[thirdparty/pdns.git] / regression-tests.dnsdist / test_TLS.py

#!/usr/bin/env python
import base64
import dns
import socket
import ssl
import subprocess
import time
import unittest
from dnsdisttests import DNSDistTest

class TLSTests(object):

    @classmethod
    def setUpClass(cls):

        cls.startResponders()
        cls.startDNSDist()
        cls.setUpSockets()
        time.sleep(1)

        print("Launching tests..")

    def getServerCertificate(self):
        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
        cert = conn.getpeercert()
        conn.close()
        return cert

    def getTLSProvider(self):
        return self.sendConsoleCommand("getBind(0):getEffectiveTLSProvider()").rstrip()

    def testTLSSimple(self):
        """
        TLS: Single query
        """
        name = 'single.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
        response = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '127.0.0.1')
        response.answer.append(rrset)

        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)

        self.sendTCPQueryOverConnection(conn, query, response=response)
        (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
        self.assertTrue(receivedQuery)
        self.assertTrue(receivedResponse)
        receivedQuery.id = query.id
        self.assertEqual(query, receivedQuery)
        self.assertEqual(response, receivedResponse)

        # check the certificate
        cert = self.getServerCertificate()
        self.assertIn('subject', cert)
        self.assertIn('serialNumber', cert)
        self.assertIn('subjectAltName', cert)
        subject = cert['subject']
        altNames = cert['subjectAltName']
        self.assertEqual(dict(subject[0])['commonName'], 'tls.tests.dnsdist.org')
        self.assertEqual(dict(subject[1])['organizationalUnitName'], 'PowerDNS.com BV')
        names = []
        for entry in altNames:
            names.append(entry[1])
        self.assertEqual(names, ['tls.tests.dnsdist.org', 'powerdns.com', '127.0.0.1'])
        serialNumber = cert['serialNumber']

        self.generateNewCertificateAndKey()
        self.sendConsoleCommand("reloadAllCertificates()")

        conn.close()
        # open a new connection
        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)

        self.sendTCPQueryOverConnection(conn, query, response=response)
        (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
        self.assertTrue(receivedQuery)
        self.assertTrue(receivedResponse)
        receivedQuery.id = query.id
        self.assertEqual(query, receivedQuery)
        self.assertEqual(response, receivedResponse)

        # check that the certificate is OK
        cert = self.getServerCertificate()
        self.assertIn('subject', cert)
        self.assertIn('serialNumber', cert)
        self.assertIn('subjectAltName', cert)
        subject = cert['subject']
        altNames = cert['subjectAltName']
        self.assertEqual(dict(subject[0])['commonName'], 'tls.tests.dnsdist.org')
        self.assertEqual(dict(subject[1])['organizationalUnitName'], 'PowerDNS.com BV')
        names = []
        for entry in altNames:
            names.append(entry[1])
        self.assertEqual(names, ['tls.tests.dnsdist.org', 'powerdns.com', '127.0.0.1'])

        # and that the serial is different
        self.assertNotEqual(serialNumber, cert['serialNumber'])
        conn.close()

    def testTLKA(self):
        """
        TLS: Several queries over the same connection
        """
        name = 'ka.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
        response = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '127.0.0.1')
        response.answer.append(rrset)

        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)

        for idx in range(5):
            self.sendTCPQueryOverConnection(conn, query, response=response)
            (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
            self.assertTrue(receivedQuery)
            self.assertTrue(receivedResponse)
            receivedQuery.id = query.id
            self.assertEqual(query, receivedQuery)
            self.assertEqual(response, receivedResponse)

        conn.close()

    def testTLSPipelining(self):
        """
        TLS: Several queries over the same connection without waiting for the responses
        """
        name = 'pipelining.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
        response = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '127.0.0.1')
        response.answer.append(rrset)

        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)

        for idx in range(100):
            self.sendTCPQueryOverConnection(conn, query, response=response)

        for idx in range(100):
            (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
            self.assertTrue(receivedQuery)
            self.assertTrue(receivedResponse)
            receivedQuery.id = query.id
            self.assertEqual(query, receivedQuery)
            self.assertEqual(response, receivedResponse)

        conn.close()

    def testTLSSNIRouting(self):
        """
        TLS: SNI Routing
        """
        name = 'sni.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
        query.flags &= ~dns.flags.RD
        response = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '127.0.0.1')
        response.answer.append(rrset)
        expectedResponse = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '1.2.3.4')
        expectedResponse.answer.append(rrset)

