-
Notifications
You must be signed in to change notification settings - Fork 0
/
ReleaseNotes
11685 lines (10754 loc) · 631 KB
/
ReleaseNotes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
This document summarizes new features and bugfixes in each stable release
of Tor. If you want to see more detailed descriptions of the changes in
each development snapshot, see the ChangeLog file.
Changes in version 0.2.6.10 - 2015-07-12
Tor version 0.2.6.10 fixes some significant stability and hidden
service client bugs, bulletproofs the cryptography init process, and
fixes a bug when using the sandbox code with some older versions of
Linux. Everyone running an older version, especially an older version
of 0.2.6, should upgrade.
o Major bugfixes (hidden service clients, stability):
- Stop refusing to store updated hidden service descriptors on a
client. This reverts commit 9407040c59218 (which indeed fixed bug
14219, but introduced a major hidden service reachability
regression detailed in bug 16381). This is a temporary fix since
we can live with the minor issue in bug 14219 (it just results in
some load on the network) but the regression of 16381 is too much
of a setback. First-round fix for bug 16381; bugfix
on 0.2.6.3-alpha.
o Major bugfixes (stability):
- Stop crashing with an assertion failure when parsing certain kinds
of malformed or truncated microdescriptors. Fixes bug 16400;
bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch
by "cypherpunks_backup".
- Stop random client-side assertion failures that could occur when
connecting to a busy hidden service, or connecting to a hidden
service while a NEWNYM is in progress. Fixes bug 16013; bugfix
on 0.1.0.1-rc.
o Minor features (geoip):
- Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
- Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
o Minor bugfixes (crypto error-handling):
- Check for failures from crypto_early_init, and refuse to continue.
A previous typo meant that we could keep going with an
uninitialized crypto library, and would have OpenSSL initialize
its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
when implementing ticket 4900. Patch by "teor".
o Minor bugfixes (Linux seccomp2 sandbox):
- Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
these when eventfd2() support is missing. Fixes bug 16363; bugfix
on 0.2.6.3-alpha. Patch from "teor".
Changes in version 0.2.6.9 - 2015-06-11
Tor 0.2.6.9 fixes a regression in the circuit isolation code, increases the
requirements for receiving an HSDir flag, and addresses some other small
bugs in the systemd and sandbox code. Clients using circuit isolation
should upgrade; all directory authorities should upgrade.
o Major bugfixes (client-side privacy):
- Properly separate out each SOCKSPort when applying stream
isolation. The error occurred because each port's session group was
being overwritten by a default value when the listener connection
was initialized. Fixes bug 16247; bugfix on 0.2.6.3-alpha. Patch
by "jojelino".
o Minor feature (directory authorities, security):
- The HSDir flag given by authorities now requires the Stable flag.
For the current network, this results in going from 2887 to 2806
HSDirs. Also, it makes it harder for an attacker to launch a sybil
attack by raising the effort for a relay to become Stable which
takes at the very least 7 days to do so and by keeping the 96
hours uptime requirement for HSDir. Implements ticket 8243.
o Minor bugfixes (compilation):
- Build with --enable-systemd correctly when libsystemd is
installed, but systemd is not. Fixes bug 16164; bugfix on
0.2.6.3-alpha. Patch from Peter Palfrader.
o Minor bugfixes (Linux seccomp2 sandbox):
- Fix sandboxing to work when running as a relaymby renaming of
secret_id_key, and allowing the eventfd2 and futex syscalls. Fixes
bug 16244; bugfix on 0.2.6.1-alpha. Patch by Peter Palfrader.
- Allow systemd connections to work with the Linux seccomp2 sandbox
code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
Peter Palfrader.
o Minor bugfixes (tests):
- Fix a crash in the unit tests when built with MSVC2013. Fixes bug
16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
Changes in version 0.2.6.8 - 2015-05-21
Tor 0.2.6.8 fixes a bit of dodgy code in parsing INTRODUCE2 cells, and
fixes an authority-side bug in assigning the HSDir flag. All directory
authorities should upgrade.
o Major bugfixes (hidden services, backport from 0.2.7.1-alpha):
- Revert commit that made directory authorities assign the HSDir
flag to relay without a DirPort; this was bad because such relays
can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
on tor-0.2.6.3-alpha.
o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
- Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
a client authorized hidden service. Fixes bug 15823; bugfix
on 0.2.1.6-alpha.
o Minor features (geoip):
- Update geoip to the April 8 2015 Maxmind GeoLite2 Country database.
- Update geoip6 to the April 8 2015 Maxmind GeoLite2
Country database.
Changes in version 0.2.6.7 - 2015-04-06
Tor 0.2.6.7 fixes two security issues that could be used by an
attacker to crash hidden services, or crash clients visiting hidden
services. Hidden services should upgrade as soon as possible; clients
should upgrade whenever packages become available.
This release also contains two simple improvements to make hidden
services a bit less vulnerable to denial-of-service attacks.
o Major bugfixes (security, hidden service):
- Fix an issue that would allow a malicious client to trigger an
assertion failure and halt a hidden service. Fixes bug 15600;
bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
- Fix a bug that could cause a client to crash with an assertion
failure when parsing a malformed hidden service descriptor. Fixes
bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
o Minor features (DoS-resistance, hidden service):
- Introduction points no longer allow multiple INTRODUCE1 cells to
arrive on the same circuit. This should make it more expensive for
attackers to overwhelm hidden services with introductions.
Resolves ticket 15515.
- Decrease the amount of reattempts that a hidden service performs
when its rendezvous circuits fail. This reduces the computational
cost for running a hidden service under heavy load. Resolves
ticket 11447.
