From 86f40b4bd9ff5e186be0f180f94607a91ec140e8 Mon Sep 17 00:00:00 2001 From: mom040267 Date: Sun, 19 Apr 2015 06:18:28 +0000 Subject: [PATCH] working on third-party auth --- ChangeLog | 4 +- INSTALL | 25 +- examples/var/db/turndb | Bin 22528 -> 22528 bytes src/apps/common/apputils.c | 2 - src/apps/common/apputils.h | 2 - src/apps/relay/dbdrivers/dbd_mongo.c | 28 +-- src/apps/relay/dbdrivers/dbd_mysql.c | 65 +++--- src/apps/relay/dbdrivers/dbd_pgsql.c | 40 ++-- src/apps/relay/dbdrivers/dbd_redis.c | 18 +- src/apps/relay/dbdrivers/dbd_sqlite.c | 38 ++- src/apps/relay/dbdrivers/dbdriver.h | 2 +- src/apps/relay/turn_admin_server.c | 162 ++----------- src/apps/relay/userdb.c | 20 +- src/apps/rfc5769/rfc5769check.c | 38 +-- src/apps/uclient/mainuclient.c | 6 +- src/client/ns_turn_msg.c | 323 +++++++------------------- src/client/ns_turn_msg_defs_new.h | 32 +-- src/server/ns_turn_server.c | 1 - turndb/schema.sql | 2 - turndb/schema.userdb.redis | 25 +- turndb/testmongosetup.sh | 14 +- turndb/testredisdbsetup.sh | 6 +- turndb/testsqldbsetup.sql | 6 +- 23 files changed, 226 insertions(+), 633 deletions(-) diff --git a/ChangeLog b/ChangeLog index eca06aa9..5509140e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,9 @@ 4/9/2015 Oleg Moskalenko Version 4.4.5.1 'Ardee West': - dual allocation adjusted according to the new TURN-bis draft; - - options sha256, sha384, sha512 retired as non-standard ones; + - options sha256, sha384, sha512 retired as non-standard; + - third-party authorization (oAuth) updated according to the + version 14 of the draft; - C++ fixes; - cosmetic fixes; diff --git a/INSTALL b/INSTALL index 8e1a285e..46433d92 100644 --- a/INSTALL +++ b/INSTALL @@ -743,10 +743,8 @@ CREATE TABLE oauth_key ( ikm_key varchar(256) default '', timestamp bigint default 0, lifetime integer default 0, - hkdf_hash_func varchar(64) default '', as_rs_alg varchar(64) default '', as_rs_key varchar(256) default '', - auth_alg varchar(64) default '', auth_key varchar(256) default '', primary key (kid) ); @@ -764,30 +762,17 @@ The oauth_key table fields meanings are: lifetime - (optional) the key lifetime in seconds; the default value is 0 - unlimited lifetime. - - hkdf_hash_func - (optional) hash function for HKDF procedure; the - valid values are SHA-1, SHA-256, SHA-384 and SHA-512, - with SHA-256 as default. The hkdf_hash_func is not needed - if the as_rs_key and auth_key are defined explicitly - in the database; as_rs_alg - oAuth token encryption algorithm; the valid values are - "AES-128-CBC" and "AES-256-CBC", , "AEAD-AES-128-GCM", - "AEAD-AES-256-GCM". - The default value is "AES-256-CBC"; + "A256GCMKW", "A128GCMKW" (see + http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.1). + The default value is "A256GCMKW"; as_rs_key - (optional) base64-encoded AS-RS key. If not defined, then - calculated with ikm_key and hkdf_hash_func. The as_rs_key length - is defined by as_rs_alg. - - auth_alg - (optional) oAuth token authentication algorithm; the valid values are - "HMAC-SHA-256-128", "HMAC-SHA-256", "HMAC-SHA-384", - "HMAC-SHA-512" and "HMAC-SHA-1". - The default value is "HMAC-SHA-256-128". + calculated with ikm_key. auth_key - (optional) base64-encoded AUTH key. If not defined, then - calculated with ikm_key and hkdf_hash_func. The auth_key length - is defined by auth_alg. + calculated with ikm_key. Not used for AEAD algorithms. # Https access admin users. # Leave this table empty if you do not want diff --git a/examples/var/db/turndb b/examples/var/db/turndb index a186ae1937dc2022f80133ff5616307cd3fd536c..9b08dba57bc97b1b5f25a9a3ee567059c8ddc824 100644 GIT binary patch delta 416 zcmZqJz}T>Xae}nqP6h@BF(76IVkQuKqK+}+&W#DH`8kDwTp=K4-^?iShIx?)3m-3# z$ILu~f%y*e9_AUF1$nxdGnAM)B z!{wMb#35=*^D^`E65YcplZ*mw9Sw~v!179r9O9~AGxG9_N-`pi+$xjY!^)D||>{1s0%R zgC;imDK*K8vWv^hGq!M+Bqrsg<|mexWW;BuR>B$VlWYAXg|ahK6v`5dk~0#EG=Ton z)Zv=E%1?3f89$lHFM(LkUuklnzcLF*_vE#Ha-s!AnYoEYl?p(U6f}UEHMukm#U`Kk LH((T66u8Rp>0yqbWkrY zg1sq*{0F^y*hay-2anP}p=ZIPAPAygy4s`P%ftKYdw8Dr>;jx!fDg&*=NN`_d z2%CPk0M0L8e%v6VsEr`3O+ocLoW#TY2Lf!eosQFJ4xx;}&+r|T@gFF@TzXZU1_iXa zdLZq43fT9(J3#Zj9LW0~|GEe%CPfg*+w>kiv`pJlEAmJao|YO_kr#@0#m9{>@#Tl* zYE3Nj;kcL=1e{_+8c)---EHZ;zUk=ABYDs)$gfsZ@e%)zUn$p0fMWI*Qao+hj%zf9 zCl5wiMLyL|O8?Uf_4C3#3Y`Jr9D_gMH#mp0Fs3`PPw;?PUKm^EMNdKoEG~jHWWmZL zPC$lS$kTWni(+F8zllGGU%?@mV`Gr;z5aB3@E(L}YvQ#C^K3t0YpLLVo!fn5Z$ufE z1#fv*)w;T^4qZd(=%ZD!8O-X5IN32<+^Omu8>*8=#xq%p41U#j02w5u?JU_f+q!G^ zbk4L~{X}=Tmflu}U6;$Dk4C4}Rt$AuDD9zj9K4Vch}MvHBcwV|oI&ureruf!g@Yq0 hwXD!=i|jjQPjyBd^24Q(gAA3)$AX!Z12-mz#9y(loS^^! diff --git a/src/apps/common/apputils.c b/src/apps/common/apputils.c index 0d3b7fe4..eecfcbc7 100644 --- a/src/apps/common/apputils.c +++ b/src/apps/common/apputils.c @@ -1125,8 +1125,6 @@ void convert_oauth_key_data_raw(const oauth_key_data_raw *raw, oauth_key_data *o oakd->lifetime = raw->lifetime; ns_bcopy(raw->as_rs_alg,oakd->as_rs_alg,sizeof(oakd->as_rs_alg)); - ns_bcopy(raw->auth_alg,oakd->auth_alg,sizeof(oakd->auth_alg)); - ns_bcopy(raw->hkdf_hash_func,oakd->hkdf_hash_func,sizeof(oakd->hkdf_hash_func)); ns_bcopy(raw->kid,oakd->kid,sizeof(oakd->kid)); if(raw->ikm_key[0]) { diff --git a/src/apps/common/apputils.h b/src/apps/common/apputils.h index dd86d673..4b93d861 100644 --- a/src/apps/common/apputils.h +++ b/src/apps/common/apputils.h @@ -141,10 +141,8 @@ struct _oauth_key_data_raw { char ikm_key[OAUTH_KEY_SIZE+1]; u64bits timestamp; u32bits lifetime; - char hkdf_hash_func[OAUTH_HASH_FUNC_SIZE+1]; char as_rs_alg[OAUTH_ALG_SIZE+1]; char as_rs_key[OAUTH_KEY_SIZE+1]; - char auth_alg[OAUTH_ALG_SIZE+1]; char auth_key[OAUTH_KEY_SIZE+1]; }; diff --git a/src/apps/relay/dbdrivers/dbd_mongo.c b/src/apps/relay/dbdrivers/dbd_mongo.c index abcf0b6d..853a5524 100644 --- a/src/apps/relay/dbdrivers/dbd_mongo.c +++ b/src/apps/relay/dbdrivers/dbd_mongo.c @@ -256,9 +256,7 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { BSON_APPEND_INT32(&fields, "timestamp", 1); BSON_APPEND_INT32(&fields, "as_rs_alg", 1); BSON_APPEND_INT32(&fields, "as_rs_key", 1); - BSON_APPEND_INT32(&fields, "auth_alg", 1); BSON_APPEND_INT32(&fields, "auth_key", 1); - BSON_APPEND_INT32(&fields, "hkdf_hash_func", 1); BSON_APPEND_INT32(&fields, "ikm_key", 1); mongoc_cursor_t * cursor; @@ -284,18 +282,12 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_key") && BSON_ITER_HOLDS_UTF8(&iter)) { STRCPY(key->as_rs_key,bson_iter_utf8(&iter, &length)); } - if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "auth_alg") && BSON_ITER_HOLDS_UTF8(&iter)) { - STRCPY(key->auth_alg,bson_iter_utf8(&iter, &length)); - } if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "auth_key") && BSON_ITER_HOLDS_UTF8(&iter)) { STRCPY(key->auth_key,bson_iter_utf8(&iter, &length)); } if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "ikm_key") && BSON_ITER_HOLDS_UTF8(&iter)) { STRCPY(key->ikm_key,bson_iter_utf8(&iter, &length)); } - if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "hkdf_hash_func") && BSON_ITER_HOLDS_UTF8(&iter)) { - STRCPY(key->hkdf_hash_func,bson_iter_utf8(&iter, &length)); - } if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "timestamp") && BSON_ITER_HOLDS_INT64(&iter)) { key->timestamp = (u64bits)bson_iter_int64(&iter); } @@ -358,9 +350,7 @@ static int mongo_set_oauth_key(oauth_key_data_raw *key) { BSON_APPEND_UTF8(&doc, "kid", (const char *)key->kid); BSON_APPEND_UTF8(&doc, "as_rs_alg", (const char *)key->as_rs_alg); BSON_APPEND_UTF8(&doc, "as_rs_key", (const char *)key->as_rs_key); - BSON_APPEND_UTF8(&doc, "auth_alg", (const char *)key->auth_alg); BSON_APPEND_UTF8(&doc, "auth_key", (const char *)key->auth_key); - BSON_APPEND_UTF8(&doc, "hkdf_hash_func", (const char *)key->hkdf_hash_func); BSON_APPEND_UTF8(&doc, "ikm_key", (const char *)key->ikm_key); BSON_APPEND_INT64(&doc, "timestamp", (int64_t)key->timestamp); BSON_APPEND_INT32(&doc, "lifetime", (int32_t)key->lifetime); @@ -497,7 +487,7 @@ static int mongo_list_users(u08bits *realm, secrets_list_t *users, secrets_list_ return ret; } -static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secrets_list_t *teas,secrets_list_t *aas,secrets_list_t *tss,secrets_list_t *lts) { +static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secrets_list_t *tss,secrets_list_t *lts) { const char * collection_name = "oauth_key"; mongoc_collection_t * collection = mongo_get_collection(collection_name); @@ -522,9 +512,7 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr BSON_APPEND_INT32(&fields, "timestamp", 1); BSON_APPEND_INT32(&fields, "as_rs_alg", 1); BSON_APPEND_INT32(&fields, "as_rs_key", 1); - BSON_APPEND_INT32(&fields, "auth_alg", 1); BSON_APPEND_INT32(&fields, "auth_key", 1); - BSON_APPEND_INT32(&fields, "hkdf_hash_func", 1); BSON_APPEND_INT32(&fields, "ikm_key", 1); mongoc_cursor_t * cursor; @@ -552,18 +540,12 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_key") && BSON_ITER_HOLDS_UTF8(&iter)) { STRCPY(key->as_rs_key,bson_iter_utf8(&iter, &length)); } - if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "auth_alg") && BSON_ITER_HOLDS_UTF8(&iter)) { - STRCPY(key->auth_alg,bson_iter_utf8(&iter, &length)); - } if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "auth_key") && BSON_ITER_HOLDS_UTF8(&iter)) { STRCPY(key->auth_key,bson_iter_utf8(&iter, &length)); } if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "ikm_key") && BSON_ITER_HOLDS_UTF8(&iter)) { STRCPY(key->ikm_key,bson_iter_utf8(&iter, &length)); } - if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "hkdf_hash_func") && BSON_ITER_HOLDS_UTF8(&iter)) { - STRCPY(key->hkdf_hash_func,bson_iter_utf8(&iter, &length)); - } if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "timestamp") && BSON_ITER_HOLDS_INT64(&iter)) { key->timestamp = (u64bits)bson_iter_int64(&iter); } @@ -572,9 +554,7 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr } if(kids) { add_to_secrets_list(kids,key->kid); - add_to_secrets_list(hkdfs,key->hkdf_hash_func); add_to_secrets_list(teas,key->as_rs_alg); - add_to_secrets_list(aas,key->auth_alg); { char ts[256]; snprintf(ts,sizeof(ts)-1,"%llu",(unsigned long long)key->timestamp); @@ -586,9 +566,9 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr add_to_secrets_list(lts,lt); } } else { - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n", - key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func, - key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key); + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", + key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, + key->as_rs_alg, key->as_rs_key, key->auth_key); } } mongoc_cursor_destroy(cursor); diff --git a/src/apps/relay/dbdrivers/dbd_mysql.c b/src/apps/relay/dbdrivers/dbd_mysql.c index 7ca45cc7..de7fda11 100644 --- a/src/apps/relay/dbdrivers/dbd_mysql.c +++ b/src/apps/relay/dbdrivers/dbd_mysql.c @@ -343,7 +343,7 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { int ret = -1; char statement[TURN_LONG_STRING_SIZE]; - snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key from oauth_key where kid='%s'",(const char*)kid); + snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key from oauth_key where kid='%s'",(const char*)kid); MYSQL * myc = get_mydb_connection(); if(myc) { @@ -354,7 +354,7 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { MYSQL_RES *mres = mysql_store_result(myc); if(!mres) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc)); - } else if(mysql_field_count(myc)!=8) { + } else if(mysql_field_count(myc)!=6) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unknown error retrieving MySQL DB information: %s\n",statement); } else { MYSQL_ROW row = mysql_fetch_row(mres); @@ -375,20 +375,14 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { slifetime[lengths[2]]=0; key->lifetime = (u32bits)strtoul(slifetime,NULL,10); - ns_bcopy(row[3],key->hkdf_hash_func,lengths[3]); - key->hkdf_hash_func[lengths[3]]=0; + ns_bcopy(row[3],key->as_rs_alg,lengths[3]); + key->as_rs_alg[lengths[3]]=0; - ns_bcopy(row[4],key->as_rs_alg,lengths[4]); - key->as_rs_alg[lengths[4]]=0; + ns_bcopy(row[4],key->as_rs_key,lengths[4]); + key->as_rs_key[lengths[4]]=0; - ns_bcopy(row[5],key->as_rs_key,lengths[5]); - key->as_rs_key[lengths[5]]=0; - - ns_bcopy(row[6],key->auth_alg,lengths[6]); - key->auth_alg[lengths[6]]=0; - - ns_bcopy(row[7],key->auth_key,lengths[7]); - key->auth_key[lengths[7]]=0; + ns_bcopy(row[5],key->auth_key,lengths[5]); + key->auth_key[lengths[5]]=0; ret = 0; } @@ -402,13 +396,13 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { return ret; } -static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secrets_list_t *teas,secrets_list_t *aas,secrets_list_t *tss,secrets_list_t *lts) { +static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secrets_list_t *tss,secrets_list_t *lts) { oauth_key_data_raw key_; oauth_key_data_raw *key=&key_; int ret = -1; char statement[TURN_LONG_STRING_SIZE]; - snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key,kid from oauth_key order by kid"); + snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key,kid from oauth_key order by kid"); MYSQL * myc = get_mydb_connection(); if(myc) { @@ -419,7 +413,7 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr MYSQL_RES *mres = mysql_store_result(myc); if(!mres) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc)); - } else if(mysql_field_count(myc)!=9) { + } else if(mysql_field_count(myc)!=7) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unknown error retrieving MySQL DB information: %s\n",statement); } else { MYSQL_ROW row = mysql_fetch_row(mres); @@ -440,28 +434,21 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr slifetime[lengths[2]]=0; key->lifetime = (u32bits)strtoul(slifetime,NULL,10); - ns_bcopy(row[3],key->hkdf_hash_func,lengths[3]); - key->hkdf_hash_func[lengths[3]]=0; - ns_bcopy(row[4],key->as_rs_alg,lengths[4]); - key->as_rs_alg[lengths[4]]=0; + ns_bcopy(row[3],key->as_rs_alg,lengths[3]); + key->as_rs_alg[lengths[3]]=0; - ns_bcopy(row[5],key->as_rs_key,lengths[5]); - key->as_rs_key[lengths[5]]=0; + ns_bcopy(row[4],key->as_rs_key,lengths[4]); + key->as_rs_key[lengths[4]]=0; - ns_bcopy(row[6],key->auth_alg,lengths[6]); - key->auth_alg[lengths[6]]=0; + ns_bcopy(row[5],key->auth_key,lengths[5]); + key->auth_key[lengths[5]]=0; - ns_bcopy(row[7],key->auth_key,lengths[7]); - key->auth_key[lengths[7]]=0; - - ns_bcopy(row[8],key->kid,lengths[8]); - key->kid[lengths[8]]=0; + ns_bcopy(row[6],key->kid,lengths[6]); + key->kid[lengths[6]]=0; if(kids) { add_to_secrets_list(kids,key->kid); - add_to_secrets_list(hkdfs,key->hkdf_hash_func); add_to_secrets_list(teas,key->as_rs_alg); - add_to_secrets_list(aas,key->auth_alg); { char ts[256]; snprintf(ts,sizeof(ts)-1,"%llu",(unsigned long long)key->timestamp); @@ -473,9 +460,9 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr add_to_secrets_list(lts,lt); } } else { - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n", - key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func, - key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key); + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", + key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, + key->as_rs_alg, key->as_rs_key, key->auth_key); } } row = mysql_fetch_row(mres); @@ -519,13 +506,13 @@ static int mysql_set_oauth_key(oauth_key_data_raw *key) char statement[TURN_LONG_STRING_SIZE]; MYSQL * myc = get_mydb_connection(); if(myc) { - snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s','%s','%s')", + snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s')", key->kid,key->ikm_key,(unsigned long long)key->timestamp,(unsigned long)key->lifetime, - key->hkdf_hash_func,key->as_rs_alg,key->as_rs_key,key->auth_alg,key->auth_key); + key->as_rs_alg,key->as_rs_key,key->auth_key); int res = mysql_query(myc, statement); if(res) { - snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, hkdf_hash_func = '%s', as_rs_alg='%s',as_rs_key='%s',auth_alg='%s',auth_key='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime, - key->hkdf_hash_func,key->as_rs_alg,key->as_rs_key,key->auth_alg,key->auth_key,key->kid); + snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, as_rs_alg='%s',as_rs_key='%s',auth_key='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime, + key->as_rs_alg,key->as_rs_key,key->auth_key,key->kid); res = mysql_query(myc, statement); if(res) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating oauth key information: %s\n",mysql_error(myc)); diff --git a/src/apps/relay/dbdrivers/dbd_pgsql.c b/src/apps/relay/dbdrivers/dbd_pgsql.c index 3ac152b0..6716de8b 100644 --- a/src/apps/relay/dbdrivers/dbd_pgsql.c +++ b/src/apps/relay/dbdrivers/dbd_pgsql.c @@ -158,7 +158,7 @@ static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { int ret = -1; char statement[TURN_LONG_STRING_SIZE]; - snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key from oauth_key where kid='%s'",(const char*)kid); + snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key from oauth_key where kid='%s'",(const char*)kid); PGconn * pqc = get_pqdb_connection(); if(pqc) { @@ -170,11 +170,9 @@ static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { STRCPY(key->ikm_key,PQgetvalue(res,0,0)); key->timestamp = (u64bits)strtoll(PQgetvalue(res,0,1),NULL,10); key->lifetime = (u32bits)strtol(PQgetvalue(res,0,2),NULL,10); - STRCPY(key->hkdf_hash_func,PQgetvalue(res,0,3)); - STRCPY(key->as_rs_alg,PQgetvalue(res,0,4)); - STRCPY(key->as_rs_key,PQgetvalue(res,0,5)); - STRCPY(key->auth_alg,PQgetvalue(res,0,6)); - STRCPY(key->auth_key,PQgetvalue(res,0,7)); + STRCPY(key->as_rs_alg,PQgetvalue(res,0,3)); + STRCPY(key->as_rs_key,PQgetvalue(res,0,4)); + STRCPY(key->auth_key,PQgetvalue(res,0,5)); STRCPY(key->kid,kid); ret = 0; } @@ -187,7 +185,7 @@ static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { return ret; } -static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secrets_list_t *teas,secrets_list_t *aas,secrets_list_t *tss,secrets_list_t *lts) { +static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secrets_list_t *tss,secrets_list_t *lts) { oauth_key_data_raw key_; oauth_key_data_raw *key=&key_; @@ -195,7 +193,7 @@ static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr int ret = -1; char statement[TURN_LONG_STRING_SIZE]; - snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key,kid from oauth_key order by kid"); + snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key,kid from oauth_key order by kid"); PGconn * pqc = get_pqdb_connection(); if(pqc) { @@ -210,18 +208,14 @@ static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr STRCPY(key->ikm_key,PQgetvalue(res,i,0)); key->timestamp = (u64bits)strtoll(PQgetvalue(res,i,1),NULL,10); key->lifetime = (u32bits)strtol(PQgetvalue(res,i,2),NULL,10); - STRCPY(key->hkdf_hash_func,PQgetvalue(res,i,3)); - STRCPY(key->as_rs_alg,PQgetvalue(res,i,4)); - STRCPY(key->as_rs_key,PQgetvalue(res,i,5)); - STRCPY(key->auth_alg,PQgetvalue(res,i,6)); - STRCPY(key->auth_key,PQgetvalue(res,i,7)); - STRCPY(key->kid,PQgetvalue(res,i,8)); + STRCPY(key->as_rs_alg,PQgetvalue(res,i,3)); + STRCPY(key->as_rs_key,PQgetvalue(res,i,4)); + STRCPY(key->auth_key,PQgetvalue(res,i,5)); + STRCPY(key->kid,PQgetvalue(res,i,6)); if(kids) { add_to_secrets_list(kids,key->kid); - add_to_secrets_list(hkdfs,key->hkdf_hash_func); add_to_secrets_list(teas,key->as_rs_alg); - add_to_secrets_list(aas,key->auth_alg); { char ts[256]; snprintf(ts,sizeof(ts)-1,"%llu",(unsigned long long)key->timestamp); @@ -233,9 +227,9 @@ static int pgsql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr add_to_secrets_list(lts,lt); } } else { - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n", - key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func, - key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key); + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", + key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, + key->as_rs_alg, key->as_rs_key, key->auth_key); } ret = 0; @@ -283,17 +277,17 @@ static int pgsql_set_oauth_key(oauth_key_data_raw *key) { char statement[TURN_LONG_STRING_SIZE]; PGconn *pqc = get_pqdb_connection(); if(pqc) { - snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s','%s','%s')", + snprintf(statement,sizeof(statement),"insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s')", key->kid,key->ikm_key,(unsigned long long)key->timestamp,(unsigned long)key->lifetime, - key->hkdf_hash_func,key->as_rs_alg,key->as_rs_key,key->auth_alg,key->auth_key); + key->as_rs_alg,key->as_rs_key,key->auth_key); PGresult *res = PQexec(pqc, statement); if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) { if(res) { PQclear(res); } - snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, hkdf_hash_func = '%s', as_rs_alg='%s',as_rs_key='%s',auth_alg='%s',auth_key='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime, - key->hkdf_hash_func,key->as_rs_alg,key->as_rs_key,key->auth_alg,key->auth_key,key->kid); + snprintf(statement,sizeof(statement),"update oauth_key set ikm_key='%s',timestamp=%lu,lifetime=%lu, as_rs_alg='%s',as_rs_key='%s',auth_key='%s' where kid='%s'",key->ikm_key,(unsigned long)key->timestamp,(unsigned long)key->lifetime, + key->as_rs_alg,key->as_rs_key,key->auth_key,key->kid); res = PQexec(pqc, statement); if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating oauth_key information: %s\n",PQerrorMessage(pqc)); diff --git a/src/apps/relay/dbdrivers/dbd_redis.c b/src/apps/relay/dbdrivers/dbd_redis.c index 1d3809e4..c315522a 100644 --- a/src/apps/relay/dbdrivers/dbd_redis.c +++ b/src/apps/relay/dbdrivers/dbd_redis.c @@ -481,12 +481,8 @@ static int redis_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { STRCPY(key->as_rs_key,val); } else if(!strcmp(kw,"auth_key")) { STRCPY(key->auth_key,val); - } else if(!strcmp(kw,"auth_alg")) { - STRCPY(key->auth_alg,val); } else if(!strcmp(kw,"ikm_key")) { STRCPY(key->ikm_key,val); - } else if(!strcmp(kw,"hkdf_hash_func")) { - STRCPY(key->hkdf_hash_func,val); } else if(!strcmp(kw,"timestamp")) { key->timestamp = (u64bits)strtoull(val,NULL,10); } else if(!strcmp(kw,"lifetime")) { @@ -520,8 +516,8 @@ static int redis_set_oauth_key(oauth_key_data_raw *key) { redisContext *rc = get_redis_connection(); if(rc) { char statement[TURN_LONG_STRING_SIZE]; - snprintf(statement,sizeof(statement),"hmset turn/oauth/kid/%s ikm_key %s hkdf_hash_func %s as_rs_alg %s as_rs_key %s auth_alg %s auth_key %s timestamp %llu lifetime %lu", - key->kid,key->ikm_key,key->hkdf_hash_func,key->as_rs_alg,key->as_rs_key,key->auth_alg,key->auth_key,(unsigned long long)key->timestamp,(unsigned long)key->lifetime); + snprintf(statement,sizeof(statement),"hmset turn/oauth/kid/%s ikm_key %s as_rs_alg %s as_rs_key %s auth_key %s timestamp %llu lifetime %lu", + key->kid,key->ikm_key,key->as_rs_alg,key->as_rs_key,key->auth_key,(unsigned long long)key->timestamp,(unsigned long)key->lifetime); turnFreeRedisReply(redisCommand(rc, statement)); turnFreeRedisReply(redisCommand(rc, "save")); ret = 0; @@ -637,7 +633,7 @@ static int redis_list_users(u08bits *realm, secrets_list_t *users, secrets_list_ return ret; } -static int redis_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secrets_list_t *teas,secrets_list_t *aas,secrets_list_t *tss,secrets_list_t *lts) { +static int redis_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secrets_list_t *tss,secrets_list_t *lts) { int ret = -1; redisContext *rc = get_redis_connection(); secrets_list_t keys; @@ -675,9 +671,7 @@ static int redis_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr if(redis_get_oauth_key((const u08bits*)s,key) == 0) { if(kids) { add_to_secrets_list(kids,key->kid); - add_to_secrets_list(hkdfs,key->hkdf_hash_func); add_to_secrets_list(teas,key->as_rs_alg); - add_to_secrets_list(aas,key->auth_alg); { char ts[256]; snprintf(ts,sizeof(ts)-1,"%llu",(unsigned long long)key->timestamp); @@ -689,9 +683,9 @@ static int redis_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secr add_to_secrets_list(lts,lt); } } else { - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n", - key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func, - key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key); + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", + key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, + key->as_rs_alg, key->as_rs_key, key->auth_key); } } } diff --git a/src/apps/relay/dbdrivers/dbd_sqlite.c b/src/apps/relay/dbdrivers/dbd_sqlite.c index 8b928c2a..5a9dac15 100644 --- a/src/apps/relay/dbdrivers/dbd_sqlite.c +++ b/src/apps/relay/dbdrivers/dbd_sqlite.c @@ -154,7 +154,7 @@ static void init_sqlite_database(sqlite3 *sqliteconnection) { "CREATE TABLE denied_peer_ip (realm varchar(127) default '', ip_range varchar(256), primary key (realm,ip_range))", "CREATE TABLE turn_origin_to_realm (origin varchar(127),realm varchar(127),primary key (origin))", "CREATE TABLE turn_realm_option (realm varchar(127) default '', opt varchar(32), value varchar(128), primary key (realm,opt))", - "CREATE TABLE oauth_key (kid varchar(128),ikm_key