Merge branch 'maint-0.3.5' into bug31107_035

.appveyor.yml

@@ -0,0 +1,119 @@
+version: 1.0.{build}
+
+clone_depth: 50
+
+# Appveyor images are named after the Visual Studio version they contain.
+# But we compile using MinGW, not Visual Studio.
+# We use these images because they have different Windows versions.
+image:
+  # Windows Server 2016
+  - Visual Studio 2017
+  # Windows Server 2012 R2
+  - Visual Studio 2015
+
+environment:
+  compiler: mingw
+
+  matrix:
+  - target: i686-w64-mingw32
+    compiler_path: mingw32
+    mingw_prefix: mingw-w64-i686
+    hardening:
+  - target: x86_64-w64-mingw32
+    compiler_path: mingw64
+    mingw_prefix: mingw-w64-x86_64
+    # hardening doesn't work with mingw-w64-x86_64-gcc, because it's gcc 8
+    hardening: --disable-gcc-hardening
+
+matrix:
+  # Don't keep building failing jobs
+  fast_finish: true
+  # Skip the 32-bit Windows Server 2016 job, and the 64-bit Windows Server
+  # 2012 R2 job, to speed up the build.
+  # The environment variables must be listed without the 'environment' tag.
+  exclude:
+    - image: Visual Studio 2017
+      target: i686-w64-mingw32
+      compiler_path: mingw32
+      mingw_prefix: mingw-w64-i686
+      hardening:
+    - image: Visual Studio 2015
+      target: x86_64-w64-mingw32
+      compiler_path: mingw64
+      mingw_prefix: mingw-w64-x86_64
+      # hardening doesn't work with mingw-w64-x86_64-gcc, because it's gcc 8
+      hardening: --disable-gcc-hardening
+
+install:
+- ps: >-
+    Function Execute-Command ($commandPath)
+    {
+        & $commandPath $args 2>&1
+        if ( $LastExitCode -ne 0 ) {
+            $host.SetShouldExit( $LastExitCode )
+        }
+    }
+    Function Execute-Bash ()
+    {
+        Execute-Command 'c:\msys64\usr\bin\bash' '-e' '-c' $args
+    }
+    <# mingw packages start with ${env:mingw_prefix}
+     # unprefixed packages are from MSYS2, which is like Cygwin. Avoid them.
+     #
+     # Use pacman --debug to show package downloads and install locations
+     #>
+    Execute-Command "C:\msys64\usr\bin\pacman" -Sy --verbose --needed --noconfirm ${env:mingw_prefix}-libevent ${env:mingw_prefix}-pkg-config ${env:mingw_prefix}-xz ${env:mingw_prefix}-zstd ;
+
+build_script:
+- ps: >-
+    if ($env:compiler -eq "mingw") {
+            <# use the MSYS2 compiler and user binaries to build and install #>
+            $oldpath = ${env:Path} -split ';'
+            $buildpath = @("C:\msys64\${env:compiler_path}\bin", "C:\msys64\usr\bin") + $oldpath
+            $env:Path = @($buildpath) -join ';'
+            $env:build = @("${env:APPVEYOR_BUILD_FOLDER}", $env:target) -join '\'
+            Set-Location "${env:APPVEYOR_BUILD_FOLDER}"
+            Execute-Bash 'autoreconf -i'
+            mkdir "${env:build}"
+            Set-Location "${env:build}"
+            Execute-Bash "which ${env:target}-gcc"
+            Execute-Bash "${env:target}-gcc --version"
+            <# compile for mingw
+             # mingw zstd doesn't come with a pkg-config file, so we manually
+             # configure its flags. liblzma just works.
+             #>
+            Execute-Bash "ZSTD_CFLAGS='-L/${env:compiler_path}/include' ZSTD_LIBS='-L/${env:compiler_path}/lib -lzstd' ../configure --prefix=/${env:compiler_path} --build=${env:target} --host=${env:target} --with-openssl-dir=/${env:compiler_path} --disable-asciidoc --enable-fatal-warnings ${env:hardening}"
+            Execute-Bash "V=1 make -j2"
+            Execute-Bash "V=1 make -j2 install"
+     }
+
+test_script:
+- ps: >-
+    if ($env:compiler -eq "mingw") {
+            <# use the MSYS2 compiler binaries to make check #>
+            $oldpath = ${env:Path} -split ';'
+            $buildpath = @("C:\msys64\${env:compiler_path}\bin") + $oldpath
+            $env:Path = $buildpath -join ';'
+            Set-Location "${env:build}"
+            Execute-Bash "VERBOSE=1 make -j2 check"
+    }
+
+on_finish:
+- ps: >-
+    if ($env:compiler -eq "mingw") {
+            <# use the MSYS2 user binaries to archive failures #>
+            $oldpath = ${env:Path} -split ';'
+            $buildpath = @("C:\msys64\usr\bin") + $oldpath
+            $env:Path = @($buildpath) -join ';'
+            Set-Location "${env:build}"
+            <# store logs as appveyor artifacts: see the artifacts tab #>
+            Execute-Bash "7z a logs.zip config.log || true"
+            Execute-Bash "7z a logs.zip test-suite.log || true"
+            Execute-Bash "appveyor PushArtifact logs.zip || true"
+            Execute-Bash "tail -1000 config.log || true"
+            Execute-Bash "cat test-suite.log || true"
+    }
+
+# notify the IRC channel of any failures
+on_failure:
+- cmd: C:\Python27\python.exe %APPVEYOR_BUILD_FOLDER%\scripts\test\appveyor-irc-notify.py irc.oftc.net:6697 tor-ci failure

.gitignore

@@ -3,6 +3,7 @@
 .#*
 *~
 *.swp
+*.swo
 # C stuff
 *.o
 *.obj
@@ -18,6 +19,8 @@
 .dirstamp
 *.trs
 *.log
+# Calltool stuff
+.*.graph
 # Stuff made by our makefiles
 *.bak
 # Python droppings
@@ -38,9 +41,11 @@ uptime-*.json
 /Makefile
 /Makefile.in
 /aclocal.m4
+/ar-lib
 /autom4te.cache
 /build-stamp
 /compile
+/config.rust
 /configure
 /Doxyfile
 /orconfig.h
@@ -51,6 +56,7 @@ uptime-*.json
 /config.guess
 /config.sub
 /conftest*
+/link_rust.sh
 /micro-revision.*
 /patch-stamp
 /stamp-h
@@ -66,7 +72,11 @@ uptime-*.json
 /mkinstalldirs
 /Tor*Bundle.dmg
 /tor-*-win32.exe
+/warning_flags
+
 /coverage_html/
+/callgraph/
+
 
 # /contrib/
 /contrib/dist/tor.sh
@@ -94,11 +104,6 @@ uptime-*.json
 /doc/tor.html
 /doc/tor.html.in
 /doc/tor.1.xml
-/doc/tor-fw-helper.1
-/doc/tor-fw-helper.1.in
-/doc/tor-fw-helper.html
-/doc/tor-fw-helper.html.in
-/doc/tor-fw-helper.1.xml
 /doc/tor-gencert.1
 /doc/tor-gencert.1.in
 /doc/tor-gencert.html
@@ -114,6 +119,11 @@ uptime-*.json
 /doc/torify.html
 /doc/torify.html.in
 /doc/torify.1.xml
+/doc/tor-print-ed-signing-cert.1
+/doc/tor-print-ed-signing-cert.1.in
+/doc/tor-print-ed-signing-cert.html
+/doc/tor-print-ed-signing-cert.html.in
+/doc/tor-print-ed-signing-cert.1.xml
 
 # /doc/spec/
 /doc/spec/Makefile
@@ -127,23 +137,8 @@ uptime-*.json
 /src/Makefile
 /src/Makefile.in
 
-# /src/common/
-/src/common/Makefile
-/src/common/Makefile.in
-/src/common/libor.a
-/src/common/libor-testing.a
-/src/common/libor.lib
-/src/common/libor-ctime.a
-/src/common/libor-ctime-testing.a
-/src/common/libor-ctime.lib
-/src/common/libor-crypto.a
-/src/common/libor-crypto-testing.a
-/src/common/libor-crypto.lib
-/src/common/libor-event.a
-/src/common/libor-event-testing.a
-/src/common/libor-event.lib
-/src/common/libcurve25519_donna.a
-/src/common/libcurve25519_donna.lib
+# /src/trace
+/src/trace/libor-trace.a
 
 # /src/config/
 /src/config/Makefile
@@ -161,16 +156,81 @@ uptime-*.json
 /src/ext/keccak-tiny/libkeccak-tiny.a
 /src/ext/keccak-tiny/libkeccak-tiny.lib
 
