Merge branch 'maint-0.4.1' into bug33032_041

.appveyor.yml

@@ -95,6 +95,8 @@ test_script:
             $buildpath = @("C:\msys64\${env:compiler_path}\bin") + $oldpath
             $env:Path = $buildpath -join ';'
             Set-Location "${env:build}"
+            Copy-Item "C:/msys64/${env:compiler_path}/bin/libssp-0.dll" -Destination "${env:build}/src/test"
+            Copy-Item "C:/msys64/${env:compiler_path}/bin/zlib1.dll" -Destination "${env:build}/src/test"
             Execute-Bash "VERBOSE=1 make -k -j2 check"
     }
 

.gitignore

@@ -158,6 +158,8 @@ uptime-*.json
 
 # /src/lib
 /src/lib/libcurve25519_donna.a
+/src/lib/libtor-buf.a
+/src/lib/libtor-buf-testing.a
 /src/lib/libtor-compress.a
 /src/lib/libtor-compress-testing.a
 /src/lib/libtor-container.a
@@ -166,6 +168,8 @@ uptime-*.json
 /src/lib/libtor-crypt-ops-testing.a
 /src/lib/libtor-ctime.a
 /src/lib/libtor-ctime-testing.a
+/src/lib/libtor-dispatch.a
+/src/lib/libtor-dispatch-testing.a
 /src/lib/libtor-encoding.a
 /src/lib/libtor-encoding-testing.a
 /src/lib/libtor-evloop.a
@@ -198,6 +202,8 @@ uptime-*.json
 /src/lib/libtor-osinfo-testing.a
 /src/lib/libtor-process.a
 /src/lib/libtor-process-testing.a
+/src/lib/libtor-pubsub.a
+/src/lib/libtor-pubsub-testing.a
 /src/lib/libtor-sandbox.a
 /src/lib/libtor-sandbox-testing.a
 /src/lib/libtor-string.a
@@ -213,6 +219,8 @@ uptime-*.json
 /src/lib/libtor-tls.a
 /src/lib/libtor-tls-testing.a
 /src/lib/libtor-trace.a
+/src/lib/libtor-version.a
+/src/lib/libtor-version-testing.a
 /src/lib/libtor-wallclock.a
 /src/lib/libtor-wallclock-testing.a
 
@@ -240,20 +248,22 @@ uptime-*.json
 /src/test/test
 /src/test/test-slow
 /src/test/test-bt-cl
-/src/test/test-child
+/src/test/test-process
 /src/test/test-memwipe
 /src/test/test-ntor-cl
 /src/test/test-hs-ntor-cl
+/src/test/test-rng
 /src/test/test-switch-id
 /src/test/test-timers
 /src/test/test_workqueue
 /src/test/test.exe
 /src/test/test-slow.exe
 /src/test/test-bt-cl.exe
-/src/test/test-child.exe
+/src/test/test-process.exe
 /src/test/test-ntor-cl.exe
 /src/test/test-hs-ntor-cl.exe
 /src/test/test-memwipe.exe
+/src/test/test-rng.exe
 /src/test/test-switch-id.exe
 /src/test/test-timers.exe
 /src/test/test_workqueue.exe

.travis.yml

@@ -57,7 +57,7 @@ matrix:
     - env: DISTCHECK="yes" ASCIIDOC_OPTIONS="" SKIP_MAKE_CHECK="yes"
       compiler: clang
     ## We include a single coverage build with the best options for coverage
-    - env: COVERAGE_OPTIONS="--enable-coverage" HARDENING_OPTIONS=""
+    - env: COVERAGE_OPTIONS="--enable-coverage" HARDENING_OPTIONS="" TOR_TEST_RNG_SEED="636f766572616765"
     ## We run rust on Linux, because it's faster than rust on macOS
     ## We check rust offline
     - env: RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
@@ -114,6 +114,7 @@ addons:
       - libscrypt-dev
       - libseccomp-dev
       - libzstd-dev
+      - shellcheck
       ## Conditional build dependencies
       ## Always installed, so we don't need sudo
       - asciidoc
@@ -142,6 +143,7 @@ addons:
       - pkg-config
       ## Optional build dependencies
       - ccache
+      - shellcheck
       ## Conditional build dependencies
       ## Always installed, because manual brew installs are hard to get right
       - asciidoc

Makefile.am

@@ -31,9 +31,7 @@ TESTING_TOR_BINARY=$(top_builddir)/src/app/tor$(EXEEXT)
 endif
 
 if USE_RUST
-## this MUST be $(), otherwise am__DEPENDENCIES will not track it
-rust_ldadd=$(top_builddir)/$(TOR_RUST_LIB_PATH) \
-	$(TOR_RUST_EXTRA_LIBS)
+rust_ldadd=$(top_builddir)/$(TOR_RUST_LIB_PATH)
 else
 rust_ldadd=
 endif
@@ -42,6 +40,9 @@ endif
 TOR_UTIL_LIBS = \
         src/lib/libtor-geoip.a \
 	src/lib/libtor-process.a \
+        src/lib/libtor-buf.a \
+	src/lib/libtor-pubsub.a \
+	src/lib/libtor-dispatch.a \
 	src/lib/libtor-time.a \
 	src/lib/libtor-fs.a \
 	src/lib/libtor-encoding.a \
@@ -62,6 +63,7 @@ TOR_UTIL_LIBS = \
 	src/lib/libtor-malloc.a \
 	src/lib/libtor-wallclock.a \
 	src/lib/libtor-err.a \
+	src/lib/libtor-version.a \
 	src/lib/libtor-intmath.a \
 	src/lib/libtor-ctime.a
 
