fix #1428
Tor listeners should never see an STS cap. Add an undocumented 'hide-sts' key for listeners that hides the STS cap. This can be used if the listener is secured at layer 3 or 4 (VPNs, E2E mixnets). It will be necessary to add the relevant IPs to `secure-nets`.
This commit is contained in:
parent
23a7221137
commit
7bdbb01238
@ -159,6 +159,7 @@ type Session struct {
|
|||||||
proxiedIP net.IP
|
proxiedIP net.IP
|
||||||
rawHostname string
|
rawHostname string
|
||||||
isTor bool
|
isTor bool
|
||||||
|
hideSTS bool
|
||||||
|
|
||||||
fakelag Fakelag
|
fakelag Fakelag
|
||||||
deferredFakelagCount int
|
deferredFakelagCount int
|
||||||
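Review bot: The new `hideSTS` field on Session carries no comment, so a reader of the struct cannot tell how it differs from the neighbouring `isTor` or where it is set; the RunClient hunk sets it to `wConn.Config.Tor || wConn.Config.HideSTS`, so it is strictly broader than `isTor`. Add `// hideSTS suppresses the STS cap for this session; set for Tor listeners and for listeners configured with hide-sts` above the field. The Session struct begins outside the hunk.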
@ -376,6 +377,7 @@ func (server *Server) RunClient(conn IRCConn) {
|
|||||||
realIP: realIP,
|
realIP: realIP,
|
||||||
proxiedIP: proxiedIP,
|
proxiedIP: proxiedIP,
|
||||||
isTor: wConn.Config.Tor,
|
isTor: wConn.Config.Tor,
|
||||||
|
hideSTS: wConn.Config.Tor || wConn.Config.HideSTS,
|
||||||
}
|
}
|
||||||
client.sessions = []*Session{session}
|
client.sessions = []*Session{session}
|
||||||
|
|
||||||
|
@ -59,6 +59,7 @@ type listenerConfigBlock struct {
|
|||||||
Tor bool
|
Tor bool
|
||||||
STSOnly bool `yaml:"sts-only"`
|
STSOnly bool `yaml:"sts-only"`
|
||||||
WebSocket bool
|
WebSocket bool
|
||||||
|
HideSTS bool `yaml:"hide-sts"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type PersistentStatus uint
|
type PersistentStatus uint
|
||||||
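Review bot: `HideSTS` is added to listenerConfigBlock without any comment, and the commit message is the only place recording the safety condition the operator must meet (the listener is protected at layer 3 or 4 and the client addresses are listed in `secure-nets`); nothing in the code enforces that, so the field itself should state it. Add `// HideSTS suppresses the STS cap on this listener. Only appropriate when the transport is already secured below the IRC layer (VPN, mixnet) and the client IPs are covered by secure-nets.` above the field. The struct begins outside the hunk.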
@ -532,6 +533,7 @@ type Config struct {
|
|||||||
SecureNetDefs []string `yaml:"secure-nets"`
|
SecureNetDefs []string `yaml:"secure-nets"`
|
||||||
secureNets []net.IPNet
|
secureNets []net.IPNet
|
||||||
supportedCaps *caps.Set
|
supportedCaps *caps.Set
|
||||||
|
supportedCapsWithoutSTS *caps.Set
|
||||||
capValues caps.Values
|
capValues caps.Values
|
||||||
Casemapping Casemapping
|
Casemapping Casemapping
|
||||||
EnforceUtf8 bool `yaml:"enforce-utf8"`
|
EnforceUtf8 bool `yaml:"enforce-utf8"`
|
||||||
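Review bot: `supportedCapsWithoutSTS` is a derived copy of `supportedCaps` (built in the LoadConfig hunk by Union then Disable(caps.STS)) and nothing at the declaration says so, which matters because the two must be kept in step. Add `// supportedCapsWithoutSTS is supportedCaps minus STS; derived in LoadConfig and served to sessions with hideSTS set` above the field. The Config struct begins outside the hunk.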
@ -834,6 +836,7 @@ func (conf *Config) prepareListeners() (err error) {
|
|||||||
}
|
}
|
||||||
lconf.RequireProxy = block.TLS.Proxy || block.Proxy
|
lconf.RequireProxy = block.TLS.Proxy || block.Proxy
|
||||||
lconf.WebSocket = block.WebSocket
|
lconf.WebSocket = block.WebSocket
|
||||||
|
lconf.HideSTS = block.HideSTS
|
||||||
conf.Server.trueListeners[addr] = lconf
|
conf.Server.trueListeners[addr] = lconf
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
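Review bot: `lconf.HideSTS = block.HideSTS` is copied through without checking it against `sts-only`; a listener that sets both is accepted, and in the capHandler hunk the `isSTSOnly` branch takes precedence, so `hide-sts` is silently ignored on such a listener. Rejecting the combination here would surface the misconfiguration at load time, e.g. `if block.STSOnly && block.HideSTS { return fmt.Errorf("listener %v: hide-sts cannot be combined with sts-only", addr) }` placed before the assignment. prepareListeners begins outside the hunk.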
@ -1371,6 +1374,11 @@ func LoadConfig(filename string) (config *Config, err error) {
|
|||||||
return nil, fmt.Errorf("failed to prepare listeners: %v", err)
|
return nil, fmt.Errorf("failed to prepare listeners: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// #1428: Tor listeners should never see STS
|
||||||
|
config.Server.supportedCapsWithoutSTS = caps.NewSet()
|
||||||
|
config.Server.supportedCapsWithoutSTS.Union(config.Server.supportedCaps)
|
||||||
|
config.Server.supportedCapsWithoutSTS.Disable(caps.STS)
|
||||||
|
|
||||||
return config, nil
|
return config, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
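Review bot: The comment `// #1428: Tor listeners should never see STS` understates what the code does: the set is also served to non-Tor listeners that set hide-sts, and it appears to be a one-time snapshot taken at this point, so any later modification of `supportedCaps` would not be reflected in it. Widen the comment to `// #1428: sessions with hideSTS set (Tor and hide-sts listeners) must never be offered STS; this set is a snapshot and must be rebuilt if supportedCaps changes` and keep the block after the last point where supportedCaps is modified. LoadConfig begins outside the hunk.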
@ -442,6 +442,8 @@ func capHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Respo
|
|||||||
supportedCaps := config.Server.supportedCaps
|
supportedCaps := config.Server.supportedCaps
|
||||||
if client.isSTSOnly {
|
if client.isSTSOnly {
|
||||||
supportedCaps = stsOnlyCaps
|
supportedCaps = stsOnlyCaps
|
||||||
|
} else if rb.session.hideSTS {
|
||||||
|
supportedCaps = config.Server.supportedCapsWithoutSTS
|
||||||
}
|
}
|
||||||
|
|
||||||
badCaps := false
|
badCaps := false
|
||||||
|
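Review bot: The new `else if rb.session.hideSTS` branch only chooses which set `supportedCaps` points to, and the rest of capHandler lies outside the hunk, so it is not visible here whether that set also gates `CAP REQ` or only `LS`/`LIST`; if REQ consults a different source, a client on a hide-sts listener could still request sts. A test that `CAP REQ sts` on a hideSTS session is refused would pin this down. The precedence is also worth a one-liner on the new branch, `// isSTSOnly takes precedence over hideSTS`. capHandler begins and ends outside the hunk.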
@ -54,6 +54,7 @@ type ListenerConfig struct {
|
|||||||
Tor bool
|
Tor bool
|
||||||
STSOnly bool
|
STSOnly bool
|
||||||
WebSocket bool
|
WebSocket bool
|
||||||
|
HideSTS bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// read a PROXY header (either v1 or v2), ensuring we don't read anything beyond
|
// read a PROXY header (either v1 or v2), ensuring we don't read anything beyond
|
||||||
|