Merge branch 'master' into 1472-edns-custom-ip

CHANGELOG.md

@@ -14,29 +14,46 @@ and this project adheres to
 <!--
 ## [v0.108.0] - TBA
 
-## [v0.107.25] - 2023-03-09 (APPROX.)
+## [v0.107.26] - 2023-03-09 (APPROX.)
 
-See also the [v0.107.25 GitHub milestone][ms-v0.107.25].
+See also the [v0.107.26 GitHub milestone][ms-v0.107.26].
 
-[ms-v0.107.25]: https://github.com/AdguardTeam/AdGuardHome/milestone/61?closed=1
+[ms-v0.107.26]: https://github.com/AdguardTeam/AdGuardHome/milestone/62?closed=1
 
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
 
 ### Fixed
 
-- Panic when using unencrypted DNS-over-HTTPS ([#5518]).
+- Requirements to domain names in domain-specific upstream configurations have
+  been relaxed to meet those from [RFC 3696][rfc3696] ([#4884]).
 - Failing service installation via script on FreeBSD ([#5431]).
 
-[#5518]: https://github.com/AdguardTeam/AdGuardHome/issues/5518
+[#4884]: https://github.com/AdguardTeam/AdGuardHome/issues/4884
 [#5431]: https://github.com/AdguardTeam/AdGuardHome/issues/5431
 
+[rfc3696]: https://datatracker.ietf.org/doc/html/rfc3696
+
 <!--
 NOTE: Add new changes ABOVE THIS COMMENT.
 -->
 
 
 
+## [v0.107.25] - 2023-02-21
+
+See also the [v0.107.25 GitHub milestone][ms-v0.107.25].
+
+### Fixed
+
+- Panic when using unencrypted DNS-over-HTTPS ([#5518]).
+
+[#5518]: https://github.com/AdguardTeam/AdGuardHome/issues/5518
+
+[ms-v0.107.25]: https://github.com/AdguardTeam/AdGuardHome/milestone/61?closed=1
+
+
+
 ## [v0.107.24] - 2023-02-15
 
 See also the [v0.107.24 GitHub milestone][ms-v0.107.24].
@@ -1677,11 +1694,12 @@ See also the [v0.104.2 GitHub milestone][ms-v0.104.2].
 
 
 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.25...HEAD
-[v0.107.25]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.24...v0.107.25
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.26...HEAD
+[v0.107.26]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.25...v0.107.26
 -->
 
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.24...HEAD
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.25...HEAD
+[v0.107.25]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.24...v0.107.25
 [v0.107.24]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.23...v0.107.24
 [v0.107.23]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.22...v0.107.23
 [v0.107.22]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.21...v0.107.22

Makefile

@@ -4,17 +4,26 @@
 # See https://pubs.opengroup.org/onlinepubs/9699919799/utilities/make.html.
 .POSIX:
 
+# This comment is used to simplify checking local copies of the
+# Makefile.  Bump this number every time a significant change is made to
+# this Makefile.
+#
+# AdGuard-Project-Version: 2
+
+# Don't name these macros "GO" etc., because GNU Make apparently makes
+# them exported environment variables with the literal value of
+# "${GO:-go}" and so on, which is not what we need.  Use a dot in the
+# name to make sure that users don't have an environment variable with
+# the same name.
+#
+# See https://unix.stackexchange.com/q/646255/105635.
+GO.MACRO = $${GO:-go}
+VERBOSE.MACRO = $${VERBOSE:-0}
+
 CHANNEL = development
 CLIENT_DIR = client
 COMMIT = $$( git rev-parse --short HEAD )
 DIST_DIR = dist
-# Don't name this macro "GO", because GNU Make apparenly makes it an
-# exported environment variable with the literal value of "${GO:-go}",
-# which is not what we need.  Use a dot in the name to make sure that
-# users don't have an environment variable with the same name.
-#
-# See https://unix.stackexchange.com/q/646255/105635.
-GO.MACRO = $${GO:-go}
 GOPROXY = https://goproxy.cn|https://proxy.golang.org|direct
 GOSUMDB = sum.golang.google.cn
 GPG_KEY = devteam@adguard.com
@@ -25,7 +34,6 @@ NPM_INSTALL_FLAGS = $(NPM_FLAGS) --quiet --no-progress --ignore-engines\
 	--ignore-optional --ignore-platform --ignore-scripts
 RACE = 0
 SIGN = 1
-VERBOSE = 0
 VERSION = v0.0.0
 YARN = yarn
 
