authorC. McEnroe <june@causal.agency>2020-02-27 18:36:44 -0500
committerC. McEnroe <june@causal.agency>2020-02-27 18:36:44 -0500
commit3f89b14700daa30f456902f22f6c22ecdd35a48a (patch)
tree705759c24e1535dfcc37f3289362a40b030f89ff
parentDocument the causal.agency/consumer vendor capability (diff)
Advertise STS policy
Duration is set to INT_MAX since pounce will never accept cleartext connections.
-rw-r--r--bounce.c4
-rw-r--r--bounce.h2
-rw-r--r--client.c10
-rw-r--r--pounce.115
-rw-r--r--state.c2
5 files changed, 28 insertions, 5 deletions
diff --git a/bounce.c b/bounce.c
index 19e2dd4..efcc59d 100644
--- a/bounce.c
+++ b/bounce.c
@@ -272,7 +272,7 @@ int main(int argc, char *argv[]) {
const char *join = NULL;
const char *quit = "connection reset by purr";
- const char *Opts = "!A:C:H:K:NP:S:U:W:a:c:ef:g:h:j:k:n:p:q:r:s:u:vw:xy:";
+ const char *Opts = "!A:C:H:K:NP:S:TU:W:a:c:ef:g:h:j:k:n:p:q:r:s:u:vw:xy:";
const struct option LongOpts[] = {
{ "insecure", no_argument, NULL, '!' },
{ "local-ca", required_argument, NULL, 'A' },
@@ -282,6 +282,7 @@ int main(int argc, char *argv[]) {
{ "no-names", no_argument, NULL, 'N' },
{ "local-port", required_argument, NULL, 'P' },
{ "bind", required_argument, NULL, 'S' },
+ { "no-sts", no_argument, NULL, 'T' },
{ "local-path", required_argument, NULL, 'U' },
{ "local-pass", required_argument, NULL, 'W' },
{ "sasl-plain", required_argument, NULL, 'a' },
@@ -324,6 +325,7 @@ int main(int argc, char *argv[]) {
break; case 'N': stateNoNames = true;
break; case 'P': bindPort = optarg;
break; case 'S': serverBindHost = optarg;
+ break; case 'T': clientSTS = false;
break; case 'U': strlcpy(bindPath, optarg, sizeof(bindPath));
break; case 'W': clientPass = optarg;
break; case 'a': sasl = true; plain = optarg;
diff --git a/bounce.h b/bounce.h
index f8ab0c0..ffbd24b 100644
--- a/bounce.h
+++ b/bounce.h
@@ -81,6 +81,7 @@ static inline struct Message parse(char *line) {
X("sasl", CapSASL) \
X("server-time", CapServerTime) \
X("setname", CapSetname) \
+ X("sts", CapSTS) \
X("userhost-in-names", CapUserhostInNames) \
X("", CapUnsupported)
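Review bot: The new `X("sts", CapSTS)` entry lands in a table that also drives the upstream `CAP REQ` in state.c, where the commit has to mask `CapSTS` out by hand, and nothing in bounce.h tells the next reader that this capability is advertise-to-clients only. A short comment on the table, placed above the macro definition rather than inside the line-continued list, would make that explicit, e.g. `/* CapSTS is advertised to clients only and must never be REQ'd from the server; state.c masks it out. */`. Without it, the next cap added to this table for client-side advertising will likely repeat the same omission.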
@@ -166,6 +167,7 @@ void serverFormat(const char *format, ...)
__attribute__((format(printf, 1, 2)));
extern bool clientCA;
+extern bool clientSTS;
extern char *clientPass;
extern char *clientAway;
struct Client *clientAlloc(struct tls *tls);
diff --git a/client.c b/client.c
index 66d07d0..25707a8 100644
--- a/client.c
+++ b/client.c
@@ -31,6 +31,7 @@
#include "bounce.h"
bool clientCA;
+bool clientSTS = true;
char *clientPass;
char *clientAway;
@@ -168,8 +169,13 @@ static void handleCap(struct Client *client, struct Message *msg) {
if (!msg->params[0]) msg->params[0] = "";
enum Cap avail = (stateCaps & ~CapSASL)
- | CapServerTime | CapConsumer | CapPassive | (clientCA ? CapSASL : 0);
- const char *values[CapBits] = { [CapSASLBit] = "EXTERNAL" };
+ | CapServerTime | CapConsumer | CapPassive
+ | (clientCA ? CapSASL : 0)
+ | (clientSTS ? CapSTS : 0);
+ const char *values[CapBits] = {
+ [CapSASLBit] = "EXTERNAL",
+ [CapSTSBit] = "duration=2147483647",
+ };
if (!strcmp(msg->params[0], "END")) {
if (!client->need) return;
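Review bot: The `duration=2147483647` literal at `[CapSTSBit]` carries none of the rationale from the commit message, so a reader of client.c cannot tell why INT_MAX was chosen or that the absence of a `port` key is deliberate. A one-line comment above the initializer would fix that: `// STS never expires: pounce only ever accepts TLS, so no port key is advertised.` Keeping the value at INT_MAX rather than something larger also keeps it parseable by clients that store the duration in a 32-bit signed integer, which is worth stating if that was the intent. With a near-infinite duration, `-T`/`--no-sts` only stops advertising the policy; clients that already persisted it keep enforcing TLS for this host:port, which is harmless here since pounce never accepts cleartext, but deserves a sentence in pounce.1. handleCap continues outside the hunk.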
diff --git a/pounce.1 b/pounce.1
index 7b3e5bf..b61527a 100644
--- a/pounce.1
+++ b/pounce.1
@@ -8,7 +8,7 @@
.
.Sh SYNOPSIS
.Nm
-.Op Fl Nev
+.Op Fl NTev
.Op Fl A Ar cert
.Op Fl C Ar cert
.Op Fl H Ar host
@@ -127,6 +127,11 @@ Bind to source address
.Ar host
when connecting to the server.
.
+.It Fl T
+Do not advertise a
+strict transport security (STS) policy
+to clients.
+.
.It Fl U Ar path , Cm local-path = Ar path
Bind to a UNIX-domain socket at
.Ar path .
@@ -511,6 +516,14 @@ daemon implements the following:
.It
.Rs
.%A Attila Molnar
+.%A James Wheare
+.%T IRCv3 Strict Transport Security
+.%I IRCv3 Working Group
+.%U https://ircv3.net/specs/extensions/sts
+.Re
+.It
+.Rs
+.%A Attila Molnar
.%A William Pitcock
.%T IRCv3.2 SASL Authentication
.%I IRCv3 Working Group
diff --git a/state.c b/state.c
index d667971..dc69547 100644
--- a/state.c
+++ b/state.c
@@ -80,7 +80,7 @@ static void handleCap(struct Message *msg) {
}
if (!strcmp(msg->params[1], "LS") || !strcmp(msg->params[1], "NEW")) {
- caps &= ~(CapSASL | CapUnsupported);
+ caps &= ~(CapSASL | CapSTS | CapUnsupported);
if (caps) serverFormat("CAP REQ :%s\r\n", capList(caps, NULL));
} else if (!strcmp(msg->params[1], "ACK")) {