Changes in version 0.2.5.12 - 2015-04-06
Tor 0.2.5.12 backports two fixes from 0.2.6.7 for security issues that
could be used by an attacker to crash hidden services, or crash clients
visiting hidden services. Hidden services should upgrade as soon as
possible; clients should upgrade whenever packages become available.
This release also backports a simple improvement to make hidden
services a bit less vulnerable to denial-of-service attacks.
o Major bugfixes (security, hidden service):
- Fix an issue that would allow a malicious client to trigger an
assertion failure and halt a hidden service. Fixes bug 15600;
bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
- Fix a bug that could cause a client to crash with an assertion
failure when parsing a malformed hidden service descriptor. Fixes
bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
o Minor features (DoS-resistance, hidden service):
- Introduction points no longer allow multiple INTRODUCE1 cells to
arrive on the same circuit. This should make it more expensive for
attackers to overwhelm hidden services with introductions.
Resolves ticket 15515.
Changes in version 0.2.4.27 - 2015-04-06
Tor 0.2.4.27 backports two fixes from 0.2.6.7 for security issues that
could be used by an attacker to crash hidden services, or crash clients
visiting hidden services. Hidden services should upgrade as soon as
possible; clients should upgrade whenever packages become available.
This release also backports a simple improvement to make hidden
services a bit less vulnerable to denial-of-service attacks.
o Major bugfixes (security, hidden service):
- Fix an issue that would allow a malicious client to trigger an
assertion failure and halt a hidden service. Fixes bug 15600;
bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
- Fix a bug that could cause a client to crash with an assertion
failure when parsing a malformed hidden service descriptor. Fixes
bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
o Minor features (DoS-resistance, hidden service):
- Introduction points no longer allow multiple INTRODUCE1 cells to
arrive on the same circuit. This should make it more expensive for
attackers to overwhelm hidden services with introductions.
Resolves ticket 15515.
Changes in version 0.2.6.6 - 2015-03-24
Tor 0.2.6.6 is the first stable release in the 0.2.6 series.
It adds numerous safety, security, correctness, and performance
improvements. Client programs can be configured to use more kinds of
sockets, AutomapHosts works better, the multithreading backend is
improved, cell transmission is refactored, test coverage is much
higher, more denial-of-service attacks are handled, guard selection is
improved to handle long-term guards better, pluggable transports
should work a bit better, and some annoying hidden service performance
bugs should be addressed.
o New compiler and system requirements:
- Tor 0.2.6.x requires that your compiler support more of the C99
language standard than before. The 'configure' script now detects
whether your compiler supports C99 mid-block declarations and
designated initializers. If it does not, Tor will not compile.
We may revisit this requirement if it turns out that a significant
number of people need to build Tor with compilers that don't
bother implementing a 15-year-old standard. Closes ticket 13233.
- Tor no longer supports systems without threading support. When we
began working on Tor, there were several systems that didn't have
threads, or where the thread support wasn't able to run the
threads of a single process on multiple CPUs. That no longer
holds: every system where Tor needs to run well now has threading
support. Resolves ticket 12439.
o Deprecated versions and removed support:
- Tor relays older than 0.2.4.18-rc are no longer allowed to
advertise themselves on the network. Closes ticket 13555.
- Tor clients no longer support connecting to hidden services
running on Tor 0.2.2.x and earlier; the Support022HiddenServices
option has been removed. (There shouldn't be any hidden services
running these versions on the network.) Closes ticket 7803.
o Directory authority changes:
- The directory authority Faravahar has a new IP address. This
closes ticket 14487.
- Remove turtles as a directory authority.
- Add longclaw as a new (v3) directory authority. This implements
ticket 13296. This keeps the directory authority count at 9.
o Major features (bridges):
- Expose the outgoing upstream HTTP/SOCKS proxy to pluggable
transports if they are configured via the "TOR_PT_PROXY"
environment variable. Implements proposal 232. Resolves
ticket 8402.
o Major features (changed defaults):
- Prevent relay operators from unintentionally running exits: When a
relay is configured as an exit node, we now warn the user unless
the "ExitRelay" option is set to 1. We warn even more loudly if
the relay is configured with the default exit policy, since this
can indicate accidental misconfiguration. Setting "ExitRelay 0"
stops Tor from running as an exit relay. Closes ticket 10067.
o Major features (client performance, hidden services):
- Allow clients to use optimistic data when connecting to a hidden
service, which should remove a round-trip from hidden service
initialization. See proposal 181 for details. Implements
ticket 13211.
o Major features (directory system):
- Upon receiving an unparseable directory object, if its digest
matches what we expected, then don't try to download it again.
Previously, when we got a descriptor we didn't like, we would keep
trying to download it over and over. Closes ticket 11243.
- When downloading server- or microdescriptors from a directory
server, we no longer launch multiple simultaneous requests to the
same server. This reduces load on the directory servers,
especially when directory guards are in use. Closes ticket 9969.
- When downloading server- or microdescriptors over a tunneled
connection, do not limit the length of our requests to what the
Squid proxy is willing to handle. Part of ticket 9969.
- Authorities can now vote on the correct digests and latest
versions for different software packages. This allows packages
that include Tor to use the Tor authority system as a way to get
notified of updates and their correct digests. Implements proposal
227. Closes ticket 10395.
o Major features (guards):
- Introduce the Guardfraction feature to improves load balancing on
guard nodes. Specifically, it aims to reduce the traffic gap that
guard nodes experience when they first get the Guard flag. This is
a required step if we want to increase the guard lifetime to 9
months or greater. Closes ticket 9321.
o Major features (hidden services):
- Make HS port scanning more difficult by immediately closing the
circuit when a user attempts to connect to a nonexistent port.
Closes ticket 13667.
