfix on 0.2.0.9-alpha. Found by Guido Vranken; fixed by
Hans Jerry Illikainen.
o Minor bugfixes (build):
- Replace obsolete Autoconf macros with their modern equivalent and
prevent similar issues in the future. Fixes bug 20990; bugfix
on 0.1.0.1-rc.
o Minor bugfixes (certificate expiration time):
- Avoid using link certificates that don't become valid till some
time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha
o Minor bugfixes (client):
- Always recover from failures in extend_info_from_node(), in an
attempt to prevent any recurrence of bug 21242. Fixes bug 21372;
bugfix on 0.2.3.1-alpha.
- When clients that use bridges start up with a cached consensus on
disk, they were ignoring it and downloading a new one. Now they
use the cached one. Fixes bug 20269; bugfix on 0.2.3.12-alpha.
o Minor bugfixes (code correctness):
- Repair a couple of (unreachable or harmless) cases of the risky
comparison-by-subtraction pattern that caused bug 21278.
o Minor bugfixes (config):
- Don't assert on startup when trying to get the options list and
LearnCircuitBuildTimeout is set to 0: we are currently parsing the
options so of course they aren't ready yet. Fixes bug 21062;
bugfix on 0.2.9.3-alpha.
o Minor bugfixes (configuration):
- Accept non-space whitespace characters after the severity level in
the `Log` option. Fixes bug 19965; bugfix on 0.2.1.1-alpha.
- Support "TByte" and "TBytes" units in options given in bytes.
"TB", "terabyte(s)", "TBit(s)" and "terabit(s)" were already
supported. Fixes bug 20622; bugfix on 0.2.0.14-alpha.
o Minor bugfixes (configure, autoconf):
- Rename the configure option --enable-expensive-hardening to
--enable-fragile-hardening. Expensive hardening makes the tor
daemon abort when some kinds of issues are detected. Thus, it
makes tor more at risk of remote crashes but safer against RCE or
heartbleed bug category. We now try to explain this issue in a
message from the configure script. Fixes bug 21290; bugfix
on 0.2.5.4-alpha.
o Minor bugfixes (consensus weight):
- Add new consensus method that initializes bw weights to 1 instead
of 0. This prevents a zero weight from making it all the way to
the end (happens in small testing networks) and causing an error.
Fixes bug 14881; bugfix on 0.2.2.17-alpha.
o Minor bugfixes (crash prevention):
- Fix an (currently untriggerable, but potentially dangerous) crash
bug when base32-encoding inputs whose sizes are not a multiple of
5. Fixes bug 21894; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (dead code):
- Remove a redundant check for PidFile changes at runtime in
options_transition_allowed(): this check is already performed
regardless of whether the sandbox is active. Fixes bug 21123;
bugfix on 0.2.5.4-alpha.
o Minor bugfixes (descriptors):
- Correctly recognise downloaded full descriptors as valid, even
when using microdescriptors as circuits. This affects clients with
FetchUselessDescriptors set, and may affect directory authorities.
Fixes bug 20839; bugfix on 0.2.3.2-alpha.
o Minor bugfixes (directory mirrors):
- Allow relays to use directory mirrors without a DirPort: these
relays need to be contacted over their ORPorts using a begindir
connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha.
- Clarify the message logged when a remote relay is unexpectedly
missing an ORPort or DirPort: users were confusing this with a
local port. Fixes another case of bug 20711; bugfix
on 0.2.8.2-alpha.
o Minor bugfixes (directory system):
- Bridges and relays now use microdescriptors (like clients do)
rather than old-style router descriptors. Now bridges will blend
in with clients in terms of the circuits they build. Fixes bug
6769; bugfix on 0.2.3.2-alpha.
- Download all consensus flavors, descriptors, and authority
certificates when FetchUselessDescriptors is set, regardless of
whether tor is a directory cache or not. Fixes bug 20667; bugfix
on all recent tor versions.
o Minor bugfixes (documentation):
- Update the tor manual page to document every option that can not
be changed while tor is running. Fixes bug 21122.
o Minor bugfixes (ed25519 certificates):
- Correctly interpret ed25519 certificates that would expire some
time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (fallback directories):
- Avoid checking fallback candidates' DirPorts if they are down in
OnionOO. When a relay operator has multiple relays, this
prioritizes relays that are up over relays that are down. Fixes
bug 20926; bugfix on 0.2.8.3-alpha.
- Stop failing when OUTPUT_COMMENTS is True in updateFallbackDirs.py.
Fixes bug 20877; bugfix on 0.2.8.3-alpha.
- Stop failing when a relay has no uptime data in
updateFallbackDirs.py. Fixes bug 20945; bugfix on 0.2.8.1-alpha.
o Minor bugfixes (hidden service):
- Clean up the code for expiring intro points with no associated
circuits. It was causing, rarely, a service with some expiring
introduction points to not open enough additional introduction
points. Fixes part of bug 21302; bugfix on 0.2.7.2-alpha.
- Resolve two possible underflows which could lead to creating and
closing a lot of introduction point circuits in a non-stop loop.
Fixes bug 21302; bugfix on 0.2.7.2-alpha.
- Stop setting the torrc option HiddenServiceStatistics to "0" just
because we're not a bridge or relay. Instead, we preserve whatever
value the user set (or didn't set). Fixes bug 21150; bugfix
on 0.2.6.2-alpha.
o Minor bugfixes (hidden services):
- Make hidden services check for failed intro point connections,
even when they have exceeded their intro point creation limit.
Fixes bug 21596; bugfix on 0.2.7.2-alpha. Reported by Alec Muffett.
- Make hidden services with 8 to 10 introduction points check for
failed circuits immediately after startup. Previously, they would
wait for 5 minutes before performing their first checks. Fixes bug
21594; bugfix on 0.2.3.9-alpha. Reported by Alec Muffett.
- Stop ignoring misconfigured hidden services. Instead, refuse to
start tor until the misconfigurations have been corrected. Fixes
bug 20559; bugfix on multiple commits in 0.2.7.1-alpha
and earlier.
o Minor bugfixes (IPv6):
- Make IPv6-using clients try harder to find an IPv6 directory
server. Fixes bug 20999; bugfix on 0.2.8.2-alpha.
- When IPv6 addresses have not been downloaded yet (microdesc
consensus documents don't list relay IPv6 addresses), use hard-
coded addresses for authorities, fallbacks, and configured
bridges. Now IPv6-only clients can use microdescriptors. Fixes bug
20996; bugfix on b167e82 from 19608 in 0.2.8.5-alpha.
o Minor bugfixes (memory leak at exit):
- Fix a small harmless memory leak at exit of the previously unused
RSA->Ed identity cross-certificate. Fixes bug 17779; bugfix
on 0.2.7.2-alpha.
o Minor bugfixes (onion services):
- Allow the number of introduction points to be as low as 0, rather
than as low as 3. Fixes bug 21033; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (portability):
- Use "OpenBSD" compiler macro instead of "OPENBSD" or "__OpenBSD__".
It is supported by OpenBSD itself, and also by most OpenBSD
variants (such as Bitrig). Fixes bug 20980; bugfix
on 0.1.2.1-alpha.
o Minor bugfixes (portability, also in 0.2.9.9):
- Avoid crashing when Tor is built using headers that contain
CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
on 0.2.9.1-alpha.
- Fix Libevent detection on platforms without Libevent 1 headers
installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (relay):
- Avoid a double-marked-circuit warning that could happen when we
receive DESTROY cells under heavy load. Fixes bug 20059; bugfix
on 0.1.0.1-rc.
- Honor DataDirectoryGroupReadable when tor is a relay. Previously,
initializing the keys would reset the DataDirectory to 0700
instead of 0750 even if DataDirectoryGroupReadable was set to 1.
Fixes bug 19953; bugfix on 0.0.2pre16. Patch by "redfish".
o Minor bugfixes (testing):
- Fix Raspbian build issues related to missing socket errno in
test_util.c. Fixes bug 21116; bugfix on 0.2.8.2. Patch by "hein".
- Remove undefined behavior from the backtrace generator by removing
its signal handler. Fixes bug 21026; bugfix on 0.2.5.2-alpha.
- Use bash in src/test/test-network.sh. This ensures we reliably
call chutney's newer tools/test-network.sh when available. Fixes
bug 21562; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (tor-resolve):
- The tor-resolve command line tool now rejects hostnames over 255
characters in length. Previously, it would silently truncate them,
which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
Patch by "junglefowl".
o Minor bugfixes (unit tests):
- Allow the unit tests to pass even when DNS lookups of bogus
addresses do not fail as expected. Fixes bug 20862 and 20863;
bugfix on unit tests introduced in 0.2.8.1-alpha
through 0.2.9.4-alpha.
o Minor bugfixes (util):
- When finishing writing a file to disk, if we were about to replace
the file with the temporary file created before and we fail to
replace it, remove the temporary file so it doesn't stay on disk.
