ircd/irc/gateways.go

// Copyright (c) 2012-2014 Jeremy Latt
// Copyright (c) 2014-2015 Edmund Huber
// Copyright (c) 2017 Daniel Oaks <daniel@danieloaks.net>
// released under the MIT license

package irc

import (
	"errors"
	"net"

	"github.com/oragono/oragono/irc/modes"
	"github.com/oragono/oragono/irc/utils"
)

var (
	errBadGatewayAddress = errors.New("PROXY/WEBIRC commands are not accepted from this IP address")
	errBadProxyLine      = errors.New("Invalid PROXY/WEBIRC command")
)

const (
	// https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
	// "a 108-byte buffer is always enough to store all the line and a trailing zero
	// for string processing."
	maxProxyLineLen = 107
)

type webircConfig struct {
	PasswordString string  `yaml:"password"`
	Password       []byte  `yaml:"password-bytes"`
	Fingerprint    *string // legacy name for certfp, #1050
	Certfp         string
	Hosts          []string
	allowedNets    []net.IPNet
}

// Populate fills out our password or fingerprint.
func (wc *webircConfig) Populate() (err error) {
	if wc.PasswordString != "" {
		wc.Password, err = decodeLegacyPasswordHash(wc.PasswordString)
		if err != nil {
			return
		}
	}

	certfp := wc.Certfp
	if certfp == "" && wc.Fingerprint != nil {
		certfp = *wc.Fingerprint
	}
	if certfp != "" {
		wc.Certfp, err = utils.NormalizeCertfp(certfp)
	}
	if err != nil {
		return
	}

	if wc.Certfp == "" && wc.PasswordString == "" {
		return errors.New("webirc block has no certfp or password specified")
	}

	wc.allowedNets, err = utils.ParseNetList(wc.Hosts)
	return err
}

// ApplyProxiedIP applies the given IP to the client.
func (client *Client) ApplyProxiedIP(session *Session, proxiedIP net.IP, tls bool) (err error, quitMsg string) {
	// PROXY and WEBIRC are never accepted from a Tor listener, even if the address itself
	// is whitelisted. Furthermore, don't accept PROXY or WEBIRC if we already accepted
	// a proxied IP from any source (PROXY, WEBIRC, or X-Forwarded-For):
	if session.isTor || session.proxiedIP != nil {
		return errBadProxyLine, ""
	}

	// ensure IP is sane
	if proxiedIP == nil {
		return errBadProxyLine, "proxied IP is not valid"
	}
	proxiedIP = proxiedIP.To16()

	isBanned, requireSASL, banMsg := client.server.checkBans(client.server.Config(), proxiedIP, true)
	if isBanned {
		return errBanned, banMsg
	}
	client.requireSASL = requireSASL
	if requireSASL {
		client.requireSASLMessage = banMsg
	}
	// successfully added a limiter entry for the proxied IP;
	// remove the entry for the real IP if applicable (#197)
	client.server.connectionLimiter.RemoveClient(session.realIP)

	// given IP is sane! override the client's current IP
	client.server.logger.Info("connect-ip", "Accepted proxy IP for client", proxiedIP.String())

	client.stateMutex.Lock()
	defer client.stateMutex.Unlock()
	client.proxiedIP = proxiedIP
	session.proxiedIP = proxiedIP
	// nickmask will be updated when the client completes registration
	// set tls info
	session.certfp = ""
	session.peerCerts = nil
	client.SetMode(modes.TLS, tls)

	return nil, ""
}

// handle the PROXY command: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
// PROXY must be sent as the first message in the session and has the syntax:
// PROXY TCP[46] SOURCEIP DESTIP SOURCEPORT DESTPORT\r\n
// unfortunately, an ipv6 SOURCEIP can start with a double colon; in this case,
// the message is invalid IRC and can't be parsed normally, hence the special handling.
func handleProxyCommand(server *Server, client *Client, session *Session, line string) (err error) {
	var quitMsg string
	defer func() {
		if err != nil {
			if quitMsg == "" {
				quitMsg = client.t("Bad or unauthorized PROXY command")
			}
			client.Quit(quitMsg, session)
		}
	}()

