.appveyor.yml

@@ -1,62 +0,0 @@
-version: 1.0.{build}
-
-clone_depth: 50
-
-environment:
-  compiler: mingw
-
-  matrix:
-  - target: i686-w64-mingw32
-    compiler_path: mingw32
-    openssl_path: /c/OpenSSL-Win32
-  - target: x86_64-w64-mingw32
-    compiler_path: mingw64
-    openssl_path: /c/OpenSSL-Win64
-
-install:
-- ps: >-
-    Function Execute-Command ($commandPath)
-    {
-        & $commandPath $args 2>&1
-        if ( $LastExitCode -ne 0 ) {
-            $host.SetShouldExit( $LastExitCode )
-        }
-    }
-    Function Execute-Bash ()
-    {
-        Execute-Command 'c:\msys64\usr\bin\bash' '-e' '-c' $args
-    }
-    Execute-Command "C:\msys64\usr\bin\pacman" -Sy --noconfirm openssl-devel openssl libevent-devel libevent mingw-w64-i686-libevent mingw-w64-x86_64-libevent mingw-w64-i686-openssl mingw-w64-x86_64-openssl mingw-w64-i686-zstd mingw-w64-x86_64-zstd
-
-build_script:
-- ps: >-
-    if ($env:compiler -eq "mingw") {
-            $oldpath = ${env:Path} -split ';'
-            $buildpath = @("C:\msys64\${env:compiler_path}\bin", "C:\msys64\usr\bin") + $oldpath
-            $env:Path = @($buildpath) -join ';'
-            $env:build = @("${env:APPVEYOR_BUILD_FOLDER}", $env:target) -join '\'
-            Set-Location "${env:APPVEYOR_BUILD_FOLDER}"
-            Execute-Bash 'autoreconf -i'
-            mkdir "${env:build}"
-            Set-Location "${env:build}"
-            Execute-Bash "../configure --prefix=/${env:compiler_path} --build=${env:target} --host=${env:target} --disable-asciidoc --enable-fatal-warnings --with-openssl-dir=${env:openssl_path}"
-            Execute-Bash "V=1 make -j2"
-            Execute-Bash "V=1 make -j2 install"
-     }
-
-test_script:
-- ps: >-
-    if ($env:compiler -eq "mingw") {
-            $oldpath = ${env:Path} -split ';'
-            $buildpath = @("C:\msys64\${env:compiler_path}\bin") + $oldpath
-            $env:Path = $buildpath -join ';'
-            Set-Location "${env:build}"
-            Execute-Bash "VERBOSE=1 make -j2 check"
-    }
-
-on_success:
-- cmd: C:\Python27\python.exe %APPVEYOR_BUILD_FOLDER%\scripts\test\appveyor-irc-notify.py irc.oftc.net:6697 tor-ci success
-
-on_failure:
-- cmd: C:\Python27\python.exe %APPVEYOR_BUILD_FOLDER%\scripts\test\appveyor-irc-notify.py irc.oftc.net:6697 tor-ci failure
-

.gitignore

@@ -212,7 +212,6 @@ uptime-*.json
 /src/test/fuzz/lf-fuzz-*
 
 # /src/tools/
-/src/tools/libtorrunner.a
 /src/tools/tor-checkkey
 /src/tools/tor-resolve
 /src/tools/tor-cov-resolve

.gitlab-ci.yml

@@ -26,7 +26,7 @@ update:
     - ssh-add <(echo "$DEPLOY_KEY")
 
     # For Docker builds disable host key checking. Be aware that by adding that
-    # you are susceptible to man-in-the-middle attacks.
+    # you are suspectible to man-in-the-middle attacks.
     # WARNING: Use this only with the Docker executor, if you use it with shell
     # you will overwrite your user's SSH config.
     - mkdir -p ~/.ssh

.travis.yml

@@ -66,7 +66,6 @@ env:
     ## more than one entry causes unwanted matrix entries with
     ## unspecified compilers.
     - RUST_OPTIONS="--enable-rust --enable-cargo-online-mode"
-    # - RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
     # - RUST_OPTIONS=""
 
 matrix:
@@ -96,33 +95,21 @@ matrix:
   ## entry under that key outside the "include" clause.
   include:
     - compiler: gcc
-    - compiler: gcc
-      env: RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
     - compiler: gcc
       env: RUST_OPTIONS=""
     - compiler: gcc
       env: COVERAGE_OPTIONS="--enable-coverage"
     - compiler: gcc
-      env: DISTCHECK="yes" RUST_OPTIONS=""
-    - compiler: gcc
-      env: DISTCHECK="yes" RUST_OPTIONS="--enable-rust --enable-cargo-online-mode"
-    - compiler: gcc
-      env: MODULES_OPTIONS="--disable-module-dirauth"
+      env: DISTCHECK="yes"
     ## The "sudo: required" forces non-containerized builds, working
     ## around a Travis CI environment issue: clang LeakAnalyzer fails
     ## because it requires ptrace and the containerized environment no
     ## longer allows ptrace.
     - compiler: clang
       sudo: required
-    - compiler: clang
-      sudo: required
-      env: RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
     - compiler: clang
       sudo: required
       env: RUST_OPTIONS=""
-    - compiler: clang
-      sudo: required
-      env: MODULES_OPTIONS="--disable-module-dirauth"
 
 before_install:
   ## If we're on OSX, homebrew usually needs to updated first
@@ -148,12 +135,10 @@ install:
   - if [[ "$RUST_OPTIONS" != "" ]]; then which cargo; fi
   - if [[ "$RUST_OPTIONS" != "" ]]; then rustc --version; fi
   - if [[ "$RUST_OPTIONS" != "" ]]; then cargo --version; fi
-  ## If we're testing rust builds in offline-mode, then set up our vendored dependencies
-  - if [[ "$TOR_RUST_DEPENDENCIES" == "true" ]]; then export TOR_RUST_DEPENDENCIES=$PWD/src/ext/rust/crates; fi
 
