790 changed files with 37139 additions and 130928 deletions
--- a/.appveyor.yml
+++ b/.appveyor.yml
@ -1,62 +0,0 @@
-version: 1.0.{build}
-
-clone_depth: 50
-
-environment:
-  compiler: mingw
-
-  matrix:
-  - target: i686-w64-mingw32
-    compiler_path: mingw32
-    openssl_path: /c/OpenSSL-Win32
-  - target: x86_64-w64-mingw32
-    compiler_path: mingw64
-    openssl_path: /c/OpenSSL-Win64
-
-install:
- ps: >-
-    Function Execute-Command ($commandPath)
-    {
-        & $commandPath $args 2>&1
-        if ( $LastExitCode -ne 0 ) {
-            $host.SetShouldExit( $LastExitCode )
-        }
-    }
-    Function Execute-Bash ()
-    {
-        Execute-Command 'c:\msys64\usr\bin\bash' '-e' '-c' $args
-    }
-    Execute-Command "C:\msys64\usr\bin\pacman" -Sy --noconfirm openssl-devel openssl libevent-devel libevent mingw-w64-i686-libevent mingw-w64-x86_64-libevent mingw-w64-i686-openssl mingw-w64-x86_64-openssl mingw-w64-i686-zstd mingw-w64-x86_64-zstd
-
-build_script:
- ps: >-
-    if ($env:compiler -eq "mingw") {
-            $oldpath = ${env:Path} -split ';'
-            $buildpath = @("C:\msys64\${env:compiler_path}\bin", "C:\msys64\usr\bin") + $oldpath
-            $env:Path = @($buildpath) -join ';'
-            $env:build = @("${env:APPVEYOR_BUILD_FOLDER}", $env:target) -join '\'
-            Set-Location "${env:APPVEYOR_BUILD_FOLDER}"
-            Execute-Bash 'autoreconf -i'
-            mkdir "${env:build}"
-            Set-Location "${env:build}"
-            Execute-Bash "../configure --prefix=/${env:compiler_path} --build=${env:target} --host=${env:target} --disable-asciidoc --enable-fatal-warnings --with-openssl-dir=${env:openssl_path}"
-            Execute-Bash "V=1 make -j2"
-            Execute-Bash "V=1 make -j2 install"
-     }
-
-test_script:
- ps: >-
-    if ($env:compiler -eq "mingw") {
-            $oldpath = ${env:Path} -split ';'
-            $buildpath = @("C:\msys64\${env:compiler_path}\bin") + $oldpath
-            $env:Path = $buildpath -join ';'
-            Set-Location "${env:build}"
-            Execute-Bash "VERBOSE=1 make -j2 check"
-    }
-
-on_success:
- cmd: C:\Python27\python.exe %APPVEYOR_BUILD_FOLDER%\scripts\test\appveyor-irc-notify.py irc.oftc.net:6697 tor-ci success
-
-on_failure:
- cmd: C:\Python27\python.exe %APPVEYOR_BUILD_FOLDER%\scripts\test\appveyor-irc-notify.py irc.oftc.net:6697 tor-ci failure
-
--- a/.gitignore
+++ b/.gitignore
@ -3,7 +3,6 @@
 .#*
 *~
 *.swp
-*.swo
 # C stuff
 *.o
 *.obj
@ -19,8 +18,6 @@
 .dirstamp
 *.trs
 *.log
-# Calltool stuff
-.*.graph
 # Stuff made by our makefiles
 *.bak
 # Python droppings
@ -41,7 +38,6 @@ uptime-*.json
 /Makefile
 /Makefile.in
 /aclocal.m4
-/ar-lib
 /autom4te.cache
 /build-stamp
 /compile
@ -71,7 +67,6 @@ uptime-*.json
 /Tor*Bundle.dmg
 /tor-*-win32.exe
 /coverage_html/
-/callgraph/

 # /contrib/
 /contrib/dist/tor.sh
@ -99,6 +94,11 @@ uptime-*.json
 /doc/tor.html
 /doc/tor.html.in
 /doc/tor.1.xml
+/doc/tor-fw-helper.1
+/doc/tor-fw-helper.1.in
+/doc/tor-fw-helper.html
+/doc/tor-fw-helper.html.in
+/doc/tor-fw-helper.1.xml
 /doc/tor-gencert.1
 /doc/tor-gencert.1.in
 /doc/tor-gencert.html
@ -127,9 +127,6 @@ uptime-*.json
 /src/Makefile
 /src/Makefile.in

-# /src/trace
-/src/trace/libor-trace.a
-
 # /src/common/
 /src/common/Makefile
 /src/common/Makefile.in
@ -175,12 +172,6 @@ uptime-*.json
 /src/or/libtor-testing.a
 /src/or/libtor.lib

-# /src/rust
-/src/rust/.cargo/config
-/src/rust/.cargo/registry
-/src/rust/target
-/src/rust/registry
-
 # /src/test
 /src/test/Makefile
 /src/test/Makefile.in
@ -192,7 +183,6 @@ uptime-*.json
 /src/test/test-child
 /src/test/test-memwipe
 /src/test/test-ntor-cl
-/src/test/test-hs-ntor-cl
 /src/test/test-switch-id
 /src/test/test-timers
 /src/test/test_workqueue
@ -201,18 +191,12 @@ uptime-*.json
 /src/test/test-bt-cl.exe
 /src/test/test-child.exe
 /src/test/test-ntor-cl.exe
-/src/test/test-hs-ntor-cl.exe
 /src/test/test-memwipe.exe
 /src/test/test-switch-id.exe
 /src/test/test-timers.exe
 /src/test/test_workqueue.exe

-# /src/test/fuzz
-/src/test/fuzz/fuzz-*
-/src/test/fuzz/lf-fuzz-*
-
 # /src/tools/
-/src/tools/libtorrunner.a
 /src/tools/tor-checkkey
 /src/tools/tor-resolve
 /src/tools/tor-cov-resolve
@ -230,6 +214,12 @@ uptime-*.json
 /src/trunnel/libor-trunnel-testing.a
 /src/trunnel/libor-trunnel.a

+# /src/tools/tor-fw-helper/
+/src/tools/tor-fw-helper/tor-fw-helper
+/src/tools/tor-fw-helper/tor-fw-helper.exe
+/src/tools/tor-fw-helper/Makefile
+/src/tools/tor-fw-helper/Makefile.in
+
 # /src/win32/
 /src/win32/Makefile
 /src/win32/Makefile.in
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,45 +0,0 @@
-before_script:
-    - apt-get update -qq
-    - apt-get upgrade -qy
-
-build:
-  script:
-    - apt-get install -qy --fix-missing automake build-essential
-      libevent-dev libssl-dev zlib1g-dev
-      libseccomp-dev liblzma-dev libscrypt-dev
-    - ./autogen.sh
-    - ./configure --disable-asciidoc --enable-fatal-warnings
-      --disable-silent-rules
-    - make check || (e=$?; cat test-suite.log; exit $e)
-    - make install
-
-update:
-  only:
-    - schedules
-  script: 
-    - "apt-get install -y --fix-missing git openssh-client"
-    
-    # Run ssh-agent (inside the build environment)
-    - eval $(ssh-agent -s)
-
-    # Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
-    - ssh-add <(echo "$DEPLOY_KEY")
-
-    # For Docker builds disable host key checking. Be aware that by adding that
-    # you are susceptible to man-in-the-middle attacks.
-    # WARNING: Use this only with the Docker executor, if you use it with shell
-    # you will overwrite your user's SSH config.
-    - mkdir -p ~/.ssh
-    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
-    # In order to properly check the server's host key, assuming you created the
-    # SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines
-    # instead.
-    - mkdir -p ~/.ssh
-    - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
-    - echo "merging from torgit"
-    - git config --global user.email "labadmin@oniongit.eu"
-    - git config --global user.name "gitadmin"
-    - "mkdir tor"
-    - "cd tor" 
-    - git clone --bare https://git.torproject.org/tor.git
-    - git push --mirror git@oniongit.eu:network/tor.git
--- a/.gitmodules
+++ b/.gitmodules
@ -1,3 +0,0 @@
-[submodule "src/ext/rust"]
-	path = src/ext/rust
-	url = https://git.torproject.org/tor-rust-dependencies
--- a/.travis.yml
+++ b/.travis.yml
@ -60,14 +60,6 @@ env:
  global:
    ## The Travis CI environment allows us two cores, so let's use both.
    - MAKEFLAGS="-j 2"
-  matrix:
-    ## Leave at least one entry here or Travis seems to generate a
-    ## matrix entry with empty matrix environment variables.  Leaving
-    ## more than one entry causes unwanted matrix entries with
-    ## unspecified compilers.
-    - RUST_OPTIONS="--enable-rust --enable-cargo-online-mode"
-    # - RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
-    # - RUST_OPTIONS=""

