.appveyor.yml

@@ -1,62 +0,0 @@
-version: 1.0.{build}
-
-clone_depth: 50
-
-environment:
-  compiler: mingw
-
-  matrix:
-  - target: i686-w64-mingw32
-    compiler_path: mingw32
-    openssl_path: /c/OpenSSL-Win32
-  - target: x86_64-w64-mingw32
-    compiler_path: mingw64
-    openssl_path: /c/OpenSSL-Win64
-
-install:
-- ps: >-
-    Function Execute-Command ($commandPath)
-    {
-        & $commandPath $args 2>&1
-        if ( $LastExitCode -ne 0 ) {
-            $host.SetShouldExit( $LastExitCode )
-        }
-    }
-    Function Execute-Bash ()
-    {
-        Execute-Command 'c:\msys64\usr\bin\bash' '-e' '-c' $args
-    }
-    Execute-Command "C:\msys64\usr\bin\pacman" -Sy --noconfirm openssl-devel openssl libevent-devel libevent mingw-w64-i686-libevent mingw-w64-x86_64-libevent mingw-w64-i686-openssl mingw-w64-x86_64-openssl mingw-w64-i686-zstd mingw-w64-x86_64-zstd
-
-build_script:
-- ps: >-
-    if ($env:compiler -eq "mingw") {
-            $oldpath = ${env:Path} -split ';'
-            $buildpath = @("C:\msys64\${env:compiler_path}\bin", "C:\msys64\usr\bin") + $oldpath
-            $env:Path = @($buildpath) -join ';'
-            $env:build = @("${env:APPVEYOR_BUILD_FOLDER}", $env:target) -join '\'
-            Set-Location "${env:APPVEYOR_BUILD_FOLDER}"
-            Execute-Bash 'autoreconf -i'
-            mkdir "${env:build}"
-            Set-Location "${env:build}"
-            Execute-Bash "../configure --prefix=/${env:compiler_path} --build=${env:target} --host=${env:target} --disable-asciidoc --enable-fatal-warnings --with-openssl-dir=${env:openssl_path}"
-            Execute-Bash "V=1 make -j2"
-            Execute-Bash "V=1 make -j2 install"
-     }
-
-test_script:
-- ps: >-
-    if ($env:compiler -eq "mingw") {
-            $oldpath = ${env:Path} -split ';'
-            $buildpath = @("C:\msys64\${env:compiler_path}\bin") + $oldpath
-            $env:Path = $buildpath -join ';'
-            Set-Location "${env:build}"
-            Execute-Bash "VERBOSE=1 make -j2 check"
-    }
-
-on_success:
-- cmd: C:\Python27\python.exe %APPVEYOR_BUILD_FOLDER%\scripts\test\appveyor-irc-notify.py irc.oftc.net:6697 tor-ci success
-
-on_failure:
-- cmd: C:\Python27\python.exe %APPVEYOR_BUILD_FOLDER%\scripts\test\appveyor-irc-notify.py irc.oftc.net:6697 tor-ci failure
-

.travis.yml

@@ -106,8 +106,6 @@ matrix:
       env: DISTCHECK="yes" RUST_OPTIONS=""
     - compiler: gcc
       env: DISTCHECK="yes" RUST_OPTIONS="--enable-rust --enable-cargo-online-mode"
-    - compiler: gcc
-      env: MODULES_OPTIONS="--disable-module-dirauth"
     ## The "sudo: required" forces non-containerized builds, working
     ## around a Travis CI environment issue: clang LeakAnalyzer fails
     ## because it requires ptrace and the containerized environment no
@@ -120,9 +118,6 @@ matrix:
     - compiler: clang
       sudo: required
       env: RUST_OPTIONS=""
-    - compiler: clang
-      sudo: required
-      env: MODULES_OPTIONS="--disable-module-dirauth"
 
 before_install:
   ## If we're on OSX, homebrew usually needs to updated first
@@ -153,7 +148,7 @@ install:
 
 script:
   - ./autogen.sh
-  - ./configure $RUST_OPTIONS $COVERAGE_OPTIONS $MODULES_OPTIONS --disable-asciidoc --enable-fatal-warnings --disable-silent-rules --enable-fragile-hardening
+  - ./configure $RUST_OPTIONS $COVERAGE_OPTIONS --disable-asciidoc --enable-fatal-warnings --disable-silent-rules --enable-fragile-hardening
   ## We run `make check` because that's what https://jenkins.torproject.org does.
   - if [[ "$DISTCHECK" == "" ]]; then make check; fi
   - if [[ "$DISTCHECK" != "" ]]; then make distcheck DISTCHECK_CONFIGURE_FLAGS="$RUST_OPTIONS $COVERAGE_OPTIONS --disable-asciidoc --enable-fatal-warnings --disable-silent-rules --enable-fragile-hardening"; fi

CONTRIBUTING

@@ -1,39 +0,0 @@
-Contributing to Tor
--------------------
-
-### Getting started
-
-Welcome!
-
-We have a bunch of documentation about how to develop Tor in the
-doc/HACKING/ directory.  We recommend that you start with
-doc/HACKING/README.1st.md , and then go from there.  It will tell
-you how to find your way around the source code, how to get
-involved with the Tor community, how to write patches, and much
-more!
-
-You don't have to be a C developer to help with Tor: have a look
-at https://www.torproject.org/getinvolved/volunteer !
-
-The Tor Project is committed to fostering a inclusive community
-where people feel safe to engage, share their points of view, and
-participate. For the latest version of our Code of Conduct, please
-see
-
-https://gitweb.torproject.org/community/policies.git/plain/code_of_conduct.txt
-
-
-
-### License issues
-
-Tor is distributed under the license terms in the LICENSE -- in
-brief, the "3-clause BSD license".  If you send us code to
-distribute with Tor, it needs to be code that we can distribute
-under those terms.  Please don't send us patches unless you agree
-to allow this.
-
-Some compatible licenses include:
-
-  - 3-clause BSD
-  - 2-clause BSD
-  - CC0 Public Domain Dedication

Makefile.am

@@ -38,7 +38,6 @@ include contrib/include.am
 
 EXTRA_DIST+= \
 	ChangeLog					\
-	CONTRIBUTING					\
 	INSTALL						\
 	LICENSE						\
 	Makefile.nmake					\
@@ -52,14 +51,14 @@ AM_ETAGSFLAGS=--regex='{c}/MOCK_IMPL([^,]+,\W*\([a-zA-Z0-9_]+\)\W*,/\1/s'
 if COVERAGE_ENABLED
 TEST_CFLAGS=-fno-inline -fprofile-arcs -ftest-coverage
 if DISABLE_ASSERTS_IN_UNIT_TESTS
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE -DDISABLE_ASSERTS_IN_UNIT_TESTS @TOR_MODULES_ALL_ENABLED@
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE -DDISABLE_ASSERTS_IN_UNIT_TESTS
 else
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE @TOR_MODULES_ALL_ENABLED@
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE
 endif
 TEST_NETWORK_FLAGS=--coverage --hs-multi-client 1
 else
 TEST_CFLAGS=
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS @TOR_MODULES_ALL_ENABLED@
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS
 TEST_NETWORK_FLAGS=--hs-multi-client 1
 endif
 TEST_NETWORK_WARNING_FLAGS=--quiet --only-warnings
@@ -218,26 +217,6 @@ check-logs:
 	$(top_srcdir)/scripts/maint/checkLogs.pl \
 		$(top_srcdir)/src/*/*.[ch] | sort -n
 
-.PHONY: check-typos
-check-typos:
-	@if test -x "`which misspell 2>&1;true`"; then \
-		echo "Checking for Typos ..."; \
-		(misspell \
-			$(top_srcdir)/src/[^e]*/*.[ch] \
-			$(top_srcdir)/doc \
-			$(top_srcdir)/contrib \
-			$(top_srcdir)/scripts \
-			$(top_srcdir)/README \
-			$(top_srcdir)/ChangeLog \
-			$(top_srcdir)/INSTALL \
-			$(top_srcdir)/ReleaseNotes \
-			$(top_srcdir)/LICENSE); \
-	else \
-		echo "Tor can use misspell to check for typos."; \
-		echo "It seems that you don't have misspell installed."; \
-		echo "You can install the latest version of misspell here: https://github.com/client9/misspell#install"; \
-	fi
-
 .PHONY: check-changes
 check-changes:
 if USEPYTHON

changes/25857

@@ -0,0 +1,3 @@
+  o Documentation:
+    - Correct an IPv6 error in the documentation for ExitPolicy.
+      Closes ticket 25857.  Patch from "CTassisF".

changes/bug21394.2

@@ -0,0 +1,7 @@
+  o Minor bugfix (Exit node DNS retries):
+    - Re-attempt timed-out DNS queries 3 times before failure, since our
+      timeout is 5 seconds for them, but clients wait 10-15. Also allow
+      slightly more timeouts per resolver before giving up on it in the
+      case where an exit has multiple resolvers configured. Fixes bug 21394;
+      bugfix on 0.3.1.9.
+

changes/bug22310

@@ -0,0 +1,8 @@
+  o Major bugfixes (performance, load balancing):
+    - Directory authorities no longer vote in favor of the Guard flag
+      for relays that don't advertise directory support. Starting in Tor
+      0.3.0.1-alpha, Tor clients have been avoiding using such relays in
+      the Guard position, leading to increasingly broken load balancing
+      for the 5%-or-so of Guards that don't advertise directory support.
+      Fixes bug 22310; bugfix on 0.3.0.6.
+

changes/bug23693.1

@@ -0,0 +1,4 @@
+  o Minor bugfixes (relay, crash):
+    - Avoid a crash when running with DirPort set but ORPort tuned off.
+      Fixes a case of bug 23693; bugfix on 0.3.1.1-alpha.
+

changes/bug24031

@@ -0,0 +1,13 @@
+  o Major bugfixes (protover, voting):
+    - Revise Rust implementation of protover to use a more memory-efficient
+      voting algorithm and corresponding data structures, thus avoiding a
+      potential (but small impact) DoS attack where specially crafted protocol
+      strings would expand to several potential megabytes in memory.  In the
+      process, several portions of code were revised to be methods on new,
+      custom types, rather than functions taking interchangeable types, thus
+      increasing type safety of the module.  Custom error types and handling
+      were added as well, in order to facilitate better error dismissal/handling
+      in outside crates and avoid mistakenly passing an internal error string to
+      C over the FFI boundary.  Many tests were added, and some previous
+      differences between the C and Rust implementations have been
+      remedied. Fixes bug 24031; bugfix on 0.3.3.1-alpha.

changes/bug24767

@@ -0,0 +1,5 @@
+  o Major bugfixes (relay, connection):
+    - Refuse to connect again to a relay from which we failed previously with
+      a connection refused, timeout or error (at the TCP level). The relay
+      won't be retried for 60 seconds after the failure occured. Fixes bug
+      24767; bugfix on 0.0.6.

changes/bug24769

@@ -0,0 +1,7 @@
+  o Minor bugfixes (performance):
+    - Reduce the number of circuits that can be opened at once during the
+      circuit build timeout phase. This is done by increasing the idle timeout
+      to 3 minutes, and lowering the maximum number of concurrent learning
+      circuits to 10. Fixes bug 24769; bugfix on 0.3.1.1-alpha.
+
+

changes/bug24782

@@ -0,0 +1,4 @@
+  o Minor features (config options):
+    - Change the way the default value for MaxMemInQueues is calculated. We now
+      use 0.4 * RAM if the system have 8 GB RAM or more, otherwise we use the
+      former value of 0.75 * RAM. Closes ticket 24782.

changes/bug24854

@@ -0,0 +1,3 @@
+  o Code simplification and refactoring:
+    - Move the list of default directory authorities to their own file for
+      inclusion using the C preprocessor. Closes ticket 24854. Patch by "beastr0".

changes/bug24903

@@ -0,0 +1,5 @@
+  o Minor bugfixes (controller, reliability):
+    - Avoid a (nonfatal) assertion failure when extending a one-hop circuit
+      from the controller to become a multihop circuit. Fixes bug 24903;
+      bugfix on 0.2.5.2-alpha.
+

changes/bug24904

@@ -0,0 +1,4 @@
+  o Minor bugfix (channel, client):
+    - Better identify client connection when reporting to the geoip client
+      cache. Fixes bug 24904; bugfix on 0.3.1.7.
+

changes/bug24969

@@ -0,0 +1,3 @@
+  o Minor bugfixes (Linux seccomp2 sandbox):
+    - Allow the nanosleep() system call, which glibc uses to implement
+      sleep() and usleep(). Fixes bug 24969; bugfix on 0.2.5.1-alpha.

changes/bug24978

@@ -0,0 +1,7 @@
+  o Minor features (compatibility, OpenSSL):
+    - Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
+      Previous versions of Tor would not have worked with OpenSSL
+      1.1.1, since they neither disabled TLS 1.3 nor enabled any of the
+      ciphersuites it requires. Here we enable the TLS 1.3 ciphersuites.
+      Closes ticket 24978.
+

changes/bug24989

@@ -0,0 +1,4 @@
+  o Minor bugfixes (hidden services):
+    - Re-instate counting pending client HSDir fetch circuits against the
+      MaxClientCircuitsPending rate limit. Fixes bug 24989; bugfix on
+      0.3.3.0-alpha-dev.

changes/bug25120

@@ -0,0 +1,4 @@
+  o Minor features (logging):
+    - Clarify the log messages produced when getrandom() or a related
+      entropy-generation mechanism gives an error. Closes ticket
+      25120.

changes/bug25213

@@ -0,0 +1,5 @@
+  o Minor bugfixes (warnings, ipv6):
+    - Avoid a bug warning that could occur when trying to connect to
+      a relay over IPv6 on a Tor instance that downloads router descriptors,
+      but prefers to use microdescriptors. Fixes bug 25213; bugfix on
+      0.3.3.1-alpha.

changes/bug25223

@@ -0,0 +1,4 @@
+  o Minor bugfixes (DoS mitigation):
+    - Make sure we don't modify consensus parameters if we aren't a public
+      relay when a new consensus arrives. Fixes bug 25223; bugfix on
+      0.3.3.2-alpha.

changes/bug25226

@@ -0,0 +1,4 @@
+  o Major bugfixes (relay, denial of service):
+    - Impose a limit on circuit cell queue size. The limit can be controlled by
+      a consensus parameter. Fixes bug 25226; bugfix on 0.2.4.14-alpha.
+

changes/bug25249

@@ -0,0 +1,3 @@
+  o Minor bugfixes (spec conformance):
+    - Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
+      0.2.9.4-alpha.

changes/bug25249.2

@@ -0,0 +1,3 @@
+  o Minor bugfixes (spec conformance):
+    - Forbid UINT32_MAX as a protocol version.  Fixes part of bug 25249;
+      bugfix on 0.2.9.4-alpha.

changes/bug25296_032

@@ -0,0 +1,5 @@
+  o Minor bugfixes (documentation):
+    - Document that the PerConnBW{Rate,Burst} options will fall back to their
+      corresponding consensus parameters only if those parameters are
+      set. Previously we had claimed that these values would always be
+      set in the consensus. Fixes bug 25296; bugfix on 0.2.2.7-alpha.

changes/bug25306

@@ -0,0 +1,6 @@
+  o Minor bugfixes (hidden service v3):
+    - Avoid asserting when building descriptors in the next rotation time is
+      out of sync with the consensus valid after time. Instead, log a bug
+      warning with extra information to hunt down the cause of this assert.
+      Fixes bug 25306; bugfix on 0.3.2.1-alpha.
+

changes/bug25372

@@ -0,0 +1,3 @@
+  o Minor features (log messages):
+    - Improve log message in the out of memory handler to include information
+      about memory usage from the different compression backends. Closes ticket 25372.

changes/bug25378

@@ -0,0 +1,4 @@
+  o Documentation:
+    - Update the documentation for "Log" to include the current list
+      of logging domains. Closes ticket 25378.
+

changes/bug25415

@@ -0,0 +1,4 @@
+  o Major bugfixes (directory authority):
+    - Avoid a crash when testing router reachability on a router that could
+      have an ed25519 ID, but which does not. Fixes bug 25415; bugfix on
+      0.3.3.2-alpha.

changes/bug25450

@@ -0,0 +1,8 @@
+  o Minor bugfixes (testing):
+    - Avoid intermittent test failures due to relying on hidden service
+      introductory point creation within 5 seconds of real clock time.  The
+      time limit for the test has been increased to 500 seconds, which may
+      still result in intermittent failures (e.g. if the system doing the
+      testing enters sleep/hibernation or experiences some other clock jump).
+      However, this should elliminate test failures currently happening on
+      developer and CI systems.  Fixes bug 25450; bugfix on 0.3.1.3-alpha.

changes/bug25474

@@ -0,0 +1,5 @@
+  o Minor bugfixes (compilation):
+    - Fix a c99 compliance issue in our configuration script that was
+      causing compilation issues when compiling Tor with certain
+      versions of xtools. Fixes bug 25474; bugfix on 0.3.2.5-alpha.
+

changes/bug25479

@@ -0,0 +1,4 @@
+  o Major bugfixes (benchmarks):
+    - Fix a crash when running benchmark tests on win32 systems which
+      was due to an uninitialised mutex before logging and options
+      were initialised.  Fixes bug 25479; bugfix on 0.3.3.3-alpha.

changes/bug25560

@@ -0,0 +1,5 @@
+  o Minor bugfixes (testing, rust):
+    - Some of our Rust crates were not having their tests run with `make
+      test-rust` due to a static string in the `src/test/test_rust.sh` script
+      specifying which crates to test.  Rust crates are not automatically
+      detected and tested.  Fixes bug 25560; bugfix on 0.3.3.3-alpha.

changes/bug25581

@@ -0,0 +1,4 @@
+  o Minor bugfixes (configuration):
+    - Remove undescores from the _HSLayer{2,3}Nodes options. This expert-user
+      configuration can now be enabled as HSLayer{2,3}Nodes. Fixes bug 25581;
+      bugfix on 0.3.3.1-alpha

changes/bug25582

@@ -0,0 +1,3 @@
+  o Minor bugfixes (documentation):
+    - Revert a misformatting issue in the ExitPolicy
+      documentation. Fixes bug 25582; bugfix on 0.3.3.1-alpha.

changes/bug25617

@@ -0,0 +1,5 @@
+  o Minor bugfixes (controller):
+    - Restore the correct operation of the RESOLVE command, which had
+      been broken since we added the ability to enable/disable DNS
+      on specific listener ports. Fixes bug 25617; bugfix on 0.2.9.3-alpha.
+

changes/bug25629

@@ -0,0 +1,3 @@
+  o Minor bugfixes (C correctness):
+    - Fix a very unlikely null pointer dereference.  Fixes bug 25629;
+      bugfix on 0.2.9.15.  Found by Coverity; this is CID 1430932.

changes/bug25664

@@ -0,0 +1,3 @@
+  o New system requirements:
+    - When built with Rust, Tor now depends on version 0.2.39 of the libc
+      crate. Closes tickets 25310 and 25664.

changes/bug25679

@@ -0,0 +1,4 @@
+  o Minor bugfixes (compilation, rust):
+    - Build correctly when the rust dependencies submodule is loaded,
+      but the TOR_RUST_DEPENDENCIES environment variable is not set.
+      Fixes bug 25679; bugfix on 0.3.3.1-alpha.

changes/bug25691

@@ -0,0 +1,6 @@
+  o Minor bugfixes (client):
+    - When using a listed relay as a bridge, and also using
+      microdescriptors, and considering that relay as a non-bridge in
+      a circuit, consider its microdescriptor as a valid source of information
+      about that relay. Fixes bug 25691; bugfix on 0.3.3.4-alpha.
+

changes/bug25691_again

@@ -0,0 +1,6 @@
+  o Minor bugfixes (path selection):
+    - Only select relays when they have the descriptors we prefer to
+      use for them. This change fixes a bug where we could select
+      a relay because it had _some_ descriptor, but reject it later with
+      a nonfatal assertion error because it didn't have the exact one we
+      wanted. Fixes bugs 25691 and 25692; bugfix on 0.3.3.4-alpha.

changes/bug25732

@@ -0,0 +1,4 @@
+  o Minor bugfixes (distribution, compilation):
+    - Actually include all of our Rust source in our source
+      distributions. (Previously, a few of the files were accidentally
+      omitted.) Fixes bug 25732; bugfix on 0.3.3.2-alpha.

changes/bug25733

@@ -0,0 +1,4 @@
+  o Minor bugfixes (Assert crash):
+    - Avoid an assert in the circuit build timeout code if we fail to
+      allow any circuits to actually complete. Fixes bug 25733;
+      bugfix on 0.2.2.2-alpha.

changes/bug25761

@@ -0,0 +1,3 @@
+  o Major bugfixes (onion service):
+    - Correctly detect when onion services get disabled after HUP.
+      Fixes bug 25761; bugfix on 0.3.2.1.

changes/bug25901

@@ -0,0 +1,3 @@
+  o Minor bugfixes (hidden service v3):
+    - Fix a memory leak when an hidden service v3 is configured and gets a
+      SIGHUP signal. Fixes bug 25901; bugfix on 0.3.2.1-alpha.

changes/bug25939

@@ -1,3 +0,0 @@
-  o Minor bugfixes (onion services):
-    - Fix a bug that blocked the creation of ephemeral v3 onion services. Fixes
-      bug 25939; bugfix on 0.3.4.1-alpha.

changes/bug26007

@@ -0,0 +1,5 @@
+  o Major bugfixes (directory authorities, security):
+    - When directory authorities read a zero-byte bandwidth file, they log
+      a warning with the contents of an uninitialised buffer. Log a warning
+      about the empty file instead.
+      Fixes bug 26007; bugfix on 0.2.2.1-alpha.

changes/bug26052

@@ -0,0 +1,6 @@
+  o Minor bugfixes (documentation):
+    - Stop saying in the manual that clients cache ipv4 dns answers
+      from exit relays. We haven't used them since 0.2.6.3-alpha, and
+      in ticket 24050 we stopped even caching them as of 0.3.2.6-alpha,
+      but we forgot to say so in the man page. Fixes bug 26052; bugfix
+      on 0.3.2.6-alpha.

changes/bug26069

@@ -0,0 +1,5 @@
+  o Minor bugfixes (hidden service v3):
+    - When parsing the descriptor signature, look for the token plus an extra
+      white-space at the end. This is more correct but also will allow us to
+      support new fields that might start with "signature". Fixes bug 26069;
+      bugfix on 0.3.0.1-alpha.

changes/bug26072

@@ -0,0 +1,5 @@
+  o Minor bugfixes (correctness, client):
+    - Upon receiving a malformed connected cell, stop processing the cell
+      immediately.  Previously we would mark the connection for close, but
+      continue processing the cell as if the connection were open. Fixes bug
+      26072; bugfix on 0.2.4.7-alpha.

changes/bug26101_26102

@@ -1,5 +0,0 @@
-  o Minor bugfixes (test coverage tools):
-    - Update our "cov-diff" script to handle output from the latest
-      version of gcov, and to remove extraneous timestamp information
-      from its output. Fixes bugs 26101 and 26102; bugfix on
-      0.2.5.1-alpha.

changes/bug26156

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Fix compilation when building with OpenSSL 1.1.0 with the
-      "no-deprecated" flag enabled. Fixes bug 26156; bugfix on 0.3.4.1-alpha.

changes/bug26259

@@ -1,4 +0,0 @@
-  o Minor bugfixes (control port):
-    - Do not count 0-length RELAY_COMMAND_DATA cells as valid data in CIRC_BW
-      events. Previously, such cells were counted entirely in the OVERHEAD
-      field. Now they are not. Fixes bug 26259; bugfix on 0.3.4.1-alpha.

changes/bugs_25036_25055

@@ -0,0 +1,7 @@
+  o Minor bugfixes (networking):
+    - Tor will not reject IPv6 address strings from TorBrowser when they
+      are passed as hostnames in SOCKS5 requests. Fixes bug 25036,
+      bugfix on Tor 0.3.1.2.
+    - string_is_valid_hostname() will not consider IP strings to be valid
+      hostnames. Fixes bug 25055; bugfix on Tor 0.2.5.5.
+

changes/coveralls

@@ -0,0 +1,3 @@
+  o Minor features (continuous integration):
+    - Our Travis CI configuration now integrates with the Coveralls coverage
+      analysis tool. Closes ticket 25818.

changes/doc25237

@@ -1,4 +0,0 @@
-  o Documentation:
-    - In code comment, point the reader to the exact section
-      in Tor specification that specifies circuit close error
-      code values. Resolves ticket 25237.

changes/feature25313

@@ -0,0 +1,4 @@
+  o Minor features (sandbox):
+    - Explicitly permit the poll() system call when the Linux seccomp2-based
+      sandbox is enabled: apparently, some versions of libc use poll() when
+      calling getpwnam(). Closes ticket 25313.

changes/geoip-2018-03-08

@@ -0,0 +1,4 @@
+  o Minor features (geoip):
+    - Update geoip and geoip6 to the March 8 2018 Maxmind GeoLite2
+      Country database. Closes ticket 25469.
+

changes/geoip-2018-04-03

@@ -0,0 +1,4 @@
+  o Minor features (geoip):
+    - Update geoip and geoip6 to the April 3 2018 Maxmind GeoLite2
+      Country database. Closes ticket 25718.
+

changes/geoip-2018-05-01

@@ -0,0 +1,4 @@
+  o Minor features (geoip):
+    - Update geoip and geoip6 to the May 1 2018 Maxmind GeoLite2
+      Country database. Closes ticket 26104.
+

changes/refactor23814

@@ -0,0 +1,4 @@
+  o Code simplification and refactoring:
+    - Remove the old (deterministic) directory retry logic entirely:
+      We've used exponential backoff exclusively for some time.
+      Closes ticket 23814.

changes/ticket23635

@@ -0,0 +1,3 @@
+  o Documentation:
+    - Improved the documentation of AccountingStart paremeter.
+      Closes ticket 23635.

changes/ticket24343

@@ -0,0 +1,6 @@
+  o Minor bugfixes (man page, SocksPort):
+    - Remove dead code about the old "SocksSockets" option. To do so, the
+      SocksSocketsGroupWritable option has been renamed to
+      UnixSockssGroupWritable which does the same exact thing. The old option
+      is still usable but will warn that it is deprecated. Fixes bug 24343;
+      bugfix on 0.2.6.3.

changes/ticket25071

@@ -0,0 +1,4 @@
+  o Minor features (testing):
+    - Add a "make test-rust" target to run the rust tests only.
+      Closes ticket 25071.
+

changes/ticket25202

@@ -0,0 +1,4 @@
+  o Minor bugfixes (DoS mitigation):
+    - Add extra safety checks when refilling the circuit creation bucket to
+      ensure we never set a value that is above the allowed burst. Fixes
+      bug 25202; bugfix on 0.3.3.2-alpha.

changes/ticket25248

@@ -0,0 +1,4 @@
+  o Documentation (manpage, denial of service):
+    - Better detail the denial of service options by listing the different
+      mitigation in place. Closes ticket 25248.
+

changes/ticket25323

@@ -0,0 +1,4 @@
+  o Code simplification and refactoring:
+    - Update the "rust dependencies" submodule to be an project-level
+      repository, rather than a user repository. Closes ticket 25323.
+

changes/ticket25549

@@ -1,4 +0,0 @@
-  o Minor features (continuous integration):
-    - Add the necessary configuration files for continuous integration
-      testing on Windows, via the Appveyor platform. Closes ticket 25549.
-      Patches from Marcin Cieślak and Isis Lovecruft.

changes/ticket25714

@@ -0,0 +1,4 @@
+  o Minor feature (continuous integration):
+    - Update the Travis CI configuration to use the stable Rust
+      channel, now that we have decided to require that.  Closes
+      ticket 25714.

changes/ticket26006

@@ -0,0 +1,4 @@
+  o Minor features (compilation, portability):
+    - Avoid some compilation warnings with recent versions
+      of LibreSSL. Closes ticket 26006.
+

changes/ticket26062

@@ -0,0 +1,3 @@
+  o Minor bugfixes (client):
+    - Don't consider Tor running as a client if the ControlPort is open. Fixes
+      bug 26062; bugfix on 0.2.9.4-alpha.

changes/travis_distcheck

@@ -0,0 +1,4 @@
+  o Minor features (continuous integration):
+    - Our .travis.yml configuration now includes support for testing
+      the results of "make distcheck". (It's not uncommon for "make check" to
+      pass but "make distcheck" to fail.)  Closes ticket 25814.

changes/trove-2018-001.1

@@ -0,0 +1,6 @@
+  o Major bugfixes (denial-of-service, directory authority):
+    - Fix a protocol-list handling bug that could be used to remotely crash
+      directory authorities with a null-pointer exception. Fixes bug 25074;
+      bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001.
+
+

changes/trove-2018-004

@@ -0,0 +1,8 @@
+  o Minor bugfixes (denial-of-service):
+    - Fix a possible crash on malformed consensus. If a consensus had
+      contained an unparseable protocol line, it could have made clients
+      and relays crash with a null-pointer exception. To exploit this
+      issue, however, an attacker would need to be able to subvert the
+      directory-authority system. Fixes bug 25251; bugfix on
+      0.2.9.4-alpha. Also tracked as TROVE-2018-004.
+

configure.ac

@@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2017, The Tor Project, Inc.
 dnl See LICENSE for licensing information
 
 AC_PREREQ([2.63])
-AC_INIT([tor],[0.3.4.1-alpha-dev])
+AC_INIT([tor],[0.3.3.6-dev])
 AC_CONFIG_SRCDIR([src/or/main.c])
 AC_CONFIG_MACRO_DIR([m4])
 
@@ -61,8 +61,6 @@ AC_ARG_ENABLE(cargo-online-mode,
    AS_HELP_STRING(--enable-cargo-online-mode, [Allow cargo to make network requests to fetch crates. For builds with rust only.]))
 AC_ARG_ENABLE(restart-debugging,
    AS_HELP_STRING(--enable-restart-debugging, [Build Tor with support for debugging in-process restart. Developers only.]))
-AC_ARG_ENABLE(zstd-advanced-apis,
-   AS_HELP_STRING(--disable-zstd-advanced-apis, [Build without support for zstd's "static-only" APIs.]))
 
 if test "x$enable_coverage" != "xyes" -a "x$enable_asserts_in_tests" = "xno" ; then
     AC_MSG_ERROR([Can't disable assertions outside of coverage build])
@@ -116,10 +114,6 @@ if test "$enable_restart_debugging" = "yes"; then
             [Defined if we're building with support for in-process restart debugging.])
 fi
 
-if test "$enable_zstd_advanced_apis" != "no"; then
-   AC_DEFINE(ENABLE_ZSTD_ADVANCED_APIS, 1,
-             [Defined if we're going to try to use zstd's "static-only" APIs.])
-fi
 
 # systemd support
 if test "x$enable_systemd" = "xno"; then
@@ -230,31 +224,6 @@ if test "x$enable_android" = "xyes"; then
 
 fi
 
-dnl ---
-dnl Tor modules options. These options are namespaced with --disable-module-XXX
-dnl ---
-
-dnl All our modules.
-m4_define(MODULES, dirauth)
-
-dnl Directory Authority module.
-AC_ARG_ENABLE([module-dirauth],
-              AS_HELP_STRING([--disable-module-dirauth],
-                             [Do not build tor with the dirauth module]),
-              [], dnl Action if-given
-              AC_DEFINE([HAVE_MODULE_DIRAUTH], [1],
-                        [Compile with Directory Authority feature support]))
-AM_CONDITIONAL(BUILD_MODULE_DIRAUTH, [test "x$enable_module_dirauth" != "xno"])
-
-dnl Helper variables.
-TOR_MODULES_ALL_ENABLED=
-AC_DEFUN([ADD_MODULE], [
-    MODULE=m4_toupper($1)
-    TOR_MODULES_ALL_ENABLED="${TOR_MODULES_ALL_ENABLED} -DHAVE_MODULE_${MODULE}=1"
-])
-m4_foreach_w([module], MODULES, [ADD_MODULE([module])])
-AC_SUBST(TOR_MODULES_ALL_ENABLED)
-
 dnl check for the correct "ar" when cross-compiling.
 dnl   (AM_PROG_AR was new in automake 1.11.2, which we do not yet require,
 dnl    so kludge up a replacement for the case where it isn't there yet.)
@@ -306,10 +275,7 @@ fi
 AM_CONDITIONAL(USEPYTHON, [test "x$PYTHON" != "x"])
 
 dnl List all external rust crates we depend on here. Include the version
-rust_crates=" \
-    digest-0.7.2 \
-    libc-0.2.39 \
-"
+rust_crates="libc-0.2.39"
 AC_SUBST(rust_crates)
 
 ifdef([AC_C_FLEXIBLE_ARRAY_MEMBER], [
@@ -581,7 +547,6 @@ AC_CHECK_FUNCS(
 	mach_approximate_time \
         memmem \
         memset_s \
-        mmap \
 	pipe \
 	pipe2 \
         prctl \
@@ -650,21 +615,6 @@ fi
 AM_CONDITIONAL(BUILD_READPASSPHRASE_C,
   test "x$ac_cv_func_readpassphrase" = "xno" && test "$bwin32" = "false")
 
-AC_MSG_CHECKING([whether free(NULL) works])
-AC_RUN_IFELSE([AC_LANG_PROGRAM([
-  #include <stdlib.h>
-], [
-char *p = NULL;
-free(p);
-])],
-[free_null_ok=true; AC_MSG_RESULT(yes)],
-[free_null_ok=false; AC_MSG_RESULT(no)],
-[free_null_ok=cross; AC_MSG_RESULT(cross)])
-
-if test "$free_null_ok" = "false"; then
-   AC_MSG_ERROR([Your libc implementation doesn't allow free(NULL), as required by C99.])
-fi
-
 dnl ------------------------------------------------------
 dnl Where do you live, libevent?  And how do we call you?
 
@@ -816,18 +766,9 @@ AC_ARG_WITH(ssl-dir,
 
 AC_MSG_NOTICE([Now, we'll look for OpenSSL >= 1.0.1])
 TOR_SEARCH_LIBRARY(openssl, $tryssldir, [-lssl -lcrypto $TOR_LIB_GDI $TOR_LIB_WS32],
-    [#include <openssl/ssl.h>
-     char *getenv(const char *);],
-    [struct ssl_cipher_st;
-     unsigned SSL_CIPHER_get_id(const struct ssl_cipher_st *);
-     char *getenv(const char *);],
-    dnl This funny-looking test program calls getenv, so that the compiler
-    dnl will neither make code that call SSL_CIPHER_get_id(NULL) [producing
-    dnl a crash], nor optimize out the call to SSL_CIPHER_get_id().
-    dnl We look for SSL_cipher_get_id() because it is present in
-    dnl OpenSSL >=1.0.1, because it is not deprecated, and because Tor
-    dnl depends on it.
-    [if (getenv("THIS_SHOULDNT_BE_SET_X201803")) SSL_CIPHER_get_id((void *)0);], [],
+    [#include <openssl/ssl.h>],
+    [struct ssl_method_st; const struct ssl_method_st *TLSv1_1_method(void);],
+    [TLSv1_1_method();], [],
     [/usr/local/opt/openssl /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /opt/openssl])
 
 dnl XXXX check for OPENSSL_VERSION_NUMBER == SSLeay()
@@ -894,10 +835,6 @@ AC_CHECK_MEMBERS([SSL.state], , ,
 [#include <openssl/ssl.h>
 ])
 
-AC_CHECK_SIZEOF(SHA_CTX, , [AC_INCLUDES_DEFAULT()
-#include <openssl/sha.h>
-])
-
 dnl Define the set of checks for KIST scheduler support.
 AC_DEFUN([CHECK_KIST_SUPPORT],[
   dnl KIST needs struct tcp_info and for certain members to exist.
@@ -1016,16 +953,6 @@ if test "x$have_zstd" = "xyes"; then
     AC_DEFINE(HAVE_ZSTD,1,[Have Zstd])
     TOR_ZSTD_CFLAGS="${ZSTD_CFLAGS}"
     TOR_ZSTD_LIBS="${ZSTD_LIBS}"
-
-    dnl now check for zstd functions
-    save_LIBS="$LIBS"
-    save_CFLAGS="$CFLAGS"
-    LIBS="$LIBS $ZSTD_LIBS"
-    CFLAGS="$CFLAGS $ZSTD_CFLAGS"
-    AC_CHECK_FUNCS(ZSTD_estimateCStreamSize \
-                   ZSTD_estimateDCtxSize)
-    LIBS="$save_LIBS"
-    CFLAGS="$save_CFLAGS"
 fi
 AC_SUBST(TOR_ZSTD_CFLAGS)
 AC_SUBST(TOR_ZSTD_LIBS)
@@ -1778,6 +1705,14 @@ AC_CHECK_DECLS([mlockall], , , [
 #include <sys/mman.h>
 #endif])
 
+# Some MinGW environments don't have getpagesize in unistd.h. We don't use
+# AC_CHECK_FUNCS(getpagesize), because other environments rename getpagesize
+# using macros
+AC_CHECK_DECLS([getpagesize], , , [
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif])
+
 # Allow user to specify an alternate syslog facility
 AC_ARG_WITH(syslog-facility,
 AS_HELP_STRING(--with-syslog-facility=LOG, [syslog facility to use (default=LOG_DAEMON)]),
@@ -1915,12 +1850,6 @@ AC_SUBST(BUILDDIR)
 AH_TEMPLATE([BUILDDIR],[tor's build directory])
 AC_DEFINE_UNQUOTED(BUILDDIR,"$BUILDDIR")
 
-if test "x$SRCDIR" = "x"; then
-  SRCDIR=$(cd "$srcdir"; pwd)
-fi
-AH_TEMPLATE([SRCDIR],[tor's sourcedir directory])
-AC_DEFINE_UNQUOTED(SRCDIR,"$SRCDIR")
-
 if test "x$CONFDIR" = "x"; then
   CONFDIR=`eval echo $sysconfdir/tor`
 fi

contrib/win32build/tor-mingw.nsi.in

@@ -8,7 +8,7 @@
 !include "LogicLib.nsh"
 !include "FileFunc.nsh"
 !insertmacro GetParameters
-!define VERSION "0.3.4.1-alpha-dev"
+!define VERSION "0.3.3.6-dev"
 !define INSTALLER "tor-${VERSION}-win32.exe"
 !define WEBSITE "https://www.torproject.org/"
 !define LICENSE "LICENSE"

doc/HACKING/CodingStandards.md

@@ -42,23 +42,6 @@ If you have changed build system components:
    - For example, if you have changed Makefiles, autoconf files, or anything
      else that affects the build system.
 
-License issues
-==============
-
-Tor is distributed under the license terms in the LICENSE -- in
-brief, the "3-clause BSD license".  If you send us code to
-distribute with Tor, it needs to be code that we can distribute
-under those terms.  Please don't send us patches unless you agree
-to allow this.
-
-Some compatible licenses include:
-
-  - 3-clause BSD
-  - 2-clause BSD
-  - CC0 Public Domain Dedication
-
-
-
 How we use Git branches
 =======================
 
@@ -434,4 +417,3 @@ the functions that call your function rely on it doing something, then your
 function should mention that it does that something in the documentation.  If
 you rely on a function doing something beyond what is in its documentation,
 then you should watch out, or it might do something else later.
-

doc/HACKING/CodingStandardsRust.md

@@ -324,26 +324,12 @@ Here are some additional bits of advice and rules:
             }
         }
 
-3. Pass only C-compatible primitive types and bytes over the boundary
+3. Pass only integer types and bytes over the boundary
 
-   Rust's C-compatible primitive types are integers and floats.
-   These types are declared in the [libc crate](https://doc.rust-lang.org/libc/x86_64-unknown-linux-gnu/libc/index.html#types).
-   Most Rust objects have different [representations](https://doc.rust-lang.org/libc/x86_64-unknown-linux-gnu/libc/index.html#types)
-   in C and Rust, so they can't be passed using FFI.
-
-   Tor currently uses the following Rust primitive types from libc for FFI:
-   * defined-size integers: `uint32_t`
-   * native-sized integers: `c_int`
-   * native-sized floats: `c_double`
-   * native-sized raw pointers: `* c_void`, `* c_char`, `** c_char`
-
-   TODO: C smartlist to Stringlist conversion using FFI
-
-   The only non-primitive type which may cross the FFI boundary is
+   The only non-integer type which may cross the FFI boundary is
    bytes, e.g. `&[u8]`.  This SHOULD be done on the Rust side by
-   passing a pointer (`*mut libc::c_char`). The length can be passed
-   explicitly (`libc::size_t`), or the string can be NUL-byte terminated
-   C string.
+   passing a pointer (`*mut libc::c_char`) and a length
+   (`libc::size_t`).
 
    One might be tempted to do this via doing
    `CString::new("blah").unwrap().into_raw()`. This has several problems:

doc/HACKING/HelpfulTools.md

@@ -4,22 +4,6 @@ Useful tools
 These aren't strictly necessary for hacking on Tor, but they can help track
 down bugs.
 
-Travis CI
----------
-It's CI. Looks like this: https://travis-ci.org/torproject/tor.
-
-Runs automatically on Pull Requests sent to torproject/tor. You can set it up
-for your fork to build commits outside of PRs too:
-
-1. sign up for GitHub: https://github.com/join
-2. fork https://github.com/torproject/tor:
-   https://help.github.com/articles/fork-a-repo/
-3. follow https://docs.travis-ci.com/user/getting-started/#To-get-started-with-Travis-CI.
-   skip steps involving `.travis.yml` (we already have one).
-
-Builds should show up on the web at travis-ci.com and on IRC at #tor-ci on
-OFTC. If they don't, ask #tor-dev (also on OFTC).
-
 Jenkins
 -------
 

doc/HACKING/Module.md

@@ -1,111 +0,0 @@
-# Modules in Tor #
-
-This document describes the build system and coding standards when writing a
-module in Tor.
-
-## What is a module? ##
-
-In the context of the tor code base, a module is a subsystem that we can
-selectively enable or disable, at `configure` time.
-
-Currently, there is only one module:
-
-  - Directory Authority subsystem (dirauth)
-
-It is located in its own directory in `src/or/dirauth/`. To disable it, one
-need to pass `--disable-module-dirauth` at configure time. All modules are
-currently enabled by default.
-
-## Build System ##
-
-The changes to the build system are pretty straightforward.
-
-1. Locate in the `configure.ac` file this define: `m4_define(MODULES`. It
-   contains a list (white-space separated) of the module in tor. Add yours to
-   the list.
-
-2. Use the `AC_ARG_ENABLE([module-dirauth]` template for your new module. We
-   use the "disable module" approach instead of enabling them one by one. So,
-   by default, tor will build all the modules.
-
-   This will define the `HAVE_MODULE_<name>` statement which can be used in
-   the C code to conditionally compile things for your module. And the
-   `BUILD_MODULE_<name>` is also defined for automake files (e.g: include.am).
-
-3. In the `src/or/include.am` file, locate the `MODULE_DIRAUTH_SOURCES` value.
-   You need to create your own `_SOURCES` variable for your module and then
-   conditionally add the it to `LIBTOR_A_SOURCES` if you should build the
-   module.
-
-   It is then **very** important to add your SOURCES variable to
-   `src_or_libtor_testing_a_SOURCES` so the tests can build it.
-
-4. Do the same for header files, locate `ORHEADERS +=` which always add all
-   headers of all modules so the symbol can be found for the module entry
-   points.
-
-Finally, your module will automatically be included in the
-`TOR_MODULES_ALL_ENABLED` variable which is used to build the unit tests. They
-always build everything in order to tests everything.
-
-## Coding ##
-
-As mentioned above, a module must be isolated in its own directory (name of
-the module) in `src/or/`.
-
-There are couples of "rules" you want to follow:
-
-* Minimize as much as you can the number of entry points into your module.
-  Less is always better but of course that doesn't work out for every use
-  case. However, it is a good thing to always keep that in mind.
-
-* Do **not** use the `HAVE_MODULE_<name>` define outside of the module code
-  base. Every entry point should have a second definition if the module is
-  disabled. For instance:
-
-  ```
-  #ifdef HAVE_MODULE_DIRAUTH
-
-  int sr_init(int save_to_disk);
-
-  #else /* HAVE_MODULE_DIRAUTH */
-
-  static inline int
-  sr_init(int save_to_disk)
-  {
-    (void) save_to_disk;
-    return 0;
-  }
-
-  #endif /* HAVE_MODULE_DIRAUTH */
-
-  ```
-
-  The main reason for this approach is to avoid having conditional code
-  everywhere in the code base. It should be centralized as much as possible
-  which helps maintainability but also avoids conditional spaghetti code
-  making the code much more difficult to follow/understand.
-
-* It is possible that you end up with code that needs to be used by the rest
-  of the code base but is still part of your module. As a good example, if you
-  look at `src/or/shared_random_client.c`: it contains code needed by the hidden
-  service subsystem but mainly related to the shared random subsystem very
-  specific to the dirauth module.
-
-  This is fine but try to keep it as lean as possible and never use the same
-  filename as the one in the module. For example, this is a bad idea and
-  should never be done:
-
-    - `src/or/shared_random.c`
-    - `src/or/dirauth/shared_random.c`
-
-* When you include headers from the module, **always** use the full module
-  path in your statement. Example:
-
-  `#include "dirauth/dirvote.h"`
-
-  The main reason is that we do **not** add the module include path by default
-  so it needs to be specified. But also, it helps our human brain understand
-  which part comes from a module or not.
-
-  Even **in** the module itself, use the full include path like above.

doc/HACKING/ReleasingTor.md

@@ -34,7 +34,7 @@ new Tor release:
 
    What about Coverity Scan?
 
-   What about clang scan-build?
+   What about clan scan-build?
 
    Does 'make distcheck' complain?
 

doc/include.am

@@ -35,15 +35,10 @@ EXTRA_DIST+= doc/asciidoc-helper.sh			\
 	     doc/TUNING						\
 	     doc/HACKING/README.1st.md				\
 	     doc/HACKING/CodingStandards.md 			\
-	     doc/HACKING/CodingStandardsRust.md			\
-	     doc/HACKING/Fuzzing.md				\
 	     doc/HACKING/GettingStarted.md 			\
-	     doc/HACKING/GettingStartedRust.md 			\
 	     doc/HACKING/HelpfulTools.md 			\
 	     doc/HACKING/HowToReview.md  			\
-	     doc/HACKING/Module.md				\
 	     doc/HACKING/ReleasingTor.md                        \
-	     doc/HACKING/Tracing.md				\
 	     doc/HACKING/WritingTests.md
 
 docdir = @docdir@

doc/tor.1.txt

@@ -311,9 +311,7 @@ GENERAL OPTIONS
     other than controller connections, and we close (and don't reattempt)
     any outbound
     connections.  Controllers sometimes use this option to avoid using
-    the network until Tor is fully configured.  Tor will make still certain
-    network-related calls (like DNS lookups) as a part of its configuration
-    process, even if DisableNetwork is set. (Default: 0)
+    the network until Tor is fully configured. (Default: 0)
 
 [[ConstrainedSockets]] **ConstrainedSockets** **0**|**1**::
     If set, Tor will tell the kernel to attempt to shrink the buffers for all
@@ -368,8 +366,7 @@ GENERAL OPTIONS
 
 [[ControlSocket]] **ControlSocket** __Path__::
     Like ControlPort, but listens on a Unix domain socket, rather than a TCP
-    socket. '0' disables ControlSocket. (Unix and Unix-like systems only.)
-    (Default: 0)
+    socket. '0' disables ControlSocket (Unix and Unix-like systems only.)
 
 [[ControlSocketsGroupWritable]] **ControlSocketsGroupWritable** **0**|**1**::
     If this option is set to 0, don't allow the filesystem group to read and
@@ -789,15 +786,17 @@ GENERAL OPTIONS
     This is useful when running on flash memory or other media that support
     only a limited number of writes. (Default: 0)
 
-[[CircuitPriorityHalflife]] **CircuitPriorityHalflife** __NUM__::
+[[CircuitPriorityHalflife]] **CircuitPriorityHalflife** __NUM1__::
     If this value is set, we override the default algorithm for choosing which
-    circuit's cell to deliver or relay next. It is delivered first to the
-    circuit that has the lowest weighted cell count, where cells are weighted
-    exponentially according to this value (in seconds). If the value is -1, it
-    is taken from the consensus if possible else it will fallback to the
-    default value of 30. Minimum: 1, Maximum: 2147483647. This can be defined
-    as a float value. This is an advanced option; you generally shouldn't have
-    to mess with it. (Default: -1)
+    circuit's cell to deliver or relay next. When the value is 0, we
+    round-robin between the active circuits on a connection, delivering one
+    cell from each in turn. When the value is positive, we prefer delivering
+    cells from whichever connection has the lowest weighted cell count, where
+    cells are weighted exponentially according to the supplied
+    CircuitPriorityHalflife value (in seconds). If this option is not set at
+    all, we use the behavior recommended in the current consensus
+    networkstatus. This is an advanced option; you generally shouldn't have
+    to mess with it. (Default: not set)
 
 [[CountPrivateBandwidth]] **CountPrivateBandwidth** **0**|**1**::
     If this option is set, then Tor's rate-limiting applies not only to
@@ -814,9 +813,10 @@ GENERAL OPTIONS
 
 [[NoExec]] **NoExec** **0**|**1**::
     If this option is set to 1, then Tor will never launch another
-    executable, regardless of the settings of ClientTransportPlugin
-    or ServerTransportPlugin.  Once this option has been set to 1,
-    it cannot be set back to 0 without restarting Tor. (Default: 0)
+    executable, regardless of the settings of PortForwardingHelper,
+    ClientTransportPlugin, or ServerTransportPlugin.  Once this
+    option has been set to 1, it cannot be set back to 0 without
+    restarting Tor. (Default: 0)
 
 [[Schedulers]] **Schedulers** **KIST**|**KISTLite**|**Vanilla**::
     Specify the scheduler type that tor should use. The scheduler is
@@ -1294,11 +1294,9 @@ The following options are useful only for clients (that is, if
     2 minutes)
 
 [[TokenBucketRefillInterval]] **TokenBucketRefillInterval** __NUM__ [**msec**|**second**]::
-    Set the refill delay interval of Tor's token bucket to NUM milliseconds.
-    NUM must be between 1 and 1000, inclusive.  When Tor is out of bandwidth,
-    on a connection or globally, it will wait up to this long before it tries
-    to use that connection again.
-    Note that bandwidth limits are still expressed in bytes per second: this
+    Set the refill interval of Tor's token bucket to NUM milliseconds.
+    NUM must be between 1 and 1000, inclusive.  Note that the configured
+    bandwidth limits are still expressed in bytes per second: this
     option only affects the frequency with which Tor checks to see whether
     previously exhausted connections may read again.
     Can not be changed while tor is running. (Default: 100 msec)
@@ -1355,13 +1353,6 @@ The following options are useful only for clients (that is, if
     number from the guard-n-primary-guards-to-use consensus parameter, and
     default to 1 if the consensus parameter isn't set. (Default: 0)
 
-[[NumPrimaryGuards]] **NumPrimaryGuards** __NUM__::
-    If UseEntryGuards is set to 1, we will try to pick NUM routers for our
-    primary guard list, which is the set of routers we strongly prefer when
-    connecting to the Tor network. If NUM is 0, we try to learn the number from
-    the guard-n-primary-guards consensus parameter, and default to 3 if the
-    consensus parameter isn't set. (Default: 0)
-
 [[NumDirectoryGuards]] **NumDirectoryGuards** __NUM__::
     If UseEntryGuards is set to 1, we try to make sure we have at least NUM
     routers to use as directory guards. If this option is set to 0, use the
@@ -1415,7 +1406,7 @@ The following options are useful only for clients (that is, if
 
 [[HTTPTunnelPort]] **HTTPTunnelPort**  \['address':]__port__|**auto** [_isolation flags_]::
     Open this port to listen for proxy connections using the "HTTP CONNECT"
-    protocol instead of SOCKS. Set this to
+    protocol instead of SOCKS. Set this to 0
     0 if you don't want to allow "HTTP CONNECT" connections. Set the port
     to "auto" to have Tor pick a port for you. This directive can be
     specified multiple times to bind to multiple addresses/ports.  See
@@ -1455,7 +1446,7 @@ The following options are useful only for clients (that is, if
     Set this to "default", or leave it unconfigured, to use regular IPTables
     on Linux, or to use pf +rdr-to+ rules on *BSD systems. +
  +
-    (Default: "default")
+    (Default: "default".)
 
 [[NATDPort]] **NATDPort** \['address':]__port__|**auto** [_isolation flags_]::
     Open this port to listen for connections from old versions of ipfw (as
@@ -1591,14 +1582,6 @@ The following options are useful only for clients (that is, if
     ExcludeNodes have higher priority than HSLayer2Nodes,
     which means that nodes specified in ExcludeNodes will not be
     picked.
- +
-    When either this option or HSLayer3Nodes are set, the /16 subnet
-    and node family restrictions are removed for hidden service
-    circuits. Additionally, we allow the guard node to be present
-    as the Rend, HSDir, and IP node, and as the hop before it. This
-    is done to prevent the adversary from inferring information
-    about our guard, layer2, and layer3 node choices at later points
-    in the path.
  +
     This option is meant to be managed by a Tor controller such as
     https://github.com/mikeperry-tor/vanguards that selects and
@@ -1645,14 +1628,6 @@ The following options are useful only for clients (that is, if
     ExcludeNodes have higher priority than HSLayer3Nodes,
     which means that nodes specified in ExcludeNodes will not be
     picked.
- +
-    When either this option or HSLayer2Nodes are set, the /16 subnet
-    and node family restrictions are removed for hidden service
-    circuits. Additionally, we allow the guard node to be present
-    as the Rend, HSDir, and IP node, and as the hop before it. This
-    is done to prevent the adversary from inferring information
-    about our guard, layer2, and layer3 node choices at later points
-    in the path.
   +
     This option is meant to be managed by a Tor controller such as
     https://github.com/mikeperry-tor/vanguards that selects and
@@ -1763,31 +1738,34 @@ The following options are useful only for clients (that is, if
     prevent your Tor client from bootstrapping.  If this option is negative,
     Tor will use a default value chosen by the directory authorities. If the
     directory authorities do not choose a value, Tor will default to 0.6.
-    (Default: -1)
+    (Default: -1.)
 
-[[ClientBootstrapConsensusAuthorityDownloadInitialDelay]] **ClientBootstrapConsensusAuthorityDownloadInitialDelay** __N__::
-    Initial delay in seconds for when clients should download consensuses from authorities
+[[ClientBootstrapConsensusAuthorityDownloadSchedule]] **ClientBootstrapConsensusAuthorityDownloadSchedule** __N__,__N__,__...__::
+    Schedule for when clients should download consensuses from authorities
     if they are bootstrapping (that is, they don't have a usable, reasonably
     live consensus). Only used by clients fetching from a list of fallback
     directory mirrors. This schedule is advanced by (potentially concurrent)
     connection attempts, unlike other schedules, which are advanced by
-    connection failures. (Default: 6)
+    connection failures. (Default: 6, 11, 3600, 10800, 25200, 54000, 111600,
+    262800)
 
-[[ClientBootstrapConsensusFallbackDownloadInitialDelay]] **ClientBootstrapConsensusFallbackDownloadInitialDelay** __N__::
-    Initial delay in seconds for when clients should download consensuses from fallback
+[[ClientBootstrapConsensusFallbackDownloadSchedule]] **ClientBootstrapConsensusFallbackDownloadSchedule** __N__,__N__,__...__::
+    Schedule for when clients should download consensuses from fallback
     directory mirrors if they are bootstrapping (that is, they don't have a
     usable, reasonably live consensus). Only used by clients fetching from a
     list of fallback directory mirrors. This schedule is advanced by
     (potentially concurrent) connection attempts, unlike other schedules,
-    which are advanced by connection failures. (Default: 0)
+    which are advanced by connection failures. (Default: 0, 1, 4, 11, 3600,
+    10800, 25200, 54000, 111600, 262800)
 
-[[ClientBootstrapConsensusAuthorityOnlyDownloadInitialDelay]] **ClientBootstrapConsensusAuthorityOnlyDownloadInitialDelay** __N__::
-    Initial delay in seconds for when clients should download consensuses from authorities
+[[ClientBootstrapConsensusAuthorityOnlyDownloadSchedule]] **ClientBootstrapConsensusAuthorityOnlyDownloadSchedule** __N__,__N__,__...__::
+    Schedule for when clients should download consensuses from authorities
     if they are bootstrapping (that is, they don't have a usable, reasonably
     live consensus). Only used by clients which don't have or won't fetch
     from a list of fallback directory mirrors. This schedule is advanced by
     (potentially concurrent) connection attempts, unlike other schedules,
-    which are advanced by connection failures. (Default: 0)
+    which are advanced by connection failures. (Default: 0, 3, 7, 3600,
+    10800, 25200, 54000, 111600, 262800)
 
 [[ClientBootstrapConsensusMaxInProgressTries]] **ClientBootstrapConsensusMaxInProgressTries** __NUM__::
     Try this many simultaneous connections to download a consensus before
@@ -1918,7 +1896,7 @@ is non-zero):
     If you want to use a reduced exit policy rather than the default exit
     policy, set "ReducedExitPolicy 1". If you want to _replace_ the default
     exit policy with your custom exit policy, end your exit policy with either
-    a reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending
+    a reject *:* or an accept *:*. Otherwise, you’re _augmenting_ (prepending
     to) the default or reduced exit policy. +
  +
     The default exit policy is:
@@ -2081,8 +2059,6 @@ is non-zero):
 [[Nickname]] **Nickname** __name__::
     Set the server's nickname to \'name'. Nicknames must be between 1 and 19
     characters inclusive, and must contain only the characters [a-zA-Z0-9].
-    If not set, **Unnamed** will be used. Relays can always be uniquely identified
-    by their identity fingerprints.
 
 [[NumCPUs]] **NumCPUs** __num__::
     How many processes to use at once for decrypting onionskins and other
@@ -2118,6 +2094,18 @@ is non-zero):
     For obvious reasons, NoAdvertise and NoListen are mutually exclusive, and
     IPv4Only and IPv6Only are mutually exclusive.
 
+[[PortForwarding]] **PortForwarding** **0**|**1**::
+    Attempt to automatically forward the DirPort and ORPort on a NAT router
+    connecting this Tor server to the Internet. If set, Tor will try both
+    NAT-PMP (common on Apple routers) and UPnP (common on routers from other
+    manufacturers). (Default: 0)
+
+[[PortForwardingHelper]] **PortForwardingHelper** __filename__|__pathname__::
+    If PortForwarding is set, use this executable to configure the forwarding.
+    If set to a filename, the system path will be searched for the executable.
+    If set to a path, only the specified path will be executed.
+    (Default: tor-fw-helper)
+
 [[PublishServerDescriptor]] **PublishServerDescriptor** **0**|**1**|**v3**|**bridge**,**...**::
     This option specifies which descriptors Tor will publish when acting as
     a relay. You can
@@ -2281,8 +2269,7 @@ is non-zero):
     sent and received by this relay, in addition to total cell counts.
     These statistics are rounded, and omitted if traffic is low. This
     information is important for load balancing decisions related to padding.
-    If ExtraInfoStatistics is enabled, it will be published
-    as a part of extra-info document. (Default: 1)
+    (Default: 1)
 
 [[DirReqStatistics]] **DirReqStatistics** **0**|**1**::
     Relays and bridges only.
@@ -2381,11 +2368,6 @@ is non-zero):
     KeywDirectory. If the option is set to 1, make the KeyDirectory readable
     by the default GID. (Default: 0)
 
-[[RephistTrackTime]] **RephistTrackTime** __N__ **seconds**|**minutes**|**hours**|**days**|**weeks**::
-    Tells an authority, or other node tracking node reliability and history,
-    that fine-grained information about nodes can be discarded when it hasn't
-    changed for a given amount of time.  (Default: 24 hours)
-
 
 DIRECTORY SERVER OPTIONS
 ------------------------
@@ -2755,6 +2737,11 @@ on the public Tor network.
     different identity.  This feature is used to migrate directory authority
     keys in the event of a compromise.  (Default: 0)
 
+[[RephistTrackTime]] **RephistTrackTime** __N__ **seconds**|**minutes**|**hours**|**days**|**weeks**::
+    Tells an authority, or other node tracking node reliability and history,
+    that fine-grained information about nodes can be discarded when it hasn't
+    changed for a given amount of time.  (Default: 24 hours)
+
 [[AuthDirHasIPv6Connectivity]] **AuthDirHasIPv6Connectivity** **0**|**1**::
     Authoritative directories only. When set to 0, OR ports with an
     IPv6 address are not included in the authority's votes. When set to 1,
@@ -2922,9 +2909,12 @@ The following options are used for running a testing Tor network.
        AssumeReachable 1
        AuthDirMaxServersPerAddr 0
        AuthDirMaxServersPerAuthAddr 0
-       ClientBootstrapConsensusAuthorityDownloadInitialDelay 0
-       ClientBootstrapConsensusFallbackDownloadInitialDelay 0
-       ClientBootstrapConsensusAuthorityOnlyDownloadInitialDelay 0
+       ClientBootstrapConsensusAuthorityDownloadSchedule 0, 2,
+          4 (for 40 seconds), 8, 16, 32, 60
+       ClientBootstrapConsensusFallbackDownloadSchedule 0, 1,
+          4 (for 40 seconds), 8, 16, 32, 60
+       ClientBootstrapConsensusAuthorityOnlyDownloadSchedule 0, 1,
+          4 (for 40 seconds), 8, 16, 32, 60
        ClientDNSRejectInternalAddresses 0
        ClientRejectInternalAddresses 0
        CountPrivateBandwidth 1
@@ -2939,16 +2929,17 @@ The following options are used for running a testing Tor network.
        TestingV3AuthInitialDistDelay 20 seconds
        TestingAuthDirTimeToLearnReachability 0 minutes
        TestingEstimatedDescriptorPropagationTime 0 minutes
-       TestingServerDownloadInitialDelay 0
-       TestingClientDownloadInitialDelay 0
-       TestingServerConsensusDownloadInitialDelay 0
-       TestingClientConsensusDownloadInitialDelay 0
-       TestingBridgeDownloadInitialDelay 10
-       TestingBridgeBootstrapDownloadInitialDelay 0
+       TestingServerDownloadSchedule 0, 0, 0, 5, 10, 15, 20, 30, 60
+       TestingClientDownloadSchedule 0, 0, 5, 10, 15, 20, 30, 60
+       TestingServerConsensusDownloadSchedule 0, 0, 5, 10, 15, 20, 30, 60
+       TestingClientConsensusDownloadSchedule 0, 0, 5, 10, 15, 20, 30, 60
+       TestingBridgeDownloadSchedule 10, 30, 60
+       TestingBridgeBootstrapDownloadSchedule 0, 0, 5, 10, 15, 20, 30, 60
        TestingClientMaxIntervalWithoutRequest 5 seconds
        TestingDirConnectionMaxStall 30 seconds
        TestingEnableConnBwEvent 1
        TestingEnableCellStatsEvent 1
+       TestingEnableTbEmptyEvent 1
 
 [[TestingV3AuthInitialVotingInterval]] **TestingV3AuthInitialVotingInterval** __N__ **minutes**|**hours**::
     Like V3AuthVotingInterval, but for initial voting interval before the first
@@ -2983,31 +2974,37 @@ The following options are used for running a testing Tor network.
     Minimum value for the Fast flag.  Overrides the ordinary minimum taken
     from the consensus when TestingTorNetwork is set. (Default: 0.)
 
-[[TestingServerDownloadInitialDelay]] **TestingServerDownloadInitialDelay** __N__::
-    Initial delay in seconds for when servers should download things in general. Changing this
-    requires that **TestingTorNetwork** is set. (Default: 0)
+[[TestingServerDownloadSchedule]] **TestingServerDownloadSchedule** __N__,__N__,__...__::
+    Schedule for when servers should download things in general. Changing this
+    requires that **TestingTorNetwork** is set. (Default: 0, 0, 0, 60, 60, 120,
+    300, 900, 2147483647)
 
-[[TestingClientDownloadInitialDelay]] **TestingClientDownloadInitialDelay** __N__::
-    Initial delay in seconds for when clients should download things in general. Changing this
-    requires that **TestingTorNetwork** is set. (Default: 0)
+[[TestingClientDownloadSchedule]] **TestingClientDownloadSchedule** __N__,__N__,__...__::
+    Schedule for when clients should download things in general. Changing this
+    requires that **TestingTorNetwork** is set. (Default: 0, 0, 60, 300, 600,
+    2147483647)
 
-[[TestingServerConsensusDownloadInitialDelay]] **TestingServerConsensusDownloadInitialDelay** __N__::
-    Initial delay in seconds for when servers should download consensuses. Changing this
-    requires that **TestingTorNetwork** is set. (Default: 0)
+[[TestingServerConsensusDownloadSchedule]] **TestingServerConsensusDownloadSchedule** __N__,__N__,__...__::
+    Schedule for when servers should download consensuses. Changing this
+    requires that **TestingTorNetwork** is set. (Default: 0, 0, 60, 300, 600,
+    1800, 1800, 1800, 1800, 1800, 3600, 7200)
 
-[[TestingClientConsensusDownloadInitialDelay]] **TestingClientConsensusDownloadInitialDelay** __N__::
-    Initial delay in seconds for when clients should download consensuses. Changing this
-    requires that **TestingTorNetwork** is set. (Default: 0)
+[[TestingClientConsensusDownloadSchedule]] **TestingClientConsensusDownloadSchedule** __N__,__N__,__...__::
+    Schedule for when clients should download consensuses. Changing this
+    requires that **TestingTorNetwork** is set. (Default: 0, 0, 60, 300, 600,
+    1800, 3600, 3600, 3600, 10800, 21600, 43200)
 
-[[TestingBridgeDownloadInitialDelay]] **TestingBridgeDownloadInitialDelay** __N__::
-    Initial delay in seconds for when clients should download each bridge descriptor when they
+[[TestingBridgeDownloadSchedule]] **TestingBridgeDownloadSchedule** __N__,__N__,__...__::
+    Schedule for when clients should download each bridge descriptor when they
     know that one or more of their configured bridges are running. Changing
-    this requires that **TestingTorNetwork** is set. (Default: 10800)
+    this requires that **TestingTorNetwork** is set. (Default: 10800, 25200,
+    54000, 111600, 262800)
 
-[[TestingBridgeBootstrapDownloadInitialDelay]] **TestingBridgeBootstrapDownloadInitialDelay** __N__::
-    Initial delay in seconds for when clients should download each bridge descriptor when they
+[[TestingBridgeBootstrapDownloadSchedule]] **TestingBridgeBootstrapDownloadSchedule** __N__,__N__,__...__::
+    Schedule for when clients should download each bridge descriptor when they
     have just started, or when they can not contact any of their bridges.
-    Changing this requires that **TestingTorNetwork** is set. (Default: 0)
+    Changing this requires that **TestingTorNetwork** is set. (Default: 0, 30,
+    90, 600, 3600, 10800, 25200, 54000, 111600, 262800)
 
 [[TestingClientMaxIntervalWithoutRequest]] **TestingClientMaxIntervalWithoutRequest** __N__ **seconds**|**minutes**::
     When directory clients have only a few descriptors to request, they batch
@@ -3080,6 +3077,11 @@ The following options are used for running a testing Tor network.
     events.  Changing this requires that **TestingTorNetwork** is set.
     (Default: 0)
 
+[[TestingEnableTbEmptyEvent]] **TestingEnableTbEmptyEvent** **0**|**1**::
+    If this option is set, then Tor controllers may register for TB_EMPTY
+    events.  Changing this requires that **TestingTorNetwork** is set.
+    (Default: 0)
+
 [[TestingMinExitFlagThreshold]] **TestingMinExitFlagThreshold**  __N__ **KBytes**|**MBytes**|**GBytes**|**TBytes**|**KBits**|**MBits**|**GBits**|**TBits**::
     Sets a lower-bound for assigning an exit flag when running as an
     authority on a testing network. Overrides the usual default lower bound

scripts/maint/updateFallbackDirs.py

@@ -173,6 +173,12 @@ MAX_LIST_FILE_SIZE = 1024 * 1024
 # meant that we had to rebuild the list more often. We want fallbacks to be
 # stable for 2 years, so we set it to a few months.
 #
+# There was a bug in Tor 0.2.8.1-alpha and earlier where a relay temporarily
+# submits a 0 DirPort when restarted.
+# This causes OnionOO to (correctly) reset its stability timer.
+# Affected relays should upgrade to Tor 0.2.9 or later, which has a fix
+# for this issue.
+#
 # If a relay changes address or port, that's it, it's not useful any more,
 # because clients can't find it
 ADDRESS_AND_PORT_STABLE_DAYS = 90

scripts/test/appveyor-irc-notify.py

@@ -1,192 +0,0 @@
-# coding=utf8
-# Copyright (C) 2015-2016 Christopher R. Wood
-# Copyright (c) 2018 The Tor Project
-# Copyright (c) 2018 isis agora lovecruft
-#
-# From: https://raw.githubusercontent.com/gridsync/gridsync/def54f8166089b733d166665fdabcad4cdc526d8/misc/irc-notify.py
-# and: https://github.com/gridsync/gridsync
-#
-# Modified by nexB on October 2016:
-#  - rework the handling of environment variables.
-#  - made the script use functions
-#  - support only Appveyor loading its environment variable to craft IRC notices.
-#
-# Modified by isis agora lovecruft <isis@torproject.org> in 2018:
-#  - Make IRC server configurable.
-#  - Make bot IRC nick deterministic.
-#  - Make bot join the channel rather than sending NOTICE messages externally.
-#  - Fix a bug which always caused sys.exit() to be logged as a traceback.
-#  - Actually reset the IRC colour codes after printing.
-#
-# Modified by Marcin Cieślak in 2018:
-#  - Accept UTF-8
-#  - only guess github URLs
-#  - stop using ANSI colors
-
-# This program is free software; you can redistribute it and/or modify it under the
-# terms of the GNU General Public License as published by the Free Software Foundation;
-# either version 2 of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT ANY
-# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE. See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along with this
-# program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street,
-# Fifth Floor, Boston, MA 02110-1301 USA.
-
-"""Simple AppVeyor IRC notification script.
-
-The first argument is an IRC server and port; the second is the channel. Other
-arguments passed to the script will be sent as notice messages content and any
-{var}-formatted environment variables will be expanded automatically, replaced
-with a corresponding Appveyor environment variable value. Use commas to
-delineate multiple messages.
-
-
-Example:
-export APPVEYOR_URL=https://ci.appveyor.com
-export APPVEYOR_PROJECT_NAME=tor
-export APPVEYOR_REPO_COMMIT_AUTHOR=isislovecruft
-export APPVEYOR_REPO_COMMIT_TIMESTAMP=2018-04-23
-export APPVEYOR_REPO_PROVIDER=gihub
-export APPVEYOR_REPO_BRANCH=repo_branch
-export APPVEYOR_PULL_REQUEST_TITLE=pull_request_title
-export APPVEYOR_BUILD_VERSION=1
-export APPVEYOR_REPO_COMMIT=22c95b72e29248dc4de9b85e590ee18f6f587de8
-export APPVEYOR_REPO_COMMIT_MESSAGE="some IRC test"
-export APPVEYOR_ACCOUNT_NAME=isislovecruft
-export APPVEYOR_PULL_REQUEST_NUMBER=pull_request_number
-export APPVEYOR_REPO_NAME=isislovecruft/tor
-python ./appveyor-irc-notify.py irc.oftc.net:6697 tor-ci '{repo_name} {repo_branch} {short_commit} - {repo_commit_author}: {repo_commit_message}','Build #{build_version} passed. Details: {build_url} |  Commit: {commit_url}
-
-See also https://github.com/gridsync/gridsync/blob/master/appveyor.yml for examples
-in Appveyor's YAML:
-
-    on_success:
-      - "python scripts/test/appveyor-irc-notify.py irc.oftc.net:6697 tor-ci success
-    on_failure:
-      - "python scripts/test/appveyor-irc-notify.py irc.oftc.net:6697 tor-ci failure
-"""
-
-from __future__ import print_function
-from __future__ import absolute_import
-
-import os
-import random
-import socket
-import ssl
-import sys
-import time
-
-
-def appveyor_vars():
-    """
-    Return a dict of key value carfted from appveyor environment variables.
-    """
-
-    vars = dict([
-            (
-                v.replace('APPVEYOR_', '').lower(),
-                os.getenv(v, '').decode('utf-8')
-            ) for v in [
-                'APPVEYOR_URL',
-                'APPVEYOR_REPO_COMMIT_MESSAGE_EXTENDED',
-                'APPVEYOR_REPO_BRANCH',
-                'APPVEYOR_REPO_COMMIT_AUTHOR',
-                'APPVEYOR_REPO_COMMIT_AUTHOR_EMAIL',
-                'APPVEYOR_REPO_COMMIT_TIMESTAMP',
-                'APPVEYOR_REPO_PROVIDER',
-                'APPVEYOR_PROJECT_NAME',
-                'APPVEYOR_PULL_REQUEST_TITLE',
-                'APPVEYOR_BUILD_VERSION',
-                'APPVEYOR_REPO_COMMIT',
-                'APPVEYOR_REPO_COMMIT_MESSAGE',
-                'APPVEYOR_ACCOUNT_NAME',
-                'APPVEYOR_PULL_REQUEST_NUMBER',
-                'APPVEYOR_REPO_NAME'
-            ]
-    ])
-
-    BUILD_FMT = u'{url}/project/{account_name}/{project_name}/build/{build_version}'
-
-    if vars["repo_provider"] == 'github':
-        COMMIT_FMT = u'https://{repo_provider}.com/{repo_name}/commit/{repo_commit}'
-        vars.update(commit_url=COMMIT_FMT.format(**vars))
-
-    vars.update(
-        build_url=BUILD_FMT.format(**vars),
-        short_commit=vars["repo_commit"][:7],
-    )
-    return vars
-
-
-def notify():
-    """
-    Send IRC notification
-    """
-    apvy_vars = appveyor_vars()
-
-    server, port = sys.argv[1].rsplit(":", 1)
-    channel = sys.argv[2]
-    success = sys.argv[3] == "success"
-    failure = sys.argv[3] == "failure"
-
-    if success or failure:
-        messages = []
-        messages.append(u"{repo_name} {repo_branch} {short_commit} - {repo_commit_author}: {repo_commit_message}")
-
-        if success:
-            m = u"Build #{build_version} passed. Details: {build_url}"
-        if failure:
-            m = u"Build #{build_version} failed. Details: {build_url}"
-
-        if "commit_url" in apvy_vars:
-            m += " Commit: {commit_url}"
-     
-        messages.append(m)
-    else:
-        messages = sys.argv[3:]
-        messages = ' '.join(messages)
-        messages = messages.decode("utf-8").split(',')
-
-    print(repr(apvy_vars))
-    messages = [msg.format(**apvy_vars).strip() for msg in messages]
-
-    irc_username = 'appveyor-ci'
-    irc_nick = irc_username
-
-    # establish connection
-    irc_sock = ssl.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM))
-    irc_sock.connect((socket.gethostbyname(server), int(port)))
-    irc_sock.send('NICK {0}\r\nUSER {0} * 0 :{0}\r\n'.format(irc_username).encode())
-    irc_sock.send('JOIN #{0}\r\n'.format(channel).encode())
-    irc_file = irc_sock.makefile()
-
-    while irc_file:
-        line = irc_file.readline()
-        print(line.rstrip())
-        response = line.split()
-
-        if response[0] == 'PING':
-            irc_file.send('PONG {}\r\n'.format(response[1]).encode())
-
-        elif response[1] == '433':
-            irc_sock.send('NICK {}\r\n'.format(irc_nick).encode())
-
-        elif response[1] == '001':
-            time.sleep(5)
-            # send notification
-            for msg in messages:
-                print(u'PRIVMSG #{} :{}'.format(channel, msg).encode("utf-8"))
-                irc_sock.send(u'PRIVMSG #{} :{}\r\n'.format(channel, msg).encode("utf-8"))
-            time.sleep(5)
-            return
-
-
-if __name__ == '__main__':
-    try:
-        notify()
-    except:
-        import traceback
-        print('ERROR: Failed to send notification: \n' + traceback.format_exc())

scripts/test/cov-diff

@@ -10,12 +10,12 @@ DIRB="$2"
 for B in $DIRB/*; do
   A=$DIRA/`basename $B`
   if [ -f $A ]; then
-      perl -pe 's/^\s*\!*\d+(\*?):/        1$1:/; s/^([^:]+:)[\d\s]+:/$1/; s/^ *-:(Runs|Programs):.*//;' "$A" > "$A.tmp"
+      perl -pe 's/^\s*\!*\d+:/        1:/; s/^([^:]+:)[\d\s]+:/$1/; s/^ *-:(Runs|Programs):.*//;' "$A" > "$A.tmp"
   else
       cat /dev/null > "$A.tmp"
   fi
-  perl -pe 's/^\s*\!*\d+(\*?):/        1$1:/; s/^([^:]+:)[\d\s]+:/$1/; s/^ *-:(Runs|Programs):.*//;' "$B" > "$B.tmp"
-  diff -u "$A.tmp" "$B.tmp" |perl -pe 's/^((?:\+\+\+|---)(?:.*tmp))\s+.*/$1/;'
+  perl -pe 's/^\s*\!*\d+:/        1:/; s/^([^:]+:)[\d\s]+:/$1/; s/^ *-:(Runs|Programs):.*//;' "$B" > "$B.tmp"
+  diff -u "$A.tmp" "$B.tmp"
   rm "$A.tmp" "$B.tmp"
 done
 

src/common/address.c

@@ -1697,7 +1697,7 @@ get_interface_address6_via_udp_socket_hack,(int severity,
                                             sa_family_t family,
                                             tor_addr_t *addr))
 {
-  struct sockaddr_storage target_addr;
+  struct sockaddr_storage my_addr, target_addr;
   int sock=-1, r=-1;
   socklen_t addr_len;
 
@@ -1740,19 +1740,21 @@ get_interface_address6_via_udp_socket_hack,(int severity,
     goto err;
   }
 
-  if (tor_addr_from_getsockname(addr, sock) < 0) {
+  if (tor_getsockname(sock,(struct sockaddr*)&my_addr, &addr_len)) {
     int e = tor_socket_errno(sock);
     log_fn(severity, LD_NET, "getsockname() to determine interface failed: %s",
            tor_socket_strerror(e));
     goto err;
   }
 
-  if (tor_addr_is_loopback(addr) || tor_addr_is_multicast(addr)) {
-    log_fn(severity, LD_NET, "Address that we determined via UDP socket"
-           " magic is unsuitable for public comms.");
-  } else {
-    r=0;
-  }
+ if (tor_addr_from_sockaddr(addr, (struct sockaddr*)&my_addr, NULL) == 0) {
+    if (tor_addr_is_loopback(addr) || tor_addr_is_multicast(addr)) {
+      log_fn(severity, LD_NET, "Address that we determined via UDP socket"
+                               " magic is unsuitable for public comms.");
+    } else {
+      r=0;
+    }
+ }
 
  err:
   if (sock >= 0)

src/common/address_set.c

@@ -15,7 +15,7 @@
 #include "address.h"
 #include "compat.h"
 #include "container.h"
-#include "crypto_rand.h"
+#include "crypto.h"
 #include "util.h"
 #include "siphash.h"
 

src/common/aes.c

@@ -16,8 +16,8 @@
   #include <ws2tcpip.h>
 #endif
 
-#include "compat_openssl.h"
 #include <openssl/opensslv.h>
+#include "crypto.h"
 #include "crypto_openssl_mgt.h"
 
 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
@@ -116,11 +116,7 @@ aes_cipher_free_(aes_cnt_cipher_t *cipher_)
   if (!cipher_)
     return;
   EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
-#ifdef OPENSSL_1_1_API
-  EVP_CIPHER_CTX_reset(cipher);
-#else
   EVP_CIPHER_CTX_cleanup(cipher);
-#endif
   EVP_CIPHER_CTX_free(cipher);
 }
 void

src/common/buffers.h

@@ -12,6 +12,7 @@
 #ifndef TOR_BUFFERS_H
 #define TOR_BUFFERS_H
 
+#include "compat.h"
 #include "compat.h"
 #include "torint.h"
 #include "testsupport.h"

src/common/compat.c

@@ -100,6 +100,7 @@ SecureZeroMemory(PVOID ptr, SIZE_T cnt)
 /* Only use the linux prctl;  the IRIX prctl is totally different */
 #include <sys/prctl.h>
 #elif defined(__APPLE__)
+#include <sys/types.h>
 #include <sys/ptrace.h>
 #endif /* defined(HAVE_SYS_PRCTL_H) && defined(__linux__) || ... */
 
@@ -115,7 +116,7 @@ SecureZeroMemory(PVOID ptr, SIZE_T cnt)
 #ifdef HAVE_SIGNAL_H
 #include <signal.h>
 #endif
-#ifdef HAVE_MMAP
+#ifdef HAVE_SYS_MMAN_H
 #include <sys/mman.h>
 #endif
 #ifdef HAVE_SYS_SYSLIMITS_H
@@ -203,17 +204,25 @@ tor_rename(const char *path_old, const char *path_new)
                 sandbox_intern_string(path_new));
 }
 
-#if defined(HAVE_MMAP) || defined(RUNNING_DOXYGEN)
+/* Some MinGW builds have sys/mman.h, but not the corresponding symbols.
+ * Other configs rename the symbols using macros (including getpagesize).
+ * So check for sys/mman.h and unistd.h, and a getpagesize declaration. */
+#if (defined(HAVE_SYS_MMAN_H) && defined(HAVE_UNISTD_H) && \
+     defined(HAVE_DECL_GETPAGESIZE))
+#define COMPAT_HAS_MMAN_AND_PAGESIZE
+#endif
+
+#if defined(COMPAT_HAS_MMAN_AND_PAGESIZE) || \
+  defined(RUNNING_DOXYGEN)
 /** Try to create a memory mapping for <b>filename</b> and return it.  On
- * failure, return NULL. Sets errno properly, using ERANGE to mean
- * "empty file". Must only be called on trusted Tor-owned files, as changing
- * the underlying file's size causes unspecified behavior. */
+ * failure, return NULL.  Sets errno properly, using ERANGE to mean
+ * "empty file". */
 tor_mmap_t *
 tor_mmap_file(const char *filename)
 {
   int fd; /* router file */
   char *string;
-  int result;
+  int page_size, result;
   tor_mmap_t *res;
   size_t size, filesize;
   struct stat st;
@@ -242,6 +251,13 @@ tor_mmap_file(const char *filename)
     return NULL;
   }
   size = filesize = (size_t)(st.st_size);
+  /*
+   * Should we check for weird crap like mmapping a named pipe here,
+   * or just wait for if (!size) below to fail?
+   */
+  /* ensure page alignment */
+  page_size = getpagesize();
+  size += (size%page_size) ? page_size-(size%page_size) : 0;
 
   if (st.st_size > SSIZE_T_CEILING || (off_t)size < st.st_size) {
     log_warn(LD_FS, "File \"%s\" is too large. Ignoring.",filename);
@@ -402,8 +418,40 @@ tor_munmap_file(tor_mmap_t *handle)
   return 0;
 }
 #else
-#error "cannot implement tor_mmap_file"
-#endif /* defined(HAVE_MMAP) || ... || ... */
+tor_mmap_t *
+tor_mmap_file(const char *filename)
+{
+  struct stat st;
+  char *res = read_file_to_str(filename, RFTS_BIN|RFTS_IGNORE_MISSING, &st);
+  tor_mmap_t *handle;
+  if (! res)
+    return NULL;
+  handle = tor_malloc_zero(sizeof(tor_mmap_t));
+  handle->data = res;
+  handle->size = st.st_size;
+  return handle;
+}
+
+/** Unmap the file mapped with tor_mmap_file(), and return 0 for success
+ * or -1 for failure.
+ */
+
+int
+tor_munmap_file(tor_mmap_t *handle)
+{
+  char *d = NULL;
+  if (handle == NULL)
+    return 0;
+
+  d = (char*)handle->data;
+  tor_free(d);
+  memwipe(handle, 0, sizeof(tor_mmap_t));
+  tor_free(handle);
+
+  /* Can't fail in this mmap()/munmap()-free case */
+  return 0;
+}
+#endif /* defined(COMPAT_HAS_MMAN_AND_PAGESIZE) || ... || ... */
 
 /** Replacement for snprintf.  Differs from platform snprintf in two
  * ways: First, always NUL-terminates its output.  Second, always
@@ -1344,24 +1392,6 @@ tor_getsockname,(tor_socket_t sock, struct sockaddr *address,
    return getsockname(sock, address, address_len);
 }
 
-/**
- * Find the local address associated with the socket <b>sock</b>, and
- * place it in *<b>addr_out</b>.  Return 0 on success, -1 on failure.
- *
- * (As tor_getsockname, but instead places the result in a tor_addr_t.) */
-int
-tor_addr_from_getsockname(tor_addr_t *addr_out, tor_socket_t sock)
-{
-  struct sockaddr_storage ss;
-  socklen_t ss_len = sizeof(ss);
-  memset(&ss, 0, sizeof(ss));
-
-  if (tor_getsockname(sock, (struct sockaddr *) &ss, &ss_len) < 0)
-    return -1;
-
-  return tor_addr_from_sockaddr(addr_out, (struct sockaddr *)&ss, NULL);
-}
-
 /** Turn <b>socket</b> into a nonblocking socket. Return 0 on success, -1
  * on failure.
  */

src/common/compat.h

@@ -318,12 +318,12 @@ typedef struct tor_mmap_t {
   size_t size; /**< Size of the file. */
 
   /* None of the fields below should be accessed from outside compat.c */
-#ifdef HAVE_MMAP
+#ifdef HAVE_SYS_MMAN_H
   size_t mapping_size; /**< Size of the actual mapping. (This is this file
                         * size, rounded up to the nearest page.) */
 #elif defined _WIN32
   HANDLE mmap_handle;
-#endif /* defined(HAVE_MMAP) || ... */
+#endif /* defined(HAVE_SYS_MMAN_H) || ... */
 
 } tor_mmap_t;
 
@@ -510,8 +510,6 @@ int get_n_open_sockets(void);
 MOCK_DECL(int,
 tor_getsockname,(tor_socket_t socket, struct sockaddr *address,
                  socklen_t *address_len));
-struct tor_addr_t;
-int tor_addr_from_getsockname(struct tor_addr_t *addr_out, tor_socket_t sock);
 
 #define tor_socket_send(s, buf, len, flags) send(s, buf, len, flags)
 #define tor_socket_recv(s, buf, len, flags) recv(s, buf, len, flags)

src/common/compat_libevent.c

@@ -11,7 +11,7 @@
 #define COMPAT_LIBEVENT_PRIVATE
 #include "compat_libevent.h"
 
-#include "crypto_rand.h"
+#include "crypto.h"
 
 #include "util.h"
 #include "torlog.h"
@@ -79,43 +79,6 @@ tor_event_free_(struct event *ev)
 /** Global event base for use by the main thread. */
 static struct event_base *the_event_base = NULL;
 
-/**
- * @defgroup postloop post-loop event helpers
- *
- * If we're not careful, Libevent can susceptible to infinite event chains:
- * one event can activate another, whose callback activates another, whose
- * callback activates another, ad infinitum.  While this is happening,
- * Libevent won't be checking timeouts, socket-based events, signals, and so
- * on.
- *
- * We solve this problem by marking some events as "post-loop".  A post-loop
- * event behaves like any ordinary event, but any events that _it_ activates
- * cannot run until Libevent has checked for other events at least once.
- *
- * @{ */
-
-/**
- * An event that stops Libevent from running any more events on the current
- * iteration of its loop, until it has re-checked for socket events, signal
- * events, timeouts, etc.
- */
-static struct event *rescan_mainloop_ev = NULL;
-
-/**
- * Callback to implement rescan_mainloop_ev: it simply exits the mainloop,
- * and relies on Tor to re-enter the mainloop since no error has occurred.
- */
-static void
-rescan_mainloop_cb(evutil_socket_t fd, short events, void *arg)
-{
-  (void)fd;
-  (void)events;
-  struct event_base *the_base = arg;
-  event_base_loopbreak(the_base);
-}
-
-/** @} */
-
 /* This is what passes for version detection on OSX.  We set
  * MACOSX_KQUEUE_IS_BROKEN to true iff we're on a version of OSX before
  * 10.4.0 (aka 1040). */
@@ -167,15 +130,6 @@ tor_libevent_initialize(tor_libevent_cfg *torcfg)
     /* LCOV_EXCL_STOP */
   }
 
-  rescan_mainloop_ev = event_new(the_event_base, -1, 0,
-                                 rescan_mainloop_cb, the_event_base);
-  if (!rescan_mainloop_ev) {
-    /* LCOV_EXCL_START */
-    log_err(LD_GENERAL, "Unable to create rescan event: cannot continue.");
-    exit(1); // exit ok: libevent is broken.
-    /* LCOV_EXCL_STOP */
-  }
-
   log_info(LD_GENERAL,
       "Initialized libevent version %s using method %s. Good.",
       event_get_version(), tor_libevent_get_method());
@@ -253,39 +207,10 @@ periodic_timer_new(struct event_base *base,
   }
   timer->cb = cb;
   timer->data = data;
-  periodic_timer_launch(timer, tv);
+  event_add(timer->ev, (struct timeval *)tv); /*drop const for old libevent*/
   return timer;
 }
 
-/**
- * Launch the timer <b>timer</b> to run at <b>tv</b> from now, and every
- * <b>tv</b> thereafter.
- *
- * If the timer is already enabled, this function does nothing.
- */
-void
-periodic_timer_launch(periodic_timer_t *timer, const struct timeval *tv)
-{
-  tor_assert(timer);
-  if (event_pending(timer->ev, EV_TIMEOUT, NULL))
-    return;
-  event_add(timer->ev, tv);
-}
-
-/**
- * Disable the provided <b>timer</b>, but do not free it.
- *
- * You can reenable the same timer later with periodic_timer_launch.
- *
- * If the timer is already disabled, this function does nothing.
- */
-void
-periodic_timer_disable(periodic_timer_t *timer)
-{
-  tor_assert(timer);
-  (void) event_del(timer->ev);
-}
-
 /** Stop and free a periodic timer */
 void
 periodic_timer_free_(periodic_timer_t *timer)
@@ -296,173 +221,6 @@ periodic_timer_free_(periodic_timer_t *timer)
   tor_free(timer);
 }
 
-/**
- * Type used to represent events that run directly from the main loop,
- * either because they are activated from elsewhere in the code, or
- * because they have a simple timeout.
- *
- * We use this type to avoid exposing Libevent's API throughout the rest
- * of the codebase.
- *
- * This type can't be used for all events: it doesn't handle events that
- * are triggered by signals or by sockets.
- */
-struct mainloop_event_t {
-  struct event *ev;
-  void (*cb)(mainloop_event_t *, void *);
-  void *userdata;
-};
-
-/**
- * Internal: Implements mainloop event using a libevent event.
- */
-static void
-mainloop_event_cb(evutil_socket_t fd, short what, void *arg)
-{
-  (void)fd;
-  (void)what;
-  mainloop_event_t *mev = arg;
-  mev->cb(mev, mev->userdata);
-}
-
-/**
- * As mainloop_event_cb, but implements a post-loop event.
- */
-static void
-mainloop_event_postloop_cb(evutil_socket_t fd, short what, void *arg)
-{
-  (void)fd;
-  (void)what;
-
-  /* Note that if rescan_mainloop_ev is already activated,
-   * event_active() will do nothing: only the first post-loop event that
-   * happens each time through the event loop will cause it to be
-   * activated.
-   *
-   * Because event_active() puts events on a FIFO queue, every event
-   * that is made active _after_ rescan_mainloop_ev will get its
-   * callback run after rescan_mainloop_cb is called -- that is, on the
-   * next iteration of the loop.
-   */
-  event_active(rescan_mainloop_ev, EV_READ, 1);
-
-  mainloop_event_t *mev = arg;
-  mev->cb(mev, mev->userdata);
-}
-
-/**
- * Helper for mainloop_event_new() and mainloop_event_postloop_new().
- */
-static mainloop_event_t *
-mainloop_event_new_impl(int postloop,
-                        void (*cb)(mainloop_event_t *, void *),
-                        void *userdata)
-{
-  tor_assert(cb);
-
-  struct event_base *base = tor_libevent_get_base();
-  mainloop_event_t *mev = tor_malloc_zero(sizeof(mainloop_event_t));
-  mev->ev = tor_event_new(base, -1, 0,
-                  postloop ? mainloop_event_postloop_cb : mainloop_event_cb,
-                  mev);
-  tor_assert(mev->ev);
-  mev->cb = cb;
-  mev->userdata = userdata;
-  return mev;
-}
-
-/**
- * Create and return a new mainloop_event_t to run the function <b>cb</b>.
- *
- * When run, the callback function will be passed the mainloop_event_t
- * and <b>userdata</b> as its arguments.  The <b>userdata</b> pointer
- * must remain valid for as long as the mainloop_event_t event exists:
- * it is your responsibility to free it.
- *
- * The event is not scheduled by default: Use mainloop_event_activate()
- * or mainloop_event_schedule() to make it run.
- */
-mainloop_event_t *
-mainloop_event_new(void (*cb)(mainloop_event_t *, void *),
-                   void *userdata)
-{
-  return mainloop_event_new_impl(0, cb, userdata);
-}
-
-/**
- * As mainloop_event_new(), but create a post-loop event.
- *
- * A post-loop event behaves like any ordinary event, but any events
- * that _it_ activates cannot run until Libevent has checked for other
- * events at least once.
- */
-mainloop_event_t *
-mainloop_event_postloop_new(void (*cb)(mainloop_event_t *, void *),
-                            void *userdata)
-{
-  return mainloop_event_new_impl(1, cb, userdata);
-}
-
-/**
- * Schedule <b>event</b> to run in the main loop, immediately.  If it is
- * not scheduled, it will run anyway. If it is already scheduled to run
- * later, it will run now instead.  This function will have no effect if
- * the event is already scheduled to run.
- *
- * This function may only be called from the main thread.
- */
-void
-mainloop_event_activate(mainloop_event_t *event)
-{
-  tor_assert(event);
-  event_active(event->ev, EV_READ, 1);
-}
-
-/** Schedule <b>event</b> to run in the main loop, after a delay of <b>tv</b>.
- *
- * If the event is scheduled for a different time, cancel it and run
- * after this delay instead.  If the event is currently pending to run
- * <em>now</b>, has no effect.
- *
- * Do not call this function with <b>tv</b> == NULL -- use
- * mainloop_event_activate() instead.
- *
- * This function may only be called from the main thread.
- */
-int
-mainloop_event_schedule(mainloop_event_t *event, const struct timeval *tv)
-{
-  tor_assert(event);
-  if (BUG(tv == NULL)) {
-    // LCOV_EXCL_START
-    mainloop_event_activate(event);
-    return 0;
-    // LCOV_EXCL_STOP
-  }
-  return event_add(event->ev, tv);
-}
-
-/** Cancel <b>event</b> if it is currently active or pending. (Do nothing if
- * the event is not currently active or pending.) */
-void
-mainloop_event_cancel(mainloop_event_t *event)
-{
-  if (!event)
-    return;
-  (void) event_del(event->ev);
-}
-
-/** Cancel <b>event</b> and release all storage associated with it. */
-void
-mainloop_event_free_(mainloop_event_t *event)
-{
-  if (!event)
-    return;
-  tor_event_free(event->ev);
-  memset(event, 0xb8, sizeof(*event));
-  tor_free(event);
-}
-
 int
 tor_init_libevent_rng(void)
 {
@@ -485,45 +243,56 @@ tor_init_libevent_rng(void)
 void
 tor_libevent_free_all(void)
 {
-  tor_event_free(rescan_mainloop_ev);
   if (the_event_base)
     event_base_free(the_event_base);
   the_event_base = NULL;
 }
 
-/**
- * Run the event loop for the provided event_base, handling events until
- * something stops it.  If <b>once</b> is set, then just poll-and-run
- * once, then exit.  Return 0 on success, -1 if an error occurred, or 1
- * if we exited because no events were pending or active.
- *
- * This isn't reentrant or multithreaded.
- */
-int
-tor_libevent_run_event_loop(struct event_base *base, int once)
-{
-  const int flags = once ? EVLOOP_ONCE : 0;
-  return event_base_loop(base, flags);
-}
-
-/** Tell the event loop to exit after <b>delay</b>.  If <b>delay</b> is NULL,
- * instead exit after we're done running the currently active events. */
+#if defined(LIBEVENT_VERSION_NUMBER) &&         \
+  LIBEVENT_VERSION_NUMBER >= V(2,1,1) &&        \
+  !defined(TOR_UNIT_TESTS)
 void
-tor_libevent_exit_loop_after_delay(struct event_base *base,
-                                   const struct timeval *delay)
+tor_gettimeofday_cached(struct timeval *tv)
 {
-  event_base_loopexit(base, delay);
+  event_base_gettimeofday_cached(the_event_base, tv);
 }
-
-/** Tell the event loop to exit after running whichever callback is currently
- * active. */
 void
-tor_libevent_exit_loop_after_callback(struct event_base *base)
+tor_gettimeofday_cache_clear(void)
 {
-  event_base_loopbreak(base);
+  event_base_update_cache_time(the_event_base);
+}
+#else /* !(defined(LIBEVENT_VERSION_NUMBER) &&         ...) */
+/** Cache the current hi-res time; the cache gets reset when libevent
+ * calls us. */
+static struct timeval cached_time_hires = {0, 0};
+
+/** Return a fairly recent view of the current time. */
+void
+tor_gettimeofday_cached(struct timeval *tv)
+{
+  if (cached_time_hires.tv_sec == 0) {
+    tor_gettimeofday(&cached_time_hires);
+  }
+  *tv = cached_time_hires;
+}
+
+/** Reset the cached view of the current time, so that the next time we try
+ * to learn it, we will get an up-to-date value. */
+void
+tor_gettimeofday_cache_clear(void)
+{
+  cached_time_hires.tv_sec = 0;
+}
+
+#ifdef TOR_UNIT_TESTS
+/** For testing: force-update the cached time to a given value. */
+void
+tor_gettimeofday_cache_set(const struct timeval *tv)
+{
+  tor_assert(tv);
+  memcpy(&cached_time_hires, tv, sizeof(*tv));
 }
 
-#if defined(TOR_UNIT_TESTS)
 /** For testing: called post-fork to make libevent reinitialize
  * kernel structures. */
 void
@@ -533,4 +302,5 @@ tor_libevent_postfork(void)
   tor_assert(r == 0);
 }
 #endif /* defined(TOR_UNIT_TESTS) */
+#endif /* defined(LIBEVENT_VERSION_NUMBER) &&         ... */
 

src/common/compat_libevent.h

@@ -7,6 +7,8 @@
 #include "orconfig.h"
 #include "testsupport.h"
 
+#include <event2/event.h>
+
 void configure_libevent_logging(void);
 void suppress_libevent_log_msg(const char *msg);
 
@@ -17,9 +19,6 @@ void suppress_libevent_log_msg(const char *msg);
   evdns_add_server_port_with_base(tor_libevent_get_base(), \
   (sock),(tcp),(cb),(data));
 
-struct event;
-struct event_base;
-
 void tor_event_free_(struct event *ev);
 #define tor_event_free(ev) \
   FREE_AND_NULL(struct event, tor_event_free_, (ev))
@@ -31,24 +30,11 @@ periodic_timer_t *periodic_timer_new(struct event_base *base,
              void (*cb)(periodic_timer_t *timer, void *data),
              void *data);
 void periodic_timer_free_(periodic_timer_t *);
-void periodic_timer_launch(periodic_timer_t *, const struct timeval *tv);
-void periodic_timer_disable(periodic_timer_t *);
 #define periodic_timer_free(t) \
   FREE_AND_NULL(periodic_timer_t, periodic_timer_free_, (t))
 
-typedef struct mainloop_event_t mainloop_event_t;
-mainloop_event_t *mainloop_event_new(void (*cb)(mainloop_event_t *, void *),
-                                     void *userdata);
-mainloop_event_t * mainloop_event_postloop_new(
-                                     void (*cb)(mainloop_event_t *, void *),
-                                     void *userdata);
-void mainloop_event_activate(mainloop_event_t *event);
-int mainloop_event_schedule(mainloop_event_t *event,
-                            const struct timeval *delay);
-void mainloop_event_cancel(mainloop_event_t *event);
-void mainloop_event_free_(mainloop_event_t *event);
-#define mainloop_event_free(event) \
-  FREE_AND_NULL(mainloop_event_t, mainloop_event_free_, (event))
+#define tor_event_base_loopexit event_base_loopexit
+#define tor_event_base_loopbreak event_base_loopbreak
 
 /** Defines a configuration for using libevent with Tor: passed as an argument
  * to tor_libevent_initialize() to describe how we want to set up. */
@@ -70,15 +56,13 @@ void tor_libevent_free_all(void);
 
 int tor_init_libevent_rng(void);
 
+void tor_gettimeofday_cached(struct timeval *tv);
+void tor_gettimeofday_cache_clear(void);
 #ifdef TOR_UNIT_TESTS
+void tor_gettimeofday_cache_set(const struct timeval *tv);
 void tor_libevent_postfork(void);
 #endif
 
-int tor_libevent_run_event_loop(struct event_base *base, int once);
-void tor_libevent_exit_loop_after_delay(struct event_base *base,
-                                        const struct timeval *delay);
-void tor_libevent_exit_loop_after_callback(struct event_base *base);
-
 #ifdef COMPAT_LIBEVENT_PRIVATE
 
 /** Macro: returns the number of a Libevent version as a 4-byte number,

src/common/compat_time.c

@@ -71,8 +71,8 @@ tor_sleep_msec(int msec)
 /** Set *timeval to the current time of day.  On error, log and terminate.
  * (Same as gettimeofday(timeval,NULL), but never returns -1.)
  */
-MOCK_IMPL(void,
-tor_gettimeofday, (struct timeval *timeval))
+void
+tor_gettimeofday(struct timeval *timeval)
 {
 #ifdef _WIN32
   /* Epoch bias copied from perl: number of units between windows epoch and
@@ -279,7 +279,6 @@ monotime_reset_ratchets_for_testing(void)
  * nanoseconds.
  */
 static struct mach_timebase_info mach_time_info;
-static struct mach_timebase_info mach_time_info_msec_cvt;
 static int monotime_shift = 0;
 
 static void
@@ -297,14 +296,6 @@ monotime_init_internal(void)
     // requires that tor_log2(0) == 0.
     monotime_shift = tor_log2(ms_per_tick);
   }
-  {
-    // For converting ticks to milliseconds in a 32-bit-friendly way, we
-    // will first right-shift by 20, and then multiply by 20/19, since
-    // (1<<20) * 19/20 is about 1e6.  We precompute a new numerate and
-    // denominator here to avoid multiple multiplies.
-    mach_time_info_msec_cvt.numer = mach_time_info.numer * 20;
-    mach_time_info_msec_cvt.denom = mach_time_info.denom * 19;
-  }
 }
 
 /**
@@ -354,22 +345,6 @@ monotime_diff_nsec(const monotime_t *start,
   return diff_nsec;
 }
 
-int32_t
-monotime_coarse_diff_msec32_(const monotime_coarse_t *start,
-                             const monotime_coarse_t *end)
-{
-  if (BUG(mach_time_info.denom == 0)) {
-    monotime_init();
-  }
-  const int64_t diff_ticks = end->abstime_ - start->abstime_;
-
-  /* We already require in di_ops.c that right-shift performs a sign-extend. */
-  const int32_t diff_microticks = (int32_t)(diff_ticks >> 20);
-
-  return (diff_microticks * mach_time_info_msec_cvt.numer) /
-    mach_time_info_msec_cvt.denom;
-}
-
 uint32_t
 monotime_coarse_to_stamp(const monotime_coarse_t *t)
 {
@@ -468,15 +443,6 @@ monotime_diff_nsec(const monotime_t *start,
   return diff_nsec;
 }
 
-int32_t
-monotime_coarse_diff_msec32_(const monotime_coarse_t *start,
-                             const monotime_coarse_t *end)
-{
-  const int32_t diff_sec = (int32_t)(end->ts_.tv_sec - start->ts_.tv_sec);
-  const int32_t diff_nsec = (int32_t)(end->ts_.tv_nsec - start->ts_.tv_nsec);
-  return diff_sec * 1000 + diff_nsec / ONE_MILLION;
-}
-
 /* This value is ONE_BILLION >> 20. */
 static const uint32_t STAMP_TICKS_PER_SECOND = 953;
 
@@ -626,13 +592,6 @@ monotime_coarse_diff_msec(const monotime_coarse_t *start,
   return diff_ticks;
 }
 
-int32_t
-monotime_coarse_diff_msec32_(const monotime_coarse_t *start,
-                             const monotime_coarse_t *end)
-{
-  return (int32_t)monotime_coarse_diff_msec(start, end);
-}
-
 int64_t
 monotime_coarse_diff_usec(const monotime_coarse_t *start,
                           const monotime_coarse_t *end)
@@ -718,15 +677,6 @@ monotime_diff_nsec(const monotime_t *start,
   return (diff.tv_sec * ONE_BILLION + diff.tv_usec * 1000);
 }
 
-int32_t
-monotime_coarse_diff_msec32_(const monotime_coarse_t *start,
-                             const monotime_coarse_t *end)
-{
-  struct timeval diff;
-  timersub(&end->tv_, &start->tv_, &diff);
-  return diff.tv_sec * 1000 + diff.tv_usec / 1000;
-}
-
 /* This value is ONE_MILLION >> 10. */
 static const uint32_t STAMP_TICKS_PER_SECOND = 976;
 
@@ -880,24 +830,11 @@ monotime_coarse_stamp_units_to_approx_msec(uint64_t units)
   return (abstime_diff * mach_time_info.numer) /
     (mach_time_info.denom * ONE_MILLION);
 }
-uint64_t
-monotime_msec_to_approx_coarse_stamp_units(uint64_t msec)
-{
-  uint64_t abstime_val =
-    (((uint64_t)msec) * ONE_MILLION * mach_time_info.denom) /
-    mach_time_info.numer;
-  return abstime_val >> monotime_shift;
-}
 #else
 uint64_t
 monotime_coarse_stamp_units_to_approx_msec(uint64_t units)
 {
   return (units * 1000) / STAMP_TICKS_PER_SECOND;
 }
-uint64_t
-monotime_msec_to_approx_coarse_stamp_units(uint64_t msec)
-{
-  return (msec * STAMP_TICKS_PER_SECOND) / 1000;
-}
 #endif
 

src/common/compat_time.h

@@ -150,7 +150,6 @@ uint32_t monotime_coarse_to_stamp(const monotime_coarse_t *t);
  * into an approximate number of milliseconds.
  */
 uint64_t monotime_coarse_stamp_units_to_approx_msec(uint64_t units);
-uint64_t monotime_msec_to_approx_coarse_stamp_units(uint64_t msec);
 uint32_t monotime_coarse_get_stamp(void);
 
 #if defined(MONOTIME_COARSE_TYPE_IS_DIFFERENT)
@@ -173,34 +172,7 @@ void monotime_coarse_add_msec(monotime_coarse_t *out,
 #define monotime_coarse_add_msec monotime_add_msec
 #endif /* defined(MONOTIME_COARSE_TYPE_IS_DIFFERENT) */
 
-/**
- * As monotime_coarse_diff_msec, but avoid 64-bit division.
- *
- * Requires that the difference fit into an int32_t; not for use with
- * large time differences.
- */
-int32_t monotime_coarse_diff_msec32_(const monotime_coarse_t *start,
-                                     const monotime_coarse_t *end);
-
-/**
- * As monotime_coarse_diff_msec, but avoid 64-bit division if it is expensive.
- *
- * Requires that the difference fit into an int32_t; not for use with
- * large time differences.
- */
-static inline int32_t
-monotime_coarse_diff_msec32(const monotime_coarse_t *start,
-                            const monotime_coarse_t *end)
-{
-#if SIZEOF_VOID_P == 8
-  // on a 64-bit platform, let's assume 64/64 division is cheap.
-  return (int32_t) monotime_coarse_diff_msec(start, end);
-#else
-  return monotime_coarse_diff_msec32_(start, end);
-#endif
-}
-
-MOCK_DECL(void, tor_gettimeofday, (struct timeval *timeval));
+void tor_gettimeofday(struct timeval *timeval);
 
 #ifdef TOR_UNIT_TESTS
 void tor_sleep_msec(int msec);

src/common/compat_winthreads.c

@@ -18,6 +18,7 @@
 #include "util.h"
 #include "container.h"
 #include "torlog.h"
+#include <process.h>
 
 /* This value is more or less total cargo-cult */
 #define SPIN_COUNT 2000

src/common/compress.c

@@ -663,13 +663,3 @@ tor_compress_init(void)
   tor_zstd_init();
 }
 
-/** Warn if we had any problems while setting up our compression libraries.
- *
- * (This isn't part of tor_compress_init, since the logs aren't set up yet.)
- */
-void
-tor_compress_log_init_warnings(void)
-{
-  tor_zstd_warn_if_version_mismatched();
-}
-