package main import ( "encoding/json" "errors" "fmt" "io/ioutil" "log" "net" "net/http" "strings" "time" "github.com/miekg/dns" "github.com/sparrc/go-ping" "git.nemunai.re/lectures/adlin/libadlin" ) const ( DEFAULT_RESOLVER = "2a01:e0a:2b:2250::1" year68 = 1 << 31 // For RFC1982 (Serial Arithmetic) calculations in 32 bits. Taken from miekg/dns ) var ( verbose = false domainsHostingMap = map[string]string{} ) // ICMP func check_ping(ip string, cb func(pkt *ping.Packet)) (err error) { var pinger *ping.Pinger pinger, err = ping.NewPinger(ip) if err != nil { return } defer pinger.Stop() pinger.Timeout = time.Second * 5 pinger.Count = 1 pinger.OnRecv = cb pinger.SetPrivileged(true) pinger.Run() return } // PORT 53 func get_GLUE(domain string) (aaaa net.IP, err error) { client := dns.Client{Net: "tcp", Timeout: time.Second * 5} dnssrv := "[2a01:e0a:2b:2250::b]:53" if strings.HasSuffix(domain, adlin.DelegatedDomainSuffix) { dnssrv = "[2a01:e0a:2b:2250::b]:53" } else if v, ok := domainsHostingMap[domain]; ok { dnssrv = v } else { // Looking for root NS m := new(dns.Msg) m.SetQuestion(".", dns.TypeNS) m.RecursionDesired = false m.SetEdns0(4096, true) var r *dns.Msg r, _, err = client.Exchange(m, dnssrv) if err != nil { return } if r == nil { return nil, errors.New("response is nil during initial recursion") } if r.Rcode != dns.RcodeSuccess { return nil, errors.New("failed to get a valid answer during initial recursion") } for _, answer := range r.Answer { if t, ok := answer.(*dns.NS); ok { dnssrv = t.Ns + ":53" } } // Do casual recursion i := 0 recursion: for i = 0; i < 10; i++ { m := new(dns.Msg) m.SetQuestion(domain, dns.TypeNS) m.RecursionDesired = false m.SetEdns0(4096, true) var r *dns.Msg r, _, err = client.Exchange(m, dnssrv) if err != nil { return } if r == nil { return nil, errors.New("response is nil during recursion") } if r.Rcode != dns.RcodeSuccess { return nil, errors.New("failed to get a valid answer during recursion") } for _, answer := range r.Ns { if t, ok := answer.(*dns.NS); ok { dnssrv = t.Ns + ":53" if t.Header().Name == domain { break recursion } } } } if i >= 10 { return nil, fmt.Errorf("too much name recursions") } else { domainsHostingMap[domain] = dnssrv } } m := new(dns.Msg) m.SetQuestion(domain, dns.TypeNS) m.RecursionDesired = false m.SetEdns0(4096, true) var r *dns.Msg r, _, err = client.Exchange(m, dnssrv) if err != nil { return } if r == nil { return nil, errors.New("response is nil") } if r.Rcode != dns.RcodeSuccess { return nil, errors.New("failed to get a valid answer") } for _, extra := range r.Extra { if t, ok := extra.(*dns.AAAA); ok { aaaa = t.AAAA } } return } func check_dns(domain, ip string) (aaaa net.IP, err error) { client := dns.Client{Timeout: time.Second * 5} m := new(dns.Msg) m.SetQuestion(domain, dns.TypeAAAA) var r *dns.Msg r, _, err = client.Exchange(m, fmt.Sprintf("[%s]:53", ip)) if err != nil { return } if r == nil { err = errors.New("response is nil") return } if r.Rcode != dns.RcodeSuccess { err = errors.New("failed to get a valid answer") return } for _, answer := range r.Answer { if t, ok := answer.(*dns.AAAA); ok { aaaa = t.AAAA } } return } func check_dnssec(domain, ip string) (err error) { client := dns.Client{Net: "tcp", Timeout: time.Second * 10} // Get DNSKEY m := new(dns.Msg) m.SetEdns0(4096, true) m.SetQuestion(domain, dns.TypeDNSKEY) var r *dns.Msg r, _, err = client.Exchange(m, fmt.Sprintf("[%s]:53", ip)) if err != nil { return } if r == nil { return errors.New("response is nil") } if r.Rcode != dns.RcodeSuccess { return errors.New("failed to get a valid answer when getting DNSKEY") } var rrs []dns.RR var dnskeys []*dns.DNSKEY var dnskeysig *dns.RRSIG for _, answer := range r.Answer { if t, ok := answer.(*dns.DNSKEY); ok { dnskeys = append(dnskeys, t) rrs = append(rrs, dns.RR(t)) } else if t, ok := answer.(*dns.RRSIG); ok { dnskeysig = t } } if dnskeysig == nil { return fmt.Errorf("Unable to verify DNSKEY record signature: No RRSIG found for DNSKEY record.") } found := false for _, dnskey := range dnskeys { if err = dnskeysig.Verify(dnskey, rrs); err == nil { found = true break } } if !found { return fmt.Errorf("Unable to verify DNSKEY record signature: %w", err) } // Check AAAA validity m = new(dns.Msg) m.SetEdns0(4096, true) m.SetQuestion(domain, dns.TypeAAAA) r, _, err = client.Exchange(m, fmt.Sprintf("[%s]:53", ip)) if err != nil { return } if r == nil { return errors.New("response is nil") } if r.Rcode != dns.RcodeSuccess { return errors.New("failed to get a valid answer when getting AAAA records") } rrs = []dns.RR{} var aaaas []*dns.AAAA var aaaasig *dns.RRSIG for _, answer := range r.Answer { if t, ok := answer.