From 6291ba670282fb8ffa77377ba3da7eb26348f884 Mon Sep 17 00:00:00 2001
From: mom040267
Date: Mon, 20 Apr 2015 04:40:24 +0000
Subject: [PATCH] working on oauth
---
 .../secure_relay_with_db_mongo.sh | 2 +-
 .../secure_relay_with_db_mysql.sh | 2 +-
 .../secure_relay_with_db_mysql_ssl.sh | 2 +-
 .../secure_relay_with_db_psql.sh | 2 +-
 .../secure_relay_with_db_redis.sh | 2 +-
 .../secure_relay_with_db_sqlite.sh | 2 +-
 src/apps/relay/mainrelay.c | 4 +-
 src/apps/rfc5769/rfc5769check.c | 4 +-
 src/client/ns_turn_msg.c | 40 +++++++++----------
 src/client/ns_turn_msg_defs_new.h | 4 +-
 10 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh
index 59254ac..09d31cb 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_mongo.sh
@@ -21,7 +21,7 @@
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
 # 10) --cipher-list=ALL means that we support all OpenSSL ciphers
-# 11) --oauth - mandate oAuth security dialog
+# 11) --oauth - support oAuth security dialog
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh
index 44448da..e486c5f 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql.sh
@@ -22,7 +22,7 @@
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
 # 10) --cipher-list=ALL means that we support all OpenSSL ciphers
-# 11) --oauth - mandate oAuth security dialog
+# 11) --oauth - support oAuth security dialog
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh
index 5da6af4..95d4ceb 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_mysql_ssl.sh
@@ -23,7 +23,7 @@
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
 # 10) --cipher-list=ALL means that we support all OpenSSL ciphers
-# 11) --oauth - mandate oAuth security dialog
+# 11) --oauth - support oAuth security dialog
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh
index f65852f..ffc30e0 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_psql.sh
@@ -22,7 +22,7 @@
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
 # 10) --cipher-list=ALL means that we support all OpenSSL ciphers
-# 11) --oauth - mandate oAuth security dialog
+# 11) --oauth - support oAuth security dialog
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh
index 1de0d15..4c4c4df 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh
@@ -25,7 +25,7 @@
 # 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 10) "--log-file=stdout" means that all log output will go to the stdout.
 # 11) --cipher-list=ALL means that we support all OpenSSL ciphers
-# 12) --oauth - mandate oAuth security dialog
+# 12) --oauth - support oAuth security dialog
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh
index 892df9c..009fdce 100755
--- a/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh
+++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_sqlite.sh
@@ -21,7 +21,7 @@
 # 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
 # 9) "--log-file=stdout" means that all log output will go to the stdout.
 # 10) --cipher-list=ALL means that we support all OpenSSL ciphers
-# 11) --oauth - mandate oAuth security dialog
+# 11) --oauth - support oAuth security dialog
 # Other parameters (config file name, etc) are default.
 if [ -d examples ] ; then
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index df26bca..aa4ad5d 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -1639,9 +1639,9 @@ static void print_features(unsigned long mfn)
 #endif
 #if defined(TURN_NO_GCM)
- TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "AEAD is not supported\n");
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "GCM (AEAD) is not supported\n");
 #else
- TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "AEAD GCM supported\n");
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "GCM (AEAD) supported\n");
 #endif
 TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "OpenSSL compile-time version: %s\n",OPENSSL_VERSION_TEXT);
diff --git a/src/apps/rfc5769/rfc5769check.c b/src/apps/rfc5769/rfc5769check.c
index c8b2f12..220b5df 100644
--- a/src/apps/rfc5769/rfc5769check.c
+++ b/src/apps/rfc5769/rfc5769check.c
@@ -83,7 +83,7 @@ static int check_oauth(void) {
 const turn_time_t key_timestamp = 1234567890;
 const turn_time_t key_lifetime = 3600;
- const char aead_nonce[OAUTH_AEAD_NONCE_SIZE+1] = "h4j3k2l2n4b5";
+ const char gcm_nonce[OAUTH_GCM_NONCE_SIZE+1] = "h4j3k2l2n4b5";
 {
 {
@@ -144,7 +144,7 @@ static int check_oauth(void) {
 ns_bzero(&etoken,sizeof(etoken));
 if (encode_oauth_token((const u08bits *) server_name, &etoken,
- &key, &ot, (const u08bits*)aead_nonce) < 0) {
+ &key, &ot, (const u08bits*)gcm_nonce) < 0) {
 fprintf(stderr, "%s: cannot encode oauth token\n", __FUNCTION__);
 return -1;
diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c
index dfce883..490598b 100644
--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
@@ -2348,13 +2348,13 @@ static void generate_random_nonce(unsigned char *nonce, size_t sz) {
 #if !defined(TURN_NO_GCM)
-static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits* nonce0) {
+static int encode_oauth_token_gcm(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits* nonce0) {
 if(server_name && etoken && key && dtoken && (dtoken->enc_block.key_length<=MAXSHASIZE)) {
 unsigned char orig_field[MAX_ENCODED_OAUTH_TOKEN_SIZE];
 ns_bzero(orig_field,sizeof(orig_field));
- unsigned char nonce[OAUTH_AEAD_NONCE_SIZE];
+ unsigned char nonce[OAUTH_GCM_NONCE_SIZE];
 if(nonce0) {
 ns_bcopy(nonce0,nonce,sizeof(nonce));
 } else {
@@ -2363,11 +2363,11 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok
 size_t len = 0;
- *((uint16_t*)(orig_field+len)) = nswap16(OAUTH_AEAD_NONCE_SIZE);
+ *((uint16_t*)(orig_field+len)) = nswap16(OAUTH_GCM_NONCE_SIZE);
 len +=2;
- ns_bcopy(nonce,orig_field+len,OAUTH_AEAD_NONCE_SIZE);
- len += OAUTH_AEAD_NONCE_SIZE;
+ ns_bcopy(nonce,orig_field+len,OAUTH_GCM_NONCE_SIZE);
+ len += OAUTH_GCM_NONCE_SIZE;
 *((uint16_t*)(orig_field+len)) = nswap16(dtoken->enc_block.key_length);
 len +=2;
@@ -2395,7 +2395,7 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok
 EVP_CIPHER_CTX_set_padding(&ctx,1);
 /* Set IV length if default 12 bytes (96 bits) is not appropriate */
- if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, OAUTH_AEAD_NONCE_SIZE, NULL))
+ if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, OAUTH_GCM_NONCE_SIZE, NULL))
 return -1;
 /* Initialize key and IV */
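Review bot: The two `*((uint16_t*)(orig_field+len)) = nswap16(...)` stores in the @@ -2363 hunk write a 16-bit value through a cast pointer into the unsigned char array orig_field, which is a strict-aliasing violation and relies on 2 + OAUTH_GCM_NONCE_SIZE staying even for the second store to be aligned. A byte copy through the helper the file already uses is portable and no longer: `uint16_t nl = nswap16(OAUTH_GCM_NONCE_SIZE); ns_bcopy(&nl, orig_field+len, 2);`, and likewise for the key_length field. The matching read `nswap16(*((const uint16_t*)csnl))` at @@ -2447 has the same shape, and there the buffer alignment is whatever the caller hands over. encode_oauth_token_gcm starts before and ends after this hunk.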
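Review bot: The `return -1;` after the EVP_CTRL_GCM_SET_IVLEN check in the @@ -2395 hunk exits without EVP_CIPHER_CTX_cleanup(&ctx), while the success path at @@ -2425 does call it; taking the address of ctx suggests it is a stack context initialised earlier in the function, so each early exit leaks whatever cipher state OpenSSL attached to it. The `return -1;` after my_EVP_EncryptUpdate at @@ -2413 has the same problem. With only a couple of sites, `{ EVP_CIPHER_CTX_cleanup(&ctx); return -1; }` at each is enough; otherwise a single cleanup label reached by goto keeps the exits uniform. encode_oauth_token_gcm starts before and ends after this hunk.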
@@ -2413,10 +2413,10 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok
 outl=0;
 unsigned char *encoded_field = (unsigned char*)etoken->token;
- ns_bcopy(orig_field,encoded_field,OAUTH_AEAD_NONCE_SIZE + 2);
- encoded_field += OAUTH_AEAD_NONCE_SIZE + 2;
- unsigned char *start_field = orig_field + OAUTH_AEAD_NONCE_SIZE + 2;
- len -= OAUTH_AEAD_NONCE_SIZE + 2;
+ ns_bcopy(orig_field,encoded_field,OAUTH_GCM_NONCE_SIZE + 2);
+ encoded_field += OAUTH_GCM_NONCE_SIZE + 2;
+ unsigned char *start_field = orig_field + OAUTH_GCM_NONCE_SIZE + 2;
+ len -= OAUTH_GCM_NONCE_SIZE + 2;
 if(1 != my_EVP_EncryptUpdate(&ctx, encoded_field, &outl, start_field, (int)len))
 return -1;
@@ -2425,10 +2425,10 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok
 EVP_EncryptFinal_ex(&ctx, encoded_field + outl, &tmp_outl);
 outl += tmp_outl;
- EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, OAUTH_AEAD_TAG_SIZE, encoded_field + outl);
- outl += OAUTH_AEAD_TAG_SIZE;
+ EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, OAUTH_GCM_TAG_SIZE, encoded_field + outl);
+ outl += OAUTH_GCM_TAG_SIZE;
- etoken->size = 2 + OAUTH_AEAD_NONCE_SIZE + outl;
+ etoken->size = 2 + OAUTH_GCM_NONCE_SIZE + outl;
 EVP_CIPHER_CTX_cleanup(&ctx);
@@ -2437,7 +2437,7 @@ static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_tok
 return -1;
 }
-static int decode_oauth_token_aead(const u08bits *server_name, const encoded_oauth_token *etoken, const oauth_key *key, oauth_token *dtoken)
+static int decode_oauth_token_gcm(const u08bits *server_name, const encoded_oauth_token *etoken, const oauth_key *key, oauth_token *dtoken)
 {
 if(server_name && etoken && key && dtoken) {
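Review bot: `EVP_EncryptFinal_ex(&ctx, encoded_field + outl, &tmp_outl)` and the EVP_CTRL_GCM_GET_TAG control in the @@ -2425 hunk are called without checking their return values, whereas the update call at @@ -2413 is checked; on failure tmp_outl and the tag bytes are unspecified, yet `etoken->size` is still computed from them and the function presumably goes on to report success. Treating both like the update call, `if(1 != EVP_EncryptFinal_ex(&ctx, encoded_field + outl, &tmp_outl)) { EVP_CIPHER_CTX_cleanup(&ctx); return -1; }` and the same guard around the GET_TAG control, makes a failed finalisation surface as an error instead of a token whose tag cannot verify. encode_oauth_token_gcm starts before and ends after this hunk.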
@@ -2447,17 +2447,17 @@ static int decode_oauth_token_aead(const u08bits *server_name, const encoded_oau
 uint16_t nonce_len = nswap16(*((const uint16_t*)csnl));
- size_t min_encoded_field_size = 2+4+8+nonce_len+2+OAUTH_AEAD_TAG_SIZE+1;
+ size_t min_encoded_field_size = 2+4+8+nonce_len+2+OAUTH_GCM_TAG_SIZE+1;
 if(etoken->size < min_encoded_field_size) {
 OAUTH_ERROR("%s: token size too small: %d\n",__FUNCTION__,(int)etoken->size);
 return -1;
 }
 const unsigned char* encoded_field = (const unsigned char*)(etoken->token + nonce_len + 2);
- unsigned int encoded_field_size = (unsigned int)etoken->size - nonce_len - 2 - OAUTH_AEAD_TAG_SIZE;
+ unsigned int encoded_field_size = (unsigned int)etoken->size - nonce_len - 2 - OAUTH_GCM_TAG_SIZE;
 const unsigned char* nonce = ((const unsigned char*)etoken->token + 2);
- unsigned char tag[OAUTH_AEAD_TAG_SIZE];
+ unsigned char tag[OAUTH_GCM_TAG_SIZE];
 ns_bcopy(((const unsigned char*)etoken->token) + nonce_len + 2 + encoded_field_size, tag ,sizeof(tag));
 unsigned char decoded_field[MAX_ENCODED_OAUTH_TOKEN_SIZE];
@@ -2492,7 +2492,7 @@ static int decode_oauth_token_aead(const u08bits *server_name, const encoded_oau
 /* Set expected tag value. A restriction in OpenSSL 1.0.1c and earlier + * required the tag before any AAD or ciphertext */
- EVP_CIPHER_CTX_ctrl (&ctx, EVP_CTRL_GCM_SET_TAG, OAUTH_AEAD_TAG_SIZE, tag);
+ EVP_CIPHER_CTX_ctrl (&ctx, EVP_CTRL_GCM_SET_TAG, OAUTH_GCM_TAG_SIZE, tag);
 int outl=0;
 size_t sn_len = strlen((const char*)server_name);
@@ -2548,7 +2548,7 @@ int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken,
 #if !defined(TURN_NO_GCM)
 case A256GCM:
 case A128GCM:
- return encode_oauth_token_aead(server_name, etoken,key,dtoken,nonce);
+ return encode_oauth_token_gcm(server_name, etoken,key,dtoken,nonce);
 #endif
 default:
 fprintf(stderr,"Unsupported AS_RS algorithm: %d\n",(int)key->as_rs_alg);
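Review bot: `nonce_len` in the @@ -2447 hunk is read straight from the received token via nswap16 and is bounded only indirectly by the `etoken->size < min_encoded_field_size` check; nothing compares it with OAUTH_GCM_NONCE_SIZE or OAUTH_MAX_NONCE_SIZE, so the encoded_field pointer, encoded_field_size and the tag copy are all derived from a peer-supplied length. The encoder in this file always writes OAUTH_GCM_NONCE_SIZE, so the decoder can reject anything else up front: `if(nonce_len != OAUTH_GCM_NONCE_SIZE) { OAUTH_ERROR("%s: unexpected nonce length: %d\n",__FUNCTION__,(int)nonce_len); return -1; }`; if other nonce sizes are meant to interoperate, bound it by OAUTH_MAX_NONCE_SIZE instead and make sure the same value reaches the IV-length control, which is outside this hunk. It is also worth confirming that callers never set etoken->size above sizeof etoken->token, since `decoded_field[MAX_ENCODED_OAUTH_TOKEN_SIZE]` receives encoded_field_size bytes of plaintext and that relation cannot be seen here. decode_oauth_token_gcm starts before and ends after this hunk.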
@@ -2565,7 +2565,7 @@ int decode_oauth_token(const u08bits *server_name, const encoded_oauth_token *et
 #if !defined(TURN_NO_GCM)
 case A256GCM:
 case A128GCM:
- return decode_oauth_token_aead(server_name, etoken,key,dtoken);
+ return decode_oauth_token_gcm(server_name, etoken,key,dtoken);
 #endif
 default:
 fprintf(stderr,"Unsupported AS_RS algorithm: %d\n",(int)key->as_rs_alg);
diff --git a/src/client/ns_turn_msg_defs_new.h b/src/client/ns_turn_msg_defs_new.h
index 122d3d1..f58e981 100644
--- a/src/client/ns_turn_msg_defs_new.h
+++ b/src/client/ns_turn_msg_defs_new.h
@@ -95,9 +95,9 @@ typedef enum _ENC_ALG ENC_ALG;
 #define OAUTH_HASH_FUNC_SIZE (64)
 #define OAUTH_ALG_SIZE (64)
 #define OAUTH_KEY_SIZE (256)
-#define OAUTH_AEAD_NONCE_SIZE (12)
+#define OAUTH_GCM_NONCE_SIZE (12)
 #define OAUTH_MAX_NONCE_SIZE (256)
-#define OAUTH_AEAD_TAG_SIZE (16)
+#define OAUTH_GCM_TAG_SIZE (16)
 #define OAUTH_ENC_ALG_BLOCK_SIZE (16)
 #define OAUTH_DEFAULT_LIFETIME (0)