        # this SNI should match so we should get a spoofed answer
        conn = self.openTLSConnection(self._tlsServerPort, 'powerdns.com', self._caCert)

        self.sendTCPQueryOverConnection(conn, query, response=None)
        receivedResponse = self.recvTCPResponseOverConnection(conn, useQueue=False)
        self.assertTrue(receivedResponse)
        self.assertEqual(expectedResponse, receivedResponse)

        conn.close()
        # this one should not
        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)

        self.sendTCPQueryOverConnection(conn, query, response=response)
        (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
        self.assertTrue(receivedQuery)
        self.assertTrue(receivedResponse)
        receivedQuery.id = query.id
        self.assertEqual(query, receivedQuery)
        self.assertEqual(response, receivedResponse)
        conn.close()

    def testTLSSNIRoutingAfterResumption(self):
        # we have more complicated tests about session resumption itself,
        # but here we want to make sure the SNI is still present after resumption
        """
        TLS: SNI Routing after resumption
        """
        name = 'sni-resumed.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
        query.flags &= ~dns.flags.RD
        response = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '127.0.0.1')
        response.answer.append(rrset)
        expectedResponse = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '1.2.3.4')
        expectedResponse.answer.append(rrset)

        # this SNI should match so we should get a spoofed answer
        sslctx = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
        sslctx.check_hostname = True
        sslctx.verify_mode = ssl.CERT_REQUIRED
        sslctx.load_verify_locations(self._caCert)

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        sock.settimeout(2.0)
        sslsock = sslctx.wrap_socket(sock, server_hostname='powerdns.com')
        sslsock.connect(("127.0.0.1", self._tlsServerPort))

        self.sendTCPQueryOverConnection(sslsock, query, response=None)
        receivedResponse = self.recvTCPResponseOverConnection(sslsock, useQueue=False)
        self.assertTrue(receivedResponse)
        self.assertEqual(expectedResponse, receivedResponse)
        self.assertFalse(sslsock.session_reused)
        session = sslsock.session

        # this one should not (different SNI)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        sock.settimeout(2.0)
        sslsock = sslctx.wrap_socket(sock, server_hostname=self._serverName)
        sslsock.connect(("127.0.0.1", self._tlsServerPort))

        self.sendTCPQueryOverConnection(sslsock, query, response=response)
        (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(sslsock, useQueue=True)
        self.assertTrue(receivedQuery)
        self.assertTrue(receivedResponse)
        receivedQuery.id = query.id
        self.assertEqual(query, receivedQuery)
        self.assertEqual(response, receivedResponse)
        self.assertFalse(sslsock.session_reused)

        # and now we should be able to resume the session
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        sock.settimeout(2.0)
        sslsock = sslctx.wrap_socket(sock, server_hostname='powerdns.com')
        sslsock.session = session
        sslsock.connect(("127.0.0.1", self._tlsServerPort))

        self.sendTCPQueryOverConnection(sslsock, query, response=None)
        receivedResponse = self.recvTCPResponseOverConnection(sslsock, useQueue=False)
        self.assertTrue(receivedResponse)
        self.assertEqual(expectedResponse, receivedResponse)
        self.assertTrue(sslsock.session_reused)

class TestOpenSSL(DNSDistTest, TLSTests):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    _tlsServerPort = 8453
    _config_template = """
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    newServer{address="127.0.0.1:%s"}
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl" })
    addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
    """
    _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']

    def testProvider(self):
        self.assertEquals(self.getTLSProvider(), "openssl")

class TestGnuTLS(DNSDistTest, TLSTests):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    _tlsServerPort = 8453
    _config_template = """
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    newServer{address="127.0.0.1:%s"}
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls" })
    addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
    """
    _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']

    def testProvider(self):
        self.assertEquals(self.getTLSProvider(), "gnutls")

class TestDOTWithCache(DNSDistTest):
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    _tlsServerPort = 8453
    _config_template = """
    newServer{address="127.0.0.1:%s"}

    addTLSLocal("127.0.0.1:%s", "%s", "%s")

