Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x86_64-unknown-linux-gnux32 no longer works with 0.4.5 #311

Closed
trinity-1686a opened this issue Jun 27, 2024 · 1 comment · Fixed by #312
Closed

x86_64-unknown-linux-gnux32 no longer works with 0.4.5 #311

trinity-1686a opened this issue Jun 27, 2024 · 1 comment · Fixed by #312

Comments

@trinity-1686a
Copy link

x86_64-unknown-linux-gnux32 compiled fine with 0.4.4, but no longer does 0.4.5.

I don't actually use that target, but it happened to be in our CI, so i'm letting you know.

error[E0308]: arguments to this function are incorrect
  --> src/biguint/addition.rs:52:17
   |
52 |         carry = adc(carry, *a, *b, a);
   |                 ^^^        --  --  - expected `&mut u64`, found `&mut u32`
   |                            |   |
   |                            |   expected `u64`, found `u32`
   |                            expected `u64`, found `u32`
   |
   = note: expected mutable reference `&mut u64`
              found mutable reference `&mut u32`
note: function defined here
  --> src/biguint/addition.rs:13:4
   |
13 | fn adc(carry: u8, a: u64, b: u64, out: &mut u64) -> u8 {
   |    ^^^ ---------  ------  ------  -------------
help: you can convert a `u32` to a `u64`
   |
52 |         carry = adc(carry, (*a).into(), *b, a);
   |                            +  ++++++++
help: you can convert a `u32` to a `u64`
   |
52 |         carry = adc(carry, *a, (*b).into(), a);
   |                                +  ++++++++

error[E0308]: arguments to this function are incorrect
  --> src/biguint/addition.rs:57:21
   |
57 |             carry = adc(carry, *a, 0, a);
   |                     ^^^        --     - expected `&mut u64`, found `&mut u32`
   |                                |
   |                                expected `u64`, found `u32`
   |
   = note: expected mutable reference `&mut u64`
              found mutable reference `&mut u32`
note: function defined here
  --> src/biguint/addition.rs:13:4
   |
13 | fn adc(carry: u8, a: u64, b: u64, out: &mut u64) -> u8 {
   |    ^^^ ---------  ------  ------  -------------
help: you can convert a `u32` to a `u64`
   |
57 |             carry = adc(carry, (*a).into(), 0, a);
   |                                +  ++++++++

warning: formatting may not be suitable for sub-register argument
  --> src/biguint/division.rs:48:18
   |
48 |             "div {}",
   |                  ^^
49 |             in(reg) divisor,
   |                     ------- for this argument
   |
   = help: use `{0:e}` to have the register formatted as `eax` (for 32-bit values)
   = help: or use `{0:r}` to keep the default formatting of `rax` (for 64-bit values)
   = note: `#[warn(asm_sub_register)]` on by default

error[E0308]: arguments to this function are incorrect
  --> src/biguint/subtraction.rs:48:18
   |
48 |         borrow = sbb(borrow, *a, *b, a);
   |                  ^^^         --  --  - expected `&mut u64`, found `&mut u32`
   |                              |   |
   |                              |   expected `u64`, found `u32`
   |                              expected `u64`, found `u32`
   |
   = note: expected mutable reference `&mut u64`
              found mutable reference `&mut u32`
note: function defined here
  --> src/biguint/subtraction.rs:13:4
   |
13 | fn sbb(borrow: u8, a: u64, b: u64, out: &mut u64) -> u8 {
   |    ^^^ ----------  ------  ------  -------------
help: you can convert a `u32` to a `u64`
   |
48 |         borrow = sbb(borrow, (*a).into(), *b, a);
   |                              +  ++++++++
help: you can convert a `u32` to a `u64`
   |
48 |         borrow = sbb(borrow, *a, (*b).into(), a);
   |                                  +  ++++++++

error[E0308]: arguments to this function are incorrect
  --> src/biguint/subtraction.rs:53:22
   |
53 |             borrow = sbb(borrow, *a, 0, a);
   |                      ^^^         --     - expected `&mut u64`, found `&mut u32`
   |                                  |
   |                                  expected `u64`, found `u32`
   |
   = note: expected mutable reference `&mut u64`
              found mutable reference `&mut u32`
note: function defined here
  --> src/biguint/subtraction.rs:13:4
   |
13 | fn sbb(borrow: u8, a: u64, b: u64, out: &mut u64) -> u8 {
   |    ^^^ ----------  ------  ------  -------------
help: you can convert a `u32` to a `u64`
   |
53 |             borrow = sbb(borrow, (*a).into(), 0, a);
   |                                  +  ++++++++

error[E0308]: arguments to this function are incorrect
  --> src/biguint/subtraction.rs:75:18
   |
75 |         borrow = sbb(borrow, *ai, *bi, bi);
   |                  ^^^         ---  ---  -- expected `&mut u64`, found `&mut u32`
   |                              |    |
   |                              |    expected `u64`, found `u32`
   |                              expected `u64`, found `u32`
   |
   = note: expected mutable reference `&mut u64`
              found mutable reference `&mut u32`
note: function defined here
  --> src/biguint/subtraction.rs:13:4
   |
13 | fn sbb(borrow: u8, a: u64, b: u64, out: &mut u64) -> u8 {
   |    ^^^ ----------  ------  ------  -------------
help: you can convert a `u32` to a `u64`
   |
75 |         borrow = sbb(borrow, (*ai).into(), *bi, bi);
   |                              +   ++++++++
help: you can convert a `u32` to a `u64`
   |
75 |         borrow = sbb(borrow, *ai, (*bi).into(), bi);
   |                                   +   ++++++++

For more information about this error, try `rustc --explain E0308`.
warning: `num-bigint` (lib) generated 1 warning
error: could not compile `num-bigint` (lib) due to 5 previous errors; 1 warning emitted
@cuviper
Copy link
Member

cuviper commented Jun 27, 2024

I see, #300 made a bad assumption that "x86_64" always uses 64-bit digits, when we actually follow target_pointer_width. It might actually be desirable for x32 to use 64-bit digits, since it does have 64-bit ALU, but for the time being I'll just fix up these add/sub cfgs.

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Nov 1, 2024
# Arti 1.3.0 - 31 October 2024

Arti 1.3.0 is a significant milestone: we have achieved parity on most
major client features with C Tor.  The last big security feature needed for
Onion Services (resistance to out-of-memory DoS) landed in this release.
And, in Arti client 1.3.0, connecting to `.onion` domains is enabled by
default.

Much other major work is taking place, too!  We have continued our work on
Arti Relay.  The work-in-progress RPC system is significantly more clearly
defined and implementation is proceeding.

### Breaking changes

 * **Reject (managed) pluggable transport on non-localhost address:** If a
   pluggable transport we spawn tells us it is listening on a non-localhost
   address, reject that transport, since this is almost certainly a
   security risk.  (The goal is to detect buggy PTs.  We aren't aware of
   any such PTs.)  ([!2454], [#1636])

 * **API:** Several methods (mostly in `tor-chanmgr` and `tor-proto`)
   take new memory quota tracking arguments.  If memory tracking is not
   required, you can create a no-op memory quota account with
   `SpecificAccount::new_noop()` or `Account::new_noop().

 * **API:** New API for `tor-socksproto`, which is more robust and avoids
   many kinds of misuse, including bugs like TROVE-2024-010.  The old
   `.handshake` method still available, but deprecated, and now part of the
   new `Handshake` trait.  ([#1590], [#1627], [#1592], [!2436])

 * **API:** Many places where a `SleepProvider` bound was used now also
   require `CoarseTimeProvider`.  In-tree `SleepProvider`s all implement
   `CoarseTimeProvider`, so for most callers this can be fixed by
   propagating the bounds.  ([!2482])

 * **cargo features:** Some cargo features of lower-layer crates are no
   longer enabled by implication by higher-layer crates.  External callers
   may need to add feature requesgts to `Cargo.toml`s.  ([!2498])

### Major new features

 * **Support memory quota tracking.**  (Feature compiled in by default.)
   Specifically: Arti can now try to limit the amount of memory it uses for
   data that might be originated by untrusted parties.  This is currently
   useful as DoS resistance measure for Hidden Services (`.onion`
   services).  To actually enable this, a specific limit must be imposed in
   the `[system]` section of of the Arti configuration.  ([!2459], [!2461],
   [!2484], [!2493], [!2508], [!2509], [!2518], [!2531], [!2536], [!2537], [!2545],
   [!2555], [!2560], [!2569], [#1682], [#351])
 * **Enabled connecting to `.onion` addresses (Hidden Services) by
   default,** by making `allow_onion_addrs` default to `true` in the
   configuration.  (This is appropriate now that we have Vanguard support.)
   [#1402], [!2506])