- Add a HiddenServiceStatistics option that allows Tor relays to
gather and publish statistics about the overall size and volume of
hidden service usage. Specifically, when this option is turned on,
an HSDir will publish an approximate number of hidden services
that have published descriptors to it the past 24 hours. Also, if
a relay has acted as a hidden service rendezvous point, it will
publish the approximate amount of rendezvous cells it has relayed
the past 24 hours. The statistics themselves are obfuscated so
that the exact values cannot be derived. For more details see
proposal 238, "Better hidden service stats from Tor relays". This
feature is currently disabled by default. Implements feature 13192.
o Major features (performance):
- Make the CPU worker implementation more efficient by avoiding the
kernel and lengthening pipelines. The original implementation used
sockets to transfer data from the main thread to the workers, and
didn't allow any thread to be assigned more than a single piece of
work at once. The new implementation avoids communications
overhead by making requests in shared memory, avoiding kernel IO
where possible, and keeping more requests in flight at once.
Implements ticket 9682.
o Major features (relay):
- Raise the minimum acceptable configured bandwidth rate for bridges
to 50 KiB/sec and for relays to 75 KiB/sec. (The old values were
20 KiB/sec.) Closes ticket 13822.
- Complete revision of the code that relays use to decide which cell
to send next. Formerly, we selected the best circuit to write on
each channel, but we didn't select among channels in any
sophisticated way. Now, we choose the best circuits globally from
among those whose channels are ready to deliver traffic.
This patch implements a new inter-cmux comparison API, a global
high/low watermark mechanism and a global scheduler loop for
transmission prioritization across all channels as well as among
circuits on one channel. This schedule is currently tuned to
(tolerantly) avoid making changes in network performance, but it
should form the basis for major circuit performance increases in
the future. Code by Andrea; tuning by Rob Jansen; implements
ticket 9262.
o Major features (sample torrc):
- Add a new, infrequently-changed "torrc.minimal". This file is
similar to torrc.sample, but it will change as infrequently as
possible, for the benefit of users whose systems prompt them for
intervention whenever a default configuration file is changed.
Making this change allows us to update torrc.sample to be a more
generally useful "sample torrc".
o Major features (security, unix domain sockets):
- Allow SocksPort to be an AF_UNIX Unix Domain Socket. Now high risk
applications can reach Tor without having to create AF_INET or
AF_INET6 sockets, meaning they can completely disable their
ability to make non-Tor network connections. To create a socket of
this type, use "SocksPort unix:/path/to/socket". Implements
ticket 12585.
- Support mapping hidden service virtual ports to AF_UNIX sockets.
The syntax is "HiddenServicePort 80 unix:/path/to/socket".
Implements ticket 11485.
o Major bugfixes (client, automap):
- Repair automapping with IPv6 addresses. This automapping should
have worked previously, but one piece of debugging code that we
inserted to detect a regression actually caused the regression to
manifest itself again. Fixes bug 13811 and bug 12831; bugfix on
0.2.4.7-alpha. Diagnosed and fixed by Francisco Blas
Izquierdo Riera.
o Major bugfixes (crash, OSX, security):
- Fix a remote denial-of-service opportunity caused by a bug in
OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared
in OSX 10.9.
o Major bugfixes (directory authorities):
- Do not assign the HSDir flag to relays if they are not Valid, or
currently hibernating. Fixes 12573; bugfix on 0.2.0.10-alpha.
o Major bugfixes (directory bandwidth performance):
- Don't flush the zlib buffer aggressively when compressing
directory information for clients. This should save about 7% of
the bandwidth currently used for compressed descriptors and
microdescriptors. Fixes bug 11787; bugfix on 0.1.1.23.
o Major bugfixes (exit node stability):
- Fix an assertion failure that could occur under high DNS load.
Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
diagnosed and fixed by "cypherpunks".
o Major bugfixes (FreeBSD IPFW transparent proxy):
- Fix address detection with FreeBSD transparent proxies, when
"TransProxyType ipfw" is in use. Fixes bug 15064; bugfix
on 0.2.5.4-alpha.
o Major bugfixes (hidden services):
- When closing an introduction circuit that was opened in parallel
with others, don't mark the introduction point as unreachable.
Previously, the first successful connection to an introduction
point would make the other introduction points get marked as
having timed out. Fixes bug 13698; bugfix on 0.0.6rc2.
o Major bugfixes (Linux seccomp2 sandbox):
- Upon receiving sighup with the seccomp2 sandbox enabled, do not
crash during attempts to call wait4. Fixes bug 15088; bugfix on
0.2.5.1-alpha. Patch from "sanic".
o Major bugfixes (mixed relay-client operation):
- When running as a relay and client at the same time (not
recommended), if we decide not to use a new guard because we want
to retry older guards, only close the locally-originating circuits
passing through that guard. Previously we would close all the
circuits through that guard. Fixes bug 9819; bugfix on
0.2.1.1-alpha. Reported by "skruffy".
o Major bugfixes (pluggable transports):
- Initialize the extended OR Port authentication cookie before
launching pluggable transports. This prevents a race condition
that occured when server-side pluggable transports would cache the
authentication cookie before it has been (re)generated. Fixes bug
15240; bugfix on 0.2.5.1-alpha.
o Major bugfixes (relay, stability, possible security):
- Fix a bug that could lead to a relay crashing with an assertion
failure if a buffer of exactly the wrong layout is passed to
buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
0.2.0.10-alpha. Patch from "cypherpunks".
- Do not assert if the 'data' pointer on a buffer is advanced to the
very end of the buffer; log a BUG message instead. Only assert if
it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
o Minor features (build):
- New --disable-system-torrc compile-time option to prevent Tor from
looking for the system-wide torrc or torrc-defaults files.
