diff --git a/Makefile b/Makefile
index fdd1d8e..5b2d5f6 100644
--- a/Makefile
+++ b/Makefile
@@ -37,6 +37,14 @@ pkg/login-validator: pkg/login-validator/cmd/login.go pkg/login-validator/cmd/ma
 $(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/login-validator/
 touch pkg/login-validator
+pkg/minichecker: pkg/minichecker/build.yml pkg/minichecker/cmd/main.go pkg/minichecker/cmd/adlin.token pkg/minichecker/cmd/adlin.conf pkg/minichecker/cmd/checker.go pkg/minichecker/cmd/encode.go pkg/minichecker/cmd/wg.go pkg/minichecker/Dockerfile
+ $(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/minichecker/
+ touch pkg/minichecker
+
+pkg/resolver: pkg/resolver/build.yml pkg/resolver/docker-entrypoint.sh pkg/resolver/Dockerfile
+ $(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/resolver/
+ touch pkg/resolver
+
 pkg/monit: pkg/monit/build.yml pkg/monit/Dockerfile
 $(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/monit/
 touch pkg/monit
@@ -77,7 +85,7 @@ pkg/tinydeb: pkg/tinydeb/sshd_config pkg/tinydeb/gai.conf pkg/tinydeb/build.yml
 touch pkg/tinydeb
 pkg/nsd: pkg/nsd/sshd_config pkg/nsd/build.yml pkg/nsd/init pkg/nsd/Dockerfile
- $(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/tinydeb/
+ $(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire pkg/nsd/
 touch pkg/nsd
 tuto2-kernel: tuto2.yml
@@ -109,7 +117,7 @@ tuto3-initrd.img: tuto3.yml
 tuto3-cmdline: tuto3.yml
 $(LINUXKIT) build -docker $<
-tuto3.iso: tuto3.yml pkg/debian-tuto3 pkg/router-tuto3 pkg/tinydeb pkg/unbound pkg/nsd
+tuto3.iso: tuto3.yml pkg/debian-tuto3 pkg/router-tuto3 pkg/minichecker pkg/tinydeb pkg/resolver pkg/nsd
 $(LINUXKIT) build -docker -format iso-bios $<
diff --git a/pkg/resolver/build.yml b/pkg/resolver/build.yml
index 74febfd..e8314fe 100644
--- a/pkg/resolver/build.yml
+++ b/pkg/resolver/build.yml
@@ -1,4 +1,4 @@
-image: unbound
+image: resolver
 network: true
 arches:
 - x86_64
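Review bot: The new `pkg/minichecker` rule lists `pkg/minichecker/cmd/adlin.token` and `pkg/minichecker/cmd/adlin.conf` as prerequisites, which presumably means the Dockerfile copies them into the image, and `tuto3.iso` now depends on that image, so whatever adlin.token contains is shipped to everyone who receives the ISO. If that file holds a live credential rather than a per-deployment placeholder, confirm it is replaced at build or boot time and kept out of the tree. A comment on the rule such as `# adlin.token is baked into the minichecker image — keep a placeholder here, inject the real token at deploy time` would make that expectation visible to the next maintainer.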
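Review bot: The `pkg/nsd` recipe fixed here was a copy-paste of the tinydeb one, and the three new `pkg/*` rules in the first hunk repeat the same hand-typed directory name, so the same slip can recur. Writing the recipe as `$(LINUXKIT) pkg build --platforms linux/amd64 -org nemunaire $@/` derives the path from the target and removes the duplication; the per-target prerequisite lists can stay as they are. The same substitution applies to the `pkg/minichecker` and `pkg/resolver` rules in the hunk above.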
diff --git a/pkg/router-tuto3/Dockerfile b/pkg/router-tuto3/Dockerfile
index 942dd1b..65760e3 100644
--- a/pkg/router-tuto3/Dockerfile
+++ b/pkg/router-tuto3/Dockerfile
@@ -1,4 +1,4 @@
-FROM openwrtorg/rootfs:x86-64-19.07.7
+FROM openwrtorg/rootfs:x86-64-21.02.2
 RUN mkdir -p /var/lock/ && opkg update && opkg install \
 bind-dig \
@@ -6,9 +6,9 @@ RUN mkdir -p /var/lock/ && opkg update && opkg install \
 ethtool \
 luci-proto-wireguard \
 nano \
- ssmtp \
- python \
+ msmtp \
+ python3 \
 tcpdump \
+ && rm /etc/resolv.conf \
 && rm -rf /var/lock \
- && rm -rf /etc/ssh/ssh_host_*_key* \
- && echo "alias ip='ip -c'" >> /etc/profile
+ && rm -rf /etc/ssh/ssh_host_*_key*
diff --git a/pkg/tinydeb/Dockerfile b/pkg/tinydeb/Dockerfile
index 4a105c7..95cb4b4 100644
--- a/pkg/tinydeb/Dockerfile
+++ b/pkg/tinydeb/Dockerfile
@@ -4,8 +4,8 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
 busybox \
 nano \
 openssh-server \
- python \
- python-apt \
+ python3 \
+ python3-apt \
 systemd-sysv \
 vim.tiny \
 && rm -rf /var/lib/apt/lists/* \
diff --git a/token-validator/remote-challenge.go b/token-validator/remote-challenge.go
new file mode 100644
index 0000000..91dfb4c
--- /dev/null
+++ b/token-validator/remote-challenge.go
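Review bot: In the second router-tuto3 hunk, `&& rm /etc/resolv.conf \` has no `-f`, so the image build aborts if the 21.02 rootfs does not ship that file, while the neighbouring `rm -rf` lines are tolerant of absence; `&& rm -f /etc/resolv.conf \` keeps the intent without tying the build to the base image's contents. A one-line comment above it saying why the file is dropped (presumably so the runtime configuration or the new resolver package provides it) would also help, since the removal is otherwise easy to mistake for an accident.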
@@ -0,0 +1,123 @@
+package main
+
+import (
+ "bytes"
+ "crypto/ed25519"
+ "encoding/base64"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "log"
+ "net/http"
+ "time"
+
+ "github.com/julienschmidt/httprouter"
+
+ "git.nemunai.re/srs/adlin/libadlin"
+)
+
+func init() {
+ router.POST("/remote", rawHandler(responseHandler(remoteChallHandler(receiveRemoteChallenge))))
+}
+
+type SendMeta struct {
+ Time time.Time `json:"time"`
+ Login string `json:"login"`
+ Test string `json:"test"`
+}
+
+type SendContent struct {
+ Meta []byte `json:"meta"`
+ Data []byte `json:"data"`
+ Sign []byte `json:"sign"`
+ Key []byte `json:"key"`
+ KeySign []byte `json:"keysign"`
+}
+
+func remoteChallHandler(f func(*http.Request, *adlin.Student, SendContent) (interface{}, error)) func(*http.Request, httprouter.Params, []byte) (interface{}, error) {
+ return func(r *http.Request, ps httprouter.Params, body []byte) (v interface{}, err error) {
+ var data SendContent
+ err = json.Unmarshal(body, &data)
+ if err != nil {
+ return
+ }
+
+ // Check signatures
+ if !ed25519.Verify(adlin.GetCollectorPublic(), data.Key, data.KeySign) {
+ return nil, fmt.Errorf("Bad KSK signature")
+ }
+
+ if !ed25519.Verify(data.Key, append(data.Meta, data.Data...), data.Sign) {
+ return nil, fmt.Errorf("Bad DSK signature")
+ }
+
+ var meta SendMeta
+ err = json.NewDecoder(base64.NewDecoder(base64.StdEncoding, bytes.NewBuffer(data.Meta))).Decode(&meta)
+ if err != nil {
+ return
+ }
+
+ // Find pubkeys associated with login
+ var std *adlin.Student
+ std, err = adlin.GetStudentByLogin(string(meta.Login))
+ if err != nil {
+ return
+ }
+
+ var tps []ed25519.PublicKey
+ tps, err = std.GetActivesTunnelsPubKey()
+ if err != nil {
+ return
+ }
+
+ // Check signature
+ found := false
+ for _, pubk := range tps {
+ if pubk.Equal(ed25519.PublicKey(data.Key)) {
+ found = true
+ break
+ }
+ }
+
+ if !found {
+ return nil, fmt.Errorf("Unable to find key for user")
+ }
+
+ return f(r, std, data)
+ }
+}
+
+func receiveRemoteChallenge(r *http.Request, std *adlin.Student, data SendContent) (interface{}, error) {
+ var tests map[string]*string
+ err := json.NewDecoder(base64.NewDecoder(base64.StdEncoding, bytes.NewBuffer(data.Data))).Decode(&tests)
+ if err != nil {
+ return nil, err
+ }
+
+ for k, v := range tests {
+ var chalid int
+ switch k {
+ case "wks-cm1":
+ chalid = 210
+ case "wks-dg1":
+ chalid = 209
+ case "wks-rh1":
+ chalid = 208
+ case "wks-rh2":
+ chalid = 208
+ }
+
+ if chalid != 0 {
+ if v == nil {
+ if _, err := std.UnlockChallenge(chalid, ""); err != nil {
+ log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+ }
+ } else if errreg := std.RegisterChallengeError(chalid, errors.New(*v)); errreg != nil {
+ log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg)
+ }
+
+ }
+ }
+
+ return true, err
+}
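Review bot: Nothing in remoteChallHandler checks `meta.Time`, so a captured `/remote` body stays valid indefinitely — both signatures still verify and the same results are re-registered on every replay, and the `Test` field of SendMeta is likewise decoded but never used. Bound the age right after the meta decode, e.g. `if age := time.Since(meta.Time); age > maxChallengeAge || age < -maxChallengeAge { return nil, fmt.Errorf("Stale challenge report") }` with a package-level `maxChallengeAge` of a few minutes, and add a seen-signature cache keyed on `data.Sign` if the window has to be long. The DSK signature also covers `append(data.Meta, data.Data...)` with no length prefix, so the meta/data boundary itself is not authenticated; whether a shifted boundary yields an alternative valid parse cannot be settled from this hunk, but signing a single length-prefixed or JSON-encoded envelope removes the question. A guard `if len(data.Key) != ed25519.PublicKeySize { return nil, fmt.Errorf("Bad key length") }` before the second `ed25519.Verify` is cheap insurance, since Verify panics on a malformed key and today only a collector-signed malformed key could reach it. In receiveRemoteChallenge, `return true, err` always returns nil because the loop shadows `err`; `return true, nil` says what it means.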