AdGuardHome/home/control_tls.go

391 lines
11 KiB
Go
Raw Normal View History

// Control: TLS configuring handlers
package home
import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"encoding/base64"
"encoding/json"
"encoding/pem"
"errors"
"fmt"
"io/ioutil"
"net/http"
"reflect"
"strings"
"time"
Fix #1069 install: check static ip Squashed commit of the following: commit 57466233cbeb89aff82d8610778f7c3b60fe8426 Merge: 2df5f281 867bf545 Author: Andrey Meshkov <am@adguard.com> Date: Thu Feb 13 18:39:15 2020 +0300 Merge branch 'master' into 1069-install-static-ip commit 2df5f281c4f5949b92edd4747ece60ff73799e54 Author: Andrey Meshkov <am@adguard.com> Date: Thu Feb 13 18:35:54 2020 +0300 *: lang fix commit b4649a6b2781741979531faf862b88c2557f1445 Merge: c2785253 f61d5f0f Author: Andrey Meshkov <am@adguard.com> Date: Thu Feb 13 16:47:30 2020 +0300 *(home): fixed issues with setting static IP on Mac commit c27852537d2f5ce62b16c43f4241a15d0fb8c9fd Author: Andrey Meshkov <am@adguard.com> Date: Thu Feb 13 14:14:30 2020 +0300 +(dhcpd): added static IP for MacOS commit f61d5f0f85a954120b2676a5153f10a05662cf42 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Thu Feb 13 14:13:35 2020 +0300 + client: show confirm before setting static IP commit 7afa16fbe76dff4485d166f6164bae171e0110c9 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Thu Feb 13 13:51:52 2020 +0300 - client: fix text commit 019bff0851c584302fa44317fc748b3319be9470 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Thu Feb 13 13:49:16 2020 +0300 - client: pass all params to the check_config request commit 194bed72f567ae815cbd424e2df1ac5be65e0c02 Author: Andrey Meshkov <am@adguard.com> Date: Wed Feb 12 17:12:16 2020 +0300 *: fix home_test commit 9359f6b55f5e36dd311fb85b6a83bb6227308f03 Merge: ae299058 c5ca2a77 Author: Andrey Meshkov <am@adguard.com> Date: Wed Feb 12 15:54:54 2020 +0300 Merge with master commit ae2990582defd8062b99c546b2a932a8ba06c35d Author: Andrey Meshkov <am@adguard.com> Date: Wed Feb 12 15:53:36 2020 +0300 *(global): refactoring - moved runtime properties to Context commit d8d48c53869a94d18c5ea7bcf78613e83b24bfd8 Author: Andrey Meshkov <am@adguard.com> Date: Wed Feb 12 15:04:25 2020 +0300 *(dhcpd): refactoring, use dhcpd/network_utils where possible commit 8d039c572f0e5f5245bd155a4e4d35400e6962c6 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Fri Feb 7 18:37:39 2020 +0300 - client: fix button position commit 26c47e59dd63317bdb959cb416e7c1c0bfdf7dc1 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Fri Feb 7 18:08:56 2020 +0300 - client: fix static ip description commit cb12babc4698d048478570303af8955a35e8531d Author: Andrey Meshkov <am@adguard.com> Date: Fri Feb 7 17:08:39 2020 +0300 *: lower log level for some commands commit d9001ff84852d708e400d039503141929e06d774 Author: Andrey Meshkov <am@adguard.com> Date: Fri Feb 7 16:17:59 2020 +0300 *(documentation): updated openapi commit 1d213d53c88d5009a4b1d33d4cfa9e215c644bec Merge: 8406d7d2 80861860 Author: Andrey Meshkov <am@adguard.com> Date: Fri Feb 7 15:16:46 2020 +0300 *: merge with master commit 8406d7d28827ce1ed9d9f6770ce1700681811535 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Fri Jan 31 16:52:22 2020 +0300 - client: fix locales commit fb476b011768367be51010c89754dcd23b383f5a Author: Simon Zolin <s.zolin@adguard.com> Date: Fri Jan 31 13:29:03 2020 +0300 linter commit 84b5708e71c88a9643d402ab630270f5e7bf35b8 Author: Simon Zolin <s.zolin@adguard.com> Date: Fri Jan 31 13:27:53 2020 +0300 linter commit 143a86a28a3465776f803f6b99b9f3c64b26400e Author: Simon Zolin <s.zolin@adguard.com> Date: Fri Jan 31 13:26:47 2020 +0300 linter ... and 7 more commits
2020-02-13 18:42:07 +03:00
"github.com/AdguardTeam/AdGuardHome/util"
"github.com/AdguardTeam/golibs/log"
"github.com/joomcode/errorx"
)
// Set certificate and private key data
func tlsLoadConfig(tls *tlsConfig, status *tlsConfigStatus) bool {
tls.CertificateChainData = []byte(tls.CertificateChain)
tls.PrivateKeyData = []byte(tls.PrivateKey)
var err error
if tls.CertificatePath != "" {
if tls.CertificateChain != "" {
status.WarningValidation = "certificate data and file can't be set together"
return false
}
tls.CertificateChainData, err = ioutil.ReadFile(tls.CertificatePath)
if err != nil {
status.WarningValidation = err.Error()
return false
}
status.ValidCert = true
}
if tls.PrivateKeyPath != "" {
if tls.PrivateKey != "" {
status.WarningValidation = "private key data and file can't be set together"
return false
}
tls.PrivateKeyData, err = ioutil.ReadFile(tls.PrivateKeyPath)