    pc = newPacketCache(100, {maxTTL=86400, minTTL=1})
    getPool(""):setCache(pc)
    """
    _config_params = ['_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']

    def testDOTCacheLargeAnswer(self):
        """
        DOT with cache: Check that we can cache (and retrieve) large answers
        """
        numberOfQueries = 10
        name = 'large.dot-with-cache.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
        query.id = 0
        expectedQuery = dns.message.make_query(name, 'A', 'IN', use_edns=True, payload=4096)
        expectedQuery.id = 0
        response = dns.message.make_response(query)
        # we prepare a large answer
        content = ""
        for i in range(44):
            if len(content) > 0:
                content = content + ', '
            content = content + (str(i)*50)
        # pad up to 4096
        content = content + 'A'*40

        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.TXT,
                                    content)
        response.answer.append(rrset)
        self.assertEqual(len(response.to_wire()), 4096)

        # first query to fill the cache
        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
        self.sendTCPQueryOverConnection(conn, query, response=response)
        (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)

        self.assertTrue(receivedQuery)
        self.assertTrue(receivedResponse)
        receivedQuery.id = expectedQuery.id
        self.assertEqual(expectedQuery, receivedQuery)
        self.checkQueryNoEDNS(expectedQuery, receivedQuery)
        self.assertEqual(response, receivedResponse)
        conn.close()

        for _ in range(numberOfQueries):
            conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
            self.sendTCPQueryOverConnection(conn, query, response=None)
            receivedResponse = self.recvTCPResponseOverConnection(conn, useQueue=False)
            self.assertEqual(receivedResponse, response)
            conn.close()

class TestTLSFrontendLimits(DNSDistTest):

    # this test suite uses a different responder port
    # because it uses a different health check configuration
    _testServerPort = 5395
    _answerUnexpected = True

    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    _tlsServerPort = 8453

    _skipListeningOnCL = True
    _tcpIdleTimeout = 2
    _maxTCPConnsPerTLSFrontend = 5
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", maxConcurrentTCPConnections=%d })
    """
    _config_params = ['_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey', '_maxTCPConnsPerTLSFrontend']

    def testTCPConnsPerTLSFrontend(self):
        """
        TLS Frontend Limits: Maximum number of conns per TLS frontend
        """
        name = 'maxconnspertlsfrontend.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN')
        conns = []

        for idx in range(self._maxTCPConnsPerTLSFrontend + 1):
            try:
                conns.append(self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert))
            except:
                conns.append(None)

        count = 0
        failed = 0
        for conn in conns:
            if not conn:
                failed = failed + 1
                continue

            try:
                self.sendTCPQueryOverConnection(conn, query)
                response = self.recvTCPResponseOverConnection(conn)
                if response:
                    count = count + 1
                else:
                    failed = failed + 1
            except:
                failed = failed + 1

        for conn in conns:
            if conn:
                conn.close()

        # wait a bit to be sure that dnsdist closed the connections
        # and decremented the counters on its side, otherwise subsequent
        # connections will be dropped
        time.sleep(1)

        self.assertEqual(count, self._maxTCPConnsPerTLSFrontend)
        self.assertEqual(failed, 1)

class TestProtocols(DNSDistTest):
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    _tlsServerPort = 8453

    _config_template = """
    function checkDOT(dq)
      if dq:getProtocol() ~= "DNS over TLS" then
        return DNSAction.Spoof, '1.2.3.4'
      end
      return DNSAction.None
    end

    addAction("protocols.tls.tests.powerdns.com.", LuaAction(checkDOT))
    newServer{address="127.0.0.1:%s"}
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl" })
    """
    _config_params = ['_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']

    def testProtocolDOT(self):
        """
        DoT: Test DNSQuestion.Protocol
        """
        name = 'protocols.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN')
        response = dns.message.make_response(query)