-# /src/or/
-/src/or/Makefile
-/src/or/Makefile.in
-/src/or/tor
-/src/or/tor.exe
-/src/or/tor-cov
-/src/or/tor-cov.exe
-/src/or/libtor.a
-/src/or/libtor-testing.a
-/src/or/libtor.lib
+# /src/lib
+/src/lib/libcurve25519_donna.a
+/src/lib/libtor-compress.a
+/src/lib/libtor-compress-testing.a
+/src/lib/libtor-container.a
+/src/lib/libtor-container-testing.a
+/src/lib/libtor-crypt-ops.a
+/src/lib/libtor-crypt-ops-testing.a
+/src/lib/libtor-ctime.a
+/src/lib/libtor-ctime-testing.a
+/src/lib/libtor-encoding.a
+/src/lib/libtor-encoding-testing.a
+/src/lib/libtor-evloop.a
+/src/lib/libtor-evloop-testing.a
+/src/lib/libtor-err.a
+/src/lib/libtor-err-testing.a
+/src/lib/libtor-fdio.a
+/src/lib/libtor-fdio-testing.a
+/src/lib/libtor-fs.a
+/src/lib/libtor-fs-testing.a
+/src/lib/libtor-geoip.a
+/src/lib/libtor-geoip-testing.a
+/src/lib/libtor-intmath.a
+/src/lib/libtor-intmath-testing.a
+/src/lib/libtor-lock.a
+/src/lib/libtor-lock-testing.a
+/src/lib/libtor-log.a
+/src/lib/libtor-log-testing.a
+/src/lib/libtor-malloc.a
+/src/lib/libtor-malloc-testing.a
+/src/lib/libtor-math.a
+/src/lib/libtor-math-testing.a
+/src/lib/libtor-memarea.a
+/src/lib/libtor-memarea-testing.a
+/src/lib/libtor-meminfo.a
+/src/lib/libtor-meminfo-testing.a
+/src/lib/libtor-net.a
+/src/lib/libtor-net-testing.a
+/src/lib/libtor-osinfo.a
+/src/lib/libtor-osinfo-testing.a
+/src/lib/libtor-process.a
+/src/lib/libtor-process-testing.a
+/src/lib/libtor-sandbox.a
+/src/lib/libtor-sandbox-testing.a
+/src/lib/libtor-string.a
+/src/lib/libtor-string-testing.a
+/src/lib/libtor-smartlist-core.a
+/src/lib/libtor-smartlist-core-testing.a
+/src/lib/libtor-term.a
+/src/lib/libtor-term-testing.a
+/src/lib/libtor-thread.a
+/src/lib/libtor-thread-testing.a
+/src/lib/libtor-time.a
+/src/lib/libtor-time-testing.a
+/src/lib/libtor-tls.a
+/src/lib/libtor-tls-testing.a
+/src/lib/libtor-trace.a
+/src/lib/libtor-wallclock.a
+/src/lib/libtor-wallclock-testing.a
+
+# /src/tor
+/src/core/libtor-app.a
+/src/core/libtor-app-testing.a
+
+# /src/app
+/src/app/tor
+/src/app/tor.exe
+/src/app/tor-cov
+/src/app/tor-cov.exe
+
+# /src/rust
+/src/rust/.cargo/config
+/src/rust/.cargo/registry
+/src/rust/target
+/src/rust/registry
 
 # /src/test
 /src/test/Makefile
@@ -183,6 +243,7 @@ uptime-*.json
 /src/test/test-child
 /src/test/test-memwipe
 /src/test/test-ntor-cl
+/src/test/test-hs-ntor-cl
 /src/test/test-switch-id
 /src/test/test-timers
 /src/test/test_workqueue
@@ -191,16 +252,24 @@ uptime-*.json
 /src/test/test-bt-cl.exe
 /src/test/test-child.exe
 /src/test/test-ntor-cl.exe
+/src/test/test-hs-ntor-cl.exe
 /src/test/test-memwipe.exe
 /src/test/test-switch-id.exe
 /src/test/test-timers.exe
 /src/test/test_workqueue.exe
 
+# /src/test/fuzz
+/src/test/fuzz/fuzz-*
+/src/test/fuzz/lf-fuzz-*
+
 # /src/tools/
+/src/tools/libtorrunner.a
 /src/tools/tor-checkkey
 /src/tools/tor-resolve
 /src/tools/tor-cov-resolve
 /src/tools/tor-gencert
+/src/tools/tor-print-ed-signing-cert
+/src/tools/tor-print-ed-signing-cert.exe
 /src/tools/tor-cov-gencert
 /src/tools/tor-checkkey.exe
 /src/tools/tor-resolve.exe
@@ -214,12 +283,6 @@ uptime-*.json
 /src/trunnel/libor-trunnel-testing.a
 /src/trunnel/libor-trunnel.a
 
-# /src/tools/tor-fw-helper/
-/src/tools/tor-fw-helper/tor-fw-helper
-/src/tools/tor-fw-helper/tor-fw-helper.exe
-/src/tools/tor-fw-helper/Makefile
-/src/tools/tor-fw-helper/Makefile.in
-
 # /src/win32/
 /src/win32/Makefile
 /src/win32/Makefile.in

.gitlab-ci.yml

@@ -0,0 +1,45 @@
+before_script:
+    - apt-get update -qq
+    - apt-get upgrade -qy
+
+build:
+  script:
+    - apt-get install -qy --fix-missing automake build-essential
+      libevent-dev libssl-dev zlib1g-dev
+      libseccomp-dev liblzma-dev libscrypt-dev
+    - ./autogen.sh
+    - ./configure --disable-asciidoc --enable-fatal-warnings
+      --disable-silent-rules
+    - make check || (e=$?; cat test-suite.log; exit $e)
+    - make install
+
+update:
+  only:
+    - schedules
+  script: 
+    - "apt-get install -y --fix-missing git openssh-client"
+    
+    # Run ssh-agent (inside the build environment)
+    - eval $(ssh-agent -s)
+
+    # Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
+    - ssh-add <(echo "$DEPLOY_KEY")
+
+    # For Docker builds disable host key checking. Be aware that by adding that
+    # you are susceptible to man-in-the-middle attacks.
+    # WARNING: Use this only with the Docker executor, if you use it with shell
+    # you will overwrite your user's SSH config.
+    - mkdir -p ~/.ssh
+    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
+    # In order to properly check the server's host key, assuming you created the
+    # SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines
+    # instead.
+    - mkdir -p ~/.ssh
+    - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
+    - echo "merging from torgit"
+    - git config --global user.email "labadmin@oniongit.eu"
+    - git config --global user.name "gitadmin"
+    - "mkdir tor"
+    - "cd tor" 
+    - git clone --bare https://git.torproject.org/tor.git
+    - git push --mirror git@oniongit.eu:network/tor.git

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "src/ext/rust"]
+	path = src/ext/rust
+	url = https://git.torproject.org/tor-rust-dependencies

.travis.yml

@@ -2,6 +2,13 @@ language: c
 
 cache:
   ccache: true
+  ## cargo: true
+  directories:
+    - $HOME/.cargo
+    ## caching CARGO_TARGET_DIR actually slows down the build over time,
+    ## because old build products are never deleted.
+    ## where we point CARGO_TARGET_DIR in all our cargo invocations
+    #- $TRAVIS_BUILD_DIR/src/rust/target
 
 compiler:
   - gcc
@@ -28,6 +35,8 @@ env:
     ## We don't list default variable values, because we set the defaults
     ## in global (or the default is unset)
     -
+    ## TOR_RUST_DEPENDENCIES is spelt RUST_DEPENDENCIES in 0.3.2
+    - RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
 
 matrix:
   ## include creates builds with gcc, linux
@@ -36,13 +45,22 @@ matrix:
     - env: COVERAGE_OPTIONS="--enable-coverage" HARDENING_OPTIONS=""
     ## We only want to check these build option combinations once
     ## (they shouldn't vary by compiler or OS)
-    ## We run coverage with hardening off, which seems like enough
+    ## We run rust and coverage with hardening off, which seems like enough
     # - env: HARDENING_OPTIONS=""
     ## We check asciidoc with distcheck, to make sure we remove doc products
     - env: DISTCHECK="yes" ASCIIDOC_OPTIONS="" SKIP_MAKE_CHECK="yes"
     # We also try running a hardened clang build with chutney on Linux.
     - env: CHUTNEY="yes" SKIP_MAKE_CHECK="yes" CHUTNEY_ALLOW_FAILURES="2"
       compiler: clang
+    # We clone our stem repo and run `make test-stem`
+    - env: TEST_STEM="yes" SKIP_MAKE_CHECK="yes"
+    ## Check rust online with distcheck, to make sure we remove rust products
+    - env: DISTCHECK="yes" RUST_OPTIONS="--enable-rust --enable-cargo-online-mode"
+    ## Check disable module dirauth with and without rust
+    - env: MODULES_OPTIONS="--disable-module-dirauth" RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
+    - env: MODULES_OPTIONS="--disable-module-dirauth"
+    ## Check NSS
+    - env: NSS_OPTIONS="--enable-nss"
 
   ## Uncomment to allow the build to report success (with non-required
   ## sub-builds continuing to run) if all required sub-builds have
@@ -55,6 +73,10 @@ matrix:
   ## Careful! We use global envs, which makes it hard to exclude or
   ## allow failures by env:
   ## https://docs.travis-ci.com/user/customizing-the-build#matching-jobs-with-allow_failures
+  allow_failures:
+    ## test-stem sometimes hangs on Travis
+    - env: TEST_STEM="yes" SKIP_MAKE_CHECK="yes"
+
   exclude:
     ## gcc on OSX is less useful, because the default compiler is clang.
     - compiler: gcc
@@ -64,6 +86,12 @@ matrix:
     - compiler: gcc
       os: linux
       env:
+    ## offline rust builds for gcc on Linux are redundant, because we do an
+    ## online rust build for gcc on Linux
+    - compiler: gcc
+      os: linux
+      ## TOR_RUST_DEPENDENCIES is spelt RUST_DEPENDENCIES in 0.3.2
+      env: RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
 
 ## (Linux only) Use the latest Linux image (Ubuntu Trusty)
 dist: trusty
@@ -80,14 +108,21 @@ addons:
       - zlib1g-dev
       ## Optional dependencies
       - libcap-dev
+      - liblzma-dev
+      - libnss3-dev
       - libscrypt-dev
       - libseccomp-dev
+      ## zstd doesn't exist in Ubuntu Trusty
+      #- libzstd
       ## Conditional build dependencies
       ## Always installed, so we don't need sudo
       - asciidoc
       - docbook-xsl
       - docbook-xml
       - xmlto
+      ## Utilities
+      ## preventing or diagnosing hangs
+      - timelimit
   ## (OSX only)
   homebrew:
     packages:
@@ -100,6 +135,8 @@ addons:
       #- zlib
       ## Optional dependencies
       - libscrypt
+      - xz
+      - zstd
       ## Required build dependencies
       ## Tor needs pkg-config to find some dependencies at build time
       - pkg-config
@@ -109,12 +146,19 @@ addons:
       ## Always installed, because manual brew installs are hard to get right
       - asciidoc
       - xmlto
+      ## Utilities
+      ## preventing or diagnosing hangs
+      - timelimit
 
 ## (OSX only) Use the default OSX image
 ## See https://docs.travis-ci.com/user/reference/osx#os-x-version
 ## Default is Xcode 9.4 on macOS 10.13 as of August 2018
 #osx_image: xcode9.4
 
