summaryrefslogtreecommitdiffstats
path: root/vendor/github.com/lrstanley/girc/cap.go
diff options
context:
space:
mode:
authorWim <wim@42.be>2019-09-07 21:35:45 +0200
committerGitHub <noreply@github.com>2019-09-07 21:35:45 +0200
commit1532f6e42798d1071c8a97423e838338bed7b570 (patch)
tree4ae23c4a5da97e8c1d86a28460340fa2cb5e1c78 /vendor/github.com/lrstanley/girc/cap.go
parent9327810bbfe9cf0da2415d223fc642d943ff2ade (diff)
downloadmatterbridge-msglm-1532f6e42798d1071c8a97423e838338bed7b570.tar.gz
matterbridge-msglm-1532f6e42798d1071c8a97423e838338bed7b570.tar.bz2
matterbridge-msglm-1532f6e42798d1071c8a97423e838338bed7b570.zip
Update lrstanley/girc vendor (#884)
Diffstat (limited to 'vendor/github.com/lrstanley/girc/cap.go')
-rw-r--r--vendor/github.com/lrstanley/girc/cap.go191
1 files changed, 154 insertions, 37 deletions
diff --git a/vendor/github.com/lrstanley/girc/cap.go b/vendor/github.com/lrstanley/girc/cap.go
index 5995233f..38ff210c 100644
--- a/vendor/github.com/lrstanley/girc/cap.go
+++ b/vendor/github.com/lrstanley/girc/cap.go
@@ -5,7 +5,10 @@
package girc
import (
+ "fmt"
+ "strconv"
"strings"
+ "time"
)
// Something not in the list? Depending on the type of capability, you can
@@ -19,13 +22,20 @@ var possibleCap = map[string][]string{
"chghost": nil,
"extended-join": nil,
"invite-notify": nil,
+ "message-tags": nil,
+ "msgid": nil,
"multi-prefix": nil,
"server-time": nil,
"userhost-in-names": nil,
+ // Supported draft versions, some may be duplicated above, this is for backwards
+ // compatibility.
"draft/message-tags-0.2": nil,
"draft/msgid": nil,
+ // sts, sasl, etc are enabled dynamically/depending on client configuration,
+ // so aren't included on this list.
+
// "echo-message" is supported, but it's not enabled by default. This is
// to prevent unwanted confusion and utilize less traffic if it's not needed.
// echo messages aren't sent to girc.PRIVMSG and girc.NOTICE handlers,
@@ -51,6 +61,17 @@ func possibleCapList(c *Client) map[string][]string {
out["sasl"] = nil
}
+ if !c.Config.DisableSTS && !c.Config.SSL {
+ // If fallback supported, and we failed recently, don't try negotiating STS.
+ // ONLY do this fallback if we're expired (primarily useful during the first
+ // sts negotation).
+ if time.Since(c.state.sts.lastFailed) < 5*time.Minute && !c.Config.DisableSTSFallback {
+ c.debug.Println("skipping strict transport policy negotiation; failed within the last 5 minutes")
+ } else {
+ out["sts"] = nil
+ }
+ }
+
for k := range c.Config.SupportedCaps {
out[k] = c.Config.SupportedCaps[k]
}
@@ -62,8 +83,8 @@ func possibleCapList(c *Client) map[string][]string {
return out
}
-func parseCap(raw string) map[string][]string {
- out := make(map[string][]string)
+func parseCap(raw string) map[string]map[string]string {
+ out := make(map[string]map[string]string)
parts := strings.Split(raw, " ")
var val int
@@ -78,7 +99,16 @@ func parseCap(raw string) map[string][]string {
continue
}
- out[parts[i][:val]] = strings.Split(parts[i][val+1:], ",")
+ out[parts[i][:val]] = make(map[string]string)
+ for _, option := range strings.Split(parts[i][val+1:], ",") {
+ j := strings.Index(option, "=")
+
+ if j < 0 {
+ out[parts[i][:val]][option] = ""
+ } else {
+ out[parts[i][:val]][option[:j]] = option[j+1 : len(option)]
+ }
+ }
}
return out
@@ -88,8 +118,15 @@ func parseCap(raw string) map[string][]string {
// This will lock further registration until we have acknowledged (or denied)
// the capabilities.
func handleCAP(c *Client, e Event) {
- if len(e.Params) >= 2 && (e.Params[1] == CAP_NEW || e.Params[1] == CAP_DEL) {
- c.listCAP()
+ c.state.Lock()
+ defer c.state.Unlock()
+
+ if len(e.Params) >= 2 && e.Params[1] == CAP_DEL {
+ caps := parseCap(e.Last())
+ for cap := range caps {
+ // TODO: test the deletion.
+ delete(c.state.enabledCap, cap)
+ }
return
}
@@ -101,27 +138,26 @@ func handleCAP(c *Client, e Event) {
}
possible := possibleCapList(c)
-
- if len(e.Params) >= 3 && e.Params[1] == CAP_LS {
- c.state.Lock()
-
+ // TODO: test the addition.
+ if len(e.Params) >= 3 && (e.Params[1] == CAP_LS || e.Params[1] == CAP_NEW) {
caps := parseCap(e.Last())
- for k := range caps {
- if _, ok := possible[k]; !ok {
+ for capName := range caps {
+ if _, ok := possible[capName]; !ok {
continue
}
- if len(possible[k]) == 0 || len(caps[k]) == 0 {
- c.state.tmpCap = append(c.state.tmpCap, k)
+ if len(possible[capName]) == 0 || len(caps[capName]) == 0 {
+ c.state.tmpCap[capName] = caps[capName]
continue
}
var contains bool
- for i := 0; i < len(caps[k]); i++ {
- for j := 0; j < len(possible[k]); j++ {
- if caps[k][i] == possible[k][j] {
- // Assume we have a matching split value.
