Commit 30b011b7 authored by Stephane Bortzmeyer's avatar Stephane Bortzmeyer

Some comments transformed into issues

parent cdb5e381
......@@ -29,19 +29,18 @@ import os.path
# Values that can be changed from the command line
dot = False # DoH by default
post = False
verbose = False
insecure = False
post = False
head = False
rtype = 'AAAA'
vhostname = None
tests = 1 # Number of repeated tests
ifile = None # Input file
delay = None
# Monitoring plugin only:
host = None
vhostname = None
path = None
# TODO add an option: a string which is expected in the DNS response
# Do not change these
re_host = re.compile(r'^([0-9a-z][0-9a-z-\.]*)|([0-9:]+)|([0-9\.])$')
......@@ -112,7 +111,7 @@ def validate_hostname(hostname, cert):
base = base.lower()
if base.endswith("\n"):
base = base[:-1]
if hostname == base: # TODO better canonicalization of IP addresses with the netaddr module
if hostname == base:
return True
else:
pass # Ignore unknown alternative name types
......@@ -125,6 +124,11 @@ class Connection:
if not dot and not is_valid_url(url):
error("DoH requires a valid HTTPS URL, not \"%s\"" % server)
self.server = server
self.servername = servername
if self.servername is not None:
check = self.servername
else:
check = self.server
self.dot = dot
if not self.dot:
self.post = post
......@@ -133,13 +137,12 @@ class Connection:
self.insecure = insecure
if self.dot:
addrinfo = socket.getaddrinfo(server, 853)
# May be loop over the results of getaddrinfo, to test all the IP addresses?
# May be loop over the results of getaddrinfo, to test all the IP addresses? See #13
self.sock = socket.socket(addrinfo[0][0], socket.SOCK_STREAM)
# With typical DoT servers, we *must* use TLS 1.2 (otherwise,
# do_handshake fails with "OpenSSL.SSL.SysCallError: (-1, 'Unexpected
# EOF')" Typical HTTP servers are more lax.
self.context = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_2_METHOD)
# TODO set_tlsext_host_name(name) for SNI?
if self.insecure:
self.context.set_verify(OpenSSL.SSL.VERIFY_NONE, lambda *x: True)
else:
......@@ -149,18 +152,14 @@ class Connection:
OpenSSL.SSL.VERIFY_CLIENT_ONCE,
lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
self.session = OpenSSL.SSL.Connection(self.context, self.sock)
self.session.set_tlsext_host_name(check.encode()) # Server Name Indication (SNI)
self.session.connect((self.server, 853))
self.session.do_handshake()
self.cert = self.session.get_peer_certificate()
if not insecure:
if servername is not None:
check = servername
else:
check = server
valid = validate_hostname(check, self.cert)
if not valid:
error("Certificate error: \"%s\" is not in the certificate" % (check))
# TODO validate with SPKI?
else: # DoH
self.curl = pycurl.Curl()
self.url = server
......@@ -195,14 +194,13 @@ def do_test(connection, qname, qtype=rtype):
message = dns.message.make_query(qname, dns.rdatatype.from_text(qtype))
size = None
if connection.dot:
# TODO Check what the Query ID is. Really random?
messagew = message.to_wire()
length = len(messagew)
n = connection.session.send(length.to_bytes(2, byteorder='big') + messagew)
buf = connection.session.recv(2)
received = int.from_bytes(buf, byteorder='big')
buf = connection.session.recv(received)
response = dns.message.from_wire(buf) # TODO check the Query ID
response = dns.message.from_wire(buf)
return (True, response, received)
else: # DoH
message.id = 0 # DoH requests that
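Review bot: The DoT branch still has no check that the answer belongs to the query: the new `response = dns.message.from_wire(buf)` line accepts any message, and since the removed TODO only moved to an issue, nothing compares `response.id` with `message.id` before the response is returned as valid. In the same branch the two `recv()` calls assume a full read, but a TLS `recv(received)` may return fewer bytes than requested, so a large answer can reach `from_wire` truncated and fail (or worse, be silently mis-parsed on a later `tests` iteration); the return value `n` of `send()` is likewise never checked. I would read the 2-byte length prefix and the body with an exact-length helper, use `sendall`, and reject a mismatched ID via the module's existing `error()` — note that pyOpenSSL signals a clean peer shutdown with `ZeroReturnError` rather than an empty read, so the helper below only guards the empty-chunk case defensively. `do_test` continues past the hunk (the DoH branch), so the helper's placement as a module-level function is presumed fine.
```python
def _recv_exactly(session, count):
    """Return exactly count bytes from the TLS session; recv() may return short."""
    chunks = []
    remaining = count
    while remaining > 0:
        chunk = session.recv(remaining)
        if not chunk:
            error("DoT connection closed before %d bytes were read" % count)
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)

# … unchanged: start of do_test, make_query, size = None …
    if connection.dot:
        messagew = message.to_wire()
        length = len(messagew)
        connection.session.sendall(length.to_bytes(2, byteorder='big') + messagew)
        received = int.from_bytes(_recv_exactly(connection.session, 2), byteorder='big')
        buf = _recv_exactly(connection.session, received)
        response = dns.message.from_wire(buf)
        if response.id != message.id:
            error("DoT response ID %d does not match query ID %d" % (response.id, message.id))
        return (True, response, received)
# … unchanged: DoH branch …
```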