diff --git a/cmd/ck-client/ck-client.go b/cmd/ck-client/ck-client.go
index f5e9bff..9c0cafa 100644
--- a/cmd/ck-client/ck-client.go
+++ b/cmd/ck-client/ck-client.go
@@ -4,6 +4,7 @@ package main
 import (
 "encoding/base64"
+ "encoding/binary"
 "flag"
 "fmt"
 "github.com/cbeuw/Cloak/internal/common"
@@ -151,10 +152,11 @@ func main() {
 if adminUID != nil {
 log.Infof("API base is %v", localConfig.LocalAddr)
 authInfo.UID = adminUID
+ authInfo.SessionId = 0
 remoteConfig.NumConn = 1
 seshMaker = func() *mux.Session {
- return client.MakeSession(remoteConfig, authInfo, d, true)
+ return client.MakeSession(remoteConfig, authInfo, d)
 }
 } else {
 var network string
@@ -165,7 +167,12 @@ func main() {
 }
 log.Infof("Listening on %v %v for %v client", network, localConfig.LocalAddr, authInfo.ProxyMethod)
 seshMaker = func() *mux.Session {
- return client.MakeSession(remoteConfig, authInfo, d, false)
+ // sessionID is usergenerated. There shouldn't be a security concern because the scope of
+ // sessionID is limited to its UID.
+ quad := make([]byte, 4)
+ common.RandRead(authInfo.WorldState.Rand, quad)
+ authInfo.SessionId = binary.BigEndian.Uint32(quad)
+ return client.MakeSession(remoteConfig, authInfo, d)
 }
 }
diff --git a/internal/client/connector.go b/internal/client/connector.go
index 120733e..3f152e9 100644
--- a/internal/client/connector.go
+++ b/internal/client/connector.go
@@ -1,7 +1,6 @@
 package client
 import (
- "encoding/binary"
 "github.com/cbeuw/Cloak/internal/common"
 "net"
 "sync"
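Review bot: The closure added in the non-admin branch (hunk at -165) assigns `authInfo.SessionId` on the variable it captures from main, so every call to seshMaker rewrites state that the rest of main also sees. If seshMaker can ever run on more than one goroutine (not visible in this hunk), that write is a data race; working on a copy avoids it: `ai := authInfo`, `ai.SessionId = binary.BigEndian.Uint32(quad)`, `return client.MakeSession(remoteConfig, ai, d)`. The clientSeshMaker closure in internal/test/integration_test.go follows the same pattern with `ai`, and the three ID-generation lines are now duplicated in both places, so a small shared helper would keep them in step. main's body continues outside the hunk.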
@@ -12,18 +11,9 @@ import (
 log "github.com/sirupsen/logrus"
 )
-func MakeSession(connConfig RemoteConnConfig, authInfo AuthInfo, dialer common.Dialer, isAdmin bool) *mux.Session {
+// On different invocations to MakeSession, authInfo.SessionId MUST be different
+func MakeSession(connConfig RemoteConnConfig, authInfo AuthInfo, dialer common.Dialer) *mux.Session {
 log.Info("Attempting to start a new session")
- //TODO: let caller set this
- if !isAdmin {
- // sessionID is usergenerated. There shouldn't be a security concern because the scope of
- // sessionID is limited to its UID.
- quad := make([]byte, 4)
- common.RandRead(authInfo.WorldState.Rand, quad)
- authInfo.SessionId = binary.BigEndian.Uint32(quad)
- } else {
- authInfo.SessionId = 0
- }
 connsCh := make(chan net.Conn, connConfig.NumConn)
 var _sessionKey atomic.Value
@@ -48,6 +38,7 @@ func MakeSession(connConfig RemoteConnConfig, authInfo AuthInfo, dialer common.D
 time.Sleep(time.Second * 3)
 goto makeconn
 }
+ // sessionKey given by each connection should be identical
 _sessionKey.Store(sk)
 connsCh <- transportConn
 wg.Done()
diff --git a/internal/test/integration_test.go b/internal/test/integration_test.go
index ad301e7..1e21c61 100644
--- a/internal/test/integration_test.go
+++ b/internal/test/integration_test.go
@@ -3,6 +3,7 @@ package test
 import (
 "bytes"
 "encoding/base64"
+ "encoding/binary"
 "fmt"
 "github.com/cbeuw/Cloak/internal/client"
 "github.com/cbeuw/Cloak/internal/common"
@@ -185,7 +186,10 @@ func establishSession(lcc client.LocalConnConfig, rcc client.RemoteConnConfig, a
 netToCkServerD, ckServerListener := connutil.DialerListener(10 * 1024)
 clientSeshMaker := func() *mux.Session {
- return client.MakeSession(rcc, ai, netToCkServerD, false)
+ quad := make([]byte, 4)
+ common.RandRead(ai.WorldState.Rand, quad)
+ ai.SessionId = binary.BigEndian.Uint32(quad)
+ return client.MakeSession(rcc, ai, netToCkServerD)
 }
 var proxyToCkClientD common.Dialer
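Review bot: The comment added above MakeSession (hunk at -12) says `authInfo.SessionId` MUST differ on every invocation, but the admin branch in cmd/ck-client/ck-client.go sets it to 0 for every call, so the stated contract and a visible caller disagree. Nothing in this hunk checks the value either, so a caller that forgets to set it silently passes the zero value, which is the same ID the admin path uses. I would spell out both cases in a Go-style doc comment that starts with the function name, e.g. `// MakeSession starts a new session. The caller sets authInfo.SessionId before each call: a fresh random value for proxy sessions, 0 for the admin session.` MakeSession's body continues outside the hunk.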
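Review bot: The comment added at -48 states that every connection should yield the same sessionKey, but the line below it, `_sessionKey.Store(sk)`, stores unconditionally, so a mismatch would go unnoticed and the last store would win. If the invariant matters for how the session is keyed, it should either be verified where the stored value is read or the comment should say it is assumed, e.g. `// sessionKey is expected to be identical across connections; this is not checked here, the last Store wins`. The surrounding retry loop and the rest of MakeSession are outside the hunk, so whether a check exists elsewhere cannot be seen from here.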