AdGuardHome/internal/home/tls.go

783 lines
21 KiB
Go
Raw Normal View History

package home
import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"encoding/base64"
"encoding/json"
"encoding/pem"
"fmt"
"net/http"
"os"
"path/filepath"
"runtime"
"strings"
"sync"
"time"
"github.com/AdguardTeam/AdGuardHome/internal/aghalgo"
"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
"github.com/AdguardTeam/golibs/errors"
"github.com/AdguardTeam/golibs/log"
"github.com/google/go-cmp/cmp"
"golang.org/x/sys/cpu"
)
var tlsWebHandlersRegistered = false
// TLSMod - TLS module object
type TLSMod struct {
certLastMod time.Time // last modification time of the certificate file
status tlsConfigStatus
confLock sync.Mutex
conf tlsConfigSettings
}
// Create TLS module
func tlsCreate(conf tlsConfigSettings) *TLSMod {
t := &TLSMod{}
t.conf = conf
if t.conf.Enabled {
if !t.load() {
// Something is not valid - return an empty TLS config
return &TLSMod{conf: tlsConfigSettings{
Enabled: conf.Enabled,
ServerName: conf.ServerName,
PortHTTPS: conf.PortHTTPS,
PortDNSOverTLS: conf.PortDNSOverTLS,
2020-08-27 15:03:07 +03:00
PortDNSOverQUIC: conf.PortDNSOverQUIC,
AllowUnencryptedDoH: conf.AllowUnencryptedDoH,
}}
}
t.setCertFileTime()
}
return t
}
func (t *TLSMod) load() bool {
if !tlsLoadConfig(&t.conf, &t.status) {
log.Error("failed to load TLS config: %s", t.status.WarningValidation)
return false
}
// validate current TLS config and update warnings (it could have been loaded from file)
data := validateCertificates(string(t.conf.CertificateChainData), string(t.conf.PrivateKeyData), t.conf.ServerName)
if !data.ValidPair {
log.Error("failed to validate certificate: %s", data.WarningValidation)
return false
}
t.status = data
return true
}
// Close - close module
func (t *TLSMod) Close() {
}
// WriteDiskConfig - write config
func (t *TLSMod) WriteDiskConfig(conf *tlsConfigSettings) {
t.confLock.Lock()
*conf = t.conf
t.confLock.Unlock()
}
func (t *TLSMod) setCertFileTime() {
if len(t.conf.CertificatePath) == 0 {
return
}
fi, err := os.Stat(t.conf.CertificatePath)
if err != nil {
log.Error("TLS: %s", err)
return
}
t.certLastMod = fi.ModTime().UTC()
}
// Start updates the configuration of TLSMod and starts it.
func (t *TLSMod) Start() {
if !tlsWebHandlersRegistered {
tlsWebHandlersRegistered = true
t.registerWebHandlers()
}
t.confLock.Lock()
tlsConf := t.conf
t.confLock.Unlock()
// The background context is used because the TLSConfigChanged wraps
// context with timeout on its own and shuts down the server, which
// handles current request.
Context.web.TLSConfigChanged(context.Background(), tlsConf)
}
// Reload updates the configuration of TLSMod and restarts it.
func (t *TLSMod) Reload() {
t.confLock.Lock()
tlsConf := t.conf
t.confLock.Unlock()
if !tlsConf.Enabled || len(tlsConf.CertificatePath) == 0 {
return
}
fi, err := os.Stat(tlsConf.CertificatePath)
if err != nil {
log.Error("TLS: %s", err)
return
}
if fi.ModTime().UTC().Equal(t.certLastMod) {
log.Debug("TLS: certificate file isn't modified")
return
}
log.Debug("TLS: certificate file is modified")
t.confLock.Lock()
r := t.load()
t.confLock.Unlock()
if !r {
return
}
t.certLastMod = fi.ModTime().UTC()
_ = reconfigureDNSServer()
t.confLock.Lock()
tlsConf = t.conf
t.confLock.Unlock()
// The background context is used because the TLSConfigChanged wraps
// context with timeout on its own and shuts down the server, which
// handles current request.
