Initial commit

checker/rules_handshake.go

@@ -0,0 +1,57 @@
+package checker
+
+import (
+	"context"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// handshakeOKRule reports whether the TLS handshake succeeded on every
+// endpoint that has been probed. A failing handshake means DANE cannot be
+// validated regardless of what TLSA records are published.
+type handshakeOKRule struct{}
+
+func (r *handshakeOKRule) Name() string { return "dane.handshake_ok" }
+func (r *handshakeOKRule) Description() string {
+	return "Verifies the TLS handshake succeeds on every DANE endpoint so the presented chain can be compared to TLSA records."
+}
+
+func (r *handshakeOKRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	rc := loadRuleContext(ctx, obs)
+	if rc.err != nil {
+		return []sdk.CheckState{observationErrorState(rc.err)}
+	}
+	var out []sdk.CheckState
+	tested := 0
+	for _, t := range rc.data.Targets {
+		probe := rc.probes[t.Ref]
+		if probe == nil {
+			continue // covered by probeAvailableRule
+		}
+		tested++
+		if !probeUsable(probe) {
+			out = append(out, sdk.CheckState{
+				Status:  sdk.StatusCrit,
+				Code:    "dane_handshake_failed",
+				Subject: targetSubject(t),
+				Message: "TLS handshake failed, cannot validate DANE: " + probe.Error,
+				Meta:    targetMeta(t),
+			})
+		}
+	}
+	if len(out) == 0 {
+		if tested == 0 {
+			return []sdk.CheckState{{
+				Status:  sdk.StatusUnknown,
+				Code:    "dane_handshake_ok_skipped",
+				Message: "No probed endpoint to evaluate (waiting for checker-tls).",
+			}}
+		}
+		return []sdk.CheckState{{
+			Status:  sdk.StatusOK,
+			Code:    "dane_handshake_ok",
+			Message: "TLS handshake succeeds on every probed endpoint.",
+		}}
+	}
+	return out
+}