if err != nil {
status.WarningValidation = err.Error()
return false
}
status.ValidKey = true
}
return true
}
// RegisterTLSHandlers registers HTTP handlers for TLS configuration
func RegisterTLSHandlers() {
httpRegister(http.MethodGet, "/control/tls/status", handleTLSStatus)
httpRegister(http.MethodPost, "/control/tls/configure", handleTLSConfigure)
httpRegister(http.MethodPost, "/control/tls/validate", handleTLSValidate)
}
func handleTLSStatus(w http.ResponseWriter, r *http.Request) {
marshalTLS(w, config.TLS)
}
func handleTLSValidate(w http.ResponseWriter, r *http.Request) {
data, err := unmarshalTLS(r)
if err != nil {
httpError(w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
return
}
// check if port is available
// BUT: if we are already using this port, no need
alreadyRunning := false
Merge: * use upstream servers directly for the internal DNS resolver Close #1212 * Server.Start(config *ServerConfig) -> Start() + Server.Prepare(config *ServerConfig) + Server.Resolve(host string) + Server.Exchange() * rDNS: use internal DNS resolver - clients: fix race in WriteDiskConfig() - fix race: move 'clients' object from 'configuration' to 'HomeContext' Go race detector didn't like our 'clients' object in 'configuration'. + add AGH startup test . Create a configuration file . Start AGH instance . Check Web server . Check DNS server . Wait until the filters are downloaded . Stop and cleanup * move module objects from config.* to Context.* * don't call log.SetLevel() if not necessary This helps to avoid Go race detector's warning * ci.sh: 'make' and then run tests Squashed commit of the following: commit 86500c7f749307f37af4cc8c2a1066f679d0cfad Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 18:08:53 2019 +0300 minor commit 6e6abb9dca3cd250c458bec23aa30d2250a9eb40 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 18:08:31 2019 +0300 * ci.sh: 'make' and then run tests commit 114192eefea6800e565ba9ab238202c006516c27 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 17:50:04 2019 +0300 fix commit d426deea7f02cdfd4c7217a38c59e51251956a0f Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 17:46:33 2019 +0300 tests commit 7b350edf03027895b4e43dee908d0155a9b0ac9b Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:56:12 2019 +0300 fix test commit 2f5f116873bbbfdd4bb7f82a596f9e1f5c2bcfd8 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:48:56 2019 +0300 fix tests commit 3fbdc77f9c34726e2295185279444983652d559e Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:45:00 2019 +0300 linter commit 9da0b6965a2b6863bcd552fa83a4de2866600bb8 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:33:23 2019 +0300 * config.dnsctx.whois -> Context.whois commit c71ebdbdf6efd88c877b2f243c69d3bc00a997d7 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:31:08 2019 +0300 * don't call log.SetLevel() if not necessary This helps to avoid Go race detector's warning commit 0f250220133cefdcb0843a50000cb932802b8324 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:28:19 2019 +0300 * rdns: refactor commit c460d8c9414940dac852e390b6c1b4d4fb38dff9 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 14:08:08 2019 +0300 Revert: * stats: serialize access to 'limit' Use 'conf *Config' and update it atomically, as in querylog module. (Note: Race detector still doesn't like it) commit 488bcb884971276de0d5629384b29e22c59ee7e6 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:50:23 2019 +0300 * config.dnsFilter -> Context.dnsFilter commit 86c0a6827a450414b50acec7ebfc5220d13b81e4 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:45:05 2019 +0300 * config.dnsServer -> Context.dnsServer commit ee35ef095ccaabc89e3de0ef52c9b5ed56b36873 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:42:10 2019 +0300 * config.dhcpServer -> Context.dhcpServer commit 1537001cd211099d5fad01696c0b806ae5d257b1 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:39:45 2019 +0300 * config.queryLog -> Context.queryLog commit e5955fe4ff1ef6f41763461b37b502ea25a3d04c Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:03:18 2019 +0300 * config.httpsServer -> Context.httpsServer commit 6153c10a9ac173e159d1f05e0db1512579b9203c Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 20:12:24 2019 +0300 * config.httpServer -> Context.httpServer commit abd021fb94039015cd45c97614e8b78d4694f956 Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 20:08:05 2019 +0300 * stats: serialize access to 'limit' commit 38c2decfd87c712100edcabe62a6d4518719cb53 Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 19:57:04 2019 +0300 * config.stats -> Context.stats commit 6caf8965ad44db9dce9a7a5103aa8fa305ad9a06 Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 19:45:23 2019 +0300 fix Restart() ... and 6 more commits