Context.web.TLSConfigChanged(context.Background(), tlsConf)
}
// Set certificate and private key data
func tlsLoadConfig(tls *tlsConfigSettings, status *tlsConfigStatus) bool {
tls.CertificateChainData = []byte(tls.CertificateChain)
tls.PrivateKeyData = []byte(tls.PrivateKey)
var err error
if tls.CertificatePath != "" {
if tls.CertificateChain != "" {
status.WarningValidation = "certificate data and file can't be set together"
return false
}
tls.CertificateChainData, err = os.ReadFile(tls.CertificatePath)
if err != nil {
status.WarningValidation = err.Error()
return false
}
status.ValidCert = true
}
if tls.PrivateKeyPath != "" {
if tls.PrivateKey != "" {
status.WarningValidation = "private key data and file can't be set together"
return false
}
tls.PrivateKeyData, err = os.ReadFile(tls.PrivateKeyPath)
if err != nil {
status.WarningValidation = err.Error()
return false
}
status.ValidKey = true
}
return true
}
type tlsConfigStatus struct {
ValidCert bool `json:"valid_cert"` // ValidCert is true if the specified certificates chain is a valid chain of X509 certificates
ValidChain bool `json:"valid_chain"` // ValidChain is true if the specified certificates chain is verified and issued by a known CA
Subject string `json:"subject,omitempty"` // Subject is the subject of the first certificate in the chain
Issuer string `json:"issuer,omitempty"` // Issuer is the issuer of the first certificate in the chain
NotBefore time.Time `json:"not_before,omitempty"` // NotBefore is the NotBefore field of the first certificate in the chain
NotAfter time.Time `json:"not_after,omitempty"` // NotAfter is the NotAfter field of the first certificate in the chain
DNSNames []string `json:"dns_names"` // DNSNames is the value of SubjectAltNames field of the first certificate in the chain
// key status
ValidKey bool `json:"valid_key"` // ValidKey is true if the key is a valid private key
KeyType string `json:"key_type,omitempty"` // KeyType is one of RSA or ECDSA
// is usable? set by validator
ValidPair bool `json:"valid_pair"` // ValidPair is true if both certificate and private key are correct
// warnings
WarningValidation string `json:"warning_validation,omitempty"` // WarningValidation is a validation warning message with the issue description
}
// field ordering is important -- yaml fields will mirror ordering from here
type tlsConfig struct {
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
tlsConfigStatus `json:",inline"`
tlsConfigSettingsExt `json:",inline"`
}
// tlsConfigSettingsExt is used to (un)marshal PrivateKeySaved to ensure that
// clients don't send and receive previously saved private keys.
type tlsConfigSettingsExt struct {
tlsConfigSettings `json:",inline"`
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
// If private key saved as a string, we set this flag to true
// and omit key from answer.
PrivateKeySaved bool `yaml:"-" json:"private_key_saved,inline"`
}
func (t *TLSMod) handleTLSStatus(w http.ResponseWriter, r *http.Request) {
t.confLock.Lock()
data := tlsConfig{
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
tlsConfigSettingsExt: tlsConfigSettingsExt{
tlsConfigSettings: t.conf,
},
tlsConfigStatus: t.status,
}
t.confLock.Unlock()
marshalTLS(w, r, data)
}
func (t *TLSMod) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
setts, err := unmarshalTLS(r)
if err != nil {
aghhttp.Error(r, w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
return
}
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
if setts.PrivateKeySaved {
setts.PrivateKey = t.conf.PrivateKey
}
if setts.Enabled {
uv := aghalgo.UniquenessValidator{}
addPorts(
uv,
config.BindPort,
config.BetaBindPort,
config.DNS.Port,
setts.PortHTTPS,
setts.PortDNSOverTLS,
setts.PortDNSOverQUIC,
setts.PortDNSCrypt,
)
err = uv.Validate(aghalgo.IntIsBefore)
if err != nil {
aghhttp.Error(r, w, http.StatusBadRequest, "validating ports: %s", err)
return
}
}
if !WebCheckPortAvailable(setts.PortHTTPS) {
aghhttp.Error(
r,
w,
http.StatusBadRequest,
"port %d is not available, cannot enable HTTPS on it",
setts.PortHTTPS,
)
return
}
status := tlsConfigStatus{}
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
if tlsLoadConfig(&setts.tlsConfigSettings, &status) {
status = validateCertificates(string(setts.CertificateChainData), string(setts.PrivateKeyData), setts.ServerName)
}
data := tlsConfig{
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
tlsConfigSettingsExt: setts,
tlsConfigStatus: status,
}
marshalTLS(w, r, data)
}
func (t *TLSMod) setConfig(newConf tlsConfigSettings, status tlsConfigStatus) (restartHTTPS bool) {
t.confLock.Lock()
defer t.confLock.Unlock()
// Reset the DNSCrypt data before comparing, since we currently do not
// accept these from the frontend.
