add support for tor (#369)

docs/MANUAL.md

 - Commands
 - Integrating with other software
     - HOPM
+    - ZNC
+    - Tor
 - Acknowledgements
 
 
 Versions of ZNC prior to 1.7 have a [bug](https://github.com/znc/znc/issues/1212) in their SASL implementation that renders them incompatible with Oragono. However, you should be able to authenticate from ZNC using its [NickServ](https://wiki.znc.in/Nickserv) module.
 
 
+## Tor
+
+Oragono has code support for adding an .onion address to an IRC server, or operating an IRC server as a Tor hidden service. This is subtle, so you should be familiar with the [Tor Project](https://www.torproject.org/) and the concept of a [hidden service](https://www.torproject.org/docs/tor-onion-service.html.en).
+
+There are two possible ways to serve Oragono over Tor. One is to add a .onion address to a server that also serves non-Tor clients, and whose IP address is public information. This is relatively straightforward. Add a separate listener, for example `127.0.0.2:6668`, to Oragono's `server.listen`, then add it to `server.tor-listeners.listeners`  Configure Tor like this:
+
+````
+HiddenServiceDir /var/lib/tor/oragono_hidden_service
+HiddenServicePort 6667 127.0.0.2:6668
+
+# these are optional, but can be used to speed up the circuits in the case
+# where the server's own IP is public information (clients will remain anonymous):
+HiddenServiceNonAnonymousMode 1
+HiddenServiceSingleHopMode 1
+````
+
+The second way is to run Oragono as a true hidden service, where the server's actual IP address is a secret. This requires hardening measures on the Oragono side:
+
+* Oragono should not accept any connections on its public interfaces. You should remove any listener that starts with the address of a public interface, or with `:`, which means "listen on all available interfaces". You should listen only on `127.0.0.1:6667` and a Unix domain socket such as `/hidden_service_sockets/oragono.sock`.
+* In this mode, it is especially important that all operator passwords are strong and all operators are trusted (operators have a larger attack surface to deanonymize the server).
+* Tor hidden services are at risk of being deanonymized if a client can trick the server into performing a non-Tor network request. Oragono should not perform any such requests (such as hostname resolution or ident lookups) in response to input received over a correctly configured Tor listener. However, Oragono has not been thoroughly audited against such deanonymization attacks --- therefore, Oragono should be deployed with additional sandboxing to protect against this:
+  * Oragono should run with no direct network connectivity, e.g., by running in its own Linux network namespace. systemd implements this with the [PrivateNetwork](https://www.freedesktop.org/software/systemd/man/systemd.exec.html) configuration option: add `PrivateNetwork=true` to Oragono's systemd unit file.
+  * Since the loopback adapters are local to a specific network namespace, Oragono must be configured to listen on a Unix domain socket that the Tor daemon can connect to. However, distributions typically package Tor with its own hardening profiles, which will restrict which sockets it can connect to. Below is a recipe for configuring this with the official Tor packages for Debian:
+
+1. Create a directory with `0777` permissions such as `/hidden_service_sockets`.
+1. Configure Oragono to listen on `/hidden_service_sockets/oragono.sock`, and add this socket to `server.tor-listeners.listeners`.
+1. Ensure that Oragono has no direct network access as described above, e.g., with `PrivateNetwork=true`.
+1. Next, modify Tor's apparmor profile so that it can connect to this socket, by adding the line `  /hidden_service_sockets/** rw,` to `/etc/apparmor.d/local/system_tor`.
+1. Finally, configure Tor with:
+
+````
+HiddenServiceDir /var/lib/tor/oragono_hidden_service
+HiddenServicePort 6667 unix:/hidden_service_sockets/oragono.sock
+# DO NOT enable HiddenServiceNonAnonymousMode
+````
+
+Instructions on how client software should connect to an .onion address are outside the scope of this manual. However:
+
+1. [Hexchat](https://hexchat.github.io/) is known to support .onion addresses, once it has been configured to use a local Tor daemon as a SOCKS proxy (Settings -> Preferences -> Network Setup -> Proxy Server).
+1. Pidgin should work with [torsocks](https://trac.torproject.org/projects/tor/wiki/doc/torsocks).
+
+
 --------------------------------------------------------------------------------------------
 
