[thirdparty/pdns.git] / regression-tests.dnsdist / test_TLS.py

#!/usr/bin/env python
import base64
import dns
import socket
import ssl
import subprocess
import time
import unittest
from dnsdisttests import DNSDistTest, pickAvailablePort

class TLSTests(object):

    def getServerCertificate(self):
        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
        cert = conn.getpeercert()
        conn.close()
        return cert

    def getTLSProvider(self):
        return self.sendConsoleCommand("getBind(0):getEffectiveTLSProvider()").rstrip()

    def testTLSSimple(self):
        """
        TLS: Single query
        """
        name = 'single.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
        response = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '127.0.0.1')
        response.answer.append(rrset)

        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)

        self.sendTCPQueryOverConnection(conn, query, response=response)
        (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
        self.assertTrue(receivedQuery)
        self.assertTrue(receivedResponse)
        receivedQuery.id = query.id
        self.assertEqual(query, receivedQuery)
        self.assertEqual(response, receivedResponse)

        # check the certificate
        cert = self.getServerCertificate()
        self.assertIn('subject', cert)
        self.assertIn('serialNumber', cert)
        self.assertIn('subjectAltName', cert)
        subject = cert['subject']
        altNames = cert['subjectAltName']
        self.assertEqual(dict(subject[0])['commonName'], 'tls.tests.dnsdist.org')
        self.assertEqual(dict(subject[1])['organizationalUnitName'], 'PowerDNS.com BV')
        names = []
        for entry in altNames:
            names.append(entry[1])
        self.assertEqual(names, ['tls.tests.dnsdist.org', 'powerdns.com', '127.0.0.1'])
        serialNumber = cert['serialNumber']

        self.generateNewCertificateAndKey('server-tls')
        self.sendConsoleCommand("reloadAllCertificates()")

        conn.close()
        # open a new connection
        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)

        self.sendTCPQueryOverConnection(conn, query, response=response)
        (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
        self.assertTrue(receivedQuery)
        self.assertTrue(receivedResponse)
        receivedQuery.id = query.id
        self.assertEqual(query, receivedQuery)
        self.assertEqual(response, receivedResponse)

        # check that the certificate is OK
        cert = self.getServerCertificate()
        self.assertIn('subject', cert)
        self.assertIn('serialNumber', cert)
        self.assertIn('subjectAltName', cert)
        subject = cert['subject']
        altNames = cert['subjectAltName']
        self.assertEqual(dict(subject[0])['commonName'], 'tls.tests.dnsdist.org')
        self.assertEqual(dict(subject[1])['organizationalUnitName'], 'PowerDNS.com BV')
        names = []
        for entry in altNames:
            names.append(entry[1])
        self.assertEqual(names, ['tls.tests.dnsdist.org', 'powerdns.com', '127.0.0.1'])

        # and that the serial is different
        self.assertNotEqual(serialNumber, cert['serialNumber'])
        conn.close()

    def testTLKA(self):
        """
        TLS: Several queries over the same connection
        """
        name = 'ka.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
        response = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '127.0.0.1')
        response.answer.append(rrset)

        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)

        for idx in range(5):
            self.sendTCPQueryOverConnection(conn, query, response=response)
            (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
            self.assertTrue(receivedQuery)
            self.assertTrue(receivedResponse)
            receivedQuery.id = query.id
            self.assertEqual(query, receivedQuery)
            self.assertEqual(response, receivedResponse)

        conn.close()

    def testTLSPipelining(self):
        """
        TLS: Several queries over the same connection without waiting for the responses
        """
        name = 'pipelining.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
        response = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '127.0.0.1')
        response.answer.append(rrset)

        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)

        for idx in range(100):
            self.sendTCPQueryOverConnection(conn, query, response=response)

        for idx in range(100):
            (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
            self.assertTrue(receivedQuery)
            self.assertTrue(receivedResponse)
            receivedQuery.id = query.id
            self.assertEqual(query, receivedQuery)
            self.assertEqual(response, receivedResponse)

        conn.close()

    def testTLSSNIRouting(self):
        """
        TLS: SNI Routing
        """
        name = 'sni.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
        query.flags &= ~dns.flags.RD
        response = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '127.0.0.1')
        response.answer.append(rrset)
        expectedResponse = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '1.2.3.4')
        expectedResponse.answer.append(rrset)

