1 files changed, 58 insertions, 26 deletions

diff --git a/src/app/main/main.c b/src/app/main/main.c
index 5043caedb6..838e129d04 100644
--- a/src/app/main/main.c
+++ b/src/app/main/main.c
@@ -1,7 +1,7 @@
 /* Copyright (c) 2001 Matej Pfajfar.
  * Copyright (c) 2001-2004, Roger Dingledine.
  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
- * Copyright (c) 2007-2020, The Tor Project, Inc. */
+ * Copyright (c) 2007-2021, The Tor Project, Inc. */
 /* See LICENSE for licensing information */
 
 /**
@@ -27,6 +27,8 @@
 #include "core/or/channel.h"
 #include "core/or/channelpadding.h"
 #include "core/or/circuitpadding.h"
+#include "core/or/congestion_control_common.h"
+#include "core/or/congestion_control_flow.h"
 #include "core/or/circuitlist.h"
 #include "core/or/command.h"
 #include "core/or/connection_or.h"
@@ -44,6 +46,7 @@
 #include "feature/dirparse/routerparse.h"
 #include "feature/hibernate/hibernate.h"
 #include "feature/hs/hs_dos.h"
+#include "feature/hs/hs_service.h"
 #include "feature/nodelist/authcert.h"
 #include "feature/nodelist/networkstatus.h"
 #include "feature/nodelist/routerlist.h"
@@ -51,13 +54,12 @@
 #include "feature/relay/ext_orport.h"
 #include "feature/relay/routerkeys.h"
 #include "feature/relay/routermode.h"
-#include "feature/rend/rendcache.h"
-#include "feature/rend/rendservice.h"
 #include "feature/stats/predict_ports.h"
 #include "feature/stats/bwhist.h"
 #include "feature/stats/rephist.h"
 #include "lib/compress/compress.h"
 #include "lib/buf/buffers.h"
+#include "lib/crypt_ops/crypto_format.h"
 #include "lib/crypt_ops/crypto_rand.h"
 #include "lib/crypt_ops/crypto_s2k.h"
 #include "lib/net/resolve.h"
@@ -100,12 +102,6 @@
 #include <systemd/sd-daemon.h>
 #endif /* defined(HAVE_SYSTEMD) */
 
-#ifdef HAVE_RUST
-// helper function defined in Rust to output a log message indicating if tor is
-// running with Rust enabled. See src/rust/tor_util
-void rust_log_welcome_string(void);
-#endif
-
 /********* PROTOTYPES **********/
 
 static void dumpmemusage(int severity);
@@ -309,7 +305,7 @@ process_win32_console_ctrl(DWORD ctrl_type)
   activate_signal(SIGINT);
   return TRUE;
 }
-#endif
+#endif /* defined(_WIN32) */
 
 /**
  * Write current memory usage information to the log.
@@ -425,7 +421,6 @@ dumpstats(int severity)
   dumpmemusage(severity);
 
   rep_hist_dump_stats(now,severity);
-  rend_service_dump_stats(severity);
   hs_service_dump_stats(severity);
 }
 
@@ -515,7 +510,7 @@ handle_signals(void)
      * to handle control signals like Ctrl+C in the console, we can use this to
      * simulate the SIGINT signal */
     if (enabled) SetConsoleCtrlHandler(process_win32_console_ctrl, TRUE);
-#endif
+#endif /* defined(_WIN32) */
 }
 
 /* Cause the signal handler for signal_num to be called in the event loop. */
@@ -551,7 +546,6 @@ tor_init(int argc, char *argv[])
   rep_hist_init();
   bwhist_init();
   /* Initialize the service cache. */
-  rend_cache_init();
   addressmap_init(); /* Init the client dns cache. Do it always, since it's
                       * cheap. */
 
@@ -611,10 +605,6 @@ tor_init(int argc, char *argv[])
     tor_compress_log_init_warnings();
   }
 
-#ifdef HAVE_RUST
-  rust_log_welcome_string();
-#endif /* defined(HAVE_RUST) */
-
   /* Warn _if_ the tracing subsystem is built in. */
   tracing_log_warning();
 
@@ -632,6 +622,8 @@ tor_init(int argc, char *argv[])
    * until we get a consensus */
   channelpadding_new_consensus_params(NULL);
   circpad_new_consensus_params(NULL);
+  congestion_control_new_consensus_params(NULL);
+  flow_control_new_consensus_params(NULL);
 
