Add the remaining changes items to ChangeLog for 0.2.7.2-alpha

1 files changed, 209 insertions, 29 deletions

diff --git a/ChangeLog b/ChangeLog
index af3b00dea5..5efd10c8a8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,36 +1,45 @@
 Changes in version 0.2.7.2-alpha - 2015-07-??
+  o Major features:
+    - Add support for offline encrypted ed25519 master keys. To use this
+      feature on your tor relay, run "tor --keygen" to make a new master
+      key (or to make a new signing key if you already have a master
+      key). Closes ticket 13642.
+
+  o Major feature (Hidden Service):
+    - Add the torrc option HiddenServiceNumIntroductionPoints for an
+      operatory to specify a fix amount of introduction points. Maximum
+      value is 10 and default is 3. Closes ticket 4862.
+    - Remove the introduction point adaptative algorithm which is
+      leaking popularity by changing the amount of introduction points
+      depending on the amount of traffic the HS sees. With this, we
+      stick to only 3 introduction points. Closes ticket 4862.
+
+  o Major features (Ed25519 identity keys, Prop220):
+    - All relays now maintain a stronger identity key, using the Ed25519
+      elliptic curve signature format. This master key is designed so
+      that it can be kept offline. Relays also generate an online
+      signing key, and a set of other Ed25519 keys and certificates.
+      These are all automatically regenerated and rotated as needed.
+    - Directory authorities now vote on Ed25519 identity keys along with
+      RSA1024 keys.
+    - Directory authorities track which Ed25519 identity keys have been
+      used with which RSA1024 identity keys, and do not allow them to
+      vary freely.
+    - Microdescriptors now include ed25519 identity keys.
+
+  o Major features (onion key cross-certification):
+    - Relay descriptors now include signatures of the identity keys
+      using the TAP and ntor onion keys. This allows relays to prove
+      ownership of their own onion keys. Because of this change,
+      microdescriptors no longer need to include RSA identity keys.
+      Implements proposal 228; closes ticket 12499.
 
   o Major bugfixes (client-side privacy, also in 0.2.6.9):
     - Properly separate out each SOCKSPort when applying stream
-      isolation. The error occurred because each port's session group was
-      being overwritten by a default value when the listener connection
-      was initialized. Fixes bug 16247; bugfix on 0.2.6.3-alpha. Patch
-      by "jojelino".
-
-  o Minor feature (directory authorities, security, also in 0.2.6.9):
-    - The HSDir flag given by authorities now requires the Stable flag.
-      For the current network, this results in going from 2887 to 2806
-      HSDirs. Also, it makes it harder for an attacker to launch a sybil
-      attack by raising the effort for a relay to become Stable which
-      takes at the very least 7 days to do so and by keeping the 96
-      hours uptime requirement for HSDir. Implements ticket 8243.
-
-  o Minor bugfixes (compilation, also in 0.2.6.9):
-    - Build with --enable-systemd correctly when libsystemd is
-      installed, but systemd is not. Fixes bug 16164; bugfix on
-      0.2.6.3-alpha. Patch from Peter Palfrader.
-
-  o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.9):
-    - Fix sandboxing to work when running as a relaymby renaming of
-      secret_id_key, and allowing the eventfd2 and futex syscalls. Fixes
-      bug 16244; bugfix on 0.2.6.1-alpha. Patch by Peter Palfrader.
-    - Allow systemd connections to work with the Linux seccomp2 sandbox
-      code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
-      Peter Palfrader.
-
-  o Minor bugfixes (tests, also in 0.2.6.9):
-    - Fix a crash in the unit tests when built with MSVC2013. Fixes bug
-      16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
+      isolation. The error occurred because each port's session group
+      was being overwritten by a default value when the listener
+      connection was initialized. Fixes bug 16247; bugfix on
+      0.2.6.3-alpha. Patch by "jojelino".
 
   o Major bugfixes (hidden service clients, stability, also in 0.2.6.10):
     - Stop refusing to store updated hidden service descriptors on a
@@ -42,6 +51,14 @@ Changes in version 0.2.7.2-alpha - 2015-07-??
       of a setback. First-round fix for bug 16381; bugfix
       on 0.2.6.3-alpha.
 
