mirrors/coturn
1
0
Fork 0
mirror of https://github.com/coturn/coturn.git synced 2026-04-06 04:41:01 +02:00
Code Issues Projects Releases Wiki Activity

Merge tag 'upstream/4.4.5.1'

Browse Source 
Upstream version 4.4.5.1
This commit is contained in:
Oleg Moskalenko 2015-05-27 00:16:31 -07:00
commit 800ff2be5c
52 changed files with 500 additions and 1372 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ChangeLog
View File

@ -1,3 +1,12 @@
4/9/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.5.1 'Ardee West':
- dual allocation adjusted according to the new TURN-bis draft;
- options sha256, sha384, sha512 retired as non-standard;
- third-party authorization (oAuth) updated according to the
version 14 of the draft;
- C++ fixes;
- cosmetic fixes;
3/31/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.4.2 'Ardee West':
- SCTP fixes;

52
INSTALL
View File

@ -470,7 +470,7 @@ libevent2 from their web site. It was tested with older *NIXes
NOTE: SQLite must be of version 3.x.
NOTE: For extra security features (DTLS and SHA256 and and SHA384 and SHA512)
NOTE: For extra security features (like DTLS)
support, OpenSSL version 1.0.0a or newer is recommended. Older versions do
not support DTLS, reliably, in some cases. For example, the Debian 'Squeeze'
Linux supplies 0.9.8 version of OpenSSL, that does not work correctly with
@ -683,10 +683,7 @@ security reasons. Storing only the HMAC key has its own implications -
if you change the realm, you will have to update the HMAC keys of all
users, because the realm is used for the HMAC key generation.
The key must be up to 32 characters (HEX representation of 16 bytes) for SHA1,
or up to 64 characters (HEX representation of 32 bytes) for SHA256,
or up to 96 characters (HEX representation of 48 bytes) for SHA384,
or up to 128 characters (HEX representation of 64 bytes) for SHA512:
The key must be up to 32 characters (HEX representation of 16 bytes) for SHA1:
# Table holding shared secrets for secret-based authorization
# (REST API). Shared secret can be stored either in unsecure open
@ -743,14 +740,10 @@ CREATE TABLE turn_realm_option (
#
CREATE TABLE oauth_key (
kid varchar(128),
ikm_key varchar(256) default '',
ikm_key varchar(256),
timestamp bigint default 0,
lifetime integer default 0,
hkdf_hash_func varchar(64) default '',
as_rs_alg varchar(64) default '',
as_rs_key varchar(256) default '',
auth_alg varchar(64) default '',
auth_key varchar(256) default '',
primary key (kid)
);
@ -759,38 +752,17 @@ The oauth_key table fields meanings are:
kid: the kid of the key;
ikm_key - (optional) base64-encoded key ("input keying material");
The ikm_key is not needed if the as_rs_key and auth_key are defined
explicitly in the database;
timestamp - (optional) the timestamp (in seconds) when the key
lifetime starts;
lifetime - (optional) the key lifetime in seconds; the default value
is 0 - unlimited lifetime.
hkdf_hash_func - (optional) hash function for HKDF procedure; the
valid values are SHA-1, SHA-256, SHA-384 and SHA-512,
with SHA-256 as default. The hkdf_hash_func is not needed
if the as_rs_key and auth_key are defined explicitly
in the database;
as_rs_alg - oAuth token encryption algorithm; the valid values are
"AES-128-CBC" and "AES-256-CBC", , "AEAD-AES-128-GCM",
"AEAD-AES-256-GCM".
The default value is "AES-256-CBC";
as_rs_key - (optional) base64-encoded AS-RS key. If not defined, then
calculated with ikm_key and hkdf_hash_func. The as_rs_key length
is defined by as_rs_alg.
auth_alg - (optional) oAuth token authentication algorithm; the valid values are
"HMAC-SHA-256-128", "HMAC-SHA-256", "HMAC-SHA-384",
"HMAC-SHA-512" and "HMAC-SHA-1".
The default value is "HMAC-SHA-256-128".
auth_key - (optional) base64-encoded AUTH key. If not defined, then
calculated with ikm_key and hkdf_hash_func. The auth_key length
is defined by auth_alg.
"A256GCM", "A128GCM" (see
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-5.1).
The default value is "A256GCM";
# Https access admin users.
# Leave this table empty if you do not want
@ -827,9 +799,6 @@ Fill in users, for example:
$ bin/turnadmin -a -b "/var/db/turndb" -u gorst -r north.gov -p hero
$ bin/turnadmin -a -b "/var/db/turndb" -u ninefingers -r north.gov -p youhavetoberealistic
Long-term credentials mechanism with SHA256 extension:
$ bin/turnadmin -a -b "/var/db/turndb" -u bethod -r north.gov -p king-of-north --sha256
Admin users:
$ bin/turnadmin -A -b "/var/db/turndb" -u gorst -p hero
@ -954,9 +923,6 @@ Fill in users, for example:
$ bin/turnadmin -a -e "host=localhost dbname=coturn user=turn password=turn" -u gorst -r north.gov -p hero
$ bin/turnadmin -a -e "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -r north.gov -p youhavetoberealistic
Long-term credentials mechanism with SHA256 extension:
$ bin/turnadmin -a -e "host=localhost dbname=coturn user=turn password=turn" -u bethod -r north.gov -p king-of-north --sha256
Admin users:
$ bin/turnadmin -A -e "host=localhost dbname=coturn user=turn password=turn" -u gorst -p hero
@ -1009,9 +975,6 @@ the root account.
$ bin/turnadmin -a -M "host=localhost dbname=coturn user=turn password=turn" -u gorst -r north.gov -p hero
$ bin/turnadmin -a -M "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -r north.gov -p youhavetoberealistic
Long-term credentials mechanism with SHA256 extension:
$ bin/turnadmin -a -M "host=localhost dbname=coturn user=turn password=turn" -u bethod -r north.gov -p king-of-north --sha256
Admin users:
$ bin/turnadmin -A -M "host=localhost dbname=coturn user=turn password=turn" -u gorst -p hero
@ -1138,9 +1101,6 @@ Redis TURN admin commands:
$ bin/turnadmin -a -N "host=localhost dbname=2 user=turn password=turn" -u gorst -r north.gov -p hero
$ bin/turnadmin -a -N "host=localhost dbname=2 user=turn password=turn" -u ninefingers -r north.gov -p youhavetoberealistic
Long-term credentials mechanism with SHA256 extension:
$ bin/turnadmin -a -N "host=localhost dbname=2 user=turn password=turn" -u bethod -r north.gov -p king-of-north --sha256
Admin users:
$ bin/turnadmin -A -N "host=localhost dbname=2 user=turn password=turn" -u gorst -p hero

5
README.turnadmin
View File

@ -104,11 +104,6 @@ Options with required values:
-r, --realm Realm.
-p, --password Password.
-o, --origin Origin
-H, --sha256 Use SHA256 as the keys hash function (a non-standard feature).
By default, MD5 is used for the key storage encryption
(as required by the current STUN/TURNstandards).
-Y, --sha384 Use SHA384 as the keys hash function (a non-standard feature).
-K, --sha512 Use SHA512 as the keys hash function (a non-standard feature).
--max-bps Set value of realm's max-bps parameter.
--total-quota Set value of realm's total-quota parameter.
--user-quota Set value of realm's user-quota parameter.

11
README.turnserver
View File

@ -236,17 +236,6 @@ Flags:
--no-multicast-peers Disallow peers on well-known broadcast addresses
(224.0.0.0 and above, and FFXX:*).
--sha256 Require SHA256 digest function to be used for the message integrity.
By default, the server uses SHA1 hashes. With this option, the server
requires the stronger SHA256 hashes. The client application must support
SHA256 hash function if this option is used. If the server obtains a message
from the client with a weaker (SHA1) hash function then the server returns
error code 426.
--sha384 Require SHA384 digest function to be used for the message integrity.
--sha512 Require SHA512 digest function to be used for the message integrity.
--mobility Mobility with ICE (MICE) specs support.
--no-cli Turn OFF the CLI support. By default it is always ON.

7
README.turnutils
View File

@ -94,13 +94,6 @@ Flags:
-R do negative protocol tests.
-O DOS attack mode.
-H SHA256 digest function for message integrity calculation.
Without this option, by default, SHA1 is used.
-Y SHA384 digest function for message integrity calculation.
-K SHA512 digest function for message integrity calculation.
-M Use TURN ICE Mobility.

6
TODO
View File

@ -59,9 +59,9 @@
2) Redirect draft.
3) STUN-Bis:
a. SCTP
b. New integrity attribute, algorithms
3) STUN-bis: new integrity attribute, algorithms.
4) Third-party authorization updates.
==================================================================

12
examples/etc/turnserver.conf
View File

@ -557,18 +557,6 @@
#
#secure-stun
# Require SHA256, or SHA384, or SHA512 digest function to be used for the message
# integrity. By default, the server uses SHA1 (as per TURN standard specs).
# With this option, the server always requires the stronger SHA256, SHA384 or SHA512
# function. The client application must support SHA256, SHA384 or SHA512 hash function
# if this option is used. If the server obtains
# a message from the client with a weaker (SHA1) hash function then the
# server returns error code 426.
#
#sha256
#sha384
#sha512
# Mobility with ICE (MICE) specs support.
#
#mobility

2
examples/scripts/longtermsecure/secure_relay.sh
View File

@ -32,4 +32,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --cipher-list=ALL --db="var/db/turndb" $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --cipher-list=ALL --db=var/db/turndb $@

2
examples/scripts/longtermsecure/secure_relay_cert.sh
View File

@ -35,4 +35,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=turn_server_cert.pem --log-file=stdout -v --cipher-list="ALL:!eNULL:!aNULL:!NULL" $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=turn_server_cert.pem --log-file=stdout -v --cipher-list="ALL:!eNULL:!aNULL:!NULL" --db=var/db/turndb $@

2
examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh
View File

@ -21,7 +21,7 @@
# 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
# 9) "--log-file=stdout" means that all log output will go to the stdout.
# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
# 11) --oauth - mandate oAuth security dialog
# 11) --oauth - support oAuth security dialog
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then

2
examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh
View File

@ -22,7 +22,7 @@
# 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
# 9) "--log-file=stdout" means that all log output will go to the stdout.
# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
# 11) --oauth - mandate oAuth security dialog
# 11) --oauth - support oAuth security dialog
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then

2
examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh
View File

@ -23,7 +23,7 @@
# 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
# 9) "--log-file=stdout" means that all log output will go to the stdout.
# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
# 11) --oauth - mandate oAuth security dialog
# 11) --oauth - support oAuth security dialog
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then

2
examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh
View File

@ -22,7 +22,7 @@
# 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
# 9) "--log-file=stdout" means that all log output will go to the stdout.
# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
# 11) --oauth - mandate oAuth security dialog
# 11) --oauth - support oAuth security dialog
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then

2
examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh
View File

@ -25,7 +25,7 @@
# 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
# 10) "--log-file=stdout" means that all log output will go to the stdout.
# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
# 12) --oauth - mandate oAuth security dialog
# 12) --oauth - support oAuth security dialog
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then

2
examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh
View File

@ -21,7 +21,7 @@
# 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
# 9) "--log-file=stdout" means that all log output will go to the stdout.
# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
# 11) --oauth - mandate oAuth security dialog
# 11) --oauth - support oAuth security dialog
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then

BIN
examples/var/db/turndb
View File

Binary file not shown.

16
man/man1/turnadmin.1
View File

@ -1,5 +1,5 @@
.\" Text automatically generated by txt2man
.TH TURN 1 "21 March 2015" "" ""
.TH TURN 1 "11 April 2015" "" ""
.SH GENERAL INFORMATION
\fIturnadmin\fP is a TURN administration tool. This tool can be used to manage
@ -184,20 +184,6 @@ Password.
Origin
.TP
.B
\fB\-H\fP, \fB\-\-sha256\fP
Use SHA256 as the keys hash function (a non\-standard feature).
By default, MD5 is used for the key storage encryption
(as required by the current STUN/TURNstandards).
.TP
.B
\fB\-Y\fP, \fB\-\-sha384\fP
Use SHA384 as the keys hash function (a non\-standard feature).
.TP
.B
\fB\-K\fP, \fB\-\-sha512\fP
Use SHA512 as the keys hash function (a non\-standard feature).
.TP
.B
\fB\-\-max\-bps\fP
Set value of realm's max\-bps parameter.
.TP

19
man/man1/turnserver.1
View File

@ -1,5 +1,5 @@
.\" Text automatically generated by txt2man
.TH TURN 1 "21 March 2015" "" ""
.TH TURN 1 "11 April 2015" "" ""
.SH GENERAL INFORMATION
The \fBTURN Server\fP project contains the source code of a TURN server and TURN client
@ -363,23 +363,6 @@ Disallow peers on well\-known broadcast addresses
(224.0.0.0 and above, and FFXX:*).
.TP
.B
\fB\-\-sha256\fP
Require SHA256 digest function to be used for the message integrity.
By default, the server uses SHA1 hashes. With this option, the server
requires the stronger SHA256 hashes. The client application must support
SHA256 hash function if this option is used. If the server obtains a message
from the client with a weaker (SHA1) hash function then the server returns
error code 426.
.TP
.B
\fB\-\-sha384\fP
Require SHA384 digest function to be used for the message integrity.
.TP
.B
\fB\-\-sha512\fP
Require SHA512 digest function to be used for the message integrity.
.TP
.B
\fB\-\-mobility\fP
Mobility with ICE (MICE) specs support.
.TP

15
man/man1/turnutils.1
View File

@ -1,5 +1,5 @@
.\" Text automatically generated by txt2man
.TH TURN 1 "21 March 2015" "" ""
.TH TURN 1 "11 April 2015" "" ""
.SH GENERAL INFORMATION
A set of turnutils_* programs provides some utility functionality to be used
@ -143,19 +143,6 @@ do negative protocol tests.
DOS attack mode.
.TP
.B
\fB\-H\fP
SHA256 digest function for message integrity calculation.
Without this option, by default, SHA1 is used.
.TP
.B
\fB\-Y\fP
SHA384 digest function for message integrity calculation.
.TP
.B
\fB\-K\fP
SHA512 digest function for message integrity calculation.
.TP
.B
\fB\-M\fP
Use TURN ICE Mobility.
.TP

2
rpm/build.settings.sh
View File

@ -2,7 +2,7 @@
# Common settings script.
TURNVERSION=4.4.4.2
TURNVERSION=4.4.5.1
BUILDDIR=~/rpmbuild
ARCH=`uname -p`
TURNSERVER_SVN_URL=http://coturn.googlecode.com/svn

4
rpm/turnserver.spec
View File

@ -1,5 +1,5 @@
Name: turnserver
Version: 4.4.4.2
Version: 4.4.5.1
Release: 0%{dist}
Summary: Coturn TURN Server
@ -289,6 +289,8 @@ fi
%{_includedir}/turn/client/TurnMsgLib.h
%changelog
* Thu Apr 09 2015 Oleg Moskalenko <mom040267@gmail.com>
- Sync to 4.4.5.1
* Tue Mar 31 2015 Oleg Moskalenko <mom040267@gmail.com>
- Sync to 4.4.4.2
* Sun Mar 15 2015 Oleg Moskalenko <mom040267@gmail.com>

23
src/apps/common/apputils.c
View File

@ -1125,8 +1125,6 @@ void convert_oauth_key_data_raw(const oauth_key_data_raw *raw, oauth_key_data *o
oakd->lifetime = raw->lifetime;
ns_bcopy(raw->as_rs_alg,oakd->as_rs_alg,sizeof(oakd->as_rs_alg));
ns_bcopy(raw->auth_alg,oakd->auth_alg,sizeof(oakd->auth_alg));
ns_bcopy(raw->hkdf_hash_func,oakd->hkdf_hash_func,sizeof(oakd->hkdf_hash_func));
ns_bcopy(raw->kid,oakd->kid,sizeof(oakd->kid));
if(raw->ikm_key[0]) {
@ -1138,27 +1136,6 @@ void convert_oauth_key_data_raw(const oauth_key_data_raw *raw, oauth_key_data *o
turn_free(ikm_key,ikm_key_size);
}
}
if(raw->as_rs_key[0]) {
size_t as_rs_key_size = 0;
char *as_rs_key = (char*)base64_decode(raw->as_rs_key,strlen(raw->as_rs_key),&as_rs_key_size);
if(as_rs_key) {
ns_bcopy(as_rs_key,oakd->as_rs_key,as_rs_key_size);
oakd->as_rs_key_size = as_rs_key_size;
turn_free(as_rs_key,as_rs_key_size);
}
}
if(raw->auth_key[0]) {
size_t auth_key_size = 0;
char *auth_key = (char*)base64_decode(raw->auth_key,strlen(raw->auth_key),&auth_key_size);
if(auth_key) {
ns_bcopy(auth_key,oakd->auth_key,auth_key_size);
oakd->auth_key_size = auth_key_size;
turn_free(auth_key,auth_key_size);
}
}
}
}

4
src/apps/common/apputils.h
View File

@ -141,11 +141,7 @@ struct _oauth_key_data_raw {
char ikm_key[OAUTH_KEY_SIZE+1];
u64bits timestamp;
u32bits lifetime;
char hkdf_hash_func[OAUTH_HASH_FUNC_SIZE+1];
char as_rs_alg[OAUTH_ALG_SIZE+1];
char as_rs_key[OAUTH_KEY_SIZE+1];
char auth_alg[OAUTH_ALG_SIZE+1];
char auth_key[OAUTH_KEY_SIZE+1];
};
typedef struct _oauth_key_data_raw oauth_key_data_raw;

