dialog done

ChangeLog

@@ -2,7 +2,6 @@
 Version 4.2.1.1 'Monza':
 	- oAuth security implementation: 
 		TODO:
-		- security dialog;
 		- authorization process - test;
 		- access-token must be cached and included only in ALLOCATE and REFRESH;
 		- token timeout;

src/apps/relay/dbdrivers/dbd_redis.c

@@ -508,7 +508,7 @@ static int redis_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 		else if (reply->type != REDIS_REPLY_ARRAY) {
 			if (reply->type != REDIS_REPLY_NIL)
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unexpected type: %d\n", reply->type);
-		} else {
+		} else if(reply->elements > 1) {
 			size_t i;
 			for (i = 0; i < (reply->elements)/2; ++i) {
 				char *kw = reply->element[2*i]->str;
@@ -533,9 +533,9 @@ static int redis_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 					}
 				}
 			}
+			ret = 0;
 		}
 		turnFreeRedisReply(reply);
-		ret = 0;
 	}
   }
   return ret;

src/apps/uclient/startuclient.c

@@ -501,7 +501,8 @@ static int clnet_allocate(int verbose,
 
 					} else if (stun_is_challenge_response_str(message.buf, (size_t)message.len,
 									&err_code,err_msg,sizeof(err_msg),
-									clnet_info->realm,clnet_info->nonce)) {
+									clnet_info->realm,clnet_info->nonce,
+									clnet_info->server_name, &(clnet_info->oauth))) {
 						if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
 							clnet_info->shatype = SHATYPE_SHA256;
 							recalculate_restapi_hmac();
@@ -697,7 +698,8 @@ static int clnet_allocate(int verbose,
 						}
 					} else if (stun_is_challenge_response_str(message.buf, (size_t)message.len,
 										&err_code,err_msg,sizeof(err_msg),
-										clnet_info->realm,clnet_info->nonce)) {
+										clnet_info->realm,clnet_info->nonce,
+										clnet_info->server_name, &(clnet_info->oauth))) {
 						if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
 							clnet_info->shatype = SHATYPE_SHA256;
 							recalculate_restapi_hmac();
@@ -795,7 +797,8 @@ static int turn_channel_bind(int verbose, uint16_t *chn,
 					}
 				} else if (stun_is_challenge_response_str(message.buf, (size_t)message.len,
 										&err_code,err_msg,sizeof(err_msg),
-										clnet_info->realm,clnet_info->nonce)) {
+										clnet_info->realm,clnet_info->nonce,
+										clnet_info->server_name, &(clnet_info->oauth))) {
 					if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
 						clnet_info->shatype = SHATYPE_SHA256;
 						recalculate_restapi_hmac();
@@ -903,7 +906,8 @@ static int turn_create_permission(int verbose, app_ur_conn_info *clnet_info,
 					}
 				} else if (stun_is_challenge_response_str(message.buf, (size_t)message.len,
 									&err_code,err_msg,sizeof(err_msg),
-									clnet_info->realm,clnet_info->nonce)) {
+									clnet_info->realm,clnet_info->nonce,
+									clnet_info->server_name, &(clnet_info->oauth))) {
 					if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
 						clnet_info->shatype = SHATYPE_SHA256;
 						recalculate_restapi_hmac();
@@ -1488,7 +1492,8 @@ static int turn_tcp_connection_bind(int verbose, app_ur_conn_info *clnet_info, a
 					atc->tcp_data_bound = 1;
 				} else if (stun_is_challenge_response_str(message.buf, (size_t)message.len,
 										&err_code,err_msg,sizeof(err_msg),
-										clnet_info->realm,clnet_info->nonce)) {
+										clnet_info->realm,clnet_info->nonce,
+										clnet_info->server_name, &(clnet_info->oauth))) {
 					if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
 						clnet_info->shatype = SHATYPE_SHA256;
 						recalculate_restapi_hmac();

src/apps/uclient/uclient.c

@@ -587,7 +587,8 @@ static int client_read(app_ur_session *elem, int is_tcp_data, app_tcp_conn_info
 			return rc;
 		} else if (stun_is_challenge_response_str(elem->in_buffer.buf, (size_t)elem->in_buffer.len,
 							&err_code,err_msg,sizeof(err_msg),
-							clnet_info->realm,clnet_info->nonce)) {
+							clnet_info->realm,clnet_info->nonce,
+							clnet_info->server_name, &(clnet_info->oauth))) {
 			if(err_code == SHA_TOO_WEAK_ERROR_CODE && (elem->pinfo.shatype == SHATYPE_SHA1)) {
 				elem->pinfo.shatype = SHATYPE_SHA256;
 				recalculate_restapi_hmac();
@@ -1443,11 +1444,21 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
 
 			hmackey_t key;
 			ns_bcopy(otoken.enc_block.mac_key,key,otoken.enc_block.key_length);
-			if(stun_attr_add_integrity_by_key_str(message->buf, (size_t*)&(message->len), g_uname,
+			if(stun_attr_add_integrity_by_key_str(message->buf, (size_t*)&(message->len), (u08bits*)okey.kid,
 					clnet_info->realm, key, clnet_info->nonce, clnet_info->shatype)<0) {
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot add integrity to the message\n");
 				return -1;
 			}
+
+			//self-test:
+			{
+				st_password_t pwd;
+				if(stun_check_message_integrity_by_key_str(get_turn_credentials_type(),
+								message->buf, (size_t)(message->len), key, pwd, clnet_info->shatype, NULL)<1) {
+					TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR," Self-test of integrity does not comple correctly !\n");
+					return -1;
+				}
+			}
 		} else {
 			if(stun_attr_add_integrity_by_user_str(message->buf, (size_t*)&(message->len), g_uname,
 					clnet_info->realm, g_upwd, clnet_info->nonce, clnet_info->shatype)<0) {

