Merge branch 'maint-0.4.3'

.appveyor.yml

@@ -95,7 +95,9 @@ test_script:
             $buildpath = @("C:\msys64\${env:compiler_path}\bin") + $oldpath
             $env:Path = $buildpath -join ';'
             Set-Location "${env:build}"
-            Execute-Bash "VERBOSE=1 make -k -j2 check"
+            Copy-Item "C:/msys64/${env:compiler_path}/bin/libssp-0.dll" -Destination "${env:build}/src/test"
+            Copy-Item "C:/msys64/${env:compiler_path}/bin/zlib1.dll" -Destination "${env:build}/src/test"
+            Execute-Bash "VERBOSE=1 TOR_SKIP_TESTCASES=crypto/openssl_version make -k -j2 check"
     }
 
 on_finish:

.gitignore

@@ -158,14 +158,20 @@ uptime-*.json
 
 # /src/lib
 /src/lib/libcurve25519_donna.a
+/src/lib/libtor-buf.a
+/src/lib/libtor-buf-testing.a
 /src/lib/libtor-compress.a
 /src/lib/libtor-compress-testing.a
+/src/lib/libtor-confmgt.a
+/src/lib/libtor-confmgt-testing.a
 /src/lib/libtor-container.a
 /src/lib/libtor-container-testing.a
 /src/lib/libtor-crypt-ops.a
 /src/lib/libtor-crypt-ops-testing.a
 /src/lib/libtor-ctime.a
 /src/lib/libtor-ctime-testing.a
+/src/lib/libtor-dispatch.a
+/src/lib/libtor-dispatch-testing.a
 /src/lib/libtor-encoding.a
 /src/lib/libtor-encoding-testing.a
 /src/lib/libtor-evloop.a
@@ -198,6 +204,8 @@ uptime-*.json
 /src/lib/libtor-osinfo-testing.a
 /src/lib/libtor-process.a
 /src/lib/libtor-process-testing.a
+/src/lib/libtor-pubsub.a
+/src/lib/libtor-pubsub-testing.a
 /src/lib/libtor-sandbox.a
 /src/lib/libtor-sandbox-testing.a
 /src/lib/libtor-string.a
@@ -213,6 +221,8 @@ uptime-*.json
 /src/lib/libtor-tls.a
 /src/lib/libtor-tls-testing.a
 /src/lib/libtor-trace.a
+/src/lib/libtor-version.a
+/src/lib/libtor-version-testing.a
 /src/lib/libtor-wallclock.a
 /src/lib/libtor-wallclock-testing.a
 
@@ -240,20 +250,22 @@ uptime-*.json
 /src/test/test
 /src/test/test-slow
 /src/test/test-bt-cl
-/src/test/test-child
+/src/test/test-process
 /src/test/test-memwipe
 /src/test/test-ntor-cl
 /src/test/test-hs-ntor-cl
+/src/test/test-rng
 /src/test/test-switch-id
 /src/test/test-timers
 /src/test/test_workqueue
 /src/test/test.exe
 /src/test/test-slow.exe
 /src/test/test-bt-cl.exe
-/src/test/test-child.exe
+/src/test/test-process.exe
 /src/test/test-ntor-cl.exe
 /src/test/test-hs-ntor-cl.exe
 /src/test/test-memwipe.exe
+/src/test/test-rng.exe
 /src/test/test-switch-id.exe
 /src/test/test-timers.exe
 /src/test/test_workqueue.exe

.gitlab-ci.yml

@@ -13,33 +13,3 @@ build:
     - make check || (e=$?; cat test-suite.log; exit $e)
     - make install
 
-update:
-  only:
-    - schedules
-  script: 
-    - "apt-get install -y --fix-missing git openssh-client"
-    
-    # Run ssh-agent (inside the build environment)
-    - eval $(ssh-agent -s)
-
-    # Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
-    - ssh-add <(echo "$DEPLOY_KEY")
-
-    # For Docker builds disable host key checking. Be aware that by adding that
-    # you are susceptible to man-in-the-middle attacks.
-    # WARNING: Use this only with the Docker executor, if you use it with shell
-    # you will overwrite your user's SSH config.
-    - mkdir -p ~/.ssh
-    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
-    # In order to properly check the server's host key, assuming you created the
-    # SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines
-    # instead.
-    - mkdir -p ~/.ssh
-    - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
-    - echo "merging from torgit"
-    - git config --global user.email "labadmin@oniongit.eu"
-    - git config --global user.name "gitadmin"
-    - "mkdir tor"
-    - "cd tor" 
-    - git clone --bare https://git.torproject.org/tor.git
-    - git push --mirror git@oniongit.eu:network/tor.git

.travis.yml

@@ -29,6 +29,8 @@ env:
     - HARDENING_OPTIONS="--enable-expensive-hardening"
     ## We turn off asciidoc by default, because it's slow
     - ASCIIDOC_OPTIONS="--disable-asciidoc"
+    ## Our default rust version is the minimum supported version
+    - RUST_VERSION="1.31.0"
     ## Turn off tor's sandbox in chutney, until we fix sandbox errors that are
     ## triggered by Ubuntu Xenial and Bionic. See #32722.
     - CHUTNEY_TOR_SANDBOX="0"
@@ -39,44 +41,54 @@ env:
 matrix:
   ## include creates builds with gcc, linux, unless we override those defaults
   include:
-    ## We run basic tests on macOS
+    ## We run chutney on macOS, because macOS Travis has IPv6
+    - env: CHUTNEY="yes" CHUTNEY_ALLOW_FAILURES="2" SKIP_MAKE_CHECK="yes"
+      os: osx
+
+    ## We also run basic tests on macOS
     - compiler: clang
       os: osx
       ## Turn off some newer features, turn on clang's -Wtypedef-redefinition
       env: C_DIALECT_OPTIONS="-std=gnu99"
-    ## We check NSS
+
-    ## Use -std=gnu99 to turn off some newer features, and maybe turn on some
-    ## extra gcc warnings?
-    - env: NSS_OPTIONS="--enable-nss" C_DIALECT_OPTIONS="-std=gnu99"
     ## We run chutney on Linux, because it's faster than chutney on macOS
     ## Chutney is a fast job, clang is slower on Linux, so we do Chutney clang
     - env: CHUTNEY="yes" CHUTNEY_ALLOW_FAILURES="2" SKIP_MAKE_CHECK="yes"
       compiler: clang
+
     ## We check asciidoc with distcheck, to make sure we remove doc products
-    ## We use Linux clang, because there are no other Linux clang jobs
     - env: DISTCHECK="yes" ASCIIDOC_OPTIONS="" SKIP_MAKE_CHECK="yes"
-      compiler: clang
+
-    ## We include a single coverage build with the best options for coverage
+    ## We check disable module relay
-    - env: COVERAGE_OPTIONS="--enable-coverage" HARDENING_OPTIONS=""
+    - env: MODULES_OPTIONS="--disable-module-relay"
+    ## We check disable module dirauth
+    - env: MODULES_OPTIONS="--disable-module-dirauth"
+
     ## We run rust on Linux, because it's faster than rust on macOS
     ## We check rust offline
     - env: RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
-    ## We check asciidoc with distcheck, to make sure we remove doc products
+
-    - env: DISTCHECK="yes" ASCIIDOC_OPTIONS="" SKIP_MAKE_CHECK="yes"
+    ## We check NSS
-    ## We check disable module dirauth
+    ## Use -std=gnu99 to turn off some newer features, and maybe turn on some
-    - env: MODULES_OPTIONS="--disable-module-dirauth"
+    ## extra gcc warnings?
+    - env: NSS_OPTIONS="--enable-nss" C_DIALECT_OPTIONS="-std=gnu99"
+
+    ## We include a single coverage build with the best options for coverage
+    - env: COVERAGE_OPTIONS="--enable-coverage" HARDENING_OPTIONS="" TOR_TEST_RNG_SEED="636f766572616765"
+
+    ## We clone our stem repo and run `make test-stem`
+    - env: TEST_STEM="yes" SKIP_MAKE_CHECK="yes"
+
+    ## We run `make doxygen` without `make check`.
+    - env: SKIP_MAKE_CHECK="yes" DOXYGEN="yes"
+
     ## macOS builds are very slow, and we have a limited number of
     ## concurrent macOS jobs. We're not actively developing Rust, so it is
     ## the lowest priority.
     ## We run rust on macOS, because we have seen macOS rust failures before
-    #- env: RUST_OPTIONS="--enable-rust --enable-cargo-online-mode"
+    #- env: RUST_VERSION="nightly" RUST_OPTIONS="--enable-rust --enable-cargo-online-mode"
     #  compiler: clang
     #  os: osx
-    ## We run chutney on macOS, because macOS Travis has IPv6
-    - env: CHUTNEY="yes" CHUTNEY_ALLOW_FAILURES="2" SKIP_MAKE_CHECK="yes"
-      os: osx
-    ## We clone our stem repo and run `make test-stem`
-    - env: TEST_STEM="yes" SKIP_MAKE_CHECK="yes"
 