48
src/apps/relay/dbdrivers/dbd_mongo.c
View File

@ -216,7 +216,7 @@ static int mongo_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
if (mongoc_cursor_next(cursor, &item)) {
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "hmackey") && BSON_ITER_HOLDS_UTF8(&iter)) {
value = bson_iter_utf8(&iter, &length);
size_t sz = get_hmackey_size(turn_params.shatype) * 2;
size_t sz = get_hmackey_size(SHATYPE_DEFAULT) * 2;
if(length < sz) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong key format: string length=%d (must be %d): user %s\n", (int)length, (int)sz, usname);
} else {
@ -255,10 +255,6 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
BSON_APPEND_INT32(&fields, "lifetime", 1);
BSON_APPEND_INT32(&fields, "timestamp", 1);
BSON_APPEND_INT32(&fields, "as_rs_alg", 1);
BSON_APPEND_INT32(&fields, "as_rs_key", 1);
BSON_APPEND_INT32(&fields, "auth_alg", 1);
BSON_APPEND_INT32(&fields, "auth_key", 1);
BSON_APPEND_INT32(&fields, "hkdf_hash_func", 1);
BSON_APPEND_INT32(&fields, "ikm_key", 1);
mongoc_cursor_t * cursor;
@ -281,21 +277,9 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_alg") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->as_rs_alg,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->as_rs_key,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "auth_alg") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->auth_alg,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "auth_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->auth_key,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "ikm_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->ikm_key,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "hkdf_hash_func") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->hkdf_hash_func,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "timestamp") && BSON_ITER_HOLDS_INT64(&iter)) {
key->timestamp = (u64bits)bson_iter_int64(&iter);
}
@ -357,10 +341,6 @@ static int mongo_set_oauth_key(oauth_key_data_raw *key) {
bson_init(&doc);
BSON_APPEND_UTF8(&doc, "kid", (const char *)key->kid);
BSON_APPEND_UTF8(&doc, "as_rs_alg", (const char *)key->as_rs_alg);
BSON_APPEND_UTF8(&doc, "as_rs_key", (const char *)key->as_rs_key);
BSON_APPEND_UTF8(&doc, "auth_alg", (const char *)key->auth_alg);
BSON_APPEND_UTF8(&doc, "auth_key", (const char *)key->auth_key);
BSON_APPEND_UTF8(&doc, "hkdf_hash_func", (const char *)key->hkdf_hash_func);
BSON_APPEND_UTF8(&doc, "ikm_key", (const char *)key->ikm_key);
BSON_APPEND_INT64(&doc, "timestamp", (int64_t)key->timestamp);
BSON_APPEND_INT32(&doc, "lifetime", (int32_t)key->lifetime);
@ -497,7 +477,7 @@ static int mongo_list_users(u08bits *realm, secrets_list_t *users, secrets_list_
return ret;
}
static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secrets_list_t *teas,secrets_list_t *aas,secrets_list_t *tss,secrets_list_t *lts) {
static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secrets_list_t *tss,secrets_list_t *lts) {
const char * collection_name = "oauth_key";
mongoc_collection_t * collection = mongo_get_collection(collection_name);
@ -521,10 +501,6 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr
BSON_APPEND_INT32(&fields, "lifetime", 1);
BSON_APPEND_INT32(&fields, "timestamp", 1);
BSON_APPEND_INT32(&fields, "as_rs_alg", 1);
BSON_APPEND_INT32(&fields, "as_rs_key", 1);
BSON_APPEND_INT32(&fields, "auth_alg", 1);
BSON_APPEND_INT32(&fields, "auth_key", 1);
BSON_APPEND_INT32(&fields, "hkdf_hash_func", 1);
BSON_APPEND_INT32(&fields, "ikm_key", 1);
mongoc_cursor_t * cursor;
@ -549,21 +525,9 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_alg") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->as_rs_alg,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->as_rs_key,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "auth_alg") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->auth_alg,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "auth_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->auth_key,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "ikm_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->ikm_key,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "hkdf_hash_func") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->hkdf_hash_func,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "timestamp") && BSON_ITER_HOLDS_INT64(&iter)) {
key->timestamp = (u64bits)bson_iter_int64(&iter);
}
@ -572,9 +536,7 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr
}
if(kids) {
add_to_secrets_list(kids,key->kid);
add_to_secrets_list(hkdfs,key->hkdf_hash_func);
add_to_secrets_list(teas,key->as_rs_alg);
add_to_secrets_list(aas,key->auth_alg);
{
char ts[256];
snprintf(ts,sizeof(ts)-1,"%llu",(unsigned long long)key->timestamp);
@ -586,9 +548,9 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr
add_to_secrets_list(lts,lt);
}
} else {
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func,
key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key);
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime,
key->as_rs_alg);
}
}
mongoc_cursor_destroy(cursor);

63
src/apps/relay/dbdrivers/dbd_mysql.c
View File

@ -315,7 +315,7 @@ static int mysql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
if(row && row[0]) {
unsigned long *lengths = mysql_fetch_lengths(mres);
if(lengths) {
size_t sz = get_hmackey_size(turn_params.shatype)*2;
size_t sz = get_hmackey_size(SHATYPE_DEFAULT)*2;
if(lengths[0]<sz) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong key format: string length=%d (must be %d): user %s\n",(int)lengths[0],(int)sz,usname);
} else {
@ -343,7 +343,7 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key from oauth_key where kid='%s'",(const char*)kid);
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid);
MYSQL * myc = get_mydb_connection();
if(myc) {
@ -354,7 +354,7 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
MYSQL_RES *mres = mysql_store_result(myc);
if(!mres) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc));
} else if(mysql_field_count(myc)!=8) {
} else if(mysql_field_count(myc)!=4) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unknown error retrieving MySQL DB information: %s\n",statement);
} else {
MYSQL_ROW row = mysql_fetch_row(mres);
@ -375,20 +375,8 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
slifetime[lengths[2]]=0;
key->lifetime = (u32bits)strtoul(slifetime,NULL,10);
ns_bcopy(row[3],key->hkdf_hash_func,lengths[3]);
key->hkdf_hash_func[lengths[3]]=0;
ns_bcopy(row[4],key->as_rs_alg,lengths[4]);
key->as_rs_alg[lengths[4]]=0;
ns_bcopy(row[5],key->as_rs_key,lengths[5]);
key->as_rs_key[lengths[5]]=0;
ns_bcopy(row[6],key->auth_alg,lengths[6]);
key->auth_alg[lengths[6]]=0;
ns_bcopy(row[7],key->auth_key,lengths[7]);
key->auth_key[lengths[7]]=0;
ns_bcopy(row[3],key->as_rs_alg,lengths[3]);
key->as_rs_alg[lengths[3]]=0;
ret = 0;
}
@ -402,13 +390,13 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
return ret;
}
static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secrets_list_t *teas,secrets_list_t *aas,secrets_list_t *tss,secrets_list_t *lts) {
static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secrets_list_t *tss,secrets_list_t *lts) {
oauth_key_data_raw key_;
oauth_key_data_raw *key=&key_;
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key,kid from oauth_key order by kid");
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,kid from oauth_key order by kid");
MYSQL * myc = get_mydb_connection();
if(myc) {
@ -419,7 +407,7 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr
MYSQL_RES *mres = mysql_store_result(myc);
if(!mres) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc));
} else if(mysql_field_count(myc)!=9) {
} else if(mysql_field_count(myc)!=5) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unknown error retrieving MySQL DB information: %s\n",statement);
} else {
MYSQL_ROW row = mysql_fetch_row(mres);
@ -440,28 +428,15 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr
slifetime[lengths[2]]=0;
key->lifetime = (u32bits)strtoul(slifetime,NULL,10);
ns_bcopy(row[3],key->hkdf_hash_func,lengths[3]);
key->hkdf_hash_func[lengths[3]]=0;
ns_bcopy(row[4],key->as_rs_alg,lengths[4]);
key->as_rs_alg[lengths[4]]=0;
ns_bcopy(row[3],key->as_rs_alg,lengths[3]);
key->as_rs_alg[lengths[3]]=0;
ns_bcopy(row[5],key->as_rs_key,lengths[5]);
key->as_rs_key[lengths[5]]=0;
ns_bcopy(row[6],key->auth_alg,lengths[6]);
key->auth_alg[lengths[6]]=0;
ns_bcopy(row[7],key->auth_key,lengths[7]);
key->auth_key[lengths[7]]=0;
ns_bcopy(row[8],key->kid,lengths[8]);
key->kid[lengths[8]]=0;
ns_bcopy(row[4],key->kid,lengths[4]);
key->kid[lengths[4]]=0;
if(kids) {
add_to_secrets_list(kids,key->kid);
add_to_secrets_list(hkdfs,key->hkdf_hash_func);
add_to_secrets_list(teas,key->as_rs_alg);
add_to_secrets_list(aas,key->auth_alg);
{
char ts[256];
snprintf(ts,sizeof(ts)-1,"%llu",(unsigned long long)key->timestamp);
@ -473,9 +448,9 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr
add_to_secrets_list(lts,lt);
}
} else {
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func,
key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key);
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime,
key->as_rs_alg);
}
}
row = mysql_fetch_row(mres);
@ -519,13 +494,13 @@ static int mysql_set_oauth_key(oauth_key_data_raw *key)
char statement[TURN_LONG_STRING_SIZE];
MYSQL * myc = get_mydb_connection();
if(myc) {
snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s','%s','%s')",
snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('%s','%s',%llu,%lu,'%s')",
key->kid,key->ikm_key,(unsigned long long)key->timestamp,(unsigned long)key->lifetime,
key->hkdf_hash_func,key->as_rs_alg,key->as_rs_key,key->auth_alg,key->auth_key);
key->as_rs_alg);
int res = mysql_query(myc, statement);
if(res) {
snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, hkdf_hash_func = '%s', as_rs_alg='%s',as_rs_key='%s',auth_alg='%s',auth_key='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime,
key->hkdf_hash_func,key->as_rs_alg,key->as_rs_key,key->auth_alg,key->auth_key,key->kid);
snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, as_rs_alg='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime,
key->as_rs_alg,key->kid);
res = mysql_query(myc, statement);
if(res) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating oauth key information: %s\n",mysql_error(myc));

38
src/apps/relay/dbdrivers/dbd_pgsql.c
View File

@ -133,7 +133,7 @@ static int pgsql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
char *kval = PQgetvalue(res,0,0);
int len = PQgetlength(res,0,0);
if(kval) {
size_t sz = get_hmackey_size(turn_params.shatype);
size_t sz = get_hmackey_size(SHATYPE_DEFAULT);
if(((size_t)len<sz*2)||(strlen(kval)<sz*2)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong key format: %s, user %s\n",kval,usname);
} else if(convert_string_key_to_binary(kval, key, sz)<0) {
@ -158,7 +158,7 @@ static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key from oauth_key where kid='%s'",(const char*)kid);
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid);
PGconn * pqc = get_pqdb_connection();
if(pqc) {
@ -170,11 +170,7 @@ static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
STRCPY(key->ikm_key,PQgetvalue(res,0,0));
key->timestamp = (u64bits)strtoll(PQgetvalue(res,0,1),NULL,10);
key->lifetime = (u32bits)strtol(PQgetvalue(res,0,2),NULL,10);
STRCPY(key->hkdf_hash_func,PQgetvalue(res,0,3));
STRCPY(key->as_rs_alg,PQgetvalue(res,0,4));
STRCPY(key->as_rs_key,PQgetvalue(res,0,5));
STRCPY(key->auth_alg,PQgetvalue(res,0,6));
STRCPY(key->auth_key,PQgetvalue(res,0,7));
STRCPY(key->as_rs_alg,PQgetvalue(res,0,3));
STRCPY(key->kid,kid);
ret = 0;
}
@ -187,7 +183,7 @@ static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
return ret;
}
static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secrets_list_t *teas,secrets_list_t *aas,secrets_list_t *tss,secrets_list_t *lts) {
static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secrets_list_t *tss,secrets_list_t *lts) {
oauth_key_data_raw key_;
oauth_key_data_raw *key=&key_;
@ -195,7 +191,7 @@ static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key,kid from oauth_key order by kid");
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,kid from oauth_key order by kid");
PGconn * pqc = get_pqdb_connection();
if(pqc) {
@ -210,18 +206,12 @@ static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr
STRCPY(key->ikm_key,PQgetvalue(res,i,0));
key->timestamp = (u64bits)strtoll(PQgetvalue(res,i,1),NULL,10);
key->lifetime = (u32bits)strtol(PQgetvalue(res,i,2),NULL,10);
STRCPY(key->hkdf_hash_func,PQgetvalue(res,i,3));
STRCPY(key->as_rs_alg,PQgetvalue(res,i,4));
STRCPY(key->as_rs_key,PQgetvalue(res,i,5));
STRCPY(key->auth_alg,PQgetvalue(res,i,6));
STRCPY(key->auth_key,PQgetvalue(res,i,7));
STRCPY(key->kid,PQgetvalue(res,i,8));
STRCPY(key->as_rs_alg,PQgetvalue(res,i,3));
STRCPY(key->kid,PQgetvalue(res,i,4));
if(kids) {
add_to_secrets_list(kids,key->kid);
add_to_secrets_list(hkdfs,key->hkdf_hash_func);
add_to_secrets_list(teas,key->as_rs_alg);
add_to_secrets_list(aas,key->auth_alg);
{
char ts[256];
snprintf(ts,sizeof(ts)-1,"%llu",(unsigned long long)key->timestamp);
@ -233,9 +223,9 @@ static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr
add_to_secrets_list(lts,lt);
}
} else {
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func,
key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key);
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime,
key->as_rs_alg);
}
ret = 0;
@ -283,17 +273,17 @@ static int pgsql_set_oauth_key(oauth_key_data_raw *key) {
char statement[TURN_LONG_STRING_SIZE];
PGconn *pqc = get_pqdb_connection();
if(pqc) {
snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s','%s','%s')",
snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('%s','%s',%llu,%lu,'%s')",
key->kid,key->ikm_key,(unsigned long long)key->timestamp,(unsigned long)key->lifetime,
key->hkdf_hash_func,key->as_rs_alg,key->as_rs_key,key->auth_alg,key->auth_key);
key->as_rs_alg);
PGresult *res = PQexec(pqc, statement);
if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) {
if(res) {
PQclear(res);
}
snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, hkdf_hash_func = '%s', as_rs_alg='%s',as_rs_key='%s',auth_alg='%s',auth_key='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime,
key->hkdf_hash_func,key->as_rs_alg,key->as_rs_key,key->auth_alg,key->auth_key,key->kid);
snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, as_rs_alg='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime,
key->as_rs_alg,key->kid);
res = PQexec(pqc, statement);
if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating oauth_key information: %s\n",PQerrorMessage(pqc));

24
src/apps/relay/dbdrivers/dbd_redis.c
View File

@ -439,7 +439,7 @@ static int redis_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
if (rget->type != REDIS_REPLY_NIL)
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unexpected type: %d\n", rget->type);
} else {
size_t sz = get_hmackey_size(turn_params.shatype);
size_t sz = get_hmackey_size(SHATYPE_DEFAULT);
if(strlen(rget->str)<sz*2) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong key format: %s, user %s\n",rget->str,usname);
} else if(convert_string_key_to_binary(rget->str, key, sz)<0) {
@ -477,16 +477,8 @@ static int redis_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
if(kw) {
if(!strcmp(kw,"as_rs_alg")) {
STRCPY(key->as_rs_alg,val);
} else if(!strcmp(kw,"as_rs_key")) {
STRCPY(key->as_rs_key,val);
} else if(!strcmp(kw,"auth_key")) {
STRCPY(key->auth_key,val);
} else if(!strcmp(kw,"auth_alg")) {
STRCPY(key->auth_alg,val);
} else if(!strcmp(kw,"ikm_key")) {
STRCPY(key->ikm_key,val);
} else if(!strcmp(kw,"hkdf_hash_func")) {
STRCPY(key->hkdf_hash_func,val);
} else if(!strcmp(kw,"timestamp")) {
key->timestamp = (u64bits)strtoull(val,NULL,10);
} else if(!strcmp(kw,"lifetime")) {
@ -520,8 +512,8 @@ static int redis_set_oauth_key(oauth_key_data_raw *key) {
redisContext *rc = get_redis_connection();
if(rc) {
char statement[TURN_LONG_STRING_SIZE];
snprintf(statement,sizeof(statement),"hmset turn/oauth/kid/%s ikm_key %s hkdf_hash_func %s as_rs_alg %s as_rs_key %s auth_alg %s auth_key %s timestamp %llu lifetime %lu",
key->kid,key->ikm_key,key->hkdf_hash_func,key->as_rs_alg,key->as_rs_key,key->auth_alg,key->auth_key,(unsigned long long)key->timestamp,(unsigned long)key->lifetime);
snprintf(statement,sizeof(statement),"hmset turn/oauth/kid/%s ikm_key %s as_rs_alg %s timestamp %llu lifetime %lu",
key->kid,key->ikm_key,key->as_rs_alg,(unsigned long long)key->timestamp,(unsigned long)key->lifetime);
turnFreeRedisReply(redisCommand(rc, statement));
turnFreeRedisReply(redisCommand(rc, "save"));
ret = 0;
@ -637,7 +629,7 @@ static int redis_list_users(u08bits *realm, secrets_list_t *users, secrets_list_
return ret;
}
static int redis_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secrets_list_t *teas,secrets_list_t *aas,secrets_list_t *tss,secrets_list_t *lts) {
static int redis_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secrets_list_t *tss,secrets_list_t *lts) {
int ret = -1;
redisContext *rc = get_redis_connection();
secrets_list_t keys;
@ -675,9 +667,7 @@ static int redis_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr
if(redis_get_oauth_key((const u08bits*)s,key) == 0) {
if(kids) {
add_to_secrets_list(kids,key->kid);
add_to_secrets_list(hkdfs,key->hkdf_hash_func);
add_to_secrets_list(teas,key->as_rs_alg);
add_to_secrets_list(aas,key->auth_alg);
{
char ts[256];
snprintf(ts,sizeof(ts)-1,"%llu",(unsigned long long)key->timestamp);
@ -689,9 +679,9 @@ static int redis_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr
add_to_secrets_list(lts,lt);
}
} else {
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func,
key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key);
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime,
key->as_rs_alg);
}
}
}

37
src/apps/relay/dbdrivers/dbd_sqlite.c
View File

@ -154,7 +154,7 @@ static void init_sqlite_database(sqlite3 *sqliteconnection) {
"CREATE TABLE denied_peer_ip (realm varchar(127) default '', ip_range varchar(256), primary key (realm,ip_range))",
"CREATE TABLE turn_origin_to_realm (origin varchar(127),realm varchar(127),primary key (origin))",
"CREATE TABLE turn_realm_option (realm varchar(127) default '', opt varchar(32), value varchar(128), primary key (realm,opt))",
"CREATE TABLE oauth_key (kid varchar(128),ikm_key varchar(256) default '',timestamp bigint default 0,lifetime integer default 0,hkdf_hash_func varchar(64) default '',as_rs_alg varchar(64) default '',as_rs_key varchar(256) default '',auth_alg varchar(64) default '',auth_key varchar(256) default '',primary key (kid))",
"CREATE TABLE oauth_key (kid varchar(128),ikm_key varchar(256),timestamp bigint default 0,lifetime integer default 0,as_rs_alg varchar(64) default '',primary key (kid))",
"CREATE TABLE admin_user (name varchar(32), realm varchar(127), password varchar(127), primary key (name))",
NULL
};
@ -266,7 +266,7 @@ static int sqlite_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key)
int res = sqlite3_step(st);
if (res == SQLITE_ROW) {
char *kval = turn_strdup((const char*) sqlite3_column_text(st, 0));
size_t sz = get_hmackey_size(turn_params.shatype);
size_t sz = get_hmackey_size(SHATYPE_DEFAULT);
if (convert_string_key_to_binary(kval, key, sz) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong key: %s, user %s\n", kval, usname);
} else {
@ -293,7 +293,7 @@ static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
char statement[TURN_LONG_STRING_SIZE];
sqlite3_stmt *st = NULL;
int rc = 0;
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key from oauth_key where kid='%s'",(const char*)kid);
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid);
sqlite3 *sqliteconnection = get_sqlite_connection();
if(sqliteconnection) {
@ -308,11 +308,7 @@ static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
STRCPY(key->ikm_key,sqlite3_column_text(st, 0));
key->timestamp = (u64bits)strtoll((const char*)sqlite3_column_text(st, 1),NULL,10);
key->lifetime = (u32bits)strtol((const char*)sqlite3_column_text(st, 2),NULL,10);
STRCPY(key->hkdf_hash_func,sqlite3_column_text(st, 3));
STRCPY(key->as_rs_alg,sqlite3_column_text(st, 4));
STRCPY(key->as_rs_key,sqlite3_column_text(st, 5));
STRCPY(key->auth_alg,sqlite3_column_text(st, 6));
STRCPY(key->auth_key,sqlite3_column_text(st, 7));
STRCPY(key->as_rs_alg,sqlite3_column_text(st, 3));
STRCPY(key->kid,kid);
ret = 0;
}
@ -329,7 +325,7 @@ static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
return ret;
}
static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secrets_list_t *teas,secrets_list_t *aas,secrets_list_t *tss,secrets_list_t *lts) {
static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secrets_list_t *tss,secrets_list_t *lts) {
oauth_key_data_raw key_;
oauth_key_data_raw *key=&key_;
@ -341,7 +337,7 @@ static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,sec
char statement[TURN_LONG_STRING_SIZE];
sqlite3_stmt *st = NULL;
int rc = 0;
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key,kid from oauth_key order by kid");
snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,kid from oauth_key order by kid");
sqlite3 *sqliteconnection = get_sqlite_connection();
if(sqliteconnection) {
@ -358,18 +354,12 @@ static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,sec
STRCPY(key->ikm_key,sqlite3_column_text(st, 0));
key->timestamp = (u64bits)strtoll((const char*)sqlite3_column_text(st, 1),NULL,10);
key->lifetime = (u32bits)strtol((const char*)sqlite3_column_text(st, 2),NULL,10);
STRCPY(key->hkdf_hash_func,sqlite3_column_text(st, 3));
STRCPY(key->as_rs_alg,sqlite3_column_text(st, 4));
STRCPY(key->as_rs_key,sqlite3_column_text(st, 5));
STRCPY(key->auth_alg,sqlite3_column_text(st, 6));
STRCPY(key->auth_key,sqlite3_column_text(st, 7));
STRCPY(key->kid,sqlite3_column_text(st, 8));
STRCPY(key->as_rs_alg,sqlite3_column_text(st, 3));
STRCPY(key->kid,sqlite3_column_text(st, 4));
if(kids) {
add_to_secrets_list(kids,key->kid);
add_to_secrets_list(hkdfs,key->hkdf_hash_func);
add_to_secrets_list(teas,key->as_rs_alg);
add_to_secrets_list(aas,key->auth_alg);
{
char ts[256];
snprintf(ts,sizeof(ts)-1,"%llu",(unsigned long long)key->timestamp);
@ -381,9 +371,9 @@ static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,sec
add_to_secrets_list(lts,lt);
}
} else {
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func,
key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key);
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime,
key->as_rs_alg);
}
} else if (res == SQLITE_DONE) {
@ -453,9 +443,8 @@ static int sqlite_set_oauth_key(oauth_key_data_raw *key)
snprintf(
statement,
sizeof(statement),
"insert or replace into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s','%s','%s')",
key->kid, key->ikm_key, (unsigned long long) key->timestamp, (unsigned long) key->lifetime, key->hkdf_hash_func, key->as_rs_alg, key->as_rs_key, key->auth_alg,
key->auth_key);
"insert or replace into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('%s','%s',%llu,%lu,'%s')",
key->kid, key->ikm_key, (unsigned long long) key->timestamp, (unsigned long) key->lifetime, key->as_rs_alg);
sqlite_lock(1);

