encrypted admin user passwords

2015-03-21 07:29:00 +00:00 · 2015-03-21 07:29:00 +00:00 · c92e4e7480
commit c92e4e7480
parent a2cf8155a6
7 changed files with 19 additions and 11 deletions
--- a/8
+++ b/8
@ -689,7 +689,9 @@ or up to 96 characters (HEX representation of 48 bytes) for SHA384,
 or up to 128 characters (HEX representation of 64 bytes) for SHA512:

 # Table holding shared secrets for secret-based authorization
-# (REST API). It can only be used together with the long-term 
+# (REST API). Shared secret can be stored either in unsecure open
+# plain form, or in encrypted form (see turnadmin docs).
+# It can only be used together with the long-term 
 # mechanism:
 #
 CREATE TABLE turn_secret (
@ -793,6 +795,8 @@ The oauth_key table fields meanings are:
 # Https access admin users.
 # Leave this table empty if you do not want 
 # remote https access to the admin functions.
+# Web user password can be stored either in unsecure open
+# plain form, or in encrypted form (see turnadmin docs).
 #
 CREATE TABLE admin_user (
 	name varchar(32),
@ -900,7 +904,7 @@ The database schema for the TURN server is very minimalistic and is located
 in project's turndb/schema.sql file, or in the system's 
 PREFIX/share/turnserver/schema.sql file after the turnserver installation:

-$ cat turndb/schema.sql | psql -U turn turn
+$ cat turndb/schema.sql | psql -U turn -d turn
 	NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "turnusers_lt_pkey" for table "turnusers_lt"
 	CREATE TABLE
 	CREATE TABLE
--- a/examples/var/db/turndb
+++ b/examples/var/db/turndb
--- a/src/apps/relay/turn_admin_server.c
+++ b/src/apps/relay/turn_admin_server.c
@ -3318,7 +3318,6 @@ static void handle_logon_request(ioa_socket_handle s, struct http_request* hr)
 		if(!(as->as_ok) && uname && pwd) {
 			const turn_dbdriver_t * dbd = get_dbdriver();
 			if (dbd && dbd->get_admin_user) {
-
 				password_t password;
 				char realm[STUN_MAX_REALM_SIZE+1]="\0";
 				if((*(dbd->get_admin_user))((const u08bits*)uname,(u08bits*)realm,password)>=0) {
@ -3356,7 +3355,9 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh)
 	if(turn_params.verbose) {
 		if(nbh) {
 			((char*)ioa_network_buffer_data(nbh))[ioa_network_buffer_get_size(nbh)] = 0;
-			TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: HTTPS connection input: %s\n", __FUNCTION__, (char*)ioa_network_buffer_data(nbh));
+			if(!strstr((char*)ioa_network_buffer_data(nbh),"pwd")) {
+				TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: HTTPS connection input: %s\n", __FUNCTION__, (char*)ioa_network_buffer_data(nbh));
+			}
 		} else {
 			TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: HTTPS connection initial input\n", __FUNCTION__);
 		}
--- a/src/apps/relay/userdb.c
+++ b/src/apps/relay/userdb.c
@ -1011,7 +1011,7 @@ int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08b
 				must_set_admin_pwd(pwd);
 				if (dbd->set_admin_user) {
 					password_t password;
-					STRCPY(password,pwd);
+					generate_new_enc_password((char*)pwd,(char*)password);
 					(*dbd->set_admin_user)(user, realm, password);
 				}
 			} else {
--- a/turndb/testmongosetup.sh
+++ b/turndb/testmongosetup.sh
@ -20,8 +20,8 @@ db.turn_secret.insert({ realm: 'north.gov', value: 'bloody9' });
 db.turn_secret.insert({ realm: 'crinna.org', value: 'north' });
 db.turn_secret.insert({ realm: 'crinna.org', value: 'library' });

-db.admin_user.insert({ name: 'skarling', realm: 'north.gov', password: 'hoodless' });
-db.admin_user.insert({ name: 'bayaz', realm: '', password: 'magi' });
+db.admin_user.insert({ name: 'skarling', realm: 'north.gov', password: '$5$6fc35c3b0c7d4633$27fca7574f9b79d0cb93ae03e45379470cbbdfcacdd6401f97ebc620f31f54f2' });
+db.admin_user.insert({ name: 'bayaz', realm: '', password: '$5$e018513e9de69e73$5cbdd2e29e04ca46aeb022268a7460d3a3468de193dcb2b95f064901769f455f' });

 db.realm.insert({
  realm: 'north.gov',
--- a/turndb/testredisdbsetup.sh
+++ b/turndb/testredisdbsetup.sh
@ -4,6 +4,9 @@
 # gorst:password: hero
 # whirrun:password: sword
 # stranger-come-knocking:password: civilization
+#
+# bayaz admin user password: magi
+# skarling admin user password: hoodless

 redis-cli <<!

@ -39,8 +42,8 @@ hmset turn/oauth/kid/north ikm_key 'Y2FybGVvbg==' hkdf_hash_func 'SHA-256' as_rs
 hmset turn/oauth/kid/union ikm_key 'aGVyb2Q=' hkdf_hash_func 'SHA-256' as_rs_alg 'AES-256-CBC' auth_alg 'HMAC-SHA-512'
 hmset turn/oauth/kid/oldempire ikm_key 'YXVsY3Vz' hkdf_hash_func 'SHA-256' as_rs_alg 'AEAD-AES-256-GCM'

-hmset turn/admin_user/skarling realm 'north.gov' password 'hoodless'
-hmset turn/admin_user/bayaz password 'magi'
+hmset turn/admin_user/skarling realm 'north.gov' password '\$5\$6fc35c3b0c7d4633\$27fca7574f9b79d0cb93ae03e45379470cbbdfcacdd6401f97ebc620f31f54f2'
+hmset turn/admin_user/bayaz password '\$5\$e018513e9de69e73\$5cbdd2e29e04ca46aeb022268a7460d3a3468de193dcb2b95f064901769f455f'

 save

--- a/turndb/testsqldbsetup.sql
+++ b/turndb/testsqldbsetup.sql
@ -9,8 +9,8 @@ insert into turn_secret (realm,value) values('north.gov','bloody9');
 insert into turn_secret (realm,value) values('crinna.org','north');
 insert into turn_secret (realm,value) values('crinna.org','library');

-insert into admin_user (name, realm, password) values('skarling','north.gov','hoodless');
-insert into admin_user (name, realm, password) values('bayaz','','magi');
+insert into admin_user (name, realm, password) values('skarling','north.gov','$5$6fc35c3b0c7d4633$27fca7574f9b79d0cb93ae03e45379470cbbdfcacdd6401f97ebc620f31f54f2');
+insert into admin_user (name, realm, password) values('bayaz','','$5$e018513e9de69e73$5cbdd2e29e04ca46aeb022268a7460d3a3468de193dcb2b95f064901769f455f');

 insert into turn_origin_to_realm (origin,realm) values('http://crinna.org:80','crinna.org');
 insert into turn_origin_to_realm (origin,realm) values('https://bligh.edu:443','crinna.org');