Tor listeners should never see an STS cap.

Add an undocumented 'hide-sts' key for listeners that hides the STS cap.
This can be used if the listener is secured at layer 3 or 4 (VPNs,
E2E mixnets). It will be necessary to add the relevant IPs to `secure-nets`.
This commit is contained in:
Shivaram Lingamneni 2020-12-05 23:06:23 -05:00
parent 23a7221137
commit 7bdbb01238
4 changed files with 13 additions and 0 deletions


@ -159,6 +159,7 @@ type Session struct {
proxiedIP net.IP proxiedIP net.IP
rawHostname string rawHostname string
isTor bool isTor bool
hideSTS bool
fakelag Fakelag fakelag Fakelag
deferredFakelagCount int deferredFakelagCount int
@ -376,6 +377,7 @@ func (server *Server) RunClient(conn IRCConn) {
realIP: realIP, realIP: realIP,
proxiedIP: proxiedIP, proxiedIP: proxiedIP,
isTor: wConn.Config.Tor, isTor: wConn.Config.Tor,
hideSTS: wConn.Config.Tor || wConn.Config.HideSTS,
} }
client.sessions = []*Session{session} client.sessions = []*Session{session}
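Review bot: The Tor-implies-hide rule lives in RunClient (`hideSTS: wConn.Config.Tor || wConn.Config.HideSTS`) while the ListenerConfig it reads from keeps HideSTS false for Tor listeners, so the two representations disagree for exactly the case the commit title is about. Folding it into the config layer — `lconf.HideSTS = block.HideSTS || block.Tor` in prepareListeners and `hideSTS: wConn.Config.HideSTS` here — makes ListenerConfig the single source of truth, so any other consumer of the listener config gets the same answer. The new Session field also has no comment; I'd add `// hideSTS suppresses the STS cap for this session (Tor listeners and listeners configured with hide-sts)`. RunClient's body continues outside the hunk.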


@ -59,6 +59,7 @@ type listenerConfigBlock struct {
Tor bool Tor bool
STSOnly bool `yaml:"sts-only"` STSOnly bool `yaml:"sts-only"`
WebSocket bool WebSocket bool
HideSTS bool `yaml:"hide-sts"`
} }
type PersistentStatus uint type PersistentStatus uint
@ -532,6 +533,7 @@ type Config struct {
SecureNetDefs []string `yaml:"secure-nets"` SecureNetDefs []string `yaml:"secure-nets"`
secureNets []net.IPNet secureNets []net.IPNet
supportedCaps *caps.Set supportedCaps *caps.Set
supportedCapsWithoutSTS *caps.Set
capValues caps.Values capValues caps.Values
Casemapping Casemapping Casemapping Casemapping
EnforceUtf8 bool `yaml:"enforce-utf8"` EnforceUtf8 bool `yaml:"enforce-utf8"`
@ -834,6 +836,7 @@ func (conf *Config) prepareListeners() (err error) {
} }
lconf.RequireProxy = block.TLS.Proxy || block.Proxy lconf.RequireProxy = block.TLS.Proxy || block.Proxy
lconf.WebSocket = block.WebSocket lconf.WebSocket = block.WebSocket
lconf.HideSTS = block.HideSTS
conf.Server.trueListeners[addr] = lconf conf.Server.trueListeners[addr] = lconf
} }
return nil return nil
@ -1371,6 +1374,11 @@ func LoadConfig(filename string) (config *Config, err error) {
return nil, fmt.Errorf("failed to prepare listeners: %v", err) return nil, fmt.Errorf("failed to prepare listeners: %v", err)
} }
// #1428: Tor listeners should never see STS
config.Server.supportedCapsWithoutSTS = caps.NewSet()
config.Server.supportedCapsWithoutSTS.Union(config.Server.supportedCaps)
config.Server.supportedCapsWithoutSTS.Disable(caps.STS)
return config, nil return config, nil
} }
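Review bot: `hide-sts` removes the only hint a client on a plaintext connection gets that it should upgrade, and the precondition stated in the commit message (the listener's clients must be covered by `secure-nets`) is neither checked nor mentioned anywhere in prepareListeners or on the struct. Since the key is intentionally undocumented, the field definition should carry that warning, e.g. on `HideSTS bool `yaml:"hide-sts"``: `// HideSTS hides the STS cap on this listener; only for listeners already secured at layer 3/4, whose client ranges must also be listed in secure-nets` (the same comment fits ListenerConfig.HideSTS in the last file and Session.hideSTS in the first). A load-time log line when HideSTS is set on a non-Tor listener would additionally make an operator notice the trade-off. Deriving supportedCapsWithoutSTS at the end of LoadConfig is fine provided supportedCaps is not adjusted after this point, which I cannot confirm from the hunk.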


@ -442,6 +442,8 @@ func capHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Respo
supportedCaps := config.Server.supportedCaps supportedCaps := config.Server.supportedCaps
if client.isSTSOnly { if client.isSTSOnly {
supportedCaps = stsOnlyCaps supportedCaps = stsOnlyCaps
} else if rb.session.hideSTS {
supportedCaps = config.Server.supportedCapsWithoutSTS
} }
badCaps := false badCaps := false
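Review bot: capHandler is the only place the new `rb.session.hideSTS` check is applied, so any other path that announces capabilities — for instance a CAP NEW/CAP DEL burst when a rehash adds or removes caps, if the server does that (not visible here) — would still expose STS to sessions that are supposed to hide it; those paths should consult the same flag and the same supportedCapsWithoutSTS set. The precedence looks right: isSTSOnly wins over hideSTS, since an STS-only listener exists solely to deliver the policy. A one-line comment would make the intent clear to the next reader: `// #1428: Tor and hide-sts listeners must not advertise STS`. capHandler begins and ends outside the hunk.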


@ -54,6 +54,7 @@ type ListenerConfig struct {
Tor bool Tor bool
STSOnly bool STSOnly bool
WebSocket bool WebSocket bool
HideSTS bool
} }
// read a PROXY header (either v1 or v2), ensuring we don't read anything beyond // read a PROXY header (either v1 or v2), ensuring we don't read anything beyond