2
src/apps/relay/dbdrivers/dbdriver.h
View File

@ -68,7 +68,7 @@ typedef struct _turn_dbdriver_t {
int (*set_oauth_key)(oauth_key_data_raw *key);
int (*get_oauth_key)(const u08bits *kid, oauth_key_data_raw *key);
int (*del_oauth_key)(const u08bits *kid);
int (*list_oauth_keys)(secrets_list_t *kids,secrets_list_t *hkdfs,secrets_list_t *teas,secrets_list_t *aas,secrets_list_t *tss,secrets_list_t *lts);
int (*list_oauth_keys)(secrets_list_t *kids,secrets_list_t *teas,secrets_list_t *tss,secrets_list_t *lts);
int (*get_admin_user)(const u08bits *usname, u08bits *realm, password_t pwd);
int (*set_admin_user)(const u08bits *usname, const u08bits *realm, const password_t pwd);
int (*del_admin_user)(const u08bits *usname);

109
src/apps/relay/mainrelay.c
View File

@ -117,7 +117,7 @@ LOW_DEFAULT_PORTS_BOUNDARY,HIGH_DEFAULT_PORTS_BOUNDARY,0,0,0,"",
/////////////// stop server ////////////////
0,
/////////////// MISC PARAMS ////////////////
0,0,0,0,0,SHATYPE_SHA1,':',0,0,TURN_CREDENTIALS_NONE,0,0,0,0,0,0,
0,0,0,0,0,':',0,0,TURN_CREDENTIALS_NONE,0,0,0,0,0,0,
///////////// Users DB //////////////
{ (TURN_USERDB_TYPE)0, {"\0"}, {0,NULL, {NULL,0}} },
///////////// CPUs //////////////////
@ -562,15 +562,6 @@ static char Usage[] = "Usage: turnserver [options]\n"
" /var/tmp/turnserver.pid .\n"
" --secure-stun Require authentication of the STUN Binding request.\n"
" By default, the clients are allowed anonymous access to the STUN Binding functionality.\n"
" --sha256 Require SHA256 digest function to be used for the message integrity.\n"
" By default, the server SHA1 (as per TURN standard specs).\n"
" With this option, the server\n"
" requires the stronger SHA256 function. The client application must\n"
" support SHA256 hash function if this option is used. If the server obtains\n"
" a message from the client with a weaker (SHA1) hash function then the server\n"
" returns error code 426.\n"
" --sha384 Require SHA384 digest function to be used for the message integrity.\n"
" --sha512 Require SHA512 digest function to be used for the message integrity.\n"
" --proc-user <user-name> User name to run the turnserver process.\n"
" After the initialization, the turnserver process\n"
" will make an attempt to change the current user ID to that user.\n"
@ -645,10 +636,6 @@ static char AdminUsage[] = "Usage: turnadmin [command] [options]\n"
#if !defined(TURN_NO_SQLITE) || !defined(TURN_NO_PQ) || !defined(TURN_NO_MYSQL) || !defined(TURN_NO_MONGO) || !defined(TURN_NO_HIREDIS)
" -o, --origin Origin\n"
#endif
" -H, --sha256 Use SHA256 digest function to be used for the message integrity.\n"
" By default, the server SHA1 (as per TURN standard specs).\n"
" -Y, --sha384 Use SHA384 digest function to be used for the message integrity.\n"
" -K, --sha512 Use SHA512 digest function to be used for the message integrity.\n"
" --max-bps Set value of realm's max-bps parameter.\n"
" Setting to zero value means removal of the option.\n"
" --total-quota Set value of realm's total-quota parameter.\n"
@ -698,9 +685,6 @@ enum EXTRA_OPTS {
SECURE_STUN_OPT,
CA_FILE_OPT,
DH_FILE_OPT,
SHA256_OPT,
SHA384_OPT,
SHA512_OPT,
NO_STUN_OPT,
PROC_USER_OPT,
PROC_GROUP_OPT,
@ -759,10 +743,8 @@ static const struct myoption long_options[] = {
{ "lt-cred-mech", optional_argument, NULL, 'a' },
{ "no-auth", optional_argument, NULL, 'z' },
{ "user", required_argument, NULL, 'u' },
#if !defined(TURN_NO_SQLITE)
{ "userdb", required_argument, NULL, 'b' },
{ "db", required_argument, NULL, 'b' },
#endif
#if !defined(TURN_NO_PQ)
{ "psql-userdb", required_argument, NULL, 'e' },
{ "sql-userdb", required_argument, NULL, 'e' },
@ -823,9 +805,6 @@ static const struct myoption long_options[] = {
{ "secure-stun", optional_argument, NULL, SECURE_STUN_OPT },
{ "CA-file", required_argument, NULL, CA_FILE_OPT },
{ "dh-file", required_argument, NULL, DH_FILE_OPT },
{ "sha256", optional_argument, NULL, SHA256_OPT },
{ "sha384", optional_argument, NULL, SHA384_OPT },
{ "sha512", optional_argument, NULL, SHA512_OPT },
{ "proc-user", required_argument, NULL, PROC_USER_OPT },
{ "proc-group", required_argument, NULL, PROC_GROUP_OPT },
{ "mobility", optional_argument, NULL, MOBILITY_OPT },
@ -880,9 +859,6 @@ static const struct myoption admin_long_options[] = {
{ "user", required_argument, NULL, 'u' },
{ "realm", required_argument, NULL, 'r' },
{ "password", required_argument, NULL, 'p' },
{ "sha256", no_argument, NULL, 'H' },
{ "sha384", no_argument, NULL, 'Y' },
{ "sha512", no_argument, NULL, 'K' },
{ "add-origin", no_argument, NULL, 'O' },
{ "del-origin", no_argument, NULL, 'R' },
{ "list-origins", required_argument, NULL, 'I' },
@ -919,7 +895,11 @@ static void set_option(int c, char *value)
STRCPY(turn_params.oauth_server_name,value);
break;
case OAUTH_OPT:
turn_params.oauth = get_bool_value(value);
if(!ENC_ALG_NUM) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: option --oauth is not supported; ignored.\n");
} else {
turn_params.oauth = get_bool_value(value);
}
break;
case NO_SSLV2_OPT:
//deprecated
@ -1046,18 +1026,6 @@ static void set_option(int c, char *value)
case SECURE_STUN_OPT:
turn_params.secure_stun = get_bool_value(value);
break;
case SHA256_OPT:
if(get_bool_value(value))
turn_params.shatype = SHATYPE_SHA256;
break;
case SHA384_OPT:
if(get_bool_value(value))
turn_params.shatype = SHATYPE_SHA384;
break;
case SHA512_OPT:
if(get_bool_value(value))
turn_params.shatype = SHATYPE_SHA512;
break;
case NO_MULTICAST_PEERS_OPT:
turn_params.no_multicast_peers = get_bool_value(value);
break;
@ -1155,12 +1123,14 @@ static void set_option(int c, char *value)
case 'u':
add_static_user_account(value);
break;
#if !defined(TURN_NO_SQLITE)
case 'b':
#if defined(TURN_NO_SQLITE)
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: Options -b, --userdb and --db are not supported because SQLite is not supported in this build.\n");
#else
STRCPY(turn_params.default_users_db.persistent_users_db.userdb, value);
turn_params.default_users_db.userdb_type = TURN_USERDB_TYPE_SQLITE;
break;
#endif
break;
#if !defined(TURN_NO_PQ)
case 'e':
STRCPY(turn_params.default_users_db.persistent_users_db.userdb, value);
@ -1592,18 +1562,6 @@ static int adminmain(int argc, char **argv)
exit(0);
}
break;
case 'H':
if(get_bool_value(optarg))
turn_params.shatype = SHATYPE_SHA256;
break;
case 'Y':
if(get_bool_value(optarg))
turn_params.shatype = SHATYPE_SHA384;
break;
case 'K':
if(get_bool_value(optarg))
turn_params.shatype = SHATYPE_SHA512;
break;
case 'h':
printf("\n%s\n", AdminUsage);
exit(0);
@ -1650,6 +1608,17 @@ static void print_features(unsigned long mfn)
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "\n\n==== Show him the instruments, Practical Frost: ====\n\n");
/*
Frost stepped forward and opened the polished case with a theatrical
flourish. It was a masterful piece of craftsmanship. As the lid was
pulled back, the many trays inside lifted and fanned out, displaying
Gloktas tools in all their gruesome glory. There were blades of every
size and shape, needles curved and straight, bottles of oil and acid,
nails and screws, clamps and pliers, saws, hammers, chisels. Metal, wood
and glass glittered in the bright lamplight, all polished to mirror
brightness and honed to a murderous sharpness.
*/
#if !TLS_SUPPORTED
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TLS is not supported\n");
#else
@ -1660,14 +1629,34 @@ static void print_features(unsigned long mfn)
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "DTLS is not supported\n");
#else
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "DTLS supported\n");
#if DTLSv1_2_SUPPORTED
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "DTLS 1.2 supported\n");
#else
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "DTLS 1.2 is not supported\n");
#endif
#endif
#if defined(TURN_NO_GCM)
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "AEAD is not supported\n");
#if ALPN_SUPPORTED
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TURN/STUN ALPN supported\n");
#else
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "AEAD supported\n");
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TURN/STUN ALPN is not supported\n");
#endif
if(!ENC_ALG_NUM) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Third-party authorization (oAuth) is not supported\n");
} else {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Third-party authorization (oAuth) supported\n");
#if defined(TURN_NO_GCM)
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "GCM (AEAD) is not supported\n");
#else
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "GCM (AEAD) supported\n");
#endif
}
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "OpenSSL compile-time version: %s\n",OPENSSL_VERSION_TEXT);
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "\n");
#if !defined(TURN_NO_SQLITE)
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "SQLite supported, default database location is %s\n",DEFAULT_USERDB_FILE);
#else
@ -1698,7 +1687,13 @@ static void print_features(unsigned long mfn)
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "MongoDB is not supported\n");
#endif
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "OpenSSL compile-time version: %s\n",OPENSSL_VERSION_TEXT);
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "\n");
#if !defined(TURN_NO_SCTP)
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "SCTP supported\n");
#else
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "SCTP is not supported\n");
#endif
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Default Net Engine version: %d (%s)\n\n=====================================================\n\n", (int)turn_params.net_engine_version, turn_params.net_engine_version_txt[(int)turn_params.net_engine_version]);
@ -2657,7 +2652,7 @@ static void openssl_setup(void)
#if DTLSv1_2_SUPPORTED
turn_params.dtls_ctx = SSL_CTX_new(DTLS_server_method());
turn_params.dtls_ctx_v1_2 = SSL_CTX_new(DTLSv1_2_server_method());
set_ctx(turn_params.dtls_ctx_v1_2,"DTLS1,2");
set_ctx(turn_params.dtls_ctx_v1_2,"DTLS1.2");
SSL_CTX_set_read_ahead(turn_params.dtls_ctx_v1_2, 1);
#else
turn_params.dtls_ctx = SSL_CTX_new(DTLSv1_server_method());

1
src/apps/relay/mainrelay.h
View File

@ -291,7 +291,6 @@ typedef struct _turn_params_ {
vint secure_stun;
int server_relay;
int fingerprint;
SHATYPE shatype;
char rest_api_separator;
vint stale_nonce;
vint mobility;

2
src/apps/relay/netengine.c
View File

@ -1642,7 +1642,7 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
&turn_params.no_multicast_peers, &turn_params.no_loopback_peers,
&turn_params.ip_whitelist, &turn_params.ip_blacklist,
send_socket_to_relay,
&turn_params.secure_stun, turn_params.shatype, &turn_params.mobility,
&turn_params.secure_stun, &turn_params.mobility,
turn_params.server_relay,
send_turn_session_info,
send_https_socket,