+before_install:
+  ## Create empty rust directories for non-Rust builds, so caching succeeds
+  - if [[ "$RUST_OPTIONS" == "" ]]; then mkdir -p $HOME/.cargo $TRAVIS_BUILD_DIR/src/rust/target; fi
+
 install:
   ## If we're on OSX, configure ccache (ccache is automatically installed and configured on Linux)
   - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then export PATH="/usr/local/opt/ccache/libexec:$PATH"; fi
@@ -125,25 +169,49 @@ install:
   - if [[ "$COVERAGE_OPTIONS" != "" ]]; then pip install --user cpp-coveralls; fi
   ## If we're on OSX, and using asciidoc, configure asciidoc
   - if [[ "$ASCIIDOC_OPTIONS" == "" ]] && [[ "$TRAVIS_OS_NAME" == "osx" ]]; then export XML_CATALOG_FILES="/usr/local/etc/xml/catalog"; fi
+  ## If we're using Rust, download rustup
+  - if [[ "$RUST_OPTIONS" != "" ]]; then curl -Ssf -o rustup.sh https://sh.rustup.rs; fi
+  ## Install the nightly channels of rustc and cargo and setup our toolchain environment
+  - if [[ "$RUST_OPTIONS" != "" ]]; then sh rustup.sh -y --default-toolchain nightly; fi
+  - if [[ "$RUST_OPTIONS" != "" ]]; then source $HOME/.cargo/env; fi
+  ## If we're testing rust builds in offline-mode, then set up our vendored dependencies
+  - if [[ "$TOR_RUST_DEPENDENCIES" == "true" ]]; then export TOR_RUST_DEPENDENCIES=$PWD/src/ext/rust/crates; fi
   ## If we're running chutney, install it.
   - if [[ "$CHUTNEY" != "" ]]; then git clone --depth 1 https://github.com/torproject/chutney.git ; export CHUTNEY_PATH="$(pwd)/chutney"; fi
+  ## If we're running stem, install it.
+  - if [[ "$TEST_STEM" != "" ]]; then git clone --depth 1 https://github.com/torproject/stem.git ; export STEM_SOURCE_DIR=`pwd`/stem; fi
+  ##
   ## Finally, list installed package versions
   - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then dpkg-query --show; fi
   - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then brew list --versions; fi
+  ## Get some info about rustup, rustc and cargo
+  - if [[ "$RUST_OPTIONS" != "" ]]; then which rustup; fi
+  - if [[ "$RUST_OPTIONS" != "" ]]; then which rustc; fi
+  - if [[ "$RUST_OPTIONS" != "" ]]; then which cargo; fi
+  - if [[ "$RUST_OPTIONS" != "" ]]; then rustup --version; fi
+  - if [[ "$RUST_OPTIONS" != "" ]]; then rustc --version; fi
+  - if [[ "$RUST_OPTIONS" != "" ]]; then cargo --version; fi
   ## Get python version
   - python --version
   ## If we're running chutney, show the chutney commit
   - if [[ "$CHUTNEY" != "" ]]; then pushd "$CHUTNEY_PATH"; git log -1 ; popd ; fi
+  ## If we're running stem, show the stem version and commit
+  - if [[ "$TEST_STEM" != "" ]]; then pushd stem; python -c "from stem import stem; print(stem.__version__);"; git log -1; popd; fi
 
 script:
+  # Skip test_rebind on macOS
+  - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then export TOR_SKIP_TEST_REBIND=true; fi
   - ./autogen.sh
-  - CONFIGURE_FLAGS="$ASCIIDOC_OPTIONS $COVERAGE_OPTIONS $HARDENING_OPTIONS $OPENSSL_OPTIONS --enable-fatal-warnings --disable-silent-rules"
+  - CONFIGURE_FLAGS="$ASCIIDOC_OPTIONS $COVERAGE_OPTIONS $HARDENING_OPTIONS $MODULES_OPTIONS $NSS_OPTIONS $OPENSSL_OPTIONS $RUST_OPTIONS --enable-fatal-warnings --disable-silent-rules"
   - echo "Configure flags are $CONFIGURE_FLAGS"
   - ./configure $CONFIGURE_FLAGS
   ## We run `make check` because that's what https://jenkins.torproject.org does.
   - if [[ "$SKIP_MAKE_CHECK" == "" ]]; then make check; fi
   - if [[ "$DISTCHECK" != "" ]]; then make distcheck DISTCHECK_CONFIGURE_FLAGS="$CONFIGURE_FLAGS"; fi
   - if [[ "$CHUTNEY" != "" ]]; then make test-network-all; fi
+  ## Diagnostic for bug 29437: kill stem if it hangs for 9.5 minutes
+  ## Travis will kill the job after 10 minutes with no output
+  - if [[ "$TEST_STEM" != "" ]]; then make src/app/tor; timelimit -p -t 540 -s USR1 -T 30 -S ABRT python3 "$STEM_SOURCE_DIR"/run_tests.py --tor src/app/tor --integ --test control.controller --test control.base_controller --test process --log TRACE --log-file stem.log; fi
   ## If this build was one that produced coverage, upload it.
   - if [[ "$COVERAGE_OPTIONS" != "" ]]; then coveralls -b . --exclude src/test --exclude src/trunnel --gcov-options '\-p' || echo "Coverage failed"; fi
 
@@ -155,11 +223,17 @@ after_failure:
   - if [[ "$SKIP_MAKE_CHECK" == "" ]]; then cat test-suite.log || echo "cat failed"; fi
   ## `make distcheck` puts it somewhere different.
   - if [[ "$DISTCHECK" != "" ]]; then make show-distdir-testlog || echo "make failed"; fi
+  - if [[ "$DISTCHECK" != "" ]]; then make show-distdir-core || echo "make failed"; fi
   - if [[ "$CHUTNEY" != "" ]]; then ls test_network_log || echo "ls failed"; cat test_network_log/* || echo "cat failed"; fi
+  - if [[ "$TEST_STEM" != "" ]]; then tail -1000 "$STEM_SOURCE_DIR"/test/data/tor_log || echo "tail failed"; fi
+  - if [[ "$TEST_STEM" != "" ]]; then grep -v "SocketClosed" stem.log | tail -1000 || echo "grep | tail failed"; fi
 
 before_cache:
   ## Delete all gcov files.
   - if [[ "$COVERAGE_OPTIONS" != "" ]]; then make reset-gcov; fi
+  ## Delete the cargo registry before caching .cargo, because it's cheaper to
+  ## download the registry and throw it away, rather than caching it
+  - rm -rf $HOME/.cargo/registry
 
 notifications:
   irc:

CODE_OF_CONDUCT

@@ -0,0 +1,7 @@
+The Tor Project is committed to fostering a inclusive community
+where people feel safe to engage, share their points of view, and
+participate. For the latest version of our Code of Conduct, please
+see
+
+https://gitweb.torproject.org/community/policies.git/plain/code_of_conduct.txt
+

CONTRIBUTING

@@ -0,0 +1,39 @@
+Contributing to Tor
+-------------------
+
+### Getting started
+
+Welcome!
+
+We have a bunch of documentation about how to develop Tor in the
+doc/HACKING/ directory.  We recommend that you start with
+doc/HACKING/README.1st.md , and then go from there.  It will tell
+you how to find your way around the source code, how to get
+involved with the Tor community, how to write patches, and much
+more!
+
+You don't have to be a C developer to help with Tor: have a look
+at https://www.torproject.org/getinvolved/volunteer !
+
+The Tor Project is committed to fostering a inclusive community
+where people feel safe to engage, share their points of view, and
+participate. For the latest version of our Code of Conduct, please
+see
+
+https://gitweb.torproject.org/community/policies.git/plain/code_of_conduct.txt
+
+
+
+### License issues
+
+Tor is distributed under the license terms in the LICENSE -- in
+brief, the "3-clause BSD license".  If you send us code to
+distribute with Tor, it needs to be code that we can distribute
+under those terms.  Please don't send us patches unless you agree
+to allow this.
+
+Some compatible licenses include:
+
+  - 3-clause BSD
+  - 2-clause BSD
+  - CC0 Public Domain Dedication

INSTALL

@@ -16,37 +16,3 @@ If it doesn't build for you:
     ./configure --with-libevent-dir=/usr/local
   rather than simply ./configure.
 
-  If you have mysterious autoconf failures while linking openssl,
-  consider setting your LD_LIBRARY_PATH to the openssl lib directory.
-  For example, "setenv LD_LIBRARY_PATH /usr/athena/lib".
-
-  Lastly, check out
-  https://www.torproject.org/docs/faq#DoesntWork
-
-How to do static builds of tor:
-
-Tor supports linking each of the libraries it needs statically. Use the
---enable-static-X ./configure option in conjunction with the --with-X-dir
-option for libevent, zlib, and openssl. For this to work sanely, libevent
-should be built with --disable-shared --enable-static --with-pic, and
-OpenSSL should be built with no-shared no-dso.
-
-If you need to build tor so that system libraries are also statically linked,
-use the --enable-static-tor ./configure option. This won't work on OS X
-unless you build the required crt0.o yourself. It is also incompatible with
-the --enable-gcc-hardening option.
-
-An example of how to build a mostly static tor:
-./configure --enable-static-libevent \
-            --enable-static-openssl  \
-            --enable-static-zlib     \
-            --with-libevent-dir=/tmp/static-tor/libevent-1.4.14b-stable \
-            --with-openssl-dir=/tmp/static-tor/openssl-0.9.8r/ \
-            --with-zlib-dir=/tmp/static-tor/zlib-1.2.5
-
-An example of how to build an entirely static tor:
-./configure --enable-static-tor \
-            --with-libevent-dir=/tmp/static-tor/libevent-1.4.14b-stable \
-            --with-openssl-dir=/tmp/static-tor/openssl-0.9.8r/ \
-            --with-zlib-dir=/tmp/static-tor/zlib-1.2.5
-

LICENSE

@@ -13,7 +13,7 @@ Tor is distributed under this license:
 
 Copyright (c) 2001-2004, Roger Dingledine
 Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
-Copyright (c) 2007-2016, The Tor Project, Inc.
+Copyright (c) 2007-2019, The Tor Project, Inc.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -155,6 +155,36 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+===============================================================================
+getdelim.c is distributed under this license:
+
+ Copyright (c) 2011 The NetBSD Foundation, Inc.
+ All rights reserved.
+
+ This code is derived from software contributed to The NetBSD Foundation
+ by Christos Zoulas.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
 ===============================================================================
 src/config/geoip is licensed under the following license:
 

