From 6dbee00b74ca960e28b8f14e7808eb6f9b5971d8 Mon Sep 17 00:00:00 2001 From: mom040267 Date: Sun, 19 Apr 2015 07:37:12 +0000 Subject: [PATCH] working on new third-party auth draft --- INSTALL | 10 ---- examples/var/db/turndb | Bin 22528 -> 22528 bytes src/apps/common/apputils.c | 21 -------- src/apps/common/apputils.h | 2 - src/apps/relay/dbdrivers/dbd_mongo.c | 22 +------- src/apps/relay/dbdrivers/dbd_mysql.c | 34 ++++-------- src/apps/relay/dbdrivers/dbd_pgsql.c | 22 ++++---- src/apps/relay/dbdrivers/dbd_redis.c | 12 ++--- src/apps/relay/dbdrivers/dbd_sqlite.c | 21 +++----- src/apps/relay/turn_admin_server.c | 74 ++------------------------ src/apps/relay/userdb.c | 17 +++--- src/apps/uclient/mainuclient.c | 6 +-- src/client/ns_turn_msg.c | 33 ++++-------- src/client/ns_turn_msg_defs_new.h | 4 -- turndb/schema.sql | 2 - turndb/schema.userdb.redis | 15 ++---- turndb/testsqldbsetup.sql | 6 +-- 17 files changed, 62 insertions(+), 239 deletions(-) diff --git a/INSTALL b/INSTALL index 46433d92..ed19d6fc 100644 --- a/INSTALL +++ b/INSTALL @@ -744,8 +744,6 @@ CREATE TABLE oauth_key ( timestamp bigint default 0, lifetime integer default 0, as_rs_alg varchar(64) default '', - as_rs_key varchar(256) default '', - auth_key varchar(256) default '', primary key (kid) ); @@ -754,8 +752,6 @@ The oauth_key table fields meanings are: kid: the kid of the key; ikm_key - (optional) base64-encoded key ("input keying material"); - The ikm_key is not needed if the as_rs_key and auth_key are defined - explicitly in the database; timestamp - (optional) the timestamp (in seconds) when the key lifetime starts; 
@@ -767,12 +763,6 @@ The oauth_key table fields meanings are: "A256GCMKW", "A128GCMKW" (see http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.1). The default value is "A256GCMKW"; - - as_rs_key - (optional) base64-encoded AS-RS key. If not defined, then - calculated with ikm_key. - - auth_key - (optional) base64-encoded AUTH key. If not defined, then - calculated with ikm_key. Not used for AEAD algorithms. # Https access admin users. # Leave this table empty if you do not want diff --git a/examples/var/db/turndb b/examples/var/db/turndb index 9b08dba57bc97b1b5f25a9a3ee567059c8ddc824..2c30dc868a4c890c65c92fb31f8a9a632d5ce921 100644 GIT binary patch delta 170 zcmZqJz}T>Xae}nqJ_ZH`F(76IVkRJ#n5bjSxNl>^GI5T149xeK4=~T$EXXr~*+YSu zOi*@=w>o7;SDFfvY`*ciaXs4%h7k*hI6lwDk2p0TNZ O@^-&{n|JxUaR305F)yXae}nqP6h@BF(76IVkQuKqK+}+&W#Dn#5ra#FyCR`!#rcNAWs*wpAs{N zyetQYJTGs4PD*NSL1s~EWJFkTq;Xi4qmikZyR)x%xEvFQI7CfpUS@t?qI+0nl2M?o zqoI)nSYC;dLtGVX#^z_zx(3W^na@saEZE%UbAypFXkw!uSCgzLySThOV+-fxKYshn y6N}@EisQ3WD;3HTi;^=Ei!^{XX)2_orX`lu@EOmSmu-*u2I+gaZHo%RoN> diff --git a/src/apps/common/apputils.c b/src/apps/common/apputils.c index eecfcbc7..9b91d891 100644 --- a/src/apps/common/apputils.c +++ b/src/apps/common/apputils.c 
@@ -1136,27 +1136,6 @@ void convert_oauth_key_data_raw(const oauth_key_data_raw *raw, oauth_key_data *o turn_free(ikm_key,ikm_key_size); } } - - if(raw->as_rs_key[0]) { - size_t as_rs_key_size = 0; - char *as_rs_key = (char*)base64_decode(raw->as_rs_key,strlen(raw->as_rs_key),&as_rs_key_size); - if(as_rs_key) { - ns_bcopy(as_rs_key,oakd->as_rs_key,as_rs_key_size); - oakd->as_rs_key_size = as_rs_key_size; - turn_free(as_rs_key,as_rs_key_size); - } - } - - if(raw->auth_key[0]) { - size_t auth_key_size = 0; - char *auth_key = (char*)base64_decode(raw->auth_key,strlen(raw->auth_key),&auth_key_size); - if(auth_key) { - ns_bcopy(auth_key,oakd->auth_key,auth_key_size); - oakd->auth_key_size = auth_key_size; - turn_free(auth_key,auth_key_size); - } - } - } } diff --git a/src/apps/common/apputils.h b/src/apps/common/apputils.h index 4b93d861..6ff61bfd 100644 --- a/src/apps/common/apputils.h +++ b/src/apps/common/apputils.h @@ -142,8 +142,6 @@ struct _oauth_key_data_raw { u64bits timestamp; u32bits lifetime; char as_rs_alg[OAUTH_ALG_SIZE+1]; - char as_rs_key[OAUTH_KEY_SIZE+1]; - char auth_key[OAUTH_KEY_SIZE+1]; }; typedef struct _oauth_key_data_raw oauth_key_data_raw; diff --git a/src/apps/relay/dbdrivers/dbd_mongo.c b/src/apps/relay/dbdrivers/dbd_mongo.c index 853a5524..e06127e8 100644 --- a/src/apps/relay/dbdrivers/dbd_mongo.c +++ b/src/apps/relay/dbdrivers/dbd_mongo.c @@ -255,8 +255,6 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { BSON_APPEND_INT32(&fields, "lifetime", 1); BSON_APPEND_INT32(&fields, "timestamp", 1); BSON_APPEND_INT32(&fields, "as_rs_alg", 1); - BSON_APPEND_INT32(&fields, "as_rs_key", 1); - BSON_APPEND_INT32(&fields, "auth_key", 1); BSON_APPEND_INT32(&fields, "ikm_key", 1); mongoc_cursor_t * cursor; 
@@ -279,12 +277,6 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_alg") && BSON_ITER_HOLDS_UTF8(&iter)) { STRCPY(key->as_rs_alg,bson_iter_utf8(&iter, &length)); } - if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_key") && BSON_ITER_HOLDS_UTF8(&iter)) { - STRCPY(key->as_rs_key,bson_iter_utf8(&iter, &length)); - } - if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "auth_key") && BSON_ITER_HOLDS_UTF8(&iter)) { - STRCPY(key->auth_key,bson_iter_utf8(&iter, &length)); - } if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "ikm_key") && BSON_ITER_HOLDS_UTF8(&iter)) { STRCPY(key->ikm_key,bson_iter_utf8(&iter, &length)); } @@ -349,8 +341,6 @@ static int mongo_set_oauth_key(oauth_key_data_raw *key) { bson_init(&doc); BSON_APPEND_UTF8(&doc, "kid", (const char *)key->kid); BSON_APPEND_UTF8(&doc, "as_rs_alg", (const char *)key->as_rs_alg); - BSON_APPEND_UTF8(&doc, "as_rs_key", (const char *)key->as_rs_key); - BSON_APPEND_UTF8(&doc, "auth_key", (const char *)key->auth_key); BSON_APPEND_UTF8(&doc, "ikm_key", (const char *)key->ikm_key); BSON_APPEND_INT64(&doc, "timestamp", (int64_t)key->timestamp); BSON_APPEND_INT32(&doc, "lifetime", (int32_t)key->lifetime); @@ -511,8 +501,6 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre BSON_APPEND_INT32(&fields, "lifetime", 1); BSON_APPEND_INT32(&fields, "timestamp", 1); BSON_APPEND_INT32(&fields, "as_rs_alg", 1); - BSON_APPEND_INT32(&fields, "as_rs_key", 1); - BSON_APPEND_INT32(&fields, "auth_key", 1); BSON_APPEND_INT32(&fields, "ikm_key", 1); mongoc_cursor_t * cursor; 
@@ -537,12 +525,6 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_alg") && BSON_ITER_HOLDS_UTF8(&iter)) { STRCPY(key->as_rs_alg,bson_iter_utf8(&iter, &length)); } - if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_key") && BSON_ITER_HOLDS_UTF8(&iter)) { - STRCPY(key->as_rs_key,bson_iter_utf8(&iter, &length)); - } - if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "auth_key") && BSON_ITER_HOLDS_UTF8(&iter)) { - STRCPY(key->auth_key,bson_iter_utf8(&iter, &length)); - } if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "ikm_key") && BSON_ITER_HOLDS_UTF8(&iter)) { STRCPY(key->ikm_key,bson_iter_utf8(&iter, &length)); } @@ -566,9 +548,9 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre add_to_secrets_list(lts,lt); } } else { - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n", key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, - key->as_rs_alg, key->as_rs_key, key->auth_key); + key->as_rs_alg); } } mongoc_cursor_destroy(cursor); diff --git a/src/apps/relay/dbdrivers/dbd_mysql.c b/src/apps/relay/dbdrivers/dbd_mysql.c index de7fda11..ca2189d7 100644 --- a/src/apps/relay/dbdrivers/dbd_mysql.c +++ b/src/apps/relay/dbdrivers/dbd_mysql.c @@ -343,7 +343,7 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { int ret = -1; char statement[TURN_LONG_STRING_SIZE]; - snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key from oauth_key where kid='%s'",(const char*)kid); + snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid); MYSQL * myc = get_mydb_connection(); if(myc) { 
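Review bot: The shortened `printf` at the end of mongo_list_oauth_keys still writes the raw base64 `ikm_key` to stdout for every key, and after this commit that value is the only secret a kid carries, because the AS-RS and AUTH keys are now always derived from it. Consider masking it in the listing (print its length or a fixed marker) unless the caller explicitly asks to reveal it; the matching `printf` lines in the mysql, pgsql, redis and sqlite list functions in this commit have the same shape. The body of mongo_list_oauth_keys starts before the hunk.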
@@ -354,7 +354,7 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { MYSQL_RES *mres = mysql_store_result(myc); if(!mres) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc)); - } else if(mysql_field_count(myc)!=6) { + } else if(mysql_field_count(myc)!=4) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unknown error retrieving MySQL DB information: %s\n",statement); } else { MYSQL_ROW row = mysql_fetch_row(mres); @@ -378,12 +378,6 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { ns_bcopy(row[3],key->as_rs_alg,lengths[3]); key->as_rs_alg[lengths[3]]=0; - ns_bcopy(row[4],key->as_rs_key,lengths[4]); - key->as_rs_key[lengths[4]]=0; - - ns_bcopy(row[5],key->auth_key,lengths[5]); - key->auth_key[lengths[5]]=0; - ret = 0; } } @@ -402,7 +396,7 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre oauth_key_data_raw *key=&key_; int ret = -1; char statement[TURN_LONG_STRING_SIZE]; - snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key,kid from oauth_key order by kid"); + snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,kid from oauth_key order by kid"); MYSQL * myc = get_mydb_connection(); if(myc) { @@ -413,7 +407,7 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre MYSQL_RES *mres = mysql_store_result(myc); if(!mres) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc)); - } else if(mysql_field_count(myc)!=7) { + } else if(mysql_field_count(myc)!=5) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unknown error retrieving MySQL DB information: %s\n",statement); } else { MYSQL_ROW row = mysql_fetch_row(mres); 
@@ -437,14 +431,8 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre ns_bcopy(row[3],key->as_rs_alg,lengths[3]); key->as_rs_alg[lengths[3]]=0; - ns_bcopy(row[4],key->as_rs_key,lengths[4]); - key->as_rs_key[lengths[4]]=0; - - ns_bcopy(row[5],key->auth_key,lengths[5]); - key->auth_key[lengths[5]]=0; - ns_bcopy(row[6],key->kid,lengths[6]); - key->kid[lengths[6]]=0; + key->kid[lengths[4]]=0; if(kids) { add_to_secrets_list(kids,key->kid); @@ -460,9 +448,9 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre add_to_secrets_list(lts,lt); } } else { - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n", key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, - key->as_rs_alg, key->as_rs_key, key->auth_key); + key->as_rs_alg); } } row = mysql_fetch_row(mres); 
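Review bot: `ns_bcopy(row[6],key->kid,lengths[6]);` still reads column 6, but the select in mysql_list_oauth_keys now returns five columns with kid at index 4, so the copy indexes past the fetched row while the rewritten terminator `key->kid[lengths[4]]=0;` already uses the new index; on this reading the copy line survived as unchanged context. Change it to `ns_bcopy(row[4],key->kid,lengths[4]);` so source and terminator agree. The `mysql_field_count(myc)!=5` guard in the earlier hunk only confirms the column count, not the index used here. The body of mysql_list_oauth_keys continues on both sides of the hunk.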
@@ -506,13 +494,13 @@ static int mysql_set_oauth_key(oauth_key_data_raw *key) char statement[TURN_LONG_STRING_SIZE]; MYSQL * myc = get_mydb_connection(); if(myc) { - snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s')", + snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('%s','%s',%llu,%lu,'%s')", key->kid,key->ikm_key,(unsigned long long)key->timestamp,(unsigned long)key->lifetime, - key->as_rs_alg,key->as_rs_key,key->auth_key); + key->as_rs_alg); int res = mysql_query(myc, statement); if(res) { - snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, as_rs_alg='%s',as_rs_key='%s',auth_key='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime, - key->as_rs_alg,key->as_rs_key,key->auth_key,key->kid); + snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, as_rs_alg='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime, + key->as_rs_alg,key->kid); res = mysql_query(myc, statement); if(res) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating oauth key information: %s\n",mysql_error(myc)); diff --git a/src/apps/relay/dbdrivers/dbd_pgsql.c b/src/apps/relay/dbdrivers/dbd_pgsql.c index 6716de8b..cfb0187e 100644 --- a/src/apps/relay/dbdrivers/dbd_pgsql.c +++ b/src/apps/relay/dbdrivers/dbd_pgsql.c 
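Review bot: The rewritten insert and update statements in mysql_set_oauth_key still splice `key->kid`, `key->ikm_key` and `key->as_rs_alg` into the SQL text with `'%s'`, and in handle_https these values come straight from the admin form fields, so a quote character in any of them breaks the statement or changes its meaning. Prefer a prepared statement with bound parameters (`mysql_stmt_prepare`/`mysql_stmt_bind_param`) or at least `mysql_real_escape_string` on each value before formatting; the pgsql (`PQexecParams`) and sqlite (`sqlite3_bind_text`) set hunks in this commit have the same shape. Separately, the update statement formats `timestamp` with `%lu` after a cast to `unsigned long` while the insert uses `%llu`; the insert form is the one that keeps a 64-bit timestamp intact on every platform. The enclosing function continues outside the hunk.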
@@ -158,7 +158,7 @@ static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { int ret = -1; char statement[TURN_LONG_STRING_SIZE]; - snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key from oauth_key where kid='%s'",(const char*)kid); + snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid); PGconn * pqc = get_pqdb_connection(); if(pqc) { @@ -171,8 +171,6 @@ static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { key->timestamp = (u64bits)strtoll(PQgetvalue(res,0,1),NULL,10); key->lifetime = (u32bits)strtol(PQgetvalue(res,0,2),NULL,10); STRCPY(key->as_rs_alg,PQgetvalue(res,0,3)); - STRCPY(key->as_rs_key,PQgetvalue(res,0,4)); - STRCPY(key->auth_key,PQgetvalue(res,0,5)); STRCPY(key->kid,kid); ret = 0; } @@ -193,7 +191,7 @@ static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre int ret = -1; char statement[TURN_LONG_STRING_SIZE]; - snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key,kid from oauth_key order by kid"); + snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,kid from oauth_key order by kid"); PGconn * pqc = get_pqdb_connection(); if(pqc) { @@ -209,9 +207,7 @@ static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre key->timestamp = (u64bits)strtoll(PQgetvalue(res,i,1),NULL,10); key->lifetime = (u32bits)strtol(PQgetvalue(res,i,2),NULL,10); STRCPY(key->as_rs_alg,PQgetvalue(res,i,3)); - STRCPY(key->as_rs_key,PQgetvalue(res,i,4)); - STRCPY(key->auth_key,PQgetvalue(res,i,5)); - STRCPY(key->kid,PQgetvalue(res,i,6)); + STRCPY(key->kid,PQgetvalue(res,i,4)); if(kids) { add_to_secrets_list(kids,key->kid); 
@@ -227,9 +223,9 @@ static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre add_to_secrets_list(lts,lt); } } else { - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n", key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, - key->as_rs_alg, key->as_rs_key, key->auth_key); + key->as_rs_alg); } ret = 0; @@ -277,17 +273,17 @@ static int pgsql_set_oauth_key(oauth_key_data_raw *key) { char statement[TURN_LONG_STRING_SIZE]; PGconn *pqc = get_pqdb_connection(); if(pqc) { - snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s')", + snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('%s','%s',%llu,%lu,'%s')", key->kid,key->ikm_key,(unsigned long long)key->timestamp,(unsigned long)key->lifetime, - key->as_rs_alg,key->as_rs_key,key->auth_key); + key->as_rs_alg); PGresult *res = PQexec(pqc, statement); if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) { if(res) { PQclear(res); } - snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, as_rs_alg='%s',as_rs_key='%s',auth_key='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime, - key->as_rs_alg,key->as_rs_key,key->auth_key,key->kid); + snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, as_rs_alg='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime, + key->as_rs_alg,key->kid); res = PQexec(pqc, statement); if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating oauth_key information: %s\n",PQerrorMessage(pqc)); 
diff --git a/src/apps/relay/dbdrivers/dbd_redis.c b/src/apps/relay/dbdrivers/dbd_redis.c index c315522a..3619f816 100644 --- a/src/apps/relay/dbdrivers/dbd_redis.c +++ b/src/apps/relay/dbdrivers/dbd_redis.c @@ -477,10 +477,6 @@ static int redis_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { if(kw) { if(!strcmp(kw,"as_rs_alg")) { STRCPY(key->as_rs_alg,val); - } else if(!strcmp(kw,"as_rs_key")) { - STRCPY(key->as_rs_key,val); - } else if(!strcmp(kw,"auth_key")) { - STRCPY(key->auth_key,val); } else if(!strcmp(kw,"ikm_key")) { STRCPY(key->ikm_key,val); } else if(!strcmp(kw,"timestamp")) { @@ -516,8 +512,8 @@ static int redis_set_oauth_key(oauth_key_data_raw *key) { redisContext *rc = get_redis_connection(); if(rc) { char statement[TURN_LONG_STRING_SIZE]; - snprintf(statement,sizeof(statement),"hmset turn/oauth/kid/%s ikm_key %s as_rs_alg %s as_rs_key %s auth_key %s timestamp %llu lifetime %lu", - key->kid,key->ikm_key,key->as_rs_alg,key->as_rs_key,key->auth_key,(unsigned long long)key->timestamp,(unsigned long)key->lifetime); + snprintf(statement,sizeof(statement),"hmset turn/oauth/kid/%s ikm_key %s as_rs_alg %s timestamp %llu lifetime %lu", + key->kid,key->ikm_key,key->as_rs_alg,(unsigned long long)key->timestamp,(unsigned long)key->lifetime); turnFreeRedisReply(redisCommand(rc, statement)); turnFreeRedisReply(redisCommand(rc, "save")); ret = 0; @@ -683,9 +679,9 @@ static int redis_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre add_to_secrets_list(lts,lt); } } else { - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n", key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, - key->as_rs_alg, key->as_rs_key, key->auth_key); + key->as_rs_alg); } } } diff --git a/src/apps/relay/dbdrivers/dbd_sqlite.c b/src/apps/relay/dbdrivers/dbd_sqlite.c index 5a9dac15..6d216a5f 100644 
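Review bot: The rebuilt `hmset` line in redis_set_oauth_key is first formatted into `statement` and then handed to `redisCommand(rc, statement)` as its format argument, so a `%` inside `kid`, `ikm_key` or `as_rs_alg` is reinterpreted by hiredis and whitespace inside a value splits it into extra arguments. Passing the format and the values directly, `redisCommand(rc, "hmset turn/oauth/kid/%s ikm_key %s as_rs_alg %s timestamp %llu lifetime %lu", key->kid, key->ikm_key, key->as_rs_alg, (unsigned long long)key->timestamp, (unsigned long)key->lifetime)`, lets hiredis insert each value as a single argument and removes the intermediate buffer. The enclosing function starts before the hunk.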
--- a/src/apps/relay/dbdrivers/dbd_sqlite.c +++ b/src/apps/relay/dbdrivers/dbd_sqlite.c @@ -154,7 +154,7 @@ static void init_sqlite_database(sqlite3 *sqliteconnection) { "CREATE TABLE denied_peer_ip (realm varchar(127) default '', ip_range varchar(256), primary key (realm,ip_range))", "CREATE TABLE turn_origin_to_realm (origin varchar(127),realm varchar(127),primary key (origin))", "CREATE TABLE turn_realm_option (realm varchar(127) default '', opt varchar(32), value varchar(128), primary key (realm,opt))", - "CREATE TABLE oauth_key (kid varchar(128),ikm_key varchar(256) default '',timestamp bigint default 0,lifetime integer default 0,as_rs_alg varchar(64) default '',as_rs_key varchar(256) default '',auth_key varchar(256) default '',primary key (kid))", + "CREATE TABLE oauth_key (kid varchar(128),ikm_key varchar(256) default '',timestamp bigint default 0,lifetime integer default 0,as_rs_alg varchar(64) default '',primary key (kid))", "CREATE TABLE admin_user (name varchar(32), realm varchar(127), password varchar(127), primary key (name))", NULL }; @@ -293,7 +293,7 @@ static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { char statement[TURN_LONG_STRING_SIZE]; sqlite3_stmt *st = NULL; int rc = 0; - snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key from oauth_key where kid='%s'",(const char*)kid); + snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid); sqlite3 *sqliteconnection = get_sqlite_connection(); if(sqliteconnection) { 
@@ -309,8 +309,6 @@ static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { key->timestamp = (u64bits)strtoll((const char*)sqlite3_column_text(st, 1),NULL,10); key->lifetime = (u32bits)strtol((const char*)sqlite3_column_text(st, 2),NULL,10); STRCPY(key->as_rs_alg,sqlite3_column_text(st, 3)); - STRCPY(key->as_rs_key,sqlite3_column_text(st, 4)); - STRCPY(key->auth_key,sqlite3_column_text(st, 5)); STRCPY(key->kid,kid); ret = 0; } @@ -339,7 +337,7 @@ static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secr char statement[TURN_LONG_STRING_SIZE]; sqlite3_stmt *st = NULL; int rc = 0; - snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key,kid from oauth_key order by kid"); + snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,kid from oauth_key order by kid"); sqlite3 *sqliteconnection = get_sqlite_connection(); if(sqliteconnection) { @@ -357,9 +355,7 @@ static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secr key->timestamp = (u64bits)strtoll((const char*)sqlite3_column_text(st, 1),NULL,10); key->lifetime = (u32bits)strtol((const char*)sqlite3_column_text(st, 2),NULL,10); STRCPY(key->as_rs_alg,sqlite3_column_text(st, 3)); - STRCPY(key->as_rs_key,sqlite3_column_text(st, 4)); - STRCPY(key->auth_key,sqlite3_column_text(st, 5)); - STRCPY(key->kid,sqlite3_column_text(st, 6)); + STRCPY(key->kid,sqlite3_column_text(st, 4)); if(kids) { add_to_secrets_list(kids,key->kid); 
@@ -375,9 +371,9 @@ static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secr add_to_secrets_list(lts,lt); } } else { - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n", key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, - key->as_rs_alg, key->as_rs_key, key->auth_key); + key->as_rs_alg); } } else if (res == SQLITE_DONE) { @@ -447,9 +443,8 @@ static int sqlite_set_oauth_key(oauth_key_data_raw *key) snprintf( statement, sizeof(statement), - "insert or replace into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s')", - key->kid, key->ikm_key, (unsigned long long) key->timestamp, (unsigned long) key->lifetime, key->as_rs_alg, key->as_rs_key, - key->auth_key); + "insert or replace into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('%s','%s',%llu,%lu,'%s')", + key->kid, key->ikm_key, (unsigned long long) key->timestamp, (unsigned long) key->lifetime, key->as_rs_alg); sqlite_lock(1); diff --git a/src/apps/relay/turn_admin_server.c b/src/apps/relay/turn_admin_server.c index 699876cc..dfdb8d2e 100644 --- a/src/apps/relay/turn_admin_server.c +++ b/src/apps/relay/turn_admin_server.c @@ -1372,8 +1372,6 @@ typedef enum _AS_FORM AS_FORM; #define HR_ADD_OAUTH_TS "oauth_ts" #define HR_ADD_OAUTH_LT "oauth_lt" #define HR_ADD_OAUTH_IKM "oauth_ikm" -#define HR_ADD_OAUTH_RS_KEY "oauth_rs_key" -#define HR_ADD_OAUTH_AUTH_KEY "oauth_auth_key" #define HR_ADD_OAUTH_TEA "oauth_tea" #define HR_DELETE_OAUTH_KID "oauth_kid_del" #define HR_OAUTH_KID "kid" 
@@ -2878,28 +2876,6 @@ static void write_https_oauth_show_keys(ioa_socket_handle s, const char* kid) str_buffer_append(sb,"\r\n"); } - if(okey.as_rs_key_size) { - size_t as_rs_key_size = 0; - char *as_rs_key = (char*)base64_encode((unsigned char*)okey.as_rs_key,okey.as_rs_key_size,&as_rs_key_size); - if(as_rs_key) { - str_buffer_append(sb,"AS-RS key:"); - str_buffer_append(sb,as_rs_key); - str_buffer_append(sb,"\r\n"); - turn_free(as_rs_key,as_rs_key_size); - } - } - - if(okey.auth_key_size) { - size_t auth_key_size = 0; - char *auth_key = (char*)base64_encode((unsigned char*)okey.auth_key,okey.auth_key_size,&auth_key_size); - if(auth_key) { - str_buffer_append(sb,"AUTH key:"); - str_buffer_append(sb,auth_key); - str_buffer_append(sb,"\r\n"); - turn_free(auth_key,auth_key_size); - } - } - str_buffer_append(sb,"\r\n"); } } @@ -2914,7 +2890,6 @@ static void write_https_oauth_show_keys(ioa_socket_handle s, const char* kid) static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, const char* add_ikm, const char* add_tea, const char *add_ts, const char* add_lt, - const char *add_rs_key, const char *add_auth_key, const char* msg) { if(s && !ioa_socket_tobeclosed(s)) { @@ -3017,35 +2992,7 @@ static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, con str_buffer_append(sb,">A256GCMKW\r\n
\r\n"); } - str_buffer_append(sb,""); - - { - if(!add_rs_key) add_rs_key = ""; - - str_buffer_append(sb,"
Base64-encoded AS-RS key (optional):
"); - str_buffer_append(sb,"
\r\n"); - } - - str_buffer_append(sb,"\r\n"); - - str_buffer_append(sb,""); - - { - if(!add_auth_key) add_auth_key = ""; - - str_buffer_append(sb,"
Base64-encoded AUTH key (optional):
"); - str_buffer_append(sb,"
\r\n"); - } - - str_buffer_append(sb,"\r\n"); + str_buffer_append(sb,"\r\n\r\n"); str_buffer_append(sb,"
"); @@ -3545,28 +3492,19 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh) const char* add_ts = "0"; const char* add_lt = "0"; const char* add_ikm = ""; - const char *add_rs_key = ""; - const char *add_auth_key = ""; const char* add_tea = ""; const char* msg = ""; add_kid = get_http_header_value(hr,HR_ADD_OAUTH_KID,""); if(add_kid[0]) { add_ikm = get_http_header_value(hr,HR_ADD_OAUTH_IKM,""); - add_rs_key = get_http_header_value(hr,HR_ADD_OAUTH_RS_KEY,""); - add_auth_key = get_http_header_value(hr,HR_ADD_OAUTH_AUTH_KEY,""); add_ts = get_http_header_value(hr,HR_ADD_OAUTH_TS,""); add_lt = get_http_header_value(hr,HR_ADD_OAUTH_LT,""); add_tea = get_http_header_value(hr,HR_ADD_OAUTH_TEA,""); - int keys_ok = 0; - if(add_rs_key[0] && add_auth_key[0]) { - keys_ok = 1; - } else if(strstr(add_tea,"GCM") && add_rs_key[0]) { - keys_ok = 1; - } + int keys_ok = (add_ikm[0] != 0); if(!keys_ok) { - msg = "Provided information is insufficient for the oAuth key generation."; + msg = "You must enter the key value."; } else { oauth_key_data_raw key; ns_bzero(&key,sizeof(key)); @@ -3588,8 +3526,6 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh) STRCPY(key.ikm_key,add_ikm); STRCPY(key.as_rs_alg,add_tea); - STRCPY(key.as_rs_key,add_rs_key); - STRCPY(key.auth_key,add_auth_key); const turn_dbdriver_t * dbd = get_dbdriver(); if (dbd && dbd->set_oauth_key) { @@ -3601,14 +3537,12 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh) add_lt = "0"; add_ikm = ""; add_tea = ""; - add_rs_key = ""; - add_auth_key = ""; } } } } - write_https_oauth_page(s,add_kid,add_ikm,add_tea,add_ts,add_lt,add_rs_key,add_auth_key,msg); + write_https_oauth_page(s,add_kid,add_ikm,add_tea,add_ts,add_lt,msg); } break; } diff --git a/src/apps/relay/userdb.c b/src/apps/relay/userdb.c index 8e5acf76..26f6cde2 100644 --- a/src/apps/relay/userdb.c +++ b/src/apps/relay/userdb.c 
@@ -1018,15 +1018,12 @@ void run_db_test(void) oauth_key_data_raw key_; oauth_key_data_raw *key=&key_; dbd->get_oauth_key((const u08bits*)"north",key); - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", - key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, - key->as_rs_alg, key->as_rs_key, key->auth_key); + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n", + key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->as_rs_alg); printf("DB TEST 3:\n"); STRCPY(key->as_rs_alg,"as_rs_alg"); - STRCPY(key->as_rs_key,"as_rs_key"); - STRCPY(key->auth_key,"auth_key"); STRCPY(key->ikm_key,"ikm_key"); STRCPY(key->kid,"kid"); key->timestamp = 123; @@ -1037,9 +1034,8 @@ void run_db_test(void) printf("DB TEST 4:\n"); dbd->get_oauth_key((const u08bits*)"kid",key); - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", - key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, - key->as_rs_alg, key->as_rs_key, key->auth_key); + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n", + key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->as_rs_alg); printf("DB TEST 5:\n"); dbd->del_oauth_key((const u08bits*)"kid"); 
@@ -1051,9 +1047,8 @@ void run_db_test(void) oauth_key_data oakd; convert_oauth_key_data_raw(key, &oakd); - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key_size=%d, auth_key_size=%d\n", - oakd.kid, oakd.ikm_key, (unsigned long long)oakd.timestamp, (unsigned long)oakd.lifetime, - oakd.as_rs_alg, (int)oakd.as_rs_key_size, (int)oakd.auth_key_size); + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n", + oakd.kid, oakd.ikm_key, (unsigned long long)oakd.timestamp, (unsigned long)oakd.lifetime, oakd.as_rs_alg); oauth_key oak; char err_msg[1025]; diff --git a/src/apps/uclient/mainuclient.c b/src/apps/uclient/mainuclient.c index c172ee31..264d2422 100644 --- a/src/apps/uclient/mainuclient.c +++ b/src/apps/uclient/mainuclient.c @@ -102,9 +102,9 @@ int oauth = 0; oauth_key okey_array[3]; static oauth_key_data_raw okdr_array[3] = { - {"north","Y2FybGVvbg==",0,0,"A256GCMKW","",""}, - {"union","aGVyb2Q=",0,0,"A128GCMKW","",""}, - {"oldempire","YXVsY3Vz",0,0,"A256GCMKW","",""} + {"north","Y2FybGVvbg==",0,0,"A256GCMKW"}, + {"union","aGVyb2Q=",0,0,"A128GCMKW"}, + {"oldempire","YXVsY3Vz",0,0,"A256GCMKW"} }; //////////////// local definitions ///////////////// diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c index 51454c6e..f8f2ddb7 100644 --- a/src/client/ns_turn_msg.c +++ b/src/client/ns_turn_msg.c @@ -2045,15 +2045,8 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er oauth_key_data *oakd = &oakd_obj; if(!(oakd->ikm_key_size)) { - if(!(oakd->as_rs_key_size)) { - if(err_msg) { - snprintf(err_msg,err_msg_size,"AS-RS key is not defined"); - } - OAUTH_ERROR("AS-RS key is not defined\n"); - return -1; - } - if(!(oakd->auth_key_size)) { - //AEAD ? + if(err_msg) { + snprintf(err_msg,err_msg_size,"key is not defined"); } } 
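Review bot: The empty-ikm branch in convert_oauth_key_data now writes `"key is not defined"` into `err_msg` but no longer returns, so the function carries on with `ikm_key_size` of zero and the later `calculate_key(key->ikm_key,key->ikm_key_size,...)` calls (in the -2108 hunk) run on empty keying material. Restore the early exit after the message: `OAUTH_ERROR("key is not defined\n"); return -1;`. The function continues on both sides of the hunk.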
@@ -2075,10 +2068,6 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er STRCPY(key->kid,oakd->kid); - ns_bcopy(oakd->as_rs_key,key->as_rs_key,sizeof(key->as_rs_key)); - key->as_rs_key_size = oakd->as_rs_key_size; - ns_bcopy(oakd->auth_key,key->auth_key,sizeof(key->auth_key)); - key->auth_key_size = oakd->auth_key_size; ns_bcopy(oakd->ikm_key,key->ikm_key,sizeof(key->ikm_key)); key->ikm_key_size = oakd->ikm_key_size; @@ -2108,20 +2097,16 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er return -1; } - if(!(key->auth_key_size)) { - key->auth_key_size = calculate_auth_key_length(key->as_rs_alg); - if(key->auth_key_size) { - if(calculate_key(key->ikm_key,key->ikm_key_size,key->auth_key,key->auth_key_size)<0) { - return -1; - } + key->auth_key_size = calculate_auth_key_length(key->as_rs_alg); + if(key->auth_key_size) { + if(calculate_key(key->ikm_key,key->ikm_key_size,key->auth_key,key->auth_key_size)<0) { + return -1; } } - if(!(key->as_rs_key_size)) { - key->as_rs_key_size = calculate_enc_key_length(key->as_rs_alg); - if(calculate_key(key->ikm_key,key->ikm_key_size,key->as_rs_key,key->as_rs_key_size)<0) { - return -1; - } + key->as_rs_key_size = calculate_enc_key_length(key->as_rs_alg); + if(calculate_key(key->ikm_key,key->ikm_key_size,key->as_rs_key,key->as_rs_key_size)<0) { + return -1; } } diff --git a/src/client/ns_turn_msg_defs_new.h b/src/client/ns_turn_msg_defs_new.h index f23493de..9a0d3732 100644 --- a/src/client/ns_turn_msg_defs_new.h +++ b/src/client/ns_turn_msg_defs_new.h @@ -112,10 +112,6 @@ struct _oauth_key_data { turn_time_t timestamp; turn_time_t lifetime; char as_rs_alg[OAUTH_ALG_SIZE+1]; - char as_rs_key[OAUTH_KEY_SIZE+1]; - size_t as_rs_key_size; - char auth_key[OAUTH_KEY_SIZE+1]; - size_t auth_key_size; }; typedef struct _oauth_key_data oauth_key_data; diff --git a/turndb/schema.sql b/turndb/schema.sql index 25ee800f..b35463a2 100644 --- a/turndb/schema.sql +++ b/turndb/schema.sql 
@@ -43,8 +43,6 @@ CREATE TABLE oauth_key ( timestamp bigint default 0, lifetime integer default 0, as_rs_alg varchar(64) default '', - as_rs_key varchar(256) default '', - auth_key varchar(256) default '', primary key (kid) ); diff --git a/turndb/schema.userdb.redis b/turndb/schema.userdb.redis index 00810404..d79ccf6e 100644 --- a/turndb/schema.userdb.redis +++ b/turndb/schema.userdb.redis @@ -34,12 +34,10 @@ and they will be almost immediately "seen" by the turnserver process. 4) For the oAuth authentication, there is a hash structure with the key "turn/oauth/kid/". The kid structure fields are: - ikm_key - (optional) base64-encoded key ("input keying material"); - The ikm_key is not needed if the as_rs_key and auth_key are defined - explicitly in the database; + ikm_key - (optional) base64-encoded key ("input keying material"). timestamp - (optional) the timestamp (in seconds) when the key - lifetime started; + lifetime started. lifetime - (optional) the key lifetime in seconds; the default value is 0 - unlimited lifetime. @@ -47,14 +45,7 @@ and they will be almost immediately "seen" by the turnserver process. as_rs_alg - oAuth token encryption algorithm; the valid values are "A256GCMKW", "A128GCMKW" (see http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.1). - The default value is "A256GCMKW"; - - as_rs_key - (optional) base64-encoded AS-RS key. If not defined, then - calculated with ikm_key. The as_rs_key length - is defined by as_rs_alg. - - auth_key - (optional) base64-encoded AUTH key. If not defined, then - calculated with ikm_key. Not used with AEAD algorithms. + The default value is "A256GCMKW". 5) admin users (over https interface) are maintained as keys of form: "turn/admin_user/ with hash members "password" and, diff --git a/turndb/testsqldbsetup.sql b/turndb/testsqldbsetup.sql index a7e77ccf..ce7d7d57 100644 --- a/turndb/testsqldbsetup.sql +++ b/turndb/testsqldbsetup.sql 
@@ -31,6 +31,6 @@ insert into denied_peer_ip (ip_range) values('123::45'); insert into denied_peer_ip (realm,ip_range) values('north.gov','172.17.17.133-172.17.19.56'); insert into denied_peer_ip (realm,ip_range) values('crinna.org','123::77'); -insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('north','Y2FybGVvbg==',0,0,'A256GCMKW','',''); -insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('union','aGVyb2Q=',0,0,'A128GCMKW','',''); -insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('oldempire','YXVsY3Vz',0,0,'A256GCMKW','',''); +insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('north','Y2FybGVvbg==',0,0,'A256GCMKW'); +insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('union','aGVyb2Q=',0,0,'A128GCMKW'); +insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('oldempire','YXVsY3Vz',0,0,'A256GCMKW');