Added AES encryption key/IV cli options.

5 files changed, 54 insertions, 12 deletions

diff --git a/zenserver/auth/authmgr.cpp b/zenserver/auth/authmgr.cpp
index f61e4acd7..fa5e0d753 100644
--- a/zenserver/auth/authmgr.cpp
+++ b/zenserver/auth/authmgr.cpp
@@ -23,9 +23,6 @@ namespace zen {
 using namespace std::literals;
 
 namespace details {
-	const std::string_view DefaultPrivateKey = "HeyThisIsNotAGoodPrivateKeyToUse"sv;
-	const std::string_view DefaultIV		 = "DefaultInitVecto"sv;
-
 	IoBuffer ReadEncryptedFile(std::filesystem::path Path, MemoryView EncryptionKey, MemoryView IV)
 	{
 		FileContents Result = ReadFile(Path);
@@ -79,6 +76,16 @@ namespace details {
 	}
 }  // namespace details
 
+AuthEncryptionKey
+AuthEncryptionKey::Default()
+{
+	const std::string_view DefaultKey = "HeyThisIsNotAGoodPrivateKeyToUse"sv;
+	const std::string_view DefaultIV  = "DefaultInitVecto"sv;
+
+	return {.Key = IoBufferBuilder::MakeCloneFromMemory(MakeMemoryView(DefaultKey)),
+			.IV	 = IoBufferBuilder::MakeCloneFromMemory(MakeMemoryView(DefaultIV))};
+}
+
 class AuthMgrImpl final : public AuthMgr
 {
 	using Clock		= std::chrono::system_clock;
@@ -88,6 +95,12 @@ class AuthMgrImpl final : public AuthMgr
 public:
 	AuthMgrImpl(const AuthConfig& Config) : m_Config(Config), m_Log(logging::Get("auth"))
 	{
+		if (!m_Config.EncryptionKey.Key || !m_Config.EncryptionKey.IV)
+		{
+			ZEN_WARN("using default encryption key");
+			m_Config.EncryptionKey = AuthEncryptionKey::Default();
+		}
+
 		LoadState();
 
 		m_BackgroundThread.Interval = Config.UpdateInterval;
@@ -235,9 +248,8 @@ private:
 	{
 		try
 		{
-			IoBuffer Buffer = details::ReadEncryptedFile(m_Config.RootDirectory / "authstate"sv,
-														 MakeMemoryView(details::DefaultPrivateKey),
-														 MakeMemoryView(details::DefaultIV));
+			IoBuffer Buffer =
+				details::ReadEncryptedFile(m_Config.RootDirectory / "authstate"sv, m_Config.EncryptionKey.Key, m_Config.EncryptionKey.IV);
 
 			if (Buffer.GetSize() == 0)
 			{
@@ -340,13 +352,10 @@ private:
 
 			std::filesystem::create_directories(m_Config.RootDirectory);
 
-			MemoryView EncryptionKey = MakeMemoryView(details::DefaultPrivateKey);
-			MemoryView IV			 = MakeMemoryView(details::DefaultIV);
-
 			const uint64_t ByteCount = details::WriteEncryptedFile(m_Config.RootDirectory / "authstate"sv,
 																   AuthState.Save().GetBuffer().AsIoBuffer(),
-																   EncryptionKey,
-																   IV);
+																   m_Config.EncryptionKey.Key,
+																   m_Config.EncryptionKey.IV);
 
 			if (ByteCount == 0)
 			{
diff --git a/zenserver/auth/authmgr.h b/zenserver/auth/authmgr.h
index 355c25cc9..9695b4366 100644
--- a/zenserver/auth/authmgr.h
+++ b/zenserver/auth/authmgr.h
@@ -1,5 +1,6 @@
 // Copyright Epic Games, Inc. All Rights Reserved.
 