+  o Major bugfixes (open file limit):
+    - The max open file limit wasn't checked before calling
+      tor_accept_socket_nonblocking() which made tor go beyond the open
+      file limit set previously. With this fix, before opening a new
+      socket, tor validates the open file limit just before and if the
+      max has been reached, return EMFILE. Fixes bug 16288; bugfix
+      on 0.1.1.1-alpha.
+
   o Major bugfixes (stability, also in 0.2.6.10):
     - Stop crashing with an assertion failure when parsing certain kinds
       of malformed or truncated microdescriptors. Fixes bug 16400;
@@ -52,10 +69,74 @@ Changes in version 0.2.7.2-alpha - 2015-07-??
       service while a NEWNYM is in progress. Fixes bug 16013; bugfix
       on 0.1.0.1-rc.
 
+  o Minor feature (directory authorities, security, also in 0.2.6.9):
+    - The HSDir flag given by authorities now requires the Stable flag.
+      For the current network, this results in going from 2887 to 2806
+      HSDirs. Also, it makes it harder for an attacker to launch a sybil
+      attack by raising the effort for a relay to become Stable which
+      takes at the very least 7 days to do so and by keeping the 96
+      hours uptime requirement for HSDir. Implements ticket 8243.
+
+  o Minor feature (performance):
+    - Improve the runtime speed of Ed25519 operations by using the
+      public-domain ed25519-donna by Andrew M. ("floodyberry").
+      Implements ticket 16467.
+    - Improve the runtime speed of the ntor handshake by using an
+      optimized curve25519 basepoint scalarmult implementation from the
+      public-domain ed25519-donna by Andrew M. ("floodyberry"), based on
+      ideas by Adam Langley. Implements ticket 9663.
+
+  o Minor features (client):
+    - Relax the validation done to hostnames in SOCKS5 requests, and
+      allow '_' to cope with domains observed in the wild that are
+      serving non-RFC compliant records. Resolves ticket 16430.
+
+  o Minor features (client, unix sockets):
+    - Add GroupWritable and WorldWritable options to unix-socket based
+      SocksPort and ControlPort options. These options apply to a single
+      socket, and override {Control,Socks}SocketsGroupWritable. Closes
+      ticket 15220.
+
+  o Minor Features (crypto, testing):
+    - Now that OpenSSL has its own scrypt implementation, add an unit
+      test that checks for interoperability between libscrypt_scrypt()
+      and OpenSSL's EVP_PBE_scrypt() so that we could not use libscrypt
+      and rely on EVP_PBE_scrypt() whenever possible. Resolves
+      ticket 16189.
+
+  o Minor features (directory authorities):
+    - Directory authorities no longer vote against the "Fast", "Stable",
+      and "HSDir" flags just because they were going to vote against
+      "Running": if the consensus turns out to be that the router was
+      running, then the authority's vote should count. Patch from Peter
+      Retzlaff; closes issue 8712.
+
   o Minor features (geoip, also in 0.2.6.10):
     - Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
     - Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
 
+  o Minor features (hidden service):
+    - Add the new options "HiddenServiceMaxStreams" and
+      "HiddenServiceMaxStreamsCloseCircuit" to allow hidden services to
+      limit the maximum number of simultaneous streams per circuit, and
+      optionally tear down the circuit when the limit is exceeded. Part
+      of ticket 16052.
+
+  o Minor features (portability):
+    - Use C99 variadic macros when the compiler is not GCC. This avoids
+      failing compilations on MSVC, and fixes a log-file-based race
+      condition in our old workarounds. Original patch from Gisle Vanem.
+
+  o Minor bugfixes (compilation, also in 0.2.6.9):
+    - Build with --enable-systemd correctly when libsystemd is
+      installed, but systemd is not. Fixes bug 16164; bugfix on
+      0.2.6.3-alpha. Patch from Peter Palfrader.
+
+  o Minor bugfixes (controller):
+    - Add the descriptor ID in each HS_DESC control event. It was
+      missing but specified in control-spec.txt. Fixes bug 15881; bugfix
+      on 0.2.5.2-alpha.
+
   o Minor bugfixes (crypto error-handling, also in 0.2.6.10):
     - Check for failures from crypto_early_init, and refuse to continue.
       A previous typo meant that we could keep going with an
@@ -63,11 +144,110 @@ Changes in version 0.2.7.2-alpha - 2015-07-??
       its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
       when implementing ticket 4900. Patch by "teor".
 