        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
        self.sendTCPQueryOverConnection(conn, query, response=response)
        (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
        self.assertTrue(receivedQuery)
        self.assertTrue(receivedResponse)
        receivedQuery.id = query.id
        self.assertEqual(query, receivedQuery)
        self.assertEqual(response, receivedResponse)
        conn.close()

class TestPKCSTLSCertificate(DNSDistTest, TLSTests):
    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverCert = 'server.p12'
    _pkcsPassphrase = 'passw0rd'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    _tlsServerPort = 8453
    _config_template = """
    setKey("%s")
    controlSocket("127.0.0.1:%s")
    newServer{address="127.0.0.1:%s"}
    cert=newTLSCertificate("%s", {password="%s"})
    addTLSLocal("127.0.0.1:%s", cert, "", { provider="openssl" })
    addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
    """
    _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_serverCert', '_pkcsPassphrase', '_tlsServerPort']
Commit	Line	Data
a227f47d	1	#!/usr/bin/env python
1d896c34	2	import base64
a227f47d	3	import dns
5f4156be RG	4	import socket
5f4156be RG	5	import ssl
1d896c34	6	import subprocess
d4d57f56	7	import time
5f4156be	8	import unittest
a227f47d RG	9	from dnsdisttests import DNSDistTest
a227f47d RG	10
5f4156be	11	class TLSTests(object):
a227f47d	12
ffabdc3e OM	13	@classmethod
	14	def setUpClass(cls):
	15
	16	cls.startResponders()
	17	cls.startDNSDist()
	18	cls.setUpSockets()
	19	time.sleep(1)
	20
	21	print("Launching tests..")
	22
1d896c34 RG	23	def getServerCertificate(self):
1d896c34 RG	24	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
75b536de RG	25	cert = conn.getpeercert()
	26	conn.close()
	27	return cert
1d896c34	28
98222dfc RG	29	def getTLSProvider(self):
	30	return self.sendConsoleCommand("getBind(0):getEffectiveTLSProvider()").rstrip()
	31
a227f47d RG	32	def testTLSSimple(self):
	33	"""
	34	TLS: Single query
	35	"""
	36	name = 'single.tls.tests.powerdns.com.'
	37	query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
	38	response = dns.message.make_response(query)
	39	rrset = dns.rrset.from_text(name,
	40	3600,
	41	dns.rdataclass.IN,
	42	dns.rdatatype.A,
	43	'127.0.0.1')
	44	response.answer.append(rrset)
	45
	46	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	47
	48	self.sendTCPQueryOverConnection(conn, query, response=response)
	49	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	50	self.assertTrue(receivedQuery)
	51	self.assertTrue(receivedResponse)
	52	receivedQuery.id = query.id
4bfebc93 CH	53	self.assertEqual(query, receivedQuery)
4bfebc93 CH	54	self.assertEqual(response, receivedResponse)
6db567d1	55
1d896c34 RG	56	# check the certificate
	57	cert = self.getServerCertificate()
	58	self.assertIn('subject', cert)
	59	self.assertIn('serialNumber', cert)
	60	self.assertIn('subjectAltName', cert)
	61	subject = cert['subject']
	62	altNames = cert['subjectAltName']
4bfebc93 CH	63	self.assertEqual(dict(subject[0])['commonName'], 'tls.tests.dnsdist.org')
4bfebc93 CH	64	self.assertEqual(dict(subject[1])['organizationalUnitName'], 'PowerDNS.com BV')
1d896c34 RG	65	names = []
	66	for entry in altNames:
	67	names.append(entry[1])
644eb242	68	self.assertEqual(names, ['tls.tests.dnsdist.org', 'powerdns.com', '127.0.0.1'])
1d896c34 RG	69	serialNumber = cert['serialNumber']
	70
	71	self.generateNewCertificateAndKey()
	72	self.sendConsoleCommand("reloadAllCertificates()")
	73
75b536de	74	conn.close()
1d896c34 RG	75	# open a new connection
	76	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	77
	78	self.sendTCPQueryOverConnection(conn, query, response=response)
	79	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	80	self.assertTrue(receivedQuery)
	81	self.assertTrue(receivedResponse)
	82	receivedQuery.id = query.id
4bfebc93 CH	83	self.assertEqual(query, receivedQuery)
