added several external services

Author: randomlogin

cmd/sane/main.go

@@ -44,7 +44,7 @@ var (
 	hnsdPath           = flag.String("hnsd", os.Getenv("HNSD_PATH"), "path to hnsd executable, also may be set as environment variable HNSD_PATH")
 	hnsdCheckpointPath = flag.String("checkpoint", "", "path to hnsd checkpoint location, default ~/.hnsd")
 	resyncInterval     = flag.Duration("resync-interval", 24*time.Hour, "interval for roots resyncronization")
-	externalService    = flag.String("external-service", "", "uri to an external service providing SANE data")
+	externalService    = flag.String("external-service", "", "uri to an external service providing SANE data, can be a comma-separated list")
 )
 
 func getConfPath() string {
@@ -213,6 +213,8 @@ func main() {
 		return
 	}
 
+	services := strings.Split(*externalService, ",")
+
 	if *verbose {
 		log.SetFlags(log.LstdFlags | log.Lshortfile)
 		debuglog.Logger.Verbose = true
@@ -224,6 +226,9 @@ func main() {
 	if *hnsdCheckpointPath == "" {
 		home, _ := os.UserHomeDir() //above already fails if it doesn't exist
 		*hnsdCheckpointPath = path.Join(home, ".hnsd")
+		if err := os.MkdirAll(*hnsdCheckpointPath, 0777); err != nil {
+			log.Fatalf("error creating directory at %s : %s", *hnsdCheckpointPath, err)
+		}
 	}
 
 	sync.GetRoots(*hnsdPath, p, *hnsdCheckpointPath)
@@ -278,7 +283,7 @@ func main() {
 		SkipNameChecks:  *skipNameChecks,
 		Verbose:         *verbose,
 		RootsPath:       path.Join(p, "roots.json"),
-		ExternalService: *externalService,
+		ExternalService: services,
 	}
 	log.Printf("Listening on %s", *addr)
 	log.Fatal(c.Run(*addr))

prove/external.go

@@ -6,6 +6,9 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
+	"time"
+
+	"github.com/randomlogin/sane/debuglog"
 )
 
 type UrkelJson struct {
@@ -16,14 +19,37 @@ type DNSSECJson struct {
 	Dnssec string `json:"dnssec"`
 }
 
-var defaultURL = "https://sdaneproofs.htools.work/proofs/"
+var timeout = 1 * time.Second
 
-func fetchDNSSEC(domain, server string) ([]byte, error) {
+func fetchDNSSEC(domain string, externalServices []string) ([]byte, error) {
+	for _, link := range externalServices {
+		if result, err := fetchOneDNSSEC(domain, link); err == nil {
+			return result, nil
+		}
+		debuglog.Logger.Debugf("couldn't fetch dnssec data for domain %s from %s", domain, link)
+	}
+	return nil, fmt.Errorf("could not fetch any external services")
+}
+
+func fetchUrkel(domain string, externalServices []string) ([]byte, error) {
+	for _, link := range externalServices {
+		if result, err := fetchOneUrkel(domain, link); err == nil {
+			return result, nil
+		}
+		debuglog.Logger.Debugf("couldn't fetch urkel data for domain %s from %s", domain, link)
+	}
+	return nil, fmt.Errorf("could not fetch any external services")
+}
+
+func fetchOneDNSSEC(domain, server string) ([]byte, error) {
 	if !strings.HasSuffix(server, "/") {
 		server += "/"
 	}
 	url := server + domain + "?dnssec"
-	response, err := http.Get(url)
+	client := http.Client{
+		Timeout: timeout,
+	}
+	response, err := client.Get(url)
 	if err != nil {
 		return nil, fmt.Errorf("error making GET request: %s", err)
 	}
@@ -44,12 +70,16 @@ func fetchDNSSEC(domain, server string) ([]byte, error) {
 	return val, nil
 }
 
