From 00f2a84f563a032bccad0d77778f491a365f7d84 Mon Sep 17 00:00:00 2001
From: mom040267
Date: Sat, 16 Aug 2014 06:51:58 +0000
Subject: [PATCH] MySQL SSL support added
---
 ChangeLog | 1 +
 INSTALL | 5 ++++
 README.turnserver | 4 ++++
 STATUS | 2 ++
 examples/etc/turnserver.conf | 7 +++++-
 man/man1/turnadmin.1 | 2 +-
 man/man1/turnserver.1 | 6 ++++-
 man/man1/turnutils.1 | 2 +-
 src/apps/relay/dbdrivers/dbd_mysql.c | 35 ++++++++++++++++++++++++++++
 src/apps/relay/mainrelay.c | 11 +++++----
 10 files changed, 67 insertions(+), 8 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5e9898d2..3dd1bcc3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ Version 4.1.2.1 'Vitari':
 - The origin attribute is verified in the subsequent session messages.
+ - MySQL SSL connection support.
 - Crash fixed when the DB connection string is incorrect.
 - Minor docs fixes.
diff --git a/INSTALL b/INSTALL
index c9e57915..d68f5ff2 100644
--- a/INSTALL
+++ b/INSTALL
@@ -897,6 +897,11 @@ Or in the turnserver.conf file:
 mysql-userdb="host=localhost dbname=turn user=turn password=turn connect_timeout=30"
+If you have to use a secure MySQL connection (SSL) then you have to use also
+the optional connection string parameters for the secure communications:
+ca, capath, cert, key, cipher (see
+http://dev.mysql.com/doc/refman/5.0/en/mysql-ssl-set.html for the description).
+
 XVI. MongoDB setup
 The MongoDB setup is well documented on their site http://docs.mongodb.org/manual/.
diff --git a/README.turnserver b/README.turnserver
index 57c61a82..e7191d38 100644
--- a/README.turnserver
+++ b/README.turnserver
@@ -118,6 +118,10 @@ User database settings:
 Also, see http://www.mysql.org or http://mariadb.org for full MySQL documentation.
+ Optional connection string parameters for the secure communications (SSL):
+ ca, capath, cert, key, cipher
+ (see http://dev.mysql.com/doc/refman/5.0/en/mysql-ssl-set.html for the description).
+
 -J, --mongo-userdb User database connection string for MongoDB.
 This database can be used for long-term and short-term credentials mechanisms,
 and it can store the secret value
diff --git a/STATUS b/STATUS
index f76f353e..6d4090fa 100644
--- a/STATUS
+++ b/STATUS
@@ -102,6 +102,8 @@ compatibility.
 43) MongoDB support added.
 44) Double (dual) allocation added (SSODA draft).
+
+45) Secure MySQL connection implemented.
 Things to be implemented in future (the development roadmap) are described in the TODO file.
diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf
index 844fe77d..9f8c8ea9 100644
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@@ -263,7 +263,12 @@
 # MySQL database connection string in the case that we are using MySQL
 # as the user database.
 # This database can be used for long-term and short-term credential mechanisms
-# and it can store the secret value for secret-based timed authentication in TURN RESP API.
+# and it can store the secret value for secret-based timed authentication in TURN RESP API.
+#
+# Optional connection string parameters for the secure communications (SSL):
+# ca, capath, cert, key, cipher
+# (see http://dev.mysql.com/doc/refman/5.0/en/mysql-ssl-set.html for the description).
+#
 # Use string format as below (space separated parameters, all optional):
 #
 #mysql-userdb="host= dbname= user= password= port= connect_timeout="
diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1
index dc1bb6a3..8617d631 100644
--- a/man/man1/turnadmin.1
+++ b/man/man1/turnadmin.1
@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "11 August 2014" "" ""
+.TH TURN 1 "15 August 2014" "" ""
 .SH GENERAL INFORMATION
 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage
diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1
index 8f2fef05..03a01007 100644
--- a/man/man1/turnserver.1
+++ b/man/man1/turnserver.1
@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "11 August 2014" "" ""
+.TH TURN 1 "15 August 2014" "" ""
 .SH GENERAL INFORMATION
 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client
@@ -175,6 +175,10 @@ See the INSTALL file for more explanations and examples.
 .PP
 Also, see http://www.mysql.org or http://mariadb.org for full MySQL documentation.
+.PP
+Optional connection string parameters for the secure communications (SSL):
+ca, capath, cert, key, cipher
+(see http://dev.mysql.com/doc/refman/5.0/en/mysql\-ssl\-set.html for the description).
 .RE
 .TP
 .B
diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1
index 5f0a9d90..2de9b76a 100644
--- a/man/man1/turnutils.1
+++ b/man/man1/turnutils.1
@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "11 August 2014" "" ""
+.TH TURN 1 "15 August 2014" "" ""
 .SH GENERAL INFORMATION
 A set of turnutils_* programs provides some utility functionality to be used
diff --git a/src/apps/relay/dbdrivers/dbd_mysql.c b/src/apps/relay/dbdrivers/dbd_mysql.c
index 4681dba3..dee2feb9 100644
--- a/src/apps/relay/dbdrivers/dbd_mysql.c
+++ b/src/apps/relay/dbdrivers/dbd_mysql.c
@@ -46,6 +46,13 @@ struct _Myconninfo {
 char *password;
 unsigned int port;
 unsigned int connect_timeout;
+ /* SSL ==>> */
+ char *key;
+ char *ca;
+ char *cert;
+ char *capath;
+ char *cipher;
+ /* <<== SSL : see http://dev.mysql.com/doc/refman/5.0/en/mysql-ssl-set.html */
 };
 typedef struct _Myconninfo Myconninfo;
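Review bot: The five new `struct _Myconninfo` members say nothing about what they hold or who releases them; the `/* SSL ==>> */` and `/* <<== SSL ... */` markers only bracket the block. I would turn the opening marker into `/* SSL: option strings handed unchanged to mysql_ssl_set(); heap-owned copies of the connection-string values, released in MyconninfoFree() */` so a reader knows these are raw paths and a cipher list rather than loaded key material. The ownership part is what the MyconninfoFree and MyconninfoParse hunks in this commit implement, so it is worth stating at the declaration. Only the struct's closing brace is in the hunk; its opening line appears as the hunk's function context.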
@@ -56,6 +63,11 @@ static void MyconninfoFree(Myconninfo *co) {
 if(co->dbname) turn_free(co->dbname, strlen(co->dbname)+1);
 if(co->user) turn_free(co->user, strlen(co->user)+1);
 if(co->password) turn_free(co->password, strlen(co->password)+1);
+ if(co->key) turn_free(co->key, strlen(co->key)+1);
+ if(co->ca) turn_free(co->ca, strlen(co->ca)+1);
+ if(co->cert) turn_free(co->cert, strlen(co->cert)+1);
+ if(co->capath) turn_free(co->capath, strlen(co->capath)+1);
+ if(co->cipher) turn_free(co->cipher, strlen(co->cipher)+1);
 ns_bzero(co,sizeof(Myconninfo));
 }
 }
@@ -127,6 +139,26 @@ static Myconninfo *MyconninfoParse(char *userdb, char **errmsg) {
 co->connect_timeout = (unsigned int)atoi(seq+1);
 else if(!strcmp(s,"timeout"))
 co->connect_timeout = (unsigned int)atoi(seq+1);
+ else if(!strcmp(s,"key"))
+ co->key = strdup(seq+1);
+ else if(!strcmp(s,"ssl-key"))
+ co->key = strdup(seq+1);
+ else if(!strcmp(s,"ca"))
+ co->ca = strdup(seq+1);
+ else if(!strcmp(s,"ssl-ca"))
+ co->ca = strdup(seq+1);
+ else if(!strcmp(s,"capath"))
+ co->capath = strdup(seq+1);
+ else if(!strcmp(s,"ssl-capath"))
+ co->capath = strdup(seq+1);
+ else if(!strcmp(s,"cert"))
+ co->cert = strdup(seq+1);
+ else if(!strcmp(s,"ssl-cert"))
+ co->cert = strdup(seq+1);
+ else if(!strcmp(s,"cipher"))
+ co->cipher = strdup(seq+1);
+ else if(!strcmp(s,"ssl-cipher"))
+ co->cipher = strdup(seq+1);
 else {
 MyconninfoFree(co);
 co = NULL;
@@ -192,6 +224,9 @@ static MYSQL *get_mydb_connection(void) {
 } else {
 if(co->connect_timeout)
 mysql_options(mydbconnection,MYSQL_OPT_CONNECT_TIMEOUT,&(co->connect_timeout));
+ if(co->ca || co->capath || co->cert || co->cipher || co->key) {
+ mysql_ssl_set(mydbconnection, co->key, co->cert, co->ca, co->capath, co->cipher);
+ }
 MYSQL *conn = mysql_real_connect(mydbconnection, co->host, co->user, co->password, co->dbname, co->port, NULL, CLIENT_IGNORE_SIGPIPE);
 if(!conn) {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot open MySQL DB connection: <%s>, runtime error\n",pud->userdb);
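Review bot: The ten new `else if` branches in MyconninfoParse assign `co->key` through `co->cipher` with `strdup(seq+1)` without releasing a value an earlier parameter already stored, so a connection string that repeats `key=`, or gives both `key=` and `ssl-key=`, leaks the first copy; the pre-existing branches above the hunk may behave the same, but the new code need not repeat that. The paired spellings also double the comparison chain for no gain in behaviour. A small helper that strips an optional `ssl-` prefix, resolves the field, frees any earlier value and stores the new one collapses the twenty lines to a single branch, as below. MyconninfoParse starts and ends outside the hunk, and the helper assumes `turn_free` is the right release for a `strdup` result, which is the pairing the new MyconninfoFree lines in this commit already rely on.
```c
/* Stores an SSL connection-string parameter. `name` is "key", "ca", "capath",
 * "cert" or "cipher", optionally prefixed with "ssl-". Returns 0 when `name`
 * is not an SSL parameter. A repeated parameter replaces the earlier copy
 * instead of leaking it. */
static int myconninfo_set_ssl(Myconninfo *co, const char *name, const char *value) {
	char **slot;
	if(!strncmp(name,"ssl-",4)) name += 4;
	if(!strcmp(name,"key")) slot = &co->key;
	else if(!strcmp(name,"ca")) slot = &co->ca;
	else if(!strcmp(name,"capath")) slot = &co->capath;
	else if(!strcmp(name,"cert")) slot = &co->cert;
	else if(!strcmp(name,"cipher")) slot = &co->cipher;
	else return 0;
	if(*slot) turn_free(*slot, strlen(*slot)+1);
	*slot = strdup(value);
	return 1;
}

/* … unchanged: MyconninfoParse up to the "timeout" branch … */
	else if(myconninfo_set_ssl(co,s,seq+1)) {
		/* SSL parameter consumed */
	}
/* … unchanged: final else { MyconninfoFree(co); co = NULL; … */
```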
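Review bot: `mysql_ssl_set()` is best-effort in the MySQL client library: when the server does not offer TLS, `mysql_real_connect()` on the next line still succeeds over plaintext, so a connection string that sets `ca`, `cert` or `key` gets no guarantee that the credentials and secrets queried later travel encrypted, and nothing in the hunk checks for that. After a successful connect, test `mysql_get_ssl_cipher(conn)` and treat NULL as a failed connection whenever an SSL parameter was given, as below; the existing `!conn` cleanup of `mydbconnection` lies outside the hunk, so the rewritten failure path hands over to it rather than closing the handle twice. When `ca` or `capath` is set, `mysql_options(mydbconnection, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, ...)` (client 5.0.23 and later) is what ties the server certificate to the host name and is worth enabling alongside. The added error message deliberately does not echo `pud->userdb`, which carries the `password=` parameter.
```c
	int want_ssl = (co->ca || co->capath || co->cert || co->cipher || co->key);
	if(want_ssl) {
		mysql_ssl_set(mydbconnection, co->key, co->cert, co->ca, co->capath, co->cipher);
	}
	MYSQL *conn = mysql_real_connect(mydbconnection, co->host, co->user, co->password, co->dbname, co->port, NULL, CLIENT_IGNORE_SIGPIPE);
	/* mysql_ssl_set() does not force TLS: confirm a cipher was actually negotiated */
	if(conn && want_ssl && !mysql_get_ssl_cipher(conn)) {
		TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "MySQL DB connection was configured for SSL but no cipher was negotiated\n");
		/* fall into the existing !conn path, which is expected to release mydbconnection — confirm */
		conn = NULL;
	}
	/* … unchanged: if(!conn) { TURN_LOG_FUNC(...); … */
```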
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index bce9a590..ce6a2492 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -425,8 +425,11 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " This database can be used for long-term and short-term credentials mechanisms,\n"
 " and it can store the secret value(s) for secret-based timed authentication in TURN RESP API.\n"
 " The connection string my be space-separated list of parameters:\n"
-" \"host= dbname= user= \\\n password= port= connect_timeout=\".\n"
-" All parameters are optional.\n"
+" \"host= dbname= user= \\\n password= port= connect_timeout=\".\n\n"
+" The connection string parameters for the secure communications (SSL):\n"
+" ca, capath, cert, key, cipher\n"
+" (see http://dev.mysql.com/doc/refman/5.0/en/mysql-ssl-set.html for the description).\n\n"
+" All connection-string parameters are optional.\n\n"
 #endif
 #if !defined(TURN_NO_MONGO)
 " -J, --mongo-userdb MongoDB connection string, if used (default - empty, no MongoDB used).\n"
@@ -438,8 +441,8 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " This database can be used for long-term and short-term credentials mechanisms,\n"
 " and it can store the secret value(s) for secret-based timed authentication in TURN RESP API.\n"
 " The connection string my be space-separated list of parameters:\n"
-" \"host= dbname= \\\n password= port= connect_timeout=\".\n"
-" All parameters are optional.\n"
+" \"host= dbname= \\\n password= port= connect_timeout=\".\n\n"
+" All connection-string parameters are optional.\n\n"
 " -O, --redis-statsdb Redis status and statistics database connection string, if used \n"
 " (default - empty, no Redis stats DB used).\n"
 " This database keeps allocations status information, and it can be also used for publishing\n"