 matrix:
  ## Uncomment to allow the build to report success (with non-required
@ -96,39 +88,22 @@ matrix:
  ## entry under that key outside the "include" clause.
  include:
    - compiler: gcc
-    - compiler: gcc
-      env: RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
-    - compiler: gcc
-      env: RUST_OPTIONS=""
    - compiler: gcc
      env: COVERAGE_OPTIONS="--enable-coverage"
    - compiler: gcc
-      env: DISTCHECK="yes" RUST_OPTIONS=""
-    - compiler: gcc
-      env: DISTCHECK="yes" RUST_OPTIONS="--enable-rust --enable-cargo-online-mode"
-    - compiler: gcc
-      env: MODULES_OPTIONS="--disable-module-dirauth"
+      env: DISTCHECK="yes"
    ## The "sudo: required" forces non-containerized builds, working
    ## around a Travis CI environment issue: clang LeakAnalyzer fails
    ## because it requires ptrace and the containerized environment no
    ## longer allows ptrace.
    - compiler: clang
      sudo: required
-    - compiler: clang
-      sudo: required
-      env: RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
-    - compiler: clang
-      sudo: required
-      env: RUST_OPTIONS=""
-    - compiler: clang
-      sudo: required
-      env: MODULES_OPTIONS="--disable-module-dirauth"

 before_install:
  ## If we're on OSX, homebrew usually needs to updated first
  - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then brew update ; fi
  ## Download rustup
-  - if [[ "$RUST_OPTIONS" != "" ]]; then curl -Ssf -o rustup.sh https://sh.rustup.rs; fi
+  - curl -Ssf -o rustup.sh https://sh.rustup.rs
  - if [[ "$COVERAGE_OPTIONS" != "" ]]; then pip install --user cpp-coveralls; fi

 install:
@ -140,20 +115,10 @@ install:
  - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then { brew outdated xz         || brew upgrade xz;         }; fi
  - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then { brew outdated libscrypt  || brew upgrade libscrypt;  }; fi
  - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then { brew outdated zstd       || brew upgrade zstd;       }; fi
-  ## Install the stable channels of rustc and cargo and setup our toolchain environment
-  - if [[ "$RUST_OPTIONS" != "" ]]; then sh rustup.sh -y --default-toolchain stable; fi
-  - if [[ "$RUST_OPTIONS" != "" ]]; then source $HOME/.cargo/env; fi
-  ## Get some info about rustc and cargo
-  - if [[ "$RUST_OPTIONS" != "" ]]; then which rustc; fi
-  - if [[ "$RUST_OPTIONS" != "" ]]; then which cargo; fi
-  - if [[ "$RUST_OPTIONS" != "" ]]; then rustc --version; fi
-  - if [[ "$RUST_OPTIONS" != "" ]]; then cargo --version; fi
-  ## If we're testing rust builds in offline-mode, then set up our vendored dependencies
-  - if [[ "$TOR_RUST_DEPENDENCIES" == "true" ]]; then export TOR_RUST_DEPENDENCIES=$PWD/src/ext/rust/crates; fi

 script:
  - ./autogen.sh
-  - ./configure $RUST_OPTIONS $COVERAGE_OPTIONS $MODULES_OPTIONS --disable-asciidoc --enable-fatal-warnings --disable-silent-rules --enable-fragile-hardening
+  - ./configure $RUST_OPTIONS $COVERAGE_OPTIONS --disable-asciidoc --enable-fatal-warnings --disable-silent-rules --enable-fragile-hardening
  ## We run `make check` because that's what https://jenkins.torproject.org does.
  - if [[ "$DISTCHECK" == "" ]]; then make check; fi
  - if [[ "$DISTCHECK" != "" ]]; then make distcheck DISTCHECK_CONFIGURE_FLAGS="$RUST_OPTIONS $COVERAGE_OPTIONS --disable-asciidoc --enable-fatal-warnings --disable-silent-rules --enable-fragile-hardening"; fi
--- a/39
+++ b/39
@ -1,39 +0,0 @@
-Contributing to Tor
-------------------
-
-### Getting started
-
-Welcome!
-
-We have a bunch of documentation about how to develop Tor in the
-doc/HACKING/ directory.  We recommend that you start with
-doc/HACKING/README.1st.md , and then go from there.  It will tell
-you how to find your way around the source code, how to get
-involved with the Tor community, how to write patches, and much
-more!
-
-You don't have to be a C developer to help with Tor: have a look
-at https://www.torproject.org/getinvolved/volunteer !
-
-The Tor Project is committed to fostering a inclusive community
-where people feel safe to engage, share their points of view, and
-participate. For the latest version of our Code of Conduct, please
-see
-
-https://gitweb.torproject.org/community/policies.git/plain/code_of_conduct.txt
-
-
-
-### License issues
-
-Tor is distributed under the license terms in the LICENSE -- in
-brief, the "3-clause BSD license".  If you send us code to
-distribute with Tor, it needs to be code that we can distribute
-under those terms.  Please don't send us patches unless you agree
-to allow this.
-
-Some compatible licenses include:
-
-  - 3-clause BSD
-  - 2-clause BSD
-  - CC0 Public Domain Dedication
--- a/6955
+++ b/6955
--- a/Doxyfile.in
+++ b/Doxyfile.in
@ -446,6 +446,12 @@ MAX_INITIALIZER_LINES  = 30

 SHOW_USED_FILES        = YES

+# If the sources in your project are distributed over multiple directories 
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy 
+# in the documentation. The default is NO.
+
+SHOW_DIRECTORIES       = NO
+
 # Set the SHOW_FILES tag to NO to disable the generation of the Files page.
 # This will remove the Files entry from the Quick Index and from the 
 # Folder Tree View (if specified). The default is YES.
@ -754,6 +760,12 @@ HTML_FOOTER            =

 HTML_STYLESHEET        = 

+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, 
+# files or namespaces will be aligned in HTML using tables. If set to 
+# NO a bullet list will be used.
+
+HTML_ALIGN_MEMBERS     = YES
+
 # If the GENERATE_HTMLHELP tag is set to YES, additional index files 
 # will be generated that can be used as input for tools like the 
 # Microsoft HTML help workshop to generate a compiled HTML help file (.chm) 
@ -1035,6 +1047,18 @@ GENERATE_XML           = NO

 XML_OUTPUT             = xml

+# The XML_SCHEMA tag can be used to specify an XML schema, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_SCHEMA             = 
+
+# The XML_DTD tag can be used to specify an XML DTD, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_DTD                = 
+
 # If the XML_PROGRAMLISTING tag is set to YES Doxygen will 
 # dump the program listings (including syntax highlighting 
 # and cross-referencing information) to the XML output. Note that 
@ -1240,7 +1264,7 @@ HAVE_DOT               = NO
 # DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory 
 # containing the font.

