Added encryption to sessions and contact tokens to protect data.

server.conf.in

@@ -60,6 +60,11 @@ listen = 127.0.0.1:8080
 ; Session secret to use for session id generator. 32 or 64 bytes of random data
 ; are recommented.
 sessionSecret = the-default-secret-do-not-keep-me
+; Encryption secret protecting the data in generated server side tokens. Use
+; 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256. When you change
+; the encryption secret, stored authentications, sessions and contacts become
+; invalid.
+encryptionSecret = tne-default-encryption-block-key
 ; Full path to a text file containig client tokens which a user needs to enter
 ; when accessing the web client. Each line in this file represents a valid
 ; token.

src/app/spreed-webrtc-server/hub.go

@@ -23,6 +23,7 @@ package main
 
 import (
 	"bytes"
+	"crypto/aes"
 	"crypto/hmac"
 	"crypto/sha1"
 	"crypto/sha256"
@@ -72,6 +73,7 @@ type Hub struct {
 	version               string
 	config                *Config
 	sessionSecret         []byte
+	encryptionSecret      []byte
 	turnSecret            []byte
 	tickets               *securecookie.SecureCookie
 	count                 uint64
@@ -86,7 +88,7 @@ type Hub struct {
 	contacts              *securecookie.SecureCookie
 }
 
-func NewHub(version string, config *Config, sessionSecret, turnSecret, realm string) *Hub {
+func NewHub(version string, config *Config, sessionSecret, encryptionSecret, turnSecret, realm string) *Hub {
 
 	h := &Hub{
 		connectionTable:  make(map[string]*Connection),
@@ -95,6 +97,7 @@ func NewHub(version string, config *Config, sessionSecret, turnSecret, realm str
 		version:          version,
 		config:           config,
 		sessionSecret:    []byte(sessionSecret),
+		encryptionSecret: []byte(encryptionSecret),
 		turnSecret:       []byte(turnSecret),
 		realm:            realm,
 	}
@@ -103,12 +106,17 @@ func NewHub(version string, config *Config, sessionSecret, turnSecret, realm str
 		log.Printf("Weak sessionSecret (only %d bytes). It is recommended to use a key with 32 or 64 bytes.\n", len(h.sessionSecret))
 	}
 
-	h.tickets = securecookie.New(h.sessionSecret, nil)
+	h.tickets = securecookie.New(h.sessionSecret, h.encryptionSecret)
+	h.tickets.MaxAge(86400 * 30) // 30 days
+	h.tickets.HashFunc(sha256.New)
+	h.tickets.BlockFunc(aes.NewCipher)
 	h.buffers = NewBufferCache(1024, bytes.MinRead)
 	h.buddyImages = NewImageCache()
 	h.tokenName = fmt.Sprintf("token@%s", h.realm)
-	h.contacts = securecookie.New(h.sessionSecret, nil)
+	h.contacts = securecookie.New(h.sessionSecret, h.encryptionSecret)
 	h.contacts.MaxAge(0)
+	h.contacts.HashFunc(sha256.New)
+	h.contacts.BlockFunc(aes.NewCipher)
 	return h
 
 }

src/app/spreed-webrtc-server/main.go

@@ -211,6 +211,11 @@ func runner(runtime phoenix.Runtime) error {
 		return fmt.Errorf("No sessionSecret in config file.")
 	}
 
+	encryptionSecret, err := runtime.GetString("app", "encryptionSecret")
+	if err != nil {
+		return fmt.Errorf("No encryptionSecret in config file.")
+	}
+
 	tokenFile, err := runtime.GetString("app", "tokenFile")
 	if err == nil {
 		if !httputils.HasFilePath(path.Clean(tokenFile)) {
@@ -340,7 +345,7 @@ func runner(runtime phoenix.Runtime) error {
 	computedRealm := fmt.Sprintf("%s.%s", serverRealm, serverToken)
 
 	// Create our hub instance.
-	hub := NewHub(runtimeVersion, config, sessionSecret, turnSecret, computedRealm)
+	hub := NewHub(runtimeVersion, config, sessionSecret, encryptionSecret, turnSecret, computedRealm)
 
 	// Set number of go routines if it is 1
 	if goruntime.GOMAXPROCS(0) == 1 {