2021-02-11 15:20:30 +03:00
|
|
|
package dnsforward
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
|
|
|
"fmt"
|
|
|
|
"path"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/AdguardTeam/dnsproxy/proxy"
|
2021-05-24 17:28:11 +03:00
|
|
|
"github.com/AdguardTeam/golibs/errors"
|
2021-08-09 16:03:37 +03:00
|
|
|
"github.com/AdguardTeam/golibs/netutil"
|
2021-02-11 15:20:30 +03:00
|
|
|
"github.com/lucas-clemente/quic-go"
|
|
|
|
)
|
|
|
|
|
2022-02-10 15:42:59 +03:00
|
|
|
// ValidateClientID returns an error if id is not a valid ClientID.
|
|
|
|
func ValidateClientID(id string) (err error) {
|
|
|
|
err = netutil.ValidateDomainNameLabel(id)
|
2021-03-25 16:00:27 +03:00
|
|
|
if err != nil {
|
2021-05-06 13:02:48 +03:00
|
|
|
// Replace the domain name label wrapper with our own.
|
2022-02-10 15:42:59 +03:00
|
|
|
return fmt.Errorf("invalid clientid %q: %w", id, errors.Unwrap(err))
|
2021-02-11 15:20:30 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-08-12 18:35:30 +03:00
|
|
|
// hasLabelSuffix returns true if s ends with suffix preceded by a dot. It's
|
|
|
|
// a helper function to prevent unnecessary allocations in code like:
|
|
|
|
//
|
|
|
|
// if strings.HasSuffix(s, "." + suffix) { /* … */ }
|
|
|
|
//
|
|
|
|
// s must be longer than suffix.
|
|
|
|
func hasLabelSuffix(s, suffix string) (ok bool) {
|
|
|
|
return strings.HasSuffix(s, suffix) && s[len(s)-len(suffix)-1] == '.'
|
|
|
|
}
|
|
|
|
|
2022-02-10 15:42:59 +03:00
|
|
|
// clientIDFromClientServerName extracts and validates a ClientID. hostSrvName
|
2021-02-11 15:20:30 +03:00
|
|
|
// is the server name of the host. cliSrvName is the server name as sent by the
|
|
|
|
// client. When strict is true, and client and host server name don't match,
|
|
|
|
// clientIDFromClientServerName will return an error.
|
2021-08-12 18:35:30 +03:00
|
|
|
func clientIDFromClientServerName(
|
|
|
|
hostSrvName string,
|
|
|
|
cliSrvName string,
|
|
|
|
strict bool,
|
|
|
|
) (clientID string, err error) {
|
2021-02-11 15:20:30 +03:00
|
|
|
if hostSrvName == cliSrvName {
|
|
|
|
return "", nil
|
|
|
|
}
|
|
|
|
|
2021-08-12 18:35:30 +03:00
|
|
|
if !hasLabelSuffix(cliSrvName, hostSrvName) {
|
2021-02-11 15:20:30 +03:00
|
|
|
if !strict {
|
|
|
|
return "", nil
|
|
|
|
}
|
|
|
|
|
2021-08-12 18:35:30 +03:00
|
|
|
return "", fmt.Errorf(
|
|
|
|
"client server name %q doesn't match host server name %q",
|
|
|
|
cliSrvName,
|
|
|
|
hostSrvName,
|
|
|
|
)
|
2021-02-11 15:20:30 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
clientID = cliSrvName[:len(cliSrvName)-len(hostSrvName)-1]
|
|
|
|
err = ValidateClientID(clientID)
|
|
|
|
if err != nil {
|
2021-03-25 16:00:27 +03:00
|
|
|
// Don't wrap the error, because it's informative enough as is.
|
|
|
|
return "", err
|
2021-02-11 15:20:30 +03:00
|
|
|
}
|
|
|
|
|
2022-05-04 21:01:41 +03:00
|
|
|
return strings.ToLower(clientID), nil
|
2021-02-11 15:20:30 +03:00
|
|
|
}
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
// clientIDFromDNSContextHTTPS extracts the client's ID from the path of the
|
2021-02-11 15:20:30 +03:00
|
|
|
// client's DNS-over-HTTPS request.
|
2021-06-29 15:53:28 +03:00
|
|
|
func clientIDFromDNSContextHTTPS(pctx *proxy.DNSContext) (clientID string, err error) {
|
2021-02-11 15:20:30 +03:00
|
|
|
r := pctx.HTTPRequest
|
|
|
|
if r == nil {
|
2021-06-29 15:53:28 +03:00
|
|
|
return "", fmt.Errorf(
|
|
|
|
"proxy ctx http request of proto %s is nil",
|
|
|
|
pctx.Proto,
|
|
|
|
)
|
2021-02-11 15:20:30 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
origPath := r.URL.Path
|
|
|
|
parts := strings.Split(path.Clean(origPath), "/")
|
|
|
|
if parts[0] == "" {
|
|
|
|
parts = parts[1:]
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(parts) == 0 || parts[0] != "dns-query" {
|
2022-02-10 15:42:59 +03:00
|
|
|
return "", fmt.Errorf("clientid check: invalid path %q", origPath)
|
2021-02-11 15:20:30 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
switch len(parts) {
|
|
|
|
case 1:
|
2022-02-10 15:42:59 +03:00
|
|
|
// Just /dns-query, no ClientID.