src/client++/TurnMsgLib.h

@@ -665,8 +665,9 @@ public:
 	 */
 	static bool isChallengeResponse(const u08bits* buf, size_t sz,
 					int &err_code, u08bits *err_msg, size_t err_msg_size,
-					u08bits *realm, u08bits *nonce) {
-		return stun_is_challenge_response_str(buf, sz, &err_code, err_msg, err_msg_size, realm, nonce);
+					u08bits *realm, u08bits *nonce,
+					u08bits *server_name, int *oauth) {
+		return stun_is_challenge_response_str(buf, sz, &err_code, err_msg, err_msg_size, realm, nonce, server_name, oauth);
 	}
 
 	/**
@@ -970,7 +971,7 @@ public:
 			size_t err_msg_size=sizeof(err_msg);
 			u08bits srealm[0xFFFF];
 			u08bits snonce[0xFFFF];
-			ret = stun_is_challenge_response_str(_buffer, _sz, &err_code, err_msg, err_msg_size, srealm, snonce);
+			ret = stun_is_challenge_response_str(_buffer, _sz, &err_code, err_msg, err_msg_size, srealm, snonce, NULL, NULL);
 			if(ret) {
 				realm = (char*)srealm;
 				nonce = (char*)snonce;

src/client/ns_turn_msg.c

@@ -332,7 +332,7 @@ int stun_is_error_response_str(const u08bits* buf, size_t len, int *err_code, u0
 }
 
 int stun_is_challenge_response_str(const u08bits* buf, size_t len, int *err_code, u08bits *err_msg, size_t err_msg_size,
-				u08bits *realm, u08bits *nonce)
+				u08bits *realm, u08bits *nonce, u08bits *server_name, int *oauth)
 {
 	int ret = stun_is_error_response_str(buf, len, err_code, err_msg, err_msg_size);
 
@@ -345,6 +345,25 @@ int stun_is_challenge_response_str(const u08bits* buf, size_t len, int *err_code
 				size_t vlen = (size_t)stun_attr_get_len(sar);
 				ns_bcopy(value,realm,vlen);
 				realm[vlen]=0;
+
+				{
+					stun_attr_ref sar = stun_attr_get_first_by_type_str(buf,len,STUN_ATTRIBUTE_THIRD_PARTY_AUTHORIZATION);
+					if(sar) {
+						const u08bits *value = stun_attr_get_value(sar);
+						if(value) {
+							size_t vlen = (size_t)stun_attr_get_len(sar);
+							if(vlen>0) {
+								if(server_name) {
+									ns_bcopy(value,server_name,vlen);
+								}
+								if(oauth) {
+									*oauth = 1;
+								}
+							}
+						}
+					}
+				}
+
 				sar = stun_attr_get_first_by_type_str(buf,len,STUN_ATTRIBUTE_NONCE);
 				if(sar) {
 					value = stun_attr_get_value(sar);
@@ -1781,7 +1800,7 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er
 				if(err_msg) {
 					snprintf(err_msg,err_msg_size,"AS-RS key is not defined");
 				}
-				OAUTH_ERROR("AS-RS key is not defined");
+				OAUTH_ERROR("AS-RS key is not defined\n");
 				return -1;
 			}
 			if(!(oakd->auth_key_size)) {
@@ -1803,7 +1822,7 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er
 			if(err_msg) {
 				snprintf(err_msg,err_msg_size,"KID is not defined");
 			}
-			OAUTH_ERROR("KID is not defined");
+			OAUTH_ERROR("KID is not defined\n");
 			return -1;
 		}
 
@@ -1833,7 +1852,7 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er
 			if(err_msg) {
 				snprintf(err_msg,err_msg_size,"Wrong HKDF hash function algorithm: %s",oakd->hkdf_hash_func);
 			}
-			OAUTH_ERROR("Wrong HKDF hash function algorithm: %s",oakd->hkdf_hash_func);
+			OAUTH_ERROR("Wrong HKDF hash function algorithm: %s\n",oakd->hkdf_hash_func);
 			return -1;
 		}
 

src/client/ns_turn_msg.h

@@ -116,7 +116,7 @@ int stun_is_command_message_offset_str(const u08bits* buf, size_t blen, int offs
 int stun_is_request_str(const u08bits* buf, size_t len);
 int stun_is_success_response_str(const u08bits* buf, size_t len);
 int stun_is_error_response_str(const u08bits* buf, size_t len, int *err_code, u08bits *err_msg, size_t err_msg_size);
-int stun_is_challenge_response_str(const u08bits* buf, size_t len, int *err_code, u08bits *err_msg, size_t err_msg_size, u08bits *realm, u08bits *nonce);
+int stun_is_challenge_response_str(const u08bits* buf, size_t len, int *err_code, u08bits *err_msg, size_t err_msg_size, u08bits *realm, u08bits *nonce, u08bits *server_name, int *oauth);
 int stun_is_response_str(const u08bits* buf, size_t len);
 int stun_is_indication_str(const u08bits* buf, size_t len);
 u16bits stun_get_method_str(const u08bits *buf, size_t len);