4bfebc93 CH	84	self.assertEqual(response, receivedResponse)
1d896c34 RG	85
	86	# check that the certificate is OK
	87	cert = self.getServerCertificate()
	88	self.assertIn('subject', cert)
	89	self.assertIn('serialNumber', cert)
	90	self.assertIn('subjectAltName', cert)
	91	subject = cert['subject']
	92	altNames = cert['subjectAltName']
4bfebc93 CH	93	self.assertEqual(dict(subject[0])['commonName'], 'tls.tests.dnsdist.org')
4bfebc93 CH	94	self.assertEqual(dict(subject[1])['organizationalUnitName'], 'PowerDNS.com BV')
1d896c34 RG	95	names = []
	96	for entry in altNames:
	97	names.append(entry[1])
644eb242	98	self.assertEqual(names, ['tls.tests.dnsdist.org', 'powerdns.com', '127.0.0.1'])
1d896c34 RG	99
1d896c34 RG	100	# and that the serial is different
4bfebc93	101	self.assertNotEqual(serialNumber, cert['serialNumber'])
75b536de	102	conn.close()
1d896c34	103
6db567d1 RG	104	def testTLKA(self):
	105	"""
	106	TLS: Several queries over the same connection
	107	"""
	108	name = 'ka.tls.tests.powerdns.com.'
	109	query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
	110	response = dns.message.make_response(query)
	111	rrset = dns.rrset.from_text(name,
	112	3600,
	113	dns.rdataclass.IN,
	114	dns.rdatatype.A,
	115	'127.0.0.1')
	116	response.answer.append(rrset)
	117
	118	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	119
	120	for idx in range(5):
	121	self.sendTCPQueryOverConnection(conn, query, response=response)
	122	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	123	self.assertTrue(receivedQuery)
	124	self.assertTrue(receivedResponse)
	125	receivedQuery.id = query.id
4bfebc93 CH	126	self.assertEqual(query, receivedQuery)
4bfebc93 CH	127	self.assertEqual(response, receivedResponse)
6db567d1	128
75b536de RG	129	conn.close()
75b536de RG	130
6db567d1 RG	131	def testTLSPipelining(self):
	132	"""
	133	TLS: Several queries over the same connection without waiting for the responses
	134	"""
	135	name = 'pipelining.tls.tests.powerdns.com.'
	136	query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
	137	response = dns.message.make_response(query)
	138	rrset = dns.rrset.from_text(name,
	139	3600,
	140	dns.rdataclass.IN,
	141	dns.rdatatype.A,
	142	'127.0.0.1')
	143	response.answer.append(rrset)
	144
	145	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	146
	147	for idx in range(100):
	148	self.sendTCPQueryOverConnection(conn, query, response=response)
	149
	150	for idx in range(100):
	151	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	152	self.assertTrue(receivedQuery)
	153	self.assertTrue(receivedResponse)
	154	receivedQuery.id = query.id
4bfebc93 CH	155	self.assertEqual(query, receivedQuery)
4bfebc93 CH	156	self.assertEqual(response, receivedResponse)
046bac5c	157
75b536de RG	158	conn.close()
75b536de RG	159
046bac5c RG	160	def testTLSSNIRouting(self):
	161	"""
	162	TLS: SNI Routing
	163	"""
	164	name = 'sni.tls.tests.powerdns.com.'
	165	query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
	166	query.flags &= ~dns.flags.RD
	167	response = dns.message.make_response(query)
	168	rrset = dns.rrset.from_text(name,
	169	3600,
	170	dns.rdataclass.IN,
	171	dns.rdatatype.A,
	172	'127.0.0.1')
	173	response.answer.append(rrset)
	174	expectedResponse = dns.message.make_response(query)
	175	rrset = dns.rrset.from_text(name,
	176	3600,
	177	dns.rdataclass.IN,
	178	dns.rdatatype.A,
	179	'1.2.3.4')
	180	expectedResponse.answer.append(rrset)
	181
	182	# this SNI should match so we should get a spoofed answer
	183	conn = self.openTLSConnection(self._tlsServerPort, 'powerdns.com', self._caCert)
	184
	185	self.sendTCPQueryOverConnection(conn, query, response=None)
	186	receivedResponse = self.recvTCPResponseOverConnection(conn, useQueue=False)
	187	self.assertTrue(receivedResponse)
4bfebc93	188	self.assertEqual(expectedResponse, receivedResponse)
046bac5c	189
75b536de	190	conn.close()
046bac5c RG	191	# this one should not
