From 7bdbb01238a2d7c196579487b2ad004970055677 Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni
Date: Sat, 5 Dec 2020 23:06:23 -0500
Subject: [PATCH] fix #1428
Tor listeners should never see an STS cap. Add an undocumented 'hide-sts' key for listeners that hides the STS cap. This can be used if the listener is secured at layer 3 or 4 (VPNs, E2E mixnets). It will be necessary to add the relevant IPs to `secure-nets`.
---
 irc/client.go | 2 ++
 irc/config.go | 8 ++++++++
 irc/handlers.go | 2 ++
 irc/utils/proxy.go | 1 +
 4 files changed, 13 insertions(+)
diff --git a/irc/client.go b/irc/client.go
index bc00f7a1..38b7287e 100644
--- a/irc/client.go
+++ b/irc/client.go
@@ -159,6 +159,7 @@ type Session struct { proxiedIP net.IP rawHostname string isTor bool + hideSTS bool fakelag Fakelag deferredFakelagCount int
@@ -376,6 +377,7 @@ func (server *Server) RunClient(conn IRCConn) { realIP: realIP, proxiedIP: proxiedIP, isTor: wConn.Config.Tor, + hideSTS: wConn.Config.Tor || wConn.Config.HideSTS, } client.sessions = []*Session{session}
diff --git a/irc/config.go b/irc/config.go
index 72c414fa..f07a8e43 100644
--- a/irc/config.go
+++ b/irc/config.go
@@ -59,6 +59,7 @@ type listenerConfigBlock struct { Tor bool STSOnly bool `yaml:"sts-only"` WebSocket bool + HideSTS bool `yaml:"hide-sts"` } type PersistentStatus uint
@@ -532,6 +533,7 @@ type Config struct { SecureNetDefs []string `yaml:"secure-nets"` secureNets []net.IPNet supportedCaps *caps.Set + supportedCapsWithoutSTS *caps.Set capValues caps.Values Casemapping Casemapping EnforceUtf8 bool `yaml:"enforce-utf8"`
@@ -834,6 +836,7 @@ func (conf *Config) prepareListeners() (err error) { } lconf.RequireProxy = block.TLS.Proxy || block.Proxy lconf.WebSocket = block.WebSocket + lconf.HideSTS = block.HideSTS conf.Server.trueListeners[addr] = lconf } return nil 
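Review bot: The new `hideSTS` field in `Session` has no comment, and its meaning is not recoverable from the name alone, because the `RunClient` hunk below sets it for Tor listeners as well as for the new `hide-sts` listener key. Suggest `hideSTS bool // never advertise the STS cap to this session: set for Tor listeners and for listeners configured with hide-sts (#1428)`. Since the value is computed once in the `Session` literal from `wConn.Config`, a rehash that toggles `hide-sts` appears to affect only sessions accepted afterwards, which is worth stating in the comment if that is the intent. The `Session` struct and `RunClient` both start outside their hunks.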
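Review bot: `HideSTS` in `listenerConfigBlock` is the only place an operator reading the code will meet the new `hide-sts` key, yet the commit message's caveat that such a listener must also be covered by `secure-nets` is not recorded anywhere in the code. Suggest a field comment: `HideSTS bool `yaml:"hide-sts"` // hide the STS cap on this listener; only for listeners already secured below the application layer (VPN, E2E mixnet), whose client addresses must also be listed in secure-nets`. Without it, setting `hide-sts` on an ordinary plaintext listener silently removes the client's upgrade hint while the connection is presumably still treated as insecure, and nothing in the `prepareListeners` hunk checks or warns about that combination.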
@@ -1371,6 +1374,11 @@ func LoadConfig(filename string) (config *Config, err error) { return nil, fmt.Errorf("failed to prepare listeners: %v", err) } + // #1428: Tor listeners should never see STS + config.Server.supportedCapsWithoutSTS = caps.NewSet() + config.Server.supportedCapsWithoutSTS.Union(config.Server.supportedCaps) + config.Server.supportedCapsWithoutSTS.Disable(caps.STS) + return config, nil }
diff --git a/irc/handlers.go b/irc/handlers.go
index d31b44b3..19de3fa4 100644
--- a/irc/handlers.go
+++ b/irc/handlers.go
@@ -442,6 +442,8 @@ func capHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Respo supportedCaps := config.Server.supportedCaps if client.isSTSOnly { supportedCaps = stsOnlyCaps + } else if rb.session.hideSTS { + supportedCaps = config.Server.supportedCapsWithoutSTS } badCaps := false
diff --git a/irc/utils/proxy.go b/irc/utils/proxy.go
index 5b14be68..584e3f34 100644
--- a/irc/utils/proxy.go
+++ b/irc/utils/proxy.go
@@ -54,6 +54,7 @@ type ListenerConfig struct { Tor bool STSOnly bool WebSocket bool + HideSTS bool } // read a PROXY header (either v1 or v2), ensuring we don't read anything beyond
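Review bot: `supportedCapsWithoutSTS` is a snapshot of `supportedCaps` taken at this point in `LoadConfig`, so if `supportedCaps` is still amended anywhere later in the function (not visible here), the derived set would silently keep STS or miss newly enabled caps. Either build it immediately after `supportedCaps` is finalized or pin the ordering with a comment such as `// snapshot, not a view: must run after supportedCaps is final`. `Union` onto a fresh `caps.NewSet()` is being used as a copy; if `caps.Set` offers a clone helper, it would state that intent more directly. `LoadConfig` starts outside the hunk.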
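Review bot: In `capHandler` the existing `client.isSTSOnly` branch still takes precedence over the new `rb.session.hideSTS` branch, so a listener configured as both `sts-only` and `tor` (or `hide-sts`) would keep advertising STS, against the commit's intent. Unless `prepareListeners` already rejects that combination (not visible here), it should, e.g. in the `prepareListeners` hunk: `if block.STSOnly && (block.Tor || block.HideSTS) { return fmt.Errorf("listener %s: sts-only cannot be combined with tor or hide-sts", addr) }`. It is also worth confirming that the same `supportedCaps` value governs the `CAP REQ` path after `badCaps`, so that a client on a hidden listener cannot request `sts` explicitly; that code is outside the hunk, as are the start and end of `capHandler`.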