5 years ago · 11076be0ee
--- a/irc/config.go
+++ b/irc/config.go
@@ -731,6 +731,11 @@ func LoadConfig(filename string) (config *Config, err error) {
 
				
				 	}
			
 
				
				 
			
 
				
				 	config.Server.Cloaks.Initialize()
			
 
				
				+	if config.Server.Cloaks.Enabled {
			
 
				
				+		if config.Server.Cloaks.Secret == "" || config.Server.Cloaks.Secret == "siaELnk6Kaeo65K3RCrwJjlWaZ-Bt3WuZ2L8MXLbNb4" {
			
 
				
				+			return nil, fmt.Errorf("You must generate a new value of ip-cloaking.secret to enable cloaking")
			
 
				
				+		}
			
 
				
				+	}
			
 
				
				 
			
 
				
				 	for _, listenAddress := range config.Server.TorListeners.Listeners {
			
 
				
				 		found := false
			
--- a/irc/utils/crypto.go
+++ b/irc/utils/crypto.go
@@ -7,6 +7,7 @@ import (
 
				
				 	"crypto/rand"
			
 
				
				 	"crypto/subtle"
			
 
				
				 	"encoding/base32"
			
 
				
				+	"encoding/base64"
			
 
				
				 )
			
 
				
				 
			
 
				
				 var (
			
@@ -37,3 +38,10 @@ func SecretTokensMatch(storedToken string, suppliedToken string) bool {
 
				
				 
			
 
				
				 	return subtle.ConstantTimeCompare([]byte(storedToken), []byte(suppliedToken)) == 1
			
 
				
				 }
			
 
				
				+
			
 
				
				+// generate a 256-bit secret key that can be written into a config file
			
 
				
				+func GenerateSecretKey() string {
			
 
				
				+	var buf [32]byte
			
 
				
				+	rand.Read(buf[:])
			
 
				
				+	return base64.RawURLEncoding.EncodeToString(buf[:])
			
 
				
				+}
			
--- a/oragono.go
+++ b/oragono.go
@@ -17,6 +17,7 @@ import (
 
				
				 	"github.com/oragono/oragono/irc"
			
 
				
				 	"github.com/oragono/oragono/irc/logger"
			
 
				
				 	"github.com/oragono/oragono/irc/mkcerts"
			
 
				
				+	"github.com/oragono/oragono/irc/utils"
			
 
				
				 	"golang.org/x/crypto/bcrypt"
			
 
				
				 	"golang.org/x/crypto/ssh/terminal"
			
 
				
				 )
			
@@ -46,6 +47,7 @@ Usage:
 
				
				 	oragono upgradedb [--conf <filename>] [--quiet]
			
 
				
				 	oragono genpasswd [--conf <filename>] [--quiet]
			
 
				
				 	oragono mkcerts [--conf <filename>] [--quiet]
			
 
				
				+	oragono mksecret [--conf <filename>] [--quiet]
			
 
				
				 	oragono run [--conf <filename>] [--quiet]
			
 
				
				 	oragono -h | --help
			
 
				
				 	oragono --version
			
@@ -128,6 +130,8 @@ Options:
 
				
				 				log.Fatal("  Could not create certificate:", err.Error())
			
 
				
				 			}
			
 
				
				 		}
			
 
				
				+	} else if arguments["mksecret"].(bool) {
			
 
				
				+		fmt.Println(utils.GenerateSecretKey())
			
 
				
				 	} else if arguments["run"].(bool) {
			
 
				
				 		if !arguments["--quiet"].(bool) {
			
 
				
				 			logman.Info("server", fmt.Sprintf("Oragono v%s starting", irc.SemVer))
			
--- a/oragono.yaml
+++ b/oragono.yaml
@@ -204,8 +204,7 @@ server:
 
				
				         # secret key to prevent dictionary attacks against cloaked IPs
			
 
				
				         # any high-entropy secret is valid for this purpose:
			
 
				
				         # you MUST generate a new one for your installation.
			
 
				
				-        # suggestion: use the output of this command:
			
 
				
				-        # python3 -c "import secrets; print(secrets.token_urlsafe())"
			
 
				
				+        # suggestion: use the output of `oragono mksecret`
			
 
				
				         # note that rotating this key will invalidate all existing ban masks.
			
 
				
				         secret: "siaELnk6Kaeo65K3RCrwJjlWaZ-Bt3WuZ2L8MXLbNb4"