diff --git a/irc/client.go b/irc/client.go index 1c5ecffa..c69ed9bb 100644 --- a/irc/client.go +++ b/irc/client.go @@ -193,7 +193,7 @@ func (server *Server) RunClient(conn clientConn) { var isBanned bool var banMsg string var realIP net.IP - if conn.IsTor { + if conn.Config.IsTor { realIP = utils.IPv4LoopbackAddress isBanned, banMsg = server.checkTorLimits() } else { @@ -220,7 +220,7 @@ func (server *Server) RunClient(conn clientConn) { atime: now, channels: make(ChannelSet), ctime: now, - isTor: conn.IsTor, + isTor: conn.Config.IsTor, languages: server.Languages().Default(), loginThrottle: connection_limits.GenericThrottle{ Duration: config.Accounts.LoginThrottling.Duration, @@ -246,13 +246,13 @@ func (server *Server) RunClient(conn clientConn) { session.SetMaxlenRest() client.sessions = []*Session{session} - if conn.IsTLS { + if conn.Config.TLSConfig != nil { client.SetMode(modes.TLS, true) // error is not useful to us here anyways so we can ignore it client.certfp, _ = socket.CertFP() } - if conn.IsTor { + if conn.Config.IsTor { client.SetMode(modes.TLS, true) // cover up details of the tor proxying infrastructure (not a user privacy concern, // but a hardening measure): diff --git a/irc/config.go b/irc/config.go index 8897636d..7e10da15 100644 --- a/irc/config.go +++ b/irc/config.go @@ -41,16 +41,17 @@ type TLSListenConfig struct { Key string } -// Config returns the TLS contiguration assicated with this TLSListenConfig. -func (conf *TLSListenConfig) Config() (*tls.Config, error) { - cert, err := tls.LoadX509KeyPair(conf.Cert, conf.Key) - if err != nil { - return nil, ErrInvalidCertKeyPair - } +// This is the YAML-deserializable type of the value of the `Server.Listeners` map +type listenerConfigBlock struct { + TLS TLSListenConfig + Tor bool +} - return &tls.Config{ - Certificates: []tls.Certificate{cert}, - }, err +// listenerConfig is the config governing a particular listener (bound address), +// in particular whether it has TLS or Tor (or both) enabled. +type listenerConfig struct { + TLSConfig *tls.Config + IsTor bool } type AccountConfig struct { @@ -257,8 +258,8 @@ type FakelagConfig struct { } type TorListenersConfig struct { - Listeners []string - RequireSasl bool `yaml:"require-sasl"` + Listeners []string // legacy only + RequireSasl bool `yaml:"require-sasl"` Vhost string MaxConnections int `yaml:"max-connections"` ThrottleDuration time.Duration `yaml:"throttle-duration"` @@ -272,14 +273,19 @@ type Config struct { } Server struct { - Password string - passwordBytes []byte - Name string - nameCasefolded string - Listen []string - UnixBindMode os.FileMode `yaml:"unix-bind-mode"` - TLSListeners map[string]*TLSListenConfig `yaml:"tls-listeners"` - TorListeners TorListenersConfig `yaml:"tor-listeners"` + Password string + passwordBytes []byte + Name string + nameCasefolded string + // Listeners is the new style for configuring listeners: + Listeners map[string]listenerConfigBlock + UnixBindMode os.FileMode `yaml:"unix-bind-mode"` + TorListeners TorListenersConfig `yaml:"tor-listeners"` + // Listen and TLSListeners are the legacy style: + Listen []string + TLSListeners map[string]TLSListenConfig `yaml:"tls-listeners"` + // either way, the result is this: + trueListeners map[string]listenerConfig STS STSConfig CheckIdent bool `yaml:"check-ident"` MOTD string @@ -485,22 +491,63 @@ func (conf *Config) Operators(oc map[string]*OperClass) (map[string]*Oper, error return operators, nil } -// TLSListeners returns a list of TLS listeners and their configs. -func (conf *Config) TLSListeners() (map[string]*tls.Config, error) { - tlsListeners := make(map[string]*tls.Config) - for