Support verify TLS hostname

ReadMe.md

@@ -562,8 +562,8 @@ https://github.com/pymumu/smartdns/releases
 |conf-file|附加配置文件|无|文件路径|conf-file /etc/smartdns/smartdns.more.conf
 |server|上游UDP DNS|无|可重复<br>`[ip][:port]`：服务器IP，端口可选。<br>`[-blacklist-ip]`：blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-whitelist-ip]`：whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。<br>`[-group [group] ...]`：DNS服务器所属组，比如office, foreign，和nameserver配套使用。<br>`[-exclude-default-group]`：将DNS服务器从默认组中排除| server 8.8.8.8:53 -blacklist-ip -group g1
 |server-tcp|上游TCP DNS|无|可重复<br>`[ip][:port]`：服务器IP，端口可选。<br>`[-blacklist-ip]`：blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-whitelist-ip]`：whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。<br>`[-group [group] ...]`：DNS服务器所属组，比如office, foreign，和nameserver配套使用。<br>`[-exclude-default-group]`：将DNS服务器从默认组中排除| server-tcp 8.8.8.8:53
-|server-tls|上游TLS DNS|无|可重复<br>`[ip][:port]`：服务器IP，端口可选。<br>`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值，base64编码的sha256 SPKI pin值<br>`[-host-name]`：TLS SNI名称。<br>`[-blacklist-ip]`：blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-whitelist-ip]`：whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。<br>`[-group [group] ...]`：DNS服务器所属组，比如office, foreign，和nameserver配套使用。<br>`[-exclude-default-group]`：将DNS服务器从默认组中排除| server-tls 8.8.8.8:853
+|server-tls|上游TLS DNS|无|可重复<br>`[ip][:port]`：服务器IP，端口可选。<br>`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值，base64编码的sha256 SPKI pin值<br>`[-host-name]`：TLS SNI名称。<br>`[-tls-host-check]`: TLS证书主机名校验。<br>`[-blacklist-ip]`：blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-whitelist-ip]`：whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。<br>`[-group [group] ...]`：DNS服务器所属组，比如office, foreign，和nameserver配套使用。<br>`[-exclude-default-group]`：将DNS服务器从默认组中排除| server-tls 8.8.8.8:853
-|server-https|上游HTTPS DNS|无|可重复<br>`https://[host][:port]/path`：服务器IP，端口可选。<br>`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值，base64编码的sha256 SPKI pin值<br>`[-host-name]`：TLS SNI名称<br>`[-http-host]`：http协议头主机名。<br>`[-blacklist-ip]`：blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-whitelist-ip]`：whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。<br>`[-group [group] ...]`：DNS服务器所属组，比如office, foreign，和nameserver配套使用。<br>`[-exclude-default-group]`：将DNS服务器从默认组中排除| server-https https://cloudflare-dns.com/dns-query
+|server-https|上游HTTPS DNS|无|可重复<br>`https://[host][:port]/path`：服务器IP，端口可选。<br>`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值，base64编码的sha256 SPKI pin值<br>`[-host-name]`：TLS SNI名称<br>`[-http-host]`：http协议头主机名。<br>`[-tls-host-check]`: TLS证书主机名校验。<br>`[-blacklist-ip]`：blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。<br>`[-whitelist-ip]`：whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。<br>`[-group [group] ...]`：DNS服务器所属组，比如office, foreign，和nameserver配套使用。<br>`[-exclude-default-group]`：将DNS服务器从默认组中排除| server-https https://cloudflare-dns.com/dns-query
 |address|指定域名IP地址|无|address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6] <br>`-`表示忽略 <br>`#`表示返回SOA <br>`4`表示IPV4 <br>`6`表示IPV6| address /www.example.com/1.2.3.4
 |nameserver|指定域名使用server组解析|无|nameserver /domain/[group\|-], `group`为组名，`-`表示忽略此规则，配套server中的`-group`参数使用| nameserver /www.example.com/office
 |ipset|域名IPSET|None|ipset /domain/[ipset\|-], `-`表示忽略|ipset /www.example.com/pass