        # this SNI should match so we should get a spoofed answer
        conn = self.openTLSConnection(self._tlsServerPort, 'powerdns.com', self._caCert)

        self.sendTCPQueryOverConnection(conn, query, response=None)
        receivedResponse = self.recvTCPResponseOverConnection(conn, useQueue=False)
        self.assertTrue(receivedResponse)
        self.assertEqual(expectedResponse, receivedResponse)

        conn.close()
        # this one should not
        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)

        self.sendTCPQueryOverConnection(conn, query, response=response)
        (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
        self.assertTrue(receivedQuery)
        self.assertTrue(receivedResponse)
        receivedQuery.id = query.id
        self.assertEqual(query, receivedQuery)
        self.assertEqual(response, receivedResponse)
        conn.close()

    def testTLSSNIRoutingAfterResumption(self):
        # we have more complicated tests about session resumption itself,
        # but here we want to make sure the SNI is still present after resumption
        """
        TLS: SNI Routing after resumption
        """
        name = 'sni-resumed.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
        query.flags &= ~dns.flags.RD
        response = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '127.0.0.1')
        response.answer.append(rrset)
        expectedResponse = dns.message.make_response(query)
        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.A,
                                    '1.2.3.4')
        expectedResponse.answer.append(rrset)

        # this SNI should match so we should get a spoofed answer
        sslctx = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
        sslctx.check_hostname = True
        sslctx.verify_mode = ssl.CERT_REQUIRED
        sslctx.load_verify_locations(self._caCert)

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        sock.settimeout(2.0)
        sslsock = sslctx.wrap_socket(sock, server_hostname='powerdns.com')
        sslsock.connect(("127.0.0.1", self._tlsServerPort))

        self.sendTCPQueryOverConnection(sslsock, query, response=None)
        receivedResponse = self.recvTCPResponseOverConnection(sslsock, useQueue=False)
        self.assertTrue(receivedResponse)
        self.assertEqual(expectedResponse, receivedResponse)
        self.assertFalse(sslsock.session_reused)
        session = sslsock.session

        # this one should not (different SNI)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        sock.settimeout(2.0)
        sslsock = sslctx.wrap_socket(sock, server_hostname=self._serverName)
        sslsock.connect(("127.0.0.1", self._tlsServerPort))

        self.sendTCPQueryOverConnection(sslsock, query, response=response)
        (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(sslsock, useQueue=True)
        self.assertTrue(receivedQuery)
        self.assertTrue(receivedResponse)
        receivedQuery.id = query.id
        self.assertEqual(query, receivedQuery)
        self.assertEqual(response, receivedResponse)
        self.assertFalse(sslsock.session_reused)

        # and now we should be able to resume the session
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        sock.settimeout(2.0)
        sslsock = sslctx.wrap_socket(sock, server_hostname='powerdns.com')
        sslsock.session = session
        sslsock.connect(("127.0.0.1", self._tlsServerPort))

        self.sendTCPQueryOverConnection(sslsock, query, response=None)
        receivedResponse = self.recvTCPResponseOverConnection(sslsock, useQueue=False)
        self.assertTrue(receivedResponse)
        self.assertEqual(expectedResponse, receivedResponse)
        self.assertTrue(sslsock.session_reused)

class TestOpenSSL(DNSDistTest, TLSTests):

    _extraStartupSleep = 1
    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server-tls.key'
    _serverCert = 'server-tls.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    _tlsServerPort = pickAvailablePort()
    _config_template = """
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    newServer{address="127.0.0.1:%s"}
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl" })
    addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
    """
    _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']

    @classmethod
    def setUpClass(cls):
        cls.generateNewCertificateAndKey('server-tls')
        cls.startResponders()
        cls.startDNSDist()
        cls.setUpSockets()

    def testProvider(self):
        self.assertEqual(self.getTLSProvider(), "openssl")

class TestGnuTLS(DNSDistTest, TLSTests):

    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverKey = 'server-tls.key'
    _serverCert = 'server-tls.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    _tlsServerPort = pickAvailablePort()
    _config_template = """
    setKey("%s")
    controlSocket("127.0.0.1:%s")

    newServer{address="127.0.0.1:%s"}
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls" })
    addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
    """
    _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']

    @classmethod
    def setUpClass(cls):
        cls.generateNewCertificateAndKey('server-tls')
        cls.startResponders()
        cls.startDNSDist()
        cls.setUpSockets()

    def testProvider(self):
        self.assertEqual(self.getTLSProvider(), "gnutls")

class TestDOTWithCache(DNSDistTest):
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    _tlsServerPort = pickAvailablePort()
    _config_template = """
    newServer{address="127.0.0.1:%s"}

    addTLSLocal("127.0.0.1:%s", "%s", "%s")

    pc = newPacketCache(100, {maxTTL=86400, minTTL=1})
    getPool(""):setCache(pc)
    """
    _config_params = ['_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']