-func fetchUrkel(domain, server string) ([]byte, error) {
+func fetchOneUrkel(domain, server string) ([]byte, error) {
 	if !strings.HasSuffix(server, "/") {
 		server += "/"
 	}
 	url := server + domain + "?urkel"
-	response, err := http.Get(url)
+	client := http.Client{
+		Timeout: timeout,
+	}
+	response, err := client.Get(url)
+	// response, err := http.Get(url)
 	if err != nil {
 		return nil, fmt.Errorf("Error making GET request: %s", err)
 	}

prove/lazydane

@@ -80,24 +80,24 @@ func verifyUrkelExt(extensionValue []byte, domain string, roots []sync.BlockInfo
 		for _, block := range roots {
 			// found tree root among stored ones
 			if hexstr == block.TreeRoot {
-				debuglog.Logger.Debug("found tree root ", hexstr, " from the certificate in the stored roots")
+				debuglog.Logger.Debug("found tree root", hexstr, "from the certificate in the stored roots")
 				return nil
 			}
 		}
 		extensionValue = extensionValue[32+*length:]
-		debuglog.Logger.Debug("could not find tree root ", hexstr, " from the certificate in the stored roots")
+		debuglog.Logger.Debug("could not find tree root", hexstr, "from the certificate in the stored roots")
 	}
 	return fmt.Errorf("could not find tree root in the stored ones")
 }
 
 // extracts proof data from the certificate then verifies if the proof is correct
-func VerifyCertificateExtensions(roots []sync.BlockInfo, cert x509.Certificate, tlsa *dns.TLSA, externalService string) error {
+func VerifyCertificateExtensions(roots []sync.BlockInfo, cert x509.Certificate, tlsa *dns.TLSA, externalServices []string) error {
 	if len(cert.DNSNames) == 0 {
 		return fmt.Errorf("certificate has empty dns names")
 	}
 
 	for _, domain := range cert.DNSNames {
-		err := verifyDomain(domain, cert, roots, tlsa, externalService)
+		err := verifyDomain(domain, cert, roots, tlsa, externalServices)
 		if err == nil {
 			debuglog.Logger.Debug("successfully verified certificate extensions for the domain " + domain)
 			return nil
@@ -108,7 +108,7 @@ func VerifyCertificateExtensions(roots []sync.BlockInfo, cert x509.Certificate,
 }
 
 // verifyDomain is called to check every domain listed in the certificate
-func verifyDomain(domain string, cert x509.Certificate, roots []sync.BlockInfo, tlsa *dns.TLSA, externalService string) error {
+func verifyDomain(domain string, cert x509.Certificate, roots []sync.BlockInfo, tlsa *dns.TLSA, externalServices []string) error {
 	var foundUrkel, foundDnssec bool
 	var urkelExtension, dnssecExtension []byte
 	var UrkelVerificationError, DNSSECVerificationError error = errors.New("urkel tree proof extension not found"), errors.New("DNSSEC chain extension not found")
@@ -129,23 +129,24 @@ func verifyDomain(domain string, cert x509.Certificate, roots []sync.BlockInfo,
 	}
 
 	if !foundUrkel {
-		if externalService == "" {
+		if len(externalServices) == 0 {
 			return fmt.Errorf("certificate does not have urkel proof extension and external service is disabled")
 		}
-		urkelExtension, err = fetchUrkel(domain, externalService)
+		urkelExtension, err = fetchUrkel(domain, externalServices)
 		if err != nil {
-			debuglog.Logger.Debugf("failed to fetch DNSSEC data from %s for the domain %s: %s", externalService, domain, err)
+			debuglog.Logger.Debugf("failed to fetch DNSSEC data from %s for the domain %s: %s", externalServices, domain, err)
 			return err
 		}
 	}
 
