master/coturn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sha512 added

Browse Source
This commit is contained in:
mom040267 2015-02-05 07:39:07 +00:00
parent 523be275ee
commit 08f0488255
18 changed files with 103 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -1,8 +1,8 @@
2/3/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.2.1 'Ardee West':
- SHA-512 added to oAuth;
- updates according to the new third-party-auth draft (oauth);
- (HMAC-)SHA-512 algorithms added;
- TOS (DiffServer) and TTL IP header field handling fixed;
- updates according to the new third-party-auth draft (oauth);
2/1/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.1.2 'Ardee West':

30
INSTALL
View File

@ -470,14 +470,15 @@ libevent2 from their web site. It was tested with older *NIXes
NOTE: SQLite must be of version 3.x.
NOTE: For extra security features (DTLS and SHA256) support, OpenSSL version
1.0.0a or newer is recommended. Older versions do not support DTLS, reliably,
in some cases. For example, the Debian 'Squeeze' Linux supplies 0.9.8 version
of OpenSSL, that does not work correctly with DTLS over IPv6. If your system
already has an older version of OpenSSL installed (usually in directory /usr)
then you may want to install your newer OpenSSL "over" the old one (because it
will most probably will not allow removal of the old one). When installing
the newer OpenSSL, run the OpenSSL's configure command like this:
NOTE: For extra security features (DTLS and SHA256 and SHA512) support, OpenSSL
version 1.0.0a or newer is recommended. Older versions do not support DTLS,
reliably, in some cases. For example, the Debian 'Squeeze' Linux supplies
0.9.8 version of OpenSSL, that does not work correctly with DTLS over IPv6.
If your system already has an older version of OpenSSL installed (usually
in directory /usr) then you may want to install your newer OpenSSL "over"
the old one (because it will most probably will not allow removal of the
old one). When installing the newer OpenSSL, run the OpenSSL's configure
command like this:
$ ./config --prefix=/usr
@ -676,13 +677,14 @@ CREATE TABLE turnusers_lt (
);
The field hmackey contains HEX string representation of the key.
We do not store the user open passwords for long-term credentials, for security reasons.
Storing only the HMAC key has its own implications - if you change the realm,
you will have to update the HMAC keys of all users, because the realm is
used for the HMAC key generation.
We do not store the user open passwords for long-term credentials, for
security reasons. Storing only the HMAC key has its own implications -
if you change the realm, you will have to update the HMAC keys of all
users, because the realm is used for the HMAC key generation.
The key must be 32 characters (HEX representation of 16 bytes) for SHA1,
or 64 characters (HEX representation of 32 bytes) for SHA256.
The key must be up to 32 characters (HEX representation of 16 bytes) for SHA1,
or up to 64 characters (HEX representation of 32 bytes) for SHA256,
or up to 128 characters (HEX representation of 64 bytes) for SHA512:
# Table holding shared secrets for secret-based authorization
# (REST API). It can only be used together with the long-term

5
README.turnadmin
View File

@ -95,7 +95,10 @@ Options with required values:
-r, --realm Realm.
-p, --password Password.
-o, --origin Origin
-H, --sha256 Use SHA256 as the keys hash function (a non-standard feature).
-H, --sha256 Use SHA256 as the keys hash function (a non-standard feature).
By default, MD5 is used for the key storage encryption
(as required by the current STUN/TURNstandards).
-K, --sha512 Use SHA512 as the keys hash function (a non-standard feature).
By default, MD5 is used for the key storage encryption
(as required by the current STUN/TURNstandards).
--max-bps Set value of realm's max-bps parameter.

1
README.turnserver
View File

@ -242,6 +242,7 @@ Flags:
SHA256 hash function if this option is used. If the server obtains a message
from the client with a weaker (SHA1) hash function then the server returns
error code 426.
--sha512 Require SHA512 digest function to be used for the message integrity.
--mobility Mobility with ICE (MICE) specs support.

2
README.turnutils
View File

@ -95,6 +95,8 @@ Flags:
-H SHA256 digest function for message integrity calculation.
Without this option, by default, SHA1 is used.
-K SHA512 digest function for message integrity calculation.
-M Use TURN ICE Mobility.
-I Do not set permissions on TURN relay endpoints

2
STATUS
View File

@ -120,5 +120,7 @@ supported in the client library).
52) Web HTTPS admin interface implemented.
53) SHA512 support added (experimental).
Things to be implemented in future (the development roadmap)
are described in the TODO file.