280
src/apps/relay/turn_admin_server.c
View File

@ -691,16 +691,6 @@ static void cli_print_configuration(struct cli_session* cs)
cli_print_str(cs,turn_params.cert_file,"Certificate file",0);
cli_print_str(cs,turn_params.pkey_file,"Private Key file",0);
if(turn_params.shatype == SHATYPE_SHA256)
cli_print_str(cs,"SHA256","SHA type",0);
else if(turn_params.shatype == SHATYPE_SHA384)
cli_print_str(cs,"SHA384","SHA type",0);
else if(turn_params.shatype == SHATYPE_SHA512)
cli_print_str(cs,"SHA512","SHA type",0);
else
cli_print_str(cs,"SHA1","SHA type",0);
myprintf(cs,"\n");
cli_print_str_array(cs,turn_params.listener.addrs,turn_params.listener.addrs_number,"Listener addr",0);
if(turn_params.listener_ifname[0])
@ -1382,11 +1372,7 @@ typedef enum _AS_FORM AS_FORM;
#define HR_ADD_OAUTH_TS "oauth_ts"
#define HR_ADD_OAUTH_LT "oauth_lt"
#define HR_ADD_OAUTH_IKM "oauth_ikm"
#define HR_ADD_OAUTH_RS_KEY "oauth_rs_key"
#define HR_ADD_OAUTH_AUTH_KEY "oauth_auth_key"
#define HR_ADD_OAUTH_HKDF "oauth_hkdf"
#define HR_ADD_OAUTH_TEA "oauth_tea"
#define HR_ADD_OAUTH_AA "oauth_aa"
#define HR_DELETE_OAUTH_KID "oauth_kid_del"
#define HR_OAUTH_KID "kid"
@ -1665,13 +1651,15 @@ static void write_https_home_page(ioa_socket_handle s)
str_buffer_append(sb,"\">Origins</a>");
if(is_superuser()) {
str_buffer_append(sb,"<br><a href=\"");
str_buffer_append(sb,form_names[AS_FORM_OAUTH].name);
str_buffer_append(sb,"?");
str_buffer_append(sb,HR_REALM);
str_buffer_append(sb,"=");
str_buffer_append(sb,current_eff_realm());
str_buffer_append(sb,"\">oAuth keys</a>");
if(ENC_ALG_NUM>0) {
str_buffer_append(sb,"<br><a href=\"");
str_buffer_append(sb,form_names[AS_FORM_OAUTH].name);
str_buffer_append(sb,"?");
str_buffer_append(sb,HR_REALM);
str_buffer_append(sb,"=");
str_buffer_append(sb,current_eff_realm());
str_buffer_append(sb,"\">oAuth keys</a>");
}
}
str_buffer_append(sb,"</fieldset>\r\n");
@ -1962,15 +1950,6 @@ static void write_pc_page(ioa_socket_handle s)
https_print_str(sb,turn_params.cert_file,"Certificate file",0);
https_print_str(sb,turn_params.pkey_file,"Private Key file",0);
if(turn_params.shatype == SHATYPE_SHA256)
https_print_str(sb,"SHA256","SHA type",0);
else if(turn_params.shatype == SHATYPE_SHA384)
https_print_str(sb,"SHA384","SHA type",0);
else if(turn_params.shatype == SHATYPE_SHA512)
https_print_str(sb,"SHA512","SHA type",0);
else
https_print_str(sb,"SHA1","SHA type",0);
https_print_empty_row(sb,2);
https_print_str_array(sb,turn_params.listener.addrs,turn_params.listener.addrs_number,"Listener addr");
@ -2495,15 +2474,6 @@ static void write_users_page(ioa_socket_handle s, const u08bits *add_user, const
str_buffer_append(sb,"\"");
str_buffer_append(sb,"><br><br>\r\n");
if(turn_params.shatype == SHATYPE_SHA256)
str_buffer_append(sb,"SHA type: SHA256<br>\r\n");
else if(turn_params.shatype == SHATYPE_SHA384)
str_buffer_append(sb,"SHA type: SHA384<br>\r\n");
else if(turn_params.shatype == SHATYPE_SHA512)
str_buffer_append(sb,"SHA type: SHA512<br>\r\n");
else
str_buffer_append(sb,"SHA type: SHA1<br>\r\n");
str_buffer_append(sb,"<br><input type=\"submit\" value=\"Add user\">");
str_buffer_append(sb,"</fieldset>\r\n");
@ -2803,14 +2773,12 @@ static size_t https_print_oauth_keys(struct str_buffer* sb)
size_t ret = 0;
const turn_dbdriver_t * dbd = get_dbdriver();
if (dbd && dbd->list_oauth_keys) {
secrets_list_t kids,hkdfs,teas,aas,tss,lts;
secrets_list_t kids,teas,tss,lts;
init_secrets_list(&kids);
init_secrets_list(&hkdfs);
init_secrets_list(&teas);
init_secrets_list(&aas);
init_secrets_list(&tss);
init_secrets_list(&lts);
dbd->list_oauth_keys(&kids,&hkdfs,&teas,&aas,&tss,&lts);
dbd->list_oauth_keys(&kids,&teas,&tss,&lts);
size_t sz = get_secrets_list_size(&kids);
size_t i;
@ -2837,14 +2805,8 @@ static size_t https_print_oauth_keys(struct str_buffer* sb)
str_buffer_append(sb,get_secrets_list_elem(&lts,i));
str_buffer_append(sb,"</td>");
str_buffer_append(sb,"<td>");
str_buffer_append(sb,get_secrets_list_elem(&hkdfs,i));
str_buffer_append(sb,"</td>");
str_buffer_append(sb,"<td>");
str_buffer_append(sb,get_secrets_list_elem(&teas,i));
str_buffer_append(sb,"</td>");
str_buffer_append(sb,"<td>");
str_buffer_append(sb,get_secrets_list_elem(&aas,i));
str_buffer_append(sb,"</td>");
{
str_buffer_append(sb,"<td> <a href=\"");
@ -2861,9 +2823,7 @@ static size_t https_print_oauth_keys(struct str_buffer* sb)
}
clean_secrets_list(&kids);
clean_secrets_list(&hkdfs);
clean_secrets_list(&teas);
clean_secrets_list(&aas);
}
return ret;
@ -2913,33 +2873,11 @@ static void write_https_oauth_show_keys(ioa_socket_handle s, const char* kid)
str_buffer_append(sb,"<table>\r\n");
if(key.ikm_key[0]) {
str_buffer_append(sb,"<tr><td>Input Keying Material:</td><td>");
str_buffer_append(sb,"<tr><td>Base64-encoded key:</td><td>");
str_buffer_append(sb,key.ikm_key);
str_buffer_append(sb,"</td></tr>\r\n");
}
if(okey.as_rs_key_size) {
size_t as_rs_key_size = 0;
char *as_rs_key = (char*)base64_encode((unsigned char*)okey.as_rs_key,okey.as_rs_key_size,&as_rs_key_size);
if(as_rs_key) {
str_buffer_append(sb,"<tr><td>AS-RS key:</td><td>");
str_buffer_append(sb,as_rs_key);
str_buffer_append(sb,"</td></tr>\r\n");
turn_free(as_rs_key,as_rs_key_size);
}
}
if(okey.auth_key_size) {
size_t auth_key_size = 0;
char *auth_key = (char*)base64_encode((unsigned char*)okey.auth_key,okey.auth_key_size,&auth_key_size);
if(auth_key) {
str_buffer_append(sb,"<tr><td>AUTH key:</td><td>");
str_buffer_append(sb,auth_key);
str_buffer_append(sb,"</td></tr>\r\n");
turn_free(auth_key,auth_key_size);
}
}
str_buffer_append(sb,"</table>\r\n");
}
}
@ -2952,9 +2890,8 @@ static void write_https_oauth_show_keys(ioa_socket_handle s, const char* kid)
}
static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, const char* add_ikm,
const char* add_hkdf_hash_func, const char* add_tea, const char* add_aa,
const char* add_tea,
const char *add_ts, const char* add_lt,
const char *add_rs_key, const char *add_auth_key,
const char* msg)
{
if(s && !ioa_socket_tobeclosed(s)) {
@ -3017,53 +2954,14 @@ static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, con
str_buffer_append(sb,"\"><br>\r\n");
}
str_buffer_append(sb,"</td></tr><tr><td>");
str_buffer_append(sb,"</td></tr>\r\n");
{
str_buffer_append(sb,"<br>Hash key derivation function (optional):<br>\r\n");
if(!add_hkdf_hash_func || !add_hkdf_hash_func[0])
add_hkdf_hash_func = "SHA-256";
str_buffer_append(sb,"<input type=\"radio\" name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_HKDF);
str_buffer_append(sb,"\" value=\"SHA-1\" ");
if(!strcmp("SHA-1",add_hkdf_hash_func)) {
str_buffer_append(sb," checked ");
}
str_buffer_append(sb,">SHA-1\r\n<br>\r\n");
str_buffer_append(sb,"<input type=\"radio\" name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_HKDF);
str_buffer_append(sb,"\" value=\"SHA-256\" ");
if(!strcmp("SHA-256",add_hkdf_hash_func)) {
str_buffer_append(sb," checked ");
}
str_buffer_append(sb,">SHA-256\r\n<br>\r\n");
str_buffer_append(sb,"<input type=\"radio\" name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_HKDF);
str_buffer_append(sb,"\" value=\"SHA-384\" ");
if(!strcmp("SHA-384",add_hkdf_hash_func)) {
str_buffer_append(sb," checked ");
}
str_buffer_append(sb,">SHA-384\r\n<br>\r\n");
str_buffer_append(sb,"<input type=\"radio\" name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_HKDF);
str_buffer_append(sb,"\" value=\"SHA-512\" ");
if(!strcmp("SHA-512",add_hkdf_hash_func)) {
str_buffer_append(sb," checked ");
}
str_buffer_append(sb,">SHA-512\r\n<br>\r\n");
}
str_buffer_append(sb,"</td><td colspan=\"2\">");
str_buffer_append(sb,"<tr><td colspan=\"2\">");
{
if(!add_ikm) add_ikm = "";
str_buffer_append(sb," <br>Base64-encoded input keying material (optional):<br><textarea wrap=\"soft\" cols=70 rows=4 name=\"");
str_buffer_append(sb," <br>Base64-encoded input keying material (required):<br><textarea wrap=\"soft\" cols=70 rows=4 name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_IKM);
str_buffer_append(sb,"\" maxLength=256 >");
str_buffer_append(sb,(const char*)add_ikm);
@ -3071,123 +2969,32 @@ static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, con
str_buffer_append(sb,"<br>\r\n");
}
str_buffer_append(sb,"</td></tr>\r\n<tr><td>");
str_buffer_append(sb,"</td><td>");
{
str_buffer_append(sb,"<br>Token encryption algorithm (required):<br>\r\n");
if(!add_tea || !add_tea[0])
add_tea = "AES-256-CBC";
add_tea = "A256GCM";
str_buffer_append(sb,"<input type=\"radio\" name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_TEA);
str_buffer_append(sb,"\" value=\"AES-128-CBC\" ");
if(!strcmp("AES-128-CBC",add_tea)) {
str_buffer_append(sb,"\" value=\"A128GCM\" ");
if(!strcmp("A128GCM",add_tea)) {
str_buffer_append(sb," checked ");
}
str_buffer_append(sb,">AES-128-CBC\r\n<br>\r\n");
str_buffer_append(sb,">A128GCM\r\n<br>\r\n");
str_buffer_append(sb,"<input type=\"radio\" name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_TEA);
str_buffer_append(sb,"\" value=\"AES-256-CBC\" ");
if(!strcmp("AES-256-CBC",add_tea)) {
str_buffer_append(sb,"\" value=\"A256GCM\" ");
if(!strcmp("A256GCM",add_tea)) {
str_buffer_append(sb," checked ");
}
str_buffer_append(sb,">AES-256-CBC\r\n<br>\r\n");
str_buffer_append(sb,"<input type=\"radio\" name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_TEA);
str_buffer_append(sb,"\" value=\"AEAD-AES-128-GCM\" ");
if(!strcmp("AEAD-AES-128-GCM",add_tea)) {
str_buffer_append(sb," checked ");
}
str_buffer_append(sb,">AEAD-AES-128-GCM\r\n<br>\r\n");
str_buffer_append(sb,"<input type=\"radio\" name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_TEA);
str_buffer_append(sb,"\" value=\"AEAD-AES-256-GCM\" ");
if(!strcmp("AEAD-AES-256-GCM",add_tea)) {
str_buffer_append(sb," checked ");
}
str_buffer_append(sb,">AEAD-AES-256-GCM\r\n<br>\r\n");
str_buffer_append(sb,">A256GCM\r\n<br>\r\n");
}
str_buffer_append(sb,"</td><td colspan=\"2\">");
{
if(!add_rs_key) add_rs_key = "";
str_buffer_append(sb," <br>Base64-encoded AS-RS key (optional):<br><textarea wrap=\"soft\" cols=70 rows=4 name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_RS_KEY);
str_buffer_append(sb,"\" maxLength=256 >");
str_buffer_append(sb,(const char*)add_rs_key);
str_buffer_append(sb,"</textarea>");
str_buffer_append(sb,"<br>\r\n");
}
str_buffer_append(sb,"</td></tr>\r\n<tr><td>");
{
str_buffer_append(sb,"<br>Token authentication algorithm (required if no AEAD used):<br>\r\n");
if(!add_aa || !add_aa[0])
add_aa = "HMAC-SHA-256-128";
str_buffer_append(sb,"<input type=\"radio\" name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_AA);
str_buffer_append(sb,"\" value=\"HMAC-SHA-256-128\" ");
if(!strcmp("HMAC-SHA-256-128",add_aa)) {
str_buffer_append(sb," checked ");
}
str_buffer_append(sb,">HMAC-SHA-256-128\r\n<br>\r\n");
str_buffer_append(sb,"<input type=\"radio\" name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_AA);
str_buffer_append(sb,"\" value=\"HMAC-SHA-256\" ");
if(!strcmp("HMAC-SHA-256",add_aa)) {
str_buffer_append(sb," checked ");
}
str_buffer_append(sb,">HMAC-SHA-256\r\n<br>\r\n");
str_buffer_append(sb,"<input type=\"radio\" name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_AA);
str_buffer_append(sb,"\" value=\"HMAC-SHA-384\" ");
if(!strcmp("HMAC-SHA-384",add_aa)) {
str_buffer_append(sb," checked ");
}
str_buffer_append(sb,">HMAC-SHA-384\r\n<br>\r\n");
str_buffer_append(sb,"<input type=\"radio\" name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_AA);
str_buffer_append(sb,"\" value=\"HMAC-SHA-512\" ");
if(!strcmp("HMAC-SHA-512",add_aa)) {
str_buffer_append(sb," checked ");
}
str_buffer_append(sb,">HMAC-SHA-512\r\n<br>\r\n");
str_buffer_append(sb,"<input type=\"radio\" name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_AA);
str_buffer_append(sb,"\" value=\"HMAC-SHA-1\" ");
if(!strcmp("HMAC-SHA-1",add_aa)) {
str_buffer_append(sb," checked ");
}
str_buffer_append(sb,">HMAC-SHA-1\r\n<br>\r\n");
}
str_buffer_append(sb,"</td><td colspan=\"2\">");
{
if(!add_auth_key) add_auth_key = "";
str_buffer_append(sb," <br>Base64-encoded AUTH key (optional):<br><textarea wrap=\"soft\" cols=70 rows=4 name=\"");
str_buffer_append(sb,HR_ADD_OAUTH_AUTH_KEY);
str_buffer_append(sb,"\" maxLength=256 >");
str_buffer_append(sb,(const char*)add_auth_key);
str_buffer_append(sb,"</textarea>");
str_buffer_append(sb,"<br>\r\n");
}
str_buffer_append(sb,"</td></tr></table>\r\n");
str_buffer_append(sb,"</td></tr>\r\n</table>\r\n");
str_buffer_append(sb,"<br><input type=\"submit\" value=\"Add key\">");
@ -3200,9 +3007,7 @@ static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, con
str_buffer_append(sb,"<tr><th>N</th><th>KID</th><th>keys</th>");
str_buffer_append(sb,"<th>Timestamp, secs</th>");
str_buffer_append(sb,"<th>Lifetime,secs</th>");
str_buffer_append(sb,"<th>Hash key derivation function</th>");
str_buffer_append(sb,"<th>Token encryption algorithm</th>");
str_buffer_append(sb,"<th>Token authentication algorithm</th>");
str_buffer_append(sb,"<th> </th>");
str_buffer_append(sb,"</tr>\r\n");
@ -3491,9 +3296,9 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh)
STRCPY(u,add_user);
STRCPY(r,add_realm);
STRCPY(p,pwd);
stun_produce_integrity_key_str(u, r, p, key, turn_params.shatype);
stun_produce_integrity_key_str(u, r, p, key, SHATYPE_DEFAULT);
size_t i = 0;
size_t sz = get_hmackey_size(turn_params.shatype);
size_t sz = get_hmackey_size(SHATYPE_DEFAULT);
int maxsz = (int) (sz * 2) + 1;
char *s = skey;
for (i = 0; (i < sz) && (maxsz > 2); i++) {
@ -3689,34 +3494,19 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh)
const char* add_ts = "0";
const char* add_lt = "0";
const char* add_ikm = "";
const char *add_rs_key = "";
const char *add_auth_key = "";
const char* add_hkdf_hash_func = "";
const char* add_tea = "";
const char* add_aa = "";
const char* msg = "";
add_kid = get_http_header_value(hr,HR_ADD_OAUTH_KID,"");
if(add_kid[0]) {
add_ikm = get_http_header_value(hr,HR_ADD_OAUTH_IKM,"");
add_rs_key = get_http_header_value(hr,HR_ADD_OAUTH_RS_KEY,"");
add_auth_key = get_http_header_value(hr,HR_ADD_OAUTH_AUTH_KEY,"");
add_ts = get_http_header_value(hr,HR_ADD_OAUTH_TS,"");
add_lt = get_http_header_value(hr,HR_ADD_OAUTH_LT,"");
add_hkdf_hash_func = get_http_header_value(hr,HR_ADD_OAUTH_HKDF,"");
add_tea = get_http_header_value(hr,HR_ADD_OAUTH_TEA,"");
add_aa = get_http_header_value(hr,HR_ADD_OAUTH_AA,"");
int keys_ok = 0;
if(add_ikm[0] && add_hkdf_hash_func[0]) {
keys_ok = 1;
} else if(add_rs_key[0] && add_auth_key[0]) {
keys_ok = 1;
} else if(strstr(add_tea,"AEAD") && add_rs_key[0]) {
keys_ok = 1;
}
int keys_ok = (add_ikm[0] != 0);
if(!keys_ok) {
msg = "Provided information is insufficient for the oAuth key generation.";
msg = "You must enter the key value.";
} else {
oauth_key_data_raw key;
ns_bzero(&key,sizeof(key));
@ -3737,13 +3527,7 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh)
}
STRCPY(key.ikm_key,add_ikm);
STRCPY(key.hkdf_hash_func,add_hkdf_hash_func);
STRCPY(key.as_rs_alg,add_tea);
STRCPY(key.auth_alg,add_aa);
STRCPY(key.as_rs_key,add_rs_key);
STRCPY(key.auth_key,add_auth_key);
if(strstr(key.as_rs_alg,"AEAD")) key.auth_alg[0]=0;
const turn_dbdriver_t * dbd = get_dbdriver();
if (dbd && dbd->set_oauth_key) {
@ -3754,17 +3538,13 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh)
add_ts = "0";
add_lt = "0";
add_ikm = "";
add_hkdf_hash_func = "";
add_tea = "";
add_aa = "";
add_rs_key = "";
add_auth_key = "";
}
}
}
}
write_https_oauth_page(s,add_kid,add_ikm,add_hkdf_hash_func,add_tea,add_aa,add_ts,add_lt,add_rs_key,add_auth_key,msg);
write_https_oauth_page(s,add_kid,add_ikm,add_tea,add_ts,add_lt,msg);
}
break;
}

78
src/apps/relay/userdb.c
View File

@ -484,29 +484,10 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u
switch(dot.enc_block.key_length) {
case SHA1SIZEBYTES:
if(turn_params.shatype != SHATYPE_SHA1) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(1): %d\n",(int)dot.enc_block.key_length);
return -1;
}
break;
case SHA256SIZEBYTES:
if(turn_params.shatype != SHATYPE_SHA256) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(2): %d\n",(int)dot.enc_block.key_length);
return -1;
}
break;
case SHA384SIZEBYTES:
if(turn_params.shatype != SHATYPE_SHA384) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(3): %d\n",(int)dot.enc_block.key_length);
return -1;
}
break;
case SHA512SIZEBYTES:
if(turn_params.shatype != SHATYPE_SHA512) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(3): %d\n",(int)dot.enc_block.key_length);
return -1;
}
break;
default:
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(3): %d\n",(int)dot.enc_block.key_length);
return -1;
@ -518,7 +499,7 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u
ioa_network_buffer_get_size(nbh),
dot.enc_block.mac_key,
pwdtmp,
turn_params.shatype,NULL)>0) {
SHATYPE_DEFAULT)>0) {
turn_time_t lifetime = (turn_time_t)(dot.enc_block.lifetime);
if(lifetime) {
@ -578,25 +559,11 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u
int sarlen = stun_attr_get_len(sar);
switch(sarlen) {
case SHA1SIZEBYTES:
if(turn_params.shatype != SHATYPE_SHA1)
return -1;
hmac_len = SHA1SIZEBYTES;
break;
case SHA256SIZEBYTES:
if(turn_params.shatype != SHATYPE_SHA256)
return -1;
hmac_len = SHA256SIZEBYTES;
break;
case SHA384SIZEBYTES:
if(turn_params.shatype != SHATYPE_SHA384)
return -1;
hmac_len = SHA384SIZEBYTES;
break;
case SHA512SIZEBYTES:
if(turn_params.shatype != SHATYPE_SHA512)
return -1;
hmac_len = SHA512SIZEBYTES;
break;
default:
return -1;
};
@ -606,7 +573,7 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u
const char* secret = get_secrets_list_elem(&sl,sll);
if(secret) {
if(stun_calculate_hmac(usname, strlen((char*)usname), (const u08bits*)secret, strlen(secret), hmac, &hmac_len, turn_params.shatype)>=0) {
if(stun_calculate_hmac(usname, strlen((char*)usname), (const u08bits*)secret, strlen(secret), hmac, &hmac_len, SHATYPE_DEFAULT)>=0) {
size_t pwd_length = 0;
char *pwd = base64_encode(hmac,hmac_len,&pwd_length);
@ -614,14 +581,14 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u
if(pwd_length<1) {
turn_free(pwd,strlen(pwd)+1);
} else {
if(stun_produce_integrity_key_str((u08bits*)usname, realm, (u08bits*)pwd, key, turn_params.shatype)>=0) {
if(stun_produce_integrity_key_str((u08bits*)usname, realm, (u08bits*)pwd, key, SHATYPE_DEFAULT)>=0) {
if(stun_check_message_integrity_by_key_str(TURN_CREDENTIALS_LONG_TERM,
ioa_network_buffer_data(nbh),
ioa_network_buffer_get_size(nbh),
key,
pwdtmp,
turn_params.shatype,NULL)>0) {
SHATYPE_DEFAULT)>0) {
ret = 0;
}
@ -650,15 +617,15 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u
ur_string_map_unlock(turn_params.default_users_db.ram_db.static_accounts);
if(ret==0) {
size_t sz = get_hmackey_size(turn_params.shatype);
size_t sz = get_hmackey_size(SHATYPE_DEFAULT);
ns_bcopy(ukey,key,sz);
return 0;
}
const turn_dbdriver_t * dbd = get_dbdriver();
if (dbd && dbd->get_user_key) {
ret = (*(dbd->get_user_key))(usname, realm, key);
}
const turn_dbdriver_t * dbd = get_dbdriver();
if (dbd && dbd->get_user_key) {
ret = (*(dbd->get_user_key))(usname, realm, key);
}
return ret;
}
@ -762,7 +729,7 @@ int add_static_user_account(char *user)
hmackey_t *key = (hmackey_t*)turn_malloc(sizeof(hmackey_t));
if(strstr(s,"0x")==s) {
char *keysource = s + 2;
size_t sz = get_hmackey_size(turn_params.shatype);
size_t sz = get_hmackey_size(SHATYPE_DEFAULT);
if(strlen(keysource)<sz*2) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong key format: %s\n",s);
} if(convert_string_key_to_binary(keysource, *key, sz)<0) {
@ -773,7 +740,7 @@ int add_static_user_account(char *user)
}
} else {
//this is only for default realm
stun_produce_integrity_key_str((u08bits*)usname, (u08bits*)get_realm(NULL)->options.name, (u08bits*)s, *key, turn_params.shatype);
stun_produce_integrity_key_str((u08bits*)usname, (u08bits*)get_realm(NULL)->options.name, (u08bits*)s, *key, SHATYPE_DEFAULT);
}
{
ur_string_map_lock(turn_params.default_users_db.ram_db.static_accounts);
@ -973,9 +940,9 @@ int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08b
must_set_admin_pwd(pwd);
{
stun_produce_integrity_key_str(user, realm, pwd, key, turn_params.shatype);
stun_produce_integrity_key_str(user, realm, pwd, key, SHATYPE_DEFAULT);
size_t i = 0;
size_t sz = get_hmackey_size(turn_params.shatype);
size_t sz = get_hmackey_size(SHATYPE_DEFAULT);
int maxsz = (int) (sz * 2) + 1;
char *s = skey;
for (i = 0; (i < sz) && (maxsz > 2); i++) {
@ -1051,17 +1018,12 @@ void run_db_test(void)
oauth_key_data_raw key_;
oauth_key_data_raw *key=&key_;
dbd->get_oauth_key((const u08bits*)"north",key);
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func,
key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key);
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->as_rs_alg);
printf("DB TEST 3:\n");
STRCPY(key->as_rs_alg,"as_rs_alg");
STRCPY(key->as_rs_key,"as_rs_key");
STRCPY(key->auth_alg,"auth_alg");
STRCPY(key->auth_key,"auth_key");
STRCPY(key->hkdf_hash_func,"hkdf");
STRCPY(key->ikm_key,"ikm_key");
STRCPY(key->kid,"kid");
key->timestamp = 123;
@ -1072,9 +1034,8 @@ void run_db_test(void)
printf("DB TEST 4:\n");
dbd->get_oauth_key((const u08bits*)"kid",key);
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func,
key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key);
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->as_rs_alg);
printf("DB TEST 5:\n");
dbd->del_oauth_key((const u08bits*)"kid");
@ -1086,9 +1047,8 @@ void run_db_test(void)
oauth_key_data oakd;
convert_oauth_key_data_raw(key, &oakd);
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key_size=%d, auth_alg=%s, auth_key_size=%d\n",
oakd.kid, oakd.ikm_key, (unsigned long long)oakd.timestamp, (unsigned long)oakd.lifetime, oakd.hkdf_hash_func,
oakd.as_rs_alg, (int)oakd.as_rs_key_size, oakd.auth_alg, (int)oakd.auth_key_size);
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
oakd.kid, oakd.ikm_key, (unsigned long long)oakd.timestamp, (unsigned long)oakd.lifetime, oakd.as_rs_alg);
oauth_key oak;
char err_msg[1025];