 	if !foundDnssec {
-		if externalService == "" {
+		if len(externalServices) == 0 {
+			// if externalServices == []"" {
 			return fmt.Errorf("certificate does not have dnssec chain extension and external service is disabled")
 		}
-		dnssecExtension, err = fetchDNSSEC(domain, externalService)
+		dnssecExtension, err = fetchDNSSEC(domain, externalServices)
 		if err != nil {
-			debuglog.Logger.Debugf("failed to fetch DNSSEC data from %s for the domain %s: %s", externalService, domain, err)
+			debuglog.Logger.Debugf("failed to fetch DNSSEC data from %s for the domain %s: %s", externalServices, domain, err)
 			return err
 		}
 	}

prove/prove.go

@@ -22,10 +22,10 @@ func (t *tlsError) Error() string {
 }
 
 // newTLSConfig creates a new tls configuration capable of validating DANE.
-func newTLSConfig(host string, rrs []*dns.TLSA, nameCheck bool, roots []sync.BlockInfo, externalService string) *tls.Config {
+func newTLSConfig(host string, rrs []*dns.TLSA, nameCheck bool, roots []sync.BlockInfo, externalServices []string) *tls.Config {
 	return &tls.Config{
 		InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
-		VerifyConnection:   verifyConnection(rrs, nameCheck, host, roots, externalService),
+		VerifyConnection:   verifyConnection(rrs, nameCheck, host, roots, externalServices),
 		ServerName:         host,
 		MinVersion:         tls.VersionTLS12,
 		// Supported TLS 1.2 cipher suites
@@ -45,7 +45,7 @@ func newTLSConfig(host string, rrs []*dns.TLSA, nameCheck bool, roots []sync.Blo
 }
 
 // verifyConnection returns a function that verifies the given tls connection state using the host and rrs
-func verifyConnection(rrs []*dns.TLSA, nameCheck bool, host string, roots []sync.BlockInfo, externalService string) func(cs tls.ConnectionState) error {
+func verifyConnection(rrs []*dns.TLSA, nameCheck bool, host string, roots []sync.BlockInfo, externalServices []string) func(cs tls.ConnectionState) error {
 	return func(cs tls.ConnectionState) error {
 		// the host can be ignored per RFC 7671. Not Before, Not After are ignored as well.
 		// https://tools.ietf.org/html/rfc7671
@@ -63,7 +63,7 @@ func verifyConnection(rrs []*dns.TLSA, nameCheck bool, host string, roots []sync
 				continue
 			}
 			if err := t.Verify(cs.PeerCertificates[0]); err == nil {
-				if err := prove.VerifyCertificateExtensions(roots, *cert, t, externalService); err != nil {
+				if err := prove.VerifyCertificateExtensions(roots, *cert, t, externalServices); err != nil {
 					debuglog.Logger.Debug(err)
 					return err
 				}

tls.go

@@ -21,7 +21,7 @@ import (
 )
 
 var (
-	Version = "0.0.7"
+	Version = "0.0.9"
 )
 
 const (
@@ -37,7 +37,7 @@ type Config struct {
 	SkipNameChecks  bool
 	Verbose         bool
 	RootsPath       string
-	ExternalService string
+	ExternalService []string
 
 	// For handling relative urls/non-proxy requests
 	ContentHandler http.Handler
@@ -47,7 +47,7 @@ type tunneler struct {
 	mitm            *mitmConfig
 	dialer          *dialer
 	RootsPath       string
-	ExternalService string
+	ExternalService []string
 	nameChecks      bool
 	constraints     map[string]struct{}
 	logger
@@ -230,7 +230,7 @@ func httpError(w http.ResponseWriter, error string, code int) {
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.WriteHeader(code)
-	fmt.Fprintf(w, "<h1>%d %s</h1><p>%s</p><hr>letsdane/v%s",
+	fmt.Fprintf(w, "<h1>%d %s</h1><p>%s</p><hr>sane/v%s",
 		code, http.StatusText(code), html.EscapeString(error), Version)
 }