use provided port network for tlsa record query

hawell · Apr 28, 2021 · f36c629 · f36c629
1 parent c1408b8
commit f36c629
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 10 deletions.
diff --git a/dns.go b/dns.go
@@ -256,12 +256,11 @@ func (r *Resolver) queryAndVerify(qname string, qtype uint16, auth string, ns st
 	return queryResp, nil
 }
 
-func (r *Resolver) GetTLSA(qname string) ([]*dns.TLSA, error) {
-	originalQName := dns.Fqdn(qname)
-	if v, ok := r.tlsaRecords.Get(originalQName); ok {
+func (r *Resolver) GetTLSA(network string, qname string, port string) ([]*dns.TLSA, error) {
+	qname = "_" + port + "._" + network + "." + dns.Fqdn(qname)
+	if v, ok := r.tlsaRecords.Get(qname); ok {
 		return v.([]*dns.TLSA), nil
 	}
-	qname = "_443._tcp." + originalQName
 	auth := "."
 	ns := "m.root-servers.net."
 
@@ -312,7 +311,7 @@ func (r *Resolver) GetTLSA(qname string) ([]*dns.TLSA, error) {
 		}
 	}
 	if res != nil {
-		r.tlsaRecords.Set(originalQName, res, time.Duration(res[0].Hdr.Ttl)*time.Second)
+		r.tlsaRecords.Set(qname, res, time.Duration(res[0].Hdr.Ttl)*time.Second)
 	}
 	return res, nil
 }
diff --git a/example_test.go b/example_test.go
@@ -23,7 +23,7 @@ func Example() {
             conn, err := tls.DialWithDialer(dialer, network, addr, &tls.Config{
                 InsecureSkipVerify: true,
                 VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-                    return dane.VerifyPeerCertificate(addr, rawCerts, nil)
+                    return dane.VerifyPeerCertificate(network, addr, rawCerts, nil)
                 },
             })
             if err != nil {
@@ -34,7 +34,7 @@ func Example() {
     }
     client := http.Client{Transport: t}
 
-    resp, err := client.Get("https://getfedora.org")
+    resp, err := client.Get("https://www.fedoraproject.org")
     if err != nil {
         log.Fatal(err)
     }

diff --git a/tls.go b/tls.go
@@ -60,7 +60,7 @@ func hashCert(cert *x509.Certificate, selector uint8, hash uint8) (string, error
     return hex.EncodeToString(output), nil
 }
 
-func VerifyPeerCertificate(addr string, rawCerts [][]byte, roots *x509.CertPool) error {
+func VerifyPeerCertificate(network string, addr string, rawCerts [][]byte, roots *x509.CertPool) error {
     certs := make([]*x509.Certificate, len(rawCerts))
     for i, asn1Data := range rawCerts {
         cert, err := x509.ParseCertificate(asn1Data)
@@ -71,14 +71,14 @@ func VerifyPeerCertificate(addr string, rawCerts [][]byte, roots *x509.CertPool)
     }
 
     // FIXME: use correct port, network
-    host, _, err := net.SplitHostPort(addr)
+    host, port, err := net.SplitHostPort(addr)
     if err != nil {
         return err
     }
     if err := certs[0].VerifyHostname(host); err != nil {
         return err
     }
-    tlsaRecords, err := resolver.GetTLSA(dns.Fqdn(host))
+    tlsaRecords, err := resolver.GetTLSA(network, dns.Fqdn(host), port)
     if err != nil {
         return err
     }