Fixes bug 20646; bugfix on 0.2.0.7-alpha. Patch by fk.
o Minor bugfixes (Windows services):
- Be sure to initialize the monotonic time subsystem before using
it, even when running as an NT service. Fixes bug 21356; bugfix
on 0.2.9.1-alpha.
o Minor bugfixes (Windows):
- Check for getpagesize before using it to mmap files. This fixes
compilation in some MinGW environments. Fixes bug 20530; bugfix on
0.1.2.1-alpha. Reported by "ice".
o Code simplification and refactoring:
- Abolish all global guard context in entrynodes.c; replace with new
guard_selection_t structure as preparation for proposal 271.
Closes ticket 19858.
- Extract magic numbers in circuituse.c into defined variables.
- Introduce rend_service_is_ephemeral() that tells if given onion
service is ephemeral. Replace unclear NULL-checkings for service
directory with this function. Closes ticket 20526.
- Refactor circuit_is_available_for_use to remove unnecessary check.
- Refactor circuit_predict_and_launch_new for readability and
testability. Closes ticket 18873.
- Refactor code to manipulate global_origin_circuit_list into
separate functions. Closes ticket 20921.
- Refactor large if statement in purpose_needs_anonymity to use
switch statement instead. Closes part of ticket 20077.
- Refactor the hashing API to return negative values for errors, as
is done as throughout the codebase. Closes ticket 20717.
- Remove data structures that were used to index or_connection
objects by their RSA identity digests. These structures are fully
redundant with the similar structures used in the
channel abstraction.
- Remove duplicate code in the channel_write_*cell() functions.
Closes ticket 13827; patch from Pingl.
- Remove redundant behavior of is_sensitive_dir_purpose, refactor to
use only purpose_needs_anonymity. Closes part of ticket 20077.
- The code to generate and parse EXTEND and EXTEND2 cells has been
replaced with code automatically generated by the
"trunnel" utility.
o Documentation (formatting):
- Clean up formatting of tor.1 man page and HTML doc, where <pre>
blocks were incorrectly appearing. Closes ticket 20885.
o Documentation (man page):
- Clarify many options in tor.1 and add some min/max values for
HiddenService options. Closes ticket 21058.
o Documentation:
- Change '1' to 'weight_scale' in consensus bw weights calculation
comments, as that is reality. Closes ticket 20273. Patch
from pastly.
- Clarify that when ClientRejectInternalAddresses is enabled (which
is the default), multicast DNS hostnames for machines on the local
network (of the form *.local) are also rejected. Closes
ticket 17070.
- Correct the value for AuthDirGuardBWGuarantee in the manpage, from
250 KBytes to 2 MBytes. Fixes bug 20435; bugfix on 0.2.5.6-alpha.
- Include the "TBits" unit in Tor's man page. Fixes part of bug
20622; bugfix on 0.2.5.1-alpha.
- Small fixes to the fuzzing documentation. Closes ticket 21472.
- Stop the man page from incorrectly stating that HiddenServiceDir
must already exist. Fixes 20486.
- Update the description of the directory server options in the
manual page, to clarify that a relay no longer needs to set
DirPort in order to be a directory cache. Closes ticket 21720.
o Removed features:
- The AuthDirMaxServersPerAuthAddr option no longer exists: The same
limit for relays running on a single IP applies to authority IP
addresses as well as to non-authority IP addresses. Closes
ticket 20960.
- The UseDirectoryGuards torrc option no longer exists: all users
that use entry guards will also use directory guards. Related to
proposal 271; implements part of ticket 20831.
o Testing:
- Add tests for networkstatus_compute_bw_weights_v10.
- Add unit tests circuit_predict_and_launch_new.
- Extract dummy_origin_circuit_new so it can be used by other
test functions.
- New unit tests for tor_htonll(). Closes ticket 19563. Patch
from "overcaffeinated".
- Perform the coding style checks when running the tests and fail
when coding style violations are found. Closes ticket 5500.
2017-05-02 13:16:02 +02:00
|
|
|
.include "../../mk/bsd.prefs.mk"
|
|
|
|
|
|
2008-08-01 19:23:21 +02:00
|
|
|
.if !empty(PKGSRC_COMPILER:Mmipspro)
|
|
|
|
|
CFLAGS+= -c99
|
|
|
|
|
.endif
|
|
|
|
|
|
2019-03-19 16:44:19 +01:00
|
|
|
.include "../../archivers/zstd/buildlink3.mk"
|
Update tor to latest stable release, 0.2.7.5.
Changes in version 0.2.7.5 - 2015-11-20
The Tor 0.2.7 release series is dedicated to the memory of Tor user
and privacy advocate Caspar Bowden (1961-2015). Caspar worked
tirelessly to advocate human rights regardless of national borders,
and oppose the encroachments of mass surveillance. He opposed national
exceptionalism, he brought clarity to legal and policy debates, he
understood and predicted the impact of mass surveillance on the world,
and he laid the groundwork for resisting it. While serving on the Tor
Project's board of directors, he brought us his uncompromising focus
on technical excellence in the service of humankind. Caspar was an
inimitable force for good and a wonderful friend. He was kind,
humorous, generous, gallant, and believed we should protect one
another without exception. We honor him here for his ideals, his
efforts, and his accomplishments. Please honor his memory with works
that would make him proud.
Tor 0.2.7.5 is the first stable release in the Tor 0.2.7 series.
The 0.2.7 series adds a more secure identity key type for relays,
improves cryptography performance, resolves several longstanding
hidden-service performance issues, improves controller support for
hidden services, and includes small bugfixes and performance
improvements throughout the program. This release series also includes
more tests than before, and significant simplifications to which parts
of Tor invoke which others.
(This release contains no code changes since 0.2.7.4-rc.)
Changes in version 0.2.7.4-rc - 2015-10-21
Tor 0.2.7.4-rc is the second release candidate in the 0.2.7 series. It
fixes some important memory leaks, and a scary-looking (but mostly
harmless in practice) invalid-read bug. It also has a few small
bugfixes, notably fixes for compilation and portability on different
platforms. If no further significant bounds are found, the next
release will the the official stable release.
o Major bugfixes (security, correctness):
- Fix an error that could cause us to read 4 bytes before the
beginning of an openssl string. This bug could be used to cause
Tor to crash on systems with unusual malloc implementations, or
systems with unusual hardening installed. Fixes bug 17404; bugfix
on 0.2.3.6-alpha.
o Major bugfixes (correctness):
- Fix a use-after-free bug in validate_intro_point_failure(). Fixes
bug 17401; bugfix on 0.2.7.3-rc.
o Major bugfixes (memory leaks):
- Fix a memory leak in ed25519 batch signature checking. Fixes bug
17398; bugfix on 0.2.6.1-alpha.
- Fix a memory leak in rend_cache_failure_entry_free(). Fixes bug
17402; bugfix on 0.2.7.3-rc.
- Fix a memory leak when reading an expired signing key from disk.
Fixes bug 17403; bugfix on 0.2.7.2-rc.
o Minor features (geoIP):
- Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation):
- Repair compilation with the most recent (unreleased, alpha)
vesions of OpenSSL 1.1. Fixes part of ticket 17237.
- Fix an integer overflow warning in test_crypto_slow.c. Fixes bug
17251; bugfix on 0.2.7.2-alpha.
- Fix compilation of sandbox.c with musl-libc. Fixes bug 17347;
bugfix on 0.2.5.1-alpha. Patch from 'jamestk'.
o Minor bugfixes (portability):
- Use libexecinfo on FreeBSD to enable backtrace support. Fixes part
of bug 17151; bugfix on 0.2.5.2-alpha. Patch from Marcin Cieślak.
o Minor bugfixes (sandbox):
- Add the "hidserv-stats" filename to our sandbox filter for the
HiddenServiceStatistics option to work properly. Fixes bug 17354;
bugfix on tor-0.2.6.2-alpha. Patch from David Goulet.
o Minor bugfixes (testing):
- Add unit tests for get_interface_address* failure cases. Fixes bug
17173; bugfix on 0.2.7.3-rc. Patch by fk/teor.
- Fix breakage when running 'make check' with BSD make. Fixes bug
17154; bugfix on 0.2.7.3-rc. Patch by Marcin Cieślak.
- Make the get_ifaddrs_* unit tests more tolerant of different
network configurations. (Don't assume every test box has an IPv4
address, and don't assume every test box has a non-localhost
address.) Fixes bug 17255; bugfix on 0.2.7.3-rc. Patch by "teor".
- Skip backtrace tests when backtrace support is not compiled in.
Fixes part of bug 17151; bugfix on 0.2.7.1-alpha. Patch from
Marcin Cieślak.
o Documentation:
- Fix capitalization of SOCKS in sample torrc. Closes ticket 15609.
- Note that HiddenServicePorts can take a unix domain socket. Closes
ticket 17364.
Changes in version 0.2.7.3-rc - 2015-09-25
Tor 0.2.7.3-rc is the first release candidate in the 0.2.7 series. It
contains numerous usability fixes for Ed25519 keys, safeguards against
several misconfiguration problems, significant simplifications to
Tor's callgraph, and numerous bugfixes and small features.
