Challenge

2025-03-31 22:29:43 +02:00 · 2025-03-31 22:29:43 +02:00 · e090b70dba
commit e090b70dba
parent b35120be22
7 changed files with 416 additions and 62 deletions
--- a/src/main.rs
+++ b/src/main.rs
@ -1,16 +1,23 @@
+mod challenge;
 mod http;
 mod policy;

 use http::HeaderLineIterator;
 use policy::{CompiledPolicies, Policy};

-use regex::bytes::Regex;
+use rand::Rng;
+use regex::{bytes::Regex, bytes::RegexSet};
 use std::{
-	io::{BufReader, Write},
-	net::SocketAddr,
-	time::Duration,
+	io::{BufReader, Write}, net::SocketAddr, sync::atomic::ATOMIC_BOOL_INIT, time::Duration
 };
-use tokio::{io::{ReadBuf, AsyncWriteExt}, time::timeout};
+use tokio::{
+	io::{AsyncWriteExt, ReadBuf}, net::TcpSocket, time::timeout
+};
+
+const SALT_LEN: usize = 16;
+const SECRET_LEN: usize = 32;
+const MAC_LEN: usize = 32;
+const CHALLENGE_TIMEOUT: u64 = 3600;

 static CHALLENGE_BODY: &str = include_str!("challenge.html");

@ -25,17 +32,31 @@ macro_rules! mk_static {

 #[tokio::main]
 async fn main() {
-	let listen_addr = "127.0.0.1:8000".parse().unwrap();
+	let mut rng = rand::thread_rng();
+
+	let listen_addr: SocketAddr = "127.0.0.1:8504".parse().unwrap();
+	let pass_addr: SocketAddr = "127.0.0.1:80".parse().unwrap();
 	let policy_groups = &[&[Policy {
 		name: String::from("Block"),
 		filter: policy::Filter::FirstLineMatch(String::from("GET /block")),
 		action: policy::Action::Drop,
 		priority: 0,
 	}]];
+	let secret: [u8; SECRET_LEN] = rng.r#gen();

-	let challenge_response = &*mk_static!(String, format!("HTTP/1.1 200\r\ncontent-type: text/html\r\ncontent-length: {}\r\n\r\n{}", CHALLENGE_BODY.len(), CHALLENGE_BODY));
+	let challenge_response = &*mk_static!(
+		String,
+		format!(
+			"HTTP/1.1 200\r\ncontent-type: text/html\r\ncontent-length: {}\r\n\r\n{}",
+			CHALLENGE_BODY.len(),
+			CHALLENGE_BODY
+		)
+	);

-	let policy_groups: Vec<CompiledPolicies> = policy_groups.into_iter().map(|policies| CompiledPolicies::new(*policies)).collect();
+	let policy_groups: Vec<CompiledPolicies> = policy_groups
+		.into_iter()
+		.map(|policies| CompiledPolicies::new(*policies))
+		.collect();

 	let socket = realm_syscall::new_tcp_socket(&listen_addr).unwrap();

@ -46,50 +67,120 @@ async fn main() {

 	let listener = tokio::net::TcpListener::from_std(socket.into()).unwrap();

-	let cookie_regex = Regex::new(r"^Cookie: *(?:[^;=]+=[^;=]* *; *)*mesozoa *= *([0-9a-zA-Z]{4})").unwrap();
+	let proof_regex =
+		Regex::new(r"^Cookie: *(?:[^;=]+=[^;=]* *; *)*mesozoa-proof *= *([0-9a-zA-Z_-]{4})").unwrap();
+	let challenge_regex =
+		Regex::new(r"^Cookie: *(?:[^;=]+=[^;=]* *; *)*mesozoa-challenge *= *([0-9a-zA-Z_-]{75})").unwrap();
+	let ip_regex =
+		Regex::new(r"^X-Forwarded-For: *([a-fA-F0-9.:]+)$").unwrap();
+	let user_agent_regex =
+		Regex::new(r"^User-Agent: *([a-zA-Z0-9.,:;/ _()-]+)$").unwrap();

+	loop {
+		let Ok((mut client_stream, client_addr)) = listener.accept().await else {
+			continue;
+		};
+		//client_stream.set_nodelay(true).ok();

