mirror of
https://github.com/coturn/coturn.git
synced 2025-10-29 14:01:01 +01:00
oauth
This commit is contained in:
mom040267
parent
968f5f5729
commit
4451b4f5dd
@ -1733,7 +1733,6 @@ ioa_socket_handle detach_ioa_socket(ioa_socket_handle s, int full_detach)
|
||||
|
||||
ret->magic = SOCKET_MAGIC;
|
||||
|
||||
ret->username_hash = s->username_hash;
|
||||
ret->realm_hash = s->realm_hash;
|
||||
|
||||
set_socket_ssl(ret,s->ssl);
|
||||
@ -3342,14 +3341,9 @@ static u32bits string_hash(const u08bits *str) {
|
||||
return hash;
|
||||
}
|
||||
|
||||
int check_username_hash(ioa_socket_handle s, u08bits *username, u08bits *realm)
|
||||
int check_realm_hash(ioa_socket_handle s, u08bits *realm)
|
||||
{
|
||||
if(s) {
|
||||
if(username && username[0]) {
|
||||
if(s->username_hash != string_hash(username)) {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
if(realm && realm[0]) {
|
||||
if(s->realm_hash != string_hash(realm)) {
|
||||
return 0;
|
||||
@ -3359,12 +3353,9 @@ int check_username_hash(ioa_socket_handle s, u08bits *username, u08bits *realm)
|
||||
return 1;
|
||||
}
|
||||
|
||||
void set_username_hash(ioa_socket_handle s, u08bits *username, u08bits *realm)
|
||||
void set_realm_hash(ioa_socket_handle s, u08bits *realm)
|
||||
{
|
||||
if(s) {
|
||||
if(username && username[0]) {
|
||||
s->username_hash = string_hash(username);
|
||||
}
|
||||
if(realm && realm[0]) {
|
||||
s->realm_hash = string_hash(realm);
|
||||
}
|
||||
|
||||
@ -214,7 +214,6 @@ struct _ioa_socket
|
||||
connect_cb conn_cb;
|
||||
void *conn_arg;
|
||||
//Transferable sockets user data
|
||||
u32bits username_hash;
|
||||
u32bits realm_hash;
|
||||
//Accept:
|
||||
struct evconnlistener *list_ev;
|
||||
|
||||
@ -99,11 +99,12 @@ band_limit_t bps = 0;
|
||||
int dual_allocation = 0;
|
||||
|
||||
int oauth = 0;
|
||||
oauth_key okey;
|
||||
oauth_token otoken;
|
||||
oauth_key okey_array[2];
|
||||
oauth_token otoken_array[2];
|
||||
|
||||
static oauth_key_data_raw okdr = {
|
||||
"north","Y2FybGVvbg==",0,0,"SHA-256","AES-256-CBC","","HMAC-SHA-256-128",""
|
||||
static oauth_key_data_raw okdr_array[2] = {
|
||||
{"north","Y2FybGVvbg==",0,0,"SHA-256","AES-256-CBC","","HMAC-SHA-256-128",""},
|
||||
{"oldempire","YXVsY3Vz",0,0,"SHA-256","AEAD-AES-256-GCM","","",""}
|
||||
};
|
||||
|
||||
//////////////// local definitions /////////////////
|
||||
@ -225,13 +226,19 @@ int main(int argc, char **argv)
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
oauth_key_data okd;
|
||||
convert_oauth_key_data_raw(&okdr, &okd);
|
||||
oauth_key_data okd_array[2];
|
||||
convert_oauth_key_data_raw(&okdr_array[0], &okd_array[0]);
|
||||
convert_oauth_key_data_raw(&okdr_array[1], &okd_array[1]);
|
||||
|
||||
char err_msg[1025] = "\0";
|
||||
size_t err_msg_size = sizeof(err_msg) - 1;
|
||||
|
||||
if (convert_oauth_key_data(&okd, &okey, err_msg, err_msg_size) < 0) {
|
||||
if (convert_oauth_key_data(&okd_array[0], &okey_array[0], err_msg, err_msg_size) < 0) {
|
||||
fprintf(stderr, "%s\n", err_msg);
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
if (convert_oauth_key_data(&okd_array[1], &okey_array[1], err_msg, err_msg_size) < 0) {
|
||||
fprintf(stderr, "%s\n", err_msg);
|
||||
exit(-1);
|
||||
}
|
||||
@ -403,19 +410,25 @@ int main(int argc, char **argv)
|
||||
|
||||
if(oauth) {
