review fixes

2024-11-13 07:29:30 +01:00 · 2019-05-12 16:26:23 -04:00 · 2019-05-12 16:26:23 -04:00 · 11076be0ee
commit 11076be0ee
parent 2451737f87
4 changed files with 18 additions and 2 deletions
--- a/irc/config.go
+++ b/irc/config.go
@ -731,6 +731,11 @@ func LoadConfig(filename string) (config *Config, err error) {
 	}

 	config.Server.Cloaks.Initialize()
+	if config.Server.Cloaks.Enabled {
+		if config.Server.Cloaks.Secret == "" || config.Server.Cloaks.Secret == "siaELnk6Kaeo65K3RCrwJjlWaZ-Bt3WuZ2L8MXLbNb4" {
+			return nil, fmt.Errorf("You must generate a new value of ip-cloaking.secret to enable cloaking")
+		}
+	}

 	for _, listenAddress := range config.Server.TorListeners.Listeners {
 		found := false
--- a/irc/utils/crypto.go
+++ b/irc/utils/crypto.go
@ -7,6 +7,7 @@ import (
 	"crypto/rand"
 	"crypto/subtle"
 	"encoding/base32"
+	"encoding/base64"
 )

 var (
@ -37,3 +38,10 @@ func SecretTokensMatch(storedToken string, suppliedToken string) bool {

 	return subtle.ConstantTimeCompare([]byte(storedToken), []byte(suppliedToken)) == 1
 }
+
+// generate a 256-bit secret key that can be written into a config file
+func GenerateSecretKey() string {
+	var buf [32]byte
+	rand.Read(buf[:])
+	return base64.RawURLEncoding.EncodeToString(buf[:])
+}
--- a/oragono.go
+++ b/oragono.go
@ -17,6 +17,7 @@ import (
 	"github.com/oragono/oragono/irc"
 	"github.com/oragono/oragono/irc/logger"
 	"github.com/oragono/oragono/irc/mkcerts"
+	"github.com/oragono/oragono/irc/utils"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/crypto/ssh/terminal"
 )
@ -46,6 +47,7 @@ Usage:
 	oragono upgradedb [--conf <filename>] [--quiet]
 	oragono genpasswd [--conf <filename>] [--quiet]
 	oragono mkcerts [--conf <filename>] [--quiet]
+	oragono mksecret [--conf <filename>] [--quiet]
 	oragono run [--conf <filename>] [--quiet]
 	oragono -h | --help
 	oragono --version
@ -128,6 +130,8 @@ Options:
 				log.Fatal("  Could not create certificate:", err.Error())
 			}
 		}
+	} else if arguments["mksecret"].(bool) {
+		fmt.Println(utils.GenerateSecretKey())
 	} else if arguments["run"].(bool) {
 		if !arguments["--quiet"].(bool) {
 			logman.Info("server", fmt.Sprintf("Oragono v%s starting", irc.SemVer))
--- a/oragono.yaml
+++ b/oragono.yaml
@ -204,8 +204,7 @@ server:
        # secret key to prevent dictionary attacks against cloaked IPs
        # any high-entropy secret is valid for this purpose:
        # you MUST generate a new one for your installation.
-        # suggestion: use the output of this command:
-        # python3 -c "import secrets; print(secrets.token_urlsafe())"
+        # suggestion: use the output of `oragono mksecret`
        # note that rotating this key will invalidate all existing ban masks.
        secret: "siaELnk6Kaeo65K3RCrwJjlWaZ-Bt3WuZ2L8MXLbNb4"