varchar(256) default '',timestamp bigint default 0,lifetime integer default 0,hkdf_hash_func varchar(64) default '',as_rs_alg varchar(64) default '',as_rs_key varchar(256) default '',auth_alg varchar(64) default '',auth_key varchar(256) default '',primary key (kid))", + "CREATE TABLE oauth_key (kid varchar(128),ikm_key varchar(256) default '',timestamp bigint default 0,lifetime integer default 0,as_rs_alg varchar(64) default '',as_rs_key varchar(256) default '',auth_key varchar(256) default '',primary key (kid))", "CREATE TABLE admin_user (name varchar(32), realm varchar(127), password varchar(127), primary key (name))", NULL }; @@ -293,7 +293,7 @@ static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { char statement[TURN_LONG_STRING_SIZE]; sqlite3_stmt *st = NULL; int rc = 0; - snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key from oauth_key where kid='%s'",(const char*)kid); + snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key from oauth_key where kid='%s'",(const char*)kid); sqlite3 *sqliteconnection = get_sqlite_connection(); if(sqliteconnection) { @@ -308,11 +308,9 @@ static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { STRCPY(key->ikm_key,sqlite3_column_text(st, 0)); key->timestamp = (u64bits)strtoll((const char*)sqlite3_column_text(st, 1),NULL,10); key->lifetime = (u32bits)strtol((const char*)sqlite3_column_text(st, 2),NULL,10); - STRCPY(key->hkdf_hash_func,sqlite3_column_text(st, 3)); - STRCPY(key->as_rs_alg,sqlite3_column_text(st, 4)); - STRCPY(key->as_rs_key,sqlite3_column_text(st, 5)); - STRCPY(key->auth_alg,sqlite3_column_text(st, 6)); - STRCPY(key->auth_key,sqlite3_column_text(st, 7)); + STRCPY(key->as_rs_alg,sqlite3_column_text(st, 3)); + STRCPY(key->as_rs_key,sqlite3_column_text(st, 4)); + STRCPY(key->auth_key,sqlite3_column_text(st, 5)); STRCPY(key->kid,kid); ret = 0; } @@ -329,7 +327,7 @@ static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { return ret; } -static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,secrets_list_t *teas,secrets_list_t *aas,secrets_list_t *tss,secrets_list_t *lts) { +static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secrets_list_t *tss,secrets_list_t *lts) { oauth_key_data_raw key_; oauth_key_data_raw *key=&key_; @@ -341,7 +339,7 @@ static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,sec char statement[TURN_LONG_STRING_SIZE]; sqlite3_stmt *st = NULL; int rc = 0; - snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key,kid from oauth_key order by kid"); + snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key,kid from oauth_key order by kid"); sqlite3 *sqliteconnection = get_sqlite_connection(); if(sqliteconnection) { @@ -358,18 +356,14 @@ static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,sec STRCPY(key->ikm_key,sqlite3_column_text(st, 0)); key->timestamp = (u64bits)strtoll((const char*)sqlite3_column_text(st, 1),NULL,10); key->lifetime = (u32bits)strtol((const char*)sqlite3_column_text(st, 2),NULL,10); - STRCPY(key->hkdf_hash_func,sqlite3_column_text(st, 3)); - STRCPY(key->as_rs_alg,sqlite3_column_text(st, 4)); - STRCPY(key->as_rs_key,sqlite3_column_text(st, 5)); - STRCPY(key->auth_alg,sqlite3_column_text(st, 6)); - STRCPY(key->auth_key,sqlite3_column_text(st, 7)); - STRCPY(key->kid,sqlite3_column_text(st, 8)); + STRCPY(key->as_rs_alg,sqlite3_column_text(st, 3)); + STRCPY(key->as_rs_key,sqlite3_column_text(st, 4)); + STRCPY(key->auth_key,sqlite3_column_text(st, 5)); + STRCPY(key->kid,sqlite3_column_text(st, 6)); if(kids) { add_to_secrets_list(kids,key->kid); - add_to_secrets_list(hkdfs,key->hkdf_hash_func); add_to_secrets_list(teas,key->as_rs_alg); - add_to_secrets_list(aas,key->auth_alg); { char ts[256]; snprintf(ts,sizeof(ts)-1,"%llu",(unsigned long long)key->timestamp); @@ -381,9 +375,9 @@ static int sqlite_list_oauth_keys(secrets_list_t *kids,secrets_list_t *hkdfs,sec add_to_secrets_list(lts,lt); } } else { - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n", - key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func, - key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key); + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", + key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, + key->as_rs_alg, key->as_rs_key, key->auth_key); } } else if (res == SQLITE_DONE) { @@ -453,8 +447,8 @@ static int sqlite_set_oauth_key(oauth_key_data_raw *key) snprintf( statement, sizeof(statement), - "insert or replace into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s','%s','%s')", - key->kid, key->ikm_key, (unsigned long long) key->timestamp, (unsigned long) key->lifetime, key->hkdf_hash_func, key->as_rs_alg, key->as_rs_key, key->auth_alg, + "insert or replace into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('%s','%s',%llu,%lu,'%s','%s','%s')", + key->kid, key->ikm_key, (unsigned long long) key->timestamp, (unsigned long) key->lifetime, key->as_rs_alg, key->as_rs_key, key->auth_key); sqlite_lock(1); diff --git a/src/apps/relay/dbdrivers/dbdriver.h b/src/apps/relay/dbdrivers/dbdriver.h index 5b745f33..1ab87a27 100644 --- a/src/apps/relay/dbdrivers/dbdriver.h +++ b/src/apps/relay/dbdrivers/dbdriver.h @@ -68,7 +68,7 @@ typedef struct _turn_dbdriver_t { int (*set_oauth_key)(oauth_key_data_raw *key); int (*get_oauth_key)(const u08bits *kid, oauth_key_data_raw *key); int (*del_oauth_key)(const u08bits *kid); - int (*list_oauth_keys)(secrets_list_t *kids,secrets_list_t *hkdfs,secrets_list_t *teas,secrets_list_t *aas,secrets_list_t *tss,secrets_list_t *lts); + int (*list_oauth_keys)(secrets_list_t *kids,secrets_list_t *teas,secrets_list_t *tss,secrets_list_t *lts); int (*get_admin_user)(const u08bits *usname, u08bits *realm, password_t pwd); int (*set_admin_user)(const u08bits *usname, const u08bits *realm, const password_t pwd); int (*del_admin_user)(const u08bits *usname); diff --git a/src/apps/relay/turn_admin_server.c b/src/apps/relay/turn_admin_server.c index d3317947..699876cc 100644 --- a/src/apps/relay/turn_admin_server.c +++ b/src/apps/relay/turn_admin_server.c @@ -1374,9 +1374,7 @@ typedef enum _AS_FORM AS_FORM; #define HR_ADD_OAUTH_IKM "oauth_ikm" #define HR_ADD_OAUTH_RS_KEY "oauth_rs_key" #define HR_ADD_OAUTH_AUTH_KEY "oauth_auth_key" -#define HR_ADD_OAUTH_HKDF "oauth_hkdf" #define HR_ADD_OAUTH_TEA "oauth_tea" -#define HR_ADD_OAUTH_AA "oauth_aa" #define HR_DELETE_OAUTH_KID "oauth_kid_del" #define HR_OAUTH_KID "kid" @@ -2775,14 +2773,12 @@ static size_t https_print_oauth_keys(struct str_buffer* sb) size_t ret = 0; const turn_dbdriver_t * dbd = get_dbdriver(); if (dbd && dbd->list_oauth_keys) { - secrets_list_t kids,hkdfs,teas,aas,tss,lts; + secrets_list_t kids,teas,tss,lts; init_secrets_list(&kids); - init_secrets_list(&hkdfs); init_secrets_list(&teas); - init_secrets_list(&aas); init_secrets_list(&tss); init_secrets_list(<s); - dbd->list_oauth_keys(&kids,&hkdfs,&teas,&aas,&tss,<s); + dbd->list_oauth_keys(&kids,&teas,&tss,<s); size_t sz = get_secrets_list_size(&kids); size_t i; @@ -2809,14 +2805,8 @@ static size_t https_print_oauth_keys(struct str_buffer* sb) str_buffer_append(sb,get_secrets_list_elem(<s,i)); str_buffer_append(sb,""); str_buffer_append(sb,""); - str_buffer_append(sb,get_secrets_list_elem(&hkdfs,i)); - str_buffer_append(sb,""); - str_buffer_append(sb,""); str_buffer_append(sb,get_secrets_list_elem(&teas,i)); str_buffer_append(sb,""); - str_buffer_append(sb,""); - str_buffer_append(sb,get_secrets_list_elem(&aas,i)); - str_buffer_append(sb,""); { str_buffer_append(sb,"
\r\n"); } - str_buffer_append(sb,""); + str_buffer_append(sb,"\r\n"); - { - str_buffer_append(sb,"
Hash key derivation function (optional):
\r\n"); - - if(!add_hkdf_hash_func || !add_hkdf_hash_func[0]) - add_hkdf_hash_func = "SHA-256"; - - str_buffer_append(sb,"SHA-1\r\n
\r\n"); - - str_buffer_append(sb,"SHA-256\r\n
\r\n"); - - str_buffer_append(sb,"SHA-384\r\n
\r\n"); - - str_buffer_append(sb,"SHA-512\r\n
\r\n"); - } - - str_buffer_append(sb,""); + str_buffer_append(sb,""); { if(!add_ikm) add_ikm = ""; @@ -3049,39 +2998,23 @@ static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, con str_buffer_append(sb,"
Token encryption algorithm (required):
\r\n"); if(!add_tea || !add_tea[0]) - add_tea = "AES-256-CBC"; + add_tea = "A256GCMKW"; str_buffer_append(sb,"AES-128-CBC\r\n
\r\n"); + str_buffer_append(sb,">A128GCMKW\r\n