### Bugfixes

 * Fixed the build of `arti-client` with just the features `experimental-api`
   and `onion-service-client` enabled.  ([!2457], [#1638])
 * Fixed the build on FreeBSD.  ([!2533], [#1686])
 * Fixed the build on NetBSD.  ([!2540], [rust-pwd-grp#4], [rust-pwd-grp!25])
 * Fixed config file watching (file notifier) on non-Windows platforms
   without inotify.  ([!2547], [#1644], [notify-rs#644])
 * Fixed a bug that rendered Arti unable to connect to the Tor network
   when built with certain library combinations.
   This could occur
   when an out-of-tree user of the Arti libraries ends up enabling
   `time-rs`'s `large-dates` cargo feature, by replacing `simple_asn1`
   dependency with `der-parser` in `tor-llcrypto`.  ([!2462], [#1632],
   [simple_asn1#34], [simple_asn1!35], [time-rs#683])
 * Fixed the logging of backtraces, when an internal error occurs.
   (Bug first appeared in Arti 1.2.7.)  [!2588], [#1713])
 * Removed a false claim that we don't support pluggable transports.  ([!2507])
 * Documented the `vanguards` cargo feature flag.  ([!2507])

### Other user-facing improvements

 * Warn if we're configured to listen for SOCKS or DNS queries on a
   non-localhost address, or if we're configured to use an
   externally-managed pluggable transport with a non-localhost address,
   These are very questionable configurations, but there may be unusual
   situations where this is a sensible setup.  ([!2454], [#1636])
 * Use new "restricted discovery" terminology throughout (for Hidden
   Services, aka `.onion` services), replacing previous (misleading)
   "client authorization".  ([!2495], [#1476])
 * Experimental ability to read private keys from C Tor's on-disk keystore.
   ([!2481], [!2514])
 * Experimental proof-of-work client-side support for Hidden Services
   (`.onion` services).  ([!2486], [!2026])

### New library and API features

 * Added `general::SocketAddr` type for unifying IP and AF\_UNIX (and
   potentially other) sockets.  ([!2519], [#1681], [!2553], [!2554], [#1701],
   [!2592])
 * Added type-erased `DynTimeProvider` in `tor-rtcompat`.  ([!2460], [!2500])
 * Added `SinkTrySend` and `SinkCloseChannel` traits, making the
   functionality of `mpsc::Sender::try_send` and `::close` available as a
   trait method and implementable for other types.  ([!2468], [!2485], [!2490])
 * Added `SometimesUnboundedSink::as_inner` method.  ([!2483])
 * Guarantee that `Slug`s will never contain colons (`:`), and explain why.
   ([!2576])
 * Moved `tor-config`'s `path` module to a new crate `tor-config-path`.
   ([!2590])
 * Added `default-runtime` feature in `arti`, to simplify building without
   default features.  ([!2551])

### Relay development

 * Support multiple channels for a single relay ID.  ([!2442], [#1633])
 * Improved channel selection code.  ([!2477], [#1602], [!2544])
 * Much other cleanup and refactoring in `tor-chanmgr`.  ([!2523], [!2538],
   [#1654], [!2566])
 * Made `arti-relay` be a binary crate only, for now at least, and abolish
   the `relay` subcommand of the main `arti` CLI.  ([!2525], [#1674], [!2542])

### RPC system development

 * Reorganised RPC documentation; soon it will be a mdbook.  ([!2581])
 * Improved documentation for writing RPC callers, including a new Python
   tool to build RPC method and type documentation.  ([!2479], [!2489]
   [!2574])
 * Finalised specifications for how RPC clients should find the Arti RPC
   server, how the server should decide where to listen, and how
   authentication will be done.  ([!2439], [!2440], [!2439], [#1521], [!2563],
   [#1702], [!2582], [#1711])
 * Finalised specifications for version compatibility (interworking of
   newer/older Arti with newer/older RPC clients).  ([!2475], [#1634], [!2510],
   [#1665], [!2511], [#1662], [!2512])
 * Improvements to error handling, especially in the client library.
   ([!2556])
 * Improved and clarified objectid/isolation rules in SOCKS interaction.
   ([!2474], [torspec!292], [proposal 351], [socks-extensions.md])
 * Clarified (and weakened) guarantees provided on request cancellation.
   ([!2564], [#818])
 * Changed `release` method to be a method on the object itself.  ([!2573],
   [#1663])
 * Other specification fixes/improvements.  ([#1678], [!2539])
 * Fixed the shared library extension on OSX and Windows.  ([!2469])
 * Removed the `Echo` testing/demo method.  ([!2549], [#1525])
 * Started a Python client API, and adopted it for some integration
   tests.  ([!2515], [#1295], [!2567])
 * Reduced the dependencies of the client library.  ([!2522], [!2524])
 * Internal cleanups.  ([!2456], [#1587], [!2558])

### Documentation

 * Clarified `launch_onion_service_with_hsid()`.  ([!2494], [#1626])
 * Use new "circuit stem" terminology.  ([#1479], [!2410])
 * Added missing docs for `keypair_specifier`.  ([!2532])

### Testing

 * Much better testing for the CircMgr.  ([!2444], [!2513])
 * Fixed the flaky `circuit::test::accept_valid_sendme` CI test.  ([!2501])
 * Added more miri tests.  ([!2502])
 * Avoid writing `_ => panic!()` even in tests.  ([!2534])
 * Allow more precise testing of conditional compilation which affects the
   configuration reader.  ([!2561])
 * Updated to the latest version of Shadow.  ([!2585], [shadow!3428], [!2587])
 * Include more output from Shadow in CI artifacts.  ([!2586])
 * Pin the version of Chutney used in Shadow tests to make arti.git CI more
   hermetic.  ([!2596])

### Cleanups and housekeeping

 * Updated the list of fallback directories. Clients use these to fetch
   directory information when they have no cached directory or guard
   nodes.  ([!2589])
 * Updated some previous entries in `CHANGELOG.md` to more fully document
   changes in `tor-circmgr` 0.23.0.
 * Now we run a typechecker, linter, and autoformatter, on all our Python
   scripts (and fix the issues identified).  ([!2476], [!2578], [!2579],
   [#1689], [!2584])
 * Minor cleanups and reformatting in `tor-key-forge`.  ([!2552])
 * Commented out (temporarily) ill-shaped `RelaySigningKeySpecifier`.  ([!2527])
 * Reduced the number of "unused" warnings arising from conditional
   compilation (eg, cargo features).  ([!2431], [!2463], [#1645], [!2551])
 * In `Cargo.toml`, avoid updating to a `typed-index-collections` which
   would break our MSRV by requiring Rust 1.81.  ([!2471], [#1647])
 * Tidied up the sealing of a pair of traits.  ([!2472])
 * Use `{u64,usize}::div_ceil` where applicable.  ([!2473])
 * Now we avoid some warnings about certain elided lifetimes.  ([!2478], [!2575])
 * Fixed docs-rs cargo feature decorations on certain items.  ([!2487])
 * Forbid hard tabs (in most files) in tree.  ([!2488])
 * Fixed `no_default_features = true` typo in many `Cargo.toml`.  ([!2498])
 * Bumped dependency requirements for `futures-*` `notify`.  ([!2499])
 * Fixed indentation in a doc comment to address a new clippy lint.  ([!2516],
   [!2520])
 * Changed to depend on `slotmap-careful` instead of `slotmap`.  ([!2530],
   [#1531])
 * Abolished unneeded use of `python-is-python3` package in CI.  ([!2535])
 * Reinstated the `tor-proto` circuit hop check in `test_create()`.  ([!2546])
 * Updated download size numbers (for Project 101 Q3-2024).  ([!2571])
 * Simplified `tor-config` path handling by using `path` feature of
   `shellexpand`.  ([!2583])
 * Work around a bug in `cargo license` by permitting a weird licence
   string.  ([!2591], [cargo-license#78])
 * Removed an obsolete TODO.  ([!2562])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Morgan, and Neel Chauhan.
Also, our welcome to Clara Engler as they join the team!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.8 — 1 October 2024

Arti 1.2.8 continues development on onion services,
the RPC subsystem, key management, and relay infrastructure.
It also includes fixes for two security issues in
handling the SOCKS protocol, the most severe of which is rated at
"medium" according to our [security policy].

Arti 1.2.8 also increases our MSRV (Minimum Supported Rust Version)
to 1.77, in accordance with our [MSRV policy].