|
2021-06-29 15:53:28 +03:00
|
|
|
return "", nil
|
2021-02-11 15:20:30 +03:00
|
|
|
case 2:
|
|
|
|
clientID = parts[1]
|
|
|
|
default:
|
2022-02-10 15:42:59 +03:00
|
|
|
return "", fmt.Errorf("clientid check: invalid path %q: extra parts", origPath)
|
2021-02-11 15:20:30 +03:00
|
|
|
}
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
err = ValidateClientID(clientID)
|
2021-02-11 15:20:30 +03:00
|
|
|
if err != nil {
|
2022-02-10 15:42:59 +03:00
|
|
|
return "", fmt.Errorf("clientid check: %w", err)
|
2021-02-11 15:20:30 +03:00
|
|
|
}
|
|
|
|
|
2022-05-04 21:01:41 +03:00
|
|
|
return strings.ToLower(clientID), nil
|
2021-02-11 15:20:30 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// tlsConn is a narrow interface for *tls.Conn to simplify testing.
|
|
|
|
type tlsConn interface {
|
|
|
|
ConnectionState() (cs tls.ConnectionState)
|
|
|
|
}
|
|
|
|
|
2022-05-24 19:47:09 +03:00
|
|
|
// quicConnection is a narrow interface for quic.Connection to simplify testing.
|
|
|
|
type quicConnection interface {
|
2021-02-11 15:20:30 +03:00
|
|
|
ConnectionState() (cs quic.ConnectionState)
|
|
|
|
}
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
// clientIDFromDNSContext extracts the client's ID from the server name of the
|
|
|
|
// client's DoT or DoQ request or the path of the client's DoH. If the protocol
|
|
|
|
// is not one of these, clientID is an empty string and err is nil.
|
|
|
|
func (s *Server) clientIDFromDNSContext(pctx *proxy.DNSContext) (clientID string, err error) {
|
2021-02-11 15:20:30 +03:00
|
|
|
proto := pctx.Proto
|
|
|
|
if proto == proxy.ProtoHTTPS {
|
2022-10-05 18:11:09 +03:00
|
|
|
clientID, err = clientIDFromDNSContextHTTPS(pctx)
|
|
|
|
if err != nil {
|
|
|
|
return "", fmt.Errorf("checking url: %w", err)
|
|
|
|
} else if clientID != "" {
|
|
|
|
return clientID, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Go on and check the domain name as well.
|
2021-02-11 15:20:30 +03:00
|
|
|
} else if proto != proxy.ProtoTLS && proto != proxy.ProtoQUIC {
|
2021-06-29 15:53:28 +03:00
|
|
|
return "", nil
|
2021-02-11 15:20:30 +03:00
|
|
|
}
|
|
|
|
|
2021-06-29 15:53:28 +03:00
|
|
|
hostSrvName := s.conf.ServerName
|
2021-02-11 15:20:30 +03:00
|
|
|
if hostSrvName == "" {
|
2021-06-29 15:53:28 +03:00
|
|
|
return "", nil
|
2021-02-11 15:20:30 +03:00
|
|
|
}
|
|
|
|
|
2022-10-05 18:11:09 +03:00
|
|
|
cliSrvName, err := clientServerName(pctx, proto)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
clientID, err = clientIDFromClientServerName(
|
|
|
|
hostSrvName,
|
|
|
|
cliSrvName,
|
|
|
|
s.conf.StrictSNICheck,
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
return "", fmt.Errorf("clientid check: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return clientID, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// clientServerName returns the TLS server name based on the protocol.
|
|
|
|
func clientServerName(pctx *proxy.DNSContext, proto proxy.Proto) (srvName string, err error) {
|
2021-06-29 15:53:28 +03:00
|
|
|
switch proto {
|
2022-10-05 18:11:09 +03:00
|
|
|
case proxy.ProtoHTTPS:
|
|
|
|
if connState := pctx.HTTPRequest.TLS; connState != nil {
|
|
|
|
srvName = pctx.HTTPRequest.TLS.ServerName
|
2021-02-11 15:20:30 +03:00
|
|
|
}
|
2021-06-29 15:53:28 +03:00
|
|
|
case proxy.ProtoQUIC:
|
2022-10-05 18:11:09 +03:00
|
|
|
qConn := pctx.QUICConnection
|
|
|
|
conn, ok := qConn.(quicConnection)
|
2021-02-11 15:20:30 +03:00
|
|
|
if !ok {
|
2021-06-29 15:53:28 +03:00
|
|
|
return "", fmt.Errorf(
|
2022-05-24 19:47:09 +03:00
|
|
|
"proxy ctx quic conn of proto %s is %T, want quic.Connection",
|
2021-06-29 15:53:28 +03:00
|
|
|
proto,
|
2022-10-05 18:11:09 +03:00
|
|
|
qConn,
|
2021-06-29 15:53:28 +03:00
|
|
|
)
|
2021-02-11 15:20:30 +03:00
|
|
|
}
|
|
|
|
|
2022-10-05 18:11:09 +03:00
|
|
|
srvName = conn.ConnectionState().TLS.ServerName
|
|
|
|
case proxy.ProtoTLS:
|
|
|
|
conn := pctx.Conn
|
|
|
|
tc, ok := conn.(tlsConn)
|
|
|
|
if !ok {
|
|
|
|
return "", fmt.Errorf("proxy ctx conn of proto %s is %T, want *tls.Conn", proto, conn)
|
|
|
|
}
|
2021-02-11 15:20:30 +03:00
|
|
|
|
2022-10-05 18:11:09 +03:00
|
|
|
srvName = tc.ConnectionState().ServerName
|
2021-06-29 15:53:28 +03:00
|
|
|
}
|
2021-02-11 15:20:30 +03:00
|
|
|
|
2022-10-05 18:11:09 +03:00
|
|
|
return srvName, nil
|
2021-06-29 15:53:28 +03:00
|
|
|
}
|