//
// TODO(a.garipov): Define a custom comparer for dnsforward.TLSConfig.
newConf.DNSCryptConfigFile = t.conf.DNSCryptConfigFile
newConf.PortDNSCrypt = t.conf.PortDNSCrypt
if !cmp.Equal(t.conf, newConf, cmp.AllowUnexported(dnsforward.TLSConfig{})) {
log.Info("tls config has changed, restarting https server")
restartHTTPS = true
} else {
log.Info("tls config has not changed")
}
// Note: don't do just `t.conf = data` because we must preserve all other members of t.conf
t.conf.Enabled = newConf.Enabled
t.conf.ServerName = newConf.ServerName
t.conf.ForceHTTPS = newConf.ForceHTTPS
t.conf.PortHTTPS = newConf.PortHTTPS
t.conf.PortDNSOverTLS = newConf.PortDNSOverTLS
t.conf.PortDNSOverQUIC = newConf.PortDNSOverQUIC
t.conf.CertificateChain = newConf.CertificateChain
t.conf.CertificatePath = newConf.CertificatePath
t.conf.CertificateChainData = newConf.CertificateChainData
t.conf.PrivateKey = newConf.PrivateKey
t.conf.PrivateKeyPath = newConf.PrivateKeyPath
t.conf.PrivateKeyData = newConf.PrivateKeyData
t.status = status
return restartHTTPS
}
func (t *TLSMod) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
data, err := unmarshalTLS(r)
if err != nil {
aghhttp.Error(r, w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
return
}
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
if data.PrivateKeySaved {
data.PrivateKey = t.conf.PrivateKey
}
if data.Enabled {
uv := aghalgo.UniquenessValidator{}
addPorts(
uv,
config.BindPort,
config.BetaBindPort,
config.DNS.Port,
data.PortHTTPS,
data.PortDNSOverTLS,
data.PortDNSOverQUIC,
data.PortDNSCrypt,
)
err = uv.Validate(aghalgo.IntIsBefore)
if err != nil {
aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
return
}
}
// TODO(e.burkov): Investigate and perhaps check other ports.
if !WebCheckPortAvailable(data.PortHTTPS) {
aghhttp.Error(
r,
w,
http.StatusBadRequest,
"port %d is not available, cannot enable HTTPS on it",
data.PortHTTPS,
)
return
}
status := tlsConfigStatus{}
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
if !tlsLoadConfig(&data.tlsConfigSettings, &status) {
data2 := tlsConfig{
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
tlsConfigSettingsExt: data,
tlsConfigStatus: t.status,
}
marshalTLS(w, r, data2)
return
}
status = validateCertificates(string(data.CertificateChainData), string(data.PrivateKeyData), data.ServerName)
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
restartHTTPS := t.setConfig(data.tlsConfigSettings, status)
t.setCertFileTime()
onConfigModified()
err = reconfigureDNSServer()
if err != nil {
aghhttp.Error(r, w, http.StatusInternalServerError, "%s", err)
return
}
data2 := tlsConfig{
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
tlsConfigSettingsExt: data,
tlsConfigStatus: t.status,
}
marshalTLS(w, r, data2)
if f, ok := w.(http.Flusher); ok {
f.Flush()
}
// The background context is used because the TLSConfigChanged wraps context
// with timeout on its own and shuts down the server, which handles current
// request. It is also should be done in a separate goroutine due to the
// same reason.
