fix PROXY protocol support for IPv6

1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs.
2018-09-03 00:19:10 -04:00 · 2018-09-03 00:19:10 -04:00 · 10d4f77638
commit 10d4f77638
parent f0491c2254
5 changed files with 68 additions and 39 deletions
--- a/irc/gateways.go
+++ b/irc/gateways.go
@ -6,13 +6,20 @@
 package irc

 import (
+	"errors"
 	"fmt"
 	"net"
+	"strings"

 	"github.com/oragono/oragono/irc/modes"
 	"github.com/oragono/oragono/irc/utils"
 )

+var (
+	errBadGatewayAddress = errors.New("PROXY/WEBIRC commands are not accepted from this IP address")
+	errBadProxyLine      = errors.New("Invalid PROXY/WEBIRC command")
+)
+
 type webircConfig struct {
 	PasswordString string `yaml:"password"`
 	Password       []byte `yaml:"password-bytes"`
@ -57,22 +64,29 @@ func isGatewayAllowed(addr net.Addr, gatewaySpec string) bool {
 }

 // ApplyProxiedIP applies the given IP to the client.
-func (client *Client) ApplyProxiedIP(proxiedIP string, tls bool) (exiting bool) {
+func (client *Client) ApplyProxiedIP(proxiedIP string, tls bool) (success bool) {
 	// ensure IP is sane
 	parsedProxiedIP := net.ParseIP(proxiedIP)
 	if parsedProxiedIP == nil {
 		client.Quit(fmt.Sprintf(client.t("Proxied IP address is not valid: [%s]"), proxiedIP))
-		return true
+		return false
+	}
+
+	// undo any mapping of v4 addresses into the v6 space: https://stackoverflow.com/a/1618259
+	// this is how a typical stunnel4 deployment on Linux will handle dual-stack
+	unmappedIP := parsedProxiedIP.To4()
+	if unmappedIP != nil {
+		parsedProxiedIP = unmappedIP
 	}

 	isBanned, banMsg := client.server.checkBans(parsedProxiedIP)
 	if isBanned {
 		client.Quit(banMsg)
-		return true
+		return false
 	}

 	// given IP is sane! override the client's current IP
-	rawHostname := utils.LookupHostname(proxiedIP)
+	rawHostname := utils.LookupHostname(parsedProxiedIP.String())
 	client.stateMutex.Lock()
 	client.proxiedIP = parsedProxiedIP
 	client.rawHostname = rawHostname
@ -83,5 +97,37 @@ func (client *Client) ApplyProxiedIP(proxiedIP string, tls bool) (exiting bool)
 	client.certfp = ""
 	client.SetMode(modes.TLS, tls)

-	return false
+	return true
+}
+
+// handle the PROXY command: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
+// PROXY must be sent as the first message in the session and has the syntax:
+// PROXY TCP[46] SOURCEIP DESTIP SOURCEPORT DESTPORT\r\n
+// unfortunately, an ipv6 SOURCEIP can start with a double colon; in this case,
+// the message is invalid IRC and can't be parsed normally, hence the special handling.
+func handleProxyCommand(server *Server, client *Client, line string) (err error) {
+	defer func() {
+		if err != nil {
+			client.Quit(client.t("Bad or unauthorized PROXY command"))
+		}
+	}()
+
+	params := strings.Fields(line)
+	if len(params) != 6 {
+		return errBadProxyLine
+	}
+
+	for _, gateway := range server.ProxyAllowedFrom() {
+		if isGatewayAllowed(client.socket.conn.RemoteAddr(), gateway) {
+			// assume PROXY connections are always secure
+			if client.ApplyProxiedIP(params[2], true) {
+				return nil
+			} else {
+				return errBadProxyLine
+			}
+		}
+	}
+
+	// real source IP is not authorized to issue PROXY:
+	return errBadGatewayAddress
 }