    def testDOTCacheLargeAnswer(self):
        """
        DOT with cache: Check that we can cache (and retrieve) large answers
        """
        numberOfQueries = 10
        name = 'large.dot-with-cache.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
        query.id = 0
        expectedQuery = dns.message.make_query(name, 'A', 'IN', use_edns=True, payload=4096)
        expectedQuery.id = 0
        response = dns.message.make_response(query)
        # we prepare a large answer
        content = ""
        for i in range(44):
            if len(content) > 0:
                content = content + ', '
            content = content + (str(i)*50)
        # pad up to 4096
        content = content + 'A'*40

        rrset = dns.rrset.from_text(name,
                                    3600,
                                    dns.rdataclass.IN,
                                    dns.rdatatype.TXT,
                                    content)
        response.answer.append(rrset)
        self.assertEqual(len(response.to_wire()), 4096)

        # first query to fill the cache
        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
        self.sendTCPQueryOverConnection(conn, query, response=response)
        (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)

        self.assertTrue(receivedQuery)
        self.assertTrue(receivedResponse)
        receivedQuery.id = expectedQuery.id
        self.assertEqual(expectedQuery, receivedQuery)
        self.checkQueryNoEDNS(expectedQuery, receivedQuery)
        self.assertEqual(response, receivedResponse)
        conn.close()

        for _ in range(numberOfQueries):
            conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
            self.sendTCPQueryOverConnection(conn, query, response=None)
            receivedResponse = self.recvTCPResponseOverConnection(conn, useQueue=False)
            self.assertEqual(receivedResponse, response)
            conn.close()

class TestTLSFrontendLimits(DNSDistTest):

    # this test suite uses a different responder port
    # because it uses a different health check configuration
    _testServerPort = pickAvailablePort()
    _answerUnexpected = True

    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    _tlsServerPort = pickAvailablePort()

    _skipListeningOnCL = True
    _tcpIdleTimeout = 2
    _maxTCPConnsPerTLSFrontend = 5
    _config_template = """
    newServer{address="127.0.0.1:%s"}
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", maxConcurrentTCPConnections=%d })
    """
    _config_params = ['_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey', '_maxTCPConnsPerTLSFrontend']
    _alternateListeningAddr = '127.0.0.1'
    _alternateListeningPort = _tlsServerPort

    def testTCPConnsPerTLSFrontend(self):
        """
        TLS Frontend Limits: Maximum number of conns per TLS frontend
        """
        name = 'maxconnspertlsfrontend.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN')
        conns = []

        for idx in range(self._maxTCPConnsPerTLSFrontend + 1):
            try:
                conns.append(self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert))
            except:
                conns.append(None)

        count = 0
        failed = 0
        for conn in conns:
            if not conn:
                failed = failed + 1
                continue

            try:
                self.sendTCPQueryOverConnection(conn, query)
                response = self.recvTCPResponseOverConnection(conn)
                if response:
                    count = count + 1
                else:
                    failed = failed + 1
            except:
                failed = failed + 1

        for conn in conns:
            if conn:
                conn.close()

        # wait a bit to be sure that dnsdist closed the connections
        # and decremented the counters on its side, otherwise subsequent
        # connections will be dropped
        time.sleep(1)

        self.assertEqual(count, self._maxTCPConnsPerTLSFrontend)
        self.assertEqual(failed, 1)

class TestProtocols(DNSDistTest):
    _serverKey = 'server.key'
    _serverCert = 'server.chain'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    _tlsServerPort = pickAvailablePort()

    _config_template = """
    function checkDOT(dq)
      if dq:getProtocol() ~= "DNS over TLS" then
        return DNSAction.Spoof, '1.2.3.4'
      end
      return DNSAction.None
    end

    addAction("protocols.tls.tests.powerdns.com.", LuaAction(checkDOT))
    newServer{address="127.0.0.1:%s"}
    addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl" })
    """
    _config_params = ['_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']

    def testProtocolDOT(self):
        """
        DoT: Test DNSQuestion.Protocol
        """
        name = 'protocols.tls.tests.powerdns.com.'
        query = dns.message.make_query(name, 'A', 'IN')
        response = dns.message.make_response(query)

        conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
        self.sendTCPQueryOverConnection(conn, query, response=response)
        (receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
        self.assertTrue(receivedQuery)
        self.assertTrue(receivedResponse)
        receivedQuery.id = query.id
        self.assertEqual(query, receivedQuery)
        self.assertEqual(response, receivedResponse)
        conn.close()

class TestPKCSTLSCertificate(DNSDistTest, TLSTests):
    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _serverCert = 'server-tls.p12'
    _pkcsPassphrase = 'passw0rd'
    _serverName = 'tls.tests.dnsdist.org'
    _caCert = 'ca.pem'
    _tlsServerPort = pickAvailablePort()
    _config_template = """
    setKey("%s")
    controlSocket("127.0.0.1:%s")
    newServer{address="127.0.0.1:%s"}
    cert=newTLSCertificate("%s", {password="%s"})
    addTLSLocal("127.0.0.1:%s", cert, "", { provider="openssl" })
    addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
    """
    _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_serverCert', '_pkcsPassphrase', '_tlsServerPort']

