


commit 829993d506748310b54541dda2b3aebf47a3fae3
Author: Wim <wim@42.be>
Date: Sat Feb 05 21:12:03 2022 +0000
Add support for client certificate (irc) (#1710)
Supports https://libera.chat/guides/certfp.html
diff --git a/bridge/irc/irc.go b/bridge/irc/irc.go
index 260f66d..4b7b144 100644
--- a/bridge/irc/irc.go
+++ b/bridge/irc/irc.go
@@ -26 +27 @@ package birc
 
 import (
  "crypto/tls"
+ "errors"
  "fmt"
  "hash/crc32"
  "io/ioutil"
@@ -726 +7310 @@ func (b *Birc) Command(msg *config.Message) string {
 }
 
 func (b *Birc) Connect() error {
+ if b.GetBool("UseSASL") && b.GetString("TLSClientCertificate") != "" {
+ return errors.New("you can't enable SASL and TLSClientCertificate at the same time")
+ }
+
  b.Local = make(chan config.Message, b.MessageQueue+10)
  b.Log.Infof("Connecting %s", b.GetString("Server"))
 
@@ -3006 +30511 @@ func (b *Birc) getClient() (*girc.Client, error) {
 
  b.Log.Debugf("setting pingdelay to %s", pingDelay)
 
+ tlsConfig, err := b.getTLSConfig()
+ if err != nil {
+ return nil, err
+ }
+
  i := girc.New(girc.Config{
  Server: server,
  ServerPass: b.GetString("Password"),
@@ -3097 +3197 @@ func (b *Birc) getClient() (*girc.Client, error) {
  Name: realName,
  SSL: b.GetBool("UseTLS"),
  Bind: b.GetString("Bind"),
- TLSConfig: &tls.Config{InsecureSkipVerify: b.GetBool("SkipTLSVerify"), ServerName: server}, //nolint:gosec
+ TLSConfig: tlsConfig,
  PingDelay: pingDelay,
  // skip gIRC internal rate limiting, since we have our own throttling
  AllowFlood: true,
@@ -3813 +39123 @@ func (b *Birc) storeNames(client *girc.Client, event girc.Event) {
 func (b *Birc) formatnicks(nicks []string) string {
  return strings.Join(nicks, ", ") + " currently on IRC"
 }
+
+func (b *Birc) getTLSConfig() (*tls.Config, error) {
+ server, _, _ := net.SplitHostPort(b.GetString("server"))
+
+ tlsConfig := &tls.Config{
+ InsecureSkipVerify: b.GetBool("skiptlsverify"), //nolint:gosec
+ ServerName: server,
+ }
+
+ if filename := b.GetString("TLSClientCertificate"); filename != "" {
+ cert, err := tls.LoadX509KeyPair(filename, filename)
+ if err != nil {
+ return nil, err
+ }
+
+ tlsConfig.Certificates = []tls.Certificate{cert}
+ }
+
+ return tlsConfig, nil
+}
diff --git a/matterbridge.toml.sample b/matterbridge.toml.sample
index fd341ff..8bc0f6c 100644
--- a/matterbridge.toml.sample
+++ b/matterbridge.toml.sample
@@ -246 +2413 @@ Password=""
 #OPTIONAL (default false)
 UseTLS=false
 
+#Use client certificate - see CertFP https://libera.chat/guides/certfp.html
+#Specify filename which contains private key and cert
+#OPTIONAL (default "")
+#
+#TLSClientCertificate="cert.pem"
+TLSClientCertificate=""
+
 #Enable SASL (PLAIN) authentication. (libera requires this from eg AWS hosts)
 #It uses NickServNick and NickServPassword as login and password
 #OPTIONAL (default false)
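Review bot: The error from net.SplitHostPort on the first line of getTLSConfig is discarded, so a Server value without a port silently leaves ServerName empty and the misconfiguration only surfaces later in the TLS handshake instead of at configuration time; consider `server, _, err := net.SplitHostPort(b.GetString("server"))` followed by `if err != nil { return nil, fmt.Errorf("parsing Server %q: %w", b.GetString("server"), err) }`. The LoadX509KeyPair error is likewise returned without saying which file failed to load, and wrapping it as `fmt.Errorf("loading TLSClientCertificate %q: %w", filename, err)` would make the operator-facing log actionable. The new function looks up `"server"` and `"skiptlsverify"` in lowercase while the rest of this file (e.g. `b.GetString("Server")` in Connect and the removed `b.GetBool("SkipTLSVerify")` line) uses mixed case; this is presumably fine if the config getters are case-insensitive, but matching the existing spelling avoids the question. The net package is used here but not added in the import hunk, so it is presumably already imported elsewhere in the file.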