From c92e4e748064a4cb9541dd04ac524839cd8a8543 Mon Sep 17 00:00:00 2001
From: mom040267
Date: Sat, 21 Mar 2015 07:29:00 +0000
Subject: [PATCH] encrypted admin user passwords
---
 INSTALL | 8 ++++++--
 examples/var/db/turndb | Bin 22528 -> 22528 bytes
 src/apps/relay/turn_admin_server.c | 5 +++--
 src/apps/relay/userdb.c | 2 +-
 turndb/testmongosetup.sh | 4 ++--
 turndb/testredisdbsetup.sh | 7 +++++--
 turndb/testsqldbsetup.sql | 4 ++--
 7 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/INSTALL b/INSTALL
index 6ec90a1..90c34bc 100644
--- a/INSTALL
+++ b/INSTALL
@@ -689,7 +689,9 @@ or up to 96 characters (HEX representation of 48 bytes) for SHA384,
 or up to 128 characters (HEX representation of 64 bytes) for SHA512:
 # Table holding shared secrets for secret-based authorization
-# (REST API). It can only be used together with the long-term
+# (REST API). Shared secret can be stored either in unsecure open
+# plain form, or in encrypted form (see turnadmin docs).
+# It can only be used together with the long-term
 # mechanism:
 #
 CREATE TABLE turn_secret (
@@ -793,6 +795,8 @@ The oauth_key table fields meanings are:
 # Https access admin users.
 # Leave this table empty if you do not want
 # remote https access to the admin functions.
+# Web user password can be stored either in unsecure open
+# plain form, or in encrypted form (see turnadmin docs).
 #
 CREATE TABLE admin_user (
 name varchar(32),
@@ -900,7 +904,7 @@ The database schema for the TURN server is very minimalistic and is located in project's turndb/schema.sql file, or in the system's PREFIX/share/turnserver/schema.sql file after the turnserver installation:
-$ cat turndb/schema.sql | psql -U turn turn
+$ cat turndb/schema.sql | psql -U turn -d turn
 NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "turnusers_lt_pkey" for table "turnusers_lt" CREATE TABLE CREATE TABLE 
diff --git a/examples/var/db/turndb b/examples/var/db/turndb
index 8802a7f5d6bc0f1fbb11b1baa598cc35253c36a3..a186ae1937dc2022f80133ff5616307cd3fd536c 100644
GIT binary patch
delta 291
zcmXw!OG*Pl6h*7L2-u3?ECUln=&@ASdsWqM>;hasAX?w}BY`M_PE7B>fNOA?1b5+F z7m;xmU?Vs^TsZeE)_k$%Z^wMK9Gvsj=IY~O51DuuSbT5VuYzAL+tKT|==BdXae_4Cs);hrjH@;#Ec55O#K8QJ`4aO+=8c;b1(qas_ok) && uname && pwd) {
 const turn_dbdriver_t * dbd = get_dbdriver();
 if (dbd && dbd->get_admin_user) {
- password_t password;
 char realm[STUN_MAX_REALM_SIZE+1]="\0";
 if((*(dbd->get_admin_user))((const u08bits*)uname,(u08bits*)realm,password)>=0) {
@@ -3356,7 +3355,9 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh)
 if(turn_params.verbose) {
 if(nbh) {
 ((char*)ioa_network_buffer_data(nbh))[ioa_network_buffer_get_size(nbh)] = 0;
- TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: HTTPS connection input: %s\n", __FUNCTION__, (char*)ioa_network_buffer_data(nbh));
+ if(!strstr((char*)ioa_network_buffer_data(nbh),"pwd")) {
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: HTTPS connection input: %s\n", __FUNCTION__, (char*)ioa_network_buffer_data(nbh));
+ }
 } else {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: HTTPS connection initial input\n", __FUNCTION__);
 }
diff --git a/src/apps/relay/userdb.c b/src/apps/relay/userdb.c
index 07b987a..e846cb0 100644
--- a/src/apps/relay/userdb.c
+++ b/src/apps/relay/userdb.c
@@ -1011,7 +1011,7 @@ int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08b
 must_set_admin_pwd(pwd);
 if (dbd->set_admin_user) {
 password_t password;
- STRCPY(password,pwd);
+ generate_new_enc_password((char*)pwd,(char*)password);
 (*dbd->set_admin_user)(user, realm, password);
 }
 } else {
diff --git a/turndb/testmongosetup.sh b/turndb/testmongosetup.sh
index a266cf9..884b28d 100755
--- a/turndb/testmongosetup.sh
+++ b/turndb/testmongosetup.sh 
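Review bot: The new `if(!strstr((char*)ioa_network_buffer_data(nbh),"pwd"))` guard in handle_https only withholds the verbose log line when the request body happens to contain that exact lower-case substring, so any credential-bearing request whose field is named differently, or any later request that carries a session token rather than a password, is still written to the INFO log in full. A safer verbose trace never logs the raw body at all: replace the dump with something like `TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: HTTPS connection input: %u bytes\n", __FUNCTION__, (unsigned)ioa_network_buffer_get_size(nbh));` and keep the body out of the log regardless of its contents. The pre-existing store `[ioa_network_buffer_get_size(nbh)] = 0` on the line above is what makes the new strstr() terminate; it writes one byte past the reported size, so a short comment confirming the buffer is allocated with that spare byte would help the next reader. handle_https starts before this hunk and its body continues after it.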
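Review bot: The new `generate_new_enc_password((char*)pwd,(char*)password);` line in adminuser ignores whatever the function returns, and nothing in the hunk shows whether it can fail or how it bounds the write into the fixed-size `password_t`; on a failure a partially filled buffer would be handed straight to `(*dbd->set_admin_user)`. If the function reports a status, check it before the store call; if it cannot fail, say so in a comment on this line, e.g. `/* generate_new_enc_password() always NUL-terminates within sizeof(password_t) */` (verify that claim against its definition). The fixtures in turndb/testmongosetup.sh show the stored form as `$5$<16 hex chars>$<64 hex chars>`; if that is a single digest over salt and password rather than an iterated KDF, it is worth documenting the construction next to this call so operators can judge how well a leaked admin_user row resists offline guessing. adminuser begins and ends outside this hunk.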
@@ -20,8 +20,8 @@ db.turn_secret.insert({ realm: 'north.gov', value: 'bloody9' });
 db.turn_secret.insert({ realm: 'crinna.org', value: 'north' });
 db.turn_secret.insert({ realm: 'crinna.org', value: 'library' });
-db.admin_user.insert({ name: 'skarling', realm: 'north.gov', password: 'hoodless' });
-db.admin_user.insert({ name: 'bayaz', realm: '', password: 'magi' });
+db.admin_user.insert({ name: 'skarling', realm: 'north.gov', password: '$5$6fc35c3b0c7d4633$27fca7574f9b79d0cb93ae03e45379470cbbdfcacdd6401f97ebc620f31f54f2' });
+db.admin_user.insert({ name: 'bayaz', realm: '', password: '$5$e018513e9de69e73$5cbdd2e29e04ca46aeb022268a7460d3a3468de193dcb2b95f064901769f455f' });
 db.realm.insert({ realm: 'north.gov',
diff --git a/turndb/testredisdbsetup.sh b/turndb/testredisdbsetup.sh
index 29d6d58..d19da17 100755
--- a/turndb/testredisdbsetup.sh
+++ b/turndb/testredisdbsetup.sh
@@ -4,6 +4,9 @@
 # gorst:password: hero
 # whirrun:password: sword
 # stranger-come-knocking:password: civilization
+#
+# bayaz admin user password: magi
+# skarling admin user password: hoodless
 redis-cli <