   ## Allow the build to report success (with non-required sub-builds
   ## continuing to run) if all required sub-builds have succeeded.
@@ -88,11 +100,17 @@ matrix:
     ## macOS rust and chutney are very slow, so we let the build finish before
     ## they are done.  We'd like to fast finish, but still eventually show
     ## any failures in the build status. But Travis doesn't have that ability.
-    - env: RUST_OPTIONS="--enable-rust --enable-cargo-online-mode"
+
-      compiler: clang
+    ## Since this job is disabled, there's not much point having an exception
-      os: osx
+    ## for it
-    - env: CHUTNEY="yes" CHUTNEY_ALLOW_FAILURES="2" SKIP_MAKE_CHECK="yes"
+    #- env: RUST_VERSION="nightly" RUST_OPTIONS="--enable-rust --enable-cargo-online-mode"
-      os: osx
+    #  compiler: clang
+    #  os: osx
+
+    ## Since we're actively developing IPv6, we want to require the IPv6
+    ## chutney tests
+    #- env: CHUTNEY="yes" CHUTNEY_ALLOW_FAILURES="2" SKIP_MAKE_CHECK="yes"
+    #  os: osx
 
 ## (Linux only) Use a recent Linux image (Ubuntu Bionic)
 dist: bionic
@@ -114,12 +132,16 @@ addons:
       - libscrypt-dev
       - libseccomp-dev
       - libzstd-dev
+      ## Optional build dependencies
+      - coccinelle
+      - shellcheck
       ## Conditional build dependencies
       ## Always installed, so we don't need sudo
       - asciidoc
       - docbook-xsl
       - docbook-xml
       - xmlto
+      - doxygen
       ## Utilities
       ## preventing or diagnosing hangs
       - timelimit
@@ -142,6 +164,8 @@ addons:
       - pkg-config
       ## Optional build dependencies
       - ccache
+      - coccinelle
+      - shellcheck
       ## Conditional build dependencies
       ## Always installed, because manual brew installs are hard to get right
       - asciidoc
@@ -157,6 +181,8 @@ addons:
 osx_image: xcode11.2
 
 before_install:
+  ## Set pipefail: we use pipes
+  - set -o pipefail || echo "pipefail failed"
   ## Create empty rust directories for non-Rust builds, so caching succeeds
   - if [[ "$RUST_OPTIONS" == "" ]]; then mkdir -p $HOME/.cargo $TRAVIS_BUILD_DIR/src/rust/target; fi
 
@@ -172,8 +198,8 @@ install:
   - if [[ "$ASCIIDOC_OPTIONS" == "" ]] && [[ "$TRAVIS_OS_NAME" == "osx" ]]; then export XML_CATALOG_FILES="/usr/local/etc/xml/catalog"; fi
   ## If we're using Rust, download rustup
   - if [[ "$RUST_OPTIONS" != "" ]]; then curl -Ssf -o rustup.sh https://sh.rustup.rs; fi
-  ## Install the nightly channels of rustc and cargo and setup our toolchain environment
+  ## Install the stable channels of rustc and cargo and setup our toolchain environment
-  - if [[ "$RUST_OPTIONS" != "" ]]; then sh rustup.sh -y --default-toolchain nightly; fi
+  - if [[ "$RUST_OPTIONS" != "" ]]; then sh rustup.sh -y --default-toolchain $RUST_VERSION; fi
   - if [[ "$RUST_OPTIONS" != "" ]]; then source $HOME/.cargo/env; fi
   ## If we're testing rust builds in offline-mode, then set up our vendored dependencies
   - if [[ "$TOR_RUST_DEPENDENCIES" == "true" ]]; then export TOR_RUST_DEPENDENCIES=$PWD/src/ext/rust/crates; fi
@@ -198,6 +224,13 @@ install:
   - if [[ "$CHUTNEY" != "" ]]; then pushd "$CHUTNEY_PATH"; git log -1 ; popd ; fi
   ## If we're running stem, show the stem version and commit
   - if [[ "$TEST_STEM" != "" ]]; then pushd stem; python -c "from stem import stem; print(stem.__version__);"; git log -1; popd; fi
+  ## Get the coccinelle version
+  ## Installs are unreliable on macOS, so we just rely on brew list --versions
+  - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then spatch --version; fi
+  ## We don't want Tor tests to depend on default configuration file at
+  ## ~/.torrc. So we put some random bytes in there, to make sure we get build
+  ## failures in case Tor is reading it during CI jobs.
+  - dd ibs=1 count=1024 if=/dev/urandom > ~/.torrc
 
 script:
   # Skip test_rebind on macOS
@@ -213,6 +246,7 @@ script:
   ## Diagnostic for bug 29437: kill stem if it hangs for 9.5 minutes
   ## Travis will kill the job after 10 minutes with no output
   - if [[ "$TEST_STEM" != "" ]]; then make src/app/tor; timelimit -p -t 540 -s USR1 -T 30 -S ABRT python3 "$STEM_SOURCE_DIR"/run_tests.py --tor src/app/tor --integ --test control.controller --test control.base_controller --test process --log TRACE --log-file stem.log; fi
+  - if [[ "$DOXYGEN" != "" ]]; then make doxygen; fi
   ## If this build was one that produced coverage, upload it.
   - if [[ "$COVERAGE_OPTIONS" != "" ]]; then coveralls -b . --exclude src/test --exclude src/trunnel --gcov-options '\-p' || echo "Coverage failed"; fi
 
@@ -225,7 +259,7 @@ after_failure:
   ## `make distcheck` puts it somewhere different.
   - if [[ "$DISTCHECK" != "" ]]; then make show-distdir-testlog || echo "make failed"; fi
   - if [[ "$DISTCHECK" != "" ]]; then make show-distdir-core || echo "make failed"; fi
-  - if [[ "$CHUTNEY" != "" ]]; then ls test_network_log || echo "ls failed"; cat test_network_log/* || echo "cat failed"; fi
+  - if [[ "$CHUTNEY" != "" ]]; then "$CHUTNEY_PATH/tools/diagnostics.sh" || echo "diagnostics failed"; ls test_network_log || echo "ls failed"; cat test_network_log/* || echo "cat failed"; fi
   - if [[ "$TEST_STEM" != "" ]]; then tail -1000 "$STEM_SOURCE_DIR"/test/data/tor_log || echo "tail failed"; fi
   - if [[ "$TEST_STEM" != "" ]]; then grep -v "SocketClosed" stem.log | tail -1000 || echo "grep | tail failed"; fi
 

LICENSE

@@ -9,7 +9,8 @@
         there may be other license terms that you should be aware of.
 