2019-12-11 12:38:58 +03:00
if Context.httpsServer.server != nil {
alreadyRunning = true
}
if !alreadyRunning {
Fix #1069 install: check static ip Squashed commit of the following: commit 57466233cbeb89aff82d8610778f7c3b60fe8426 Merge: 2df5f281 867bf545 Author: Andrey Meshkov <am@adguard.com> Date: Thu Feb 13 18:39:15 2020 +0300 Merge branch 'master' into 1069-install-static-ip commit 2df5f281c4f5949b92edd4747ece60ff73799e54 Author: Andrey Meshkov <am@adguard.com> Date: Thu Feb 13 18:35:54 2020 +0300 *: lang fix commit b4649a6b2781741979531faf862b88c2557f1445 Merge: c2785253 f61d5f0f Author: Andrey Meshkov <am@adguard.com> Date: Thu Feb 13 16:47:30 2020 +0300 *(home): fixed issues with setting static IP on Mac commit c27852537d2f5ce62b16c43f4241a15d0fb8c9fd Author: Andrey Meshkov <am@adguard.com> Date: Thu Feb 13 14:14:30 2020 +0300 +(dhcpd): added static IP for MacOS commit f61d5f0f85a954120b2676a5153f10a05662cf42 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Thu Feb 13 14:13:35 2020 +0300 + client: show confirm before setting static IP commit 7afa16fbe76dff4485d166f6164bae171e0110c9 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Thu Feb 13 13:51:52 2020 +0300 - client: fix text commit 019bff0851c584302fa44317fc748b3319be9470 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Thu Feb 13 13:49:16 2020 +0300 - client: pass all params to the check_config request commit 194bed72f567ae815cbd424e2df1ac5be65e0c02 Author: Andrey Meshkov <am@adguard.com> Date: Wed Feb 12 17:12:16 2020 +0300 *: fix home_test commit 9359f6b55f5e36dd311fb85b6a83bb6227308f03 Merge: ae299058 c5ca2a77 Author: Andrey Meshkov <am@adguard.com> Date: Wed Feb 12 15:54:54 2020 +0300 Merge with master commit ae2990582defd8062b99c546b2a932a8ba06c35d Author: Andrey Meshkov <am@adguard.com> Date: Wed Feb 12 15:53:36 2020 +0300 *(global): refactoring - moved runtime properties to Context commit d8d48c53869a94d18c5ea7bcf78613e83b24bfd8 Author: Andrey Meshkov <am@adguard.com> Date: Wed Feb 12 15:04:25 2020 +0300 *(dhcpd): refactoring, use dhcpd/network_utils where possible commit 8d039c572f0e5f5245bd155a4e4d35400e6962c6 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Fri Feb 7 18:37:39 2020 +0300 - client: fix button position commit 26c47e59dd63317bdb959cb416e7c1c0bfdf7dc1 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Fri Feb 7 18:08:56 2020 +0300 - client: fix static ip description commit cb12babc4698d048478570303af8955a35e8531d Author: Andrey Meshkov <am@adguard.com> Date: Fri Feb 7 17:08:39 2020 +0300 *: lower log level for some commands commit d9001ff84852d708e400d039503141929e06d774 Author: Andrey Meshkov <am@adguard.com> Date: Fri Feb 7 16:17:59 2020 +0300 *(documentation): updated openapi commit 1d213d53c88d5009a4b1d33d4cfa9e215c644bec Merge: 8406d7d2 80861860 Author: Andrey Meshkov <am@adguard.com> Date: Fri Feb 7 15:16:46 2020 +0300 *: merge with master commit 8406d7d28827ce1ed9d9f6770ce1700681811535 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Fri Jan 31 16:52:22 2020 +0300 - client: fix locales commit fb476b011768367be51010c89754dcd23b383f5a Author: Simon Zolin <s.zolin@adguard.com> Date: Fri Jan 31 13:29:03 2020 +0300 linter commit 84b5708e71c88a9643d402ab630270f5e7bf35b8 Author: Simon Zolin <s.zolin@adguard.com> Date: Fri Jan 31 13:27:53 2020 +0300 linter commit 143a86a28a3465776f803f6b99b9f3c64b26400e Author: Simon Zolin <s.zolin@adguard.com> Date: Fri Jan 31 13:26:47 2020 +0300 linter ... and 7 more commits
2020-02-13 18:42:07 +03:00
err = util.CheckPortAvailable(config.BindHost, data.PortHTTPS)
if err != nil {
httpError(w, http.StatusBadRequest, "port %d is not available, cannot enable HTTPS on it", data.PortHTTPS)
return
}
}
status := tlsConfigStatus{}
if tlsLoadConfig(&data, &status) {
status = validateCertificates(string(data.CertificateChainData), string(data.PrivateKeyData), data.ServerName)
}
data.tlsConfigStatus = status
marshalTLS(w, data)
}
func handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
data, err := unmarshalTLS(r)
if err != nil {
httpError(w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
return
}
// check if port is available
// BUT: if we are already using this port, no need
alreadyRunning := false