if restartHTTPS {
go func() {
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
Context.web.TLSConfigChanged(context.Background(), data.tlsConfigSettings)
}()
}
}
func verifyCertChain(data *tlsConfigStatus, certChain, serverName string) error {
2019-10-21 16:07:55 +03:00
log.Tracef("TLS: got certificate: %d bytes", len(certChain))
// now do a more extended validation
var certs []*pem.Block // PEM-encoded certificates
pemblock := []byte(certChain)
for {
var decoded *pem.Block
decoded, pemblock = pem.Decode(pemblock)
if decoded == nil {
break
}
if decoded.Type == "CERTIFICATE" {
certs = append(certs, decoded)
}
}
var parsedCerts []*x509.Certificate
for _, cert := range certs {
parsed, err := x509.ParseCertificate(cert.Bytes)
if err != nil {
data.WarningValidation = fmt.Sprintf("Failed to parse certificate: %s", err)
return errors.Error(data.WarningValidation)
}
parsedCerts = append(parsedCerts, parsed)
}
if len(parsedCerts) == 0 {
data.WarningValidation = "You have specified an empty certificate"
return errors.Error(data.WarningValidation)
}
data.ValidCert = true
// spew.Dump(parsedCerts)
opts := x509.VerifyOptions{
DNSName: serverName,
Roots: Context.tlsRoots,
}
log.Printf("number of certs - %d", len(parsedCerts))
if len(parsedCerts) > 1 {
// set up an intermediate
pool := x509.NewCertPool()
for _, cert := range parsedCerts[1:] {
log.Printf("got an intermediate cert")
pool.AddCert(cert)
}
opts.Intermediates = pool
}
// TODO: save it as a warning rather than error it out -- shouldn't be a big problem
mainCert := parsedCerts[0]
_, err := mainCert.Verify(opts)
if err != nil {
// let self-signed certs through
data.WarningValidation = fmt.Sprintf("Your certificate does not verify: %s", err)
} else {
data.ValidChain = true
}
// spew.Dump(chains)
// update status
if mainCert != nil {
notAfter := mainCert.NotAfter
data.Subject = mainCert.Subject.String()
data.Issuer = mainCert.Issuer.String()
data.NotAfter = notAfter
data.NotBefore = mainCert.NotBefore
data.DNSNames = mainCert.DNSNames
}
return nil
}
func validatePkey(data *tlsConfigStatus, pkey string) error {
// now do a more extended validation
var key *pem.Block // PEM-encoded certificates
// go through all pem blocks, but take first valid pem block and drop the rest
pemblock := []byte(pkey)
for {
var decoded *pem.Block
decoded, pemblock = pem.Decode(pemblock)
if decoded == nil {
break
}
if decoded.Type == "PRIVATE KEY" || strings.HasSuffix(decoded.Type, " PRIVATE KEY") {
key = decoded
break
}
}
if key == nil {
data.WarningValidation = "No valid keys were found"
return errors.Error(data.WarningValidation)
}
// parse the decoded key
_, keyType, err := parsePrivateKey(key.Bytes)
if err != nil {
data.WarningValidation = fmt.Sprintf("Failed to parse private key: %s", err)
return errors.Error(data.WarningValidation)
} else if keyType == keyTypeED25519 {
data.WarningValidation = "ED25519 keys are not supported by browsers; " +
"did you mean to use X25519 for key exchange?"
return errors.Error(data.WarningValidation)
}
data.ValidKey = true
data.KeyType = keyType
return nil
}
2019-02-28 15:28:38 +03:00
// Process certificate data and its private key.
// All parameters are optional.
// On error, return partially set object
// with 'WarningValidation' field containing error description.
func validateCertificates(certChain, pkey, serverName string) tlsConfigStatus {
var data tlsConfigStatus
// check only public certificate separately from the key
if certChain != "" {
if verifyCertChain(&data, certChain, serverName) != nil {
return data
}
}
// validate private key (right now the only validation possible is just parsing it)
if pkey != "" {
if validatePkey(&data, pkey) != nil {
return data
}
}
// if both are set, validate both in unison
if pkey != "" && certChain != "" {
_, err := tls.X509KeyPair([]byte(certChain), []byte(pkey))
if err != nil {
data.WarningValidation = fmt.Sprintf("Invalid certificate or key: %s", err)
return data
}
data.ValidPair = true
}
return data
}
// Key types.
const (
keyTypeECDSA = "ECDSA"
keyTypeED25519 = "ED25519"
keyTypeRSA = "RSA"
)
// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
//
// TODO(a.garipov): Find out if this version of parsePrivateKey from the stdlib
// is actually necessary.