@@ -71,6 +73,9 @@ if UNITTESTS_ENABLED
 TOR_UTIL_TESTING_LIBS = \
         src/lib/libtor-geoip-testing.a \
 	src/lib/libtor-process-testing.a \
+        src/lib/libtor-buf-testing.a \
+	src/lib/libtor-pubsub-testing.a \
+	src/lib/libtor-dispatch-testing.a \
 	src/lib/libtor-time-testing.a \
 	src/lib/libtor-fs-testing.a \
 	src/lib/libtor-encoding-testing.a \
@@ -91,6 +96,7 @@ TOR_UTIL_TESTING_LIBS = \
 	src/lib/libtor-malloc-testing.a \
 	src/lib/libtor-wallclock-testing.a \
 	src/lib/libtor-err-testing.a \
+	src/lib/libtor-version-testing.a \
 	src/lib/libtor-intmath.a \
 	src/lib/libtor-ctime-testing.a
 endif
@@ -159,7 +165,12 @@ EXTRA_DIST+= \
 	README						\
 	ReleaseNotes					\
 	scripts/maint/checkIncludes.py                  \
-	scripts/maint/checkSpace.pl
+	scripts/maint/checkSpace.pl 			\
+	scripts/maint/practracker/exceptions.txt	\
+	scripts/maint/practracker/metrics.py		\
+	scripts/maint/practracker/practracker.py	\
+	scripts/maint/practracker/problem.py		\
+	scripts/maint/practracker/util.py
 
 ## This tells etags how to find mockable function definitions.
 AM_ETAGSFLAGS=--regex='{c}/MOCK_IMPL([^,]+,\W*\([a-zA-Z0-9_]+\)\W*,/\1/s'
@@ -213,7 +224,16 @@ doxygen:
 test: all
 	$(top_builddir)/src/test/test
 
-check-local: check-spaces check-changes check-includes
+shellcheck:
+        # Only use shellcheck if it is present
+	if command -v shellcheck; then \
+	        find $(top_srcdir)/scripts/ -name "*.sh" -exec shellcheck {} +; \
+	        if [ -d "$(top_srcdir)/scripts/test" ]; then \
+                        shellcheck $(top_srcdir)/scripts/test/cov-diff $(top_srcdir)/scripts/test/coverage; \
+                fi; \
+	fi
+
+check-local: check-spaces check-changes check-includes shellcheck
 
 need-chutney-path:
 	@if test ! -d "$$CHUTNEY_PATH"; then \
@@ -317,11 +337,8 @@ coverage-html-full: all
 	lcov --remove "$(HTML_COVER_DIR)/lcov.tmp" --rc lcov_branch_coverage=1 'test/*' 'ext/tinytest*' '/usr/*' --output-file "$(HTML_COVER_DIR)/lcov.info"
 	genhtml --branch-coverage -o "$(HTML_COVER_DIR)" "$(HTML_COVER_DIR)/lcov.info"
 
-# Avoid strlcpy.c, strlcat.c, aes.c, OpenBSD_malloc_Linux.c, sha256.c,
-# tinytest*.[ch]
-check-spaces:
-if USE_PERL
-	$(PERL) $(top_srcdir)/scripts/maint/checkSpace.pl -C \
+# For scripts: avoid src/ext and src/trunnel.
+OWNED_TOR_C_FILES=\
 		$(top_srcdir)/src/lib/*/*.[ch] \
 		$(top_srcdir)/src/core/*/*.[ch] \
 		$(top_srcdir)/src/feature/*/*.[ch] \
@@ -329,6 +346,11 @@ if USE_PERL
 		$(top_srcdir)/src/test/*.[ch] \
 		$(top_srcdir)/src/test/*/*.[ch] \
 		$(top_srcdir)/src/tools/*.[ch]
+
+check-spaces:
+if USE_PERL
+	$(PERL) $(top_srcdir)/scripts/maint/checkSpace.pl -C \
+		$(OWNED_TOR_C_FILES)
 endif
 
 check-includes:
@@ -336,6 +358,14 @@ if USEPYTHON
 	$(PYTHON) $(top_srcdir)/scripts/maint/checkIncludes.py
 endif
 
+check-best-practices:
+if USEPYTHON
+	$(PYTHON) $(top_srcdir)/scripts/maint/practracker/practracker.py $(top_srcdir)
+endif
+
+practracker-regen:
+	$(PYTHON) $(top_srcdir)/scripts/maint/practracker/practracker.py --regen $(top_srcdir)
+
 check-docs: all
 	$(PERL) $(top_builddir)/scripts/maint/checkOptionDocs.pl
 
@@ -412,13 +442,13 @@ endif
 check-changes:
 if USEPYTHON
 	@if test -d "$(top_srcdir)/changes"; then \
-		$(PYTHON) $(top_srcdir)/scripts/maint/lintChanges.py $(top_srcdir)/changes; \
+		PACKAGE_VERSION=$(PACKAGE_VERSION) $(PYTHON) $(top_srcdir)/scripts/maint/lintChanges.py $(top_srcdir)/changes; \
 		fi
 endif
 