	ip, err := utils.ParseProxyLineV1(line)
	if err != nil {
		return err
	} else if ip == nil {
		return nil
	}

	if utils.IPInNets(client.realIP, server.Config().Server.proxyAllowedFromNets) {
		// assume PROXY connections are always secure
		err, quitMsg = client.ApplyProxiedIP(session, ip, true)
		return
	} else {
		// real source IP is not authorized to issue PROXY:
		return errBadGatewayAddress
	}
}
Allow WEBIRC from specified hosts 2017-10-15 06:18:14 +00:00			`// Copyright (c) 2012-2014 Jeremy Latt`
			`// Copyright (c) 2014-2015 Edmund Huber`
			`// Copyright (c) 2017 Daniel Oaks <daniel@danieloaks.net>`
			`// released under the MIT license`

			`package irc`

			`import (`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 04:19:10 +00:00			`"errors"`
Allow WEBIRC from specified hosts 2017-10-15 06:18:14 +00:00			`"net"`

Split modes into a subpackage (this is painful, but will force us to simplify and improve the API for interacting with modes) 2018-02-03 10:21:32 +00:00			`"github.com/oragono/oragono/irc/modes"`
Allow WEBIRC from specified hosts 2017-10-15 06:18:14 +00:00			`"github.com/oragono/oragono/irc/utils"`
			`)`

fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 04:19:10 +00:00			`var (`
			`errBadGatewayAddress = errors.New("PROXY/WEBIRC commands are not accepted from this IP address")`
			`errBadProxyLine = errors.New("Invalid PROXY/WEBIRC command")`
			`)`

fix #561, take 2 2019-11-20 22:14:42 +00:00			`const (`
			`// https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt`
			`// "a 108-byte buffer is always enough to store all the line and a trailing zero`
			`// for string processing."`
			`maxProxyLineLen = 107`
			`)`

Allow WEBIRC from specified hosts 2017-10-15 06:18:14 +00:00			`type webircConfig struct {`
fix #1050 2020-06-21 19:46:08 +00:00			PasswordString string `yaml:"password"`
			Password []byte `yaml:"password-bytes"`
			`Fingerprint *string // legacy name for certfp, #1050`
			`Certfp string`
WEBIRC: Export fields so the config loads properly 2017-10-15 08:15:18 +00:00			`Hosts []string`
add sasl-only config option 2019-02-05 05:19:03 +00:00			`allowedNets []net.IPNet`
Allow WEBIRC from specified hosts 2017-10-15 06:18:14 +00:00			`}`

WEBIRC: Allow protecting with fingerprint and parse `tls` flag 2017-10-15 22:47:49 +00:00			`// Populate fills out our password or fingerprint.`
			`func (wc *webircConfig) Populate() (err error) {`
fix #1050 2020-06-21 19:46:08 +00:00			`if wc.PasswordString != "" {`
refactor the password hashing / password autoupgrade system 2018-08-06 02:51:39 +00:00			`wc.Password, err = decodeLegacyPasswordHash(wc.PasswordString)`
fix #1050 2020-06-21 19:46:08 +00:00			`if err != nil {`
			`return`
			`}`
WEBIRC: Allow protecting with fingerprint and parse `tls` flag 2017-10-15 22:47:49 +00:00			`}`
support unix domain sockets 2018-02-01 20:53:49 +00:00
fix #1050 2020-06-21 19:46:08 +00:00			`certfp := wc.Certfp`
			`if certfp == "" && wc.Fingerprint != nil {`
			`certfp = *wc.Fingerprint`
			`}`
			`if certfp != "" {`
			`wc.Certfp, err = utils.NormalizeCertfp(certfp)`
			`}`
			`if err != nil {`
			`return`
fix #530, #721 2019-12-29 16:59:49 +00:00			`}`

fix #1050 2020-06-21 19:46:08 +00:00			`if wc.Certfp == "" && wc.PasswordString == "" {`
Move config errors to call sites Since allocating them is rare. 2020-08-03 16:55:52 +00:00			`return errors.New("webirc block has no certfp or password specified")`
support unix domain sockets 2018-02-01 20:53:49 +00:00			`}`

fix #1050 2020-06-21 19:46:08 +00:00			`wc.allowedNets, err = utils.ParseNetList(wc.Hosts)`
add sasl-only config option 2019-02-05 05:19:03 +00:00			`return err`
support unix domain sockets 2018-02-01 20:53:49 +00:00			`}`