Makefile.am

@@ -1,6 +1,6 @@
 # Copyright (c) 2001-2004, Roger Dingledine
 # Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
-# Copyright (c) 2007-2015, The Tor Project, Inc.
+# Copyright (c) 2007-2019, The Tor Project, Inc.
 # See LICENSE for licensing information
 
 ACLOCAL_AMFLAGS = -I m4
@@ -9,32 +9,157 @@ noinst_LIBRARIES=
 EXTRA_DIST=
 noinst_HEADERS=
 bin_PROGRAMS=
+EXTRA_PROGRAMS=
 CLEANFILES=
 TESTS=
 noinst_PROGRAMS=
 DISTCLEANFILES=
 bin_SCRIPTS=
-AM_CPPFLAGS=
-AM_CFLAGS=@TOR_SYSTEMD_CFLAGS@ @CFLAGS_BUGTRAP@
+AM_CPPFLAGS=\
+	-I$(top_srcdir)/src \
+	-I$(top_srcdir)/src/ext \
+	-I$(top_srcdir)/src/ext/trunnel \
+	-I$(top_srcdir)/src/trunnel
+
+AM_CFLAGS=@TOR_SYSTEMD_CFLAGS@ @CFLAGS_BUGTRAP@ @TOR_LZMA_CFLAGS@ @TOR_ZSTD_CFLAGS@
 SHELL=@SHELL@
 
 if COVERAGE_ENABLED
-TESTING_TOR_BINARY=$(top_builddir)/src/or/tor-cov$(EXEEXT)
+TESTING_TOR_BINARY=$(top_builddir)/src/app/tor-cov$(EXEEXT)
 else
-TESTING_TOR_BINARY=$(top_builddir)/src/or/tor$(EXEEXT)
+TESTING_TOR_BINARY=$(top_builddir)/src/app/tor$(EXEEXT)
 endif
 
+if USE_RUST
+## this MUST be $(), otherwise am__DEPENDENCIES will not track it
+rust_ldadd=$(top_builddir)/$(TOR_RUST_LIB_PATH) \
+	$(TOR_RUST_EXTRA_LIBS)
+else
+rust_ldadd=
+endif
+
+# "Common" libraries used to link tor's utility code.
+TOR_UTIL_LIBS = \
+        src/lib/libtor-geoip.a \
+	src/lib/libtor-process.a \
+	src/lib/libtor-time.a \
+	src/lib/libtor-fs.a \
+	src/lib/libtor-encoding.a \
+	src/lib/libtor-sandbox.a \
+	src/lib/libtor-container.a \
+	src/lib/libtor-net.a \
+	src/lib/libtor-thread.a \
+	src/lib/libtor-memarea.a \
+	src/lib/libtor-math.a \
+	src/lib/libtor-meminfo.a \
+	src/lib/libtor-osinfo.a \
+	src/lib/libtor-log.a \
+	src/lib/libtor-lock.a \
+	src/lib/libtor-fdio.a \
+	src/lib/libtor-string.a \
+	src/lib/libtor-term.a \
+	src/lib/libtor-smartlist-core.a \
+	src/lib/libtor-malloc.a \
+	src/lib/libtor-wallclock.a \
+	src/lib/libtor-err.a \
+	src/lib/libtor-intmath.a \
+	src/lib/libtor-ctime.a
+
+# Variants of the above for linking the testing variant of tor (for coverage
+# and tests)
+if UNITTESTS_ENABLED
+TOR_UTIL_TESTING_LIBS = \
+        src/lib/libtor-geoip-testing.a \
+	src/lib/libtor-process-testing.a \
+	src/lib/libtor-time-testing.a \
+	src/lib/libtor-fs-testing.a \
+	src/lib/libtor-encoding-testing.a \
+	src/lib/libtor-sandbox-testing.a \
+	src/lib/libtor-container-testing.a \
+	src/lib/libtor-net-testing.a \
+	src/lib/libtor-thread-testing.a \
+	src/lib/libtor-memarea-testing.a \
+	src/lib/libtor-math-testing.a \
+	src/lib/libtor-meminfo-testing.a \
+	src/lib/libtor-osinfo-testing.a \
+	src/lib/libtor-term-testing.a \
+	src/lib/libtor-log-testing.a \
+	src/lib/libtor-lock-testing.a \
+	src/lib/libtor-fdio-testing.a \
+	src/lib/libtor-string-testing.a \
+	src/lib/libtor-smartlist-core-testing.a \
+	src/lib/libtor-malloc-testing.a \
+	src/lib/libtor-wallclock-testing.a \
+	src/lib/libtor-err-testing.a \
+	src/lib/libtor-intmath.a \
+	src/lib/libtor-ctime-testing.a
+endif
+
+# Internal crypto libraries used in Tor
+TOR_CRYPTO_LIBS = \
+	src/lib/libtor-tls.a \
+	src/lib/libtor-crypt-ops.a \
+	$(LIBKECCAK_TINY) \
+	$(LIBDONNA)
+
+# Variants of the above for linking the testing variant of tor (for coverage
+# and tests)
+if UNITTESTS_ENABLED
+TOR_CRYPTO_TESTING_LIBS = \
+	src/lib/libtor-tls-testing.a \
+	src/lib/libtor-crypt-ops-testing.a \
+	$(LIBKECCAK_TINY) \
+	$(LIBDONNA)
+endif
+
+# All static libraries used to link tor.
+TOR_INTERNAL_LIBS = \
+	src/core/libtor-app.a \
+	src/lib/libtor-compress.a \
+	src/lib/libtor-evloop.a \
+	$(TOR_CRYPTO_LIBS) \
+	$(TOR_UTIL_LIBS) \
+	src/trunnel/libor-trunnel.a \
+	src/lib/libtor-trace.a
+
+# Variants of the above for linking the testing variant of tor (for coverage
+# and tests)
+if UNITTESTS_ENABLED
+TOR_INTERNAL_TESTING_LIBS = \
+	src/core/libtor-app-testing.a \
+	src/lib/libtor-compress-testing.a \
+	src/lib/libtor-evloop-testing.a \
+	$(TOR_CRYPTO_TESTING_LIBS) \
+	$(TOR_UTIL_TESTING_LIBS) \
+	src/trunnel/libor-trunnel-testing.a \
+	src/lib/libtor-trace.a
+endif
+
+TOR_LDFLAGS_CRYPTLIB=@TOR_LDFLAGS_openssl@
+TOR_LIBS_CRYPTLIB=@TOR_OPENSSL_LIBS@
+TOR_CFLAGS_CRYPTLIB=
+if USE_NSS
+TOR_CFLAGS_CRYPTLIB+=@NSS_CFLAGS@
+TOR_LIBS_CRYPTLIB+=@NSS_LIBS@
+endif
+
+# All libraries used to link tor-cov
+
 include src/include.am
 include doc/include.am
 include contrib/include.am
 
 EXTRA_DIST+= \
 	ChangeLog					\
+	CONTRIBUTING					\
+	CODE_OF_CONDUCT                                 \
 	INSTALL						\
 	LICENSE						\
 	Makefile.nmake					\
 	README						\
-	ReleaseNotes
+	ReleaseNotes					\
+	scripts/maint/checkIncludes.py                  \
+	scripts/maint/checkSpace.pl
 
 ## This tells etags how to find mockable function definitions.
 AM_ETAGSFLAGS=--regex='{c}/MOCK_IMPL([^,]+,\W*\([a-zA-Z0-9_]+\)\W*,/\1/s'
@@ -42,16 +167,22 @@ AM_ETAGSFLAGS=--regex='{c}/MOCK_IMPL([^,]+,\W*\([a-zA-Z0-9_]+\)\W*,/\1/s'
 if COVERAGE_ENABLED
 TEST_CFLAGS=-fno-inline -fprofile-arcs -ftest-coverage
 if DISABLE_ASSERTS_IN_UNIT_TESTS
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE -DDISABLE_ASSERTS_IN_UNIT_TESTS
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE -DDISABLE_ASSERTS_IN_UNIT_TESTS @TOR_MODULES_ALL_ENABLED@
 else
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE @TOR_MODULES_ALL_ENABLED@
 endif
 TEST_NETWORK_FLAGS=--coverage --hs-multi-client 1
 else
 TEST_CFLAGS=
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS @TOR_MODULES_ALL_ENABLED@
 TEST_NETWORK_FLAGS=--hs-multi-client 1
 endif
+TEST_NETWORK_WARNING_FLAGS=--quiet --only-warnings
+
+if LIBFUZZER_ENABLED
+TEST_CFLAGS += -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-div
+# not "edge"
+endif
 
 TEST_NETWORK_ALL_LOG_DIR=$(top_builddir)/test_network_log
 TEST_NETWORK_ALL_DRIVER_FLAGS=--color-tests yes
@@ -82,6 +213,8 @@ doxygen:
 test: all
 	$(top_builddir)/src/test/test
 
+check-local: check-spaces check-changes check-includes
+
 need-chutney-path:
 	@if test ! -d "$$CHUTNEY_PATH"; then \
 		echo '$$CHUTNEY_PATH was not set.'; \
@@ -101,18 +234,20 @@ test-network: need-chutney-path $(TESTING_TOR_BINARY) src/tools/tor-gencert
 
