Fix check and use 256 bit

This commit is contained in:
Bolke de Bruin 2020-07-25 21:27:03 +02:00
parent 0b299619ff
commit 263312dc7b
4 changed files with 9 additions and 7 deletions


@ -24,7 +24,7 @@ RDPGW wants to be secure when you set it up from the beginning. It does this by
Connect integration enabled by default. Cookies are encrypted and signed on the client side relying Connect integration enabled by default. Cookies are encrypted and signed on the client side relying
on [Gorilla Sessions](https://www.gorillatoolkit.org/pkg/sessions). PAA tokens (gateway access tokens) on [Gorilla Sessions](https://www.gorillatoolkit.org/pkg/sessions). PAA tokens (gateway access tokens)
are generated and signed according to the JWT spec by using [jwt-go](https://github.com/dgrijalva/jwt-go) are generated and signed according to the JWT spec by using [jwt-go](https://github.com/dgrijalva/jwt-go)
signed with a 512 bit HMAC. Hosts provided by the user are verified against what was provided by signed with a 256 bit HMAC. Hosts provided by the user are verified against what was provided by
the server. Finally, the client's ip address needs to match the one it obtained the token with. the server. Finally, the client's ip address needs to match the one it obtained the token with.
## How to build ## How to build


@ -2,6 +2,7 @@ package client
import ( import (
"context" "context"
"net"
"net/http" "net/http"
"strings" "strings"
) )
@ -31,10 +32,10 @@ func EnrichContext(next http.Handler) http.Handler {
ctx = context.WithValue(ctx, ProxyAddressesCtx, proxies) ctx = context.WithValue(ctx, ProxyAddressesCtx, proxies)
} }
remote := r.Header.Get("REMOTE_ADDR") ctx = context.WithValue(ctx, RemoteAddressCtx, r.RemoteAddr)
ctx = context.WithValue(ctx, RemoteAddressCtx, remote)
if h == "" { if h == "" {
ctx = context.WithValue(ctx, ClientIPCtx, remote) clientIp, _, _ := net.SplitHostPort(r.RemoteAddr)
ctx = context.WithValue(ctx, ClientIPCtx, clientIp)
} }
next.ServeHTTP(w, r.WithContext(ctx)) next.ServeHTTP(w, r.WithContext(ctx))
}) })
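Review bot: The error from `net.SplitHostPort(r.RemoteAddr)` on the new line is discarded, so when RemoteAddr carries no port (a Unix-socket listener, or a test server setting a bare address) clientIp is stored under ClientIPCtx as the empty string and anything that later reads it (such as the ClientIP claim added in the token package by this commit) silently binds to "". I would keep the raw address on failure: `clientIp, _, err := net.SplitHostPort(r.RemoteAddr); if err != nil { clientIp = r.RemoteAddr }`. This branch only runs when `h == ""`; where h comes from and the rest of EnrichContext are outside the hunk.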


@ -78,7 +78,7 @@ func (h *Handler) Process(ctx context.Context) error {
switch pt { switch pt {
case PKT_TYPE_HANDSHAKE_REQUEST: case PKT_TYPE_HANDSHAKE_REQUEST:
log.Printf("Handshake") log.Printf("Client handshake from %s", client.GetClientIp(ctx))
if h.State != SERVER_STATE_INITIAL { if h.State != SERVER_STATE_INITIAL {
log.Printf("Handshake attempted while in wrong state %d != %d", h.State, SERVER_STATE_INITIAL) log.Printf("Handshake attempted while in wrong state %d != %d", h.State, SERVER_STATE_INITIAL)
return errors.New("wrong state") return errors.New("wrong state")
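Review bot: The new log line formats the client IP with `%s`, but the value is read from the request context and can be empty (the SplitHostPort change in this commit discards its error) or, presumably, derived from a forwarded header when one is present; `%q` would make an empty or unusual value visible and escape any control characters so the log line stays well-formed: `log.Printf("Client handshake from %q", client.GetClientIp(ctx))`. Process continues outside the hunk.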


@ -36,7 +36,7 @@ func VerifyPAAToken(ctx context.Context, tokenString string) (bool, error) {
if c, ok := token.Claims.(*customClaims); ok && token.Valid { if c, ok := token.Claims.(*customClaims); ok && token.Valid {
s := getSessionInfo(ctx) s := getSessionInfo(ctx)
s.RemoteServer = c.RemoteServer s.RemoteServer = c.RemoteServer
s.ClientIp = client.GetClientIp(ctx) s.ClientIp = c.ClientIP
return true, nil return true, nil
} }
@ -78,6 +78,7 @@ func GeneratePAAToken(ctx context.Context, username string, server string) (stri
c := customClaims{ c := customClaims{
RemoteServer: server, RemoteServer: server,
ClientIP: client.GetClientIp(ctx),
StandardClaims: jwt.StandardClaims{ StandardClaims: jwt.StandardClaims{
ExpiresAt: exp, ExpiresAt: exp,
IssuedAt: now, IssuedAt: now,
@ -86,7 +87,7 @@ func GeneratePAAToken(ctx context.Context, username string, server string) (stri
}, },
} }
token := jwt.NewWithClaims(jwt.SigningMethodHS512, c) token := jwt.NewWithClaims(jwt.SigningMethodHS256, c)
if ss, err := token.SignedString(SigningKey); err != nil { if ss, err := token.SignedString(SigningKey); err != nil {
log.Printf("Cannot sign PAA token %s", err) log.Printf("Cannot sign PAA token %s", err)
return "", err return "", err
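Review bot: The new assignment `s.ClientIp = c.ClientIP` copies the IP embedded in the token into the session, but nothing in this hunk compares it with the address of the request now presenting the token; the ClientIP claim is only set at issuance in the GeneratePAAToken hunk below, so unless a caller does the comparison the binding the README describes (client IP must match the one the token was obtained with) is not enforced on verification. I would reject the token inside the `token.Valid` branch when `c.ClientIP != client.GetClientIp(ctx)`, before `return true, nil`, using the same error style the rest of the function uses. Both VerifyPAAToken and GeneratePAAToken start outside the hunks, so it is also worth confirming there that the parse step pins the expected HMAC signing method now that generation moved to HS256, and that SigningKey is at least 32 bytes for that method.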