11
examples/etc/turnserver.conf
View File

@ -557,15 +557,16 @@
#
#secure-stun
# Require SHA256 digest function to be used for the message integrity.
# By default, the server uses SHA1 (as per TURN standard specs).
# With this option, the server
# always requires the stronger SHA256 function. The client application
# must support SHA256 hash function if this option is used. If the server obtains
# Require SHA256 or SHA512 digest function to be used for the message
# integrity. By default, the server uses SHA1 (as per TURN standard specs).
# With this option, the server always requires the stronger SHA256 or SHA512
# function. The client application must support SHA256 or SHA512 hash function
# if this option is used. If the server obtains
# a message from the client with a weaker (SHA1) hash function then the
# server returns error code 426.
#
#sha256
#sha512
# Mobility with ICE (MICE) specs support.
#

BIN
examples/var/db/turndb
View File

Binary file not shown.

8
man/man1/turnadmin.1
View File

@ -1,5 +1,5 @@
.\" Text automatically generated by txt2man
.TH TURN 1 "02 February 2015" "" ""
.TH TURN 1 "04 February 2015" "" ""
.SH GENERAL INFORMATION
\fIturnadmin\fP is a TURN administration tool. This tool can be used to manage
@ -179,6 +179,12 @@ By default, MD5 is used for the key storage encryption
(as required by the current STUN/TURNstandards).
.TP
.B
\fB\-K\fP, \fB\-\-sha512\fP
Use SHA512 as the keys hash function (a non\-standard feature).
By default, MD5 is used for the key storage encryption
(as required by the current STUN/TURNstandards).
.TP
.B
\fB\-\-max\-bps\fP
Set value of realm's max\-bps parameter.
.TP

6
man/man1/turnserver.1
View File

@ -1,5 +1,5 @@
.\" Text automatically generated by txt2man
.TH TURN 1 "02 February 2015" "" ""
.TH TURN 1 "04 February 2015" "" ""
.SH GENERAL INFORMATION
The \fBTURN Server\fP project contains the source code of a TURN server and TURN client
@ -372,6 +372,10 @@ from the client with a weaker (SHA1) hash function then the server returns
error code 426.
.TP
.B
\fB\-\-sha512\fP
Require SHA512 digest function to be used for the message integrity.
.TP
.B
\fB\-\-mobility\fP
Mobility with ICE (MICE) specs support.
.TP

6
man/man1/turnutils.1
View File

@ -1,5 +1,5 @@
.\" Text automatically generated by txt2man
.TH TURN 1 "02 February 2015" "" ""
.TH TURN 1 "04 February 2015" "" ""
.SH GENERAL INFORMATION
A set of turnutils_* programs provides some utility functionality to be used
@ -143,6 +143,10 @@ SHA256 digest function for message integrity calculation.
Without this option, by default, SHA1 is used.
.TP
.B
\fB\-K\fP
SHA512 digest function for message integrity calculation.
.TP
.B
\fB\-M\fP
Use TURN ICE Mobility.
.TP