Merge: * use upstream servers directly for the internal DNS resolver Close #1212 * Server.Start(config *ServerConfig) -> Start() + Server.Prepare(config *ServerConfig) + Server.Resolve(host string) + Server.Exchange() * rDNS: use internal DNS resolver - clients: fix race in WriteDiskConfig() - fix race: move 'clients' object from 'configuration' to 'HomeContext' Go race detector didn't like our 'clients' object in 'configuration'. + add AGH startup test . Create a configuration file . Start AGH instance . Check Web server . Check DNS server . Wait until the filters are downloaded . Stop and cleanup * move module objects from config.* to Context.* * don't call log.SetLevel() if not necessary This helps to avoid Go race detector's warning * ci.sh: 'make' and then run tests Squashed commit of the following: commit 86500c7f749307f37af4cc8c2a1066f679d0cfad Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 18:08:53 2019 +0300 minor commit 6e6abb9dca3cd250c458bec23aa30d2250a9eb40 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 18:08:31 2019 +0300 * ci.sh: 'make' and then run tests commit 114192eefea6800e565ba9ab238202c006516c27 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 17:50:04 2019 +0300 fix commit d426deea7f02cdfd4c7217a38c59e51251956a0f Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 17:46:33 2019 +0300 tests commit 7b350edf03027895b4e43dee908d0155a9b0ac9b Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:56:12 2019 +0300 fix test commit 2f5f116873bbbfdd4bb7f82a596f9e1f5c2bcfd8 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:48:56 2019 +0300 fix tests commit 3fbdc77f9c34726e2295185279444983652d559e Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:45:00 2019 +0300 linter commit 9da0b6965a2b6863bcd552fa83a4de2866600bb8 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:33:23 2019 +0300 * config.dnsctx.whois -> Context.whois commit c71ebdbdf6efd88c877b2f243c69d3bc00a997d7 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:31:08 2019 +0300 * don't call log.SetLevel() if not necessary This helps to avoid Go race detector's warning commit 0f250220133cefdcb0843a50000cb932802b8324 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:28:19 2019 +0300 * rdns: refactor commit c460d8c9414940dac852e390b6c1b4d4fb38dff9 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 14:08:08 2019 +0300 Revert: * stats: serialize access to 'limit' Use 'conf *Config' and update it atomically, as in querylog module. (Note: Race detector still doesn't like it) commit 488bcb884971276de0d5629384b29e22c59ee7e6 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:50:23 2019 +0300 * config.dnsFilter -> Context.dnsFilter commit 86c0a6827a450414b50acec7ebfc5220d13b81e4 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:45:05 2019 +0300 * config.dnsServer -> Context.dnsServer commit ee35ef095ccaabc89e3de0ef52c9b5ed56b36873 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:42:10 2019 +0300 * config.dhcpServer -> Context.dhcpServer commit 1537001cd211099d5fad01696c0b806ae5d257b1 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:39:45 2019 +0300 * config.queryLog -> Context.queryLog commit e5955fe4ff1ef6f41763461b37b502ea25a3d04c Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:03:18 2019 +0300 * config.httpsServer -> Context.httpsServer commit 6153c10a9ac173e159d1f05e0db1512579b9203c Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 20:12:24 2019 +0300 * config.httpServer -> Context.httpServer commit abd021fb94039015cd45c97614e8b78d4694f956 Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 20:08:05 2019 +0300 * stats: serialize access to 'limit' commit 38c2decfd87c712100edcabe62a6d4518719cb53 Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 19:57:04 2019 +0300 * config.stats -> Context.stats commit 6caf8965ad44db9dce9a7a5103aa8fa305ad9a06 Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 19:45:23 2019 +0300 fix Restart() ... and 6 more commits
2019-12-11 12:38:58 +03:00
if Context.httpsServer.server != nil {
alreadyRunning = true
}
if !alreadyRunning {