 script:
   - ./autogen.sh
-  - ./configure $RUST_OPTIONS $COVERAGE_OPTIONS $MODULES_OPTIONS --disable-asciidoc --enable-fatal-warnings --disable-silent-rules --enable-fragile-hardening
+  - ./configure $RUST_OPTIONS $COVERAGE_OPTIONS --disable-asciidoc --enable-fatal-warnings --disable-silent-rules --enable-fragile-hardening
   ## We run `make check` because that's what https://jenkins.torproject.org does.
   - if [[ "$DISTCHECK" == "" ]]; then make check; fi
   - if [[ "$DISTCHECK" != "" ]]; then make distcheck DISTCHECK_CONFIGURE_FLAGS="$RUST_OPTIONS $COVERAGE_OPTIONS --disable-asciidoc --enable-fatal-warnings --disable-silent-rules --enable-fragile-hardening"; fi

CONTRIBUTING

@@ -1,39 +0,0 @@
-Contributing to Tor
--------------------
-
-### Getting started
-
-Welcome!
-
-We have a bunch of documentation about how to develop Tor in the
-doc/HACKING/ directory.  We recommend that you start with
-doc/HACKING/README.1st.md , and then go from there.  It will tell
-you how to find your way around the source code, how to get
-involved with the Tor community, how to write patches, and much
-more!
-
-You don't have to be a C developer to help with Tor: have a look
-at https://www.torproject.org/getinvolved/volunteer !
-
-The Tor Project is committed to fostering a inclusive community
-where people feel safe to engage, share their points of view, and
-participate. For the latest version of our Code of Conduct, please
-see
-
-https://gitweb.torproject.org/community/policies.git/plain/code_of_conduct.txt
-
-
-
-### License issues
-
-Tor is distributed under the license terms in the LICENSE -- in
-brief, the "3-clause BSD license".  If you send us code to
-distribute with Tor, it needs to be code that we can distribute
-under those terms.  Please don't send us patches unless you agree
-to allow this.
-
-Some compatible licenses include:
-
-  - 3-clause BSD
-  - 2-clause BSD
-  - CC0 Public Domain Dedication

Makefile.am

@@ -26,7 +26,7 @@ TESTING_TOR_BINARY=$(top_builddir)/src/or/tor$(EXEEXT)
 endif
 
 if USE_RUST
-rust_ldadd=$(top_builddir)/src/rust/target/release/@TOR_RUST_STATIC_NAME@ \
+rust_ldadd=$(top_builddir)/src/rust/target/release/@TOR_RUST_UTIL_STATIC_NAME@ \
 	@TOR_RUST_EXTRA_LIBS@
 else
 rust_ldadd=
@@ -38,7 +38,6 @@ include contrib/include.am
 
 EXTRA_DIST+= \
 	ChangeLog					\
-	CONTRIBUTING					\
 	INSTALL						\
 	LICENSE						\
 	Makefile.nmake					\
@@ -52,14 +51,14 @@ AM_ETAGSFLAGS=--regex='{c}/MOCK_IMPL([^,]+,\W*\([a-zA-Z0-9_]+\)\W*,/\1/s'
 if COVERAGE_ENABLED
 TEST_CFLAGS=-fno-inline -fprofile-arcs -ftest-coverage
 if DISABLE_ASSERTS_IN_UNIT_TESTS
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE -DDISABLE_ASSERTS_IN_UNIT_TESTS @TOR_MODULES_ALL_ENABLED@
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE -DDISABLE_ASSERTS_IN_UNIT_TESTS
 else
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE @TOR_MODULES_ALL_ENABLED@
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE
 endif
 TEST_NETWORK_FLAGS=--coverage --hs-multi-client 1
 else
 TEST_CFLAGS=
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS @TOR_MODULES_ALL_ENABLED@
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS
 TEST_NETWORK_FLAGS=--hs-multi-client 1
 endif
 TEST_NETWORK_WARNING_FLAGS=--quiet --only-warnings
@@ -119,19 +118,17 @@ test-network: need-chutney-path $(TESTING_TOR_BINARY) src/tools/tor-gencert
 
 # Run all available tests using automake's test-driver
 # only run IPv6 tests if we can ping6 ::1 (localhost)
-# only run IPv6 tests if we can ping ::1 (localhost)
 # some IPv6 tests will fail without an IPv6 DNS server (see #16971 and #17011)
 # only run mixed tests if we have a tor-stable binary
-# Try the syntax for BSD ping6, Linux ping6, and Linux ping -6,
-# because they're incompatible
+# Try both the BSD and the Linux ping6 syntax, because they're incompatible
 test-network-all: need-chutney-path test-driver $(TESTING_TOR_BINARY) src/tools/tor-gencert
 	mkdir -p $(TEST_NETWORK_ALL_LOG_DIR)
 	@flavors="$(TEST_CHUTNEY_FLAVORS)"; \
-	if ping6 -q -c 1 -o ::1 >/dev/null 2>&1 || ping6 -q -c 1 -W 1 ::1 >/dev/null 2>&1 || ping -6 -c 1 -W 1 ::1 >/dev/null 2>&1; then \
-		echo "ping6 ::1 or ping ::1 succeeded, running IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
+	if ping6 -q -c 1 -o ::1 >/dev/null 2>&1 || ping6 -q -c 1 -W 1 ::1 >/dev/null 2>&1; then \
+		echo "ping6 ::1 succeeded, running IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
 		flavors="$$flavors $(TEST_CHUTNEY_FLAVORS_IPV6)"; \
 	else \
-		echo "ping6 ::1 and ping ::1 failed, skipping IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
+		echo "ping6 ::1 failed, skipping IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
 		skip_flavors="$$skip_flavors $(TEST_CHUTNEY_FLAVORS_IPV6)"; \
 	fi; \
 	if command -v tor-stable >/dev/null 2>&1; then \
@@ -218,26 +215,6 @@ check-logs:
 	$(top_srcdir)/scripts/maint/checkLogs.pl \
 		$(top_srcdir)/src/*/*.[ch] | sort -n
 