 

irc/client.go

 	idletimer          *IdleTimer
 	invitedTo          map[string]bool
 	isDestroyed        bool
+	isTor              bool
 	isQuitting         bool
 	languages          []string
 	loginThrottle      connection_limits.GenericThrottle
 	accountName        string
 }
 
-// NewClient sets up a new client and starts its goroutine.
-func NewClient(server *Server, conn net.Conn, isTLS bool) {
+// NewClient sets up a new client and runs its goroutine.
+func RunNewClient(server *Server, conn clientConn) {
 	now := time.Now()
 	config := server.Config()
 	fullLineLenLimit := config.Limits.LineLen.Tags + config.Limits.LineLen.Rest
-	socket := NewSocket(conn, fullLineLenLimit*2, config.Server.MaxSendQBytes)
+	socket := NewSocket(conn.Conn, fullLineLenLimit*2, config.Server.MaxSendQBytes)
 	client := &Client{
 		atime:        now,
 		capabilities: caps.NewSet(),
 		channels:     make(ChannelSet),
 		ctime:        now,
 		flags:        modes.NewModeSet(),
+		isTor:        conn.IsTor,
 		loginThrottle: connection_limits.GenericThrottle{
 			Duration: config.Accounts.LoginThrottling.Duration,
 			Limit:    config.Accounts.LoginThrottling.MaxAttempts,
 	}
 	client.languages = server.languages.Default()
 
-	remoteAddr := conn.RemoteAddr()
-	client.realIP = utils.AddrToIP(remoteAddr)
-	if client.realIP == nil {
-		server.logger.Error("internal", "bad remote address", remoteAddr.String())
-		return
-	}
 	client.recomputeMaxlens()
-	if isTLS {
-		client.SetMode(modes.TLS, true)
 
+	if conn.IsTLS {
+		client.SetMode(modes.TLS, true)
 		// error is not useful to us here anyways so we can ignore it
 		client.certfp, _ = client.socket.CertFP()
 	}
-	if config.Server.CheckIdent && !utils.AddrIsUnix(remoteAddr) {
-		_, serverPortString, err := net.SplitHostPort(conn.LocalAddr().String())
-		if err != nil {
-			server.logger.Error("internal", "bad server address", err.Error())
-			return
-		}
-		serverPort, _ := strconv.Atoi(serverPortString)
-		clientHost, clientPortString, err := net.SplitHostPort(conn.RemoteAddr().String())
-		if err != nil {
-			server.logger.Error("internal", "bad client address", err.Error())
-			return
+
+	if conn.IsTor {
+		client.SetMode(modes.TLS, true)
+		client.realIP = utils.IPv4LoopbackAddress
+		client.rawHostname = config.Server.TorListeners.Vhost
+	} else {
+		remoteAddr := conn.Conn.RemoteAddr()
+		client.realIP = utils.AddrToIP(remoteAddr)
+		// Set the hostname for this client
+		// (may be overridden by a later PROXY command from stunnel)
+		client.rawHostname = utils.LookupHostname(client.realIP.String())
+		if config.Server.CheckIdent && !utils.AddrIsUnix(remoteAddr) {
+			client.doIdentLookup(conn.Conn)
 		}
-		clientPort, _ := strconv.Atoi(clientPortString)
+	}
+
+	client.run()
+}
+
+func (client *Client) doIdentLookup(conn net.Conn) {
+	_, serverPortString, err := net.SplitHostPort(conn.LocalAddr().String())
+	if err != nil {
+		client.server.logger.Error("internal", "bad server address", err.Error())
+		return
+	}
+	serverPort, _ := strconv.Atoi(serverPortString)
+	clientHost, clientPortString, err := net.SplitHostPort(conn.RemoteAddr().String())
+	if err != nil {
+		client.server.logger.Error("internal", "bad client address", err.Error())
+		return
+	}
+	clientPort, _ := strconv.Atoi(clientPortString)
 
