support TLS client certificates

ergochat · Feb 6, 2023 · c10a0fe · c10a0fe
1 parent 0e02fd0
commit c10a0fe
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 6 deletions.
diff --git a/ircdog.go b/ircdog.go
@@ -64,6 +64,7 @@ Sending Escapes:
 Options:
 	--tls               Connect using TLS.
 	--tls-noverify      Don't verify the provided TLS certificates.
+	--tls-cert=<file>   A file containing a TLS client cert & key, to use for TLS connections.
 	--listen=<address>  Listen on an address like ":7778", pass through traffic.
 	--hide=<messages>   Comma-separated list of commands/numerics to not print.
 	--origin=<url>      URL to send as the Origin header for a WebSocket connection
@@ -152,11 +153,20 @@ func parseConnectionConfig(arguments map[string]any) (config lib.ConnectionConfi
 		config.Origin = originString.(string)
 	}
 
+	config.TLSConfig = &tls.Config{}
 	if tlsNoverify {
-		config.TLSConfig = &tls.Config{
-			InsecureSkipVerify: true,
+		config.TLSConfig.InsecureSkipVerify = true
+	}
+	if tlsCert := arguments["--tls-cert"]; tlsCert != nil {
+		tlsCert, tErr := tls.LoadX509KeyPair(tlsCert.(string), tlsCert.(string))
+
+		if tErr != nil {
+			err = fmt.Errorf("Cannot load TLS cert/key: %w", uErr)
+			return
 		}
+		config.TLSConfig.Certificates = []tls.Certificate{tlsCert}
 	}
+
 	return
 }
 

diff --git a/lib/connection.go b/lib/connection.go
@@ -29,7 +29,7 @@ func NewConnection(config ConnectionConfig) (IRCSocket, error) {
 			return nil, err
 		}
 	} else {
-		socket, err = NewIRCWebSocket(config.WebsocketURL, config.Origin, config.TLSConfig)
+		socket, err = NewIRCWebSocket(config.WebsocketURL, config.Origin, config.TLS, config.TLSConfig)
 		if err != nil {
 			return nil, err
 		}

diff --git a/lib/websocket.go b/lib/websocket.go
@@ -20,7 +20,7 @@ type IRCWebSocket struct {
 	websocket  *websocket.Conn
 }
 
-func NewIRCWebSocket(wsUrl, origin string, tlsConfig *tls.Config) (IRCSocket, error) {
+func NewIRCWebSocket(wsUrl, origin string, useTLS bool, tlsConfig *tls.Config) (IRCSocket, error) {
 	var headers http.Header
 	if origin != "" {
 		headers = make(http.Header)
@@ -36,8 +36,11 @@ func NewIRCWebSocket(wsUrl, origin string, tlsConfig *tls.Config) (IRCSocket, er
 
 	dialer := websocket.Dialer{
 		Subprotocols:    []string{"text.ircv3.net", "binary.ircv3.net"},
-		TLSClientConfig: tlsConfig,
 	}
+	if useTLS {
+		dialer.TLSClientConfig = tlsConfig
+	}
+
 	ws, resp, err := dialer.Dial(wsUrl, headers)
 	if err != nil {
 		explanation := "no HTTP response"

diff --git a/lib/websocket_stub.go b/lib/websocket_stub.go
@@ -11,6 +11,6 @@ var (
 	errNoWSSupport = errors.New("websocket support disabled at compile time")
 )
 
-func NewIRCWebSocket(wsUrl, origin string, tlsConfig *tls.Config) (IRCSocket, error) {
+func NewIRCWebSocket(wsUrl, origin string, useTLS bool, tlsConfig *tls.Config) (IRCSocket, error) {
 	return nil, errNoWSSupport
 }