42
src/apps/rfc5769/rfc5769check.c
View File

@ -41,33 +41,11 @@
//////////// OAUTH //////////////////
static const char* shas[]={"SHA1",
#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
"SHA256",
#endif
#if !defined(OPENSSL_NO_SHA384) && defined(SHA384_DIGEST_LENGTH)
"SHA384",
#endif
#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH)
"SHA512",
#endif
NULL};
static const char* encs[]={"AES-256-CBC","AES-128-CBC",
static const char* encs[]={
#if !defined(TURN_NO_GCM)
"AEAD_AES_128_GCM", "AEAD_AES_256_GCM",
"A128GCM", "A256GCM",
#endif
NULL};
static const char* hmacs[]={"HMAC-SHA-1",
#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
"HMAC-SHA-256","HMAC-SHA-256-128",
#endif
#if !defined(OPENSSL_NO_SHA384) && defined(SHA384_DIGEST_LENGTH)
"HMAC-SHA-384",
#endif
#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH)
"HMAC-SHA-512",
#endif
NULL};
static int print_extra = 0;
@ -86,7 +64,7 @@ static int check_oauth(void) {
const char server_name[33] = "blackdow.carleon.gov";
size_t i_hmacs,i_shas,i_encs;
size_t i_encs;
const char long_term_key[33] = "HGkj32KJGiuy098sdfaqbNjOiaz71923";
@ -105,20 +83,20 @@ static int check_oauth(void) {
const turn_time_t key_timestamp = 1234567890;
const turn_time_t key_lifetime = 3600;
const char aead_nonce[OAUTH_AEAD_NONCE_SIZE+1] = "h4j3k2l2n4b5";
const char gcm_nonce[OAUTH_GCM_NONCE_SIZE+1] = "h4j3k2l2n4b5";
for (i_hmacs = 0; hmacs[i_hmacs]; ++i_hmacs) {
for (i_shas = 0; shas[i_shas]; ++i_shas) {
{
{
for (i_encs = 0; encs[i_encs]; ++i_encs) {
printf("oauth token %s:%s:%s:",hmacs[i_hmacs],shas[i_shas],encs[i_encs]);
printf("oauth token %s:",encs[i_encs]);
if(print_extra)
printf("\n");
oauth_token ot;
ns_bzero(&ot,sizeof(ot));
ot.enc_block.key_length = (uint16_t)mac_key_length;
STRCPY(ot.enc_block.mac_key,mac_key);
ot.enc_block.timestamp = token_timestamp;
@ -140,8 +118,6 @@ static int check_oauth(void) {
STRCPY(okdr.kid,kid);
STRCPY(okdr.ikm_key,base64encoded_ltp);
STRCPY(okdr.as_rs_alg, encs[i_encs]);
STRCPY(okdr.auth_alg, hmacs[i_hmacs]);
STRCPY(okdr.hkdf_hash_func, shas[i_shas]);
okdr.timestamp = key_timestamp;
okdr.lifetime = key_lifetime;
@ -168,7 +144,7 @@ static int check_oauth(void) {
ns_bzero(&etoken,sizeof(etoken));
if (encode_oauth_token((const u08bits *) server_name, &etoken,
&key, &ot, (const u08bits*)aead_nonce) < 0) {
&key, &ot, (const u08bits*)gcm_nonce) < 0) {
fprintf(stderr, "%s: cannot encode oauth token\n",
__FUNCTION__);
return -1;

4
src/apps/stunclient/stunclient.c
View File

@ -67,7 +67,7 @@ static int run_stunclient(const char* rip, int rport, int *port, int *rfc5780, i
err(-1, NULL);
if (!addr_any(&real_local_addr)) {
if (addr_bind(udp_fd, &real_local_addr,0,1) < 0)
if (addr_bind(udp_fd, &real_local_addr,0,1,UDP_SOCKET) < 0)
err(-1, NULL);
}
}
@ -80,7 +80,7 @@ static int run_stunclient(const char* rip, int rport, int *port, int *rfc5780, i
addr_set_port(&real_local_addr, response_port);
if (addr_bind(new_udp_fd, &real_local_addr, 0, 1) < 0)
if (addr_bind(new_udp_fd, &real_local_addr, 0, 1, UDP_SOCKET) < 0)
err(-1, NULL);
}

56
src/apps/uclient/mainuclient.c
View File

@ -84,7 +84,7 @@ int negative_protocol_test = 0;
int dos = 0;
int random_disconnect = 0;
SHATYPE shatype = SHATYPE_SHA1;
SHATYPE shatype = SHATYPE_DEFAULT;
int mobility = 0;
@ -102,9 +102,9 @@ int oauth = 0;
oauth_key okey_array[3];
static oauth_key_data_raw okdr_array[3] = {
{"north","Y2FybGVvbg==",0,0,"SHA-256","AES-256-CBC","","HMAC-SHA-256-128",""},
{"union","aGVyb2Q=",0,0,"SHA-256","AES-256-CBC","","HMAC-SHA-512",""},
{"oldempire","YXVsY3Vz",0,0,"SHA-256","AEAD-AES-256-GCM","","",""}
{"north","MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEK",0,0,"A256GCM"},
{"union","MTIzNDU2Nzg5MDEyMzQ1Ngo=",0,0,"A128GCM"},
{"oldempire","MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIK",0,0,"A256GCM"}
};
//////////////// local definitions /////////////////
@ -131,10 +131,6 @@ static char Usage[] =
" -N Negative tests (some limited cases only).\n"
" -R Negative protocol tests.\n"
" -O DOS attack mode (quick connect and exit).\n"
" -H SHA256 digest function for message integrity calculation.\n"
" Without this option, by default, SHA1 is used.\n"
" -Y SHA384 digest function for message integrity calculation.\n"
" -K SHA512 digest function for message integrity calculation.\n"
" -M ICE Mobility engaged.\n"
" -I Do not set permissions on TURN relay endpoints\n"
" (for testing the non-standard server relay functionality).\n"
@ -166,39 +162,6 @@ static char Usage[] =
//////////////////////////////////////////////////
void recalculate_restapi_hmac(SHATYPE st) {
if (g_use_auth_secret_with_timestamp) {
u08bits hmac[MAXSHASIZE];
unsigned int hmac_len = 0;
if(st == SHATYPE_SHA256)
hmac_len = SHA256SIZEBYTES;
else if(st == SHATYPE_SHA384)
hmac_len = SHA384SIZEBYTES;
else if(st == SHATYPE_SHA512)
hmac_len = SHA512SIZEBYTES;
hmac[0] = 0;
if (stun_calculate_hmac(g_uname, strlen((char*) g_uname),
(u08bits*) g_auth_secret, strlen(g_auth_secret), hmac,
&hmac_len, st) >= 0) {
size_t pwd_length = 0;
char *pwd = base64_encode(hmac, hmac_len, &pwd_length);
if (pwd) {
if (pwd_length > 0) {
ns_bcopy(pwd,g_upwd,pwd_length);
g_upwd[pwd_length] = 0;
}
}
turn_free(pwd,strlen(pwd)+1);
}
}
}
int main(int argc, char **argv)
{
int port = 0;
@ -220,7 +183,7 @@ int main(int argc, char **argv)
ns_bzero(local_addr, sizeof(local_addr));
while ((c = getopt(argc, argv, "a:d:p:l:n:L:m:e:r:u:w:i:k:z:W:C:E:F:o:bZvsyhcxXgtTSAPDNOUHYKMRIGBJ")) != -1) {
while ((c = getopt(argc, argv, "a:d:p:l:n:L:m:e:r:u:w:i:k:z:W:C:E:F:o:bZvsyhcxXgtTSAPDNOUMRIGBJ")) != -1) {
switch (c){
case 'J': {
@ -271,15 +234,6 @@ int main(int argc, char **argv)
case 'M':
mobility = 1;
break;
case 'H':
shatype = SHATYPE_SHA256;
break;
case 'Y':
shatype = SHATYPE_SHA384;
break;
case 'K':
shatype = SHATYPE_SHA512;
break;
case 'E':
{
char* fn = find_config_file(optarg,1);

1
src/apps/uclient/session.h
View File

@ -91,7 +91,6 @@ typedef struct {
app_tcp_conn_info **tcp_conn;
size_t tcp_conn_number;
int is_peer;
SHATYPE shatype;
char s_mobile_id[33];
} app_ur_conn_info;

52
src/apps/uclient/startuclient.c
View File

@ -526,16 +526,6 @@ static int clnet_allocate(int verbose,
&err_code,err_msg,sizeof(err_msg),
clnet_info->realm,clnet_info->nonce,
clnet_info->server_name, &(clnet_info->oauth))) {
if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
clnet_info->shatype = SHATYPE_SHA256;
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) {
clnet_info->shatype = SHATYPE_SHA384;
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA384)) {
clnet_info->shatype = SHATYPE_SHA512;
recalculate_restapi_hmac(clnet_info->shatype);
}
goto beg_allocate;
} else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) {
@ -668,7 +658,7 @@ static int clnet_allocate(int verbose,
field[1]=0;
field[2]=0;
field[3]=0;
stun_attr_add(&request_message, STUN_ATTRIBUTE_ADDITIONAL_ADDRESS_FAMILY, (const char*) field, 4);
stun_attr_add(&request_message, STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY, (const char*) field, 4);
}
}
@ -730,16 +720,6 @@ static int clnet_allocate(int verbose,
&err_code,err_msg,sizeof(err_msg),
clnet_info->realm,clnet_info->nonce,
clnet_info->server_name, &(clnet_info->oauth))) {
if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
clnet_info->shatype = SHATYPE_SHA256;
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) {
clnet_info->shatype = SHATYPE_SHA384;
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA384)) {
clnet_info->shatype = SHATYPE_SHA512;
recalculate_restapi_hmac(clnet_info->shatype);
}
goto beg_refresh;
} else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) {
refresh_received = 1;
@ -834,16 +814,6 @@ static int turn_channel_bind(int verbose, uint16_t *chn,
&err_code,err_msg,sizeof(err_msg),
clnet_info->realm,clnet_info->nonce,
clnet_info->server_name, &(clnet_info->oauth))) {
if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
clnet_info->shatype = SHATYPE_SHA256;
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) {
clnet_info->shatype = SHATYPE_SHA384;
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA384)) {
clnet_info->shatype = SHATYPE_SHA512;
recalculate_restapi_hmac(clnet_info->shatype);
}
goto beg_bind;
} else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) {
cb_received = 1;
@ -948,16 +918,6 @@ static int turn_create_permission(int verbose, app_ur_conn_info *clnet_info,
&err_code,err_msg,sizeof(err_msg),
clnet_info->realm,clnet_info->nonce,
clnet_info->server_name, &(clnet_info->oauth))) {
if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
clnet_info->shatype = SHATYPE_SHA256;
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) {
clnet_info->shatype = SHATYPE_SHA384;
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA384)) {
clnet_info->shatype = SHATYPE_SHA512;
recalculate_restapi_hmac(clnet_info->shatype);
}
goto beg_cp;
} else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) {
cp_received = 1;
@ -1533,16 +1493,6 @@ static int turn_tcp_connection_bind(int verbose, app_ur_conn_info *clnet_info, a
&err_code,err_msg,sizeof(err_msg),
clnet_info->realm,clnet_info->nonce,
clnet_info->server_name, &(clnet_info->oauth))) {
if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
clnet_info->shatype = SHATYPE_SHA256;
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) {
clnet_info->shatype = SHATYPE_SHA384;
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA384)) {
clnet_info->shatype = SHATYPE_SHA512;
recalculate_restapi_hmac(clnet_info->shatype);
}
goto beg_cb;
} else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) {
cb_received = 1;

26
src/apps/uclient/uclient.c
View File

@ -119,7 +119,6 @@ static app_ur_session* init_app_session(app_ur_session *ss) {
if(ss) {
ns_bzero(ss,sizeof(app_ur_session));
ss->pinfo.fd=-1;
ss->pinfo.shatype = shatype;
}
return ss;
}
@ -751,17 +750,6 @@ static int client_read(app_ur_session *elem, int is_tcp_data, app_tcp_conn_info
&err_code,err_msg,sizeof(err_msg),
clnet_info->realm,clnet_info->nonce,
clnet_info->server_name, &(clnet_info->oauth))) {
if(err_code == SHA_TOO_WEAK_ERROR_CODE && (elem->pinfo.shatype == SHATYPE_SHA1)) {
elem->pinfo.shatype = SHATYPE_SHA256;
recalculate_restapi_hmac(elem->pinfo.shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (elem->pinfo.shatype == SHATYPE_SHA256)) {
elem->pinfo.shatype = SHATYPE_SHA384;
recalculate_restapi_hmac(elem->pinfo.shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (elem->pinfo.shatype == SHATYPE_SHA384)) {
elem->pinfo.shatype = SHATYPE_SHA512;
recalculate_restapi_hmac(elem->pinfo.shatype);
}
if(is_TCP_relay() && (stun_get_method(&(elem->in_buffer)) == STUN_METHOD_CONNECT)) {
turn_tcp_connect(clnet_verbose, &(elem->pinfo), &(elem->pinfo.peer_addr));
} else if(stun_get_method(&(elem->in_buffer)) == STUN_METHOD_REFRESH) {
@ -1008,7 +996,6 @@ static int start_client(const char *remote_address, int port,
app_ur_conn_info clnet_info_probe; /* for load balancing probe */
ns_bzero(&clnet_info_probe,sizeof(clnet_info_probe));
clnet_info_probe.fd = -1;
clnet_info_probe.shatype = shatype;
app_ur_conn_info *clnet_info=&(ss->pinfo);
app_ur_conn_info *clnet_info_rtcp=NULL;
@ -1103,7 +1090,6 @@ static int start_c2c(const char *remote_address, int port,
app_ur_conn_info clnet_info_probe; /* for load balancing probe */
ns_bzero(&clnet_info_probe,sizeof(clnet_info_probe));
clnet_info_probe.fd = -1;
clnet_info_probe.shatype = shatype;
app_ur_conn_info *clnet_info1=&(ss1->pinfo);
app_ur_conn_info *clnet_info1_rtcp=NULL;
@ -1247,7 +1233,7 @@ static int refresh_channel(app_ur_session* elem, u16bits method, uint32_t lt)
field[1]=0;
field[2]=0;
field[3]=0;
stun_attr_add(&message, STUN_ATTRIBUTE_ADDITIONAL_ADDRESS_FAMILY, (const char*) field, 4);
stun_attr_add(&message, STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY, (const char*) field, 4);
}
}
@ -1652,7 +1638,7 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
}
if(stun_attr_add_integrity_by_key_str(message->buf, (size_t*)&(message->len), (u08bits*)okey_array[cok].kid,
clnet_info->realm, clnet_info->key, clnet_info->nonce, clnet_info->shatype)<0) {
clnet_info->realm, clnet_info->key, clnet_info->nonce, shatype)<0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot add integrity to the message\n");
return -1;
}
@ -1661,14 +1647,14 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
{
password_t pwd;
if(stun_check_message_integrity_by_key_str(get_turn_credentials_type(),
message->buf, (size_t)(message->len), clnet_info->key, pwd, clnet_info->shatype, NULL)<1) {
message->buf, (size_t)(message->len), clnet_info->key, pwd, shatype)<1) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR," Self-test of integrity does not comple correctly !\n");
return -1;
}
}
} else {
if(stun_attr_add_integrity_by_user_str(message->buf, (size_t*)&(message->len), g_uname,
clnet_info->realm, g_upwd, clnet_info->nonce, clnet_info->shatype)<0) {
clnet_info->realm, g_upwd, clnet_info->nonce, shatype)<0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot add integrity to the message\n");
return -1;
}
@ -1680,14 +1666,14 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
int check_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
{
SHATYPE sht = clnet_info->shatype;
SHATYPE sht = shatype;
if(oauth && clnet_info->oauth) {
password_t pwd;
return stun_check_message_integrity_by_key_str(get_turn_credentials_type(),
message->buf, (size_t)(message->len), clnet_info->key, pwd, sht, NULL);
message->buf, (size_t)(message->len), clnet_info->key, pwd, sht);
} else {

2
src/apps/uclient/uclient.h
View File

@ -110,8 +110,6 @@ turn_credential_type get_turn_credentials_type(void);
int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message);
int check_integrity(app_ur_conn_info *clnet_info, stun_buffer *message);
void recalculate_restapi_hmac(SHATYPE st);
SOCKET_TYPE get_socket_type(void);
////////////////////////////////////////////