func parsePrivateKey(der []byte) (key crypto.PrivateKey, typ string, err error) {
if key, err = x509.ParsePKCS1PrivateKey(der); err == nil {
return key, keyTypeRSA, nil
}
if key, err = x509.ParsePKCS8PrivateKey(der); err == nil {
switch key := key.(type) {
case *rsa.PrivateKey:
return key, keyTypeRSA, nil
case *ecdsa.PrivateKey:
return key, keyTypeECDSA, nil
case ed25519.PrivateKey:
return key, keyTypeED25519, nil
default:
return nil, "", fmt.Errorf(
"tls: found unknown private key type %T in PKCS#8 wrapping",
key,
)
}
}
if key, err = x509.ParseECPrivateKey(der); err == nil {
return key, keyTypeECDSA, nil
}
return nil, "", errors.Error("tls: failed to parse private key")
}
// unmarshalTLS handles base64-encoded certificates transparently
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
func unmarshalTLS(r *http.Request) (tlsConfigSettingsExt, error) {
data := tlsConfigSettingsExt{}
err := json.NewDecoder(r.Body).Decode(&data)
if err != nil {
Pull request:* all: remove github.com/joomcode/errorx dependency Merge in DNS/adguard-home from 2240-removing-errorx-dependency to master Squashed commit of the following: commit 5bbe0567356f06e3b9ee5b3dc38d357b472cacb1 Merge: a6040850d 02d16a0b4 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Nov 5 14:32:22 2020 +0300 Merge branch 'master' into 2240-removing-errorx-dependency commit a6040850da3cefb131208097477b0956e80063fb Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Nov 5 14:23:36 2020 +0300 * dhcpd: convert some abbreviations to lowercase. commit d05bd51b994906b0ff52c5a8e779bd1f512f4bb7 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Nov 5 12:47:20 2020 +0300 * agherr: last final fixes commit 164bca55035ff44e50b0abb33e129a0d24ffe87c Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Nov 3 19:11:10 2020 +0300 * all: final fixes again commit a0ac26f409c0b28a176cf2861d52c2f471b59484 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Nov 3 18:51:39 2020 +0300 * all: final fixes commit 6147b02d402b513323b07e85856b348884f3a088 Merge: 9fd3af1a3 62cc334f4 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 18:26:03 2020 +0300 Merge branch 'master' into 2240-removing-errorx-dependency commit 9fd3af1a39a3189b5c41315a8ad1568ae5cb4fc9 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 18:23:08 2020 +0300 * all: remove useless helper commit 7cd9aeae639762b28b25f354d69c5cf74f670211 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 17:19:26 2020 +0300 * agherr: improved code tidiness commit a74a49236e9aaace070646dac710de9201105262 Merge: dc9dedbf2 df34ee5c0 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 16:54:29 2020 +0300 Merge branch 'master' into 2240-removing-errorx-dependency commit dc9dedbf205756e3adaa3bc776d349bf3d8c69a5 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 16:40:08 2020 +0300 * agherr: improve and cover by tests commit fd6bfe9e282156cc60e006cb7cd46cce4d3a07a8 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 14:06:27 2020 +0300 * all: improve code quality commit ea00c2f8c5060e9611f9a80cfd0e4a039526d0c4 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 13:03:57 2020 +0300 * all: fix linter style warnings commit 8e75e1a681a7218c2b4c69adfa2b7e1e2966f9ac Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 12:29:26 2020 +0300 * all: remove github.com/joomcode/errorx dependency Closes #2240.
