From a4c47215952d60da4410038c00ecf39c72444df3 Mon Sep 17 00:00:00 2001 From: mom040267 Date: Fri, 26 Sep 2014 23:51:40 +0000 Subject: [PATCH] dialog done --- ChangeLog | 1 - src/apps/relay/dbdrivers/dbd_redis.c | 4 ++-- src/apps/uclient/startuclient.c | 15 ++++++++++----- src/apps/uclient/uclient.c | 15 +++++++++++++-- src/client++/TurnMsgLib.h | 7 ++++--- src/client/ns_turn_msg.c | 27 +++++++++++++++++++++++---- src/client/ns_turn_msg.h | 2 +- 7 files changed, 53 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index dfe5470f..3e730e18 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,7 +2,6 @@ Version 4.2.1.1 'Monza': - oAuth security implementation: TODO: - - security dialog; - authorization process - test; - access-token must be cached and included only in ALLOCATE and REFRESH; - token timeout; diff --git a/src/apps/relay/dbdrivers/dbd_redis.c b/src/apps/relay/dbdrivers/dbd_redis.c index d30633ad..b50bc6bf 100644 --- a/src/apps/relay/dbdrivers/dbd_redis.c +++ b/src/apps/relay/dbdrivers/dbd_redis.c @@ -508,7 +508,7 @@ static int redis_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { else if (reply->type != REDIS_REPLY_ARRAY) { if (reply->type != REDIS_REPLY_NIL) TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unexpected type: %d\n", reply->type); - } else { + } else if(reply->elements > 1) { size_t i; for (i = 0; i < (reply->elements)/2; ++i) { char *kw = reply->element[2*i]->str; @@ -533,9 +533,9 @@ static int redis_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { } } } + ret = 0; } turnFreeRedisReply(reply); - ret = 0; } } return ret; diff --git a/src/apps/uclient/startuclient.c b/src/apps/uclient/startuclient.c index b725784d..003f51aa 100644 --- a/src/apps/uclient/startuclient.c +++ b/src/apps/uclient/startuclient.c 
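Review bot: In the redis_get_oauth_key hunks at -508 and -533, `ret = 0` is now reached whenever `reply->elements > 1`, regardless of whether the hash reply was well-formed or contained any of the expected fields, so an array with an odd element count (the loop at `i < (reply->elements)/2` silently drops the trailing element) is still reported as a successfully loaded key. A tighter guard, `} else if(reply->elements > 1 && (reply->elements % 2) == 0) {`, with an error log in the rejected case, would make a malformed reply visible instead of handing a partially filled oauth_key_data_raw to the caller as success. The NIL (key not found) case presumably now keeps the initial value of `ret`, which is assigned outside the hunk; a short comment on the new `ret = 0;` line saying that only an array reply carrying data counts as success would document that intent. redis_get_oauth_key starts and ends outside both hunks.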
@@ -501,7 +501,8 @@ static int clnet_allocate(int verbose, } else if (stun_is_challenge_response_str(message.buf, (size_t)message.len, &err_code,err_msg,sizeof(err_msg), - clnet_info->realm,clnet_info->nonce)) { + clnet_info->realm,clnet_info->nonce, + clnet_info->server_name, &(clnet_info->oauth))) { if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) { clnet_info->shatype = SHATYPE_SHA256; recalculate_restapi_hmac(); @@ -697,7 +698,8 @@ static int clnet_allocate(int verbose, } } else if (stun_is_challenge_response_str(message.buf, (size_t)message.len, &err_code,err_msg,sizeof(err_msg), - clnet_info->realm,clnet_info->nonce)) { + clnet_info->realm,clnet_info->nonce, + clnet_info->server_name, &(clnet_info->oauth))) { if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) { clnet_info->shatype = SHATYPE_SHA256; recalculate_restapi_hmac(); @@ -795,7 +797,8 @@ static int turn_channel_bind(int verbose, uint16_t *chn, } } else if (stun_is_challenge_response_str(message.buf, (size_t)message.len, &err_code,err_msg,sizeof(err_msg), - clnet_info->realm,clnet_info->nonce)) { + clnet_info->realm,clnet_info->nonce, + clnet_info->server_name, &(clnet_info->oauth))) { if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) { clnet_info->shatype = SHATYPE_SHA256; recalculate_restapi_hmac(); @@ -903,7 +906,8 @@ static int turn_create_permission(int verbose, app_ur_conn_info *clnet_info, } } else if (stun_is_challenge_response_str(message.buf, (size_t)message.len, &err_code,err_msg,sizeof(err_msg), - clnet_info->realm,clnet_info->nonce)) { + clnet_info->realm,clnet_info->nonce, + clnet_info->server_name, &(clnet_info->oauth))) { if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) { clnet_info->shatype = SHATYPE_SHA256; recalculate_restapi_hmac(); 
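Review bot: The new arguments at the `stun_is_challenge_response_str(...)` call in clnet_allocate hand the callee `clnet_info->server_name` with no capacity, so the callee has nothing to bound its copy of the THIRD-PARTY-AUTHORIZATION attribute against, while the attribute length comes from the received message; the same call shape appears in the -697, -795 and -903 hunks of this file, in the -1488 turn_tcp_connection_bind hunk and in the client_read hunk of uclient.c. Extending the signature with a size and passing `sizeof(clnet_info->server_name)` at each call site would let the callee truncate and terminate safely (this assumes server_name is an array member of app_ur_conn_info, which is not visible here). Neither `clnet_info->server_name` nor `clnet_info->oauth` is cleared before the call, so a value left by an earlier challenge persists if the callee does not reset them. clnet_allocate begins and ends outside the hunk.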
@@ -1488,7 +1492,8 @@ static int turn_tcp_connection_bind(int verbose, app_ur_conn_info *clnet_info, a atc->tcp_data_bound = 1; } else if (stun_is_challenge_response_str(message.buf, (size_t)message.len, &err_code,err_msg,sizeof(err_msg), - clnet_info->realm,clnet_info->nonce)) { + clnet_info->realm,clnet_info->nonce, + clnet_info->server_name, &(clnet_info->oauth))) { if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) { clnet_info->shatype = SHATYPE_SHA256; recalculate_restapi_hmac(); diff --git a/src/apps/uclient/uclient.c b/src/apps/uclient/uclient.c index e40a8061..889e1825 100644 --- a/src/apps/uclient/uclient.c +++ b/src/apps/uclient/uclient.c @@ -587,7 +587,8 @@ static int client_read(app_ur_session *elem, int is_tcp_data, app_tcp_conn_info return rc; } else if (stun_is_challenge_response_str(elem->in_buffer.buf, (size_t)elem->in_buffer.len, &err_code,err_msg,sizeof(err_msg), - clnet_info->realm,clnet_info->nonce)) { + clnet_info->realm,clnet_info->nonce, + clnet_info->server_name, &(clnet_info->oauth))) { if(err_code == SHA_TOO_WEAK_ERROR_CODE && (elem->pinfo.shatype == SHATYPE_SHA1)) { elem->pinfo.shatype = SHATYPE_SHA256; recalculate_restapi_hmac(); 
@@ -1443,11 +1444,21 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message) hmackey_t key; ns_bcopy(otoken.enc_block.mac_key,key,otoken.enc_block.key_length); - if(stun_attr_add_integrity_by_key_str(message->buf, (size_t*)&(message->len), g_uname, + if(stun_attr_add_integrity_by_key_str(message->buf, (size_t*)&(message->len), (u08bits*)okey.kid, clnet_info->realm, key, clnet_info->nonce, clnet_info->shatype)<0) { TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot add integrity to the message\n"); return -1; } + + //self-test: + { + st_password_t pwd; + if(stun_check_message_integrity_by_key_str(get_turn_credentials_type(), + message->buf, (size_t)(message->len), key, pwd, clnet_info->shatype, NULL)<1) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR," Self-test of integrity does not comple correctly !\n"); + return -1; + } + } } else { if(stun_attr_add_integrity_by_user_str(message->buf, (size_t*)&(message->len), g_uname, clnet_info->realm, g_upwd, clnet_info->nonce, clnet_info->shatype)<0) { diff --git a/src/client++/TurnMsgLib.h b/src/client++/TurnMsgLib.h index b5b46abb..008bbc05 100644 --- a/src/client++/TurnMsgLib.h +++ b/src/client++/TurnMsgLib.h @@ -665,8 +665,9 @@ public: */ static bool isChallengeResponse(const u08bits* buf, size_t sz, int &err_code, u08bits *err_msg, size_t err_msg_size, - u08bits *realm, u08bits *nonce) { - return stun_is_challenge_response_str(buf, sz, &err_code, err_msg, err_msg_size, realm, nonce); + u08bits *realm, u08bits *nonce, + u08bits *server_name, int *oauth) { + return stun_is_challenge_response_str(buf, sz, &err_code, err_msg, err_msg_size, realm, nonce, server_name, oauth); } /** 
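Review bot: The log message in the new self-test branch of add_integrity has a typo; it should read `TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR," Self-test of integrity does not complete correctly !\n");`. The local `hmackey_t key`, filled from `otoken.enc_block.mac_key` a few lines above, is left on the stack on both the error return and the success path; clearing it with a zeroizing helper before leaving the block would keep token key material from lingering. `st_password_t pwd` is passed uninitialised to stun_check_message_integrity_by_key_str; if it is an output parameter that is fine, otherwise it should be zeroed first. add_integrity continues outside the hunk.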
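Review bot: The Doxygen comment that closes at the top of this hunk (`*/`) does not describe the two new parameters of isChallengeResponse; add `@param server_name receives the THIRD-PARTY-AUTHORIZATION value from the challenge (caller-owned buffer, no size is passed)` and `@param oauth set to 1 when that attribute is present` so callers know the wrapper does not bound the copy. As a matter of style, `int *oauth` sits beside `int &err_code` in the same signature; a reference (or `bool&`) would match the surrounding C++ interface. The enclosing class continues outside the hunk.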
@@ -970,7 +971,7 @@ public: size_t err_msg_size=sizeof(err_msg); u08bits srealm[0xFFFF]; u08bits snonce[0xFFFF]; - ret = stun_is_challenge_response_str(_buffer, _sz, &err_code, err_msg, err_msg_size, srealm, snonce); + ret = stun_is_challenge_response_str(_buffer, _sz, &err_code, err_msg, err_msg_size, srealm, snonce, NULL, NULL); if(ret) { realm = (char*)srealm; nonce = (char*)snonce; diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c index bda8e477..f588ed8a 100644 --- a/src/client/ns_turn_msg.c +++ b/src/client/ns_turn_msg.c @@ -332,7 +332,7 @@ int stun_is_error_response_str(const u08bits* buf, size_t len, int *err_code, u0 } int stun_is_challenge_response_str(const u08bits* buf, size_t len, int *err_code, u08bits *err_msg, size_t err_msg_size, - u08bits *realm, u08bits *nonce) + u08bits *realm, u08bits *nonce, u08bits *server_name, int *oauth) { int ret = stun_is_error_response_str(buf, len, err_code, err_msg, err_msg_size); @@ -345,6 +345,25 @@ int stun_is_challenge_response_str(const u08bits* buf, size_t len, int *err_code size_t vlen = (size_t)stun_attr_get_len(sar); ns_bcopy(value,realm,vlen); realm[vlen]=0; + + { + stun_attr_ref sar = stun_attr_get_first_by_type_str(buf,len,STUN_ATTRIBUTE_THIRD_PARTY_AUTHORIZATION); + if(sar) { + const u08bits *value = stun_attr_get_value(sar); + if(value) { + size_t vlen = (size_t)stun_attr_get_len(sar); + if(vlen>0) { + if(server_name) { + ns_bcopy(value,server_name,vlen); + } + if(oauth) { + *oauth = 1; + } + } + } + } + } + sar = stun_attr_get_first_by_type_str(buf,len,STUN_ATTRIBUTE_NONCE); if(sar) { value = stun_attr_get_value(sar); @@ -1781,7 +1800,7 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er if(err_msg) { snprintf(err_msg,err_msg_size,"AS-RS key is not defined"); } - OAUTH_ERROR("AS-RS key is not defined"); + OAUTH_ERROR("AS-RS key is not defined\n"); return -1; } if(!(oakd->auth_key_size)) { 
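Review bot: In the new THIRD-PARTY-AUTHORIZATION block of stun_is_challenge_response_str, `ns_bcopy(value,server_name,vlen)` copies `vlen` bytes — the attribute length read from the received message — into a buffer whose capacity the function is not told, and unlike the realm copy just above it (`realm[vlen]=0`) it writes no terminator, so a caller treating server_name as a C string reads past the copied bytes. `*oauth` is only ever set to 1, so a caller that reuses its flag across responses keeps seeing oauth after a later challenge without the attribute; clearing it before the lookup fixes that. Bounding `vlen` against a known capacity (ideally a new size parameter; shown below with a placeholder constant) and terminating, as below, brings the copy in line with the realm handling. The function starts outside the hunk.
```c
	/* … unchanged: realm copy … */
	if(oauth) {
		*oauth = 0; /* reset so a stale flag does not survive a challenge without the attribute */
	}
	{
		stun_attr_ref sar = stun_attr_get_first_by_type_str(buf,len,STUN_ATTRIBUTE_THIRD_PARTY_AUTHORIZATION);
		if(sar) {
			const u08bits *value = stun_attr_get_value(sar);
			if(value) {
				size_t vlen = (size_t)stun_attr_get_len(sar);
				if(vlen>0) {
					if(server_name) {
						/* SERVER_NAME_CAPACITY is a placeholder for the caller's buffer size; a size parameter would be better */
						if(vlen >= SERVER_NAME_CAPACITY) {
							vlen = SERVER_NAME_CAPACITY - 1;
						}
						ns_bcopy(value,server_name,vlen);
						server_name[vlen]=0;
					}
					if(oauth) {
						*oauth = 1;
					}
				}
			}
		}
	}
	/* … unchanged: nonce lookup … */
```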
@@ -1803,7 +1822,7 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er if(err_msg) { snprintf(err_msg,err_msg_size,"KID is not defined"); } - OAUTH_ERROR("KID is not defined"); + OAUTH_ERROR("KID is not defined\n"); return -1; } @@ -1833,7 +1852,7 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er if(err_msg) { snprintf(err_msg,err_msg_size,"Wrong HKDF hash function algorithm: %s",oakd->hkdf_hash_func); } - OAUTH_ERROR("Wrong HKDF hash function algorithm: %s",oakd->hkdf_hash_func); + OAUTH_ERROR("Wrong HKDF hash function algorithm: %s\n",oakd->hkdf_hash_func); return -1; } diff --git a/src/client/ns_turn_msg.h b/src/client/ns_turn_msg.h index e5f86dce..d756ad06 100644 --- a/src/client/ns_turn_msg.h +++ b/src/client/ns_turn_msg.h @@ -116,7 +116,7 @@ int stun_is_command_message_offset_str(const u08bits* buf, size_t blen, int offs int stun_is_request_str(const u08bits* buf, size_t len); int stun_is_success_response_str(const u08bits* buf, size_t len); int stun_is_error_response_str(const u08bits* buf, size_t len, int *err_code, u08bits *err_msg, size_t err_msg_size); -int stun_is_challenge_response_str(const u08bits* buf, size_t len, int *err_code, u08bits *err_msg, size_t err_msg_size, u08bits *realm, u08bits *nonce); +int stun_is_challenge_response_str(const u08bits* buf, size_t len, int *err_code, u08bits *err_msg, size_t err_msg_size, u08bits *realm, u08bits *nonce, u08bits *server_name, int *oauth); int stun_is_response_str(const u08bits* buf, size_t len); int stun_is_indication_str(const u08bits* buf, size_t len); u16bits stun_get_method_str(const u08bits *buf, size_t len);