Restrict cookies to a single IP address.

src/ipc.proto

@@ -166,6 +166,7 @@ message cookie
 	required string username = 1;
 	required string groupname = 2;
 	required string hostname = 3;
+	required string ip = 4;
 	required bytes session_id = 5;
 	required uint32 expiration = 6;
 	required uint32 ipv4_seed = 7;

src/main-auth.c

@@ -156,6 +156,7 @@ int ret;
 Cookie *cmsg;
 time_t now = time(0);
 gnutls_datum_t key = {s->cookie_key, sizeof(s->cookie_key)};
+char str_ip[MAX_IP_STR+1];
 PROTOBUF_ALLOCATOR(pa, proc);
 
 	if (req->cookie.len == 0) {
@@ -181,6 +182,16 @@ PROTOBUF_ALLOCATOR(pa, proc);
 		return -1;
 	snprintf(proc->username, sizeof(proc->username), "%s", cmsg->username);
 
+	/* check whether the IP matches */
+	if (cmsg->ip == NULL || human_addr2((struct sockaddr *)&proc->remote_addr, proc->remote_addr_len,
+					    str_ip, sizeof(str_ip), 0) == NULL)
+		return -1;
+	if (strcmp(str_ip, cmsg->ip) != 0) {
+		mslog(s, proc, LOG_INFO, "user '%s' is re-using cookie from different IP (prev: %s, current: %s); rejecting",
+			cmsg->username, cmsg->ip, str_ip);
+		return -1;
+	}
+
 	if (cmsg->groupname)
 		snprintf(proc->groupname, sizeof(proc->groupname), "%s", cmsg->groupname);
 

src/sec-mod-auth.c

@@ -82,6 +82,7 @@ static int generate_cookie(sec_mod_st * sec, client_entry_st * entry)
 	msg.username = entry->username;
 	msg.groupname = entry->groupname;
 	msg.hostname = entry->hostname;
+	msg.ip = entry->ip;
 
 	/* Fixme: possibly we should allow for completely random seeds */
 	if (sec->config->predictable_ips != 0) {