Resolves ticket 13037.
o Minor features (client):
- Clients are now willing to send optimistic data (before they
receive a 'connected' cell) to relays of any version. (Relays
without support for optimistic data are no longer supported on the
Tor network.) Resolves ticket 13153.
o Minor features (client):
- Validate hostnames in SOCKS5 requests more strictly. If SafeSocks
is enabled, reject requests with IP addresses as hostnames.
Resolves ticket 13315.
o Minor features (controller):
- Add a "SIGNAL HEARTBEAT" controller command that tells Tor to
write an unscheduled heartbeat message to the log. Implements
feature 9503.
- Include SOCKS_USERNAME and SOCKS_PASSWORD values in controller
events so controllers can observe circuit isolation inputs. Closes
ticket 8405.
- ControlPort now supports the unix:/path/to/socket syntax as an
alternative to the ControlSocket option, for consistency with
SocksPort and HiddenServicePort. Closes ticket 14451.
- New "GETINFO bw-event-cache" to get information about recent
bandwidth events. Closes ticket 14128. Useful for controllers to
get recent bandwidth history after the fix for ticket 13988.
- Messages about problems in the bootstrap process now include
information about the server we were trying to connect to when we
noticed the problem. Closes ticket 15006.
o Minor features (Denial of service resistance):
- Count the total number of bytes used storing hidden service
descriptors against the value of MaxMemInQueues. If we're low on
memory, and more than 20% of our memory is used holding hidden
service descriptors, free them until no more than 10% of our
memory holds hidden service descriptors. Free the least recently
fetched descriptors first. Resolves ticket 13806.
- When we have recently been under memory pressure (over 3/4 of
MaxMemInQueues is allocated), then allocate smaller zlib objects
for small requests. Closes ticket 11791.
o Minor features (directory authorities):
- Don't list relays with a bandwidth estimate of 0 in the consensus.
Implements a feature proposed during discussion of bug 13000.
- In tor-gencert, report an error if the user provides the same
argument more than once.
- If a directory authority can't find a best consensus method in the
votes that it holds, it now falls back to its favorite consensus
method. Previously, it fell back to method 1. Neither of these is
likely to get enough signatures, but "fall back to favorite"
doesn't require us to maintain support an obsolete consensus
method. Implements part of proposal 215.
o Minor features (geoip):
- Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
- Update geoip6 to the March 3 2015 Maxmind GeoLite2
Country database.
o Minor features (guard nodes):
- Reduce the time delay before saving guard status to disk from 10
minutes to 30 seconds (or from one hour to 10 minutes if
AvoidDiskWrites is set). Closes ticket 12485.
o Minor features (heartbeat):
- On relays, report how many connections we negotiated using each
version of the Tor link protocols. This information will let us
know if removing support for very old versions of the Tor
protocols is harming the network. Closes ticket 15212.
o Minor features (hidden service):
- Make Sybil attacks against hidden services harder by changing the
minimum time required to get the HSDir flag from 25 hours up to 96
hours. Addresses ticket 14149.
- New option "HiddenServiceAllowUnknownPorts" to allow hidden
services to disable the anti-scanning feature introduced in
0.2.6.2-alpha. With this option not set, a connection to an
unlisted port closes the circuit. With this option set, only a
RELAY_DONE cell is sent. Closes ticket 14084.
- When re-enabling the network, don't try to build introduction
circuits until we have successfully built a circuit. This makes
hidden services come up faster when the network is re-enabled.
Patch from "akwizgran". Closes ticket 13447.
- When we fail to retrieve a hidden service descriptor, send the
controller an "HS_DESC FAILED" controller event. Implements
feature 13212.
- New HiddenServiceDirGroupReadable option to cause hidden service
directories and hostname files to be created group-readable. Patch
from "anon", David Stainton, and "meejah". Closes ticket 11291.
o Minor features (interface):
- Implement "-f -" command-line option to read torrc configuration
from standard input, if you don't want to store the torrc file in
the file system. Implements feature 13865.
o Minor features (logging):
- Add a count of unique clients to the bridge heartbeat message.
Resolves ticket 6852.
- Suppress "router info incompatible with extra info" message when
reading extrainfo documents from cache. (This message got loud
around when we closed bug 9812 in 0.2.6.2-alpha.) Closes
ticket 13762.
- Elevate hidden service authorized-client message from DEBUG to
INFO. Closes ticket 14015.
- On Unix-like systems, you can now use named pipes as the target of
the Log option, and other options that try to append to files.
Closes ticket 12061. Patch from "carlo von lynX".
- When opening a log file at startup, send it every log message that
we generated between startup and opening it. Previously, log
messages that were generated before opening the log file were only
logged to stdout. Closes ticket 6938.
- Add a TruncateLogFile option to overwrite logs instead of
appending to them. Closes ticket 5583.
- Quiet some log messages in the heartbeat and at startup. Closes
ticket 14950.
o Minor features (portability, Solaris):
- Threads are no longer disabled by default on Solaris; we believe
that the versions of Solaris with broken threading support are all
obsolete by now. Resolves ticket 9495.
o Minor features (relay):
- Re-check our address after we detect a changed IP address from
getsockname(). This ensures that the controller command "GETINFO
address" will report the correct value. Resolves ticket 11582.
Patch from "ra".
- A new AccountingRule option lets Relays set whether they'd like
AccountingMax to be applied separately to inbound and outbound
traffic, or applied to the sum of inbound and outbound traffic.
Resolves ticket 961. Patch by "chobe".
- When identity keypair is generated for first time, log a
congratulatory message that links to the new relay lifecycle
document. Implements feature 10427.
o Minor features (security, memory wiping):
- Ensure we securely wipe keys from memory after
crypto_digest_get_digest and init_curve25519_keypair_from_file
have finished using them. Resolves ticket 13477.
o Minor features (security, out-of-memory handling):
- When handling an out-of-memory condition, allocate less memory for
temporary data structures. Fixes issue 10115.
