mirror
/
oragono
spegling av https://github.com/oragono/oragono
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Släpp 69 Wiki Aktiviteter
Bläddra i källkod

fix #1428 

Tor listeners should never see an STS cap.

Add an undocumented 'hide-sts' key for listeners that hides the STS cap.
This can be used if the listener is secured at layer 3 or 4 (VPNs,
E2E mixnets). It will be necessary to add the relevant IPs to `secure-nets`.
tags/v2.5.0-rc1
Shivaram Lingamneni 3 år sedan
förälder
23a7221137
incheckning
7bdbb01238
4 ändrade filer med 13 tillägg och 0 borttagningar
Delad Vy Visa Diff Statistik
  1. 2
    0
      irc/client.go
  2. 8
    0
      irc/config.go
  3. 2
    0
      irc/handlers.go
  4. 1
    0
      irc/utils/proxy.go

+ 2
- 0
irc/client.go Visa fil 

@@ -159,6 +159,7 @@ type Session struct {
159 159 
 	proxiedIP   net.IP
160 160 
 	rawHostname string
161 161 
 	isTor       bool
162 
+	hideSTS     bool
162 163
163 164 
 	fakelag              Fakelag
164 165 
 	deferredFakelagCount int
 
@@ -376,6 +377,7 @@ func (server *Server) RunClient(conn IRCConn) {
376 377 
 		realIP:     realIP,
377 378 
 		proxiedIP:  proxiedIP,
378 379 
 		isTor:      wConn.Config.Tor,
380 
+		hideSTS:    wConn.Config.Tor || wConn.Config.HideSTS,
379 381 
 	}
380 382 
 	client.sessions = []*Session{session}
381 383

+ 8
- 0
irc/config.go Visa fil 

@@ -59,6 +59,7 @@ type listenerConfigBlock struct {
59 59 
 	Tor       bool
60 60 
 	STSOnly   bool `yaml:"sts-only"`
61 61 
 	WebSocket bool
62 
+	HideSTS   bool `yaml:"hide-sts"`
62 63 
 }
63 64
64 65 
 type PersistentStatus uint
 
@@ -532,6 +533,7 @@ type Config struct {
532 533 
 		SecureNetDefs            []string                        `yaml:"secure-nets"`
533 534 
 		secureNets               []net.IPNet
534 535 
 		supportedCaps            *caps.Set
536 
+		supportedCapsWithoutSTS  *caps.Set
535 537 
 		capValues                caps.Values
536 538 
 		Casemapping              Casemapping
537 539 
 		EnforceUtf8              bool         `yaml:"enforce-utf8"`
 
@@ -834,6 +836,7 @@ func (conf *Config) prepareListeners() (err error) {
834 836 
 		}
835 837 
 		lconf.RequireProxy = block.TLS.Proxy || block.Proxy
836 838 
 		lconf.WebSocket = block.WebSocket
839 
+		lconf.HideSTS = block.HideSTS
837 840 
 		conf.Server.trueListeners[addr] = lconf
838 841 
 	}
839 842 
 	return nil
 
@@ -1371,6 +1374,11 @@ func LoadConfig(filename string) (config *Config, err error) {
1371 1374 
 		return nil, fmt.Errorf("failed to prepare listeners: %v", err)
1372 1375 
 	}
1373 1376
1377 
+	// #1428: Tor listeners should never see STS
1378 
+	config.Server.supportedCapsWithoutSTS = caps.NewSet()
1379 
+	config.Server.supportedCapsWithoutSTS.Union(config.Server.supportedCaps)
1380 
+	config.Server.supportedCapsWithoutSTS.Disable(caps.STS)
1381 
+
1374 1382 
 	return config, nil
1375 1383 
 }
1376 1384

+ 2
- 0
irc/handlers.go Visa fil 

@@ -442,6 +442,8 @@ func capHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Respo
442 442 
 	supportedCaps := config.Server.supportedCaps
443 443 
 	if client.isSTSOnly {
444 444 
 		supportedCaps = stsOnlyCaps
445 
+	} else if rb.session.hideSTS {
446 
+		supportedCaps = config.Server.supportedCapsWithoutSTS
445 447 
 	}
446 448
447 449 
 	badCaps := false

+ 1
- 0
irc/utils/proxy.go Visa fil 

@@ -54,6 +54,7 @@ type ListenerConfig struct {
54 54 
 	Tor       bool
55 55 
 	STSOnly   bool
56 56 
 	WebSocket bool
57 
+	HideSTS   bool
57 58 
 }
58 59
59 60 
 // read a PROXY header (either v1 or v2), ensuring we don't read anything beyond

Write Förhandsgranska
Laddar…
Avbryt
Spara