diff --git a/README.md b/README.md index 1f10fac..63bf4cb 100644 --- a/README.md +++ b/README.md @@ -1,18 +1,19 @@ # dane + Go library for DANE TLSA authentication -### Pre-requisites +## Pre-requisites * Go * Go dns package from https://github.com/miekg/dns -### Documentation +## Documentation Formatted documentation for this module can be found at: https://pkg.go.dev/github.com/shuque/dane?tab=doc -### Description +## Description Package dane provides a set of functions to perform DANE authentication of a TLS server, with fall back to PKIX authentication if no DANE TLSA @@ -74,12 +75,11 @@ will return a working TLS connection handle even if server authentication fails (rather than an error), but will populate the dane.Config's DiagError member with the appropriate error instead. - -### Example code +## Example code The basic steps in summary form are: -``` +```go import ( ... "github.com/shuque/dane" @@ -94,24 +94,24 @@ tlsa, err := dane.GetTLSA(resolver, hostname, port) iplist, err := dane.GetAddresses(resolver, hostname, true) for _, ip := range iplist { - daneconfig := dane.NewConfig(hostname, ip, 443) - daneconfig.SetTLSA(tlsa) - conn, err := dane.DialTLS(daneconfig) - if err != nil { - fmt.Printf("Result: FAILED: %s\n", err.Error()) - continue - } - if daneconfig.Okdane { - fmt.Printf("Result: DANE OK\n") - } else if daneconfig.Okpkix { - fmt.Printf("Result: PKIX OK\n") - } else { - fmt.Printf("Result: FAILED\n") - } - // - // do some stuff with the obtained TLS connection here - // - conn.Close() + daneconfig := dane.NewConfig(hostname, ip, 443) + daneconfig.SetTLSA(tlsa) + conn, err := dane.DialTLS(daneconfig) + if err != nil { + fmt.Printf("Result: FAILED: %s\n", err.Error()) + continue + } + if daneconfig.Okdane { + fmt.Printf("Result: DANE OK\n") + } else if daneconfig.Okpkix { + fmt.Printf("Result: PKIX OK\n") + } else { + fmt.Printf("Result: FAILED\n") + } + // + // do some stuff with the obtained TLS connection here + // + conn.Close() } ``` diff --git a/byname.go b/byname.go index 4a43914..aacc38f 100644 --- a/byname.go +++ b/byname.go @@ -8,9 +8,7 @@ import ( "time" ) -// // Response - response information -// type Response struct { config *Config conn *tls.Conn @@ -23,7 +21,6 @@ var IPv6Headstart = 25 * time.Millisecond // Maximum number of parallel connections attempted var MaxParallelConnections = 30 -// // ConnectByName takes a hostname and port, resolves the addresses for // the hostname (IPv6 followed by IPv4), and then attempts to connect to // them and establish TLS using DANE or PKIX authentication - DANE is @@ -33,7 +30,6 @@ var MaxParallelConnections = 30 // // Uses a default DANE configuration. For a custom DANE configuration, // use the DialTLS or DialStartTLS functions instead. -// func ConnectByName(hostname string, port int) (*tls.Conn, *Config, error) { var conn *tls.Conn @@ -74,10 +70,8 @@ func ConnectByName(hostname string, port int) (*tls.Conn, *Config, error) { hostname) } -// // ConnectByNameAsyncBase. Should not be called directly. Instead call // either ConnectByNameAsync or ConnectByNameAsync2 -// func ConnectByNameAsyncBase(hostname string, port int, pkixfallback bool) (*tls.Conn, *Config, error) { var conn *tls.Conn @@ -149,23 +143,19 @@ func ConnectByNameAsyncBase(hostname string, port int, pkixfallback bool) (*tls. hostname) } -// // ConnectByNameAsync is an async version of ConnectByName that tries // to connect to all server addresses in parallel, and returns the first // successful connection. IPv4 connections are intentionally delayed by // an IPv6HeadStart amount of time. Performs DANE authentication with // fallback to PKIX if no secure TLSA records are found. -// func ConnectByNameAsync(hostname string, port int) (*tls.Conn, *Config, error) { return ConnectByNameAsyncBase(hostname, port, true) } -// // ConnectByNameAsync2 is the same as ConnectByNameAsync, but supports // an additional argument to specify whether PKIX fallback should be performed. // By setting that argument to false, we can require DANE only authentication. -// func ConnectByNameAsync2(hostname string, port int, pkixfallback bool) (*tls.Conn, *Config, error) { return ConnectByNameAsyncBase(hostname, port, pkixfallback) diff --git a/dns.go b/dns.go index c5aee93..63fabf5 100644 --- a/dns.go +++ b/dns.go @@ -8,19 +8,15 @@ import ( "github.com/miekg/dns" ) -// // Query contains parameters of a DNS query: name, type, and class. -// type Query struct { Name string Type uint16 Class uint16 } -// // NewQuery returns an initialized Query structure from the given query // parameters. -// func NewQuery(qname string, qtype uint16, qclass uint16) *Query { q := new(Query) q.Name = dns.Fqdn(qname) @@ -29,10 +25,8 @@ func NewQuery(qname string, qtype uint16, qclass uint16) *Query { return q } -// // MakeQuery constructs a DNS query message (*dns.Msg) from the given // query and resolver parameters. -// func makeQueryMessage(query *Query, resolver *Resolver) *dns.Msg { m := new(dns.Msg) @@ -47,10 +41,8 @@ func makeQueryMessage(query *Query, resolver *Resolver) *dns.Msg { return m } -// // SendQueryUDP sends a DNS query via UDP with timeout and retries if // necessary. -// func sendQueryUDP(query *Query, resolver *Resolver) (*dns.Msg, error) { var response *dns.Msg @@ -79,9 +71,7 @@ func sendQueryUDP(query *Query, resolver *Resolver) (*dns.Msg, error) { return nil, err } -// // SendQueryTCP sends a DNS query via TCP. -// func sendQueryTCP(query *Query, resolver *Resolver) (*dns.Msg, error) { var response *dns.Msg @@ -103,9 +93,7 @@ func sendQueryTCP(query *Query, resolver *Resolver) (*dns.Msg, error) { } -// // SendQuery sends a DNS query via UDP with fallback to TCP upon truncation. -// func sendQuery(query *Query, resolver *Resolver) (*dns.Msg, error) { var response *dns.Msg @@ -126,10 +114,8 @@ func sendQuery(query *Query, resolver *Resolver) (*dns.Msg, error) { return response, err } -// // responseOK determines whether we have an authoritative response in // the given DNS message (NOERROR or NXDOMAIN). -// func responseOK(response *dns.Msg) bool { switch response.MsgHdr.Rcode { @@ -140,9 +126,7 @@ func responseOK(response *dns.Msg) bool { } } -// // GetAddresses obtains a list of IPv4 and IPv6 addresses for given hostname. -// func GetAddresses(resolver *Resolver, hostname string, secure bool) ([]net.IP, error) { var ipList []net.IP @@ -187,12 +171,10 @@ func GetAddresses(resolver *Resolver, hostname string, secure bool) ([]net.IP, e return ipList, nil } -// // Message2TSLAinfo returns a populated TLSAinfo structure from the // contents of a given dns message that contains a response to a // TLSA query. The qname parameter provides the expected TLSA query // name string. -// func Message2TSLAinfo(qname string, message *dns.Msg) *TLSAinfo { var tr *TLSArdata @@ -216,10 +198,8 @@ func Message2TSLAinfo(qname string, message *dns.Msg) *TLSAinfo { return tlsa } -// // GetTLSA returns the DNS TLSA RRset information for the given hostname, // port and resolver parameters. -// func GetTLSA(resolver *Resolver, hostname string, port int) (*TLSAinfo, error) { var q *Query diff --git a/go.mod b/go.mod index c4f766e..194962a 100644 --- a/go.mod +++ b/go.mod @@ -2,11 +2,12 @@ module github.com/shuque/dane go 1.18 -require github.com/miekg/dns v1.1.55 +require github.com/miekg/dns v1.1.61 require ( - golang.org/x/mod v0.12.0 // indirect - golang.org/x/net v0.12.0 // indirect - golang.org/x/sys v0.10.0 // indirect - golang.org/x/tools v0.11.0 // indirect + golang.org/x/mod v0.19.0 // indirect + golang.org/x/net v0.27.0 // indirect + golang.org/x/sync v0.7.0 // indirect + golang.org/x/sys v0.22.0 // indirect + golang.org/x/tools v0.23.0 // indirect ) diff --git a/go.sum b/go.sum index 78c1cab..0c4fc56 100644 --- a/go.sum +++ b/go.sum @@ -1,11 +1,23 @@ github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo= github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY= +github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs= +github.com/miekg/dns v1.1.61/go.mod h1:mnAarhS3nWaW+NVP2wTkYVIZyHNJ098SJZUki3eykwQ= golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= +golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= +golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/tools v0.11.0 h1:EMCa6U9S2LtZXLAMoWiR/R8dAQFRqbAitmbJ2UKhoi8= golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8= +golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= +golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= diff --git a/http.go b/http.go index f6cc9a9..b301a5f 100644 --- a/http.go +++ b/http.go @@ -8,12 +8,10 @@ import ( "strings" ) -// // GetHttpClient returns a net/http Client structure configured to perform // DANE TLS authentication of the HTTPS server. If the argument pkixfallback // is set to true, then PKIX authentication will be attempted if the server // does not have any published secure DANE TLSA records. -// func GetHttpClient(pkixfallback bool) http.Client { t := &http.Transport{ diff --git a/http_test.go b/http_test.go index 820f118..50f8226 100644 --- a/http_test.go +++ b/http_test.go @@ -8,7 +8,7 @@ package dane import ( "fmt" - "io/ioutil" + "io" "net/http" "testing" ) @@ -35,7 +35,7 @@ func TestGetHttpClient(t *testing.T) { defer response.Body.Close() } - body, err := ioutil.ReadAll(response.Body) + body, err := io.ReadAll(response.Body) if err != nil { t.Fatalf("Reading HTTP response body: %s\n", err.Error()) } diff --git a/tls.go b/tls.go index b913364..5cfecfe 100644 --- a/tls.go +++ b/tls.go @@ -47,7 +47,7 @@ func verifyChain(certs []*x509.Certificate, config *tls.Config, // Config data structure that performs DANE and PKIX authentication of // the server certificate as appropriate. func verifyServer(rawCerts [][]byte, - verifiedChains [][]*x509.Certificate, + _ [][]*x509.Certificate, tlsconfig *tls.Config, daneconfig *Config) error { var err error