Constants
// DoH provider endpoints (DNS-over-HTTPS query URLs).
const (
	// Quad9Provider is the Quad9 DoH endpoint on the default HTTPS port.
	Quad9Provider = "https://dns11.quad9.net/dns-query"
	// Quad9PortProvider is the Quad9 DoH endpoint on port 5053.
	Quad9PortProvider = "https://dns11.quad9.net:5053/dns-query"
	// GoogleProvider is the Google Public DNS DoH endpoint.
	GoogleProvider = "https://dns.google/dns-query"
)
// TLSReportURI is the address where TLS reports should be sent.
const TLSReportURI = "https://reports.proton.me/reports/tls"
TLSReportURI is the address where TLS reports should be sent.
Variables
// DoHProviders lists the known DoH provider endpoints.
var DoHProviders = []string{
	Quad9Provider,
	Quad9PortProvider,
	GoogleProvider,
}
// ErrNoConnection is a sentinel error ("no connection"); compare with errors.Is.
var ErrNoConnection = errors.New("no connection")
// ErrTLSMismatch is a sentinel error indicating that no TLS fingerprint match
// could be found; compare with errors.Is.
var ErrTLSMismatch = errors.New("no TLS fingerprint match found")
ErrTLSMismatch indicates that no TLS fingerprint match could be found.
// TrustedAPIPins holds the trusted public-key pins of the protonmail API and
// proxies, each in pin-sha256="<base64>" form.
var TrustedAPIPins = []string{
`pin-sha256="drtmcR2kFkM8qJClsuWgUzxgBkePfRCkRpqUesyDmeE="`,
`pin-sha256="YRGlaY0jyJ4Jw2/4M8FIftwbDIQfh8Sdro96CeEel54="`,
`pin-sha256="AfMENBVvOS8MnISprtvyPsjKlPooqh8nMB/pvCrpJpw="`,
`pin-sha256="8joiNBdqaYiQpKskgtkJsqRxF7zN0C0aqfi8DacknnI="`,
`pin-sha256="JMI8yrbc6jB1FYGyyWRLFTmDNgIszrNEMGlgy972e7w="`,
`pin-sha256="Iu44zU84EOCZ9vx/vz67/MRVrxF1IO4i4NIa8ETwiIY="`,
`pin-sha256="CT56BhOTmj5ZIPgb/xD5mH8rY3BLo/MlhP7oPyJUEDo="`,
`pin-sha256="35Dx28/uzN3LeltkCBQ8RHK0tlNSa2kCpCRGNp34Gxc="`,
`pin-sha256="qYIukVc63DEITct8sFT7ebIq5qsWmuscaIKeJx+5J5A="`,
`pin-sha256="EU6TS9MO0L/GsDHvVc9D5fChYLNy5JdGYpJw0ccgetM="`,
`pin-sha256="iKPIHPnDNqdkvOnTClQ8zQAIKG0XavaPkcEo0LBAABA="`,
`pin-sha256="MSlVrBCdL0hKyczvgYVSRNm88RicyY04Q2y5qrBt0xA="`,
`pin-sha256="C2UxW0T1Ckl9s+8cXfjXxlEqwAfPM4HiW2y3UdtBeCw="`,
}
TrustedAPIPins contains the trusted public-key pins of the protonmail API and proxies. NOTE: the proxy pins are the same for all proxy servers, guaranteed by infra team ;).
Functions
func CreateTransportWithDialer ¶
CreateTransportWithDialer creates an http.Transport that uses the given dialer to make TLS connections.
func SetBasicTransportTimeouts (added in v3.10.0)
Types
type BasicTLSDialer ¶
// BasicTLSDialer implements TLSDialer.
type BasicTLSDialer struct {
// contains filtered or unexported fields
}
BasicTLSDialer implements TLSDialer.
func NewBasicTLSDialer ¶
func NewBasicTLSDialer(hostURL string) *BasicTLSDialer
NewBasicTLSDialer returns a new BasicTLSDialer.
func (*BasicTLSDialer) DialTLSContext ¶
func (d *BasicTLSDialer) DialTLSContext(ctx context.Context, network, address string) (conn net.Conn, err error)
DialTLSContext returns a connection to the given address using the given network.
func (*BasicTLSDialer) ShouldSkipCertificateChainVerification (added in v3.21.2)
func (d *BasicTLSDialer) ShouldSkipCertificateChainVerification(address string) bool
ShouldSkipCertificateChainVerification reports whether certificate chain verification should be skipped for the given address. It compares the domain of the requested address with the domain of the configured host URL, and returns true (skip verification) when the domains differ and false (perform verification) when they match.
