Added encryption to sessions and contact tokens to protect data.

11 years ago · cc255be4c5
3 changed files with 30 additions and 12 deletions
--- a/server.conf.in
+++ b/server.conf.in
@ -60,6 +60,11 @@ listen = 127.0.0.1:8080
 ; Session secret to use for session id generator. 32 or 64 bytes of random data
 ; are recommented.
 sessionSecret = the-default-secret-do-not-keep-me
 ; Encryption secret protecting the data in generated server side tokens. Use
 ; 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256. When you change
 ; the encryption secret, stored authentications, sessions and contacts become
 ; invalid.
 encryptionSecret = tne-default-encryption-block-key
 ; Full path to a text file containig client tokens which a user needs to enter
 ; when accessing the web client. Each line in this file represents a valid
 ; token.
--- a/src/app/spreed-webrtc-server/hub.go
+++ b/src/app/spreed-webrtc-server/hub.go
@ -23,6 +23,7 @@ package main
 import (
 	"bytes"
 	"crypto/aes"
 	"crypto/hmac"
 	"crypto/sha1"
 	"crypto/sha256"
@ -72,6 +73,7 @@ type Hub struct {
 	version               string
 	config                *Config
 	sessionSecret         []byte
 	encryptionSecret      []byte
 	turnSecret            []byte
 	tickets               *securecookie.SecureCookie
 	count                 uint64
@ -86,29 +88,35 @@ type Hub struct {
 	contacts              *securecookie.SecureCookie
 }
-func NewHub(version string, config *Config, sessionSecret, turnSecret, realm string) *Hub {
+func NewHub(version string, config *Config, sessionSecret, encryptionSecret, turnSecret, realm string) *Hub {
 	h := &Hub{
-		connectionTable: make(map[string]*Connection),
+		connectionTable:  make(map[string]*Connection),
-		sessionTable:    make(map[string]*Session),
+		sessionTable:     make(map[string]*Session),
-		roomTable:       make(map[string]*RoomWorker),
+		roomTable:        make(map[string]*RoomWorker),
-		version:         version,
+		version:          version,
-		config:          config,
+		config:           config,
-		sessionSecret:   []byte(sessionSecret),
+		sessionSecret:    []byte(sessionSecret),
-		turnSecret:      []byte(turnSecret),
+		encryptionSecret: []byte(encryptionSecret),
-		realm:           realm,
+		turnSecret:       []byte(turnSecret),
 		realm:            realm,
 	}
 	if len(h.sessionSecret) < 32 {
 		log.Printf("Weak sessionSecret (only %d bytes). It is recommended to use a key with 32 or 64 bytes.\n", len(h.sessionSecret))
 	}
-	h.tickets = securecookie.New(h.sessionSecret, nil)
+	h.tickets = securecookie.New(h.sessionSecret, h.encryptionSecret)
 	h.tickets.MaxAge(86400 * 30) // 30 days
 	h.tickets.HashFunc(sha256.New)
 	h.tickets.BlockFunc(aes.NewCipher)
 	h.buffers = NewBufferCache(1024, bytes.MinRead)
 	h.buddyImages = NewImageCache()
 	h.tokenName = fmt.Sprintf("token@%s", h.realm)
-	h.contacts = securecookie.New(h.sessionSecret, nil)
+	h.contacts = securecookie.New(h.sessionSecret, h.encryptionSecret)
 	h.contacts.MaxAge(0)
 	h.contacts.HashFunc(sha256.New)
 	h.contacts.BlockFunc(aes.NewCipher)
 	return h
 }
--- a/src/app/spreed-webrtc-server/main.go
+++ b/src/app/spreed-webrtc-server/main.go
@ -211,6 +211,11 @@ func runner(runtime phoenix.Runtime) error {
 		return fmt.Errorf("No sessionSecret in config file.")
 	}
 	encryptionSecret, err := runtime.GetString("app", "encryptionSecret")
 	if err != nil {
 		return fmt.Errorf("No encryptionSecret in config file.")
 	}
 	tokenFile, err := runtime.GetString("app", "tokenFile")
 	if err == nil {
 		if !httputils.HasFilePath(path.Clean(tokenFile)) {
@ -340,7 +345,7 @@ func runner(runtime phoenix.Runtime) error {
 	computedRealm := fmt.Sprintf("%s.%s", serverRealm, serverToken)
 	// Create our hub instance.
-	hub := NewHub(runtimeVersion, config, sessionSecret, turnSecret, computedRealm)
+	hub := NewHub(runtimeVersion, config, sessionSecret, encryptionSecret, turnSecret, computedRealm)
 	// Set number of go routines if it is 1
 	if goruntime.GOMAXPROCS(0) == 1 {