Diffstat (limited to 'src/app')
-rw-r--r-- | src/app/config/config.c | 48 | ||||
-rw-r--r-- | src/app/config/fallback_dirs.inc | 2 | ||||
-rw-r--r-- | src/app/config/or_options_st.h | 29 | ||||
-rw-r--r-- | src/app/include.am | 2 | ||||
-rw-r--r-- | src/app/main/main.c | 42 | ||||
-rw-r--r-- | src/app/main/subsystem_list.c | 2 |
6 files changed, 69 insertions, 56 deletions
diff --git a/src/app/config/config.c b/src/app/config/config.c
index fa74907b3d..1e4d18116c 100644
--- a/src/app/config/config.c
+++ b/src/app/config/config.c
@@ -428,19 +428,6 @@ static const config_var_t option_vars_[] = {
 V(DormantTimeoutDisabledByIdleStreams, BOOL, "1"),
 V(DormantOnFirstStartup, BOOL, "0"),
 V(DormantCanceledByStartup, BOOL, "0"),
- /* DoS circuit creation options. */
- V(DoSCircuitCreationEnabled, AUTOBOOL, "auto"),
- V(DoSCircuitCreationMinConnections, POSINT, "0"),
- V(DoSCircuitCreationRate, POSINT, "0"),
- V(DoSCircuitCreationBurst, POSINT, "0"),
- V(DoSCircuitCreationDefenseType, INT, "0"),
- V(DoSCircuitCreationDefenseTimePeriod, INTERVAL, "0"),
- /* DoS connection options. */
- V(DoSConnectionEnabled, AUTOBOOL, "auto"),
- V(DoSConnectionMaxConcurrentCount, POSINT, "0"),
- V(DoSConnectionDefenseType, INT, "0"),
- /* DoS single hop client options. */
- V(DoSRefuseSingleHopClientRendezvous, AUTOBOOL, "auto"),
 V(DownloadExtraInfo, BOOL, "0"),
 V(TestingEnableConnBwEvent, BOOL, "0"),
 V(TestingEnableCellStatsEvent, BOOL, "0"),
@@ -2466,6 +2453,7 @@ static const struct {
 .command=CMD_DUMP_CONFIG,
 .quiet=QUIET_SILENT },
 { .name="--list-fingerprint",
+ .takes_argument=ARGUMENT_OPTIONAL,
 .command=CMD_LIST_FINGERPRINT },
 { .name="--keygen",
 .command=CMD_KEYGEN },
@@ -2584,8 +2572,11 @@ config_parse_commandline(int argc, char **argv, int ignore_errors)
 parsed_cmdline_free(result);
 return NULL;
 }
- } else if (want_arg == ARGUMENT_OPTIONAL && is_last) {
+ } else if (want_arg == ARGUMENT_OPTIONAL &&
+ /* optional arguments may never start with '-'. */
+ (is_last || argv[i+1][0] == '-')) {
 arg = tor_strdup("");
+ want_arg = ARGUMENT_NONE; // prevent skipping the next flag.
 } else {
 arg = (want_arg != ARGUMENT_NONE) ? tor_strdup(argv[i+1]) :
 tor_strdup("");
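Review bot: The `argv[i+1][0] == '-'` read added to config_parse_commandline is in bounds only because `is_last ||` is evaluated first, and nothing in the condition records that dependency; a comment such as `/* is_last is tested first, so argv[i+1] is only read when it exists */` would keep a later reordering from turning this into a read past the end of argv (assuming is_last marks the final index; it is set outside this hunk). The rule also applies to every flag marked ARGUMENT_OPTIONAL, not only `--list-fingerprint` from the preceding hunk, so an optional value that begins with '-' is now always taken as the next flag, which is worth stating where the option table is documented. The trailing `// prevent skipping the next flag.` uses a line comment while the comment added two lines above uses `/* */`. The function starts and ends outside the hunk.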
@@ -3274,7 +3265,7 @@ options_validate_cb(const void *old_options_, void *options_, char **msg)
 }
 #else /* defined(HAVE_SYS_UN_H) */
 if (options->ControlSocketsGroupWritable && !options->ControlSocket) {
- *msg = tor_strdup("Setting ControlSocketGroupWritable without setting "
+ *msg = tor_strdup("Setting ControlSocketsGroupWritable without setting "
 "a ControlSocket makes no sense.");
 return -1;
 }
@@ -4317,6 +4308,7 @@ find_torrc_filename(const config_line_t *cmd_arg,
 const config_line_t *p_index;
 const char *fname_opt = defaults_file ? "--defaults-torrc" : "-f";
 const char *ignore_opt = defaults_file ? NULL : "--ignore-missing-torrc";
+ const char *keygen_opt = "--keygen";
 if (defaults_file)
 *ignore_missing_torrc = 1;
@@ -4338,7 +4330,8 @@ find_torrc_filename(const config_line_t *cmd_arg,
 }
 *using_default_fname = 0;
- } else if (ignore_opt && !strcmp(p_index->key,ignore_opt)) {
+ } else if ((ignore_opt && !strcmp(p_index->key, ignore_opt)) ||
+ (keygen_opt && !strcmp(p_index->key, keygen_opt))) {
 *ignore_missing_torrc = 1;
 }
 }
@@ -4485,6 +4478,25 @@ options_init_from_torrc(int argc, char **argv)
 if (config_line_find(cmdline_only_options, "--version")) {
 printf("Tor version %s.\n",get_version());
+ printf("Tor is running on %s with Libevent %s, "
+ "%s %s, Zlib %s, Liblzma %s, Libzstd %s and %s %s as libc.\n",
+ get_uname(),
+ tor_libevent_get_version_str(),
+ crypto_get_library_name(),
+ crypto_get_library_version_string(),
+ tor_compress_supports_method(ZLIB_METHOD) ?
+ tor_compress_version_str(ZLIB_METHOD) : "N/A",
+ tor_compress_supports_method(LZMA_METHOD) ?
+ tor_compress_version_str(LZMA_METHOD) : "N/A",
+ tor_compress_supports_method(ZSTD_METHOD) ?
+ tor_compress_version_str(ZSTD_METHOD) : "N/A",
+ tor_libc_get_name() ?
+ tor_libc_get_name() : "Unknown",
+ tor_libc_get_version_str());
+ printf("Tor compiled with %s version %s\n",
+ strcmp(COMPILER_VENDOR, "gnu") == 0?
+ COMPILER:COMPILER_VENDOR, COMPILER_VERSION);
+
 return 1;
 }
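Review bot: The `keygen_opt &&` test added in find_torrc_filename is always true, because `keygen_opt` is initialised to the literal "--keygen" in the hunk at -4317 and is not reassigned in the visible lines; unlike `ignore_opt` it can never be NULL, so the operand can be just `!strcmp(p_index->key, keygen_opt)`. The same branch makes `--keygen` set `*ignore_missing_torrc = 1` with no comment giving the reason. If a missing file named with `-f` is then skipped quietly (the code that consumes the flag is outside these hunks), key generation could proceed under default settings instead of the intended configuration, so the branch should carry a comment stating why a missing torrc is acceptable for this command. The function starts and ends outside both hunks.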
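Review bot: In the `--version` output added to options_init_from_torrc, `tor_libc_get_name()` is checked for NULL before being passed to `%s`, but `tor_libc_get_version_str()` on the following line is passed unchecked. If that function can return NULL when the libc is not recognised (its definition is not in this hunk), the printf has undefined behaviour; guarding it the same way, `tor_libc_get_version_str() ? tor_libc_get_version_str() : "N/A"`, removes the doubt. The conversion count does match the argument list (nine `%s`, nine arguments). The second printf would read more easily as `strcmp(COMPILER_VENDOR, "gnu") == 0 ? COMPILER : COMPILER_VENDOR`, spaced like the ternaries above it.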
@@ -4801,7 +4813,7 @@ addressmap_register_auto(const char *from, const char *to,
 }
 addressmap_register(from, tor_strdup(to), expires, addrmap_source,
- from_wildcard, to_wildcard);
+ from_wildcard, to_wildcard, 0);
 return 0;
 }
@@ -6030,7 +6042,7 @@ port_parse_config(smartlist_t *out,
 tor_free(addrtmp);
 } else {
 /* Try parsing integer port before address, because, who knows?
- "9050" might be a valid address. */
+ * "9050" might be a valid address. */
 port = (int) tor_parse_long(addrport, 10, 0, 65535, &ok, NULL);
 if (ok) {
 tor_addr_copy(&addr, &default_addr);
diff --git a/src/app/config/fallback_dirs.inc b/src/app/config/fallback_dirs.inc
index a7ef39bb96..83834890ce 100644
--- a/src/app/config/fallback_dirs.inc
+++ b/src/app/config/fallback_dirs.inc
@@ -354,6 +354,7 @@ URL: https:onionoo.torproject.orguptime?typerelay&first_seen_days90-&last_seen_d
 /* ===== */
 ,
 "193.11.114.45:9031 orport=9002 id=80AAF8D5956A43C197104CEF2550CD42D165C6FB"
+" ipv6=[2001:6b0:30:1000::100]:9050"
 /* nickname=mdfnet2 */
 /* extrainfo=0 */
 /* ===== */
@@ -552,6 +553,7 @@ URL: https:onionoo.torproject.orguptime?typerelay&first_seen_days90-&last_seen_d
 /* ===== */
 ,
 "193.11.114.46:9032 orport=9003 id=B83DC1558F0D34353BB992EF93AFEAFDB226A73E"
+" ipv6=[2001:6b0:30:1000::101]:9050"
 /* nickname=mdfnet3 */
 /* extrainfo=0 */
 /* ===== */
diff --git a/src/app/config/or_options_st.h b/src/app/config/or_options_st.h
index 4364f145ed..714034b28d 100644
--- a/src/app/config/or_options_st.h
+++ b/src/app/config/or_options_st.h
@@ -1031,35 +1031,6 @@ struct or_options_t {
 */
 int DisableSignalHandlers;
- /** Autobool: Is the circuit creation DoS mitigation subsystem enabled? */
- int DoSCircuitCreationEnabled;
- /** Minimum concurrent connection needed from one single address before any
- * defense is used. */
- int DoSCircuitCreationMinConnections;
- /** Circuit rate used to refill the token bucket. */
- int DoSCircuitCreationRate;
- /** Maximum allowed burst of circuits. Reaching that value, the address is
- * detected as malicious and a defense might be used. */
- int DoSCircuitCreationBurst;
- /** When an address is marked as malicious, what defense should be used
- * against it. See the dos_cc_defense_type_t enum. */
- int DoSCircuitCreationDefenseType;
- /** For how much time (in seconds) the defense is applicable for a malicious
- * address. A random time delta is added to the defense time of an address
- * which will be between 1 second and half of this value. */
- int DoSCircuitCreationDefenseTimePeriod;
-
- /** Autobool: Is the DoS connection mitigation subsystem enabled? */
- int DoSConnectionEnabled;
- /** Maximum concurrent connection allowed per address. */
- int DoSConnectionMaxConcurrentCount;
- /** When an address is reaches the maximum count, what defense should be
- * used against it. See the dos_conn_defense_type_t enum. */
- int DoSConnectionDefenseType;
-
- /** Autobool: Do we refuse single hop client rendezvous? */
- int DoSRefuseSingleHopClientRendezvous;
-
 /** Interval: how long without activity does it take for a client
 * to become dormant?
 **/
diff --git a/src/app/include.am b/src/app/include.am
index 8bb315fff1..2e2180deca 100644
--- a/src/app/include.am
+++ b/src/app/include.am
@@ -28,7 +28,7 @@ src_app_tor_cov_SOURCES = $(src_app_tor_SOURCES)
 src_app_tor_cov_CPPFLAGS = $(AM_CPPFLAGS) $(TEST_CPPFLAGS)
 src_app_tor_cov_CFLAGS = $(AM_CFLAGS) $(TEST_CFLAGS)
 src_app_tor_cov_LDFLAGS = @TOR_LDFLAGS_zlib@ $(TOR_LDFLAGS_CRYPTLIB) \
- @TOR_LDFLAGS_libevent@ @TOR_STATIC_LDFALGS@
+ @TOR_LDFLAGS_libevent@ @TOR_STATIC_LDFLAGS@
 src_app_tor_cov_LDADD = src/test/libtor-testing.a \
 @TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ @TOR_LIBEVENT_LIBS@ $(TOR_LIBS_CRYPTLIB) \
 @TOR_LIB_WS32@ @TOR_LIB_IPHLPAPI@ @TOR_LIB_SHLWAPI@ @TOR_LIB_GDI@ \
diff --git a/src/app/main/main.c b/src/app/main/main.c
index 589d365add..e7ffb31b4f 100644
--- a/src/app/main/main.c
+++ b/src/app/main/main.c
@@ -58,6 +58,7 @@
 #include "feature/stats/rephist.h"
 #include "lib/compress/compress.h"
 #include "lib/buf/buffers.h"
+#include "lib/crypt_ops/crypto_format.h"
 #include "lib/crypt_ops/crypto_rand.h"
 #include "lib/crypt_ops/crypto_s2k.h"
 #include "lib/net/resolve.h"
@@ -735,29 +736,52 @@ tor_remove_file(const char *filename)
 static int
 do_list_fingerprint(void)
 {
- char buf[FINGERPRINT_LEN+1];
+ const or_options_t *options = get_options();
+ const char *arg = options->command_arg;
+ char rsa[FINGERPRINT_LEN + 1];
 crypto_pk_t *k;
- const char *nickname = get_options()->Nickname;
+ const ed25519_public_key_t *edkey;
+ const char *nickname = options->Nickname;
 sandbox_disable_getaddrinfo_cache();
- if (!server_mode(get_options())) {
+
+ bool show_rsa = !strcmp(arg, "") || !strcmp(arg, "rsa");
+ bool show_ed25519 = !strcmp(arg, "ed25519");
+ if (!show_rsa && !show_ed25519) {
+ log_err(LD_GENERAL,
+ "If you give a key type, you must specify 'rsa' or 'ed25519'. Exiting.");
+ return -1;
+ }
+
+ if (!server_mode(options)) {
 log_err(LD_GENERAL,
 "Clients don't have long-term identity keys. Exiting.");
 return -1;
 }
 tor_assert(nickname);
 if (init_keys() < 0) {
- log_err(LD_GENERAL,"Error initializing keys; exiting.");
+ log_err(LD_GENERAL, "Error initializing keys; exiting.");
 return -1;
 }
 if (!(k = get_server_identity_key())) {
- log_err(LD_GENERAL,"Error: missing identity key.");
+ log_err(LD_GENERAL, "Error: missing RSA identity key.");
+ return -1;
+ }
+ if (crypto_pk_get_fingerprint(k, rsa, 1) < 0) {
+ log_err(LD_BUG, "Error computing RSA fingerprint");
 return -1;
 }
- if (crypto_pk_get_fingerprint(k, buf, 1)<0) {
- log_err(LD_BUG, "Error computing fingerprint");
+ if (!(edkey = get_master_identity_key())) {
+ log_err(LD_GENERAL,"Error: missing ed25519 identity key.");
 return -1;
 }
- printf("%s %s\n", nickname, buf);
+ if (show_rsa) {
+ printf("%s %s\n", nickname, rsa);
+ }
+ if (show_ed25519) {
+ char ed25519[ED25519_BASE64_LEN + 1];
+ digest256_to_base64(ed25519, (const char *) edkey->pubkey);
+ printf("%s %s\n", nickname, ed25519);
+ }
 return 0;
 }
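Review bot: `arg` is passed to strcmp() three times at the top of do_list_fingerprint with no NULL check, while `nickname`, read from the same options struct, gets `tor_assert(nickname)`. Whether `options->command_arg` can be NULL on this path is decided outside the hunk, so either add `tor_assert(arg);` before the first strcmp or initialise it as `const char *arg = options->command_arg ? options->command_arg : "";`. Separately, both identity keys are fetched and checked before either is printed, so a request for only the RSA fingerprint still fails with "missing ed25519 identity key" when that key alone is unavailable; moving each lookup under its `show_rsa` / `show_ed25519` branch avoids that if it is not intended. The new ed25519 `log_err(LD_GENERAL,"Error: ...` call also lacks the space after the comma that this hunk adds to the neighbouring calls.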
@@ -1080,6 +1104,7 @@ sandbox_init_filter(void)
 OPEN_DATADIR2_SUFFIX("stats", "buffer-stats", ".tmp");
 OPEN_DATADIR2_SUFFIX("stats", "conn-stats", ".tmp");
 OPEN_DATADIR2_SUFFIX("stats", "hidserv-stats", ".tmp");
+ OPEN_DATADIR2_SUFFIX("stats", "hidserv-v3-stats", ".tmp");
 OPEN_DATADIR("approved-routers");
 OPEN_DATADIR_SUFFIX("fingerprint", ".tmp");
@@ -1105,6 +1130,7 @@ sandbox_init_filter(void)
 RENAME_SUFFIX2("stats", "buffer-stats", ".tmp");
 RENAME_SUFFIX2("stats", "conn-stats", ".tmp");
 RENAME_SUFFIX2("stats", "hidserv-stats", ".tmp");
+ RENAME_SUFFIX2("stats", "hidserv-v3-stats", ".tmp");
 RENAME_SUFFIX("hashed-fingerprint", ".tmp");
 RENAME_SUFFIX("router-stability", ".tmp");
diff --git a/src/app/main/subsystem_list.c b/src/app/main/subsystem_list.c
index cb79909e69..4b417f57e2 100644
--- a/src/app/main/subsystem_list.c
+++ b/src/app/main/subsystem_list.c
@@ -14,6 +14,7 @@
 #include "lib/cc/torint.h"
 #include "core/mainloop/mainloop_sys.h"
+#include "core/or/dos_sys.h"
 #include "core/or/or_sys.h"
 #include "feature/control/btrack_sys.h"
 #include "lib/compress/compress_sys.h"
@@ -64,6 +65,7 @@ const subsys_fns_t *tor_subsystems[] = {
 &sys_mainloop,
 &sys_or,
+ &sys_dos,
 &sys_relay,
 &sys_hs, |