tunsafe-clang15/tunsafe_wg_plugin.cpp
2018-12-16 23:02:13 +01:00

731 lines
24 KiB
C++

#include "stdafx.h"
#include "tunsafe_wg_plugin.h"
#include "wireguard.h"
#include "util.h"
#include "crypto/curve25519/curve25519-donna.h"
#include "crypto/sha/sha1.h"
#include "crypto/chacha20poly1305.h"
#include "crypto/siphash/siphash.h"
#include "crypto/blake2s/blake2s.h"
#include "tunsafe_endian.h"
#include <algorithm>
enum {
WG_SESSION_ID_LEN = 32,
WG_SESSION_AUTH_LEN = 16,
};
class PluginPeer;
class TunsafePluginImpl;
class ExtFieldWriter {
public:
ExtFieldWriter(uint8 *target, uint32 target_size) : target_(target), target_size_(target_size), target_pos_(0), fail_flag_(false) { }
bool WriteField(uint8 code, const uint8 *data, uint32 size);
void BlockLogin() { fail_flag_ = true; }
bool fail_flag() { return fail_flag_; }
uint32 length() {
return target_pos_;
}
private:
uint8 *target_;
uint32 target_size_;
uint32 target_pos_;
bool fail_flag_;
};
bool ExtFieldWriter::WriteField(uint8 code, const uint8 *data, uint32 size) {
assert(size < 256);
uint8 *dst = &target_[target_pos_];
if (target_pos_ + size + 2 > target_size_)
return false;
target_pos_ += size + 2;
dst[0] = code;
dst[1] = size;
memcpy(dst + 2, data, size);
return true;
}
enum {
// The other peer has no way of identifying a specific instance of
// a connection. There's no way to distinguish a periodic handshake from
// a new client connection. Add a session ID to the Peer to solve this.
// We don't send the actual session id, instead we send:
// Hash(plaintext ephemeral public key, session id)
kExtensionType_SessionIDAuth = 0x20,
kExtensionType_SetSessionID = 0x21,
// This is sent by the server to request an additional token to allow
// login, for example a TOTP token, or a password.
// By cleverly using session ids, the server can avoid having to request
// this for every new handshake, even when roaming.
kExtensionType_TokenRequest = 0x22,
// This holds the token reply.
kExtensionType_TokenReply = 0x23,
};
class TokenClientHandler {
public:
TokenClientHandler(PluginPeer *pp);
~TokenClientHandler();
void SetSessionId(const uint8 id[WG_SESSION_ID_LEN]);
void SetToken(const uint8 *token, size_t token_size);
void OnHandshakeCreate(WgPeer *peer, ExtFieldWriter &writer, const uint8 salt[WG_PUBLIC_KEY_LEN]);
void OnTokenRequest(const uint8 *data, uint32 data_size);
void OnHandshakeComplete();
bool waiting_for_token() { return waiting_for_token_; }
uint32 token_request() { return token_request_type_; }
bool WantHandshake() { return !waiting_for_token_; }
void WriteSessionId(ExtFieldWriter &writer, const uint8 salt[WG_PUBLIC_KEY_LEN]);
private:
PluginPeer *pp_;
// Set to true if we're waiting for the UI to set the TOTP-token, so login can continue.