 # Run all available tests using automake's test-driver
 # only run IPv6 tests if we can ping6 ::1 (localhost)
+# only run IPv6 tests if we can ping ::1 (localhost)
 # some IPv6 tests will fail without an IPv6 DNS server (see #16971 and #17011)
 # only run mixed tests if we have a tor-stable binary
-# Try both the BSD and the Linux ping6 syntax, because they're incompatible
+# Try the syntax for BSD ping6, Linux ping6, and Linux ping -6,
+# because they're incompatible
 test-network-all: need-chutney-path test-driver $(TESTING_TOR_BINARY) src/tools/tor-gencert
 	mkdir -p $(TEST_NETWORK_ALL_LOG_DIR)
 	rm -f $(TEST_NETWORK_ALL_LOG_DIR)/*.log $(TEST_NETWORK_ALL_LOG_DIR)/*.trs
 	@flavors="$(TEST_CHUTNEY_FLAVORS)"; \
-	if ping6 -q -c 1 -o ::1 >/dev/null 2>&1 || ping6 -q -c 1 -W 1 ::1 >/dev/null 2>&1; then \
-		echo "ping6 ::1 succeeded, running IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
+	if ping6 -q -c 1 -o ::1 >/dev/null 2>&1 || ping6 -q -c 1 -W 1 ::1 >/dev/null 2>&1 || ping -6 -c 1 -W 1 ::1 >/dev/null 2>&1; then \
+		echo "ping6 ::1 or ping ::1 succeeded, running IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
 		flavors="$$flavors $(TEST_CHUTNEY_FLAVORS_IPV6)"; \
 	else \
-		echo "ping6 ::1 failed, skipping IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
+		echo "ping6 ::1 and ping ::1 failed, skipping IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
 		skip_flavors="$$skip_flavors $(TEST_CHUTNEY_FLAVORS_IPV6)"; \
 	fi; \
 	if command -v tor-stable >/dev/null 2>&1; then \
@@ -127,6 +262,7 @@ test-network-all: need-chutney-path test-driver $(TESTING_TOR_BINARY) src/tools/
 	done; \
 	for f in $$flavors; do \
 		$(SHELL) $(top_srcdir)/test-driver --test-name $$f --log-file $(TEST_NETWORK_ALL_LOG_DIR)/$$f.log --trs-file $(TEST_NETWORK_ALL_LOG_DIR)/$$f.trs $(TEST_NETWORK_ALL_DRIVER_FLAGS) $(top_srcdir)/src/test/test-network.sh --flavor $$f $(TEST_NETWORK_FLAGS); \
+		$(top_srcdir)/src/test/test-network.sh $(TEST_NETWORK_WARNING_FLAGS); \
 	done; \
 	echo "Log and result files are available in $(TEST_NETWORK_ALL_LOG_DIR)."; \
 	! grep -q FAIL $(TEST_NETWORK_ALL_LOG_DIR)/*.trs
@@ -139,7 +275,7 @@ need-stem-path:
 	fi
 
 test-stem: need-stem-path $(TESTING_TOR_BINARY)
-	@$(PYTHON) "$$STEM_SOURCE_DIR"/run_tests.py --tor "$(TESTING_TOR_BINARY)" --all --log notice --target RUN_ALL;
+	@$(PYTHON) "$$STEM_SOURCE_DIR"/run_tests.py --tor "$(TESTING_TOR_BINARY)" --integ --test control.controller --test control.base_controller --test process --log notice;
 
 test-stem-full: need-stem-path $(TESTING_TOR_BINARY)
 	@$(PYTHON) "$$STEM_SOURCE_DIR"/run_tests.py --tor "$(TESTING_TOR_BINARY)" --all --log notice --target RUN_ALL,ONLINE -v;
@@ -184,11 +320,21 @@ coverage-html-full: all
 # Avoid strlcpy.c, strlcat.c, aes.c, OpenBSD_malloc_Linux.c, sha256.c,
 # tinytest*.[ch]
 check-spaces:
-	$(top_srcdir)/scripts/maint/checkSpace.pl -C \
-		$(top_srcdir)/src/common/*.[ch] \
-		$(top_srcdir)/src/or/*.[ch] \
+if USE_PERL
+	$(PERL) $(top_srcdir)/scripts/maint/checkSpace.pl -C \
+		$(top_srcdir)/src/lib/*/*.[ch] \
+		$(top_srcdir)/src/core/*/*.[ch] \
+		$(top_srcdir)/src/feature/*/*.[ch] \
+		$(top_srcdir)/src/app/*/*.[ch] \
 		$(top_srcdir)/src/test/*.[ch] \
+		$(top_srcdir)/src/test/*/*.[ch] \
 		$(top_srcdir)/src/tools/*.[ch]
+endif
+
+check-includes:
+if USEPYTHON
+	$(PYTHON) $(top_srcdir)/scripts/maint/checkIncludes.py
+endif
 
 check-docs: all
 	$(PERL) $(top_builddir)/scripts/maint/checkOptionDocs.pl
@@ -197,16 +343,87 @@ check-logs:
 	$(top_srcdir)/scripts/maint/checkLogs.pl \
 		$(top_srcdir)/src/*/*.[ch] | sort -n
 
+.PHONY: check-typos
+check-typos:
+	@if test -x "`which misspell 2>&1;true`"; then \
+		echo "Checking for Typos ..."; \
+		(misspell \
+			$(top_srcdir)/src/[^e]*/*.[ch] \
+			$(top_srcdir)/doc \
+			$(top_srcdir)/contrib \
+			$(top_srcdir)/scripts \
+			$(top_srcdir)/README \
+			$(top_srcdir)/ChangeLog \
+			$(top_srcdir)/INSTALL \
+			$(top_srcdir)/ReleaseNotes \
+			$(top_srcdir)/LICENSE); \
+	else \
+		echo "Tor can use misspell to check for typos."; \
+		echo "It seems that you don't have misspell installed."; \
+		echo "You can install the latest version of misspell here: https://github.com/client9/misspell#install"; \
+	fi
+
+.PHONY: rustfmt
+rustfmt:
+if USE_RUST
+	@if test -x "`which cargo-fmt 2>&1;true`"; then \
+		echo "Formatting Rust code ..."; \
+		(cd "$(top_srcdir)/src/rust" && cargo fmt --all --); \
+	else \
+		echo "Tor uses rustfmt (via cargo-fmt) to format Rust code."; \
+		echo "However, it seems that you don't have rustfmt installed."; \
+		printf "You can install rustfmt by following the directions here:"; \
+		echo " https://github.com/rust-lang-nursery/rustfmt"; \
+	fi
+endif
+
+.PHONY: check-rustfmt
+check-rustfmt:
+if USE_RUST
+	@if test -x "`which cargo-fmt 2>&1;true`"; then \
+		printf "Running rustfmt..."; \
+		(cd "$(top_srcdir)/src/rust" && cargo fmt --all -- --check && echo "done.") || \
+		(echo "**************** check-rustfmt failed. ****************"; \
+		 echo "   Run \`make rustfmt\` to apply the above changes."; \
+		 exit 1); \
+	else \
+		echo "Tor uses rustfmt (via cargo-fmt) to format Rust code."; \
+		echo "However, it seems that you don't have rustfmt installed."; \
+		printf "You can install rustfmt by following the directions here:"; \
+		echo " https://github.com/rust-lang-nursery/rustfmt"; \
+	fi
+endif
+
+.PHONY: clippy
+clippy:
+if USE_RUST
+	@if test -x "`which cargo-clippy 2>&1;true`"; then \
+		echo "Running cargo clippy ..."; \
+		echo "Prepare yourself for the onslaught of suggestions ..."; \
+		(cd "$(top_srcdir)/src/rust" && cargo clippy); \
+	else \
+		echo "Tor can use clippy to lint Rust code."; \
+		echo "However, it seems that you don't have clippy installed."; \
+		echo "You can install the latest version of clippy by following the directions here: https://github.com/rust-lang-nursery/rust-clippy"; \
+	fi
+endif
+
 .PHONY: check-changes
 check-changes:
+if USEPYTHON
 	@if test -d "$(top_srcdir)/changes"; then \
-		$(PYTHON) $(top_srcdir)/scripts/maint/lintChanges.py $(top_srcdir)/changes/*; \
+		$(PYTHON) $(top_srcdir)/scripts/maint/lintChanges.py $(top_srcdir)/changes; \
 		fi
+endif
 
 .PHONY: update-versions
 update-versions:
 	$(PERL) $(top_builddir)/scripts/maint/updateVersions.pl
 
+.PHONY: callgraph
+callgraph:
+	$(top_builddir)/scripts/maint/run_calltool.sh
+
 version:
 	@echo "Tor @VERSION@"
 	@if test -d "$(top_srcdir)/.git" && test -x "`which git 2>&1;true`"; then \
@@ -220,6 +437,14 @@ mostlyclean-local:
 	rm -rf $(top_builddir)/doc/doxygen
 	rm -rf $(TEST_NETWORK_ALL_LOG_DIR)
 
+clean-local:
+	rm -rf $(top_builddir)/src/rust/target
+	rm -rf $(top_builddir)/src/rust/.cargo/registry
+
+if USE_RUST
+distclean-local: distclean-rust
+endif
+
 # This relies on some internal details of how automake implements
 # distcheck.  We check two directories because automake-1.15 changed
 # from $(distdir)/_build to $(distdir)/_build/sub.
@@ -228,3 +453,18 @@ show-distdir-testlog:
 	  cat $(distdir)/_build/sub/$(TEST_SUITE_LOG); \
 	else \
 	  cat $(distdir)/_build/$(TEST_SUITE_LOG); fi
+
+# Similarly, this relies on automake internals to run file on an
+# intermittent core file whose provenance is not known to us.  See
+# ticket 26787.
+show-distdir-core:
+	@if test -d "$(distdir)/_build/sub"; then \
+	  file $(distdir)/_build/sub/core ; \
+	else \
+	  file $(distdir)/_build/core; fi
+
+show-libs:
+	@echo $(TOR_INTERNAL_LIBS)
+
+show-testing-libs:
+	@echo $(TOR_INTERNAL_TESTING_LIBS)

README

@@ -27,3 +27,6 @@ Frequently Asked Questions:
 
 To get started working on Tor development:
         See the doc/HACKING directory.
+
+Release timeline:
+         https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases

acinclude.m4

@@ -2,7 +2,7 @@ dnl Helper macros for Tor configure.ac
 dnl Copyright (c) 2001-2004, Roger Dingledine
 dnl Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
 dnl Copyright (c) 2007-2008, Roger Dingledine, Nick Mathewson
-dnl Copyright (c) 2007-2015, The Tor Project, Inc.
+dnl Copyright (c) 2007-2019, The Tor Project, Inc.
 dnl See LICENSE for licensing information
 