### Breaking changes

- Arti now requires Rust 1.77 or later. ([!2421], [!2451])
- The `arti hsc` subcommand is now gated behind the experimental `hsc`
  feature until it is ready for general use. ([ab41a9d330ed1db])

### Security fixes

- Temporarily reject attempts to send optimistic data before
  the SOCKS handshake is complete.
  Previously, we would discard data in this case,
  which has the potential to cause mis-framing bugs that could enable
  cross-protocol attacks under some circumstances.
  This is tracked as TROVE-2024-010.
  We intend to add full support for optimistic data soon;
  this is a temporary workaround.
  ([#1627], [!2443])
- Prevent an infinite loop that could occur in our SOCKS code
  if a local connection was closed at the wrong time.
  This is tracked as TROVE-2024-011.
  ([#1635], [!2447])

### Breaking changes in lower-level crates

- The `tor-bytes` crate now reports `Incomplete` rather than `Truncated`
  for most reader types. ([#1614], [!2407])
- Removed some deprecated code in `tor-hsservice`. ([7a838da0ff2359f9])
- The "ephemeral keystore" feature in `tor-keymgr` is now marked as
  experimental, and available behind an `ephemeral-keystore` feature.
  ([!2426])
- The `tor-rtcompat` crate now supports AF_UNIX sockets,
  and provides a more generic API
  for opening and listening for network streams.
  To this end, several of its APIs have been renamed or refactored,
  and the `Runtime` trait now depends on more supertraits.
  ([#1152], [!2437])
- In `tor-rtcompat`, `TcpListener::accept()` no longer exists.
  Use `NetStreamListener::incoming()` instead.
  ([168f55df05f4b56f])
- In `arti-client`, the type for `StorageConfig::keystore` has changed.
  ([5e4e7b69b8cd2791])
- In `tor-circmgr`, the `CircMgr` `reload_persistent_state`,
  `store_persistent_state`, and `upgrade_to_owned_persistent_state` functions
  have been removed. ([!2420])
- In `tor-circmgr`, the function `CircMgr::new` now returns a `CircMgr` rather
  than an `Arc<CircMgr>`. ([!2420])
- In `tor-circmgr`, the deprecated `CircMgr::update_network_parameters`
  function has been removed. ([!2420])
- In `tor-hsservice`, numerous types related to initialization and status
  have been renamed or refactored.
  ([!2397], [!2413])
- In `tor-keymgr`, several types have been renamed.
  ([5e4e7b69b8cd279], [80095da1aa47978])
- In `tor-netdir`, several test-network construction callbacks
  now take an extra parameter.
  ([b2b75302ab095bc])

### Onion service development

- Remove the number of cases in which an onion service needs to know
  its secret identity key `KS_hs_id`.
  This will help with implementing offline key support.
  ([#1194], [!2393])
- Add support for adding externally generated keys;
  this will also help with offline key support.
  ([#1613], [!2396])
- Report onion service status correctly based on upload results.
  This includes major refactoring to onion service status reporting,
  and significant tests.
  ([#1572], [!2397])
- Remove setting for non-anonymous ("single onion") services.
  We don't actually support them yet.
  ([!2413])
- Defer generating service identity keys (`K_hs_id`)
  until the service is actually launched.
  This allows tools like `onion-name` to check whether these keys are present.
  ([!2417])
- The `arti hss onion-name` subcommand now has support for generating
  identity keys on demand. ([#1621], [!2419])
- Experimental support for launching onion service with user-provided
  identity keys. ([#1612], [!2402])
- Allow arti to run with onion services only, and SOCKS/DNS ports  disabled.
  ([#1569], [!2423])
- Move onion service client key management functionality
  into a new `arti hsc key` sub-command,
  which supports key inspection, rotation, and deletion.
  The old `arti hsc get-key` subcommand is now deprecated.
  ([#1475], [!2432], [!2435])
- Support making an `InertTorClient` with an emphemeral key manager.
  ([#1610], [!2394])
- The "default" keystore has been renamed to "primary".
  ([!2438])

### Relay development

- Give `TorRelay` an instance of `ChanMgr` to keep track of open channels.
  ([!2361])
- Continued development on memory-quota support,
  to prevent memory-based denial-of-service attacks
  against relays and onion services. ([!2374], [!2404])
- New `tor-key-forge` crate
  for defining specific key and keypair wrappers,
  for use with relay keys.
  ([#1137], [#1619], [!2356], [!2430], [!2433])
- Define a set of high-level error wrappers for use by the `TorRelay` code.
  ([!2392])
- The channel manager now has (partial) support for receiving and handling
  incoming channels. ([!2389])
- Initial key generation and management support for relays.
  ([#1604], [!2411])
- Move Arti's (in-progress) `relay` subcommand to its own module. ([!2455)

### RPC development

- Add support throughout the RPC stack
  for opening data streams and registering them with the RPC system,
  using the protocol developed in [proposal 351].
  ([#1524], [!2373], [!2401], [!2406], [!2409], [!2434], [!2452])
- Update RPC specification draft to match current reality and plans.
  ([!2386], [!2453])
- Refactor the way that the RPC service handles errors,
  to ensure that framing errors are never silently tolerated,
  and other errors are handled uniformly.
  ([#1591], [!2400])
- Expose a list of object delegation types,
  to make it possible to generate full documentation
  of which objects support which methods.
  ([#1624], [!2418])
- Add a (work-in-progress! unstable! experimental!) Python wrapper
  for our similarly unstable RPC client library.
  ([!2446])

### Testing

- Partially fix test nondeterminism in the `reload_cfg::watch_single_file` test.
  ([#1549], [!2375], [!2391])
- Improve performance for the `reload_cfg::watch_multiple` test.
  ([#1589], [!2387])
- [Chutney] network integration tests are now
  run inside the [Shadow] discrete event simulator.
  ([!2427])

### Documentation

- Typo fixes in our documentation. ([!2403])
- Improved documentation for onion service descriptor publication.
  ([#1216], [b87b9f44ae05d4f0])
- Clean up documentation for `InertTorClient`. ([!2414])
- Clarify behavior of `ArtiEphemeralKeystore`. ([!2424])
- New example: running an axum router as an onion service.
  ([!2445])
- Add an example for an onion service's `reject` option to our
  sample configuration ([!2458])

### Infrastructure

- Clean-ups to CI jobs that generate debian packages.
  ([!2368])
- Adjust exceptions for `downgrade-dependencies` script.
  ([!2398], [!2451], [cf7f25851ac0319f])

### Cleanups, minor features, and bugfixes

- Move Arti's `proxy` subcommand to its own module. ([!2416])
- Clean up needless abstraction, and add smarter abstraction,
  to make `tor-circmgr` easier to test.
  ([!2412], [!2420])
- When encountering truncated data, the `tor-bytes` crates now
  gives a lower-bound estimate for how much more data would be needed
  in order produce a successful parse. ([!2390])
- The `tor-bytes` crate now tracks whether its inputs are possibly
  incomplete, and only reports "Truncated" data as a recoverable error
  on a possibly incomplete data.
  This helps to prevent a category of bug
  (which it appears our code doesn't actually have)
  where we might erroneously
  keep reading more data without limit.
  ([#1614], [!2407])
- Fix a bug in our SOCKS handling
  that would cause us to exceed the bounds of a buffer,
  causing the SOCKS task to exit with a panic.
  ([dceeb82f7d115489])
- Upgrade to the latest versions of `float-cmp` and `derive-more`.
  ([!2450])
- Keystore configuration options have been significantly revised;
  there is now a `keystore.primary.kind` option
  to configure the primary keystore.
  ([!2441])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Adam Joseph, Alexander Hansen Færøy, Anonym, Morgan,
Pier Angelo Vendrame, Steven Engler, tidely, and Wesley Aptekar-Cassels.
Also, our welcome to Wesley Aptekar-Cassels as they join the team!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.7 — 3 September 2024

Arti 1.2.7 continues development on onion service client authorization,
the RPC subsystem, and relay infrastructure.