-.PHONY: check-typos
-check-typos:
-	@if test -x "`which misspell 2>&1;true`"; then \
-		echo "Checking for Typos ..."; \
-		(misspell \
-			$(top_srcdir)/src/[^e]*/*.[ch] \
-			$(top_srcdir)/doc \
-			$(top_srcdir)/contrib \
-			$(top_srcdir)/scripts \
-			$(top_srcdir)/README \
-			$(top_srcdir)/ChangeLog \
-			$(top_srcdir)/INSTALL \
-			$(top_srcdir)/ReleaseNotes \
-			$(top_srcdir)/LICENSE); \
-	else \
-		echo "Tor can use misspell to check for typos."; \
-		echo "It seems that you don't have misspell installed."; \
-		echo "You can install the latest version of misspell here: https://github.com/client9/misspell#install"; \
-	fi
-
 .PHONY: check-changes
 check-changes:
 if USEPYTHON
@@ -271,10 +248,6 @@ clean-local:
 	rm -rf $(top_builddir)/src/rust/target
 	rm -rf $(top_builddir)/src/rust/.cargo/registry
 
-if USE_RUST
-distclean-local: distclean-rust
-endif
-
 # This relies on some internal details of how automake implements
 # distcheck.  We check two directories because automake-1.15 changed
 # from $(distdir)/_build to $(distdir)/_build/sub.

changes/TROVE-2018-005

@@ -1,6 +0,0 @@
-  o Major bugfixes (security, directory authority, denial-of-service):
-    - Fix a bug that could have allowed an attacker to force a
-      directory authority to use up all its RAM by passing it a
-      maliciously crafted protocol versions string. Fixes bug 25517;
-      bugfix on 0.2.9.4-alpha.  This issue is also tracked as
-      TROVE-2018-005.

changes/bastet_v6

@@ -0,0 +1,4 @@
+  o Minor features (directory authority):
+    - Add an IPv6 address for the "bastet" directory authority.
+      Closes ticket 24394.
+

changes/bug18859

@@ -0,0 +1,7 @@
+  o Major bugfixes (circuit prediction):
+    - Fix circuit prediction logic so that a client doesn't treat a stream as
+      being "handled" by a circuit if that circuit already has isolation
+      settings on it that might make it incompatible with the stream. This
+      change should make Tor clients more responsive by improving their
+      chances of having a pre-created circuit ready for use when a new client
+      request arrives.  Fixes bug 18859; bugfix on 0.2.3.3-alpha.

changes/bug20532

@@ -0,0 +1,4 @@
+  o Minor bugfixes (bridges):
+    - Overwrite the bridge address earlier in the process of directly
+      retrieving its descriptor, to make sure we reach it on the configured
+      address.  Fixes bug 20532; bugfix on 0.2.0.10-alpha.

changes/bug20963

@@ -0,0 +1,4 @@
+  o Minor features (logging):
+    - Improve the message we log when re-enabling circuit build timeouts
+      after having received a consensus. Closes ticket 20963.
+

changes/bug21074_downgrade

@@ -0,0 +1,4 @@
+  o Minor bugfixes (portability):
+    - Don't exit the Tor process if setrlimit() fails to change the file
+      limit (which can happen sometimes on some versions of OSX). Fixes
+      bug 21074; bugfix on 0.0.9pre5.

changes/bug21394

@@ -0,0 +1,9 @@
+  o Major bugfixes (Exit nodes):
+    - Fix an issue causing high-bandwidth exit nodes to fail a majority
+      or all of their DNS requests, making them basically unsuitable for
+      regular usage in Tor circuits. The problem is related to
+      libevent's DNS handling, but we can work around it in Tor. Fixes
+      bugs 21394 and 18580; bugfix on 0.1.2.2-alpha which introduced
+      eventdns. Credit goes to Dhalgren for identifying and finding a
+      workaround to this bug and to gamambel, arthuredelstein and
+      arma in helping to track it down and analyze it.

changes/bug21509

@@ -0,0 +1,3 @@
+  o Minor bugfixes (hidden service v3, fuzzing):
+    - Fix the hidden service v3 descriptor decoding fuzzing to use the latest
+      decoding API correctly. Fixes bug 21509; bugfix on 0.3.2.1-alpha.

changes/bug23318

@@ -0,0 +1,11 @@
+  o Minor bugfixes (path selection):
+    - When selecting relays by bandwidth, avoid a rounding error that
+      could sometimes cause load to be imbalanced incorrectly. Previously,
+      we would always round upwards; now, we round towards the nearest
+      integer.  This had the biggest effect when a relay's weight adjustments
+      should have given it weight 0, but it got weight 1 instead.
+      Fixes bug 23318; bugfix on 0.2.4.3-alpha.
+    - When calculating the fraction of nodes that have descriptors, and all
+      all nodes in the network have zero bandwidths, count the number of nodes
+      instead.
+      Fixes bug 23318; bugfix on 0.2.4.10-alpha.

