From 5de3767e7071c5a3ea665a309f11748d734a63b0 Mon Sep 17 00:00:00 2001 From: Bolke de Bruin <bolke@xs4all.nl> Date: Fri, 24 Jul 2020 16:22:13 +0200 Subject: [PATCH] Use encryption for cookies --- README.md | 3 ++- api/web.go | 27 ++++++++++++++------------- config/configuration.go | 17 +++++++++-------- main.go | 1 + protocol/handler.go | 3 +-- 5 files changed, 27 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 9e8e425..aaec994 100644 --- a/README.md +++ b/README.md @@ -42,9 +42,10 @@ server: - any # if true the server randomly selects a host to connect to roundRobin: false - # a random string of at least 32 characters to secure cookies on the client + # a random strings of at least 32 characters to secure cookies on the client # make sure to share this across the different pods sessionKey: thisisasessionkeyreplacethisjetzt + sessionEncryptionKey: thisisasessionkeyreplacethisnunu! # Open ID Connect specific settings openId: providerUrl: http://keycloak/auth/realms/test diff --git a/api/web.go b/api/web.go index 27abe64..7dd24ad 100644 --- a/api/web.go +++ b/api/web.go @@ -24,18 +24,19 @@ const ( type TokenGeneratorFunc func(string, string) (string, error) type Config struct { - SessionKey []byte - TokenGenerator TokenGeneratorFunc - OAuth2Config *oauth2.Config - store *sessions.CookieStore - TokenVerifier *oidc.IDTokenVerifier - stateStore *cache.Cache - Hosts []string - GatewayAddress string - UsernameTemplate string - NetworkAutoDetect int - BandwidthAutoDetect int - ConnectionType int + SessionKey []byte + SessionEncryptionKey []byte + TokenGenerator TokenGeneratorFunc + OAuth2Config *oauth2.Config + store *sessions.CookieStore + TokenVerifier *oidc.IDTokenVerifier + stateStore *cache.Cache + Hosts []string + GatewayAddress string + UsernameTemplate string + NetworkAutoDetect int + BandwidthAutoDetect int + ConnectionType int } func (c *Config) NewApi() { 
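Review bot: The new exported field `SessionEncryptionKey []byte` in `Config` carries no doc comment stating the constraint the key must satisfy, and unlike `SessionKey` (an HMAC key of free length) this one has a fixed size dictated by the cipher. If `store` is gorilla/sessions, as `*sessions.CookieStore` suggests, the block key is handed to AES, so I would put `// SessionEncryptionKey encrypts session cookie contents; it must be exactly 16, 24 or 32 bytes (AES-128/192/256).` above the field. The same comment belongs on `SessionEncryptionKey string` in the `ServerConfig` hunk of config/configuration.go, where the value enters from YAML. Stating the constraint at the field matters here because the README change in this same commit says "at least 32 characters", which a reader could take to allow longer keys.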
@@ -45,7 +46,7 @@ func (c *Config) NewApi() { if len(c.Hosts) < 1 { log.Fatal("Not enough hosts to connect to specified") } - c.store = sessions.NewCookieStore(c.SessionKey) + c.store = sessions.NewCookieStore(c.SessionKey, c.SessionEncryptionKey) c.stateStore = cache.New(time.Minute*2, 5*time.Minute) } diff --git a/config/configuration.go b/config/configuration.go index db75289..55da5ea 100644 --- a/config/configuration.go +++ b/config/configuration.go @@ -10,17 +10,18 @@ type Configuration struct { OpenId OpenIDConfig Caps RDGCapsConfig Security SecurityConfig - Client ClientConfig + Client ClientConfig } type ServerConfig struct { - GatewayAddress string - Port int - CertFile string - KeyFile string - Hosts []string - RoundRobin bool - SessionKey string + GatewayAddress string + Port int + CertFile string + KeyFile string + Hosts []string + RoundRobin bool + SessionKey string + SessionEncryptionKey string } type OpenIDConfig struct { diff --git a/main.go b/main.go index 9cc8381..f59dd12 100644 --- a/main.go +++ b/main.go @@ -61,6 +61,7 @@ func main() { TokenVerifier: verifier, TokenGenerator: security.GeneratePAAToken, SessionKey: []byte(conf.Server.SessionKey), + SessionEncryptionKey: []byte(conf.Server.SessionEncryptionKey), Hosts: conf.Server.Hosts, NetworkAutoDetect: conf.Client.NetworkAutoDetect, UsernameTemplate: conf.Client.UsernameTemplate, diff --git a/protocol/handler.go b/protocol/handler.go index 4437b3a..5ee4468 100644 --- a/protocol/handler.go +++ b/protocol/handler.go @@ -100,7 +100,7 @@ func (h *Handler) Process() error { _, cookie := readCreateTunnelRequest(pkt) if h.VerifyTunnelCreate != nil { if ok, _ := h.VerifyTunnelCreate(h.Session, cookie); !ok { - log.Printf("Invalid PAA cookie: %s", cookie) + log.Printf("Invalid PAA cookie received") return errors.New("invalid PAA cookie") } } 
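Review bot: `c.store = sessions.NewCookieStore(c.SessionKey, c.SessionEncryptionKey)` passes the encryption key through unchecked, while the lines just above it already fail fast on a bad `Hosts` value. If the store is gorilla/sessions, a block key that is not 16, 24 or 32 bytes makes the cipher setup fail and every later cookie encode/decode returns an error, so an operator following the README's "at least 32 characters" guidance (whose example value appears to be 33 bytes) would get a gateway that can no longer keep anyone logged in; an empty string from an unset config value most likely ends in the same error path rather than silently disabling encryption, but I have not confirmed that from here. Add next to the existing `Hosts` check: `if n := len(c.SessionEncryptionKey); n != 16 && n != 24 && n != 32 { log.Fatalf("sessionEncryptionKey must be 16, 24 or 32 bytes, got %d", n) }`. NewApi's body starts before and ends after this hunk.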
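Review bot: With the cookie value removed from the log line, the only diagnostic left is a fixed string, yet the error returned by `h.VerifyTunnelCreate` is still discarded on the line above (`ok, _ :=`). Keeping the cookie out of the logs is the right change; keep the reason instead: `if ok, err := h.VerifyTunnelCreate(h.Session, cookie); !ok {` and `log.Printf("Invalid PAA cookie received: %v", err)`. That lets an operator distinguish a malformed token from an expired one when investigating rejected tunnel requests, without echoing the secret. The verifier's contract for `err` when `ok` is false is not visible here, so the message may read `<nil>` on some paths; Process's body starts before and continues after this hunk.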
@@ -284,7 +284,6 @@ func readCreateTunnelRequest(data []byte) (caps uint32, cookie string) { r.Read(cookieB) cookie, _ = DecodeUTF16(cookieB) } - log.Printf("Create tunnel caps: %d, cookie: %s", caps, cookie) return } -- GitLab