bool waiting_for_token_;
uint8 token_size_;
bool has_session_id_;
uint32 token_request_type_;
// The session id
uint8 session_id_[WG_SESSION_ID_LEN];
// Crypto key for tokens
uint8 token_crypto_key_[WG_SYMMETRIC_KEY_LEN];
// This is set to the token given by the UI
uint8 token_[TunsafePlugin::kMaxTokenLen];
};
class TotpTokenAuthenticator {
public:
TotpTokenAuthenticator() : secret_size_(0), window_size_(30), block_reuse_(false), digits_(6), precision_(0), next_allowed_code_(0) {}
bool Initialize(const char *config);
bool Authenticate(const uint8 *data, size_t size, uint64 *last_code);
bool configured() { return secret_size_ != 0; }
uint8 digits() { return digits_; }
private:
uint32 GetValueForTimestamp(uint64 now);
uint16 window_size_;
uint16 precision_;
bool block_reuse_;
uint8 digits_;
uint8 secret_size_;
uint64 next_allowed_code_;
uint8 secret_[64];
};
class TokenServerHandler {
public:
TokenServerHandler();
~TokenServerHandler();
bool OnHandshake(uint8 *token_reply, int token_reply_size, bool has_valid_session_id, ExtFieldWriter &writer, const siphash_key_t *siphash_key);
bool OnHandshake2(bool has_valid_session_id);
bool OnUnknownPeerSetting(const char *key, const char *value);
bool WantHandshake() { return !stop_reconnects_; }
bool VerifySessionId(const uint8 session_id_auth[WG_SESSION_AUTH_LEN], const uint8 salt[WG_PUBLIC_KEY_LEN]);
private:
bool has_session_id_;
bool is_session_id_authed_;
bool stop_reconnects_;
uint8 num_failures_;
uint8 reset_recovery_counter_;
uint8 token_bucket_;
uint8 authentication_type_;
uint8 last_login_status_;
uint64 last_attempt_;
uint64 reset_recovery_last_code_;
uint64 last_cksum_;
uint64 cksum_equal_timestamp_;
enum {
// Allow one token attempt every 30 seconds
kTokenBucketCost = 30,
// And the bucket size is 8, so you can perform 8 attempts
// in a row.
kTokenBucketFull = 240,
// Failed attempts until lockout. When locked out, you need to
// perform 3 successful 2fa attempts in a row before it's unlocked
// for 3 different codes.
kAttemptsUntilLockout = 10,
kAttemptsUntilLockoutRemoved = 3,
};
TotpTokenAuthenticator token_authenticator_;
uint8 session_id_[WG_SESSION_ID_LEN];
uint8 token_crypto_key_[WG_SYMMETRIC_KEY_LEN];
};
class PluginPeer : public WgPeerExtraData {
public:
PluginPeer(TunsafePluginImpl *plugin, WgPeer *peer) : plugin(plugin), peer(peer), token_client_handler(this) {}
~PluginPeer();
virtual void OnPeerDestroy() override {
delete this;
}
WgPeer *peer;
TunsafePluginImpl *plugin;
TokenClientHandler token_client_handler;
TokenServerHandler token_server_handler;
};
// Toplevel wireguard plugin
class TunsafePluginImpl : public TunsafePlugin {
friend class PluginPeer;
public:
TunsafePluginImpl(PluginDelegate *del, WireguardProcessor *proc) {
delegate_ = del;
proc_ = proc;
peer_doing_2fa_ = NULL;
OsGetRandomBytes((uint8*)&siphash_key_, sizeof(siphash_key_));
}
void DeletingPeer(PluginPeer *peer) {
if (peer_doing_2fa_ == peer)
peer_doing_2fa_ = NULL;
}
PluginDelegate *delegate() { return delegate_; }
void OnTokenRequest(PluginPeer *peer);
private:
virtual bool HandleUnknownPeerId(uint8 public_key[WG_PUBLIC_KEY_LEN], Packet *packet) override { return false; }
virtual bool OnUnknownInterfaceSetting(const char *key, const char *value) override;
virtual bool OnUnknownPeerSetting(WgPeer *peer, const char *key, const char *value) override;
virtual bool WantHandshake(WgPeer *peer) override;
