diff --git a/go.mod b/go.mod index 466e7b00..20eca46d 100644 --- a/go.mod +++ b/go.mod @@ -1,5 +1,7 @@ module github.com/square/certigo +replace github.com/denisenkom/go-mssqldb => github.com/rgl/dump-sql-server-certificate-chain-go-mssqldb v0.0.0-20200817180720-ba140bec3a68 + require ( github.com/Masterminds/goutils v1.1.0 // indirect github.com/Masterminds/semver v1.4.2 // indirect @@ -7,6 +9,7 @@ require ( github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc // indirect github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf // indirect github.com/davecgh/go-spew v1.1.1 // indirect + github.com/denisenkom/go-mssqldb v0.0.0-00010101000000-000000000000 github.com/fatih/color v1.9.0 github.com/google/uuid v1.0.0 // indirect github.com/huandu/xstrings v1.2.0 // indirect @@ -15,9 +18,10 @@ require ( github.com/mitchellh/copystructure v1.0.0 // indirect github.com/mwitkow/go-http-dialer v0.0.0-20161116154839-378f744fb2b8 github.com/stretchr/testify v1.6.1 - golang.org/x/crypto v0.0.0-20181015023909-0c41d7ab0a0e + golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c gopkg.in/alecthomas/kingpin.v2 v2.2.6 gopkg.in/asn1-ber.v1 v1.0.0-20170511165959-379148ca0225 + gopkg.in/yaml.v2 v2.3.0 // indirect ) go 1.13 diff --git a/go.sum b/go.sum index b308f385..f072ed65 100644 --- a/go.sum +++ b/go.sum @@ -13,6 +13,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= +github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/huandu/xstrings v1.2.0 h1:yPeWdRnmynF7p+lLYz0H2tthW9lqhMJrQV/U7yy4wX0= @@ -37,16 +39,15 @@ github.com/mwitkow/go-http-dialer v0.0.0-20161116154839-378f744fb2b8 h1:BhQQWYKJ github.com/mwitkow/go-http-dialer v0.0.0-20161116154839-378f744fb2b8/go.mod h1:ntWhh7pzdiiRKBMxUB5iG+Q2gmZBxGxpX1KyK6N8kX8= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rgl/dump-sql-server-certificate-chain-go-mssqldb v0.0.0-20200817180720-ba140bec3a68 h1:367KwCmYa0P2+9uIQxRgFzuwOcm+HsOd2n5KhZtIoRg= +github.com/rgl/dump-sql-server-certificate-chain-go-mssqldb v0.0.0-20200817180720-ba140bec3a68/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.6.0 h1:jlIyCplCJFULU/01vCkhKuTyc3OorI3bJFuw6obfgho= -github.com/stretchr/testify v1.6.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -golang.org/x/crypto v0.0.0-20181015023909-0c41d7ab0a0e h1:IzypfodbhbnViNUO/MEh0FzCUooG97cIGfdggUrUSyU= -golang.org/x/crypto v0.0.0-20181015023909-0c41d7ab0a0e/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c h1:Vj5n4GlwjmQteupaxJ9+0FNOmBrHfq7vN4btdGoDZgI= +golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223 h1:DH4skfRX4EBpamg7iV4ZlCpblAHI6s6TDM39bFZumv8= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:YyJpGZS1sBuBCzLAR1VEpK193GlqGZbnPFnPV/5Rsb4= @@ -61,7 +62,7 @@ gopkg.in/asn1-ber.v1 v1.0.0-20170511165959-379148ca0225 h1:JBwmEvLfCqgPcIq8MjVMQ gopkg.in/asn1-ber.v1 v1.0.0-20170511165959-379148ca0225/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/starttls/mssql.go b/starttls/mssql.go new file mode 100644 index 00000000..1754b7d2 --- /dev/null +++ b/starttls/mssql.go @@ -0,0 +1,43 @@ +package starttls + +import ( + "crypto/tls" + "database/sql" + "net" + + mssql "github.com/denisenkom/go-mssqldb" +) + +func mssqlDumpTLS(connectionString string, tlsConfig *tls.Config) (*tls.ConnectionState, error) { + var tlsConn *tls.Conn + + connector, err := mssql.NewConnector(connectionString) + if err != nil { + return nil, err + } + + connector.NewTLSConn = func(conn net.Conn, config *tls.Config) *tls.Conn { + // NB we must copy the tls config settings required for the tls + // connection to work over the mssql tds connection. + // see https://github.com/denisenkom/go-mssqldb/blob/0f454e2ecd6ad8fb4691cdbf10e399e05ca03784/tds.go#L928-L933 + tlsConfig.DynamicRecordSizingDisabled = config.DynamicRecordSizingDisabled + + tlsConn = tls.Client(conn, tlsConfig) + + return tlsConn + } + + db := sql.OpenDB(connector) + defer db.Close() + + // NB this is expected to fail with "invalid login" class of errors, + // so if we have a tlsConn, we ignore any error. + err = db.Ping() + if tlsConn == nil && err != nil { + return nil, err + } + + state := tlsConn.ConnectionState() + + return &state, nil +} diff --git a/starttls/starttls.go b/starttls/starttls.go index fa49b511..b664fb2f 100644 --- a/starttls/starttls.go +++ b/starttls/starttls.go @@ -33,7 +33,7 @@ import ( ) // Protocols are the names of supported protocols -var Protocols = []string{"mysql", "postgres", "psql", "smtp", "ldap", "ftp", "imap"} +var Protocols = []string{"mssql", "mysql", "postgres", "psql", "smtp", "ldap", "ftp", "imap"} type connectResult struct { state *tls.ConnectionState @@ -107,9 +107,9 @@ func withDefaultPort(addr string, portN uint16) string { } // GetConnectionState connects to a TLS server, returning the connection state. -// Currently, startTLSType can be one of "mysql", "postgres" or "psql", or the -// empty string, which does a normal TLS connection. connectTo specifies the -// address to connect to. connectName sets SNI. identity sets DB username, +// Currently, startTLSType can be one of "mssql", "mysql", "postgres" or "psql", +// or the empty string, which does a normal TLS connection. connectTo specifies +// the address to connect to. connectName sets SNI. identity sets DB username, // SMTP EHLO. connectCert and connectKey are client cert/key. func GetConnectionState(startTLSType, connectName, connectTo, identity, clientCert, clientKey string, connectProxy *url.URL, timeout time.Duration) (*tls.ConnectionState, *tls.CertificateRequestInfo, error) { var err error @@ -178,6 +178,20 @@ func GetConnectionState(startTLSType, connectName, connectTo, identity, clientCe return } res <- connectResult{state, nil} + case "mssql": + server, port, err := net.SplitHostPort(withDefaultPort(connectTo, 1433)) + connectionString := fmt.Sprintf( + "Server=%s; Port=%s; Encrypt=true; Dial Timeout=%d; Connection Timeout=%d; App Name=certigo;", + server, + port, + timeout/time.Second, + timeout/time.Second) + state, err = mssqlDumpTLS(connectionString, tlsConfig) + if err != nil { + res <- connectResult{nil, err} + return + } + res <- connectResult{state, nil} case "mysql": mysql.RegisterTLSConfig("certigo", tlsConfig) addr := withDefaultPort(connectTo, 3306)