19
src/apps/relay/mainrelay.c
View File

@ -569,6 +569,7 @@ static char Usage[] = "Usage: turnserver [options]\n"
" support SHA256 hash function if this option is used. If the server obtains\n"
" a message from the client with a weaker (SHA1) hash function then the server\n"
" returns error code 426.\n"
" --sha512 Require SHA512 digest function to be used for the message integrity.\n"
" --proc-user <user-name> User name to run the turnserver process.\n"
" After the initialization, the turnserver process\n"
" will make an attempt to change the current user ID to that user.\n"
@ -638,6 +639,7 @@ static char AdminUsage[] = "Usage: turnadmin [command] [options]\n"
#endif
" -H, --sha256 Use SHA256 digest function to be used for the message integrity.\n"
" By default, the server SHA1 (as per TURN standard specs).\n"
" -K, --sha512 Use SHA512 digest function to be used for the message integrity.\n"
" --max-bps Set value of realm's max-bps parameter.\n"
" Setting to zero value means removal of the option.\n"
" --total-quota Set value of realm's total-quota parameter.\n"
@ -648,7 +650,7 @@ static char AdminUsage[] = "Usage: turnadmin [command] [options]\n"
#define OPTIONS "c:d:p:L:E:X:i:m:l:r:u:b:B:e:M:J:N:O:q:Q:s:C:vVofhznaAS"
#define ADMIN_OPTIONS "gGORIHlLkaADSdb:e:M:J:N:u:r:p:s:X:o:h"
#define ADMIN_OPTIONS "gGORIHKlLkaADSdb:e:M:J:N:u:r:p:s:X:o:h"
enum EXTRA_OPTS {
NO_UDP_OPT=256,
@ -688,6 +690,7 @@ enum EXTRA_OPTS {
CA_FILE_OPT,
DH_FILE_OPT,
SHA256_OPT,
SHA512_OPT,
NO_STUN_OPT,
PROC_USER_OPT,
PROC_GROUP_OPT,
@ -811,6 +814,7 @@ static const struct myoption long_options[] = {
{ "CA-file", required_argument, NULL, CA_FILE_OPT },
{ "dh-file", required_argument, NULL, DH_FILE_OPT },
{ "sha256", optional_argument, NULL, SHA256_OPT },
{ "sha512", optional_argument, NULL, SHA512_OPT },
{ "proc-user", required_argument, NULL, PROC_USER_OPT },
{ "proc-group", required_argument, NULL, PROC_GROUP_OPT },
{ "mobility", optional_argument, NULL, MOBILITY_OPT },
@ -865,6 +869,7 @@ static const struct myoption admin_long_options[] = {
{ "realm", required_argument, NULL, 'r' },
{ "password", required_argument, NULL, 'p' },
{ "sha256", no_argument, NULL, 'H' },
{ "sha512", no_argument, NULL, 'K' },
{ "add-origin", no_argument, NULL, 'O' },
{ "del-origin", no_argument, NULL, 'R' },
{ "list-origins", required_argument, NULL, 'I' },
@ -1031,8 +1036,10 @@ static void set_option(int c, char *value)
case SHA256_OPT:
if(get_bool_value(value))
turn_params.shatype = SHATYPE_SHA256;
else
turn_params.shatype = SHATYPE_SHA1;
break;
case SHA512_OPT:
if(get_bool_value(value))
turn_params.shatype = SHATYPE_SHA512;
break;
case NO_MULTICAST_PEERS_OPT:
turn_params.no_multicast_peers = get_bool_value(value);
@ -1554,8 +1561,10 @@ static int adminmain(int argc, char **argv)
case 'H':
if(get_bool_value(optarg))
turn_params.shatype = SHATYPE_SHA256;
else
turn_params.shatype = SHATYPE_SHA1;
break;
case 'K':
if(get_bool_value(optarg))
turn_params.shatype = SHATYPE_SHA512;
break;
case 'h':
printf("\n%s\n", AdminUsage);

17
src/apps/uclient/mainuclient.c
View File

@ -131,6 +131,7 @@ static char Usage[] =
" -O DOS attack mode (quick connect and exit).\n"
" -H SHA256 digest function for message integrity calculation.\n"
" Without this option, by default, SHA1 is used.\n"
" -K SHA512 digest function for message integrity calculation.\n"
" -M ICE Mobility engaged.\n"
" -I Do not set permissions on TURN relay endpoints\n"
" (for testing the non-standard server relay functionality).\n"
@ -162,20 +163,23 @@ static char Usage[] =
//////////////////////////////////////////////////
void recalculate_restapi_hmac(void) {
void recalculate_restapi_hmac(SHATYPE st) {
if (g_use_auth_secret_with_timestamp) {
u08bits hmac[MAXSHASIZE];
unsigned int hmac_len;
unsigned int hmac_len = 0;
hmac_len = SHA256SIZEBYTES;
if(st == SHATYPE_SHA256)
hmac_len = SHA256SIZEBYTES;
else if(st == SHATYPE_SHA512)
hmac_len = SHA512SIZEBYTES;
hmac[0] = 0;
if (stun_calculate_hmac(g_uname, strlen((char*) g_uname),
(u08bits*) g_auth_secret, strlen(g_auth_secret), hmac,
&hmac_len, SHATYPE_SHA256) >= 0) {
&hmac_len, st) >= 0) {
size_t pwd_length = 0;
char *pwd = base64_encode(hmac, hmac_len, &pwd_length);
@ -211,7 +215,7 @@ int main(int argc, char **argv)
ns_bzero(local_addr, sizeof(local_addr));
while ((c = getopt(argc, argv, "a:d:p:l:n:L:m:e:r:u:w:i:k:z:W:C:E:F:o:ZvsyhcxXgtTSAPDNOUHMRIGBJ")) != -1) {
while ((c = getopt(argc, argv, "a:d:p:l:n:L:m:e:r:u:w:i:k:z:W:C:E:F:o:ZvsyhcxXgtTSAPDNOUHKMRIGBJ")) != -1) {
switch (c){
case 'J': {
@ -265,6 +269,9 @@ int main(int argc, char **argv)
case 'H':
shatype = SHATYPE_SHA256;
break;
case 'K':
shatype = SHATYPE_SHA512;
break;
case 'E':
{
char* fn = find_config_file(optarg,1);