    @classmethod
    def setUpClass(cls):
        cls.generateNewCertificateAndKey('server-tls')
        cls.startResponders()
        cls.startDNSDist()
        cls.setUpSockets()
Commit	Line	Data
a227f47d	1	#!/usr/bin/env python
1d896c34	2	import base64
a227f47d	3	import dns
5f4156be RG	4	import socket
5f4156be RG	5	import ssl
1d896c34	6	import subprocess
d4d57f56	7	import time
5f4156be	8	import unittest
630eb526	9	from dnsdisttests import DNSDistTest, pickAvailablePort
a227f47d	10
5f4156be	11	class TLSTests(object):
a227f47d	12
1d896c34 RG	13	def getServerCertificate(self):
1d896c34 RG	14	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
75b536de RG	15	cert = conn.getpeercert()
	16	conn.close()
	17	return cert
1d896c34	18
98222dfc RG	19	def getTLSProvider(self):
	20	return self.sendConsoleCommand("getBind(0):getEffectiveTLSProvider()").rstrip()
	21
a227f47d RG	22	def testTLSSimple(self):
	23	"""
	24	TLS: Single query
	25	"""
	26	name = 'single.tls.tests.powerdns.com.'
	27	query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
	28	response = dns.message.make_response(query)
	29	rrset = dns.rrset.from_text(name,
	30	3600,
	31	dns.rdataclass.IN,
	32	dns.rdatatype.A,
	33	'127.0.0.1')
	34	response.answer.append(rrset)
	35
	36	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	37
	38	self.sendTCPQueryOverConnection(conn, query, response=response)
	39	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	40	self.assertTrue(receivedQuery)
	41	self.assertTrue(receivedResponse)
	42	receivedQuery.id = query.id
4bfebc93 CH	43	self.assertEqual(query, receivedQuery)
4bfebc93 CH	44	self.assertEqual(response, receivedResponse)
6db567d1	45
1d896c34 RG	46	# check the certificate
	47	cert = self.getServerCertificate()
	48	self.assertIn('subject', cert)
	49	self.assertIn('serialNumber', cert)
	50	self.assertIn('subjectAltName', cert)
	51	subject = cert['subject']
	52	altNames = cert['subjectAltName']
4bfebc93 CH	53	self.assertEqual(dict(subject[0])['commonName'], 'tls.tests.dnsdist.org')
4bfebc93 CH	54	self.assertEqual(dict(subject[1])['organizationalUnitName'], 'PowerDNS.com BV')
1d896c34 RG	55	names = []
	56	for entry in altNames:
	57	names.append(entry[1])
644eb242	58	self.assertEqual(names, ['tls.tests.dnsdist.org', 'powerdns.com', '127.0.0.1'])
1d896c34 RG	59	serialNumber = cert['serialNumber']
1d896c34 RG	60
58ae5410	61	self.generateNewCertificateAndKey('server-tls')
1d896c34 RG	62	self.sendConsoleCommand("reloadAllCertificates()")
1d896c34 RG	63
75b536de	64	conn.close()
1d896c34 RG	65	# open a new connection
	66	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	67
	68	self.sendTCPQueryOverConnection(conn, query, response=response)
	69	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	70	self.assertTrue(receivedQuery)
	71	self.assertTrue(receivedResponse)
	72	receivedQuery.id = query.id
4bfebc93 CH	73	self.assertEqual(query, receivedQuery)
4bfebc93 CH	74	self.assertEqual(response, receivedResponse)
1d896c34 RG	75
	76	# check that the certificate is OK
	77	cert = self.getServerCertificate()
	78	self.assertIn('subject', cert)
	79	self.assertIn('serialNumber', cert)
	80	self.assertIn('subjectAltName', cert)
	81	subject = cert['subject']
	82	altNames = cert['subjectAltName']
4bfebc93 CH	83	self.assertEqual(dict(subject[0])['commonName'], 'tls.tests.dnsdist.org')
4bfebc93 CH	84	self.assertEqual(dict(subject[1])['organizationalUnitName'], 'PowerDNS.com BV')
1d896c34 RG	85	names = []
	86	for entry in altNames:
	87	names.append(entry[1])
644eb242	88	self.assertEqual(names, ['tls.tests.dnsdist.org', 'powerdns.com', '127.0.0.1'])
1d896c34 RG	89
1d896c34 RG	90	# and that the serial is different
4bfebc93	91	self.assertNotEqual(serialNumber, cert['serialNumber'])
75b536de	92	conn.close()
1d896c34	93
6db567d1 RG	94	def testTLKA(self):
	95	"""
	96	TLS: Several queries over the same connection
	97	"""
	98	name = 'ka.tls.tests.powerdns.com.'