Fix #1069 install: check static ip Squashed commit of the following: commit 57466233cbeb89aff82d8610778f7c3b60fe8426 Merge: 2df5f281 867bf545 Author: Andrey Meshkov <am@adguard.com> Date: Thu Feb 13 18:39:15 2020 +0300 Merge branch 'master' into 1069-install-static-ip commit 2df5f281c4f5949b92edd4747ece60ff73799e54 Author: Andrey Meshkov <am@adguard.com> Date: Thu Feb 13 18:35:54 2020 +0300 *: lang fix commit b4649a6b2781741979531faf862b88c2557f1445 Merge: c2785253 f61d5f0f Author: Andrey Meshkov <am@adguard.com> Date: Thu Feb 13 16:47:30 2020 +0300 *(home): fixed issues with setting static IP on Mac commit c27852537d2f5ce62b16c43f4241a15d0fb8c9fd Author: Andrey Meshkov <am@adguard.com> Date: Thu Feb 13 14:14:30 2020 +0300 +(dhcpd): added static IP for MacOS commit f61d5f0f85a954120b2676a5153f10a05662cf42 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Thu Feb 13 14:13:35 2020 +0300 + client: show confirm before setting static IP commit 7afa16fbe76dff4485d166f6164bae171e0110c9 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Thu Feb 13 13:51:52 2020 +0300 - client: fix text commit 019bff0851c584302fa44317fc748b3319be9470 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Thu Feb 13 13:49:16 2020 +0300 - client: pass all params to the check_config request commit 194bed72f567ae815cbd424e2df1ac5be65e0c02 Author: Andrey Meshkov <am@adguard.com> Date: Wed Feb 12 17:12:16 2020 +0300 *: fix home_test commit 9359f6b55f5e36dd311fb85b6a83bb6227308f03 Merge: ae299058 c5ca2a77 Author: Andrey Meshkov <am@adguard.com> Date: Wed Feb 12 15:54:54 2020 +0300 Merge with master commit ae2990582defd8062b99c546b2a932a8ba06c35d Author: Andrey Meshkov <am@adguard.com> Date: Wed Feb 12 15:53:36 2020 +0300 *(global): refactoring - moved runtime properties to Context commit d8d48c53869a94d18c5ea7bcf78613e83b24bfd8 Author: Andrey Meshkov <am@adguard.com> Date: Wed Feb 12 15:04:25 2020 +0300 *(dhcpd): refactoring, use dhcpd/network_utils where possible commit 8d039c572f0e5f5245bd155a4e4d35400e6962c6 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Fri Feb 7 18:37:39 2020 +0300 - client: fix button position commit 26c47e59dd63317bdb959cb416e7c1c0bfdf7dc1 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Fri Feb 7 18:08:56 2020 +0300 - client: fix static ip description commit cb12babc4698d048478570303af8955a35e8531d Author: Andrey Meshkov <am@adguard.com> Date: Fri Feb 7 17:08:39 2020 +0300 *: lower log level for some commands commit d9001ff84852d708e400d039503141929e06d774 Author: Andrey Meshkov <am@adguard.com> Date: Fri Feb 7 16:17:59 2020 +0300 *(documentation): updated openapi commit 1d213d53c88d5009a4b1d33d4cfa9e215c644bec Merge: 8406d7d2 80861860 Author: Andrey Meshkov <am@adguard.com> Date: Fri Feb 7 15:16:46 2020 +0300 *: merge with master commit 8406d7d28827ce1ed9d9f6770ce1700681811535 Author: Ildar Kamalov <i.kamalov@adguard.com> Date: Fri Jan 31 16:52:22 2020 +0300 - client: fix locales commit fb476b011768367be51010c89754dcd23b383f5a Author: Simon Zolin <s.zolin@adguard.com> Date: Fri Jan 31 13:29:03 2020 +0300 linter commit 84b5708e71c88a9643d402ab630270f5e7bf35b8 Author: Simon Zolin <s.zolin@adguard.com> Date: Fri Jan 31 13:27:53 2020 +0300 linter commit 143a86a28a3465776f803f6b99b9f3c64b26400e Author: Simon Zolin <s.zolin@adguard.com> Date: Fri Jan 31 13:26:47 2020 +0300 linter ... and 7 more commits
2020-02-13 18:42:07 +03:00
err = util.CheckPortAvailable(config.BindHost, data.PortHTTPS)
if err != nil {
httpError(w, http.StatusBadRequest, "port %d is not available, cannot enable HTTPS on it", data.PortHTTPS)
return
}
}
status := tlsConfigStatus{}
if !tlsLoadConfig(&data, &status) {
data.tlsConfigStatus = status
marshalTLS(w, data)
return
}
data.tlsConfigStatus = validateCertificates(string(data.CertificateChainData), string(data.PrivateKeyData), data.ServerName)
restartHTTPS := false
if !reflect.DeepEqual(config.TLS.tlsConfigSettings, data.tlsConfigSettings) {
log.Printf("tls config settings have changed, will restart HTTPS server")
restartHTTPS = true
}
config.TLS = data
err = writeAllConfigsAndReloadDNS()
if err != nil {
httpError(w, http.StatusInternalServerError, "Couldn't write config file: %s", err)
return
}
marshalTLS(w, data)
// this needs to be done in a goroutine because Shutdown() is a blocking call, and it will block
// until all requests are finished, and _we_ are inside a request right now, so it will block indefinitely
if restartHTTPS {
go func() {
time.Sleep(time.Second) // TODO: could not find a way to reliably know that data was fully sent to client by https server, so we wait a bit to let response through before closing the server