- When handling an out-of-memory condition, consider more types of
buffers, including those on directory connections, and zlib
buffers. Resolves ticket 11792.
o Minor features (stability):
- Add assertions in our hash-table iteration code to check for
corrupted values that could cause infinite loops. Closes
ticket 11737.
o Minor features (systemd):
- Various improvements and modernizations in systemd hardening
support. Closes ticket 13805. Patch from Craig Andrews.
- Where supported, when running with systemd, report successful
startup to systemd. Part of ticket 11016. Patch by Michael Scherer.
- When running with systemd, support systemd watchdog messages. Part
of ticket 11016. Patch by Michael Scherer.
o Minor features (testing networks):
- Add the TestingDirAuthVoteExit option, which lists nodes to assign
the "Exit" flag regardless of their uptime, bandwidth, or exit
policy. TestingTorNetwork must be set for this option to have any
effect. Previously, authorities would take up to 35 minutes to
give nodes the Exit flag in a test network. Partially implements
ticket 13161.
- Drop the minimum RendPostPeriod on a testing network to 5 seconds,
and the default on a testing network to 2 minutes. Drop the
MIN_REND_INITIAL_POST_DELAY on a testing network to 5 seconds, but
keep the default on a testing network at 30 seconds. This reduces
HS bootstrap time to around 25 seconds. Also, change the default
time in test-network.sh to match. Closes ticket 13401. Patch
by "teor".
- Create TestingDirAuthVoteHSDir to correspond to
TestingDirAuthVoteExit/Guard. Ensures that authorities vote the
HSDir flag for the listed relays regardless of uptime or ORPort
connectivity. Respects the value of VoteOnHidServDirectoriesV2.
Partial implementation for ticket 14067. Patch by "teor".
o Minor features (tor2web mode):
- Introduce the config option Tor2webRendezvousPoints, which allows
clients in Tor2webMode to select a specific Rendezvous Point to be
used in HS circuits. This might allow better performance for
Tor2Web nodes. Implements ticket 12844.
o Minor features (transparent proxy):
- Update the transparent proxy option checks to allow for both ipfw
and pf on OS X. Closes ticket 14002.
- Use the correct option when using IPv6 with transparent proxy
support on Linux. Resolves 13808. Patch by Francisco Blas
Izquierdo Riera.
o Minor features (validation):
- Check all date/time values passed to tor_timegm and
parse_rfc1123_time for validity, taking leap years into account.
Improves HTTP header validation. Implemented with bug 13476.
- In correct_tm(), limit the range of values returned by system
localtime(_r) and gmtime(_r) to be between the years 1 and 8099.
This means we don't have to deal with negative or too large dates,
even if a clock is wrong. Otherwise we might fail to read a file
written by us which includes such a date. Fixes bug 13476.
- Stop allowing invalid address patterns like "*/24" that contain
both a wildcard address and a bit prefix length. This affects all
our address-range parsing code. Fixes bug 7484; bugfix
on 0.0.2pre14.
o Minor bugfixes (bridge clients):
- When configured to use a bridge without an identity digest (not
recommended), avoid launching an extra channel to it when
bootstrapping. Fixes bug 7733; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (bridges):
- When DisableNetwork is set, do not launch pluggable transport
plugins, and if any are running, terminate them. Fixes bug 13213;
bugfix on 0.2.3.6-alpha.
o Minor bugfixes (C correctness):
- Fix several instances of possible integer overflow/underflow/NaN.
Fixes bug 13104; bugfix on 0.2.3.1-alpha and later. Patches
from "teor".
- In circuit_build_times_calculate_timeout() in circuitstats.c,
avoid dividing by zero in the pareto calculations. This traps
under clang's "undefined-trap" sanitizer. Fixes bug 13290; bugfix
on 0.2.2.2-alpha.
- Fix an integer overflow in format_time_interval(). Fixes bug
13393; bugfix on 0.2.0.10-alpha.
- Set the correct day of year value when the system's localtime(_r)
or gmtime(_r) functions fail to set struct tm. Not externally
visible. Fixes bug 13476; bugfix on 0.0.2pre14.
- Avoid unlikely signed integer overflow in tor_timegm on systems
with 32-bit time_t. Fixes bug 13476; bugfix on 0.0.2pre14.
o Minor bugfixes (certificate handling):
- If an authority operator accidentally makes a signing certificate
with a future publication time, do not discard its real signing
certificates. Fixes bug 11457; bugfix on 0.2.0.3-alpha.
- Remove any old authority certificates that have been superseded
for at least two days. Previously, we would keep superseded
certificates until they expired, if they were published close in
time to the certificate that superseded them. Fixes bug 11454;
bugfix on 0.2.1.8-alpha.
o Minor bugfixes (client):
- Fix smartlist_choose_node_by_bandwidth() so that relays with the
BadExit flag are not considered worthy candidates. Fixes bug
13066; bugfix on 0.1.2.3-alpha.
- Use the consensus schedule for downloading consensuses, and not
the generic schedule. Fixes bug 11679; bugfix on 0.2.2.6-alpha.
- Handle unsupported or malformed SOCKS5 requests properly by
responding with the appropriate error message before closing the
connection. Fixes bugs 12971 and 13314; bugfix on 0.0.2pre13.
o Minor bugfixes (client, automapping):
- Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when
no value follows the option. Fixes bug 14142; bugfix on
0.2.4.7-alpha. Patch by "teor".
- Fix a memory leak when using AutomapHostsOnResolve. Fixes bug
14195; bugfix on 0.1.0.1-rc.