virtual uint32 OnHandshake0(WgPeer *peer, uint8 *extout, uint32 extout_size, const uint8 salt[WG_PUBLIC_KEY_LEN]) override;
virtual uint32 OnHandshake1(WgPeer *peer, const uint8 *ext, uint32 ext_size, const uint8 salt_in[WG_PUBLIC_KEY_LEN], uint8 *extout, uint32 extout_size, const uint8 salt_out[WG_PUBLIC_KEY_LEN]) override;
virtual uint32 OnHandshake2(WgPeer *peer, const uint8 *ext, uint32 ext_size, const uint8 salt[WG_PUBLIC_KEY_LEN]) override;
virtual bool OnAfterSettingsParsed() override;
virtual void OnOutgoingHandshakePacket(WgPeer *peer, Packet *packet) override;
PluginPeer *GetPluginPeer(WgPeer *peer);
virtual void SubmitToken(const uint8 *text, size_t text_len) override;
WireguardProcessor *proc_;
PluginPeer *peer_doing_2fa_;
PluginDelegate *delegate_;
siphash_key_t siphash_key_;
};
PluginPeer::~PluginPeer() {
plugin->DeletingPeer(this);
}
TokenClientHandler::TokenClientHandler(PluginPeer *pp) {
pp_ = pp;
waiting_for_token_ = false;
token_size_ = false;
has_session_id_ = false;
token_request_type_ = 0;
memset(token_crypto_key_, 0, sizeof(token_crypto_key_));
}
TokenClientHandler::~TokenClientHandler() {
}
void TokenClientHandler::SetSessionId(const uint8 id[WG_SESSION_ID_LEN]) {
has_session_id_ = true;
memcpy(session_id_, id, WG_SESSION_ID_LEN);
}
void TokenClientHandler::SetToken(const uint8 *token, size_t token_size) {
if (token_size > TunsafePlugin::kMaxTokenLen || !waiting_for_token_)
return;
waiting_for_token_ = false;
token_size_ = (uint8)token_size;
memcpy(token_, token, token_size);
}
void TokenClientHandler::WriteSessionId(ExtFieldWriter &writer, const uint8 salt[WG_PUBLIC_KEY_LEN]) {
if (has_session_id_) {
uint8 buf[WG_SESSION_AUTH_LEN];
blake2s(buf, WG_SESSION_AUTH_LEN, salt, WG_PUBLIC_KEY_LEN, session_id_, sizeof(session_id_));
writer.WriteField(kExtensionType_SessionIDAuth, buf, WG_SESSION_AUTH_LEN);
}
}
// This is called to include a token (if the server has set one) in outgoing handshakes.
void TokenClientHandler::OnHandshakeCreate(WgPeer *peer, ExtFieldWriter &writer, const uint8 salt[WG_PUBLIC_KEY_LEN]) {
WriteSessionId(writer, salt);
if (token_size_ && has_session_id_) {
// Encrypt and include the token in the response
// NOTE: Must not reuse the key to send different tokens, but we send
// only one token as a reply to TokenRequest so that's fine.
uint8 buf[TunsafePlugin::kMaxTokenLen + 16];
chacha20poly1305_encrypt(buf, token_, token_size_, NULL, 0, 0, token_crypto_key_);
writer.WriteField(kExtensionType_TokenReply, buf, 16 + token_size_);
static const uint8 kPadding[16] = {0};
writer.WriteField(kExtensionType_Padding, kPadding, -token_size_ & 0xF);
}
}
// This runs on the initiator, after the handshake has been parsed
void TokenClientHandler::OnHandshakeComplete() {
// Forget an old token, we'll request it again if needed.
token_size_ = 0;
memset(token_crypto_key_, 0, sizeof(token_crypto_key_));
}
// This runs when backend requests a token, ask the user for the token
// and then call SetToken.
void TokenClientHandler::OnTokenRequest(const uint8 *data, uint32 data_size) {
if (data_size >= WG_SYMMETRIC_KEY_LEN + 2 && !waiting_for_token_) {
memcpy(token_crypto_key_, data, WG_SYMMETRIC_KEY_LEN);
token_request_type_ = ReadLE16(data + WG_SYMMETRIC_KEY_LEN);
if (token_size_ && (token_request_type_ & kTokenRequestStatus_Mask) == kTokenRequestStatus_None)
token_request_type_ |= kTokenRequestStatus_NotAccepted;
waiting_for_token_ = true;
pp_->plugin->OnTokenRequest(pp_);
}
}
// Decode a base32 string, skip whitespace and =.