25
src/apps/uclient/startuclient.c
View File

@ -526,7 +526,10 @@ static int clnet_allocate(int verbose,
clnet_info->server_name, &(clnet_info->oauth))) {
if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
clnet_info->shatype = SHATYPE_SHA256;
recalculate_restapi_hmac();
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) {
clnet_info->shatype = SHATYPE_SHA512;
recalculate_restapi_hmac(clnet_info->shatype);
}
goto beg_allocate;
} else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) {
@ -724,7 +727,10 @@ static int clnet_allocate(int verbose,
clnet_info->server_name, &(clnet_info->oauth))) {
if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
clnet_info->shatype = SHATYPE_SHA256;
recalculate_restapi_hmac();
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) {
clnet_info->shatype = SHATYPE_SHA512;
recalculate_restapi_hmac(clnet_info->shatype);
}
goto beg_refresh;
} else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) {
@ -822,7 +828,10 @@ static int turn_channel_bind(int verbose, uint16_t *chn,
clnet_info->server_name, &(clnet_info->oauth))) {
if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
clnet_info->shatype = SHATYPE_SHA256;
recalculate_restapi_hmac();
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) {
clnet_info->shatype = SHATYPE_SHA512;
recalculate_restapi_hmac(clnet_info->shatype);
}
goto beg_bind;
} else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) {
@ -930,7 +939,10 @@ static int turn_create_permission(int verbose, app_ur_conn_info *clnet_info,
clnet_info->server_name, &(clnet_info->oauth))) {
if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
clnet_info->shatype = SHATYPE_SHA256;
recalculate_restapi_hmac();
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) {
clnet_info->shatype = SHATYPE_SHA512;
recalculate_restapi_hmac(clnet_info->shatype);
}
goto beg_cp;
} else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) {
@ -1509,7 +1521,10 @@ static int turn_tcp_connection_bind(int verbose, app_ur_conn_info *clnet_info, a
clnet_info->server_name, &(clnet_info->oauth))) {
if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1)) {
clnet_info->shatype = SHATYPE_SHA256;
recalculate_restapi_hmac();
recalculate_restapi_hmac(clnet_info->shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA256)) {
clnet_info->shatype = SHATYPE_SHA512;
recalculate_restapi_hmac(clnet_info->shatype);
}
goto beg_cb;
} else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) {

5
src/apps/uclient/uclient.c
View File

@ -753,7 +753,10 @@ static int client_read(app_ur_session *elem, int is_tcp_data, app_tcp_conn_info
clnet_info->server_name, &(clnet_info->oauth))) {
if(err_code == SHA_TOO_WEAK_ERROR_CODE && (elem->pinfo.shatype == SHATYPE_SHA1)) {
elem->pinfo.shatype = SHATYPE_SHA256;
recalculate_restapi_hmac();
recalculate_restapi_hmac(elem->pinfo.shatype);
} else if(err_code == SHA_TOO_WEAK_ERROR_CODE && (elem->pinfo.shatype == SHATYPE_SHA256)) {
elem->pinfo.shatype = SHATYPE_SHA512;
recalculate_restapi_hmac(elem->pinfo.shatype);
}
if(is_TCP_relay() && (stun_get_method(&(elem->in_buffer)) == STUN_METHOD_CONNECT)) {

2
src/apps/uclient/uclient.h
View File

@ -109,7 +109,7 @@ turn_credential_type get_turn_credentials_type(void);
int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message);
int check_integrity(app_ur_conn_info *clnet_info, stun_buffer *message);
void recalculate_restapi_hmac(void);
void recalculate_restapi_hmac(SHATYPE st);
////////////////////////////////////////////

2
src/client/ns_turn_msg_defs.h
View File

@ -44,7 +44,7 @@
#define STUN_MAX_REALM_SIZE (127)
#define STUN_MAX_NONCE_SIZE (127)
#define STUN_MAX_SERVER_NAME_SIZE (1025)
#define STUN_MAX_PWD_SIZE (127)
#define STUN_MAX_PWD_SIZE (256)
#define AUTH_SECRET_SIZE STUN_MAX_PWD_SIZE
#define STUN_MAGIC_COOKIE (0x2112A442)

2
turndb/schema.sql
View File

@ -8,7 +8,7 @@ CREATE TABLE turnusers_lt (
CREATE TABLE turn_secret (
realm varchar(127) default '',
value varchar(127),
value varchar(256),
primary key (realm,value)
);