Fix check and use 256 bit
This commit is contained in:
parent
0b299619ff
commit
263312dc7b
4 changed files with 9 additions and 7 deletions
|
@ -24,7 +24,7 @@ RDPGW wants to be secure when you set it up from the beginning. It does this by
|
||||||
Connect integration enabled by default. Cookies are encrypted and signed on the client side relying
|
Connect integration enabled by default. Cookies are encrypted and signed on the client side relying
|
||||||
on [Gorilla Sessions](https://www.gorillatoolkit.org/pkg/sessions). PAA tokens (gateway access tokens)
|
on [Gorilla Sessions](https://www.gorillatoolkit.org/pkg/sessions). PAA tokens (gateway access tokens)
|
||||||
are generated and signed according to the JWT spec by using [jwt-go](https://github.com/dgrijalva/jwt-go)
|
are generated and signed according to the JWT spec by using [jwt-go](https://github.com/dgrijalva/jwt-go)
|
||||||
signed with a 512 bit HMAC. Hosts provided by the user are verified against what was provided by
|
signed with a 256 bit HMAC. Hosts provided by the user are verified against what was provided by
|
||||||
the server. Finally, the client's ip address needs to match the one it obtained the token with.
|
the server. Finally, the client's ip address needs to match the one it obtained the token with.
|
||||||
|
|
||||||
## How to build
|
## How to build
|
||||||
|
|
|
@ -2,6 +2,7 @@ package client
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"strings"
|
||||||
)
|
)
|
||||||
|
@ -31,10 +32,10 @@ func EnrichContext(next http.Handler) http.Handler {
|
||||||
ctx = context.WithValue(ctx, ProxyAddressesCtx, proxies)
|
ctx = context.WithValue(ctx, ProxyAddressesCtx, proxies)
|
||||||
}
|
}
|
||||||
|
|
||||||
remote := r.Header.Get("REMOTE_ADDR")
|
ctx = context.WithValue(ctx, RemoteAddressCtx, r.RemoteAddr)
|
||||||
ctx = context.WithValue(ctx, RemoteAddressCtx, remote)
|
|
||||||
if h == "" {
|
if h == "" {
|
||||||
ctx = context.WithValue(ctx, ClientIPCtx, remote)
|
clientIp, _, _ := net.SplitHostPort(r.RemoteAddr)
|
||||||
|
ctx = context.WithValue(ctx, ClientIPCtx, clientIp)
|
||||||
}
|
}
|
||||||
next.ServeHTTP(w, r.WithContext(ctx))
|
next.ServeHTTP(w, r.WithContext(ctx))
|
||||||
})
|
})
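Review bot: The error from `net.SplitHostPort(r.RemoteAddr)` is discarded, so whenever RemoteAddr carries no port (a Unix-socket listener, or an httptest request whose RemoteAddr is a bare address) `clientIp` silently becomes `""` and an empty client IP is stored under `ClientIPCtx`; anything that later binds a token to that value binds it to nothing. Fall back to the raw address rather than swallowing the error: `clientIp, _, err := net.SplitHostPort(r.RemoteAddr)` followed by `if err != nil { clientIp = r.RemoteAddr }`. Reading `r.RemoteAddr` instead of the client-supplied `REMOTE_ADDR` header is the right call; the branch that derives the IP from `h` when it is non-empty, and the start of EnrichContext, are outside this hunk.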
|
||||||
|
|
|
@ -78,7 +78,7 @@ func (h *Handler) Process(ctx context.Context) error {
|
||||||
|
|
||||||
switch pt {
|
switch pt {
|
||||||
case PKT_TYPE_HANDSHAKE_REQUEST:
|
case PKT_TYPE_HANDSHAKE_REQUEST:
|
||||||
log.Printf("Handshake")
|
log.Printf("Client handshake from %s", client.GetClientIp(ctx))
|
||||||
if h.State != SERVER_STATE_INITIAL {
|
if h.State != SERVER_STATE_INITIAL {
|
||||||
log.Printf("Handshake attempted while in wrong state %d != %d", h.State, SERVER_STATE_INITIAL)
|
log.Printf("Handshake attempted while in wrong state %d != %d", h.State, SERVER_STATE_INITIAL)
|
||||||
return errors.New("wrong state")
|
return errors.New("wrong state")
|
||||||
|
|
|
@ -36,7 +36,7 @@ func VerifyPAAToken(ctx context.Context, tokenString string) (bool, error) {
|
||||||
if c, ok := token.Claims.(*customClaims); ok && token.Valid {
|
if c, ok := token.Claims.(*customClaims); ok && token.Valid {
|
||||||
s := getSessionInfo(ctx)
|
s := getSessionInfo(ctx)
|
||||||
s.RemoteServer = c.RemoteServer
|
s.RemoteServer = c.RemoteServer
|
||||||
s.ClientIp = client.GetClientIp(ctx)
|
s.ClientIp = c.ClientIP
|
||||||
return true, nil
|
return true, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -78,6 +78,7 @@ func GeneratePAAToken(ctx context.Context, username string, server string) (stri
|
||||||
|
|
||||||
c := customClaims{
|
c := customClaims{
|
||||||
RemoteServer: server,
|
RemoteServer: server,
|
||||||
|
ClientIP: client.GetClientIp(ctx),
|
||||||
StandardClaims: jwt.StandardClaims{
|
StandardClaims: jwt.StandardClaims{
|
||||||
ExpiresAt: exp,
|
ExpiresAt: exp,
|
||||||
IssuedAt: now,
|
IssuedAt: now,
|
||||||
|
@ -86,7 +87,7 @@ func GeneratePAAToken(ctx context.Context, username string, server string) (stri
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
token := jwt.NewWithClaims(jwt.SigningMethodHS512, c)
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, c)
|
||||||
if ss, err := token.SignedString(SigningKey); err != nil {
|
if ss, err := token.SignedString(SigningKey); err != nil {
|
||||||
log.Printf("Cannot sign PAA token %s", err)
|
log.Printf("Cannot sign PAA token %s", err)
|
||||||
return "", err
|
return "", err
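Review bot: VerifyPAAToken now copies the token's `ClientIP` claim into the session (`s.ClientIp = c.ClientIP`) but never compares it with the address of the connection presenting the token, so within this hunk a token minted for one IP is accepted from any other; if that comparison lives in a caller outside the hunk it deserves a comment here, otherwise add it at the point of verification: `if c.ClientIP == "" || c.ClientIP != client.GetClientIp(ctx) { return false, errors.New("client ip mismatch") }` before the session is populated. The empty-string case matters because, with this commit's EnrichContext change, `client.GetClientIp(ctx)` can yield `""` when the remote address has no port, and GeneratePAAToken would then embed an empty `ClientIP` (`ClientIP: client.GetClientIp(ctx)`) rather than refusing to issue the token. The move to `SigningMethodHS256` is fine provided `SigningKey` (declared outside the hunk) is at least 32 random bytes, since jwt-go does not enforce a minimum HMAC key length. Both VerifyPAAToken and GeneratePAAToken extend beyond the hunks shown.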
|
||||||
|
|