	192	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	193
	194	self.sendTCPQueryOverConnection(conn, query, response=response)
	195	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	196	self.assertTrue(receivedQuery)
	197	self.assertTrue(receivedResponse)
	198	receivedQuery.id = query.id
4bfebc93 CH	199	self.assertEqual(query, receivedQuery)
4bfebc93 CH	200	self.assertEqual(response, receivedResponse)
75b536de	201	conn.close()
d27309a9	202
5f4156be RG	203	def testTLSSNIRoutingAfterResumption(self):
	204	# we have more complicated tests about session resumption itself,
	205	# but here we want to make sure the SNI is still present after resumption
	206	"""
	207	TLS: SNI Routing after resumption
	208	"""
	209	name = 'sni-resumed.tls.tests.powerdns.com.'
	210	query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
	211	query.flags &= ~dns.flags.RD
	212	response = dns.message.make_response(query)
	213	rrset = dns.rrset.from_text(name,
	214	3600,
	215	dns.rdataclass.IN,
	216	dns.rdatatype.A,
	217	'127.0.0.1')
	218	response.answer.append(rrset)
	219	expectedResponse = dns.message.make_response(query)
	220	rrset = dns.rrset.from_text(name,
	221	3600,
	222	dns.rdataclass.IN,
	223	dns.rdatatype.A,
	224	'1.2.3.4')
	225	expectedResponse.answer.append(rrset)
	226
	227	# this SNI should match so we should get a spoofed answer
	228	sslctx = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
	229	sslctx.check_hostname = True
	230	sslctx.verify_mode = ssl.CERT_REQUIRED
	231	sslctx.load_verify_locations(self._caCert)
	232
	233	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	234	sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
	235	sock.settimeout(2.0)
	236	sslsock = sslctx.wrap_socket(sock, server_hostname='powerdns.com')
	237	sslsock.connect(("127.0.0.1", self._tlsServerPort))
	238
	239	self.sendTCPQueryOverConnection(sslsock, query, response=None)
	240	receivedResponse = self.recvTCPResponseOverConnection(sslsock, useQueue=False)
	241	self.assertTrue(receivedResponse)
4bfebc93	242	self.assertEqual(expectedResponse, receivedResponse)
5f4156be RG	243	self.assertFalse(sslsock.session_reused)
	244	session = sslsock.session
	245
	246	# this one should not (different SNI)
	247	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	248	sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
	249	sock.settimeout(2.0)
	250	sslsock = sslctx.wrap_socket(sock, server_hostname=self._serverName)
	251	sslsock.connect(("127.0.0.1", self._tlsServerPort))
	252
	253	self.sendTCPQueryOverConnection(sslsock, query, response=response)
	254	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(sslsock, useQueue=True)
	255	self.assertTrue(receivedQuery)
	256	self.assertTrue(receivedResponse)
	257	receivedQuery.id = query.id
4bfebc93 CH	258	self.assertEqual(query, receivedQuery)
4bfebc93 CH	259	self.assertEqual(response, receivedResponse)
5f4156be RG	260	self.assertFalse(sslsock.session_reused)
	261
	262	# and now we should be able to resume the session
	263	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	264	sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
	265	sock.settimeout(2.0)
	266	sslsock = sslctx.wrap_socket(sock, server_hostname='powerdns.com')
	267	sslsock.session = session
	268	sslsock.connect(("127.0.0.1", self._tlsServerPort))
	269
	270	self.sendTCPQueryOverConnection(sslsock, query, response=None)
	271	receivedResponse = self.recvTCPResponseOverConnection(sslsock, useQueue=False)
	272	self.assertTrue(receivedResponse)
4bfebc93	273	self.assertEqual(expectedResponse, receivedResponse)
5f4156be RG	274	self.assertTrue(sslsock.session_reused)
	275
	276	class TestOpenSSL(DNSDistTest, TLSTests):
	277
1d896c34 RG	278	_consoleKey = DNSDistTest.generateConsoleKey()
1d896c34 RG	279	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
5f4156be RG	280	_serverKey = 'server.key'
	281	_serverCert = 'server.chain'