   /* Initialize circuit padding to defaults+torrc until we get a consensus */
   circpad_machines_init();
@@ -734,29 +726,52 @@ tor_remove_file(const char *filename)
 static int
 do_list_fingerprint(void)
 {
-  char buf[FINGERPRINT_LEN+1];
+  const or_options_t *options = get_options();
+  const char *arg = options->command_arg;
+  char rsa[FINGERPRINT_LEN + 1];
   crypto_pk_t *k;
-  const char *nickname = get_options()->Nickname;
+  const ed25519_public_key_t *edkey;
+  const char *nickname = options->Nickname;
   sandbox_disable_getaddrinfo_cache();
-  if (!server_mode(get_options())) {
+
+  bool show_rsa = !strcmp(arg, "") || !strcmp(arg, "rsa");
+  bool show_ed25519 = !strcmp(arg, "ed25519");
+  if (!show_rsa && !show_ed25519) {
+    log_err(LD_GENERAL,
+      "If you give a key type, you must specify 'rsa' or 'ed25519'. Exiting.");
+    return -1;
+  }
+
+  if (!server_mode(options)) {
     log_err(LD_GENERAL,
             "Clients don't have long-term identity keys. Exiting.");
     return -1;
   }
   tor_assert(nickname);
   if (init_keys() < 0) {
-    log_err(LD_GENERAL,"Error initializing keys; exiting.");
+    log_err(LD_GENERAL, "Error initializing keys; exiting.");
     return -1;
   }
   if (!(k = get_server_identity_key())) {
-    log_err(LD_GENERAL,"Error: missing identity key.");
+    log_err(LD_GENERAL, "Error: missing RSA identity key.");
     return -1;
   }
-  if (crypto_pk_get_fingerprint(k, buf, 1)<0) {
-    log_err(LD_BUG, "Error computing fingerprint");
+  if (crypto_pk_get_fingerprint(k, rsa, 1) < 0) {
+    log_err(LD_BUG, "Error computing RSA fingerprint");
     return -1;
   }
-  printf("%s %s\n", nickname, buf);
+  if (!(edkey = get_master_identity_key())) {
+    log_err(LD_GENERAL,"Error: missing ed25519 identity key.");
+    return -1;
+  }
+  if (show_rsa) {
+    printf("%s %s\n", nickname, rsa);
+  }
+  if (show_ed25519) {
+    char ed25519[ED25519_BASE64_LEN + 1];
+    digest256_to_base64(ed25519, (const char *) edkey->pubkey);
+    printf("%s %s\n", nickname, ed25519);
+  }
   return 0;
 }
 
@@ -907,8 +922,11 @@ sandbox_init_filter(void)
   if (options->BridgeAuthoritativeDir)
     OPEN_DATADIR_SUFFIX("networkstatus-bridges", ".tmp");
 
-  if (authdir_mode(options))
+  if (authdir_mode(options)) {
     OPEN_DATADIR("approved-routers");
+    OPEN_DATADIR_SUFFIX("my-consensus-microdesc", ".tmp");
+    OPEN_DATADIR_SUFFIX("my-consensus-ns", ".tmp");
+  }
 
   if (options->ServerDNSResolvConfFile)
     sandbox_cfg_allow_open_filename(&cfg,
@@ -986,6 +1004,11 @@ sandbox_init_filter(void)
   if (options->BridgeAuthoritativeDir)
     RENAME_SUFFIX("networkstatus-bridges", ".tmp");
 
+  if (authdir_mode(options)) {
+    RENAME_SUFFIX("my-consensus-microdesc", ".tmp");
+    RENAME_SUFFIX("my-consensus-ns", ".tmp");
+  }
+
 #define STAT_DATADIR(name)                      \
   sandbox_cfg_allow_stat_filename(&cfg, get_datadir_fname(name))
 
@@ -1091,6 +1114,7 @@ sandbox_init_filter(void)
     OPEN_DATADIR2_SUFFIX("stats", "buffer-stats", ".tmp");
     OPEN_DATADIR2_SUFFIX("stats", "conn-stats", ".tmp");
     OPEN_DATADIR2_SUFFIX("stats", "hidserv-stats", ".tmp");
+    OPEN_DATADIR2_SUFFIX("stats", "hidserv-v3-stats", ".tmp");
 
     OPEN_DATADIR("approved-routers");
     OPEN_DATADIR_SUFFIX("fingerprint", ".tmp");
@@ -1116,6 +1140,7 @@ sandbox_init_filter(void)
     RENAME_SUFFIX2("stats", "buffer-stats", ".tmp");
     RENAME_SUFFIX2("stats", "conn-stats", ".tmp");
     RENAME_SUFFIX2("stats", "hidserv-stats", ".tmp");
+    RENAME_SUFFIX2("stats", "hidserv-v3-stats", ".tmp");
     RENAME_SUFFIX("hashed-fingerprint", ".tmp");
     RENAME_SUFFIX("router-stability", ".tmp");
 
@@ -1320,6 +1345,13 @@ tor_run_main(const tor_main_configuration_t *tor_cfg)
   pubsub_connect();
 
   if (get_options()->Sandbox && get_options()->command == CMD_RUN_TOR) {
+#ifdef ENABLE_FRAGILE_HARDENING
+    log_warn(LD_CONFIG, "Sandbox is enabled but this Tor was built using "
+             "fragile compiler hardening. The sandbox may be unable to filter "
+             "requests to open files and directories and its overall "
+             "effectiveness will be reduced.");
+#endif
+
     sandbox_cfg_t* cfg = sandbox_init_filter();
 
     if (sandbox_init(cfg)) {