-DOT_FONTNAME           =
+DOT_FONTNAME           = FreeSans

 # By default doxygen will tell dot to use the output directory to look for the 
 # FreeSans.ttf font (which doxygen will put there itself). If you specify a 
--- a/2
+++ b/2
@ -13,7 +13,7 @@ Tor is distributed under this license:

 Copyright (c) 2001-2004, Roger Dingledine
 Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
-Copyright (c) 2007-2017, The Tor Project, Inc.
+Copyright (c) 2007-2016, The Tor Project, Inc.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
--- a/Makefile.am
+++ b/Makefile.am
@ -1,6 +1,6 @@
 # Copyright (c) 2001-2004, Roger Dingledine
 # Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
-# Copyright (c) 2007-2017, The Tor Project, Inc.
+# Copyright (c) 2007-2015, The Tor Project, Inc.
 # See LICENSE for licensing information

 ACLOCAL_AMFLAGS = -I m4
@ -9,14 +9,13 @@ noinst_LIBRARIES=
 EXTRA_DIST=
 noinst_HEADERS=
 bin_PROGRAMS=
-EXTRA_PROGRAMS=
 CLEANFILES=
 TESTS=
 noinst_PROGRAMS=
 DISTCLEANFILES=
 bin_SCRIPTS=
 AM_CPPFLAGS=
-AM_CFLAGS=@TOR_SYSTEMD_CFLAGS@ @CFLAGS_BUGTRAP@ @TOR_LZMA_CFLAGS@ @TOR_ZSTD_CFLAGS@
+AM_CFLAGS=@TOR_SYSTEMD_CFLAGS@ @CFLAGS_BUGTRAP@
 SHELL=@SHELL@

 if COVERAGE_ENABLED
@ -25,26 +24,17 @@ else
 TESTING_TOR_BINARY=$(top_builddir)/src/or/tor$(EXEEXT)
 endif

-if USE_RUST
-rust_ldadd=$(top_builddir)/src/rust/target/release/@TOR_RUST_STATIC_NAME@ \
-	@TOR_RUST_EXTRA_LIBS@
-else
-rust_ldadd=
-endif
-
 include src/include.am
 include doc/include.am
 include contrib/include.am

 EXTRA_DIST+= \
 	ChangeLog					\
-	CONTRIBUTING					\
 	INSTALL						\
 	LICENSE						\
 	Makefile.nmake					\
 	README						\
-	ReleaseNotes					\
-	scripts/maint/checkSpace.pl
+	ReleaseNotes

 ## This tells etags how to find mockable function definitions.
 AM_ETAGSFLAGS=--regex='{c}/MOCK_IMPL([^,]+,\W*\([a-zA-Z0-9_]+\)\W*,/\1/s'
@ -52,22 +42,16 @@ AM_ETAGSFLAGS=--regex='{c}/MOCK_IMPL([^,]+,\W*\([a-zA-Z0-9_]+\)\W*,/\1/s'
 if COVERAGE_ENABLED
 TEST_CFLAGS=-fno-inline -fprofile-arcs -ftest-coverage
 if DISABLE_ASSERTS_IN_UNIT_TESTS
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE -DDISABLE_ASSERTS_IN_UNIT_TESTS @TOR_MODULES_ALL_ENABLED@
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE -DDISABLE_ASSERTS_IN_UNIT_TESTS
 else
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE @TOR_MODULES_ALL_ENABLED@
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE
 endif
 TEST_NETWORK_FLAGS=--coverage --hs-multi-client 1
 else
 TEST_CFLAGS=
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS @TOR_MODULES_ALL_ENABLED@
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS
 TEST_NETWORK_FLAGS=--hs-multi-client 1
 endif
-TEST_NETWORK_WARNING_FLAGS=--quiet --only-warnings
-
-if LIBFUZZER_ENABLED
-TEST_CFLAGS += -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-div
-# not "edge"
-endif

 TEST_NETWORK_ALL_LOG_DIR=$(top_builddir)/test_network_log
 TEST_NETWORK_ALL_DRIVER_FLAGS=--color-tests yes
@ -98,8 +82,6 @@ doxygen:
 test: all
 	$(top_builddir)/src/test/test

-check-local: check-spaces check-changes
-
 need-chutney-path:
 	@if test ! -d "$$CHUTNEY_PATH"; then \
 		echo '$$CHUTNEY_PATH was not set.'; \
@ -119,19 +101,17 @@ test-network: need-chutney-path $(TESTING_TOR_BINARY) src/tools/tor-gencert

 # Run all available tests using automake's test-driver
 # only run IPv6 tests if we can ping6 ::1 (localhost)
-# only run IPv6 tests if we can ping ::1 (localhost)
 # some IPv6 tests will fail without an IPv6 DNS server (see #16971 and #17011)
 # only run mixed tests if we have a tor-stable binary
-# Try the syntax for BSD ping6, Linux ping6, and Linux ping -6,
-# because they're incompatible
+# Try both the BSD and the Linux ping6 syntax, because they're incompatible
 test-network-all: need-chutney-path test-driver $(TESTING_TOR_BINARY) src/tools/tor-gencert
 	mkdir -p $(TEST_NETWORK_ALL_LOG_DIR)
 	@flavors="$(TEST_CHUTNEY_FLAVORS)"; \
-	if ping6 -q -c 1 -o ::1 >/dev/null 2>&1 || ping6 -q -c 1 -W 1 ::1 >/dev/null 2>&1 || ping -6 -c 1 -W 1 ::1 >/dev/null 2>&1; then \
-		echo "ping6 ::1 or ping ::1 succeeded, running IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
+	if ping6 -q -c 1 -o ::1 >/dev/null 2>&1 || ping6 -q -c 1 -W 1 ::1 >/dev/null 2>&1; then \
+		echo "ping6 ::1 succeeded, running IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
 		flavors="$$flavors $(TEST_CHUTNEY_FLAVORS_IPV6)"; \
 	else \
-		echo "ping6 ::1 and ping ::1 failed, skipping IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
+		echo "ping6 ::1 failed, skipping IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
 		skip_flavors="$$skip_flavors $(TEST_CHUTNEY_FLAVORS_IPV6)"; \
 	fi; \
 	if command -v tor-stable >/dev/null 2>&1; then \
@ -146,7 +126,6 @@ test-network-all: need-chutney-path test-driver $(TESTING_TOR_BINARY) src/tools/
 	done; \
 	for f in $$flavors; do \
 		$(SHELL) $(top_srcdir)/test-driver --test-name $$f --log-file $(TEST_NETWORK_ALL_LOG_DIR)/$$f.log --trs-file $(TEST_NETWORK_ALL_LOG_DIR)/$$f.trs $(TEST_NETWORK_ALL_DRIVER_FLAGS) $(top_srcdir)/src/test/test-network.sh --flavor $$f $(TEST_NETWORK_FLAGS); \
-		$(top_srcdir)/src/test/test-network.sh $(TEST_NETWORK_WARNING_FLAGS); \
 	done; \
 	echo "Log and result files are available in $(TEST_NETWORK_ALL_LOG_DIR)."; \
 	! grep -q FAIL test_network_log/*.trs
@ -202,14 +181,11 @@ coverage-html-full: all
 # Avoid strlcpy.c, strlcat.c, aes.c, OpenBSD_malloc_Linux.c, sha256.c,
 # tinytest*.[ch]
 check-spaces:
-if USE_PERL
-	$(PERL) $(top_srcdir)/scripts/maint/checkSpace.pl -C \
+	$(top_srcdir)/scripts/maint/checkSpace.pl -C \
 		$(top_srcdir)/src/common/*.[ch] \
 		$(top_srcdir)/src/or/*.[ch] \
 		$(top_srcdir)/src/test/*.[ch] \
-		$(top_srcdir)/src/test/*/*.[ch] \
 		$(top_srcdir)/src/tools/*.[ch]
-endif

 check-docs: all
 	$(PERL) $(top_builddir)/scripts/maint/checkOptionDocs.pl
@ -218,42 +194,16 @@ check-logs:
 	$(top_srcdir)/scripts/maint/checkLogs.pl \
 		$(top_srcdir)/src/*/*.[ch] | sort -n