s, tlsListenersConf := range conf.Server.TLSListeners { - config, err := tlsListenersConf.Config() - if err != nil { - return nil, err - } - config.ClientAuth = tls.RequestClientCert - tlsListeners[s] = config +func loadTlsConfig(config TLSListenConfig) (tlsConfig *tls.Config, err error) { + cert, err := tls.LoadX509KeyPair(config.Cert, config.Key) + if err != nil { + return nil, ErrInvalidCertKeyPair } - return tlsListeners, nil + result := tls.Config{ + Certificates: []tls.Certificate{cert}, + ClientAuth: tls.RequestClientCert, + } + return &result, nil } -// LoadConfig loads the given YAML configuration file. -func LoadConfig(filename string) (config *Config, err error) { +// prepareListeners populates Config.Server.trueListeners +func (conf *Config) prepareListeners() (err error) { + listeners := make(map[string]listenerConfig) + if 0 < len(conf.Server.Listeners) { + for addr, block := range conf.Server.Listeners { + var lconf listenerConfig + lconf.IsTor = block.Tor + if block.TLS.Cert != "" { + tlsConfig, err := loadTlsConfig(block.TLS) + if err != nil { + return err + } + lconf.TLSConfig = tlsConfig + } + listeners[addr] = lconf + } + } else if 0 < len(conf.Server.Listen) { + log.Printf("WARNING: configuring listeners via the legacy `server.listen` config option") + log.Printf("This will be removed in a later release: you should update to use `server.listeners`") + torListeners := make(map[string]bool, len(conf.Server.TorListeners.Listeners)) + for _, addr := range conf.Server.TorListeners.Listeners { + torListeners[addr] = true + } + for _, addr := range conf.Server.Listen { + var lconf listenerConfig + lconf.IsTor = torListeners[addr] + tlsListenConf, ok := conf.Server.TLSListeners[addr] + if ok { + tlsConfig, err := loadTlsConfig(tlsListenConf) + if err != nil { + return err + } + lconf.TLSConfig = tlsConfig + } + listeners[addr] = lconf + } + } else { + return fmt.Errorf("No listeners were configured") + } + conf.Server.trueListeners = listeners + return nil +} + +// LoadRawConfig loads the config without doing any consistency checks or postprocessing +func LoadRawConfig(filename string) (config *Config, err error) { data, err := ioutil.ReadFile(filename) if err != nil { return nil, err @@ -510,6 +557,15 @@ func LoadConfig(filename string) (config *Config, err error) { if err != nil { return nil, err } + return +} + +// LoadConfig loads the given YAML configuration file. +func LoadConfig(filename string) (config *Config, err error) { + config, err = LoadRawConfig(filename) + if err != nil { + return nil, err + } config.Filename = filename @@ -525,9 +581,6 @@ func LoadConfig(filename string) (config *Config, err error) { if config.Datastore.Path == "" { return nil, ErrDatastorePathMissing } - if len(config.Server.Listen) == 0 { - return nil, ErrNoListenersDefined - } //dan: automagically fix identlen until a few releases in the future (from now, 0.12.0), being a newly-introduced limit if config.Limits.IdentLen < 1 { config.Limits.IdentLen = 20 @@ -757,5 +810,10 @@ func LoadConfig(filename string) (config *Config, err error) { } } + err = config.prepareListeners() + if err != nil { + return nil, fmt.Errorf("failed to prepare listeners: %v", err) + } + return config, nil } diff --git a/irc/server.go b/irc/server.go index f3b3f1d2..938bdb58 100644 --- a/irc/server.go +++ b/irc/server.go @@ -50,12 +50,11 @@ var ( // ListenerWrapper wraps a listener so it can be safely reconfigured or stopped type ListenerWrapper struct { + // protects atomic update of config and shouldStop: + sync.Mutex // tier 1 listener net.Listener - tlsConfig *tls.Config - isTor bool + config listenerConfig shouldStop bool - // protects atomic update of tlsConfig and shouldStop: - configMutex sync.Mutex // tier 1 } // Server is the main Oragono server. @@ -100,9 +99,8 @@ var ( ) type clientConn struct { - Conn net.Conn - IsTLS bool - IsTor bool + Conn net.Conn + Config listenerConfig } // NewServer returns a new Oragono server. @@ -262,7 +260,7 @@ func (server *Server) checkTorLimits() (banned bool, message string) { // // createListener starts a given listener. -func (server *Server) createListener(addr string, tlsConfig *tls.Config, isTor bool, bindMode os.FileMode) (*ListenerWrapper, error) { +func (server *Server) createListener(addr string, conf listenerConfig, bindMode os.FileMode) (*ListenerWrapper, error) { // make listener var listener net.Listener var err error @@ -284,8 +282,7 @@ func (server *Server) createListener(addr string, tlsConfig *tls.Config, isTor b // throw our details to the server so we can be modified/killed later wrapper := ListenerWrapper{ listener: listener, - tlsConfig: tlsConfig, - isTor: isTor, + config: conf, shouldStop: false, } @@ -297,28 +294,29 @@ func (server *Server) createListener(addr string, tlsConfig *tls.Config, isTor b conn, err := listener.Accept() // synchronously access config data: - wrapper.configMutex.Lock() + wrapper.Lock() shouldStop = wrapper.shouldStop - tlsConfig = wrapper.tlsConfig - isTor = wrapper.isTor - wrapper.configMutex.Unlock() + conf := wrapper.config + wrapper.Unlock() - if err == nil { - if tlsConfig != nil { - conn = tls.Server(conn, tlsConfig) + if shouldStop { + if conn != nil { + conn.Close() + } + listener.Close() + return + } else if err == nil { + if conf.TLSConfig != nil { + conn = tls.Server(conn, conf.TLSConfig) } newConn := clientConn{ - Conn: conn, - IsTLS: tlsConfig != nil, - IsTor: isTor, + Conn: conn, + Config: conf, } // hand off the connection go server.RunClient(newConn) - } - - if shouldStop { - listener.Close() - return + } else { + server.logger.Error("internal", "accept error", addr, err.Error()) } } }() @@ -885,52 +883,24 @@ func (server *Server) loadDatastore(config *Config) error { } func (server *Server) setupListeners(config *Config) (err error) { - logListener := func(addr string, tlsconfig *tls.Config, isTor bool) { + logListener := func(addr string, config listenerConfig) { server.logger.Info("listeners", - fmt.Sprintf("now listening on %s, tls=%t, tor=%t.", addr, (tlsconfig != nil), isTor), + fmt.Sprintf("now listening on %s, tls=%t, tor=%t.", addr, (config.TLSConfig != nil), config.IsTor), ) } - tlsListeners, err := config.TLSListeners() - if err != nil { - server.logger.Error("server", "failed to reload TLS certificates, aborting rehash", err.Error()) - return - } - - isTorListener := func(listener string) bool { - for _, torListener := range config.Server.TorListeners.Listeners { - if listener == torListener { - return true - } - } - return false - } - // update or destroy all existing listeners for addr := range server.listeners { currentListener := server.listeners[addr] - var stillConfigured bool - for _, newaddr := range config.Server.Listen { - if newaddr == addr { - stillConfigured = true - break - } - } + newConfig, stillConfigured := config.Server.trueListeners[addr] - // pass new config information to the listener, to be picked up after - // its next Accept(). this is like sending over a buffered channel of - // size 1, but where sending a second item overwrites the buffered item - // instead of blocking. - tlsConfig := tlsListeners[addr] - isTor := isTorListener(addr) - currentListener.configMutex.Lock() + currentListener.Lock() currentListener.shouldStop = !stillConfigured - currentListener.tlsConfig = tlsConfig - currentListener.isTor = isTor - currentListener.configMutex.Unlock() + currentListener.config = newConfig + currentListener.Unlock() if stillConfigured { - logListener(addr, tlsConfig, isTor) + logListener(addr, newConfig) } else { // tell the listener it should stop by interrupting its Accept() call: currentListener.listener.Close() @@ -940,35 +910,34 @@ func (server *Server) setupListeners(config *Config) (err error) { } // create new listeners that were not previously configured - for _, newaddr := range config.Server.Listen { - _, exists := server.listeners[newaddr] + numTlsListeners := 0 + hasStandardTlsListener := false + for newAddr, newConfig := range config.Server.trueListeners { + if newConfig.TLSConfig != nil { + numTlsListeners += 1 + if strings.HasSuffix(newAddr, ":6697") { + hasStandardTlsListener = true + } + } + _, exists := server.listeners[newAddr] if !exists { // make new listener - isTor := isTorListener(newaddr) - tlsConfig := tlsListeners[newaddr] - listener, listenerErr := server.createListener(newaddr, tlsConfig, isTor, config.Server.UnixBindMode) + listener, listenerErr := server.createListener(newAddr, newConfig, config.Server.UnixBindMode) if listenerErr != nil { - server.logger.Error("server", "couldn't listen on", newaddr, listenerErr.Error()) + server.logger.Error("server", "couldn't listen on", newAddr, listenerErr.Error()) err = listenerErr continue } - server.listeners[newaddr] = listener - logListener(newaddr, tlsConfig, isTor) + server.listeners[newAddr] = listener + logListener(newAddr, newConfig) } } - if len(tlsListeners) == 0 { + if numTlsListeners == 0 { server.logger.Warning("server", "You are not exposing an SSL/TLS listening port. You should expose at least one port (typically 6697) to accept TLS connections") } - var usesStandardTLSPort bool - for addr := range tlsListeners { - if strings.HasSuffix(addr, ":6697") { - usesStandardTLSPort = true - break - } - } - if 0 < len(tlsListeners) && !usesStandardTLSPort { + if !hasStandardTlsListener { server.logger.Warning("server", "Port 6697 is the standard TLS port for IRC. You should (also) expose port 6697 as a TLS port to ensure clients can connect securely") } diff --git a/oragono.go b/oragono.go index fe2f9069..b0e434ef 100644 --- a/oragono.go +++ b/oragono.go @@ -39,6 +39,46 @@ func getPassword() string { return strings.TrimSpace(text) } +// implements the `oragono mkcerts` command +func doMkcerts(configFile string, quiet bool) { + config, err := irc.LoadRawConfig(configFile) + if err != nil { + log.Fatal(err) + } + if !quiet { + log.Println("making self-signed certificates") + } + + certToKey := make(map[string]string) + for name, conf := range config.Server.Listeners { + if conf.TLS.Cert == "" { + continue + } + existingKey, ok := certToKey[conf.TLS.Cert] + if ok { + if existingKey == conf.TLS.Key { + continue + } else { + log.Fatal("Conflicting TLS key files for", conf.TLS.Cert) + } + } + if !quiet { + log.Printf(" making cert for %s listener\n", name) + } + host := config.Server.Name + cert, key := conf.TLS.Cert, conf.TLS.Key + err := mkcerts.CreateCert("Oragono", host, cert, key) + if err == nil { + if !quiet { + log.Printf(" Certificate created at %s : %s\n", cert, key) + } + certToKey[cert] = key + } else { + log.Fatal(" Could not create certificate:", err.Error()) + } + } +} + func main() { version := irc.SemVer usage := `oragono. @@ -88,11 +128,14 @@ Options: } else if arguments["mksecret"].(bool) { fmt.Println(utils.GenerateSecretKey()) return + } else if arguments["mkcerts"].