diff --git a/INSTALL b/INSTALL
index 258bec2..d158a1c 100644
--- a/INSTALL
+++ b/INSTALL
@@ -706,6 +706,15 @@ CREATE TABLE turnusers_lt (
 PRIMARY KEY (realm,name)
 );
 
+The field hmackey contains HEX string representation of the key.
+We do not store the user open passwords for long-term credentials, for security reasons.
+Storing only the HMAC key has its own implications - if you change the realm,
+you will have to update the HMAC keys of all users, because the realm is
+used for the HMAC key generation.
+
+The key must be 32 characters (HEX representation of 16 bytes) for SHA1,
+or 64 characters (HEX representation of 32 bytes) for SHA256.
+
 # Table for short-term credentials mechanism authorisation:
 #
 CREATE TABLE turnusers_st (
@@ -760,19 +769,10 @@ CREATE TABLE turn_realm_option (
 primary key (realm,opt)
 );
 
-The field hmackey contains HEX string representation of the key.
-We do not store the user open passwords for long-term credentials, for security reasons.
-Storing only the HMAC key has its own implications - if you change the realm,
-you will have to update the HMAC keys of all users, because the realm is
-used for the HMAC key generation.
-
-The key must be 32 characters (HEX representation of 16 bytes) for SHA1,
-or 64 characters (HEX representation of 32 bytes) for SHA256.
-
 # oAuth key storage table.
 #
 CREATE TABLE oauth_key (
- kid varchar(128),
+ kid varchar(128), /*
 ikm_key varchar(256) default '',
 timestamp bigint default 0,
 lifetime integer default 0,
@@ -784,6 +784,42 @@ CREATE TABLE oauth_key (
 primary key (kid)
 );
 
+The oauth_key table fields meanings are:
+
+ kid: the kid of the key;
+
+ ikm_key - (optional) base64-encoded key ("input keying material");
+ The ikm_key is not needed if the as_rs_key and auth_key are defined
+ explicitly in the database;
+
+ timestamp - (optional) the timestamp (in seconds) when the key
+ lifetime started;
+
+ lifetime - (optional) the key lifetime in seconds; the default value
+ is 0 - unlimited lifetime.
+
+ hkdf_hash_func - (optional) hash function for HKDF procedure; the
+ valid values are SHA-1 and SHA-256, with SHA-256 as default;
+ The hkdf_hash_func is not needed if the as_rs_key and auth_key
+ are defined explicitly in the database;
+
+ as_rs_alg - oAuth token encryption algorithm; the valid values are
+ "AES-128-CBC" and "AES-256-CBC", , "AEAD-AES-128-GCM",
+ "AEAD-AES-256-GCM".
+ The default value is "AES-256-CBC";
+
+ as_rs_key - (optional) base64-encoded AS-RS key. If not defined, then
+ calculated with ikm_key and hkdf_hash_func. The as_rs_key length
+ is defined by as_rs_alg.
+
+ auth_alg - (optional) oAuth token authentication algorithm; the valid values are
+ "HMAC-SHA-256-128", "HMAC-SHA-256" and "HMAC-SHA-1".
+ The default value is "HMAC-SHA-256-128".
+
+ auth_key - (optional) base64-encoded AUTH key. If not defined, then
+ calculated with ikm_key and hkdf_hash_func. The auth_key length
+ is defined by auth_alg.
+
 You can use turnadmin program to manage the database - you can either use turnadmin to add/modify/delete users, or you can use turnadmin to produce the hmac keys and modify the database with your favorite tools.
@@ -945,6 +981,11 @@ Or in the turnserver.conf file:
 
 mongo-userdb="mongodb://localhost:27017/turndb"
 
+The meanings of the MongoDB keys are the same as for the other databases, see the
+explanations for the Postgres, for example.
+
+See the file testmongosetup.sh for the database structure examples.
+
 XVII. Redis setup
 
 The Redis setup is well documented on their site http://redis.io.
@@ -1013,6 +1054,8 @@ Redis TURN admin commands:
 
 $ bin/turnadmin -A -N "host=localhost dbname=0 user=turn password=turn" -u gorst -r north.gov -p hero
 $ bin/turnadmin -A -N "host=localhost dbname=0 user=turn password=turn" -u ninefingers -r north.gov -p youhavetoberealistic
+
+See the file testredisdbsetup.sh for the data structure examples.
 
 XVIII. Performance tuning
 
diff --git a/README.turnserver b/README.turnserver
index cb339a2..31812e4 100644
--- a/README.turnserver
+++ b/README.turnserver
@@ -190,7 +190,7 @@ Flags:
 This option can be used with long-term credentials mechanisms only - it does not make much sense with the short-term mechanism.
---oauth Support oAuth authentication.
+--oauth Support oAuth authentication, as in the third-party TURN specs document.
 --dh566 Use 566 bits predefined DH TLS key. Default size of the key is 1066.