-.PHONY: check-typos
-check-typos:
-	@if test -x "`which misspell 2>&1;true`"; then \
-		echo "Checking for Typos ..."; \
-		(misspell \
-			$(top_srcdir)/src/[^e]*/*.[ch] \
-			$(top_srcdir)/doc \
-			$(top_srcdir)/contrib \
-			$(top_srcdir)/scripts \
-			$(top_srcdir)/README \
-			$(top_srcdir)/ChangeLog \
-			$(top_srcdir)/INSTALL \
-			$(top_srcdir)/ReleaseNotes \
-			$(top_srcdir)/LICENSE); \
-	else \
-		echo "Tor can use misspell to check for typos."; \
-		echo "It seems that you don't have misspell installed."; \
-		echo "You can install the latest version of misspell here: https://github.com/client9/misspell#install"; \
-	fi
-
 .PHONY: check-changes
 check-changes:
-if USEPYTHON
 	@if test -d "$(top_srcdir)/changes"; then \
-		$(PYTHON) $(top_srcdir)/scripts/maint/lintChanges.py $(top_srcdir)/changes; \
+		$(PYTHON) $(top_srcdir)/scripts/maint/lintChanges.py $(top_srcdir)/changes/*; \
 		fi
-endif

 .PHONY: update-versions
 update-versions:
 	$(PERL) $(top_builddir)/scripts/maint/updateVersions.pl

-.PHONY: callgraph
-callgraph:
-	$(top_builddir)/scripts/maint/run_calltool.sh
-
 version:
 	@echo "Tor @VERSION@"
 	@if test -d "$(top_srcdir)/.git" && test -x "`which git 2>&1;true`"; then \
@ -267,14 +217,6 @@ mostlyclean-local:
 	rm -rf $(top_builddir)/doc/doxygen
 	rm -rf $(TEST_NETWORK_ALL_LOG_DIR)

-clean-local:
-	rm -rf $(top_builddir)/src/rust/target
-	rm -rf $(top_builddir)/src/rust/.cargo/registry
-
-if USE_RUST
-distclean-local: distclean-rust
-endif
-
 # This relies on some internal details of how automake implements
 # distcheck.  We check two directories because automake-1.15 changed
 # from $(distdir)/_build to $(distdir)/_build/sub.
--- a/3
+++ b/3
@ -27,6 +27,3 @@ Frequently Asked Questions:

 To get started working on Tor development:
        See the doc/HACKING directory.
-
-Release timeline:
-         https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases
--- a/5815
+++ b/5815
--- a/acinclude.m4
+++ b/acinclude.m4
@ -2,7 +2,7 @@ dnl Helper macros for Tor configure.ac
 dnl Copyright (c) 2001-2004, Roger Dingledine
 dnl Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
 dnl Copyright (c) 2007-2008, Roger Dingledine, Nick Mathewson
-dnl Copyright (c) 2007-2017, The Tor Project, Inc.
+dnl Copyright (c) 2007-2015, The Tor Project, Inc.
 dnl See LICENSE for licensing information

 AC_DEFUN([TOR_EXTEND_CODEPATH],
@ -51,12 +51,12 @@ AC_DEFUN([TOR_TRY_COMPILE_WITH_CFLAGS], [
  AC_CACHE_CHECK([whether the compiler accepts $1], VAR, [
    tor_saved_CFLAGS="$CFLAGS"
    CFLAGS="$CFLAGS -pedantic -Werror $1"
-    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+    AC_TRY_COMPILE([], [return 0;],
                   [AS_VAR_SET(VAR,yes)],
                   [AS_VAR_SET(VAR,no)])
    if test x$2 != x; then
      AS_VAR_PUSHDEF([can_link],[tor_can_link_$1])
-      AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+      AC_TRY_LINK([], [return 0;],
                  [AS_VAR_SET(can_link,yes)],
                  [AS_VAR_SET(can_link,no)])
      AS_VAR_POPDEF([can_link])
@ -93,7 +93,7 @@ AC_DEFUN([TOR_CHECK_LDFLAGS], [
    AC_RUN_IFELSE([AC_LANG_PROGRAM([#include <stdio.h>], [fputs("", stdout)])],
                  [AS_VAR_SET(VAR,yes)],
                  [AS_VAR_SET(VAR,no)],
-                  [AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+	          [AC_TRY_LINK([], [return 0;],
                                   [AS_VAR_SET(VAR,yes)],
                                   [AS_VAR_SET(VAR,no)])])
    CFLAGS="$tor_saved_CFLAGS"
@ -113,21 +113,21 @@ if test x$2 = xdevpkg; then
  h=" headers for"
 fi
 if test -f /etc/debian_version && test x"$tor_$1_$2_debian" != x; then
-  AC_MSG_WARN([On Debian, you can install$h $1 using "apt-get install $tor_$1_$2_debian"])
+  AC_WARN([On Debian, you can install$h $1 using "apt-get install $tor_$1_$2_debian"])
  if test x"$tor_$1_$2_debian" != x"$tor_$1_devpkg_debian"; then 
-    AC_MSG_WARN([   You will probably need $tor_$1_devpkg_debian too.])
+    AC_WARN([   You will probably need $tor_$1_devpkg_debian too.])
  fi 
 fi
 if test -f /etc/fedora-release && test x"$tor_$1_$2_redhat" != x; then
-  AC_MSG_WARN([On Fedora, you can install$h $1 using "dnf install $tor_$1_$2_redhat"])
+  AC_WARN([On Fedora, you can install$h $1 using "dnf install $tor_$1_$2_redhat"])
  if test x"$tor_$1_$2_redhat" != x"$tor_$1_devpkg_redhat"; then 
-    AC_MSG_WARN([   You will probably need to install $tor_$1_devpkg_redhat too.])
+    AC_WARN([   You will probably need to install $tor_$1_devpkg_redhat too.])
  fi 
 else
  if test -f /etc/redhat-release && test x"$tor_$1_$2_redhat" != x; then
-    AC_MSG_WARN([On most Redhat-based systems, you can get$h $1 by installing the $tor_$1_$2_redhat RPM package])
+    AC_WARN([On most Redhat-based systems, you can get$h $1 by installing the $tor_$1_$2_redhat RPM package])
    if test x"$tor_$1_$2_redhat" != x"$tor_$1_devpkg_redhat"; then 
-      AC_MSG_WARN([   You will probably need to install $tor_$1_devpkg_redhat too.])
+      AC_WARN([   You will probably need to install $tor_$1_devpkg_redhat too.])
    fi 
  fi
 fi
@ -245,10 +245,7 @@ if test "$cross_compiling" != yes; then
       LDFLAGS="$tor_tryextra $orig_LDFLAGS"
     fi
     AC_RUN_IFELSE([AC_LANG_PROGRAM([$5], [$6])],
-                   [runnable=yes], [runnable=no],
-                   [AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
-                                   [runnable=yes],
-                                   [runnable=no])])
+                   [runnable=yes], [runnable=no])
     if test "$runnable" = yes; then
        tor_cv_library_$1_linker_option=$tor_tryextra
        break
--- a/autogen.sh
+++ b/autogen.sh
@ -1,12 +1,12 @@
 #!/bin/sh

 if [ -x "`which autoreconf 2>/dev/null`" ] ; then
-  opt="-i -f -W all,error"
+  opt="-if"