### Breaking changes in lower-level crates
- In [`tor-hsservice`],
  `OnionServiceProxyConfigBuilder` no longer derives `Eq` and `PartialEq`,
  and `DescEncryptionConfig`, `DescEncryptionConfig`,
  `AuthorizedClientConfig,` and `AuthorizedClientParseError` are removed.
  ([!2266])
- In [`tor-ptmgr`], `PtClientMethod` is now exported from the top-level.
  ([5774dd456265ef4cb8771342538a07ba76e5a5d9])

### RPC development
- Expose the OS errno of the FFI error types that have one. ([!2311])
- Fix typos in an FFI comment. ([!2310])
- Always re-encode requests and responses, and preserve unrecognized struct fields.
  ([#1491], [!2312])
- Expose the object ID for the session object. ([!2318])
- Use `JsonValue` to re-encode responses and requests.
  ([#1512], [#1511], [!2315])
- Add support for request handles in our FFI code. ([!2317])
- Add an unstable RPC method to list every RPC method. ([!2332])
- Build [`arti-rpc-client-core`] as a C dynamic library. ([!2331])
- Use more sophisticated handling for `ConnectionError`s in `arti-rpcserver`.
  ([#1517], [!2335])
- New `slotmap-careful` crate to use when we mustn't re-use keys. ([!2298])
- Rename various identifiers in our FFI code. ([!2344])
- Use the new `slotmap-careful` instead of `generational-arena` in
  `arti-rpcserver`. ([#1282], [!2343])
- Implement RPC method delegation support. ([#1523], [!2342])
- Allow simultaneous calls to `arti_rpc_handle_wait()`.
  ([#1532], [!2360])
- Add experimental method to list SOCKS proxy addresses. ([#1523], [!2359])

### Relay development
- Add initial support for relay configuration. ([#1534], [!2352])

### Internal cleanup and refactoring
- Major refactoring to the `tor-proto` circuit reactor code,
  which simplifies the implementation and will enable us to support
  opportunistic packing for [proposal 340].
  Introduce `StreamPollSet` for polling streams in priority order.
  ([!2285], [#1513], [!2319], [!2334])
- Refactoring in our key management code to prevent accidental misuse
  of relative key paths. ([#1494], [!2291])
- Refactor `KeyedFuturesUnordered` so that the underlying futures
  are accessible. ([!2321])
- Allow access to the inner streams of `StreamPollSet`,
  refactor `StreamMap` ([#1421], [!2326], [!2333]).
- Make `GuardMgr` mandatory throughout our circuit management code.
  ([#1465], [!2339], [!2347])
- Encapsulate flow-control into a separate object,
  abstracting away the difference between window-based (legacy) flow control and
  xon-based ([proposal 324]) flow control. ([!2340], [!2358])
- Introduce a `PeekableStream` trait to get rid of redundant buffering.
  ([!2345])

### Onion service development
- Implement hidden service restricted discovery mode (previously known as
  "client authorization"). ([#1292], [!2266], [!2336], [!2316])
- Add support for live-reloading the restricted discovery configuration.
  ([#1505], [!2329], [!2353], [!2369])
- Provide an MPSC queue with memory quota tracking. ([#351], [!2292])
- Make arrangements in `tor-memquota` for memory tracking to be optional,
  and gate `MemoryQuotaTracker::new` behind the `memquota` feature.
  ([!2351])

### Minor features
- Stop requiring the TRANSPORT key in pluggable transport STATUS messages.
  ([#1488], [!2307])
- In [`fs-mistrust`], add a `CheckedDir::metadata()` function
  for retrieving file metadata.
  ([72c3a1a661284844806b34e9ca5e81a43b8d0913], [!2324])
- In [`tor-ptmgr`], make managed pluggable transports optional.
  ([#1334], [!2354])
- Add an `InertTorClient` for accessing client state. ([#1496], [!2370],
  [!2314])
- Move `tor_async_utils::oneshot` into a new [`oneshot-fused-workaround`] crate.
  ([!2371], [!2383])

### Testing
- Make the `hsc` subcommand documentation serve as a test case. ([!2304])
- In the expected output of the CLI tests,
  match any number of lines in the `-c` help.
  ([#1509], [!2313])
- Fix broken reference to `apt-install` script in the Shadow integration tests.
  ([!2309])
- Add a Shadow integration test for restricted discovery mode. ([#1292],
  [!2272])
- Don't explicitly set `storage.keystore.enabled` in the Shadow CI tests.
  ([222b0eae48ae88d1a64cf5f0c11e662bf61dda4d])
- Test `cbindgen` correctness in CI. ([#1502], [!2320], [!2322], [!2330])
- Add `LogState` tests in `tor-log-ratelim`. ([!2349])
- Fix `arti_socket_closed` RPC test, which was previously flakey on OSX.
  ([#1510], [!2348])
- Add an arti obfs4 managed pluggable transport client and a tor obfs4
  server to the Shadow CI tests ([#1538], [!2355]).
- Temporarily disable a flaky configuration watcher test. ([!2364])
- Add circuit reactor test for stream handling fairness. ([!2365])
- Rewrite the `hsc` tests using `InertTorClient`.
  ([#1496], [1d3e59f2e9572a9710de2c2a9c925c5c38a6874c])
- Set the `COLUMNS` env var in the CLI tests.
  ([#1574], [f1779cfbb3e27b04ba3cca9206170f1e1ea904db])

### Documentation
- Remove obsolete documentation from [`tor-proto`]. ([!2366])
- Discourage use of `tor_rtmock_test_with_*` macros. ([!2372])

### Infrastructure
- Add a few more Tor employees to exclude from our acknowledgments. ([!2306])
- Remove the no-longer-necessary `--cfg docsrs` flag from our rustdoc invocation.
  ([!2308])
- Fix handling of items ending in `;` in `check_doc_features`
  maintenance script. ([!2316])
- Use the `via-cargo-install-in-ci` maintenance script to cache `grcov`
  in the `coverage-aggregated` job. ([!2325])
- Add initial support for building an Arti deb package. ([!2323], [!2367])
- Add script for testing without any features enabled.
  ([7a9bf49870533cc052b12680336f067f77d87b34])
- Run tests of every crate, with all features disabled. ([!2350])
- Explicitly specify the deployment target of macOS to 10.7
  to fix the failing `build-repro-macos` job.
  ([#1394], [#1507], [!2377], [!2346])
- Rename "Sponsor 101" to "Project 101". ([!2379])

### Cleanups, minor features, and bugfixes
- Make `arti hss onion-name` return a non-zero status if the service doesn't
  exist. ([!2305])
- Use `std::backtrace` instead of the [`backtrace`] crate. ([!2301])
- Add missing `docsrs` `cfg_attr` to fix a `cargo doc` warning. ([!2337])
- Resolve `unreachable_patterns` warnings from nightly. ([!2338])
- Make `blind_keypair` build without the `hsv3-client` feature.
  ([#1504], [!2341])
- Move `Qty` to [`tor-basic-utils`] as `ByteQty` and significantly improve it.
  ([!2363])
- Move `stream_peek` to [`tor-async-utils`]. ([!2362], [!2357])
- Various typo fixes in comments and messages. ([!2380])

### Acknowledgments

Thanks to everybody who's contributed to this release, including Alexander
Hansen Færøy, ambiso, Dimitris Apostolou, kn0sys, Kunal Mehta, NoisyCoil, opara,
Robin Leander Schröder, and Steven Engler.
Also, our welcome to Steven Engler as he joins the team!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.6 — 1 August 2024

Arti 1.2.6 continues development on onion service client authorization,
the RPC subsystem, and relay infrastructure.

### Security fixes

- Update `openssl` to avoid undefined behavior in `MemBio::get_buf`.
  ([RUSTSEC-2024-0357], [TROVE-2024-009], [#1495], [!2276])

### Major bugfixes

- When opening a SQLite directory cache in read-only mode, do not attempt to
  create it. This bug would sometimes prevent Arti from starting correctly
  when running multiple processes at once.
  ([#1497], [!2283])

### RPC development

- Initial work on a [wrapper library][arti-rpc-client-core]
  for invoking Arti RPC functionality from other processes.
  ([!2270], [!2277], [!2279])
- Initial work on [FFI support][arti-rpc-client-core-header]
  for invoking Arti RPC functionality from other languages.
  ([#737], [!2273])
- Clean up the RPC method dispatch implementation,
  remove some unneeded functions, and refactor the syntax
  for declaring error types. ([!2284])

### Relay development

- Infrastructure work for out-of-memory prevention.
  ([#351], [!2280], [!2281])

### Onion service development

- New `arti hsc` command for managing client state and keys for connecting
  to onion services. ([#1281], [#1291], [!2212], [!2257])
- Support parsing client restricted discovery (a.k.a. "client authorization") keys
  from C Tor's `descriptor:x25519:<base32-encoded-x25519-public-key>` key format.
  ([!2246])
- Ensure that `hsc` subcommand can build correctly with unusual combinations
  of features. ([!2254])
- Remove some unused code for publishing and authentication support.
  ([!2251])
- Add an `OnionServiceBuilder` API; deprecate `OnionService::new()`.
  ([#1490], [!2262])

### Minor features

- The obsolete and unused "TAP" keys are now optional
  when parsing network documents.
  This is phase one of [our plan][prop350] to eventually remove them entirely.
  ([!2227], [prop350])
- New `TorClient::wait_for_stop` method, for code that needs to wait
  until a TorClient instance has definitely shut down.
  ([#1418], [!2259], [!2278])
- In `tor-netdoc`, expose fields from `AnnotatedRouterDesc` and
  `RouterAnnotation` when `dangerous-expose-struct-fields is set.
  ([#1469], [!2213])

### Testing

- Exclude `maint` and `examples` from coverage reports. ([!2256])
- More tests throughout RPC codebase. ([!2264])
- Improvements and clean-ups to circuit reactor tests. ([!2287])
- CLI tests for the `arti hss` and `arti hsc` subcommands. ([#1250], [!2275])

### Documentation

- Clarify meaning of `peer_cert` in `UnverifiedChannel`. ([!2260])
- Improve documentation for mocked time in `tor-rtmock`. ([!2286])