 .PHONY: update-versions
 update-versions:
-	$(PERL) $(top_builddir)/scripts/maint/updateVersions.pl
+	abs_top_srcdir="$(abs_top_srcdir)" $(PYTHON) $(top_srcdir)/scripts/maint/update_versions.py
 
 .PHONY: callgraph
 callgraph:
@@ -431,6 +461,25 @@ version:
 	   (cd "$(top_srcdir)" && git rev-parse --short=16 HEAD); \
 	fi
 
+.PHONY: autostyle-ifdefs
+autostyle-ifdefs:
+	$(PYTHON) scripts/maint/annotate_ifdef_directives $(OWNED_TOR_C_FILES)
+
+.PHONY: autostyle-ifdefs
+autostyle-operators:
+	$(PERL) scripts/coccinelle/test-operator-cleanup $(OWNED_TOR_C_FILES)
+
+.PHONY: rectify-includes
+rectify-includes:
+	$(PYTHON) scripts/maint/rectify_include_paths.py
+
+.PHONY: update-copyright
+update-copyright:
+	$(PERL) scripts/maint/updateCopyright.pl $(OWNED_TOR_C_FILES)
+
+.PHONY: autostyle
+autostyle: update-versions rustfmt autostyle-ifdefs rectify-includes
+
 mostlyclean-local:
 	rm -f $(top_builddir)/src/*/*.gc{da,no} $(top_builddir)/src/*/*/*.gc{da,no}
 	rm -rf $(HTML_COVER_DIR)

autogen.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-if [ -x "`which autoreconf 2>/dev/null`" ] ; then
+if command -v autoreconf; then
   opt="-i -f -W all,error"
 
-  for i in $@; do
+  for i in "$@"; do
     case "$i" in
       -v)
         opt="${opt} -v"
@@ -11,6 +11,7 @@ if [ -x "`which autoreconf 2>/dev/null`" ] ; then
     esac
   done
 
+  # shellcheck disable=SC2086
   exec autoreconf $opt
 fi
 

changes/29241_diagnostic

@@ -1,4 +0,0 @@
-  o Minor features (NSS, diagnostic):
-    - Try to log an error from NSS (if there is any) and a more useful
-      description of our situation if we are using NSS and a call to
-      SSL_ExportKeyingMaterial() fails.  Diagnostic for ticket 29241.

changes/bug13221

@@ -1,5 +0,0 @@
-  o Minor bugfixes (logging):
-    - Correct a misleading error message when IPv4Only or IPv6Only
-      is used but the resolved address can not be interpreted as an
-      address of the specified IP version.  Fixes bug 13221; bugfix
-      on 0.2.3.9-alpha.  Patch from Kris Katterjohn.

changes/bug24661

@@ -1,3 +0,0 @@
-  o Minor bugfixes (client, guard selection):
-    - When Tor's consensus has expired, but is still reasonably live, use it
-      to select guards. Fixes bug 24661; bugfix on 0.3.0.1-alpha.

changes/bug27197

@@ -1,3 +0,0 @@
-  o Minor bugfixes (protover, rust):
-    - Reject extra commas in version string. Fixes bug 27197; bugfix on
-      0.3.3.3-alpha.

changes/bug27199

@@ -1,3 +0,0 @@
-  o Minor bugfixes (rust):
-    - Abort on panic in all build profiles, instead of potentially unwinding
-      into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha.

changes/bug27740

@@ -1,4 +0,0 @@
-  o Minor bugfixes (rust):
-    - Return a string that can be safely freed by C code, not one created by
-      the rust allocator, in protover_all_supported(). Fixes bug 27740; bugfix
-      on 0.3.3.1-alpha.

changes/bug27741

@@ -1,5 +0,0 @@
-  o Minor bugfixes (rust, directory authority):
-    - Fix an API mismatch in the rust implementation of
-      protover_compute_vote(). This bug could have caused crashes on any
-      directory authorities running Tor with Rust (which we do not yet
-      recommend). Fixes bug 27741; bugfix on 0.3.3.6.

changes/bug27750

@@ -1,6 +0,0 @@
-  o Minor bugfixes (connection, relay):
-    - Avoid a wrong BUG() stacktrace in case a closing connection is being held
-      open because the write side is rate limited but not the read side. Now,
-      the connection read side is simply shutdown instead of kept open until tor
-      is able to flush the connection and then fully close it. Fixes bug 27750;
-      bugfix on 0.3.4.1-alpha.

changes/bug27800

@@ -1,4 +0,0 @@
-  o Minor bugfixes (directory authority):
-    - Log additional info when we get a relay that shares an ed25519
-      ID with a different relay, instead making a BUG() warning.
-      Fixes bug 27800; bugfix on 0.3.2.1-alpha.

changes/bug27804

@@ -1,3 +0,0 @@
-  o Minor bugfixes (rust):
-    - Fix a potential null dereference in protover_all_supported().
-      Add a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.

changes/bug27841

@@ -1,7 +0,0 @@
-  o Minor bugfixes (onion services):
-    - On an intro point for a version 3 onion service, we do not close
-      an introduction circuit on an NACK. This lets the client decide
-      whether to reuse the circuit or discard it. Previously, we closed
-      intro circuits on NACKs. Fixes bug 27841; bugfix on 0.3.2.1-alpha.
-      Patch by Neel Chaunan
-

changes/bug27948

@@ -1,6 +0,0 @@
-  o Minor bugfixes (tests):
-    - Treat backtrace test failures as expected on BSD-derived systems
-      (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
-      (FreeBSD failures have been treated as expected since 18204 in 0.2.8.)
-      Fixes bug 27948; bugfix on 0.2.5.2-alpha.
-

changes/bug27963_timeradd

@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation, opensolaris):
-    - Add a missing include to compat_pthreads.c, to fix compilation
-      on OpenSolaris and its descendants. Fixes bug 27963; bugfix
-      on 0.3.5.1-alpha.