This is the most tested release of Tor to date. The unit tests cover
39.40% of the code, and the integration tests (accessible with "make
test-full-online", requiring stem and chutney and a network
connection) raise the coverage to 64.49%.
o Major features (security, hidden services):
- Hidden services, if using the EntryNodes option, are required to
use more than one EntryNode, in order to avoid a guard discovery
attack. (This would only affect people who had configured hidden
services and manually specified the EntryNodes option with a
single entry-node. The impact was that it would be easy to
remotely identify the guard node used by such a hidden service.
See ticket for more information.) Fixes ticket 14917.
o Major features (Ed25519 keys, keypinning):
- The key-pinning option on directory authorities is now advisory-
only by default. In a future version, or when the AuthDirPinKeys
option is set, pins are enforced again. Disabling key-pinning
seemed like a good idea so that we can survive the fallout of any
usability problems associated with Ed25519 keys. Closes
ticket 17135.
o Major features (Ed25519 performance):
- Improve the speed of Ed25519 operations and Curve25519 keypair
generation when built targeting 32 bit x86 platforms with SSE2
available. Implements ticket 16535.
- Improve the runtime speed of Ed25519 signature verification by
using Ed25519-donna's batch verification support. Implements
ticket 16533.
o Major features (performance testing):
- The test-network.sh script now supports performance testing.
Requires corresponding chutney performance testing changes. Patch
by "teor". Closes ticket 14175.
o Major features (relay, Ed25519):
- Significant usability improvements for Ed25519 key management. Log
messages are better, and the code can recover from far more
failure conditions. Thanks to "s7r" for reporting and diagnosing
so many of these!
- Add a new OfflineMasterKey option to tell Tor never to try loading
or generating a secret Ed25519 identity key. You can use this in
combination with tor --keygen to manage offline and/or encrypted
Ed25519 keys. Implements ticket 16944.
- Add a --newpass option to allow changing or removing the
passphrase of an encrypted key with tor --keygen. Implements part
of ticket 16769.
- On receiving a HUP signal, check to see whether the Ed25519
signing key has changed, and reload it if so. Closes ticket 16790.
o Major bugfixes (relay, Ed25519):
- Avoid crashing on 'tor --keygen'. Fixes bug 16679; bugfix on
0.2.7.2-alpha. Reported by "s7r".
- Improve handling of expired signing keys with offline master keys.
Fixes bug 16685; bugfix on 0.2.7.2-alpha. Reported by "s7r".
o Minor features (client-side privacy):
- New KeepAliveIsolateSOCKSAuth option to indefinitely extend circuit
lifespan when IsolateSOCKSAuth and streams with SOCKS
authentication are attached to the circuit. This allows
applications like TorBrowser to manage circuit lifetime on their
own. Implements feature 15482.
- When logging malformed hostnames from SOCKS5 requests, respect
SafeLogging configuration. Fixes bug 16891; bugfix on 0.1.1.16-rc.
o Minor features (compilation):
- Give a warning as early as possible when trying to build with an
unsupported OpenSSL version. Closes ticket 16901.
- Fail during configure if we're trying to build against an OpenSSL
built without ECC support. Fixes bug 17109, bugfix on 0.2.7.1-alpha
which started requiring ECC.
o Minor features (geoip):
- Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2
Country database.
o Minor features (hidden services):
- Relays need to have the Fast flag to get the HSDir flag. As this
is being written, we'll go from 2745 HSDirs down to 2342, a ~14%
drop. This change should make some attacks against the hidden
service directory system harder. Fixes ticket 15963.
- Turn on hidden service statistics collection by setting the torrc
option HiddenServiceStatistics to "1" by default. (This keeps
track only of the fraction of traffic used by hidden services, and
the total number of hidden services in existence.) Closes
ticket 15254.
- Client now uses an introduction point failure cache to know when
to fetch or keep a descriptor in their cache. Previously, failures
were recorded implicitly, but not explicitly remembered. Closes
ticket 16389.
o Minor features (testing, authorities, documentation):
- New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags to
explicitly manage consensus flags in testing networks. Patch by
"robgjansen", modified by "teor". Implements part of ticket 14882.
o Minor bugfixes (security, exit policies):
- ExitPolicyRejectPrivate now also rejects the relay's published
IPv6 address (if any), and any publicly routable IPv4 or IPv6
addresses on any local interfaces. ticket 17027. Patch by "teor".
Fixes bug 17027; bugfix on 0.2.0.11-alpha.
o Minor bug fixes (torrc exit policies):
- In torrc, "accept6 *" and "reject6 *" ExitPolicy lines now only
produce IPv6 wildcard addresses. Previously they would produce
both IPv4 and IPv6 wildcard addresses. Patch by "teor". Fixes part
of bug 16069; bugfix on 0.2.4.7-alpha.
- When parsing torrc ExitPolicies, we now warn for a number of cases
where the user's intent is likely to differ from Tor's actual
behavior. These include: using an IPv4 address with an accept6 or
reject6 line; using "private" on an accept6 or reject6 line; and
including any ExitPolicy lines after accept *:* or reject *:*.
Related to ticket 16069.
- When parsing torrc ExitPolicies, we now issue an info-level
message when expanding an "accept/reject *" line to include both
IPv4 and IPv6 wildcard addresses. Related to ticket 16069.
- In each instance above, usage advice is provided to avoid the
message. Resolves ticket 16069. Patch by "teor". Fixes part of bug
16069; bugfix on 0.2.4.7-alpha.
o Minor bugfixes (authority):
- Don't assign "HSDir" to a router if it isn't Valid and Running.
Fixes bug 16524; bugfix on 0.2.7.2-alpha.
- Downgrade log messages about Ed25519 key issues if they are in old
cached router descriptors. Fixes part of bug 16286; bugfix
on 0.2.7.2-alpha.
- When we find an Ed25519 key issue in a cached descriptor, stop
saying the descriptor was just "uploaded". Fixes another part of
bug 16286; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (control port):
- Repair a warning and a spurious result when getting the maximum
number of file descriptors from the controller. Fixes bug 16697;
bugfix on 0.2.7.2-alpha.
o Minor bugfixes (correctness):
- When calling channel_free_list(), avoid calling smartlist_remove()
while inside a FOREACH loop. This partially reverts commit
17356fe7fd96af where the correct SMARTLIST_DEL_CURRENT was
incorrectly removed. Fixes bug 16924; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (documentation):
- Advise users on how to configure separate IPv4 and IPv6 exit
policies in the manpage and sample torrcs. Related to ticket 16069.
- Fix the usage message of tor-resolve(1) so that it no longer lists
the removed -F option. Fixes bug 16913; bugfix on 0.2.2.28-beta.
- Fix an error in the manual page and comments for
TestingDirAuthVoteHSDir[IsStrict], which suggested that a HSDir
required "ORPort connectivity". While this is true, it is in no
way unique to the HSDir flag. Of all the flags, only HSDirs need a
DirPort configured in order for the authorities to assign that
particular flag. Patch by "teor". Fixed as part of 14882; bugfix
on 0.2.6.3-alpha.
o Minor bugfixes (Ed25519):
- Fix a memory leak when reading router descriptors with expired
Ed25519 certificates. Fixes bug 16539; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow bridge authorities to run correctly under the seccomp2
sandbox. Fixes bug 16964; bugfix on 0.2.5.1-alpha.
- Allow routers with ed25519 keys to run correctly under the
seccomp2 sandbox. Fixes bug 16965; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (open file limit):
- Fix set_max_file_descriptors() to set by default the max open file
limit to the current limit when setrlimit() fails. Fixes bug
16274; bugfix on tor- 0.2.0.10-alpha. Patch by dgoulet.
o Minor bugfixes (portability):
- Try harder to normalize the exit status of the Tor process to the
standard-provided range. Fixes bug 16975; bugfix on every version
of Tor ever.
- Check correctly for Windows socket errors in the workqueue
backend. Fixes bug 16741; bugfix on 0.2.6.3-alpha.
- Fix the behavior of crypto_rand_time_range() when told to consider
times before 1970. (These times were possible when running in a
simulated network environment where time()'s output starts at
zero.) Fixes bug 16980; bugfix on 0.2.7.1-alpha.
- Restore correct operation of TLS client-cipher detection on
OpenSSL 1.1. Fixes bug 14047; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (relay):
- Ensure that worker threads actually exit when a fatal error or
shutdown is indicated. This fix doesn't currently affect the
behavior of Tor, because Tor workers never indicates fatal error
or shutdown except in the unit tests. Fixes bug 16868; bugfix
on 0.2.6.3-alpha.
- Unblock threads before releasing the work queue mutex to ensure
predictable scheduling behavior. Fixes bug 16644; bugfix
on 0.2.6.3-alpha.
o Code simplification and refactoring:
- Change the function that's called when we need to retry all
downloads so that it only reschedules the downloads to happen
immediately, rather than launching them all at once itself. This
further simplifies Tor's callgraph.
- Move some format-parsing functions out of crypto.c and
crypto_curve25519.c into crypto_format.c and/or util_format.c.
- Move the client-only parts of init_keys() into a separate
function. Closes ticket 16763.
