Decode secrets as hex and recommend in configuration comments to generate secrets as hex values with example on how to do it.

server.conf.in

@@ -41,10 +41,10 @@ listen = 127.0.0.1:8080
 ; long cached static resources.
 ;ver = 1234
 ; STUN server URIs in format host:port. You can provide multiple seperated by
-; space. If you do not have one use a public one like stun.l.google.com:19302.
+; space. If you do not have one use a public one like stun.spreed.me:443. If
-; If you have a TURN server you do not need to set an STUN server as the TURN
+; you have a TURN server you do not need to set an STUN server as the TURN
-; server will normally do STUN too.
+; server will provide STUN services.
-;stunURIs = stun:stun.l.google.com:19302
+;stunURIs = stun:stun.spreed.me:443
 ; TURN server URIs in format host:port?transport=udp|tcp. You can provide
 ; multiple seperated by space. If you do not have at least one TURN server then
 ; some users will not be able to use the server as the peer to peer connection
@@ -58,12 +58,14 @@ listen = 127.0.0.1:8080
 ; A supported TURN server is https://code.google.com/p/rfc5766-turn-server/.
 ;turnSecret = the-default-turn-shared-secret-do-not-keep
 ; Session secret to use for session id generator. 32 or 64 bytes of random data
-; are recommented.
+; are recommented (hex encoded). A warning will be logged if hex decode fails.
+; You can generate a secret easily with "xxd -ps -l 32 -c 32 /dev/random".
 sessionSecret = the-default-secret-do-not-keep-me
 ; Encryption secret protecting the data in generated server side tokens. Use
-; 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256. When you change
+; 16, 24, or 32 bytes (hex encoded) to select AES-128, AES-192, or AES-256.
-; the encryption secret, stored authentications, sessions and contacts become
+; When you change the encryption secret, stored authentications, sessions and
-; invalid.
+; contacts become invalid. A warning will be logged if hex decode fails. You
+; can generate a secret easily with "xxd -ps -l 32 -c 32 /dev/random".
 encryptionSecret = tne-default-encryption-block-key
 ; Full path to a text file containig client tokens which a user needs to enter
 ; when accessing the web client. Each line in this file represents a valid
@@ -78,12 +80,12 @@ encryptionSecret = tne-default-encryption-block-key
 ;defaultRoomEnabled = true
 ; Server token is a public random string which is used to enhance security of
 ; server generated security tokens. When the serverToken is changed all existing
-; nonces become invalid. Use 32 or 64 byte random data.
+; nonces become invalid. Use 32 or 64 characters (eg. 16 or 32 byte hex).
-;serverToken = i-did-not-change-the-public-token-boo
+serverToken = i-did-not-change-the-public-token-boo
 ; The server realm is part of the validation chain of tokens and nonces and is
 ; added as suffix to server created user ids if user creation is enabled. When
 ; the realm is changed, all existing tokens and nonces become invalid.
-;serverRealm = local
+serverRealm = local
 ; Full path to an extra templates directory. Templates in this directory ending
 ; with .html will be parsed on startup and can be used to fill the supported
 ; extra-* template slots. If the extra folder has a sub folder "static", the

src/app/spreed-webrtc-server/hub.go

@@ -93,7 +93,7 @@ type Hub struct {
 	contacts              *securecookie.SecureCookie
 }
 
-func NewHub(version string, config *Config, sessionSecret, encryptionSecret, turnSecret, realm string) *Hub {
+func NewHub(version string, config *Config, sessionSecret, encryptionSecret, turnSecret []byte, realm string) *Hub {
 
 	h := &Hub{
 		connectionTable:  make(map[string]*Connection),
@@ -102,9 +102,9 @@ func NewHub(version string, config *Config, sessionSecret, encryptionSecret, tur
 		userTable:        make(map[string]*User),
 		version:          version,
 		config:           config,
-		sessionSecret:    []byte(sessionSecret),
+		sessionSecret:    sessionSecret,
-		encryptionSecret: []byte(encryptionSecret),
+		encryptionSecret: encryptionSecret,
-		turnSecret:       []byte(turnSecret),
+		turnSecret:       turnSecret,
 		realm:            realm,
 	}
 

src/app/spreed-webrtc-server/main.go

@@ -25,6 +25,7 @@ import (
 	"app/spreed-webrtc-server/sleepy"
 	"bytes"
 	"crypto/rand"
+	"encoding/hex"
 	"flag"
 	"fmt"
 	"github.com/gorilla/mux"
@@ -207,19 +208,31 @@ func runner(runtime phoenix.Runtime) error {
 		}()
 	}
 
-	sessionSecret, err := runtime.GetString("app", "sessionSecret")
+	var sessionSecret []byte
+	sessionSecretString, err := runtime.GetString("app", "sessionSecret")
 	if err != nil {
 		return fmt.Errorf("No sessionSecret in config file.")
 	} else {
+		sessionSecret, err = hex.DecodeString(sessionSecretString)
+		if err != nil {
+			log.Println("Warning: sessionSecret value is not a hex encoded", err)
+			sessionSecret = []byte(sessionSecretString)
+		}
 		if len(sessionSecret) < 32 {
 			return fmt.Errorf("Length of sessionSecret must be at least 32 bytes.")
 		}
 	}
 
-	encryptionSecret, err := runtime.GetString("app", "encryptionSecret")
+	var encryptionSecret []byte
+	encryptionSecretString, err := runtime.GetString("app", "encryptionSecret")
 	if err != nil {
 		return fmt.Errorf("No encryptionSecret in config file.")
 	} else {
+		encryptionSecret, err = hex.DecodeString(encryptionSecretString)
+		if err != nil {
+			log.Println("Warning: encryptionSecret value is not a hex encoded", err)
+			encryptionSecret = []byte(encryptionSecretString)
+		}
 		switch l := len(encryptionSecret); {
 		case l == 16:
 		case l == 24:
@@ -268,9 +281,10 @@ func runner(runtime phoenix.Runtime) error {
 	turnURIs := strings.Split(turnURIsString, " ")
 	trimAndRemoveDuplicates(&turnURIs)
 
-	turnSecret, err := runtime.GetString("app", "turnSecret")
+	var turnSecret []byte
-	if err != nil {
+	turnSecretString, err := runtime.GetString("app", "turnSecret")
-		turnSecret = ""
+	if err == nil {
+		turnSecret = []byte(turnSecretString)
 	}
 
 	stunURIsString, err := runtime.GetString("app", "stunURIs")