diff options
author | Wim <wim@42.be> | 2019-09-07 21:35:45 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-07 21:35:45 +0200 |
commit | 1532f6e42798d1071c8a97423e838338bed7b570 (patch) | |
tree | 4ae23c4a5da97e8c1d86a28460340fa2cb5e1c78 /vendor/github.com/lrstanley/girc/cap.go | |
parent | 9327810bbfe9cf0da2415d223fc642d943ff2ade (diff) | |
download | matterbridge-msglm-1532f6e42798d1071c8a97423e838338bed7b570.tar.gz matterbridge-msglm-1532f6e42798d1071c8a97423e838338bed7b570.tar.bz2 matterbridge-msglm-1532f6e42798d1071c8a97423e838338bed7b570.zip |
Update lrstanley/girc vendor (#884)
Diffstat (limited to 'vendor/github.com/lrstanley/girc/cap.go')
-rw-r--r-- | vendor/github.com/lrstanley/girc/cap.go | 191 |
1 files changed, 154 insertions, 37 deletions
diff --git a/vendor/github.com/lrstanley/girc/cap.go b/vendor/github.com/lrstanley/girc/cap.go index 5995233f..38ff210c 100644 --- a/vendor/github.com/lrstanley/girc/cap.go +++ b/vendor/github.com/lrstanley/girc/cap.go @@ -5,7 +5,10 @@ package girc import ( + "fmt" + "strconv" "strings" + "time" ) // Something not in the list? Depending on the type of capability, you can @@ -19,13 +22,20 @@ var possibleCap = map[string][]string{ "chghost": nil, "extended-join": nil, "invite-notify": nil, + "message-tags": nil, + "msgid": nil, "multi-prefix": nil, "server-time": nil, "userhost-in-names": nil, + // Supported draft versions, some may be duplicated above, this is for backwards + // compatibility. "draft/message-tags-0.2": nil, "draft/msgid": nil, + // sts, sasl, etc are enabled dynamically/depending on client configuration, + // so aren't included on this list. + // "echo-message" is supported, but it's not enabled by default. This is // to prevent unwanted confusion and utilize less traffic if it's not needed. // echo messages aren't sent to girc.PRIVMSG and girc.NOTICE handlers, @@ -51,6 +61,17 @@ func possibleCapList(c *Client) map[string][]string { out["sasl"] = nil } + if !c.Config.DisableSTS && !c.Config.SSL { + // If fallback supported, and we failed recently, don't try negotiating STS. + // ONLY do this fallback if we're expired (primarily useful during the first + // sts negotation). + if time.Since(c.state.sts.lastFailed) < 5*time.Minute && !c.Config.DisableSTSFallback { + c.debug.Println("skipping strict transport policy negotiation; failed within the last 5 minutes") + } else { + out["sts"] = nil + } + } + for k := range c.Config.SupportedCaps { out[k] = c.Config.SupportedCaps[k] } @@ -62,8 +83,8 @@ func possibleCapList(c *Client) map[string][]string { return out } -func parseCap(raw string) map[string][]string { - out := make(map[string][]string) +func parseCap(raw string) map[string]map[string]string { + out := make(map[string]map[string]string) parts := strings.Split(raw, " ") var val int @@ -78,7 +99,16 @@ func parseCap(raw string) map[string][]string { continue } - out[parts[i][:val]] = strings.Split(parts[i][val+1:], ",") + out[parts[i][:val]] = make(map[string]string) + for _, option := range strings.Split(parts[i][val+1:], ",") { + j := strings.Index(option, "=") + + if j < 0 { + out[parts[i][:val]][option] = "" + } else { + out[parts[i][:val]][option[:j]] = option[j+1 : len(option)] + } + } } return out @@ -88,8 +118,15 @@ func parseCap(raw string) map[string][]string { // This will lock further registration until we have acknowledged (or denied) // the capabilities. func handleCAP(c *Client, e Event) { - if len(e.Params) >= 2 && (e.Params[1] == CAP_NEW || e.Params[1] == CAP_DEL) { - c.listCAP() + c.state.Lock() + defer c.state.Unlock() + + if len(e.Params) >= 2 && e.Params[1] == CAP_DEL { + caps := parseCap(e.Last()) + for cap := range caps { + // TODO: test the deletion. + delete(c.state.enabledCap, cap) + } return } @@ -101,27 +138,26 @@ func handleCAP(c *Client, e Event) { } possible := possibleCapList(c) - - if len(e.Params) >= 3 && e.Params[1] == CAP_LS { - c.state.Lock() - + // TODO: test the addition. + if len(e.Params) >= 3 && (e.Params[1] == CAP_LS || e.Params[1] == CAP_NEW) { caps := parseCap(e.Last()) - for k := range caps { - if _, ok := possible[k]; !ok { + for capName := range caps { + if _, ok := possible[capName]; !ok { continue } - if len(possible[k]) == 0 || len(caps[k]) == 0 { - c.state.tmpCap = append(c.state.tmpCap, k) + if len(possible[capName]) == 0 || len(caps[capName]) == 0 { + c.state.tmpCap[capName] = caps[capName] continue } var contains bool - for i := 0; i < len(caps[k]); i++ { - for j := 0; j < len(possible[k]); j++ { - if caps[k][i] == possible[k][j] { - // Assume we have a matching split value. + + for capAttr := range caps[capName] { + for i := 0; i < len(possible[capName]); i++ { + if _, ok := caps[capName][capAttr]; ok { + // Assuming we have a