 ===============================================================================
-Tor is distributed under this license:
+Tor is distributed under the "3-clause BSD" license, a commonly used
+software license that means Tor is both free software and open source:
 
 Copyright (c) 2001-2004, Roger Dingledine
 Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson

Makefile.am

@@ -21,7 +21,12 @@ AM_CPPFLAGS=\
 	-I$(top_srcdir)/src/ext/trunnel \
 	-I$(top_srcdir)/src/trunnel
 
-AM_CFLAGS=@TOR_SYSTEMD_CFLAGS@ @CFLAGS_BUGTRAP@ @TOR_LZMA_CFLAGS@ @TOR_ZSTD_CFLAGS@
+AM_CFLAGS=					\
+	@TOR_SYSTEMD_CFLAGS@			\
+	@CFLAGS_BUGTRAP@			\
+	@TOR_LZMA_CFLAGS@			\
+	@TOR_ZSTD_CFLAGS@
+
 SHELL=@SHELL@
 
 if COVERAGE_ENABLED
@@ -31,9 +36,7 @@ TESTING_TOR_BINARY=$(top_builddir)/src/app/tor$(EXEEXT)
 endif
 
 if USE_RUST
-## this MUST be $(), otherwise am__DEPENDENCIES will not track it
+rust_ldadd=$(top_builddir)/$(TOR_RUST_LIB_PATH)
-rust_ldadd=$(top_builddir)/$(TOR_RUST_LIB_PATH) \
-	$(TOR_RUST_EXTRA_LIBS)
 else
 rust_ldadd=
 endif
@@ -42,6 +45,10 @@ endif
 TOR_UTIL_LIBS = \
         src/lib/libtor-geoip.a \
 	src/lib/libtor-process.a \
+        src/lib/libtor-buf.a \
+	src/lib/libtor-confmgt.a \
+	src/lib/libtor-pubsub.a \
+	src/lib/libtor-dispatch.a \
 	src/lib/libtor-time.a \
 	src/lib/libtor-fs.a \
 	src/lib/libtor-encoding.a \
@@ -62,6 +69,7 @@ TOR_UTIL_LIBS = \
 	src/lib/libtor-malloc.a \
 	src/lib/libtor-wallclock.a \
 	src/lib/libtor-err.a \
+	src/lib/libtor-version.a \
 	src/lib/libtor-intmath.a \
 	src/lib/libtor-ctime.a
 
@@ -71,6 +79,10 @@ if UNITTESTS_ENABLED
 TOR_UTIL_TESTING_LIBS = \
         src/lib/libtor-geoip-testing.a \
 	src/lib/libtor-process-testing.a \
+        src/lib/libtor-buf-testing.a \
+	src/lib/libtor-confmgt-testing.a \
+	src/lib/libtor-pubsub-testing.a \
+	src/lib/libtor-dispatch-testing.a \
 	src/lib/libtor-time-testing.a \
 	src/lib/libtor-fs-testing.a \
 	src/lib/libtor-encoding-testing.a \
@@ -91,6 +103,7 @@ TOR_UTIL_TESTING_LIBS = \
 	src/lib/libtor-malloc-testing.a \
 	src/lib/libtor-wallclock-testing.a \
 	src/lib/libtor-err-testing.a \
+	src/lib/libtor-version-testing.a \
 	src/lib/libtor-intmath.a \
 	src/lib/libtor-ctime-testing.a
 endif
@@ -150,16 +163,52 @@ include doc/include.am
 include contrib/include.am
 
 EXTRA_DIST+= \
-	ChangeLog					\
+	ChangeLog							\
-	CONTRIBUTING					\
+	CONTRIBUTING							\
-	CODE_OF_CONDUCT                                 \
+	CODE_OF_CONDUCT							\
-	INSTALL						\
+	INSTALL								\
-	LICENSE						\
+	LICENSE								\
-	Makefile.nmake					\
+	Makefile.nmake							\
-	README						\
+	README								\
-	ReleaseNotes					\
+	ReleaseNotes							\
-	scripts/maint/checkIncludes.py                  \
+	scripts/maint/checkIncludes.py					\
-	scripts/maint/checkSpace.pl
+	scripts/maint/checkSpace.pl					\
+	scripts/maint/checkSpaceTest.sh					\
+	scripts/maint/checkspace_tests/dubious.c			\
+	scripts/maint/checkspace_tests/dubious.h			\
+	scripts/maint/checkspace_tests/expected.txt			\
+	scripts/maint/checkspace_tests/good_guard.h			\
+	scripts/maint/checkspace_tests/same_guard.h			\
+	scripts/maint/checkspace_tests/subdir/dubious.c			\
+	scripts/maint/checkShellScripts.sh				\
+	scripts/maint/practracker/README				\
+	scripts/maint/practracker/exceptions.txt			\
+	scripts/maint/practracker/includes.py				\
+	scripts/maint/practracker/metrics.py				\
+	scripts/maint/practracker/practracker.py			\
+	scripts/maint/practracker/practracker_tests.py			\
+	scripts/maint/practracker/problem.py				\
+	scripts/maint/practracker/testdata/.may_include			\
+	scripts/maint/practracker/testdata/a.c				\
+	scripts/maint/practracker/testdata/b.c				\
+	scripts/maint/practracker/testdata/ex0-expected.txt		\
+	scripts/maint/practracker/testdata/ex0.txt			\
+	scripts/maint/practracker/testdata/ex1-expected.txt		\
+	scripts/maint/practracker/testdata/ex1.txt			\
+	scripts/maint/practracker/testdata/ex1-overbroad-expected.txt	\
+	scripts/maint/practracker/testdata/ex1-regen-expected.txt	\
+	scripts/maint/practracker/testdata/ex1-regen-overbroad-expected.txt \
+	scripts/maint/practracker/testdata/ex.txt			\
+	scripts/maint/practracker/testdata/header.h			\
+	scripts/maint/practracker/testdata/not_c_file			\
+	scripts/maint/practracker/test_practracker.sh			\
+	scripts/maint/practracker/util.py				\
+	scripts/coccinelle/apply.sh					\
+	scripts/coccinelle/check_cocci_parse.sh				\
+	scripts/coccinelle/exceptions.txt				\
+	scripts/coccinelle/test-operator-cleanup			\
+	scripts/coccinelle/tor-coccinelle.h				\
+	scripts/coccinelle/try_parse.sh
 
 ## This tells etags how to find mockable function definitions.
 AM_ETAGSFLAGS=--regex='{c}/MOCK_IMPL([^,]+,\W*\([a-zA-Z0-9_]+\)\W*,/\1/s'
@@ -177,7 +226,7 @@ TEST_CFLAGS=
 TEST_CPPFLAGS=-DTOR_UNIT_TESTS @TOR_MODULES_ALL_ENABLED@
 TEST_NETWORK_FLAGS=--hs-multi-client 1
 endif
-TEST_NETWORK_WARNING_FLAGS=--quiet --only-warnings
+TEST_NETWORK_SHOW_WARNINGS_FOR_LAST_RUN_FLAGS=--quiet --only-warnings
 
 if LIBFUZZER_ENABLED
 TEST_CFLAGS += -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-div
@@ -207,13 +256,24 @@ dist-rpm: dist-gzip
 	echo "RPM build finished";						\
 	#end of dist-rpm
 