Merge: * use upstream servers directly for the internal DNS resolver Close #1212 * Server.Start(config *ServerConfig) -> Start() + Server.Prepare(config *ServerConfig) + Server.Resolve(host string) + Server.Exchange() * rDNS: use internal DNS resolver - clients: fix race in WriteDiskConfig() - fix race: move 'clients' object from 'configuration' to 'HomeContext' Go race detector didn't like our 'clients' object in 'configuration'. + add AGH startup test . Create a configuration file . Start AGH instance . Check Web server . Check DNS server . Wait until the filters are downloaded . Stop and cleanup * move module objects from config.* to Context.* * don't call log.SetLevel() if not necessary This helps to avoid Go race detector's warning * ci.sh: 'make' and then run tests Squashed commit of the following: commit 86500c7f749307f37af4cc8c2a1066f679d0cfad Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 18:08:53 2019 +0300 minor commit 6e6abb9dca3cd250c458bec23aa30d2250a9eb40 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 18:08:31 2019 +0300 * ci.sh: 'make' and then run tests commit 114192eefea6800e565ba9ab238202c006516c27 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 17:50:04 2019 +0300 fix commit d426deea7f02cdfd4c7217a38c59e51251956a0f Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 17:46:33 2019 +0300 tests commit 7b350edf03027895b4e43dee908d0155a9b0ac9b Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:56:12 2019 +0300 fix test commit 2f5f116873bbbfdd4bb7f82a596f9e1f5c2bcfd8 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:48:56 2019 +0300 fix tests commit 3fbdc77f9c34726e2295185279444983652d559e Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:45:00 2019 +0300 linter commit 9da0b6965a2b6863bcd552fa83a4de2866600bb8 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:33:23 2019 +0300 * config.dnsctx.whois -> Context.whois commit c71ebdbdf6efd88c877b2f243c69d3bc00a997d7 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:31:08 2019 +0300 * don't call log.SetLevel() if not necessary This helps to avoid Go race detector's warning commit 0f250220133cefdcb0843a50000cb932802b8324 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:28:19 2019 +0300 * rdns: refactor commit c460d8c9414940dac852e390b6c1b4d4fb38dff9 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 14:08:08 2019 +0300 Revert: * stats: serialize access to 'limit' Use 'conf *Config' and update it atomically, as in querylog module. (Note: Race detector still doesn't like it) commit 488bcb884971276de0d5629384b29e22c59ee7e6 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:50:23 2019 +0300 * config.dnsFilter -> Context.dnsFilter commit 86c0a6827a450414b50acec7ebfc5220d13b81e4 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:45:05 2019 +0300 * config.dnsServer -> Context.dnsServer commit ee35ef095ccaabc89e3de0ef52c9b5ed56b36873 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:42:10 2019 +0300 * config.dhcpServer -> Context.dhcpServer commit 1537001cd211099d5fad01696c0b806ae5d257b1 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:39:45 2019 +0300 * config.queryLog -> Context.queryLog commit e5955fe4ff1ef6f41763461b37b502ea25a3d04c Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:03:18 2019 +0300 * config.httpsServer -> Context.httpsServer commit 6153c10a9ac173e159d1f05e0db1512579b9203c Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 20:12:24 2019 +0300 * config.httpServer -> Context.httpServer commit abd021fb94039015cd45c97614e8b78d4694f956 Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 20:08:05 2019 +0300 * stats: serialize access to 'limit' commit 38c2decfd87c712100edcabe62a6d4518719cb53 Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 19:57:04 2019 +0300 * config.stats -> Context.stats commit 6caf8965ad44db9dce9a7a5103aa8fa305ad9a06 Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 19:45:23 2019 +0300 fix Restart() ... and 6 more commits
2019-12-11 12:38:58 +03:00
Context.httpsServer.cond.L.Lock()
Context.httpsServer.cond.Broadcast()
if Context.httpsServer.server != nil {
Context.httpsServer.server.Shutdown(context.TODO())
}
Merge: * use upstream servers directly for the internal DNS resolver Close #1212 * Server.Start(config *ServerConfig) -> Start() + Server.Prepare(config *ServerConfig) + Server.Resolve(host string) + Server.Exchange() * rDNS: use internal DNS resolver - clients: fix race in WriteDiskConfig() - fix race: move 'clients' object from 'configuration' to 'HomeContext' Go race detector didn't like our 'clients' object in 'configuration'. + add AGH startup test . Create a configuration file . Start AGH instance . Check Web server . Check DNS server . Wait until the filters are downloaded . Stop and cleanup * move module objects from config.* to Context.