matching attribute for the capability. contains = true goto checkcontains } @@ -133,9 +169,8 @@ func handleCAP(c *Client, e Event) { continue } - c.state.tmpCap = append(c.state.tmpCap, k) + c.state.tmpCap[capName] = caps[capName] } - c.state.Unlock() // Indicates if this is a multi-line LS. (3 args means it's the // last LS). @@ -147,31 +182,113 @@ func handleCAP(c *Client, e Event) { } // Let them know which ones we'd like to enable. - c.write(&Event{Command: CAP, Params: []string{CAP_REQ, strings.Join(c.state.tmpCap, " ")}}) - - // Re-initialize the tmpCap, so if we get multiple 'CAP LS' requests - // due to cap-notify, we can re-evaluate what we can support. - c.state.Lock() - c.state.tmpCap = []string{} - c.state.Unlock() + reqKeys := make([]string, len(c.state.tmpCap)) + i := 0 + for k := range c.state.tmpCap { + reqKeys[i] = k + i++ + } + c.write(&Event{Command: CAP, Params: []string{CAP_REQ, strings.Join(reqKeys, " ")}}) } } if len(e.Params) == 3 && e.Params[1] == CAP_ACK { - c.state.Lock() - c.state.enabledCap = strings.Split(e.Last(), " ") - - // Do we need to do sasl auth? - wantsSASL := false - for i := 0; i < len(c.state.enabledCap); i++ { - if c.state.enabledCap[i] == "sasl" { - wantsSASL = true - break + enabled := strings.Split(e.Last(), " ") + for _, cap := range enabled { + if val, ok := c.state.tmpCap[cap]; ok { + c.state.enabledCap[cap] = val + } else { + c.state.enabledCap[cap] = nil + } + } + + // Anything client side that needs to be setup post-capability-acknowledgement, + // should be done here. + + // Handle STS, and only if it's something specifically we enabled (client + // may choose to disable girc automatic STS, and do it themselves). + if sts, sok := c.state.enabledCap["sts"]; sok && !c.Config.DisableSTS { + var isError bool + + // Some things are updated in the policy depending on if the current + // connection is over tls or not. + var hasTLSConnection bool + if tlsState, _ := c.TLSConnectionState(); tlsState != nil { + hasTLSConnection = true + } + + // "This key indicates the port number for making a secure connection. + // This key’s value MUST be a single port number. If the client is not + // already connected securely to the server at the requested hostname, + // it MUST close the insecure connection and reconnect securely on the + // stated port. + // + // To enforce an STS upgrade policy, servers MUST send this key to + // insecurely connected clients. Servers MAY send this key to securely + // connected clients, but it will be ignored." + // + // See: https://ircv3.net/specs/extensions/sts#the-port-key + if !hasTLSConnection { + if port, ok := sts["port"]; ok { + c.state.sts.upgradePort, _ = strconv.Atoi(port) + if c.state.sts.upgradePort < 21 { + isError = true + } + } else { + isError = true + } + } + + // "This key is used on secure connections to indicate how long clients + // MUST continue to use secure connections when connecting to the server + // at the requested hostname. The value of this key MUST be given as a + // single integer which represents the number of seconds until the persistence + // policy expires. + // + // To enforce an STS persistence policy, servers MUST send this key to + // securely connected clients. Servers MAY send this key to all clients, + // but insecurely connected clients MUST ignore it." + // + // See: https://ircv3.net/specs/extensions/sts#the-duration-key + if hasTLSConnection { + if duration, ok := sts["duration"]; ok { + c.state.sts.persistenceDuration, _ = strconv.Atoi(duration) + c.state.sts.persistenceReceived = time.Now() + } else { + isError = true + } + } + + // See: https://ircv3.net/specs/extensions/sts#the-preload-key + if hasTLSConnection { + if preload, ok := sts["preload"]; ok { + c.state.sts.preload, _ = strconv.ParseBool(preload) + } + } + + if isError { + c.rx <- &Event{Command: ERROR, Params: []string{ + fmt.Sprintf("closing connection: strict transport policy provided by server is invalid; possible MITM? config: %#v", sts), + }} + return + } + + // Only upgrade if not already upgraded. + if !hasTLSConnection { + c.state.sts.beginUpgrade = true + + c.RunHandlers(&Event{Command: STS_UPGRADE_INIT}) + c.debug.Println("strict transport security policy provided by server; closing connection to begin upgrade...") + c.Close() + return } } - c.state.Unlock() - if wantsSASL { + // Re-initialize the tmpCap, so if we get multiple 'CAP LS' requests + // due to cap-notify, we can re-evaluate what we can support. + c.state.tmpCap = make(map[string]map[string]string) + + if _, ok := c.state.enabledCap["sasl"]; ok && c.Config.SASL != nil { c.write(&Event{Command: AUTHENTICATE, Params: []string{c.Config.SASL.Method()}}) // Don't "CAP END", since we want to authenticate. return |