Allow WEBIRC from specified hosts 2017-10-15 06:18:14 +00:00			`// ApplyProxiedIP applies the given IP to the client.`
more work on websocket support 2020-05-05 02:29:10 +00:00			`func (client Client) ApplyProxiedIP(session Session, proxiedIP net.IP, tls bool) (err error, quitMsg string) {`
add support for tor (#369) 2019-02-26 02:50:43 +00:00			`// PROXY and WEBIRC are never accepted from a Tor listener, even if the address itself`
fix untrusted PROXY lines being accepted As of 3dc5c8de787309, the PROXY-before-TLS proxy line and any proxy information carried in X-Forwarded-For do not count as the "first line", so an additional client-supplied PROXY line would have been accepted. 2020-05-10 23:12:18 +00:00			`// is whitelisted. Furthermore, don't accept PROXY or WEBIRC if we already accepted`
			`// a proxied IP from any source (PROXY, WEBIRC, or X-Forwarded-For):`
			`if session.isTor \|\| session.proxiedIP != nil {`
pass the correct quit message when a proxied client is banned If you were banned and the ban was only detected when you proxied (because you were proxying from a DLINE'd IP), you'd get an incorrect quit message: `QUIT: Bad or unauthorized PROXY command`. This propagates the correct ban message as the quit line. 2019-05-13 05:54:50 +00:00			`return errBadProxyLine, ""`
add support for tor (#369) 2019-02-26 02:50:43 +00:00			`}`

Allow WEBIRC from specified hosts 2017-10-15 06:18:14 +00:00			`// ensure IP is sane`
more work on websocket support 2020-05-05 02:29:10 +00:00			`if proxiedIP == nil {`
			`return errBadProxyLine, "proxied IP is not valid"`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 04:19:10 +00:00			`}`
more work on websocket support 2020-05-05 02:29:10 +00:00			`proxiedIP = proxiedIP.To16()`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 04:19:10 +00:00
scripting API for IP bans See discussion on #68. 2020-09-14 08:28:12 +00:00			`isBanned, requireSASL, banMsg := client.server.checkBans(client.server.Config(), proxiedIP, true)`
Allow WEBIRC from specified hosts 2017-10-15 06:18:14 +00:00			`if isBanned {`
pass the correct quit message when a proxied client is banned If you were banned and the ban was only detected when you proxied (because you were proxying from a DLINE'd IP), you'd get an incorrect quit message: `QUIT: Bad or unauthorized PROXY command`. This propagates the correct ban message as the quit line. 2019-05-13 05:54:50 +00:00			`return errBanned, banMsg`
Allow WEBIRC from specified hosts 2017-10-15 06:18:14 +00:00			`}`
scripting API for IP bans See discussion on #68. 2020-09-14 08:28:12 +00:00			`client.requireSASL = requireSASL`
pass the require-sasl message through from the script 2020-09-14 12:11:56 +00:00			`if requireSASL {`
			`client.requireSASLMessage = banMsg`
			`}`
fix #197 2019-09-01 06:36:56 +00:00			`// successfully added a limiter entry for the proxied IP;`
			`// remove the entry for the real IP if applicable (#197)`
			`client.server.connectionLimiter.RemoveClient(session.realIP)`
Allow WEBIRC from specified hosts 2017-10-15 06:18:14 +00:00
			`// given IP is sane! override the client's current IP`
more work on websocket support 2020-05-05 02:29:10 +00:00			`client.server.logger.Info("connect-ip", "Accepted proxy IP for client", proxiedIP.String())`
clean something up in ApplyProxiedIP 2019-02-05 18:44:33 +00:00
review fixes, bug fixes 2018-04-23 06:38:35 +00:00			`client.stateMutex.Lock()`
clean something up in ApplyProxiedIP 2019-02-05 18:44:33 +00:00			`defer client.stateMutex.Unlock()`
more work on websocket support 2020-05-05 02:29:10 +00:00			`client.proxiedIP = proxiedIP`
			`session.proxiedIP = proxiedIP`
review fixes, bug fixes 2018-04-23 06:38:35 +00:00			`// nickmask will be updated when the client completes registration`
WEBIRC: Allow protecting with fingerprint and parse `tls` flag 2017-10-15 22:47:49 +00:00			`// set tls info`
move authentication data from Client to Session 2020-02-19 02:42:27 +00:00			`session.certfp = ""`
fix #414 2020-09-23 06:23:35 +00:00			`session.peerCerts = nil`
modes refactor, #255 2018-04-22 22:47:10 +00:00			`client.SetMode(modes.TLS, tls)`
WEBIRC: Allow protecting with fingerprint and parse `tls` flag 2017-10-15 22:47:49 +00:00
pass the correct quit message when a proxied client is banned If you were banned and the ban was only detected when you proxied (because you were proxying from a DLINE'd IP), you'd get an incorrect quit message: `QUIT: Bad or unauthorized PROXY command`. This propagates the correct ban message as the quit line. 2019-05-13 05:54:50 +00:00			`return nil, ""`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 04:19:10 +00:00			`}`