-		client.Notice(client.t("*** Looking up your username"))
-		resp, err := ident.Query(clientHost, serverPort, clientPort, IdentTimeoutSeconds)
+	client.Notice(client.t("*** Looking up your username"))
+	resp, err := ident.Query(clientHost, serverPort, clientPort, IdentTimeoutSeconds)
+	if err == nil {
+		err := client.SetNames(resp.Identifier, "", true)
 		if err == nil {
-			err := client.SetNames(resp.Identifier, "", true)
-			if err == nil {
-				client.Notice(client.t("*** Found your username"))
-				// we don't need to updateNickMask here since nickMask is not used for anything yet
-			} else {
-				client.Notice(client.t("*** Got a malformed username, ignoring"))
-			}
+			client.Notice(client.t("*** Found your username"))
+			// we don't need to updateNickMask here since nickMask is not used for anything yet
 		} else {
-			client.Notice(client.t("*** Could not find your username"))
+			client.Notice(client.t("*** Got a malformed username, ignoring"))
 		}
+	} else {
+		client.Notice(client.t("*** Could not find your username"))
 	}
-	go client.run()
 }
 
 func (client *Client) isAuthorized(config *Config) bool {
 	saslSent := client.account != ""
-	passRequirementMet := (config.Server.passwordBytes == nil) || client.sentPassCommand || (config.Accounts.SkipServerPassword && saslSent)
-	if !passRequirementMet {
+	// PASS requirement
+	if !((config.Server.passwordBytes == nil) || client.sentPassCommand || (config.Accounts.SkipServerPassword && saslSent)) {
 		return false
 	}
-	saslRequirementMet := !config.Accounts.RequireSasl.Enabled || saslSent || utils.IPInNets(client.IP(), config.Accounts.RequireSasl.exemptedNets)
-	return saslRequirementMet
+	// Tor connections may be required to authenticate with SASL
+	if config.Server.TorListeners.RequireSasl && !saslSent {
+		return false
+	}
+	// finally, enforce require-sasl
+	return !config.Accounts.RequireSasl.Enabled || saslSent || utils.IPInNets(client.IP(), config.Accounts.RequireSasl.exemptedNets)
 }
 
 func (client *Client) resetFakelag() {
 
 	client.resetFakelag()
 
-	// Set the hostname for this client
-	// (may be overridden by a later PROXY command from stunnel)
-	client.rawHostname = utils.LookupHostname(client.realIP.String())
-
 	firstLine := true
 
 	for {
 	}
 
 	// remove from connection limits
-	ipaddr := client.IP()
-	// this check shouldn't be required but eh
-	if ipaddr != nil {
-		client.server.connectionLimiter.RemoveClient(ipaddr)
+	if client.isTor {
+		client.server.torLimiter.RemoveClient()
+	} else {
+		client.server.connectionLimiter.RemoveClient(client.IP())
 	}
 
 	client.server.resumeManager.Delete(client)

irc/config.go

 	Cooldown          time.Duration
 }
 
+type TorListenersConfig struct {
+	Listeners                 []string
+	RequireSasl               bool `yaml:"require-sasl"`
+	Vhost                     string
+	MaxConnections            int           `yaml:"max-connections"`
+	ThrottleDuration          time.Duration `yaml:"throttle-duration"`
+	MaxConnectionsPerDuration int           `yaml:"max-connections-per-duration"`
+}
+
 // Config defines the overall configuration.
 type Config struct {
 	Network struct {
 		Listen               []string
 		UnixBindMode         os.FileMode                 `yaml:"unix-bind-mode"`
 		TLSListeners         map[string]*TLSListenConfig `yaml:"tls-listeners"`
+		TorListeners         TorListenersConfig          `yaml:"tor-listeners"`
 		STS                  STSConfig
 		CheckIdent           bool `yaml:"check-ident"`
 		MOTD                 string
 		config.History.ClientLength = 0
 	}
 