\r\n"); str_buffer_append(sb,"AES-256-CBC\r\n
\r\n"); - - str_buffer_append(sb,"AEAD-AES-128-GCM\r\n
\r\n"); - - str_buffer_append(sb,"AEAD-AES-256-GCM\r\n
\r\n"); + str_buffer_append(sb,">A256GCMKW\r\n
\r\n"); } str_buffer_append(sb,""); @@ -3097,56 +3030,9 @@ static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, con str_buffer_append(sb,"
\r\n"); } - str_buffer_append(sb,"\r\n"); + str_buffer_append(sb,"\r\n"); - { - str_buffer_append(sb,"
Token authentication algorithm (required if no AEAD used):
\r\n"); - - if(!add_aa || !add_aa[0]) - add_aa = "HMAC-SHA-256-128"; - - str_buffer_append(sb,"HMAC-SHA-256-128\r\n
\r\n"); - - str_buffer_append(sb,"HMAC-SHA-256\r\n
\r\n"); - - str_buffer_append(sb,"HMAC-SHA-384\r\n
\r\n"); - - str_buffer_append(sb,"HMAC-SHA-512\r\n
\r\n"); - - str_buffer_append(sb,"HMAC-SHA-1\r\n
\r\n"); - } - - str_buffer_append(sb,""); + str_buffer_append(sb,""); { if(!add_auth_key) add_auth_key = ""; @@ -3172,9 +3058,7 @@ static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, con str_buffer_append(sb,"NKIDkeys"); str_buffer_append(sb,"Timestamp, secs"); str_buffer_append(sb,"Lifetime,secs"); - str_buffer_append(sb,"Hash key derivation function"); str_buffer_append(sb,"Token encryption algorithm"); - str_buffer_append(sb,"Token authentication algorithm"); str_buffer_append(sb," "); str_buffer_append(sb,"\r\n"); @@ -3663,9 +3547,7 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh) const char* add_ikm = ""; const char *add_rs_key = ""; const char *add_auth_key = ""; - const char* add_hkdf_hash_func = ""; const char* add_tea = ""; - const char* add_aa = ""; const char* msg = ""; add_kid = get_http_header_value(hr,HR_ADD_OAUTH_KID,""); @@ -3675,16 +3557,12 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh) add_auth_key = get_http_header_value(hr,HR_ADD_OAUTH_AUTH_KEY,""); add_ts = get_http_header_value(hr,HR_ADD_OAUTH_TS,""); add_lt = get_http_header_value(hr,HR_ADD_OAUTH_LT,""); - add_hkdf_hash_func = get_http_header_value(hr,HR_ADD_OAUTH_HKDF,""); add_tea = get_http_header_value(hr,HR_ADD_OAUTH_TEA,""); - add_aa = get_http_header_value(hr,HR_ADD_OAUTH_AA,""); int keys_ok = 0; - if(add_ikm[0] && add_hkdf_hash_func[0]) { + if(add_rs_key[0] && add_auth_key[0]) { keys_ok = 1; - } else if(add_rs_key[0] && add_auth_key[0]) { - keys_ok = 1; - } else if(strstr(add_tea,"AEAD") && add_rs_key[0]) { + } else if(strstr(add_tea,"GCM") && add_rs_key[0]) { keys_ok = 1; } if(!keys_ok) { @@ -3709,14 +3587,10 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh) } STRCPY(key.ikm_key,add_ikm); - STRCPY(key.hkdf_hash_func,add_hkdf_hash_func); STRCPY(key.as_rs_alg,add_tea); - STRCPY(key.auth_alg,add_aa); STRCPY(key.as_rs_key,add_rs_key); STRCPY(key.auth_key,add_auth_key); - if(strstr(key.as_rs_alg,"AEAD")) key.auth_alg[0]=0; - const turn_dbdriver_t * dbd = get_dbdriver(); if (dbd && dbd->set_oauth_key) { if((*dbd->set_oauth_key)(&key)<0) { @@ -3726,9 +3600,7 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh) add_ts = "0"; add_lt = "0"; add_ikm = ""; - add_hkdf_hash_func = ""; add_tea = ""; - add_aa = ""; add_rs_key = ""; add_auth_key = ""; } @@ -3736,7 +3608,7 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh) } } - write_https_oauth_page(s,add_kid,add_ikm,add_hkdf_hash_func,add_tea,add_aa,add_ts,add_lt,add_rs_key,add_auth_key,msg); + write_https_oauth_page(s,add_kid,add_ikm,add_tea,add_ts,add_lt,add_rs_key,add_auth_key,msg); } break; } diff --git a/src/apps/relay/userdb.c b/src/apps/relay/userdb.c index dd823383..8e5acf76 100644 --- a/src/apps/relay/userdb.c +++ b/src/apps/relay/userdb.c @@ -1018,17 +1018,15 @@ void run_db_test(void) oauth_key_data_raw key_; oauth_key_data_raw *key=&key_; dbd->get_oauth_key((const u08bits*)"north",key); - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n", - key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func, - key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key); + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", + key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, + key->as_rs_alg, key->as_rs_key, key->auth_key); printf("DB TEST 3:\n"); STRCPY(key->as_rs_alg,"as_rs_alg"); STRCPY(key->as_rs_key,"as_rs_key"); - STRCPY(key->auth_alg,"auth_alg"); STRCPY(key->auth_key,"auth_key"); - STRCPY(key->hkdf_hash_func,"hkdf"); STRCPY(key->ikm_key,"ikm_key"); STRCPY(key->kid,"kid"); key->timestamp = 123; @@ -1039,9 +1037,9 @@ void run_db_test(void) printf("DB TEST 4:\n"); dbd->get_oauth_key((const u08bits*)"kid",key); - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key=%s, auth_alg=%s, auth_key=%s\n", - key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, key->hkdf_hash_func, - key->as_rs_alg, key->as_rs_key, key->auth_alg, key->auth_key); + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key=%s, auth_key=%s\n", + key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime, + key->as_rs_alg, key->as_rs_key, key->auth_key); printf("DB TEST 5:\n"); dbd->del_oauth_key((const u08bits*)"kid"); @@ -1053,9 +1051,9 @@ void run_db_test(void) oauth_key_data oakd; convert_oauth_key_data_raw(key, &oakd); - printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, hkdf_hash_func=%s, as_rs_alg=%s, as_rs_key_size=%d, auth_alg=%s, auth_key_size=%d\n", - oakd.kid, oakd.ikm_key, (unsigned long long)oakd.timestamp, (unsigned long)oakd.lifetime, oakd.hkdf_hash_func, - oakd.as_rs_alg, (int)oakd.as_rs_key_size, oakd.auth_alg, (int)oakd.auth_key_size); + printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s, as_rs_key_size=%d, auth_key_size=%d\n", + oakd.kid, oakd.ikm_key, (unsigned long long)oakd.timestamp, (unsigned long)oakd.lifetime, + oakd.as_rs_alg, (int)oakd.as_rs_key_size, (int)oakd.auth_key_size); oauth_key oak; char err_msg[1025]; diff --git a/src/apps/rfc5769/rfc5769check.c b/src/apps/rfc5769/rfc5769check.c index 36cde6db..712483b4 100644 --- a/src/apps/rfc5769/rfc5769check.c +++ b/src/apps/rfc5769/rfc5769check.c @@ -41,33 +41,11 @@ //////////// OAUTH ////////////////// -static const char* shas[]={"SHA1", -#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH) - "SHA256", -#endif -#if !defined(OPENSSL_NO_SHA384) && defined(SHA384_DIGEST_LENGTH) - "SHA384", -#endif -#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH) - "SHA512", -#endif - NULL}; -static const char* encs[]={"AES-256-CBC","AES-128-CBC", +static const char* encs[]={ #if !defined(TURN_NO_GCM) - "AEAD_AES_128_GCM", "AEAD_AES_256_GCM", + "A128GCMKW", "A256GCMKW", #endif NULL}; -static const char* hmacs[]={"HMAC-SHA-1", -#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH) - "HMAC-SHA-256","HMAC-SHA-256-128", -#endif -#if !defined(OPENSSL_NO_SHA384) && defined(SHA384_DIGEST_LENGTH) - "HMAC-SHA-384", -#endif -#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH) - "HMAC-SHA-512", -#endif - NULL}; static int print_extra = 0; @@ -86,7 +64,7 @@ static int check_oauth(void) { const char server_name[33] = "blackdow.carleon.gov"; - size_t i_hmacs,i_shas,i_encs; + size_t i_encs; const char long_term_key[33] = "HGkj32KJGiuy098sdfaqbNjOiaz71923"; @@ -107,18 +85,18 @@ static int check_oauth(void) { const char aead_nonce[OAUTH_AEAD_NONCE_SIZE+1] = "h4j3k2l2n4b5"; - for (i_hmacs = 0; hmacs[i_hmacs]; ++i_hmacs) { - - for (i_shas = 0; shas[i_shas]; ++i_shas) { + { + { for (i_encs = 0; encs[i_encs]; ++i_encs) { - printf("oauth token %s:%s:%s:",hmacs[i_hmacs],shas[i_shas],encs[i_encs]); + printf("oauth token %s:",encs[i_encs]); if(print_extra) printf("\n"); oauth_token ot; + ns_bzero(&ot,sizeof(ot)); ot.enc_block.key_length = (uint16_t)mac_key_length; STRCPY(ot.enc_block.mac_key,mac_key); ot.enc_block.timestamp = token_timestamp; @@ -140,8 +118,6 @@ static int check_oauth(void) { STRCPY(okdr.kid,kid); STRCPY(okdr.ikm_key,base64encoded_ltp); STRCPY(okdr.as_rs_alg, encs[i_encs]); - STRCPY(okdr.auth_alg, hmacs[i_hmacs]); - STRCPY(okdr.hkdf_hash_func, shas[i_shas]); okdr.timestamp = key_timestamp; okdr.lifetime = key_lifetime; diff --git a/src/apps/uclient/mainuclient.c b/src/apps/uclient/mainuclient.c index a16cb43d..c172ee31 100644 --- a/src/apps/uclient/mainuclient.c +++ b/src/apps/uclient/mainuclient.c @@ -102,9 +102,9 @@ int oauth = 0; oauth_key okey_array[3]; static oauth_key_data_raw