565
src/client/ns_turn_msg.c
View File

@ -231,7 +231,7 @@ static void readable_string(unsigned char *orig, unsigned char *out, size_t sz)
out[0]=0;
for(i = 0; i < sz; ++i) {
sprintf((char*)(out + (i * 2)), "%02x", (unsigned int)orig[i]);
snprintf((char*)(out + (i * 2)), 4, "%02x", (unsigned int)orig[i]);
}
}
@ -441,20 +441,20 @@ int stun_is_error_response_str(const u08bits* buf, size_t len, int *err_code, u0
if(err_code) {
stun_attr_ref sar = stun_attr_get_first_by_type_str(buf, len, STUN_ATTRIBUTE_ERROR_CODE);
if(sar) {
if(stun_attr_get_len(sar)>=4) {
const u08bits* val = (const u08bits*)stun_attr_get_value(sar);
*err_code=(int)(val[2]*100 + val[3]);
if(err_msg && err_msg_size>0) {
err_msg[0]=0;
if(stun_attr_get_len(sar)>4) {
size_t msg_len = stun_attr_get_len(sar) - 4;
if(msg_len>(err_msg_size-1))
msg_len=err_msg_size - 1;
ns_bcopy(val+4, err_msg, msg_len);
err_msg[msg_len]=0;
}
}
}
if(stun_attr_get_len(sar)>=4) {
const u08bits* val = (const u08bits*)stun_attr_get_value(sar);
*err_code=(int)(val[2]*100 + val[3]);
if(err_msg && err_msg_size>0) {
err_msg[0]=0;
if(stun_attr_get_len(sar)>4) {
size_t msg_len = stun_attr_get_len(sar) - 4;
if(msg_len>(err_msg_size-1))
msg_len=err_msg_size - 1;
ns_bcopy(val+4, err_msg, msg_len);
err_msg[msg_len]=0;
}
}
}
}
}
return 1;
@ -467,7 +467,7 @@ int stun_is_challenge_response_str(const u08bits* buf, size_t len, int *err_code
{
int ret = stun_is_error_response_str(buf, len, err_code, err_msg, err_msg_size);
if(ret && (((*err_code) == 401) || ((*err_code) == 438) || ((*err_code) == SHA_TOO_WEAK_ERROR_CODE))) {
if(ret && (((*err_code) == 401) || ((*err_code) == 438) )) {
stun_attr_ref sar = stun_attr_get_first_by_type_str(buf,len,STUN_ATTRIBUTE_REALM);
if(sar) {
@ -591,39 +591,79 @@ void old_stun_init_success_response_str(u16bits method, u08bits* buf, size_t *le
}
}
const u08bits* get_default_reason(int error_code)
{
const u08bits* reason = (const u08bits *) "Unknown error";
switch (error_code){
case 300:
reason = (const u08bits *) "Try Alternate";
break;
case 400:
reason = (const u08bits *) "Bad Request";
break;
case 401:
reason = (const u08bits *) "Unauthorized";
break;
case 403:
reason = (const u08bits *) "Forbidden";
break;
case 404:
reason = (const u08bits *) "Not Found";
break;
case 420:
reason = (const u08bits *) "Unknown Attribute";
break;
case 437:
reason = (const u08bits *) "Allocation Mismatch";
break;
case 438:
reason = (const u08bits *) "Stale Nonce";
break;
case 440:
reason = (const u08bits *) "Address Family not Supported";
break;
case 441:
reason = (const u08bits *) "Wrong Credentials";
break;
case 442:
reason = (const u08bits *) "Unsupported Transport Protocol";
break;
case 443:
reason = (const u08bits *) "Peer Address Family Mismatch";
break;
case 446:
reason = (const u08bits *) "Connection Already Exists";
break;
case 447:
reason = (const u08bits *) "Connection Timeout or Failure";
break;
case 486:
reason = (const u08bits *) "Allocation Quota Reached";
break;
case 487:
reason = (const u08bits *) "Role Conflict";
break;
case 500:
reason = (const u08bits *) "Server Error";
break;
case 508:
reason = (const u08bits *) "Insufficient Capacity";
break;
default:
;
};
return reason;
}
static void stun_init_error_response_common_str(u08bits* buf, size_t *len,
u16bits error_code, const u08bits *reason,
stun_tid* id)
{
if (!reason) {
switch (error_code){
case 300:
reason = (const u08bits *) "Try Alternate";
break;
case 400:
reason = (const u08bits *) "Bad Request";
break;
case 401:
reason = (const u08bits *) "Unauthorized";
break;
case 404:
reason = (const u08bits *) "Not Found";
break;
case 420:
reason = (const u08bits *) "Unknown Attribute";
break;
case 438:
reason = (const u08bits *) "Stale Nonce";
break;
case 500:
reason = (const u08bits *) "Server Error";
break;
default:
reason = (const u08bits *) "Unknown Error";
break;
};
if (!reason || !strcmp((const char*)reason,"Unknown error")) {
reason = get_default_reason(error_code);
}
u08bits avalue[513];
@ -1426,17 +1466,33 @@ int stun_attr_add_bandwidth_str(u08bits* buf, size_t *len, band_limit_t bps0) {
return stun_attr_add_str(buf,len,STUN_ATTRIBUTE_NEW_BANDWIDTH,(u08bits*)(&field),sizeof(field));
}
int stun_attr_add_address_error_code(u08bits* buf, size_t *len, int requested_address_family, u08bits error_code)
int stun_attr_add_address_error_code(u08bits* buf, size_t *len, int requested_address_family, int error_code)
{
u08bits field[4];
field[0]=(u08bits)requested_address_family;
field[1]=error_code;
field[2]=0;
field[3]=0;
return stun_attr_add_str(buf,len,STUN_ATTRIBUTE_ADDRESS_ERROR_CODE,field,sizeof(field));
const u08bits *reason = get_default_reason(error_code);
u08bits avalue[513];
avalue[0] = (u08bits)requested_address_family;
avalue[1] = 0;
avalue[2] = (u08bits) (error_code / 100);
avalue[3] = (u08bits) (error_code % 100);
strncpy((s08bits*) (avalue + 4), (const s08bits*) reason, sizeof(avalue)-4);
avalue[sizeof(avalue)-1]=0;
int alen = 4 + strlen((const s08bits*) (avalue+4));
//"Manual" padding for compatibility with classic old stun:
{
int rem = alen % 4;
if(rem) {
alen +=(4-rem);
}
}
stun_attr_add_str(buf, len, STUN_ATTRIBUTE_ADDRESS_ERROR_CODE, (u08bits*) avalue, alen);
return 0;
}
int stun_attr_get_address_error_code(u08bits* buf, size_t len, int *requested_address_family, u08bits *error_code)
int stun_attr_get_address_error_code(u08bits* buf, size_t len, int *requested_address_family, int *error_code)
{
if(requested_address_family) {
*requested_address_family = 0;
@ -1459,7 +1515,7 @@ int stun_attr_get_address_error_code(u08bits* buf, size_t len, int *requested_ad
*requested_address_family = value[0];
}
if(error_code) {
*error_code = value[1];
*error_code = (int)(value[2]*100+value[3]);
}
return 0;
}
@ -1745,7 +1801,7 @@ void print_hmac(const char *name, const void *s, size_t len)
/*
* Return -1 if failure, 0 if the integrity is not correct, 1 if OK
*/
int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *buf, size_t len, hmackey_t key, password_t pwd, SHATYPE shatype, int *too_weak)
int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *buf, size_t len, hmackey_t key, password_t pwd, SHATYPE shatype)
{
int res = 0;
u08bits new_hmac[MAXSHASIZE];
@ -1761,41 +1817,21 @@ int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *bu
switch(sarlen) {
case SHA256SIZEBYTES:
shasize = SHA256SIZEBYTES;
if(shatype > SHATYPE_SHA256) {
if(too_weak)
*too_weak = 1;
return -1;
}
if(shatype != SHATYPE_SHA256)
return -1;
break;
case SHA384SIZEBYTES:
shasize = SHA384SIZEBYTES;
if(shatype > SHATYPE_SHA384) {
if(too_weak)
*too_weak = 1;
return -1;
}
if(shatype != SHATYPE_SHA384)
return -1;
break;
case SHA512SIZEBYTES:
shasize = SHA512SIZEBYTES;
if(shatype > SHATYPE_SHA512) {
if(too_weak)
*too_weak = 1;
return -1;
}
if(shatype != SHATYPE_SHA512)
return -1;
break;
case SHA1SIZEBYTES:
shasize = SHA1SIZEBYTES;
if(shatype > SHATYPE_SHA1) {
if(too_weak)
*too_weak = 1;
return -1;
}
if(shatype != SHATYPE_SHA1)
return -1;
break;
@ -1847,7 +1883,7 @@ int stun_check_message_integrity_str(turn_credential_type ct, u08bits *buf, size
else if (stun_produce_integrity_key_str(uname, realm, upwd, key, shatype) < 0)
return -1;
return stun_check_message_integrity_by_key_str(ct, buf, len, key, pwd, shatype, NULL);
return stun_check_message_integrity_by_key_str(ct, buf, len, key, pwd, shatype);
}
/* RFC 5780 */
@ -1963,12 +1999,14 @@ static void normalize_algorithm(char *s)
}
}
static size_t calculate_enc_key_length(ENC_ALG a)
size_t calculate_enc_key_length(ENC_ALG a);
size_t calculate_enc_key_length(ENC_ALG a)
{
switch(a) {
case AES_128_CBC:
case AEAD_AES_128_GCM:
#if !defined(TURN_NO_GCM)
case A128GCM:
return 16;
#endif
default:
break;
};
@ -1976,105 +2014,30 @@ static size_t calculate_enc_key_length(ENC_ALG a)
return 32;
}
static size_t calculate_auth_key_length(AUTH_ALG a)
size_t calculate_auth_key_length(ENC_ALG a);
size_t calculate_auth_key_length(ENC_ALG a)
{
switch(a) {
case AUTH_ALG_HMAC_SHA_1:
return 20;
case AUTH_ALG_HMAC_SHA_256_128:
return 32;
case AUTH_ALG_HMAC_SHA_256:
return 32;
case AUTH_ALG_HMAC_SHA_384:
return 48;
case AUTH_ALG_HMAC_SHA_512:
return 64;
#if !defined(TURN_NO_GCM)
case A256GCM:
case A128GCM:
return 0;
#endif
default:
break;
};
return 32;
return 0;
}
static size_t calculate_auth_output_length(AUTH_ALG a)
int calculate_key(char *key, size_t key_size,
char *new_key, size_t new_key_size);
int calculate_key(char *key, size_t key_size,
char *new_key, size_t new_key_size)
{
switch(a) {
case AUTH_ALG_HMAC_SHA_1:
return 20;
case AUTH_ALG_HMAC_SHA_256_128:
return 16;
case AUTH_ALG_HMAC_SHA_256:
return 32;
case AUTH_ALG_HMAC_SHA_384:
return 48;
case AUTH_ALG_HMAC_SHA_512:
return 64;
default:
break;
};
UNUSED_ARG(key_size);
return 32;
}
static int calculate_key(char *key, size_t key_size,
char *new_key, size_t new_key_size,
SHATYPE shatype,
char *err_msg, size_t err_msg_size,
const char *info)
{
//Extract:
u08bits prk[128];
unsigned int prk_len = 0;
stun_calculate_hmac((const u08bits *)key, key_size, (const u08bits *)"", 0, prk, &prk_len, shatype);
//Expand:
size_t info_len = strlen(info);
u08bits buf[256];
ns_bcopy(info,buf,info_len);
buf[info_len]=0x01;
u08bits hmac1[128];
unsigned int hmac1_len = 0;
stun_calculate_hmac((const u08bits *)buf, info_len+1, prk, prk_len, hmac1, &hmac1_len, shatype);
ns_bcopy(hmac1,new_key,hmac1_len);
//Check
if(new_key_size>hmac1_len) {
ns_bcopy(hmac1,buf,hmac1_len);
ns_bcopy(info,buf+hmac1_len,info_len);
buf[hmac1_len+info_len]=0x02;
u08bits hmac2[128];
unsigned int hmac2_len = 0;
stun_calculate_hmac((const u08bits *)buf, hmac1_len+info_len+1, prk, prk_len, hmac2, &hmac2_len, shatype);
ns_bcopy(hmac2,new_key+hmac1_len,hmac2_len);
if(new_key_size > (hmac1_len + hmac2_len)) {
ns_bcopy(hmac2,buf,hmac2_len);
ns_bcopy(info,buf+hmac2_len,info_len);
buf[hmac2_len+info_len]=0x03;
u08bits hmac3[128];
unsigned int hmac3_len = 0;
stun_calculate_hmac((const u08bits *)buf, hmac2_len+info_len+1, prk, prk_len, hmac3, &hmac3_len, shatype);
ns_bcopy(hmac3,new_key+hmac1_len+hmac2_len,hmac3_len);
if(new_key_size > (hmac1_len + hmac2_len + hmac3_len)) {
ns_bcopy(hmac3,buf,hmac3_len);
ns_bcopy(info,buf+hmac3_len,info_len);
buf[hmac3_len+info_len]=0x04;
u08bits hmac4[128];
unsigned int hmac4_len = 0;
stun_calculate_hmac((const u08bits *)buf, hmac3_len+info_len+1, prk, prk_len, hmac4, &hmac4_len, shatype);
ns_bcopy(hmac4,new_key+hmac1_len+hmac2_len+hmac3_len,hmac4_len);
if(new_key_size > (hmac1_len + hmac2_len + hmac3_len + hmac4_len)) {
if(err_msg) {
snprintf(err_msg,err_msg_size,"Wrong HKDF procedure (key sizes): output.sz=%lu, hmac(1)=%lu, hmac(2)=%lu",(unsigned long)new_key_size,(unsigned long)hmac1_len,(unsigned long)hmac2_len);
}
OAUTH_ERROR("Wrong HKDF procedure (key sizes): output.sz=%lu, hmac(1)=%lu, hmac(2)=%lu",(unsigned long)new_key_size,(unsigned long)hmac1_len,(unsigned long)hmac2_len);
return -1;
}
}
}
}
ns_bcopy(key,new_key,new_key_size);
return 0;
}
@ -2088,27 +2051,16 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er
oauth_key_data *oakd = &oakd_obj;
if(!(oakd->ikm_key_size)) {
if(!(oakd->as_rs_key_size)) {
if(err_msg) {
snprintf(err_msg,err_msg_size,"AS-RS key is not defined");
}
OAUTH_ERROR("AS-RS key is not defined\n");
return -1;
}
if(!(oakd->auth_key_size)) {
//AEAD ?
if(err_msg) {
snprintf(err_msg,err_msg_size,"key is not defined");
}
}
remove_spaces(oakd->kid);
remove_spaces(oakd->hkdf_hash_func);
remove_spaces(oakd->as_rs_alg);
remove_spaces(oakd->auth_alg);
normalize_algorithm(oakd->hkdf_hash_func);
normalize_algorithm(oakd->as_rs_alg);
normalize_algorithm(oakd->auth_alg);
if(!(oakd->kid[0])) {
if(err_msg) {
@ -2122,10 +2074,6 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er
STRCPY(key->kid,oakd->kid);
ns_bcopy(oakd->as_rs_key,key->as_rs_key,sizeof(key->as_rs_key));
key->as_rs_key_size = oakd->as_rs_key_size;
ns_bcopy(oakd->auth_key,key->auth_key,sizeof(key->auth_key));
key->auth_key_size = oakd->auth_key_size;
ns_bcopy(oakd->ikm_key,key->ikm_key,sizeof(key->ikm_key));
key->ikm_key_size = oakd->ikm_key_size;
@ -2135,57 +2083,20 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er
if(!(key->timestamp)) key->timestamp = OAUTH_DEFAULT_TIMESTAMP;
if(!(key->lifetime)) key->lifetime = OAUTH_DEFAULT_LIFETIME;
key->hkdf_hash_func = SHATYPE_SHA256;
if(!strcmp(oakd->hkdf_hash_func,"SHA1") || !strcmp(oakd->hkdf_hash_func,"SHA-1")) {
key->hkdf_hash_func = SHATYPE_SHA1;
} else if(!strcmp(oakd->hkdf_hash_func,"SHA256") || !strcmp(oakd->hkdf_hash_func,"SHA-256")) {
key->hkdf_hash_func = SHATYPE_SHA256;
} else if(!strcmp(oakd->hkdf_hash_func,"SHA384") || !strcmp(oakd->hkdf_hash_func,"SHA-384")) {
key->hkdf_hash_func = SHATYPE_SHA384;
} else if(!strcmp(oakd->hkdf_hash_func,"SHA512") || !strcmp(oakd->hkdf_hash_func,"SHA-512")) {
key->hkdf_hash_func = SHATYPE_SHA512;
} else if(oakd->hkdf_hash_func[0]) {
if(err_msg) {
snprintf(err_msg,err_msg_size,"Wrong HKDF hash function algorithm: %s",oakd->hkdf_hash_func);
}
OAUTH_ERROR("Wrong HKDF hash function algorithm: %s\n",oakd->hkdf_hash_func);
return -1;
}
key->auth_alg = AUTH_ALG_DEFAULT;
if(!strcmp(oakd->auth_alg,"HMAC-SHA-1") || !strcmp(oakd->auth_alg,"HMAC-SHA1")) {
key->auth_alg = AUTH_ALG_HMAC_SHA_1;
} else if(!strcmp(oakd->auth_alg,"HMAC-SHA-256")) {
key->auth_alg = AUTH_ALG_HMAC_SHA_256;
} else if(!strcmp(oakd->auth_alg,"HMAC-SHA-384")) {
key->auth_alg = AUTH_ALG_HMAC_SHA_384;
} else if(!strcmp(oakd->auth_alg,"HMAC-SHA-512")) {
key->auth_alg = AUTH_ALG_HMAC_SHA_512;
} else if(!strcmp(oakd->auth_alg,"HMAC-SHA-256-128")) {
key->auth_alg = AUTH_ALG_HMAC_SHA_256_128;
} else if(oakd->auth_alg[0]) {
if(err_msg) {
snprintf(err_msg,err_msg_size,"Wrong oAuth token hash algorithm: %s (1)\n",oakd->auth_alg);
}
key->auth_alg = AUTH_ALG_ERROR;
OAUTH_ERROR("Wrong oAuth token hash algorithm: %s (2)\n",oakd->auth_alg);
return -1;
} else {
key->auth_alg = AUTH_ALG_UNDEFINED;
}
key->as_rs_alg = ENC_ALG_ERROR;
#if !defined(TURN_NO_GCM)
key->as_rs_alg = ENC_ALG_DEFAULT;
if(!strcmp(oakd->as_rs_alg,"AES-128-CBC")) {
key->as_rs_alg = AES_128_CBC;
} else if(!strcmp(oakd->as_rs_alg,"AES-256-CBC")) {
key->as_rs_alg = AES_256_CBC;
} else if(!strcmp(oakd->as_rs_alg,"AEAD-AES-128-GCM")) {
key->as_rs_alg = AEAD_AES_128_GCM;
key->auth_alg = AUTH_ALG_UNDEFINED;
} else if(!strcmp(oakd->as_rs_alg,"AEAD-AES-256-GCM")) {
key->as_rs_alg = AEAD_AES_256_GCM;
key->auth_alg = AUTH_ALG_UNDEFINED;
} else if(oakd->as_rs_alg[0]) {
if(!strcmp(oakd->as_rs_alg,"A128GCM")) {
key->as_rs_alg = A128GCM;
key->auth_key_size = 0;
key->auth_key[0] = 0;
} else if(!strcmp(oakd->as_rs_alg,"A256GCM")) {
key->as_rs_alg = A256GCM;
key->auth_key_size = 0;
key->auth_key[0] = 0;
} else
#endif
{
if(err_msg) {
snprintf(err_msg,err_msg_size,"Wrong oAuth token encryption algorithm: %s (2)\n",oakd->as_rs_alg);
}
@ -2193,39 +2104,33 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er
return -1;
}
if(key->auth_alg == AUTH_ALG_UNDEFINED) {
//AEAD
key->auth_key_size = 0;
key->auth_key[0] = 0;
} else if(!(key->auth_key_size)) {
key->auth_key_size = calculate_auth_key_length(key->auth_alg);
if(calculate_key(key->ikm_key,key->ikm_key_size,key->auth_key,key->auth_key_size,key->hkdf_hash_func,err_msg,err_msg_size,"AUTH key")<0) {
#if !defined(TURN_NO_GCM)
key->auth_key_size = calculate_auth_key_length(key->as_rs_alg);
if(key->auth_key_size) {
if(calculate_key(key->ikm_key,key->ikm_key_size,key->auth_key,key->auth_key_size)<0) {
return -1;
}
}
if(!(key->as_rs_key_size)) {
key->as_rs_key_size = calculate_enc_key_length(key->as_rs_alg);
if(calculate_key(key->ikm_key,key->ikm_key_size,key->as_rs_key,key->as_rs_key_size,key->hkdf_hash_func,err_msg,err_msg_size,"AS-RS key")<0) {
return -1;
}
key->as_rs_key_size = calculate_enc_key_length(key->as_rs_alg);
if(calculate_key(key->ikm_key,key->ikm_key_size,key->as_rs_key,key->as_rs_key_size)<0) {
return -1;
}
#endif
}
return 0;
}
static const EVP_CIPHER *get_cipher_type(ENC_ALG enc_alg)
const EVP_CIPHER *get_cipher_type(ENC_ALG enc_alg);
const EVP_CIPHER *get_cipher_type(ENC_ALG enc_alg)
{
switch(enc_alg) {
case AES_256_CBC:
return EVP_aes_256_cbc();
case AES_128_CBC:
return EVP_aes_128_cbc();
#if !defined(TURN_NO_GCM)
case AEAD_AES_128_GCM:
case A128GCM:
return EVP_aes_128_gcm();
case AEAD_AES_256_GCM:
case A256GCM:
return EVP_aes_256_gcm();
#endif
default:
@ -2235,45 +2140,9 @@ static const EVP_CIPHER *get_cipher_type(ENC_ALG enc_alg)
return NULL;
}
static const EVP_MD *get_auth_type(AUTH_ALG aa)
{
switch(aa) {
case AUTH_ALG_HMAC_SHA_1:
return EVP_sha1();
#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
case AUTH_ALG_HMAC_SHA_256_128:
case AUTH_ALG_HMAC_SHA_256:
return EVP_sha256();
#endif
#if !defined(OPENSSL_NO_SHA384) && defined(SHA384_DIGEST_LENGTH)
case AUTH_ALG_HMAC_SHA_384:
return EVP_sha384();
#endif
#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH)
case AUTH_ALG_HMAC_SHA_512:
return EVP_sha512();
#endif
default:
break;
};
OAUTH_ERROR("%s: Unknown auth algorithm: %d\n",__FUNCTION__,(int)aa);
return NULL;
}
static void update_hmac_len(AUTH_ALG aa, unsigned int *hmac_len)
{
if(hmac_len) {
switch(aa) {
case AUTH_ALG_HMAC_SHA_256_128:
*hmac_len = 16;
break;
default:
break;
};
}
}
static int my_EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
int my_EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
int *outl, const unsigned char *in, int inl);
int my_EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
int *outl, const unsigned char *in, int inl)
{
int cycle = 0;
@ -2292,7 +2161,9 @@ static int my_EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
return 1;
}
static int my_EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
int my_EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
int *outl, const unsigned char *in, int inl);
int my_EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
int *outl, const unsigned char *in, int inl)
{
int cycle = 0;
@ -2321,8 +2192,15 @@ void print_field(const char* name, const unsigned char* f, size_t len) {
printf("\n<<==field %s\n",name);
}
static int encode_oauth_token_normal(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken)
int encode_oauth_token_normal(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken);
int encode_oauth_token_normal(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken)
{
UNUSED_ARG(server_name);
UNUSED_ARG(etoken);
UNUSED_ARG(key);
UNUSED_ARG(dtoken);
/*
if(server_name && etoken && key && dtoken && (dtoken->enc_block.key_length<=128)) {
unsigned char orig_field[MAX_ENCODED_OAUTH_TOKEN_SIZE];
@ -2384,11 +2262,19 @@ static int encode_oauth_token_normal(const u08bits *server_name, encoded_oauth_t
return 0;
}
*/
return -1;
}
static int decode_oauth_token_normal(const u08bits *server_name, const encoded_oauth_token *etoken, const oauth_key *key, oauth_token *dtoken)
int decode_oauth_token_normal(const u08bits *server_name, const encoded_oauth_token *etoken, const oauth_key *key, oauth_token *dtoken);
int decode_oauth_token_normal(const u08bits *server_name, const encoded_oauth_token *etoken, const oauth_key *key, oauth_token *dtoken)
{
UNUSED_ARG(server_name);
UNUSED_ARG(etoken);
UNUSED_ARG(key);
UNUSED_ARG(dtoken);
/*
if(server_name && etoken && key && dtoken) {
size_t mac_size = calculate_auth_output_length(key->auth_alg);
@ -2462,6 +2348,7 @@ static int decode_oauth_token_normal(const u08bits *server_name, const encoded_o
return 0;
}
*/
return -1;
}
@ -2476,14 +2363,27 @@ static void generate_random_nonce(unsigned char *nonce, size_t sz) {
#if !defined(TURN_NO_GCM)
static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits* nonce0)
{
if(server_name && etoken && key && dtoken && (dtoken->enc_block.key_length<128)) {
static int encode_oauth_token_gcm(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits* nonce0) {
if(server_name && etoken && key && dtoken && (dtoken->enc_block.key_length<=MAXSHASIZE)) {
unsigned char orig_field[MAX_ENCODED_OAUTH_TOKEN_SIZE];
ns_bzero(orig_field,sizeof(orig_field));
unsigned char nonce[OAUTH_GCM_NONCE_SIZE];
if(nonce0) {
ns_bcopy(nonce0,nonce,sizeof(nonce));
} else {
generate_random_nonce(nonce, sizeof(nonce));
}
size_t len = 0;
*((uint16_t*)(orig_field+len)) = nswap16(OAUTH_GCM_NONCE_SIZE);
len +=2;
ns_bcopy(nonce,orig_field+len,OAUTH_GCM_NONCE_SIZE);
len += OAUTH_GCM_NONCE_SIZE;
*((uint16_t*)(orig_field+len)) = nswap16(dtoken->enc_block.key_length);
len +=2;
@ -2500,15 +2400,6 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok
if(!cipher)
return -1;
unsigned char *encoded_field = (unsigned char*)etoken->token;
unsigned char nonce[OAUTH_AEAD_NONCE_SIZE];
if(nonce0) {
ns_bcopy(nonce0,nonce,sizeof(nonce));
} else {
generate_random_nonce(nonce, sizeof(nonce));
}
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(&ctx);
@ -2519,7 +2410,7 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok
EVP_CIPHER_CTX_set_padding(&ctx,1);
/* Set IV length if default 12 bytes (96 bits) is not appropriate */
if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, OAUTH_AEAD_NONCE_SIZE, NULL))
if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, OAUTH_GCM_NONCE_SIZE, NULL))
return -1;
/* Initialize key and IV */
@ -2536,21 +2427,23 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok
return -1;
outl=0;
unsigned char *encoded_field = (unsigned char*)etoken->token;
ns_bcopy(orig_field,encoded_field,OAUTH_GCM_NONCE_SIZE + 2);
encoded_field += OAUTH_GCM_NONCE_SIZE + 2;
unsigned char *start_field = orig_field + OAUTH_GCM_NONCE_SIZE + 2;
len -= OAUTH_GCM_NONCE_SIZE + 2;
if(1 != my_EVP_EncryptUpdate(&ctx, encoded_field, &outl, orig_field, (int)len))
if(1 != my_EVP_EncryptUpdate(&ctx, encoded_field, &outl, start_field, (int)len))
return -1;
int tmp_outl = 0;
EVP_EncryptFinal_ex(&ctx, encoded_field + outl, &tmp_outl);
outl += tmp_outl;
EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, OAUTH_AEAD_TAG_SIZE, encoded_field + outl);
outl += OAUTH_AEAD_TAG_SIZE;
EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, OAUTH_GCM_TAG_SIZE, encoded_field + outl);
outl += OAUTH_GCM_TAG_SIZE;
ns_bcopy(nonce, encoded_field + outl, OAUTH_AEAD_NONCE_SIZE);
outl += OAUTH_AEAD_NONCE_SIZE; //encoded+tag+hmac
etoken->size = outl;
etoken->size = 2 + OAUTH_GCM_NONCE_SIZE + outl;
EVP_CIPHER_CTX_cleanup(&ctx);
@ -2559,22 +2452,28 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok
return -1;
}
static int decode_oauth_token_aead(const u08bits *server_name, const encoded_oauth_token *etoken, const oauth_key *key, oauth_token *dtoken)
static int decode_oauth_token_gcm(const u08bits *server_name, const encoded_oauth_token *etoken, const oauth_key *key, oauth_token *dtoken)
{
if(server_name && etoken && key && dtoken) {
size_t min_encoded_field_size = 2+4+8+OAUTH_AEAD_NONCE_SIZE+OAUTH_AEAD_TAG_SIZE+1;
unsigned char snl[2];
ns_bcopy((const unsigned char*)(etoken->token),snl,2);
const unsigned char *csnl = snl;
uint16_t nonce_len = nswap16(*((const uint16_t*)csnl));
size_t min_encoded_field_size = 2+4+8+nonce_len+2+OAUTH_GCM_TAG_SIZE+1;
if(etoken->size < min_encoded_field_size) {
OAUTH_ERROR("%s: token size too small: %d\n",__FUNCTION__,(int)etoken->size);
return -1;
}
const unsigned char* encoded_field = (const unsigned char*)etoken->token;
unsigned int encoded_field_size = (unsigned int)etoken->size-OAUTH_AEAD_NONCE_SIZE - OAUTH_AEAD_TAG_SIZE;
const unsigned char* nonce = ((const unsigned char*)etoken->token) + encoded_field_size + OAUTH_AEAD_TAG_SIZE;
const unsigned char* encoded_field = (const unsigned char*)(etoken->token + nonce_len + 2);
unsigned int encoded_field_size = (unsigned int)etoken->size - nonce_len - 2 - OAUTH_GCM_TAG_SIZE;
const unsigned char* nonce = ((const unsigned char*)etoken->token + 2);
unsigned char tag[OAUTH_AEAD_TAG_SIZE];
ns_bcopy(((const unsigned char*)etoken->token) + encoded_field_size, tag ,sizeof(tag));
unsigned char tag[OAUTH_GCM_TAG_SIZE];
ns_bcopy(((const unsigned char*)etoken->token) + nonce_len + 2 + encoded_field_size, tag ,sizeof(tag));
unsigned char decoded_field[MAX_ENCODED_OAUTH_TOKEN_SIZE];
@ -2595,7 +2494,7 @@ static int decode_oauth_token_aead(const u08bits *server_name, const encoded_oau
//EVP_CIPHER_CTX_set_padding(&ctx,1);
/* Set IV length if default 12 bytes (96 bits) is not appropriate */
if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, OAUTH_AEAD_NONCE_SIZE, NULL)) {
if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, nonce_len, NULL)) {
OAUTH_ERROR("%s: Cannot set nonce length\n",__FUNCTION__);
return -1;
}
@ -2608,7 +2507,7 @@ static int decode_oauth_token_aead(const u08bits *server_name, const encoded_oau
/* Set expected tag value. A restriction in OpenSSL 1.0.1c and earlier
+ * required the tag before any AAD or ciphertext */
EVP_CIPHER_CTX_ctrl (&ctx, EVP_CTRL_GCM_SET_TAG, OAUTH_AEAD_TAG_SIZE, tag);
EVP_CIPHER_CTX_ctrl (&ctx, EVP_CTRL_GCM_SET_TAG, OAUTH_GCM_TAG_SIZE, tag);
int outl=0;
size_t sn_len = strlen((const char*)server_name);
@ -2661,13 +2560,10 @@ int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken,
UNUSED_ARG(nonce);
if(server_name && etoken && key && dtoken) {
switch(key->as_rs_alg) {
case AES_256_CBC:
case AES_128_CBC:
return encode_oauth_token_normal(server_name, etoken,key,dtoken);
#if !defined(TURN_NO_GCM)
case AEAD_AES_128_GCM:
case AEAD_AES_256_GCM:
return encode_oauth_token_aead(server_name, etoken,key,dtoken,nonce);
case A256GCM:
case A128GCM:
return encode_oauth_token_gcm(server_name, etoken,key,dtoken,nonce);
#endif
default:
fprintf(stderr,"Unsupported AS_RS algorithm: %d\n",(int)key->as_rs_alg);
@ -2681,13 +2577,10 @@ int decode_oauth_token(const u08bits *server_name, const encoded_oauth_token *et
{
if(server_name && etoken && key && dtoken) {
switch(key->as_rs_alg) {
case AES_256_CBC:
case AES_128_CBC:
return decode_oauth_token_normal(server_name, etoken,key,dtoken);
#if !defined(TURN_NO_GCM)
case AEAD_AES_128_GCM:
case AEAD_AES_256_GCM:
return decode_oauth_token_aead(server_name, etoken,key,dtoken);
case A256GCM:
case A128GCM:
return decode_oauth_token_gcm(server_name, etoken,key,dtoken);
#endif
default:
fprintf(stderr,"Unsupported AS_RS algorithm: %d\n",(int)key->as_rs_alg);