@@ -59,13 +67,13 @@ ENV = env\
 	RACE='$(RACE)'\
 	SIGN='$(SIGN)'\
 	NEXTAPI='$(NEXTAPI)'\
-	VERBOSE='$(VERBOSE)'\
+	VERBOSE="$(VERBOSE.MACRO)"\
 	VERSION='$(VERSION)'\
 
 # Keep the line above blank.
 
-# Keep this target first, so that a naked make invocation triggers
-# a full build.
+# Keep this target first, so that a naked make invocation triggers a
+# full build.
 build: deps quick-build
 
 quick-build: js-build go-build
@@ -119,4 +127,4 @@ go-os-check:
 openapi-lint: ; cd ./openapi/ && $(YARN) test
 openapi-show: ; cd ./openapi/ && $(YARN) start
 
-txt-lint:  ; $(ENV) "$(SHELL)" ./scripts/make/txt-lint.sh
+txt-lint: ; $(ENV) "$(SHELL)" ./scripts/make/txt-lint.sh

go.mod

@@ -4,8 +4,8 @@ go 1.19
 
 require (
 	// TODO(a.garipov): Use v0.48.0 when it's released.
-	github.com/AdguardTeam/dnsproxy v0.47.1-0.20230207130636-533058b17239
-	github.com/AdguardTeam/golibs v0.11.4
+	github.com/AdguardTeam/dnsproxy v0.48.0
+	github.com/AdguardTeam/golibs v0.12.0
 	github.com/AdguardTeam/urlfilter v0.16.1
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/ameshkov/dnscrypt/v2 v2.2.5

go.sum

@@ -1,9 +1,9 @@
-github.com/AdguardTeam/dnsproxy v0.47.1-0.20230207130636-533058b17239 h1:n1oOiywOvdeqWLto809bK1rK1EPDkpaSfT/r1OiCVaQ=
-github.com/AdguardTeam/dnsproxy v0.47.1-0.20230207130636-533058b17239/go.mod h1:+Sdi5ISrjDFbeCsKNqzcC1Ag7pJ5Hh9y+UBNb3dfqJ4=
+github.com/AdguardTeam/dnsproxy v0.48.0 h1:sGViYy2pV0cEp2zCsxPjFd9rlgD0+yELpIeLkBxHAoI=
+github.com/AdguardTeam/dnsproxy v0.48.0/go.mod h1:9OHoeaVod+moWwrLjHF95RQnFWGi/6B1tfKsxWc/yGE=
 github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
 github.com/AdguardTeam/golibs v0.10.4/go.mod h1:rSfQRGHIdgfxriDDNgNJ7HmE5zRoURq8R+VdR81Zuzw=
-github.com/AdguardTeam/golibs v0.11.4 h1:IltyvxwCTN+xxJF5sh6VadF8Zfbf8elgCm9dgijSVzM=
-github.com/AdguardTeam/golibs v0.11.4/go.mod h1:87bN2x4VsTritptE3XZg9l8T6gznWsIxHBcQ1DeRIXA=
+github.com/AdguardTeam/golibs v0.12.0 h1:z4Q3Mz0pHJ2Zag4B0RBaIXEUue1TPOKkbRiYkwC4r7I=
+github.com/AdguardTeam/golibs v0.12.0/go.mod h1:87bN2x4VsTritptE3XZg9l8T6gznWsIxHBcQ1DeRIXA=
 github.com/AdguardTeam/gomitmproxy v0.2.0/go.mod h1:Qdv0Mktnzer5zpdpi5rAwixNJzW2FN91LjKJCkVbYGU=
 github.com/AdguardTeam/urlfilter v0.16.1 h1:ZPi0rjqo8cQf2FVdzo6cqumNoHZx2KPXj2yZa1A5BBw=
 github.com/AdguardTeam/urlfilter v0.16.1/go.mod h1:46YZDOV1+qtdRDuhZKVPSSp7JWWes0KayqHrKAFBdEI=

internal/aghnet/arpdb_bsd.go

@@ -67,7 +67,7 @@ func parseArpA(sc *bufio.Scanner, lenHint int) (ns []Neighbor) {
 		}
 
 		host := fields[0]
-		err = netutil.ValidateDomainName(host)
+		err = netutil.ValidateHostname(host)
 		if err != nil {
 			log.Debug("arpdb: parsing arp output: host: %s", err)
 		} else {

internal/aghnet/arpdb_linux.go

@@ -198,7 +198,7 @@ func parseArpA(sc *bufio.Scanner, lenHint int) (ns []Neighbor) {
 		}
 
 		host := fields[0]
-		if verr := netutil.ValidateDomainName(host); verr != nil {
+		if verr := netutil.ValidateHostname(host); verr != nil {
 			log.Debug("arpdb: parsing arp output: host: %s", verr)
 		} else {
 			n.Name = host