|
||||
|
||||
otoken.enc_block.lifetime = 0;
|
||||
otoken.enc_block.timestamp = 0;
|
||||
otoken_array[0].enc_block.lifetime = 0;
|
||||
otoken_array[0].enc_block.timestamp = 0;
|
||||
|
||||
otoken_array[1].enc_block.lifetime = 0;
|
||||
otoken_array[1].enc_block.timestamp = 0;
|
||||
|
||||
switch(shatype) {
|
||||
case SHATYPE_SHA256:
|
||||
otoken.enc_block.key_length = 32;
|
||||
otoken_array[0].enc_block.key_length = 32;
|
||||
otoken_array[1].enc_block.key_length = 32;
|
||||
break;
|
||||
default:
|
||||
otoken.enc_block.key_length = 20;
|
||||
otoken_array[0].enc_block.key_length = 20;
|
||||
otoken_array[1].enc_block.key_length = 20;
|
||||
break;
|
||||
};
|
||||
|
||||
RAND_bytes((unsigned char *)(otoken.enc_block.mac_key), otoken.enc_block.key_length);
|
||||
RAND_bytes((unsigned char *)(otoken_array[0].enc_block.mac_key), otoken_array[0].enc_block.key_length);
|
||||
RAND_bytes((unsigned char *)(otoken_array[1].enc_block.mac_key), otoken_array[1].enc_block.key_length);
|
||||
}
|
||||
|
||||
if(g_use_auth_secret_with_timestamp) {
|
||||
|
||||
@ -85,6 +85,7 @@ typedef struct {
|
||||
u08bits server_name[STUN_MAX_SERVER_NAME_SIZE+1];
|
||||
hmackey_t key;
|
||||
int key_set;
|
||||
int cok;
|
||||
/* RFC 6062 */
|
||||
app_tcp_conn_info **tcp_conn;
|
||||
size_t tcp_conn_number;
|
||||
|
||||
@ -1435,24 +1435,29 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
|
||||
|
||||
u16bits method = stun_get_method_str(message->buf, message->len);
|
||||
|
||||
int cok = clnet_info->cok;
|
||||
|
||||
if(((method == STUN_METHOD_ALLOCATE) || (method == STUN_METHOD_REFRESH)) || !(clnet_info->key_set))
|
||||
{
|
||||
|
||||
if(!mobility)
|
||||
cok=(++(clnet_info->cok))%2;
|
||||
clnet_info->cok = cok;
|
||||
encoded_oauth_token etoken;
|
||||
u08bits nonce[12];
|
||||
RAND_bytes((unsigned char*)nonce,12);
|
||||
if(encode_oauth_token(clnet_info->server_name, &etoken, &okey, &otoken, nonce)<0) {
|
||||
if(encode_oauth_token(clnet_info->server_name, &etoken, &(okey_array[cok]), &(otoken_array[cok]), nonce)<0) {
|
||||
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot encode token\n");
|
||||
return -1;
|
||||
}
|
||||
stun_attr_add_str(message->buf, (size_t*)&(message->len), STUN_ATTRIBUTE_OAUTH_ACCESS_TOKEN,
|
||||
(const u08bits*)etoken.token, (int)etoken.size);
|
||||
|
||||
ns_bcopy(otoken.enc_block.mac_key,clnet_info->key,otoken.enc_block.key_length);
|
||||
ns_bcopy(otoken_array[cok].enc_block.mac_key,clnet_info->key,otoken_array[cok].enc_block.key_length);
|
||||
clnet_info->key_set = 1;
|
||||
}
|
||||
|
||||
if(stun_attr_add_integrity_by_key_str(message->buf, (size_t*)&(message->len), (u08bits*)okey.kid,
|
||||
if(stun_attr_add_integrity_by_key_str(message->buf, (size_t*)&(message->len), (u08bits*)okey_array[cok].kid,
|
||||
clnet_info->realm, clnet_info->key, clnet_info->nonce, clnet_info->shatype)<0) {
|
||||
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot add integrity to the message\n");
|
||||
return -1;
|
||||
@ -1488,7 +1493,9 @@ int check_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
|
||||
hmackey_t key;
|
||||
st_password_t pwd;
|
||||
|
||||
ns_bcopy(otoken.enc_block.mac_key,key,otoken.enc_block.key_length);
|
||||
int cok = clnet_info->cok;
|
||||
|
||||
ns_bcopy(otoken_array[cok].enc_block.mac_key,key,otoken_array[cok].enc_block.key_length);