	99	query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
	100	response = dns.message.make_response(query)
	101	rrset = dns.rrset.from_text(name,
	102	3600,
	103	dns.rdataclass.IN,
	104	dns.rdatatype.A,
	105	'127.0.0.1')
	106	response.answer.append(rrset)
	107
	108	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	109
	110	for idx in range(5):
	111	self.sendTCPQueryOverConnection(conn, query, response=response)
	112	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	113	self.assertTrue(receivedQuery)
	114	self.assertTrue(receivedResponse)
	115	receivedQuery.id = query.id
4bfebc93 CH	116	self.assertEqual(query, receivedQuery)
4bfebc93 CH	117	self.assertEqual(response, receivedResponse)
6db567d1	118
75b536de RG	119	conn.close()
75b536de RG	120
6db567d1 RG	121	def testTLSPipelining(self):
	122	"""
	123	TLS: Several queries over the same connection without waiting for the responses
	124	"""
	125	name = 'pipelining.tls.tests.powerdns.com.'
	126	query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
	127	response = dns.message.make_response(query)
	128	rrset = dns.rrset.from_text(name,
	129	3600,
	130	dns.rdataclass.IN,
	131	dns.rdatatype.A,
	132	'127.0.0.1')
	133	response.answer.append(rrset)
	134
	135	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	136
	137	for idx in range(100):
	138	self.sendTCPQueryOverConnection(conn, query, response=response)
	139
	140	for idx in range(100):
	141	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	142	self.assertTrue(receivedQuery)
	143	self.assertTrue(receivedResponse)
	144	receivedQuery.id = query.id
4bfebc93 CH	145	self.assertEqual(query, receivedQuery)
4bfebc93 CH	146	self.assertEqual(response, receivedResponse)
046bac5c	147
75b536de RG	148	conn.close()
75b536de RG	149
046bac5c RG	150	def testTLSSNIRouting(self):
	151	"""
	152	TLS: SNI Routing
	153	"""
	154	name = 'sni.tls.tests.powerdns.com.'
	155	query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
	156	query.flags &= ~dns.flags.RD
	157	response = dns.message.make_response(query)
	158	rrset = dns.rrset.from_text(name,
	159	3600,
	160	dns.rdataclass.IN,
	161	dns.rdatatype.A,
	162	'127.0.0.1')
	163	response.answer.append(rrset)
	164	expectedResponse = dns.message.make_response(query)
	165	rrset = dns.rrset.from_text(name,
	166	3600,
	167	dns.rdataclass.IN,
	168	dns.rdatatype.A,
	169	'1.2.3.4')
	170	expectedResponse.answer.append(rrset)
	171
	172	# this SNI should match so we should get a spoofed answer
	173	conn = self.openTLSConnection(self._tlsServerPort, 'powerdns.com', self._caCert)
	174
	175	self.sendTCPQueryOverConnection(conn, query, response=None)
	176	receivedResponse = self.recvTCPResponseOverConnection(conn, useQueue=False)
	177	self.assertTrue(receivedResponse)
4bfebc93	178	self.assertEqual(expectedResponse, receivedResponse)
046bac5c	179
75b536de	180	conn.close()
046bac5c RG	181	# this one should not
	182	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	183
	184	self.sendTCPQueryOverConnection(conn, query, response=response)
	185	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	186	self.assertTrue(receivedQuery)
	187	self.assertTrue(receivedResponse)
	188	receivedQuery.id = query.id
4bfebc93 CH	189	self.assertEqual(query, receivedQuery)
4bfebc93 CH	190	self.assertEqual(response, receivedResponse)
75b536de	191	conn.close()
d27309a9	192
5f4156be RG	193	def testTLSSNIRoutingAfterResumption(self):
	194	# we have more complicated tests about session resumption itself,
	195	# but here we want to make sure the SNI is still present after resumption
	196	"""
	197	TLS: SNI Routing after resumption
	198	"""
	199	name = 'sni-resumed.tls.tests.powerdns.com.'
	200	query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
	201	query.flags &= ~dns.flags.RD
	202	response = dns.message.make_response(query)
	203	rrset = dns.rrset.from_text(name,
	204	3600,
	205	dns.rdataclass.IN,
	206	dns.rdatatype.A,
	207	'127.0.0.1')
	208	response.answer.append(rrset)