(*dns.AAAA); ok { aaaas = append(aaaas, t) rrs = append(rrs, t) } else if t, ok := answer.(*dns.RRSIG); ok { aaaasig = t } } if len(aaaas) == 0 { return errors.New("Something odd happen: no AAAA record found.") } if aaaasig == nil { return fmt.Errorf("Unable to verify AAAA record signature: No RRSIG found for AAAA record.") } found = false for _, dnskey := range dnskeys { if err = aaaasig.Verify(dnskey, rrs); err == nil { found = true if !aaaasig.ValidityPeriod(time.Now()) { utc := time.Now().UTC().Unix() modi := (int64(aaaasig.Inception) - utc) / year68 ti := int64(aaaasig.Inception) + modi*year68 mode := (int64(aaaasig.Expiration) - utc) / year68 te := int64(aaaasig.Expiration) + mode*year68 if ti > utc { return fmt.Errorf("Unable to verify AAAA record signature: signature not yet valid") } else if utc > te { return fmt.Errorf("Unable to verify AAAA record signature: signature expired") } else { return fmt.Errorf("Unable to verify AAAA record signature: signature expired or not yet valid") } } break } } if !found { return fmt.Errorf("Unable to verify AAAA record signature: %w", err) } // Check DS m = new(dns.Msg) m.SetQuestion(domain, dns.TypeDS) m.RecursionDesired = false m.SetEdns0(4096, true) r, _, err = client.Exchange(m, "[2a01:e0a:2b:2250::b]:53") if err != nil { return } if r == nil { return errors.New("response is nil") } if r.Rcode != dns.RcodeSuccess { return errors.New("failed to get a valid answer when getting DS records in parent server") } found = false for _, answer := range r.Answer { if t, ok := answer.(*dns.DS); ok { for _, dnskey := range dnskeys { expectedDS := dnskey.ToDS(dns.SHA256) if expectedDS.KeyTag == t.KeyTag && expectedDS.Algorithm == t.Algorithm && expectedDS.DigestType == t.DigestType && expectedDS.Digest == t.Digest { found = true err = nil break } else { err = fmt.Errorf("DS record found in parent zone differs from DNSKEY %v vs. %v.", expectedDS, t) } } } } if !found { if err == nil { return fmt.Errorf("Unable to find a valid DS record in parent zone.") } else { return err } } return } // PORT 80 func check_http(ip, dn string) (err error) { client := &http.Client{ CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse }, } req, errr := http.NewRequest("GET", fmt.Sprintf("http://[%s]/", ip), nil) if errr != nil { return errr } if dn != "" { req.Header.Add("Host", strings.TrimSuffix(dn, ".")) } var resp *http.Response resp, err = client.Do(req) if err != nil { return } defer resp.Body.Close() if dn != "" && resp.StatusCode >= 400 { return fmt.Errorf("Bad status, got: %d (%s)", resp.StatusCode, resp.Status) } _, err = ioutil.ReadAll(resp.Body) return } // PORT 443 func check_https(domain, ip string) (err error) { var resp *http.Response resp, err = http.Get(fmt.Sprintf("https://%s/", strings.TrimSuffix(domain, "."))) if err != nil { return } defer resp.Body.Close() if resp.StatusCode >= 300 && resp.StatusCode < 400 { loc := resp.Header.Get("Location") if loc != "" && strings.HasSuffix(dns.Fqdn(loc), domain) { if dns.Fqdn(loc) == domain { return fmt.Errorf("Redirection loop %s redirect to %s", domain, loc) } else if err = check_https(dns.Fqdn(loc), ip); err != nil { return fmt.Errorf("Error after following redirection to %s: %w", loc, err) } else { return } } } if resp.StatusCode >= 300 { return fmt.Errorf("Bad status, got: %d (%s)", resp.StatusCode, resp.Status) } _, err = ioutil.ReadAll(resp.Body) return } // MATRIX type matrix_result struct { WellKnownResult struct { Server string `json:"m.server"` Result string `json:"result"` } DNSResult struct { SRVError *struct { Message string } } ConnectionReports map[string]struct { Errors []string } ConnectionErrors map[string]struct { Message string } Version struct { Name string `json:"name"` Version string `json:"version"` } FederationOK bool `json:"FederationOK"` } func check_matrix(domain string) (version