-
Notifications
You must be signed in to change notification settings - Fork 27
/
dns_serve.py
179 lines (161 loc) · 6.31 KB
/
dns_serve.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
import dnslib.server
import dnslib
import time
import binascii
import struct
NAME_LIMIT_HARD = 63
A = ord("A")
Z = ord("Z")
a = ord("a")
z = ord("z")
ZERO = ord("0")
FIVE = ord("5")
ir1 = lambda c: c <= Z and c >= A
ir2 = lambda c: c <= z and c >= a
ir3 = lambda c: c <= FIVE and c >= ZERO
BASE32_SRC = b"abcdefghijklmnopqrstuvwxyz012345"
# q: why not use python's base64 module?
# a: <+irungentoo> notsecure, I told you we should have used standard base32
# <notsecure> Jfreegman, irungentoo wanted to use a-z,2-7 for base32,
# I chose a-z,0-5
# <notsecure> he said it would fuck with people using standard base32
# functions
def notsecure32_decode(src):
ret = []
bits = 0
op = 0
for char in (ord(s) for s in src):
if ir1(char):
char -= A
elif ir2(char):
char -= a
elif ir3(char):
char = (char - ZERO + 26)
else:
raise ValueError("this is an error apparently")
op = (op | (char << bits)) % 256;
bits += 5;
if bits >= 8:
bits -= 8
ret.append(op)
op = (char >> (5 - bits)) % 256;
return bytes(ret)
# TODO optimize
def notsecure32_encode(src):
sl = len(src)
ret = []
bits = 0
i = 0
while(i < sl):
c1 = src[i]
try:
c2 = src[i + 1]
except IndexError:
c2 = 0
a = BASE32_SRC[((c1 >> bits) | (c2 << (8 - bits))) & 0x1F]
ret.append(a)
bits += 5
if bits >= 8:
bits -= 8
i += 1
return bytes(ret)
class ToxResolver(dnslib.server.BaseResolver):
def __init__(self, cryptocore, store, cfg):
self.cryptocore = cryptocore
self.store = store
self.ttl = cfg["dns_record_ttl"]
self.ireg = cfg["registration_domain"]
self.home_addresses = cfg.get("home_addresses")
self.home_addresses_6 = cfg.get("home_addresses_6")
if not self.ireg.endswith("."):
self.ireg = "".join((self.ireg, "."))
self.auth = cfg["dns_authority_name"]
self.soa_rd = dnslib.SOA(cfg["dns_authority_name"],
cfg["dns_hostmaster"].replace("@", "."))
self.soa = dnslib.RR("_tox.{0}".format(self.ireg), 6, ttl=86400,
rdata=self.soa_rd)
def update_soa(self):
self.soa_rd.times = (int(time.strftime("%Y%m%d99")), 3600, 600, 86400,
self.ttl)
def resolve(self, request, handler):
print(repr(request.get_q().qtype))
question = request.get_q()
req_name = str(question.get_qname())
# TXT = 16
reply = request.reply()
suffix = "._tox.{0}".format(self.ireg)
if question.qtype != 16 and not req_name.endswith(self.ireg):
reply.header.rcode = dnslib.RCODE.NXDOMAIN
return reply
if question.qtype == 16:
if not req_name.endswith(suffix):
reply.header.rcode = dnslib.RCODE.NXDOMAIN
return reply
user_name = req_name[:req_name.rfind(suffix)]
if len(user_name) > NAME_LIMIT_HARD and user_name[0] == "_":
encrypted = user_name.replace(".", "")[1:]
try:
b = notsecure32_decode(encrypted)
nonce = b[:4] + (b"\0" * 20)
ck = b[4:36]
payload = b[36:]
name = self.cryptocore.dsrep_decode_name(ck, nonce, payload)
except Exception:
print("error >_<")
reply.header.rcode = dnslib.RCODE.NXDOMAIN
return reply
rec = self.store.get(name.decode("utf8"))
if not rec:
reply.header.rcode = dnslib.RCODE.NXDOMAIN
return reply
base = b"v=tox3;id="
if rec.pin:
r_payload = "{0}{1}{2}".format(rec.public_key, rec.pin,
rec.checksum)
else:
r_payload = "{0}00000000{1}".format(rec.public_key,
rec.checksum)
msg = binascii.unhexlify(r_payload)
nonce_reply = b[:4] + b"\x01" + (b"\0" * 19)
ct = self.cryptocore.dsrec_encrypt_key(ck, nonce_reply, msg)
key_part = notsecure32_encode(ct)
reply.add_answer(dnslib.RR(req_name, 16, ttl=0,
rdata=dnslib.TXT(b"".join((base, key_part)))))
return reply
else:
rec = self.store.get(user_name)
if not rec:
reply.header.rcode = dnslib.RCODE.NXDOMAIN
return reply
else:
reply.add_answer(dnslib.RR(req_name, 16, ttl=0,
rdata=dnslib.TXT(rec.record(0)
.encode("utf8"))))
return reply
elif question.qtype == 6:
self.update_soa()
reply.add_answer(self.soa)
return reply
elif question.qtype == 2:
reply.add_answer(dnslib.RR(req_name, 2, ttl=86400,
rdata=dnslib.NS(self.auth.encode("utf8"))
))
return reply
elif question.qtype == 1 and self.home_addresses:
for ip in self.home_addresses:
reply.add_answer(dnslib.RR(req_name, 1, ttl=3600,
rdata=dnslib.A(ip)))
elif question.qtype == 28 and self.home_addresses_6:
for ip in self.home_addresses_6:
reply.add_answer(dnslib.RR(req_name, 28, ttl=3600,
rdata=dnslib.AAAA(ip)))
else:
reply.header.rcode = dnslib.RCODE.NXDOMAIN
return reply
return reply
# TODO tornado ioloop integration
def server(cryptocore, store, cfg):
return dnslib.server.DNSServer(ToxResolver(cryptocore, store, cfg),
port=53, address=cfg["dns_listen_addr"],
logger=None,
tcp=False)