oauth
This commit is contained in:
parent
968f5f5729
commit
4451b4f5dd
@ -1733,7 +1733,6 @@ ioa_socket_handle detach_ioa_socket(ioa_socket_handle s, int full_detach)
|
|||||||
|
|
||||||
ret->magic = SOCKET_MAGIC;
|
ret->magic = SOCKET_MAGIC;
|
||||||
|
|
||||||
ret->username_hash = s->username_hash;
|
|
||||||
ret->realm_hash = s->realm_hash;
|
ret->realm_hash = s->realm_hash;
|
||||||
|
|
||||||
set_socket_ssl(ret,s->ssl);
|
set_socket_ssl(ret,s->ssl);
|
||||||
@ -3342,14 +3341,9 @@ static u32bits string_hash(const u08bits *str) {
|
|||||||
return hash;
|
return hash;
|
||||||
}
|
}
|
||||||
|
|
||||||
int check_username_hash(ioa_socket_handle s, u08bits *username, u08bits *realm)
|
int check_realm_hash(ioa_socket_handle s, u08bits *realm)
|
||||||
{
|
{
|
||||||
if(s) {
|
if(s) {
|
||||||
if(username && username[0]) {
|
|
||||||
if(s->username_hash != string_hash(username)) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if(realm && realm[0]) {
|
if(realm && realm[0]) {
|
||||||
if(s->realm_hash != string_hash(realm)) {
|
if(s->realm_hash != string_hash(realm)) {
|
||||||
return 0;
|
return 0;
|
||||||
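Review bot: With the username comparison dropped, check_realm_hash now accepts any socket whose stored hash matches the realm, and it still returns success when `realm` is NULL or empty (the `if(realm && realm[0])` guard at the new line simply skips the comparison), and apparently also when `s` is NULL, since the `return 1;` in the next hunk sits after the `if(s)` block. The header comment should state that contract so callers in create_relay_connection do not read it as a strict ownership check; suggested text above the signature: `/* Returns 1 (accept) unless both a socket and a non-empty realm are supplied and the realm hash stored on the socket differs. The hash is a 32-bit string_hash, so this is a probabilistic, not exact, equality. */`. The function's closing lines fall between this hunk and the one that follows.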
@ -3359,12 +3353,9 @@ int check_username_hash(ioa_socket_handle s, u08bits *username, u08bits *realm)
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
void set_username_hash(ioa_socket_handle s, u08bits *username, u08bits *realm)
|
void set_realm_hash(ioa_socket_handle s, u08bits *realm)
|
||||||
{
|
{
|
||||||
if(s) {
|
if(s) {
|
||||||
if(username && username[0]) {
|
|
||||||
s->username_hash = string_hash(username);
|
|
||||||
}
|
|
||||||
if(realm && realm[0]) {
|
if(realm && realm[0]) {
|
||||||
s->realm_hash = string_hash(realm);
|
s->realm_hash = string_hash(realm);
|
||||||
}
|
}
|
||||||
|
|||||||
@ -214,7 +214,6 @@ struct _ioa_socket
|
|||||||
connect_cb conn_cb;
|
connect_cb conn_cb;
|
||||||
void *conn_arg;
|
void *conn_arg;
|
||||||
//Transferable sockets user data
|
//Transferable sockets user data
|
||||||
u32bits username_hash;
|
|
||||||
u32bits realm_hash;
|
u32bits realm_hash;
|
||||||
//Accept:
|
//Accept:
|
||||||
struct evconnlistener *list_ev;
|
struct evconnlistener *list_ev;
|
||||||
|
|||||||
@ -99,11 +99,12 @@ band_limit_t bps = 0;
|
|||||||
int dual_allocation = 0;
|
int dual_allocation = 0;
|
||||||
|
|
||||||
int oauth = 0;
|
int oauth = 0;
|
||||||
oauth_key okey;
|
oauth_key okey_array[2];
|
||||||
oauth_token otoken;
|
oauth_token otoken_array[2];
|
||||||
|
|
||||||
static oauth_key_data_raw okdr = {
|
static oauth_key_data_raw okdr_array[2] = {
|
||||||
"north","Y2FybGVvbg==",0,0,"SHA-256","AES-256-CBC","","HMAC-SHA-256-128",""
|
{"north","Y2FybGVvbg==",0,0,"SHA-256","AES-256-CBC","","HMAC-SHA-256-128",""},
|
||||||
|
{"oldempire","YXVsY3Vz",0,0,"SHA-256","AEAD-AES-256-GCM","","",""}
|
||||||
};
|
};
|
||||||
|
|
||||||
//////////////// local definitions /////////////////
|
//////////////// local definitions /////////////////
|
||||||
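Review bot: The array length 2 is repeated as a bare literal in `okey_array[2]`, `otoken_array[2]` and `okdr_array[2]` here, in `okd_array[2]` and the two unrolled convert calls in the next hunk, in the `extern` declarations and in the `%2` that selects the key in add_integrity, so adding a third test key means editing every site by hand. One named constant, e.g. `enum { OAUTH_KEYS_NUM = 2 };` declared next to the externs, should size all four arrays and the modulo, and the paired calls can then become a loop over it. The initialiser rows are otherwise consistent with the previous single-entry form.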
@ -225,13 +226,19 @@ int main(int argc, char **argv)
|
|||||||
exit(-1);
|
exit(-1);
|
||||||
}
|
}
|
||||||
|
|
||||||
oauth_key_data okd;
|
oauth_key_data okd_array[2];
|
||||||
convert_oauth_key_data_raw(&okdr, &okd);
|
convert_oauth_key_data_raw(&okdr_array[0], &okd_array[0]);
|
||||||
|
convert_oauth_key_data_raw(&okdr_array[1], &okd_array[1]);
|
||||||
|
|
||||||
char err_msg[1025] = "\0";
|
char err_msg[1025] = "\0";
|
||||||
size_t err_msg_size = sizeof(err_msg) - 1;
|
size_t err_msg_size = sizeof(err_msg) - 1;
|
||||||
|
|
||||||
if (convert_oauth_key_data(&okd, &okey, err_msg, err_msg_size) < 0) {
|
if (convert_oauth_key_data(&okd_array[0], &okey_array[0], err_msg, err_msg_size) < 0) {
|
||||||
|
fprintf(stderr, "%s\n", err_msg);
|
||||||
|
exit(-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (convert_oauth_key_data(&okd_array[1], &okey_array[1], err_msg, err_msg_size) < 0) {
|
||||||
fprintf(stderr, "%s\n", err_msg);
|
fprintf(stderr, "%s\n", err_msg);
|
||||||
exit(-1);
|
exit(-1);
|
||||||
}
|
}
|
||||||
@ -403,19 +410,25 @@ int main(int argc, char **argv)
|
|||||||
|
|
||||||
if(oauth) {
|
if(oauth) {
|
||||||
|
|
||||||
otoken.enc_block.lifetime = 0;
|
otoken_array[0].enc_block.lifetime = 0;
|
||||||
otoken.enc_block.timestamp = 0;
|
otoken_array[0].enc_block.timestamp = 0;
|
||||||
|
|
||||||
|
otoken_array[1].enc_block.lifetime = 0;
|
||||||
|
otoken_array[1].enc_block.timestamp = 0;
|
||||||
|
|
||||||
switch(shatype) {
|
switch(shatype) {
|
||||||
case SHATYPE_SHA256:
|
case SHATYPE_SHA256:
|
||||||
otoken.enc_block.key_length = 32;
|
otoken_array[0].enc_block.key_length = 32;
|
||||||
|
otoken_array[1].enc_block.key_length = 32;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
otoken.enc_block.key_length = 20;
|
otoken_array[0].enc_block.key_length = 20;
|
||||||
|
otoken_array[1].enc_block.key_length = 20;
|
||||||
break;
|
break;
|
||||||
};
|
};
|
||||||
|
|
||||||
RAND_bytes((unsigned char *)(otoken.enc_block.mac_key), otoken.enc_block.key_length);
|
RAND_bytes((unsigned char *)(otoken_array[0].enc_block.mac_key), otoken_array[0].enc_block.key_length);
|
||||||
|
RAND_bytes((unsigned char *)(otoken_array[1].enc_block.mac_key), otoken_array[1].enc_block.key_length);
|
||||||
}
|
}
|
||||||
|
|
||||||
if(g_use_auth_secret_with_timestamp) {
|
if(g_use_auth_secret_with_timestamp) {
|
||||||
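Review bot: The return value of RAND_bytes is ignored on both the old and the newly added call, so if the CSPRNG fails the second token's `mac_key` is left with whatever the static storage held and the client proceeds to sign with it. The duplicated token setup for index 0 and 1 also makes it easy for one copy to drift from the other. Both fit a loop over the two entries that checks RAND_bytes and exits the way the key-conversion code in this file already does; main() begins and ends outside this hunk.
```c
if(oauth) {
	for (int i = 0; i < 2; i++) {
		otoken_array[i].enc_block.lifetime = 0;
		otoken_array[i].enc_block.timestamp = 0;
		switch(shatype) {
		case SHATYPE_SHA256:
			otoken_array[i].enc_block.key_length = 32;
			break;
		default:
			otoken_array[i].enc_block.key_length = 20;
			break;
		}
		/* RAND_bytes returns 1 on success; anything else leaves mac_key unset. */
		if(RAND_bytes((unsigned char *)(otoken_array[i].enc_block.mac_key), otoken_array[i].enc_block.key_length) != 1) {
			fprintf(stderr, "Cannot generate MAC key for oauth token %d\n", i);
			exit(-1);
		}
	}
}
```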
|
|||||||
@ -85,6 +85,7 @@ typedef struct {
|
|||||||
u08bits server_name[STUN_MAX_SERVER_NAME_SIZE+1];
|
u08bits server_name[STUN_MAX_SERVER_NAME_SIZE+1];
|
||||||
hmackey_t key;
|
hmackey_t key;
|
||||||
int key_set;
|
int key_set;
|
||||||
|
int cok;
|
||||||
/* RFC 6062 */
|
/* RFC 6062 */
|
||||||
app_tcp_conn_info **tcp_conn;
|
app_tcp_conn_info **tcp_conn;
|
||||||
size_t tcp_conn_number;
|
size_t tcp_conn_number;
|
||||||
|
|||||||
@ -1435,24 +1435,29 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
|
|||||||
|
|
||||||
u16bits method = stun_get_method_str(message->buf, message->len);
|
u16bits method = stun_get_method_str(message->buf, message->len);
|
||||||
|
|
||||||
|
int cok = clnet_info->cok;
|
||||||
|
|
||||||
if(((method == STUN_METHOD_ALLOCATE) || (method == STUN_METHOD_REFRESH)) || !(clnet_info->key_set))
|
if(((method == STUN_METHOD_ALLOCATE) || (method == STUN_METHOD_REFRESH)) || !(clnet_info->key_set))
|
||||||
{
|
{
|
||||||
|
|
||||||
|
if(!mobility)
|
||||||
|
cok=(++(clnet_info->cok))%2;
|
||||||
|
clnet_info->cok = cok;
|
||||||
encoded_oauth_token etoken;
|
encoded_oauth_token etoken;
|
||||||
u08bits nonce[12];
|
u08bits nonce[12];
|
||||||
RAND_bytes((unsigned char*)nonce,12);
|
RAND_bytes((unsigned char*)nonce,12);
|
||||||
if(encode_oauth_token(clnet_info->server_name, &etoken, &okey, &otoken, nonce)<0) {
|
if(encode_oauth_token(clnet_info->server_name, &etoken, &(okey_array[cok]), &(otoken_array[cok]), nonce)<0) {
|
||||||
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot encode token\n");
|
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot encode token\n");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
stun_attr_add_str(message->buf, (size_t*)&(message->len), STUN_ATTRIBUTE_OAUTH_ACCESS_TOKEN,
|
stun_attr_add_str(message->buf, (size_t*)&(message->len), STUN_ATTRIBUTE_OAUTH_ACCESS_TOKEN,
|
||||||
(const u08bits*)etoken.token, (int)etoken.size);
|
(const u08bits*)etoken.token, (int)etoken.size);
|
||||||
|
|
||||||
ns_bcopy(otoken.enc_block.mac_key,clnet_info->key,otoken.enc_block.key_length);
|
ns_bcopy(otoken_array[cok].enc_block.mac_key,clnet_info->key,otoken_array[cok].enc_block.key_length);
|
||||||
clnet_info->key_set = 1;
|
clnet_info->key_set = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(stun_attr_add_integrity_by_key_str(message->buf, (size_t*)&(message->len), (u08bits*)okey.kid,
|
if(stun_attr_add_integrity_by_key_str(message->buf, (size_t*)&(message->len), (u08bits*)okey_array[cok].kid,
|
||||||
clnet_info->realm, clnet_info->key, clnet_info->nonce, clnet_info->shatype)<0) {
|
clnet_info->realm, clnet_info->key, clnet_info->nonce, clnet_info->shatype)<0) {
|
||||||
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot add integrity to the message\n");
|
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot add integrity to the message\n");
|
||||||
return -1;
|
return -1;
|
||||||
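Review bot: The unbraced `if(!mobility)` body followed by the unconditional `clnet_info->cok = cok;` reads as if both lines were guarded, and the pre-increment-then-store pair is harder to follow than it needs to be; the same effect in one braced statement is `if(!mobility) { cok = (cok + 1) % 2; clnet_info->cok = cok; }`. The selection also relies on `clnet_info->cok` starting at 0 or 1 before the first ALLOCATE — presumably the struct is zeroed at creation, but that is not visible here and is worth a comment on the new `int cok;` field, since check_integrity in a later hunk indexes `otoken_array[cok]` with the stored value without a range check. add_integrity starts before this hunk.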
@ -1488,7 +1493,9 @@ int check_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
|
|||||||
hmackey_t key;
|
hmackey_t key;
|
||||||
st_password_t pwd;
|
st_password_t pwd;
|
||||||
|
|
||||||
ns_bcopy(otoken.enc_block.mac_key,key,otoken.enc_block.key_length);
|
int cok = clnet_info->cok;
|
||||||
|
|
||||||
|
ns_bcopy(otoken_array[cok].enc_block.mac_key,key,otoken_array[cok].enc_block.key_length);
|
||||||
|
|
||||||
return stun_check_message_integrity_by_key_str(get_turn_credentials_type(),
|
return stun_check_message_integrity_by_key_str(get_turn_credentials_type(),
|
||||||
message->buf, (size_t)(message->len), key, pwd, sht, NULL);
|
message->buf, (size_t)(message->len), key, pwd, sht, NULL);
|
||||||
|
|||||||
@ -87,8 +87,8 @@ extern int dual_allocation;
|
|||||||
extern char origin[STUN_MAX_ORIGIN_SIZE+1];
|
extern char origin[STUN_MAX_ORIGIN_SIZE+1];
|
||||||
|
|
||||||
extern int oauth;
|
extern int oauth;
|
||||||
extern oauth_key okey;
|
extern oauth_key okey_array[2];
|
||||||
extern oauth_token otoken;
|
extern oauth_token otoken_array[2];
|
||||||
|
|
||||||
#define is_TCP_relay() (relay_transport == STUN_ATTRIBUTE_TRANSPORT_TCP_VALUE)
|
#define is_TCP_relay() (relay_transport == STUN_ATTRIBUTE_TRANSPORT_TCP_VALUE)
|
||||||
|
|
||||||
|
|||||||
@ -242,8 +242,8 @@ void set_do_not_use_df(ioa_socket_handle s);
|
|||||||
int ioa_socket_tobeclosed(ioa_socket_handle s);
|
int ioa_socket_tobeclosed(ioa_socket_handle s);
|
||||||
void set_ioa_socket_tobeclosed(ioa_socket_handle s);
|
void set_ioa_socket_tobeclosed(ioa_socket_handle s);
|
||||||
void close_ioa_socket_after_processing_if_necessary(ioa_socket_handle s);
|
void close_ioa_socket_after_processing_if_necessary(ioa_socket_handle s);
|
||||||
int check_username_hash(ioa_socket_handle s, u08bits *username, u08bits *realm);
|
int check_realm_hash(ioa_socket_handle s, u08bits *realm);
|
||||||
void set_username_hash(ioa_socket_handle s, u08bits *username, u08bits *realm);
|
void set_realm_hash(ioa_socket_handle s, u08bits *realm);
|
||||||
|
|
||||||
////////////////// Base64 /////////////////////////////
|
////////////////// Base64 /////////////////////////////
|
||||||
|
|
||||||
|
|||||||
@ -3264,7 +3264,7 @@ static int check_stun_auth(turn_turnserver *server,
|
|||||||
if(ss->oauth) {
|
if(ss->oauth) {
|
||||||
ss->hmackey_set = 0;
|
ss->hmackey_set = 0;
|
||||||
STRCPY(ss->username,usname);
|
STRCPY(ss->username,usname);
|
||||||
set_username_hash(ss->client_socket,ss->username,(u08bits*)ss->realm_options.name);
|
set_realm_hash(ss->client_socket,(u08bits*)ss->realm_options.name);
|
||||||
} else {
|
} else {
|
||||||
if(method == STUN_METHOD_ALLOCATE) {
|
if(method == STUN_METHOD_ALLOCATE) {
|
||||||
*err_code = 437;
|
*err_code = 437;
|
||||||
@ -3278,7 +3278,7 @@ static int check_stun_auth(turn_turnserver *server,
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
STRCPY(ss->username,usname);
|
STRCPY(ss->username,usname);
|
||||||
set_username_hash(ss->client_socket,ss->username,(u08bits*)ss->realm_options.name);
|
set_realm_hash(ss->client_socket,(u08bits*)ss->realm_options.name);
|
||||||
}
|
}
|
||||||
|
|
||||||
if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
|
if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
|
||||||
@ -4210,10 +4210,10 @@ static int create_relay_connection(turn_turnserver* server,
|
|||||||
ns_bzero(newelem, sizeof(relay_endpoint_session));
|
ns_bzero(newelem, sizeof(relay_endpoint_session));
|
||||||
newelem->s = s;
|
newelem->s = s;
|
||||||
|
|
||||||
if(!check_username_hash(newelem->s,ss->username,(u08bits*)ss->realm_options.name)) {
|
if(!check_realm_hash(newelem->s,(u08bits*)ss->realm_options.name)) {
|
||||||
IOA_CLOSE_SOCKET(newelem->s);
|
IOA_CLOSE_SOCKET(newelem->s);
|
||||||
*err_code = 508;
|
*err_code = 508;
|
||||||
*reason = (const u08bits *)"Cannot find a valid reserved socket for this username";
|
*reason = (const u08bits *)"Cannot find a valid reserved socket for this realm";
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4251,11 +4251,11 @@ static int create_relay_connection(turn_turnserver* server,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
set_username_hash(newelem->s,ss->username,(u08bits*)ss->realm_options.name);
|
set_realm_hash(newelem->s,(u08bits*)ss->realm_options.name);
|
||||||
|
|
||||||
if (rtcp_s) {
|
if (rtcp_s) {
|
||||||
if (out_reservation_token && *out_reservation_token) {
|
if (out_reservation_token && *out_reservation_token) {
|
||||||
set_username_hash(rtcp_s,ss->username,(u08bits*)ss->realm_options.name);
|
set_realm_hash(rtcp_s,(u08bits*)ss->realm_options.name);
|
||||||
/* OK */
|
/* OK */
|
||||||
} else {
|
} else {
|
||||||
IOA_CLOSE_SOCKET(newelem->s);
|
IOA_CLOSE_SOCKET(newelem->s);
|
||||||
|
|||||||