-doxygen:
+.PHONY: doxygen
-	doxygen && cd doc/doxygen/latex && make
+doxygen: Doxyfile
+	mkdir -p doc/doxygen
+	(cd "$(top_srcdir)" && doxygen "$(abs_top_builddir)/Doxyfile")
 
 test: all
 	$(top_builddir)/src/test/test
 
-check-local: check-spaces check-changes check-includes
+shellcheck:
+	$(top_srcdir)/scripts/maint/checkShellScripts.sh
+
+check-local:					\
+	check-spaces				\
+	check-changes				\
+	check-includes				\
+	check-best-practices			\
+	shellcheck				\
+	check-cocci
 
 need-chutney-path:
 	@if test ! -d "$$CHUTNEY_PATH"; then \
@@ -233,12 +293,15 @@ test-network: need-chutney-path $(TESTING_TOR_BINARY) src/tools/tor-gencert
 	$(top_srcdir)/src/test/test-network.sh $(TEST_NETWORK_FLAGS)
 
 # Run all available tests using automake's test-driver
-# only run IPv6 tests if we can ping6 ::1 (localhost)
+#   - only run IPv6 tests if we can ping6 or ping -6 ::1 (localhost)
-# only run IPv6 tests if we can ping ::1 (localhost)
+#     we try the syntax for BSD ping6, Linux ping6, and Linux ping -6,
-# some IPv6 tests will fail without an IPv6 DNS server (see #16971 and #17011)
+#     because they're incompatible
-# only run mixed tests if we have a tor-stable binary
+#   - some IPv6 tests may fail without an IPv6 DNS server
-# Try the syntax for BSD ping6, Linux ping6, and Linux ping -6,
+#     (see #16971 and #17011)
-# because they're incompatible
+#   - only run mixed tests if we have a tor-stable binary
+#   - show tor warnings on the console after each network run
+#     (otherwise, warnings go to the logs, and people don't see them unless
+#     there is a network failure)
 test-network-all: need-chutney-path test-driver $(TESTING_TOR_BINARY) src/tools/tor-gencert
 	mkdir -p $(TEST_NETWORK_ALL_LOG_DIR)
 	rm -f $(TEST_NETWORK_ALL_LOG_DIR)/*.log $(TEST_NETWORK_ALL_LOG_DIR)/*.trs
@@ -262,7 +325,7 @@ test-network-all: need-chutney-path test-driver $(TESTING_TOR_BINARY) src/tools/
 	done; \
 	for f in $$flavors; do \
 		$(SHELL) $(top_srcdir)/test-driver --test-name $$f --log-file $(TEST_NETWORK_ALL_LOG_DIR)/$$f.log --trs-file $(TEST_NETWORK_ALL_LOG_DIR)/$$f.trs $(TEST_NETWORK_ALL_DRIVER_FLAGS) $(top_srcdir)/src/test/test-network.sh --flavor $$f $(TEST_NETWORK_FLAGS); \
-		$(top_srcdir)/src/test/test-network.sh $(TEST_NETWORK_WARNING_FLAGS); \
+		$(top_srcdir)/src/test/test-network.sh $(TEST_NETWORK_SHOW_WARNINGS_FOR_LAST_RUN_FLAGS); \
 	done; \
 	echo "Log and result files are available in $(TEST_NETWORK_ALL_LOG_DIR)."; \
 	! grep -q FAIL $(TEST_NETWORK_ALL_LOG_DIR)/*.trs
@@ -280,9 +343,19 @@ test-stem: need-stem-path $(TESTING_TOR_BINARY)
 test-stem-full: need-stem-path $(TESTING_TOR_BINARY)
 	@$(PYTHON) "$$STEM_SOURCE_DIR"/run_tests.py --tor "$(TESTING_TOR_BINARY)" --all --log notice --target RUN_ALL,ONLINE -v;
 
-test-full: need-stem-path need-chutney-path check test-network test-stem
+test-full:					\
+	need-stem-path				\
+	need-chutney-path			\
+	check					\
+	test-network				\
+	test-stem
 
-test-full-online: need-stem-path need-chutney-path check test-network test-stem-full
+test-full-online:				\
+	need-stem-path				\
+	need-chutney-path			\
+	check					\
+	test-network				\
+	test-stem-full
 
 # We can't delete the gcno files, because they are created when tor is compiled
 reset-gcov:
@@ -317,11 +390,12 @@ coverage-html-full: all
 	lcov --remove "$(HTML_COVER_DIR)/lcov.tmp" --rc lcov_branch_coverage=1 'test/*' 'ext/tinytest*' '/usr/*' --output-file "$(HTML_COVER_DIR)/lcov.info"
 	genhtml --branch-coverage -o "$(HTML_COVER_DIR)" "$(HTML_COVER_DIR)/lcov.info"
 
-# Avoid strlcpy.c, strlcat.c, aes.c, OpenBSD_malloc_Linux.c, sha256.c,
+# For scripts: avoid src/ext and src/trunnel.
-# tinytest*.[ch]
+# Keep these lists consistent:
-check-spaces:
+#   - OWNED_TOR_C_FILES in Makefile.am
-if USE_PERL
+#   - CHECK_FILES in pre-commit.git-hook and pre-push.git-hook
-	$(PERL) $(top_srcdir)/scripts/maint/checkSpace.pl -C \
+#   - try_parse in check_cocci_parse.sh
+OWNED_TOR_C_FILES=\
 		$(top_srcdir)/src/lib/*/*.[ch] \
 		$(top_srcdir)/src/core/*/*.[ch] \
 		$(top_srcdir)/src/feature/*/*.[ch] \
@@ -329,13 +403,29 @@ if USE_PERL
 		$(top_srcdir)/src/test/*.[ch] \
 		$(top_srcdir)/src/test/*/*.[ch] \
 		$(top_srcdir)/src/tools/*.[ch]
+
+check-spaces:
+if USE_PERL
+	$(PERL) $(top_srcdir)/scripts/maint/checkSpace.pl -C \
+		$(OWNED_TOR_C_FILES)
 endif
 
 check-includes:
 if USEPYTHON
-	$(PYTHON) $(top_srcdir)/scripts/maint/checkIncludes.py
+	$(PYTHON) $(top_srcdir)/scripts/maint/practracker/includes.py $(top_srcdir)
 endif
 
+check-best-practices:
+if USEPYTHON
+	@$(PYTHON) $(top_srcdir)/scripts/maint/practracker/practracker.py $(top_srcdir) $(TOR_PRACTRACKER_OPTIONS)
+endif
+
+check-cocci:
+	VERBOSE=1 $(top_srcdir)/scripts/coccinelle/check_cocci_parse.sh $(OWNED_TOR_C_FILES)
+
+practracker-regen:
+	$(PYTHON) $(top_srcdir)/scripts/maint/practracker/practracker.py --regen $(top_srcdir)
+
 check-docs: all
 	$(PERL) $(top_builddir)/scripts/maint/checkOptionDocs.pl
 
@@ -412,17 +502,17 @@ endif
 check-changes:
 if USEPYTHON
 	@if test -d "$(top_srcdir)/changes"; then \
-		$(PYTHON) $(top_srcdir)/scripts/maint/lintChanges.py $(top_srcdir)/changes; \
+		PACKAGE_VERSION=$(PACKAGE_VERSION) $(PYTHON) $(top_srcdir)/scripts/maint/lintChanges.py $(top_srcdir)/changes; \
 		fi
 endif
 
 .PHONY: update-versions
 update-versions:
-	$(PERL) $(top_builddir)/scripts/maint/updateVersions.pl
+	abs_top_srcdir="$(abs_top_srcdir)" $(PYTHON) $(top_srcdir)/scripts/maint/update_versions.py
 
