mirror of
https://github.com/AdguardTeam/AdGuardHome.git
synced 2024-12-21 14:24:26 +03:00
ff7c715c5f
Closes #6854.Updates #6875. Squashed commit of the following: commit b98adbc0cc6eeaffb262d57775c487e03b1d5ba5 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Apr 10 19:21:44 2024 +0300 dnsforward: upd proxy, imp code, docs commit 4de1eb2bca1047426e02ba680c212f46782e5616 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Apr 10 16:09:58 2024 +0300 WIP commit afa9d61e8dc129f907dc681cd2f831cb5c3b054a Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 9 19:24:09 2024 +0300 all: log changes commit c8340676a448687a39acd26bc8ce5f94473e441f Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 9 19:06:10 2024 +0300 dnsforward: move code commit 08bb7d43d2a3f689ef2ef2409935dc3946752e94 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 9 18:09:46 2024 +0300 dnsforward: imp code commit b27547ec806dd9bce502d3c6a7c28f33693ed575 Merge: b7efca7886f36ebc06
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 9 17:33:19 2024 +0300 Merge branch 'master' into AGDNS-1982-upd-proxy commit b7efca788b66aa672598b088040d4534ce2e55b0 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Apr 9 17:27:14 2024 +0300 all: upd proxy finally commit 3e16fa87befe4c0ef3a3e7a638d7add28627f9b6 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Apr 5 18:20:13 2024 +0300 dnsforward: upd proxy commit f3cdfc86334a182effcd0de22fac5e678fa53ea7 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Apr 4 20:37:32 2024 +0300 all: upd proxy, golibs commit a79298d6d0504521893ee11fdc3a23c098aea911 Merge: 9feeba5c7fd25dcacb
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Apr 4 20:34:01 2024 +0300 Merge branch 'master' into AGDNS-1982-upd-proxy commit 9feeba5c7f24ff1d308a216608d985cb2a7b7588 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Apr 4 20:25:57 2024 +0300 all: imp code, docs commit 6c68d463db64293eb9c5e29ff91879fd68920a77 Merge: d8108e651ee619b2db
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Apr 4 18:46:11 2024 +0300 Merge branch 'master' into AGDNS-1982-upd-proxy commit d8108e65164df8d67aa4e95154a8768a06255b78 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Apr 3 19:25:27 2024 +0300 all: imp code commit 20461565801c9fcd06a652c6066b524b06c80433 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Apr 3 17:10:33 2024 +0300 all: remove private rdns logic
155 lines
3.9 KiB
Go
155 lines
3.9 KiB
Go
package dnsforward
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"fmt"
|
|
"path"
|
|
"strings"
|
|
|
|
"github.com/AdguardTeam/dnsproxy/proxy"
|
|
"github.com/AdguardTeam/golibs/errors"
|
|
"github.com/AdguardTeam/golibs/log"
|
|
"github.com/AdguardTeam/golibs/netutil"
|
|
"github.com/quic-go/quic-go"
|
|
)
|
|
|
|
// ValidateClientID returns an error if id is not a valid ClientID.
|
|
//
|
|
// Keep in sync with [client.ValidateClientID].
|
|
func ValidateClientID(id string) (err error) {
|
|
err = netutil.ValidateHostnameLabel(id)
|
|
if err != nil {
|
|
// Replace the domain name label wrapper with our own.
|
|
return fmt.Errorf("invalid clientid %q: %w", id, errors.Unwrap(err))
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// clientIDFromClientServerName extracts and validates a ClientID. hostSrvName
|
|
// is the server name of the host. cliSrvName is the server name as sent by the
|
|
// client. When strict is true, and client and host server name don't match,
|
|
// clientIDFromClientServerName will return an error.
|
|
func clientIDFromClientServerName(
|
|
hostSrvName string,
|
|
cliSrvName string,
|
|
strict bool,
|
|
) (clientID string, err error) {
|
|
if hostSrvName == cliSrvName {
|
|
return "", nil
|
|
}
|
|
|
|
if !netutil.IsImmediateSubdomain(cliSrvName, hostSrvName) {
|
|
if !strict {
|
|
return "", nil
|
|
}
|
|
|
|
return "", fmt.Errorf(
|
|
"client server name %q doesn't match host server name %q",
|
|
cliSrvName,
|
|
hostSrvName,
|
|
)
|
|
}
|
|
|
|
clientID = cliSrvName[:len(cliSrvName)-len(hostSrvName)-1]
|
|
err = ValidateClientID(clientID)
|
|
if err != nil {
|
|
// Don't wrap the error, because it's informative enough as is.