|
||||
|
||||
return stun_check_message_integrity_by_key_str(get_turn_credentials_type(),
|
||||
message->buf, (size_t)(message->len), key, pwd, sht, NULL);
|
||||
|
||||
@ -87,8 +87,8 @@ extern int dual_allocation;
|
||||
extern char origin[STUN_MAX_ORIGIN_SIZE+1];
|
||||
|
||||
extern int oauth;
|
||||
extern oauth_key okey;
|
||||
extern oauth_token otoken;
|
||||
extern oauth_key okey_array[2];
|
||||
extern oauth_token otoken_array[2];
|
||||
|
||||
#define is_TCP_relay() (relay_transport == STUN_ATTRIBUTE_TRANSPORT_TCP_VALUE)
|
||||
|
||||
|
||||
@ -242,8 +242,8 @@ void set_do_not_use_df(ioa_socket_handle s);
|
||||
int ioa_socket_tobeclosed(ioa_socket_handle s);
|
||||
void set_ioa_socket_tobeclosed(ioa_socket_handle s);
|
||||
void close_ioa_socket_after_processing_if_necessary(ioa_socket_handle s);
|
||||
int check_username_hash(ioa_socket_handle s, u08bits *username, u08bits *realm);
|
||||
void set_username_hash(ioa_socket_handle s, u08bits *username, u08bits *realm);
|
||||
int check_realm_hash(ioa_socket_handle s, u08bits *realm);
|
||||
void set_realm_hash(ioa_socket_handle s, u08bits *realm);
|
||||
|
||||
////////////////// Base64 /////////////////////////////
|
||||
|
||||
|
||||
@ -3264,7 +3264,7 @@ static int check_stun_auth(turn_turnserver *server,
|
||||
if(ss->oauth) {
|
||||
ss->hmackey_set = 0;
|
||||
STRCPY(ss->username,usname);
|
||||
set_username_hash(ss->client_socket,ss->username,(u08bits*)ss->realm_options.name);
|
||||
set_realm_hash(ss->client_socket,(u08bits*)ss->realm_options.name);
|
||||
} else {
|
||||
if(method == STUN_METHOD_ALLOCATE) {
|
||||
*err_code = 437;
|
||||
@ -3278,7 +3278,7 @@ static int check_stun_auth(turn_turnserver *server,
|
||||
}
|
||||
} else {
|
||||
STRCPY(ss->username,usname);
|
||||
set_username_hash(ss->client_socket,ss->username,(u08bits*)ss->realm_options.name);
|
||||
set_realm_hash(ss->client_socket,(u08bits*)ss->realm_options.name);
|
||||
}
|
||||
|
||||
if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
|
||||
@ -4210,10 +4210,10 @@ static int create_relay_connection(turn_turnserver* server,
|
||||
ns_bzero(newelem, sizeof(relay_endpoint_session));
|
||||
newelem->s = s;
|
||||
|
||||
if(!check_username_hash(newelem->s,ss->username,(u08bits*)ss->realm_options.name)) {
|
||||
if(!check_realm_hash(newelem->s,(u08bits*)ss->realm_options.name)) {
|
||||
IOA_CLOSE_SOCKET(newelem->s);
|
||||
*err_code = 508;
|
||||
*reason = (const u08bits *)"Cannot find a valid reserved socket for this username";
|
||||
*reason = (const u08bits *)"Cannot find a valid reserved socket for this realm";
|
||||
return -1;
|
||||
}
|
||||
|
||||
@ -4251,11 +4251,11 @@ static int create_relay_connection(turn_turnserver* server,
|
||||
return -1;
|
||||
}
|
||||
|
||||
set_username_hash(newelem->s,ss->username,(u08bits*)ss->realm_options.name);
|
||||
set_realm_hash(newelem->s,(u08bits*)ss->realm_options.name);
|
||||
|
||||
if (rtcp_s) {
|
||||
if (out_reservation_token && *out_reservation_token) {
|
||||
set_username_hash(rtcp_s,ss->username,(u08bits*)ss->realm_options.name);
|
||||
set_realm_hash(rtcp_s,(u08bits*)ss->realm_options.name);
|
||||
/* OK */
|
||||
} else {
|
||||
IOA_CLOSE_SOCKET(newelem->s);
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user