mirror
/
oragono
mirror of https://github.com/oragono/oragono
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 66 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5277 Commits
19 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
oragono/irc/gateways.go

gateways.go 4.1KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141 
  1. // Copyright (c) 2012-2014 Jeremy Latt

  2. // Copyright (c) 2014-2015 Edmund Huber

  3. // Copyright (c) 2017 Daniel Oaks <daniel@danieloaks.net>

  4. // released under the MIT license

  5. 

  6. package irc

  7. 

  8. import (

  9. 	"errors"

  10. 	"net"

  11. 

  12. 	"github.com/ergochat/ergo/irc/flatip"

  13. 	"github.com/ergochat/ergo/irc/modes"

  14. 	"github.com/ergochat/ergo/irc/utils"

  15. )

  16. 

  17. var (

  18. 	errBadGatewayAddress = errors.New("PROXY/WEBIRC commands are not accepted from this IP address")

  19. 	errBadProxyLine      = errors.New("Invalid PROXY/WEBIRC command")

  20. )

  21. 

  22. const (

  23. 	// https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

  24. 	// "a 108-byte buffer is always enough to store all the line and a trailing zero

  25. 	// for string processing."

  26. 	maxProxyLineLen = 107

  27. )

  28. 

  29. type webircConfig struct {

  30. 	PasswordString string  `yaml:"password"`

  31. 	Password       []byte  `yaml:"password-bytes"`

  32. 	Fingerprint    *string // legacy name for certfp, #1050

  33. 	Certfp         string

  34. 	Hosts          []string

  35. 	AcceptHostname bool `yaml:"accept-hostname"`

  36. 	allowedNets    []net.IPNet

  37. }

  38. 

  39. // Populate fills out our password or fingerprint.

  40. func (wc *webircConfig) Populate() (err error) {

  41. 	if wc.PasswordString != "" {

  42. 		wc.Password, err = decodeLegacyPasswordHash(wc.PasswordString)

  43. 		if err != nil {

  44. 			return

  45. 		}

  46. 	}

  47. 

  48. 	certfp := wc.Certfp

  49. 	if certfp == "" && wc.Fingerprint != nil {

  50. 		certfp = *wc.Fingerprint

  51. 	}

  52. 	if certfp != "" {

  53. 		wc.Certfp, err = utils.NormalizeCertfp(certfp)

  54. 	}

  55. 	if err != nil {

  56. 		return

  57. 	}

  58. 

  59. 	if wc.Certfp == "" && wc.PasswordString == "" {

  60. 		return errors.New("webirc block has no certfp or password specified")

  61. 	}

  62. 

  63. 	wc.allowedNets, err = utils.ParseNetList(wc.Hosts)

  64. 	return err

  65. }

  66. 

  67. // ApplyProxiedIP applies the given IP to the client.

  68. func (client *Client) ApplyProxiedIP(session *Session, proxiedIP net.IP, tls bool) (err error, quitMsg string) {

  69. 	// PROXY and WEBIRC are never accepted from a Tor listener, even if the address itself

  70. 	// is whitelisted. Furthermore, don't accept PROXY or WEBIRC if we already accepted

  71. 	// a proxied IP from any source (PROXY, WEBIRC, or X-Forwarded-For):

  72. 	if session.isTor || session.proxiedIP != nil {

  73. 		return errBadProxyLine, ""

  74. 	}

  75. 

  76. 	// ensure IP is sane

  77. 	if proxiedIP == nil {

  78. 		return errBadProxyLine, "proxied IP is not valid"

  79. 	}

  80. 	proxiedIP = proxiedIP.To16()

  81. 

  82. 	isBanned, requireSASL, banMsg := client.server.checkBans(client.server.Config(), proxiedIP, true)

  83. 	if isBanned {

  84. 		return errBanned, banMsg

  85. 	}

  86. 	client.requireSASL = requireSASL

  87. 	if requireSASL {

  88. 		client.requireSASLMessage = banMsg

  89. 	}

  90. 	// successfully added a limiter entry for the proxied IP;

  91. 	// remove the entry for the real IP if applicable (#197)

  92. 	client.server.connectionLimiter.RemoveClient(flatip.FromNetIP(session.realIP))

  93. 

  94. 	// given IP is sane! override the client's current IP

  95. 	client.server.logger.Info("connect-ip", "Accepted proxy IP for client", proxiedIP.String())

  96. 

  97. 	client.stateMutex.Lock()

  98. 	defer client.stateMutex.Unlock()

  99. 	client.proxiedIP = proxiedIP

  100. 	session.proxiedIP = proxiedIP

  101. 	// nickmask will be updated when the client completes registration

  102. 	// set tls info

  103. 	session.certfp = ""

  104. 	session.peerCerts = nil

  105. 	client.SetMode(modes.TLS, tls)

  106. 

  107. 	return nil, ""

  108. }

  109. 

  110. // handle the PROXY command: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

  111. // PROXY must be sent as the first message in the session and has the syntax:

  112. // PROXY TCP[46] SOURCEIP DESTIP SOURCEPORT DESTPORT\r\n

  113. // unfortunately, an ipv6 SOURCEIP can start with a double colon; in this case,

  114. // the message is invalid IRC and can't be parsed normally, hence the special handling.

  115. func handleProxyCommand(server *Server, client *Client, session *Session, line string) (err error) {

  116. 	var quitMsg string

  117. 	defer func() {

  118. 		if err != nil {

  119. 			if quitMsg == "" {

  120. 				quitMsg = client.t("Bad or unauthorized PROXY command")

  121. 			}

  122. 			client.Quit(quitMsg, session)

  123. 		}

  124. 	}()

  125. 

  126. 	ip, err := utils.ParseProxyLineV1(line)

  127. 	if err != nil {

  128. 		return err

  129. 	} else if ip == nil {

  130. 		return nil

  131. 	}

  132. 

  133. 	if utils.IPInNets(client.realIP, server.Config().Server.proxyAllowedFromNets) {

  134. 		// assume PROXY connections are always secure

  135. 		err, quitMsg = client.ApplyProxiedIP(session, ip, true)

  136. 		return

  137. 	} else {

  138. 		// real source IP is not authorized to issue PROXY:

  139. 		return errBadGatewayAddress

  140. 	}

  141. }