### Infrastructure

- Improvements in release process and utilities for managing the changelog.
  ([!2240])
- Fix gitlab CI to always use `amd64` architecture images.
  Previously, it would sometimes choose a docker image for the wrong
  architecture. ([!2249])
- Split and refactor reproducible-build CI job. ([!2252])
- Improvements to script for detecting crate ownership problems.
  ([#1485], [!2255])
- Script to make sure that every crate has a valid set of crates.io
  categories. ([#1481], [!2256])
- Move our commonly used rust maintenance scripts to a separate repository,
  imported with `git-subtree`. ([#1300], [!2267])
- In gitlab CI, pin the compiler version we use to build cargo-audit
  and some other tools. ([!2289], [!2290])


### Cleanups, minor features, and bugfixes

- Remove an unused constant from `equix`. ([!2243])
- Suppress and resolve a few warnings about documentation and dead code.
  ([!2244])
- Fix parsing time-periods from "key slug" identifiers. ([!2248])
- Fix error messages related to filesystem access failures,
  so that they do not all erroneously claim to be permissions failures.
  ([#1473], [!2253])
- Return correct error type when trying to extend a circuit via `ntor` to a
  relay with no known RSA identity. ([!2261])
- Fix a bug in the implementation of
  `ArtiNativeKeystore::contains()` that caused it to always return false.
  ([#1492], [!2274])
- Fixes for various new warnings from the nightly version of `clippy`.
  ([!2288])
- Disallow the error-prone `Path::exists()` function in our code,
  and use `try_exists()` instead. ([#1493], [!2293])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Clara Engler, Jim Newsome, and trinity-1686a!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.5 — 27 June 2024

### Breaking

- `TorClientBuilder::create_*` now take `&self`.
  ([!2198])
- Stop publishing the obsolete `arti-hyper` crate.
  ([!2225], [#1204])

### Security fixes

- Update curve25519-dalek to avoid a low-severity timing vulnerability.
  ([TROVE-2024-007], [#1468], [!2211])
- With full vanguards, client rendezvous circuits
  do not reuse the final vanguard as the rendezvous point.
  ([TROVE-2024-008], [#1474], [!2230])

### RPC development

- New overview document, at the crate root for `tor-rpcbase`.
  ([!2210])
- Much improvement to method invocation arrangements.
  ([!2190])
- Change approach to method invocation on data-stream-like objects.
  ([!2192])

### Relay development

- Add skeleton, including (experimental): arti-relay crate,
  `relay` cargo feature in `arti-client`,
  `relay` command line argument to `arti`.
  ([!2182])
- Add a key material export facility for some of our TLS implementations.
  ([IETF RFC 5705], [#1432], [!2185])

### Bugfixes

- Tolerate removal of files from Arti's cache directory.
  Fixes
  `Bad permissions in cache directory: File or directory ${HOME}/.cache/arti/dir_blobs/... not found`.
  ([#1466], [!2200])
- Ensure that obsolete files are removed from Arti's cache directory.
  ([!2200])

### New features and other improvements

- Add `TorClientBuilder::local_resource_timeout` feature,
  asking Arti to wait (a short while) for a previous instance to exit.
  ([#1464], [!2198])
- Improve memory usage by disabling built-in X.509 root certificates
  when building `tor-rtcompat` with openssl.
  ([!2203], [#1027])
- Improve memory usage by limiting the batch size
  when reading directory information from the on-disk cache.
  ([!2202], [#1027])

### Documentation

- Documentation tweaks in `tor_persist::StorageConfig`.
  ([!2197])

### Testing

- Use a new version of [Shadow].
  ([!2195])
- Improvements to the tests to prevent a recurrence of
  [TROVE-2024-003] /
  [TROVE-2024-006].
  ([!2199])
- Stop build-testing the `gsoc2023/download-manager` example
  (it uses an obsolete version of `hyper` and the obsolete `arti-hyper` crate).
  ([!2225], [#1471])
- Fixes to test builds on MacOS,
  ([#1394], [!2226], [#1472], [!2234])
- Disable test builds on x32 (the not-widely-used Linux x86_64 32-bit hybrid ABI)
  ([#1480], [!2235], [!2236],
  [num-bigint#311](https://github.com/rust-num/num-bigint/issues/311))

### Internal cleanup and refactoring

- Improve the path construction logic to try to help avoid future bugs like
  [TROVE-2024-003] and
  [TROVE-2024-004].
  ([#1459], [!2199], [!2205])
- Refactoring in the circuit reactor, including new `SometimesUnboundedSink`.
  ([!2172])
- Refactoring in the arti command line utility,
  pursuant to client support for hidden services with restricted discovery
  (previously misleadingly known as "client authorisation").
  ([!2206])
- Rename the internal type `OptTimestamp` to `AtomicOptTimestamp` in `tor-proto`.
  ([!2218], [#1412])
- Fix a rustdoc warning.
  ([!2215])
- Update to new syntax for [`derive-deftly`] 0.12.1.
  ([!2209])

### Infrastructure and support

- Portability improvement to the script for maintaining links in this changelog.
  ([!2194], [#1460])
- New script for checking crate ownership on crates.io.
  ([!2196], [!2201], [!2220], [#1462])
- Try to work around bugs where container systems
  use images of the wrong architecture.
  ([!2207],
  [docker](https://github.com/docker/cli/issues/2590),
  [podman](https://github.com/containers/podman/issues/22998))

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Gaba, Jim Newsome, juga, pinkforest, and trinity-1686a!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!



# Arti 1.2.4 — 5 June 2024

Arti 1.2.4 continues development on onion services,
and on the RPC subsystem.

This release restores the `faravahar` directory authority, which has a new
location and keys.

We have also fixed two-medium security issues, tracked as [TROVE-2024-005]
and [TROVE-2024-006], respectively, and a number of other, smaller bugs.

[TROVE-2024-005] affects hidden service circuits using non-default vanguard
configurations (where the vanguard mode is set to 'disabled' or 'full'),
causing hidden service circuits to be built from circuit stubs that are
incompatible with the circuit target, and to have an incorrect length.

[TROVE-2024-006] affects hidden services and clients using non-default
vanguard configurations, where the vanguard mode is set to 'disabled', or that
have the `vanguards` feature compiled out. In some circumstances, this bug can
lead to building hidden service circuits that contain the same relay in
multiple positions.

Both issues make users of this code more vulnerable to traffic analysis when
running or accessing onion services.

### Network updates

- Restore the `faravahar` directory authority, with new location and keys.
  ([!2175])

### Major bugfixes

- Ensure that `DataWriter::close()` actually closes its associated stream.
  Previously, this `close()` method would have no effect until the
  `DataReader` was also dropped. ([#1368], [!2170])
- Fix a bug where the vanguard circuit stub selection code would fail to ensure
  that the last two hops of the selected circuit stub are different from the
  circuit target. ([#1417], [!2167], [!2181])
- Fix a medium-severity issue causing the hidden service circuit pool code to
  ignore the configured vanguard mode.
  This is also tracked as [TROVE-2024-005]. ([#1424], [!2168])
- Use `HasRelayIds::has_any_relay_id_from` to check for relay equality
  when checking if a circuit contains duplicate relays. ([!2181])
- Fix a medium-severity issue, which would, in some circumstances, cause
  hidden service circuits to be built without applying the necessary same-hop
  restrictions.
  This is also tracked as [TROVE-2024-006]. ([#1425], [!2179])

### Breaking changes in lower-level crates

- The `Channel` type in `tor-proto` has been significantly refactored:
  it is now always wrapped in an explicit `Arc`, it no longer implements
  `Sink` on its own, and it can no longer be used to send raw cells
  from outside the `tor-proto` crate. ([!2163])
- `HsCircPool::reconfigure` has been removed
- `VanguardConfig` and `VanguardConfigBuilder` are now reexported from
  the root of the `tor-guardmgr` crate. ([!2146])
- `SshKeyData` is now an opaque type
- `SshKeyData::into_public` and `SshKeyData::into_private` have been removed

### Deprecated functionality

- The `arti-hyper` example crate is now deprecated and unmaintained.
  ([!2127])

### Onion service development

- Major refactoring to reduce technical debt in key manager code.
  ([#1362], [#1367], [!2131], [!2141])
- Address various pending "TODO" items in the vanguard code.
  ([!2139])
- Adjust terminology for vanguard stub circuits. ([#1339], [!2161])
- Add tests for vanguard configuration, and configuration backend logic as
  needed to simplify some of the vanguard configuration code. ([!2146])