- Prevent changes to other options from removing the wildcard value
"." from "AutomapHostsSuffixes". Fixes bug 12509; bugfix
on 0.2.0.1-alpha.
- Allow MapAddress and AutomapHostsOnResolve to work together when
an address is mapped into another address type (like .onion) that
must be automapped at resolve time. Fixes bug 7555; bugfix
on 0.2.0.1-alpha.
o Minor bugfixes (client, bridges):
- When we are using bridges and we had a network connectivity
problem, only retry connecting to our currently configured
bridges, not all bridges we know about and remember using. Fixes
bug 14216; bugfix on 0.2.2.17-alpha.
o Minor bugfixes (client, DNS):
- Report the correct cached DNS expiration times on SOCKS port or in
DNS replies. Previously, we would report everything as "never
expires." Fixes bug 14193; bugfix on 0.2.3.17-beta.
- Avoid a small memory leak when we find a cached answer for a
reverse DNS lookup in a client-side DNS cache. (Remember, client-
side DNS caching is off by default, and is not recommended.) Fixes
bug 14259; bugfix on 0.2.0.1-alpha.
o Minor bugfixes (client, IPv6):
- Reject socks requests to literal IPv6 addresses when IPv6Traffic
flag is not set; and not because the NoIPv4Traffic flag was set.
Previously we'd looked at the NoIPv4Traffic flag for both types of
literal addresses. Fixes bug 14280; bugfix on 0.2.4.7-alpha.
o Minor bugfixes (client, microdescriptors):
- Use a full 256 bits of the SHA256 digest of a microdescriptor when
computing which microdescriptors to download. This keeps us from
erroneous download behavior if two microdescriptor digests ever
have the same first 160 bits. Fixes part of bug 13399; bugfix
on 0.2.3.1-alpha.
- Reset a router's status if its microdescriptor digest changes,
even if the first 160 bits remain the same. Fixes part of bug
13399; bugfix on 0.2.3.1-alpha.
o Minor bugfixes (client, torrc):
- Stop modifying the value of our DirReqStatistics torrc option just
because we're not a bridge or relay. This bug was causing Tor
Browser users to write "DirReqStatistics 0" in their torrc files
as if they had chosen to change the config. Fixes bug 4244; bugfix
on 0.2.3.1-alpha.
- When GeoIPExcludeUnknown is enabled, do not incorrectly decide
that our options have changed every time we SIGHUP. Fixes bug
9801; bugfix on 0.2.4.10-alpha. Patch from "qwerty1".
o Minor bugfixes (compilation):
- Fix a compilation warning on s390. Fixes bug 14988; bugfix
on 0.2.5.2-alpha.
- Silence clang warnings under --enable-expensive-hardening,
including implicit truncation of 64 bit values to 32 bit, const
char assignment to self, tautological compare, and additional
parentheses around equality tests. Fixes bug 13577; bugfix
on 0.2.5.4-alpha.
- Fix a clang warning about checking whether an address in the
middle of a structure is NULL. Fixes bug 14001; bugfix
on 0.2.1.2-alpha.
- The address of an array in the middle of a structure will always
be non-NULL. clang recognises this and complains. Disable the
tautologous and redundant check to silence this warning. Fixes bug
14001; bugfix on 0.2.1.2-alpha.
- Compile correctly with (unreleased) OpenSSL 1.1.0 headers.
Addresses ticket 14188.
- Build without warnings with the stock OpenSSL srtp.h header, which
has a duplicate declaration of SSL_get_selected_srtp_profile().
Fixes bug 14220; this is OpenSSL's bug, not ours.
- Do not compile any code related to Tor2Web mode when Tor2Web mode
is not enabled at compile time. Previously, this code was included
in a disabled state. See discussion on ticket 12844.
- Allow our configure script to build correctly with autoconf 2.62
again. Fixes bug 12693; bugfix on 0.2.5.2-alpha.
- Improve the error message from ./configure to make it clear that
when asciidoc has not been found, the user will have to either add
--disable-asciidoc argument or install asciidoc. Resolves
ticket 13228.
o Minor bugfixes (controller):
- Report "down" in response to the "GETINFO entry-guards" command
when relays are down with an unreachable_since value. Previously,
we would report "up". Fixes bug 14184; bugfix on 0.1.2.2-alpha.
- Avoid crashing on a malformed EXTENDCIRCUIT command. Fixes bug
14116; bugfix on 0.2.2.9-alpha.
o Minor bugfixes (controller):
- Return an error when the second or later arguments of the
"setevents" controller command are invalid events. Previously we
would return success while silently skipping invalid events. Fixes
bug 13205; bugfix on 0.2.3.2-alpha. Reported by "fpxnns".
o Minor bugfixes (directory authority):
- Allow directory authorities to fetch more data from one another if
they find themselves missing lots of votes. Previously, they had
been bumping against the 10 MB queued data limit. Fixes bug 14261;
bugfix on 0.1.2.5-alpha.
- Do not attempt to download extrainfo documents which we will be
unable to validate with a matching server descriptor. Fixes bug
13762; bugfix on 0.2.0.1-alpha.
- Fix a bug that was truncating AUTHDIR_NEWDESC events sent to the
control port. Fixes bug 14953; bugfix on 0.2.0.1-alpha.
- Enlarge the buffer to read bwauth generated files to avoid an
issue when parsing the file in dirserv_read_measured_bandwidths().
Fixes bug 14125; bugfix on 0.2.2.1-alpha.
- When running as a v3 directory authority, advertise that you serve
extra-info documents so that clients who want them can find them
from you too. Fixes part of bug 11683; bugfix on 0.2.0.1-alpha.
o Minor bugfixes (directory system):
- Always believe that v3 directory authorities serve extra-info
documents, whether they advertise "caches-extra-info" or not.