ReadMe_en.md

@@ -557,8 +557,8 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
 |conf-file|additional conf file|None|File path|conf-file /etc/smartdns/smartdns.more.conf
 |server|Upstream UDP DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server 8.8.8.8:53 -blacklist-ip
 |server-tcp|Upstream TCP DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tcp 8.8.8.8:53
-|server-tls|Upstream TLS DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[-host-name]`:TLS Server name. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tls 8.8.8.8:853
+|server-tls|Upstream TLS DNS server|None|Repeatable <br>`[ip][:port]`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[-host-name]`:TLS Server name. <br>`[-tls-host-check]`: TLS cert hostname to verify.<br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tls 8.8.8.8:853
-|server-https|Upstream HTTPS DNS server|None|Repeatable <br>`https://[host][:port]/path`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[-host-name]`:TLS Server name<br>`[-http-host]`：http header host. <br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-https https://cloudflare-dns.com/dns-query
+|server-https|Upstream HTTPS DNS server|None|Repeatable <br>`https://[host][:port]/path`: Server IP, port optional. <br>`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash<br>`[-host-name]`:TLS Server name<br>`[-http-host]`：http header host. <br>`[-tls-host-check]`: TLS cert hostname to verify.<br>`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip". <br>`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted. <br>`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver. <br>`[-exclude-default-group]`: Exclude DNS servers from the default group| server-https https://cloudflare-dns.com/dns-query
 |address|Domain IP address|None|address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6], `-` for ignore, `#` for return SOA, `4` for IPV4, `6` for IPV6| address /www.example.com/1.2.3.4
 |nameserver|To query domain with specific server group|None|nameserver /domain/[group\|-], `group` is the group name, `-` means ignore this rule, use the `-group` parameter in the related server|nameserver /www.example.com/office
 |ipset|Domain IPSet|None|ipset /domain/[ipset\|-], `-` for ignore|ipset /www.example.com/pass

etc/smartdns/smartdns.conf

@@ -118,6 +118,8 @@ log-level info
 # remote tls dns server list
 # server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
 #   -spki-pin: TLS spki pin to verify.
+#   -tls-host-check: cert hostname to verify.
+#   -hostname: TLS sni hostname.
 # Get SPKI with this command:
 #    echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
 # default port is 853
@@ -127,6 +129,9 @@ log-level info
 # remote https dns server list
 # server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
 #   -spki-pin: TLS spki pin to verify.
+#   -tls-host-check: cert hostname to verify.
+#   -hostname: TLS sni hostname.
+#   -http-host: http host.
 # default port is 443
 # server-https https://cloudflare-dns.com/dns-query
 

package/luci/files/luci/i18n/smartdns.zh-cn.po

@@ -139,6 +139,12 @@ msgstr "协议类型"
 msgid "Domain Address"
 msgstr "域名地址"
 
+msgid "TLS Hostname Verify"
+msgstr "校验TLS主机名"
+
+msgid "Set TLS hostname to verify"
+msgstr "设置校验TLS主机名"
+
 msgid "TLS SNI name"
 msgstr "TLS SNI名称"
 

package/luci/files/luci/model/cbi/smartdns/upstream.lua

@@ -39,6 +39,14 @@ o:value("https", translate("https"))
 o.default     = "udp"
 o.rempty      = false
 
+---- TLS host check
+o = s:option(Value, "tls_host_check", translate("TLS Hostname Verify"), translate("Set TLS hostname to verify"))
+o.default     = ""
+o.datatype    = "string"
+o.rempty      = true
+o:depends("type", "tls")
+o:depends("type", "https")
+
 ---- SNI host name
 o = s:option(Value, "host_name", translate("TLS SNI name"), translate("Sets the server name indication"))
 o.default     = ""

package/openwrt/files/etc/init.d/smartdns

@@ -160,6 +160,7 @@ load_server()
 	config_get "port" "$section" "port" ""
 	config_get "type" "$section" "type" "udp"
 	config_get "ip" "$section" "ip" ""
+	config_get "tls_host_check" "$section" "tls_host_check" ""
 	config_get "host_name" "$section" "host_name" ""
 	config_get "http_host" "$section" "http_host" ""
 	config_get "server_group" "$section" "server_group" ""
@@ -191,6 +192,10 @@ load_server()
 		fi
 	fi
 