  for i in $@; do
    case "$i" in
      -v)
-        opt="${opt} -v"
+        opt=$opt"v"
        ;;
    esac
  done
--- a/changes/19974
+++ b/changes/19974
@ -0,0 +1,5 @@
+  o Minor bugfixes (unit tests):
+    - Fix tolerances in unit tests for monotonic time comparisons between
+      nanoseconds and microseconds. Previously, we accepted a 10 us
+      difference only, which is not realistic on every platform's
+      clock_gettime(). Fixes bug 19974; bugfix on 0.2.9.1-alpha.
--- a/changes/20460
+++ b/changes/20460
@ -0,0 +1,4 @@
+  o Minor bugfixes (testing):
+    - Use ECDHE ciphers instead of ECDH in tortls tests. LibreSSL has
+      removed the ECDH ciphers which caused the tests to fail on
+      platforms which use it. Fixes bug 20460; bugfix on 0.2.8.1-alpha.
--- a/changes/20492
+++ b/changes/20492
@ -0,0 +1,4 @@
+  o Minor bugfix (build):
+    - The current Git revision when building from a local repository is now
+      detected correctly when using git worktrees.  Fixes bug 20492; bugfix on
+      0.2.3.9-alpha.
--- a/changes/21359
+++ b/changes/21359
@ -0,0 +1,8 @@
+
+  o Minor features (portability, compilationc)
+    - Support building with recent LibreSSL code that uses opaque
+      structures. Closes ticket 21359.
+    - Autoconf now check to determine if OpenSSL
+      structures are opaque, instead of explicitly checking for
+      OpenSSL version numbers. 
+      Part of ticket 21359.
--- a/changes/TROVE-2018-005
+++ b/changes/TROVE-2018-005
@ -1,6 +0,0 @@
-  o Major bugfixes (security, directory authority, denial-of-service):
-    - Fix a bug that could have allowed an attacker to force a
-      directory authority to use up all its RAM by passing it a
-      maliciously crafted protocol versions string. Fixes bug 25517;
-      bugfix on 0.2.9.4-alpha.  This issue is also tracked as
-      TROVE-2018-005.
--- a/changes/bastet_v6
+++ b/changes/bastet_v6
@ -0,0 +1,4 @@
+  o Minor features (directory authority):
+    - Add an IPv6 address for the "bastet" directory authority.
+      Closes ticket 24394.
+
--- a/changes/bug15582
+++ b/changes/bug15582
@ -0,0 +1,4 @@
+  o Minor bugfixes (compilation):
+    - Avoid compiler warnings in the unit tests for running tor_sscanf()
+      with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.
+
--- a/changes/bug18100
+++ b/changes/bug18100
@ -0,0 +1,5 @@
+  o Major bugfixes (linux TPROXY support):
+    - Fix a typo that had prevented TPROXY-based transparent proxying from
+      working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
+      Patch from "d4fq0fQAgoJ".
+
--- a/changes/bug18329-minimal
+++ b/changes/bug18329-minimal
@ -0,0 +1,6 @@
+  o Minor features (bridge):
+    - Bridges now include notice in their descriptors that they are bridges,
+      and notice of their distribution status, based on their publication
+      settings.  Implements ticket 18329.  For more fine-grained control of
+      how a bridge is distributed, upgrade to 0.3.2.x or later.
+
--- a/changes/bug19025
+++ b/changes/bug19025
@ -0,0 +1,4 @@
+  o Major bugfixes (DNS):
+    - Fix a bug that prevented exit nodes from caching DNS records for more
+      than 60 seconds.
+      Fixes bug 19025; bugfix on 0.2.4.7-alpha.
--- a/changes/bug19869
+++ b/changes/bug19869
@ -0,0 +1,4 @@
+  o Minor bugfixes (DNSPort):
+    - On DNSPort, stop logging a BUG warning on a failed hostname lookup.
+      Fixes bug 19869; bugfix on 0.2.9.1-alpha.
+
--- a/changes/bug19926_029_info
+++ b/changes/bug19926_029_info
@ -0,0 +1,3 @@
+  o Minor bugfixes (logging):
+    - Downgrade a harmless log message about the pending_entry_connections
+      list from "warn" to "info". Mitigates bug 19926.
--- a/changes/bug19960
+++ b/changes/bug19960
@ -0,0 +1,4 @@
+  o Minor bugfixes (netbsd, unit tests):
+    - Stop expecting NetBSD unit tests to report success for ipfw;
+      on NetBSD, it's only pf that's supported.
+      Part of a fix for bug 19960; bugfix on 0.2.9.5-alpha.
--- a/changes/bug19968
+++ b/changes/bug19968
@ -0,0 +1,11 @@
+  o Minor bugfixes (relay):
+    - Do not try to parallelize workers more than 16x without the
+      user explicitly configuring us to do so, even if we do detect more than
+      16 CPU cores. Fixes bug 19968; bugfix on
+      0.2.3.1-alpha.
+
+
+  o Minor bugfixes (testing):
+    - Avoid a unit test failure on systems with over 16 detectable
+      CPU cores. Fixes bug 19968; bugfix on
+      0.2.3.1-alpha.
--- a/changes/bug19969
+++ b/changes/bug19969
@ -0,0 +1,10 @@
+  o Major bugfixes (client performance):
+    - Clients now respond to new application stream requests when
+      they arrive, rather than waiting up to one second before starting
+      to handle them. Fixes part of bug 19969; bugfix on 0.2.8.1-alpha.
+
+  o Major bugfixes (clients on flaky network connections):
+    - When Tor leaves standby because of a new application request, open
+      circuits as needed to serve that request. Previously, we would
+      potentially wait a very long time. Fixes part of bug 19969; bugfix
+      on 0.2.8.1-alpha.
--- a/changes/bug20059
+++ b/changes/bug20059
@ -0,0 +1,3 @@
+  o Minor bugfixes (relay):
+    - Avoid a double-marked-circuit warning that can happen when we receive
+      DESTROY cells under heavy load. Fixes bug 20059; bugfix on 0.1.0.1-rc.
--- a/changes/bug20085
+++ b/changes/bug20085
@ -0,0 +1,4 @@
+  o Documentation:
+    - Correct the minimum bandwidth value in torrc.sample, and queue a
+      corresponding change for torrc.minimal. Closes ticket 20085.
+
--- a/changes/bug20235
+++ b/changes/bug20235
@ -0,0 +1,4 @@
+  o Minor features (compatibility):
+    - Work around a bug in the OSX 10.12 SDK that would prevent us
+      from successfully targetting earlier versions of OSX.
+      Resolves ticket 20235.
--- a/changes/bug20247
+++ b/changes/bug20247
@ -0,0 +1,4 @@
+  o Minor bugfixes (linux seccomp2 sandbox):
+    - Avoid a sandbox failure when trying to re-bind to a socket and mark
+      it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.
+
--- a/changes/bug20306_029
+++ b/changes/bug20306_029
@ -0,0 +1,4 @@
+  o Minor bugfixes (fascistfirewall):
+    - Avoid spurious warnings when ReachableAddresses or FascistFirewall
+      is set. Fixes bug 20306; bugfix on 0.2.8.2-alpha.
+
--- a/changes/bug20307
+++ b/changes/bug20307
@ -0,0 +1,7 @@
+  o Minor bugfixes (circuit, hidden service)
+    - When closing a circuit, the reason for doing so was assigned from an int
+      value to a uint16_t which is quite a problem for negative values that are
+      our internal reasons (ex: END_CIRC_REASON_IP_NOW_REDUNDANT). On the HS
+      side, this was causing introduction points to be flagged as unusable
+      because the reason wasn't the right one due to the bad conversion.
+      Partially fixes bug 21056 and fixes bug 20307; Bugfix on 0.2.8.1-alpha.
--- a/changes/bug20401
+++ b/changes/bug20401
@ -0,0 +1,4 @@
+  o Minor bugfixes (relay):
+    - Avoid a small memory leak when informing worker threads about rotated
+      onion keys. Fixes bug 20401; bugfix on 0.2.6.3-alpha.
+
--- a/changes/bug20423
+++ b/changes/bug20423
@ -0,0 +1,6 @@
+  o Major bugfixes:
+    - For relays that don't know their own address, avoid attempting
+      a local hostname resolve for each descriptor we download. Also cut
+      down on the number of "Success: chose address 'x.x.x.x'" log lines.
+      Fixes bugs 20423 and 20610; bugfix on 0.2.8.1-alpha.
+
--- a/changes/bug20472
+++ b/changes/bug20472
@ -0,0 +1,5 @@
+  o Minor bugfixes (circuits):
+    - Remove a BUG warning in circuit_pick_extend_handshake. Instead, assume
+      all nodes support EXTEND2. Use ntor whenever a key is available.
+      Fixes bug 20472; bugfix on 0.2.9.3-alpha.
+
--- a/changes/bug20484
+++ b/changes/bug20484
@ -0,0 +1,5 @@
+  o Minor bugfixes (single onion services):
+    - Start correctly when creating a single onion service in a
+      directory that did not previously exist. Fixes bug 20484; bugfix on
+      0.2.9.3-alpha.
+
--- a/changes/bug20487
+++ b/changes/bug20487
@ -0,0 +1,4 @@
+  o Documentation:
+    - Clarify that setting HiddenServiceNonAnonymousMode requires
+      you to also set "SOCKSPort 0". Fixes bug 20487; bugfix on
+      0.2.9.3-alpha.
--- a/changes/bug20509
+++ b/changes/bug20509
@ -0,0 +1,5 @@
+  o Minor features:
+    - Directory authorities now reject relays running versions
+      0.2.9.1-alpha through 0.2.9.4-alpha, because those relays
+      suffer from bug 20499 and don't keep their consensus cache
+      up-to-date. Resolves ticket 20509.
--- a/changes/bug20529
+++ b/changes/bug20529
@ -0,0 +1,4 @@
+  o Minor bugfixes (hidden services):
+    - When configuring hidden services, check every hidden service directory's
+      permissions. Previously, we only checked the last hidden service.
+      Fixes bug 20529; bugfix on 13942 commit 85bfad1 in 0.2.6.2-alpha.
--- a/changes/bug20533
+++ b/changes/bug20533
@ -0,0 +1,7 @@
+  o Minor bugfixes (consensus downloads):
+    - If a consensus expires while we are waiting for certificates to download,
+      stop waiting for certificates.
+    - If we stop waiting for certificates less than a minute after we started
+      downloading them, do not consider the certificate download failure a
+      separate failure.
+      Fixes bug 20533; bugfix on commit e0204f21 in 0.2.0.9-alpha.
--- a/changes/bug20534
+++ b/changes/bug20534
@ -0,0 +1,8 @@
+  o Minor bugfixes (directory download scheduling):
+    - Remove the maximum delay on exponential-backoff scheduling.
+      Since we now allow an infinite number of failures (see ticket
+      20536), we must now allow the time to grow longer on each failure.
+      Fixes part of bug 20534; bugfix on 0.2.9.1-alpha.
+    - Use initial delays and decrements in download scheduling closer to
+      those from 0.2.8. Fixes another part of bug 20534; bugfix on
+      0.2.9.1-alpha.
--- a/changes/bug20536
+++ b/changes/bug20536
@ -0,0 +1,6 @@
+  o Major bugfixes (download scheduling):
+    - When using an exponential backoff schedule, do not give up on
+      dowloading just because we have failed a bunch of times.  Since
+      each delay is longer than the last, retrying indefinitely won't
+      hurt. Fixes bug 20536; bugfix on 0.2.9.1-alpha.
+
--- a/changes/bug20551
+++ b/changes/bug20551
@ -0,0 +1,3 @@
+  o Minor bugfixes (compilation):
+    - Fix implicit conversion warnings under OpenSSL 1.1.
+      Fixes bug 20551; bugfix on 0.2.1.1-alpha.
--- a/changes/bug20553
+++ b/changes/bug20553
@ -0,0 +1,3 @@
+  o Minor bugfixes (memory leak):
+    - Work around a memory leak in OpenSSL 1.1 when encoding public keys.
+      Fixes bug 20553; bugfix on 0.0.2pre8.
--- a/changes/bug20560
+++ b/changes/bug20560
@ -0,0 +1,4 @@
+  o Minor bugfixes (portability):
+    - Run correctly when built on Windows build environments that require
+      _vcsprintf(). Fixes bug 20560; bugfix on 0.2.2.11-alpha.
+
--- a/changes/bug20587
+++ b/changes/bug20587
@ -0,0 +1,5 @@
+  o Minor bugfixes (download timing):
+    - When determining when to download a directory object, handle times
+      after 2038 if the operating system supports that.  (Someday this will be
+      important!)  Fixes bug 20587; bugfix on 0.2.8.1-alpha.
+
--- a/changes/bug20588
+++ b/changes/bug20588
@ -0,0 +1,3 @@
+  o Minor features (portability):
+    - Fix compilation with OpenSSL 1.1 and less commonly-used
+      CPU architectures. Closes ticket 20588.
--- a/changes/bug20591
+++ b/changes/bug20591
@ -0,0 +1,3 @@
+  o Minor bugfixes (relay bootstrap):
+    - Ensure relays don't make multiple connections during bootstrap.
+      Fixes bug 20591; bugfix on 0.2.8.1-alpha.
--- a/changes/bug20593
+++ b/changes/bug20593
@ -0,0 +1,6 @@
+  o Minor bugfixes (client directory scheduling):
+    - Treat "relay too busy to answer request" as a failed request and a
+      reason to back off on our retry frequency. This is safe now that
+      exponential backups retry indefinitely, and avoids a bug where we would
+      reset our download schedule erroneously.
+      Fixes bug 20593; bugfix on 0.2.9.1-alpha.
--- a/changes/bug20597
+++ b/changes/bug20597
@ -0,0 +1,5 @@
+  o Minor bugfixes (test networks, exponential backoff):
+    - When using exponential backoff in test networks, use a lower exponent,
+      so the delays do not vary as much. This helps test networks bootstrap
+      consistently. Fixes bug 20597; bugfix on 20499; not in any released
+      version of tor.
--- a/changes/bug20613
+++ b/changes/bug20613
@ -0,0 +1,6 @@
+  o Minor bugfixes (single onion services, Tor2web):
+    - Stop logging long-term one-hop circuits deliberately created by single
+      onion services and Tor2web. These log messages are intended to diagnose
+      issue 8387, which relates to circuits hanging around forever for no
+      reason.
+      Fixes bug 20613; bugfix on 0.2.9.1-alpha. Reported by "pastly".
--- a/changes/bug20634
+++ b/changes/bug20634
@ -0,0 +1,3 @@
+  o Minor bugfixes (unit tests):
+    - Stop spurious failures in the local interface address discovery unit
+      tests. Fixes bug 20634; bugfix on 0.2.8.1-alpha; patch by Neel Chauhan.
--- a/changes/bug20638
+++ b/changes/bug20638
@ -0,0 +1,5 @@
+  o Minor bugfixes (hidden services):
+    - Stop ignoring hidden service key anonymity when first starting tor.
+      Instead, refuse to start tor if any hidden service key has been used in
+      a different hidden service anonymity mode.
+      Fixes bug 20638; bugfix on 17178 in 0.2.9.3-alpha; reported by ahf.
--- a/changes/bug20710_025
+++ b/changes/bug20710_025
@ -0,0 +1,4 @@
+  o Minor bugfixes (memory leak, use-after-free, linux seccomp2 sandbox):
+    - Fix a memory leak and use-after-free error when removing entries
+      from the sandbox's getaddrinfo() cache. Fixes bug 20710; bugfix on
+      0.2.5.5-alpha. Patch from "cypherpunks".
--- a/changes/bug20715
+++ b/changes/bug20715
@ -0,0 +1,4 @@
+  o Minor bugfixes (memory leak)
+    - When moving a signed descriptor object from a source to an existing
+      destination, free the allocated memory inside that destination object.
+      Bugfix on tor-0.2.8.3-alpha; Closes #20715.
--- a/changes/bug20716
+++ b/changes/bug20716
@ -0,0 +1,3 @@
+  o Minor bugfixes (client, memory leak):
+    - Fix a small memory leak when receiving AF_UNIX connections on
+      a SocksPort. Fixes bug 20716; bugfix on 0.2.6.3-alpha.
--- a/changes/bug20810
+++ b/changes/bug20810
@ -0,0 +1,4 @@
+  o Minor bugfixes (relay)
+    - When computing old Tor protocol line version in protover, we were
+      looking at 0.2.7.5 twice instead of a specific case for 0.2.9.1-alpha.
+      Bugfix on tor-0.2.9.4-alpha.
--- a/changes/bug20864
+++ b/changes/bug20864
@ -0,0 +1,4 @@
+  o Minor bugfixes (unit tests, hidden services):
+    - Remove a double-free in the single onion service unit test. Stop