changes/bug23603

@@ -0,0 +1,7 @@
+  o Minor bugfixes (hidden service v3):
+    - Fix a race between the circuit close and free where the service would
+      launch a new intro circuit after the close, and then fail to register it
+      before the free of the previously closed circuit. This was making the
+      service unable to find the established intro circuit and thus not upload
+      its descriptor. It can make a service unavailable for up to 24 hours.
+      Fixes bug 23603; bugfix on 0.3.2.1-alpha.

changes/bug23623

@@ -0,0 +1,4 @@
+  o Minor bugfixes (onion services):
+    - Cache some needed onion service client information instead of
+      continuously computing it over and over again. Fixes bug 23623; bugfix
+      on 0.3.2.1-alpha.

changes/bug23653

@@ -0,0 +1,7 @@
+  o Minor bugfixes (hidden service client):
+    - When getting multiple SOCKS request for the same .onion address, don't
+      trigger multiple descriptor fetches.
+    - When the descriptor fetch fails with an internal error, no more HSDir to
+      query or we aren't allowed to fetch (FetchHidServDescriptors 0), close
+      all pending SOCKS request for that .onion. Fixes bug 23653; bugfix on
+      0.3.2.1-alpha.

changes/bug23662

@@ -0,0 +1,4 @@
+  o Minor bugfixes (onion services):
+    - Silence a warning about failed v3 onion descriptor uploads since it can
+      happen naturally under certain edge-cases. Fixes part of bug 23662;
+      bugfix on 0.3.2.1-alpha.

changes/bug23670

@@ -0,0 +1,3 @@
+  o Minor features (entry guards):
+    - Improve logs issued when we are missing descriptors of primary guards.
+      Resolves ticket 23670.

changes/bug23678

@@ -0,0 +1,7 @@
+  o Minor bugfixes (warnings):
+    - When we get an HTTP request on a SOCKS port, tell the user about
+      the new HTTPTunnelPort option. Previously, we would give a
+      "Tor is not an HTTP Proxy" message, which stopped being true when
+      HTTPTunnelPort was introduced. Fixes bug 23678; bugfix on
+      0.3.2.1-alpha.
+

changes/bug23681

@@ -0,0 +1,5 @@
+  o Minor bugfixes (hidden service client):
+    - The introduction circuit was being timed out too quickly while waiting
+      for the rendezvous circuit to complete. Keep the intro circuit around
+      longer instead of timing out and reopening new ones constantly. Fixes
+      bug 23681; bugfix on 0.2.4.8-alpha.

changes/bug23693

@@ -0,0 +1,6 @@
+  o Minor bugfixes (relay, crash):
+    - Avoid a crash when transitioning from client mode to bridge mode.
+      Previously, we would launch the worker threads whenever our "public
+      server" mode changed, but not when our "server" mode changed.
+      Fixes bug 23693; bugfix on 0.2.6.3-alpha.
+

changes/bug23693.1

@@ -0,0 +1,4 @@
+  o Minor bugfixes (relay, crash):
+    - Avoid a crash when running with DirPort set but ORPort tuned off.
+      Fixes a case of bug 23693; bugfix on 0.3.1.1-alpha.
+

changes/bug23696

@@ -0,0 +1,5 @@
+  o Minor bugfix (KIST scheduler):
+    - Downgrade a warning to log info when the monotonic time diff is
+      negative. This can happen on platform not supporting monotonic time. The
+      scheduler recovers from this without any problem. Fixes bug 23696;
+      bugfix on 0.3.2.1-alpha.

changes/bug23739

@@ -0,0 +1,3 @@
+  o Minor bugfixes (documentation):
+    - Document better how to read gcov and what our postprocessing scripts do.
+      Fixes bug 23739; bugfix on 0.2.9.1-alpha.

changes/bug23741

@@ -0,0 +1,4 @@
+  o Minor bugfixes (testing):
+    - Prevent scripts/test/coverage from attempting to move gcov
+      output to the root directory.  Fixes bug 23741; bugfix on
+      0.2.5.1-alpha.

changes/bug23748

@@ -0,0 +1,5 @@
+  o Minor bugfixes (hidden service):
+    - Always make sure the hidden service generate the public key file if it
+      is missing. Prior to this, if the public key was deleted from disk, it
+      wouldn't get recreated. Fixes bug 23748; bugfix on 0.3.2.2-alpha.
+      Patch from "cathugger".

changes/bug23751

@@ -0,0 +1,6 @@
+  o Minor bugfixes (scheduler, channel):
+    - Ignore channels that have been closed while flushing cells. This can
+      happen if the write on the connection fails leading to the channel being
+      closed while in the scheduler loop. This is not a complete fix, it is a
+      bandaid until we are able to refactor those interactions. Fixes bug
+      23751; bugfix on 0.3.2.1-alpha.

changes/bug23753

@@ -0,0 +1,4 @@
+  o Minor features (logging, scheduler):
+    - Introduce a SCHED_BUG() function to log extra information about the
+      scheduler state if we ever catch a bug in the scheduler. Closes ticket
+      23753.

changes/bug23755

@@ -0,0 +1,4 @@
+  o Minor bugfixes (testing):
+    - Stop unconditionally mirroring the tor repository in GitLab CI.
+      This prevented developers from enabling GitLab CI on master.
+      Fixes bug 23755; bugfix on 0.3.2.2-alpha.

