mirror
/
oragono
kopia lustrzana https://github.com/oragono/oragono
Obserwuj 1
Gwiazdka 0
Forkuj 0
Kod Problemy 0 Wydania 69 Wiki Aktywność
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2348 Commity
21 Gałęzie
Drzewo: 0880f20f4b
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z '0880f20f4b'
${ noResults }
oragono/irc/gateways.go

gateways.go 4.6KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161 
  1. // Copyright (c) 2012-2014 Jeremy Latt

  2. // Copyright (c) 2014-2015 Edmund Huber

  3. // Copyright (c) 2017 Daniel Oaks <daniel@danieloaks.net>

  4. // released under the MIT license

  5. 

  6. package irc

  7. 

  8. import (

  9. 	"errors"

  10. 	"fmt"

  11. 	"net"

  12. 	"strings"

  13. 	"time"

  14. 

  15. 	"github.com/oragono/oragono/irc/modes"

  16. 	"github.com/oragono/oragono/irc/utils"

  17. )

  18. 

  19. var (

  20. 	errBadGatewayAddress = errors.New("PROXY/WEBIRC commands are not accepted from this IP address")

  21. 	errBadProxyLine      = errors.New("Invalid PROXY/WEBIRC command")

  22. )

  23. 

  24. const (

  25. 	// https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

  26. 	// "a 108-byte buffer is always enough to store all the line and a trailing zero

  27. 	// for string processing."

  28. 	maxProxyLineLen = 107

  29. )

  30. 

  31. type webircConfig struct {

  32. 	PasswordString string `yaml:"password"`

  33. 	Password       []byte `yaml:"password-bytes"`

  34. 	Fingerprint    string

  35. 	Hosts          []string

  36. 	allowedNets    []net.IPNet

  37. }

  38. 

  39. // Populate fills out our password or fingerprint.

  40. func (wc *webircConfig) Populate() (err error) {

  41. 	if wc.Fingerprint == "" && wc.PasswordString == "" {

  42. 		return ErrNoFingerprintOrPassword

  43. 	}

  44. 

  45. 	if wc.PasswordString != "" {

  46. 		wc.Password, err = decodeLegacyPasswordHash(wc.PasswordString)

  47. 	}

  48. 

  49. 	if err == nil {

  50. 		wc.allowedNets, err = utils.ParseNetList(wc.Hosts)

  51. 	}

  52. 

  53. 	return err

  54. }

  55. 

  56. // ApplyProxiedIP applies the given IP to the client.

  57. func (client *Client) ApplyProxiedIP(session *Session, proxiedIP string, tls bool) (err error, quitMsg string) {

  58. 	// PROXY and WEBIRC are never accepted from a Tor listener, even if the address itself

  59. 	// is whitelisted:

  60. 	if client.isTor {

  61. 		return errBadProxyLine, ""

  62. 	}

  63. 

  64. 	// ensure IP is sane

  65. 	parsedProxiedIP := net.ParseIP(proxiedIP).To16()

  66. 	if parsedProxiedIP == nil {

  67. 		return errBadProxyLine, fmt.Sprintf(client.t("Proxied IP address is not valid: [%s]"), proxiedIP)

  68. 	}

  69. 

  70. 	isBanned, banMsg := client.server.checkBans(parsedProxiedIP)

  71. 	if isBanned {

  72. 		return errBanned, banMsg

  73. 	}

  74. 	// successfully added a limiter entry for the proxied IP;

  75. 	// remove the entry for the real IP if applicable (#197)

  76. 	client.server.connectionLimiter.RemoveClient(session.realIP)

  77. 

  78. 	// given IP is sane! override the client's current IP

  79. 	ipstring := parsedProxiedIP.String()

  80. 	client.server.logger.Info("localconnect-ip", "Accepted proxy IP for client", ipstring)

  81. 	rawHostname := utils.LookupHostname(ipstring)

  82. 	cloakedHostname := client.server.Config().Server.Cloaks.ComputeCloak(parsedProxiedIP)

  83. 

  84. 	client.stateMutex.Lock()

  85. 	defer client.stateMutex.Unlock()

  86. 	client.proxiedIP = parsedProxiedIP

  87. 	client.rawHostname = rawHostname

  88. 	session.proxiedIP = parsedProxiedIP

  89. 	session.rawHostname = rawHostname

  90. 	client.cloakedHostname = cloakedHostname

  91. 	// nickmask will be updated when the client completes registration

  92. 	// set tls info

  93. 	client.certfp = ""

  94. 	client.SetMode(modes.TLS, tls)

  95. 

  96. 	return nil, ""

  97. }

  98. 

  99. // handle the PROXY command: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

  100. // PROXY must be sent as the first message in the session and has the syntax:

  101. // PROXY TCP[46] SOURCEIP DESTIP SOURCEPORT DESTPORT\r\n

  102. // unfortunately, an ipv6 SOURCEIP can start with a double colon; in this case,

  103. // the message is invalid IRC and can't be parsed normally, hence the special handling.

  104. func handleProxyCommand(server *Server, client *Client, session *Session, line string) (err error) {

  105. 	var quitMsg string

  106. 	defer func() {

  107. 		if err != nil {

  108. 			if quitMsg == "" {

  109. 				quitMsg = client.t("Bad or unauthorized PROXY command")

  110. 			}

  111. 			client.Quit(quitMsg, session)

  112. 		}

  113. 	}()

  114. 

  115. 	params := strings.Fields(line)

  116. 	if len(params) != 6 {

  117. 		return errBadProxyLine

  118. 	}

  119. 

  120. 	if utils.IPInNets(client.realIP, server.Config().Server.proxyAllowedFromNets) {

  121. 		// assume PROXY connections are always secure

  122. 		err, quitMsg = client.ApplyProxiedIP(session, params[2], true)

  123. 		return

  124. 	} else {

  125. 		// real source IP is not authorized to issue PROXY:

  126. 		return errBadGatewayAddress

  127. 	}

  128. }

  129. 

  130. // read a PROXY line one byte at a time, to ensure we don't read anything beyond

  131. // that into a buffer, which would break the TLS handshake

  132. func readRawProxyLine(conn net.Conn) (result string) {

  133. 	// normally this is covered by ping timeouts, but we're doing this outside

  134. 	// of the normal client goroutine:

  135. 	conn.SetDeadline(time.Now().Add(time.Minute))

  136. 	defer conn.SetDeadline(time.Time{})

  137. 

  138. 	var buf [maxProxyLineLen]byte

  139. 	oneByte := make([]byte, 1)

  140. 	i := 0

  141. 	for i < maxProxyLineLen {

  142. 		n, err := conn.Read(oneByte)

  143. 		if err != nil {

  144. 			return

  145. 		} else if n == 1 {

  146. 			buf[i] = oneByte[0]

  147. 			if buf[i] == '\n' {

  148. 				candidate := string(buf[0 : i+1])

  149. 				if strings.HasPrefix(candidate, "PROXY") {

  150. 					return candidate

  151. 				} else {

  152. 					return

  153. 				}

  154. 			}

  155. 			i += 1

  156. 		}

  157. 	}

  158. 

  159. 	// no \r\n, fail out

  160. 	return

  161. }