changes/bug27968

@@ -1,3 +0,0 @@
-  o Minor bugfixes (testing):
-    - Avoid hangs and race conditions in test_rebind.py.
-      Fixes bug 27968; bugfix on 0.3.5.1-alpha.

changes/bug28096

@@ -1,13 +0,0 @@
-  o Minor bugfixes (Windows):
-    - Correctly identify Windows 8.1, Windows 10, and Windows Server 2008
-      and later from their NT versions.
-      Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.
-    - On recent Windows versions, the GetVersionEx() function may report
-      an earlier Windows version than the running OS. To avoid user
-      confusion, add "[or later]" to Tor's version string on affected
-      versions of Windows.
-      Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.
-    - Remove Windows versions that were never supported by the
-      GetVersionEx() function. Stop duplicating the latest Windows
-      version in get_uname().
-      Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.

changes/bug28115

@@ -1,3 +0,0 @@
-  o Minor bugfixes (portability):
-    - Make the OPE code (which is used for v3 onion services) run correctly
-      on big-endian platforms. Fixes bug 28115; bugfix on 0.3.5.1-alpha.

changes/bug28127

@@ -1,7 +0,0 @@
-  o Minor bugfixes (onion services):
-    - Unless we have explicitly set HiddenServiceVersion, detect the onion
-      service version and then look for invalid options. Previously, we
-      did the reverse, but that broke existing configs which were pointed
-      to a v2 hidden service and had options like HiddenServiceAuthorizeClient
-      set Fixes bug 28127; bugfix on 0.3.5.1-alpha. Patch by Neel Chauhan.
-

changes/bug28183

@@ -1,4 +0,0 @@
-  o Minor bugfixes (Linux seccomp2 sandbox):
-    - Permit the "shutdown()" system call, which is apparently
-      used by OpenSSL under some circumstances. Fixes bug 28183;
-      bugfix on 0.2.5.1-alpha.

changes/bug28202

@@ -1,4 +0,0 @@
-  o Minor bugfixes (C correctness):
-    - Avoid undefined behavior in an end-of-string check when parsing the
-      BEGIN line in a directory object.  Fixes bug 28202; bugfix on
-      0.2.0.3-alpha.

changes/bug28245

@@ -1,6 +0,0 @@
-  o Major bugfixes (OpenSSL, portability):
-    - Fix our usage of named groups when running as a TLS 1.3 client in
-      OpenSSL 1.1.1. Previously, we only initialized EC groups when running
-      as a server, which caused clients to fail to negotiate TLS 1.3 with
-      relays. Fixes bug 28245; bugfix on 0.2.9.15 when TLS 1.3 support was
-      added.

changes/bug28298

@@ -1,4 +0,0 @@
-  o Minor bugfixes (configuration):
-    - Resume refusing to start with relative file paths and RunAsDaemon
-      set (regression from the fix for bug 22731). Fixes bug 28298;
-      bugfix on 0.3.3.1-alpha.

changes/bug28303

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Fix a pair of missing headers on OpenBSD. Fixes bug 28303;
-      bugfix on 0.3.5.1-alpha. Patch from  Kris Katterjohn.

changes/bug28348_034

@@ -1,5 +0,0 @@
-  o Major bugfixes (embedding, main loop):
-    - When DisableNetwork becomes set, actually disable periodic events that
-      are already enabled. (Previously, we would refrain from enabling new
-      ones, but we would leave the old ones turned on.)
-      Fixes bug 28348; bugfix on 0.3.4.1-alpha.

changes/bug28399

@@ -1,4 +0,0 @@
-  o Minor bugfixes (continuous integration, Windows):
-    - Stop using an external OpenSSL install, and stop installing MSYS2
-      packages, when building using mingw on Appveyor Windows CI.
-      Fixes bug 28399; bugfix on 0.3.4.1-alpha.

changes/bug28413

@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Initialize a variable in aes_new_cipher(), since some compilers
-      cannot tell that we always initialize it before use. Fixes bug 28413;
-      bugfix on 0.2.9.3-alpha.

changes/bug28419

@@ -1,3 +0,0 @@
-  o Minor bugfixes (memory leaks):
-    - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419;
-      bugfix on 0.3.3.1-alpha.  Patch from Martin Kepplinger.

changes/bug28435

@@ -1,3 +0,0 @@
-  o Minor bugfixes (documentation):
-    - Make Doxygen work again after the 0.3.5 source tree moves.
-      Fixes bug 28435; bugfix on 0.3.5.1-alpha.

changes/bug28441

@@ -1,4 +0,0 @@
-  o Minor bugfixes (logging):
-    - Stop talking about the Named flag in log messages. Clients have
-      ignored the Named flag since 0.3.2. Fixes bug 28441;
-      bugfix on 0.3.2.1-alpha.

changes/bug28454

@@ -1,4 +0,0 @@
-  o Minor bugfixes (continuous integration, Windows):
-    - Manually configure the zstd compiler options, when building using
-      mingw on Appveyor Windows CI. The MSYS2 mingw zstd package does not
-      come with a pkg-config file. Fixes bug 28454; bugfix on 0.3.4.1-alpha.

changes/bug28485

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Add missing dependency on libgdi32.dll for tor-print-ed-signing-cert.exe
-      on Windows. Fixes bug 28485; bugfix on 0.3.5.1-alpha.

changes/bug28524

@@ -1,4 +0,0 @@
-  o Minor bugfixes (restart-in-process, boostrap):
-    - Add missing resets of bootstrap tracking state when shutting
-      down (regression caused by ticket 27169).  Fixes bug 28524;
-      bugfix on 0.3.5.1-alpha.

changes/bug28525

@@ -1,7 +0,0 @@
-  o Minor features (address selection):
-    - Make Tor aware of the RFC 6598 (Carrier Grade NAT) IP range, which is the
-      subnet 100.64.0.0/10. This is deployed by many ISPs as an alternative to
-      RFC 1918 that does not break existing internal networks. This patch fixes
-      security issues caused by RFC 6518 by blocking control ports on these
-      addresses and warns users if client ports or ExtORPorts are listening on
-      a RFC 6598 address. Closes ticket 28525. Patch by Neel Chauhan.

changes/bug28554

@@ -1,3 +0,0 @@
-  o Minor bugfixes (unit tests, guard selection):
-    - Stop leaking memory in an entry guard unit test. Fixes bug 28554;
-      bugfix on 0.3.0.1-alpha.

changes/bug28562

@@ -1,5 +0,0 @@
-  o Minor bugfixes (testing):
-    - Use a separate DataDirectory for the test_rebind script.
-      Previously, this script would run using the default DataDirectory,
-      and sometimes fail. Fixes bug 28562; bugfix on 0.3.5.1-alpha.
-      Patch from Taylor R Campbell.

changes/bug28568

@@ -1,4 +0,0 @@
-  o Minor bugfixes (testing):
-    - Stop running stem's unit tests as part of "make test-stem". But continue
-      to run stem's unit and online tests during "make test-stem-full".
-      Fixes bug 28568; bugfix on 0.2.6.3-alpha.

changes/bug28569

@@ -1,3 +0,0 @@
-  o Minor bugfixes (unit tests, directory clients):
-    - Mark outdated dirservers when Tor only has a reasonably live consensus.
-      Fixes bug 28569; bugfix on 0.3.2.5-alpha.

changes/bug28612

@@ -1,4 +0,0 @@
-  o Minor bugfixes (windows services):
-    - Make Tor start correctly as an NT service again: previously it
-      was broken by refactoring.  Fixes bug 28612; bugfix on 0.3.5.3-alpha.
-      

changes/bug28619

@@ -1,6 +0,0 @@
-  o Minor bugfixes (hidden service v3):
-    - When deleting an ephemeral onion service (DEL_ONION), do not close any
-      rendezvous circuits in order to let the existing client connections
-      finish by themselves or closed by the application. The HS v2 is doing
-      that already so now we have the same behavior for all versions. Fixes
-      bug 28619; bugfix on 0.3.3.1-alpha.

changes/bug28656

@@ -1,3 +0,0 @@
-  o Minor bugfixes (logging):
-    - Stop logging a BUG() warning when tor is waiting for exit descriptors.
-      Fixes bug 28656; bugfix on 0.3.5.1-alpha.

changes/bug28698

@@ -1,3 +0,0 @@
-  o Minor bugfix (logging):
-    - Avoid logging about relaxing circuits when their time is fixed.
-      Fixes bug 28698; bugfix on 0.2.4.7-alpha

changes/bug28895

@@ -1,5 +0,0 @@
-  o Minor bugfixes (usability):
-    - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate()
-      as that confusingly suggests that mentioned guard node is under control
-      and responsibility of end user, which it is not. Fixes bug 28895;
-      bugfix on Tor 0.3.0.1-alpha.

changes/bug28920

@@ -1,6 +0,0 @@
-  o Minor bugfixes (logging):
-    - Rework rep_hist_log_link_protocol_counts() to iterate through all link
-      protocol versions when logging incoming/outgoing connection counts. Tor
-      no longer skips version 5 and we don't have to remember to update this
-      function when new link protocol version is developed. Fixes bug 28920;
-      bugfix on 0.2.6.10.

changes/bug28938

@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Fix missing headers required for proper detection of
-      OpenBSD.  Fixes bug 28938; bugfix on 0.3.5.1-alpha.
-      Patch from Kris Katterjohn.

changes/bug28974

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Fix compilation for Android by adding a missing header to
-      freespace.c.  Fixes bug 28974; bugfix on 0.3.5.1-alpha.

changes/bug28979

@@ -1,4 +0,0 @@
-  o Minor bugfixes (documentation):
-    - Describe the contents of the v3 onion service client authorization
-      files correctly: They hold public keys, not private keys. Fixes bug
-      28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".

changes/bug28981

@@ -1,5 +0,0 @@
-  o Minor bugfixes (misc):
-    - The amount of total available physical memory is now determined
-      using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM)
-      when it is defined and a 64-bit variant is not available.  Fixes
-      bug 28981; bugfix on 0.2.5.4-alpha.  Patch from Kris Katterjohn.

changes/bug28995

@@ -1,5 +0,0 @@
-  o Minor bugfix (IPv6):
-    Fix tor_ersatz_socketpair on IPv6-only systems.  Previously,
-    the IPv6 socket was bound using an address family of AF_INET
-    instead of AF_INET6.  Fixes bug 28995; bugfix on 0.3.5.1-alpha.
-    Patch from Kris Katterjohn.

