mirror of
https://github.com/ergochat/ergo.git
synced 2024-11-13 07:29:30 +01:00
WEBIRC: Allow protecting with fingerprint and parse tls
flag
This commit is contained in:
parent
07a16b2502
commit
b0649cb5d3
@ -402,7 +402,7 @@ func LoadConfig(filename string) (config *Config, err error) {
|
||||
continue
|
||||
}
|
||||
|
||||
err = webirc.ProcessPassword()
|
||||
err = webirc.Populate()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Could not parse WebIRC config: %s", err.Error())
|
||||
}
|
||||
|
@ -6,8 +6,10 @@
|
||||
package irc
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
"strings"
|
||||
|
||||
"github.com/oragono/oragono/irc/passwd"
|
||||
|
||||
@ -18,23 +20,51 @@ import (
|
||||
type webircConfig struct {
|
||||
PasswordString string `yaml:"password"`
|
||||
Password []byte `yaml:"password-bytes"`
|
||||
Fingerprint string
|
||||
Hosts []string
|
||||
}
|
||||
|
||||
// ProcessPassword populates our password.
|
||||
func (wc *webircConfig) ProcessPassword() error {
|
||||
password, error := passwd.DecodePasswordHash(wc.PasswordString)
|
||||
wc.Password = password
|
||||
return error
|
||||
// Populate fills out our password or fingerprint.
|
||||
func (wc *webircConfig) Populate() (err error) {
|
||||
if wc.Fingerprint == "" && wc.PasswordString == "" {
|
||||
return errors.New("Fingerprint or password needs to be specified")
|
||||
}
|
||||
|
||||
if wc.PasswordString != "" {
|
||||
var password []byte
|
||||
password, err = passwd.DecodePasswordHash(wc.PasswordString)
|
||||
wc.Password = password
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
// WEBIRC password gateway hostname ip
|
||||
// WEBIRC <password> <gateway> <hostname> <ip> [:flag1 flag2=x flag3]
|
||||
func webircHandler(server *Server, client *Client, msg ircmsg.IrcMessage) bool {
|
||||
// only allow unregistered clients to use this command
|
||||
if client.registered {
|
||||
return false
|
||||
}
|
||||
|
||||
// process flags
|
||||
var secure bool
|
||||
if 4 < len(msg.Params) {
|
||||
for _, x := range strings.Split(msg.Params[4], " ") {
|
||||
// split into key=value
|
||||
var key string
|
||||
if strings.Contains(x, "=") {
|
||||
y := strings.SplitN(x, "=", 2)
|
||||
key, _ = y[0], y[1]
|
||||
} else {
|
||||
key = x
|
||||
}
|
||||
|
||||
// only accept "tls" flag if the gateway's connection to us is secure as well
|
||||
if strings.ToLower(key) == "tls" && client.flags[TLS] {
|
||||
secure = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
clientAddress := utils.IPString(client.socket.conn.RemoteAddr())
|
||||
clientHostname := client.hostname
|
||||
server.configurableStateMutex.RLock()
|
||||
@ -42,13 +72,17 @@ func webircHandler(server *Server, client *Client, msg ircmsg.IrcMessage) bool {
|
||||
for _, info := range server.webirc {
|
||||
for _, address := range info.Hosts {
|
||||
if clientHostname == address || clientAddress == address {
|
||||
// confirm password
|
||||
// confirm password and/or fingerprint
|
||||
givenPassword := msg.Params[0]
|
||||
if passwd.ComparePasswordString(info.Password, givenPassword) == nil {
|
||||
proxiedIP := msg.Params[3]
|
||||
|
||||
return client.ApplyProxiedIP(proxiedIP)
|
||||
if 0 < len(info.Password) && passwd.ComparePasswordString(info.Password, givenPassword) != nil {
|
||||
continue
|
||||
}
|
||||
if 0 < len(info.Fingerprint) && client.certfp != info.Fingerprint {
|
||||
continue
|
||||
}
|
||||
|
||||
proxiedIP := msg.Params[3]
|
||||
return client.ApplyProxiedIP(proxiedIP, secure)
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -73,7 +107,8 @@ func proxyHandler(server *Server, client *Client, msg ircmsg.IrcMessage) bool {
|
||||
if clientHostname == address || clientAddress == address {
|
||||
proxiedIP := msg.Params[1]
|
||||
|
||||
return client.ApplyProxiedIP(proxiedIP)
|
||||
// assume PROXY connections are always secure
|
||||
return client.ApplyProxiedIP(proxiedIP, true)
|
||||
}
|
||||
}
|
||||
client.Quit("PROXY command is not usable from your address")
|
||||
@ -81,7 +116,7 @@ func proxyHandler(server *Server, client *Client, msg ircmsg.IrcMessage) bool {
|
||||
}
|
||||
|
||||
// ApplyProxiedIP applies the given IP to the client.
|
||||
func (client *Client) ApplyProxiedIP(proxiedIP string) (exiting bool) {
|
||||
func (client *Client) ApplyProxiedIP(proxiedIP string, tls bool) (exiting bool) {
|
||||
// ensure IP is sane
|
||||
parsedProxiedIP := net.ParseIP(proxiedIP)
|
||||
if parsedProxiedIP == nil {
|
||||
@ -99,5 +134,14 @@ func (client *Client) ApplyProxiedIP(proxiedIP string) (exiting bool) {
|
||||
client.proxiedIP = proxiedIP
|
||||
client.rawHostname = utils.LookupHostname(proxiedIP)
|
||||
client.hostname = client.rawHostname
|
||||
|
||||
// set tls info
|
||||
client.certfp = ""
|
||||
if tls {
|
||||
client.flags[TLS] = true
|
||||
} else {
|
||||
delete(client.flags, TLS)
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
@ -463,11 +463,16 @@ Views the version of software and the RPL_ISUPPORT tokens for the given server.`
|
||||
},
|
||||
"webirc": {
|
||||
oper: true, // not really, but it's restricted anyways
|
||||
text: `WEBIRC <password> <gateway> <hostname> <ip>
|
||||
text: `WEBIRC <password> <gateway> <hostname> <ip> [:<flags>]
|
||||
|
||||
Used by web<->IRC gateways and bouncers, the WEBIRC command allows gateways to
|
||||
pass-through the real IP addresses of clients:
|
||||
ircv3.net/specs/extensions/webirc.html`,
|
||||
ircv3.net/specs/extensions/webirc.html
|
||||
|
||||
<flags> is a list of space-separated strings indicating various details about
|
||||
the connection from the client to the gateway, such as:
|
||||
|
||||
- tls: this flag indicates that the client->gateway connection is secure`,
|
||||
},
|
||||
"who": {
|
||||
text: `WHO <name> [o]
|
||||
|
@ -69,6 +69,9 @@ server:
|
||||
webirc:
|
||||
# one webirc block -- should correspond to one set of gateways
|
||||
-
|
||||
# tls fingerprint the gateway must connect with to use this webirc block
|
||||
fingerprint: 938dd33f4b76dcaf7ce5eb25c852369cb4b8fb47ba22fc235aa29c6623a5f182
|
||||
|
||||
# password the gateway uses to connect, made with oragono genpasswd
|
||||
password: JDJhJDA0JG9rTTVERlNRa0hpOEZpNkhjZE95SU9Da1BseFdlcWtOTEQxNEFERVlqbEZNTkdhOVlYUkMu
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user