NOTE: the domain comparison assumes single-part TLDs (.com, .me) and will not handle multi-part TLDs (for example .co.uk) correctly.
type PinChecker ¶
// PinChecker is used to check TLS keys of connections.
type PinChecker interface {
// CheckCertificate checks the TLS keys presented on conn and returns an error
// on mismatch. The flag presumably reports whether certificate chain
// verification was skipped for this connection (see
// ShouldSkipCertificateChainVerification) — confirm against the implementation.
CheckCertificate(conn net.Conn, certificateChainVerificationSkipped bool) error
}
PinChecker is used to check TLS keys of connections.
type PinningTLSDialer ¶
// PinningTLSDialer wraps a TLSDialer to check fingerprints after connecting
// and to report errors if the fingerprint check fails.
type PinningTLSDialer struct {
// contains filtered or unexported fields
}
PinningTLSDialer wraps a TLSDialer to check fingerprints after connecting and to report errors if the fingerprint check fails.
func NewPinningTLSDialer ¶
func NewPinningTLSDialer(dialer SecureTLSDialer, reporter Reporter, pinChecker PinChecker) *PinningTLSDialer
NewPinningTLSDialer constructs a new dialer which only returns TCP connections to servers which present known certificates. It checks pins using the given pinChecker and reports issues using the given reporter.
func (*PinningTLSDialer) DialTLSContext ¶
func (p *PinningTLSDialer) DialTLSContext(ctx context.Context, network, address string) (net.Conn, error)
DialTLSContext dials the given network/address, returning an error if the certificates don't match the trusted pins.
func (*PinningTLSDialer) GetTLSIssueCh ¶
func (p *PinningTLSDialer) GetTLSIssueCh() <-chan struct{}
GetTLSIssueCh returns a channel which notifies when a TLS issue is reported.
type ProxyTLSDialer ¶
// ProxyTLSDialer wraps a TLSDialer to switch to a proxy if the initial dial
// fails (see AllowProxy and DisallowProxy).
type ProxyTLSDialer struct {
// contains filtered or unexported fields
}
ProxyTLSDialer wraps a TLSDialer to switch to a proxy if the initial dial fails.
func NewProxyTLSDialer ¶
func NewProxyTLSDialer(dialer TLSDialer, hostURL string, panicHandler async.PanicHandler) *ProxyTLSDialer
NewProxyTLSDialer constructs a dialer which provides a proxy-managing layer on top of an underlying dialer.
func (*ProxyTLSDialer) AllowProxy ¶
func (d *ProxyTLSDialer) AllowProxy()
AllowProxy allows the dialer to switch to a proxy if need be.
func (*ProxyTLSDialer) DialTLSContext ¶
func (d *ProxyTLSDialer) DialTLSContext(ctx context.Context, network, address string) (net.Conn, error)
DialTLSContext dials the given network/address. If the dial fails, it retries using a proxy (see AllowProxy and DisallowProxy).
func (*ProxyTLSDialer) DisallowProxy ¶
func (d *ProxyTLSDialer) DisallowProxy()
DisallowProxy prevents the dialer from switching to a proxy if need be.
type Reporter ¶
// Reporter is used to report TLS issues.
type Reporter interface {
// ReportCertIssue reports a TLS issue observed on the connection to host:port,
// sending the report to reportURI together with the connection state.
ReportCertIssue(reportURI, host, port string, state tls.ConnectionState)
}
Reporter is used to report TLS issues.
type SecureTLSDialer (added in v3.21.2)
type TLSPinChecker ¶
// TLSPinChecker implements PinChecker using a list of trusted pins
// (see NewTLSPinChecker).
type TLSPinChecker struct {
// contains filtered or unexported fields
}
func NewTLSPinChecker ¶
func NewTLSPinChecker(trustedPins []string) *TLSPinChecker
func (*TLSPinChecker) CheckCertificate ¶
func (p *TLSPinChecker) CheckCertificate(conn net.Conn, certificateChainVerificationSkipped bool) error
CheckCertificate verifies that the connection presents a known pinned leaf TLS certificate.
type TLSReporter ¶
// TLSReporter implements Reporter; it reports TLS key mismatches
// (see NewTLSReporter and ReportCertIssue).
type TLSReporter struct {
// contains filtered or unexported fields
}
func NewTLSReporter ¶
func NewTLSReporter(hostURL, appVersion string, userAgent *useragent.UserAgent, trustedPins []string) *TLSReporter
func (*TLSReporter) ReportCertIssue ¶
func (r *TLSReporter) ReportCertIssue(remoteURI, host, port string, connState tls.ConnectionState)
ReportCertIssue reports a TLS key mismatch.