// returns 0 on failure.
static size_t DecodeBase32String(const char *string, size_t string_len, uint8 *output, size_t output_len) {
// static const char kBase32Charset[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
size_t n = 0;
uint32 bitbuff = 0, nbits = 0, v;
for (size_t i = 0; i < string_len; i++) {
uint8 c = string[i];
if (c >= '2' && c <= '7') {
v = c - '2' + 26;
} else if ((c | 32) >= 'a' && (c | 32) <= 'z') {
v = (c | 32) - 'a';
} else if (c == ' ' || c == '=' || c == '\t') {
continue;
} else {
return 0;
}
bitbuff = bitbuff * 32 + v;
nbits += 5;
if (nbits >= 8) {
nbits -= 8;
if (n == output_len)
return 0;
output[n++] = (uint8)(bitbuff >> nbits);
}
}
return n;
}
// RequireToken=totp-sha1:ALPHABETAGAMMAOSCAR,digits=6,period=30,precision=15
bool TotpTokenAuthenticator::Initialize(const char *config) {
const char *end = config + strlen(config);
const char *comma = strchr(config, ',');
size_t rv = DecodeBase32String(config, (comma ? comma : end) - config, secret_, sizeof(secret_));
if (!rv)
return false;
secret_size_ = (uint8)rv;
bool has_precision = false;
while (comma) {
comma += 1;
while (*comma == ' ') comma++;
if (strncmp(comma, "digits=", 7) == 0) {
int v = atoi(comma + 7);
if (v < 6 || v > 8)
return false;
digits_ = (uint8)v;
} else if (strncmp(comma, "period=", 7) == 0) {
int v = atoi(comma + 7);
if (v < 1 || v > 3600)
return false;
window_size_ = (uint16)v;
} else if (strncmp(comma, "precision=", 10) == 0) {
int v = atoi(comma + 10);
if (v < 0 || v > 3600)
return false;
has_precision = true;
precision_ = (uint16)v;
} else if (strncmp(comma, "reuse=0", 7) == 0) {
block_reuse_ = true;
} else {
return false;
}
comma = strchr(comma, ',');
}
if (!has_precision)
precision_ = window_size_ >> 1;
return true;
}
extern int memcmp_crypto(const uint8 *a, const uint8 *b, size_t n);
uint32 TotpTokenAuthenticator::GetValueForTimestamp(uint64 now) {
uint8 hmacbuf[20];
SHA1HmacContext hmac;
SHA1HmacReset(&hmac, secret_, secret_size_);
uint8 timebuf[8];
WriteBE64(timebuf, now);
SHA1HmacInput(&hmac, timebuf, 8);
SHA1HmacFinish(&hmac, hmacbuf);
uint32 tmp;
memcpy(&tmp, hmacbuf + (hmacbuf[19] & 0xF), 4);
uint32 value = ReadBE32(&tmp) & 0x7FFFFFFF;
switch (digits_) {
case 6: value %= 1000000; break;
case 7: value %= 10000000; break;
case 8: value %= 100000000; break;
}
return value;
}
bool TotpTokenAuthenticator::Authenticate(const uint8 *data, size_t size, uint64 *code_out) {
uint64 now = time(NULL);
uint64 first_period = (now - precision_) / window_size_;
uint64 last_period = (now + precision_) / window_size_;
for (; first_period <= last_period; first_period++) {
char buf[16];
int r = snprintf(buf, sizeof(buf), "%.*u", digits_, GetValueForTimestamp(first_period));
// RINFO("Checking if %.*s equals %s", (int)size, data, buf);
if (r == size && memcmp_crypto((uint8*)buf, data, size) == 0) {
// Disable code reuse if requested.
if (block_reuse_ && first_period < next_allowed_code_)
return false;
next_allowed_code_ = first_period + 1;
*code_out = first_period;
return true;
}
}
return false;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////
TokenServerHandler::TokenServerHandler() {
num_failures_ = 0;
has_session_id_ = false;
is_session_id_authed_ = false;
stop_reconnects_ = false;
last_attempt_ = 0;
token_bucket_ = kTokenBucketFull;
reset_recovery_counter_ = 0;
reset_recovery_last_code_ = 0;
last_cksum_ = 0;
cksum_equal_timestamp_ = 0;
last_login_status_ = 0;
}
TokenServerHandler::~TokenServerHandler() {
}
bool TokenServerHandler::OnHandshake(uint8 *token_reply, int token_reply_size, bool has_valid_session_id, ExtFieldWriter &writer, const siphash_key_t *siphash_key) {
// Tokens not required for this peer?
