fix #1428
Tor listeners should never see an STS cap. Add an undocumented 'hide-sts' key for listeners that hides the STS cap. This can be used if the listener is secured at layer 3 or 4 (VPNs, E2E mixnets). It will be necessary to add the relevant IPs to `secure-nets`.
This commit is contained in:
parent
23a7221137
commit
7bdbb01238
@ -159,6 +159,7 @@ type Session struct {
|
||||
proxiedIP net.IP
|
||||
rawHostname string
|
||||
isTor bool
|
||||
hideSTS bool
|
||||
|
||||
fakelag Fakelag
|
||||
deferredFakelagCount int
|
||||
@ -376,6 +377,7 @@ func (server *Server) RunClient(conn IRCConn) {
|
||||
realIP: realIP,
|
||||
proxiedIP: proxiedIP,
|
||||
isTor: wConn.Config.Tor,
|
||||
hideSTS: wConn.Config.Tor || wConn.Config.HideSTS,
|
||||
}
|
||||
client.sessions = []*Session{session}
|
||||
|
||||
|
@ -59,6 +59,7 @@ type listenerConfigBlock struct {
|
||||
Tor bool
|
||||
STSOnly bool `yaml:"sts-only"`
|
||||
WebSocket bool
|
||||
HideSTS bool `yaml:"hide-sts"`
|
||||
}
|
||||
|
||||
type PersistentStatus uint
|
||||
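Review bot: The new `HideSTS` field carries a precondition that only the commit message states — hiding STS is safe only when the listener's clients are already covered by `secure-nets` — and nothing in the code records it. A doc comment on the field would keep that coupling visible to the next maintainer, e.g. `// HideSTS suppresses the STS cap on this listener (yaml key hide-sts). Only appropriate when the listener is secured by other means and its client IPs are listed in secure-nets.` The same applies to the mirrored `HideSTS` field in `ListenerConfig` in the last hunk.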
@ -532,6 +533,7 @@ type Config struct {
|
||||
SecureNetDefs []string `yaml:"secure-nets"`
|
||||
secureNets []net.IPNet
|
||||
supportedCaps *caps.Set
|
||||
supportedCapsWithoutSTS *caps.Set
|
||||
capValues caps.Values
|
||||
Casemapping Casemapping
|
||||
EnforceUtf8 bool `yaml:"enforce-utf8"`
|
||||
@ -834,6 +836,7 @@ func (conf *Config) prepareListeners() (err error) {
|
||||
}
|
||||
lconf.RequireProxy = block.TLS.Proxy || block.Proxy
|
||||
lconf.WebSocket = block.WebSocket
|
||||
lconf.HideSTS = block.HideSTS
|
||||
conf.Server.trueListeners[addr] = lconf
|
||||
}
|
||||
return nil
|
||||
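Review bot: `hide-sts` and `sts-only` can both be set on the same listener, and nothing in prepareListeners rejects the combination; in the capHandler hunk `client.isSTSOnly` is tested first, so `hide-sts` is then silently ignored. Since the two options are contradictory (an sts-only listener exists only to advertise STS), rejecting the pair at load time would be clearer than dropping it at runtime: `if block.STSOnly && block.HideSTS {` / `return fmt.Errorf("listener %s: sts-only and hide-sts are mutually exclusive", addr)` / `}`, placed before the assignment to `lconf.HideSTS` (this assumes `addr`, the map key on the following line, is a string; `fmt.Errorf` is already used by LoadConfig in this file). prepareListeners starts outside the hunk.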
@ -1371,6 +1374,11 @@ func LoadConfig(filename string) (config *Config, err error) {
|
||||
return nil, fmt.Errorf("failed to prepare listeners: %v", err)
|
||||
}
|
||||
|
||||
// #1428: Tor listeners should never see STS
|
||||
config.Server.supportedCapsWithoutSTS = caps.NewSet()
|
||||
config.Server.supportedCapsWithoutSTS.Union(config.Server.supportedCaps)
|
||||
config.Server.supportedCapsWithoutSTS.Disable(caps.STS)
|
||||
|
||||
return config, nil
|
||||
}
|
||||
|
||||
|
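Review bot: The comment `// #1428: Tor listeners should never see STS` undersells what the set is now used for: in RunClient `hideSTS` is also set from the new `hide-sts` listener option, so the set serves any listener that hides STS. Suggest `// #1428: Tor listeners, and listeners with hide-sts, must never see STS; this set is supportedCaps minus STS.` It is also worth noting in that comment that `supportedCapsWithoutSTS` is a snapshot taken here — if `supportedCaps` is ever mutated after LoadConfig (not visible in this diff), the two sets would drift apart.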
@ -442,6 +442,8 @@ func capHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Respo
|
||||
supportedCaps := config.Server.supportedCaps
|
||||
if client.isSTSOnly {
|
||||
supportedCaps = stsOnlyCaps
|
||||
} else if rb.session.hideSTS {
|
||||
supportedCaps = config.Server.supportedCapsWithoutSTS
|
||||
}
|
||||
|
||||
badCaps := false
|
||||
|
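Review bot: The `hideSTS` check is applied only where `supportedCaps` is selected for this CAP command, so it covers CAP LS and, presumably via the `badCaps` validation below, CAP REQ; if the server advertises capability changes to existing sessions anywhere else — for instance a CAP NEW/DEL notification after a rehash, if one exists — that path would need the same `rb.session.hideSTS` test or STS could still reach a Tor session. A one-line comment here naming the invariant would help, e.g. `// sessions with hideSTS (Tor or hide-sts listeners) must never be shown STS, see #1428`. capHandler continues outside the hunk.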
@ -54,6 +54,7 @@ type ListenerConfig struct {
|
||||
Tor bool
|
||||
STSOnly bool
|
||||
WebSocket bool
|
||||
HideSTS bool
|
||||
}
|
||||
|
||||
// read a PROXY header (either v1 or v2), ensuring we don't read anything beyond
|
||||
|