From 4b2be8adaeec0e9c61d44fb28ad77160ed4ee110 Mon Sep 17 00:00:00 2001
From: mom040267
Date: Tue, 20 Jan 2015 17:05:58 +0000
Subject: [PATCH] third-party authetorization option is mandatory with oauth
---
 ChangeLog | 1 +
 README.turnserver | 2 +-
 examples/etc/turnserver.conf | 2 +-
 .../secure_relay_with_db_mongo.sh | 3 +-
 .../secure_relay_with_db_mysql.sh | 3 +-
 .../secure_relay_with_db_mysql_ssl.sh | 3 +-
 .../secure_relay_with_db_psql.sh | 5 +--
 .../secure_relay_with_db_redis.sh | 3 +-
 .../secure_relay_with_db_sqlite.sh | 3 +-
 .../oauth/secure_relay_with_db_mongo.sh | 34 +++++++++++++++++
 .../oauth/secure_relay_with_db_mysql.sh | 35 +++++++++++++++++
 .../oauth/secure_relay_with_db_mysql_ssl.sh | 36 ++++++++++++++++++
 .../oauth/secure_relay_with_db_psql.sh | 38 +++++++++++++++++++
 .../oauth/secure_relay_with_db_redis.sh | 38 +++++++++++++++++++
 .../oauth/secure_relay_with_db_sqlite.sh | 35 +++++++++++++++++
 examples/scripts/oauth/secure_udp_client.sh | 34 +++++++++++++++++
 man/man1/turnadmin.1 | 2 +-
 man/man1/turnserver.1 | 4 +-
 man/man1/turnutils.1 | 2 +-
 src/apps/relay/mainrelay.c | 2 +-
 src/apps/relay/turn_admin_server.c | 3 +-
 src/apps/relay/userdb.c | 2 +-
 22 files changed, 268 insertions(+), 22 deletions(-)
 create mode 100755 examples/scripts/oauth/secure_relay_with_db_mongo.sh
 create mode 100755 examples/scripts/oauth/secure_relay_with_db_mysql.sh
 create mode 100755 examples/scripts/oauth/secure_relay_with_db_mysql_ssl.sh
 create mode 100755 examples/scripts/oauth/secure_relay_with_db_psql.sh
 create mode 100755 examples/scripts/oauth/secure_relay_with_db_redis.sh
 create mode 100755 examples/scripts/oauth/secure_relay_with_db_sqlite.sh
 create mode 100755 examples/scripts/oauth/secure_udp_client.sh
diff --git a/ChangeLog b/ChangeLog
index 208138e2..fb886eee 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,7 @@ Version 4.4.1.1 'Ardee West':
 - OpenSSL 1.1.0 supported;
 - shared secrets fixed in MongoDB: multiple secrets per realm allowed;
 - shared secrets admin fixed in Redis;
+ - --oauth option now strictly requires oAuth authentication;
 12/24/2014 Oleg Moskalenko
 Version 4.3.3.1 'Tolomei':
diff --git a/README.turnserver b/README.turnserver
index 85087bb4..50b3be53 100644
--- a/README.turnserver
+++ b/README.turnserver
@@ -181,7 +181,7 @@ Flags:
 The actual value of the secret is defined either by option static-auth-secret, or can be found in the turn_secret table in the database.
---oauth Support oAuth authentication, as in the third-party TURN specs document.
+--oauth Require oAuth authentication, as in the third-party TURN specs document.
 --dh566 Use 566 bits predefined DH TLS key. Default size of the key is 1066.
diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf
index 33235e01..cc533781 100644
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@@ -213,7 +213,7 @@
 #
 #server-name=blackdow.carleon.gov
-# Flag to support oAuth authentication.
+# Flag to require oAuth authentication.
 #
 #oauth
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh
index 42452008..e070dbd2 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh
@@ -21,7 +21,6 @@
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
 # 10) --cipher-list=ALL means that we support all OpenSSL ciphers
-# 11) --oauth - accept oAuth security dialog
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -31,4 +30,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh
index fa86b507..04834a0d 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh
@@ -22,7 +22,6 @@
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
 # 10) --cipher-list=ALL means that we support all OpenSSL ciphers
-# 11) --oauth - accept oAuth security dialog
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -32,4 +31,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh
index 2ad97f7b..52751b1f 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh
@@ -23,7 +23,6 @@
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
 # 10) --cipher-list=ALL means that we support all OpenSSL ciphers
-# 11) --oauth - accept oAuth security dialog
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -33,4 +32,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn cipher=DHE-RSA-AES256-SHA connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn cipher=DHE-RSA-AES256-SHA connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh
index 927bdf18..4e422294 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh
@@ -22,7 +22,6 @@
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
 # 10) --cipher-list=ALL means that we support all OpenSSL ciphers
-# 11) --oauth - accept oAuth security dialog
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -32,7 +31,7 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
 # Newer PostgreSQL style connection string example:
-# PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb=postgresql://turn:turn@/turn --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+# PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb=postgresql://turn:turn@/turn --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh
index db7db638..af5449ff 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh
@@ -25,7 +25,6 @@
 # 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
 # 11) --cipher-list=ALL means that we support all OpenSSL ciphers
-# 12) --oauth - accept oAuth security dialog
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -35,4 +34,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh
index 1bc1c775..f0866065 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh
@@ -21,7 +21,6 @@
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
 # 10) --cipher-list=ALL means that we support all OpenSSL ciphers
-# 11) --oauth - accept oAuth security dialog
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -31,5 +30,5 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
diff --git a/examples/scripts/oauth/secure_relay_with_db_mongo.sh b/examples/scripts/oauth/secure_relay_with_db_mongo.sh
new file mode 100755
index 00000000..59254acb
--- /dev/null
+++ b/examples/scripts/oauth/secure_relay_with_db_mongo.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# This is an example how to start a TURN Server in
+# secure mode with MongoDB database for users
+# with the long-term credentials mechanism.
+#
+# We start here a TURN Server listening on IPv4 address
+# 127.0.0.1 and on IPv6 address ::1. We use 127.0.0.1 as
+# IPv4 relay address, and we use ::1 as IPv6 relay address.
+#
+# Other options:
+#
+# 1) set bandwidth limit on client session 3000000 bytes per second (--max-bps).
+# 2) use fingerprints (-f)
+# 3) use 3 relay threads (-m 3)
+# 4) use min UDP relay port 32355 and max UDP relay port 65535
+# 5) "-r north.gov" means "use authentication realm north.gov"
+# 6) --mongo-userdb="mongodb://localhost/coturn"
+# means that local MongoDB database "turn" will be used.
+# 7) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
+# 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
+# 9) "--log-file=stdout" means that all log output will go to the stdout.
+# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 11) --oauth - mandate oAuth security dialog
+# Other parameters (config file name, etc) are default.
+
+if [ -d examples ] ; then
+ cd examples
+fi
+
+export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/
+export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/
+
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
diff --git a/examples/scripts/oauth/secure_relay_with_db_mysql.sh b/examples/scripts/oauth/secure_relay_with_db_mysql.sh
new file mode 100755
index 00000000..44448dae
--- /dev/null
+++ b/examples/scripts/oauth/secure_relay_with_db_mysql.sh
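Review bot: `$@` at the end of the turnserver command line is unquoted, so an extra argument that contains whitespace — for example a `--mysql-userdb="host=... user=..."` string of the kind these scripts themselves pass — is word-split before turnserver sees it; write it as `"$@"`. The same unquoted `$@` is on the command line of every other new oauth script (mysql, mysql_ssl, psql, redis, sqlite and secure_udp_client) and on the rewritten command lines of the longtermsecuredb scripts. The header comment also still says the server is started `with the long-term credentials mechanism`, which contradicts item 11 mandating oAuth; and item 6 says database "turn" will be used while the URL names `coturn`.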
@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# This is an example how to start a TURN Server in
+# secure mode with MySQL database for users
+# with the long-term credentials mechanism.
+#
+# We start here a TURN Server listening on IPv4 address
+# 127.0.0.1 and on IPv6 address ::1. We use 127.0.0.1 as
+# IPv4 relay address, and we use ::1 as IPv6 relay address.
+#
+# Other options:
+#
+# 1) set bandwidth limit on client session 3000000 bytes per second (--max-bps).
+# 2) use fingerprints (-f)
+# 3) use 3 relay threads (-m 3)
+# 4) use min UDP relay port 32355 and max UDP relay port 65535
+# 5) "-r north.gov" means "use authentication realm north.gov"
+# 6) --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30"
+# means that local MySQL database "coturn" will be used, with database user "turn" and
+# database user password "turn", and connection timeout 30 seconds.
+# 7) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
+# 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
+# 9) "--log-file=stdout" means that all log output will go to the stdout.
+# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 11) --oauth - mandate oAuth security dialog
+# Other parameters (config file name, etc) are default.
+
+if [ -d examples ] ; then
+ cd examples
+fi
+
+export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
+export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
+
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
diff --git a/examples/scripts/oauth/secure_relay_with_db_mysql_ssl.sh b/examples/scripts/oauth/secure_relay_with_db_mysql_ssl.sh
new file mode 100755
index 00000000..5da6af48
--- /dev/null
+++ b/examples/scripts/oauth/secure_relay_with_db_mysql_ssl.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# This is an example how to start a TURN Server in
+# secure mode with SSL connection to a MySQL database for users
+# with the long-term credentials mechanism.
+#
+# We start here a TURN Server listening on IPv4 address
+# 127.0.0.1 and on IPv6 address ::1. We use 127.0.0.1 as
+# IPv4 relay address, and we use ::1 as IPv6 relay address.
+#
+# Other options:
+#
+# 1) set bandwidth limit on client session 3000000 bytes per second (--max-bps).
+# 2) use fingerprints (-f)
+# 3) use 3 relay threads (-m 3)
+# 4) use min UDP relay port 32355 and max UDP relay port 65535
+# 5) "-r north.gov" means "use authentication realm north.gov"
+# 6) --mysql-userdb="host=localhost dbname=coturn user=turn password=turn cipher=DHE-RSA-AES256-SHA connect_timeout=30"
+# means that local MySQL database "coturn" will be used, with database user "turn" and
+# database user password "turn", and with SSL connection with cipher DHE-RSA-AES256-SHA,
+# and connection timeout 30 seconds.
+# 7) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
+# 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
+# 9) "--log-file=stdout" means that all log output will go to the stdout.
+# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 11) --oauth - mandate oAuth security dialog
+# Other parameters (config file name, etc) are default.
+
+if [ -d examples ] ; then
+ cd examples
+fi
+
+export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
+export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
+
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn cipher=DHE-RSA-AES256-SHA connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
diff --git a/examples/scripts/oauth/secure_relay_with_db_psql.sh b/examples/scripts/oauth/secure_relay_with_db_psql.sh
new file mode 100755
index 00000000..f65852fb
--- /dev/null
+++ b/examples/scripts/oauth/secure_relay_with_db_psql.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+#
+# This is an example how to start a TURN Server in
+# secure mode with Postgres database for users
+# with the long-term credentials mechanism.
+#
+# We start here a TURN Server listening on IPv4 address
+# 127.0.0.1 and on IPv6 address ::1. We use 127.0.0.1 as
+# IPv4 relay address, and we use ::1 as IPv6 relay address.
+#
+# Other options:
+#
+# 1) set bandwidth limit on client session 3000000 bytes per second (--max-bps).
+# 2) use fingerprints (-f)
+# 3) use 3 relay threads (-m 3)
+# 4) use min UDP relay port 32355 and max UDP relay port 65535
+# 5) "-r north.gov" means "use authentication realm north.gov"
+# 6) --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30"
+# means that local database "coturn" will be used, with database user "turn" and database user
+# password "turn".
+# 7) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
+# 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
+# 9) "--log-file=stdout" means that all log output will go to the stdout.
+# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 11) --oauth - mandate oAuth security dialog
+# Other parameters (config file name, etc) are default.
+
+if [ -d examples ] ; then
+ cd examples
+fi
+
+export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
+export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
+
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+
+# Newer PostgreSQL style connection string example:
+# PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb=postgresql://turn:turn@/turn --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
diff --git a/examples/scripts/oauth/secure_relay_with_db_redis.sh b/examples/scripts/oauth/secure_relay_with_db_redis.sh
new file mode 100755
index 00000000..1de0d158
--- /dev/null
+++ b/examples/scripts/oauth/secure_relay_with_db_redis.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+#
+# This is an example how to start a TURN Server in
+# secure mode with Redis database for users
+# with the long-term credentials mechanism.
+#
+# We start here a TURN Server listening on IPv4 address
+# 127.0.0.1 and on IPv6 address ::1. We use 127.0.0.1 as
+# IPv4 relay address, and we use ::1 as IPv6 relay address.
+#
+# Other options:
+#
+# 1) set bandwidth limit on client session 3000000 bytes per second (--max-bps).
+# 2) use fingerprints (-f)
+# 3) use 3 relay threads (-m 3)
+# 4) use min UDP relay port 32355 and max UDP relay port 65535
+# 5) "-r north.gov" means "use authentication realm north.gov"
+# 6) --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30"
+# means that local Redis database 0 will be used,
+# database password is "turn", and connection timeout 30 seconds.
+# 7) --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30"
+# means that we want to use Redis for status and statistics information,
+# and this will be the database number 3.
+# 8) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
+# 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
+# 10) "--log-file=stdout" means that all log output will go to the stdout.
+# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 12) --oauth - mandate oAuth security dialog
+# Other parameters (config file name, etc) are default.
+
+if [ -d examples ] ; then
+ cd examples
+fi
+
+export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
+export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
+
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
diff --git a/examples/scripts/oauth/secure_relay_with_db_sqlite.sh b/examples/scripts/oauth/secure_relay_with_db_sqlite.sh
new file mode 100755
index 00000000..892df9c0
--- /dev/null
+++ b/examples/scripts/oauth/secure_relay_with_db_sqlite.sh
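Review bot: The comment for option 6 says `local Redis database 0 will be used` while the `--redis-userdb` value it documents, and the command line at the end of the file, select `dbname=2`; a reader who copies the comment's number connects to the wrong database. Change it to `# means that local Redis database 2 will be used,`. Item 7 gets this right for the stats database, so only the userdb line is off.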
@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# This is an example how to start a TURN Server in
+# secure mode with SQLite database for users
+# with the long-term credentials mechanism.
+#
+# We start here a TURN Server listening on IPv4 address
+# 127.0.0.1 and on IPv6 address ::1. We use 127.0.0.1 as
+# IPv4 relay address, and we use ::1 as IPv6 relay address.
+#
+# Other options:
+#
+# 1) set bandwidth limit on client session 3000000 bytes per second (--max-bps).
+# 2) use fingerprints (-f)
+# 3) use 3 relay threads (-m 3)
+# 4) use min UDP relay port 32355 and max UDP relay port 65535
+# 5) "-r north.gov" means "use authentication realm north.gov"
+# 6) --db=
+# means that local database will be used.
+# 7) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
+# 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
+# 9) "--log-file=stdout" means that all log output will go to the stdout.
+# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 11) --oauth - mandate oAuth security dialog
+# Other parameters (config file name, etc) are default.
+
+if [ -d examples ] ; then
+ cd examples
+fi
+
+export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
+export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
+
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
+
diff --git a/examples/scripts/oauth/secure_udp_client.sh b/examples/scripts/oauth/secure_udp_client.sh
new file mode 100755
index 00000000..76df4619
--- /dev/null
+++ b/examples/scripts/oauth/secure_udp_client.sh
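Review bot: Item 6 of the option list is documented as a bare `--db=` with no value and "local database will be used", while the command line at the bottom passes `--db="var/db/turndb"`; the comment should name what the script actually runs. Proposed: `# 6) --db="var/db/turndb"` followed by `# means that the local SQLite database file var/db/turndb will be used.` The file also ends with an extra blank line after the command, unlike the sibling scripts.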
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# This is an example of a script to run a "secure" TURN UDP client
+# with the long-term credentials mechanism.
+#
+# Options:
+#
+# 1) -t is absent, it means that UDP networking is used.
+# 5) -n 1000 means 1000 messages per single emulated client. Messages
+# are sent with interval of 20 milliseconds, to emulate an RTP stream.
+# 6) -m 10 means that 10 clients are emulated.
+# 7) -l 170 means that the payload size of the packets is 170 bytes
+# (like average audio RTP packet).
+# 8) -e 127.0.0.1 means that the clients will use peer address 127.0.0.1.
+# 9) -g means "set DONT_FRAGMENT parameter in TURN requests".
+# 10) -u ninefingers means that if the server challenges the client with
+# authentication challenge, then we use account "ninefingers".
+# 11) -w youhavetoberealistic sets the password for the account as "youhavetoberealistic".
+# 12) -s option is absent - it means that the client will be using
+# the "channel" mechanism for data.
+# 13) -J means that the client supports oAuth third-party authorization
+# (with kid='north')
+# 14) ::1 (the last parameter) is the TURN Server IP address. We use IPv6 here
+# to illustrate how the TURN Server convert the traffic from IPv6 to IPv4 and back.
+#
+
+if [ -d examples ] ; then
+ cd examples
+fi
+
+export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/
+
+PATH=examples/bin/:../bin/:./bin/:${PATH} turnutils_uclient -n 1000 -m 10 -l 170 -e 127.0.0.1 -X -g -u ninefingers -w youhavetoberealistic -J $@ ::1
+
diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1
index a9e34f63..a5b34d3b 100644
--- a/man/man1/turnadmin.1
+++ b/man/man1/turnadmin.1
@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "10 January 2015" "" ""
+.TH TURN 1 "20 January 2015" "" ""
 .SH GENERAL INFORMATION
 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage
diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1
index 5e66b223..a809a709 100644
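Review bot: The command line passes `-X` to turnutils_uclient, but the option list in the header never explains it, and the list numbering jumps from 1) to 5), so the flag reads as an accidental leftover; either add an item describing `-X` or drop it from the command. Because `$@` here precedes the positional `::1`, an unquoted whitespace-containing extra argument is split into several words ahead of the server address, which makes quoting it as `"$@"` matter more in this script than in the server ones. Wording nit in item 14: `the TURN Server convert the traffic` should read `converts`.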
--- a/man/man1/turnserver.1
+++ b/man/man1/turnserver.1
@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "10 January 2015" "" ""
+.TH TURN 1 "20 January 2015" "" ""
 .SH GENERAL INFORMATION
 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client
@@ -265,7 +265,7 @@ or can be found in the turn_secret table in the database.
 .TP
 .B \fB\-\-oauth\fP
-Support oAuth authentication, as in the third\-party TURN specs document.
+Require oAuth authentication, as in the third\-party TURN specs document.
 .TP
 .B \fB\-\-dh566\fP
diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1
index c5cd42bb..29cb1a9b 100644
--- a/man/man1/turnutils.1
+++ b/man/man1/turnutils.1
@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "10 January 2015" "" ""
+.TH TURN 1 "20 January 2015" "" ""
 .SH GENERAL INFORMATION
 A set of turnutils_* programs provides some utility functionality to be used
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index 7dd1e65d..1eb9440f 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -492,7 +492,7 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " --server-name Server name used for\n"
 " the oAuth authentication purposes.\n"
 " The default value is the realm name.\n"
-" --oauth Support oAuth authentication.\n"
+" --oauth Require oAuth authentication.\n"
 " -n Do not use configuration file, take all parameters from the command line only.\n"
 " --cert Certificate file, PEM format. Same file search rules\n"
 " applied as for the configuration file.\n"
diff --git a/src/apps/relay/turn_admin_server.c b/src/apps/relay/turn_admin_server.c
index 821654f5..36117901 100644
--- a/src/apps/relay/turn_admin_server.c
+++ b/src/apps/relay/turn_admin_server.c
@@ -2871,7 +2871,8 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh)
 if(turn_params.verbose) {
 if(nbh) {
- TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: HTTPS connection input: %.40s\n", __FUNCTION__, (char*)ioa_network_buffer_data(nbh));
+ ((char*)ioa_network_buffer_data(nbh))[ioa_network_buffer_get_size(nbh)] = 0;
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: HTTPS connection input: %s\n", __FUNCTION__, (char*)ioa_network_buffer_data(nbh));
 } else {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: HTTPS connection initial input\n", __FUNCTION__);
 }
diff --git a/src/apps/relay/userdb.c b/src/apps/relay/userdb.c
index 57ac5291..c89eb80e 100644
--- a/src/apps/relay/userdb.c
+++ b/src/apps/relay/userdb.c
@@ -527,7 +527,7 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u
 }
 }
- if(out_oauth && *out_oauth) {
+ if(in_oauth) {
 return ret;
 }
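Review bot: The added line stores a NUL at `data[ioa_network_buffer_get_size(nbh)]`, one byte past the received payload, which is only safe if the network buffer always has spare capacity beyond its current size; nothing in this hunk shows that, so on a full buffer it is a one-byte out-of-bounds write whose position is set by the length of network input. Since the `%.40s` it replaces shows TURN_LOG_FUNC honours printf precision, the terminator can be avoided entirely with `TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: HTTPS connection input: %.*s\n", __FUNCTION__, (int)ioa_network_buffer_get_size(nbh), (char*)ioa_network_buffer_data(nbh));`. Removing the 40-byte cap also means the entire HTTPS request, including any admin credentials or session cookies it carries, is now written to the log whenever verbose is on; keep a cap or log only the request line. handle_https begins before this hunk.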