+	if [ ! -z "$tls_host_check" ]; then
+		ADDITIONAL_ARGS="$ADDITIONAL_ARGS -tls-host-check $tls_host_check"
+	fi
+
 	if [ ! -z "$host_name" ]; then
 		ADDITIONAL_ARGS="$ADDITIONAL_ARGS -host-name $host_name"
 	fi

src/dns_client.c

@@ -29,6 +29,7 @@
 #include "util.h"
 #include <arpa/inet.h>
 #include <errno.h>
+#include <ctype.h>
 #include <fcntl.h>
 #include <linux/filter.h>
 #include <netdb.h>
@@ -623,6 +624,38 @@ int dns_client_spki_decode(const char *spki, unsigned char *spki_data_out)
 	return spki_data_len;
 }
 
+static char *_dns_client_server_get_tls_host_check(struct dns_server_info *server_info)
+{
+	char *tls_host_check = NULL;
+
+	switch (server_info->type) {
+	case DNS_SERVER_UDP: {
+	} break;
+	case DNS_SERVER_HTTPS: {
+		struct client_dns_server_flag_https *flag_https = &server_info->flags.https;
+		tls_host_check = flag_https->tls_host_check;
+	} break;
+	case DNS_SERVER_TLS: {
+		struct client_dns_server_flag_tls *flag_tls = &server_info->flags.tls;
+		tls_host_check = flag_tls->tls_host_check;
+	} break;
+		break;
+	case DNS_SERVER_TCP:
+		break;
+	default:
+		return NULL;
+		break;
+	}
+
+	if (tls_host_check) {
+		if (tls_host_check[0] == '\0') {
+			return NULL;
+		}
+	}
+
+	return tls_host_check;
+}
+
 static char *_dns_client_server_get_spki(struct dns_server_info *server_info, int *spki_len)
 {
 	*spki_len = 0;
@@ -1874,6 +1907,34 @@ static inline int _dns_client_to_hex(int c)
 	}
 }
 
+static int _dns_client_tls_matchName(const char *host, const char *pattern, int size)
+{
+	int match = -1;
+	int i = 0, j = 0;
+
+	while (i < size && host[j] != '\0') {
+		if (toupper(pattern[i]) == toupper(host[j])) {
+			i++;
+			j++;
+			continue;
+		}
+		if (pattern[i] == '*') {
+			while (host[j] != '.' && host[j] != '\0') {
+				j++;
+			}
+			i++;
+			continue;
+		}
+		break;
+	}
+
+	if (i == size && host[j] == '\0') {
+		match = 0;
+	}
+	
+	return match;
+}
+
 static int _dns_client_tls_verify(struct dns_server_info *server_info)
 {
 	X509 *cert = NULL;
@@ -1886,6 +1947,7 @@ static int _dns_client_tls_verify(struct dns_server_info *server_info)
 	unsigned char *key_sha256 = NULL;
 	char *spki = NULL;
 	int spki_len = 0;
+	char *tls_host_check = NULL;
 
 	cert = SSL_get_peer_certificate(server_info->ssl);
 	if (cert == NULL) {
@@ -1896,6 +1958,15 @@ static int _dns_client_tls_verify(struct dns_server_info *server_info)
 	X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, peer_CN, 256);
 	tlog(TLOG_DEBUG, "peer CN: %s", peer_CN);
 