-			loop {
-				let Ok((mut client_stream, client_addr)) = listener.accept().await else {
-					continue;
-				};
-				//client_stream.set_nodelay(true).ok();
-		
-				let cookie_regex = cookie_regex.clone();
-				tokio::spawn(async move {
-					let mut buf = [0u8; 1024];
-					let mut buf_reader = ReadBuf::new(&mut buf);
-					if let Err(_) = timeout(
-						Duration::from_millis(100),
-						std::future::poll_fn(|cx| client_stream.poll_peek(cx, &mut buf_reader)),
-					)
-					.await
-					{
-						println!("peek timeout");
-						return;
-					}
-		
-					let mut header_line_iter = HeaderLineIterator::new(&buf);
-					let Some(first_line) = header_line_iter.next() else {
-						println!("Not HTTP, or too long line");
-						return;
-					};
-					// TODO matching
-					// for test we will challenge everything!
-					if let Some(captures) = header_line_iter.find_map(|line| cookie_regex.captures(line)) {
-						if let Some(cookie) = captures.get(1) {
-							let mut stdout = std::io::stdout();
-							stdout.write_all(cookie.as_bytes()).unwrap();
-							stdout.flush().unwrap();
-							println!("");
-						} else {
-							println!("cookie header, but no cookie")
-						}
-					} else {
-						println!("no cookie");
-					}
-					client_stream.writable().await.unwrap();
-					client_stream.write_all(challenge_response.as_bytes()).await.unwrap();
-				});
+		let proof_regex = proof_regex.clone();
+		let challenge_regex = challenge_regex.clone();
+		let ip_regex = ip_regex.clone();
+		let user_agent_regex = user_agent_regex.clone();
+		tokio::spawn(async move {
+			let mut buf = [0u8; 1024];
+			let mut buf_reader = ReadBuf::new(&mut buf);
+			if let Err(_) = timeout(
+				Duration::from_millis(100),
+				std::future::poll_fn(|cx| client_stream.poll_peek(cx, &mut buf_reader)),
+			)
+			.await
+			{
+				println!("peek timeout");
+				return;
 			}
+
+			let mut stdout = std::io::stdout();
+			stdout.write_all(&buf).unwrap();
+			stdout.flush().unwrap();
+			println!("");
+
+			let mut header_line_iter = HeaderLineIterator::new(&buf);
+			let Some(first_line) = header_line_iter.next() else {
+				println!("Not HTTP, or too long line");
+				return;
+			};
+			// TODO matching
+			// for test we will challenge everything!
+			let mut req_challenge = None;
+			let mut req_proof = None;
+			let mut req_user_agent: &[u8] = &[];
+			let mut req_ip: &[u8] = &[];
+			for line in header_line_iter {
+				if let Some(Some(m)) = challenge_regex.captures(line).map(|c| c.get(1)) {
+					req_challenge = Some(m.as_bytes());
+				}
+				if let Some(Some(m)) = proof_regex.captures(line).map(|c| c.get(1)) {
+					req_proof = Some(m.as_bytes());
+				}
+				if let Some(Some(m)) = user_agent_regex.captures(line).map(|c| c.get(1)) {
+					req_user_agent = m.as_bytes();
+				}
+				if let Some(Some(m)) = ip_regex.captures(line).map(|c| c.get(1)) {
+					req_ip = m.as_bytes();
+				}
+			}
+
+			let mut allow = false;
+
+			if let Some(req_challenge) = req_challenge {
+				allow = challenge::verify_challenge_cookie(req_challenge, &secret, req_user_agent, req_ip);
+			}
+
+			if allow {
+				// TODO reuse connections
+				let pass_socket = realm_syscall::new_tcp_socket(&pass_addr).unwrap();
+
+				pass_socket.set_reuse_address(true).ok();
+
+				let pass_socket = TcpSocket::from_std_stream(pass_socket.into());
+
+				let mut pass_stream = pass_socket.connect(pass_addr).await.unwrap();
+
+				match realm_io::bidi_zero_copy(&mut client_stream, &mut pass_stream).await {
+					Ok(_) => {},
+					Err(ref e) if e.kind() == tokio::io::ErrorKind::InvalidInput => {
+						realm_io::bidi_copy(&mut client_stream, &mut pass_stream).await.unwrap();
+					}
+					Err(e) => panic!("err {}", e),
+				}
+			} else {
+				let salt: [u8; SALT_LEN] = rand::thread_rng().r#gen();
+
+				let timestamp = std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH).unwrap().as_secs();
+				let timestamp_bytes = timestamp.to_be_bytes();
+
+				let challenge_mac = challenge::compute_challenge_mac(&secret, &salt, timestamp_bytes, req_ip, req_user_agent);
+
+				let challenge_cookie = challenge::format_challenge_cookie(&salt, timestamp_bytes, &challenge_mac);
+
+				let response = format!(
+					"HTTP/1.1 200\r\n\
+					content-type: text/html\r\n\
+					content-length: {}\r\n\
+					set-cookie: mesozoa-challenge={}; max-age=3600; samesite=strict\r\n\
+					\r\n\
+					{}",
+					CHALLENGE_BODY.len(),
+					challenge_cookie,
+					CHALLENGE_BODY,
+				);
+
+				client_stream.writable().await.unwrap();
+				client_stream
+					.write_all(response.as_bytes())
+					.await
+					.unwrap();
+			}
+		});
+	}
 }