Tor 0.3.0.1-alpha: A new alpha series begins

Now that Tor 0.2.9.8 is stable, it's time to release a new alpha series for testing and bug-hunting!
Tor 0.3.0.1-alpha is the first alpha release in the 0.3.0 development series. It strengthens Tor's link and circuit handshakes by identifying relays by their Ed25519 keys, improves the algorithm that clients use to choose and maintain their list of guards, and includes additional backend support for the next-generation hidden service design. It also contains numerous other small features and improvements to security, correctness, and performance.
You can download the source from the usual place on the website. Packages should be available over the next weeks, including an alpha TorBrowser release some time in January.
Please note: This is an alpha release. Please expect more bugs than usual. If you want a stable experience, please stick to the stable releases.

Below are the changes since 0.2.9.8.

Changes in version 0.3.0.1-alpha - 2016-12-19

• Major features (guard selection algorithm):
  • Tor's guard selection algorithm has been redesigned from the ground up, to better support unreliable networks and restrictive sets of entry nodes, and to better resist guard-capture attacks by hostile local networks. Implements proposal 271; closes ticket 19877.
• Major features (next-generation hidden services):
  • Relays can now handle v3 ESTABLISH_INTRO cells as specified by prop224 aka "Next Generation Hidden Services". Service and clients don't use this functionality yet. Closes ticket 19043. Based on initial code by Alec Heifetz.
  • Relays now support the HSDir version 3 protocol, so that they can can store and serve v3 descriptors. This is part of the next- generation onion service work detailled in proposal 224. Closes ticket 17238.
• Major features (protocol, ed25519 identity keys):
  • Relays now use Ed25519 to prove their Ed25519 identities and to one another, and to clients. This algorithm is faster and more secure than the RSA-based handshake we've been doing until now. Implements the second big part of proposal 220; Closes ticket 15055.
  • Clients now support including Ed25519 identity keys in the EXTEND2 cells they generate. By default, this is controlled by a consensus parameter, currently disabled. You can turn this feature on for testing by setting ExtendByEd25519ID in your configuration. This might make your traffic appear different than the traffic generated by other users, however. Implements part of ticket 15056; part of proposal 220.
  • Relays now understand requests to extend to other relays by their Ed25519 identity keys. When an Ed25519 identity key is included in an EXTEND2 cell, the relay will only extend the circuit if the other relay can prove ownership of that identity. Implements part of ticket 15056; part of proposal 220.

 

