From 3f89b14700daa30f456902f22f6c22ecdd35a48a Mon Sep 17 00:00:00 2001
From: "C. McEnroe"
Date: Thu, 27 Feb 2020 18:36:44 -0500
Subject: Advertise STS policy

Duration is set to INT_MAX since pounce will never accept cleartext connections.
---
 bounce.c | 4 +++-
 bounce.h | 2 ++
 client.c | 10 ++++++++--
 pounce.1 | 15 ++++++++++++++-
 state.c | 2 +-
 5 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/bounce.c b/bounce.c
index 19e2dd4..efcc59d 100644
--- a/bounce.c
+++ b/bounce.c
@@ -272,7 +272,7 @@ int main(int argc, char *argv[]) {
 const char *join = NULL;
 const char *quit = "connection reset by purr";
- const char *Opts = "!A:C:H:K:NP:S:U:W:a:c:ef:g:h:j:k:n:p:q:r:s:u:vw:xy:";
+ const char *Opts = "!A:C:H:K:NP:S:TU:W:a:c:ef:g:h:j:k:n:p:q:r:s:u:vw:xy:";
 const struct option LongOpts[] = {
 { "insecure", no_argument, NULL, '!' },
 { "local-ca", required_argument, NULL, 'A' },
@@ -282,6 +282,7 @@ int main(int argc, char *argv[]) {
 { "no-names", no_argument, NULL, 'N' },
 { "local-port", required_argument, NULL, 'P' },
 { "bind", required_argument, NULL, 'S' },
+ { "no-sts", no_argument, NULL, 'T' },
 { "local-path", required_argument, NULL, 'U' },
 { "local-pass", required_argument, NULL, 'W' },
 { "sasl-plain", required_argument, NULL, 'a' },
@@ -324,6 +325,7 @@ int main(int argc, char *argv[]) {
 break; case 'N': stateNoNames = true;
 break; case 'P': bindPort = optarg;
 break; case 'S': serverBindHost = optarg;
+ break; case 'T': clientSTS = false;
 break; case 'U': strlcpy(bindPath, optarg, sizeof(bindPath));
 break; case 'W': clientPass = optarg;
 break; case 'a': sasl = true; plain = optarg;
diff --git a/bounce.h b/bounce.h
index f8ab0c0..ffbd24b 100644
--- a/bounce.h
+++ b/bounce.h
@@ -81,6 +81,7 @@ static inline struct Message parse(char *line) {
 X("sasl", CapSASL) \
 X("server-time", CapServerTime) \
 X("setname", CapSetname) \
+ X("sts", CapSTS) \
 X("userhost-in-names", CapUserhostInNames) \
 X("", CapUnsupported)
@@ -166,6 +167,7 @@ void serverFormat(const char *format, ...)
 __attribute__((format(printf, 1, 2)));
 extern bool clientCA;
+extern bool clientSTS;
 extern char *clientPass;
 extern char *clientAway;
 struct Client *clientAlloc(struct tls *tls);
diff --git a/client.c b/client.c
index 66d07d0..25707a8 100644
--- a/client.c
+++ b/client.c
@@ -31,6 +31,7 @@
 #include "bounce.h"
 bool clientCA;
+bool clientSTS = true;
 char *clientPass;
 char *clientAway;
@@ -168,8 +169,13 @@ static void handleCap(struct Client *client, struct Message *msg) {
 if (!msg->params[0]) msg->params[0] = "";
 enum Cap avail = (stateCaps & ~CapSASL)
- | CapServerTime | CapConsumer | CapPassive | (clientCA ? CapSASL : 0);
- const char *values[CapBits] = { [CapSASLBit] = "EXTERNAL" };
+ | CapServerTime | CapConsumer | CapPassive
+ | (clientCA ? CapSASL : 0)
+ | (clientSTS ? CapSTS : 0);
+ const char *values[CapBits] = {
+ [CapSASLBit] = "EXTERNAL",
+ [CapSTSBit] = "duration=2147483647",
+ };
 if (!strcmp(msg->params[0], "END")) {
 if (!client->need) return;
diff --git a/pounce.1 b/pounce.1
index 7b3e5bf..b61527a 100644
--- a/pounce.1
+++ b/pounce.1
@@ -8,7 +8,7 @@
 .
 .Sh SYNOPSIS
 .Nm
-.Op Fl Nev
+.Op Fl NTev
 .Op Fl A Ar cert
 .Op Fl C Ar cert
 .Op Fl H Ar host
@@ -127,6 +127,11 @@ Bind to source address
 .Ar host
 when connecting to the server.
 .
+.It Fl T
+Do not advertise a
+strict transport security (STS) policy
+to clients.
+.
 .It Fl U Ar path , Cm local-path = Ar path
 Bind to a UNIX-domain socket at
 .Ar path .
@@ -511,6 +516,14 @@ daemon implements the following:
 .It
 .Rs
 .%A Attila Molnar
+.%A James Wheare
+.%T IRCv3 Strict Transport Security
+.%I IRCv3 Working Group
+.%U https://ircv3.net/specs/extensions/sts
+.Re
+.It
+.Rs
+.%A Attila Molnar
 .%A William Pitcock
 .%T IRCv3.2 SASL Authentication
 .%I IRCv3 Working Group
diff --git a/state.c b/state.c
index d667971..dc69547 100644
--- a/state.c
+++ b/state.c
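Review bot: In the client.c handleCap hunk, `avail` still takes CapSTS from `stateCaps` unmasked, so if stateCaps is populated from the upstream's CAP LS rather than from an ACK (not visible here), an upstream that advertises sts would re-enable the cap even after `-T` has cleared clientSTS; masking it next to SASL, `enum Cap avail = (stateCaps & ~(CapSASL | CapSTS))`, makes clientSTS authoritative regardless of where stateCaps comes from. The literal `"duration=2147483647"` carries its rationale only in the commit message; a one-line comment beside it, `/* INT_MAX seconds: effectively permanent, since pounce never serves cleartext */`, keeps the reasoning with the value. Note that `-T` only stops advertising: a client that has already cached the policy keeps it for the full duration unless the server later sends `duration=0`, which nothing in this commit can emit, so the flag is not a way to back out of a deployed policy. handleCap's body continues past the hunk.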
@@ -80,7 +80,7 @@ static void handleCap(struct Message *msg) {
 }
 if (!strcmp(msg->params[1], "LS") || !strcmp(msg->params[1], "NEW")) {
- caps &= ~(CapSASL | CapUnsupported);
+ caps &= ~(CapSASL | CapSTS | CapUnsupported);
 if (caps) serverFormat("CAP REQ :%s\r\n", capList(caps, NULL));
 } else if (!strcmp(msg->params[1], "ACK")) {
--
cgit 1.4.1
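Review bot: The widened mask on the `caps &=` line has no comment saying why sts is stripped from the REQ, and the reason differs from the other two (CapSASL is handled by pounce itself, CapUnsupported cannot be forwarded); `// sts is advertisement-only; never include it in CAP REQ` would record it. The hunk also discards the upstream's STS value rather than recording it, which is fine as long as pounce's upstream connection is always TLS; if a cleartext upstream mode exists outside this diff, the upstream policy would go unenforced here. The enclosing handleCap begins before the hunk and continues after it.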