From 833d3198f2ef1d7fa3c203c62e5ec66e11d3e771 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Thu, 18 Feb 2021 01:14:10 +0100
Subject: [PATCH] tokens: use adlin to transmit wg-adlin
---
 challenge.yml | 6 ++----
 pkg/wg-manager/cmd/register.go | 22 ++++++++++++++++++----
 token-validator/challenge.go | 18 ++++++++++++++++++
 3 files changed, 38 insertions(+), 8 deletions(-)
diff --git a/challenge.yml b/challenge.yml
index 62f73b5..4ba9268 100644
--- a/challenge.yml
+++ b/challenge.yml
@@ -97,8 +97,6 @@ files:
 PrivateKey = $privatekey
 EOF
- curl -f -d @- http://wg.adlin.nemunai.re:81/register <> /etc/wireguard/adlin.conf &&
- {"PubKey": "${publickey}"}
- EOF
- echo -e "[\\e[01;32m+] \\e[01;32mSuccess.\\e[0m Tunnel configuration written to \\e[01m/etc/wireguard/adlin.conf\\e[0m; you have to use the address: \\e[01m$(grep Address= /etc/wireguard/adlin.conf | sed -r 's/^.*=(.*)$/\1/')\\e[0m" || echo -e "[\\e[01;31m-\\e[0m] \\e[01;31mFailure\\e[0m"
+ adlin "${publickey}" | curl -f -d @- http://wg.adlin.nemunai.re/register >> /etc/wireguard/adlin.conf &&
+ echo -e "[\\e[01;32m+\\e[0m] \\e[01;32mSuccess.\\e[0m Tunnel configuration written to \\e[01m/etc/wireguard/adlin.conf\\e[0m; you have to use the address: \\e[01m$(grep Address= /etc/wireguard/adlin.conf | sed -r 's/^.*=(.*)$/\1/')\\e[0m" || echo -e "[\\e[01;31m-\\e[0m] \\e[01;31mFailure\\e[0m"
 mode: "0755"
 
diff --git a/pkg/wg-manager/cmd/register.go b/pkg/wg-manager/cmd/register.go
index 9c643ce..a69732e 100644
--- a/pkg/wg-manager/cmd/register.go
+++ b/pkg/wg-manager/cmd/register.go
@@ -17,7 +17,7 @@ import (
 )
 
 const (
- IFaceName = "wg0"
+ IFaceName = "wg0"
 TunnelPort = 12912
 )
 
@@ -48,7 +48,6 @@ func init() {
 log.Fatal(err)
 }
 
- // Calculate public key
 cmdPubK := exec.Command("wg", "pubkey")
 cmdPubK.Stdin = bytes.NewReader(outPrvK)
 
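Review bot: The new registration line pipes the output of `adlin "${publickey}"` — which, per the register.go part of this same patch, carries the student's login and token alongside the key — to `http://wg.adlin.nemunai.re/register` in clear text, while the validator call the patch adds on the server side uses https. If the wg host serves TLS, `https://wg.adlin.nemunai.re/register` keeps the token off the wire in the clear; if it cannot, that exposure deserves a comment next to the line so it is a known trade-off rather than an oversight. The `curl -f` / `||` pairing looks intended: on an HTTP error nothing is appended to adlin.conf and the failure branch reports it.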
@@ -70,7 +69,9 @@ func init() {
 }
 
 type PubTunnel struct {
- PubKey []byte
+ Login string `json:"login"`
+ PubKey [][]byte `json:"data"`
+ Token string `json:"token"`
 }
 
 func register(w http.ResponseWriter, r *http.Request) {
@@ -91,11 +92,24 @@ func register(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ // Validate wg token
+ if j, err := json.Marshal(pt); err != nil {
+ http.Error(w, fmt.Sprintf("{errmsg:%q}", err), http.StatusInternalServerError)
+ return
+ } else if r, err := http.NewRequest("POST", "https://adlin.nemunai.re/wg-step", bytes.NewReader(j)); err != nil {
+ http.Error(w, fmt.Sprintf("{errmsg:%q}", err), http.StatusInternalServerError)
+ return
+ } else if resp, err := http.DefaultClient.Do(r); err == nil {
+ resp.Body.Close()
+ } else {
+ log.Printf("Unable to register wg-step on token-validator:", err)
+ }
+
 if next_ip, err := findNextIP(); err != nil {
 http.Error(w, fmt.Sprintf("{errmsg:%q}", err), http.StatusBadRequest)
 return
 } else {
- addWgPeer(pt.PubKey, next_ip)
+ addWgPeer(pt.PubKey[0], next_ip)
 w.Header().Set("Content-Type", "text/plain")
 w.Write([]byte(fmt.Sprintf(`# Address=%s/18
 
diff --git a/token-validator/challenge.go b/token-validator/challenge.go
index 97630b6..d21db5d 100644
--- a/token-validator/challenge.go
+++ b/token-validator/challenge.go
@@ -72,6 +72,17 @@ func sslOnly(_ *adlin.Student, r *http.Request) error {
 
 /* Challenges */
 
+func challengeOk(s *adlin.Student, t *givenToken, chid int) error {
+ pkey := s.GetPKey()
+ if expectedToken, err := GenerateToken(pkey, 0, []byte(t.Data[0])); err != nil {
+ return err
+ } else if !hmac.Equal(expectedToken, t.token) {
+ return errors.New("This is not the expected token.")
+ } else {
+ return nil
+ }
+}
+
 func challenge42(s *adlin.Student, t *givenToken, chid int) error {
 pkey := s.GetPKey()
 if expectedToken, err := GenerateToken(pkey, chid, []byte("42")); err != nil {
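Review bot: The validator's answer is never acted on in register: after `http.DefaultClient.Do(r)` the code only closes the body or logs, so a token the validator rejects — or an unreachable validator — still falls through to `addWgPeer`, and the `// Validate wg token` comment promises a check that does not happen. `pt.PubKey[0]` is also indexed without a length check, so a request whose `data` array is empty panics inside the handler, and `http.DefaultClient` carries no timeout, so a slow validator pins the request indefinitely. Smaller points: the `log.Printf` call has no verb for `err` (go vet flags it) and `r, err := http.NewRequest(...)` shadows the handler's request inside the chain. The rewrite below gates the peer on a 2xx answer (assuming that is how the validator signals acceptance — not visible from this hunk), needs an `io` import and a package-level `*http.Client` with `Timeout` set; register's body continues past the hunk inside the raw string passed to `w.Write`.
```go
	// Validate wg token: refuse the peer unless the validator accepts it.
	if len(pt.PubKey) != 1 {
		http.Error(w, fmt.Sprintf("{errmsg:%q}", "expected exactly one key in data"), http.StatusBadRequest)
		return
	}
	j, err := json.Marshal(pt)
	if err != nil {
		http.Error(w, fmt.Sprintf("{errmsg:%q}", err), http.StatusInternalServerError)
		return
	}
	req, err := http.NewRequest("POST", "https://adlin.nemunai.re/wg-step", bytes.NewReader(j))
	if err != nil {
		http.Error(w, fmt.Sprintf("{errmsg:%q}", err), http.StatusInternalServerError)
		return
	}
	// validatorClient: package-level *http.Client with a Timeout (DefaultClient has none).
	resp, err := validatorClient.Do(req)
	if err != nil {
		log.Printf("Unable to register wg-step on token-validator: %v", err)
		http.Error(w, fmt.Sprintf("{errmsg:%q}", "token validation unavailable"), http.StatusBadGateway)
		return
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		http.Error(w, fmt.Sprintf("{errmsg:%q}", "token rejected by validator"), http.StatusForbidden)
		return
	}
	// … unchanged: findNextIP / addWgPeer / plain-text response …
```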
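Review bot: `t.Data[0]` in challengeOk is read without checking that the submitted token carries any data, so a token whose `data` array is empty panics the handler; the sibling checkers such as challenge42 bind a literal instead and cannot hit this. Add `if len(t.Data) == 0 { return errors.New("Missing data in token.") }` before the GenerateToken call. The `chid` parameter is ignored in favour of the literal `0`, which presumably matches whatever index the `adlin` client signs the public key with; if that is deliberate, a one-line comment such as `// chid 0: the client signs the bare public key, not a challenge id` would keep the next reader from "fixing" it.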
@@ -257,6 +268,12 @@ func init() {
 Check: challengeEMail,
 },
 
+ /* wg step */
+ Challenge{
+ Accessible: []func(*adlin.Student, *http.Request) error{noAccessRestriction},
+ Check: challengeOk,
+ },
+
 /* Last : SSH key, see ssh.go:156 in NewKey function */
 Challenge{
 Accessible: []func(*adlin.Student, *http.Request) error{noAccess},
@@ -270,6 +287,7 @@ func init() {
 router.POST("/toctoc", rawHandler(responseHandler(definedChallengeHandler(receiveToken, 6))))
 router.POST("/echorequest", rawHandler(responseHandler(definedChallengeHandler(receiveToken, 7))))
 router.POST("/testdisk", rawHandler(responseHandler(definedChallengeHandler(receiveToken, 8))))
+ router.POST("/wg-step", rawHandler(responseHandler(definedChallengeHandler(receiveToken, 10))))
 }
 
 type givenToken struct {
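Review bot: The new `/* wg step */` Challenge is inserted before the entry commented `Last : SSH key, see ssh.go:156 in NewKey function`, which suggests that entry is referenced by position from ssh.go; if so, its index moves by one with this insertion and that reference should be re-checked (ssh.go is not visible here). The following hunk binds `/wg-step` to id 10, so a comment tying the slice position to the route, e.g. `/* wg step: index 10, served by POST /wg-step below */`, would make the positional coupling explicit for the next entry someone adds.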