2020-11-05 15:20:57 +03:00
return data, fmt.Errorf("failed to parse new TLS config json: %w", err)
}
if data.CertificateChain != "" {
var cert []byte
cert, err = base64.StdEncoding.DecodeString(data.CertificateChain)
if err != nil {
Pull request:* all: remove github.com/joomcode/errorx dependency Merge in DNS/adguard-home from 2240-removing-errorx-dependency to master Squashed commit of the following: commit 5bbe0567356f06e3b9ee5b3dc38d357b472cacb1 Merge: a6040850d 02d16a0b4 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Nov 5 14:32:22 2020 +0300 Merge branch 'master' into 2240-removing-errorx-dependency commit a6040850da3cefb131208097477b0956e80063fb Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Nov 5 14:23:36 2020 +0300 * dhcpd: convert some abbreviations to lowercase. commit d05bd51b994906b0ff52c5a8e779bd1f512f4bb7 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Nov 5 12:47:20 2020 +0300 * agherr: last final fixes commit 164bca55035ff44e50b0abb33e129a0d24ffe87c Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Nov 3 19:11:10 2020 +0300 * all: final fixes again commit a0ac26f409c0b28a176cf2861d52c2f471b59484 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Nov 3 18:51:39 2020 +0300 * all: final fixes commit 6147b02d402b513323b07e85856b348884f3a088 Merge: 9fd3af1a3 62cc334f4 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 18:26:03 2020 +0300 Merge branch 'master' into 2240-removing-errorx-dependency commit 9fd3af1a39a3189b5c41315a8ad1568ae5cb4fc9 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 18:23:08 2020 +0300 * all: remove useless helper commit 7cd9aeae639762b28b25f354d69c5cf74f670211 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 17:19:26 2020 +0300 * agherr: improved code tidiness commit a74a49236e9aaace070646dac710de9201105262 Merge: dc9dedbf2 df34ee5c0 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 16:54:29 2020 +0300 Merge branch 'master' into 2240-removing-errorx-dependency commit dc9dedbf205756e3adaa3bc776d349bf3d8c69a5 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 16:40:08 2020 +0300 * agherr: improve and cover by tests commit fd6bfe9e282156cc60e006cb7cd46cce4d3a07a8 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 14:06:27 2020 +0300 * all: improve code quality commit ea00c2f8c5060e9611f9a80cfd0e4a039526d0c4 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 13:03:57 2020 +0300 * all: fix linter style warnings commit 8e75e1a681a7218c2b4c69adfa2b7e1e2966f9ac Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 12:29:26 2020 +0300 * all: remove github.com/joomcode/errorx dependency Closes #2240.
2020-11-05 15:20:57 +03:00
return data, fmt.Errorf("failed to base64-decode certificate chain: %w", err)
}
data.CertificateChain = string(cert)
if data.CertificatePath != "" {
return data, fmt.Errorf("certificate data and file can't be set together")
}
}
if data.PrivateKey != "" {
var key []byte
key, err = base64.StdEncoding.DecodeString(data.PrivateKey)
if err != nil {
Pull request:* all: remove github.com/joomcode/errorx dependency Merge in DNS/adguard-home from 2240-removing-errorx-dependency to master Squashed commit of the following: commit 5bbe0567356f06e3b9ee5b3dc38d357b472cacb1 Merge: a6040850d 02d16a0b4 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Nov 5 14:32:22 2020 +0300 Merge branch 'master' into 2240-removing-errorx-dependency commit a6040850da3cefb131208097477b0956e80063fb Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Nov 5 14:23:36 2020 +0300 * dhcpd: convert some abbreviations to lowercase. commit d05bd51b994906b0ff52c5a8e779bd1f512f4bb7 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Nov 5 12:47:20 2020 +0300 * agherr: last final fixes commit 164bca55035ff44e50b0abb33e129a0d24ffe87c Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Nov 3 19:11:10 2020 +0300 * all: final fixes again commit a0ac26f409c0b28a176cf2861d52c2f471b59484 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Tue Nov 3 18:51:39 2020 +0300 * all: final fixes commit 6147b02d402b513323b07e85856b348884f3a088 Merge: 9fd3af1a3 62cc334f4 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 18:26:03 2020 +0300 Merge branch 'master' into 2240-removing-errorx-dependency commit 9fd3af1a39a3189b5c41315a8ad1568ae5cb4fc9 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 18:23:08 2020 +0300 * all: remove useless helper commit 7cd9aeae639762b28b25f354d69c5cf74f670211 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 17:19:26 2020 +0300 * agherr: improved code tidiness commit a74a49236e9aaace070646dac710de9201105262 Merge: dc9dedbf2 df34ee5c0 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 16:54:29 2020 +0300 Merge branch 'master' into 2240-removing-errorx-dependency commit dc9dedbf205756e3adaa3bc776d349bf3d8c69a5 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 16:40:08 2020 +0300 * agherr: improve and cover by tests commit fd6bfe9e282156cc60e006cb7cd46cce4d3a07a8 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 14:06:27 2020 +0300 * all: improve code quality commit ea00c2f8c5060e9611f9a80cfd0e4a039526d0c4 Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 13:03:57 2020 +0300 * all: fix linter style warnings commit 8e75e1a681a7218c2b4c69adfa2b7e1e2966f9ac Author: Eugene Burkov <e.burkov@adguard.com> Date: Tue Nov 3 12:29:26 2020 +0300 * all: remove github.com/joomcode/errorx dependency Closes #2240.