+#include <zencore/iobuffer.h>
 #include <zencore/string.h>
 
 #include <chrono>
@@ -39,10 +40,19 @@ public:
 	virtual OpenIdAccessToken GetOpenIdAccessToken(std::string_view ProviderName) = 0;
 };
 
+struct AuthEncryptionKey
+{
+	IoBuffer Key;
+	IoBuffer IV;
+
+	static AuthEncryptionKey Default();
+};
+
 struct AuthConfig
 {
 	std::filesystem::path RootDirectory;
 	std::chrono::seconds  UpdateInterval{30};
+	AuthEncryptionKey	  EncryptionKey;
 };
 
 std::unique_ptr<AuthMgr> MakeAuthMgr(const AuthConfig& Config);
diff --git a/zenserver/config.cpp b/zenserver/config.cpp
index bc44e305b..4c30be3ea 100644
--- a/zenserver/config.cpp
+++ b/zenserver/config.cpp
@@ -117,6 +117,19 @@ ParseCliOptions(int argc, char* argv[], ZenServerOptions& ServerOptions)
 						  "Disable Sentry crash handler",
 						  cxxopts::value<bool>(ServerOptions.NoSentry)->default_value("false"));
 
+	options.add_option("security",
+					   "",
+					   "encryption-aes-key",
+					   "256 bit AES encryption key",
+					   cxxopts::value<std::string>(ServerOptions.EncryptionKey),
+					   "");
+
+	options.add_option("security",
+					   "",
+					   "encryption-aes-iv",
+					   "128 bit AES encryption initialization vector",
+					   cxxopts::value<std::string>(ServerOptions.EncryptionIV),
+					   "");
 	options
 		.add_option("lifetime", "", "owner-pid", "Specify owning process id", cxxopts::value<int>(ServerOptions.OwnerPid), "<identifier>");
 	options.add_option("lifetime",
diff --git a/zenserver/config.h b/zenserver/config.h
index cad130193..69e65498c 100644
--- a/zenserver/config.h
+++ b/zenserver/config.h
@@ -94,6 +94,8 @@ struct ZenServerOptions
 	std::string			   ChildId;							// Id assigned by parent process (used for lifetime management)
 	std::string			   LogId;							// Id for tagging log output
 	std::string			   HttpServerClass;					// Choice of HTTP server implementation
+	std::string			   EncryptionKey;					// 256 bit AES encryption key
+	std::string			   EncryptionIV;					// 128 bit AES initialization vector
 	int					   BasePort				  = 1337;	// Service listen port (used for both UDP and TCP)
 	int					   OwnerPid				  = 0;		// Parent process id (zero for standalone)
 	bool				   InstallService		  = false;	// Flag used to initiate service install (temporary)
diff --git a/zenserver/zenserver.cpp b/zenserver/zenserver.cpp
index 6b178ee0c..03d59ba7c 100644
--- a/zenserver/zenserver.cpp
+++ b/zenserver/zenserver.cpp
@@ -204,7 +204,15 @@ public:
 		m_Http				  = zen::CreateHttpServer(ServerOptions.HttpServerClass);
 		int EffectiveBasePort = m_Http->Initialize(ServerOptions.BasePort);
 
-		m_AuthMgr	  = MakeAuthMgr({.RootDirectory = m_DataRoot / "auth"});
+		AuthEncryptionKey EncryptionKey;
+
+		if (ServerOptions.EncryptionKey.empty() == false && ServerOptions.EncryptionIV.empty() == false)
+		{
+			EncryptionKey = AuthEncryptionKey{.Key = IoBufferBuilder::MakeCloneFromMemory(MakeMemoryView(ServerOptions.EncryptionKey)),
+											  .IV  = IoBufferBuilder::MakeCloneFromMemory(MakeMemoryView(ServerOptions.EncryptionIV))};
+		};
+
+		m_AuthMgr	  = MakeAuthMgr({.RootDirectory = m_DataRoot / "auth", .EncryptionKey = EncryptionKey});
 		m_AuthService = std::make_unique<zen::HttpAuthService>(*m_AuthMgr);
 		m_Http->RegisterService(*m_AuthService);