if (!token_authenticator_.configured())
return true;
// check that the client has a valid token session, otherwise block login.
if (!has_valid_session_id) {
OsGetRandomBytes(session_id_, sizeof(session_id_));
writer.WriteField(kExtensionType_SetSessionID, session_id_, WG_SESSION_ID_LEN);
is_session_id_authed_ = false;
has_session_id_ = true;
request_token:
// TODO: Make it optional to reveal last_login_status_
uint8 data[WG_SYMMETRIC_KEY_LEN + 2];
OsGetRandomBytes(token_crypto_key_, sizeof(token_crypto_key_));
data[WG_SYMMETRIC_KEY_LEN] = authentication_type_;
data[WG_SYMMETRIC_KEY_LEN + 1] = last_login_status_;
memcpy(data, token_crypto_key_, WG_SYMMETRIC_KEY_LEN);
writer.WriteField(kExtensionType_TokenRequest, data, sizeof(data));
writer.BlockLogin();
return true;
}
if (!is_session_id_authed_ && token_reply && token_reply_size >= 16) {
// allow only so many attempts per second
uint64 now = OsGetMilliseconds(), code_out;
uint64 secs = (now - last_attempt_) >> 10;
last_attempt_ += secs << 10;
token_bucket_ = (uint8)std::min<uint64>(token_bucket_ + secs, kTokenBucketFull);
bool authenticated = false;
// Decrypt and verify the supplied key. If this fails, we're likely using an old key.
if (chacha20poly1305_decrypt(token_reply, token_reply, token_reply_size, NULL, 0, 0, token_crypto_key_)) {
authenticated = token_authenticator_.Authenticate(token_reply, token_reply_size - 16, &code_out);
// Account is locked after 10 failed attempts. To unlock the account, you need to login 3 times successfully
// in a row, with distincts, increasing codes, with no failed attempts in between.
if (num_failures_ >= kAttemptsUntilLockout) {
if (authenticated && code_out > reset_recovery_last_code_) {
reset_recovery_last_code_ = code_out;
if (reset_recovery_counter_++ == kAttemptsUntilLockoutRemoved - 1) {
RINFO("Account unlocked.");
num_failures_ = 0;
reset_recovery_counter_ = 0;
token_bucket_ = kTokenBucketFull;
} else {
authenticated = false;
}
} else {
reset_recovery_counter_ = 0;
authenticated = false;
}
} else {
// Check if the password is the same as the previous attempt, this could indicate a retransmission of the packet.
// Don't increase num_failures_ based on this, but after a minute, force authenticated to false.
uint64 cksum = siphash(token_reply, token_reply_size - 16, siphash_key);
if (cksum == last_cksum_) {
if (now >= cksum_equal_timestamp_ + 60000) {
authenticated = false;
} else {
if (authenticated)
num_failures_ = 0;
}
} else {
cksum_equal_timestamp_ = now;
last_cksum_ = cksum;
num_failures_ = authenticated ? 0 : num_failures_ + 1;
if (num_failures_ == kAttemptsUntilLockout)
RINFO("Account locked because of %d failed login attempts.", num_failures_);
}
}
}
last_login_status_ = (num_failures_ >= kAttemptsUntilLockout) ? (kTokenRequestStatus_Locked >> 8) :
(token_bucket_ >= kTokenBucketCost) ? (kTokenRequestStatus_Wrong >> 8) :
(kTokenRequestStatus_Ratelimit >> 8);
// Fail when toket bucket is exceeded
if (token_bucket_ >= kTokenBucketCost) {
token_bucket_ -= kTokenBucketCost;
} else {
authenticated = false;
}
is_session_id_authed_ = authenticated;
}
if (!is_session_id_authed_)
goto request_token;
last_login_status_ = 0;
stop_reconnects_ = false;
return true;
}
bool TokenServerHandler::OnHandshake2(bool has_valid_session_id) {
// Tokens not required for this peer?