+  o Minor bugfixes (Hidden service):
+    - When cannibalizing a circuit for an introduction point, always
+      extend to the chosen exit node creating a 4 hop circuit instead of
+      using the current circuit exit node which resulted in changing the
+      original intro point choice. This resulted in the hidden service
+      skipping excluded nodes like for instance reconnecting to an
+      expired intro point. Fixes bug 16260; bugfix on 0.1.0.1-rc. This
+      is particularly important for the introduction point retry
+      behavior (see bug 8239) since cannibalization is allowed, which is
+      desired, so it's important to pin the chosen exit point.
+
+  o Minor bugfixes (hidden service):
+    - Fix a crash when reloading configuration while at least one
+      configured and one ephemeral hidden service exists. Fixes bug
+      16060; bugfix on 0.2.7.1-alpha.
+
+  o Minor bugfixes (hidden services):
+    - Avoid crashing with a double-free bug when we create an ephemeral
+      hidden service but adding it fails for some reason. Fixes bug
+      16228; bugfix on 0.2.7.1-alpha.
+
   o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.10):
     - Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
       these when eventfd2() support is missing. Fixes bug 16363; bugfix
       on 0.2.6.3-alpha. Patch from "teor".
 
+  o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.9):
+    - Fix sandboxing to work when running as a relaymby renaming of
+      secret_id_key, and allowing the eventfd2 and futex syscalls. Fixes
+      bug 16244; bugfix on 0.2.6.1-alpha. Patch by Peter Palfrader.
+    - Allow systemd connections to work with the Linux seccomp2 sandbox
+      code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
+      Peter Palfrader.
+
+  o Minor bugfixes (systemd):
+    - Fix an accidental formatting error that broke the systemd
+      configuration file. Fixes bug 16152; bugfix on 0.2.7.1-alpha.
+
+  o Minor bugfixes (tests):
+    - Use the configured Python executable when running test-stem-full.
+      Fixes bug 16470; bugfix on 0.2.7.1-alpha.
+
+  o Minor bugfixes (tests, also in 0.2.6.9):
+    - Fix a crash in the unit tests when built with MSVC2013. Fixes bug
+      16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
+
+  o Minor enhancements (correctness, testing):
+    - Document use of coverity, clang static analyzer, and clang dynamic
+      undefined behavior and address sanitizers in doc/HACKING. Add
+      clang dynamic sanitizer blacklist in
+      contrib/clang/sanitizer_blacklist.txt to exempt known undefined
+      behavior. Include detailed usage instructions in the blacklist.
+      Patch by "teor". Closes ticket 15817.
+
+  o Minor fixes (sandbox, files):
+    - Use the sandbox in tor_open_cloexec whether or not O_CLOEXEC is
+      defined. Patch by "teor". Fixes bug 16515; bugfix on 0.2.3.1-alpha.
+
+  o Minor fixes (threads, comments):
+    - Always initialise return value in compute_desc_id in rendcommon.c
+      Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
+    - Check for NULL values in getinfo_helper_onions Patch by "teor".
+      Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
+    - Remove undefined directive-in-macro in test_util_writepid clang
+      3.7 complains that using a preprocessor directive inside a macro
+      invocation in test_util_writepid in test_util.c is undefined.
+      Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
+
+  o Code simplification and refactoring:
+    - Define WINVER and _WIN32_WINNT centrally, in orconfig.h, in order
+      to ensure they remain consistent and visible everywhere.
+    - Remove some vestigial workarounds for the MSVC6 compiler. We
+      haven't supported that in ages.
+    - The link authentication code has been refactored for better
+      testability and reliability. It now uses code generated with the
+      "trunnel" binary encoding generator, to reduce the risk of bugs
+      due to programmer error. Done as part of ticket 12498.
+
+  o Removed features:
+    - Remove the HidServDirectoryV2 option. Now all relays offer to
+      store hidden service descriptors. Related to 16543.
+    - Remove the VoteOnHidServDirectoriesV2 option, since all
+      authorities have long set it to 1. Closes ticket 16543.
+    - Tor no longer supports copies of OpenSSL that are missing support
+      for Elliptic Curve Cryptography. In particular support for at
+      least one of P256 or P224 is now required, with manual
+      configuration needed if only P224 is available. Resolves
+      ticket 16140.
+    - Tor no longer supports versions of OpenSSL before 1.0. (If you are
+      on an operating system that has not upgraded to OpenSSL 1.0 or
+      later, and you compile Tor from source, you will need to install a
+      more recent OpenSSL to link Tor against.) Resolves ticket 16034.
+
+  o Testing:
+    - The link authentication protocol code now has extensive tests.
+    - The relay descriptor signature testing code now has
+      extensive tests.
+    - The test_workqueue program now runs faster, and is enabled by
+      default as a part of "make check".
+
+  o Features (control protocl):
+    - Support network-liveness GETINFO key and NETWORK_LIVENESS events
+      in the control protocol. Resolves ticket 15358.
+
 
 Changes in version 0.2.6.10 - 2015-07-12
   Tor version 0.2.6.10 fixes some significant stability and hidden