From 11076be0ee7c0c223d3dd3623417f5175a42ab06 Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni
Date: Sun, 12 May 2019 16:26:23 -0400
Subject: [PATCH] review fixes
---
 irc/config.go | 5 +++++
 irc/utils/crypto.go | 8 ++++++++
 oragono.go | 4 ++++
 oragono.yaml | 3 +--
 4 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/irc/config.go b/irc/config.go
index 11121495..fb0aff27 100644
--- a/irc/config.go
+++ b/irc/config.go
@@ -731,6 +731,11 @@ func LoadConfig(filename string) (config *Config, err error) {
 }
 config.Server.Cloaks.Initialize()
+ if config.Server.Cloaks.Enabled {
+ if config.Server.Cloaks.Secret == "" || config.Server.Cloaks.Secret == "siaELnk6Kaeo65K3RCrwJjlWaZ-Bt3WuZ2L8MXLbNb4" {
+ return nil, fmt.Errorf("You must generate a new value of ip-cloaking.secret to enable cloaking")
+ }
+ }
 for _, listenAddress := range config.Server.TorListeners.Listeners {
 found := false
diff --git a/irc/utils/crypto.go b/irc/utils/crypto.go
index 8eb15440..010b3401 100644
--- a/irc/utils/crypto.go
+++ b/irc/utils/crypto.go
@@ -7,6 +7,7 @@ import (
 "crypto/rand"
 "crypto/subtle"
 "encoding/base32"
+ "encoding/base64"
 )
 var (
@@ -37,3 +38,10 @@ func SecretTokensMatch(storedToken string, suppliedToken string) bool {
 return subtle.ConstantTimeCompare([]byte(storedToken), []byte(suppliedToken)) == 1
 }
+
+// generate a 256-bit secret key that can be written into a config file
+func GenerateSecretKey() string {
+ var buf [32]byte
+ rand.Read(buf[:])
+ return base64.RawURLEncoding.EncodeToString(buf[:])
+}
diff --git a/oragono.go b/oragono.go
index 0c1bf88e..77f8a1fb 100644
--- a/oragono.go
+++ b/oragono.go
@@ -17,6 +17,7 @@ import (
 "github.com/oragono/oragono/irc"
 "github.com/oragono/oragono/irc/logger"
 "github.com/oragono/oragono/irc/mkcerts"
+ "github.com/oragono/oragono/irc/utils"
 "golang.org/x/crypto/bcrypt"
 "golang.org/x/crypto/ssh/terminal"
 )
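Review bot: The rejected default value `"siaELnk6Kaeo65K3RCrwJjlWaZ-Bt3WuZ2L8MXLbNb4"` is hard-coded inline in the new check, duplicating the string shipped in oragono.yaml; hoisting it to a named package constant, e.g. `const defaultCloakSecret = "siaELnk6Kaeo65K3RCrwJjlWaZ-Bt3WuZ2L8MXLbNb4"`, keeps the two in one place and makes the check's intent visible. The check also accepts any other non-empty string, so a one-character secret passes; since the yaml comment says this key exists to resist dictionary attacks on cloaked IPs, a minimum-length check on the secret would be worth adding alongside the default-value rejection. Minor: `fmt.Errorf` with no format verbs can be `errors.New` (if `errors` is imported in config.go), and Go error strings are conventionally lowercase. LoadConfig begins and ends outside this hunk.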
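Review bot: `rand.Read(buf[:])` in GenerateSecretKey discards its error, so if the entropy source fails the function returns the base64 encoding of an all-zero (`var buf [32]byte`) or partially filled buffer and the caller writes it into the config as though it were a 256-bit secret. In Go releases of this era crypto/rand.Read can return a non-nil error, so check it: `if _, err := rand.Read(buf[:]); err != nil { panic("crypto/rand: " + err.Error()) }` — or change the signature to `(string, error)` and let the mksecret command report the failure. The doc comment should also follow the exported-name convention, e.g. `// GenerateSecretKey returns 32 random bytes encoded as unpadded base64url, suitable for pasting into a config file.`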
@@ -46,6 +47,7 @@ Usage:
 oragono upgradedb [--conf ] [--quiet]
 oragono genpasswd [--conf ] [--quiet]
 oragono mkcerts [--conf ] [--quiet]
+ oragono mksecret [--conf ] [--quiet]
 oragono run [--conf ] [--quiet]
 oragono -h | --help
 oragono --version
@@ -128,6 +130,8 @@ Options:
 log.Fatal(" Could not create certificate:", err.Error())
 }
 }
+ } else if arguments["mksecret"].(bool) {
+ fmt.Println(utils.GenerateSecretKey())
 } else if arguments["run"].(bool) {
 if !arguments["--quiet"].(bool) {
 logman.Info("server", fmt.Sprintf("Oragono v%s starting", irc.SemVer))
diff --git a/oragono.yaml b/oragono.yaml
index 9a244cb6..bd3c7534 100644
--- a/oragono.yaml
+++ b/oragono.yaml
@@ -204,8 +204,7 @@ server:
 # secret key to prevent dictionary attacks against cloaked IPs
 # any high-entropy secret is valid for this purpose:
 # you MUST generate a new one for your installation.
- # suggestion: use the output of this command:
- # python3 -c "import secrets; print(secrets.token_urlsafe())"
+ # suggestion: use the output of `oragono mksecret`
 # note that rotating this key will invalidate all existing ban masks.
 secret: "siaELnk6Kaeo65K3RCrwJjlWaZ-Bt3WuZ2L8MXLbNb4"