8
src/client/ns_turn_msg.h
View File

@ -134,6 +134,8 @@ void stun_tid_generate_in_message_str(u08bits* buf, stun_tid* id);
int stun_get_command_message_len_str(const u08bits* buf, size_t len);
const u08bits* get_default_reason(int error_code);
int stun_attr_is_addr(stun_attr_ref attr);
int stun_attr_get_type(stun_attr_ref attr);
int stun_attr_get_len(stun_attr_ref attr);
@ -151,9 +153,9 @@ int stun_attr_get_addr_str(const u08bits *buf, size_t len, stun_attr_ref attr, i
int stun_attr_get_first_addr_str(const u08bits *buf, size_t len, u16bits attr_type, ioa_addr* ca, const ioa_addr *default_addr);
int stun_attr_add_channel_number_str(u08bits* buf, size_t *len, u16bits chnumber);
int stun_attr_add_bandwidth_str(u08bits* buf, size_t *len, band_limit_t bps);
int stun_attr_add_address_error_code(u08bits* buf, size_t *len, int requested_address_family, u08bits error_code);
int stun_attr_add_address_error_code(u08bits* buf, size_t *len, int requested_address_family, int error_code);
/* return +1 if present, 0 if not, -1 if error: */
int stun_attr_get_address_error_code(u08bits* buf, size_t len, int *requested_address_family, u08bits *error_code);
int stun_attr_get_address_error_code(u08bits* buf, size_t len, int *requested_address_family, int *error_code);
u16bits stun_attr_get_first_channel_number_str(const u08bits *buf, size_t len);
int stun_set_allocate_request_str(u08bits* buf, size_t *len, u32bits lifetime, int af4, int af6, u08bits transport, int mobile, const char* rt, int ep);
@ -179,7 +181,7 @@ void print_bin_func(const char *name, size_t len, const void *s, const char *fun
/*
* Return -1 if failure, 0 if the integrity is not correct, 1 if OK
*/
int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *buf, size_t len, hmackey_t key, password_t pwd, SHATYPE shatype, int *too_weak);
int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *buf, size_t len, hmackey_t key, password_t pwd, SHATYPE shatype);
int stun_check_message_integrity_str(turn_credential_type ct, u08bits *buf, size_t len, u08bits *uname, u08bits *realm, u08bits *upwd, SHATYPE shatype);
int stun_attr_add_integrity_str(turn_credential_type ct, u08bits *buf, size_t *len, hmackey_t key, password_t pwd, SHATYPE shatype);
int stun_attr_add_integrity_by_key_str(u08bits *buf, size_t *len, u08bits *uname, u08bits *realm, hmackey_t key, u08bits *nonce, SHATYPE shatype);

49
src/client/ns_turn_msg_defs_new.h
View File

@ -44,7 +44,7 @@
/* <<== Bandwidth */
/* SHA AGILITY ==>> */
/* SHA ==>> */
#define SHA1SIZEBYTES (20)
#define SHA256SIZEBYTES (32)
@ -66,44 +66,24 @@ typedef enum _SHATYPE SHATYPE;
#define shatype_name(sht) ((sht == SHATYPE_SHA1) ? "SHA1" : ((sht == SHATYPE_SHA256) ? "SHA256" : ((sht == SHATYPE_SHA384) ? "SHA384" : "SHA512")))
#define SHA_TOO_WEAK_ERROR_CODE (426)
#define SHA_TOO_WEAK_ERROR_REASON ((const u08bits*)("credentials too weak"))
/* <<== SHA AGILITY */
/* <<== SHA */
/* OAUTH TOKEN ENC ALG ==> */
enum _ENC_ALG {
ENC_ALG_ERROR=-1,
#if !defined(TURN_NO_GCM)
ENC_ALG_DEFAULT=0,
AES_256_CBC=ENC_ALG_DEFAULT,
AES_128_CBC,
AEAD_AES_128_GCM,
AEAD_AES_256_GCM,
ENG_ALG_NUM
A256GCM=ENC_ALG_DEFAULT,
A128GCM,
#endif
ENC_ALG_NUM
};
typedef enum _ENC_ALG ENC_ALG;
/* <<== OAUTH TOKEN ENC ALG */
/* OAUTH TOKEN AUTH ALG ==> */
enum _AUTH_ALG {
AUTH_ALG_ERROR = -1,
AUTH_ALG_UNDEFINED = 0,
AUTH_ALG_DEFAULT = 1,
AUTH_ALG_HMAC_SHA_256_128 = AUTH_ALG_DEFAULT,
AUTH_ALG_HMAC_SHA_1,
AUTH_ALG_HMAC_SHA_256,
AUTH_ALG_HMAC_SHA_384,
AUTH_ALG_HMAC_SHA_512
};
typedef enum _AUTH_ALG AUTH_ALG;
/* <<== OAUTH TOKEN AUTH ALG */
/**
* oAuth struct
*/
@ -115,8 +95,9 @@ typedef enum _AUTH_ALG AUTH_ALG;
#define OAUTH_HASH_FUNC_SIZE (64)
#define OAUTH_ALG_SIZE (64)
#define OAUTH_KEY_SIZE (256)
#define OAUTH_AEAD_NONCE_SIZE (12)
#define OAUTH_AEAD_TAG_SIZE (16)
#define OAUTH_GCM_NONCE_SIZE (12)
#define OAUTH_MAX_NONCE_SIZE (256)
#define OAUTH_GCM_TAG_SIZE (16)
#define OAUTH_ENC_ALG_BLOCK_SIZE (16)
#define OAUTH_DEFAULT_LIFETIME (0)
@ -130,13 +111,7 @@ struct _oauth_key_data {
size_t ikm_key_size;
turn_time_t timestamp;
turn_time_t lifetime;
char hkdf_hash_func[OAUTH_HASH_FUNC_SIZE+1];
char as_rs_alg[OAUTH_ALG_SIZE+1];
char as_rs_key[OAUTH_KEY_SIZE+1];
size_t as_rs_key_size;
char auth_alg[OAUTH_ALG_SIZE+1];
char auth_key[OAUTH_KEY_SIZE+1];
size_t auth_key_size;
};
typedef struct _oauth_key_data oauth_key_data;
@ -147,11 +122,9 @@ struct _oauth_key {
size_t ikm_key_size;
turn_time_t timestamp;
turn_time_t lifetime;
SHATYPE hkdf_hash_func;
ENC_ALG as_rs_alg;
char as_rs_key[OAUTH_KEY_SIZE+1];
size_t as_rs_key_size;
AUTH_ALG auth_alg;
char auth_key[OAUTH_KEY_SIZE+1];
size_t auth_key_size;
};
@ -159,6 +132,8 @@ struct _oauth_key {
typedef struct _oauth_key oauth_key;
struct _oauth_encrypted_block {
uint16_t nonce_length;
uint8_t nonce[OAUTH_MAX_NONCE_SIZE];
uint16_t key_length;
uint8_t mac_key[MAXSHASIZE];
uint64_t timestamp;

2
src/ns_turn_defs.h
View File

@ -31,7 +31,7 @@
#ifndef __IOADEFS__
#define __IOADEFS__
#define TURN_SERVER_VERSION "4.4.4.2"
#define TURN_SERVER_VERSION "4.4.5.1"
#define TURN_SERVER_VERSION_NAME "Ardee West"
#define TURN_SOFTWARE "Coturn-" TURN_SERVER_VERSION " '" TURN_SERVER_VERSION_NAME "'"

