proxy: Generate random session hash keys.

This is to ensure that session ids are only valid until the proxy is restarted.
christiansicari · Sep 7, 2020 · bde0301 · bde0301
1 parent 7390331
commit bde0301
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 27 deletions.
diff --git a/proxy.conf.in b/proxy.conf.in
@@ -20,16 +20,6 @@
 # - etcd: Token information are retrieved from an etcd cluster (see below).
 tokentype = static
 
-[sessions]
-# Secret value used to generate checksums of sessions. This should be a random
-# string of 32 or 64 bytes.
-hashkey = secret-for-session-checksums
-
-# Optional key for encrypting data in the sessions. Must be either 16, 24 or
-# 32 bytes.
-# If no key is specified, data will not be encrypted (not recommended).
-blockkey = -encryption-key-
-
 [nats]
 # Url of NATS backend to use. This can also be a list of URLs to connect to
 # multiple backends. For local development, this can be set to ":loopback:"

diff --git a/src/proxy/proxy_server.go b/src/proxy/proxy_server.go
@@ -23,6 +23,7 @@ package main
 
 import (
 	"context"
+	"crypto/rand"
 	"encoding/json"
 	"fmt"
 	"log"
@@ -108,24 +109,14 @@ type ProxyServer struct {
 }
 
 func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile, nats signaling.NatsClient) (*ProxyServer, error) {
-	hashKey, _ := config.GetString("sessions", "hashkey")
-	switch len(hashKey) {
-	case 32:
-	case 64:
-	default:
-		log.Printf("WARNING: The sessions hash key should be 32 or 64 bytes but is %d bytes", len(hashKey))
+	hashKey := make([]byte, 64)
+	if _, err := rand.Read(hashKey); err != nil {
+		return nil, fmt.Errorf("Could not generate random hash key: %s", err)
 	}
 
-	blockKey, _ := config.GetString("sessions", "blockkey")
-	blockBytes := []byte(blockKey)
-	switch len(blockKey) {
-	case 0:
-		blockBytes = nil
-	case 16:
-	case 24:
-	case 32:
-	default:
-		return nil, fmt.Errorf("The sessions block key must be 16, 24 or 32 bytes but is %d bytes", len(blockKey))
+	blockKey := make([]byte, 32)
+	if _, err := rand.Read(blockKey); err != nil {
+		return nil, fmt.Errorf("Could not generate random block key: %s", err)
 	}
 
 	var tokens ProxyTokens
@@ -191,7 +182,7 @@ func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile, na
 		tokens:          tokens,
 		statsAllowedIps: statsAllowedIps,
 
-		cookie:   securecookie.New([]byte(hashKey), blockBytes).MaxAge(0),
+		cookie:   securecookie.New(hashKey, blockKey).MaxAge(0),
 		sessions: make(map[uint64]*ProxySession),
 
 		clients:   make(map[string]signaling.McuClient),