Merge pull request #694 from slingamn/issue688_forward_confirmed_dns.4

#688: forward-confirmed reverse dns
2019-12-18 10:22:50 -05:00 · 2019-12-18 10:22:50 -05:00 · 9d56677691
parent 62473468f0 f1e2bbc0e4
commit 9d56677691
9 changed files with 151 additions and 71 deletions
--- a/irc/client.go
+++ b/irc/client.go
@ -259,11 +259,10 @@ func (server *Server) RunClient(conn clientConn, proxyLine string) {
 		// cover up details of the tor proxying infrastructure (not a user privacy concern,
 		// but a hardening measure):
 		session.proxiedIP = utils.IPv4LoopbackAddress
 		client.proxiedIP = session.proxiedIP
 		session.rawHostname = config.Server.TorListeners.Vhost
 		client.rawHostname = session.rawHostname
 	} else {
 		// set the hostname for this client (may be overridden later by PROXY or WEBIRC)
 		session.rawHostname = utils.LookupHostname(session.realIP.String())
 		client.cloakedHostname = config.Server.Cloaks.ComputeCloak(session.realIP)
 		remoteAddr := conn.Conn.RemoteAddr()
 		if utils.AddrIsLocal(remoteAddr) {
 			// treat local connections as secure (may be overridden later by WEBIRC)
@ -274,13 +273,71 @@ func (server *Server) RunClient(conn clientConn, proxyLine string) {
 		}
 	}
 	client.realIP = session.realIP
 	client.rawHostname = session.rawHostname
 	client.proxiedIP = session.proxiedIP
 	server.stats.Add()
 	client.run(session, proxyLine)
 }
 // resolve an IP to an IRC-ready hostname, using reverse DNS, forward-confirming if necessary,
 // and sending appropriate notices to the client
 func (client *Client) lookupHostname(session *Session, overwrite bool) {
 	if client.isTor {
 		return
 	} // else: even if cloaking is enabled, look up the real hostname to show to operators
 	config := client.server.Config()
 	ip := session.realIP
 	if session.proxiedIP != nil {
 		ip = session.proxiedIP
 	}
 	ipString := ip.String()
 	var hostname, candidate string
 	if config.Server.lookupHostnames {
 		session.Notice("*** Looking up your hostname...")
 		names, err := net.LookupAddr(ipString)
 		if err == nil && 0 < len(names) {
 			candidate = strings.TrimSuffix(names[0], ".")
 		}
 		if utils.IsHostname(candidate) {
 			if config.Server.ForwardConfirmHostnames {
 				addrs, err := net.LookupHost(candidate)
 				if err == nil {
 					for _, addr := range addrs {
 						if addr == ipString {
 							hostname = candidate // successful forward confirmation
 							break
 						}
 					}
 				}
 			} else {
 				hostname = candidate
 			}
 		}
 	}
 	if hostname != "" {
 		session.Notice("*** Found your hostname")
 	} else {
 		if config.Server.lookupHostnames {
 			session.Notice("*** Couldn't look up your hostname")
 		}
 		hostname = utils.IPStringToHostname(ipString)
 	}
 	session.rawHostname = hostname
 	cloakedHostname := config.Server.Cloaks.ComputeCloak(ip)
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	// update the hostname if this is a new connection or a resume, but not if it's a reattach
 	if overwrite || client.rawHostname == "" {
 		client.rawHostname = hostname
 		client.cloakedHostname = cloakedHostname
 		client.updateNickMaskNoMutex()
 	}
 }
 func (client *Client) doIdentLookup(conn net.Conn) {
 	_, serverPortString, err := net.SplitHostPort(conn.LocalAddr().String())
 	if err != nil {
@ -617,7 +674,7 @@ func (session *Session) playResume() {
 	details := client.Details()
 	oldNickmask := details.nickMask
-	client.SetRawHostname(session.rawHostname)
+	client.lookupHostname(session, true)
 	hostname := client.Hostname() // may be a vhost
 	timestampString := timestamp.Format(IRCv3TimestampFormat)
@ -887,6 +944,10 @@ func (client *Client) updateNickMaskNoMutex() {
 		}
 	}
 	if client.hostname == "" {
 		return // pre-registration, don't bother generating the hostname
 	}
 	cfhostname, err := Casefold(client.hostname)
 	if err != nil {
 		client.server.logger.Error("internal", "hostname couldn't be casefolded", client.hostname, err.Error())
@ -1255,6 +1316,10 @@ func (client *Client) Notice(text string) {
 	client.Send(nil, client.server.name, "NOTICE", client.Nick(), text)
 }
 func (session *Session) Notice(text string) {
 	session.Send(nil, session.client.server.name, "NOTICE", session.client.Nick(), text)