105
src/server/ns_turn_server.c
View File

@ -1047,7 +1047,6 @@ static int handle_turn_allocate(turn_turnserver *server,
transport = get_transport_value(value);
if (!transport) {
*err_code = 442;
*reason = (const u08bits *)"Unsupported Transport Protocol";
}
if((transport == STUN_ATTRIBUTE_TRANSPORT_TCP_VALUE) && *(server->no_tcp_relay)) {
*err_code = 442;
@ -1159,7 +1158,6 @@ static int handle_turn_allocate(turn_turnserver *server,
break;
default:
*err_code = 440;
*reason = (const u08bits *)"Unsupported address family requested";
}
}
}
@ -1182,8 +1180,6 @@ static int handle_turn_allocate(turn_turnserver *server,
} else if (*ua_num > 0) {
*err_code = 420;
if(!(*reason))
*reason = (const u08bits *)"Unknown attribute";
} else if (*err_code) {
@ -1209,7 +1205,6 @@ static int handle_turn_allocate(turn_turnserver *server,
if(inc_quota(ss, username)<0) {
*err_code = 486;
*reason = (const u08bits *)"Allocation Quota Reached";
} else {
@ -1290,7 +1285,7 @@ static int handle_turn_allocate(turn_turnserver *server,
if(af4res<0) {
set_relay_session_failure(alloc,AF_INET);
if(!err_code4) {
err_code4 = 437;
err_code4 = 440;
}
}
}
@ -1303,7 +1298,7 @@ static int handle_turn_allocate(turn_turnserver *server,
if(af6res<0) {
set_relay_session_failure(alloc,AF_INET6);
if(!err_code6) {
err_code6 = 437;
err_code6 = 440;
}
}
}
@ -1405,12 +1400,12 @@ static int handle_turn_allocate(turn_turnserver *server,
if(*resp_constructed && !(*err_code)) {
if(err_code4) {
size_t len = ioa_network_buffer_get_size(nbh);
stun_attr_add_address_error_code(ioa_network_buffer_data(nbh), &len, STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV4, (u08bits)err_code4);
stun_attr_add_address_error_code(ioa_network_buffer_data(nbh), &len, STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV4, err_code4);
ioa_network_buffer_set_size(nbh,len);
}
if(err_code6) {
size_t len = ioa_network_buffer_get_size(nbh);
stun_attr_add_address_error_code(ioa_network_buffer_data(nbh), &len, STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV6, (u08bits)err_code6);
stun_attr_add_address_error_code(ioa_network_buffer_data(nbh), &len, STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV6, err_code6);
ioa_network_buffer_set_size(nbh,len);
}
}
@ -1519,8 +1514,8 @@ static int handle_turn_refresh(turn_turnserver *server,
}
}
break;
case STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY: /* <<== ??? */
case STUN_ATTRIBUTE_ADDITIONAL_ADDRESS_FAMILY: {
case STUN_ATTRIBUTE_ADDITIONAL_ADDRESS_FAMILY: /* deprecated, for backward compatibility with older versions of TURN-bis */
case STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY: {
int af_req = stun_get_requested_address_family(sar);
{
int is_err = 0;
@ -1561,7 +1556,6 @@ static int handle_turn_refresh(turn_turnserver *server,
if (*ua_num > 0) {
*err_code = 420;
*reason = (const u08bits *)"Unknown attribute";
} else if (*err_code) {
@ -1723,7 +1717,7 @@ static int handle_turn_refresh(turn_turnserver *server,
}
if(message_integrity) {
stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,server->shatype);
stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,SHATYPE_DEFAULT);
ioa_network_buffer_set_size(nbh,len);
}
@ -1980,14 +1974,13 @@ static void tcp_peer_connection_completed_callback(int success, void *arg)
addr_to_string(&(tc->peer_addr),(u08bits*)rs);
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: failure to connect from %s to %s\n", __FUNCTION__, ls,rs);
}
const u08bits *reason = (const u08bits *)"Connection Timeout or Failure";
stun_init_error_response_str(STUN_METHOD_CONNECT, ioa_network_buffer_data(nbh), &len, err_code, reason, &(tc->tid));
stun_init_error_response_str(STUN_METHOD_CONNECT, ioa_network_buffer_data(nbh), &len, err_code, NULL, &(tc->tid));
}
ioa_network_buffer_set_size(nbh,len);
if(need_stun_authentication(server, ss)) {
stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,server->shatype);
stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,SHATYPE_DEFAULT);
ioa_network_buffer_set_size(nbh,len);
}
@ -2051,7 +2044,6 @@ static int tcp_start_connection_to_peer(turn_turnserver *server, ts_ur_super_ses
tcp_connection *tc = get_tcp_connection_by_peer(a, peer_addr);
if(tc) {
*err_code = 446;
*reason = (const u08bits *)"Connection Already Exists";
FUNCEND;
return -1;
}
@ -2219,7 +2211,6 @@ static int handle_turn_connect(turn_turnserver *server,
*reason = (const u08bits *)"Connect cannot be used with UDP relay";
} else if (!is_allocation_valid(a)) {
*err_code = 437;
*reason = (const u08bits *)"Allocation mismatch";
} else {
stun_attr_ref sar = stun_attr_get_first_str(ioa_network_buffer_data(in_buffer->nbh),
@ -2258,7 +2249,6 @@ static int handle_turn_connect(turn_turnserver *server,
if (*ua_num > 0) {
*err_code = 420;
*reason = (const u08bits *)"Unknown attribute";
} else if (*err_code) {
@ -2296,7 +2286,6 @@ static int handle_turn_connection_bind(turn_turnserver *server,
if(ss->to_be_closed) {
*err_code = 400;
*reason = (const u08bits *)"Bad request";
} else if (is_allocation_valid(a)) {
@ -2343,7 +2332,6 @@ static int handle_turn_connection_bind(turn_turnserver *server,
if (*ua_num > 0) {
*err_code = 420;
*reason = (const u08bits *)"Unknown attribute";
} else if (*err_code) {
@ -2474,7 +2462,7 @@ int turnserver_accept_tcp_client_data_connection(turn_turnserver *server, tcp_co
if(message_integrity && ss) {
size_t len = ioa_network_buffer_get_size(nbh);
stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,server->shatype);
stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,SHATYPE_DEFAULT);
ioa_network_buffer_set_size(nbh,len);
}
@ -2584,7 +2572,6 @@ static int handle_turn_channel_bind(turn_turnserver *server,
if (*ua_num > 0) {
*err_code = 420;
*reason = (const u08bits *)"Unknown attribute";
} else if (*err_code) {
@ -2798,7 +2785,6 @@ static int handle_turn_binding(turn_turnserver *server,
if (*ua_num > 0) {
*err_code = 420;
*reason = (const u08bits *)"Unknown attribute";
} else if (*err_code) {
@ -3286,7 +3272,6 @@ static int check_stun_auth(turn_turnserver *server,
if(!sar) {
*err_code = 401;
*reason = (const u08bits*)"Unauthorised";
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
@ -3295,49 +3280,10 @@ static int check_stun_auth(turn_turnserver *server,
switch(sarlen) {
case SHA1SIZEBYTES:
if(server->shatype > SHATYPE_SHA1) {
*err_code = SHA_TOO_WEAK_ERROR_CODE;
*reason = SHA_TOO_WEAK_ERROR_REASON;
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
if(server->shatype != SHATYPE_SHA1) {
*err_code = 401;
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
break;
case SHA256SIZEBYTES:
if(server->shatype > SHATYPE_SHA256) {
*err_code = SHA_TOO_WEAK_ERROR_CODE;
*reason = SHA_TOO_WEAK_ERROR_REASON;
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
if(server->shatype != SHATYPE_SHA256) {
*err_code = 401;
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
break;
case SHA384SIZEBYTES:
if(server->shatype > SHATYPE_SHA384) {
*err_code = SHA_TOO_WEAK_ERROR_CODE;
*reason = SHA_TOO_WEAK_ERROR_REASON;
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
if(server->shatype != SHATYPE_SHA384) {
*err_code = 401;
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
break;
case SHA512SIZEBYTES:
if(server->shatype > SHATYPE_SHA512) {
*err_code = SHA_TOO_WEAK_ERROR_CODE;
*reason = SHA_TOO_WEAK_ERROR_REASON;
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
if(server->shatype != SHATYPE_SHA512) {
*err_code = 401;
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
break;
default:
*err_code = 401;
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
@ -3354,7 +3300,6 @@ static int check_stun_auth(turn_turnserver *server,
if(!sar) {
*err_code = 400;
*reason = (const u08bits*)"Bad request";
return -1;
}
@ -3386,7 +3331,6 @@ static int check_stun_auth(turn_turnserver *server,
if(!sar) {
*err_code = 400;
*reason = (const u08bits*)"Bad request";
return -1;
}
@ -3405,7 +3349,6 @@ static int check_stun_auth(turn_turnserver *server,
*reason = (const u08bits*)"Allocation mismatch: wrong credentials";
} else {
*err_code = 441;
*reason = (const u08bits*)"Wrong credentials";
}
return -1;
}
@ -3424,7 +3367,6 @@ static int check_stun_auth(turn_turnserver *server,
if(!sar) {
*err_code = 400;
*reason = (const u08bits*)"Bad request";
return -1;
}
@ -3456,33 +3398,19 @@ static int check_stun_auth(turn_turnserver *server,
}
}
/* direct user pattern is supported only for long-term credentials */
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"%s: Cannot find credentials of user <%s>\n",
__FUNCTION__, (char*)usname);
*err_code = 401;
*reason = (const u08bits*)"Unauthorised";
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
/* Check integrity */
int too_weak = 0;
if(stun_check_message_integrity_by_key_str(server->ct,ioa_network_buffer_data(in_buffer->nbh),
ioa_network_buffer_get_size(in_buffer->nbh),
ss->hmackey,
ss->pwd,
server->shatype,
&too_weak)<1) {
if(too_weak) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"%s: user %s credentials are incorrect: SHA function is too weak\n",
__FUNCTION__, (char*)usname);
*err_code = SHA_TOO_WEAK_ERROR_CODE;
*reason = SHA_TOO_WEAK_ERROR_REASON;
*reason = (const u08bits*)"Unauthorised: weak SHA function is used";
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
SHATYPE_DEFAULT)<1) {
if(can_resume) {
(server->userkeycb)(server->id, server->ct, server->oauth, &(ss->oauth), usname, realm, resume_processing_after_username_check, in_buffer, ss->id, postpone_reply);
@ -3495,7 +3423,6 @@ static int check_stun_auth(turn_turnserver *server,
"%s: user %s credentials are incorrect\n",
__FUNCTION__, (char*)usname);
*err_code = 401;
*reason = (const u08bits*)"Unauthorised";
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
@ -3528,7 +3455,6 @@ static void set_alternate_server(turn_server_addrs_list_t *asl, const ioa_addr *
if(addr->ss.sa_family == local_addr->ss.sa_family) {
*err_code = 300;
*reason = (const u08bits *)"Redirect";
size_t len = ioa_network_buffer_get_size(nbh);
stun_init_error_response_str(method, ioa_network_buffer_data(nbh), &len, *err_code, *reason, tid);
@ -3930,7 +3856,7 @@ static int handle_turn_command(turn_turnserver *server, ts_ur_super_session *ss,
if(message_integrity) {
size_t len = ioa_network_buffer_get_size(nbh);
stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,server->shatype);
stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,SHATYPE_DEFAULT);
ioa_network_buffer_set_size(nbh,len);
}
@ -4329,7 +4255,7 @@ static int create_relay_connection(turn_turnserver* server,
ioa_socket_tobeclosed(s)) {
IOA_CLOSE_SOCKET(s);
*err_code = 508;
*err_code = 404;
*reason = (const u08bits *)"Cannot find reserved socket";
return -1;
}
@ -4389,7 +4315,7 @@ static int create_relay_connection(turn_turnserver* server,
} else {
IOA_CLOSE_SOCKET(newelem->s);
IOA_CLOSE_SOCKET(rtcp_s);
*err_code = 508;
*err_code = 500;
*reason = (const u08bits *)"Wrong reservation tokens (internal error)";
return -1;
}
@ -4863,7 +4789,7 @@ void init_turn_server(turn_turnserver* server,
vintp no_multicast_peers, vintp no_loopback_peers,
ip_range_list_t* ip_whitelist, ip_range_list_t* ip_blacklist,
send_socket_to_relay_cb send_socket_to_relay,
vintp secure_stun, SHATYPE shatype, vintp mobility, int server_relay,
vintp secure_stun, vintp mobility, int server_relay,
send_turn_session_info_cb send_turn_session_info,
send_https_socket_cb send_https_socket,
allocate_bps_cb allocate_bps_func,
@ -4887,7 +4813,6 @@ void init_turn_server(turn_turnserver* server,
server->no_multicast_peers = no_multicast_peers;
server->no_loopback_peers = no_loopback_peers;
server->secure_stun = secure_stun;
server->shatype = shatype;
server->mobility = mobility;
server->server_relay = server_relay;
server->send_turn_session_info = send_turn_session_info;

2
src/server/ns_turn_server.h
View File

@ -118,7 +118,6 @@ struct _turn_turnserver {
vintp stun_only;
vintp no_stun;
vintp secure_stun;
SHATYPE shatype;
turn_credential_type ct;
get_alt_addr_cb alt_addr_cb;
send_message_cb sm_cb;
@ -197,7 +196,6 @@ void init_turn_server(turn_turnserver* server,
ip_range_list_t* ip_blacklist,
send_socket_to_relay_cb send_socket_to_relay,
vintp secure_stun,
SHATYPE shatype,
vintp mobility,
int server_relay,
send_turn_session_info_cb send_turn_session_info,

6
turndb/schema.sql
View File

@ -39,14 +39,10 @@ CREATE TABLE turn_realm_option (
CREATE TABLE oauth_key (
kid varchar(128),
ikm_key varchar(256) default '',
ikm_key varchar(256),
timestamp bigint default 0,
lifetime integer default 0,
hkdf_hash_func varchar(64) default '',
as_rs_alg varchar(64) default '',
as_rs_key varchar(256) default '',
auth_alg varchar(64) default '',
auth_key varchar(256) default '',
primary key (kid)
);

37
turndb/schema.userdb.redis
View File

@ -34,39 +34,18 @@ and they will be almost immediately "seen" by the turnserver process.
4) For the oAuth authentication, there is a hash structure with the key
"turn/oauth/kid/<kid-value>". The kid structure fields are:
ikm_key - (optional) base64-encoded key ("input keying material");
The ikm_key is not needed if the as_rs_key and auth_key are defined
explicitly in the database;
ikm_key - (optional) base64-encoded key ("input keying material").
timestamp - (optional) the timestamp (in seconds) when the key
lifetime started;
lifetime started.
lifetime - (optional) the key lifetime in seconds; the default value
is 0 - unlimited lifetime.
hkdf_hash_func - (optional) hash function for HKDF procedure; the
valid values are SHA-1, SHA-256, SHA-384 and SHA-512,
with SHA-256 as default. The hkdf_hash_func is not needed
if the as_rs_key and auth_key are defined explicitly
in the database;
as_rs_alg - oAuth token encryption algorithm; the valid values are
"AES-128-CBC" and "AES-256-CBC", , "AEAD-AES-128-GCM",
"AEAD-AES-256-GCM".
The default value is "AES-256-CBC";
as_rs_key - (optional) base64-encoded AS-RS key. If not defined, then
calculated with ikm_key and hkdf_hash_func. The as_rs_key length
is defined by as_rs_alg.
auth_alg - (optional) oAuth token authentication algorithm; the valid values are
"HMAC-SHA-256-128", "HMAC-SHA-256", "HMAC-SHA-384",
"HMAC-SHA-512" and "HMAC-SHA-1".
The default value is "HMAC-SHA-256-128".
auth_key - (optional) base64-encoded AUTH key. If not defined, then
calculated with ikm_key and hkdf_hash_func. The auth_key length
is defined by auth_alg.
"A256GCM", "A128GCM" (see
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-5.1).
The default value is "A256GCM".
5) admin users (over https interface) are maintained as keys of form:
"turn/admin_user/<username> with hash members "password" and,
@ -102,7 +81,8 @@ This example sets user database for:
* The realm performance parameters: "max_bps",
"total_quota" and "user_quota" (same names as the turnserver
configuration options, with the same meanings).
* The oAuth data for the key with kid "north" and key value "carleon".
* The oAuth data for the key with kid "oldempire" and key value
"12345678901234567890123456789012".
* The admin user 'skarling', realm 'north.gov', with password 'hoodless';
* The global admin user 'bayaz' with password 'magi';
@ -137,8 +117,7 @@ sadd turn/realm/crinna.org/allowed-peer-ip "172.17.13.202"
sadd turn/realm/north.gov/denied-peer-ip "172.17.13.133-172.17.14.56" "172.17.17.133-172.17.19.56" "123::45"
sadd turn/realm/crinna.org/denied-peer-ip "123::77"
hmset turn/oauth/kid/north ikm_key 'Y2FybGVvbg==' hkdf_hash_func 'SHA-256' as_rs_alg 'AES-128-CBC' auth_alg 'HMAC-SHA-256-128'
hmset turn/oauth/kid/oldempire ikm_key 'YXVsY3Vz' hkdf_hash_func 'SHA-256' as_rs_alg 'AEAD-AES-256-GCM'
hmset turn/oauth/kid/oldempire ikm_key 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIK' as_rs_alg 'A256GCM'
hmset turn/admin_user/skarling realm 'north.gov' password 'hoodless'
hmset turn/admin_user/bayaz password 'magi'

20
turndb/testmongosetup.sh
View File

@ -55,22 +55,14 @@ db.realm.insert({
});
db.oauth_key.insert({ kid: 'north',
ikm_key: 'Y2FybGVvbg==',
hkdf_hash_func: 'SHA-256',
as_rs_alg: 'AES-256-CBC',
auth_alg: 'HMAC-SHA-256-128' });
ikm_key: 'MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEK',
as_rs_alg: 'A256GCM'});
db.oauth_key.insert({ kid: 'union',
ikm_key: 'aGVyb2Q=',
hkdf_hash_func: 'SHA-256',
as_rs_alg: 'AES-256-CBC',
auth_alg: 'HMAC-SHA-512' });
ikm_key: 'MTIzNDU2Nzg5MDEyMzQ1Ngo=',
as_rs_alg: 'A128GCM'});
db.oauth_key.insert({ kid: 'oldempire',
ikm_key: 'YXVsY3Vz',
hkdf_hash_func: 'SHA-256',
as_rs_alg: 'AEAD-AES-256-GCM',
auth_alg: '' });
ikm_key: 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIK',
as_rs_alg: 'A256GCM'});
exit

6
turndb/testredisdbsetup.sh
View File

@ -38,9 +38,9 @@ sadd turn/realm/crinna.org/allowed-peer-ip "172.17.13.202"
sadd turn/realm/north.gov/denied-peer-ip "172.17.13.133-172.17.14.56" "172.17.17.133-172.17.19.56" "123::45"
sadd turn/realm/crinna.org/denied-peer-ip "123::77"
hmset turn/oauth/kid/north ikm_key 'Y2FybGVvbg==' hkdf_hash_func 'SHA-256' as_rs_alg 'AES-256-CBC' auth_alg 'HMAC-SHA-256-128'
hmset turn/oauth/kid/union ikm_key 'aGVyb2Q=' hkdf_hash_func 'SHA-256' as_rs_alg 'AES-256-CBC' auth_alg 'HMAC-SHA-512'
hmset turn/oauth/kid/oldempire ikm_key 'YXVsY3Vz' hkdf_hash_func 'SHA-256' as_rs_alg 'AEAD-AES-256-GCM'
hmset turn/oauth/kid/north ikm_key 'MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEK' as_rs_alg 'A256GCM'
hmset turn/oauth/kid/union ikm_key 'MTIzNDU2Nzg5MDEyMzQ1Ngo=' as_rs_alg 'A128GCM'
hmset turn/oauth/kid/oldempire ikm_key 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIK' as_rs_alg 'A256GCM'
hmset turn/admin_user/skarling realm 'north.gov' password '\$5\$6fc35c3b0c7d4633\$27fca7574f9b79d0cb93ae03e45379470cbbdfcacdd6401f97ebc620f31f54f2'
hmset turn/admin_user/bayaz password '\$5\$e018513e9de69e73\$5cbdd2e29e04ca46aeb022268a7460d3a3468de193dcb2b95f064901769f455f'

6
turndb/testsqldbsetup.sql
View File

@ -31,6 +31,6 @@ insert into denied_peer_ip (ip_range) values('123::45');
insert into denied_peer_ip (realm,ip_range) values('north.gov','172.17.17.133-172.17.19.56');
insert into denied_peer_ip (realm,ip_range) values('crinna.org','123::77');
insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('north','Y2FybGVvbg==',0,0,'SHA-256','AES-256-CBC','','HMAC-SHA-256-128','');
insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('union','aGVyb2Q=',0,0,'SHA-256','AES-256-CBC','','HMAC-SHA-512','');
insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('oldempire','YXVsY3Vz',0,0,'SHA-256','AEAD-AES-256-GCM','','','');
insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('north','MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEK',0,0,'A256GCM');
insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('union','MTIzNDU2Nzg5MDEyMzQ1Ngo=',0,0,'A128GCM');
insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg) values('oldempire','MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIK',0,0,'A256GCM');