proxy: Generate random session hash keys.

This is to ensure that session ids are only valid until the proxy is restarted.
Joachim Bauch 2020-09-07 09:01:34 +02:00
parent 73903315a9
commit bde0301637
2 changed files with 8 additions and 27 deletions


@ -20,16 +20,6 @@
# - etcd: Token information are retrieved from an etcd cluster (see below). # - etcd: Token information are retrieved from an etcd cluster (see below).
tokentype = static tokentype = static
[sessions]
# Secret value used to generate checksums of sessions. This should be a random
# string of 32 or 64 bytes.
hashkey = secret-for-session-checksums
# Optional key for encrypting data in the sessions. Must be either 16, 24 or
# 32 bytes.
# If no key is specified, data will not be encrypted (not recommended).
blockkey = -encryption-key-
[nats] [nats]
# Url of NATS backend to use. This can also be a list of URLs to connect to # Url of NATS backend to use. This can also be a list of URLs to connect to
# multiple backends. For local development, this can be set to ":loopback:" # multiple backends. For local development, this can be set to ":loopback:"


@ -23,6 +23,7 @@ package main
import ( import (
"context" "context"
"crypto/rand"
"encoding/json" "encoding/json"
"fmt" "fmt"
"log" "log"
@ -108,24 +109,14 @@ type ProxyServer struct {
} }
func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile, nats signaling.NatsClient) (*ProxyServer, error) { func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile, nats signaling.NatsClient) (*ProxyServer, error) {
hashKey, _ := config.GetString("sessions", "hashkey") hashKey := make([]byte, 64)
switch len(hashKey) { if _, err := rand.Read(hashKey); err != nil {
case 32: return nil, fmt.Errorf("Could not generate random hash key: %s", err)
case 64:
default:
log.Printf("WARNING: The sessions hash key should be 32 or 64 bytes but is %d bytes", len(hashKey))
} }
blockKey, _ := config.GetString("sessions", "blockkey") blockKey := make([]byte, 32)
blockBytes := []byte(blockKey) if _, err := rand.Read(blockKey); err != nil {
switch len(blockKey) { return nil, fmt.Errorf("Could not generate random block key: %s", err)
case 0:
blockBytes = nil
case 16:
case 24:
case 32:
default:
return nil, fmt.Errorf("The sessions block key must be 16, 24 or 32 bytes but is %d bytes", len(blockKey))
} }
var tokens ProxyTokens var tokens ProxyTokens
@ -191,7 +182,7 @@ func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile, na
tokens: tokens, tokens: tokens,
statsAllowedIps: statsAllowedIps, statsAllowedIps: statsAllowedIps,
cookie: securecookie.New([]byte(hashKey), blockBytes).MaxAge(0), cookie: securecookie.New(hashKey, blockKey).MaxAge(0),
sessions: make(map[uint64]*ProxySession), sessions: make(map[uint64]*ProxySession),
clients: make(map[string]signaling.McuClient), clients: make(map[string]signaling.McuClient),
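Review bot: Nothing in NewProxyServer records that the securecookie keys are now per-process, so an operator who still has `hashkey` or `blockkey` under `[sessions]` gets no hint that those values are ignored. A comment above the first `rand.Read` would help, for example `// Keys are regenerated on every start, so session ids issued by a previous run or by another proxy instance will not decode.` If deployed configs may still carry the old options, a single `log.Printf` when `config.GetString("sessions", "hashkey")` returns a non-empty value would make the change visible at startup. The two new error returns format the cause with `%s`; if the minimum Go version allows it, `fmt.Errorf("could not generate random hash key: %w", err)` keeps the underlying error inspectable. The function body continues outside the hunks shown.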