+	for _, listenAddress := range config.Server.TorListeners.Listeners {
+		found := false
+		for _, configuredListener := range config.Server.Listen {
+			if listenAddress == configuredListener {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return nil, fmt.Errorf("%s is configured as a Tor listener, but is not in server.listen", listenAddress)
+		}
+	}
+
 	return config, nil
 }

irc/connection_limits/tor.go

+// Copyright (c) 2019 Shivaram Lingamneni <slingamn@cs.stanford.edu>
+// released under the MIT license
+
+package connection_limits
+
+import (
+	"errors"
+	"sync"
+	"time"
+)
+
+var (
+	ErrLimitExceeded    = errors.New("too many concurrent connections")
+	ErrThrottleExceeded = errors.New("too many recent connection attempts")
+)
+
+// TorLimiter is a combined limiter and throttler for use on connections
+// proxied from a Tor hidden service (so we don't have meaningful IPs,
+// a notion of CIDR width, etc.)
+type TorLimiter struct {
+	sync.Mutex
+
+	numConnections int
+	maxConnections int
+	throttle       GenericThrottle
+}
+
+func (tl *TorLimiter) Configure(maxConnections int, duration time.Duration, maxConnectionsPerDuration int) {
+	tl.Lock()
+	defer tl.Unlock()
+	tl.maxConnections = maxConnections
+	tl.throttle.Duration = duration
+	tl.throttle.Limit = maxConnectionsPerDuration
+}
+
+func (tl *TorLimiter) AddClient() error {
+	tl.Lock()
+	defer tl.Unlock()
+
+	if tl.maxConnections != 0 && tl.maxConnections <= tl.numConnections {
+		return ErrLimitExceeded
+	}
+	throttled, _ := tl.throttle.Touch()
+	if throttled {
+		return ErrThrottleExceeded
+	}
+	tl.numConnections += 1
+	return nil
+}
+
+func (tl *TorLimiter) RemoveClient() {
+	tl.Lock()
+	tl.numConnections -= 1
+	tl.Unlock()
+}

irc/gateways.go

 
 // ApplyProxiedIP applies the given IP to the client.
 func (client *Client) ApplyProxiedIP(proxiedIP string, tls bool) (success bool) {
+	// PROXY and WEBIRC are never accepted from a Tor listener, even if the address itself
+	// is whitelisted:
+	if client.isTor {
+		return false
+	}
+
 	// ensure IP is sane
 	parsedProxiedIP := net.ParseIP(proxiedIP).To16()
 	if parsedProxiedIP == nil {

irc/getters.go

 	client.stateMutex.Unlock()
 }
 
+func (client *Client) RawHostname() (result string) {
+	client.stateMutex.Lock()
+	result = client.rawHostname
+	client.stateMutex.Unlock()
+	return
+}
+
 func (client *Client) AwayMessage() (result string) {
 	client.stateMutex.RLock()
 	result = client.awayMessage

irc/handlers.go

 	targets := strings.Split(msg.Params[0], ",")
 	message := msg.Params[1]
 
+	if client.isTor && isRestrictedCTCPMessage(message) {
+		rb.Add(nil, server.name, "NOTICE", client.t("CTCP messages are disabled over Tor"))
+		return false
+	}
+
 	// split privmsg
 	splitMsg := utils.MakeSplitMessage(message, !client.capabilities.Has(caps.MaxLine))
 
 			msgid := server.generateMessageID()
 			// restrict messages appropriately when +R is set
 			// intentionally make the sending user think the message went through fine
-			if !user.HasMode(modes.RegisteredOnly) || client.LoggedIntoAccount() {
+			allowedPlusR := !user.HasMode(modes.RegisteredOnly) || client.LoggedIntoAccount()
+			allowedTor := !user.isTor || !isRestrictedCTCPMessage(message)
+			if allowedPlusR && allowedTor {
 				user.SendSplitMsgFromClient(msgid, client, clientOnlyTags, "NOTICE", user.nick, splitMsg)
 			}
 			nickMaskString := client.NickMaskString()
 	return false
 }
 