internal/aghnet/hostscontainer.go

@@ -343,7 +343,7 @@ func (hp *hostsParser) parseLine(line string) (ip netip.Addr, hosts []string) {
 		// See https://github.com/AdguardTeam/AdGuardHome/issues/3946.
 		//
 		// TODO(e.burkov):  Investigate if hosts may contain DNS-SD domains.
-		err = netutil.ValidateDomainName(f)
+		err = netutil.ValidateHostname(f)
 		if err != nil {
 			log.Error("%s: host %q is invalid, ignoring", hostsContainerPref, f)
 

internal/dhcpd/v4_unix.go

@@ -108,7 +108,7 @@ func (s *v4Server) validHostnameForClient(cliHostname string, ip net.IP) (hostna
 		hostname = aghnet.GenerateHostname(ip)
 	}
 
-	err = netutil.ValidateDomainName(hostname)
+	err = netutil.ValidateHostname(hostname)
 	if err != nil {
 		log.Info("dhcpv4: %s", err)
 		hostname = ""
@@ -372,7 +372,7 @@ func (s *v4Server) AddStaticLease(l *Lease) (err error) {
 			return err
 		}
 
-		err = netutil.ValidateDomainName(hostname)
+		err = netutil.ValidateHostname(hostname)
 		if err != nil {
 			return fmt.Errorf("validating hostname: %w", err)
 		}

internal/dhcpd/v4_unix_test.go

@@ -251,8 +251,8 @@ func TestV4Server_AddRemove_static(t *testing.T) {
 		},
 		name: "bad_hostname",
 		wantErrMsg: `dhcpv4: adding static lease: validating hostname: ` +
-			`bad domain name "bad-lbl-.local": ` +
-			`bad domain name label "bad-lbl-": bad domain name label rune '-'`,
+			`bad hostname "bad-lbl-.local": ` +
+			`bad hostname label "bad-lbl-": bad hostname label rune '-'`,
 	}}
 
 	for _, tc := range testCases {

internal/dnsforward/clientid.go

@@ -14,7 +14,7 @@ import (
 
 // ValidateClientID returns an error if id is not a valid ClientID.
 func ValidateClientID(id string) (err error) {
-	err = netutil.ValidateDomainNameLabel(id)
+	err = netutil.ValidateHostnameLabel(id)
 	if err != nil {
 		// Replace the domain name label wrapper with our own.
 		return fmt.Errorf("invalid clientid %q: %w", id, errors.Unwrap(err))

internal/dnsforward/clientid_test.go

@@ -119,7 +119,7 @@ func TestServer_clientIDFromDNSContext(t *testing.T) {
 		cliSrvName:   "!!!.example.com",
 		wantClientID: "",
 		wantErrMsg: `clientid check: invalid clientid "!!!": ` +
-			`bad domain name label rune '!'`,
+			`bad hostname label rune '!'`,
 		inclHTTPTLS: false,
 		strictSNI:   true,
 	}, {
@@ -131,7 +131,7 @@ func TestServer_clientIDFromDNSContext(t *testing.T) {
 		wantClientID: "",
 		wantErrMsg: `clientid check: invalid clientid "abcdefghijklmno` +
 			`pqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz0123456789": ` +
-			`domain name label is too long: got 72, max 63`,
+			`hostname label is too long: got 72, max 63`,
 		inclHTTPTLS: false,
 		strictSNI:   true,
 	}, {
@@ -330,7 +330,7 @@ func TestClientIDFromDNSContextHTTPS(t *testing.T) {
 		path:         "/dns-query/!!!",
 		cliSrvName:   "example.com",
 		wantClientID: "",
-		wantErrMsg:   `clientid check: invalid clientid "!!!": bad domain name label rune '!'`,
+		wantErrMsg:   `clientid check: invalid clientid "!!!": bad hostname label rune '!'`,
 	}, {
 		name:         "both_ids",
 		path:         "/dns-query/right",

internal/dnsforward/config.go

@@ -7,7 +7,6 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"sort"
 	"strings"
 	"time"
 
@@ -23,6 +22,7 @@ import (
 	"github.com/AdguardTeam/golibs/stringutil"
 	"github.com/AdguardTeam/golibs/timeutil"
 	"github.com/ameshkov/dnscrypt/v2"
+	"golang.org/x/exp/slices"
 )
 