okdr_array[3] = { - {"north","Y2FybGVvbg==",0,0,"SHA-256","AES-256-CBC","","HMAC-SHA-256-128",""}, - {"union","aGVyb2Q=",0,0,"SHA-256","AES-256-CBC","","HMAC-SHA-512",""}, - {"oldempire","YXVsY3Vz",0,0,"SHA-256","AEAD-AES-256-GCM","","",""} + {"north","Y2FybGVvbg==",0,0,"A256GCMKW","",""}, + {"union","aGVyb2Q=",0,0,"A128GCMKW","",""}, + {"oldempire","YXVsY3Vz",0,0,"A256GCMKW","",""} }; //////////////// local definitions ///////////////// diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c index c90dd4f9..51454c6e 100644 --- a/src/client/ns_turn_msg.c +++ b/src/client/ns_turn_msg.c @@ -662,7 +662,7 @@ static void stun_init_error_response_common_str(u08bits* buf, size_t *len, stun_tid* id) { - if (!reason) { + if (!reason || !strcmp((const char*)reason,"Unknown error")) { reason = get_default_reason(error_code); } @@ -2002,8 +2002,7 @@ static void normalize_algorithm(char *s) static size_t calculate_enc_key_length(ENC_ALG a) { switch(a) { - case AES_128_CBC: - case AEAD_AES_128_GCM: + case A128GCMKW: return 16; default: break; @@ -2012,105 +2011,27 @@ static size_t calculate_enc_key_length(ENC_ALG a) return 32; } -static size_t calculate_auth_key_length(AUTH_ALG a) +static size_t calculate_auth_key_length(ENC_ALG a) { switch(a) { - case AUTH_ALG_HMAC_SHA_1: - return 20; - case AUTH_ALG_HMAC_SHA_256_128: - return 32; - case AUTH_ALG_HMAC_SHA_256: - return 32; - case AUTH_ALG_HMAC_SHA_384: - return 48; - case AUTH_ALG_HMAC_SHA_512: - return 64; +#if !defined(TURN_NO_GCM) + case A256GCMKW: + case A128GCMKW: + return 0; +#endif default: break; }; - return 32; -} - -static size_t calculate_auth_output_length(AUTH_ALG a) -{ - switch(a) { - case AUTH_ALG_HMAC_SHA_1: - return 20; - case AUTH_ALG_HMAC_SHA_256_128: - return 16; - case AUTH_ALG_HMAC_SHA_256: - return 32; - case AUTH_ALG_HMAC_SHA_384: - return 48; - case AUTH_ALG_HMAC_SHA_512: - return 64; - default: - break; - }; - - return 32; + return 0; } static int calculate_key(char *key, size_t key_size, - char *new_key, size_t new_key_size, - SHATYPE shatype, - char *err_msg, size_t err_msg_size, - const char *info) + char *new_key, size_t new_key_size) { - //Extract: - u08bits prk[128]; - unsigned int prk_len = 0; - stun_calculate_hmac((const u08bits *)key, key_size, (const u08bits *)"", 0, prk, &prk_len, shatype); + UNUSED_ARG(key_size); - //Expand: - size_t info_len = strlen(info); - u08bits buf[256]; - ns_bcopy(info,buf,info_len); - buf[info_len]=0x01; - u08bits hmac1[128]; - unsigned int hmac1_len = 0; - stun_calculate_hmac((const u08bits *)buf, info_len+1, prk, prk_len, hmac1, &hmac1_len, shatype); - ns_bcopy(hmac1,new_key,hmac1_len); - - //Check - if(new_key_size>hmac1_len) { - ns_bcopy(hmac1,buf,hmac1_len); - ns_bcopy(info,buf+hmac1_len,info_len); - buf[hmac1_len+info_len]=0x02; - u08bits hmac2[128]; - unsigned int hmac2_len = 0; - stun_calculate_hmac((const u08bits *)buf, hmac1_len+info_len+1, prk, prk_len, hmac2, &hmac2_len, shatype); - ns_bcopy(hmac2,new_key+hmac1_len,hmac2_len); - if(new_key_size > (hmac1_len + hmac2_len)) { - - ns_bcopy(hmac2,buf,hmac2_len); - ns_bcopy(info,buf+hmac2_len,info_len); - buf[hmac2_len+info_len]=0x03; - u08bits hmac3[128]; - unsigned int hmac3_len = 0; - stun_calculate_hmac((const u08bits *)buf, hmac2_len+info_len+1, prk, prk_len, hmac3, &hmac3_len, shatype); - ns_bcopy(hmac3,new_key+hmac1_len+hmac2_len,hmac3_len); - if(new_key_size > (hmac1_len + hmac2_len + hmac3_len)) { - - ns_bcopy(hmac3,buf,hmac3_len); - ns_bcopy(info,buf+hmac3_len,info_len); - buf[hmac3_len+info_len]=0x04; - u08bits hmac4[128]; - unsigned int hmac4_len = 0; - stun_calculate_hmac((const u08bits *)buf, hmac3_len+info_len+1, prk, prk_len, hmac4, &hmac4_len, shatype); - ns_bcopy(hmac4,new_key+hmac1_len+hmac2_len+hmac3_len,hmac4_len); - if(new_key_size > (hmac1_len + hmac2_len + hmac3_len + hmac4_len)) { - - if(err_msg) { - snprintf(err_msg,err_msg_size,"Wrong HKDF procedure (key sizes): output.sz=%lu, hmac(1)=%lu, hmac(2)=%lu",(unsigned long)new_key_size,(unsigned long)hmac1_len,(unsigned long)hmac2_len); - } - OAUTH_ERROR("Wrong HKDF procedure (key sizes): output.sz=%lu, hmac(1)=%lu, hmac(2)=%lu",(unsigned long)new_key_size,(unsigned long)hmac1_len,(unsigned long)hmac2_len); - return -1; - } - } - } - } + ns_bcopy(key,new_key,new_key_size); return 0; } @@ -2138,13 +2059,9 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er remove_spaces(oakd->kid); - remove_spaces(oakd->hkdf_hash_func); remove_spaces(oakd->as_rs_alg); - remove_spaces(oakd->auth_alg); - normalize_algorithm(oakd->hkdf_hash_func); normalize_algorithm(oakd->as_rs_alg); - normalize_algorithm(oakd->auth_alg); if(!(oakd->kid[0])) { if(err_msg) { @@ -2171,57 +2088,19 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er if(!(key->timestamp)) key->timestamp = OAUTH_DEFAULT_TIMESTAMP; if(!(key->lifetime)) key->lifetime = OAUTH_DEFAULT_LIFETIME; - key->hkdf_hash_func = SHATYPE_SHA256; - if(!strcmp(oakd->hkdf_hash_func,"SHA1") || !strcmp(oakd->hkdf_hash_func,"SHA-1")) { - key->hkdf_hash_func = SHATYPE_SHA1; - } else if(!strcmp(oakd->hkdf_hash_func,"SHA256") || !strcmp(oakd->hkdf_hash_func,"SHA-256")) { - key->hkdf_hash_func = SHATYPE_SHA256; - } else if(!strcmp(oakd->hkdf_hash_func,"SHA384") || !strcmp(oakd->hkdf_hash_func,"SHA-384")) { - key->hkdf_hash_func = SHATYPE_SHA384; - } else if(!strcmp(oakd->hkdf_hash_func,"SHA512") || !strcmp(oakd->hkdf_hash_func,"SHA-512")) { - key->hkdf_hash_func = SHATYPE_SHA512; - } else if(oakd->hkdf_hash_func[0]) { - if(err_msg) { - snprintf(err_msg,err_msg_size,"Wrong HKDF hash function algorithm: %s",oakd->hkdf_hash_func); - } - OAUTH_ERROR("Wrong HKDF hash function algorithm: %s\n",oakd->hkdf_hash_func); - return -1; - } - - key->auth_alg = AUTH_ALG_DEFAULT; - if(!strcmp(oakd->auth_alg,"HMAC-SHA-1") || !strcmp(oakd->auth_alg,"HMAC-SHA1")) { - key->auth_alg = AUTH_ALG_HMAC_SHA_1; - } else if(!strcmp(oakd->auth_alg,"HMAC-SHA-256")) { - key->auth_alg = AUTH_ALG_HMAC_SHA_256; - } else if(!strcmp(oakd->auth_alg,"HMAC-SHA-384")) { - key->auth_alg = AUTH_ALG_HMAC_SHA_384; - } else if(!strcmp(oakd->auth_alg,"HMAC-SHA-512")) { - key->auth_alg = AUTH_ALG_HMAC_SHA_512; - } else if(!strcmp(oakd->auth_alg,"HMAC-SHA-256-128")) { - key->auth_alg = AUTH_ALG_HMAC_SHA_256_128; - } else if(oakd->auth_alg[0]) { - if(err_msg) { - snprintf(err_msg,err_msg_size,"Wrong oAuth token hash algorithm: %s (1)\n",oakd->auth_alg); - } - key->auth_alg = AUTH_ALG_ERROR; - OAUTH_ERROR("Wrong oAuth token hash algorithm: %s (2)\n",oakd->auth_alg); - return -1; - } else { - key->auth_alg = AUTH_ALG_UNDEFINED; - } - key->as_rs_alg = ENC_ALG_DEFAULT; - if(!strcmp(oakd->as_rs_alg,"AES-128-CBC")) { - key->as_rs_alg = AES_128_CBC; - } else if(!strcmp(oakd->as_rs_alg,"AES-256-CBC")) { - key->as_rs_alg = AES_256_CBC; - } else if(!strcmp(oakd->as_rs_alg,"AEAD-AES-128-GCM")) { - key->as_rs_alg = AEAD_AES_128_GCM; - key->auth_alg = AUTH_ALG_UNDEFINED; - } else if(!strcmp(oakd->as_rs_alg,"AEAD-AES-256-GCM")) { - key->as_rs_alg = AEAD_AES_256_GCM; - key->auth_alg = AUTH_ALG_UNDEFINED; - } else if(oakd->as_rs_alg[0]) { +#if !defined(TURN_NO_GCM) + if(!strcmp(oakd->as_rs_alg,"A128GCMKW")) { + key->as_rs_alg = A128GCMKW; + key->auth_key_size = 0; + key->auth_key[0] = 0; + } else if(!strcmp(oakd->as_rs_alg,"A256GCMKW")) { + key->as_rs_alg = A256GCMKW; + key->auth_key_size = 0; + key->auth_key[0] = 0; + } else if(oakd->as_rs_alg[0]) +#endif + { if(err_msg) { snprintf(err_msg,err_msg_size,"Wrong oAuth token encryption algorithm: %s (2)\n",oakd->as_rs_alg); } @@ -2229,20 +2108,18 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er return -1; } - if(key->auth_alg == AUTH_ALG_UNDEFINED) { - //AEAD - key->auth_key_size = 0; - key->auth_key[0] = 0; - } else if(!(key->auth_key_size)) { - key->auth_key_size = calculate_auth_key_length(key->auth_alg); - if(calculate_key(key->ikm_key,key->ikm_key_size,key->auth_key,key->auth_key_size,key->hkdf_hash_func,err_msg,err_msg_size,"AUTH key")<0) { - return -1; + if(!(key->auth_key_size)) { + key->auth_key_size = calculate_auth_key_length(key->as_rs_alg); + if(key->auth_key_size) { + if(calculate_key(key->ikm_key,key->ikm_key_size,key->auth_key,key->auth_key_size)<0) { + return -1; + } } } if(!(key->as_rs_key_size)) { key->as_rs_key_size = calculate_enc_key_length(key->as_rs_alg); - if(calculate_key(key->ikm_key,key->ikm_key_size,key->as_rs_key,key->as_rs_key_size,key->hkdf_hash_func,err_msg,err_msg_size,"AS-RS key")<0) { + if(calculate_key(key->ikm_key,key->ikm_key_size,key->as_rs_key,key->as_rs_key_size)<0) { return -1; } } @@ -2254,14 +2131,10 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er static const EVP_CIPHER *get_cipher_type(ENC_ALG enc_alg) { switch(enc_alg) { - case AES_256_CBC: - return EVP_aes_256_cbc(); - case AES_128_CBC: - return EVP_aes_128_cbc(); #if !defined(TURN_NO_GCM) - case AEAD_AES_128_GCM: + case A128GCMKW: return EVP_aes_128_gcm(); - case AEAD_AES_256_GCM: + case A256GCMKW: return EVP_aes_256_gcm(); #endif default: @@ -2271,44 +2144,6 @@ static const EVP_CIPHER *get_cipher_type(ENC_ALG enc_alg) return NULL; } -static const EVP_MD *get_auth_type(AUTH_ALG aa) -{ - switch(aa) { - case AUTH_ALG_HMAC_SHA_1: - return EVP_sha1(); -#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH) - case AUTH_ALG_HMAC_SHA_256_128: - case AUTH_ALG_HMAC_SHA_256: - return EVP_sha256(); -#endif -#if !defined(OPENSSL_NO_SHA384) && defined(SHA384_DIGEST_LENGTH) - case AUTH_ALG_HMAC_SHA_384: - return EVP_sha384(); -#endif -#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH) - case AUTH_ALG_HMAC_SHA_512: - return EVP_sha512(); -#endif - default: - break; - }; - OAUTH_ERROR("%s: Unknown auth algorithm: %d\n",__FUNCTION__,(int)aa); - return NULL; -} - -static void update_hmac_len(AUTH_ALG aa, unsigned int *hmac_len) -{ - if(hmac_len) { - switch(aa) { - case AUTH_ALG_HMAC_SHA_256_128: - *hmac_len = 16; - break; - default: - break; - }; - } -} - static int my_EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { @@ -2357,8 +2192,15 @@ void print_field(const char* name, const unsigned char* f, size_t len) { printf("\n<<==field %s\n",name); } -static int encode_oauth_token_normal(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken) +int encode_oauth_token_normal(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken); +int encode_oauth_token_normal(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken) { + UNUSED_ARG(server_name); + UNUSED_ARG(etoken); + UNUSED_ARG(key); + UNUSED_ARG(dtoken); + + /* if(server_name && etoken && key && dtoken && (dtoken->enc_block.key_length<=128)) { unsigned char orig_field[MAX_ENCODED_OAUTH_TOKEN_SIZE]; @@ -2420,11 +2262,19 @@ static int encode_oauth_token_normal(const u08bits *server_name, encoded_oauth_t return 0; } + */ return -1; } -static int decode_oauth_token_normal(const u08bits *server_name, const encoded_oauth_token *etoken, const oauth_key *key, oauth_token *dtoken) +int decode_oauth_token_normal(const u08bits *server_name, const encoded_oauth_token *etoken, const oauth_key *key, oauth_token *dtoken); +int decode_oauth_token_normal(const u08bits *server_name, const encoded_oauth_token *etoken, const oauth_key *key, oauth_token *dtoken) { + UNUSED_ARG(server_name); + UNUSED_ARG(etoken); + UNUSED_ARG(key); + UNUSED_ARG(dtoken); + + /* if(server_name && etoken && key && dtoken) { size_t mac_size = calculate_auth_output_length(key->auth_alg); @@ -2498,6 +2348,7 @@ static int decode_oauth_token_normal(const u08bits *server_name, const encoded_o return 0; } + */ return -1; } @@ -2512,14 +2363,27 @@ static void generate_random_nonce(unsigned char *nonce, size_t sz) { #if !defined(TURN_NO_GCM) -static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits* nonce0) -{ - if(server_name && etoken && key && dtoken && (dtoken->enc_block.key_length<128)) { +static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits* nonce0) { + if(server_name && etoken && key && dtoken && (dtoken->enc_block.key_length<=MAXSHASIZE)) { unsigned char orig_field[MAX_ENCODED_OAUTH_TOKEN_SIZE]; ns_bzero(orig_field,sizeof(orig_field)); + unsigned char nonce[OAUTH_AEAD_NONCE_SIZE]; + if(nonce0) { + ns_bcopy(nonce0,nonce,sizeof(nonce)); + } else { + generate_random_nonce(nonce, sizeof(nonce)); + } + size_t len = 0; + + *((uint16_t*)(orig_field+len)) = nswap16(OAUTH_AEAD_NONCE_SIZE); + len +=2; + + ns_bcopy(nonce,orig_field+len,OAUTH_AEAD_NONCE_SIZE); + len += OAUTH_AEAD_NONCE_SIZE; + *((uint16_t*)(orig_field+len)) = nswap16(dtoken->enc_block.key_length); len +=2; @@ -2536,15 +2400,6 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok if(!cipher) return -1; - unsigned char *encoded_field = (unsigned char*)etoken->token; - - unsigned char nonce[OAUTH_AEAD_NONCE_SIZE]; - if(nonce0) { - ns_bcopy(nonce0,nonce,sizeof(nonce)); - } else { - generate_random_nonce(nonce, sizeof(nonce)); - } - EVP_CIPHER_CTX ctx; EVP_CIPHER_CTX_init(&ctx); @@ -2572,8 +2427,13 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok return -1; outl=0; + unsigned char *encoded_field = (unsigned char*)etoken->token; + ns_bcopy(orig_field,encoded_field,OAUTH_AEAD_NONCE_SIZE + 2); + encoded_field += OAUTH_AEAD_NONCE_SIZE + 2; + unsigned char *start_field = orig_field + OAUTH_AEAD_NONCE_SIZE + 2; + len -= OAUTH_AEAD_NONCE_SIZE + 2; - if(1 != my_EVP_EncryptUpdate(&ctx, encoded_field, &outl, orig_field, (int)len)) + if(1 != my_EVP_EncryptUpdate(&ctx, encoded_field, &outl, start_field, (int)len)) return -1; int tmp_outl = 0; @@ -2583,10 +2443,7 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, OAUTH_AEAD_TAG_SIZE, encoded_field + outl); outl += OAUTH_AEAD_TAG_SIZE; - ns_bcopy(nonce, encoded_field + outl, OAUTH_AEAD_NONCE_SIZE); - outl += OAUTH_AEAD_NONCE_SIZE; //encoded+tag+hmac - - etoken->size = outl; + etoken->size = 2 + OAUTH_AEAD_NONCE_SIZE + outl; EVP_CIPHER_CTX_cleanup(&ctx); @@ -2599,18 +2456,24 @@ static int decode_oauth_token_aead(const u08bits *server_name, const encoded_oau { if(server_name && etoken && key && dtoken) { - size_t min_encoded_field_size = 2+4+8+OAUTH_AEAD_NONCE_SIZE+OAUTH_AEAD_TAG_SIZE+1; + unsigned char snl[2]; + ns_bcopy((const unsigned char*)(etoken->token),snl,2); + const unsigned char *csnl = snl; + + uint16_t nonce_len = nswap16(*((const uint16_t*)csnl)); + + size_t min_encoded_field_size = 2+4+8+nonce_len+2+OAUTH_AEAD_TAG_SIZE+1; if(etoken->size < min_encoded_field_size) { OAUTH_ERROR("%s: token size too small: %d\n",__FUNCTION__,(int)etoken->size); return -1; } - const unsigned char* encoded_field = (const unsigned char*)etoken->token; - unsigned int encoded_field_size = (unsigned int)etoken->size-OAUTH_AEAD_NONCE_SIZE - OAUTH_AEAD_TAG_SIZE; - const unsigned char* nonce = ((const unsigned char*)etoken->token) + encoded_field_size + OAUTH_AEAD_TAG_SIZE; + const unsigned char* encoded_field = (const unsigned char*)(etoken->token + nonce_len + 2); + unsigned int encoded_field_size = (unsigned int)etoken->size - nonce_len - 2 - OAUTH_AEAD_TAG_SIZE; + const unsigned char* nonce = ((const unsigned char*)etoken->token + 2); unsigned char tag[OAUTH_AEAD_TAG_SIZE]; - ns_bcopy(((const unsigned char*)etoken->token) + encoded_field_size, tag ,sizeof(tag)); + ns_bcopy(((const unsigned char*)etoken->token) + nonce_len + 2 + encoded_field_size, tag ,sizeof(tag)); unsigned char decoded_field[MAX_ENCODED_OAUTH_TOKEN_SIZE]; @@ -2631,7 +2494,7 @@ static int decode_oauth_token_aead(const u08bits *server_name, const encoded_oau //EVP_CIPHER_CTX_set_padding(&ctx,1); /* Set IV length if default 12 bytes (96 bits) is not appropriate */ - if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, OAUTH_AEAD_NONCE_SIZE, NULL)) { + if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, nonce_len, NULL)) { OAUTH_ERROR("%s: Cannot set nonce length\n",__FUNCTION__); return -1; } @@ -2697,12 +2560,9 @@ int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken, UNUSED_ARG(nonce); if(server_name && etoken && key && dtoken) { switch(key->as_rs_alg) { - case AES_256_CBC: - case AES_128_CBC: - return encode_oauth_token_normal(server_name, etoken,key,dtoken); #if !defined(TURN_NO_GCM) - case AEAD_AES_128_GCM: - case AEAD_AES_256_GCM: + case A256GCMKW: + case A128GCMKW: return encode_oauth_token_aead(server_name, etoken,key,dtoken,nonce); #endif default: @@ -2717,12 +2577,9 @@ int decode_oauth_token(const u08bits *server_name, const encoded_oauth_token *et { if(server_name && etoken && key && dtoken) { switch(key->as_rs_alg) { - case AES_256_CBC: - case AES_128_CBC: - return decode_oauth_token_normal(server_name, etoken,key,dtoken); #if !defined(TURN_NO_GCM) - case AEAD_AES_128_GCM: - case AEAD_AES_256_GCM: + case A256GCMKW: + case A128GCMKW: return decode_oauth_token_aead(server_name, etoken,key,dtoken); #endif default: diff --git a/src/client/ns_turn_msg_defs_new.h b/src/client/ns_turn_msg_defs_new.h index 81bb51ab..f23493de 