			`// handle the PROXY command: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt`
			`// PROXY must be sent as the first message in the session and has the syntax:`
			`// PROXY TCP[46] SOURCEIP DESTIP SOURCEPORT DESTPORT\r\n`
			`// unfortunately, an ipv6 SOURCEIP can start with a double colon; in this case,`
			`// the message is invalid IRC and can't be parsed normally, hence the special handling.`
initial implementation of bouncer functionality 2019-04-12 04:08:46 +00:00			`func handleProxyCommand(server Server, client Client, session *Session, line string) (err error) {`
pass the correct quit message when a proxied client is banned If you were banned and the ban was only detected when you proxied (because you were proxying from a DLINE'd IP), you'd get an incorrect quit message: `QUIT: Bad or unauthorized PROXY command`. This propagates the correct ban message as the quit line. 2019-05-13 05:54:50 +00:00			`var quitMsg string`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 04:19:10 +00:00			`defer func() {`
			`if err != nil {`
pass the correct quit message when a proxied client is banned If you were banned and the ban was only detected when you proxied (because you were proxying from a DLINE'd IP), you'd get an incorrect quit message: `QUIT: Bad or unauthorized PROXY command`. This propagates the correct ban message as the quit line. 2019-05-13 05:54:50 +00:00			`if quitMsg == "" {`
			`quitMsg = client.t("Bad or unauthorized PROXY command")`
			`}`
			`client.Quit(quitMsg, session)`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 04:19:10 +00:00			`}`
			`}()`

fix #1389 Support PROXY protocol v2, including ahead of plaintext connections 2020-11-19 17:31:58 +00:00			`ip, err := utils.ParseProxyLineV1(line)`
more work on websocket support 2020-05-05 02:29:10 +00:00			`if err != nil {`
			`return err`
fix #1389 Support PROXY protocol v2, including ahead of plaintext connections 2020-11-19 17:31:58 +00:00			`} else if ip == nil {`
			`return nil`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 04:19:10 +00:00			`}`

add sasl-only config option 2019-02-05 05:19:03 +00:00			`if utils.IPInNets(client.realIP, server.Config().Server.proxyAllowedFromNets) {`
			`// assume PROXY connections are always secure`
more work on websocket support 2020-05-05 02:29:10 +00:00			`err, quitMsg = client.ApplyProxiedIP(session, ip, true)`
pass the correct quit message when a proxied client is banned If you were banned and the ban was only detected when you proxied (because you were proxying from a DLINE'd IP), you'd get an incorrect quit message: `QUIT: Bad or unauthorized PROXY command`. This propagates the correct ban message as the quit line. 2019-05-13 05:54:50 +00:00			`return`
			`} else {`
			`// real source IP is not authorized to issue PROXY:`
			`return errBadGatewayAddress`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 04:19:10 +00:00			`}`
Allow WEBIRC from specified hosts 2017-10-15 06:18:14 +00:00			`}`