Fixes part of bug 11683; bugfix on 0.2.0.1-alpha.
- Check the BRIDGE_DIRINFO flag bitwise rather than using equality.
Previously, directories offering BRIDGE_DIRINFO and some other
flag (i.e. microdescriptors or extrainfo) would be ignored when
looking for bridges. Partially fixes bug 13163; bugfix
on 0.2.0.7-alpha.
o Minor bugfixes (file handling):
- Stop failing when key files are zero-length. Instead, generate new
keys, and overwrite the empty key files. Fixes bug 13111; bugfix
on all versions of Tor. Patch by "teor".
- Stop generating a fresh .old RSA onion key file when the .old file
is missing. Fixes part of 13111; bugfix on 0.0.6rc1.
- Avoid overwriting .old key files with empty key files.
- Skip loading zero-length extrainfo store, router store, stats,
state, and key files.
- Avoid crashing when trying to reload a torrc specified as a
relative path with RunAsDaemon turned on. Fixes bug 13397; bugfix
on 0.2.3.11-alpha.
o Minor bugfixes (hidden services):
- Close the introduction circuit when we have no more usable intro
points, instead of waiting for it to time out. This also ensures
that no follow-up HS descriptor fetch is triggered when the
circuit eventually times out. Fixes bug 14224; bugfix on 0.0.6.
- When fetching a hidden service descriptor for a down service that
was recently up, do not keep refetching until we try the same
replica twice in a row. Fixes bug 14219; bugfix on 0.2.0.10-alpha.
- Correctly send a controller event when we find that a rendezvous
circuit has finished. Fixes bug 13936; bugfix on 0.1.1.5-alpha.
- Pre-check directory permissions for new hidden-services to avoid
at least one case of "Bug: Acting on config options left us in a
broken state. Dying." Fixes bug 13942; bugfix on 0.0.6pre1.
- When fetching hidden service descriptors, we now check not only
for whether we got the hidden service we had in mind, but also
whether we got the particular descriptors we wanted. This prevents
a class of inefficient but annoying DoS attacks by hidden service
directories. Fixes bug 13214; bugfix on 0.2.1.6-alpha. Reported
by "special".
o Minor bugfixes (Linux seccomp2 sandbox):
- Make transparent proxy support work along with the seccomp2
sandbox. Fixes part of bug 13808; bugfix on 0.2.5.1-alpha. Patch
by Francisco Blas Izquierdo Riera.
- Fix a memory leak in tor-resolve when running with the sandbox
enabled. Fixes bug 14050; bugfix on 0.2.5.9-rc.
- Allow glibc fatal errors to be sent to stderr before Tor exits.
Previously, glibc would try to write them to /dev/tty, and the
sandbox would trap the call and make Tor exit prematurely. Fixes
bug 14759; bugfix on 0.2.5.1-alpha.
o Minor bugfixes (logging):
- Avoid crashing when there are more log domains than entries in
domain_list. Bugfix on 0.2.3.1-alpha.
- Downgrade warnings about RSA signature failures to info log level.
Emit a warning when an extra info document is found incompatible
with a corresponding router descriptor. Fixes bug 9812; bugfix
on 0.0.6rc3.
- Make connection_ap_handshake_attach_circuit() log the circuit ID
correctly. Fixes bug 13701; bugfix on 0.0.6.
o Minor bugfixes (networking):
- Check for orconns and use connection_or_close_for_error() rather
than connection_mark_for_close() directly in the getsockopt()
failure case of connection_handle_write_impl(). Fixes bug 11302;
bugfix on 0.2.4.4-alpha.
o Minor bugfixes (parsing):
- Stop accepting milliseconds (or other junk) at the end of
descriptor publication times. Fixes bug 9286; bugfix on 0.0.2pre25.
- Support two-number and three-number version numbers correctly, in
case we change the Tor versioning system in the future. Fixes bug
13661; bugfix on 0.0.8pre1.
o Minor bugfixes (portability):
- Fix the ioctl()-based network interface lookup code so that it
will work on systems that have variable-length struct ifreq, for
example Mac OS X.
- Use the correct datatype in the SipHash-2-4 function to prevent
compilers from assuming any sort of alignment. Fixes bug 15436;
bugfix on 0.2.5.3-alpha.
o Minor bugfixes (preventative security, C safety):
- When reading a hexadecimal, base-32, or base-64 encoded value from
a string, always overwrite the whole output buffer. This prevents
some bugs where we would look at (but fortunately, not reveal)
uninitialized memory on the stack. Fixes bug 14013; bugfix on all
versions of Tor.
- Clear all memory targetted by tor_addr_{to,from}_sockaddr(), not
just the part that's used. This makes it harder for data leak bugs
to occur in the event of other programming failures. Resolves
ticket 14041.
o Minor bugfixes (relay):
- When generating our family list, remove spaces from around the
entries. Fixes bug 12728; bugfix on 0.2.1.7-alpha.
- If our previous bandwidth estimate was 0 bytes, allow publishing a
new relay descriptor immediately. Fixes bug 13000; bugfix
on 0.1.1.6-alpha.
o Minor bugfixes (shutdown):
- When shutting down, always call event_del() on lingering read or
write events before freeing them. Otherwise, we risk double-frees
or read-after-frees in event_base_free(). Fixes bug 12985; bugfix
on 0.1.0.2-rc.
o Minor bugfixes (small memory leaks):
- Avoid leaking memory when using IPv6 virtual address mappings.