100644 --- a/src/client/ns_turn_msg_defs_new.h +++ b/src/client/ns_turn_msg_defs_new.h @@ -73,10 +73,10 @@ typedef enum _SHATYPE SHATYPE; enum _ENC_ALG { ENC_ALG_ERROR=-1, ENC_ALG_DEFAULT=0, - AES_256_CBC=ENC_ALG_DEFAULT, - AES_128_CBC, - AEAD_AES_128_GCM, - AEAD_AES_256_GCM, +#if !defined(TURN_NO_GCM) + A256GCMKW=ENC_ALG_DEFAULT, + A128GCMKW, +#endif ENG_ALG_NUM }; @@ -84,23 +84,6 @@ typedef enum _ENC_ALG ENC_ALG; /* <<== OAUTH TOKEN ENC ALG */ -/* OAUTH TOKEN AUTH ALG ==> */ - -enum _AUTH_ALG { - AUTH_ALG_ERROR = -1, - AUTH_ALG_UNDEFINED = 0, - AUTH_ALG_DEFAULT = 1, - AUTH_ALG_HMAC_SHA_256_128 = AUTH_ALG_DEFAULT, - AUTH_ALG_HMAC_SHA_1, - AUTH_ALG_HMAC_SHA_256, - AUTH_ALG_HMAC_SHA_384, - AUTH_ALG_HMAC_SHA_512 -}; - -typedef enum _AUTH_ALG AUTH_ALG; - -/* <<== OAUTH TOKEN AUTH ALG */ - /** * oAuth struct */ @@ -113,6 +96,7 @@ typedef enum _AUTH_ALG AUTH_ALG; #define OAUTH_ALG_SIZE (64) #define OAUTH_KEY_SIZE (256) #define OAUTH_AEAD_NONCE_SIZE (12) +#define OAUTH_MAX_NONCE_SIZE (256) #define OAUTH_AEAD_TAG_SIZE (16) #define OAUTH_ENC_ALG_BLOCK_SIZE (16) @@ -127,11 +111,9 @@ struct _oauth_key_data { size_t ikm_key_size; turn_time_t timestamp; turn_time_t lifetime; - char hkdf_hash_func[OAUTH_HASH_FUNC_SIZE+1]; char as_rs_alg[OAUTH_ALG_SIZE+1]; char as_rs_key[OAUTH_KEY_SIZE+1]; size_t as_rs_key_size; - char auth_alg[OAUTH_ALG_SIZE+1]; char auth_key[OAUTH_KEY_SIZE+1]; size_t auth_key_size; }; @@ -144,11 +126,9 @@ struct _oauth_key { size_t ikm_key_size; turn_time_t timestamp; turn_time_t lifetime; - SHATYPE hkdf_hash_func; ENC_ALG as_rs_alg; char as_rs_key[OAUTH_KEY_SIZE+1]; size_t as_rs_key_size; - AUTH_ALG auth_alg; char auth_key[OAUTH_KEY_SIZE+1]; size_t auth_key_size; }; @@ -156,6 +136,8 @@ struct _oauth_key { typedef struct _oauth_key oauth_key; struct _oauth_encrypted_block { + uint16_t nonce_length; + uint8_t nonce[OAUTH_MAX_NONCE_SIZE]; uint16_t key_length; uint8_t mac_key[MAXSHASIZE]; uint64_t timestamp; diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c index 3cd62ca3..203f69d1 100644 --- a/src/server/ns_turn_server.c +++ b/src/server/ns_turn_server.c @@ -3398,7 +3398,6 @@ static int check_stun_auth(turn_turnserver *server, } } - /* direct user pattern is supported only for long-term credentials */ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: Cannot find credentials of user <%s>\n", __FUNCTION__, (char*)usname); diff --git a/turndb/schema.sql b/turndb/schema.sql index b44f1bec..25ee800f 100644 --- a/turndb/schema.sql +++ b/turndb/schema.sql @@ -42,10 +42,8 @@ CREATE TABLE oauth_key ( ikm_key varchar(256) default '', timestamp bigint default 0, lifetime integer default 0, - hkdf_hash_func varchar(64) default '', as_rs_alg varchar(64) default '', as_rs_key varchar(256) default '', - auth_alg varchar(64) default '', auth_key varchar(256) default '', primary key (kid) ); diff --git a/turndb/schema.userdb.redis b/turndb/schema.userdb.redis index 31bc8b51..00810404 100644 --- a/turndb/schema.userdb.redis +++ b/turndb/schema.userdb.redis @@ -43,30 +43,18 @@ and they will be almost immediately "seen" by the turnserver process. lifetime - (optional) the key lifetime in seconds; the default value is 0 - unlimited lifetime. - - hkdf_hash_func - (optional) hash function for HKDF procedure; the - valid values are SHA-1, SHA-256, SHA-384 and SHA-512, - with SHA-256 as default. The hkdf_hash_func is not needed - if the as_rs_key and auth_key are defined explicitly - in the database; as_rs_alg - oAuth token encryption algorithm; the valid values are - "AES-128-CBC" and "AES-256-CBC", , "AEAD-AES-128-GCM", - "AEAD-AES-256-GCM". - The default value is "AES-256-CBC"; + "A256GCMKW", "A128GCMKW" (see + http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.1). + The default value is "A256GCMKW"; as_rs_key - (optional) base64-encoded AS-RS key. If not defined, then - calculated with ikm_key and hkdf_hash_func. The as_rs_key length + calculated with ikm_key. The as_rs_key length is defined by as_rs_alg. - auth_alg - (optional) oAuth token authentication algorithm; the valid values are - "HMAC-SHA-256-128", "HMAC-SHA-256", "HMAC-SHA-384", - "HMAC-SHA-512" and "HMAC-SHA-1". - The default value is "HMAC-SHA-256-128". - auth_key - (optional) base64-encoded AUTH key. If not defined, then - calculated with ikm_key and hkdf_hash_func. The auth_key length - is defined by auth_alg. + calculated with ikm_key. Not used with AEAD algorithms. 5) admin users (over https interface) are maintained as keys of form: "turn/admin_user/ with hash members "password" and, @@ -137,8 +125,7 @@ sadd turn/realm/crinna.org/allowed-peer-ip "172.17.13.202" sadd turn/realm/north.gov/denied-peer-ip "172.17.13.133-172.17.14.56" "172.17.17.133-172.17.19.56" "123::45" sadd turn/realm/crinna.org/denied-peer-ip "123::77" -hmset turn/oauth/kid/north ikm_key 'Y2FybGVvbg==' hkdf_hash_func 'SHA-256' as_rs_alg 'AES-128-CBC' auth_alg 'HMAC-SHA-256-128' -hmset turn/oauth/kid/oldempire ikm_key 'YXVsY3Vz' hkdf_hash_func 'SHA-256' as_rs_alg 'AEAD-AES-256-GCM' +hmset turn/oauth/kid/oldempire ikm_key 'YXVsY3Vz' as_rs_alg 'A256GCMKW' hmset turn/admin_user/skarling realm 'north.gov' password 'hoodless' hmset turn/admin_user/bayaz password 'magi' diff --git a/turndb/testmongosetup.sh b/turndb/testmongosetup.sh index 130ad291..23ab9573 100755 --- a/turndb/testmongosetup.sh +++ b/turndb/testmongosetup.sh @@ -56,21 +56,13 @@ db.realm.insert({ db.oauth_key.insert({ kid: 'north', ikm_key: 'Y2FybGVvbg==', - hkdf_hash_func: 'SHA-256', - as_rs_alg: 'AES-256-CBC', - auth_alg: 'HMAC-SHA-256-128' }); - + as_rs_alg: 'A256GCMKW'}); db.oauth_key.insert({ kid: 'union', ikm_key: 'aGVyb2Q=', - hkdf_hash_func: 'SHA-256', - as_rs_alg: 'AES-256-CBC', - auth_alg: 'HMAC-SHA-512' }); - + as_rs_alg: 'A128GCMKW'}); db.oauth_key.insert({ kid: 'oldempire', ikm_key: 'YXVsY3Vz', - hkdf_hash_func: 'SHA-256', - as_rs_alg: 'AEAD-AES-256-GCM', - auth_alg: '' }); + as_rs_alg: 'A256GCMKW'}); exit diff --git a/turndb/testredisdbsetup.sh b/turndb/testredisdbsetup.sh index d19da17a..08696e56 100755 --- a/turndb/testredisdbsetup.sh +++ b/turndb/testredisdbsetup.sh @@ -38,9 +38,9 @@ sadd turn/realm/crinna.org/allowed-peer-ip "172.17.13.202" sadd turn/realm/north.gov/denied-peer-ip "172.17.13.133-172.17.14.56" "172.17.17.133-172.17.19.56" "123::45" sadd turn/realm/crinna.org/denied-peer-ip "123::77" -hmset turn/oauth/kid/north ikm_key 'Y2FybGVvbg==' hkdf_hash_func 'SHA-256' as_rs_alg 'AES-256-CBC' auth_alg 'HMAC-SHA-256-128' -hmset turn/oauth/kid/union ikm_key 'aGVyb2Q=' hkdf_hash_func 'SHA-256' as_rs_alg 'AES-256-CBC' auth_alg 'HMAC-SHA-512' -hmset turn/oauth/kid/oldempire ikm_key 'YXVsY3Vz' hkdf_hash_func 'SHA-256' as_rs_alg 'AEAD-AES-256-GCM' +hmset turn/oauth/kid/north ikm_key 'Y2FybGVvbg==' as_rs_alg 'A256GCMKW' +hmset turn/oauth/kid/union ikm_key 'aGVyb2Q=' as_rs_alg 'A128GCMKW' +hmset turn/oauth/kid/oldempire ikm_key 'YXVsY3Vz' as_rs_alg 'A256GCMKW' hmset turn/admin_user/skarling realm 'north.gov' password '\$5\$6fc35c3b0c7d4633\$27fca7574f9b79d0cb93ae03e45379470cbbdfcacdd6401f97ebc620f31f54f2' hmset turn/admin_user/bayaz password '\$5\$e018513e9de69e73\$5cbdd2e29e04ca46aeb022268a7460d3a3468de193dcb2b95f064901769f455f' diff --git a/turndb/testsqldbsetup.sql b/turndb/testsqldbsetup.sql index 54648bd2..a7e77ccf 100644 --- a/turndb/testsqldbsetup.sql +++ b/turndb/testsqldbsetup.sql @@ -31,6 +31,6 @@ insert into denied_peer_ip (ip_range) values('123::45'); insert into denied_peer_ip (realm,ip_range) values('north.gov','172.17.17.133-172.17.19.56'); insert into denied_peer_ip (realm,ip_range) values('crinna.org','123::77'); -insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('north','Y2FybGVvbg==',0,0,'SHA-256','AES-256-CBC','','HMAC-SHA-256-128',''); -insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('union','aGVyb2Q=',0,0,'SHA-256','AES-256-CBC','','HMAC-SHA-512',''); -insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('oldempire','YXVsY3Vz',0,0,'SHA-256','AEAD-AES-256-GCM','','',''); +insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('north','Y2FybGVvbg==',0,0,'A256GCMKW','',''); +insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('union','aGVyb2Q=',0,0,'A128GCMKW','',''); +insert into oauth_key (kid,ikm_key,timestamp,lifetime,as_rs_alg,as_rs_key,auth_key) values('oldempire','YXVsY3Vz',0,0,'A256GCMKW','','');