GitHub/ergo
3
0
Fork 0
mirror of https://github.com/ergochat/ergo.git synced 2025-02-17 14:10:39 +01:00
Code Issues Projects Releases Wiki Activity

fix #774

Browse Source 
Don't advertise sasl=EXTERNAL to clients who aren't connected over native TLS,
since even if they have TLS configured locally and they enable a client
certificate, that information will be discarded by the reverse proxy.
This commit is contained in:
Shivaram Lingamneni 2022-05-06 13:09:09 -04:00
parent a13235880c
commit 05eaf3a0d8
3 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
irc/client.go
View File

@ -195,6 +195,15 @@ type MultilineBatch struct {
tags map[string]string tags map[string]string
} }
// is this session connected in a way that could, in principle, allow certfp authentication?
// see #774
func (s *Session) IsCertFPCapable() bool {
conn := s.socket.conn.UnderlyingConn()
// no client certs on websockets:
// https://bugs.chromium.org/p/chromium/issues/detail?id=329884
return conn.Config.TLSConfig != nil && !conn.Config.WebSocket
}
// Starts a multiline batch, failing if there's one already open // Starts a multiline batch, failing if there's one already open
func (s *Session) StartMultilineBatch(label, target, responseLabel string, tags map[string]string) (err error) { func (s *Session) StartMultilineBatch(label, target, responseLabel string, tags map[string]string) (err error) {
if s.batch.label != "" { if s.batch.label != "" {

6
irc/config.go
View File

@ -591,6 +591,7 @@ type Config struct {
supportedCaps *caps.Set supportedCaps *caps.Set
supportedCapsWithoutSTS *caps.Set supportedCapsWithoutSTS *caps.Set
capValues caps.Values capValues caps.Values
capValuesNoExternal caps.Values
Casemapping Casemapping Casemapping Casemapping
EnforceUtf8 bool `yaml:"enforce-utf8"` EnforceUtf8 bool `yaml:"enforce-utf8"`
OutputPath string `yaml:"output-path"` OutputPath string `yaml:"output-path"`
@ -1388,7 +1389,7 @@ func LoadConfig(filename string) (config *Config, err error) {
config.Accounts.VHosts.validRegexp = defaultValidVhostRegex config.Accounts.VHosts.validRegexp = defaultValidVhostRegex
} }
saslCapValue := "PLAIN,EXTERNAL,SCRAM-SHA-256" saslCapValue := "PLAIN,SCRAM-SHA-256,EXTERNAL"
// TODO(#1782) clean this up: // TODO(#1782) clean this up:
if !config.Accounts.AdvertiseSCRAM { if !config.Accounts.AdvertiseSCRAM {
saslCapValue = "PLAIN,EXTERNAL" saslCapValue = "PLAIN,EXTERNAL"
@ -1544,6 +1545,9 @@ func LoadConfig(filename string) (config *Config, err error) {
config.Server.supportedCapsWithoutSTS.Union(config.Server.supportedCaps) config.Server.supportedCapsWithoutSTS.Union(config.Server.supportedCaps)
config.Server.supportedCapsWithoutSTS.Disable(caps.STS) config.Server.supportedCapsWithoutSTS.Disable(caps.STS)
config.Server.capValuesNoExternal = utils.CopyMap(config.Server.capValues)
config.Server.capValuesNoExternal[caps.SASL] = strings.TrimSuffix(saslCapValue, ",EXTERNAL")
return config, nil return config, nil
} }

6
irc/handlers.go
View File

@ -591,7 +591,11 @@ func capHandler(server *Server, client *Client, msg ircmsg.Message, rb *Response
rb.session.capVersion = newVersion rb.session.capVersion = newVersion
} }
} }
sendCapLines(supportedCaps, config.Server.capValues) capValues := config.Server.capValues
if !rb.session.IsCertFPCapable() {
capValues = config.Server.capValuesNoExternal
}
sendCapLines(supportedCaps, capValues)
case "LIST": case "LIST":
// values not sent on LIST // values not sent on LIST