- Simplify the microdesc_free() implementation so that it no longer
appears (to code analysis tools) to potentially invoke a huge
suite of other microdesc functions.
- Simply the control graph further by deferring the inner body of
directory_all_unreachable() into a callback. Closes ticket 16762.
- Treat the loss of an owning controller as equivalent to a SIGTERM
signal. This removes a tiny amount of duplicated code, and
simplifies our callgraph. Closes ticket 16788.
- When generating an event to send to the controller, we no longer
put the event over the network immediately. Instead, we queue
these events, and use a Libevent callback to deliver them. This
change simplifies Tor's callgraph by reducing the number of
functions from which all other Tor functions are reachable. Closes
ticket 16695.
- Wrap Windows-only C files inside '#ifdef _WIN32' so that tools
that try to scan or compile every file on Unix won't decide that
they are broken.
- Remove the unused "nulterminate" argument from buf_pullup().
o Documentation:
- Recommend a 40 GB example AccountingMax in torrc.sample rather
than a 4 GB max. Closes ticket 16742.
- Include the TUNING document in our source tarball. It is referred
to in the ChangeLog and an error message. Fixes bug 16929; bugfix
on 0.2.6.1-alpha.
o Removed code:
- The internal pure-C tor-fw-helper tool is now removed from the Tor
distribution, in favor of the pure-Go clone available from
https://gitweb.torproject.org/tor-fw-helper.git/ . The libraries
used by the C tor-fw-helper are not, in our opinion, very
confidence- inspiring in their secure-programming techniques.
Closes ticket 13338.
- Remove the code that would try to aggressively flush controller
connections while writing to them. This code was introduced in
0.1.2.7-alpha, in order to keep output buffers from exceeding
their limits. But there is no longer a maximum output buffer size,
and flushing data in this way caused some undesirable recursions
in our call graph. Closes ticket 16480.
o Testing:
- Make "bridges+hs" the default test network. This tests almost all
tor functionality during make test-network, while allowing tests
to succeed on non-IPv6 systems. Requires chutney commit 396da92 in
test-network-bridges-hs. Closes tickets 16945 (tor) and 16946
(chutney). Patches by "teor".
- Autodetect CHUTNEY_PATH if the chutney and Tor sources are side-
by-side in the same parent directory. Closes ticket 16903. Patch
by "teor".
- Use environment variables rather than autoconf substitutions to
send variables from the build system to the test scripts. This
change should be easier to maintain, and cause 'make distcheck' to
work better than before. Fixes bug 17148.
- Add a new set of callgraph analysis scripts that use clang to
produce a list of which Tor functions are reachable from which
other Tor functions. We're planning to use these to help simplify
our code structure by identifying illogical dependencies.
- Add new 'test-full' and 'test-full-online' targets to run all
tests, including integration tests with stem and chutney.
- Make the test-workqueue test work on Windows by initializing the
network before we begin.
- New make target (make test-network-all) to run multiple applicable
chutney test cases. Patch from Teor; closes 16953.
- Unit test dns_resolve(), dns_clip_ttl() and dns_get_expiry_ttl()
functions in dns.c. Implements a portion of ticket 16831.
- When building Tor with testing coverage enabled, run Chutney tests
(if any) using the 'tor-cov' coverage binary.
- When running test-network or test-stem, check for the absence of
stem/chutney before doing any build operations.
Changes in version 0.2.7.2-alpha - 2015-07-27
This, the second alpha in the Tor 0.2.7 series, has a number of new
features, including a way to manually pick the number of introduction
points for hidden services, and the much stronger Ed25519 signing key
algorithm for regular Tor relays (including support for encrypted
offline identity keys in the new algorithm).
Support for Ed25519 on relays is currently limited to signing router
descriptors; later alphas in this series will extend Ed25519 key
support to more parts of the Tor protocol.
o Major features (Ed25519 identity keys, Proposal 220):
- All relays now maintain a stronger identity key, using the Ed25519
elliptic curve signature format. This master key is designed so
that it can be kept offline. Relays also generate an online
signing key, and a set of other Ed25519 keys and certificates.
These are all automatically regenerated and rotated as needed.
Implements part of ticket 12498.
- Directory authorities now vote on Ed25519 identity keys along with
RSA1024 keys. Implements part of ticket 12498.
- Directory authorities track which Ed25519 identity keys have been
used with which RSA1024 identity keys, and do not allow them to
vary freely. Implements part of ticket 12498.
- Microdescriptors now include Ed25519 identity keys. Implements
part of ticket 12498.
- Add support for offline encrypted Ed25519 master keys. To use this
feature on your tor relay, run "tor --keygen" to make a new master
key (or to make a new signing key if you already have a master
key). Closes ticket 13642.
o Major features (Hidden services):
- Add the torrc option HiddenServiceNumIntroductionPoints, to
specify a fixed number of introduction points. Its maximum value
is 10 and default is 3. Using this option can increase a hidden
service's reliability under load, at the cost of making it more
visible that the hidden service is facing extra load. Closes
ticket 4862.
- Remove the adaptive algorithm for choosing the number of
introduction points, which used to change the number of
introduction points (poorly) depending on the number of
connections the HS sees. Closes ticket 4862.
o Major features (onion key cross-certification):
- Relay descriptors now include signatures of their own identity
keys, made using the TAP and ntor onion keys. These signatures
allow relays to prove ownership of their own onion keys. Because
of this change, microdescriptors will no longer need to include
RSA identity keys. Implements proposal 228; closes ticket 12499.
o Major features (performance):
- Improve the runtime speed of Ed25519 operations by using the
public-domain Ed25519-donna by Andrew M. ("floodyberry").
Implements ticket 16467.
- Improve the runtime speed of the ntor handshake by using an
optimized curve25519 basepoint scalarmult implementation from the
public-domain Ed25519-donna by Andrew M. ("floodyberry"), based on
ideas by Adam Langley. Implements ticket 9663.
o Major bugfixes (client-side privacy, also in 0.2.6.9):
- Properly separate out each SOCKSPort when applying stream
isolation. The error occurred because each port's session group
was being overwritten by a default value when the listener
connection was initialized. Fixes bug 16247; bugfix on
0.2.6.3-alpha. Patch by "jojelino".
o Major bugfixes (hidden service clients, stability, also in 0.2.6.10):
- Stop refusing to store updated hidden service descriptors on a
client. This reverts commit 9407040c59218 (which indeed fixed bug
14219, but introduced a major hidden service reachability
regression detailed in bug 16381). This is a temporary fix since
we can live with the minor issue in bug 14219 (it just results in
some load on the network) but the regression of 16381 is too much
of a setback. First-round fix for bug 16381; bugfix
on 0.2.6.3-alpha.
o Major bugfixes (hidden services):
- When cannibalizing a circuit for an introduction point, always
extend to the chosen exit node (creating a 4 hop circuit).
Previously Tor would use the current circuit exit node, which
changed the original choice of introduction point, and could cause
the hidden service to skip excluded introduction points or
reconnect to a skipped introduction point. Fixes bug 16260; bugfix
on 0.1.0.1-rc.
o Major bugfixes (open file limit):
- The open file limit wasn't checked before calling
tor_accept_socket_nonblocking(), which would make Tor exceed the
limit. Now, before opening a new socket, Tor validates the open
file limit just before, and if the max has been reached, return an
error. Fixes bug 16288; bugfix on 0.1.1.1-alpha.
o Major bugfixes (stability, also in 0.2.6.10):
- Stop crashing with an assertion failure when parsing certain kinds
of malformed or truncated microdescriptors. Fixes bug 16400;
bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch
by "cypherpunks_backup".
- Stop random client-side assertion failures that could occur when
connecting to a busy hidden service, or connecting to a hidden
service while a NEWNYM is in progress. Fixes bug 16013; bugfix
on 0.1.0.1-rc.
o Minor features (directory authorities, security, also in 0.2.6.9):
- The HSDir flag given by authorities now requires the Stable flag.
For the current network, this results in going from 2887 to 2806
HSDirs. Also, it makes it harder for an attacker to launch a sybil
attack by raising the effort for a relay to become Stable to
require at the very least 7 days, while maintaining the 96 hours
uptime requirement for HSDir. Implements ticket 8243.
o Minor features (client):
- Relax the validation of hostnames in SOCKS5 requests, allowing the
character '_' to appear, in order to cope with domains observed in
the wild that are serving non-RFC compliant records. Resolves
ticket 16430.