	209	expectedResponse = dns.message.make_response(query)
	210	rrset = dns.rrset.from_text(name,
	211	3600,
	212	dns.rdataclass.IN,
	213	dns.rdatatype.A,
	214	'1.2.3.4')
	215	expectedResponse.answer.append(rrset)
	216
	217	# this SNI should match so we should get a spoofed answer
	218	sslctx = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
	219	sslctx.check_hostname = True
	220	sslctx.verify_mode = ssl.CERT_REQUIRED
	221	sslctx.load_verify_locations(self._caCert)
	222
	223	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	224	sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
	225	sock.settimeout(2.0)
	226	sslsock = sslctx.wrap_socket(sock, server_hostname='powerdns.com')
	227	sslsock.connect(("127.0.0.1", self._tlsServerPort))
	228
	229	self.sendTCPQueryOverConnection(sslsock, query, response=None)
	230	receivedResponse = self.recvTCPResponseOverConnection(sslsock, useQueue=False)
	231	self.assertTrue(receivedResponse)
4bfebc93	232	self.assertEqual(expectedResponse, receivedResponse)
5f4156be RG	233	self.assertFalse(sslsock.session_reused)
	234	session = sslsock.session
	235
	236	# this one should not (different SNI)
	237	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	238	sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
	239	sock.settimeout(2.0)
	240	sslsock = sslctx.wrap_socket(sock, server_hostname=self._serverName)
	241	sslsock.connect(("127.0.0.1", self._tlsServerPort))
	242
	243	self.sendTCPQueryOverConnection(sslsock, query, response=response)
	244	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(sslsock, useQueue=True)
	245	self.assertTrue(receivedQuery)
	246	self.assertTrue(receivedResponse)
	247	receivedQuery.id = query.id
4bfebc93 CH	248	self.assertEqual(query, receivedQuery)
4bfebc93 CH	249	self.assertEqual(response, receivedResponse)
5f4156be RG	250	self.assertFalse(sslsock.session_reused)
	251
	252	# and now we should be able to resume the session
	253	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	254	sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
	255	sock.settimeout(2.0)
	256	sslsock = sslctx.wrap_socket(sock, server_hostname='powerdns.com')
	257	sslsock.session = session
	258	sslsock.connect(("127.0.0.1", self._tlsServerPort))
	259
	260	self.sendTCPQueryOverConnection(sslsock, query, response=None)
	261	receivedResponse = self.recvTCPResponseOverConnection(sslsock, useQueue=False)
	262	self.assertTrue(receivedResponse)
4bfebc93	263	self.assertEqual(expectedResponse, receivedResponse)
5f4156be RG	264	self.assertTrue(sslsock.session_reused)
	265
	266	class TestOpenSSL(DNSDistTest, TLSTests):
	267
b38aaeb5	268	_extraStartupSleep = 1
1d896c34 RG	269	_consoleKey = DNSDistTest.generateConsoleKey()
1d896c34 RG	270	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
58ae5410 RG	271	_serverKey = 'server-tls.key'
58ae5410 RG	272	_serverCert = 'server-tls.chain'
5f4156be RG	273	_serverName = 'tls.tests.dnsdist.org'
5f4156be RG	274	_caCert = 'ca.pem'
630eb526	275	_tlsServerPort = pickAvailablePort()
5f4156be	276	_config_template = """
1d896c34 RG	277	setKey("%s")
	278	controlSocket("127.0.0.1:%s")
	279
5f4156be RG	280	newServer{address="127.0.0.1:%s"}
	281	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl" })
	282	addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
	283	"""
1d896c34	284	_config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']
5f4156be	285
58ae5410 RG	286	@classmethod
	287	def setUpClass(cls):
	288	cls.generateNewCertificateAndKey('server-tls')
	289	cls.startResponders()
	290	cls.startDNSDist()
	291	cls.setUpSockets()
	292
98222dfc	293	def testProvider(self):
630eb526	294	self.assertEqual(self.getTLSProvider(), "openssl")
98222dfc	295
5f4156be RG	296	class TestGnuTLS(DNSDistTest, TLSTests):
5f4156be RG	297
1d896c34 RG	298	_consoleKey = DNSDistTest.generateConsoleKey()
1d896c34 RG	299	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
58ae5410 RG	300	_serverKey = 'server-tls.key'