* * don't call log.SetLevel() if not necessary This helps to avoid Go race detector's warning * ci.sh: 'make' and then run tests Squashed commit of the following: commit 86500c7f749307f37af4cc8c2a1066f679d0cfad Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 18:08:53 2019 +0300 minor commit 6e6abb9dca3cd250c458bec23aa30d2250a9eb40 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 18:08:31 2019 +0300 * ci.sh: 'make' and then run tests commit 114192eefea6800e565ba9ab238202c006516c27 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 17:50:04 2019 +0300 fix commit d426deea7f02cdfd4c7217a38c59e51251956a0f Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 17:46:33 2019 +0300 tests commit 7b350edf03027895b4e43dee908d0155a9b0ac9b Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:56:12 2019 +0300 fix test commit 2f5f116873bbbfdd4bb7f82a596f9e1f5c2bcfd8 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:48:56 2019 +0300 fix tests commit 3fbdc77f9c34726e2295185279444983652d559e Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:45:00 2019 +0300 linter commit 9da0b6965a2b6863bcd552fa83a4de2866600bb8 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:33:23 2019 +0300 * config.dnsctx.whois -> Context.whois commit c71ebdbdf6efd88c877b2f243c69d3bc00a997d7 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:31:08 2019 +0300 * don't call log.SetLevel() if not necessary This helps to avoid Go race detector's warning commit 0f250220133cefdcb0843a50000cb932802b8324 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 15:28:19 2019 +0300 * rdns: refactor commit c460d8c9414940dac852e390b6c1b4d4fb38dff9 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 14:08:08 2019 +0300 Revert: * stats: serialize access to 'limit' Use 'conf *Config' and update it atomically, as in querylog module. (Note: Race detector still doesn't like it) commit 488bcb884971276de0d5629384b29e22c59ee7e6 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:50:23 2019 +0300 * config.dnsFilter -> Context.dnsFilter commit 86c0a6827a450414b50acec7ebfc5220d13b81e4 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:45:05 2019 +0300 * config.dnsServer -> Context.dnsServer commit ee35ef095ccaabc89e3de0ef52c9b5ed56b36873 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:42:10 2019 +0300 * config.dhcpServer -> Context.dhcpServer commit 1537001cd211099d5fad01696c0b806ae5d257b1 Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:39:45 2019 +0300 * config.queryLog -> Context.queryLog commit e5955fe4ff1ef6f41763461b37b502ea25a3d04c Author: Simon Zolin <s.zolin@adguard.com> Date: Tue Dec 10 13:03:18 2019 +0300 * config.httpsServer -> Context.httpsServer commit 6153c10a9ac173e159d1f05e0db1512579b9203c Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 20:12:24 2019 +0300 * config.httpServer -> Context.httpServer commit abd021fb94039015cd45c97614e8b78d4694f956 Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 20:08:05 2019 +0300 * stats: serialize access to 'limit' commit 38c2decfd87c712100edcabe62a6d4518719cb53 Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 19:57:04 2019 +0300 * config.stats -> Context.stats commit 6caf8965ad44db9dce9a7a5103aa8fa305ad9a06 Author: Simon Zolin <s.zolin@adguard.com> Date: Mon Dec 9 19:45:23 2019 +0300 fix Restart() ... and 6 more commits
2019-12-11 12:38:58 +03:00
Context.httpsServer.cond.L.Unlock()
}()
}
}
func verifyCertChain(data *tlsConfigStatus, certChain string, serverName string) error {
2019-10-21 16:07:55 +03:00
log.Tracef("TLS: got certificate: %d bytes", len(certChain))
// now do a more extended validation
var certs []*pem.Block // PEM-encoded certificates
var skippedBytes []string // skipped bytes
pemblock := []byte(certChain)
for {
var decoded *pem.Block
decoded, pemblock = pem.Decode(pemblock)
if decoded == nil {
break
}
if decoded.Type == "CERTIFICATE" {
certs = append(certs, decoded)
} else {
skippedBytes = append(skippedBytes, decoded.Type)
}
}
var parsedCerts []*x509.Certificate
for _, cert := range certs {
parsed, err := x509.ParseCertificate(cert.Bytes)
if err != nil {
data.WarningValidation = fmt.Sprintf("Failed to parse certificate: %s", err)
return errors.New(data.WarningValidation)
}
parsedCerts = append(parsedCerts, parsed)
}
if len(parsedCerts) == 0 {
data.WarningValidation = fmt.Sprintf("You have specified an empty certificate")
return errors.New(data.WarningValidation)
}
data.ValidCert = true
// spew.Dump(parsedCerts)
opts := x509.VerifyOptions{
DNSName: serverName,
}
log.Printf("number of certs - %d", len(parsedCerts))
if len(parsedCerts) > 1 {
// set up an intermediate
pool := x509.NewCertPool()
for _, cert := range parsedCerts[1:] {
log.Printf("got an intermediate cert")
pool.AddCert(cert)
}
opts.Intermediates = pool
}