- Relax the validation done to hostnames in SOCKS5 requests, and
allow a single trailing '.' to cope with clients that pass FQDNs
using that syntax to explicitly indicate that the domain name is
fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
- Add GroupWritable and WorldWritable options to unix-socket based
SocksPort and ControlPort options. These options apply to a single
socket, and override {Control,Socks}SocketsGroupWritable. Closes
ticket 15220.
o Minor features (control protocol):
- Support network-liveness GETINFO key and NETWORK_LIVENESS event in
the control protocol. Resolves ticket 15358.
o Minor features (directory authorities):
- Directory authorities no longer vote against the "Fast", "Stable",
and "HSDir" flags just because they were going to vote against
"Running": if the consensus turns out to be that the router was
running, then the authority's vote should count. Patch from Peter
Retzlaff; closes issue 8712.
o Minor features (geoip, also in 0.2.6.10):
- Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
- Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
o Minor features (hidden services):
- Add the new options "HiddenServiceMaxStreams" and
"HiddenServiceMaxStreamsCloseCircuit" to allow hidden services to
limit the maximum number of simultaneous streams per circuit, and
optionally tear down the circuit when the limit is exceeded. Part
of ticket 16052.
o Minor features (portability):
- Use C99 variadic macros when the compiler is not GCC. This avoids
failing compilations on MSVC, and fixes a log-file-based race
condition in our old workarounds. Original patch from Gisle Vanem.
o Minor bugfixes (compilation, also in 0.2.6.9):
- Build with --enable-systemd correctly when libsystemd is
installed, but systemd is not. Fixes bug 16164; bugfix on
0.2.6.3-alpha. Patch from Peter Palfrader.
o Minor bugfixes (controller):
- Add the descriptor ID in each HS_DESC control event. It was
missing, but specified in control-spec.txt. Fixes bug 15881;
bugfix on 0.2.5.2-alpha.
o Minor bugfixes (crypto error-handling, also in 0.2.6.10):
- Check for failures from crypto_early_init, and refuse to continue.
A previous typo meant that we could keep going with an
uninitialized crypto library, and would have OpenSSL initialize
its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
when implementing ticket 4900. Patch by "teor".
o Minor bugfixes (hidden services):
- Fix a crash when reloading configuration while at least one
configured and one ephemeral hidden service exists. Fixes bug
16060; bugfix on 0.2.7.1-alpha.
- Avoid crashing with a double-free bug when we create an ephemeral
hidden service but adding it fails for some reason. Fixes bug
16228; bugfix on 0.2.7.1-alpha.
o Minor bugfixes (Linux seccomp2 sandbox):
- Use the sandbox in tor_open_cloexec whether or not O_CLOEXEC is
defined. Patch by "teor". Fixes bug 16515; bugfix on 0.2.3.1-alpha.
o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.10):
- Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
these when eventfd2() support is missing. Fixes bug 16363; bugfix
on 0.2.6.3-alpha. Patch from "teor".
o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.9):
- Fix sandboxing to work when running as a relay, by allowing the
renaming of secret_id_key, and allowing the eventfd2 and futex
syscalls. Fixes bug 16244; bugfix on 0.2.6.1-alpha. Patch by
Peter Palfrader.
- Allow systemd connections to work with the Linux seccomp2 sandbox
code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
Peter Palfrader.
o Minor bugfixes (relay):
- Fix a rarely-encountered memory leak when failing to initialize
the thread pool. Fixes bug 16631; bugfix on 0.2.6.3-alpha. Patch
from "cypherpunks".
o Minor bugfixes (systemd):
- Fix an accidental formatting error that broke the systemd
configuration file. Fixes bug 16152; bugfix on 0.2.7.1-alpha.
- Tor's systemd unit file no longer contains extraneous spaces.
These spaces would sometimes confuse tools like deb-systemd-
helper. Fixes bug 16162; bugfix on 0.2.5.5-alpha.
o Minor bugfixes (tests):
- Use the configured Python executable when running test-stem-full.
Fixes bug 16470; bugfix on 0.2.7.1-alpha.
o Minor bugfixes (tests, also in 0.2.6.9):
- Fix a crash in the unit tests when built with MSVC2013. Fixes bug
16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
o Minor bugfixes (threads, comments):
- Always initialize return value in compute_desc_id in rendcommon.c
Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
- Check for NULL values in getinfo_helper_onions(). Patch by "teor".
Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
- Remove undefined directive-in-macro in test_util_writepid clang
3.7 complains that using a preprocessor directive inside a macro
invocation in test_util_writepid in test_util.c is undefined.
Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
o Code simplification and refactoring:
- Define WINVER and _WIN32_WINNT centrally, in orconfig.h, in order
to ensure they remain consistent and visible everywhere.
- Remove some vestigial workarounds for the MSVC6 compiler. We
haven't supported that in ages.
- The link authentication code has been refactored for better
testability and reliability. It now uses code generated with the
"trunnel" binary encoding generator, to reduce the risk of bugs
due to programmer error. Done as part of ticket 12498.
o Documentation:
- Include a specific and (hopefully) accurate documentation of the
torrc file's meta-format in doc/torrc_format.txt. This is mainly
of interest to people writing programs to parse or generate torrc
files. This document is not a commitment to long-term
compatibility; some aspects of the current format are a bit
ridiculous. Closes ticket 2325.
o Removed features:
- Tor no longer supports copies of OpenSSL that are missing support
for Elliptic Curve Cryptography. (We began using ECC when
available in 0.2.4.8-alpha, for more safe and efficient key
negotiation.) In particular, support for at least one of P256 or
P224 is now required, with manual configuration needed if only
P224 is available. Resolves ticket 16140.
- Tor no longer supports versions of OpenSSL before 1.0. (If you are
on an operating system that has not upgraded to OpenSSL 1.0 or
later, and you compile Tor from source, you will need to install a
more recent OpenSSL to link Tor against.) These versions of
OpenSSL are still supported by the OpenSSL, but the numerous
cryptographic improvements in later OpenSSL releases makes them a
clear choice. Resolves ticket 16034.
- Remove the HidServDirectoryV2 option. Now all relays offer to
store hidden service descriptors. Related to 16543.
- Remove the VoteOnHidServDirectoriesV2 option, since all
authorities have long set it to 1. Closes ticket 16543.
o Testing:
- Document use of coverity, clang static analyzer, and clang dynamic
undefined behavior and address sanitizers in doc/HACKING. Include
detailed usage instructions in the blacklist. Patch by "teor".
Closes ticket 15817.
- The link authentication protocol code now has extensive tests.
- The relay descriptor signature testing code now has
extensive tests.
- The test_workqueue program now runs faster, and is enabled by
default as a part of "make check".
- Now that OpenSSL has its own scrypt implementation, add an unit
test that checks for interoperability between libscrypt_scrypt()
and OpenSSL's EVP_PBE_scrypt() so that we could not use libscrypt
and rely on EVP_PBE_scrypt() whenever possible. Resolves
ticket 16189.
2015-12-08 14:19:38 +01:00
|
|
|
BUILDLINK_API_DEPENDS.libevent+= libevent>=2.0
|
2005-08-04 12:55:31 +02:00
|
|
|
.include "../../devel/libevent/buildlink3.mk"
|
2005-02-18 05:13:04 +01:00
|
|
|
.include "../../devel/zlib/buildlink3.mk"
|
Update tor to latest stable release, 0.2.7.5.
Changes in version 0.2.7.5 - 2015-11-20
The Tor 0.2.7 release series is dedicated to the memory of Tor user
and privacy advocate Caspar Bowden (1961-2015). Caspar worked
tirelessly to advocate human rights regardless of national borders,
and oppose the encroachments of mass surveillance. He opposed national
exceptionalism, he brought clarity to legal and policy debates, he
understood and predicted the impact of mass surveillance on the world,
and he laid the groundwork for resisting it. While serving on the Tor
Project's board of directors, he brought us his uncompromising focus
on technical excellence in the service of humankind. Caspar was an
inimitable force for good and a wonderful friend. He was kind,
humorous, generous, gallant, and believed we should protect one
another without exception. We honor him here for his ideals, his
efforts, and his accomplishments. Please honor his memory with works
that would make him proud.
Tor 0.2.7.5 is the first stable release in the Tor 0.2.7 series.
The 0.2.7 series adds a more secure identity key type for relays,
improves cryptography performance, resolves several longstanding
hidden-service performance issues, improves controller support for
hidden services, and includes small bugfixes and performance
improvements throughout the program. This release series also includes
more tests than before, and significant simplifications to which parts
of Tor invoke which others.
(This release contains no code changes since 0.2.7.4-rc.)
Changes in version 0.2.7.4-rc - 2015-10-21
Tor 0.2.7.4-rc is the second release candidate in the 0.2.7 series. It
fixes some important memory leaks, and a scary-looking (but mostly
harmless in practice) invalid-read bug. It also has a few small
bugfixes, notably fixes for compilation and portability on different
platforms. If no further significant bounds are found, the next
release will the the official stable release.
o Major bugfixes (security, correctness):
- Fix an error that could cause us to read 4 bytes before the
beginning of an openssl string. This bug could be used to cause
Tor to crash on systems with unusual malloc implementations, or
systems with unusual hardening installed. Fixes bug 17404; bugfix
on 0.2.3.6-alpha.
o Major bugfixes (correctness):
- Fix a use-after-free bug in validate_intro_point_failure(). Fixes
bug 17401; bugfix on 0.2.7.3-rc.
o Major bugfixes (memory leaks):
- Fix a memory leak in ed25519 batch signature checking. Fixes bug
17398; bugfix on 0.2.6.1-alpha.
- Fix a memory leak in rend_cache_failure_entry_free(). Fixes bug
17402; bugfix on 0.2.7.3-rc.
- Fix a memory leak when reading an expired signing key from disk.