string, err error) { var resp *http.Response resp, err = http.Get(fmt.Sprintf("https://federation-tester.adlin.nemunai.re/api/report?server_name=%s", strings.TrimSuffix(domain, "."))) if err != nil { return } defer resp.Body.Close() if resp.StatusCode >= 300 { return "", fmt.Errorf("Sorry, the federation tester is broken. Check on https://federationtester.matrix.org/#%s", strings.TrimSuffix(domain, ".")) } var federationTest matrix_result if err = json.NewDecoder(resp.Body).Decode(&federationTest); err != nil { log.Printf("Error in check_matrix, when decoding json: %w", err.Error()) return "", fmt.Errorf("Sorry, the federation tester is broken. Check on https://federationtester.matrix.org/#%s", strings.TrimSuffix(domain, ".")) } else if federationTest.FederationOK { version = federationTest.Version.Name + " " + federationTest.Version.Version return version, nil } else if federationTest.DNSResult.SRVError != nil && federationTest.WellKnownResult.Result != "" { return "", fmt.Errorf("%s OR %s", federationTest.DNSResult.SRVError.Message, federationTest.WellKnownResult.Result) } else if len(federationTest.ConnectionErrors) > 0 { var msg strings.Builder for srv, cerr := range federationTest.ConnectionErrors { if msg.Len() > 0 { msg.WriteString("; ") } msg.WriteString(srv) msg.WriteString(": ") msg.WriteString(cerr.Message) } return "", fmt.Errorf("Connection errors: %s", msg.String()) } else if federationTest.WellKnownResult.Server != strings.TrimSuffix(domain, ".") { return "", fmt.Errorf("Bad homeserver_name: got %s, expected %s.", federationTest.WellKnownResult.Server, strings.TrimSuffix(domain, ".")) } else { return "", fmt.Errorf("An unimplemented error occurs. Please report to nemunaire. But know that federation seems to be broken. Check https://federationtester.matrix.org/#%s", strings.TrimSuffix(domain, ".")) } } // Main func minTunnelVersion(std *adlin.Student, suffixip int) (int, error) { tunnels, err := std.GetTunnelTokens() if err != nil { return 0, err } var minversion int = 2147483647 for _, tunnel := range tunnels { if tunnel.Version == 0 { continue } if tunnel.Dump != nil && tunnel.Version < minversion && suffixip == tunnel.SuffixIP { minversion = tunnel.Version } } return minversion, nil } func studentsChecker() { students, err := adlin.GetStudents() if err != nil { log.Println("Unable to check students:", err) return } check_matrix_for := (time.Now().Second()/30)*5 + time.Now().Minute()%5 log.Printf("Checking students... (std_matrix%%10=%d)\n", check_matrix_for) for istd, s := range students { time.Sleep(250 * time.Millisecond) // Check ping std := s tuns, err := std.GetActivesTunnels() if err != nil { continue } for _, tun := range tuns { stdIP := tun.GetStudentIP() go check_ping(stdIP, func(pkt *ping.Packet) { tunnel_version, err := minTunnelVersion(std, tun.SuffixIP) if verbose { log.Printf("%s PONG (on %x); version=%d (%v)\n", std.Login, tun.SuffixIP, tunnel_version, err) } std.OnPong(true) if tunnel_version == 2147483647 || tunnel_version == 0 { log.Printf("%s unknown tunnel version: %d skipping tests (%v)", std.Login, tunnel_version, err) return } // PingResolver if tunnel_version == 3 { tmp := strings.Split(stdIP, ":") tmp[len(tmp)-1] = "2" stdResolverIP := strings.Join(tmp, ":") go check_ping(stdResolverIP, func(_ *ping.Packet) { if verbose { log.Printf("%s resolver PONG", std.Login) } if _, err := std.UnlockChallenge(CheckMap[tunnel_version][PingResolver], ""); err != nil { log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) } }) } dnsIP := stdIP var glueErr error // Is GLUE defined? if glueIP, err := get_GLUE(std.MyDelegatedDomain()); glueIP != nil { dnsIP = glueIP.String() if verbose { log.Printf("%s has defined GLUE: %s\n", std.Login, dnsIP) } } else if err != nil { log.Printf("%s and GLUE: %s\n", std.Login, err) glueErr = err } // Check DNS if addr, err := check_dns(std.MyDelegatedDomain(), dnsIP); err == nil { if addr == nil { dnsAt := " at " + dnsIP if glueErr != nil { dnsAt = " + there is a problem with the GLUE record: " + glueErr.Error() } if errreg := std.RegisterChallengeError(100*(tunnel_version-1)+3, fmt.Errorf("%s: empty response from the server%s", std.MyDelegatedDomain(), dnsAt)); errreg != nil { log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg) } } else { if verbose { log.Printf("%s just unlocked DNS challenge\n", std.Login) } if _, err := std.UnlockChallenge(100*(tunnel_version-1)+3, addr.String()); err != nil { log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) } // Check HTTP with DNS if glueErr != nil { std.RegisterChallengeError(100*(tunnel_version-1)+4, fmt.Errorf("Unable to perform the test due to GLUE problem: %w", glueErr)) } else if err := check_http(addr.String(), std.MyDelegatedDomain()); err == nil { if verbose { log.Printf("%s just unlocked HTTP challenge\n", std.Login) } if _, err := std.UnlockChallenge(100*(tunnel_version-1)+4, ""); err != nil { log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) } } else { std.RegisterChallengeError(100*(tunnel_version-1)+4, err) if verbose { log.Printf("%s and HTTP (with DNS ip=%s): %s\n", std.Login, addr.String(), err) } } // Check HTTPs with DNS if glueErr != nil { std.RegisterChallengeError(100*(tunnel_version-1)+5, fmt.Errorf("Unable to perform the test due to GLUE problem: %w", glueErr)) } else if err := check_https(std.MyDelegatedDomain(), addr.String()); err == nil { if verbose { log.Printf("%s just unlocked HTTPS challenge\n", std.Login) } if _, err := std.UnlockChallenge(100*(tunnel_version-1)+5, ""); err != nil { log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) } } else { std.RegisterChallengeError(100*(tunnel_version-1)+5, err) if verbose { log.Printf("%s and HTTPS (with DNS ip=%s): %s\n", std.Login, addr.String(), err) } } // Check Matrix (only if GLUE Ok and defer contraint) if glueErr == nil && istd%10 == check_matrix_for { if v, err := check_matrix(std.MyDelegatedDomain()); err == nil { if verbose { log.Printf("%s just unlocked Matrix challenge\n", std.Login) } if _, err := std.UnlockChallenge(100*(tunnel_version-1)+6, v); err != nil { log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) } } else { std.RegisterChallengeError(100*(tunnel_version-1)+6, err) if verbose { log.Printf("%s and Matrix: %s\n", std.Login, err) } } } // Check DNSSEC (only if GLUE Ok) if glueErr == nil { if err := check_dnssec(std.MyDelegatedDomain(), dnsIP); err == nil { if verbose { log.Printf("%s just unlocked DNSSEC challenge\n", std.Login) } if _, err := std.UnlockChallenge(100*(tunnel_version-1)+7, ""); err != nil { log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) } } else { std.RegisterChallengeError(100*(tunnel_version-1)+7, err) if verbose { log.Printf("%s and DNSSEC: %s\n", std.Login, err) } } } } } else { if errreg := std.RegisterChallengeError(100*(tunnel_version-1)+3, err); errreg != nil { log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg) } if verbose { log.Printf("%s and DNS: %s\n", std.Login, err) } } // Check HTTP without DNS if err := check_http(stdIP, ""); err == nil { if verbose { log.Printf("%s just unlocked HTTP IP (without DNS) challenge\n", std.Login) } if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonIP], ""); err != nil { log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) } } else { std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonIP], err) if verbose { log.Printf("%s and HTTP IP (without DNS): %s\n", std.Login, err) } } // Check DNS for association if addr, err := check_dns(std.MyAssociatedDomain(), DEFAULT_RESOLVER); err == nil { // Check HTTP on delegated domain if err := check_http(addr.String(), std.MyAssociatedDomain()); err == nil { if verbose { log.Printf("%s just unlocked HTTP (without DNS) challenge\n", std.Login) } if _, err := std.UnlockChallenge(100*(tunnel_version-1)+1, ""); err != nil { log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) } } else { std.RegisterChallengeError(100*(tunnel_version-1)+1, err) if verbose { log.Printf("%s and HTTP (without DNS): %s\n", std.Login, err) } } // Check HTTPs without DNS if err := check_https(std.MyAssociatedDomain(), stdIP); err == nil { if verbose { log.Printf("%s just unlocked HTTPS challenge\n", std.Login) } if _, err := std.UnlockChallenge(100*(tunnel_version-1)+2, ""); err != nil { log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) } } else { std.RegisterChallengeError(100*(tunnel_version-1)+2, err) if verbose { log.Printf("%s and HTTPS (without DNS): %s\n", std.Login, err) } } } return }) } } }