// TODO: save it as a warning rather than error it out -- shouldn't be a big problem
mainCert := parsedCerts[0]
_, err := mainCert.Verify(opts)
if err != nil {
// let self-signed certs through
data.WarningValidation = fmt.Sprintf("Your certificate does not verify: %s", err)
} else {
data.ValidChain = true
}
// spew.Dump(chains)
// update status
if mainCert != nil {
notAfter := mainCert.NotAfter
data.Subject = mainCert.Subject.String()
data.Issuer = mainCert.Issuer.String()
data.NotAfter = notAfter
data.NotBefore = mainCert.NotBefore
data.DNSNames = mainCert.DNSNames
}
return nil
}
func validatePkey(data *tlsConfigStatus, pkey string) error {
// now do a more extended validation
var key *pem.Block // PEM-encoded certificates
var skippedBytes []string // skipped bytes
// go through all pem blocks, but take first valid pem block and drop the rest
pemblock := []byte(pkey)
for {
var decoded *pem.Block
decoded, pemblock = pem.Decode(pemblock)
if decoded == nil {
break
}
if decoded.Type == "PRIVATE KEY" || strings.HasSuffix(decoded.Type, " PRIVATE KEY") {
key = decoded
break
} else {
skippedBytes = append(skippedBytes, decoded.Type)
}
}
if key == nil {
data.WarningValidation = "No valid keys were found"
return errors.New(data.WarningValidation)
}
// parse the decoded key
_, keytype, err := parsePrivateKey(key.Bytes)
if err != nil {
data.WarningValidation = fmt.Sprintf("Failed to parse private key: %s", err)
return errors.New(data.WarningValidation)
}
data.ValidKey = true
data.KeyType = keytype
return nil
}
2019-02-28 15:28:38 +03:00
// Process certificate data and its private key.
// All parameters are optional.
// On error, return partially set object
// with 'WarningValidation' field containing error description.
func validateCertificates(certChain, pkey, serverName string) tlsConfigStatus {
var data tlsConfigStatus
// check only public certificate separately from the key
if certChain != "" {
if verifyCertChain(&data, certChain, serverName) != nil {
return data
}
}
// validate private key (right now the only validation possible is just parsing it)
if pkey != "" {
if validatePkey(&data, pkey) != nil {
return data
}
}
// if both are set, validate both in unison
if pkey != "" && certChain != "" {
_, err := tls.X509KeyPair([]byte(certChain), []byte(pkey))
if err != nil {
data.WarningValidation = fmt.Sprintf("Invalid certificate or key: %s", err)
return data
}
data.ValidPair = true
}
return data
}
// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
func parsePrivateKey(der []byte) (crypto.PrivateKey, string, error) {
if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
return key, "RSA", nil
}
if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
switch key := key.(type) {
case *rsa.PrivateKey:
return key, "RSA", nil
case *ecdsa.PrivateKey:
return key, "ECDSA", nil
default:
return nil, "", errors.New("tls: found unknown private key type in PKCS#8 wrapping")
}
}
if key, err := x509.ParseECPrivateKey(der); err == nil {
return key, "ECDSA", nil
}
return nil, "", errors.New("tls: failed to parse private key")
}
// unmarshalTLS handles base64-encoded certificates transparently
func unmarshalTLS(r *http.Request) (tlsConfig, error) {
data := tlsConfig{}
err := json.NewDecoder(r.Body).Decode(&data)
if err != nil {
return data, errorx.Decorate(err, "Failed to parse new TLS config json")
}
if data.CertificateChain != "" {
certPEM, err := base64.StdEncoding.DecodeString(data.CertificateChain)
if err != nil {
return data, errorx.Decorate(err, "Failed to base64-decode certificate chain")
}
data.CertificateChain = string(certPEM)
if data.CertificatePath != "" {
return data, fmt.Errorf("certificate data and file can't be set together")
}
}
if data.PrivateKey != "" {
keyPEM, err := base64.StdEncoding.DecodeString(data.PrivateKey)
if err != nil {
return data, errorx.Decorate(err, "Failed to base64-decode private key")
}
data.PrivateKey = string(keyPEM)
if data.PrivateKeyPath != "" {
return data, fmt.Errorf("private key data and file can't be set together")
}
}
return data, nil
}
func marshalTLS(w http.ResponseWriter, data tlsConfig) {
w.Header().Set("Content-Type", "application/json")
if data.CertificateChain != "" {
encoded := base64.StdEncoding.EncodeToString([]byte(data.CertificateChain))
data.CertificateChain = encoded
}
if data.PrivateKey != "" {
encoded := base64.StdEncoding.EncodeToString([]byte(data.PrivateKey))
data.PrivateKey = encoded
}
err := json.NewEncoder(w).Encode(data)
if err != nil {
httpError(w, http.StatusInternalServerError, "Failed to marshal json with TLS status: %s", err)
return
}
}