Pull request #1269: tls: hide saved private key
Merge in DNS/adguard-home from 1898-hide-private-key to master Squashed commit of the following: commit 542569bbc098541f8e191cc5c1e5509a65fe2c5f Merge: a07d715f756c7064Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 27 13:29:15 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit a07d715f0f0932fdad4ec3f1e1a265b43809e21b Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:45:39 2021 +0300 fix bug commit 9f2b70719a24aab827c2dc300fc94bf2202527a7 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 19:07:17 2021 +0300 fixes commit e79f0e620844531a737fff5a88f5c2cffc403f51 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:35:32 2021 +0300 more documentation to god of documentation commit 47790964ed05f50c075f6b6497b1517b0d974bea Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:23:08 2021 +0300 changed var named && fixed description commit d35de5a34eafb3ffbd1148982dd31735a2000377 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 18:11:13 2021 +0300 revert locales commit 514ab1a5d90039bf9aad1389dd0ed966fd1a7e65 Merge: 5d9b992a16092e8bAuthor: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:27 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit 5d9b992a236dec276a46a035509da6938a7da7bf Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Thu Aug 26 14:41:13 2021 +0300 here we go again commit 2e7b30df5f19953f4e055394083be62b23028ad6 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:11:49 2021 +0300 update deps commit 5e58c3e22a77c42f321deb9707f34f031b345d75 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:10:19 2021 +0300 small fix commit c2096377de0a8ecf4f36567322ad9171c5fb5ab2 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 20 17:07:45 2021 +0300 fixes && updated translations commit ada2d4784e6288b1740b8564b6ffc1ef8f0dcf68 Merge: dc5ce072550b1798Author: Dmitriy Seregin 
<d.seregin@adguard.com> Date: Fri Aug 20 13:17:34 2021 +0300 Merge branch 'master' into 1898-hide-private-key commit dc5ce0721b5c095ed79f2a302ad90d9616785f93 Author: Dmitriy Seregin <d.seregin@adguard.com> Date: Fri Aug 13 20:12:18 2021 +0300 tls: hide saved private key If the private key is stored as a string in the configuration, omit it from the response sent to the UI and report only that a key is saved.
@@ -210,15 +210,26 @@ type tlsConfigStatus struct {
|
||||
|
||||
// field ordering is important -- yaml fields will mirror ordering from here
|
||||
type tlsConfig struct {
|
||||
tlsConfigStatus `json:",inline"`
|
||||
tlsConfigStatus `json:",inline"`
|
||||
tlsConfigSettingsExt `json:",inline"`
|
||||
}
|
||||
|
||||
// tlsConfigSettingsExt is used to (un)marshal PrivateKeySaved to ensure that
|
||||
// clients don't send and receive previously saved private keys.
|
||||
type tlsConfigSettingsExt struct {
|
||||
tlsConfigSettings `json:",inline"`
|
||||
// If private key saved as a string, we set this flag to true
|
||||
// and omit key from answer.
|
||||
PrivateKeySaved bool `yaml:"-" json:"private_key_saved,inline"`
|
||||
}
|
||||
|
||||
func (t *TLSMod) handleTLSStatus(w http.ResponseWriter, _ *http.Request) {
|
||||
t.confLock.Lock()
|
||||
data := tlsConfig{
|
||||
tlsConfigSettings: t.conf,
|
||||
tlsConfigStatus: t.status,
|
||||
tlsConfigSettingsExt: tlsConfigSettingsExt{
|
||||
tlsConfigSettings: t.conf,
|
||||
},
|
||||
tlsConfigStatus: t.status,
|
||||
}
|
||||
t.confLock.Unlock()
|
||||
marshalTLS(w, data)
|
||||
@@ -231,19 +242,23 @@ func (t *TLSMod) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if setts.PrivateKeySaved {
|
||||
setts.PrivateKey = t.conf.PrivateKey
|
||||
}
|
||||
|
||||
if !WebCheckPortAvailable(setts.PortHTTPS) {
|
||||
httpError(w, http.StatusBadRequest, "port %d is not available, cannot enable HTTPS on it", setts.PortHTTPS)
|
||||
return
|
||||
}
|
||||
|
||||
status := tlsConfigStatus{}
|
||||
if tlsLoadConfig(&setts, &status) {
|
||||
if tlsLoadConfig(&setts.tlsConfigSettings, &status) {
|
||||
status = validateCertificates(string(setts.CertificateChainData), string(setts.PrivateKeyData), setts.ServerName)
|
||||
}
|
||||
|
||||
data := tlsConfig{
|
||||
tlsConfigSettings: setts,
|
||||
tlsConfigStatus: status,
|
||||
tlsConfigSettingsExt: setts,
|
||||
tlsConfigStatus: status,
|
||||
}
|
||||
marshalTLS(w, data)
|
||||
}
|
||||
@@ -290,16 +305,20 @@ func (t *TLSMod) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if data.PrivateKeySaved {
|
||||
data.PrivateKey = t.conf.PrivateKey
|
||||
}
|
||||
|
||||
if !WebCheckPortAvailable(data.PortHTTPS) {
|
||||
httpError(w, http.StatusBadRequest, "port %d is not available, cannot enable HTTPS on it", data.PortHTTPS)
|
||||
return
|
||||
}
|
||||
|
||||
status := tlsConfigStatus{}
|
||||
if !tlsLoadConfig(&data, &status) {
|
||||
if !tlsLoadConfig(&data.tlsConfigSettings, &status) {
|
||||
data2 := tlsConfig{
|
||||
tlsConfigSettings: data,
|
||||
tlsConfigStatus: t.status,
|
||||
tlsConfigSettingsExt: data,
|
||||
tlsConfigStatus: t.status,
|
||||
}
|
||||
marshalTLS(w, data2)
|
||||
|
||||
@@ -308,7 +327,7 @@ func (t *TLSMod) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
status = validateCertificates(string(data.CertificateChainData), string(data.PrivateKeyData), data.ServerName)
|
||||
|
||||
restartHTTPS := t.setConfig(data, status)
|
||||
restartHTTPS := t.setConfig(data.tlsConfigSettings, status)
|
||||
t.setCertFileTime()
|
||||
onConfigModified()
|
||||
|
||||
@@ -320,8 +339,8 @@ func (t *TLSMod) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
data2 := tlsConfig{
|
||||
tlsConfigSettings: data,
|
||||
tlsConfigStatus: t.status,
|
||||
tlsConfigSettingsExt: data,
|
||||
tlsConfigStatus: t.status,
|
||||
}
|
||||
|
||||
marshalTLS(w, data2)
|
||||
@@ -335,7 +354,7 @@ func (t *TLSMod) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
|
||||
// goroutine due to the same reason.
|
||||
if restartHTTPS {
|
||||
go func() {
|
||||
Context.web.TLSConfigChanged(context.Background(), data)
|
||||
Context.web.TLSConfigChanged(context.Background(), data.tlsConfigSettings)
|
||||
}()
|
||||
}
|
||||
}
|
||||
@@ -514,8 +533,8 @@ func parsePrivateKey(der []byte) (crypto.PrivateKey, string, error) {
|
||||
}
|
||||
|
||||
// unmarshalTLS handles base64-encoded certificates transparently
|
||||
func unmarshalTLS(r *http.Request) (tlsConfigSettings, error) {
|
||||
data := tlsConfigSettings{}
|
||||
func unmarshalTLS(r *http.Request) (tlsConfigSettingsExt, error) {
|
||||
data := tlsConfigSettingsExt{}
|
||||
err := json.NewDecoder(r.Body).Decode(&data)
|
||||
if err != nil {
|
||||
return data, fmt.Errorf("failed to parse new TLS config json: %w", err)
|
||||
@@ -559,8 +578,8 @@ func marshalTLS(w http.ResponseWriter, data tlsConfig) {
|
||||
}
|
||||
|
||||
if data.PrivateKey != "" {
|
||||
encoded := base64.StdEncoding.EncodeToString([]byte(data.PrivateKey))
|
||||
data.PrivateKey = encoded
|
||||
data.PrivateKeySaved = true
|
||||
data.PrivateKey = ""
|
||||
}
|
||||
|
||||
err := json.NewEncoder(w).Encode(data)
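Review bot: The `if setts.PrivateKeySaved { setts.PrivateKey = t.conf.PrivateKey }` substitution added in the handleTLSValidate and handleTLSConfigure hunks runs unconditionally, so a request carrying both `private_key_saved: true` and a fresh `private_key` has the new key silently discarded, and a flag set while `t.conf.PrivateKey` is already empty yields an empty key with no explanation until tlsLoadConfig fails later. It also reads `t.conf` without the `confLock` that handleTLSStatus takes for the same read in this diff; both handlers begin outside their hunks, so if the lock is already held at that point this part is moot. I would reject the ambiguous combination, fail early when nothing is saved, and take the lock around the copy, as below (the same shape applies to the `data` variable in handleTLSConfigure). Minor: `inline` in `json:"private_key_saved,inline"` is a yaml option that encoding/json ignores, so `json:"private_key_saved"` states what actually happens.
```go
if setts.PrivateKeySaved {
	if setts.PrivateKey != "" {
		httpError(w, http.StatusBadRequest, "private_key_saved cannot be combined with private_key")
		return
	}
	t.confLock.Lock()
	setts.PrivateKey = t.conf.PrivateKey
	t.confLock.Unlock()
	if setts.PrivateKey == "" {
		httpError(w, http.StatusBadRequest, "private_key_saved is set but no private key is saved")
		return
	}
}
// … unchanged: port availability check, tlsLoadConfig, validateCertificates …
```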
|
||||
|
||||