e671f43a2f
Merge in DNS/adguard-home from 1947-hosts-opt to master
Updates #1947.
Updates #2829.
Squashed commit of the following:
commit d09285c3dbfa7816469eec223b88c320c255c8fe
Merge: cff8c4cd 7c6557b0
Author: Eugene Burkov <e.burkov@adguard.com>
Date: Mon Apr 12 18:23:20 2021 +0300
Merge branch 'master' into 1947-hosts-opt
commit cff8c4cdbf4bcd1f5f413c541d7f4a9e42b8b05b
Author: Eugene Burkov <e.burkov@adguard.com>
Date: Mon Apr 12 17:46:19 2021 +0300
home: fix help
commit 1fa01d5b30f5adeda564dcc85a7064e2921d5981
Author: Eugene Burkov <e.burkov@adguard.com>
Date: Mon Apr 12 17:40:48 2021 +0300
home: fix option order
commit 9d83cb604aaddcc8cbe99bafa544636f8f0b7e54
Author: Eugene Burkov <e.burkov@adguard.com>
Date: Mon Apr 12 17:28:30 2021 +0300
aghnet: add important todo
commit 7f1386ff5c3081e07e975b640164a7a05e1319c9
Author: Eugene Burkov <e.burkov@adguard.com>
Date: Mon Apr 12 17:17:17 2021 +0300
all: correct naming
commit cbe2b2e4b21d5bceb3ee88e09cad154ba62b5cef
Author: Eugene Burkov <e.burkov@adguard.com>
Date: Mon Apr 12 15:55:46 2021 +0300
all: mv functionality from util
commit e82ad53862682d903dd0dd10844db65997a758bc
Author: Eugene Burkov <e.burkov@adguard.com>
Date: Mon Apr 12 15:41:35 2021 +0300
home: imp code, docs
commit 9058977f3ff99648fabaebbd7c1c354c71671327
Author: Eugene Burkov <e.burkov@adguard.com>
Date: Mon Apr 12 15:02:34 2021 +0300
home: add an option to disable autohosts
108 lines
3.0 KiB
Go
108 lines
3.0 KiB
Go
// Package util contains various utilities.
|
|
//
|
|
// TODO(a.garipov): Such packages are widely considered an antipattern. Remove
|
|
// this when we refactor our project structure.
|
|
package util
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"errors"
|
|
"io/ioutil"
|
|
"os"
|
|
"runtime"
|
|
|
|
"github.com/AdguardTeam/golibs/log"
|
|
"golang.org/x/sys/cpu"
|
|
)
|
|
|
|
// LoadSystemRootCAs - load root CAs from the system
|
|
// Return the x509 certificate pool object
|
|
// Return nil if nothing has been found.
|
|
// This means that Go.crypto will use its default algorithm to find system root CA list.
|
|
// https://github.com/AdguardTeam/AdGuardHome/internal/issues/1311
|
|
func LoadSystemRootCAs() *x509.CertPool {
|
|
if runtime.GOOS != "linux" {
|
|
return nil
|
|
}
|
|
|
|
// Directories with the system root certificates, that aren't supported by Go.crypto
|
|
dirs := []string{
|
|
"/opt/etc/ssl/certs", // Entware
|
|
}
|
|
roots := x509.NewCertPool()
|
|
for _, dir := range dirs {
|
|
fis, err := ioutil.ReadDir(dir)
|
|
if err != nil {
|
|
if !errors.Is(err, os.ErrNotExist) {
|
|
log.Error("opening directory: %q: %s", dir, err)
|
|
}
|
|
|
|
continue
|
|
}
|
|
|
|
rootsAdded := false
|
|
for _, fi := range fis {
|
|
var certData []byte
|
|
certData, err = ioutil.ReadFile(dir + "/" + fi.Name())
|
|
if err == nil && roots.AppendCertsFromPEM(certData) {
|
|
rootsAdded = true
|
|
}
|
|
}
|
|
|
|
if rootsAdded {
|
|
return roots
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// InitTLSCiphers - the same as initDefaultCipherSuites() from src/crypto/tls/common.go
|
|
// but with the difference that we don't use so many other default ciphers.
|
|
func InitTLSCiphers() []uint16 {
|
|
var ciphers []uint16
|
|
|
|
// Check the cpu flags for each platform that has optimized GCM implementations.
|
|
// Worst case, these variables will just all be false.
|
|
var (
|
|
hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
|
|
hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
|
|
// Keep in sync with crypto/aes/cipher_s390x.go.
|
|
hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
|
|
|
|
hasGCMAsm = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
|
|
)
|
|
|
|
if hasGCMAsm {
|
|
// If AES-GCM hardware is provided then prioritise AES-GCM
|
|
// cipher suites.
|
|
ciphers = []uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
|
}
|
|
} else {
|
|
// Without AES-GCM hardware, we put the ChaCha20-Poly1305
|
|
// cipher suites first.
|
|
ciphers = []uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
}
|
|
}
|
|
|
|
otherCiphers := []uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
|
}
|
|
ciphers = append(ciphers, otherCiphers...)
|
|
return ciphers
|
|
}
|