From 5cd0d33c311ba926716495134502e64770ad160c Mon Sep 17 00:00:00 2001 
From: mom040267
Date: Sat, 10 Jan 2015 08:25:29 +0000
Subject: [PATCH] 1) working on https; 2) SSLv2 support removed.
---
 ChangeLog | 1 +
 INSTALL | 4 +-
 README.turnserver | 2 +-
 configure | 2 +-
 examples/etc/turnserver.conf | 2 +-
 .../scripts/longtermsecure/secure_relay.sh | 4 +-
 .../longtermsecure/secure_relay_cert.sh | 4 +-
 .../secure_relay_with_db_mongo.sh | 4 +-
 .../secure_relay_with_db_mysql.sh | 4 +-
 .../secure_relay_with_db_mysql_ssl.sh | 4 +-
 .../secure_relay_with_db_psql.sh | 6 +-
 .../secure_relay_with_db_redis.sh | 4 +-
 .../secure_relay_with_db_sqlite.sh | 4 +-
 examples/scripts/mobile/mobile_relay.sh | 4 +-
 .../scripts/restapi/secure_relay_secret.sh | 4 +-
 .../secure_relay_secret_with_db_mongo.sh | 4 +-
 .../secure_relay_secret_with_db_mysql.sh | 4 +-
 .../secure_relay_secret_with_db_psql.sh | 4 +-
 .../secure_relay_secret_with_db_redis.sh | 4 +-
 .../secure_relay_secret_with_db_sqlite.sh | 4 +-
 .../scripts/selfloadbalance/secure_relay.sh | 4 +-
 .../secure_relay_short_term_mech.sh | 4 +-
 examples/var/db/turndb | Bin 22528 -> 22528 bytes
 man/man1/turnadmin.1 | 2 +-
 man/man1/turnserver.1 | 4 +-
 man/man1/turnutils.1 | 2 +-
 rpm/turnserver.spec | 3 +-
 src/apps/relay/dbdrivers/dbd_mongo.c | 174 +++++++++++++++++-
 src/apps/relay/dbdrivers/dbd_mysql.c | 160 ++++++++++++++--
 src/apps/relay/dbdrivers/dbd_pgsql.c | 126 ++++++++++++-
 src/apps/relay/dbdrivers/dbd_redis.c | 133 ++++++++++++-
 src/apps/relay/dbdrivers/dbd_sqlite.c | 167 ++++++++++++++++-
 src/apps/relay/dbdrivers/dbdriver.h | 8 +-
 src/apps/relay/mainrelay.h | 2 +
 src/apps/relay/netengine.c | 4 +-
 src/apps/relay/ns_ioalib_engine_impl.c | 2 +
 src/apps/relay/userdb.c | 10 +-
 src/apps/relay/userdb.h | 4 +-
 src/apps/uclient/mainuclient.c | 2 +-
 src/apps/uclient/uclient.c | 4 +-
 src/apps/uclient/uclient.h | 2 +-
 src/client/ns_turn_msg.c | 12 +-
 src/client/ns_turn_msg.h | 8 +-
 src/server/ns_turn_server.c | 4 +-
 src/server/ns_turn_server.h | 2 +-
 src/server/ns_turn_session.h | 2 +-
 turndb/schema.mongo.sh | 2 +-
 turndb/schema.sql | 4 +-
 turndb/schema.userdb.redis | 9 +-
 turndb/testmongosetup.sh | 4 +-
 turndb/testredisdbsetup.sh | 7 +-
 turndb/testsqldbsetup.sql | 4 +-
 52 files changed, 826 insertions(+), 122 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index da5dcff..cc7eb31 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 1/1/2015 Oleg Moskalenko
 Version 4.3.4.1 'Tolomei':
 - https admin server;
+ - SSLv2 support removed;
 12/24/2014 Oleg Moskalenko
 Version 4.3.3.1 'Tolomei':
diff --git a/INSTALL b/INSTALL
index 5435dbd..988a458 100644
--- a/INSTALL
+++ b/INSTALL
@@ -796,10 +796,10 @@ The oauth_key table fields meanings are:
 # remote https access to the admin functions.
 #
 CREATE TABLE admin_user (
- uname varchar(32),
+ name varchar(32),
 realm varchar(127),
 password varchar(127),
- primary key (uname)
+ primary key (name)
 );
 You can use turnadmin program to manage the database - you can either use
diff --git a/README.turnserver b/README.turnserver
index e3cebab..5add8ab 100644
--- a/README.turnserver
+++ b/README.turnserver
@@ -300,7 +300,7 @@ Options with required values:
 endpoints (the "plain" one and the "tls" one) are equivalent in terms of
 functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
 For secure TCP connections, we currently support SSL version 3 and
- TLS versions 1.0, 1.1, 1.2. SSL2 "encapsulation mode" is also supported.
+ TLS versions 1.0, 1.1, 1.2.
 For secure UDP connections, we support DTLS version 1.
 --alt-listening-port Alternative listening port for UDP and TCP listeners;
diff --git a/configure b/configure
index 4cd9b10..e7b8925 100755
--- a/configure
+++ b/configure
@@ -1160,7 +1160,7 @@ fi
 # So, what we have now:
 ###############################
-OSCFLAGS="${OSCFLAGS} ${TURN_NO_THREAD_BARRIERS} ${TURN_NO_DTLS} ${TURN_NO_GCM} ${TURN_NO_TLS} -DINSTALL_PREFIX=${PREFIX} -DTURNDB=${TURNDBDIR}/turndb"
+OSCFLAGS="-DOPENSSL_NO_SSL2 ${OSCFLAGS} ${TURN_NO_THREAD_BARRIERS} ${TURN_NO_DTLS} ${TURN_NO_GCM} ${TURN_NO_TLS} -DINSTALL_PREFIX=${PREFIX} -DTURNDB=${TURNDBDIR}/turndb"
 if ! [ -z "${TURN_ACCEPT_RPATH}" ] ; then
 if [ -z "${TURN_DISABLE_RPATH}" ] ; then
diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf
index 6e3c2f9..2ba9d67 100644
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@@ -24,7 +24,7 @@
 # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
 # functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
 # For secure TCP connections, we currently support SSL version 3 and
-# TLS version 1.0, 1.1 and 1.2. SSL2 "encapculation mode" is also supported.
+# TLS version 1.0, 1.1 and 1.2.
 # For secure UDP connections, we support DTLS version 1.
 #
 #tls-listening-port=5349
diff --git a/examples/scripts/longtermsecure/secure_relay.sh b/examples/scripts/longtermsecure/secure_relay.sh
index d390265..4fd53c8 100755
--- a/examples/scripts/longtermsecure/secure_relay.sh
+++ b/examples/scripts/longtermsecure/secure_relay.sh
@@ -22,7 +22,7 @@
 # 9) "--pkey=turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
 # 11) "-v" means normal verbose mode (with some moderate logging).
-# 12) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2
+# 12) --cipher-list=ALL means that we support all OpenSSL ciphers
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
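Review bot: `+OSCFLAGS="-DOPENSSL_NO_SSL2 ${OSCFLAGS} …"` only stops this tree from compiling against the SSLv2 parts of the OpenSSL API; it does not change what the libssl it links against will negotiate, so on an OpenSSL build that still ships SSLv2 the TLS listener could still complete an SSLv2 handshake unless the server's SSL_CTX objects also carry `SSL_OP_NO_SSLv2` (that setup is outside this patch, so I cannot tell whether it is already there). The ChangeLog hunk in this same patch promises "SSLv2 support removed", which is a runtime property and is best confirmed against the listener rather than by a compile flag. A one-line comment above the assignment would save the next reader the same question, e.g. `# never compile SSLv2 support in, even against an OpenSSL that still ships it`. The README.turnserver, turnserver.conf and man-page hunks still advertise SSL version 3; after POODLE the same treatment (`SSL_OP_NO_SSLv3`, and dropping it from the docs) is the natural follow-up.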
@@ -32,4 +32,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --cipher-list=ALL:SSLv2 $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --cipher-list=ALL $@
diff --git a/examples/scripts/longtermsecure/secure_relay_cert.sh b/examples/scripts/longtermsecure/secure_relay_cert.sh
index 9df3b4d..ee63572 100755
--- a/examples/scripts/longtermsecure/secure_relay_cert.sh
+++ b/examples/scripts/longtermsecure/secure_relay_cert.sh
@@ -25,7 +25,7 @@
 # 10) --CA-file sets the CA file for client certificate check.
 # 11) "--log-file=stdout" means that all log output will go to the stdout.
 # 12) "-v" means normal verbose mode (with some moderate logging).
-# 13) --cipher-list="ALL:SSLv2:!eNULL:!aNULL:!NULL" measn "all ciphers, except anonymous".
+# 13) --cipher-list="ALL:!eNULL:!aNULL:!NULL" measn "all ciphers, except anonymous".
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
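Review bot: `--cipher-list=ALL` on the new `+PATH=… turnserver … --cipher-list=ALL $@` line still admits the anonymous (aNULL) suites, because OpenSSL's `ALL` keyword excludes only eNULL, so an unauthenticated DH/ECDH exchange can be negotiated on the example TLS listener if a client asks for it and DH parameters are available. The secure_relay_cert.sh hunk right after this one uses `ALL:!eNULL:!aNULL:!NULL`, so the examples are now inconsistent; the bare `ALL` is repeated in the mongo, mysql, mysql_ssl, psql, redis, sqlite, mobile, restapi, selfloadbalance and shorttermsecure scripts below. I would use `--cipher-list="ALL:!eNULL:!aNULL:!NULL"` in each of them and reword the comment to `# 12) --cipher-list=… means all OpenSSL ciphers except the null and anonymous ones`. The comment and the command live in different hunks of the same file, so both need the change.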
@@ -35,4 +35,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=turn_server_cert.pem --log-file=stdout -v --cipher-list="ALL:SSLv2:!eNULL:!aNULL:!NULL" $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=turn_server_cert.pem --log-file=stdout -v --cipher-list="ALL:!eNULL:!aNULL:!NULL" $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh
index fd793c7..4245200 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh
@@ -20,7 +20,7 @@
 # 7) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
-# 10) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2
+# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
 # 11) --oauth - accept oAuth security dialog
 # Other parameters (config file name, etc) are default.
@@ -31,4 +31,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL:SSLv2 --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh
index 198f7c6..fa86b50 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh
@@ -21,7 +21,7 @@
 # 7) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
-# 10) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2
+# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
 # 11) --oauth - accept oAuth security dialog
 # Other parameters (config file name, etc) are default.
@@ -32,4 +32,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL:SSLv2 --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh
index 773020a..2ad97f7 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh
@@ -22,7 +22,7 @@
 # 7) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
-# 10) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2
+# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
 # 11) --oauth - accept oAuth security dialog
 # Other parameters (config file name, etc) are default.
@@ -33,4 +33,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn cipher=DHE-RSA-AES256-SHA connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL:SSLv2 --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn cipher=DHE-RSA-AES256-SHA connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh
index 8694928..927bdf1 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh
@@ -21,7 +21,7 @@
 # 7) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
-# 10) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2
+# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
 # 11) --oauth - accept oAuth security dialog
 # Other parameters (config file name, etc) are default.
@@ -32,7 +32,7 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL:SSLv2 --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
 # Newer PostgreSQL style connection string example:
-# PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb=postgresql://turn:turn@/turn --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL:SSLv2 --oauth $@
+# PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb=postgresql://turn:turn@/turn --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh
index 6a18c40..db7db63 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh
@@ -24,7 +24,7 @@
 # 8) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
 # 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
-# 11) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2
+# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
 # 12) --oauth - accept oAuth security dialog
 # Other parameters (config file name, etc) are default.
@@ -35,4 +35,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL:SSLv2 --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh
index c160af3..1bc1c77 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh
@@ -20,7 +20,7 @@
 # 7) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
-# 10) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2
+# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
 # 11) --oauth - accept oAuth security dialog
 # Other parameters (config file name, etc) are default.
@@ -31,5 +31,5 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL:SSLv2 --oauth $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
diff --git a/examples/scripts/mobile/mobile_relay.sh b/examples/scripts/mobile/mobile_relay.sh
index b7ff83c..cab92af 100755
--- a/examples/scripts/mobile/mobile_relay.sh
+++ b/examples/scripts/mobile/mobile_relay.sh
@@ -23,7 +23,7 @@
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
 # 11) "-v" means normal verbose mode (with some moderate logging).
 # 12) "--mobility" turns on the Mobile ICE TURN functionality.
-# 13) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2
+# 13) --cipher-list=ALL means that we support all OpenSSL ciphers
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -33,4 +33,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --mobility --cipher-list=ALL:SSLv2 $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --mobility --cipher-list=ALL $@
diff --git a/examples/scripts/restapi/secure_relay_secret.sh b/examples/scripts/restapi/secure_relay_secret.sh
index 539742c..719b293 100755
--- a/examples/scripts/restapi/secure_relay_secret.sh
+++ b/examples/scripts/restapi/secure_relay_secret.sh
@@ -22,7 +22,7 @@
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
 # 11) "-q 100" means that single user can create no more than 100 sessions
 # 12) "-Q 300" means that there may be no more than 300 sessions totally
-# 13) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2.
+# 13) --cipher-list=ALL means that we support all OpenSSL ciphers
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -32,5 +32,5 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --static-auth-secret=logen --realm=north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -q 100 -Q 300 --cipher-list=ALL:SSLv2 $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --static-auth-secret=logen --realm=north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -q 100 -Q 300 --cipher-list=ALL $@
diff --git a/examples/scripts/restapi/secure_relay_secret_with_db_mongo.sh b/examples/scripts/restapi/secure_relay_secret_with_db_mongo.sh
index fdc41ec..fd2f172 100755
--- a/examples/scripts/restapi/secure_relay_secret_with_db_mongo.sh
+++ b/examples/scripts/restapi/secure_relay_secret_with_db_mongo.sh
@@ -24,7 +24,7 @@
 # 8) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
 # 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
-# 11) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2
+# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -34,4 +34,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL:SSLv2 $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
diff --git a/examples/scripts/restapi/secure_relay_secret_with_db_mysql.sh b/examples/scripts/restapi/secure_relay_secret_with_db_mysql.sh
index eeab4d2..b3d8bd2 100755
--- a/examples/scripts/restapi/secure_relay_secret_with_db_mysql.sh
+++ b/examples/scripts/restapi/secure_relay_secret_with_db_mysql.sh
@@ -25,7 +25,7 @@
 # 8) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
 # 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
-# 11) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2
+# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -35,4 +35,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL:SSLv2 $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
diff --git a/examples/scripts/restapi/secure_relay_secret_with_db_psql.sh b/examples/scripts/restapi/secure_relay_secret_with_db_psql.sh
index c0637c0..2dfa44d 100755
--- a/examples/scripts/restapi/secure_relay_secret_with_db_psql.sh
+++ b/examples/scripts/restapi/secure_relay_secret_with_db_psql.sh
@@ -25,7 +25,7 @@
 # 8) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
 # 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
-# 11) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2.
+# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -35,4 +35,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL:SSLv2 $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
diff --git a/examples/scripts/restapi/secure_relay_secret_with_db_redis.sh b/examples/scripts/restapi/secure_relay_secret_with_db_redis.sh
index 0b64d56..ab335e0 100755
--- a/examples/scripts/restapi/secure_relay_secret_with_db_redis.sh
+++ b/examples/scripts/restapi/secure_relay_secret_with_db_redis.sh
@@ -25,7 +25,7 @@
 # 8) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
 # 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
-# 11) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2.
+# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -35,4 +35,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cipher-list=ALL:SSLv2 $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cipher-list=ALL $@
diff --git a/examples/scripts/restapi/secure_relay_secret_with_db_sqlite.sh b/examples/scripts/restapi/secure_relay_secret_with_db_sqlite.sh
index c4fa65e..3753f28 100755
--- a/examples/scripts/restapi/secure_relay_secret_with_db_sqlite.sh
+++ b/examples/scripts/restapi/secure_relay_secret_with_db_sqlite.sh
@@ -24,7 +24,7 @@
 # 8) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
 # 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
-# 11) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2
+# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -34,4 +34,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL:SSLv2 $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
diff --git a/examples/scripts/selfloadbalance/secure_relay.sh b/examples/scripts/selfloadbalance/secure_relay.sh
index a537ada..5fb97ff 100755
--- a/examples/scripts/selfloadbalance/secure_relay.sh
+++ b/examples/scripts/selfloadbalance/secure_relay.sh
@@ -29,7 +29,7 @@
 # 11) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 12) "--log-file=stdout" means that all log output will go to the stdout.
 # 13) "-v" means normal verbose mode (with some moderate logging).
-# 14) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2.
+# 14) --cipher-list=ALL means that we support all OpenSSL ciphers
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
@@ -39,4 +39,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --aux-server=127.0.0.1:12345 --aux-server=[::1]:12345 --aux-server=127.0.0.1:12346 --aux-server=[::1]:12346 --udp-self-balance --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL:SSLv2 $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --aux-server=127.0.0.1:12345 --aux-server=[::1]:12345 --aux-server=127.0.0.1:12346 --aux-server=[::1]:12346 --udp-self-balance --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
diff --git a/examples/scripts/shorttermsecure/secure_relay_short_term_mech.sh b/examples/scripts/shorttermsecure/secure_relay_short_term_mech.sh
index 4cbfb0e..35453f6 100755
--- a/examples/scripts/shorttermsecure/secure_relay_short_term_mech.sh
+++ b/examples/scripts/shorttermsecure/secure_relay_short_term_mech.sh
@@ -21,7 +21,7 @@ # 8) "--log-file=stdout" means that all log output will go to the stdout. # 9) -E 127.0.0.1 and -E :;1 sets the relay addresses, in this case for loopback # communications only. -# 10) --cipher-list=ALL:SSLv2 means that we support all OpenSSL ciphers, including SSLv2. +# 10) --cipher-list=ALL means that we support all OpenSSL ciphers # Other parameters (config file name, etc) are default. if [ -d examples ] ; then @@ -31,4 +31,4 @@ fi export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ -PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -A --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -E 127.0.0.1 -E ::1 --cipher-list=ALL:SSLv2 $@ +PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -A --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -E 127.0.0.1 -E ::1 --cipher-list=ALL $@ diff --git a/examples/var/db/turndb b/examples/var/db/turndb index d122bb1c172b0f8cd214a4358a8a22c3406e6fc8..a51877861fa2c53e1e5710f63b605043bc58ed60 100644 GIT binary patch delta 122 zcmZqJz}T>Xae}m<9s>h|7!bn%??fGAM!k&*y1s#2d5O8H3T25!$r*`78pcMNI$TAm ti8;A&Awwf`pjbg-adCNmQ3|?nQD$ypQKdq5YNdh($Rtg!&G&qjxBy>*B5(iz delta 122 zcmZqJz}T>Xae}m<76Su=7!bn%_e33IMy-try1s#>d5O8H3T25!$r*`78pcMNItoRp si8;A&Awwf`pjbg-adCNmQ3|?nQD$ypQKdq5YNdh(*eK1-_k5MO0FIp_egFUf diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1 index 0d2e3ed..b56c9e0 100644 --- a/man/man1/turnadmin.1 +++ b/man/man1/turnadmin.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "07 January 2015" "" "" +.TH TURN 1 "10 January 2015" "" "" .SH GENERAL INFORMATION \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage 
diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index 44c5670..f655a51 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "07 January 2015" "" "" +.TH TURN 1 "10 January 2015" "" "" .SH GENERAL INFORMATION The \fBTURN Server\fP project contains the source code of a TURN server and TURN client @@ -453,7 +453,7 @@ Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS endpoints (the "plain" one and the "tls" one) are equivalent in terms of functionality; but we keep both endpoints to satisfy the RFC 5766 specs. For secure TCP connections, we currently support SSL version 3 and -TLS versions 1.0, 1.1, 1.2. SSL2 "encapsulation mode" is also supported. +TLS versions 1.0, 1.1, 1.2. For secure UDP connections, we support DTLS version 1. .TP .B diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1 index 3c989ac..1f37f85 100644 --- a/man/man1/turnutils.1 +++ b/man/man1/turnutils.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "07 January 2015" "" "" +.TH TURN 1 "10 January 2015" "" "" .SH GENERAL INFORMATION A set of turnutils_* programs provides some utility functionality to be used diff --git a/rpm/turnserver.spec b/rpm/turnserver.spec index 923228e..5d816c6 100644 --- a/rpm/turnserver.spec +++ b/rpm/turnserver.spec @@ -44,8 +44,7 @@ STUN specs: The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) -- TLS (per RFC 5766 and RFC 6062); SSL3/TLS1.0/TLS1.1/TLS1.2; SSL2 wrapping - supported +- TLS (per RFC 5766 and RFC 6062); SSL3/TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: diff --git a/src/apps/relay/dbdrivers/dbd_mongo.c b/src/apps/relay/dbdrivers/dbd_mongo.c index f5d4f99..612c703 100644 --- a/src/apps/relay/dbdrivers/dbd_mongo.c +++ b/src/apps/relay/dbdrivers/dbd_mongo.c 
@@ -312,7 +312,7 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) { return ret; } -static int mongo_get_user_pwd(u08bits *usname, st_password_t pwd) { +static int mongo_get_user_pwd(u08bits *usname, password_t pwd) { mongoc_collection_t * collection = mongo_get_collection("turnusers_st"); if(!collection) @@ -425,7 +425,7 @@ static int mongo_set_oauth_key(oauth_key_data_raw *key) { return ret; } -static int mongo_set_user_pwd(u08bits *usname, st_password_t pwd) { +static int mongo_set_user_pwd(u08bits *usname, password_t pwd) { mongoc_collection_t * collection = mongo_get_collection("turnusers_st"); if(!collection) 
@@ -1172,7 +1172,169 @@ static void mongo_reread_realms(secrets_list_t * realms_list) { bson_destroy(&fields); } -/////////////////////////////////////////////////////////////////////////////////////////////////////////// +///////////////////////////////////////////////// + +static int mongo_get_admin_user(const u08bits *usname, u08bits *realm, password_t pwd) +{ + mongoc_collection_t * collection = mongo_get_collection("admin_user"); + + if(!collection) + return -1; + + realm[0]=0; + pwd[0]=0; + + bson_t query; + bson_init(&query); + BSON_APPEND_UTF8(&query, "name", (const char *)usname); + + bson_t fields; + bson_init(&fields); + BSON_APPEND_INT32(&fields, "realm", 1); + BSON_APPEND_INT32(&fields, "password", 1); + + mongoc_cursor_t * cursor; + cursor = mongoc_collection_find(collection, MONGOC_QUERY_NONE, 0, 1, 0, &query, &fields, NULL); + + int ret = -1; + + if (!cursor) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error querying MongoDB collection 'admin_user'\n"); + } else { + const bson_t * item; + uint32_t length; + bson_iter_t iter; + if (mongoc_cursor_next(cursor, &item)) { + if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "realm") && BSON_ITER_HOLDS_UTF8(&iter)) { + strncpy((char*)realm,bson_iter_utf8(&iter, &length),STUN_MAX_REALM_SIZE); + ret = 0; + } + if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "password") && BSON_ITER_HOLDS_UTF8(&iter)) { + strncpy((char*)pwd,bson_iter_utf8(&iter, &length),STUN_MAX_PWD_SIZE); + ret = 0; + } + } + mongoc_cursor_destroy(cursor); + } + mongoc_collection_destroy(collection); + bson_destroy(&query); + bson_destroy(&fields); + return ret; +} + +static int mongo_set_admin_user(const u08bits *usname, const u08bits *realm, const password_t pwd) +{ + mongoc_collection_t * collection = mongo_get_collection("admin_user"); + + if(!collection) + return -1; + + bson_t query; + bson_init(&query); + BSON_APPEND_UTF8(&query, "name", (const char *)usname); + + bson_t doc; + bson_init(&doc); + BSON_APPEND_UTF8(&doc, 
"name", (const char *)usname); + BSON_APPEND_UTF8(&doc, "realm", (const char *)realm); + BSON_APPEND_UTF8(&doc, "password", (const char *)pwd); + + int ret = -1; + + if (!mongoc_collection_update(collection, MONGOC_UPDATE_UPSERT, &query, &doc, NULL, NULL)) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating admin user information\n"); + } else { + ret = 0; + } + mongoc_collection_destroy(collection); + bson_destroy(&doc); + bson_destroy(&query); + return ret; +} + +static int mongo_del_admin_user(const u08bits *usname) +{ + mongoc_collection_t * collection = mongo_get_collection("admin_user"); + + if(!collection) + return -1; + + bson_t query; + bson_init(&query); + BSON_APPEND_UTF8(&query, "name", (const char *)usname); + + int ret = -1; + + if (!mongoc_collection_delete(collection, MONGOC_DELETE_SINGLE_REMOVE, &query, NULL, NULL)) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error deleting admin user information\n"); + } else { + ret = 0; + } + mongoc_collection_destroy(collection); + bson_destroy(&query); + return ret; +} + +static int mongo_list_admin_users(void) +{ + const char * collection_name = "admin_user"; + mongoc_collection_t * collection = mongo_get_collection(collection_name); + + if(!collection) + return -1; + + bson_t query, child; + bson_init(&query); + bson_append_document_begin(&query, "$orderby", -1, &child); + bson_append_int32(&child, "name", -1, 1); + bson_append_document_end(&query, &child); + bson_append_document_begin(&query, "$query", -1, &child); + bson_append_document_end(&query, &child); + + bson_t fields; + bson_init(&fields); + BSON_APPEND_INT32(&fields, "name", 1); + BSON_APPEND_INT32(&fields, "realm", 1); + + mongoc_cursor_t * cursor; + cursor = mongoc_collection_find(collection, MONGOC_QUERY_NONE, 0, 0, 0, &query, &fields, NULL); + + int ret = -1; + + if (!cursor) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error querying MongoDB collection '%s'\n", collection_name); + } else { + const bson_t * item; + uint32_t length; + 
bson_iter_t iter; + bson_iter_t iter_realm; + const char * value; + while (mongoc_cursor_next(cursor, &item)) { + if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "name") && BSON_ITER_HOLDS_UTF8(&iter)) { + value = bson_iter_utf8(&iter, &length); + if (length) { + const char *realm = ""; + if (bson_iter_init(&iter_realm, item) && bson_iter_find(&iter_realm, "realm") && BSON_ITER_HOLDS_UTF8(&iter_realm)) { + realm = bson_iter_utf8(&iter_realm, &length); + } + if(realm && *realm) { + printf("%s[%s]\n", value, realm); + } else { + printf("%s\n", value); + } + } + } + } + mongoc_cursor_destroy(cursor); + ret = 0; + } + mongoc_collection_destroy(collection); + bson_destroy(&query); + bson_destroy(&fields); + return ret; +} + +////////////////////////////////////////////////////////// static const turn_dbdriver_t driver = { &mongo_get_auth_secrets, @@ -1196,7 +1358,11 @@ static const turn_dbdriver_t driver = { &mongo_set_oauth_key, &mongo_get_oauth_key, &mongo_del_oauth_key, - &mongo_list_oauth_keys + &mongo_list_oauth_keys, + &mongo_get_admin_user, + &mongo_set_admin_user, + &mongo_del_admin_user, + &mongo_list_admin_users }; const turn_dbdriver_t * get_mongo_dbdriver(void) { diff --git a/src/apps/relay/dbdrivers/dbd_mysql.c b/src/apps/relay/dbdrivers/dbd_mysql.c index 37b705b..f376371 100644 --- a/src/apps/relay/dbdrivers/dbd_mysql.c +++ b/src/apps/relay/dbdrivers/dbd_mysql.c @@ -339,7 +339,7 @@ static int mysql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) { return ret; } -static int mysql_get_user_pwd(u08bits *usname, st_password_t pwd) { +static int mysql_get_user_pwd(u08bits *usname, password_t pwd) { int ret = -1; 
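Review bot: mongo_get_admin_user sets `ret = 0` as soon as either field is found, so a document that has a realm but no password returns success with an empty pwd; if callers authenticate against pwd, the realm-only case should stay a failure, i.e. set `ret = 0` only in the password branch. Separately, the new get/set pair reads and writes the `password` field verbatim, so admin credentials live in the collection in cleartext (the mysql, pgsql and redis drivers added in this commit do the same); storing a salted hash and verifying at the caller would limit what a database dump exposes. The two strncpy calls copy up to STUN_MAX_REALM_SIZE / STUN_MAX_PWD_SIZE bytes, and the only terminator this function guarantees is the `realm[0]=0` / `pwd[0]=0` written before the query, so a stored value of at least that length presumably leaves the string unterminated unless the caller zeroed the last byte of the buffer.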
@@ -514,21 +514,26 @@ static int mysql_list_oauth_keys(void) { return ret; } -static int mysql_set_user_key(u08bits *usname, u08bits *realm, const char *key) { +static int mysql_set_user_key(u08bits *usname, u08bits *realm, const char *key) +{ int ret = -1; - char statement[TURN_LONG_STRING_SIZE]; - MYSQL * myc = get_mydb_connection(); - if(myc) { + char statement[TURN_LONG_STRING_SIZE]; + MYSQL * myc = get_mydb_connection(); + if(myc) { snprintf(statement,sizeof(statement),"insert into turnusers_lt (realm,name,hmackey) values('%s','%s','%s')",realm,usname,key); - int res = mysql_query(myc, statement); - if(res) { + int res = mysql_query(myc, statement); + if(!res) { + ret = 0; + } else { snprintf(statement,sizeof(statement),"update turnusers_lt set hmackey='%s' where name='%s' and realm='%s'",key,usname,realm); - res = mysql_query(myc, statement); - if(res) { - TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating user key information: %s\n",mysql_error(myc)); - } - } - } + res = mysql_query(myc, statement); + if(!res) { + ret = 0; + } else { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating user key information: %s\n",mysql_error(myc)); + } + } + } return ret; } @@ -553,7 +558,7 @@ static int mysql_set_oauth_key(oauth_key_data_raw *key) { return ret; } -static int mysql_set_user_pwd(u08bits *usname, st_password_t pwd) { +static int mysql_set_user_pwd(u08bits *usname, password_t pwd) { int ret = -1; char statement[TURN_LONG_STRING_SIZE]; MYSQL * myc = get_mydb_connection(); 
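Review bot: The INSERT and UPDATE in mysql_set_user_key still splice realm, usname and key into the statement with snprintf and `'%s'`, which the re-indent keeps on the new side; a value containing a quote breaks the statement, and any value that is not operator-supplied would alter it. Passing each input through `mysql_real_escape_string()` before formatting, or using the prepared-statement API, addresses both. The same construction is used by the new admin_user functions for MySQL in the next hunk and, via PQexec, for PostgreSQL further down.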
@@ -1065,7 +1070,126 @@ static void mysql_reread_realms(secrets_list_t * realms_list) { } } -/////////////////////////////////////////////////////////////////////////////////////////////////////////// +///////////////////////////////////////////////////// + +static int mysql_get_admin_user(const u08bits *usname, u08bits *realm, password_t pwd) +{ + int ret = -1; + + realm[0]=0; + pwd[0]=0; + + MYSQL * myc = get_mydb_connection(); + if(myc) { + char statement[TURN_LONG_STRING_SIZE]; + snprintf(statement,sizeof(statement),"select realm,password from admin_user where name='%s'",usname); + int res = mysql_query(myc, statement); + if(res) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc)); + } else { + MYSQL_RES *mres = mysql_store_result(myc); + if(!mres) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc)); + } else if(mysql_field_count(myc)!=2) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unknown error retrieving MySQL DB information: %s\n",statement); + } else { + MYSQL_ROW row = mysql_fetch_row(mres); + if(row && row[0]) { + strncpy((char*)realm,row[0],STUN_MAX_REALM_SIZE); + strncpy((char*)pwd,row[1],STUN_MAX_PWD_SIZE); + ret = 0; + } + } + + if(mres) + mysql_free_result(mres); + } + } + return ret; +} + +static int mysql_set_admin_user(const u08bits *usname, const u08bits *realm, const password_t pwd) +{ + int ret = -1; + char statement[TURN_LONG_STRING_SIZE]; + MYSQL * myc = get_mydb_connection(); + if(myc) { + snprintf(statement,sizeof(statement),"insert into admin_user (realm,name,password) values('%s','%s','%s')",realm,usname,pwd); + int res = mysql_query(myc, statement); + if(!res) { + ret = 0; + } else { + snprintf(statement,sizeof(statement),"update admin_user set realm='%s',password='%s' where name='%s'",realm,pwd,usname); + res = mysql_query(myc, statement); + if(!res) { + ret = 0; + } else { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating 
user key information: %s\n",mysql_error(myc)); + } + } + } + return ret; +} + +static int mysql_del_admin_user(const u08bits *usname) +{ + int ret = -1; + char statement[TURN_LONG_STRING_SIZE]; + MYSQL * myc = get_mydb_connection(); + if(myc) { + snprintf(statement,sizeof(statement),"delete from admin_user where name='%s'",usname); + int res = mysql_query(myc, statement); + if(res) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error deleting admin user information: %s\n",mysql_error(myc)); + } else { + ret = 0; + } + } + return ret; +} + +static int mysql_list_admin_users(void) +{ + int ret = -1; + char statement[TURN_LONG_STRING_SIZE]; + MYSQL * myc = get_mydb_connection(); + if(myc) { + snprintf(statement,sizeof(statement),"select name, realm from admin_user order by realm,name"); + int res = mysql_query(myc, statement); + if(res) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc)); + } else { + MYSQL_RES *mres = mysql_store_result(myc); + if(!mres) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc)); + } else if(mysql_field_count(myc)!=2) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unknown error retrieving MySQL DB information: %s\n",statement); + } else { + for(;;) { + MYSQL_ROW row = mysql_fetch_row(mres); + if(!row) { + break; + } else { + if(row[0]) { + if(row[1] && row[1][0]) { + printf("%s[%s]\n",row[0],row[1]); + } else { + printf("%s\n",row[0]); + } + } + } + } + ret = 0; + } + + if(mres) + mysql_free_result(mres); + } + } + return ret; +} + +////////////////////////////////////////////////////// static const turn_dbdriver_t driver = { &mysql_get_auth_secrets, 
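Review bot: mysql_get_admin_user checks `row[0]` but then passes `row[1]` to strncpy unconditionally, so a NULL password column (the table's nullability is not visible here) would dereference NULL; guard it as `if(row[1]) strncpy((char*)pwd,row[1],STUN_MAX_PWD_SIZE);`. The log line in mysql_set_admin_user reads `Error inserting/updating user key information` although this function writes admin users; `Error inserting/updating admin user information` would match mysql_del_admin_user and not mislead whoever reads the log. The start of mysql_set_admin_user is on the previous line of this view.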
@@ -1089,7 +1213,11 @@ static const turn_dbdriver_t driver = { &mysql_set_oauth_key, &mysql_get_oauth_key, &mysql_del_oauth_key, - &mysql_list_oauth_keys + &mysql_list_oauth_keys, + &mysql_get_admin_user, + &mysql_set_admin_user, + &mysql_del_admin_user, + &mysql_list_admin_users }; const turn_dbdriver_t * get_mysql_dbdriver(void) { diff --git a/src/apps/relay/dbdrivers/dbd_pgsql.c b/src/apps/relay/dbdrivers/dbd_pgsql.c index c35a3f8..fb6e0f4 100644 --- a/src/apps/relay/dbdrivers/dbd_pgsql.c +++ b/src/apps/relay/dbdrivers/dbd_pgsql.c @@ -153,7 +153,7 @@ static int pgsql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) { return ret; } -static int pgsql_get_user_pwd(u08bits *usname, st_password_t pwd) { +static int pgsql_get_user_pwd(u08bits *usname, password_t pwd) { int ret = -1; char statement[TURN_LONG_STRING_SIZE]; snprintf(statement,sizeof(statement),"select password from turnusers_st where name='%s'",usname); @@ -167,7 +167,7 @@ static int pgsql_get_user_pwd(u08bits *usname, st_password_t pwd) { } else { char *kval = PQgetvalue(res,0,0); if(kval) { - strncpy((char*)pwd,kval,sizeof(st_password_t)); + strncpy((char*)pwd,kval,sizeof(password_t)); ret = 0; } else { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong password data for user %s: NULL\n",usname); @@ -319,7 +319,7 @@ static int pgsql_set_oauth_key(oauth_key_data_raw *key) { return ret; } -static int pgsql_set_user_pwd(u08bits *usname, st_password_t pwd) { +static int pgsql_set_user_pwd(u08bits *usname, password_t pwd) { int ret = -1; char statement[TURN_LONG_STRING_SIZE]; PGconn *pqc = get_pqdb_connection(); 
@@ -785,7 +785,119 @@ static void pgsql_reread_realms(secrets_list_t * realms_list) { } } -/////////////////////////////////////////////////////////////////////////////////////////////////////////// +////////////////////////////////////////////// + +static int pgsql_get_admin_user(const u08bits *usname, u08bits *realm, password_t pwd) +{ + int ret = -1; + + realm[0]=0; + pwd[0]=0; + + PGconn * pqc = get_pqdb_connection(); + if(pqc) { + char statement[TURN_LONG_STRING_SIZE]; + snprintf(statement,sizeof(statement),"select realm,password from admin_user where name='%s'",usname); + PGresult *res = PQexec(pqc, statement); + + if(!res || (PQresultStatus(res) != PGRES_TUPLES_OK) || (PQntuples(res)!=1)) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving PostgreSQL DB information: %s\n",PQerrorMessage(pqc)); + } else { + const char *kval = PQgetvalue(res,0,0); + if(kval) { + strncpy((char*)realm,kval,STUN_MAX_REALM_SIZE); + } + kval = (const char*) PQgetvalue(res,0,1); + if(kval) { + strncpy((char*)pwd,kval,STUN_MAX_PWD_SIZE); + } + ret = 0; + } + + if(res) + PQclear(res); + + } + return ret; +} + +static int pgsql_set_admin_user(const u08bits *usname, const u08bits *realm, const password_t pwd) +{ + int ret = -1; + char statement[TURN_LONG_STRING_SIZE]; + PGconn *pqc = get_pqdb_connection(); + if(pqc) { + snprintf(statement,sizeof(statement),"insert into admin_user (realm,name,password) values('%s','%s','%s')",realm,usname,pwd); + + PGresult *res = PQexec(pqc, statement); + if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) { + if(res) { + PQclear(res); + } + snprintf(statement,sizeof(statement),"update admin_user set password='%s',realm='%s' where name='%s'",pwd,realm,usname); + res = PQexec(pqc, statement); + if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating user information: %s\n",PQerrorMessage(pqc)); + } else { + ret = 0; + } + } + if(res) { + PQclear(res); + } + } + return ret; +} + 
+static int pgsql_del_admin_user(const u08bits *usname) +{ + int ret = -1; + char statement[TURN_LONG_STRING_SIZE]; + PGconn *pqc = get_pqdb_connection(); + if(pqc) { + snprintf(statement,sizeof(statement),"delete from admin_user where name='%s'",usname); + PGresult *res = PQexec(pqc, statement); + if(res) { + PQclear(res); + ret = 0; + } + } + return ret; +} + +static int pgsql_list_admin_users(void) +{ + int ret = -1; + char statement[TURN_LONG_STRING_SIZE]; + PGconn *pqc = get_pqdb_connection(); + if(pqc) { + snprintf(statement,sizeof(statement),"select name,realm,password from admin_user order by realm,name"); + } + PGresult *res = PQexec(pqc, statement); + if(!res || (PQresultStatus(res) != PGRES_TUPLES_OK)) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving PostgreSQL DB information: %s\n",PQerrorMessage(pqc)); + } else { + int i = 0; + for(i=0;itype == REDIS_REPLY_ERROR) + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error: %s\n", reply->str); + else if (reply->type != REDIS_REPLY_ARRAY) { + if (reply->type != REDIS_REPLY_NIL) + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unexpected type: %d\n", reply->type); + } else if(reply->elements > 1) { + size_t i; + for (i = 0; i < (reply->elements)/2; ++i) { + char *kw = reply->element[2*i]->str; + char *val = reply->element[2*i+1]->str; + if(kw) { + if(!strcmp(kw,"realm")) { + strncpy((char*)realm,val,STUN_MAX_REALM_SIZE); + } else if(!strcmp(kw,"password")) { + strncpy((char*)pwd,val,STUN_MAX_PWD_SIZE); + ret = 0; + } + } + } + } + turnFreeRedisReply(reply); + } + } + return ret; +} + +static int redis_set_admin_user(const u08bits *usname, const u08bits *realm, const password_t pwd) +{ + int ret = -1; + redisContext *rc = get_redis_connection(); + if(rc) { + char statement[TURN_LONG_STRING_SIZE]; + if(realm[0]) { + snprintf(statement,sizeof(statement),"hmset turn/admin_user/%s realm '%s' password '%s'",usname,realm,pwd); + } else { + snprintf(statement,sizeof(statement),"hmset turn/admin_user/%s password 
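Review bot: In pgsql_list_admin_users the `if(pqc)` block closes right after the snprintf, so when get_pqdb_connection() returns NULL the code still executes `PQexec(pqc, statement)` with a NULL connection and an uninitialized statement buffer; the closing brace belongs after the result handling, or the function should `return ret;` when pqc is NULL. pgsql_del_admin_user sets `ret = 0` whenever PQexec returns a result object without checking `PQresultStatus(res) == PGRES_COMMAND_OK`, so a failed delete is reported as success, unlike pgsql_set_admin_user above it. The list query also selects the password column, which a listing presumably does not need; the remainder of this hunk is garbled in this view, so the loop body could not be reviewed.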
'%s'",usname,pwd); + } + turnFreeRedisReply(redisCommand(rc, statement)); + turnFreeRedisReply(redisCommand(rc, "save")); + ret = 0; + } + return ret; +} + +static int redis_del_admin_user(const u08bits *usname) { + int ret = -1; + redisContext *rc = get_redis_connection(); + if(rc) { + char statement[TURN_LONG_STRING_SIZE]; + snprintf(statement,sizeof(statement),"del turn/admin_user/%s",(const char*)usname); + turnFreeRedisReply(redisCommand(rc, statement)); + turnFreeRedisReply(redisCommand(rc, "save")); + ret = 0; + } + return ret; +} + +static int redis_list_admin_users(void) +{ + int ret = -1; + redisContext *rc = get_redis_connection(); + secrets_list_t keys; + size_t isz = 0; + init_secrets_list(&keys); + + if(rc) { + + redisReply *reply = NULL; + + reply = (redisReply*)redisCommand(rc, "keys turn/admin_user/*"); + if(reply) { + + if (reply->type == REDIS_REPLY_ERROR) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error: %s\n", reply->str); + } else if (reply->type != REDIS_REPLY_ARRAY) { + if (reply->type != REDIS_REPLY_NIL) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unexpected type: %d\n", reply->type); + } + } else { + size_t i; + for (i = 0; i < reply->elements; ++i) { + add_to_secrets_list(&keys,reply->element[i]->str); + } + } + turnFreeRedisReply(reply); + } + } + + for(isz=0;isz #include #include +#include +#include #include "ns_turn_utils.h" #include "ns_turn_khash.h" diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c index e74d786..f74fb71 100644 --- a/src/apps/relay/netengine.c +++ b/src/apps/relay/netengine.c @@ -403,13 +403,13 @@ static void auth_server_receive_message(struct bufferevent *bev, void *ptr) } if(am.ct == TURN_CREDENTIALS_SHORT_TERM) { - st_password_t pwd; + password_t pwd; am.in_oauth = 0; am.out_oauth = 0; if(get_user_pwd(am.username,pwd)<0) { am.success = 0; } else { - ns_bcopy(pwd,am.pwd,sizeof(st_password_t)); + ns_bcopy(pwd,am.pwd,sizeof(password_t)); am.success = 1; } } else { 
diff --git a/src/apps/relay/ns_ioalib_engine_impl.c b/src/apps/relay/ns_ioalib_engine_impl.c index 233306a..8f9b5bd 100644 --- a/src/apps/relay/ns_ioalib_engine_impl.c +++ b/src/apps/relay/ns_ioalib_engine_impl.c @@ -2268,8 +2268,10 @@ static TURN_TLS_TYPE check_tentative_tls(ioa_socket_raw fd) ret = (TURN_TLS_TYPE)(s[10]+1); } else if((s[2]==1)&&(s[3]==3)) { ret = TURN_TLS_SSL23; /* compatibility mode */ +#ifndef OPENSSL_NO_SSL2 } else if((s[2]==1)&&(s[3]==0)&&(s[4]==2)) { ret = TURN_TLS_SSL23; /* old mode */ +#endif } } diff --git a/src/apps/relay/userdb.c b/src/apps/relay/userdb.c index 2178395..a2cf519 100644 --- a/src/apps/relay/userdb.c +++ b/src/apps/relay/userdb.c @@ -496,7 +496,7 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u return -1; }; - st_password_t pwdtmp; + password_t pwdtmp; if(stun_check_message_integrity_by_key_str(TURN_CREDENTIALS_LONG_TERM, ioa_network_buffer_data(nbh), ioa_network_buffer_get_size(nbh), @@ -549,7 +549,7 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u u08bits hmac[MAXSHASIZE]; unsigned int hmac_len; - st_password_t pwdtmp; + password_t pwdtmp; hmac[0] = 0; @@ -646,7 +646,7 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u /* * Short-term mechanism password retrieval */ -int get_user_pwd(u08bits *usname, st_password_t pwd) +int get_user_pwd(u08bits *usname, password_t pwd) { int ret = -1; @@ -915,7 +915,7 @@ int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08b hmackey_t key; char skey[sizeof(hmackey_t) * 2 + 1]; - st_password_t passwd; + password_t passwd; if (ct == TA_LIST_USERS) { return list_users(is_st, realm); 
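Review bot: The `#ifndef OPENSSL_NO_SSL2` guard in check_tentative_tls ties the removal of SSLv2 hello detection to how the linked OpenSSL was built rather than to this project's policy; with an OpenSSL that still ships SSLv2, an SSLv2-format ClientHello is classified as TURN_TLS_SSL23 exactly as before. If the commit's intent is to stop honouring SSLv2 entirely, the `else if((s[2]==1)&&(s[3]==0)&&(s[4]==2))` branch can be deleted unconditionally; otherwise a comment should state that the compatibility-mode context is expected to reject SSLv2 through its own options. The function begins before this hunk.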
@@ -968,7 +968,7 @@ int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08b must_set_admin_pwd(pwd); if (is_st) { - strncpy((char*) passwd, (char*) pwd, sizeof(st_password_t)); + strncpy((char*) passwd, (char*) pwd, sizeof(password_t)); } else { stun_produce_integrity_key_str(user, realm, pwd, key, turn_params.shatype); size_t i = 0; diff --git a/src/apps/relay/userdb.h b/src/apps/relay/userdb.h index 71dbbfe..4efd145 100644 --- a/src/apps/relay/userdb.h +++ b/src/apps/relay/userdb.h @@ -86,7 +86,7 @@ struct auth_message { u08bits username[STUN_MAX_USERNAME_SIZE + 1]; u08bits realm[STUN_MAX_REALM_SIZE + 1]; hmackey_t key; - st_password_t pwd; + password_t pwd; get_username_resume_cb resume_func; ioa_net_data in_buffer; u64bits ctxkey; @@ -187,7 +187,7 @@ void add_to_secrets_list(secrets_list_t *sl, const char* elem); /////////// USER DB CHECK ////////////////// int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *uname, u08bits *realm, hmackey_t key, ioa_network_buffer_handle nbh); -int get_user_pwd(u08bits *uname, st_password_t pwd); +int get_user_pwd(u08bits *uname, password_t pwd); u08bits *start_user_check(turnserver_id id, turn_credential_type ct, int in_oauth, int *out_oauth, u08bits *uname, u08bits *realm, get_username_resume_cb resume, ioa_net_data *in_buffer, u64bits ctxkey, int *postpone_reply); int check_new_allocation_quota(u08bits *username, int oauth, u08bits *realm); void release_allocation_quota(u08bits *username, int oauth, u08bits *realm); diff --git a/src/apps/uclient/mainuclient.c b/src/apps/uclient/mainuclient.c index 7adc798..d19a95b 100644 --- a/src/apps/uclient/mainuclient.c +++ b/src/apps/uclient/mainuclient.c 
@@ -63,7 +63,7 @@ int no_rtcp = 0; int default_address_family = STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_DEFAULT; int dont_fragment = 0; u08bits g_uname[STUN_MAX_USERNAME_SIZE+1]; -st_password_t g_upwd; +password_t g_upwd; char g_auth_secret[1025]="\0"; int g_use_auth_secret_with_timestamp = 0; int use_fingerprints = 1; diff --git a/src/apps/uclient/uclient.c b/src/apps/uclient/uclient.c index 7403b88..03bf401 100644 --- a/src/apps/uclient/uclient.c +++ b/src/apps/uclient/uclient.c @@ -1654,7 +1654,7 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message) //self-test: { - st_password_t pwd; + password_t pwd; if(stun_check_message_integrity_by_key_str(get_turn_credentials_type(), message->buf, (size_t)(message->len), clnet_info->key, pwd, clnet_info->shatype, NULL)<1) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR," Self-test of integrity does not comple correctly !\n"); @@ -1679,7 +1679,7 @@ int check_integrity(app_ur_conn_info *clnet_info, stun_buffer *message) if(oauth && clnet_info->oauth) { - st_password_t pwd; + password_t pwd; return stun_check_message_integrity_by_key_str(get_turn_credentials_type(), message->buf, (size_t)(message->len), clnet_info->key, pwd, sht, NULL); diff --git a/src/apps/uclient/uclient.h b/src/apps/uclient/uclient.h index 43ff021..3d0267d 100644 --- a/src/apps/uclient/uclient.h +++ b/src/apps/uclient/uclient.h @@ -61,7 +61,7 @@ extern int no_rtcp; extern int default_address_family; extern int dont_fragment; extern u08bits g_uname[STUN_MAX_USERNAME_SIZE+1]; -extern st_password_t g_upwd; +extern password_t g_upwd; extern char g_auth_secret[1025]; extern int g_use_auth_secret_with_timestamp; extern int use_fingerprints; diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c index 1f2c1be..061cbf6 100644 --- a/src/client/ns_turn_msg.c +++ b/src/client/ns_turn_msg.c 
@@ -1465,7 +1465,7 @@ void print_bin_func(const char *name, size_t len, const void *s, const char *fun printf("]\n"); } -int stun_attr_add_integrity_str(turn_credential_type ct, u08bits *buf, size_t *len, hmackey_t key, st_password_t pwd, SHATYPE shatype) +int stun_attr_add_integrity_str(turn_credential_type ct, u08bits *buf, size_t *len, hmackey_t key, password_t pwd, SHATYPE shatype) { u08bits hmac[MAXSHASIZE]; @@ -1504,7 +1504,7 @@ int stun_attr_add_integrity_by_key_str(u08bits *buf, size_t *len, u08bits *uname if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_REALM, realm, strlen((s08bits*)realm))<0) return -1; - st_password_t p; + password_t p; return stun_attr_add_integrity_str(TURN_CREDENTIALS_LONG_TERM, buf, len, key, p, shatype); } @@ -1518,7 +1518,7 @@ int stun_attr_add_integrity_by_user_str(u08bits *buf, size_t *len, u08bits *unam return stun_attr_add_integrity_by_key_str(buf, len, uname, realm, key, nonce, shatype); } -int stun_attr_add_integrity_by_user_short_term_str(u08bits *buf, size_t *len, u08bits *uname, st_password_t pwd, SHATYPE shatype) +int stun_attr_add_integrity_by_user_short_term_str(u08bits *buf, size_t *len, u08bits *uname, password_t pwd, SHATYPE shatype) { if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_USERNAME, uname, strlen((s08bits*)uname))<0) return -1; @@ -1540,7 +1540,7 @@ void print_hmac(const char *name, const void *s, size_t len) /* * Return -1 if failure, 0 if the integrity is not correct, 1 if OK */ -int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *buf, size_t len, hmackey_t key, st_password_t pwd, SHATYPE shatype, int *too_weak) +int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *buf, size_t len, hmackey_t key, password_t pwd, SHATYPE shatype, int *too_weak) { int res = 0; u08bits new_hmac[MAXSHASIZE]; 
@@ -1608,10 +1608,10 @@ int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *bu int stun_check_message_integrity_str(turn_credential_type ct, u08bits *buf, size_t len, u08bits *uname, u08bits *realm, u08bits *upwd, SHATYPE shatype) { hmackey_t key; - st_password_t pwd; + password_t pwd; if(ct == TURN_CREDENTIALS_SHORT_TERM) - strncpy((char*)pwd,(char*)upwd,sizeof(st_password_t)); + strncpy((char*)pwd,(char*)upwd,sizeof(password_t)); else if (stun_produce_integrity_key_str(uname, realm, upwd, key, shatype) < 0) return -1; diff --git a/src/client/ns_turn_msg.h b/src/client/ns_turn_msg.h index 2b24231..8f8c739 100644 --- a/src/client/ns_turn_msg.h +++ b/src/client/ns_turn_msg.h @@ -66,7 +66,7 @@ typedef u08bits hmackey_t[64]; /** * Short-term credentials password */ -typedef u08bits st_password_t[STUN_MAX_PWD_SIZE+1]; +typedef u08bits password_t[STUN_MAX_PWD_SIZE+1]; typedef unsigned int band_limit_t; /////////////////////////////////// 
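Review bot: The doc comment above the renamed typedef still reads `Short-term credentials password`, but this commit also uses password_t for admin_user passwords in the DB drivers and in userdb. Suggest `/** Password buffer (short-term credentials and admin users) */` so the type's wider role is documented where it is declared.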
@@ -179,12 +179,12 @@ void print_bin_func(const char *name, size_t len, const void *s, const char *fun /* * Return -1 if failure, 0 if the integrity is not correct, 1 if OK */ -int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *buf, size_t len, hmackey_t key, st_password_t pwd, SHATYPE shatype, int *too_weak); +int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *buf, size_t len, hmackey_t key, password_t pwd, SHATYPE shatype, int *too_weak); int stun_check_message_integrity_str(turn_credential_type ct, u08bits *buf, size_t len, u08bits *uname, u08bits *realm, u08bits *upwd, SHATYPE shatype); -int stun_attr_add_integrity_str(turn_credential_type ct, u08bits *buf, size_t *len, hmackey_t key, st_password_t pwd, SHATYPE shatype); +int stun_attr_add_integrity_str(turn_credential_type ct, u08bits *buf, size_t *len, hmackey_t key, password_t pwd, SHATYPE shatype); int stun_attr_add_integrity_by_key_str(u08bits *buf, size_t *len, u08bits *uname, u08bits *realm, hmackey_t key, u08bits *nonce, SHATYPE shatype); int stun_attr_add_integrity_by_user_str(u08bits *buf, size_t *len, u08bits *uname, u08bits *realm, u08bits *upwd, u08bits *nonce, SHATYPE shatype); -int stun_attr_add_integrity_by_user_short_term_str(u08bits *buf, size_t *len, u08bits *uname, st_password_t pwd, SHATYPE shatype); +int stun_attr_add_integrity_by_user_short_term_str(u08bits *buf, size_t *len, u08bits *uname, password_t pwd, SHATYPE shatype); size_t get_hmackey_size(SHATYPE shatype); /* diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c index cf660f5..a6e0e64 100644 --- a/src/server/ns_turn_server.c +++ b/src/server/ns_turn_server.c 
@@ -3164,7 +3164,7 @@ static int create_challenge_response(ts_ur_super_session *ss, stun_tid *tid, int
 #define min(a,b) ((a)<=(b) ? (a) : (b))
 #endif
-static void resume_processing_after_username_check(int success, int oauth, int max_session_time, hmackey_t hmackey, st_password_t pwd, turn_turnserver *server, u64bits ctxkey, ioa_net_data *in_buffer)
+static void resume_processing_after_username_check(int success, int oauth, int max_session_time, hmackey_t hmackey, password_t pwd, turn_turnserver *server, u64bits ctxkey, ioa_net_data *in_buffer)
 {
 if(server && in_buffer && in_buffer->nbh) {
@@ -3178,7 +3178,7 @@ static void resume_processing_after_username_check(int success, int oauth, int
 ss->hmackey_set = 1;
 ss->oauth = oauth;
 ss->max_session_time_auth = (turn_time_t)max_session_time;
- ns_bcopy(pwd,ss->pwd,sizeof(st_password_t));
+ ns_bcopy(pwd,ss->pwd,sizeof(password_t));
 }
 read_client_connection(server,ss,in_buffer,0,0);
diff --git a/src/server/ns_turn_server.h b/src/server/ns_turn_server.h
index 7538080..1a76739 100644
--- a/src/server/ns_turn_server.h
+++ b/src/server/ns_turn_server.h
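Review bot: `ns_bcopy(pwd,ss->pwd,sizeof(password_t));` copies the full `STUN_MAX_PWD_SIZE+1` bytes, and because `password_t pwd` decays to a pointer in the parameter list nothing in the `get_username_resume_cb` signature guarantees the caller's buffer is that large; whoever invokes the callback should pass a real `password_t`, or the copy should be bounded by the string length plus terminator. The session now also keeps a copy of the password for its whole lifetime, so if the session-free path does not already clear it, add `ns_bzero(ss->pwd, sizeof(password_t));` there to limit how long the credential stays in memory. The surrounding function body and the free path are outside the hunk.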
@@ -90,7 +90,7 @@ typedef enum {
 struct _turn_turnserver;
 typedef struct _turn_turnserver turn_turnserver;
-typedef void (*get_username_resume_cb)(int success, int oauth, int max_session_time, hmackey_t hmackey, st_password_t pwd, turn_turnserver *server, u64bits ctxkey, ioa_net_data *in_buffer);
+typedef void (*get_username_resume_cb)(int success, int oauth, int max_session_time, hmackey_t hmackey, password_t pwd, turn_turnserver *server, u64bits ctxkey, ioa_net_data *in_buffer);
 typedef u08bits *(*get_user_key_cb)(turnserver_id id, turn_credential_type ct, int in_oauth, int *out_oauth, u08bits *uname, u08bits *realm, get_username_resume_cb resume, ioa_net_data *in_buffer, u64bits ctxkey, int *postpone_reply);
 typedef int (*check_new_allocation_quota_cb)(u08bits *username, int oauth, u08bits *realm);
 typedef void (*release_allocation_quota_cb)(u08bits *username, int oauth, u08bits *realm);
diff --git a/src/server/ns_turn_session.h b/src/server/ns_turn_session.h
index c1a2c70..c9d4b92 100644
--- a/src/server/ns_turn_session.h
+++ b/src/server/ns_turn_session.h
@@ -81,7 +81,7 @@ struct _ts_ur_super_session {
 u08bits username[STUN_MAX_USERNAME_SIZE+1];
 hmackey_t hmackey;
 int hmackey_set;
- st_password_t pwd;
+ password_t pwd;
 int quota_used;
 int oauth;
 turn_time_t max_session_time_auth;
diff --git a/turndb/schema.mongo.sh b/turndb/schema.mongo.sh
index 0edec9b..32173f0 100755
--- a/turndb/schema.mongo.sh
+++ b/turndb/schema.mongo.sh
@@ -9,7 +9,7 @@ db.turnusers_st.ensureIndex({ name: 1 }, { unique: 1 });
 db.turn_secret.ensureIndex({ realm: 1 }, { unique: 1 });
 db.realm.ensureIndex({ realm: 1 }, { unique: 1 });
 db.oauth_key.ensureIndex({ kid: 1 }, {unique: 1 });
-db.admin_user.ensureIndex({ uname: 1 }, {unique: 1 });
+db.admin_user.ensureIndex({ name: 1 }, {unique: 1 });
 exit
diff --git a/turndb/schema.sql b/turndb/schema.sql
index 5a2396b..00cd4dc 100644
--- a/turndb/schema.sql
+++ b/turndb/schema.sql
@@ -56,8 +56,8 @@ CREATE TABLE oauth_key (
 );
 CREATE TABLE admin_user (
- uname varchar(32),
+ name varchar(32),
 realm varchar(127),
 password varchar(127),
- primary key (uname)
+ primary key (name)
 );
diff --git a/turndb/schema.userdb.redis b/turndb/schema.userdb.redis
index fbc550c..a09d323 100644
--- a/turndb/schema.userdb.redis
+++ b/turndb/schema.userdb.redis
@@ -139,9 +139,6 @@ set turn/user/gorst/password "hero"
 set turn/user/whirrun/password "sword"
 set turn/user/stranger-come-knocking/password "civilization"
-set turn/realm/north.gov/admin_user/skarling/password "hoodless"
-set turn/admin_user/bayaz/password "magi"
-
 set turn/realm/north.gov/max-bps 500000
 set turn/realm/north.gov/total-quota 12000
 set turn/realm/north.gov/user-quota 10000
@@ -158,7 +155,11 @@ sadd turn/realm/crinna.org/allowed-peer-ip "172.17.13.202"
 sadd turn/realm/north.gov/denied-peer-ip "172.17.13.133-172.17.14.56" "172.17.17.133-172.17.19.56" "123::45"
 sadd turn/realm/crinna.org/denied-peer-ip "123::77"
-hmset turn/oauth/kid/north ikm_key Y2FybGVvbg== hkdf_hash_func 'SHA-256' as_rs_alg 'AES-128-CBC' auth_alg 'HMAC-SHA-256-128'
+hmset turn/oauth/kid/north ikm_key 'Y2FybGVvbg==' hkdf_hash_func 'SHA-256' as_rs_alg 'AES-128-CBC' auth_alg 'HMAC-SHA-256-128'
+hmset turn/oauth/kid/oldempire ikm_key 'YXVsY3Vz' hkdf_hash_func 'SHA-256' as_rs_alg 'AEAD-AES-256-GCM'
+
+hmset turn/admin_user/skarling realm 'north.gov' password 'hoodless'
+hmset turn/admin_user/bayaz password 'magi'
 save
diff --git a/turndb/testmongosetup.sh b/turndb/testmongosetup.sh
index 0d3f107..60d36ed 100755
--- a/turndb/testmongosetup.sh
+++ b/turndb/testmongosetup.sh
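Review bot: The new `hmset turn/admin_user/bayaz password 'magi'` omits the `realm` field while `skarling` sets `realm 'north.gov'`; the SQL and Mongo fixtures in this same patch give bayaz an explicit empty realm, so either the redis driver must treat a missing field and `''` identically (confirm) or the line should read `hmset turn/admin_user/bayaz realm '' password 'magi'` for consistency. The same applies to the identical lines added in turndb/testredisdbsetup.sh. Separately, `password` here holds the literal admin password; if the driver compares it verbatim, admin credentials sit at rest in plaintext, and the schema should state whether a hashed form is expected instead.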
@@ -23,8 +23,8 @@ db.turnusers_st.insert({ name: 'stranger-come-knocking', password: 'civilization
 db.turn_secret.insert({ realm: 'north.gov', value: 'logen' });
 db.turn_secret.insert({ realm: 'crinna.org', value: 'north' });
-db.admin_user.insert({ uname: 'skarling', realm: 'north.gov', password: 'hoodless' });
-db.admin_user.insert({ uname: 'bayaz', realm: '', password: 'magi' });
+db.admin_user.insert({ name: 'skarling', realm: 'north.gov', password: 'hoodless' });
+db.admin_user.insert({ name: 'bayaz', realm: '', password: 'magi' });
 db.realm.insert({
diff --git a/turndb/testredisdbsetup.sh b/turndb/testredisdbsetup.sh
index 5e2fb68..2330745 100755
--- a/turndb/testredisdbsetup.sh
+++ b/turndb/testredisdbsetup.sh
@@ -51,8 +51,11 @@ sadd turn/realm/crinna.org/allowed-peer-ip "172.17.13.202"
 sadd turn/realm/north.gov/denied-peer-ip "172.17.13.133-172.17.14.56" "172.17.17.133-172.17.19.56" "123::45"
 sadd turn/realm/crinna.org/denied-peer-ip "123::77"
-hmset turn/oauth/kid/north ikm_key Y2FybGVvbg== hkdf_hash_func 'SHA-256' as_rs_alg 'AES-256-CBC' auth_alg 'HMAC-SHA-256-128'
-hmset turn/oauth/kid/oldempire ikm_key YXVsY3Vz hkdf_hash_func 'SHA-256' as_rs_alg 'AEAD-AES-256-GCM'
+hmset turn/oauth/kid/north ikm_key 'Y2FybGVvbg==' hkdf_hash_func 'SHA-256' as_rs_alg 'AES-256-CBC' auth_alg 'HMAC-SHA-256-128'
+hmset turn/oauth/kid/oldempire ikm_key 'YXVsY3Vz' hkdf_hash_func 'SHA-256' as_rs_alg 'AEAD-AES-256-GCM'
+
+hmset turn/admin_user/skarling realm 'north.gov' password 'hoodless'
+hmset turn/admin_user/bayaz password 'magi'
 save
diff --git a/turndb/testsqldbsetup.sql b/turndb/testsqldbsetup.sql
index e9aef97..8e47399 100644
--- a/turndb/testsqldbsetup.sql
+++ b/turndb/testsqldbsetup.sql
@@ -12,8 +12,8 @@ insert into turnusers_st (name, password) values('stranger-come-knocking','civil
 insert into turn_secret (realm,value) values('north.gov','logen');
 insert into turn_secret (realm,value) values('crinna.org','north');
-insert into admin_user (uname, realm, password) values('skarling','north.gov','hoodless');
-insert into admin_user (uname, realm, password) values('bayaz','','magi');
+insert into admin_user (name, realm, password) values('skarling','north.gov','hoodless');
+insert into admin_user (name, realm, password) values('bayaz','','magi');
 insert into turn_origin_to_realm (origin,realm) values('http://crinna.org:80','crinna.org');
 insert into turn_origin_to_realm (origin,realm) values('https://bligh.edu:443','crinna.org');