+      ignoring a return value. Make future changes less error-prone.
+      Fixes bug 20864; bugfix on 0.2.9.6-rc.
--- a/changes/bug20875
+++ b/changes/bug20875
@ -0,0 +1,4 @@
+  o Minor bugfixes (download scheduling)
+    - Resolve a "bug" warning when considering a download schedule whose
+      delay had approached INT_MAX. Fixes 20875; bugfix on 0.2.9.5-alpha.
+
--- a/changes/bug20935
+++ b/changes/bug20935
@ -0,0 +1,3 @@
+  o Minor bugfixes (portability):
+    - Use the correct spelling of MAC_OS_X_VERSION_10_12 on configure.ac
+      Fixes bug 20935; bugfix on 0.2.9.6-rc.
--- a/changes/bug21018
+++ b/changes/bug21018
@ -0,0 +1,11 @@
+  o Major bugfixes (parsing, security):
+
+    - Fix a bug in parsing that could cause clients to read a single
+      byte past the end of an allocated region. This bug could be
+      used to cause hardened clients (built with
+      --enable-expensive-hardening) to crash if they tried to visit
+      a hostile hidden service.  Non-hardened clients are only
+      affected depending on the details of their platform's memory
+      allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by
+      using libFuzzer. Also tracked as TROVE-2016-12-002 and as
+      CVE-2016-1254.
--- a/changes/bug21035
+++ b/changes/bug21035
@ -0,0 +1,6 @@
+  o Minor bugfixes (portability):
+    - Avoid crashing when Tor is built using headers that contain
+      CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
+      without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix on
+      0.2.9.1-alpha.
+
--- a/changes/bug21051
+++ b/changes/bug21051
@ -0,0 +1,3 @@
+  o Minor bugfixes (compilation):
+    - Fix Libevent detection on platforms without Libevent 1 headers
+      installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.
--- a/changes/bug21074_downgrade
+++ b/changes/bug21074_downgrade
@ -0,0 +1,4 @@
+  o Minor bugfixes (portability):
+    - Don't exit the Tor process if setrlimit() fails to change the file
+      limit (which can happen sometimes on some versions of OSX). Fixes
+      bug 21074; bugfix on 0.0.9pre5.
--- a/changes/bug21108_029
+++ b/changes/bug21108_029
@ -0,0 +1,6 @@
+  o Major bugfixes (directory authority):
+    - During voting, when marking a node as a probable sybil, do not
+      clear its BadExit flag: sybils can still be bad in other ways
+      too. (We still clear the other flags.) Fixes bug 21108; bugfix
+      on 0.2.0.13-alpha.
+
--- a/changes/bug21278_extras
+++ b/changes/bug21278_extras
@ -0,0 +1,3 @@
+  o Minor bugfixes (code correctness):
+    - Repair a couple of (unreachable or harmless) cases of the risky
+      comparison-by-subtraction pattern that caused bug 21278.
--- a/changes/bug21278_prevention
+++ b/changes/bug21278_prevention
@ -0,0 +1,4 @@
+  o Minor features (directory authority):
+    - Directory authorities now reject descriptors that claim to be
+      malformed versions of Tor. Helps prevent exploitation of bug 21278.
+      
--- a/changes/bug21280
+++ b/changes/bug21280
@ -0,0 +1,5 @@
+  o Minor bugfixes (tor-resolve):
+    - The tor-resolve command line tool now rejects hostnames over 255
+      characters in length. Previously, it would silently truncate
+      them, which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
+      Patch by "junglefowl".
--- a/changes/bug21357
+++ b/changes/bug21357
@ -0,0 +1,7 @@
+  o Major bugfixes (IPv6 Exits):
+    - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects IPv6
+      addresses. Instead, only reject a port over IPv6 if the exit policy
+      rejects that port on more than an IPv6 /16 of addresses. This bug was
+      made worse by 17027 in 0.2.8.1-alpha, which rejects a relay's own IPv6
+      address by default.
+      Fixes bug 21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.
--- a/changes/bug21394
+++ b/changes/bug21394
@ -0,0 +1,9 @@
+  o Major bugfixes (Exit nodes):
+    - Fix an issue causing high-bandwidth exit nodes to fail a majority
+      or all of their DNS requests, making them basically unsuitable for
+      regular usage in Tor circuits. The problem is related to
+      libevent's DNS handling, but we can work around it in Tor. Fixes
+      bugs 21394 and 18580; bugfix on 0.1.2.2-alpha which introduced
+      eventdns. Credit goes to Dhalgren for identifying and finding a
+      workaround to this bug and to gamambel, arthuredelstein and
+      arma in helping to track it down and analyze it.
--- a/changes/bug21450
+++ b/changes/bug21450
@ -0,0 +1,4 @@
+  o Minor bugfixes (voting consistency):
+    - Reject version numbers with components that exceed INT32_MAX.
+      Otherwise 32-bit and 64-bit platforms would behave inconsistently.
+      Fixes bug 21450; bugfix on 0.0.8pre1.
--- a/changes/bug21507
+++ b/changes/bug21507
@ -0,0 +1,5 @@
+  o Minor bugfixes (voting consistency):
+    - Reject version numbers with non-numeric prefixes (such as +, -, and
+      whitespace). Disallowing whitespace prevents differential version
+      parsing between POSIX-based and Windows platforms.
+      Fixes bug 21507 and part of 21508; bugfix on 0.0.8pre1.
--- a/changes/bug21576
+++ b/changes/bug21576
@ -0,0 +1,4 @@
+  o Major bugfixes (crash, directory connections):
+    - Fix a rare crash when sending a begin cell on a circuit whose linked
+      directory connection has already been closed. Fixes bug 21576;
+      bugfix on Tor 0.2.9.3-alpha. Reported by alecmuffett.
--- a/changes/bug21943
+++ b/changes/bug21943
@ -0,0 +1,6 @@
+  o Minor bugfixes (Linux seccomp2 sandbox):
+    - The getpid() system call is now permitted under the Linux seccomp2
+      sandbox, to avoid crashing with versions of OpenSSL (and other
+      libraries) that attempt to learn the process's PID by using the
+      syscall rather than the VDSO code. Fixes bug 21943; bugfix on
+      0.2.5.1-alpha.
--- a/changes/bug22034
+++ b/changes/bug22034
@ -0,0 +1,4 @@
+  o Minor bugfixes (control port, regression):
+    - The GETINFO extra-info/digest/<digest> command was broken because of a
+      wrong base16 decode return value check. In was introduced in a refactor
+      of that API. Fixex bug #22034; bugfix on tor-0.2.9.1-alpha.
--- a/changes/bug22245
+++ b/changes/bug22245
@ -0,0 +1,5 @@
+  o Minor bugfixes (bandwidth accounting):
+    - Roll over monthly accounting at the configured hour and minute,
+      rather than always at 00:00.
+      Fixes bug 22245; bugfix on 0.0.9rc1.
+      Found by Andrey Karpov with PVS-Studio.
--- a/changes/bug22349
+++ b/changes/bug22349
@ -0,0 +1,9 @@
+  o Minor bugfixes (directory authority):
+    - When a directory authority rejects a descriptor or extrainfo with
+      a given digest, mark that digest as undownloadable, so that we
+      do not attempt to download it again over and over. We previously
+      tried to avoid downloading such descriptors by other means, but
+      we didn't notice if we accidentally downloaded one anyway. This
+      behavior became problematic in 0.2.7.2-alpha, when authorities
+      began pinning Ed25519 keys. Fixes ticket
+      22349; bugfix on 0.2.1.19-alpha.
--- a/changes/bug22370
+++ b/changes/bug22370
@ -0,0 +1,4 @@
+  o Minor bugfixes (memory handling):
+    - When directory authorities reject a router descriptor due to keypinning,
+      free the router descriptor rather than leaking the memory.
+      Fixes bug 22370; bugfix on 0.2.7.2-alpha.