changes/bug23757

@@ -0,0 +1,4 @@
+  o Minor bugfixes (testing):
+    - Adjust the GitLab CI configuration to more closely match that of Travis
+      CI. Fixes bug 23757; bugfix on 0.3.2.2-alpha.
+

changes/bug23758

@@ -0,0 +1,4 @@
+  o Minor bugfixes (testing):
+    - Skip a test that would fail if run as root (because it expects a
+      permissions error).  This affects some continuous integration setups.
+      Fixes bug 23758; bugfix on 0.3.2.2-alpha.

changes/bug23762

@@ -0,0 +1,4 @@
+  o Minor bugfixes (hidden service v3):
+    - Properly retry HSv3 descriptor fetches in the case where we were initially
+      missing required directory information. Fixes bug 23762; bugfix on
+      0.3.2.1-alpha.

changes/bug23774

@@ -0,0 +1,4 @@
+  o Minor bugfixes (memory leak):
+    - Fix a minor memory-leak-at-exit in the KIST scheduler. This
+      bug should have no user-visible impact. Fixes bug 23774;
+      bugfix on 0.3.2.1-alpha.

changes/bug23783

@@ -0,0 +1,5 @@
+  o Minor bugfixes (compilation, windows):
+    - When detecting OpenSSL on Windows from our configure script, make sure
+      to try linking with the ws2_32 library. Fixes bug 23783; bugfix on
+      0.3.2.2-alpha.
+

changes/bug23790

@@ -0,0 +1,6 @@
+  o Minor bugfixes (hidden service v2):
+    - When reloading tor (HUP) configured with hidden service(s), some
+      information weren't copy to the new service object. One problem with
+      this was that tor would wait at least the RendPostPeriod time before
+      uploading the descriptor if the reload happened before the descriptor
+      needed to be published. Fixes bug 23790; bugfix on 0.2.1.9-alpha.

changes/bug23816

@@ -0,0 +1,6 @@
+  o Minor bugfixes (directory client):
+    - On failure to download directory information, delay retry attempts
+      by a random amount based on the "decorrelated jitter" algorithm.
+      Our previous delay algorithm tended to produce extra-long delays too
+      easily. Fixes bug 23816; bugfix on 0.2.9.1-alpha.
+

changes/bug23817

@@ -0,0 +1,3 @@
+  o Minor bugfixes (descriptors):
+    - Don't try fetching microdescriptors from relays that have failed to
+      deliver them in the past. Fixes bug 23817; bugfix on 0.3.0.1-alpha.

changes/bug23820

@@ -0,0 +1,5 @@
+  o Minor bugfixes (IPv6, v3 single onion services):
+    - Remove buggy code for IPv6-only v3 single onion services, and reject
+      attempts to configure them. This release supports IPv4, dual-stack, and
+      IPv6-only v3 hidden services; and IPv4 and dual-stack v3 single onion
+      services. Fixes bug 23820; bugfix on 0.3.2.1-alpha.

changes/bug23861

@@ -0,0 +1,5 @@
+  o Minor bugfixes (logging, relay):
+    - Suppress a log notice when relay descriptors arrive. We already have a
+      bootstrap progress for this so no need to log notice everytime tor
+      receives relay descriptors. Microdescriptors behave the same. Fixes bug
+      23861; bugfix on 0.2.8.2-alpha.

changes/bug23862

@@ -0,0 +1,5 @@
+  o Minor bugfixes (entry guards):
+    - Tor now updates its guard state when it reads a consensus regardless of
+      whether it's missing descriptors. That makes tor use its primary guards
+      to fetch descriptors in some edge cases where it would have used fallback
+      directories in the past. Fixes bug 23862; bugfix on 0.3.0.1-alpha.

changes/bug23874

@@ -0,0 +1,3 @@
+  o Minor bugfixes (memory safety):
+    - Clear the address when node_get_prim_orport() returns early.
+      Fixes bug 23874; bugfix on 0.2.8.2-alpha.

changes/bug23952

@@ -0,0 +1,4 @@
+  o Minor bugfixes (relay):
+    - Avoid a BUG warning when receiving a dubious CREATE cell while
+      an option transition is in progress. Fixes bug 23952; bugfix on
+      0.3.2.1-alpha.

changes/bug23985

@@ -0,0 +1,9 @@
+  o Minor bugfixes (bootstrapping):
+    - Fetch descriptors aggressively whenever we lack enough
+      to build circuits, regardless of how many descriptors we are missing.
+      Previously, we would delay launching the fetch when we had fewer than
+      15 missing descriptors, even if some of those descriptors were
+      blocking circuits from building. Fixes bug 23985; bugfix on
+      0.1.1.11-alpha. The effects of this bug became worse in 0.3.0.3-alpha,
+      when we began treating missing descriptors from our primary guards
+      as a reason to delay circuits.

changes/bug24002

@@ -0,0 +1,5 @@
+  o Minor bugfixes (hidden service):
+    - Make sure that we have a usable ed25519 key when the intro point relay
+      does support ed25519 link authentication. We do check for an empty key
+      when the relay does not support it so this makes it nice and symmetric.
+      Fixes bug 24002; bugfix on 0.3.2.1-alpha.

changes/bug24025

@@ -0,0 +1,5 @@
+  o Minor bugfixes (logging, relay):
+    - Downgrade a warning to a protocol warning in the case the ed25519 key is
+      not consistent between the descriptor and micro descriptor of a relay.
+      This can happen for instance if the relay has been flagged
+      NoEdConsensus. Fixes bug 24025; bugfix on 0.3.2.1-alpha.

changes/bug24050

@@ -0,0 +1,5 @@
+  o Minor bugfixes (client):
+    - By default, do not enable storage of client-side DNS values.
+      These values were unused by default previously, but they should
+      not have been cached at all.  Fixes bug 24050; bugfix on
+      0.2.6.3-alpha.