Fixes bug 17403; bugfix on 0.2.7.2-rc.
o Minor features (geoIP):
- Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation):
- Repair compilation with the most recent (unreleased, alpha)
vesions of OpenSSL 1.1. Fixes part of ticket 17237.
- Fix an integer overflow warning in test_crypto_slow.c. Fixes bug
17251; bugfix on 0.2.7.2-alpha.
- Fix compilation of sandbox.c with musl-libc. Fixes bug 17347;
bugfix on 0.2.5.1-alpha. Patch from 'jamestk'.
o Minor bugfixes (portability):
- Use libexecinfo on FreeBSD to enable backtrace support. Fixes part
of bug 17151; bugfix on 0.2.5.2-alpha. Patch from Marcin Cieślak.
o Minor bugfixes (sandbox):
- Add the "hidserv-stats" filename to our sandbox filter for the
HiddenServiceStatistics option to work properly. Fixes bug 17354;
bugfix on tor-0.2.6.2-alpha. Patch from David Goulet.
o Minor bugfixes (testing):
- Add unit tests for get_interface_address* failure cases. Fixes bug
17173; bugfix on 0.2.7.3-rc. Patch by fk/teor.
- Fix breakage when running 'make check' with BSD make. Fixes bug
17154; bugfix on 0.2.7.3-rc. Patch by Marcin Cieślak.
- Make the get_ifaddrs_* unit tests more tolerant of different
network configurations. (Don't assume every test box has an IPv4
address, and don't assume every test box has a non-localhost
address.) Fixes bug 17255; bugfix on 0.2.7.3-rc. Patch by "teor".
- Skip backtrace tests when backtrace support is not compiled in.
Fixes part of bug 17151; bugfix on 0.2.7.1-alpha. Patch from
Marcin Cieślak.
o Documentation:
- Fix capitalization of SOCKS in sample torrc. Closes ticket 15609.
- Note that HiddenServicePorts can take a unix domain socket. Closes
ticket 17364.
Changes in version 0.2.7.3-rc - 2015-09-25
Tor 0.2.7.3-rc is the first release candidate in the 0.2.7 series. It
contains numerous usability fixes for Ed25519 keys, safeguards against
several misconfiguration problems, significant simplifications to
Tor's callgraph, and numerous bugfixes and small features.
This is the most tested release of Tor to date. The unit tests cover
39.40% of the code, and the integration tests (accessible with "make
test-full-online", requiring stem and chutney and a network
connection) raise the coverage to 64.49%.
o Major features (security, hidden services):
- Hidden services, if using the EntryNodes option, are required to
use more than one EntryNode, in order to avoid a guard discovery
attack. (This would only affect people who had configured hidden
services and manually specified the EntryNodes option with a
single entry-node. The impact was that it would be easy to
remotely identify the guard node used by such a hidden service.
See ticket for more information.) Fixes ticket 14917.
o Major features (Ed25519 keys, keypinning):
- The key-pinning option on directory authorities is now advisory-
only by default. In a future version, or when the AuthDirPinKeys
option is set, pins are enforced again. Disabling key-pinning
seemed like a good idea so that we can survive the fallout of any
usability problems associated with Ed25519 keys. Closes
ticket 17135.
o Major features (Ed25519 performance):
- Improve the speed of Ed25519 operations and Curve25519 keypair
generation when built targeting 32 bit x86 platforms with SSE2
available. Implements ticket 16535.
- Improve the runtime speed of Ed25519 signature verification by
using Ed25519-donna's batch verification support. Implements
ticket 16533.
o Major features (performance testing):
- The test-network.sh script now supports performance testing.
Requires corresponding chutney performance testing changes. Patch
by "teor". Closes ticket 14175.
o Major features (relay, Ed25519):
- Significant usability improvements for Ed25519 key management. Log
messages are better, and the code can recover from far more
failure conditions. Thanks to "s7r" for reporting and diagnosing
so many of these!
- Add a new OfflineMasterKey option to tell Tor never to try loading
or generating a secret Ed25519 identity key. You can use this in
combination with tor --keygen to manage offline and/or encrypted
Ed25519 keys. Implements ticket 16944.
- Add a --newpass option to allow changing or removing the
passphrase of an encrypted key with tor --keygen. Implements part
of ticket 16769.
- On receiving a HUP signal, check to see whether the Ed25519
signing key has changed, and reload it if so. Closes ticket 16790.
o Major bugfixes (relay, Ed25519):
- Avoid crashing on 'tor --keygen'. Fixes bug 16679; bugfix on
0.2.7.2-alpha. Reported by "s7r".
- Improve handling of expired signing keys with offline master keys.
Fixes bug 16685; bugfix on 0.2.7.2-alpha. Reported by "s7r".
o Minor features (client-side privacy):
- New KeepAliveIsolateSOCKSAuth option to indefinitely extend circuit
lifespan when IsolateSOCKSAuth and streams with SOCKS
authentication are attached to the circuit. This allows
applications like TorBrowser to manage circuit lifetime on their
own. Implements feature 15482.
- When logging malformed hostnames from SOCKS5 requests, respect
SafeLogging configuration. Fixes bug 16891; bugfix on 0.1.1.16-rc.
o Minor features (compilation):
- Give a warning as early as possible when trying to build with an
unsupported OpenSSL version. Closes ticket 16901.
- Fail during configure if we're trying to build against an OpenSSL
built without ECC support. Fixes bug 17109, bugfix on 0.2.7.1-alpha
which started requiring ECC.
o Minor features (geoip):
- Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2
Country database.
o Minor features (hidden services):
- Relays need to have the Fast flag to get the HSDir flag. As this
is being written, we'll go from 2745 HSDirs down to 2342, a ~14%
drop. This change should make some attacks against the hidden
service directory system harder. Fixes ticket 15963.
- Turn on hidden service statistics collection by setting the torrc
option HiddenServiceStatistics to "1" by default. (This keeps
track only of the fraction of traffic used by hidden services, and
the total number of hidden services in existence.) Closes
ticket 15254.
- Client now uses an introduction point failure cache to know when
to fetch or keep a descriptor in their cache. Previously, failures
were recorded implicitly, but not explicitly remembered. Closes
ticket 16389.
o Minor features (testing, authorities, documentation):
- New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags to
explicitly manage consensus flags in testing networks. Patch by
"robgjansen", modified by "teor". Implements part of ticket 14882.
o Minor bugfixes (security, exit policies):
- ExitPolicyRejectPrivate now also rejects the relay's published
IPv6 address (if any), and any publicly routable IPv4 or IPv6
addresses on any local interfaces. ticket 17027. Patch by "teor".
Fixes bug 17027; bugfix on 0.2.0.11-alpha.
o Minor bug fixes (torrc exit policies):
- In torrc, "accept6 *" and "reject6 *" ExitPolicy lines now only
produce IPv6 wildcard addresses. Previously they would produce
both IPv4 and IPv6 wildcard addresses. Patch by "teor". Fixes part
of bug 16069; bugfix on 0.2.4.7-alpha.
- When parsing torrc ExitPolicies, we now warn for a number of cases
where the user's intent is likely to differ from Tor's actual
behavior. These include: using an IPv4 address with an accept6 or
reject6 line; using "private" on an accept6 or reject6 line; and
including any ExitPolicy lines after accept *:* or reject *:*.
Related to ticket 16069.
- When parsing torrc ExitPolicies, we now issue an info-level
message when expanding an "accept/reject *" line to include both
IPv4 and IPv6 wildcard addresses. Related to ticket 16069.
- In each instance above, usage advice is provided to avoid the
message. Resolves ticket 16069. Patch by "teor". Fixes part of bug
16069; bugfix on 0.2.4.7-alpha.
o Minor bugfixes (authority):
- Don't assign "HSDir" to a router if it isn't Valid and Running.
Fixes bug 16524; bugfix on 0.2.7.2-alpha.
- Downgrade log messages about Ed25519 key issues if they are in old
cached router descriptors. Fixes part of bug 16286; bugfix
on 0.2.7.2-alpha.
- When we find an Ed25519 key issue in a cached descriptor, stop
saying the descriptor was just "uploaded". Fixes another part of
bug 16286; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (control port):
- Repair a warning and a spurious result when getting the maximum
number of file descriptors from the controller. Fixes bug 16697;
bugfix on 0.2.7.2-alpha.
o Minor bugfixes (correctness):
- When calling channel_free_list(), avoid calling smartlist_remove()
while inside a FOREACH loop. This partially reverts commit
17356fe7fd96af where the correct SMARTLIST_DEL_CURRENT was
incorrectly removed. Fixes bug 16924; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (documentation):
- Advise users on how to configure separate IPv4 and IPv6 exit
policies in the manpage and sample torrcs. Related to ticket 16069.
- Fix the usage message of tor-resolve(1) so that it no longer lists
the removed -F option. Fixes bug 16913; bugfix on 0.2.2.28-beta.