|
|
return "", err
|
|
}
|
|
|
|
return strings.ToLower(clientID), nil
|
|
}
|
|
|
|
// clientIDFromDNSContextHTTPS extracts the client's ID from the path of the
|
|
// client's DNS-over-HTTPS request.
|
|
func clientIDFromDNSContextHTTPS(pctx *proxy.DNSContext) (clientID string, err error) {
|
|
r := pctx.HTTPRequest
|
|
if r == nil {
|
|
return "", fmt.Errorf(
|
|
"proxy ctx http request of proto %s is nil",
|
|
pctx.Proto,
|
|
)
|
|
}
|
|
|
|
origPath := r.URL.Path
|
|
parts := strings.Split(path.Clean(origPath), "/")
|
|
if parts[0] == "" {
|
|
parts = parts[1:]
|
|
}
|
|
|
|
if len(parts) == 0 || parts[0] != "dns-query" {
|
|
return "", fmt.Errorf("clientid check: invalid path %q", origPath)
|
|
}
|
|
|
|
switch len(parts) {
|
|
case 1:
|
|
// Just /dns-query, no ClientID.
|
|
return "", nil
|
|
case 2:
|
|
clientID = parts[1]
|
|
default:
|
|
return "", fmt.Errorf("clientid check: invalid path %q: extra parts", origPath)
|
|
}
|
|
|
|
err = ValidateClientID(clientID)
|
|
if err != nil {
|
|
return "", fmt.Errorf("clientid check: %w", err)
|
|
}
|
|
|
|
return strings.ToLower(clientID), nil
|
|
}
|
|
|
|
// tlsConn is a narrow interface for *tls.Conn to simplify testing.
|
|
type tlsConn interface {
|
|
ConnectionState() (cs tls.ConnectionState)
|
|
}
|
|
|
|
// quicConnection is a narrow interface for quic.Connection to simplify testing.
|
|
type quicConnection interface {
|
|
ConnectionState() (cs quic.ConnectionState)
|
|
}
|
|
|
|
// clientServerName returns the TLS server name based on the protocol. For
|
|
// DNS-over-HTTPS requests, it will return the hostname part of the Host header
|
|
// if there is one.
|
|
func clientServerName(pctx *proxy.DNSContext, proto proxy.Proto) (srvName string, err error) {
|
|
from := "tls conn"
|
|
|
|
switch proto {
|
|
case proxy.ProtoHTTPS:
|
|
r := pctx.HTTPRequest
|
|
if connState := r.TLS; connState != nil {
|
|
srvName = connState.ServerName
|
|
} else if r.Host != "" {
|
|
var host string
|
|
host, err = netutil.SplitHost(r.Host)
|
|
if err != nil {
|
|
return "", fmt.Errorf("parsing host: %w", err)
|
|
}
|
|
|
|
srvName = host
|
|
from = "host header"
|
|
}
|
|
case proxy.ProtoQUIC:
|
|
qConn := pctx.QUICConnection
|
|
conn, ok := qConn.(quicConnection)
|
|
if !ok {
|
|
return "", fmt.Errorf("pctx conn of proto %s is %T, want quic.Connection", proto, qConn)
|
|
}
|
|
|
|
srvName = conn.ConnectionState().TLS.ServerName
|
|
case proxy.ProtoTLS:
|
|
conn := pctx.Conn
|
|
tc, ok := conn.(tlsConn)
|
|
if !ok {
|
|
return "", fmt.Errorf("pctx conn of proto %s is %T, want *tls.Conn", proto, conn)
|
|
}
|
|
|
|
srvName = tc.ConnectionState().ServerName
|
|
}
|
|
|
|
log.Debug("dnsforward: got client server name %q from %s", srvName, from)
|
|
|
|
return srvName, nil
|
|
}
|