--- a/changes/bug22446
+++ b/changes/bug22446
@ -0,0 +1,4 @@
+  o Minor features (code style, backport from 0.3.1.3-alpha):
+    - Add "Falls through" comments to our codebase, in order to silence
+      GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
+      Stieger. Closes ticket 22446.
--- a/changes/bug22460_case2
+++ b/changes/bug22460_case2
@ -0,0 +1,8 @@
+  o Major bugfixes (relay, link handshake):
+
+    - When performing the v3 link handshake on a TLS connection, report that
+      we have the x509 certificate that we actually used on that connection,
+      even if we have changed certificates since that connection was first
+      opened. Previously, we would claim to have used our most recent x509
+      link certificate, which would sometimes make the link handshake fail.
+      Fixes one case of bug 22460; bugfix on 0.2.3.6-alpha.
--- a/changes/bug22490
+++ b/changes/bug22490
@ -0,0 +1,3 @@
+  o Minor bugfixes (correctness):
+    - Avoid undefined behavior when parsing IPv6 entries from the geoip6
+      file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
--- a/changes/bug22516
+++ b/changes/bug22516
@ -0,0 +1,5 @@
+  o Minor bugfixes (linux seccomp2 sandbox):
+    - Permit the fchmod system call, to avoid crashing on startup when
+      starting with the seccomp2 sandbox and an unexpected set of permissions
+      on the data directory or its contents. Fixes bug 22516; bugfix on
+      0.2.5.4-alpha.
--- a/changes/bug22636
+++ b/changes/bug22636
@ -0,0 +1,8 @@
+ o Build features:
+   - Tor's repository now includes a Travis Continuous Integration (CI)
+     configuration file (.travis.yml). This is meant to help new developers and
+     contributors who fork Tor to a Github repository be better able to test
+     their changes, and understand what we expect to pass. To use this new build
+     feature, you must fork Tor to your Github account, then go into the
+     "Integrations" menu in the repository settings for your fork and enable
+     Travis, then push your changes.
--- a/changes/bug22644
+++ b/changes/bug22644
@ -0,0 +1,5 @@
+  o Minor bugfixes (controller):
+    - Do not crash when receiving a POSTDESCRIPTOR command with an
+      empty body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.
+    - Do not crash when receiving a HSPOST command with an empty body.
+      Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
--- a/changes/bug22737
+++ b/changes/bug22737
@ -0,0 +1,12 @@
+  o Minor bugfixes (defensive programming, undefined behavior):
+
+    - Fix a memset() off the end of an array when packing cells.  This
+      bug should be harmless in practice, since the corrupted bytes
+      are still in the same structure, and are always padding bytes,
+      ignored, or immediately overwritten, depending on compiler
+      behavior. Nevertheless, because the memset()'s purpose is to
+      make sure that any other cell-handling bugs can't expose bytes
+      to the network, we need to fix it. Fixes bug 22737; bugfix on
+      0.2.4.11-alpha. Fixes CID 1401591.
+
+
--- a/changes/bug22789
+++ b/changes/bug22789
@ -0,0 +1,7 @@
+  o Major bugfixes (openbsd, denial-of-service):
+    - Avoid an assertion failure bug affecting our implementation of
+      inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
+      handling of "0xfoo" differs from what we had expected.
+      Fixes bug 22789; bugfix on 0.2.3.8-alpha. Also tracked as
+      TROVE-2017-007.
+
--- a/changes/bug22797
+++ b/changes/bug22797
@ -0,0 +1,4 @@
+  o Minor bugfixes (file limits):
+    - When setting the maximum number of connections allowed by the OS,
+      always allow some extra file descriptors for other files.
+      Fixes bug 22797; bugfix on 0.2.0.10-alpha.
--- a/changes/bug22801
+++ b/changes/bug22801
@ -0,0 +1,5 @@
+  o Minor bugfixes (compilation):
+    - When building with certain versions the mingw C header files, avoid
+      float-conversion warnings when calling the C functions isfinite(),
+      isnan(), and signbit(). Fixes bug 22801; bugfix on 0.2.8.1-alpha.
+
--- a/changes/bug22838_028
+++ b/changes/bug22838_028
@ -0,0 +1,5 @@
+  o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
+    - Backport a fix for an "unused variable" warning that appeared
+      in some versions of mingw. Fixes bug 22838; bugfix on
+      0.2.8.1-alpha.
+
--- a/changes/bug22915
+++ b/changes/bug22915
@ -0,0 +1,3 @@
+  o Minor bugfixes (compilation warnings):
+    - Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915;
+      bugfix on 0.2.8.1-alpha.
--- a/changes/bug22916_027
+++ b/changes/bug22916_027
@ -0,0 +1,3 @@
+  o Minor bugfixes (Compilation):
+    - Fix warnings when building with libscrypt and openssl scrypt support
+      on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
--- a/changes/bug23030_029
+++ b/changes/bug23030_029
@ -0,0 +1,7 @@
+  o Minor bugfixes (coverity builds):
+    - Avoid Coverity build warnings related to our BUG() macro. By
+      default, Coverity treats BUG() as the Linux kernel does: an
+      instant abort(). We need to override that so our BUG() macro
+      doesn't prevent Coverity from analyzing functions that use it.
+      Fixes bug 23030; bugfix on 0.2.9.1-alpha.
+
--- a/changes/bug23081
+++ b/changes/bug23081
@ -0,0 +1,8 @@
+  o Minor bugfixes (Windows service):
+    - When running as a Windows service, set the ID of the main thread
+      correctly. Failure to do so made us fail to send log messages
+      to the controller in 0.2.1.16-rc, slowed down controller
+      event delivery in 0.2.7.3-rc and later, and crash with an assertion
+      failure in 0.3.1.1-alpha. Fixes bug 23081; bugfix on 0.2.1.6-alpha.
+      Patch and diagnosis from "Vort".
+
--- a/changes/bug23291
+++ b/changes/bug23291
@ -0,0 +1,3 @@
+  o Minor bugfixes (testing):
+    - Fix an undersized buffer in test-memwipe.c. Fixes bug 23291; bugfix on
+      0.2.7.2-alpha. Found and patched by Ties Stuij.
--- a/changes/bug23318
+++ b/changes/bug23318
@ -0,0 +1,11 @@
+  o Minor bugfixes (path selection):
+    - When selecting relays by bandwidth, avoid a rounding error that
+      could sometimes cause load to be imbalanced incorrectly. Previously,
+      we would always round upwards; now, we round towards the nearest
+      integer.  This had the biggest effect when a relay's weight adjustments
+      should have given it weight 0, but it got weight 1 instead.
+      Fixes bug 23318; bugfix on 0.2.4.3-alpha.
+    - When calculating the fraction of nodes that have descriptors, and all
+      all nodes in the network have zero bandwidths, count the number of nodes
+      instead.
+      Fixes bug 23318; bugfix on 0.2.4.10-alpha.
--- a/changes/bug23470
+++ b/changes/bug23470
@ -0,0 +1,6 @@
+  o Minor bugfix (relay address resolution):
+    - Avoid unnecessary calls to directory_fetches_from_authorities()
+      on relays. This avoids spurious address resolutions and
+      descriptor rebuilds. This is a mitigation for 21789. The original
+      bug was introduced in commit 35bbf2e as part of prop210.
+      Fixes 23470 in 0.2.8.1-alpha.
--- a/changes/bug23690
+++ b/changes/bug23690
@ -0,0 +1,5 @@
+  o Major bugfixes (relay, crash, assertion failure):
+    - Fix a timing-based assertion failure that could occur when the
+      circuit out-of-memory handler freed a connection's output buffer.
+      Fixes bug 23690; bugfix on 0.2.6.1-alpha.
+
--- a/Show More
+++ b/Show More