Fixes bug 14123; bugfix on 0.2.4.7-alpha. Patch by Tom van
der Woerdt.
o Minor bugfixes (statistics):
- Increase period over which bandwidth observations are aggregated
from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1.
o Minor bugfixes (systemd support):
- Run correctly under systemd with the RunAsDaemon option set. Fixes
part of bug 14141; bugfix on 0.2.5.7-rc. Patch from Tomasz Torcz.
- Inform the systemd supervisor about more changes in the Tor
process status. Implements part of ticket 14141. Patch from
Tomasz Torcz.
o Minor bugfixes (testing networks):
- Fix TestingDirAuthVoteGuard to properly give out Guard flags in a
testing network. Fixes bug 13064; bugfix on 0.2.5.2-alpha.
- Stop using the default authorities in networks which provide both
AlternateDirAuthority and AlternateBridgeAuthority. Partially
fixes bug 13163; bugfix on 0.2.0.13-alpha.
o Minor bugfixes (testing networks, fast startup):
- Allow Tor to build circuits using a consensus with no exits. If
the consensus has no exits (typical of a bootstrapping test
network), allow Tor to build circuits once enough descriptors have
been downloaded. This assists in bootstrapping a testing Tor
network. Fixes bug 13718; bugfix on 0.2.4.10-alpha. Patch
by "teor".
- When V3AuthVotingInterval is low, give a lower If-Modified-Since
header to directory servers. This allows us to obtain consensuses
promptly when the consensus interval is very short. This assists
in bootstrapping a testing Tor network. Fixes parts of bugs 13718
and 13963; bugfix on 0.2.0.3-alpha. Patch by "teor".
- Stop assuming that private addresses are local when checking
reachability in a TestingTorNetwork. Instead, when testing, assume
all OR connections are remote. (This is necessary due to many test
scenarios running all relays on localhost.) This assists in
bootstrapping a testing Tor network. Fixes bug 13924; bugfix on
0.1.0.1-rc. Patch by "teor".
- Avoid building exit circuits from a consensus with no exits. Now
thanks to our fix for 13718, we accept a no-exit network as not
wholly lost, but we need to remember not to try to build exit
circuits on it. Closes ticket 13814; patch by "teor".
- Stop requiring exits to have non-zero bandwithcapacity in a
TestingTorNetwork. Instead, when TestingMinExitFlagThreshold is 0,
ignore exit bandwidthcapacity. This assists in bootstrapping a
testing Tor network. Fixes parts of bugs 13718 and 13839; bugfix
on 0.2.0.3-alpha. Patch by "teor".
- Add "internal" to some bootstrap statuses when no exits are
available. If the consensus does not contain Exits, Tor will only
build internal circuits. In this case, relevant statuses will
contain the word "internal" as indicated in the Tor control-
spec.txt. When bootstrap completes, Tor will be ready to build
internal circuits. If a future consensus contains Exits, exit
circuits may become available. Fixes part of bug 13718; bugfix on
0.2.4.10-alpha. Patch by "teor".
- Decrease minimum consensus interval to 10 seconds when
TestingTorNetwork is set, or 5 seconds for the first consensus.
Fix assumptions throughout the code that assume larger intervals.
Fixes bugs 13718 and 13823; bugfix on 0.2.0.3-alpha. Patch
by "teor".
- Avoid excluding guards from path building in minimal test
networks, when we're in a test network and excluding guards would
exclude all relays. This typically occurs in incredibly small tor
networks, and those using "TestingAuthVoteGuard *". Fixes part of
bug 13718; bugfix on 0.1.1.11-alpha. Patch by "teor".
o Minor bugfixes (testing):
- Avoid a side-effect in a tor_assert() in the unit tests. Fixes bug
15188; bugfix on 0.1.2.3-alpha. Patch from Tom van der Woerdt.
- Stop spawn test failures due to a race condition between the
SIGCHLD handler updating the process status, and the test reading
it. Fixes bug 13291; bugfix on 0.2.3.3-alpha.
- Avoid passing an extra backslash when creating a temporary
directory for running the unit tests on Windows. Fixes bug 12392;
bugfix on 0.2.2.25-alpha. Patch from Gisle Vanem.
o Minor bugfixes (TLS):
- Check more thoroughly throughout the TLS code for possible
unlogged TLS errors. Possible diagnostic or fix for bug 13319.
o Minor bugfixes (transparent proxy):
- Use getsockname, not getsockopt, to retrieve the address for a
TPROXY-redirected connection. Fixes bug 13796; bugfix
on 0.2.5.2-alpha.
o Minor bugfixes (windows):
- Remove code to special-case handling of NTE_BAD_KEYSET when
acquiring windows CryptoAPI context. This error can't actually
occur for the parameters we're providing. Fixes bug 10816; bugfix
on 0.0.2pre26.
o Minor bugfixes (zlib):
- Avoid truncating a zlib stream when trying to finalize it with an
empty output buffer. Fixes bug 11824; bugfix on 0.1.1.23.
o Code simplification and refactoring:
- Change the entry_is_live() function to take named bitfield
elements instead of an unnamed list of booleans. Closes
ticket 12202.
- Refactor and unit-test entry_is_time_to_retry() in entrynodes.c.
Resolves ticket 12205.
- Use calloc and reallocarray functions instead of multiply-
then-malloc. This makes it less likely for us to fall victim to an
integer overflow attack when allocating. Resolves ticket 12855.
- Use the standard macro name SIZE_MAX, instead of our
own SIZE_T_MAX.
- Document usage of the NO_DIRINFO and ALL_DIRINFO flags clearly in
functions which take them as arguments. Replace 0 with NO_DIRINFO
in a function call for clarity. Seeks to prevent future issues
like 13163.
- Avoid 4 null pointer errors under clang static analysis by using
tor_assert() to prove that the pointers aren't null. Fixes
bug 13284.