 }
 func (client *Client) addChannel(channel *Channel) {
 	client.stateMutex.Lock()
 	client.channels[channel] = true
--- a/irc/config.go
+++ b/irc/config.go
@ -295,6 +295,9 @@ type Config struct {
 		// either way, the result is this:
 		trueListeners           map[string]listenerConfig
 		STS                     STSConfig
 		LookupHostnames         *bool `yaml:"lookup-hostnames"`
 		lookupHostnames         bool
 		ForwardConfirmHostnames bool `yaml:"forward-confirm-hostnames"`
 		CheckIdent              bool `yaml:"check-ident"`
 		MOTD                    string
 		motdLines               []string
@ -590,7 +593,7 @@ func LoadConfig(filename string) (config *Config, err error) {
 	if config.Server.Name == "" {
 		return nil, ErrServerNameMissing
 	}
-	if !utils.IsHostname(config.Server.Name) {
+	if !utils.IsServerName(config.Server.Name) {
 		return nil, ErrServerNameNotHostname
 	}
 	if config.Datastore.Path == "" {
@ -635,6 +638,13 @@ func LoadConfig(filename string) (config *Config, err error) {
 	// set this even if STS is disabled
 	config.Server.capValues[caps.STS] = config.Server.STS.Value()
 	// lookup-hostnames defaults to true if unset
 	if config.Server.LookupHostnames != nil {
 		config.Server.lookupHostnames = *config.Server.LookupHostnames
 	} else {
 		config.Server.lookupHostnames = true
 	}
 	// process webirc blocks
 	var newWebIRC []webircConfig
 	for _, webirc := range config.Server.WebIRC {
--- a/irc/gateways.go
+++ b/irc/gateways.go
@ -76,18 +76,12 @@ func (client *Client) ApplyProxiedIP(session *Session, proxiedIP string, tls boo
 	client.server.connectionLimiter.RemoveClient(session.realIP)
 	// given IP is sane! override the client's current IP
-	ipstring := parsedProxiedIP.String()
+	client.server.logger.Info("localconnect-ip", "Accepted proxy IP for client", parsedProxiedIP.String())
 	client.server.logger.Info("localconnect-ip", "Accepted proxy IP for client", ipstring)
 	rawHostname := utils.LookupHostname(ipstring)
 	cloakedHostname := client.server.Config().Server.Cloaks.ComputeCloak(parsedProxiedIP)
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	client.proxiedIP = parsedProxiedIP
 	client.rawHostname = rawHostname
 	session.proxiedIP = parsedProxiedIP
 	session.rawHostname = rawHostname
 	client.cloakedHostname = cloakedHostname
 	// nickmask will be updated when the client completes registration
 	// set tls info
 	client.certfp = ""
--- a/irc/getters.go
+++ b/irc/getters.go
@ -239,14 +239,6 @@ func (client *Client) RawHostname() (result string) {
 	return
 }
 func (client *Client) SetRawHostname(rawHostname string) {
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	client.rawHostname = rawHostname
 	client.updateNickMaskNoMutex()
 }
 func (client *Client) AwayMessage() (result string) {
 	client.stateMutex.RLock()
 	result = client.awayMessage
--- a/irc/nickserv.go
+++ b/irc/nickserv.go
@ -802,16 +802,16 @@ func nsSessionsHandler(server *Server, client *Client, command string, params []
 	target := client
 	if 0 < len(params) {
 		// same permissions check as RPL_WHOISACTUALLY for now:
 		if !client.HasMode(modes.Operator) {
 			nsNotice(rb, client.t("Command restricted"))
 			return
 		}
 		target = server.clients.Get(params[0])
 		if target == nil {
 			nsNotice(rb, client.t("No such nick"))
 			return
 		}
 		// same permissions check as RPL_WHOISACTUALLY for now:
 		if target != client && !client.HasMode(modes.Operator) {
 			nsNotice(rb, client.t("Command restricted"))
 			return
 		}
 	}
 	sessionData, currentIndex := target.AllSessionData(rb.session)
--- a/irc/server.go
+++ b/irc/server.go
@ -377,12 +377,9 @@ func (server *Server) tryRegister(c *Client, session *Session) (exiting bool) {
 		return
 	}
-	// check KLINEs
+	// we have nickname, username, and the final value of the IP address:
-	isBanned, info := server.klines.CheckMasks(c.AllNickmasks()...)
+	// do the hostname lookup and set the nickmask
-	if isBanned {
+	session.client.lookupHostname(session, false)
 		c.Quit(info.BanMessage(c.t("You are banned from this server (%s)")), nil)
 		return true
 	}
 	if session.client != c {
 		// reattached, bail out.