- Fix an error in the manual page and comments for
TestingDirAuthVoteHSDir[IsStrict], which suggested that a HSDir
required "ORPort connectivity". While this is true, it is in no
way unique to the HSDir flag. Of all the flags, only HSDirs need a
DirPort configured in order for the authorities to assign that
particular flag. Patch by "teor". Fixed as part of 14882; bugfix
on 0.2.6.3-alpha.
o Minor bugfixes (Ed25519):
- Fix a memory leak when reading router descriptors with expired
Ed25519 certificates. Fixes bug 16539; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow bridge authorities to run correctly under the seccomp2
sandbox. Fixes bug 16964; bugfix on 0.2.5.1-alpha.
- Allow routers with ed25519 keys to run correctly under the
seccomp2 sandbox. Fixes bug 16965; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (open file limit):
- Fix set_max_file_descriptors() to set by default the max open file
limit to the current limit when setrlimit() fails. Fixes bug
16274; bugfix on tor- 0.2.0.10-alpha. Patch by dgoulet.
o Minor bugfixes (portability):
- Try harder to normalize the exit status of the Tor process to the
standard-provided range. Fixes bug 16975; bugfix on every version
of Tor ever.
- Check correctly for Windows socket errors in the workqueue
backend. Fixes bug 16741; bugfix on 0.2.6.3-alpha.
- Fix the behavior of crypto_rand_time_range() when told to consider
times before 1970. (These times were possible when running in a
simulated network environment where time()'s output starts at
zero.) Fixes bug 16980; bugfix on 0.2.7.1-alpha.
- Restore correct operation of TLS client-cipher detection on
OpenSSL 1.1. Fixes bug 14047; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (relay):
- Ensure that worker threads actually exit when a fatal error or
shutdown is indicated. This fix doesn't currently affect the
behavior of Tor, because Tor workers never indicates fatal error
or shutdown except in the unit tests. Fixes bug 16868; bugfix
on 0.2.6.3-alpha.
- Unblock threads before releasing the work queue mutex to ensure
predictable scheduling behavior. Fixes bug 16644; bugfix
on 0.2.6.3-alpha.
o Code simplification and refactoring:
- Change the function that's called when we need to retry all
downloads so that it only reschedules the downloads to happen
immediately, rather than launching them all at once itself. This
further simplifies Tor's callgraph.
- Move some format-parsing functions out of crypto.c and
crypto_curve25519.c into crypto_format.c and/or util_format.c.
- Move the client-only parts of init_keys() into a separate
function. Closes ticket 16763.
- Simplify the microdesc_free() implementation so that it no longer
appears (to code analysis tools) to potentially invoke a huge
suite of other microdesc functions.
- Simply the control graph further by deferring the inner body of
directory_all_unreachable() into a callback. Closes ticket 16762.
- Treat the loss of an owning controller as equivalent to a SIGTERM
signal. This removes a tiny amount of duplicated code, and
simplifies our callgraph. Closes ticket 16788.
- When generating an event to send to the controller, we no longer
put the event over the network immediately. Instead, we queue
these events, and use a Libevent callback to deliver them. This
change simplifies Tor's callgraph by reducing the number of
functions from which all other Tor functions are reachable. Closes
ticket 16695.
- Wrap Windows-only C files inside '#ifdef _WIN32' so that tools
that try to scan or compile every file on Unix won't decide that
they are broken.
- Remove the unused "nulterminate" argument from buf_pullup().
o Documentation:
- Recommend a 40 GB example AccountingMax in torrc.sample rather
than a 4 GB max. Closes ticket 16742.
- Include the TUNING document in our source tarball. It is referred
to in the ChangeLog and an error message. Fixes bug 16929; bugfix
on 0.2.6.1-alpha.
o Removed code:
- The internal pure-C tor-fw-helper tool is now removed from the Tor
distribution, in favor of the pure-Go clone available from
https://gitweb.torproject.org/tor-fw-helper.git/ . The libraries
used by the C tor-fw-helper are not, in our opinion, very
confidence- inspiring in their secure-programming techniques.
Closes ticket 13338.
- Remove the code that would try to aggressively flush controller
connections while writing to them. This code was introduced in
0.1.2.7-alpha, in order to keep output buffers from exceeding
their limits. But there is no longer a maximum output buffer size,
and flushing data in this way caused some undesirable recursions
in our call graph. Closes ticket 16480.
o Testing:
- Make "bridges+hs" the default test network. This tests almost all
tor functionality during make test-network, while allowing tests
to succeed on non-IPv6 systems. Requires chutney commit 396da92 in
test-network-bridges-hs. Closes tickets 16945 (tor) and 16946
(chutney). Patches by "teor".
- Autodetect CHUTNEY_PATH if the chutney and Tor sources are side-
by-side in the same parent directory. Closes ticket 16903. Patch
by "teor".
- Use environment variables rather than autoconf substitutions to
send variables from the build system to the test scripts. This
change should be easier to maintain, and cause 'make distcheck' to
work better than before. Fixes bug 17148.
- Add a new set of callgraph analysis scripts that use clang to
produce a list of which Tor functions are reachable from which
other Tor functions. We're planning to use these to help simplify
our code structure by identifying illogical dependencies.
- Add new 'test-full' and 'test-full-online' targets to run all
tests, including integration tests with stem and chutney.
- Make the test-workqueue test work on Windows by initializing the
network before we begin.
- New make target (make test-network-all) to run multiple applicable
chutney test cases. Patch from Teor; closes 16953.
- Unit test dns_resolve(), dns_clip_ttl() and dns_get_expiry_ttl()
functions in dns.c. Implements a portion of ticket 16831.
- When building Tor with testing coverage enabled, run Chutney tests
(if any) using the 'tor-cov' coverage binary.
- When running test-network or test-stem, check for the absence of
stem/chutney before doing any build operations.
Changes in version 0.2.7.2-alpha - 2015-07-27
This, the second alpha in the Tor 0.2.7 series, has a number of new
features, including a way to manually pick the number of introduction
points for hidden services, and the much stronger Ed25519 signing key
algorithm for regular Tor relays (including support for encrypted
offline identity keys in the new algorithm).
Support for Ed25519 on relays is currently limited to signing router
descriptors; later alphas in this series will extend Ed25519 key
support to more parts of the Tor protocol.
o Major features (Ed25519 identity keys, Proposal 220):
- All relays now maintain a stronger identity key, using the Ed25519
elliptic curve signature format. This master key is designed so
that it can be kept offline. Relays also generate an online
signing key, and a set of other Ed25519 keys and certificates.
These are all automatically regenerated and rotated as needed.
Implements part of ticket 12498.
- Directory authorities now vote on Ed25519 identity keys along with
RSA1024 keys. Implements part of ticket 12498.
- Directory authorities track which Ed25519 identity keys have been
used with which RSA1024 identity keys, and do not allow them to
vary freely. Implements part of ticket 12498.
- Microdescriptors now include Ed25519 identity keys. Implements
part of ticket 12498.
- Add support for offline encrypted Ed25519 master keys. To use this
feature on your tor relay, run "tor --keygen" to make a new master
key (or to make a new signing key if you already have a master
key). Closes ticket 13642.
o Major features (Hidden services):
- Add the torrc option HiddenServiceNumIntroductionPoints, to
specify a fixed number of introduction points. Its maximum value
is 10 and default is 3. Using this option can increase a hidden
service's reliability under load, at the cost of making it more
visible that the hidden service is facing extra load. Closes
ticket 4862.
- Remove the adaptive algorithm for choosing the number of
introduction points, which used to change the number of
introduction points (poorly) depending on the number of
connections the HS sees. Closes ticket 4862.
o Major features (onion key cross-certification):
- Relay descriptors now include signatures of their own identity
keys, made using the TAP and ntor onion keys. These signatures
allow relays to prove ownership of their own onion keys. Because
of this change, microdescriptors will no longer need to include
RSA identity keys. Implements proposal 228; closes ticket 12499.
o Major features (performance):
- Improve the runtime speed of Ed25519 operations by using the
public-domain Ed25519-donna by Andrew M. ("floodyberry").
Implements ticket 16467.
- Improve the runtime speed of the ntor handshake by using an
optimized curve25519 basepoint scalarmult implementation from the
public-domain Ed25519-donna by Andrew M. ("floodyberry"), based on
ideas by Adam Langley. Implements ticket 9663.
o Major bugfixes (client-side privacy, also in 0.2.6.9):
- Properly separate out each SOCKSPort when applying stream
isolation. The error occurred because each port's session group
was being overwritten by a default value when the listener
connection was initialized. Fixes bug 16247; bugfix on
0.2.6.3-alpha. Patch by "jojelino".
o Major bugfixes (hidden service clients, stability, also in 0.2.6.10):
- Stop refusing to store updated hidden service descriptors on a
client. This reverts commit 9407040c59218 (which indeed fixed bug
14219, but introduced a major hidden service reachability
regression detailed in bug 16381). This is a temporary fix since
we can live with the minor issue in bug 14219 (it just results in
some load on the network) but the regression of 16381 is too much
of a setback. First-round fix for bug 16381; bugfix
on 0.2.6.3-alpha.
o Major bugfixes (hidden services):
- When cannibalizing a circuit for an introduction point, always
extend to the chosen exit node (creating a 4 hop circuit).
