
review fixes

tags/v1.1.0-rc1
Shivaram Lingamneni 5 years ago
parent
commit
11076be0ee
4 changed files with 18 additions and 2 deletions
  1. 5
    0
      irc/config.go
  2. 8
    0
      irc/utils/crypto.go
  3. 4
    0
      oragono.go
  4. 1
    2
      oragono.yaml

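--- a/irc/config.go
+++ b/irc/config.go
@@ -731,6 +731,11 @@ func LoadConfig(filename string) (config *Config, err error) {
 	}
 
 	config.Server.Cloaks.Initialize()
+	if config.Server.Cloaks.Enabled {
+		if config.Server.Cloaks.Secret == "" || config.Server.Cloaks.Secret == "siaELnk6Kaeo65K3RCrwJjlWaZ-Bt3WuZ2L8MXLbNb4" {
+			return nil, fmt.Errorf("You must generate a new value of ip-cloaking.secret to enable cloaking")
+		}
+	}
 
 	for _, listenAddress := range config.Server.TorListeners.Listeners {
 		found := false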
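Review bot: The new guard in LoadConfig rejects only an empty secret and the one sample value shipped in oragono.yaml, so a one-character or otherwise guessable secret still turns cloaking on, which weakens the dictionary-attack protection the secret exists for. A lower bound on length in the same condition would close most of that gap, for example `|| len(config.Server.Cloaks.Secret) < 32` (32 is a suggested floor, not a value taken from the project). The sample literal is also duplicated between this check and oragono.yaml; a named constant with a comment saying it must track the shipped config would keep the two from drifting apart. LoadConfig starts and ends outside the hunk, so any validation done elsewhere in it is not visible here.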

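--- a/irc/utils/crypto.go
+++ b/irc/utils/crypto.go
@@ -7,6 +7,7 @@ import (
 	"crypto/rand"
 	"crypto/subtle"
 	"encoding/base32"
+	"encoding/base64"
 )
 
 var (
@@ -37,3 +38,10 @@ func SecretTokensMatch(storedToken string, suppliedToken string) bool {
 
 	return subtle.ConstantTimeCompare([]byte(storedToken), []byte(suppliedToken)) == 1
 }
+
+// generate a 256-bit secret key that can be written into a config file
+func GenerateSecretKey() string {
+	var buf [32]byte
+	rand.Read(buf[:])
+	return base64.RawURLEncoding.EncodeToString(buf[:])
+}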
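Review bot: GenerateSecretKey discards the error from `rand.Read(buf[:])`, so on Go releases where crypto/rand.Read can fail the function would return the encoding of a partially filled or all-zero buffer, a predictable key that then gets pasted into a config file. Since the signature has no error return, failing hard is the safest fix: `if _, err := rand.Read(buf[:]); err != nil { panic(err) }`. The doc comment would also read better in godoc form, `// GenerateSecretKey returns a 256-bit random key, base64url-encoded without padding, suitable for a config file.`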

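--- a/oragono.go
+++ b/oragono.go
@@ -17,6 +17,7 @@ import (
 	"github.com/oragono/oragono/irc"
 	"github.com/oragono/oragono/irc/logger"
 	"github.com/oragono/oragono/irc/mkcerts"
+	"github.com/oragono/oragono/irc/utils"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/crypto/ssh/terminal"
 )
@@ -46,6 +47,7 @@ Usage:
 	oragono upgradedb [--conf <filename>] [--quiet]
 	oragono genpasswd [--conf <filename>] [--quiet]
 	oragono mkcerts [--conf <filename>] [--quiet]
+	oragono mksecret [--conf <filename>] [--quiet]
 	oragono run [--conf <filename>] [--quiet]
 	oragono -h | --help
 	oragono --version
@@ -128,6 +130,8 @@ Options:
 				log.Fatal("  Could not create certificate:", err.Error())
 			}
 		}
+	} else if arguments["mksecret"].(bool) {
+		fmt.Println(utils.GenerateSecretKey())
 	} else if arguments["run"].(bool) {
 		if !arguments["--quiet"].(bool) {
 			logman.Info("server", fmt.Sprintf("Oragono v%s starting", irc.SemVer))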
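Review bot: The `mksecret` branch writes a long-lived secret to stdout with no accompanying guidance, so anything that captures command output (CI logs, terminal session recordings) will retain it. A short comment above the branch, plus a line in the help text saying the value should go straight into the config file, would help, e.g. `// prints a fresh secret to stdout; callers should not log this output`. The usage line also advertises `[--conf <filename>] [--quiet]` for mksecret, while the branch as shown consults neither, so either drop them from that line or note that they are accepted only for uniformity with the other subcommands. The enclosing function begins and ends outside this hunk.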

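--- a/oragono.yaml
+++ b/oragono.yaml
@@ -204,8 +204,7 @@ server:
         # secret key to prevent dictionary attacks against cloaked IPs
         # any high-entropy secret is valid for this purpose:
         # you MUST generate a new one for your installation.
-        # suggestion: use the output of this command:
-        # python3 -c "import secrets; print(secrets.token_urlsafe())"
+        # suggestion: use the output of `oragono mksecret`
         # note that rotating this key will invalidate all existing ban masks.
         secret: "siaELnk6Kaeo65K3RCrwJjlWaZ-Bt3WuZ2L8MXLbNb4"
 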