2020-11-05 15:20:57 +03:00
return data, fmt.Errorf("failed to base64-decode private key: %w", err)
}
data.PrivateKey = string(key)
if data.PrivateKeyPath != "" {
return data, fmt.Errorf("private key data and file can't be set together")
}
}
return data, nil
}
func marshalTLS(w http.ResponseWriter, r *http.Request, data tlsConfig) {
w.Header().Set("Content-Type", "application/json")
if data.CertificateChain != "" {
encoded := base64.StdEncoding.EncodeToString([]byte(data.CertificateChain))
data.CertificateChain = encoded
}
if data.PrivateKey != "" {
Pull request #1269: tls: hide saved private key Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f 756c7064 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a 16092e8b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072 550b1798 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If private key saved as a string, then hide it from the answer to UI
2021-08-27 13:42:31 +03:00
data.PrivateKeySaved = true
data.PrivateKey = ""
}
err := json.NewEncoder(w).Encode(data)
if err != nil {
aghhttp.Error(
r,
w,
http.StatusInternalServerError,
"Failed to marshal json with TLS status: %s",
err,
)
}
}
// registerWebHandlers registers HTTP handlers for TLS configuration
func (t *TLSMod) registerWebHandlers() {
httpRegister(http.MethodGet, "/control/tls/status", t.handleTLSStatus)
httpRegister(http.MethodPost, "/control/tls/configure", t.handleTLSConfigure)
httpRegister(http.MethodPost, "/control/tls/validate", t.handleTLSValidate)
}
// LoadSystemRootCAs tries to load root certificates from the operating system.
// It returns nil in case nothing is found so that that Go.crypto will use it's
// default algorithm to find system root CA list.
//
// See https://github.com/AdguardTeam/AdGuardHome/internal/issues/1311.
func LoadSystemRootCAs() (roots *x509.CertPool) {
// TODO(e.burkov): Use build tags instead.
if runtime.GOOS != "linux" {
return nil
}
// Directories with the system root certificates, which aren't supported
// by Go.crypto.
dirs := []string{
// Entware.
"/opt/etc/ssl/certs",
}
roots = x509.NewCertPool()
for _, dir := range dirs {
dirEnts, err := os.ReadDir(dir)
if errors.Is(err, os.ErrNotExist) {
continue
} else if err != nil {
log.Error("opening directory: %q: %s", dir, err)
}
var rootsAdded bool
for _, de := range dirEnts {
var certData []byte
certData, err = os.ReadFile(filepath.Join(dir, de.Name()))
if err == nil && roots.AppendCertsFromPEM(certData) {
rootsAdded = true
}
}
if rootsAdded {
return roots
}
}
return nil
}
// InitTLSCiphers performs the same work as initDefaultCipherSuites() from
// crypto/tls/common.go but don't uses lots of other default ciphers.
func InitTLSCiphers() (ciphers []uint16) {
// Check the cpu flags for each platform that has optimized GCM
// implementations. The worst case is when all these variables are
// false.
var (
hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
// Keep in sync with crypto/aes/cipher_s390x.go.
hasGCMAsmS390X = cpu.S390X.HasAES &&
cpu.S390X.HasAESCBC &&
cpu.S390X.HasAESCTR &&
(cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
hasGCMAsm = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
)
if hasGCMAsm {
// If AES-GCM hardware is provided then prioritize AES-GCM
// cipher suites.
ciphers = []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
}
} else {
// Without AES-GCM hardware, we put the ChaCha20-Poly1305 cipher
// suites first.
ciphers = []uint16{
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
}
}
return append(
ciphers,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
)
}