token cache
This commit is contained in:
parent
0cace2dcea
commit
1b8b3eff5c
@ -2,7 +2,6 @@
|
||||
Version 4.2.1.1 'Monza':
|
||||
- oAuth security implementation:
|
||||
TODO:
|
||||
- access-token must be cached and included only in ALLOCATE and REFRESH;
|
||||
- token timeout;
|
||||
- kid timeout;
|
||||
- TLS renegotiation DoS attack prevention implemented;
|
||||
|
||||
@ -83,6 +83,8 @@ typedef struct {
|
||||
/* oAuth */
|
||||
int oauth;
|
||||
u08bits server_name[STUN_MAX_SERVER_NAME_SIZE+1];
|
||||
hmackey_t key;
|
||||
int key_set;
|
||||
/* RFC 6062 */
|
||||
app_tcp_conn_info **tcp_conn;
|
||||
size_t tcp_conn_number;
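Review bot: The new `key` and `key_set` members are undocumented, and `key` now keeps secret MAC material in a long-lived connection struct rather than a stack local of add_integrity(); add `hmackey_t key; /* oAuth: MAC key derived from the last encoded access token, reused for messages that do not carry the token */` and `int key_set; /* nonzero once key holds a valid derived key */`. It is not visible here whether this struct is zeroized when the connection is torn down; if it is simply freed, the derived key lingers in process memory, so an explicit clear on teardown is worth checking for. The enclosing typedef starts before this hunk and ends after it.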
|
||||
|
||||
@ -1432,20 +1432,28 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
|
||||
} else if(clnet_info->nonce[0]) {
|
||||
|
||||
if(oauth && clnet_info->oauth) {
|
||||
encoded_oauth_token etoken;
|
||||
u08bits nonce[12];
|
||||
RAND_bytes((unsigned char*)nonce,12);
|
||||
if(encode_oauth_token(clnet_info->server_name, &etoken, &okey, &otoken, nonce)<0) {
|
||||
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot encode token\n");
|
||||
return -1;
|
||||
}
|
||||
stun_attr_add_str(message->buf, (size_t*)&(message->len), STUN_ATTRIBUTE_OAUTH_ACCESS_TOKEN,
|
||||
|
||||
u16bits method = stun_get_method_str(message->buf, message->len);
|
||||
|
||||
if(((method == STUN_METHOD_ALLOCATE) || (method == STUN_METHOD_REFRESH)) || !(clnet_info->key_set))
|
||||
{
|
||||
|
||||
encoded_oauth_token etoken;
|
||||
u08bits nonce[12];
|
||||
RAND_bytes((unsigned char*)nonce,12);
|
||||
if(encode_oauth_token(clnet_info->server_name, &etoken, &okey, &otoken, nonce)<0) {
|
||||
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot encode token\n");
|
||||
return -1;
|
||||
}
|
||||
stun_attr_add_str(message->buf, (size_t*)&(message->len), STUN_ATTRIBUTE_OAUTH_ACCESS_TOKEN,
|
||||
(const u08bits*)etoken.token, (int)etoken.size);
|
||||
|
||||
hmackey_t key;
|
||||
ns_bcopy(otoken.enc_block.mac_key,key,otoken.enc_block.key_length);
|
||||
ns_bcopy(otoken.enc_block.mac_key,clnet_info->key,otoken.enc_block.key_length);
|
||||
clnet_info->key_set = 1;
|
||||
}
|
||||
|
||||
if(stun_attr_add_integrity_by_key_str(message->buf, (size_t*)&(message->len), (u08bits*)okey.kid,
|
||||
clnet_info->realm, key, clnet_info->nonce, clnet_info->shatype)<0) {
|
||||
clnet_info->realm, clnet_info->key, clnet_info->nonce, clnet_info->shatype)<0) {
|
||||
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot add integrity to the message\n");
|
||||
return -1;
|
||||
}
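Review bot: The `RAND_bytes()` return value at the new nonce generation is not checked, so on a DRBG failure the 12-byte nonce is left uninitialized and `encode_oauth_token()` proceeds with it; since the nonce presumably protects the token encryption, a repeated or predictable nonce is a key-exposure risk, so treat failure as fatal: `if(RAND_bytes((unsigned char*)nonce,12)!=1) { TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot generate token nonce\n"); return -1; }`. The removed lines had the same pattern, but the commit now persists the derived key in `clnet_info->key` for the rest of the session, so a bad token is more costly than before. Separately, the `ns_bcopy` of `otoken.enc_block.key_length` bytes into the fixed-size `hmackey_t` has no bound check visible here; if `encode_oauth_token()` does not guarantee `key_length <= sizeof(hmackey_t)`, cap it before the copy. add_integrity() begins before this hunk and continues past it.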
|
||||
@ -1454,7 +1462,7 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
|
||||
{
|
||||
st_password_t pwd;
|
||||
if(stun_check_message_integrity_by_key_str(get_turn_credentials_type(),
|
||||
message->buf, (size_t)(message->len), key, pwd, clnet_info->shatype, NULL)<1) {
|
||||
message->buf, (size_t)(message->len), clnet_info->key, pwd, clnet_info->shatype, NULL)<1) {
|
||||
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR," Self-test of integrity does not comple correctly !\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
@ -3262,6 +3262,7 @@ static int check_stun_auth(turn_turnserver *server,
|
||||
if(ss->username[0]) {
|
||||
if(strcmp((char*)ss->username,(char*)usname)) {
|
||||
if(ss->oauth) {
|
||||
ss->hmackey_set = 0;
|
||||
STRCPY(ss->username,usname);
|
||||
set_username_hash(ss->client_socket,ss->username,(u08bits*)ss->realm_options.name);
|
||||
} else {
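Review bot: Session state is mutated before the new credential is verified: on a username mismatch in an oauth session the added line clears `ss->hmackey_set`, and the following lines overwrite `ss->username` and the username hash, but nothing in this hunk shows the request's MESSAGE-INTEGRITY having been checked against the new token yet. If verification later fails, the session keeps the client-chosen username with no key, which is probably harmless because `hmackey_set == 0` forces re-derivation, but that reasoning should be stated, e.g. `/* oauth: a new kid/user may replace the old one; drop the cached key so it is re-derived and verified from this request's token */`. If any lookup uses `ss->username` before that verification, the assignment should move after the integrity check instead. check_stun_auth() begins before this hunk and continues past it.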
|
||||
|
||||