From 8bea679e7b97e152620ae90033b2f193694d4f61 Mon Sep 17 00:00:00 2001
From: Frank Denis <github@pureftpd.org>
Date: Tue, 5 Sep 2023 22:37:11 +0200
Subject: [PATCH] Unofficially support DoH/ODoH over HTTP

---
 dnscrypt-proxy/serversInfo.go | 59 ++++++++++++++++++++---------------
 1 file changed, 34 insertions(+), 25 deletions(-)

diff --git a/dnscrypt-proxy/serversInfo.go b/dnscrypt-proxy/serversInfo.go
index fa6d99fa..edbfeb43 100644
--- a/dnscrypt-proxy/serversInfo.go
+++ b/dnscrypt-proxy/serversInfo.go
@@ -854,10 +854,17 @@ func _fetchODoHTargetInfo(proxy *Proxy, name string, stamp stamps.ServerStamp, i
 		if msg.Rcode != dns.RcodeNameError {
 			dlog.Criticalf("[%s] may be a lying resolver", name)
 		}
-
-		protocol := tls.NegotiatedProtocol
-		if len(protocol) == 0 {
-			protocol = "http/1.x"
+		protocol := "http"
+		tlsVersion := uint16(0)
+		tlsCipherSuite := uint16(0)
+		if tls != nil {
+			protocol = tls.NegotiatedProtocol
+			if len(protocol) == 0 {
+				protocol = "http/1.x"
+			} else {
+				tlsVersion = tls.Version
+				tlsCipherSuite = tls.CipherSuite
+			}
 		}
 		if strings.HasPrefix(protocol, "http/1.") {
 			dlog.Warnf("[%s] does not support HTTP/2", name)
@@ -865,37 +872,39 @@ func _fetchODoHTargetInfo(proxy *Proxy, name string, stamp stamps.ServerStamp, i
 		dlog.Infof(
 			"[%s] TLS version: %x - Protocol: %v - Cipher suite: %v",
 			name,
-			tls.Version,
+			tlsVersion,
 			protocol,
-			tls.CipherSuite,
+			tlsCipherSuite,
 		)
 		showCerts := proxy.showCerts
 		found := false
 		var wantedHash [32]byte
-		for _, cert := range tls.PeerCertificates {
-			h := sha256.Sum256(cert.RawTBSCertificate)
-			if showCerts {
-				dlog.Noticef("Advertised relay cert: [%s] [%x]", cert.Subject, h)
-			} else {
-				dlog.Debugf("Advertised relay cert: [%s] [%x]", cert.Subject, h)
-			}
-			for _, hash := range stamp.Hashes {
-				if len(hash) == len(wantedHash) {
-					copy(wantedHash[:], hash)
-					if h == wantedHash {
-						found = true
-						break
+		if tls != nil {
+			for _, cert := range tls.PeerCertificates {
+				h := sha256.Sum256(cert.RawTBSCertificate)
+				if showCerts {
+					dlog.Noticef("Advertised relay cert: [%s] [%x]", cert.Subject, h)
+				} else {
+					dlog.Debugf("Advertised relay cert: [%s] [%x]", cert.Subject, h)
+				}
+				for _, hash := range stamp.Hashes {
+					if len(hash) == len(wantedHash) {
+						copy(wantedHash[:], hash)
+						if h == wantedHash {
+							found = true
+							break
+						}
 					}
 				}
+				if found {
+					break
+				}
 			}
-			if found {
-				break
+			if !found && len(stamp.Hashes) > 0 {
+				dlog.Criticalf("[%s] Certificate hash [%x] not found", name, wantedHash)
+				return ServerInfo{}, fmt.Errorf("Certificate hash not found")
 			}
 		}
-		if !found && len(stamp.Hashes) > 0 {
-			dlog.Criticalf("[%s] Certificate hash [%x] not found", name, wantedHash)
-			return ServerInfo{}, fmt.Errorf("Certificate hash not found")
-		}
 		if len(serverResponse) < MinDNSPacketSize || len(serverResponse) > MaxDNSPacketSize ||
 			serverResponse[0] != 0xca || serverResponse[1] != 0xfe || serverResponse[4] != 0x00 || serverResponse[5] != 0x01 {
 			dlog.Info("Webserver returned an unexpected response")