if (!token_authenticator_.configured())
return true;
// Only allow configuration in this direction if a valid session key was provided.
if (has_valid_session_id && is_session_id_authed_)
return true;
// Stop further reconnections to this peer until further notice.
stop_reconnects_ = true;
return false;
}
bool TokenServerHandler::OnUnknownPeerSetting(const char *key, const char *value) {
if (strcmp(key, "RequireToken") != 0)
return false;
if (strncmp(value, "totp-sha1:", 10) != 0)
return false;
if (!token_authenticator_.Initialize(value + 10))
return false;
authentication_type_ = kTokenRequestType_6digits + (token_authenticator_.digits() - 6);
return true;
}
bool TokenServerHandler::VerifySessionId(const uint8 session_id_auth[WG_SESSION_AUTH_LEN], const uint8 salt[WG_PUBLIC_KEY_LEN]) {
if (!has_session_id_)
return false;
uint8 buf[WG_SESSION_AUTH_LEN];
blake2s(buf, WG_SESSION_AUTH_LEN, salt, WG_PUBLIC_KEY_LEN, session_id_, sizeof(session_id_));
return memcmp_crypto(buf, session_id_auth, WG_SESSION_AUTH_LEN) == 0;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////
PluginPeer *TunsafePluginImpl::GetPluginPeer(WgPeer *peer) {
PluginPeer *rv = (PluginPeer *)peer->extradata();
if (!rv) {
rv = new PluginPeer(this, peer);
peer->SetExtradata(rv);
}
return rv;
}
bool TunsafePluginImpl::WantHandshake(WgPeer *peer) {
PluginPeer *pp = GetPluginPeer(peer);
if (WITH_TWO_FACTOR_AUTHENTICATION) {
return pp->token_server_handler.WantHandshake() &&
pp->token_client_handler.WantHandshake();
} else {
return true;
}
}
// This runs on client and appends data
uint32 TunsafePluginImpl::OnHandshake0(WgPeer *peer, uint8 *extout, uint32 extout_size, const uint8 salt[WG_PUBLIC_KEY_LEN]) {
PluginPeer *pp = GetPluginPeer(peer);
ExtFieldWriter writer(extout, extout_size);
if (WITH_TWO_FACTOR_AUTHENTICATION)
pp->token_client_handler.OnHandshakeCreate(peer, writer, salt);
return writer.length();
}
// This runs on the server to parse init and send response
uint32 TunsafePluginImpl::OnHandshake1(WgPeer *peer, const uint8 *ext, uint32 ext_size, const uint8 salt_in[WG_PUBLIC_KEY_LEN], uint8 *extout, uint32 extout_size, const uint8 salt_out[WG_PUBLIC_KEY_LEN]) {
PluginPeer *pp = GetPluginPeer(peer);
ExtFieldWriter writer(extout, extout_size);
// Skip the version
if (ext_size >= 4)
ext += 4, ext_size -= 4;
bool has_valid_session_id = false;
uint8 *token_reply = NULL;
uint8 token_reply_size = 0;
while (ext_size >= 2) {
uint8 type = ext[0], size = ext[1];
ext += 2, ext_size -= 2;
if (size > ext_size)
return false;
if (WITH_TWO_FACTOR_AUTHENTICATION) {
switch (type) {
case kExtensionType_SessionIDAuth:
if (size == WG_SESSION_AUTH_LEN)
has_valid_session_id = pp->token_server_handler.VerifySessionId(ext, salt_in);
break;
case kExtensionType_TokenReply:
token_reply = (uint8*)ext;
token_reply_size = size;
break;
}
}
ext += size, ext_size -= size;
}
if (ext_size != 0)
return kHandshakeResponseDrop;
if (WITH_TWO_FACTOR_AUTHENTICATION) {
// If this is a handshake in the other direction, also include session id.