 .PHONY: callgraph
 callgraph:
-	$(top_builddir)/scripts/maint/run_calltool.sh
+	cd $(top_builddir); $(abs_top_srcdir)/scripts/maint/run_calltool.sh
 
 version:
 	@echo "Tor @VERSION@"
@@ -431,6 +521,25 @@ version:
 	   (cd "$(top_srcdir)" && git rev-parse --short=16 HEAD); \
 	fi
 
+.PHONY: autostyle-ifdefs
+autostyle-ifdefs:
+	$(PYTHON) $(top_srcdir)/scripts/maint/annotate_ifdef_directives.py $(OWNED_TOR_C_FILES)
+
+.PHONY: autostyle-ifdefs
+autostyle-operators:
+	$(PERL) $(top_srcdir)/scripts/coccinelle/test-operator-cleanup $(OWNED_TOR_C_FILES)
+
+.PHONY: rectify-includes
+rectify-includes:
+	cd $(top_srcdir); $(PYTHON) $(abs_top_srcdir)/scripts/maint/rectify_include_paths.py
+
+.PHONY: update-copyright
+update-copyright:
+	$(PERL) $(top_srcdir)/scripts/maint/updateCopyright.pl $(OWNED_TOR_C_FILES)
+
+.PHONY: autostyle
+autostyle: update-versions rustfmt autostyle-ifdefs rectify-includes
+
 mostlyclean-local:
 	rm -f $(top_builddir)/src/*/*.gc{da,no} $(top_builddir)/src/*/*/*.gc{da,no}
 	rm -rf $(HTML_COVER_DIR)

autogen.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-if [ -x "`which autoreconf 2>/dev/null`" ] ; then
+if command -v autoreconf; then
   opt="-i -f -W all,error"
 
-  for i in $@; do
+  for i in "$@"; do
     case "$i" in
       -v)
         opt="${opt} -v"
@@ -11,6 +11,7 @@ if [ -x "`which autoreconf 2>/dev/null`" ] ; then
     esac
   done
 
+  # shellcheck disable=SC2086
   exec autoreconf $opt
 fi
 

changes/29241_diagnostic

@@ -1,4 +0,0 @@
-  o Minor features (NSS, diagnostic):
-    - Try to log an error from NSS (if there is any) and a more useful
-      description of our situation if we are using NSS and a call to
-      SSL_ExportKeyingMaterial() fails.  Diagnostic for ticket 29241.

changes/bug12399

@@ -1,3 +0,0 @@
-  o Minor bugfixes (logging):
-    - Change log level of message "Hash of session info was not as expected"
-      to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix on 0.1.1.10-alpha.

changes/bug13221

@@ -1,5 +0,0 @@
-  o Minor bugfixes (logging):
-    - Correct a misleading error message when IPv4Only or IPv6Only
-      is used but the resolved address can not be interpreted as an
-      address of the specified IP version.  Fixes bug 13221; bugfix
-      on 0.2.3.9-alpha.  Patch from Kris Katterjohn.

changes/bug22619

@@ -1,3 +0,0 @@
-  o Minor bugfixes (circuit isolation):
-    - Fix a logic error that prevented the SessionGroup sub-option from
-      being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha.

changes/bug23507

@@ -1,5 +0,0 @@
-  o Minor bugfixes (v3 single onion services):
-    - Make v3 single onion services fall back to a 3-hop intro, when there
-      all intro points are unreachable via a 1-hop path. Previously, v3
-      single onion services failed when all intro nodes were unreachable
-      via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.

changes/bug23818_v2

@@ -1,6 +0,0 @@
-  o Minor bugfixes (v2 single onion services):
-    - Always retry v2 single onion service intro and rend circuits with a
-      3-hop path. Previously, v2 single onion services used a 3-hop path
-      when rend circuits were retried after a remote or delayed failure,
-      but a 1-hop path for immediate retries. Fixes bug 23818;
-      bugfix on 0.2.9.3-alpha.

changes/bug23818_v3

@@ -1,6 +0,0 @@
-  o Minor bugfixes (v3 single onion services):
-    - Always retry v3 single onion service intro and rend circuits with a
-      3-hop path. Previously, v3 single onion services used a 3-hop path
-      when rend circuits were retried after a remote or delayed failure,
-      but a 1-hop path for immediate retries. Fixes bug 23818;
-      bugfix on 0.3.2.1-alpha.

changes/bug24661

@@ -1,3 +0,0 @@
-  o Minor bugfixes (client, guard selection):
-    - When Tor's consensus has expired, but is still reasonably live, use it
-      to select guards. Fixes bug 24661; bugfix on 0.3.0.1-alpha.

changes/bug27197

@@ -1,3 +0,0 @@
-  o Minor bugfixes (protover, rust):
-    - Reject extra commas in version string. Fixes bug 27197; bugfix on
-      0.3.3.3-alpha.

changes/bug27199

@@ -1,3 +0,0 @@
-  o Minor bugfixes (rust):
-    - Abort on panic in all build profiles, instead of potentially unwinding
-      into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha.

changes/bug27740

@@ -1,4 +0,0 @@
-  o Minor bugfixes (rust):
-    - Return a string that can be safely freed by C code, not one created by
-      the rust allocator, in protover_all_supported(). Fixes bug 27740; bugfix
-      on 0.3.3.1-alpha.

changes/bug27741

@@ -1,5 +0,0 @@
-  o Minor bugfixes (rust, directory authority):
-    - Fix an API mismatch in the rust implementation of
-      protover_compute_vote(). This bug could have caused crashes on any
-      directory authorities running Tor with Rust (which we do not yet
-      recommend). Fixes bug 27741; bugfix on 0.3.3.6.

changes/bug27750

@@ -1,6 +0,0 @@
-  o Minor bugfixes (connection, relay):
-    - Avoid a wrong BUG() stacktrace in case a closing connection is being held
-      open because the write side is rate limited but not the read side. Now,
-      the connection read side is simply shutdown instead of kept open until tor
-      is able to flush the connection and then fully close it. Fixes bug 27750;
-      bugfix on 0.3.4.1-alpha.

changes/bug27800

@@ -1,4 +0,0 @@
-  o Minor bugfixes (directory authority):
-    - Log additional info when we get a relay that shares an ed25519
-      ID with a different relay, instead making a BUG() warning.
-      Fixes bug 27800; bugfix on 0.3.2.1-alpha.

changes/bug27804

@@ -1,3 +0,0 @@
-  o Minor bugfixes (rust):
-    - Fix a potential null dereference in protover_all_supported().
-      Add a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.

changes/bug27841

@@ -1,7 +0,0 @@
-  o Minor bugfixes (onion services):
-    - On an intro point for a version 3 onion service, we do not close
-      an introduction circuit on an NACK. This lets the client decide
-      whether to reuse the circuit or discard it. Previously, we closed
-      intro circuits on NACKs. Fixes bug 27841; bugfix on 0.3.2.1-alpha.
-      Patch by Neel Chaunan
-

changes/bug27948

@@ -1,6 +0,0 @@
-  o Minor bugfixes (tests):
-    - Treat backtrace test failures as expected on BSD-derived systems
-      (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
-      (FreeBSD failures have been treated as expected since 18204 in 0.2.8.)
-      Fixes bug 27948; bugfix on 0.2.5.2-alpha.
-

changes/bug27963_timeradd

@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation, opensolaris):
-    - Add a missing include to compat_pthreads.c, to fix compilation
-      on OpenSolaris and its descendants. Fixes bug 27963; bugfix
-      on 0.3.5.1-alpha.

changes/bug27968

@@ -1,3 +0,0 @@
-  o Minor bugfixes (testing):
-    - Avoid hangs and race conditions in test_rebind.py.
-      Fixes bug 27968; bugfix on 0.3.5.1-alpha.

changes/bug28096

@@ -1,13 +0,0 @@
-  o Minor bugfixes (Windows):
-    - Correctly identify Windows 8.1, Windows 10, and Windows Server 2008
-      and later from their NT versions.
-      Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.
-    - On recent Windows versions, the GetVersionEx() function may report
-      an earlier Windows version than the running OS. To avoid user
-      confusion, add "[or later]" to Tor's version string on affected
-      versions of Windows.
-      Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.
-    - Remove Windows versions that were never supported by the
-      GetVersionEx() function. Stop duplicating the latest Windows
-      version in get_uname().
-      Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.

changes/bug28115

@@ -1,3 +0,0 @@
-  o Minor bugfixes (portability):
-    - Make the OPE code (which is used for v3 onion services) run correctly
-      on big-endian platforms. Fixes bug 28115; bugfix on 0.3.5.1-alpha.

changes/bug28127

@@ -1,7 +0,0 @@
-  o Minor bugfixes (onion services):
-    - Unless we have explicitly set HiddenServiceVersion, detect the onion
-      service version and then look for invalid options. Previously, we
-      did the reverse, but that broke existing configs which were pointed
-      to a v2 hidden service and had options like HiddenServiceAuthorizeClient
-      set Fixes bug 28127; bugfix on 0.3.5.1-alpha. Patch by Neel Chauhan.
-

changes/bug28183

@@ -1,4 +0,0 @@
-  o Minor bugfixes (Linux seccomp2 sandbox):
-    - Permit the "shutdown()" system call, which is apparently
-      used by OpenSSL under some circumstances. Fixes bug 28183;
-      bugfix on 0.2.5.1-alpha.

changes/bug28202

@@ -1,4 +0,0 @@
-  o Minor bugfixes (C correctness):
-    - Avoid undefined behavior in an end-of-string check when parsing the
-      BEGIN line in a directory object.  Fixes bug 28202; bugfix on
-      0.2.0.3-alpha.

changes/bug28245

@@ -1,6 +0,0 @@
-  o Major bugfixes (OpenSSL, portability):
-    - Fix our usage of named groups when running as a TLS 1.3 client in
-      OpenSSL 1.1.1. Previously, we only initialized EC groups when running
-      as a server, which caused clients to fail to negotiate TLS 1.3 with
-      relays. Fixes bug 28245; bugfix on 0.2.9.15 when TLS 1.3 support was
-      added.

changes/bug28298

@@ -1,4 +0,0 @@
-  o Minor bugfixes (configuration):
-    - Resume refusing to start with relative file paths and RunAsDaemon
-      set (regression from the fix for bug 22731). Fixes bug 28298;
-      bugfix on 0.3.3.1-alpha.

changes/bug28303

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Fix a pair of missing headers on OpenBSD. Fixes bug 28303;
-      bugfix on 0.3.5.1-alpha. Patch from  Kris Katterjohn.

changes/bug28348_034

@@ -1,5 +0,0 @@
-  o Major bugfixes (embedding, main loop):
-    - When DisableNetwork becomes set, actually disable periodic events that
-      are already enabled. (Previously, we would refrain from enabling new
-      ones, but we would leave the old ones turned on.)
-      Fixes bug 28348; bugfix on 0.3.4.1-alpha.

changes/bug28399

@@ -1,4 +0,0 @@
-  o Minor bugfixes (continuous integration, Windows):
-    - Stop using an external OpenSSL install, and stop installing MSYS2
-      packages, when building using mingw on Appveyor Windows CI.
-      Fixes bug 28399; bugfix on 0.3.4.1-alpha.

changes/bug28413

@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Initialize a variable in aes_new_cipher(), since some compilers
-      cannot tell that we always initialize it before use. Fixes bug 28413;
-      bugfix on 0.2.9.3-alpha.

changes/bug28419

@@ -1,3 +0,0 @@
-  o Minor bugfixes (memory leaks):
-    - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419;
-      bugfix on 0.3.3.1-alpha.  Patch from Martin Kepplinger.

changes/bug28435

@@ -1,3 +0,0 @@
-  o Minor bugfixes (documentation):
-    - Make Doxygen work again after the 0.3.5 source tree moves.
-      Fixes bug 28435; bugfix on 0.3.5.1-alpha.

changes/bug28441

@@ -1,4 +0,0 @@
-  o Minor bugfixes (logging):
-    - Stop talking about the Named flag in log messages. Clients have
-      ignored the Named flag since 0.3.2. Fixes bug 28441;
-      bugfix on 0.3.2.1-alpha.

changes/bug28454

@@ -1,4 +0,0 @@
-  o Minor bugfixes (continuous integration, Windows):
-    - Manually configure the zstd compiler options, when building using
-      mingw on Appveyor Windows CI. The MSYS2 mingw zstd package does not
-      come with a pkg-config file. Fixes bug 28454; bugfix on 0.3.4.1-alpha.

changes/bug28485

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Add missing dependency on libgdi32.dll for tor-print-ed-signing-cert.exe
-      on Windows. Fixes bug 28485; bugfix on 0.3.5.1-alpha.

changes/bug28524

@@ -1,4 +0,0 @@
-  o Minor bugfixes (restart-in-process, boostrap):
-    - Add missing resets of bootstrap tracking state when shutting
-      down (regression caused by ticket 27169).  Fixes bug 28524;
-      bugfix on 0.3.5.1-alpha.

changes/bug28525

@@ -1,7 +0,0 @@
-  o Minor features (address selection):
-    - Make Tor aware of the RFC 6598 (Carrier Grade NAT) IP range, which is the
-      subnet 100.64.0.0/10. This is deployed by many ISPs as an alternative to
-      RFC 1918 that does not break existing internal networks. This patch fixes
-      security issues caused by RFC 6518 by blocking control ports on these
-      addresses and warns users if client ports or ExtORPorts are listening on
-      a RFC 6598 address. Closes ticket 28525. Patch by Neel Chauhan.

changes/bug28554

@@ -1,3 +0,0 @@
-  o Minor bugfixes (unit tests, guard selection):
-    - Stop leaking memory in an entry guard unit test. Fixes bug 28554;
-      bugfix on 0.3.0.1-alpha.

changes/bug28562

@@ -1,5 +0,0 @@
-  o Minor bugfixes (testing):
-    - Use a separate DataDirectory for the test_rebind script.
-      Previously, this script would run using the default DataDirectory,
-      and sometimes fail. Fixes bug 28562; bugfix on 0.3.5.1-alpha.
-      Patch from Taylor R Campbell.

changes/bug28568

@@ -1,4 +0,0 @@
-  o Minor bugfixes (testing):
-    - Stop running stem's unit tests as part of "make test-stem". But continue
-      to run stem's unit and online tests during "make test-stem-full".
-      Fixes bug 28568; bugfix on 0.2.6.3-alpha.

changes/bug28569

@@ -1,3 +0,0 @@
-  o Minor bugfixes (unit tests, directory clients):
-    - Mark outdated dirservers when Tor only has a reasonably live consensus.
-      Fixes bug 28569; bugfix on 0.3.2.5-alpha.

changes/bug28612

@@ -1,4 +0,0 @@
-  o Minor bugfixes (windows services):
-    - Make Tor start correctly as an NT service again: previously it
-      was broken by refactoring.  Fixes bug 28612; bugfix on 0.3.5.3-alpha.
-      

changes/bug28619

@@ -1,6 +0,0 @@
-  o Minor bugfixes (hidden service v3):
-    - When deleting an ephemeral onion service (DEL_ONION), do not close any
-      rendezvous circuits in order to let the existing client connections
-      finish by themselves or closed by the application. The HS v2 is doing
-      that already so now we have the same behavior for all versions. Fixes
-      bug 28619; bugfix on 0.3.3.1-alpha.