 // BlockingMode is an enum of all allowed blocking modes.
@@ -523,7 +523,7 @@ func (s *Server) prepareTLS(proxyConfig *proxy.Config) (err error) {
 		if len(cert.DNSNames) != 0 {
 			s.conf.dnsNames = cert.DNSNames
 			log.Debug("dnsforward: using certificate's SAN as DNS names: %v", cert.DNSNames)
-			sort.Strings(s.conf.dnsNames)
+			slices.Sort(s.conf.dnsNames)
 		} else {
 			s.conf.dnsNames = append(s.conf.dnsNames, cert.Subject.CommonName)
 			log.Debug("dnsforward: using certificate's CN as DNS name: %s", cert.Subject.CommonName)
@@ -539,16 +539,6 @@ func (s *Server) prepareTLS(proxyConfig *proxy.Config) (err error) {
 	return nil
 }
 
-// isInSorted returns true if s is in the sorted slice strs.
-func isInSorted(strs []string, s string) (ok bool) {
-	i := sort.SearchStrings(strs, s)
-	if i == len(strs) || strs[i] != s {
-		return false
-	}
-
-	return true
-}
-
 // isWildcard returns true if host is a wildcard hostname.
 func isWildcard(host string) (ok bool) {
 	return len(host) >= 2 && host[0] == '*' && host[1] == '.'
@@ -563,11 +553,12 @@ func matchesDomainWildcard(host, pat string) (ok bool) {
 // anyNameMatches returns true if sni, the client's SNI value, matches any of
 // the DNS names and patterns from certificate.  dnsNames must be sorted.
 func anyNameMatches(dnsNames []string, sni string) (ok bool) {
-	if netutil.ValidateDomainName(sni) != nil {
+	// Check sni is either a valid hostname or a valid IP address.
+	if netutil.ValidateHostname(sni) != nil && net.ParseIP(sni) == nil {
 		return false
 	}
 
-	if isInSorted(dnsNames, sni) {
+	if _, ok = slices.BinarySearch(dnsNames, sni); ok {
 		return true
 	}
 

internal/dnsforward/config_test.go

@@ -1,15 +1,15 @@
 package dnsforward
 
 import (
-	"sort"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"golang.org/x/exp/slices"
 )
 
 func TestAnyNameMatches(t *testing.T) {
 	dnsNames := []string{"host1", "*.host2", "1.2.3.4"}
-	sort.Strings(dnsNames)
+	slices.Sort(dnsNames)
 
 	testCases := []struct {
 		name    string
@@ -31,6 +31,10 @@ func TestAnyNameMatches(t *testing.T) {
 		name:    "match",
 		dnsName: "1.2.3.4",
 		want:    true,
+	}, {
+		name:    "mismatch_bad_ip",
+		dnsName: "1.2.3.256",
+		want:    false,
 	}, {
 		name:    "mismatch",
 		dnsName: "host2",

internal/dnsforward/dns.go

@@ -230,7 +230,7 @@ func (s *Server) onDHCPLeaseChanged(flags int) {
 	for _, l := range ll {
 		// TODO(a.garipov): Remove this after we're finished with the client
 		// hostname validations in the DHCP server code.
-		err := netutil.ValidateDomainName(l.Hostname)
+		err := netutil.ValidateHostname(l.Hostname)
 		if err != nil {
 			log.Debug("dnsforward: skipping invalid hostname %q from dhcp: %s", l.Hostname, err)
 
@@ -468,7 +468,7 @@ func (s *Server) processRestrictLocal(dctx *dnsContext) (rc resultCode) {
 			return resultCodeError
 		}
 
-		log.Debug("dnsforward: request is for a service domain")
+		log.Debug("dnsforward: request is not for arpa domain")
 
 		return resultCodeSuccess
 	}

internal/dnsforward/dnsforward_test.go

@@ -1171,7 +1171,8 @@ func TestNewServer(t *testing.T) {
 			LocalDomain: "!!!",
 		},
 		wantErrMsg: `local domain: bad domain name "!!!": ` +
-			`bad domain name label "!!!": bad domain name label rune '!'`,
+			`bad top-level domain name label "!!!": ` +
+			`bad top-level domain name label rune '!'`,
 	}}
 
 	for _, tc := range testCases {

internal/dnsforward/http_test.go

@@ -337,7 +337,8 @@ func TestValidateUpstreams(t *testing.T) {
 	}, {
 		name: "bad_domain",
 		wantErr: `bad upstream for domain "[/!/]8.8.8.8": domain at index 0: ` +
-			`bad domain name "!": bad domain name label "!": bad domain name label rune '!'`,
+			`bad domain name "!": bad top-level domain name label "!": ` +
+			`bad top-level domain name label rune '!'`,
 		set: []string{"[/!/]8.8.8.8"},
 	}}