
fix #1428

Tor listeners should never see an STS cap.

Add an undocumented 'hide-sts' key for listeners that hides the STS cap.
This can be used if the listener is secured at layer 3 or 4 (VPNs,
E2E mixnets). It will be necessary to add the relevant IPs to `secure-nets`.
Shivaram Lingamneni 3 år sedan
förälder
incheckning
7bdbb01238
4 ändrade filer med 13 tillägg och 0 borttagningar
  1. 2
    0
      irc/client.go
  2. 8
    0
      irc/config.go
  3. 2
    0
      irc/handlers.go
  4. 1
    0
      irc/utils/proxy.go

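--- a/irc/client.go
+++ b/irc/client.go
@@ -159,6 +159,7 @@ type Session struct {
 	proxiedIP   net.IP
 	rawHostname string
 	isTor       bool
+	hideSTS     bool
 
 	fakelag              Fakelag
 	deferredFakelagCount int
@@ -376,6 +377,7 @@ func (server *Server) RunClient(conn IRCConn) {
 		realIP:     realIP,
 		proxiedIP:  proxiedIP,
 		isTor:      wConn.Config.Tor,
+		hideSTS:    wConn.Config.Tor || wConn.Config.HideSTS,
 	}
 	client.sessions = []*Session{session}
 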
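Review bot: The new `hideSTS` field on Session carries no comment, and because RunClient derives it as `wConn.Config.Tor || wConn.Config.HideSTS`, a reader of the struct cannot tell that it is a superset of `isTor` rather than a mirror of the `hide-sts` key alone. Suggest `// hideSTS: the STS cap is withheld from this session (Tor listener, or a listener with hide-sts set)` on the field. The Session struct and RunClient both continue outside the hunks shown.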
 

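--- a/irc/config.go
+++ b/irc/config.go
@@ -59,6 +59,7 @@ type listenerConfigBlock struct {
 	Tor       bool
 	STSOnly   bool `yaml:"sts-only"`
 	WebSocket bool
+	HideSTS   bool `yaml:"hide-sts"`
 }
 
 type PersistentStatus uint
@@ -532,6 +533,7 @@ type Config struct {
 		SecureNetDefs            []string                        `yaml:"secure-nets"`
 		secureNets               []net.IPNet
 		supportedCaps            *caps.Set
+		supportedCapsWithoutSTS  *caps.Set
 		capValues                caps.Values
 		Casemapping              Casemapping
 		EnforceUtf8              bool         `yaml:"enforce-utf8"`
@@ -834,6 +836,7 @@ func (conf *Config) prepareListeners() (err error) {
 		}
 		lconf.RequireProxy = block.TLS.Proxy || block.Proxy
 		lconf.WebSocket = block.WebSocket
+		lconf.HideSTS = block.HideSTS
 		conf.Server.trueListeners[addr] = lconf
 	}
 	return nil
@@ -1371,6 +1374,11 @@ func LoadConfig(filename string) (config *Config, err error) {
 		return nil, fmt.Errorf("failed to prepare listeners: %v", err)
 	}
 
+	// #1428: Tor listeners should never see STS
+	config.Server.supportedCapsWithoutSTS = caps.NewSet()
+	config.Server.supportedCapsWithoutSTS.Union(config.Server.supportedCaps)
+	config.Server.supportedCapsWithoutSTS.Disable(caps.STS)
+
 	return config, nil
 }
 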
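Review bot: The `HideSTS` field added to listenerConfigBlock is undocumented in code as well as in the docs, yet the commit message states that hiding STS is only appropriate when the listener is secured below the IRC layer and its addresses are listed in `secure-nets`; the prepareListeners hunk copies the flag with `lconf.HideSTS = block.HideSTS` and nothing visible checks or warns about that prerequisite. Suggest `// HideSTS suppresses the STS cap on this listener; only appropriate when the listener is secured at layer 3/4 and its addresses are in secure-nets (#1428)` on the field, and consider a startup warning in prepareListeners when hide-sts is set on a non-Tor listener, since a plaintext listener that hides STS silently loses the TLS-upgrade signal. In LoadConfig the comment `// #1428: Tor listeners should never see STS` describes the motivation but not the construction; `// supportedCapsWithoutSTS is supportedCaps minus STS, precomputed so capHandler can select a set per session` would say why a second set exists. Whether `Union` copies or aliases the source set is not visible on this page; if it aliases, the `Disable` call would also affect supportedCaps, so that is worth confirming. prepareListeners and LoadConfig both extend outside the hunks shown.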
 

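--- a/irc/handlers.go
+++ b/irc/handlers.go
@@ -442,6 +442,8 @@ func capHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Respo
 	supportedCaps := config.Server.supportedCaps
 	if client.isSTSOnly {
 		supportedCaps = stsOnlyCaps
+	} else if rb.session.hideSTS {
+		supportedCaps = config.Server.supportedCapsWithoutSTS
 	}
 
 	badCaps := false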
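Review bot: The `else if rb.session.hideSTS` branch is ordered after `client.isSTSOnly`, so a listener configured with both `sts-only` and `hide-sts` still advertises STS; if that combination is meant to be invalid, it should be rejected in prepareListeners rather than resolved silently here, and a one-line comment such as `// sts-only wins over hide-sts: an STS-only listener exists solely to advertise STS` would make the precedence deliberate. The substitution of `supportedCapsWithoutSTS` happens only in capHandler, so if STS is surfaced to a session by any other path (for example a cap-notify CAP NEW after a rehash), that path would need the same `hideSTS` check — this is inferred from the hunk, not verified. capHandler continues outside the hunk shown.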

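--- a/irc/utils/proxy.go
+++ b/irc/utils/proxy.go
@@ -54,6 +54,7 @@ type ListenerConfig struct {
 	Tor       bool
 	STSOnly   bool
 	WebSocket bool
+	HideSTS   bool
 }
 
 // read a PROXY header (either v1 or v2), ensuring we don't read anything beyond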