changes/bug28656

@@ -1,3 +0,0 @@
-  o Minor bugfixes (logging):
-    - Stop logging a BUG() warning when tor is waiting for exit descriptors.
-      Fixes bug 28656; bugfix on 0.3.5.1-alpha.

changes/bug28698

@@ -1,3 +0,0 @@
-  o Minor bugfix (logging):
-    - Avoid logging about relaxing circuits when their time is fixed.
-      Fixes bug 28698; bugfix on 0.2.4.7-alpha

changes/bug28895

@@ -1,5 +0,0 @@
-  o Minor bugfixes (usability):
-    - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate()
-      as that confusingly suggests that mentioned guard node is under control
-      and responsibility of end user, which it is not. Fixes bug 28895;
-      bugfix on Tor 0.3.0.1-alpha.

changes/bug28920

@@ -1,6 +0,0 @@
-  o Minor bugfixes (logging):
-    - Rework rep_hist_log_link_protocol_counts() to iterate through all link
-      protocol versions when logging incoming/outgoing connection counts. Tor
-      no longer skips version 5 and we don't have to remember to update this
-      function when new link protocol version is developed. Fixes bug 28920;
-      bugfix on 0.2.6.10.

changes/bug28938

@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Fix missing headers required for proper detection of
-      OpenBSD.  Fixes bug 28938; bugfix on 0.3.5.1-alpha.
-      Patch from Kris Katterjohn.

changes/bug28974

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Fix compilation for Android by adding a missing header to
-      freespace.c.  Fixes bug 28974; bugfix on 0.3.5.1-alpha.

changes/bug28979

@@ -1,4 +0,0 @@
-  o Minor bugfixes (documentation):
-    - Describe the contents of the v3 onion service client authorization
-      files correctly: They hold public keys, not private keys. Fixes bug
-      28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".

changes/bug28981

@@ -1,5 +0,0 @@
-  o Minor bugfixes (misc):
-    - The amount of total available physical memory is now determined
-      using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM)
-      when it is defined and a 64-bit variant is not available.  Fixes
-      bug 28981; bugfix on 0.2.5.4-alpha.  Patch from Kris Katterjohn.

changes/bug28995

@@ -1,5 +0,0 @@
-  o Minor bugfix (IPv6):
-    Fix tor_ersatz_socketpair on IPv6-only systems.  Previously,
-    the IPv6 socket was bound using an address family of AF_INET
-    instead of AF_INET6.  Fixes bug 28995; bugfix on 0.3.5.1-alpha.
-    Patch from Kris Katterjohn.

changes/bug29017

@@ -1,4 +0,0 @@
-  o Minor bugfixes (stats):
-    - When ExtraInfoStatistics is 0, stop including PaddingStatistics in
-      relay and bridge extra-info documents. Fixes bug 29017;
-      bugfix on 0.3.1.1-alpha.

changes/bug29029

@@ -1,5 +0,0 @@
-  o Minor bugfixes (logging, onion services):
-    - Stop logging "Tried to establish rendezvous on non-OR circuit..." as
-      a warning. Instead, log it as a protocol warning, because there is
-      nothing that relay operators can do to fix it. Fixes bug 29029;
-      bugfix on 0.2.5.7-rc.

changes/bug29034

@@ -1,5 +0,0 @@
-  o Major bugfixes (Onion service reachability):
-    - Properly clean up the introduction point map when circuits change purpose
-      from onion service circuits to pathbias, measurement, or other circuit types.
-      This should fix some service-side instances of introduction point failure.
-      Fixes bug 29034; bugfix on 0.3.2.1-alpha.

changes/bug29036

@@ -1,5 +0,0 @@
-  o Minor bugfix (continuous integration):
-    - Reset coverage state on disk after Travis CI has finished. This is being
-      done to prevent future gcda file merge errors which causes the test suite
-      for the process subsystem to fail. The process subsystem was introduced
-      in 0.4.0.1-alpha. Fixes bug 29036; bugfix on 0.2.9.15.

changes/bug29040

@@ -1,4 +0,0 @@
-  o Minor bugfixes (onion services):
-    - Avoid crashing if ClientOnionAuthDir (incorrectly) contains
-      more than one private key for a hidden service. Fixes bug 29040;
-      bugfix on 0.3.5.1-alpha.

changes/bug29042

@@ -1,5 +0,0 @@
-  o Minor bugfixes (logging):
-    - Log more information at "warning" level when unable to read a private
-      key; log more information ad "info" level when unable to read a public
-      key. We had warnings here before, but they were lost during our
-      NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha.

changes/bug29135

@@ -1,5 +0,0 @@
-  o Minor bugfixes (onion services, logging):
-    - In hs_cache_store_as_client() log an HSDesc we failed to parse at Debug
-      loglevel. Tor used to log it at Warning loglevel, which caused
-      very long log lines to appear for some users. Fixes bug 29135; bugfix on
-      0.3.2.1-alpha.

changes/bug29144

@@ -1,5 +0,0 @@
-  o Minor bugfixes (logging):
-    - Log the correct port number for listening sockets when "auto" is
-      used to let Tor pick the port number.  Previously, port 0 was
-      logged instead of the actual port number.  Fixes bug 29144;
-      bugfix on 0.3.5.1-alpha.  Patch from Kris Katterjohn.

changes/bug29145

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation, testing):
-    - Silence a compiler warning in test-memwipe.c on OpenBSD.  Fixes
-      bug 29145; bugfix on 0.2.9.3-alpha.  Patch from Kris Katterjohn.

changes/bug29161

@@ -1,3 +0,0 @@
-  o Minor bugfixes (tests):
-    - Detect and suppress "bug" warnings from the util/time test on Windows.
-      Fixes bug 29161; bugfix on 0.2.9.3-alpha.

changes/bug29175_035

@@ -1,4 +0,0 @@
-  o Major bugfixes (networking):
-    - Gracefully handle empty username/password fields in SOCKS5
-      username/password auth messsage and allow SOCKS5 handshake to
-      continue. Fixes bug 29175; bugfix on 0.3.5.1-alpha.

changes/bug29241

@@ -1,6 +0,0 @@
-  o Major bugfixes (NSS, relay):
-    - When running with NSS, disable TLS 1.2 ciphersuites that use SHA384
-      for their PRF. Due to an NSS bug, the TLS key exporters for these
-      ciphersuites don't work -- which caused relays to fail to handshake
-      with one another when these ciphersuites were enabled.
-      Fixes bug 29241; bugfix on 0.3.5.1-alpha.

changes/bug29244

@@ -1,4 +0,0 @@
-  o Minor bugfixes (build, compatibility):
-    - Update Cargo.lock file to match the version made by the latest
-      version of Rust, so that "make distcheck" will pass again.
-      Fixes bug 29244; bugfix on 0.3.3.4-alpha.

changes/bug29530_035

@@ -1,5 +0,0 @@
-  o Minor bugfixes (testing):
-    - Downgrade some LOG_ERR messages in the address/* tests to warnings.
-      The LOG_ERR messages were occurring when we had no configured network.
-      We were failing the unit tests, because we backported 28668 to 0.3.5.8,
-      but did not backport 29530. Fixes bug 29530; bugfix on 0.3.5.8.

changes/bug29599

@@ -1,3 +0,0 @@
-  o Minor bugfixes (memory management, testing):
-    - Stop leaking parts of the shared random state in the shared-random unit
-      tests. Fixes bug 29599; bugfix on 0.2.9.1-alpha.

changes/bug29601

@@ -1,6 +0,0 @@
-  o Minor bugfixes (Windows, CI):
-    - Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit Windows
-      Server 2012 R2 job. The remaining 2 jobs still provide coverage of
-      64/32-bit, and Windows Server 2016/2012 R2. Also set fast_finish, so
-      failed jobs terminate the build immediately.
-      Fixes bug 29601; bugfix on 0.3.5.4-alpha.

changes/bug29665

@@ -1,7 +0,0 @@
-  o Minor bugfixes (single onion services):
-    - Allow connections to single onion services to remain idle without
-      being disconnected. Relays acting as rendezvous points for
-      single onion services were mistakenly closing idle established
-      rendezvous circuits after 60 seconds, thinking that they are unused
-      directory-fetching circuits that had served their purpose. Fixes
-      bug 29665; bugfix on 0.2.1.26.

changes/bug29670

@@ -1,4 +0,0 @@
-  o Minor bugfixes (configuration, proxies):
-    - Fix a bug that prevented us from supporting SOCKS5 proxies that want
-      authentication along with configued (but unused!)
-      ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha.

changes/bug29703

@@ -1,4 +0,0 @@
-  o Minor bugfixes (testing):
-    - Backport the 0.3.4 src/test/test-network.sh to 0.2.9.
-      We need a recent test-network.sh to use new chutney features in CI.
-      Fixes bug 29703; bugfix on 0.2.9.1-alpha.

changes/bug29706_minimal

@@ -1,4 +0,0 @@
-  o Minor bugfixes (memory management, testing):
-    - Stop leaking parts of the shared random state in the shared-random unit
-      tests. The previous fix in 29599 was incomplete.
-      Fixes bug 29706; bugfix on 0.2.9.1-alpha.

changes/bug29819

@@ -1,8 +0,0 @@
-  o Minor bugfixes (linux seccomp sandbox):
-    - Correct how we use libseccomp. Particularly, stop assuming that
-      rules are applied in a particular order or that more rules are
-      processed after the first match. Neither is the case! In libseccomp
-      <2.4.0 this lead to some rules having no effect. Libseccomp 2.4.0
-      changed how rules are generated leading to a different ordering
-      which in turn lead to a fatal crash during startup. Fixes bug
-      29819; bugfix on 0.2.5.1-alpha. Patch by Peter Gerber.

changes/bug29875

@@ -1,11 +0,0 @@
-  o Major bugfixes (bridges):
-    - Do not count previously configured working bridges towards our total of
-      working bridges. Previously, when Tor's list of bridges changed, it
-      would think that the old bridges were still usable, and delay fetching
-      router descriptors for the new ones.  Fixes part of bug 29875; bugfix
-      on 0.3.0.1-alpha.
-    - Consider our directory information to have changed when our list of
-      bridges changes. Previously, Tor would not re-compute the status of its
-      directory information when bridges changed, and therefore would not
-      realize that it was no longer able to build circuits. Fixes part of bug
-      29875.

changes/bug29922

@@ -1,4 +0,0 @@
-  o Minor bugfixes (testing, windows):
-    - Fix a test failure caused by an unexpected bug warning in
-      our test for tor_gmtime_r(-1). Fixes bug 29922;
-      bugfix on 0.2.9.3-alpha.

changes/bug30011

@@ -1,4 +0,0 @@
-  o Minor bugfixes (CI):
-    - Terminate test-stem if it takes more than 9.5 minutes to run.
-      (Travis terminates the job after 10 minutes of no output.)
-      Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha.

changes/bug30021

@@ -1,8 +0,0 @@
-  o Minor bugfixes (TLS protocol, integration tests):
-    - When classifying a client's selection of TLS ciphers, if the client
-      ciphers are not yet available, do not cache the result. Previously,
-      we had cached the unavailability of the cipher list and never looked
-      again, which in turn led us to assume that the client only supported
-      the ancient V1 link protocol.  This, in turn, was causing Stem
-      integration tests to stall in some cases.
-      Fixes bug 30021; bugfix on 0.2.4.8-alpha.

changes/bug30040

@@ -1,9 +0,0 @@
-  o Minor bugfixes (security):
-    - Fix a potential double free bug when reading huge bandwidth files. The
-      issue is not exploitable in the current Tor network because the
-      vulnerable code is only reached when directory authorities read bandwidth
-      files, but bandwidth files come from a trusted source (usually the
-      authorities themselves). Furthermore, the issue is only exploitable in
-      rare (non-POSIX) 32-bit architectures which are not used by any of the
-      current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found
-      and fixed by Tobias Stoeckmann.

changes/bug30041

@@ -1,5 +0,0 @@
-  o Minor bugfixes (hardening):
-    - Verify in more places that we are not about to create a buffer
-      with more than INT_MAX bytes, to avoid possible OOB access in the event
-      of bugs.  Fixes bug 30041; bugfix on 0.2.0.16.  Found and fixed by
-      Tobias Stoeckmann.

changes/bug30148

@@ -1,4 +0,0 @@
-  o Minor bugfixes (memory leak):
-    - Avoid a minor memory leak that could occur on relays when
-      creating a keys directory failed. Fixes bug 30148; bugfix on
-      0.3.3.1-alpha.

changes/bug30189

@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation, unusual configuration):
-    - Avoid failures when building with ALL_BUGS_ARE_FAILED due to
-      missing declarations of abort(), and prevent other such failures
-      in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha.

changes/bug30190

@@ -1,3 +0,0 @@
-  o Minor bugfixes (lib):
-    do not log a warning for OpenSSL versions that should be compatible
-    Fixes bug 30190; bugfix on 0.2.4.2-alpha

changes/bug30316

@@ -1,4 +0,0 @@
-  o Minor bugfixes (directory authority):
-    - Move the "bandwidth-file-headers" line in directory authority votes
-      so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix on
-      0.3.5.1-alpha.

changes/bug30344

@@ -1,4 +0,0 @@
-  o Minor bugfixes (connection):
-    - Avoid reading data from closed connections, which can cause needless
-      loops in libevent and infinite loops in Shadow. Fixes bug 30344; bugfix
-      on 0.1.1.1-alpha.

changes/bug30452

@@ -1,3 +0,0 @@
-  o Minor features (compile-time modules):
-    - Add a --list-modules command to print a list of which compile-time
-      modules are enabled. Closes ticket 30452.

changes/bug30475

@@ -1,4 +0,0 @@
-  o Minor bugfixes ():
-    - Avoid a GCC 9.1.1 warning (and possible crash depending on libc
-      implemenation) when failing to load a hidden service client authorization
-      file.  Fixes bug 30475; bugfix on 0.3.5.1-alpha.

changes/bug30561

@@ -1,6 +0,0 @@
-  o Minor bugfixes (portability):
-    - Avoid crashing in our tor_vasprintf() implementation on systems that
-      define neither vasprintf() nor _vscprintf(). (This bug has been here
-      long enough that we question whether people are running Tor on such
-      systems, but we're applying the fix out of caution.) Fixes bug 30561;
-      bugfix on 0.2.8.2-alpha. Found and fixed by Tobias Stoeckmann.

changes/bug30713

@@ -1,5 +0,0 @@
-  o Minor bugfixes (testing):
-    - Skip test_rebind when the TOR_SKIP_TEST_REBIND environmental variable is
-      set. Fixes bug 30713; bugfix on 0.3.5.1-alpha.
-    - Skip test_rebind on macOS in Travis, because it is unreliable on
-      macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha.

changes/bug30744

@@ -1,3 +0,0 @@
-  o Minor bugfixes (continuous integration):
-    - Allow the test-stem job to fail in Travis, because it sometimes hangs.
-      Fixes bug 30744; bugfix on 0.3.5.4-alpha.

changes/bug30781

@@ -1,4 +0,0 @@
-  o Minor bugfixes (directory authorities):
-    - Stop crashing after parsing an unknown descriptor purpose annotation.
-      We think this bug can only be triggered by modifying a local file.
-      Fixes bug 30781; bugfix on 0.2.0.8-alpha.