### RPC development

- Expose methods on TorClient to get and observe the status of the client
  object. ([#1384], [!2110], [!2130])
- Infrastructure to allow the RPC system to interact with SOCKS streams,
  provide them with context, and name them as RPC objects.
  ([!2143])
- Based on difficulties encountered with earlier RPC development,
  add an improved facility for RPC methods that can be invoked internally
  without serializing their inputs and outputs ([#1403], [!2152])
- Enforce consistent style and formatting on RPC method names. ([#823], [!2149])
- Other miscellaneous lower-level improvements to the RPC type
  system. ([!2124], [!2140], [!2142])

### Other major features

- If the circuit manager has retired all of its circuits,
  unconditionally retire all the circuits from the hidden service circuit pool.
  ([!2168])

### Testing

- Improved test layout in `tor-keymgr`. ([#1363], [!2125])
- Automate enforcement of our convention that scripts not be named with
  their implementation languages. ([!2153])
- Include script needed to generate `keymgr` test data. ([!2121])
- Add tests for vanguard state file serialization. ([!2167])
- Add a [Shadow] CI test involving an onion service that uses full vanguards.
  ([!2167])
- Add a test that ensures the hidden service circuit pool reads the vanguard mode
  from the configuration. ([!2168])
- Make the Shadow CI tests fail if any internal errors are reported in the logs.
  ([!2186])

### Documentation

- New example in arti-client for creating a one-hop circuit. ([!2148])
- Recommend `cargo --locked` in our examples, to encourage people
  to get audited versions of our dependencies. ([!2157])
- Clean up old changelogs to have a more uniform style, based on
  our updated `gen_md_links` script. ([!2126], [!2165])

### Infrastructure

- Disable automated Chutney tests in coverage CI. ([#1299], [!2120])
- Improve our `add_warning` script so that it can adjust our warnings during
  CI.  Previously we used a compiler `--cfg` flag for conditional warnings,
  but unrecognized `cfg` flags now provoke a warning. ([#1395], [!2129])
- Use `add_warning` to maintain the list of lints in our examples. ([!2132])
- Improved scripts to list our crates, and publish our crates,
  to make accidents less likely while
  we're trying to release.  ([#1390], [!2118], [!2138], [!2158])
- Improve our `gen_md_links` script to provide more uniform output,
  and generate its results in a more useful format. ([#1388], [!2126], [!2169])
- Ensure that our CI scripts delete unnecessary data on completion.
  (This helps keep us from running our infrastructure out of disk space
  and making the other gitlab users sad.) ([!2159])
- Adjust our license-checking code to accommodate
  license clarifications in `priority-queue` and `tinystr`.
  ([!2177])

### Cleanups, minor features, and bugfixes

- Resolve several Clippy warnings from the latest version of Rust. ([!2128])
- Clarify control-flow in our (currently convoluted) circuit reactor code.
  ([!2122])
- Refactor to avoid most use of `cfg(fuzzing)`. ([#1395], [!2134])
- The `DataStream` type now has a method to wait for a connection to
  complete. ([489aa72d1eee8a56])
- Clarify or resolve several dead-code warnings. ([#1383], [!2151])
- Explicitly enforce maxima on SENDME windows.  (Formerly, we did this
  implicitly.)  ([#1383], [!2150])
- Avoid the appearance of an infinite loop in
  `engage_padding_activities`. ([!2164])
- Refactor the `Channel` type to be more explicitly `Arc`,
  better documented, and to have less information shared between its
  front-end and reactor pieces. ([!2163])
- Refactor the `poll_ready` method on `ChannelSender` to
  have a more conventional interface. ([!2171])
- Replace debug assertions with internal errors
  in the post-build checks for vanguard circuits,
  to prevent issues such as [TROVE-2024-003] and [TROVE-2024-004].
  ([!2167])
- When building vanguard circuits, ensure the target relay does not occur
  as one of the last two hops. ([!2186]]
- Upgrade to the latest versions of [priority-queue]. ([!2177])
- Validate the properties of the circuits retrieved
  from the hidden service circuit pool. ([97868349ed695ec8])
- Fix hidden service circuit stubs sometimes being unnecessarily extended
  when lite vanguards are in use. ([#1458], [!2183])
- Refactor vanguards configuration handling to be less error-prone.
  ([#1456], [!2183])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Gaba, Jim Newsome, juga, and pinkforest!

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!



# Arti 1.2.3 — 15 May 2024

Arti 1.2.3 fixes a high-severity issue affecting onion services and clients
connecting to onion services with 'lite' vanguards (the default) enabled:
when building anonymizing circuits to or from an onion service
the circuit manager code would build the circuits with one hop too few.
This makes users of this code more vulnerable to some kinds of traffic analysis
when they run or visit onion services.

This release also fixes a medium-severity issue affecting 'full' vanguards.
With 'full' vanguards enabled, client HsDir circuits, client introduction
circuits and service rendezvous-circuits are extended with an extra hop to
minimize the linkability of the guard nodes.
In some circumstances, the circuit manager would build circuits with one
hop too few, making it easier for an adversary to discover the L2 and L3
guards of the affected clients and services.

In Arti 1.2.1 and earlier, vanguards were still an experimental feature, or
absent, so those versions are classified as "not affected", even though
downgrading does not fix the security problem.

### Major bugfixes

- Fix a high-severity issue affecting onion service circuits using 'lite'
  vanguards. Previously, with 'lite' vanguards enabled, any circuit to or from
  an onion service was one hop too short, making clients and services vulnerable
  to certain types of traffic analysis. This is also tracked as
  [TROVE-2024-003]. ([#1409])

- Fix a medium-severity issue affecting onion service circuits using 'full'
  vanguards. Previously, with 'full' vanguards enabled, *some* circuits to or from
  an onion service were one hop too short, making linkability attacks more
  likely to succeed.
  [TROVE-2024-004]. ([#1400])

[#1400]: https://gitlab.torproject.org/tpo/core/arti/-/issues/1400
[#1409]: https://gitlab.torproject.org/tpo/core/arti/-/issues/1409
[TROVE-2024-003]: https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
[TROVE-2024-004]: https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE



# Arti 1.2.2 — 30 April 2024

Arti 1.2.2 continues improvements on previous releases,
by improving onion service security with [Vanguards].
This release also includes an as-yet-unused backend
to help resist memory-exhaustion attacks,
and numerous other smaller improvements.

### Breaking changes in lower-level crates

- Refactor our [`Relay`] code to move low-level information
  into a [`RelayDetails`] type.
  ([#504], [!2057], [!2073])
- The internal API for the RPC object system has been greatly revised.
  ([!2079])

### Network updates

- Update to use the new identity key
  for the `tor26` directory authority.
  ([!2080])

### Major bugfixes

- Fix an inadvertent recursion bug when converting
  ` TorAddrError` to `arti_client::Error`.
  ([#1379], [3f2dcaca31992018f825])
- Improve reliability of bootstrap status reporting.
  ([!2107])

### Onion service development

- Arti now supports [Vanguards] for improved security
  against guard discovery for onion service circuits.
  By default, we use the `vanguards-lite` algorithm;
  the `vanguards-full` algorithm can be configured.
  ([#1272], [#1273], [#1275], [#1340], [#1353], [#1364], [#1366],
  [!2075], [!2082], [!2083], [!2088], [!2090], [!2093], [!2099],
  [!2102], [!2104], [!2105], [!2109], [!2111])
- Export `KeyMgrBuilderError` as a public type,
  to help external code construct its own [`KeyMgr`].
  ([!2078])
- Initial implementation for
  an in-memory ephemeral key store, which will be useful
  in implementing ephemeral onion services.
  ([#1358], [!2076])
- Fix a bug that prevented reporting of onion service status updates.
  ([#1361], [!2086])
- Fix a bug that would cause onion service circuit pools
  to pre-build fewer circuits than actually desired.
  ([!2101])

### RPC development

- The RPC object system has been refactored to use `derive-deftly`
  and an improved system of method invocation.
  Together, these changes make it easier to write RPC methods,
  and allow support for RPC methods on generic types.
  ([#838], [#1380], [!2079], [!2084], [!2103])

### Other major features

- Convert to use [`figment`] instead of [`config-rs`]
  as our configuration backend,
  for improved error messages.
  ([#1267], [#1268], [!2041])
- New `tor-memquota` backend crate to keep track of our memory usage,
  and to help us react appropriately when we are out of memory.
  We will use this as part of our DoS-resistance system.
  ([#1381], [!2091], [!2100])


### Documentation

- Add cross-references to explain limitations of [`NetDir::by_ids`].
  ([#1365], [!2081])
- Fix a link to our Code of Conduct.
  ([!2085])
- Miscellaneous documentation fixes.
  ([!2087])
- Document some tricky assumptions and requirements in `tor-proto`'s
  circuit reactor code.
  ([#1373], [!2089])
- Improve documentation and license presence for our two
  LGPL-licensed crates.
  ([#1375], [!2094], [!2106])

### Testing

- Add high-level tests for pluggable transport configuration.
  ([#1333])