	282	_serverName = 'tls.tests.dnsdist.org'
	283	_caCert = 'ca.pem'
	284	_tlsServerPort = 8453
	285	_config_template = """
1d896c34 RG	286	setKey("%s")
	287	controlSocket("127.0.0.1:%s")
	288
5f4156be RG	289	newServer{address="127.0.0.1:%s"}
	290	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl" })
	291	addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
	292	"""
1d896c34	293	_config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']
5f4156be	294
98222dfc RG	295	def testProvider(self):
	296	self.assertEquals(self.getTLSProvider(), "openssl")
	297
5f4156be RG	298	class TestGnuTLS(DNSDistTest, TLSTests):
5f4156be RG	299
1d896c34 RG	300	_consoleKey = DNSDistTest.generateConsoleKey()
1d896c34 RG	301	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
5f4156be RG	302	_serverKey = 'server.key'
	303	_serverCert = 'server.chain'
	304	_serverName = 'tls.tests.dnsdist.org'
	305	_caCert = 'ca.pem'
	306	_tlsServerPort = 8453
	307	_config_template = """
1d896c34 RG	308	setKey("%s")
	309	controlSocket("127.0.0.1:%s")
	310
5f4156be RG	311	newServer{address="127.0.0.1:%s"}
	312	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls" })
	313	addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
	314	"""
1d896c34	315	_config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']
5f4156be	316
98222dfc RG	317	def testProvider(self):
	318	self.assertEquals(self.getTLSProvider(), "gnutls")
	319
d27309a9	320	class TestDOTWithCache(DNSDistTest):
d27309a9 RG	321	_serverKey = 'server.key'
	322	_serverCert = 'server.chain'
	323	_serverName = 'tls.tests.dnsdist.org'
	324	_caCert = 'ca.pem'
	325	_tlsServerPort = 8453
	326	_config_template = """
	327	newServer{address="127.0.0.1:%s"}
	328
	329	addTLSLocal("127.0.0.1:%s", "%s", "%s")
	330
	331	pc = newPacketCache(100, {maxTTL=86400, minTTL=1})
	332	getPool(""):setCache(pc)
	333	"""
	334	_config_params = ['_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']
	335
	336	def testDOTCacheLargeAnswer(self):
	337	"""
	338	DOT with cache: Check that we can cache (and retrieve) large answers
	339	"""
	340	numberOfQueries = 10
	341	name = 'large.dot-with-cache.tests.powerdns.com.'
	342	query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
	343	query.id = 0
	344	expectedQuery = dns.message.make_query(name, 'A', 'IN', use_edns=True, payload=4096)
	345	expectedQuery.id = 0
	346	response = dns.message.make_response(query)
	347	# we prepare a large answer
	348	content = ""
	349	for i in range(44):
	350	if len(content) > 0:
	351	content = content + ', '
	352	content = content + (str(i)*50)
	353	# pad up to 4096
	354	content = content + 'A'*40
	355
	356	rrset = dns.rrset.from_text(name,
	357	3600,
	358	dns.rdataclass.IN,
	359	dns.rdatatype.TXT,
	360	content)
	361	response.answer.append(rrset)
4bfebc93	362	self.assertEqual(len(response.to_wire()), 4096)
d27309a9 RG	363
	364	# first query to fill the cache
	365	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	366	self.sendTCPQueryOverConnection(conn, query, response=response)
	367	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	368
	369	self.assertTrue(receivedQuery)
	370	self.assertTrue(receivedResponse)
	371	receivedQuery.id = expectedQuery.id
4bfebc93	372	self.assertEqual(expectedQuery, receivedQuery)
d27309a9	373	self.checkQueryNoEDNS(expectedQuery, receivedQuery)
4bfebc93	374	self.assertEqual(response, receivedResponse)
75b536de	375	conn.close()
d27309a9 RG	376
	377	for _ in range(numberOfQueries):
	378	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	379	self.sendTCPQueryOverConnection(conn, query, response=None)
	380	receivedResponse = self.recvTCPResponseOverConnection(conn, useQueue=False)
4bfebc93	381	self.assertEqual(receivedResponse, response)
75b536de	382	conn.close()
d4d57f56 RG	383
	384	class TestTLSFrontendLimits(DNSDistTest):
	385
	386	# this test suite uses a different responder port
	387	# because it uses a different health check configuration