 AC_DEFUN([TOR_EXTEND_CODEPATH],
@@ -51,12 +51,12 @@ AC_DEFUN([TOR_TRY_COMPILE_WITH_CFLAGS], [
   AC_CACHE_CHECK([whether the compiler accepts $1], VAR, [
     tor_saved_CFLAGS="$CFLAGS"
     CFLAGS="$CFLAGS -pedantic -Werror $1"
-    AC_TRY_COMPILE([], [return 0;],
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
                    [AS_VAR_SET(VAR,yes)],
                    [AS_VAR_SET(VAR,no)])
     if test x$2 != x; then
       AS_VAR_PUSHDEF([can_link],[tor_can_link_$1])
-      AC_TRY_LINK([], [return 0;],
+      AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
                   [AS_VAR_SET(can_link,yes)],
                   [AS_VAR_SET(can_link,no)])
       AS_VAR_POPDEF([can_link])
@@ -93,7 +93,7 @@ AC_DEFUN([TOR_CHECK_LDFLAGS], [
     AC_RUN_IFELSE([AC_LANG_PROGRAM([#include <stdio.h>], [fputs("", stdout)])],
                   [AS_VAR_SET(VAR,yes)],
                   [AS_VAR_SET(VAR,no)],
-	          [AC_TRY_LINK([], [return 0;],
+                  [AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
                                    [AS_VAR_SET(VAR,yes)],
                                    [AS_VAR_SET(VAR,no)])])
     CFLAGS="$tor_saved_CFLAGS"
@@ -113,21 +113,21 @@ if test x$2 = xdevpkg; then
   h=" headers for"
 fi
 if test -f /etc/debian_version && test x"$tor_$1_$2_debian" != x; then
-  AC_WARN([On Debian, you can install$h $1 using "apt-get install $tor_$1_$2_debian"])
+  AC_MSG_WARN([On Debian, you can install$h $1 using "apt-get install $tor_$1_$2_debian"])
   if test x"$tor_$1_$2_debian" != x"$tor_$1_devpkg_debian"; then 
-    AC_WARN([   You will probably need $tor_$1_devpkg_debian too.])
+    AC_MSG_WARN([   You will probably need $tor_$1_devpkg_debian too.])
   fi 
 fi
 if test -f /etc/fedora-release && test x"$tor_$1_$2_redhat" != x; then
-  AC_WARN([On Fedora, you can install$h $1 using "dnf install $tor_$1_$2_redhat"])
+  AC_MSG_WARN([On Fedora, you can install$h $1 using "dnf install $tor_$1_$2_redhat"])
   if test x"$tor_$1_$2_redhat" != x"$tor_$1_devpkg_redhat"; then 
-    AC_WARN([   You will probably need to install $tor_$1_devpkg_redhat too.])
+    AC_MSG_WARN([   You will probably need to install $tor_$1_devpkg_redhat too.])
   fi 
 else
   if test -f /etc/redhat-release && test x"$tor_$1_$2_redhat" != x; then
-    AC_WARN([On most Redhat-based systems, you can get$h $1 by installing the $tor_$1_$2_redhat RPM package])
+    AC_MSG_WARN([On most Redhat-based systems, you can get$h $1 by installing the $tor_$1_$2_redhat RPM package])
     if test x"$tor_$1_$2_redhat" != x"$tor_$1_devpkg_redhat"; then 
-      AC_WARN([   You will probably need to install $tor_$1_devpkg_redhat too.])
+      AC_MSG_WARN([   You will probably need to install $tor_$1_devpkg_redhat too.])
     fi 
   fi
 fi
@@ -245,7 +245,10 @@ if test "$cross_compiling" != yes; then
        LDFLAGS="$tor_tryextra $orig_LDFLAGS"
      fi
      AC_RUN_IFELSE([AC_LANG_PROGRAM([$5], [$6])],
-                   [runnable=yes], [runnable=no])
+                   [runnable=yes], [runnable=no],
+                   [AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+                                   [runnable=yes],
+                                   [runnable=no])])
      if test "$runnable" = yes; then
         tor_cv_library_$1_linker_option=$tor_tryextra
         break

autogen.sh

@@ -1,12 +1,12 @@
 #!/bin/sh
 
 if [ -x "`which autoreconf 2>/dev/null`" ] ; then
-  opt="-if"
+  opt="-i -f -W all,error"
 
   for i in $@; do
     case "$i" in
       -v)
-        opt=$opt"v"
+        opt="${opt} -v"
         ;;
     esac
   done

changes/29241_diagnostic

@@ -0,0 +1,4 @@
+  o Minor features (NSS, diagnostic):
+    - Try to log an error from NSS (if there is any) and a more useful
+      description of our situation if we are using NSS and a call to
+      SSL_ExportKeyingMaterial() fails.  Diagnostic for ticket 29241.

changes/bug13221

@@ -0,0 +1,5 @@
+  o Minor bugfixes (logging):
+    - Correct a misleading error message when IPv4Only or IPv6Only
+      is used but the resolved address can not be interpreted as an
+      address of the specified IP version.  Fixes bug 13221; bugfix
+      on 0.2.3.9-alpha.  Patch from Kris Katterjohn.

changes/bug21394.2

@@ -1,7 +0,0 @@
-  o Minor bugfix (Exit node DNS retries):
-    - Re-attempt timed-out DNS queries 3 times before failure, since our
-      timeout is 5 seconds for them, but clients wait 10-15. Also allow
-      slightly more timeouts per resolver before giving up on it in the
-      case where an exit has multiple resolvers configured. Fixes bug 21394;
-      bugfix on 0.3.1.9.
-

changes/bug22619

@@ -0,0 +1,3 @@
+  o Minor bugfixes (circuit isolation):
+    - Fix a logic error that prevented the SessionGroup sub-option from
+      being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha.

changes/bug23512

@@ -1,6 +0,0 @@
-  o Major bugfix (Relay bandwidth statistics):
-    - When we close relayed circuits, report the data in the circuit queues
-      as being written in our relay bandwidth stats. This mitigates guard
-      discovery and other attacks that close circuits for the explicit purpose
-      of noticing this discrepancy in statistics. Fixes bug 23512; bugfix
-      on 0.0.8pre3.

changes/bug23681

@@ -1,5 +0,0 @@
-  o Minor bugfixes (hidden service client):
-    - The introduction circuit was being timed out too quickly while waiting
-      for the rendezvous circuit to complete. Keep the intro circuit around
-      longer instead of timing out and reopening new ones constantly. Fixes
-      bug 23681; bugfix on 0.2.4.8-alpha.

changes/bug23790

@@ -1,6 +0,0 @@
-  o Minor bugfixes (hidden service v2):
-    - When reloading tor (HUP) configured with hidden service(s), some
-      information weren't copy to the new service object. One problem with this
-      was that tor would wait at least the RendPostPeriod time before uploading
-      the descriptor if the reload happened before the descriptor needed to be
-      published. Fixes bug 23790; bugfix on 0.2.1.9-alpha.

changes/bug24104

@@ -1,4 +0,0 @@
-  o Minor bugfix (relay statistics):
-    - Update relay descriptor on bandwidth changes only when the uptime is
-      smaller than 24h in order to reduce the efficiency of guard discovery
-      attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha.

changes/bug24661

@@ -0,0 +1,3 @@
+  o Minor bugfixes (client, guard selection):
+    - When Tor's consensus has expired, but is still reasonably live, use it
+      to select guards. Fixes bug 24661; bugfix on 0.3.0.1-alpha.

changes/bug24903

@@ -1,5 +0,0 @@
-  o Minor bugfixes (controller, reliability):
-    - Avoid a (nonfatal) assertion failure when extending a one-hop circuit
-      from the controller to become a multihop circuit. Fixes bug 24903;
-      bugfix on 0.2.5.2-alpha.
-

changes/bug25113

@@ -1,5 +0,0 @@
-  o Minor bugfixes (unit test, monotonic time):
-    - Bump a gap of 1msec to 10msec used in the monotonic time test that makes
-      sure the nsec/usec/msec time read are synchronized. This change was
-      needed to accommodate slow system like armel or when the clock_gettime()
-      is not a VDSO on the running kernel. Fixes bug 25113; bugfix on 0.2.9.1.

changes/bug25116

@@ -1,4 +0,0 @@
-  o Minor bugfixes (hidden service, heartbeat):
-    - Don't log in the heartbeat any long term established one hop rendezvous
-      points if tor is a single onion service. Fixes bug 25116; bugfix on
-      0.2.9.6-rc;

changes/bug25733

@@ -1,4 +0,0 @@
-  o Minor bugfixes (Assert crash):
-    - Avoid an assert in the circuit build timeout code if we fail to
-      allow any circuits to actually complete. Fixes bug 25733;
-      bugfix on 0.2.2.2-alpha.

changes/bug27073

@@ -1,4 +0,0 @@
-  o Minor bugfixes (testing):
-    - Revise the "conditionvar_timeout" test so that it succeeds even
-      on heavily loaded systems where the test threads are not scheduled
-      within 200 msec. Fixes bug 27073; bugfix on 0.2.6.3-alpha.

changes/bug27197

@@ -0,0 +1,3 @@
+  o Minor bugfixes (protover, rust):
+    - Reject extra commas in version string. Fixes bug 27197; bugfix on
+      0.3.3.3-alpha.

changes/bug27199

@@ -0,0 +1,3 @@
+  o Minor bugfixes (rust):
+    - Abort on panic in all build profiles, instead of potentially unwinding
+      into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha.

changes/bug27316

@@ -1,3 +0,0 @@
-  o Minor bugfixes (protover):
-    - Reject protocol names containing bytes other than alphanumeric characters
-      and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix on 0.2.9.4-alpha.

changes/bug27658

@@ -1,6 +0,0 @@
-  o Minor bugfixes (testing):
-    - If a unit test running in a subprocess exits abnormally or with a
-      nonzero status code, treat the test as having failed, even if
-      the test reported success. Without this fix, memory leaks don't cause
-      cause the tests to fail, even with LeakSanitizer. Fixes bug 27658;
-      bugfix on 0.2.2.4-alpha.

changes/bug27709

@@ -1,4 +0,0 @@
-  o Minor bugfixes (code safety):
-    - Rewrite our assertion macros so that they no longer suppress
-      the compiler's -Wparentheses warnings on their inputs. Fixes bug 27709;
-      bugfix on 0.0.6.