(bool) { + doMkcerts(arguments["--conf"].(string), arguments["--quiet"].(bool)) + return } configfile := arguments["--conf"].(string) config, err := irc.LoadConfig(configfile) - if err != nil { + if err != nil && !(err == irc.ErrInvalidCertKeyPair && arguments["mkcerts"].(bool)) { log.Fatal("Config file did not load successfully: ", err.Error()) } @@ -114,25 +157,6 @@ Options: if !arguments["--quiet"].(bool) { log.Println("database upgraded: ", config.Datastore.Path) } - } else if arguments["mkcerts"].(bool) { - if !arguments["--quiet"].(bool) { - log.Println("making self-signed certificates") - } - - for name, conf := range config.Server.TLSListeners { - if !arguments["--quiet"].(bool) { - log.Printf(" making cert for %s listener\n", name) - } - host := config.Server.Name - err := mkcerts.CreateCert("Oragono", host, conf.Cert, conf.Key) - if err == nil { - if !arguments["--quiet"].(bool) { - log.Printf(" Certificate created at %s : %s\n", conf.Cert, conf.Key) - } - } else { - log.Fatal(" Could not create certificate:", err.Error()) - } - } } else if arguments["run"].(bool) { if !arguments["--quiet"].(bool) { logman.Info("server", fmt.Sprintf("Oragono v%s starting", irc.SemVer)) diff --git a/oragono.yaml b/oragono.yaml index 6ca5f1c7..d56c1da2 100644 --- a/oragono.yaml +++ b/oragono.yaml @@ -11,14 +11,30 @@ server: name: oragono.test # addresses to listen on - listen: - - ":6697" # SSL/TLS port - - ":6667" # plaintext port - # To disable plaintext over the Internet, comment out :6667 and replace with: - # - "127.0.0.1:6667" # (loopback ipv4, localhost-only) - # - "[::1]:6667" # (loopback ipv6, localhost-only) - # Unix domain socket for proxying: - # - "/tmp/oragono_sock" + listeners: + # The standard plaintext port for IRC is 6667. This will listen on all interfaces: + ":6667": + + # The standard SSL/TLS port for IRC is 6697. This will listen on all interfaces: + ":6697": + tls: + key: tls.key + cert: tls.crt + + # Since using plaintext over the public Internet poses security and privacy issues, + # you may wish to use plaintext only on local interfaces. To do so, comment out + # the `":6667":` line, then uncomment these two lines: + # "127.0.0.1:6667": # (loopback ipv4, localhost-only) + # "[::1]:6667": # (loopback ipv6, localhost-only) + + # Example of a Unix domain socket for proxying: + # "/tmp/oragono_sock": + + # Example of a Tor listener: any connection that comes in on this listener will + # be considered a Tor connection. It is strongly recommended that this listener + # *not* be on a public interface --- it should be on 127.0.0.0/8 or unix domain: + # "/tmp/oragono_tor_sock": + # tor: true # sets the permissions for Unix listen sockets. on a typical Linux system, # the default is 0775 or 0755, which prevents other users/groups from connecting @@ -26,23 +42,8 @@ server: # where anyone can connect. unix-bind-mode: 0777 - # tls listeners - tls-listeners: - # listener on ":6697" - ":6697": - key: tls.key - cert: tls.crt - - # tor listeners: designate listeners for use by a tor hidden service / .onion address - # WARNING: if you are running oragono as a pure hidden service, see the - # anonymization / hardening recommendations in docs/MANUAL.md + # configure the behavior of Tor listeners (ignored if you didn't enable any): tor-listeners: - # any connections that come in on these listeners will be considered - # Tor connections. it is strongly recommended that these listeners *not* - # be on public interfaces: they should be on 127.0.0.0/8 or unix domain - listeners: - # - "/tmp/oragono_tor_sock" - # if this is true, connections from Tor must authenticate with SASL require-sasl: false