	388	_testServerPort = 5395
	389	_answerUnexpected = True
	390
	391	_serverKey = 'server.key'
	392	_serverCert = 'server.chain'
	393	_serverName = 'tls.tests.dnsdist.org'
	394	_caCert = 'ca.pem'
	395	_tlsServerPort = 8453
	396
	397	_skipListeningOnCL = True
	398	_tcpIdleTimeout = 2
	399	_maxTCPConnsPerTLSFrontend = 5
	400	_config_template = """
	401	newServer{address="127.0.0.1:%s"}
	402	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", maxConcurrentTCPConnections=%d })
	403	"""
	404	_config_params = ['_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey', '_maxTCPConnsPerTLSFrontend']
d4d57f56 RG	405
	406	def testTCPConnsPerTLSFrontend(self):
	407	"""
	408	TLS Frontend Limits: Maximum number of conns per TLS frontend
	409	"""
	410	name = 'maxconnspertlsfrontend.tls.tests.powerdns.com.'
	411	query = dns.message.make_query(name, 'A', 'IN')
	412	conns = []
	413
	414	for idx in range(self._maxTCPConnsPerTLSFrontend + 1):
	415	try:
	416	conns.append(self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert))
	417	except:
	418	conns.append(None)
	419
	420	count = 0
	421	failed = 0
	422	for conn in conns:
	423	if not conn:
	424	failed = failed + 1
	425	continue
	426
	427	try:
	428	self.sendTCPQueryOverConnection(conn, query)
	429	response = self.recvTCPResponseOverConnection(conn)
	430	if response:
	431	count = count + 1
	432	else:
	433	failed = failed + 1
	434	except:
	435	failed = failed + 1
	436
	437	for conn in conns:
	438	if conn:
	439	conn.close()
	440
	441	# wait a bit to be sure that dnsdist closed the connections
	442	# and decremented the counters on its side, otherwise subsequent
	443	# connections will be dropped
	444	time.sleep(1)
	445
	446	self.assertEqual(count, self._maxTCPConnsPerTLSFrontend)
	447	self.assertEqual(failed, 1)
7d808ff4 RG	448
	449	class TestProtocols(DNSDistTest):
	450	_serverKey = 'server.key'
	451	_serverCert = 'server.chain'
	452	_serverName = 'tls.tests.dnsdist.org'
	453	_caCert = 'ca.pem'
	454	_tlsServerPort = 8453
	455
	456	_config_template = """
	457	function checkDOT(dq)
	458	if dq:getProtocol() ~= "DNS over TLS" then
	459	return DNSAction.Spoof, '1.2.3.4'
	460	end
	461	return DNSAction.None
	462	end
	463
	464	addAction("protocols.tls.tests.powerdns.com.", LuaAction(checkDOT))
	465	newServer{address="127.0.0.1:%s"}
	466	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl" })
	467	"""
	468	_config_params = ['_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']
	469
	470	def testProtocolDOT(self):
	471	"""
	472	DoT: Test DNSQuestion.Protocol
	473	"""
	474	name = 'protocols.tls.tests.powerdns.com.'
	475	query = dns.message.make_query(name, 'A', 'IN')
	476	response = dns.message.make_response(query)
	477
	478	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	479	self.sendTCPQueryOverConnection(conn, query, response=response)
	480	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	481	self.assertTrue(receivedQuery)
	482	self.assertTrue(receivedResponse)
	483	receivedQuery.id = query.id
	484	self.assertEqual(query, receivedQuery)
	485	self.assertEqual(response, receivedResponse)
75b536de	486	conn.close()
5ac11505 CHB	487
	488	class TestPKCSTLSCertificate(DNSDistTest, TLSTests):
	489	_consoleKey = DNSDistTest.generateConsoleKey()
	490	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
	491	_serverCert = 'server.p12'
	492	_pkcsPassphrase = 'passw0rd'
	493	_serverName = 'tls.tests.dnsdist.org'
	494	_caCert = 'ca.pem'
	495	_tlsServerPort = 8453
	496	_config_template = """
	497	setKey("%s")
	498	controlSocket("127.0.0.1:%s")
	499	newServer{address="127.0.0.1:%s"}
	500	cert=newTLSCertificate("%s", {password="%s"})
	501	addTLSLocal("127.0.0.1:%s", cert, "", { provider="openssl" })
	502	addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
	503	"""
	504	_config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_serverCert', '_pkcsPassphrase', '_tlsServerPort']