changes/bug27740

@@ -0,0 +1,4 @@
+  o Minor bugfixes (rust):
+    - Return a string that can be safely freed by C code, not one created by
+      the rust allocator, in protover_all_supported(). Fixes bug 27740; bugfix
+      on 0.3.3.1-alpha.

changes/bug27741

@@ -0,0 +1,5 @@
+  o Minor bugfixes (rust, directory authority):
+    - Fix an API mismatch in the rust implementation of
+      protover_compute_vote(). This bug could have caused crashes on any
+      directory authorities running Tor with Rust (which we do not yet
+      recommend). Fixes bug 27741; bugfix on 0.3.3.6.

changes/bug27750

@@ -0,0 +1,6 @@
+  o Minor bugfixes (connection, relay):
+    - Avoid a wrong BUG() stacktrace in case a closing connection is being held
+      open because the write side is rate limited but not the read side. Now,
+      the connection read side is simply shutdown instead of kept open until tor
+      is able to flush the connection and then fully close it. Fixes bug 27750;
+      bugfix on 0.3.4.1-alpha.

changes/bug27800

@@ -0,0 +1,4 @@
+  o Minor bugfixes (directory authority):
+    - Log additional info when we get a relay that shares an ed25519
+      ID with a different relay, instead making a BUG() warning.
+      Fixes bug 27800; bugfix on 0.3.2.1-alpha.

changes/bug27804

@@ -0,0 +1,3 @@
+  o Minor bugfixes (rust):
+    - Fix a potential null dereference in protover_all_supported().
+      Add a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.

changes/bug27841

@@ -0,0 +1,7 @@
+  o Minor bugfixes (onion services):
+    - On an intro point for a version 3 onion service, we do not close
+      an introduction circuit on an NACK. This lets the client decide
+      whether to reuse the circuit or discard it. Previously, we closed
+      intro circuits on NACKs. Fixes bug 27841; bugfix on 0.3.2.1-alpha.
+      Patch by Neel Chaunan
+

changes/bug27963_timeradd

@@ -0,0 +1,4 @@
+  o Minor bugfixes (compilation, opensolaris):
+    - Add a missing include to compat_pthreads.c, to fix compilation
+      on OpenSolaris and its descendants. Fixes bug 27963; bugfix
+      on 0.3.5.1-alpha.

changes/bug27968

@@ -0,0 +1,3 @@
+  o Minor bugfixes (testing):
+    - Avoid hangs and race conditions in test_rebind.py.
+      Fixes bug 27968; bugfix on 0.3.5.1-alpha.

changes/bug28115

@@ -0,0 +1,3 @@
+  o Minor bugfixes (portability):
+    - Make the OPE code (which is used for v3 onion services) run correctly
+      on big-endian platforms. Fixes bug 28115; bugfix on 0.3.5.1-alpha.

changes/bug28127

@@ -0,0 +1,7 @@
+  o Minor bugfixes (onion services):
+    - Unless we have explicitly set HiddenServiceVersion, detect the onion
+      service version and then look for invalid options. Previously, we
+      did the reverse, but that broke existing configs which were pointed
+      to a v2 hidden service and had options like HiddenServiceAuthorizeClient
+      set Fixes bug 28127; bugfix on 0.3.5.1-alpha. Patch by Neel Chauhan.
+

changes/bug28183

@@ -0,0 +1,4 @@
+  o Minor bugfixes (Linux seccomp2 sandbox):
+    - Permit the "shutdown()" system call, which is apparently
+      used by OpenSSL under some circumstances. Fixes bug 28183;
+      bugfix on 0.2.5.1-alpha.

changes/bug28298

@@ -0,0 +1,4 @@
+  o Minor bugfixes (configuration):
+    - Resume refusing to start with relative file paths and RunAsDaemon
+      set (regression from the fix for bug 22731). Fixes bug 28298;
+      bugfix on 0.3.3.1-alpha.

changes/bug28303

@@ -0,0 +1,3 @@
+  o Minor bugfixes (compilation):
+    - Fix a pair of missing headers on OpenBSD. Fixes bug 28303;
+      bugfix on 0.3.5.1-alpha. Patch from  Kris Katterjohn.

changes/bug28348_034

@@ -0,0 +1,5 @@
+  o Major bugfixes (embedding, main loop):
+    - When DisableNetwork becomes set, actually disable periodic events that
+      are already enabled. (Previously, we would refrain from enabling new
+      ones, but we would leave the old ones turned on.)
+      Fixes bug 28348; bugfix on 0.3.4.1-alpha.

changes/bug28399

@@ -0,0 +1,4 @@
+  o Minor bugfixes (continuous integration, Windows):
+    - Stop using an external OpenSSL install, and stop installing MSYS2
+      packages, when building using mingw on Appveyor Windows CI.
+      Fixes bug 28399; bugfix on 0.3.4.1-alpha.

changes/bug28419

@@ -0,0 +1,3 @@
+  o Minor bugfixes (memory leaks):
+    - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419;
+      bugfix on 0.3.3.1-alpha.  Patch from Martin Kepplinger.

changes/bug28435

@@ -0,0 +1,3 @@
+  o Minor bugfixes (documentation):
+    - Make Doxygen work again after the 0.3.5 source tree moves.
+      Fixes bug 28435; bugfix on 0.3.5.1-alpha.

changes/bug28441

@@ -0,0 +1,4 @@
+  o Minor bugfixes (logging):
+    - Stop talking about the Named flag in log messages. Clients have
+      ignored the Named flag since 0.3.2. Fixes bug 28441;
+      bugfix on 0.3.2.1-alpha.

changes/bug28454

@@ -0,0 +1,4 @@
+  o Minor bugfixes (continuous integration, Windows):
+    - Manually configure the zstd compiler options, when building using
+      mingw on Appveyor Windows CI. The MSYS2 mingw zstd package does not
+      come with a pkg-config file. Fixes bug 28454; bugfix on 0.3.4.1-alpha.

changes/bug28485

@@ -0,0 +1,3 @@
+  o Minor bugfixes (compilation):
+    - Add missing dependency on libgdi32.dll for tor-print-ed-signing-cert.exe
+      on Windows. Fixes bug 28485; bugfix on 0.3.5.1-alpha.

changes/bug28524

@@ -0,0 +1,4 @@
+  o Minor bugfixes (restart-in-process, boostrap):
+    - Add missing resets of bootstrap tracking state when shutting
+      down (regression caused by ticket 27169).  Fixes bug 28524;
+      bugfix on 0.3.5.1-alpha.

changes/bug28554

@@ -0,0 +1,3 @@
+  o Minor bugfixes (unit tests, guard selection):
+    - Stop leaking memory in an entry guard unit test. Fixes bug 28554;
+      bugfix on 0.3.0.1-alpha.

changes/bug28562

@@ -0,0 +1,5 @@
+  o Minor bugfixes (testing):
+    - Use a separate DataDirectory for the test_rebind script.
+      Previously, this script would run using the default DataDirectory,
+      and sometimes fail. Fixes bug 28562; bugfix on 0.3.5.1-alpha.
+      Patch from Taylor R Campbell.

changes/bug28568

@@ -0,0 +1,4 @@
+  o Minor bugfixes (testing):
+    - Stop running stem's unit tests as part of "make test-stem". But continue
+      to run stem's unit and online tests during "make test-stem-full".
+      Fixes bug 28568; bugfix on 0.2.6.3-alpha.

changes/bug28569

@@ -0,0 +1,3 @@
+  o Minor bugfixes (unit tests, directory clients):
+    - Mark outdated dirservers when Tor only has a reasonably live consensus.
+      Fixes bug 28569; bugfix on 0.3.2.5-alpha.

changes/bug28612

@@ -0,0 +1,4 @@
+  o Minor bugfixes (windows services):
+    - Make Tor start correctly as an NT service again: previously it
+      was broken by refactoring.  Fixes bug 28612; bugfix on 0.3.5.3-alpha.
+      

changes/bug28619

@@ -0,0 +1,6 @@
+  o Minor bugfixes (hidden service v3):
+    - When deleting an ephemeral onion service (DEL_ONION), do not close any
+      rendezvous circuits in order to let the existing client connections
+      finish by themselves or closed by the application. The HS v2 is doing
+      that already so now we have the same behavior for all versions. Fixes
+      bug 28619; bugfix on 0.3.3.1-alpha.

changes/bug28656

@@ -0,0 +1,3 @@
+  o Minor bugfixes (logging):
+    - Stop logging a BUG() warning when tor is waiting for exit descriptors.
+      Fixes bug 28656; bugfix on 0.3.5.1-alpha.

changes/bug28698

@@ -0,0 +1,3 @@
+  o Minor bugfix (logging):
+    - Avoid logging about relaxing circuits when their time is fixed.
+      Fixes bug 28698; bugfix on 0.2.4.7-alpha

changes/bug28895

@@ -0,0 +1,5 @@
+  o Minor bugfixes (usability):
+    - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate()
+      as that confusingly suggests that mentioned guard node is under control
+      and responsibility of end user, which it is not. Fixes bug 28895;
+      bugfix on Tor 0.3.0.1-alpha.

changes/bug28920

@@ -0,0 +1,6 @@
+  o Minor bugfixes (logging):
+    - Rework rep_hist_log_link_protocol_counts() to iterate through all link
+      protocol versions when logging incoming/outgoing connection counts. Tor
+      no longer skips version 5 and we don't have to remember to update this
+      function when new link protocol version is developed. Fixes bug 28920;
+      bugfix on 0.2.6.10.

changes/bug28938

@@ -0,0 +1,4 @@
+  o Minor bugfixes (compilation):
+    - Fix missing headers required for proper detection of
+      OpenBSD.  Fixes bug 28938; bugfix on 0.3.5.1-alpha.
+      Patch from Kris Katterjohn.

changes/bug28974

@@ -0,0 +1,3 @@
+  o Minor bugfixes (compilation):
+    - Fix compilation for Android by adding a missing header to
+      freespace.c.  Fixes bug 28974; bugfix on 0.3.5.1-alpha.