58ae5410 RG	301	_serverCert = 'server-tls.chain'
5f4156be RG	302	_serverName = 'tls.tests.dnsdist.org'
5f4156be RG	303	_caCert = 'ca.pem'
630eb526	304	_tlsServerPort = pickAvailablePort()
5f4156be	305	_config_template = """
1d896c34 RG	306	setKey("%s")
	307	controlSocket("127.0.0.1:%s")
	308
5f4156be RG	309	newServer{address="127.0.0.1:%s"}
	310	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="gnutls" })
	311	addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
	312	"""
1d896c34	313	_config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']
5f4156be	314
58ae5410 RG	315	@classmethod
	316	def setUpClass(cls):
	317	cls.generateNewCertificateAndKey('server-tls')
	318	cls.startResponders()
	319	cls.startDNSDist()
	320	cls.setUpSockets()
	321
98222dfc	322	def testProvider(self):
630eb526	323	self.assertEqual(self.getTLSProvider(), "gnutls")
98222dfc	324
d27309a9	325	class TestDOTWithCache(DNSDistTest):
d27309a9 RG	326	_serverKey = 'server.key'
	327	_serverCert = 'server.chain'
	328	_serverName = 'tls.tests.dnsdist.org'
	329	_caCert = 'ca.pem'
630eb526	330	_tlsServerPort = pickAvailablePort()
d27309a9 RG	331	_config_template = """
	332	newServer{address="127.0.0.1:%s"}
	333
	334	addTLSLocal("127.0.0.1:%s", "%s", "%s")
	335
	336	pc = newPacketCache(100, {maxTTL=86400, minTTL=1})
	337	getPool(""):setCache(pc)
	338	"""
	339	_config_params = ['_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']
	340
	341	def testDOTCacheLargeAnswer(self):
	342	"""
	343	DOT with cache: Check that we can cache (and retrieve) large answers
	344	"""
	345	numberOfQueries = 10
	346	name = 'large.dot-with-cache.tests.powerdns.com.'
	347	query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
	348	query.id = 0
	349	expectedQuery = dns.message.make_query(name, 'A', 'IN', use_edns=True, payload=4096)
	350	expectedQuery.id = 0
	351	response = dns.message.make_response(query)
	352	# we prepare a large answer
	353	content = ""
	354	for i in range(44):
	355	if len(content) > 0:
	356	content = content + ', '
	357	content = content + (str(i)*50)
	358	# pad up to 4096
	359	content = content + 'A'*40
	360
	361	rrset = dns.rrset.from_text(name,
	362	3600,
	363	dns.rdataclass.IN,
	364	dns.rdatatype.TXT,
	365	content)
	366	response.answer.append(rrset)
4bfebc93	367	self.assertEqual(len(response.to_wire()), 4096)
d27309a9 RG	368
	369	# first query to fill the cache
	370	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	371	self.sendTCPQueryOverConnection(conn, query, response=response)
	372	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	373
	374	self.assertTrue(receivedQuery)
	375	self.assertTrue(receivedResponse)
	376	receivedQuery.id = expectedQuery.id
4bfebc93	377	self.assertEqual(expectedQuery, receivedQuery)
d27309a9	378	self.checkQueryNoEDNS(expectedQuery, receivedQuery)
4bfebc93	379	self.assertEqual(response, receivedResponse)
75b536de	380	conn.close()
d27309a9 RG	381
	382	for _ in range(numberOfQueries):
	383	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	384	self.sendTCPQueryOverConnection(conn, query, response=None)
	385	receivedResponse = self.recvTCPResponseOverConnection(conn, useQueue=False)
4bfebc93	386	self.assertEqual(receivedResponse, response)
75b536de	387	conn.close()
d4d57f56 RG	388
	389	class TestTLSFrontendLimits(DNSDistTest):
	390
	391	# this test suite uses a different responder port
	392	# because it uses a different health check configuration
630eb526	393	_testServerPort = pickAvailablePort()
d4d57f56 RG	394	_answerUnexpected = True
	395
	396	_serverKey = 'server.key'
	397	_serverCert = 'server.chain'
	398	_serverName = 'tls.tests.dnsdist.org'
	399	_caCert = 'ca.pem'
630eb526	400	_tlsServerPort = pickAvailablePort()
d4d57f56 RG	401
	402	_skipListeningOnCL = True
	403	_tcpIdleTimeout = 2
	404	_maxTCPConnsPerTLSFrontend = 5
	405	_config_template = """
	406	newServer{address="127.0.0.1:%s"}
	407	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl", maxConcurrentTCPConnections=%d })