+
+ for capAttr := range caps[capName] {
+ for i := 0; i < len(possible[capName]); i++ {
+ if _, ok := caps[capName][capAttr]; ok {
+ // Assuming we have a matching attribute for the capability.
contains = true
goto checkcontains
}
@@ -133,9 +169,8 @@ func handleCAP(c *Client, e Event) {
continue
}
- c.state.tmpCap = append(c.state.tmpCap, k)
+ c.state.tmpCap[capName] = caps[capName]
}
- c.state.Unlock()
// Indicates if this is a multi-line LS. (3 args means it's the
// last LS).
@@ -147,31 +182,113 @@ func handleCAP(c *Client, e Event) {
}
// Let them know which ones we'd like to enable.
- c.write(&Event{Command: CAP, Params: []string{CAP_REQ, strings.Join(c.state.tmpCap, " ")}})
-
- // Re-initialize the tmpCap, so if we get multiple 'CAP LS' requests
- // due to cap-notify, we can re-evaluate what we can support.
- c.state.Lock()
- c.state.tmpCap = []string{}
- c.state.Unlock()
+ reqKeys := make([]string, len(c.state.tmpCap))
+ i := 0
+ for k := range c.state.tmpCap {
+ reqKeys[i] = k
+ i++
+ }
+ c.write(&Event{Command: CAP, Params: []string{CAP_REQ, strings.Join(reqKeys, " ")}})
}
}
if len(e.Params) == 3 && e.Params[1] == CAP_ACK {
- c.state.Lock()
- c.state.enabledCap = strings.Split(e.Last(), " ")
-
- // Do we need to do sasl auth?
- wantsSASL := false
- for i := 0; i < len(c.state.enabledCap); i++ {
- if c.state.enabledCap[i] == "sasl" {
- wantsSASL = true
- break
+ enabled := strings.Split(e.Last(), " ")
+ for _, cap := range enabled {
+ if val, ok := c.state.tmpCap[cap]; ok {
+ c.state.enabledCap[cap] = val
+ } else {
+ c.state.enabledCap[cap] = nil
+ }
+ }
+
+ // Anything client side that needs to be setup post-capability-acknowledgement,
+ // should be done here.
+
+ // Handle STS, and only if it's something specifically we enabled (client
+ // may choose to disable girc automatic STS, and do it themselves).
+ if sts, sok := c.state.enabledCap["sts"]; sok && !c.Config.DisableSTS {
+ var isError bool
+
+ // Some things are updated in the policy depending on if the current
+ // connection is over tls or not.
+ var hasTLSConnection bool
+ if tlsState, _ := c.TLSConnectionState(); tlsState != nil {
+ hasTLSConnection = true
+ }
+
+ // "This key indicates the port number for making a secure connection.
+ // This key’s value MUST be a single port number. If the client is not
+ // already connected securely to the server at the requested hostname,
+ // it MUST close the insecure connection and reconnect securely on the
+ // stated port.
+ //
+ // To enforce an STS upgrade policy, servers MUST send this key to
+ // insecurely connected clients. Servers MAY send this key to securely
+ // connected clients, but it will be ignored."
+ //
+ // See: https://ircv3.net/specs/extensions/sts#the-port-key
+ if !hasTLSConnection {
+ if port, ok := sts["port"]; ok {
+ c.state.sts.upgradePort, _ = strconv.Atoi(port)
+ if c.state.sts.upgradePort < 21 {
+ isError = true
+ }
+ } else {
+ isError = true
+ }
+ }
+
+ // "This key is used on secure connections to indicate how long clients
+ // MUST continue to use secure connections when connecting to the server
+ // at the requested hostname. The value of this key MUST be given as a
+ // single integer which represents the number of seconds until the persistence
+ // policy expires.
+ //
+ // To enforce an STS persistence policy, servers MUST send this key to
+ // securely connected clients. Servers MAY send this key to all clients,
+ // but insecurely connected clients MUST ignore it."
+ //
+ // See: https://ircv3.net/specs/extensions/sts#the-duration-key
+ if hasTLSConnection {
+ if duration, ok := sts["duration"]; ok {
+ c.state.sts.persistenceDuration, _ = strconv.Atoi(duration)
+ c.state.sts.persistenceReceived = time.Now()
+ } else {
+ isError = true
+ }
+ }
+
+ // See: https://ircv3.net/specs/extensions/sts#the-preload-key
+ if hasTLSConnection {
+ if preload, ok := sts["preload"]; ok {
+ c.state.sts.preload, _ = strconv.ParseBool(preload)
+ }
+ }
+
+ if isError {
+ c.rx <- &Event{Command: ERROR, Params: []string{
+ fmt.Sprintf("closing connection: strict transport policy provided by server is invalid; possible MITM? config: %#v", sts),
+ }}
+ return
+ }
+
+ // Only upgrade if not already upgraded.
+ if !hasTLSConnection {
+ c.state.sts.beginUpgrade = true
+
+ c.RunHandlers(&Event{Command: STS_UPGRADE_INIT})
+ c.debug.Println("strict transport security policy provided by server; closing connection to begin upgrade...")
+ c.Close()
+ return
}
}
- c.state.Unlock()
- if wantsSASL {
+ // Re-initialize the tmpCap, so if we get multiple 'CAP LS' requests
+ // due to cap-notify, we can re-evaluate what we can support.
+ c.state.tmpCap = make(map[string]map[string]string)
+
+ if _, ok := c.state.enabledCap["sasl"]; ok && c.Config.SASL != nil {
c.write(&Event{Command: AUTHENTICATE, Params: []string{c.Config.SASL.Method()}})
// Don't "CAP END", since we want to authenticate.
return