changes/bug28979

@@ -0,0 +1,4 @@
+  o Minor bugfixes (documentation):
+    - Describe the contents of the v3 onion service client authorization
+      files correctly: They hold public keys, not private keys. Fixes bug
+      28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".

changes/bug28981

@@ -0,0 +1,5 @@
+  o Minor bugfixes (misc):
+    - The amount of total available physical memory is now determined
+      using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM)
+      when it is defined and a 64-bit variant is not available.  Fixes
+      bug 28981; bugfix on 0.2.5.4-alpha.  Patch from Kris Katterjohn.

changes/bug28995

@@ -0,0 +1,5 @@
+  o Minor bugfix (IPv6):
+    Fix tor_ersatz_socketpair on IPv6-only systems.  Previously,
+    the IPv6 socket was bound using an address family of AF_INET
+    instead of AF_INET6.  Fixes bug 28995; bugfix on 0.3.5.1-alpha.
+    Patch from Kris Katterjohn.

changes/bug29017

@@ -0,0 +1,4 @@
+  o Minor bugfixes (stats):
+    - When ExtraInfoStatistics is 0, stop including PaddingStatistics in
+      relay and bridge extra-info documents. Fixes bug 29017;
+      bugfix on 0.3.1.1-alpha.

changes/bug29034

@@ -0,0 +1,5 @@
+  o Major bugfixes (Onion service reachability):
+    - Properly clean up the introduction point map when circuits change purpose
+      from onion service circuits to pathbias, measurement, or other circuit types.
+      This should fix some service-side instances of introduction point failure.
+      Fixes bug 29034; bugfix on 0.3.2.1-alpha.

changes/bug29040

@@ -0,0 +1,4 @@
+  o Minor bugfixes (onion services):
+    - Avoid crashing if ClientOnionAuthDir (incorrectly) contains
+      more than one private key for a hidden service. Fixes bug 29040;
+      bugfix on 0.3.5.1-alpha.

changes/bug29042

@@ -0,0 +1,5 @@
+  o Minor bugfixes (logging):
+    - Log more information at "warning" level when unable to read a private
+      key; log more information ad "info" level when unable to read a public
+      key. We had warnings here before, but they were lost during our
+      NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha.

changes/bug29135

@@ -0,0 +1,5 @@
+  o Minor bugfixes (onion services, logging):
+    - In hs_cache_store_as_client() log an HSDesc we failed to parse at Debug
+      loglevel. Tor used to log it at Warning loglevel, which caused
+      very long log lines to appear for some users. Fixes bug 29135; bugfix on
+      0.3.2.1-alpha.

changes/bug29144

@@ -0,0 +1,5 @@
+  o Minor bugfixes (logging):
+    - Log the correct port number for listening sockets when "auto" is
+      used to let Tor pick the port number.  Previously, port 0 was
+      logged instead of the actual port number.  Fixes bug 29144;
+      bugfix on 0.3.5.1-alpha.  Patch from Kris Katterjohn.

changes/bug29161

@@ -0,0 +1,3 @@
+  o Minor bugfixes (tests):
+    - Detect and suppress "bug" warnings from the util/time test on Windows.
+      Fixes bug 29161; bugfix on 0.2.9.3-alpha.

changes/bug29175_035

@@ -0,0 +1,4 @@
+  o Major bugfixes (networking):
+    - Gracefully handle empty username/password fields in SOCKS5
+      username/password auth messsage and allow SOCKS5 handshake to
+      continue. Fixes bug 29175; bugfix on 0.3.5.1-alpha.

changes/bug29241

@@ -0,0 +1,6 @@
+  o Major bugfixes (NSS, relay):
+    - When running with NSS, disable TLS 1.2 ciphersuites that use SHA384
+      for their PRF. Due to an NSS bug, the TLS key exporters for these
+      ciphersuites don't work -- which caused relays to fail to handshake
+      with one another when these ciphersuites were enabled.
+      Fixes bug 29241; bugfix on 0.3.5.1-alpha.

changes/bug29244

@@ -0,0 +1,4 @@
+  o Minor bugfixes (build, compatibility):
+    - Update Cargo.lock file to match the version made by the latest
+      version of Rust, so that "make distcheck" will pass again.
+      Fixes bug 29244; bugfix on 0.3.3.4-alpha.

changes/bug29530_035

@@ -0,0 +1,5 @@
+  o Minor bugfixes (testing):
+    - Downgrade some LOG_ERR messages in the address/* tests to warnings.
+      The LOG_ERR messages were occurring when we had no configured network.
+      We were failing the unit tests, because we backported 28668 to 0.3.5.8,
+      but did not backport 29530. Fixes bug 29530; bugfix on 0.3.5.8.

changes/bug29601

@@ -0,0 +1,6 @@
+  o Minor bugfixes (Windows, CI):
+    - Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit Windows
+      Server 2012 R2 job. The remaining 2 jobs still provide coverage of
+      64/32-bit, and Windows Server 2016/2012 R2. Also set fast_finish, so
+      failed jobs terminate the build immediately.
+      Fixes bug 29601; bugfix on 0.3.5.4-alpha.

changes/bug29670

@@ -0,0 +1,4 @@
+  o Minor bugfixes (configuration, proxies):
+    - Fix a bug that prevented us from supporting SOCKS5 proxies that want
+      authentication along with configued (but unused!)
+      ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha.

changes/bug29875

@@ -0,0 +1,11 @@
+  o Major bugfixes (bridges):
+    - Do not count previously configured working bridges towards our total of
+      working bridges. Previously, when Tor's list of bridges changed, it
+      would think that the old bridges were still usable, and delay fetching
+      router descriptors for the new ones.  Fixes part of bug 29875; bugfix
+      on 0.3.0.1-alpha.
+    - Consider our directory information to have changed when our list of
+      bridges changes. Previously, Tor would not re-compute the status of its
+      directory information when bridges changed, and therefore would not
+      realize that it was no longer able to build circuits. Fixes part of bug
+      29875.

changes/bug29922

@@ -0,0 +1,4 @@
+  o Minor bugfixes (testing, windows):
+    - Fix a test failure caused by an unexpected bug warning in
+      our test for tor_gmtime_r(-1). Fixes bug 29922;
+      bugfix on 0.2.9.3-alpha.

changes/bug30011

@@ -0,0 +1,4 @@
+  o Minor bugfixes (CI):
+    - Terminate test-stem if it takes more than 9.5 minutes to run.
+      (Travis terminates the job after 10 minutes of no output.)
+      Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha.

changes/bug30040

@@ -0,0 +1,9 @@
+  o Minor bugfixes (security):
+    - Fix a potential double free bug when reading huge bandwidth files. The
+      issue is not exploitable in the current Tor network because the
+      vulnerable code is only reached when directory authorities read bandwidth
+      files, but bandwidth files come from a trusted source (usually the
+      authorities themselves). Furthermore, the issue is only exploitable in
+      rare (non-POSIX) 32-bit architectures which are not used by any of the
+      current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found
+      and fixed by Tobias Stoeckmann.

changes/bug30148

@@ -0,0 +1,4 @@
+  o Minor bugfixes (memory leak):
+    - Avoid a minor memory leak that could occur on relays when
+      creating a keys directory failed. Fixes bug 30148; bugfix on
+      0.3.3.1-alpha.

changes/bug30189

@@ -0,0 +1,4 @@
+  o Minor bugfixes (compilation, unusual configuration):
+    - Avoid failures when building with ALL_BUGS_ARE_FAILED due to
+      missing declarations of abort(), and prevent other such failures
+      in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha.

changes/bug30190

@@ -0,0 +1,3 @@
+  o Minor bugfixes (lib):
+    do not log a warning for OpenSSL versions that should be compatible
+    Fixes bug 30190; bugfix on 0.2.4.2-alpha

changes/bug30316

@@ -0,0 +1,4 @@
+  o Minor bugfixes (directory authority):
+    - Move the "bandwidth-file-headers" line in directory authority votes
+      so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix on
+      0.3.5.1-alpha.

changes/bug30452

@@ -0,0 +1,3 @@
+  o Minor features (compile-time modules):
+    - Add a --list-modules command to print a list of which compile-time
+      modules are enabled. Closes ticket 30452.

changes/bug30475

@@ -0,0 +1,4 @@
+  o Minor bugfixes ():
+    - Avoid a GCC 9.1.1 warning (and possible crash depending on libc
+      implemenation) when failing to load a hidden service client authorization
+      file.  Fixes bug 30475; bugfix on 0.3.5.1-alpha.

changes/bug30713

@@ -0,0 +1,5 @@
+  o Minor bugfixes (testing):
+    - Skip test_rebind when the TOR_SKIP_TEST_REBIND environmental variable is
+      set. Fixes bug 30713; bugfix on 0.3.5.1-alpha.
+    - Skip test_rebind on macOS in Travis, because it is unreliable on
+      macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha.

changes/bug30744

@@ -0,0 +1,3 @@
+  o Minor bugfixes (continuous integration):
+    - Allow the test-stem job to fail in Travis, because it sometimes hangs.
+      Fixes bug 30744; bugfix on 0.3.5.4-alpha.

changes/bug30894

@@ -0,0 +1,4 @@
+  o Minor bugfixes (memory leaks):
+    - Fix a trivial memory leak when parsing an invalid value
+      from a download schedule in the configuration. Fixes bug
+      30894; bugfix on 0.3.4.1-alpha.

changes/bug31003

@@ -0,0 +1,4 @@
+  o Minor bugfixes (crash on exit):
+    - Avoid a set of possible code paths that could use try to use freed memory
+      in routerlist_free() while Tor was exiting.  Fixes bug 31003; bugfix on
+      0.1.2.2-alpha.

changes/bug31463

@@ -0,0 +1,3 @@
+  o Minor bugfixes (rust):
+    - Correctly exclude a redundant rust build job in Travis. Fixes bug 31463;
+      bugfix on 0.3.5.4-alpha.

changes/cid1444119

@@ -0,0 +1,3 @@
+  o Minor bugfixes (C correctness):
+    - Fix an unlikely memory leak in consensus_diff_apply(). Fixes bug 29824;
+      bugfix on 0.3.1.1-alpha. This is Coverity warning CID 1444119.