	408	"""
	409	_config_params = ['_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey', '_maxTCPConnsPerTLSFrontend']
1953ab6c RG	410	_alternateListeningAddr = '127.0.0.1'
1953ab6c RG	411	_alternateListeningPort = _tlsServerPort
d4d57f56 RG	412
	413	def testTCPConnsPerTLSFrontend(self):
	414	"""
	415	TLS Frontend Limits: Maximum number of conns per TLS frontend
	416	"""
	417	name = 'maxconnspertlsfrontend.tls.tests.powerdns.com.'
	418	query = dns.message.make_query(name, 'A', 'IN')
	419	conns = []
	420
	421	for idx in range(self._maxTCPConnsPerTLSFrontend + 1):
	422	try:
	423	conns.append(self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert))
	424	except:
	425	conns.append(None)
	426
	427	count = 0
	428	failed = 0
	429	for conn in conns:
	430	if not conn:
	431	failed = failed + 1
	432	continue
	433
	434	try:
	435	self.sendTCPQueryOverConnection(conn, query)
	436	response = self.recvTCPResponseOverConnection(conn)
	437	if response:
	438	count = count + 1
	439	else:
	440	failed = failed + 1
	441	except:
	442	failed = failed + 1
	443
	444	for conn in conns:
	445	if conn:
	446	conn.close()
	447
	448	# wait a bit to be sure that dnsdist closed the connections
	449	# and decremented the counters on its side, otherwise subsequent
	450	# connections will be dropped
	451	time.sleep(1)
	452
	453	self.assertEqual(count, self._maxTCPConnsPerTLSFrontend)
	454	self.assertEqual(failed, 1)
7d808ff4 RG	455
	456	class TestProtocols(DNSDistTest):
	457	_serverKey = 'server.key'
	458	_serverCert = 'server.chain'
	459	_serverName = 'tls.tests.dnsdist.org'
	460	_caCert = 'ca.pem'
630eb526	461	_tlsServerPort = pickAvailablePort()
7d808ff4 RG	462
	463	_config_template = """
	464	function checkDOT(dq)
	465	if dq:getProtocol() ~= "DNS over TLS" then
	466	return DNSAction.Spoof, '1.2.3.4'
	467	end
	468	return DNSAction.None
	469	end
	470
	471	addAction("protocols.tls.tests.powerdns.com.", LuaAction(checkDOT))
	472	newServer{address="127.0.0.1:%s"}
	473	addTLSLocal("127.0.0.1:%s", "%s", "%s", { provider="openssl" })
	474	"""
	475	_config_params = ['_testServerPort', '_tlsServerPort', '_serverCert', '_serverKey']
	476
	477	def testProtocolDOT(self):
	478	"""
	479	DoT: Test DNSQuestion.Protocol
	480	"""
	481	name = 'protocols.tls.tests.powerdns.com.'
	482	query = dns.message.make_query(name, 'A', 'IN')
	483	response = dns.message.make_response(query)
	484
	485	conn = self.openTLSConnection(self._tlsServerPort, self._serverName, self._caCert)
	486	self.sendTCPQueryOverConnection(conn, query, response=response)
	487	(receivedQuery, receivedResponse) = self.recvTCPResponseOverConnection(conn, useQueue=True)
	488	self.assertTrue(receivedQuery)
	489	self.assertTrue(receivedResponse)
	490	receivedQuery.id = query.id
	491	self.assertEqual(query, receivedQuery)
	492	self.assertEqual(response, receivedResponse)
75b536de	493	conn.close()
5ac11505 CHB	494
	495	class TestPKCSTLSCertificate(DNSDistTest, TLSTests):
	496	_consoleKey = DNSDistTest.generateConsoleKey()
	497	_consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
58ae5410	498	_serverCert = 'server-tls.p12'
5ac11505 CHB	499	_pkcsPassphrase = 'passw0rd'
	500	_serverName = 'tls.tests.dnsdist.org'
	501	_caCert = 'ca.pem'
630eb526	502	_tlsServerPort = pickAvailablePort()
5ac11505 CHB	503	_config_template = """
	504	setKey("%s")
	505	controlSocket("127.0.0.1:%s")
	506	newServer{address="127.0.0.1:%s"}
	507	cert=newTLSCertificate("%s", {password="%s"})
	508	addTLSLocal("127.0.0.1:%s", cert, "", { provider="openssl" })
	509	addAction(SNIRule("powerdns.com"), SpoofAction("1.2.3.4"))
	510	"""
	511	_config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_serverCert', '_pkcsPassphrase', '_tlsServerPort']
58ae5410 RG	512
	513	@classmethod
	514	def setUpClass(cls):
	515	cls.generateNewCertificateAndKey('server-tls')
	516	cls.startResponders()
	517	cls.startDNSDist()
	518	cls.setUpSockets()