changes/bug24082

@@ -0,0 +1,3 @@
+  o Minor bugfixes (testing):
+    - Fix a spurious fuzzing-only use of an uninitialized value.
+      Found by Brian Carpenter. Fixes bug 24082; bugfix on 0.3.0.3-alpha.

changes/bug24086

@@ -0,0 +1,7 @@
+  o Minor bugfixes (directory cache):
+    - When a consensus diff calculation is only partially successful, only
+      record the successful parts as having succeeded. Partial success
+      can happen if (for example) one compression method fails but
+      the others succeed. Previously we misrecorded all the calculations as
+      having succeeded, which would later cause a nonfatal assertion failure.
+      Fixes bug 24086; bugfix on 0.3.1.1-alpha.

changes/bug24099

@@ -0,0 +1,4 @@
+  o Minor bugfixes (directory cache):
+    - Recover better from empty or corrupt files in the consensus cache
+      directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
+

changes/bug24115

@@ -0,0 +1,4 @@
+  o Minor bugfixes (manpage, hidden service):
+    - Mention that the HiddenServiceNumIntroductionPoints option is 0-10 for
+      v2 service and 0-20 for v3 service. Fixes bug 24115; bugfix on
+      0.3.2.1-alpha.

changes/bug24150

@@ -0,0 +1,4 @@
+  o Minor bugfixes (v3 onion services):
+    - Fix a memory leak when decrypting a badly formatted v3 onion
+      service descriptor. Fixes bug 24150; bugfix on 0.3.2.1-alpha.
+      Found by OSS-Fuzz; this is OSS-Fuzz issue 3994.

changes/bug24167

@@ -0,0 +1,7 @@
+  o Minor bugfixes (network layer):
+    - When closing a connection via close_connection_immediately(), we
+      mark it as "not blocked on bandwidth", to prevent later calls
+      from trying to unblock it, and give it permission to read. This
+      fixes a backtrace warning that can happen on relays under various
+      circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
+

changes/bug24170

@@ -0,0 +1,3 @@
+  o Minor bugfixes (path selection):
+    - Actually log the total bandwidth in compute_weighted_bandwidths().
+      Fixes bug 24170; bugfix on 0.2.4.3-alpha.

changes/bug24198

@@ -0,0 +1,4 @@
+  o Minor bugfixes (controller, linux seccomp2 sandbox):
+    - Avoid a crash when attempting to use the seccomp2 sandbox
+      together with the OwningControllerProcess feature.
+      Fixes bug 24198; bugfix on 0.2.5.1-alpha.

changes/bug24230

@@ -0,0 +1,4 @@
+  o Minor bugfixes (control port, hidden service):
+    - Control port was reporting the action "UPLOAD_FAILED" instead of
+      "FAILED" for the HS_DESC event when a service was not able to upload a
+      descriptor. Fixes bug 24230; bugfix on 0.2.7.1-alpha.

changes/bug24247

@@ -0,0 +1,6 @@
+  o Minor bugfixes (fuzzing):
+    - Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(), to
+      correctly handle cases where a caller gives it an RSA key of under 160
+      bits. (This is not actually a bug in Tor itself, but wrather in our
+      fuzzing code.)  Fixes bug 24247; bugfix on 0.3.0.3-alpha.
+      Found by OSS-Fuzz as issue 4177.

changes/bug24262

@@ -0,0 +1,3 @@
+  o Minor bugfixes (hidden service):
+    - Fix the consensus parameter "hsdir-interval" to "hsdir_interval" so it
+      matches the dir-spec.txt. Fixes bug 24262; bugfix on 0.3.1.1-alpha.

changes/bug24279

@@ -0,0 +1,5 @@
+  o Minor bugfixes (compilation, hardening):
+    - Fix a memory leak warning in one of the libevent-related
+      configuration tests that could occur when manually specifying
+      -fsanitize=address.  Fixes bug 24279; bugfix on 0.3.0.2-alpha.
+      Found and patched by Alex Xu.

changes/bug24313

@@ -0,0 +1,5 @@
+  o Major bugfixes (security, hidden service v2):
+    - Fix a use-after-free error that could crash v2 Tor hidden services
+      when it failed to open circuits while expiring introductions
+      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha.  This
+      issue is also tracked as TROVE-2017-013 and CVE-2017-8823.

changes/bug24345

@@ -0,0 +1,3 @@
+  o Minor bugfixes (tests):
+    - Fix a unit test in one of the bridge-distribution test cases.
+      Fixes bug 24345; bugfix on 0.3.2.3-alpha.

changes/bug24367

@@ -0,0 +1,13 @@
+  o Minor bugfixes (bridge clients, bootstrap):
+    - Retry directory downloads when we get our first bridge descriptor
+      during bootstrap or while reconnecting to the network. Keep retrying
+      every time we get a bridge descriptor, until we have a reachable bridge.
+      Fixes bug 24367; bugfix on 0.2.0.3-alpha.
+    - Stop delaying bridge descriptor fetches when we have cached bridge
+      descriptors. Instead, only delay bridge descriptor fetches when we
+      have at least one reachable bridge.
+      Fixes bug 24367; bugfix on 0.2.0.3-alpha.
+    - Stop delaying directory fetches when we have cached bridge descriptors.
+      Instead, only delay bridge descriptor fetches when all our bridges are
+      definitely unreachable.
+      Fixes bug 24367; bugfix on 0.2.0.3-alpha.

changes/bug24424

@@ -0,0 +1,3 @@
+  o Minor features (portability):
+    - Tor now compiles correctly on arm64 with libseccomp-dev installed.
+      (It doesn't yet work with the sandbox enabled.) Closes ticket 24424.

changes/bug24480

@@ -0,0 +1,3 @@
+  o Minor bugfixes (compilation):
+    - Fix a signed/unsigned comparison warning introduced by our
+      fix to TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.

changes/bug24502

@@ -0,0 +1,4 @@
+  o Minor bugfixes (scheduler):
+    - Properly set the scheduler state of an unopened channel in the KIST
+      scheduler main loop. This prevents a harmless but annoying log warning.
+      Fixes bug 24502; bugfix on 0.3.2.4-alpha.

changes/bug24526

@@ -0,0 +1,4 @@
+  o Documentation:
+    - Document that operators who run more than one relay or bridge are
+      expected to set MyFamily and ContactInfo correctly. Closes ticket
+      24526.

changes/bug24590

@@ -0,0 +1,5 @@
+  o Minor bugfixes (scheduler, KIST):
+    - Avoid a possible integer overflow when computing the available space on
+      the TCP buffer of a channel. This has no security implications but can
+      make KIST not behave properly by allowing more cells on a already
+      saturated connection. Fixes bug 24590; bugfix on 0.3.2.1-alpha.

changes/bug24633

@@ -0,0 +1,5 @@
+  o Minor bugfixes (portability, msvc):
+    - Fix a bug in the bit-counting parts of our timing-wheel code on
+      MSVC. (Note that MSVC is still not a supported build platform,
+      due to cyptographic timing channel risks.) Fixes bug 24633;
+      bugfix on 0.2.9.1-alpha.

changes/bug24634

@@ -0,0 +1,3 @@
+  o Minor bugfixes (compilation):
+    - Resolve a few shadowed-variable warnings in the onion service code.
+      Fixes bug 24634; bugfix on 0.3.2.1-alpha.

changes/bug24652

@@ -0,0 +1,6 @@
+  o Minor bugfixes (build, compatibility, rust, OSX):
+
+    - When building with Rust on OSX, link against libresolv, to
+      work around the issue at
+      https://github.com/rust-lang/rust/issues/46797. Fixes bug
+      24652; bugfix on 0.3.1.1-alpha.

changes/bug24665

@@ -0,0 +1,6 @@
+  o Major bugfixes (KIST, scheduler):
+    - The KIST scheduler did not correctly account for data already enqueued
+      in each connection's send socket buffer, particularly in cases when the
+      TCP/IP congestion window was reduced between scheduler calls. This
+      situation lead to excessive per-connection buffering in the kernel, and
+      a potential memory DoS. Fixes bug 24665; bugfix on 0.3.2.1-alpha.

changes/bug24666

@@ -0,0 +1,7 @@
+  o Minor bugfixes (memory usage):
+
+    - When queuing DESTROY cells on a channel, only queue the
+      circuit-id and reason fields: not the entire 514-byte
+      cell. This fix should help mitigate any bugs or attacks that
+      fill up these queues, and free more RAM for other uses. Fixes
+      bug 24666; bugfix on 0.2.5.1-alpha.

changes/bug24671

@@ -0,0 +1,6 @@
+  o Minor bugfixes (scheduler, KIST):
+    - Use a sane write limit for KISTLite when writing onto a connection
+      buffer instead of using INT_MAX and shoving as much as it can. Because
+      the OOM handler cleans up circuit queues, we are better off at keeping
+      them in that queue instead of the connection's buffer. Fixes bug 24671;
+      bugfix on 0.3.2.1-alpha.

changes/bug24700

@@ -0,0 +1,4 @@
+  o Minor bugfixes (scheduler, KIST):
+    - Avoid adding the same channel twice in the KIST scheduler pending list
+      wasting CPU cycles at handling the same channel twice. Fixes bug 24700;
+      bugfix on 0.3.2.1-alpha.

changes/bug24736

@@ -0,0 +1,6 @@
+  o Minor bugfixes (address selection):
+    - When the fascist_firewall_choose_address_ functions don't find a
+      reachable address, set the returned address to the null address and port.
+      This is a precautionary measure, because some callers do not check the
+      return value.
+      Fixes bug 24736; bugfix on 0.2.8.2-alpha.

changes/bug24826_031

@@ -0,0 +1,4 @@
+  o Minor bugfixes (performance, fragile-hardening):
+    - Improve the performance of our consensus-diff application code when Tor
+      is built with the --enable-fragile-hardening option set. Fixes bug
+      24826; bugfix on  0.3.1.1-alpha.

changes/bug24854

@@ -0,0 +1,3 @@
+  o Code simplification and refactoring:
+    - Move the list of default directory authorities to their own file for
+      inclusion using the C preprocessor. Closes ticket 24854. Patch by "beastr0".

changes/bug24859

@@ -0,0 +1,4 @@
+  o Minor bugfixes (logging):
+    - Don't treat inability to store a cached consensus object as a
+      bug: it can happen normally when we are out of disk space.
+      Fixes bug 24859; bugfix on 0.3.1.1-alpha.

changes/bug24894

@@ -0,0 +1,5 @@
+  o Major bugfixes (v3 onion services):
+    - New-style (v3) onion services now obey the "max rendezvous circuit
+      attempts" logic. Previously they would make as many rendezvous
+      circuit attempts as they could fit in the MAX_REND_TIMEOUT second
+      window before giving up. Fixes bug 24894; bugfix on 0.3.2.1-alpha.

changes/bug24895

@@ -0,0 +1,8 @@
+  o Major bugfixes (onion services):
+    - Fix an "off by 2" error in counting rendezvous failures on the onion
+      service side. While we thought we would stop the rendezvous attempt
+      after one failed circuit, we were actually making three circuit attempts
+      before giving up. Now switch to a default of 2, and allow the consensus
+      parameter "hs_service_max_rdv_failures" to override. Fixes bug 24895;
+      bugfix on 0.0.6.
+

changes/bug24898

@@ -0,0 +1,8 @@
+  o Major bugfixes (relays):
+    - Fix a set of false positives where relays would consider connections
+      to other relays as being client-only connections (and thus e.g.
+      deserving different link padding schemes) if those relays fell out
+      of the consensus briefly. Now we look only at the initial handshake
+      and whether the connection authenticated as a relay. Fixes bug
+      24898; bugfix on 0.3.1.1-alpha.
+

changes/bug24952

@@ -0,0 +1,5 @@
+  o Minor bugfix (channel connection):
+    - The accurate address of a connection is real_addr, not the addr member.
+      TLS Channel remote address is now real_addr content instead of addr
+      member. Fixes bug 24952; bugfix on 707c1e2e26 in 0.2.4.11-alpha.
+      Patch by "ffmancera".

changes/bug24969

@@ -0,0 +1,3 @@
+  o Minor bugfixes (Linux seccomp2 sandbox):
+    - Allow the nanosleep() system call, which glibc uses to implement
+      sleep() and usleep(). Fixes bug 24969; bugfix on 0.2.5.1-alpha.

changes/bug24972

@@ -0,0 +1,4 @@
+  o Minor features (logging, diagnostic):
+    - When logging a failure to check a hidden service's certificate,
+      also log what the problem with the certificate was. Diagnostic
+      for ticket 24972.

changes/bug24975

@@ -0,0 +1,6 @@
+  o Major bugfixes (scheduler, consensus):
+    - A logic in the code was preventing the scheduler subystem to properly
+      make a decision based on the latest consensus when it arrives. This lead
+      to the scheduler failing to notice any consensus parameters that might
+      have changed between consensuses. Fixes bug 24975; bugfix on
+      0.3.2.1-alpha.

changes/bug24976

@@ -0,0 +1,5 @@
+  o Minor bugfixes (hidden service v3 client):
+    - Remove a BUG() statement which can be triggered in normal circumstances
+      where a client fetches a descriptor that has a lower revision counter
+      than the one in its cache. This can happen due to HSDir desync. Fixes
+      bug 24976; bugfix on 0.3.2.1-alpha.

changes/bug24978

@@ -0,0 +1,7 @@
+  o Minor features (compatibility, OpenSSL):
+    - Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
+      Previous versions of Tor would not have worked with OpenSSL
+      1.1.1, since they neither disabled TLS 1.3 nor enabled any of the
+      ciphersuites it requires. Here we enable the TLS 1.3 ciphersuites.
+      Closes ticket 24978.
+

changes/bug25005

@@ -0,0 +1,4 @@
+  o Minor bugfixes (unit tests):
+    - Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug
+      25005; bugfix on 0.3.2.7-rc.
+

changes/bug25070

@@ -0,0 +1,3 @@
+  o Major bugfixes (protocol versions):
+    - Add Link protocol version 5 to the supported protocols list.
+      Fixes bug 25070; bugfix on 0.3.1.1-alpha.

changes/bug25105

@@ -0,0 +1,5 @@
+  o Minor bugfixes (v3 onion services):
+    - Look at the "HSRend" protocol version, not the "HSDir" protocol
+      version, when deciding whether a consensus entry can support
+      the v3 onion service protocol as a rendezvous point.
+      Fixes bug 25105; bugfix on 0.3.2.1-alpha.

changes/bug25223

@@ -0,0 +1,4 @@
+  o Minor bugfixes (DoS mitigation):
+    - Make sure we don't modify consensus parameters if we aren't a public
+      relay when a new consensus arrives. Fixes bug 25223; bugfix on
+      0.3.3.2-alpha.

changes/bug25249

@@ -0,0 +1,3 @@
+  o Minor bugfixes (spec conformance):
+    - Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
+      0.2.9.4-alpha.

changes/bug25249.2

@@ -0,0 +1,3 @@
+  o Minor bugfixes (spec conformance):
+    - Forbid UINT32_MAX as a protocol version.  Fixes part of bug 25249;
+      bugfix on 0.2.9.4-alpha.

changes/bug25296_032

@@ -0,0 +1,5 @@
+  o Minor bugfixes (documentation):
+    - Document that the PerConnBW{Rate,Burst} options will fall back to their
+      corresponding consensus parameters only if those parameters are
+      set. Previously we had claimed that these values would always be
+      set in the consensus. Fixes bug 25296; bugfix on 0.2.2.7-alpha.

changes/bug25450

@@ -0,0 +1,8 @@
+  o Minor bugfixes (testing):
+    - Avoid intermittent test failures due to relying on hidden service
+      introductory point creation within 5 seconds of real clock time.  The
+      time limit for the test has been increased to 500 seconds, which may
+      still result in intermittent failures (e.g. if the system doing the
+      testing enters sleep/hibernation or experiences some other clock jump).
+      However, this should elliminate test failures currently happening on
+      developer and CI systems.  Fixes bug 25450; bugfix on 0.3.1.3-alpha.

changes/bug25474

@@ -0,0 +1,5 @@
+  o Minor bugfixes (compilation):
+    - Fix a c99 compliance issue in our configuration script that was
+      causing compilation issues when compiling Tor with certain
+      versions of xtools. Fixes bug 25474; bugfix on 0.3.2.5-alpha.
+

changes/bug25629

@@ -0,0 +1,3 @@
+  o Minor bugfixes (C correctness):
+    - Fix a very unlikely null pointer dereference.  Fixes bug 25629;
+      bugfix on 0.2.9.15.  Found by Coverity; this is CID 1430932.