@ -392,6 +389,13 @@ func (server *Server) tryRegister(c *Client, session *Session) (exiting bool) {
 		return
 	}
 	// check KLINEs
 	isBanned, info := server.klines.CheckMasks(c.AllNickmasks()...)
 	if isBanned {
 		c.Quit(info.BanMessage(c.t("You are banned from this server (%s)")), nil)
 		return true
 	}
 	// registration has succeeded:
 	c.SetRegistered()
--- a/irc/utils/net.go
+++ b/irc/utils/net.go
@ -6,6 +6,7 @@ package utils
 import (
 	"net"
 	"regexp"
 	"strings"
 )
@ -13,6 +14,8 @@ var (
 	// subnet mask for an ipv6 /128:
 	mask128             = net.CIDRMask(128, 128)
 	IPv4LoopbackAddress = net.ParseIP("127.0.0.1").To16()
 	validHostnameLabelRegexp = regexp.MustCompile(`^[0-9A-Za-z.\-]+$`)
 )
 // AddrIsLocal returns whether the address is from a trusted local connection (loopback or unix).
@ -40,30 +43,19 @@ func AddrIsUnix(addr net.Addr) bool {
 	return ok
 }
-// LookupHostname returns the hostname for `addr` if it has one. Otherwise, just returns `addr`.
+// IPStringToHostname converts a string representation of an IP address to an IRC-ready hostname
-func LookupHostname(addr string) string {
+func IPStringToHostname(ipStr string) string {
-	names, err := net.LookupAddr(addr)
+	if 0 < len(ipStr) && ipStr[0] == ':' {
 	if err == nil && len(names) > 0 {
 		candidate := strings.TrimSuffix(names[0], ".")
 		if IsHostname(candidate) {
 			return candidate
 		}
 	}
 	// return original address if no hostname found
 	if len(addr) > 0 && addr[0] == ':' {
 		// fix for IPv6 hostnames (so they don't start with a colon), same as all other IRCds
-		addr = "0" + addr
+		ipStr = "0" + ipStr
 	}
-	return addr
+	return ipStr
 }
 var allowedHostnameChars = "abcdefghijklmnopqrstuvwxyz1234567890-."
 // IsHostname returns whether we consider `name` a valid hostname.
 func IsHostname(name string) bool {
-	// IRC hostnames specifically require a period
+	name = strings.TrimSuffix(name, ".")
-	if !strings.Contains(name, ".") || len(name) < 1 || len(name) > 253 {
+	if len(name) < 1 || len(name) > 253 {
 		return false
 	}
@ -72,11 +64,7 @@ func IsHostname(name string) bool {
 		if len(part) < 1 || len(part) > 63 || strings.HasPrefix(part, "-") || strings.HasSuffix(part, "-") {
 			return false
 		}
-	}
+		if !validHostnameLabelRegexp.MatchString(part) {
 	// ensure all chars of hostname are valid
 	for _, char := range strings.Split(strings.ToLower(name), "") {
 		if !strings.Contains(allowedHostnameChars, char) {
 			return false
 		}
 	}
@ -84,6 +72,12 @@ func IsHostname(name string) bool {
 	return true
 }
 // IsServerName returns whether we consider `name` a valid IRC server name.
 func IsServerName(name string) bool {
 	// IRC server names specifically require a period
 	return IsHostname(name) && strings.IndexByte(name, '.') != -1
 }
 // Convenience to test whether `ip` is contained in any of `nets`.
 func IPInNets(ip net.IP, nets []net.IPNet) bool {
 	for _, network := range nets {
--- a/irc/utils/net_test.go
+++ b/irc/utils/net_test.go
@ -24,14 +24,18 @@ var (
 		"gsf.ds342.co.uk",
 		"324.net.uk",
 		"xn--bcher-kva.ch",
 		"pentos",
 		"pentos.",
 		"www.google.com.",
 	}
 	badHostnames = []string{
 		"-lol-.net.uk",
 		"-lol.net.uk",
 		"_irc._sctp.lol.net.uk",
-		"irc",
+		"irc.l%l.net.uk",
-		"com",
+		"irc..net.uk",
 		".",
 		"",
 	}
 )
@ -56,6 +60,15 @@ func TestIsHostname(t *testing.T) {
 	}
 }
 func TestIsServerName(t *testing.T) {
 	if IsServerName("pentos") {
 		t.Error("irc server names must contain a period")
 	}
 	if !IsServerName("darwin.network") {
 		t.Error("failed to validate a perfectly good server name")
 	}
 }
 func TestNormalizeToNet(t *testing.T) {
 	a := net.ParseIP("8.8.8.8")
 	b := net.ParseIP("8.8.4.4")
--- a/oragono.yaml
+++ b/oragono.yaml
@ -85,6 +85,14 @@ server:
        # should clients include this STS policy when they ship their inbuilt preload lists?
        preload: false
    # whether to look up user hostnames with reverse DNS
    # (to suppress this for privacy purposes, use the ip-cloaking options below)
    lookup-hostnames: true
    # whether to confirm hostname lookups using "forward-confirmed reverse DNS", i.e., for
    # any hostname returned from reverse DNS, resolve it back to an IP address and reject it
    # unless it matches the connecting IP
    forward-confirm-hostnames: true
    # use ident protocol to get usernames
    check-ident: false