changes/bug29017

@@ -1,4 +0,0 @@
-  o Minor bugfixes (stats):
-    - When ExtraInfoStatistics is 0, stop including PaddingStatistics in
-      relay and bridge extra-info documents. Fixes bug 29017;
-      bugfix on 0.3.1.1-alpha.

changes/bug29029

@@ -1,5 +0,0 @@
-  o Minor bugfixes (logging, onion services):
-    - Stop logging "Tried to establish rendezvous on non-OR circuit..." as
-      a warning. Instead, log it as a protocol warning, because there is
-      nothing that relay operators can do to fix it. Fixes bug 29029;
-      bugfix on 0.2.5.7-rc.

changes/bug29036

@@ -1,5 +0,0 @@
-  o Minor bugfix (continuous integration):
-    - Reset coverage state on disk after Travis CI has finished. This is being
-      done to prevent future gcda file merge errors which causes the test suite
-      for the process subsystem to fail. The process subsystem was introduced
-      in 0.4.0.1-alpha. Fixes bug 29036; bugfix on 0.2.9.15.

changes/bug29040

@@ -1,4 +0,0 @@
-  o Minor bugfixes (onion services):
-    - Avoid crashing if ClientOnionAuthDir (incorrectly) contains
-      more than one private key for a hidden service. Fixes bug 29040;
-      bugfix on 0.3.5.1-alpha.

changes/bug29042

@@ -1,5 +0,0 @@
-  o Minor bugfixes (logging):
-    - Log more information at "warning" level when unable to read a private
-      key; log more information ad "info" level when unable to read a public
-      key. We had warnings here before, but they were lost during our
-      NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha.

changes/bug29135

@@ -1,5 +0,0 @@
-  o Minor bugfixes (onion services, logging):
-    - In hs_cache_store_as_client() log an HSDesc we failed to parse at Debug
-      loglevel. Tor used to log it at Warning loglevel, which caused
-      very long log lines to appear for some users. Fixes bug 29135; bugfix on
-      0.3.2.1-alpha.

changes/bug29144

@@ -1,5 +0,0 @@
-  o Minor bugfixes (logging):
-    - Log the correct port number for listening sockets when "auto" is
-      used to let Tor pick the port number.  Previously, port 0 was
-      logged instead of the actual port number.  Fixes bug 29144;
-      bugfix on 0.3.5.1-alpha.  Patch from Kris Katterjohn.

changes/bug29145

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation, testing):
-    - Silence a compiler warning in test-memwipe.c on OpenBSD.  Fixes
-      bug 29145; bugfix on 0.2.9.3-alpha.  Patch from Kris Katterjohn.

changes/bug29161

@@ -1,3 +0,0 @@
-  o Minor bugfixes (tests):
-    - Detect and suppress "bug" warnings from the util/time test on Windows.
-      Fixes bug 29161; bugfix on 0.2.9.3-alpha.

changes/bug29175_035

@@ -1,4 +0,0 @@
-  o Major bugfixes (networking):
-    - Gracefully handle empty username/password fields in SOCKS5
-      username/password auth messsage and allow SOCKS5 handshake to
-      continue. Fixes bug 29175; bugfix on 0.3.5.1-alpha.

changes/bug29241

@@ -1,6 +0,0 @@
-  o Major bugfixes (NSS, relay):
-    - When running with NSS, disable TLS 1.2 ciphersuites that use SHA384
-      for their PRF. Due to an NSS bug, the TLS key exporters for these
-      ciphersuites don't work -- which caused relays to fail to handshake
-      with one another when these ciphersuites were enabled.
-      Fixes bug 29241; bugfix on 0.3.5.1-alpha.

changes/bug29244

@@ -1,4 +0,0 @@
-  o Minor bugfixes (build, compatibility):
-    - Update Cargo.lock file to match the version made by the latest
-      version of Rust, so that "make distcheck" will pass again.
-      Fixes bug 29244; bugfix on 0.3.3.4-alpha.

changes/bug29530_035

@@ -1,5 +0,0 @@
-  o Minor bugfixes (testing):
-    - Downgrade some LOG_ERR messages in the address/* tests to warnings.
-      The LOG_ERR messages were occurring when we had no configured network.
-      We were failing the unit tests, because we backported 28668 to 0.3.5.8,
-      but did not backport 29530. Fixes bug 29530; bugfix on 0.3.5.8.

changes/bug29599

@@ -1,3 +0,0 @@
-  o Minor bugfixes (memory management, testing):
-    - Stop leaking parts of the shared random state in the shared-random unit
-      tests. Fixes bug 29599; bugfix on 0.2.9.1-alpha.

changes/bug29601

@@ -1,6 +0,0 @@
-  o Minor bugfixes (Windows, CI):
-    - Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit Windows
-      Server 2012 R2 job. The remaining 2 jobs still provide coverage of
-      64/32-bit, and Windows Server 2016/2012 R2. Also set fast_finish, so
-      failed jobs terminate the build immediately.
-      Fixes bug 29601; bugfix on 0.3.5.4-alpha.

changes/bug29665

@@ -1,7 +0,0 @@
-  o Minor bugfixes (single onion services):
-    - Allow connections to single onion services to remain idle without
-      being disconnected. Relays acting as rendezvous points for
-      single onion services were mistakenly closing idle established
-      rendezvous circuits after 60 seconds, thinking that they are unused
-      directory-fetching circuits that had served their purpose. Fixes
-      bug 29665; bugfix on 0.2.1.26.