Previously Tor would use the current circuit exit node, which
changed the original choice of introduction point, and could cause
the hidden service to skip excluded introduction points or
reconnect to a skipped introduction point. Fixes bug 16260; bugfix
on 0.1.0.1-rc.
o Major bugfixes (open file limit):
- The open file limit wasn't checked before calling
tor_accept_socket_nonblocking(), which would make Tor exceed the
limit. Now, before opening a new socket, Tor validates the open
file limit just before, and if the max has been reached, return an
error. Fixes bug 16288; bugfix on 0.1.1.1-alpha.
o Major bugfixes (stability, also in 0.2.6.10):
- Stop crashing with an assertion failure when parsing certain kinds
of malformed or truncated microdescriptors. Fixes bug 16400;
bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch
by "cypherpunks_backup".
- Stop random client-side assertion failures that could occur when
connecting to a busy hidden service, or connecting to a hidden
service while a NEWNYM is in progress. Fixes bug 16013; bugfix
on 0.1.0.1-rc.
o Minor features (directory authorities, security, also in 0.2.6.9):
- The HSDir flag given by authorities now requires the Stable flag.
For the current network, this results in going from 2887 to 2806
HSDirs. Also, it makes it harder for an attacker to launch a sybil
attack by raising the effort for a relay to become Stable to
require at the very least 7 days, while maintaining the 96 hours
uptime requirement for HSDir. Implements ticket 8243.
o Minor features (client):
- Relax the validation of hostnames in SOCKS5 requests, allowing the
character '_' to appear, in order to cope with domains observed in
the wild that are serving non-RFC compliant records. Resolves
ticket 16430.
- Relax the validation done to hostnames in SOCKS5 requests, and
allow a single trailing '.' to cope with clients that pass FQDNs
using that syntax to explicitly indicate that the domain name is
fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
- Add GroupWritable and WorldWritable options to unix-socket based
SocksPort and ControlPort options. These options apply to a single
socket, and override {Control,Socks}SocketsGroupWritable. Closes
ticket 15220.
o Minor features (control protocol):
- Support network-liveness GETINFO key and NETWORK_LIVENESS event in
the control protocol. Resolves ticket 15358.
o Minor features (directory authorities):
- Directory authorities no longer vote against the "Fast", "Stable",
and "HSDir" flags just because they were going to vote against
"Running": if the consensus turns out to be that the router was
running, then the authority's vote should count. Patch from Peter
Retzlaff; closes issue 8712.
o Minor features (geoip, also in 0.2.6.10):
- Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
- Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
o Minor features (hidden services):
- Add the new options "HiddenServiceMaxStreams" and
"HiddenServiceMaxStreamsCloseCircuit" to allow hidden services to
limit the maximum number of simultaneous streams per circuit, and
optionally tear down the circuit when the limit is exceeded. Part
of ticket 16052.
o Minor features (portability):
- Use C99 variadic macros when the compiler is not GCC. This avoids
failing compilations on MSVC, and fixes a log-file-based race
condition in our old workarounds. Original patch from Gisle Vanem.
o Minor bugfixes (compilation, also in 0.2.6.9):
- Build with --enable-systemd correctly when libsystemd is
installed, but systemd is not. Fixes bug 16164; bugfix on
0.2.6.3-alpha. Patch from Peter Palfrader.
o Minor bugfixes (controller):
- Add the descriptor ID in each HS_DESC control event. It was
missing, but specified in control-spec.txt. Fixes bug 15881;
bugfix on 0.2.5.2-alpha.
o Minor bugfixes (crypto error-handling, also in 0.2.6.10):
- Check for failures from crypto_early_init, and refuse to continue.
A previous typo meant that we could keep going with an
uninitialized crypto library, and would have OpenSSL initialize
its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
when implementing ticket 4900. Patch by "teor".
o Minor bugfixes (hidden services):
- Fix a crash when reloading configuration while at least one
configured and one ephemeral hidden service exists. Fixes bug
16060; bugfix on 0.2.7.1-alpha.
- Avoid crashing with a double-free bug when we create an ephemeral
hidden service but adding it fails for some reason. Fixes bug
16228; bugfix on 0.2.7.1-alpha.
o Minor bugfixes (Linux seccomp2 sandbox):
- Use the sandbox in tor_open_cloexec whether or not O_CLOEXEC is
defined. Patch by "teor". Fixes bug 16515; bugfix on 0.2.3.1-alpha.
o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.10):
- Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
these when eventfd2() support is missing. Fixes bug 16363; bugfix
on 0.2.6.3-alpha. Patch from "teor".
o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.9):
- Fix sandboxing to work when running as a relay, by allowing the
renaming of secret_id_key, and allowing the eventfd2 and futex
syscalls. Fixes bug 16244; bugfix on 0.2.6.1-alpha. Patch by
Peter Palfrader.
- Allow systemd connections to work with the Linux seccomp2 sandbox
code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
Peter Palfrader.
o Minor bugfixes (relay):
- Fix a rarely-encountered memory leak when failing to initialize
the thread pool. Fixes bug 16631; bugfix on 0.2.6.3-alpha. Patch
from "cypherpunks".
o Minor bugfixes (systemd):
- Fix an accidental formatting error that broke the systemd
configuration file. Fixes bug 16152; bugfix on 0.2.7.1-alpha.
- Tor's systemd unit file no longer contains extraneous spaces.
These spaces would sometimes confuse tools like deb-systemd-
helper. Fixes bug 16162; bugfix on 0.2.5.5-alpha.
o Minor bugfixes (tests):
- Use the configured Python executable when running test-stem-full.
Fixes bug 16470; bugfix on 0.2.7.1-alpha.
o Minor bugfixes (tests, also in 0.2.6.9):
- Fix a crash in the unit tests when built with MSVC2013. Fixes bug
16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
o Minor bugfixes (threads, comments):
- Always initialize return value in compute_desc_id in rendcommon.c
Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
- Check for NULL values in getinfo_helper_onions(). Patch by "teor".
Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
- Remove undefined directive-in-macro in test_util_writepid clang
3.7 complains that using a preprocessor directive inside a macro
invocation in test_util_writepid in test_util.c is undefined.
Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
o Code simplification and refactoring:
- Define WINVER and _WIN32_WINNT centrally, in orconfig.h, in order
to ensure they remain consistent and visible everywhere.
- Remove some vestigial workarounds for the MSVC6 compiler. We
haven't supported that in ages.
- The link authentication code has been refactored for better
testability and reliability. It now uses code generated with the
"trunnel" binary encoding generator, to reduce the risk of bugs
due to programmer error. Done as part of ticket 12498.
o Documentation:
- Include a specific and (hopefully) accurate documentation of the
torrc file's meta-format in doc/torrc_format.txt. This is mainly
of interest to people writing programs to parse or generate torrc
files. This document is not a commitment to long-term
compatibility; some aspects of the current format are a bit
ridiculous. Closes ticket 2325.
o Removed features:
- Tor no longer supports copies of OpenSSL that are missing support
for Elliptic Curve Cryptography. (We began using ECC when
available in 0.2.4.8-alpha, for more safe and efficient key
negotiation.) In particular, support for at least one of P256 or
P224 is now required, with manual configuration needed if only
P224 is available. Resolves ticket 16140.
- Tor no longer supports versions of OpenSSL before 1.0. (If you are
on an operating system that has not upgraded to OpenSSL 1.0 or
later, and you compile Tor from source, you will need to install a
more recent OpenSSL to link Tor against.) These versions of
OpenSSL are still supported by the OpenSSL, but the numerous
cryptographic improvements in later OpenSSL releases makes them a
clear choice. Resolves ticket 16034.
- Remove the HidServDirectoryV2 option. Now all relays offer to
store hidden service descriptors. Related to 16543.
- Remove the VoteOnHidServDirectoriesV2 option, since all
authorities have long set it to 1. Closes ticket 16543.
o Testing:
- Document use of coverity, clang static analyzer, and clang dynamic
undefined behavior and address sanitizers in doc/HACKING. Include
detailed usage instructions in the blacklist. Patch by "teor".
Closes ticket 15817.
- The link authentication protocol code now has extensive tests.
- The relay descriptor signature testing code now has
extensive tests.
- The test_workqueue program now runs faster, and is enabled by
default as a part of "make check".
- Now that OpenSSL has its own scrypt implementation, add an unit
test that checks for interoperability between libscrypt_scrypt()
and OpenSSL's EVP_PBE_scrypt() so that we could not use libscrypt
and rely on EVP_PBE_scrypt() whenever possible. Resolves
ticket 16189.
2015-12-08 14:19:38 +01:00
|
|
|
BUILDLINK_API_DEPENDS.openssl+= openssl>=1.0
|
2004-08-13 21:33:41 +02:00
|
|
|
.include "../../security/openssl/buildlink3.mk"
|
2008-08-01 19:23:21 +02:00
|
|
|
.include "../../mk/pthread.buildlink3.mk"
|
2004-08-13 21:33:41 +02:00
|
|
|
.include "../../mk/bsd.pkg.mk"
|