+func isRestrictedCTCPMessage(message string) bool {
+	// block all CTCP privmsgs to Tor clients except for ACTION
+	// DCC can potentially be used for deanonymization, the others for fingerprinting
+	return strings.HasPrefix(message, "\x01") && !strings.HasPrefix(message, "\x01ACTION")
+}
+
 // PRIVMSG <target>{,<target>} <message>
 func privmsgHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *ResponseBuffer) bool {
 	clientOnlyTags := utils.GetClientOnlyTags(msg.Tags)
 	targets := strings.Split(msg.Params[0], ",")
 	message := msg.Params[1]
 
+	if client.isTor && isRestrictedCTCPMessage(message) {
+		rb.Add(nil, server.name, "NOTICE", client.t("CTCP messages are disabled over Tor"))
+		return false
+	}
+
 	// split privmsg
 	splitMsg := utils.MakeSplitMessage(message, !client.capabilities.Has(caps.MaxLine))
 
 			msgid := server.generateMessageID()
 			// restrict messages appropriately when +R is set
 			// intentionally make the sending user think the message went through fine
-			if !user.HasMode(modes.RegisteredOnly) || client.LoggedIntoAccount() {
+			allowedPlusR := !user.HasMode(modes.RegisteredOnly) || client.LoggedIntoAccount()
+			allowedTor := !user.isTor || !isRestrictedCTCPMessage(message)
+			if allowedPlusR && allowedTor {
 				user.SendSplitMsgFromClient(msgid, client, clientOnlyTags, "PRIVMSG", user.nick, splitMsg)
 			}
 			nickMaskString := client.NickMaskString()

irc/roleplay.go

 	if isAction {
 		message = fmt.Sprintf("\x01ACTION %s (%s)\x01", message, client.nick)
 	} else {
+		// block attempts to send CTCP messages to Tor clients
+		// TODO(#395) clean this up
+		if len(message) != 0 && message[0] == '\x01' {
+			return
+		}
 		message = fmt.Sprintf("%s (%s)", message, client.nick)
 	}
 

irc/server.go

 	"time"
 
 	"github.com/goshuirc/irc-go/ircfmt"
-	"github.com/goshuirc/irc-go/ircmsg"
 	"github.com/oragono/oragono/irc/caps"
 	"github.com/oragono/oragono/irc/connection_limits"
 	"github.com/oragono/oragono/irc/isupport"
 
 var (
 	// common error line to sub values into
-	errorMsg, _ = (&[]ircmsg.IrcMessage{ircmsg.MakeMessage(nil, "", "ERROR", "%s ")}[0]).Line()
-
-	// common error responses
-	couldNotParseIPMsg, _ = (&[]ircmsg.IrcMessage{ircmsg.MakeMessage(nil, "", "ERROR", "Unable to parse your IP address")}[0]).Line()
+	errorMsg = "ERROR :%s\r\n"
 
 	// supportedUserModesString acts as a cache for when we introduce users
 	supportedUserModesString = modes.SupportedUserModes.String()
 type ListenerWrapper struct {
 	listener   net.Listener
 	tlsConfig  *tls.Config
+	isTor      bool
 	shouldStop bool
 	// protects atomic update of tlsConfig and shouldStop:
 	configMutex sync.Mutex // tier 1
 	signals                chan os.Signal
 	snomasks               *SnoManager
 	store                  *buntdb.DB
+	torLimiter             connection_limits.TorLimiter
 	whoWas                 *WhoWasList
 	stats                  *Stats
 	semaphores             *ServerSemaphores
 type clientConn struct {
 	Conn  net.Conn
 	IsTLS bool
+	IsTor bool
 }
 
 // NewServer returns a new Oragono server.
 }
 
 func (server *Server) acceptClient(conn clientConn) {
-	// check IP address
-	ipaddr := utils.AddrToIP(conn.Conn.RemoteAddr())
-	if ipaddr != nil {
-		isBanned, banMsg := server.checkBans(ipaddr)
-		if isBanned {
-			// this might not show up properly on some clients, but our objective here is just to close the connection out before it has a load impact on us
-			conn.Conn.Write([]byte(fmt.Sprintf(errorMsg, banMsg)))
-			conn.Conn.Close()
-			return
-		}
+	var isBanned bool
+	var banMsg string
+	var ipaddr net.IP
+	if conn.IsTor {
+		ipaddr = utils.IPv4LoopbackAddress
+		isBanned, banMsg = server.checkTorLimits()
+	} else {
+		ipaddr = utils.AddrToIP(conn.Conn.RemoteAddr())
+		isBanned, banMsg = server.checkBans(ipaddr)
+	}
+
+	if isBanned {
+		// this might not show up properly on some clients, but our objective here is just to close the connection out before it has a load impact on us
+		conn.Conn.Write([]byte(fmt.Sprintf(errorMsg, banMsg)))
+		conn.Conn.Close()
+		return
 	}
 
 	server.logger.Info("localconnect-ip", fmt.Sprintf("Client connecting from %v", ipaddr))
-	// prolly don't need to alert snomasks on this, only on connection reg
 
-	NewClient(server, conn.Conn, conn.IsTLS)
+	go RunNewClient(server, conn)
 }
 
 func (server *Server) checkBans(ipaddr net.IP) (banned bool, message string) {
 	return false, ""
 }
 
+func (server *Server) checkTorLimits() (banned bool, message string) {
+	switch server.torLimiter.AddClient() {
+	case connection_limits.ErrLimitExceeded:
+		return true, "Too many clients from the Tor network"
+	case connection_limits.ErrThrottleExceeded:
+		return true, "Exceeded connection throttle for the Tor network"
+	default:
+		return false, ""
+	}
+}
+
 //
 // IRC protocol listeners
 //
 
 // createListener starts a given listener.
-func (server *Server) createListener(addr string, tlsConfig *tls.Config, bindMode os.FileMode) (*ListenerWrapper, error) {
+func (server *Server) createListener(addr string, tlsConfig *tls.Config, isTor bool, bindMode os.FileMode) (*ListenerWrapper, error) {
 	// make listener
 	var listener net.Listener
 	var err error
 	wrapper := ListenerWrapper{
 		listener:   listener,
 		tlsConfig:  tlsConfig,
+		isTor:      isTor,
 		shouldStop: false,
 	}
 
 			conn, err := listener.Accept()
 
 			// synchronously access config data:
-			// whether TLS is enabled and whether we should stop listening
 			wrapper.configMutex.Lock()
 			shouldStop = wrapper.shouldStop
 			tlsConfig = wrapper.tlsConfig
+			isTor = wrapper.isTor
 			wrapper.configMutex.Unlock()
 
 			if err == nil {
 				newConn := clientConn{
 					Conn:  conn,
 					IsTLS: tlsConfig != nil,
+					IsTor: isTor,
 				}
 				// hand off the connection
 				go server.acceptClient(newConn)
 		rb.Add(nil, client.server.name, RPL_WHOISOPERATOR, cnick, tnick, tOper.WhoisLine)
 	}
 	if client.HasMode(modes.Operator) || client == target {
-		rb.Add(nil, client.server.name, RPL_WHOISACTUALLY, cnick, tnick, fmt.Sprintf("%s@%s", target.username, utils.LookupHostname(target.IPString())), target.IPString(), client.t("Actual user@host, Actual IP"))
+		rb.Add(nil, client.server.name, RPL_WHOISACTUALLY, cnick, tnick, fmt.Sprintf("%s@%s", targetInfo.username, target.RawHostname()), target.IPString(), client.t("Actual user@host, Actual IP"))
 	}
 	if target.HasMode(modes.TLS) {
 		rb.Add(nil, client.server.name, RPL_WHOISSECURE, cnick, tnick, client.t("is using a secure connection"))
 		return err
 	}
 
+	tlConf := &config.Server.TorListeners
+	server.torLimiter.Configure(tlConf.MaxConnections, tlConf.ThrottleDuration, tlConf.MaxConnectionsPerDuration)
+
 	// reload logging config
 	wasLoggingRawIO := !initial && server.logger.IsLoggingRawIO()
 	err = server.logger.ApplyConfig(config.Logging)
 }
 
 func (server *Server) setupListeners(config *Config) (err error) {
-	logListener := func(addr string, tlsconfig *tls.Config) {
+	logListener := func(addr string, tlsconfig *tls.Config, isTor bool) {
 		server.logger.Info("listeners",
-			fmt.Sprintf("now listening on %s, tls=%t.", addr, (tlsconfig != nil)),
+			fmt.Sprintf("now listening on %s, tls=%t, tor=%t.", addr, (tlsconfig != nil), isTor),
 		)
 	}
 
 		return
 	}
 
+	isTorListener := func(listener string) bool {
+		for _, torListener := range config.Server.TorListeners.Listeners {
+			if listener == torListener {
+				return true
+			}
+		}
+		return false
+	}
+
 	// update or destroy all existing listeners
 	for addr := range server.listeners {
 		currentListener := server.listeners[addr]
 		// its next Accept(). this is like sending over a buffered channel of
 		// size 1, but where sending a second item overwrites the buffered item
 		// instead of blocking.
+		tlsConfig := tlsListeners[addr]
+		isTor := isTorListener(addr)
 		currentListener.configMutex.Lock()
 		currentListener.shouldStop = !stillConfigured
-		currentListener.tlsConfig = tlsListeners[addr]
+		currentListener.tlsConfig = tlsConfig
+		currentListener.isTor = isTor
 		currentListener.configMutex.Unlock()
 
 		if stillConfigured {
-			logListener(addr, currentListener.tlsConfig)
+			logListener(addr, tlsConfig, isTor)
 		} else {
 			// tell the listener it should stop by interrupting its Accept() call:
 			currentListener.listener.Close()
 		_, exists := server.listeners[newaddr]
 		if !exists {
 			// make new listener
+			isTor := isTorListener(newaddr)
 			tlsConfig := tlsListeners[newaddr]
-			listener, listenerErr := server.createListener(newaddr, tlsConfig, config.Server.UnixBindMode)
+			listener, listenerErr := server.createListener(newaddr, tlsConfig, isTor, config.Server.UnixBindMode)
 			if listenerErr != nil {
 				server.logger.Error("server", "couldn't listen on", newaddr, listenerErr.Error())
 				err = listenerErr
 				continue
 			}
 			server.listeners[newaddr] = listener
-			logListener(newaddr, tlsConfig)
+			logListener(newaddr, tlsConfig, isTor)
 		}
 	}
 

oragono.yaml

             key: tls.key
             cert: tls.crt
 
+    # tor listeners: designate listeners for use by a tor hidden service / .onion address
+    # WARNING: if you are running oragono as a pure hidden service, see the
+    # anonymization / hardening recommendations in docs/MANUAL.md
+    tor-listeners:
+        # any connections that come in on these listeners will be considered
+        # Tor connections. it is strongly recommended that these listeners *not*
+        # be on public interfaces: they should be on 127.0.0.0/8 or unix domain
+        listeners:
+        #    - "/tmp/oragono_tor_sock"
+
+        # if this is true, connections from Tor must authenticate with SASL
+        require-sasl: false
+
+        # what hostname should be displayed for Tor connections?
+        vhost: "tor-network.onion"
+
+        # allow at most this many connections at once (0 for no limit):
+        max-connections: 64
+
+        # connection throttling (limit how many connection attempts are allowed at once):
+        throttle-duration: 10m
+        # set to 0 to disable throttling:
+        max-connections-per-duration: 64
+
     # strict transport security, to get clients to automagically use TLS
     sts:
         # whether to advertise STS