changes/bug29670

@@ -1,4 +0,0 @@
-  o Minor bugfixes (configuration, proxies):
-    - Fix a bug that prevented us from supporting SOCKS5 proxies that want
-      authentication along with configued (but unused!)
-      ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha.

changes/bug29703

@@ -1,4 +0,0 @@
-  o Minor bugfixes (testing):
-    - Backport the 0.3.4 src/test/test-network.sh to 0.2.9.
-      We need a recent test-network.sh to use new chutney features in CI.
-      Fixes bug 29703; bugfix on 0.2.9.1-alpha.

changes/bug29706_minimal

@@ -1,4 +0,0 @@
-  o Minor bugfixes (memory management, testing):
-    - Stop leaking parts of the shared random state in the shared-random unit
-      tests. The previous fix in 29599 was incomplete.
-      Fixes bug 29706; bugfix on 0.2.9.1-alpha.

changes/bug29875

@@ -1,11 +0,0 @@
-  o Major bugfixes (bridges):
-    - Do not count previously configured working bridges towards our total of
-      working bridges. Previously, when Tor's list of bridges changed, it
-      would think that the old bridges were still usable, and delay fetching
-      router descriptors for the new ones.  Fixes part of bug 29875; bugfix
-      on 0.3.0.1-alpha.
-    - Consider our directory information to have changed when our list of
-      bridges changes. Previously, Tor would not re-compute the status of its
-      directory information when bridges changed, and therefore would not
-      realize that it was no longer able to build circuits. Fixes part of bug
-      29875.

changes/bug29922

@@ -1,4 +0,0 @@
-  o Minor bugfixes (testing, windows):
-    - Fix a test failure caused by an unexpected bug warning in
-      our test for tor_gmtime_r(-1). Fixes bug 29922;
-      bugfix on 0.2.9.3-alpha.

changes/bug30011

@@ -1,4 +0,0 @@
-  o Minor bugfixes (CI):
-    - Terminate test-stem if it takes more than 9.5 minutes to run.
-      (Travis terminates the job after 10 minutes of no output.)
-      Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha.

changes/bug30021

@@ -1,8 +0,0 @@
-  o Minor bugfixes (TLS protocol, integration tests):
-    - When classifying a client's selection of TLS ciphers, if the client
-      ciphers are not yet available, do not cache the result. Previously,
-      we had cached the unavailability of the cipher list and never looked
-      again, which in turn led us to assume that the client only supported
-      the ancient V1 link protocol.  This, in turn, was causing Stem
-      integration tests to stall in some cases.
-      Fixes bug 30021; bugfix on 0.2.4.8-alpha.

changes/bug30040

@@ -1,9 +0,0 @@
-  o Minor bugfixes (security):
-    - Fix a potential double free bug when reading huge bandwidth files. The
-      issue is not exploitable in the current Tor network because the
-      vulnerable code is only reached when directory authorities read bandwidth
-      files, but bandwidth files come from a trusted source (usually the
-      authorities themselves). Furthermore, the issue is only exploitable in
-      rare (non-POSIX) 32-bit architectures which are not used by any of the
-      current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found
-      and fixed by Tobias Stoeckmann.

changes/bug30041

@@ -1,5 +0,0 @@
-  o Minor bugfixes (hardening):
-    - Verify in more places that we are not about to create a buffer
-      with more than INT_MAX bytes, to avoid possible OOB access in the event
-      of bugs.  Fixes bug 30041; bugfix on 0.2.0.16.  Found and fixed by
-      Tobias Stoeckmann.

changes/bug30148

@@ -1,4 +0,0 @@
-  o Minor bugfixes (memory leak):
-    - Avoid a minor memory leak that could occur on relays when
-      creating a keys directory failed. Fixes bug 30148; bugfix on
-      0.3.3.1-alpha.

changes/bug30189

@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation, unusual configuration):
-    - Avoid failures when building with ALL_BUGS_ARE_FAILED due to
-      missing declarations of abort(), and prevent other such failures
-      in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha.

changes/bug30190

@@ -1,3 +0,0 @@
-  o Minor bugfixes (lib):
-    do not log a warning for OpenSSL versions that should be compatible
-    Fixes bug 30190; bugfix on 0.2.4.2-alpha

changes/bug30316

@@ -1,4 +0,0 @@
-  o Minor bugfixes (directory authority):
-    - Move the "bandwidth-file-headers" line in directory authority votes
-      so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix on
-      0.3.5.1-alpha.

changes/bug30452

@@ -1,3 +0,0 @@
-  o Minor features (compile-time modules):
-    - Add a --list-modules command to print a list of which compile-time
-      modules are enabled. Closes ticket 30452.

changes/bug30475

@@ -1,4 +0,0 @@
-  o Minor bugfixes ():
-    - Avoid a GCC 9.1.1 warning (and possible crash depending on libc
-      implemenation) when failing to load a hidden service client authorization
-      file.  Fixes bug 30475; bugfix on 0.3.5.1-alpha.

changes/bug30561

@@ -1,6 +0,0 @@
-  o Minor bugfixes (portability):
-    - Avoid crashing in our tor_vasprintf() implementation on systems that
-      define neither vasprintf() nor _vscprintf(). (This bug has been here
-      long enough that we question whether people are running Tor on such
-      systems, but we're applying the fix out of caution.) Fixes bug 30561;
-      bugfix on 0.2.8.2-alpha. Found and fixed by Tobias Stoeckmann.