+	/* check tls host */
+	tls_host_check = _dns_client_server_get_tls_host_check(server_info);
+	if (tls_host_check) {
+		if (_dns_client_tls_matchName(peer_CN, tls_host_check, strnlen(tls_host_check, DNS_MAX_CNAME_LEN)) != 0) {
+			tlog(TLOG_INFO, "server %s CN is invalid, peer CN: %s, expect CN: %s", server_info->ip, peer_CN, tls_host_check);
+			goto errout;
+		}
+	}
+
 	/* get spki pin */
 	key_len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
 	if (key_len <= 0) {

src/dns_client.h

@@ -45,6 +45,7 @@ struct client_dns_server_flag_tls {
 	char spki[DNS_SERVER_SPKI_LEN];
 	int spi_len;
 	char hostname[DNS_MAX_CNAME_LEN];
+	char tls_host_check[DNS_MAX_CNAME_LEN];
 };
 
 struct client_dns_server_flag_https {
@@ -53,6 +54,7 @@ struct client_dns_server_flag_https {
 	char hostname[DNS_MAX_CNAME_LEN];
 	char httphost[DNS_MAX_CNAME_LEN];
 	char path[DNS_MAX_CNAME_LEN];
+	char tls_host_check[DNS_MAX_CNAME_LEN];
 };
 
 struct client_dns_server_flags {

src/dns_conf.c

@@ -181,6 +181,7 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
 		{"spki-pin", required_argument, NULL, 'p'}, /* check SPKI pin */
 		{"host-name", required_argument, NULL, 'h'}, /* host name */
 		{"http-host", required_argument, NULL, 'H'}, /* http host */
+		{"tls-host-check", required_argument, NULL, 'V' }, /* check tls hostname */
 		{"group", required_argument, NULL, 'g'}, /* add to group */
 		{"exclude-default-group", no_argument, NULL, 'E'}, /* ecluse this from default group */
 		{NULL, no_argument, NULL, 0}
@@ -201,6 +202,7 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
 	server->path[0] = '\0';
 	server->hostname[0] = '\0';
 	server->httphost[0] = '\0';
+	server->tls_host_check[0] = '\0';
 
 	ip = argv[1];
 
@@ -269,6 +271,10 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
 			safe_strncpy(server->spki, optarg, DNS_MAX_SPKI_LEN);
 			break;
 		}
+		case 'V': {
+			safe_strncpy(server->tls_host_check, optarg, DNS_MAX_CNAME_LEN);
+			break;
+		}
 		default:
 			break;
 		}

src/dns_conf.h

@@ -122,6 +122,7 @@ struct dns_servers {
 	char spki[DNS_MAX_SPKI_LEN];
 	char hostname[DNS_MAX_CNAME_LEN];
 	char httphost[DNS_MAX_CNAME_LEN];
+	char tls_host_check[DNS_MAX_CNAME_LEN];
 	char path[DNS_MAX_URL_LEN];
 };
 

src/smartdns.c

@@ -157,11 +157,13 @@ static int _smartdns_add_servers(void)
 			safe_strncpy(flag_http->hostname, dns_conf_servers[i].hostname, sizeof(flag_http->hostname));
 			safe_strncpy(flag_http->path, dns_conf_servers[i].path, sizeof(flag_http->path));
 			safe_strncpy(flag_http->httphost, dns_conf_servers[i].httphost, sizeof(flag_http->httphost));
+			safe_strncpy(flag_http->tls_host_check, dns_conf_servers[i].tls_host_check, sizeof(flag_http->tls_host_check));
 		} break;
 		case DNS_SERVER_TLS: {
 			struct client_dns_server_flag_tls *flag_tls = &flags.tls;
 			flag_tls->spi_len = dns_client_spki_decode(dns_conf_servers[i].spki, (unsigned char *)flag_tls->spki);
 			safe_strncpy(flag_tls->hostname, dns_conf_servers[i].hostname, sizeof(flag_tls->hostname));
+			safe_strncpy(flag_tls->tls_host_check, dns_conf_servers[i].tls_host_check, sizeof(flag_tls->tls_host_check));
 		} break;
 			break;
 		case DNS_SERVER_TCP: