🐛 detect if tls is enabled (#5531)

The `tls` resource is part of multiple core providers, it requires a `socket`
to know the host, port and protocol, many fields of this resource require
that the server (configured in the socket) speaks TLS and not plain text
(like HTTP), therefore this change makes it so that we only detect once if
the socket is running on TLS or not. If not, we return null properly to
indicate that there are no certificates, if it does, then we collect TLS
information.

Additionally, I am setting a default timeout of one minute to dial to the
socket compared to what was before (unlimited=no timeout).

Finally, if the TLS tester returns a timeout, we don't error the detection
but instead, we set the fields as null.

Signed-off-by: Salim Afiune Maya <afiune@mondoo.com>

Author: afiune

providers/network/resources/socket.go

@@ -3,8 +3,11 @@
 
 package resources
 
-import "strconv"
+import (
+	"net"
+	"strconv"
+)
 
 func (s *mqlSocket) id() (string, error) {
-	return s.Protocol.Data + "://" + s.Address.Data + ":" + strconv.Itoa(int(s.Port.Data)), nil
+	return s.Protocol.Data + "://" + net.JoinHostPort(s.Address.Data, strconv.Itoa(int(s.Port.Data))), nil
 }

providers/network/resources/tls.go

@@ -13,8 +13,10 @@ import (
 	"time"
 
 	"github.com/cockroachdb/errors"
+	"github.com/rs/zerolog/log"
 	"go.mondoo.com/cnquery/v11/llx"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/plugin"
+	"go.mondoo.com/cnquery/v11/providers-sdk/v1/util/convert"
 	"go.mondoo.com/cnquery/v11/providers/core/resources/regex"
 	"go.mondoo.com/cnquery/v11/providers/network/connection"
 	"go.mondoo.com/cnquery/v11/providers/network/resources/certificates"
@@ -26,6 +28,8 @@ var reTarget = regexp.MustCompile("([^/:]+?)(:\\d+)?$")
 
 var rexUrlDomain = regexp.MustCompile(regex.UrlDomain)
 
+var DefaultDialerTimeout = time.Minute * 1
+
 // Returns the connection's port adjusted for TLS.
 // If no port is set, we estimate what it might be from the scheme.
 // If that doesn't help, we set it to 443.
@@ -108,7 +112,15 @@ func initTls(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]
 }
 
 type mqlTlsInternal struct {
+	// This mutex is used to protect the tls resource from doing multiple dections at once
 	lock sync.Mutex
+	// we only detect once if the a socket is running on TLS or not, once the detection runs,
+	// this boolean gets set and tells other functions if the socket has tls enabled or not
+	tlsEnabled *bool
+	// if the socket has TLS enabled, this tester will have findings, ciphers and versions
+	tester *tlsshake.Tester
+	// during TLS detection, if we find any issue, we record it here
+	Error error
 }
 
 func (s *mqlTls) id() (string, error) {
@@ -185,24 +197,20 @@ func parseCertificates(runtime *plugin.Runtime, domainName string, certificateLi
 }
 
 func (s *mqlTls) params(socket *mqlSocket, domainName string) (map[string]interface{}, error) {
-	s.lock.Lock()
-	defer s.lock.Unlock()
-
-	host := socket.Address.Data
-	port := socket.Port.Data
-	proto := socket.Protocol.Data
-
-	tester := tlsshake.New(proto, domainName, host, int(port))
-	if err := tester.Test(tlsshake.DefaultScanConfig()); err != nil {
-		if errors.Is(err, tlsshake.ErrFailedToConnect) || errors.Is(err, tlsshake.ErrFailedToTlsResponse) {
-			s.Params.State = plugin.StateIsSet | plugin.StateIsNull
-			return nil, nil
-		}
+	enabled, err := s.TLSEnabled(socket, domainName)
+	if err != nil {
 		return nil, err
 	}
 
+	if !enabled {
+		return nil, nil
+	}
+
+	s.lock.Lock()
+	defer s.lock.Unlock()
+
 	res := map[string]interface{}{}
-	findings := tester.Findings
+	findings := s.tester.Findings
 
 	lists := map[string][]string{
 		"errors": findings.Errors,
@@ -303,9 +311,16 @@ func (s *mqlTls) extensions(params interface{}) ([]interface{}, error) {
 	return res, nil
 }
 
-func gatherTlsCertificates(host, port, domainName string) ([]*x509.Certificate, []*x509.Certificate, error) {
+func gatherTlsCertificates(proto, host, port, domainName string) ([]*x509.Certificate, []*x509.Certificate, error) {
 	isSNIcert := map[string]struct{}{}
-	conn, err := tls.Dial("tcp", net.JoinHostPort(host, port), &tls.Config{
+	dialer := &net.Dialer{Timeout: DefaultDialerTimeout}
+	addr := net.JoinHostPort(host, port)
+	log.Trace().
+		Str("address", addr).
+		Str("domain_name", domainName).
+		Dur("timeout", DefaultDialerTimeout).
+		Msg("network.tls> gathering tls certificates")
+	conn, err := tls.DialWithDialer(dialer, proto, addr, &tls.Config{
 		InsecureSkipVerify: true,
 		ServerName:         domainName,
 	})
@@ -321,7 +336,7 @@ func gatherTlsCertificates(host, port, domainName string) ([]*x509.Certificate,
 	}
 
 	nonSniCerts := []*x509.Certificate{}
-	nonSniConn, err := tls.Dial("tcp", net.JoinHostPort(host, port), &tls.Config{
+	nonSniConn, err := tls.DialWithDialer(dialer, proto, addr, &tls.Config{
 		InsecureSkipVerify: true,
 	})
 	if err != nil {
@@ -338,11 +353,93 @@ func gatherTlsCertificates(host, port, domainName string) ([]*x509.Certificate,
 	return sniCerts, nonSniCerts, nil
 }
 
+// we should only detect once if the socket is running on TLS or not, if we have already detected it and, it
+// is NOT a TLS connection, we should exit fast.
+//
+// NOTE that this method should be called by functions once they have locked the Mutex inside `mqlTlsInternal`
+func (s *mqlTls) unsafeTLSTest(socket *mqlSocket, domainName string) error {
+	if s.tlsEnabled != nil {
+		return s.Error
+	}
+
+	host := socket.Address.Data
+	port := socket.Port.Data
+	proto := socket.Protocol.Data
+
+	s.tester = tlsshake.New(proto, domainName, host, int(port))
+	if err := s.tester.Test(tlsshake.DefaultScanConfig()); err != nil {
+
+		log.Debug().
+			Str("host", host).
+			Str("proto", proto).
+			Int64("port", port).
+			Interface("findings", s.tester.Findings).
+			Bool("tls_enabled", false).
+			Msg("network.tls> detection")
+		s.tlsEnabled = convert.ToPtr(false)
+
+		if errors.Is(err, tlsshake.ErrFailedToConnect) ||
+			errors.Is(err, tlsshake.ErrFailedToWrite) ||
+			errors.Is(err, tlsshake.ErrTimeout) ||
+			errors.Is(err, tlsshake.ErrFailedToTlsResponse) {
+
+			s.Params.State = plugin.StateIsSet | plugin.StateIsNull
+			s.Certificates.State = plugin.StateIsSet | plugin.StateIsNull
+			s.NonSniCertificates.State = plugin.StateIsSet | plugin.StateIsNull
+			return nil
+		}
+
+		s.Error = err
+		return s.Error
+	}
+
+	s.tlsEnabled = convert.ToPtr(len(s.tester.Findings.Versions) != 0)
+
+	log.Debug().
+		Str("host", host).
+		Str("proto", proto).
+		Int64("port", port).
+		Strs("versions", s.tester.Findings.Errors).
+		Interface("versions", s.tester.Findings.Versions).
+		Bool("tls_enabled", *s.tlsEnabled).
+		Msg("network.tls> detection")
+	return nil
+}
+
+// TLSEnabled checks if the provider socket speaks TLS or plain text (like HTTP)
+func (s *mqlTls) TLSEnabled(socket *mqlSocket, domainName string) (enabled bool, err error) {
+	s.lock.Lock()
+	defer s.lock.Unlock()
+
+	if s.tlsEnabled == nil {
+		// we only detect once
+		err = s.unsafeTLSTest(socket, domainName)
+	} else {
+		err = s.Error
+	}
+
+	enabled = *s.tlsEnabled
+
+	return
+}
 func (s *mqlTls) populateCertificates(socket *mqlSocket, domainName string) error {
+	enabled, err := s.TLSEnabled(socket, domainName)
+	if err != nil {
+		return err
+	}
+
+	if !enabled {
+		return nil
+	}
+
+	s.lock.Lock()
+	defer s.lock.Unlock()
+
 	host := socket.Address.Data
 	port := socket.Port.Data
+	proto := socket.Protocol.Data
 
-	certs, nonSniCerts, err := gatherTlsCertificates(host, strconv.FormatInt(port, 10), domainName)
+	certs, nonSniCerts, err := gatherTlsCertificates(proto, host, strconv.FormatInt(port, 10), domainName)
 	if err != nil {
 		s.Certificates = plugin.TValue[[]interface{}]{Error: err, State: plugin.StateIsSet}
 		s.NonSniCertificates = plugin.TValue[[]interface{}]{Error: err, State: plugin.StateIsSet}

providers/network/resources/tlsshake/tlsshake.go

@@ -46,8 +46,12 @@ const DefaultTimeout = 2 * time.Second
 
 var ErrFailedToConnect = errors.New("failed to connect")
 
+var ErrFailedToWrite = errors.New("failed to write")
+
 var ErrFailedToTlsResponse = errors.New("failed to get a TLS response")
 
+var ErrTimeout = errors.New("timeout failure")
+
 func DefaultScanConfig() ScanConfig {
 	return ScanConfig{
 		SNIsupported:              true,
@@ -247,7 +251,7 @@ func (s *Tester) testTLSWithConn(conn net.Conn, conf *ScanConfig) (int, error) {
 
 	_, err = conn.Write(msg)
 	if err != nil {
-		return 0, multierr.Wrap(err, "failed to send TLS hello")
+		return 0, ErrFailedToWrite
 	}
 
 	success, err := s.parseHello(conn, conf)
@@ -545,6 +549,8 @@ func (s *Tester) parseHello(conn net.Conn, conf *ScanConfig) (bool, error) {
 					s.sync.Unlock()
 				}
 				return false, nil
+			} else if strings.Contains(err.Error(), "i/o timeout") {
+				return false, ErrTimeout
 			}
 			return false, err
 		}

providers/os/resources/lsof/lsof.go

@@ -5,12 +5,14 @@ package lsof
 
 import (
 	"bufio"
-	"errors"
 	"fmt"
 	"io"
+	"net"
 	"regexp"
 	"strconv"
 	"strings"
+
+	"github.com/cockroachdb/errors"
 )
 
 func init() {
@@ -113,7 +115,6 @@ type FileDescriptor struct {
 
 // n127.0.0.1:3000->127.0.0.1:54335
 var networkNameRegexp = regexp.MustCompile(`(.*):(.*)->(.*):(.*)`)
-var networkLoopbackRegexp = regexp.MustCompile(`(.*):(.*)`)
 
 // local and remote Internet addresses of a network file
 func (f *FileDescriptor) NetworkFile() (string, int64, string, int64, error) {
@@ -144,20 +145,20 @@ func (f *FileDescriptor) NetworkFile() (string, int64, string, int64, error) {
 	}
 
 	// loop-back address [::1]:17223 or *:56863
-	address := networkLoopbackRegexp.FindStringSubmatch(f.Name)
-	if len(address) < 3 {
-		return "", 0, "", 0, errors.New("network name not supported: " + f.Name)
+	host, port, err := net.SplitHostPort(f.Name)
+	if err != nil {
+		return "", 0, "", 0, errors.Wrapf(err, "network name not supported: %s", f.Name)
 	}
+
 	localPort := 0
-	var err error
-	if address[2] != "*" {
-		localPort, err = strconv.Atoi(address[2])
+	if port != "*" {
+		localPort, err = strconv.Atoi(port)
 		if err != nil {
 			return "", 0, "", 0, errors.New("network name not supported: " + f.Name)
 		}
 	}
 
-	return address[1], int64(localPort), "", 0, nil
+	return host, int64(localPort), "", 0, nil
 }
 
 // maps lsof state to tcp states

providers/os/resources/port.go

@@ -602,8 +602,12 @@ func (p *mqlPorts) listMacos() ([]interface{}, error) {
 			}
 			// lsof presents a process listening on any ipv6 address as listening on "*"
 			// change this to a more ipv6-friendly formatting
-			if protocol == "ipv6" && strings.HasPrefix(localAddress, "*") {
-				localAddress = strings.Replace(localAddress, "*", "[::]", 1)
+			if strings.HasPrefix(localAddress, "*") {
+				if strings.HasSuffix(protocol, "6") {
+					localAddress = strings.Replace(localAddress, "*", "::1", 1)
+				} else {
+					localAddress = strings.Replace(localAddress, "*", "127.0.0.1", 1)
+				}
 			}
 
 			state, ok := TCP_STATES[fd.TcpState()]
@@ -649,7 +653,11 @@ func (s *mqlPort) id() (string, error) {
 
 func (s *mqlPort) tls(address string, port int64, proto string) (plugin.Resource, error) {
 	if address == "" || address == "0.0.0.0" {
-		address = "127.0.0.1"
+		if proto == "tcp6" {
+			address = "::1"
+		} else {
+			address = "127.0.0.1"
+		}
 	}
 
 	socket, err := s.MqlRuntime.CreateSharedResource("socket", map[string]*llx.RawData{