### Infrastructure

- Adjust our license-checking code to accommodate
  license clarifications in `rustls-webpki` and `option-ext`.
  ([!2070])
- Fix compilation breakage in our relaymsg fuzzing code.
  ([#1349], [!2069])
- Add an option to the `fuzz_it_all` script
  for it to run only against the static corups.
  ([#1350], [!2071])

### Cleanups, minor features, and bugfixes

- Remove unused dependencies from several crates.
  ([!2068])
- Expose `BridgesConfig` from `TorClientConfig`
  so it can be inspected by other modules.
  ([c5a91130fff6af25])
- Refactor code for scheduling events in onion service code.
  ([#1259], [!2064])
- Update our code to use [`derive-deftly`],
  formerly called `derive-adhoc`.
  ([!2066])
- Refactor `same_relay_ids` to be automatically derived.
  ([!2072])
- Refactor `StreamMap`'s stream-counting code to be less
  error-prone.
  ([#1344], [!2058])
- Add an experimental method to expose the HS circuit pool
  from `TorClient`.
  ([!2077])
- Clean up new warnings from the nightly version of Clippy.
  ([!2096], [!2097])
- Upgrade to rustls version 0.23.
  ([#1377], [!2095])
- Suppress or resolve some dead-code warnings. ([!2098])


### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Jim Newsome, Richard Pospesel, trinity-1686a,
Wiktor Kwapisiewicz, and VaiTon.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.1 — 2 April 2024

Arti 1.2.1 continues development on onion services,
and adds several important security features.
More such improvements are on the way.
See [`doc/OnionService.md`] for instructions and caveats about running
onion services with Arti today.

This release also adds support for
[unmanaged pluggable transports][#755],
and begins work to improve Tor's relay cell protocol
with support for [packed and fragmented messages][prop340].

### New versioning policy

Starting with this version,
we are no longer independently tracking
breaking and non-breaking version changes
for the `arti-client` crate and each of the `tor-*` crates below it.
Instead, we will _assume_
that every release of these crates breaks API compatibility
with the one before, and update our semantic versioning accordingly.
(We will continue not to make gratuitous API compatiblity breaks
on purpose.)

Previously, our efforts to track
which changes in these crates were breaking
and which were not
created a great deal of overhead in our development process,
and tended to be somewhat error-prone.

This change affects developers only; users should not be affected.
This does not affect crates already at version `1.x` or higher,
or published utility crates whose names don't start with `tor-` or `arti-`.

See [`doc/Semver.md`] for more information on this policy.
([#1005], [!2051])

### Breaking changes in lower-level crates

- Refactored `tor-config` to hide implementation details.
  This will eventually allow us to migrate from `config-rs`
  to a configuration provider with better error handling.
  ([!2040])
- Renamed several types in `tor-ptmgr`
  to reflect new support for unmanaged pluggable transports.
  ([d63d966d79f0f988])
- The `tor_circmgr::path` module is now crate-private.
  ([4c1eb94173521bc5])
- The [`Runtime`] trait now includes functionality for "coarse" time,
  backed (by default) by the [`coarsetime`] crate.
  We use these timestamps in cases
  where we need fast time checking more than precision.
  Putting them into `Runtime` lets us replace them with mock functions
  for testing purposes.
  ([!2050], [!2052])
- The `tor-cell` relay cell API is significantly revised.
  ([!2034], [!2045], [prop340])
- The `allow_stream_requests()` method in `tor-proto`
  now takes an extra argument.
  ([!2047])

### Onion service development

- Reorganize onion service code,
  to remove an unnecessary (and inconsistently used) internal module,
  to simplify needless imports,
  and to generally tidy up the implementation.
  ([#1212], [!2020])
- Avoid using `futures::oneshot`:
  our own `tor_basic_utils::oneshot` is safer to use
  when `select!` may be involved.
  ([95ed432c13c2c4b2])
- Design work for out-of-memory handling,
  which is necessary for onion service security.
  ([!1997])
- Onion services have now support a `max_concurrent_streams_per_circuit` option.
  ([#1124], [!2047])
- Initial implementation work
  for onion service [vanguards],
  which are needed to improve onion service security.
  This is not yet complete.
  ([#1272], [#1275], [#1276], [#1277], [#1340],
  [!2035], [!2038], [!2046], [!2049], [!2053])

### Other major features

- New relay cell decoding API, in order to eventually handle
  packed and fragmented messages.
  ([!2034], [!2045], [prop340])
- We now support unmanaged pluggable transports.
  Previously, Arti only supported _managed_ pluggable transports:
  that is, ones that it launched itself.
  Now you can configure Arti to use a pluggable transport
  running at a known SOCKS port.
  ([#755], [!2043])

### Documentation and examples

- Improve windows documentation in `fslock-guard` and `test-temp-dir`.
  ([!2011])
- More documentation for our internal build and release tools.
  ([!2028])
- Fixed broken links in the documentation for `NetParameters`.
  ([!2054])
- Fixed the disclaimer about onion services in our configuration file.
  ([!2055])

### Testing

- More unit tests in `fslock-guard`.
  ([!2013])
- More tests for `arti_client::address`.
  ([!2029])

### Cleanups, minor features, and bugfixes

- We've fixed a bug in our arguments parser
  that previously caused `arti` to panic when run without arguments.
  ([#1311], [!2021])
- The `tor-checkable` module now uses checked time arithmetic,
  to avoid overflows or panics when extending tolerances.
  ([!2031])
- We now enforce Clippy's [`unchecked_duration_subtraction`] lint by default.
  ([#1304], [!2008])
- Refactor configuration watcher to receive a `Runtime`.
  Previously it took an entire `TorClient`, unnecessarily.
  ([!2017])
- We now ban `std::Path::display`,
  since it is lossy in an easy-to-overlook way.
  We've given it a `PathExt::display_lossy` implementation
  to be used instead.
  ([!2027])
- The `tor-bytes` module now behaves more sensibly
  (typically panicking)
  if someone tries to use `write_zeros` to extend a buffer beyond `usize::MAX`.
  Previously it might truncate its buffer.
  ([!2033])
- Refactoring and improvements on the `BackoffSchedule` logic.
  ([#1259], [!2024])
- Moved logic for picking relays into a new `tor-relay-selection` crate,
  to avoid duplicated code
  and the risk of missing necessary checks when picking or examining relays.
  ([#504], [#789], [!2002])
- Clarify implementation of onion service timeout calculation logic,
  to avoid possible confusion about the `hs_hops` variable.
  ([#1332], [!2044])
- Simplified logic and API for creating relay encryption layers.
  ([!2048])
- Various typo fixes in comments and messages. ([!2030], [!2032], [!2036])


### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Brady Fomegne, Dimitris Apostolou, Jim Newsome,
Neel Chauhan, Tobias Stoeckmann, and trinity-1686a.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!



# Arti 1.2.0 — 4 March 2024

Arti 1.2.0 continues work on support for running onion services.
You can now launch an onion service and expect it to run,
although you may well encounter bugs.

We have fixed a number of bugs and security issues,
and have made the `onion-service-service` feature non-experimental.

In the next releases, we will focus on implementing
the missing security features and on improving stability.

Don't rely on this onion service implementation for security yet;
there are a number of [missing security features]
we will need to develop before we can recommend them
for actual use.

See [`doc/OnionService.md`] for instructions and caveats.

### Major bugfixes

- Empty DATA messages are a way to inject an undetected traffic signal, so we
  now reject empty DATA messages, and prevent them from being constructed
  through the [`tor-cell`] API.  This is tracked as [TROVE-2024-001].
  ([!1981], [#1269])

### Breaking changes in lower-level crates

- In [`tor-circmgr`], `Error::GuardNotUsable`, `Error::CircTimeout`,
  and `Error::Protocol` now contain the process-unique identifier of the circuit
  that caused the error. ([!2003])
- In [`tor-hsclient`], remove `HsClientNickname` and the nickname argument from
  `HsClientDescEncKeypairSpecifier::new`. ([!1998], [#1283])
- In [`tor-hsrproxy`], add a `String` representing the error message to
  `ProxyConfigError::UnrecognizedTargetType`,
  `ProxyConfigError::InvalidTargetAddr`, `ProxyConfigError::InvalidPort`
  ([!1973], [#1266])
- In [`tor-hsservice`], remove the unimplemented `max_concurrent_streams_per_circuit`
  configuration option from `OnionServiceConfigBuilder`.  We may implement and
  reinstate it in a future release. ([!1996])
- In [`tor-keymgr`], rename `KeyInfoExtractor` to `KeyPathInfoExtractor`.
  ([bd85bffd0a388f57])
- In [`tor-keymgr`], rename `{to,from}_component()` to `{to,from}_slug()`.
  ([1040df929f643a2f])