changes/bug30649

@@ -0,0 +1,4 @@
+  o Minor bugfixes (circuit padding):
+    - On relays, properly check that a padding machine is absent before
+      logging a warn about it being absent. Fixes bug 30649;
+      bugfix on 0.4.0.1-alpha.

changes/bug30942

@@ -0,0 +1,4 @@
+  o Minor bugfixes (circuit padding):
+    - Ignore non-padding cells on padding circuits. This addresses various
+      warning messages from subsystems that were not expecting padding
+      circuits. Fixes bug 30942; bugfix on 0.4.1.1-alpha.

changes/bug30956

@@ -0,0 +1,4 @@
+  o Minor bugfixes (pluggable transports):
+    - Always publish bridge pluggable transport information in the extra info
+      descriptor, even if ExtraInfoStatistics is 0. This information is
+      needed by BridgeDB. Fixes bug 30956; bugfix on 0.4.1.1-alpha.

changes/bug31024

@@ -0,0 +1,4 @@
+  o Minor bugfixes (circuitpadding):
+    - Add two NULL checks in unreachable places to silence Coverity (CID 144729
+      and 1447291) and better future proof ourselves. Fixes bug 31024; bugfix
+      on 0.4.1.1-alpha.

changes/bug31027

@@ -0,0 +1,3 @@
+  o Code simplification and refactoring:
+    - Remove some dead code from circpad_machine_remove_token() to fix some
+      Coverity warnings (CID 1447298). Fixes bug 31027; bugfix on 0.4.1.1-alpha.

changes/bug31080_041

@@ -0,0 +1,4 @@
+  o Minor bugfixes (logging):
+    - Fix a conflict between the flag used for messaging-domain
+      log messages, and the LD_NO_MOCK testing flag. Fixes bug 31080;
+      bugfix on 0.4.1.1-alpha.

changes/bug31356_and_logs

@@ -0,0 +1,11 @@
+  o Minor bugfixes (circuit padding negotiation):
+    - Bump circuit padding protover to explicitly signify that the hs setup
+      machine support is finalized in 0.4.1.x-stable. This also means that
+      0.4.1.x-alpha clients will not negotiate padding with 0.4.1.x-stable
+      relays, and 0.4.1.x-stable clients will not negotiate padding with
+      0.4.1.x-alpha relays (or 0.4.0.x relays). Fixes bug 31356;
+      bugfix on 0.4.1.1-alpha.
+  o Minor features (circuit padding logging):
+    - Demote noisy client-side warn log to a protocol warning. Add additional
+      log messages and circuit id fields to help with fixing bug 30992 and any
+      other future issues.

changes/bug31552

@@ -0,0 +1,5 @@
+  o Minor bugfixes (compilation):
+    - Add more stub functions to fix compilation on Android with LTO, when
+      --disable-module-dirauth is used. Previously, these compilation
+      settings would make the compiler look for functions that didn't exist.
+      Fixes bug 31552; bugfix on 0.4.1.1-alpha.

changes/bug31570

@@ -0,0 +1,5 @@
+  o Major bugfixes (crash, android):
+    - Tolerate systems (including some Android installations) where madvise
+      and MADV_DONTDUMP are available at build-time, but not at run time.
+      Previously, these systems would notice a failed syscall and abort.
+      Fixes bug 31570; bugfix on 0.4.1.1-alpha.

changes/bug31594

@@ -0,0 +1,5 @@
+  o Minor bugfixes (error handling):
+    - When tor aborts due to an error, close log file descriptors before
+      aborting. Closing the logs makes some OSes flush log file buffers,
+      rather than deleting buffered log lines. Fixes bug 31594;
+      bugfix on 0.2.5.2-alpha.

changes/bug31614

@@ -0,0 +1,9 @@
+  o Minor bugfixes (logging):
+    - Disable backtrace signal handlers when shutting down tor.
+      Fixes bug 31614; bugfix on 0.2.5.2-alpha.
+    - Add a missing check for HAVE_PTHREAD_H, because the backtrace code uses
+      mutexes. Fixes bug 31614; bugfix on 0.2.5.2-alpha.
+  o Documentation:
+    - Explain why we can't destroy the backtrace buffer mutex. Explain why
+      we don't need to destroy the log mutex.
+      Closes ticket 31736.

changes/bug31696

@@ -0,0 +1,5 @@
+  o Major bugfixes (crash, Linux):
+    - Tolerate systems (including some Linux installations) where madvise
+      and/or MADV_DONTFORK are available at build-time, but not at run time.
+      Previously, these systems would notice a failed syscall and abort.
+      Fixes bug 31696; bugfix on 0.4.1.1-alpha.

changes/bug31736

@@ -0,0 +1,3 @@
+  o Minor bugfixes (multithreading):
+    - Avoid some undefined behaviour when freeing mutexes.
+      Fixes bug 31736; bugfix on 0.0.7.

changes/bug31810

@@ -0,0 +1,4 @@
+  o Minor bugfixes (process management):
+    - Remove assertion in the Unix process backend. This assertion would trigger
+      when a new process is spawned where the executable is not found leading to
+      a stack trace from the child process. Fixes bug 31810; bugfix on 0.4.0.1-alpha.