57 lines
1.6 KiB
Go
57 lines
1.6 KiB
Go
package checker
|
|
|
|
import (
|
|
"context"
|
|
|
|
sdk "git.happydns.org/checker-sdk-go/checker"
|
|
)
|
|
|
|
// handshakeOKRule reports whether the TLS handshake succeeded on every
|
|
// endpoint that has been probed. A failing handshake means DANE cannot be
|
|
// validated regardless of what TLSA records are published.
|
|
type handshakeOKRule struct{}
|
|
|
|
func (r *handshakeOKRule) Name() string { return "dane.handshake_ok" }
|
|
func (r *handshakeOKRule) Description() string {
|
|
return "Verifies the TLS handshake succeeds on every DANE endpoint so the presented chain can be compared to TLSA records."
|
|
}
|
|
|
|
func (r *handshakeOKRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
|
|
rc := loadRuleContext(ctx, obs)
|
|
if rc.err != nil {
|
|
return []sdk.CheckState{observationErrorState(rc.err)}
|
|
}
|
|
var out []sdk.CheckState
|
|
tested := 0
|
|
for _, t := range rc.data.Targets {
|
|
probe := rc.probes[t.Ref]
|
|
if probe == nil {
|
|
continue // covered by probeAvailableRule
|
|
}
|
|
tested++
|
|
if !probeUsable(probe) {
|
|
out = append(out, sdk.CheckState{
|
|
Status: sdk.StatusCrit,
|
|
Code: "dane_handshake_failed",
|
|
Subject: targetSubject(t),
|
|
Message: "TLS handshake failed, cannot validate DANE: " + probe.Error,
|
|
Meta: targetMeta(t),
|
|
})
|
|
}
|
|
}
|
|
if len(out) == 0 {
|
|
if tested == 0 {
|
|
return []sdk.CheckState{{
|
|
Status: sdk.StatusUnknown,
|
|
Code: "dane_handshake_ok_skipped",
|
|
Message: "No probed endpoint to evaluate (waiting for checker-tls).",
|
|
}}
|
|
}
|
|
return []sdk.CheckState{{
|
|
Status: sdk.StatusOK,
|
|
Code: "dane_handshake_ok",
|
|
Message: "TLS handshake succeeds on every probed endpoint.",
|
|
}}
|
|
}
|
|
return out
|
|
}
|