diff --git a/server.conf.in b/server.conf.in
index 8b8c1d27..6b1c6acf 100644
--- a/server.conf.in
+++ b/server.conf.in
@@ -41,10 +41,10 @@ listen = 127.0.0.1:8080
 ; long cached static resources.
 ;ver = 1234
 ; STUN server URIs in format host:port. You can provide multiple seperated by
-; space. If you do not have one use a public one like stun.l.google.com:19302.
-; If you have a TURN server you do not need to set an STUN server as the TURN
-; server will normally do STUN too.
-;stunURIs = stun:stun.l.google.com:19302
+; space. If you do not have one use a public one like stun.spreed.me:443. If
+; you have a TURN server you do not need to set an STUN server as the TURN
+; server will provide STUN services.
+;stunURIs = stun:stun.spreed.me:443
 ; TURN server URIs in format host:port?transport=udp|tcp. You can provide
 ; multiple seperated by space. If you do not have at least one TURN server then
 ; some users will not be able to use the server as the peer to peer connection
@@ -58,12 +58,14 @@ listen = 127.0.0.1:8080
 ; A supported TURN server is https://code.google.com/p/rfc5766-turn-server/.
 ;turnSecret = the-default-turn-shared-secret-do-not-keep
 ; Session secret to use for session id generator. 32 or 64 bytes of random data
-; are recommented.
+; are recommented (hex encoded). A warning will be logged if hex decode fails.
+; You can generate a secret easily with "xxd -ps -l 32 -c 32 /dev/random".
 sessionSecret = the-default-secret-do-not-keep-me
 ; Encryption secret protecting the data in generated server side tokens. Use
-; 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256. When you change
-; the encryption secret, stored authentications, sessions and contacts become
-; invalid.
+; 16, 24, or 32 bytes (hex encoded) to select AES-128, AES-192, or AES-256.
+; When you change the encryption secret, stored authentications, sessions and
+; contacts become invalid. A warning will be logged if hex decode fails. You
+; can generate a secret easily with "xxd -ps -l 32 -c 32 /dev/random".
 encryptionSecret = tne-default-encryption-block-key
 ; Full path to a text file containig client tokens which a user needs to enter
 ; when accessing the web client. Each line in this file represents a valid
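Review bot: The new sessionSecret comment says only that a warning is logged when hex decoding fails, but not what happens next; main.go in this same commit then uses the literal bytes of the value, and an operator should know a non-hex value is accepted rather than rejected, e.g. `; are recommended (hex encoded). If the value is not valid hex a warning is logged` / `; and the literal string bytes are used instead.` The typo "recommented" carried over into the new line can be fixed in the same edit. The encryptionSecret paragraph below has the same gap and deserves the same sentence.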
@@ -78,12 +80,12 @@ encryptionSecret = tne-default-encryption-block-key
 ;defaultRoomEnabled = true
 ; Server token is a public random string which is used to enhance security of
 ; server generated security tokens. When the serverToken is changed all existing
-; nonces become invalid. Use 32 or 64 byte random data.
-;serverToken = i-did-not-change-the-public-token-boo
+; nonces become invalid. Use 32 or 64 characters (eg. 16 or 32 byte hex).
+serverToken = i-did-not-change-the-public-token-boo
 ; The server realm is part of the validation chain of tokens and nonces and is
 ; added as suffix to server created user ids if user creation is enabled. When
 ; the realm is changed, all existing tokens and nonces become invalid.
-;serverRealm = local
+serverRealm = local
 ; Full path to an extra templates directory. Templates in this directory ending
 ; with .html will be parsed on startup and can be used to fill the supported
 ; extra-* template slots. If the extra folder has a sub folder "static", the
diff --git a/src/app/spreed-webrtc-server/hub.go b/src/app/spreed-webrtc-server/hub.go
index bc0b1a56..a72fa5f2 100644
--- a/src/app/spreed-webrtc-server/hub.go
+++ b/src/app/spreed-webrtc-server/hub.go
@@ -93,7 +93,7 @@ type Hub struct {
 contacts *securecookie.SecureCookie
 }
-func NewHub(version string, config *Config, sessionSecret, encryptionSecret, turnSecret, realm string) *Hub {
+func NewHub(version string, config *Config, sessionSecret, encryptionSecret, turnSecret []byte, realm string) *Hub {
 h := &Hub{
 connectionTable: make(map[string]*Connection),
@@ -102,9 +102,9 @@ func NewHub(version string, config *Config, sessionSecret, encryptionSecret, tur
 userTable: make(map[string]*User),
 version: version,
 config: config,
- sessionSecret: []byte(sessionSecret),
- encryptionSecret: []byte(encryptionSecret),
- turnSecret: []byte(turnSecret),
+ sessionSecret: sessionSecret,
+ encryptionSecret: encryptionSecret,
+ turnSecret: turnSecret,
 realm: realm,
 }
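Review bot: `serverToken = i-did-not-change-the-public-token-boo` is now an active line rather than a commented example, so every deployment built from this template runs with the placeholder unless the operator edits it, while the comment above describes the value as a random string; either keep the line commented out or add `; Replace this placeholder with your own random value before deployment.` directly above it. Whether the server refuses the placeholder anywhere else is not visible in this diff, so I am hedging on the impact.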
diff --git a/src/app/spreed-webrtc-server/main.go b/src/app/spreed-webrtc-server/main.go
index b4bacdd3..50db95c8 100644
--- a/src/app/spreed-webrtc-server/main.go
+++ b/src/app/spreed-webrtc-server/main.go
@@ -25,6 +25,7 @@ import (
 "app/spreed-webrtc-server/sleepy"
 "bytes"
 "crypto/rand"
+ "encoding/hex"
 "flag"
 "fmt"
 "github.com/gorilla/mux"
@@ -207,19 +208,31 @@ func runner(runtime phoenix.Runtime) error {
 }()
 }
- sessionSecret, err := runtime.GetString("app", "sessionSecret")
+ var sessionSecret []byte
+ sessionSecretString, err := runtime.GetString("app", "sessionSecret")
 if err != nil {
 return fmt.Errorf("No sessionSecret in config file.")
 } else {
+ sessionSecret, err = hex.DecodeString(sessionSecretString)
+ if err != nil {
+ log.Println("Warning: sessionSecret value is not a hex encoded", err)
+ sessionSecret = []byte(sessionSecretString)
+ }
 if len(sessionSecret) < 32 {
 return fmt.Errorf("Length of sessionSecret must be at least 32 bytes.")
 }
 }
- encryptionSecret, err := runtime.GetString("app", "encryptionSecret")
+ var encryptionSecret []byte
+ encryptionSecretString, err := runtime.GetString("app", "encryptionSecret")
 if err != nil {
 return fmt.Errorf("No encryptionSecret in config file.")
 } else {
+ encryptionSecret, err = hex.DecodeString(encryptionSecretString)
+ if err != nil {
+ log.Println("Warning: encryptionSecret value is not a hex encoded", err)
+ encryptionSecret = []byte(encryptionSecretString)
+ }
 switch l := len(encryptionSecret); {
 case l == 16:
 case l == 24:
@@ -268,9 +281,10 @@ func runner(runtime phoenix.Runtime) error {
 turnURIs := strings.Split(turnURIsString, " ")
 trimAndRemoveDuplicates(&turnURIs)
- turnSecret, err := runtime.GetString("app", "turnSecret")
- if err != nil {
- turnSecret = ""
- }
+ var turnSecret []byte
+ turnSecretString, err := runtime.GetString("app", "turnSecret")
+ if err == nil {
+ turnSecret = []byte(turnSecretString)
+ }
 stunURIsString, err := runtime.GetString("app", "stunURIs")
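Review bot: The `log.Println("Warning: sessionSecret value is not a hex encoded", err)` line, and its encryptionSecret twin, print the decode error, and hex.InvalidByteError's message includes the offending byte, so the first non-hex character of the configured secret lands in the server log; drop `err` from both calls, e.g. `log.Println("Warning: sessionSecret is not hex encoded, using the literal value")`. The decode is also attempted unconditionally, so an existing deployment whose secret happens to be valid hex gets a different key after upgrade: a 32-character hex encryptionSecret used to be a 32-byte AES-256 key and now decodes to 16 different bytes (AES-128), and a 64-character hex sessionSecret shrinks from 64 to 32 different bytes, invalidating stored tokens and sessions with no warning at all, which deserves a sentence in the config comment or release notes. The fallback branch is moreover the path the shipped placeholders take (`the-default-secret-do-not-keep-me` is 33 bytes and `tne-default-encryption-block-key` is 32, so both pass the length checks), which turns the new warning into noise on every default install; comparing against those two literal defaults and returning an error here would be cheap. runner continues outside the hunk.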
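Review bot: With `var turnSecret []byte` left unassigned when the config key is missing, NewHub now receives a nil slice where the old code passed `[]byte("")`, an empty non-nil slice; any consumer that tests `h.turnSecret == nil` instead of `len(h.turnSecret) == 0` would change behaviour, which I cannot verify from this diff. turnSecret is also the only secret in this commit that is not hex-decoded; if that is deliberate because the bytes must match the shared secret configured in the TURN server verbatim, a comment saying so would keep the next reader from "fixing" it, e.g. `// turnSecret is used verbatim: it must match the shared secret configured in the TURN server.` runner continues outside the hunk.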