### Onion service development

- Improve the key manager APIs. ([!1952], [#1115])
- Add more context to [`tor-hsrproxy`] configuration error messages. ([!1973])
- Design an API for vanguards. ([!1970])
- Make the descriptor publisher conform with the specification, by periodically
  republishing the hidden service descriptor.  This fixes a serious reachability
  bug. ([!1971], [#1241], [#1280])
- Rotate old introduction point relays even if they are not working.
  ([72c021555e1095f1])
- Expire old on-disk introduction point state. ([!1977], [!1982], [#1198])
- Expose `HsNickname::new`. ([f3720ac2c0f16883])
- Design the client and service configuration, and a CLI subcommand, for hidden
  service client authorization. ([!1987])
- Improve the ergonomics of our key listing and removal APIs. ([!1988], [#1271])
- Include the `ArtiPath` in key path errors. ([!1960], [#1115])
- Improve circuit error logging by including the process-unique identifier of
  the circuit in error messages. ([!2003], [#1297])
- Improve status reporting from onion services. ([!1966], [#1083])
- Design an API for bandwidth rate limiting. ([!1965])
- Improve descriptor publisher error reporting. ([!1991])
- Remove the client nickname from onion service client key specifiers. ([!1998],
  [#1283])
- When reconfiguring an onion service, reject any changes that are inappropriate
  or would put the service in a bad state. ([!1996], [#1209])
- Remove the keystore directory configuration option, pending design work
  relating to RPC and multi-user Arti. ([!1995], [#1202])
- Mark `onion-service-service` and every feature it depends on as
  non-experimental. ([!1993], [#1182])
- Fix a bug that prevented the descriptor publisher from fully processing the
  results of publish tasks, causing it to republish the descriptor unnecessarily
  in some circumstances. ([!1983])

### Other major new features in our Rust APIs

- [`tor-persist`] now provides new `state_dir` APIs for instance iteration and
  expiry needed for onion service state expiry.  ([!1968], [#1163])

### Documentation and examples

- Fix the casing of our recognized key paths. ([1a900081e945679e])
- Minor updates to the release process. ([!1959], [!1963])
- Fix typos in the [`tor-guardmgr`] README. ([!1980])
- Reword the [`tor-keymgr`] README for clarity. ([489a2555f28daa6d])
- Update onion service documentation. ([!1994], [#1287])
- Clarify the onion service configuration instructions from
  `doc/OnionService.md`, remove unsupported "unix:" example ([!1972], [#1266])

### Testing

- Improve replay log fork test. ([!1974], [!2010], [#1264])
- In the introduction point manager tests, avoid reusing the RNG seed.
  ([b515baf27f194470])
- Our [Shadow] CI tests now use the latest versions of `shadow` and `tgen`, and
  no longer pull `libigraph` from bullseye. ([!1958])
- Upgrade docker image for reproducible builds. ([!2016])
- Fix several tests on Windows. ([!2015])

### Cleanups, minor features, and bugfixes

- Allow overriding `cargo` in [`semver-checks`]. ([83c29b0d805f908e])
- Introduce a [`list_crates_publish`] script. ([b03e5d5e11c52faf])
- Fix compilation with musl. ([!1961], [#1264])
- Add `fixup-features` to the main workspace, make various improvements to
  `fixup-features`, `check_toposort`, `list_crates` ([!1969], [#1263])
- Use `std::default::Default` instead of [educe]'s `Default` in a number of
  places in preparation for the upgrade to educe 0.5. ([!1975], [#1257])
- Require the Fast and Stable flags as appropriate. ([!1976], [#1100])
- Refactor and improve error hinting in [`arti`] and [`arti-client`]. ([!1986],
  [#1165])
- Do not output ANSI escape codes when logging to file. ([!1999], [#1298])
- Upgrade our dependency on [curve25519-dalek] from 4.1.1 to 4.1.2 ([!2000])
- Upgrade to the latest versions of [event-listener], [rusqlite],
  [async-broadcast], [signature], [config]. ([!2001], [!2004], [!2451])
- Fix `ArtiPath` creation on Windows. ([!2012])
- Fix compilation and warnings on Windows. ([!2014], [!2009])
- Gate `RpcConfig` behind `rpc` feature. ([6c9e70e39ab279aa]])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Jim Newsome, Tobias Stoeckmann, and trinity-1686a.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!


# Arti 1.1.13 — 5 February 2024

Arti 1.1.13 continues work on support for running onion services.
You can now launch an onion service and expect it to run.

We have fixed a number of bugs.  The user experience is still not
great, and the onion-service-service feature is still experimental.
We have reorganised the on-disk state and key storage, to make it more
sensible; we hope (but don't promise!) it's now the final layout.
Don't rely on this onion service implementation for security yet;
there are a number of [missing security features]
we will need to develop before we can recommend them
for actual use.

See `doc/OnionService.md` for instructions and caveats.

### Breaking changes in lower-level crates

- [`tor-hsclient`]\: Replaced `HsClientKeyRole`,
  `HsClientSecretKeySpecifier` with `HsClientDescEncKeypairSpecifier`.
  Renamed `HsClientSpecifier` to `HsClientNickname`.
  ([!1864], [!1931])
- [`tor-hscrypto`]\: `AesOpeKey::encrypt` now takes a
  `SrvPeriodOffset`; Replaced `TimePeriodOffset` with
  `SrvPeriodOffset`; Removed `TimePeriod::offset_within_period`.
  ([!1904], [#1166])
- [`tor-netdir`]\: `hs_dirs_download` parameters changed;
  `hs_intro_*_lifetime` parameters renamed.
  ([!1903], [!1904], [#1254])

### Onion service development

- Complete overhaul of the way the hidden service code stores non-key
  persistent state.  Pathnames have changed as a result.
  ([!1853], [#1183], [!1941])
- Many improvements to keystore, key and `KeySpecifier` handling,
  including incompatible changes to on-disk key paths.
  ([!1864], [!1863], [!1883], [#1260], [!1949], [#1074], [!1948])
- Fix "service fails after approx 12 hours" bug.
  ([#1242], [!1901])
- Fix time period processing bugs including `HSS: "internal error"
  "current wallclock time not within TP?!"`.
  ([#1155], [#1166], [#1254], [!1903], [!1904], [!1914])
- Correctly rate-limit descriptor publication.
  ([!1951])
- Fixes to services shutdown.
  ([!1875], [!1895], [!1897], [#1236], [!1899], [!1917], [!1921])
- Improve error and corner case handling in descriptor publisher.
  ([!1861])
- Work on expiring keys: we expire descriptor keys now (although we
  don't actually properly delete all keys when we need to, yet).
  ([!1909])
- Only choose Stable relays for introduction points.
  ([!1884], [#1240], [#1211])
- Better handling of introduction point establishment failures.
  ([!1889], [!1915])
- Better handling of anomalous situations (including excessive
  requests) on introduction circuits.
  ([#1188], [#1189], [!1892], [!1916])
- Tolerate `INTRO_ESTABLISHED` messages with (unknown) extensions.
  ([!1898])
- Correct and improve various timing and tuning parameters.
  ([!1911], [!1924])
- Improve status reporting from hidden services.
  ([!1902])
- Public API of `tor-hsservice` crate overhauled.
  ([#1227], [#1220], [!1887])
- Mark lower-level hs-service features non-experimental.
  ([!1908])
- Defend against partial writes of introduction point replay log
  entries.
  ([!1920])
- Corrections to error handling, including to handling of introduction
  point failures, and attempts to launch the same service
  concurrently.
  ([!1906], [#1237], [#1225], [#1255])
- Detect and reject configurations with onion services, when
  onion-service-server support has been compiled out.
  ([!1885], [#1184])
- Temporarily disable parsing of AF_UNIX socket addresses (which
  aren't implemented right now anyway).
  ([!1886])
- Rate limit one log message, downgrade one, and remove another.
  ([!1871], [!1951])
- Add higher-level documentation to tor-hsservice (and fix a broken
  docs link).
  ([!1918], [!1945])
- Hide the `OnionServiceState` type.
  ([!1946], [#1261])
- Many internal cleanups including much triage of TODO comments in the code.
  ([!1859], [!1862], [!1861], [!1868], [!1866], [!1863], [!1870], [!1874])
  ([!1872], [!1869], [!1876] !1867 [!1873], [!1877], [!1878], [!1875])
  ([!1879], [!1882], [!1881], [!1880], [!1894], [!1888], [!1887], [!1896])
  ([!1864], [!1951])

### Other major new features in our Rust APIs

- New `fslock-guard` crate for on-disk lockfiles which can be deleted,
  and which have a Rust API that returns a guard object.
  [fslock!15](https://github.com/brunoczim/fslock/pull/15)
  !1900 !1910
- `tor-persist` has a `Slug` type which is used for nicknames, key
  paths, etc., un…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants