proxy: Generate random session hash keys.
This is to ensure that session ids are only valid until the proxy is restarted.
parent
73903315a9
commit
bde0301637
|
@ -20,16 +20,6 @@
|
||||||
# - etcd: Token information are retrieved from an etcd cluster (see below).
|
# - etcd: Token information are retrieved from an etcd cluster (see below).
|
||||||
tokentype = static
|
tokentype = static
|
||||||
|
|
||||||
[sessions]
|
|
||||||
# Secret value used to generate checksums of sessions. This should be a random
|
|
||||||
# string of 32 or 64 bytes.
|
|
||||||
hashkey = secret-for-session-checksums
|
|
||||||
|
|
||||||
# Optional key for encrypting data in the sessions. Must be either 16, 24 or
|
|
||||||
# 32 bytes.
|
|
||||||
# If no key is specified, data will not be encrypted (not recommended).
|
|
||||||
blockkey = -encryption-key-
|
|
||||||
|
|
||||||
[nats]
|
[nats]
|
||||||
# Url of NATS backend to use. This can also be a list of URLs to connect to
|
# Url of NATS backend to use. This can also be a list of URLs to connect to
|
||||||
# multiple backends. For local development, this can be set to ":loopback:"
|
# multiple backends. For local development, this can be set to ":loopback:"
|
||||||
|
|
|
@ -23,6 +23,7 @@ package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"crypto/rand"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"log"
|
"log"
|
||||||
|
@ -108,24 +109,14 @@ type ProxyServer struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile, nats signaling.NatsClient) (*ProxyServer, error) {
|
func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile, nats signaling.NatsClient) (*ProxyServer, error) {
|
||||||
hashKey, _ := config.GetString("sessions", "hashkey")
|
hashKey := make([]byte, 64)
|
||||||
switch len(hashKey) {
|
if _, err := rand.Read(hashKey); err != nil {
|
||||||
case 32:
|
return nil, fmt.Errorf("Could not generate random hash key: %s", err)
|
||||||
case 64:
|
|
||||||
default:
|
|
||||||
log.Printf("WARNING: The sessions hash key should be 32 or 64 bytes but is %d bytes", len(hashKey))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
blockKey, _ := config.GetString("sessions", "blockkey")
|
blockKey := make([]byte, 32)
|
||||||
blockBytes := []byte(blockKey)
|
if _, err := rand.Read(blockKey); err != nil {
|
||||||
switch len(blockKey) {
|
return nil, fmt.Errorf("Could not generate random block key: %s", err)
|
||||||
case 0:
|
|
||||||
blockBytes = nil
|
|
||||||
case 16:
|
|
||||||
case 24:
|
|
||||||
case 32:
|
|
||||||
default:
|
|
||||||
return nil, fmt.Errorf("The sessions block key must be 16, 24 or 32 bytes but is %d bytes", len(blockKey))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
var tokens ProxyTokens
|
var tokens ProxyTokens
|
||||||
|
@ -191,7 +182,7 @@ func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile, na
|
||||||
tokens: tokens,
|
tokens: tokens,
|
||||||
statsAllowedIps: statsAllowedIps,
|
statsAllowedIps: statsAllowedIps,
|
||||||
|
|
||||||
cookie: securecookie.New([]byte(hashKey), blockBytes).MaxAge(0),
|
cookie: securecookie.New(hashKey, blockKey).MaxAge(0),
|
||||||
sessions: make(map[uint64]*ProxySession),
|
sessions: make(map[uint64]*ProxySession),
|
||||||
|
|
||||||
clients: make(map[string]signaling.McuClient),
|
clients: make(map[string]signaling.McuClient),
|
||||||
|
|
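Review bot: In NewProxyServer the `[sessions]` options `hashkey` and `blockkey` are no longer read, so a deployment that still has them in its config gets no indication that they are ignored and that session ids now stop validating after every restart. A short startup notice would make that visible, for example `if v, _ := config.GetString("sessions", "hashkey"); v != "" { log.Printf("WARNING: sessions.hashkey is no longer used, keys are generated at startup") }`, and likewise for `blockkey`. The two new error returns would be more idiomatic as `fmt.Errorf("could not generate random hash key: %w", err)` (lowercase, wrapped) so callers can unwrap the cause. A one-line comment above the `rand.Read` calls saying the keys are deliberately per-process would also keep a later change from reintroducing a persisted key unintentionally. The function body continues outside the visible hunks.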