pp->token_client_handler.WriteSessionId(writer, salt_out);
if (!pp->token_server_handler.OnHandshake(token_reply, token_reply_size, has_valid_session_id, writer, &siphash_key_))
return kHandshakeResponseDrop;
}
return writer.length() + writer.fail_flag() * WgPlugin::kHandshakeResponseFail;
}
// This runs on client and parses response
uint32 TunsafePluginImpl::OnHandshake2(WgPeer *peer, const uint8 *ext, uint32 ext_size, const uint8 salt[WG_PUBLIC_KEY_LEN]) {
PluginPeer *pp = GetPluginPeer(peer);
// Skip the version
if (ext_size >= 4)
ext += 4, ext_size -= 4;
bool has_valid_session_id = false;
while (ext_size >= 2) {
uint8 type = ext[0], size = ext[1];
ext += 2, ext_size -= 2;
if (size > ext_size)
return false;
if (WITH_TWO_FACTOR_AUTHENTICATION) {
switch (type) {
case kExtensionType_SessionIDAuth:
if (size == WG_SESSION_AUTH_LEN)
has_valid_session_id = pp->token_server_handler.VerifySessionId(ext, salt);
break;
// All token requests mean that handshake has failed.
case kExtensionType_TokenRequest:
pp->token_client_handler.OnTokenRequest(ext, size);
return kHandshakeResponseDrop;
case kExtensionType_SetSessionID:
if (size == WG_SESSION_ID_LEN)
pp->token_client_handler.SetSessionId(ext);
break;
}
}
ext += size, ext_size -= size;
}
if (ext_size != 0)
return kHandshakeResponseDrop;
if (WITH_TWO_FACTOR_AUTHENTICATION) {
// Stop outgoing handshakes if client didn't supply a valid session id.
if (!pp->token_server_handler.OnHandshake2(has_valid_session_id))
return kHandshakeResponseDrop;
pp->token_client_handler.OnHandshakeComplete();
}
return 0;
}
bool TunsafePluginImpl::OnUnknownInterfaceSetting(const char *key, const char *value) {
return false;
}
bool TunsafePluginImpl::OnUnknownPeerSetting(WgPeer *peer, const char *key, const char *value) {
PluginPeer *pp = GetPluginPeer(peer);
if (WITH_TWO_FACTOR_AUTHENTICATION && pp->token_server_handler.OnUnknownPeerSetting(key, value))
return true;
return false;
}
void TunsafePluginImpl::OnTokenRequest(PluginPeer *peer) {
if (!WITH_TWO_FACTOR_AUTHENTICATION || peer_doing_2fa_ != NULL)
return;
peer_doing_2fa_ = peer;
delegate_->OnRequestToken(peer->peer, peer->token_client_handler.token_request());
}
void TunsafePluginImpl::SubmitToken(const uint8 *text, size_t text_len) {
if (!WITH_TWO_FACTOR_AUTHENTICATION || peer_doing_2fa_ == NULL)
return;
assert(peer_doing_2fa_->peer->dev()->IsMainThread());
peer_doing_2fa_->token_client_handler.SetToken(text, text_len);
proc_->ForceSendHandshakeInitiation(peer_doing_2fa_->peer);
peer_doing_2fa_ = NULL;
// Find the next peer requiring a token
for (WgPeer *peer = proc_->dev().first_peer(); peer; peer = peer->next_peer()) {
PluginPeer *pp = (PluginPeer *)peer->extradata();
if (!pp)
continue;
if (pp->token_client_handler.waiting_for_token()) {
OnTokenRequest(pp);
return;
}
}
}
bool TunsafePluginImpl::OnAfterSettingsParsed() {
return true;
}
void TunsafePluginImpl::OnOutgoingHandshakePacket(WgPeer *peer, Packet *packet) {
}
TunsafePlugin *CreateTunsafePlugin(PluginDelegate *delegate, WireguardProcessor *wgp) {
return new TunsafePluginImpl(delegate, wgp);
}