• Major bugfixes (scheduler):
  • Actually compare circuit policies in ewma_cmp_cmux(). This bug caused the channel scheduler to behave more or less randomly, rather than preferring channels with higher-priority circuits. Fixes bug 20459; bugfix on 0.2.6.2-alpha.
• Minor features (controller):
  • When HSFETCH arguments cannot be parsed, say "Invalid argument" rather than "unrecognized." Closes ticket 20389; patch from Ivan Markin.
• Minor features (diagnostic, directory client):
  • Warn when we find an unexpected inconsistency in directory download status objects. Prevents some negative consequences of bug 20593.
• Minor features (directory authority):
  • Add a new authority-only AuthDirTestEd25519LinkKeys option (on by default) to control whether authorities should try to probe relays by their Ed25519 link keys. This option will go away in a few releases--unless we encounter major trouble in our ed25519 link protocol rollout, in which case it will serve as a safety option.
• Minor features (directory cache):
  • Relays and bridges will now refuse to serve the consensus they have if they know it is too old for a client to use. Closes ticket 20511.
• Minor features (ed25519 link handshake):
  • Advertise support for the ed25519 link handshake using the subprotocol-versions mechanism, so that clients can tell which relays can identity themselves by Ed25519 ID. Closes ticket 20552.
• Minor features (fingerprinting resistence, authentication):
  • Extend the length of RSA keys used for TLS link authentication to 2048 bits. (These weren't used for forward secrecy; for forward secrecy, we used P256.) Closes ticket 13752.
• Minor features (infrastructure):
  • Implement smartlist_add_strdup() function. Replaces the use of smartlist_add(sl, tor_strdup(str)). Closes ticket 20048.
• Minor bugfixes (client):
  • When clients that use bridges start up with a cached consensus on disk, they were ignoring it and downloading a new one. Now they use the cached one. Fixes bug 20269; bugfix on 0.2.3.12-alpha.
• Minor bugfixes (configuration):
  • Accept non-space whitespace characters after the severity level in the `Log` option. Fixes bug 19965; bugfix on 0.2.1.1-alpha.
  • Support "TByte" and "TBytes" units in options given in bytes. "TB", "terabyte(s)", "TBit(s)" and "terabit(s)" were already supported. Fixes bug 20622; bugfix on 0.2.0.14-alpha.
• Minor bugfixes (consensus weight):
  • Add new consensus method that initializes bw weights to 1 instead of 0. This prevents a zero weight from making it all the way to the end (happens in small testing networks) and causing an error. Fixes bug 14881; bugfix on 0.2.2.17-alpha.
• Minor bugfixes (descriptors):
  • Correctly recognise downloaded full descriptors as valid, even when using microdescriptors as circuits. This affects clients with FetchUselessDescriptors set, and may affect directory authorities. Fixes bug 20839; bugfix on 0.2.3.2-alpha.
• Minor bugfixes (directory system):
  • Download all consensus flavors, descriptors, and authority certificates when FetchUselessDescriptors is set, regardless of whether tor is a directory cache or not. Fixes bug 20667; bugfix on all recent tor versions.
  • Bridges and relays now use microdescriptors (like clients do) rather than old-style router descriptors. Now bridges will blend in with clients in terms of the circuits they build. Fixes bug 6769; bugfix on 0.2.3.2-alpha.
• Minor bugfixes (ed25519 certificates):
  • Correctly interpret ed25519 certificates that would expire some time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha.
• Minor bugfixes (hidden services):
  • Stop ignoring misconfigured hidden services. Instead, refuse to start tor until the misconfigurations have been corrected. Fixes bug 20559; bugfix on multiple commits in 0.2.7.1-alpha and earlier.
• Minor bugfixes (memory leak at exit):
  • Fix a small harmless memory leak at exit of the previously unused RSA->Ed identity cross-certificate. Fixes bug 17779; bugfix on 0.2.7.2-alpha.
• Minor bugfixes (util):
  • When finishing writing a file to disk, if we were about to replace the file with the temporary file created before and we fail to replace it, remove the temporary file so it doesn't stay on disk. Fixes bug 20646; bugfix on tor-0.2.0.7-alpha. Patch by fk.
• Minor bugfixes (Windows):
  • Check for getpagesize before using it to mmap files. This fixes compilation in some MinGW environments. Fixes bug 20530; bugfix on 0.1.2.1-alpha. Reported by "ice".
• Code simplification and refactoring:
  • Abolish all global guard context in entrynodes.c; replace with new guard_selection_t structure as preparation for proposal 271. Closes ticket 19858.
  • Introduce rend_service_is_ephemeral() that tells if given onion service is ephemeral. Replace unclear NULL-checkings for service directory with this function. Closes ticket 20526.
  • Extract magic numbers in circuituse.c into defined variables.
  • Refactor circuit_is_available_for_use to remove unnecessary check.
  • Refactor circuit_predict_and_launch_new for readability and testability. Closes ticket 18873.
  • Refactor large if statement in purpose_needs_anonymity to use switch statement instead. Closes part of ticket 20077.
  • Refactor the hashing API to return negative values for errors, as is done as throughout the codebase. Closes ticket 20717.
  • Remove data structures that were used to index or_connection objects by their RSA identity digests. These structures are fully redundant with the similar structures used in the channel abstraction.
  • Remove duplicate code in the channel_write_*cell() functions. Closes ticket 13827; patch from Pingl.
  • Remove redundant behavior of is_sensitive_dir_purpose, refactor to use only purpose_needs_anonymity. Closes part of ticket 20077.
  • The code to generate and parse EXTEND and EXTEND2 cells has been replaced with code automatically generated by the "trunnel" utility.
• Documentation:
  • Include the "TBits" unit in Tor's man page. Fixes part of bug 20622; bugfix on tor-0.2.5.1-alpha.
  • Change '1' to 'weight_scale' in consensus bw weights calculation comments, as that is reality. Closes ticket 20273. Patch from pastly.
  • Correct the value for AuthDirGuardBWGuarantee in the manpage, from 250 KBytes to 2 MBytes. Fixes bug 20435; bugfix on tor-0.2.5.6-alpha.
  • Stop the man page from incorrectly stating that HiddenServiceDir must already exist. Fixes 20486.
  • Clarify that when ClientRejectInternalAddresses is enabled (which is the default), multicast DNS hostnames for machines on the local network (of the form *.local) are also rejected. Closes ticket 17070.
• Removed features:
  • The AuthDirMaxServersPerAuthAddr option no longer exists: The same limit for relays running on a single IP applies to authority IP addresses as well as to non-authority IP addresses. Closes ticket 20960.
  • The UseDirectoryGuards torrc option no longer exists: all users that use entry guards will also use directory guards. Related to proposal 271; implements part of ticket 20831.
• Testing:
  • New unit tests for tor_htonll(). Closes ticket 19563. Patch from "overcaffeinated".
  • Perform the coding style checks when running the tests and fail when coding style violations are found. Closes ticket 5500.
  • Add tests for networkstatus_compute_bw_weights_v10.
  • Add unit tests circuit_predict_and_launch_new.
  • Extract dummy_origin_circuit_new so it can be used by other test functions.