Tor listeners should never see an STS cap.

Add an undocumented 'hide-sts' key for listeners that hides the STS cap.
This can be used if the listener is secured at layer 3 or 4 (VPNs,
E2E mixnets). It will be necessary to add the relevant IPs to `secure-nets`.
This commit is contained in:
Shivaram Lingamneni 2020-12-05 23:06:23 -05:00
parent 23a7221137
commit 7bdbb01238
4 changed files with 13 additions and 0 deletions


@ -59,6 +59,7 @@ type listenerConfigBlock struct {
Tor bool
STSOnly bool `yaml:"sts-only"`
WebSocket bool
HideSTS bool `yaml:"hide-sts"`
}
type PersistentStatus uint
@ -532,6 +533,7 @@ type Config struct {
SecureNetDefs []string `yaml:"secure-nets"`
secureNets []net.IPNet
supportedCaps *caps.Set
supportedCapsWithoutSTS *caps.Set
capValues caps.Values
Casemapping Casemapping
EnforceUtf8 bool `yaml:"enforce-utf8"`
@ -834,6 +836,7 @@ func (conf *Config) prepareListeners() (err error) {
}
lconf.RequireProxy = block.TLS.Proxy || block.Proxy
lconf.WebSocket = block.WebSocket
lconf.HideSTS = block.HideSTS
conf.Server.trueListeners[addr] = lconf
}
return nil
@ -1371,6 +1374,11 @@ func LoadConfig(filename string) (config *Config, err error) {
return nil, fmt.Errorf("failed to prepare listeners: %v", err)
}
// #1428: Tor listeners should never see STS
config.Server.supportedCapsWithoutSTS = caps.NewSet()
config.Server.supportedCapsWithoutSTS.Union(config.Server.supportedCaps)
config.Server.supportedCapsWithoutSTS.Disable(caps.STS)
return config, nil
}
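Review bot: The new `HideSTS` field in listenerConfigBlock carries no comment, and the commit message itself calls the `hide-sts` key undocumented, so the precondition that makes it safe (the listener is already secured at layer 3/4 and its IPs are listed in `secure-nets`) lives only in this commit's description; suggest `// HideSTS suppresses the STS cap on this listener. Only set it for listeners already secured at layer 3/4 (VPNs, E2E mixnets); the relevant IPs must also be listed in secure-nets.` on that field. If `sts-only` means what its name suggests, the two keys contradict each other on the same listener, and prepareListeners could reject the combination next to the `lconf.HideSTS = block.HideSTS` line, e.g. `if block.STSOnly && block.HideSTS { return fmt.Errorf("listener %s: sts-only and hide-sts are mutually exclusive", addr) }`. The title says Tor listeners should never see STS, but none of the visible hunks force a Tor listener onto `supportedCapsWithoutSTS`; presumably that happens in one of the three changed files not shown here. Both prepareListeners and LoadConfig begin outside their hunks.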