Commit
30b011b7
authored
Nov 24, 2019
by
Stephane Bortzmeyer
Some comments transformed into issues
parent
cdb5e381
Changes
1
homer.py
@@ -29,19 +29,18 @@ import os.path
# Values that can be changed from the command line
dot
=
False
# DoH by default
post
=
False
verbose
=
False
insecure
=
False
post
=
False
head
=
False
rtype
=
'AAAA'
vhostname
=
None
tests
=
1
# Number of repeated tests
ifile
=
None
# Input file
delay
=
None
# Monitoring plugin only:
host
=
None
vhostname
=
None
path
=
None
# TODO add an option: a string which is expected in the DNS response
# Do not change these
re_host
=
re
.
compile
(
r
'^([0-9a-z][0-9a-z-\.]*)|([0-9:]+)|([0-9\.])$'
)
@@ -112,7 +111,7 @@ def validate_hostname(hostname, cert):
base
=
base
.
lower
()
if
base
.
endswith
(
"
\n
"
):
base
=
base
[:
-
1
]
if
hostname
==
base
:
# TODO better canonicalization of IP addresses with the netaddr module
if
hostname
==
base
:
return
True
else
:
pass
# Ignore unknown alternative name types
@@ -125,6 +124,11 @@ class Connection:
if
not
dot
and
not
is_valid_url
(
url
):
error
(
"DoH requires a valid HTTPS URL, not
\"
%s
\"
"
%
server
)
self
.
server
=
server
self
.
servername
=
servername
if
self
.
servername
is
not
None
:
check
=
self
.
servername
else
:
check
=
self
.
server
self
.
dot
=
dot
if
not
self
.
dot
:
self
.
post
=
post
@@ -133,13 +137,12 @@ class Connection:
self
.
insecure
=
insecure
if
self
.
dot
:
addrinfo
=
socket
.
getaddrinfo
(
server
,
853
)
# May be loop over the results of getaddrinfo, to test all the IP addresses?
# May be loop over the results of getaddrinfo, to test all the IP addresses?
See #13
self
.
sock
=
socket
.
socket
(
addrinfo
[
0
][
0
],
socket
.
SOCK_STREAM
)
# With typical DoT servers, we *must* use TLS 1.2 (otherwise,
# do_handshake fails with "OpenSSL.SSL.SysCallError: (-1, 'Unexpected
# EOF')" Typical HTTP servers are more lax.
self
.
context
=
OpenSSL
.
SSL
.
Context
(
OpenSSL
.
SSL
.
TLSv1_2_METHOD
)
# TODO set_tlsext_host_name(name) for SNI?
if
self
.
insecure
:
self
.
context
.
set_verify
(
OpenSSL
.
SSL
.
VERIFY_NONE
,
lambda
*
x
:
True
)
else
:
@@ -149,18 +152,14 @@ class Connection:
OpenSSL
.
SSL
.
VERIFY_CLIENT_ONCE
,
lambda
conn
,
cert
,
errno
,
depth
,
preverify_ok
:
preverify_ok
)
self
.
session
=
OpenSSL
.
SSL
.
Connection
(
self
.
context
,
self
.
sock
)
self
.
session
.
set_tlsext_host_name
(
check
.
encode
())
# Server Name Indication (SNI)
self
.
session
.
connect
((
self
.
server
,
853
))
self
.
session
.
do_handshake
()
self
.
cert
=
self
.
session
.
get_peer_certificate
()
if
not
insecure
:
if
servername
is
not
None
:
check
=
servername
else
:
check
=
server
valid
=
validate_hostname
(
check
,
self
.
cert
)
if
not
valid
:
error
(
"Certificate error:
\"
%s
\"
is not in the certificate"
%
(
check
))
# TODO validate with SPKI?
else
:
# DoH
self
.
curl
=
pycurl
.
Curl
()
self
.
url
=
server
@@ -195,14 +194,13 @@ def do_test(connection, qname, qtype=rtype):
message
=
dns
.
message
.
make_query
(
qname
,
dns
.
rdatatype
.
from_text
(
qtype
))
size
=
None
if
connection
.
dot
:
# TODO Check what the Query ID is. Really random?
messagew
=
message
.
to_wire
()
length
=
len
(
messagew
)
n
=
connection
.
session
.
send
(
length
.
to_bytes
(
2
,
byteorder
=
'big'
)
+
messagew
)
buf
=
connection
.
session
.
recv
(
2
)
received
=
int
.
from_bytes
(
buf
,
byteorder
=
'big'
)
buf
=
connection
.
session
.
recv
(
received
)
response
=
dns
.
message
.
from_wire
(
buf
)
# TODO check the Query ID
response
=
dns
.
message
.
from_wire
(
buf
)
return
(
True
,
response
,
received
)
else
:
# DoH
message
.
id
=
0
# DoH requests that
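Review bot: The DoT branch of do_test still accepts whatever the server sends back: the new `# TODO check the Query ID` comment at the end of the hunk marks the spot, but the id of the parsed `response` is never compared with `message.id`, so a mismatched or injected answer is returned as a valid result. The two `connection.session.recv()` calls above it also assume each returns exactly the requested byte count; a TLS recv may legitimately return fewer bytes, and a short read would feed a truncated buffer to `dns.message.from_wire`. I would read the 2-byte length prefix and the message body with a read-exact loop and reject an id mismatch before returning, as sketched below (assuming `error()` aborts, as the URL check earlier in the file relies on). dnspython's make_query normally assigns a random id when none is supplied, which would answer the older "Really random?" TODO, but that is worth confirming against the installed version rather than leaving the comment. do_test's signature and its DoH branch lie outside this hunk.

```python
def _recv_exact(session, nbytes):
    # A TLS recv() may return fewer bytes than asked for; keep reading
    # until the full length prefix / message is in hand.
    data = b''
    while len(data) < nbytes:
        chunk = session.recv(nbytes - len(data))
        if not chunk:
            error("Connection closed before a complete DNS message was read")
        data += chunk
    return data

        # … unchanged: make_query, to_wire, length-prefixed send …
        buf = _recv_exact(connection.session, 2)
        received = int.from_bytes(buf, byteorder='big')
        buf = _recv_exact(connection.session, received)
        response = dns.message.from_wire(buf)
        if response.id != message.id:
            error("Query ID mismatch: sent %d, received %d" % (message.id, response.id))
        # … unchanged: return (True, response, received) …
```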