diff --git a/src/client/ns_turn_msg_defs_new.h b/src/client/ns_turn_msg_defs_new.h
index e4e7bbb..22e1090 100644
--- a/src/client/ns_turn_msg_defs_new.h
+++ b/src/client/ns_turn_msg_defs_new.h
@@ -71,8 +71,8 @@ typedef enum _SHATYPE SHATYPE;
 enum _ENC_ALG {
 ENC_ALG_ERROR=-1,
 ENC_ALG_DEFAULT=0,
- AES_128_CBC=ENC_ALG_DEFAULT,
- AES_256_CBC,
+ AES_256_CBC=ENC_ALG_DEFAULT,
+ AES_128_CBC,
 ENG_ALG_NUM
 };
diff --git a/turndb/schema.mongo.sh b/turndb/schema.mongo.sh
index c340a1b..867dbb6 100755
--- a/turndb/schema.mongo.sh
+++ b/turndb/schema.mongo.sh
@@ -8,6 +8,7 @@ db.turnusers_lt.ensureIndex({ realm: 1, name: 1 }, { unique: 1 });
 db.turnusers_st.ensureIndex({ name: 1 }, { unique: 1 });
 db.turn_secret.ensureIndex({ realm: 1 }, { unique: 1 });
 db.realm.ensureIndex({ realm: 1 }, { unique: 1 });
+db.oauth_key.ensureIndex({ kid: 1 }, {unique: 1 });
 exit
diff --git a/turndb/schema.userdb.redis b/turndb/schema.userdb.redis
index 0d3cae3..84d59c4 100644
--- a/turndb/schema.userdb.redis
+++ b/turndb/schema.userdb.redis
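Review bot: Swapping the two enumerators changes the integer values of both constants (AES_256_CBC is now 0, AES_128_CBC is now 1), not only which one is the default, so any ENC_ALG value that was stored numerically or sent on the wire before this change is read back as the other cipher; nothing in the hunk shows whether such values exist, so the database and encoding paths should be checked before this lands. A comment on the enum would make the contract explicit: `/* the enumerator equal to ENC_ALG_DEFAULT is used when no algorithm is configured; reordering changes the numeric values */`. The context line `ENG_ALG_NUM` reads like a misspelling of ENC_ALG_NUM; it is untouched here, but this hunk is the natural place to fix it if callers are few.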
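Review bot: The new index call writes `{unique: 1 }` while the three lines above write `{ unique: 1 }`; `db.oauth_key.ensureIndex({ kid: 1 }, { unique: 1 });` keeps the file uniform. The index is on `kid` alone, whereas `turnusers_lt` just above is keyed by realm and name; the hunk does not say whether oauth keys are per realm, so it is worth confirming that a kid is meant to be globally unique before the constraint is relied on.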
@@ -37,6 +37,39 @@ the option values are "static" (they remain the same for the lifetime of the
 turnserver process) but the database records can be dynamically changed and they will be almost immediately "seen" by the turnserver process.
+5) For the oAuth authentication, there is a hash structure with the key
+"turn/oauth/kid/". The kid structure fields are:
+
+ ikm_key - (optional) base64-encoded key ("input keying material");
+ The ikm_key is not needed if the as_rs_key and auth_key are defined
+ explicitly in the database;
+
+ timestamp - (optional) the timestamp (in seconds) when the key
+ lifetime started;
+
+ lifetime - (optional) the key lifetime in seconds; the default value
+ is 0 - unlimited lifetime.
+
+ hkdf_hash_func - (optional) hash function for HKDF procedure; the
+ valid values are SHA-1 and SHA-256, with SHA-256 as default;
+ The hkdf_hash_func is not needed if the as_rs_key and auth_key
+ are defined explicitly in the database;
+
+ as_rs_alg - oAuth token encryption algorithm; the valid values are
+ "AES-128-CBC" and "AES-256-CBC", with "AES-256-CBC" as default;
+
+ as_rs_key - (optional) base64-encoded AS-RS key. If not defined, then
+ calculated with ikm_key and hkdf_hash_func. The as_rs_key length
+ is defined by as_rs_alg.
+
+ auth_alg - oAuth token authentication algorithm; the valid values are
+ "HMAC-SHA-256-128", "HMAC-SHA-256" and "HMAC-SHA-1", with
+ "HMAC-SHA-256-128" as default;
+
+ auth_key - (optional) base64-encoded AUTH key. If not defined, then
+ calculated with ikm_key and hkdf_hash_func. The auth_key length
+ is defined by auth_alg.
+
 II. Extra realms data in the database We can use more than one realm with the same instance of the TURN server.
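Review bot: The key pattern is given as `"turn/oauth/kid/"` without the kid itself, while the example later in this file uses `turn/oauth/kid/north`; writing it as `"turn/oauth/kid/<kid>"` removes the ambiguity. The field list marks ikm_key, as_rs_key and auth_key all as optional but never states that a key needs at least ikm_key or the pair as_rs_key/auth_key to be usable; a sentence such as `Either ikm_key or both as_rs_key and auth_key must be set.` would close that gap. It would also help to say whether `timestamp` is a Unix epoch value and what happens to a token presented outside the key's lifetime; neither is stated here.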
@@ -68,6 +101,7 @@ This example sets user database for:
 * The realm performance parameters: "max_bps", "total_quota" and "user_quota" (same names as the turnserver configuration options, with the same meanings).
+ * The oAuth data for the key with kid "north" and key value "carleon".
 The shell command would be:
@@ -109,6 +143,8 @@ set turn/denied-peer-ip/234567 "123::45"
 set turn/allowed-peer-ip/345678 "172.17.13.200"
+hmset turn/oauth/kid/north ikm_key Y2FybGVvbg== hkdf_hash_func 'SHA-256' as_rs_alg 'AES-128-CBC' auth_alg 'HMAC-SHA-256-128'
+
 save
 !
diff --git a/turndb/testmongosetup.sh b/turndb/testmongosetup.sh
index 067d5d5..7567942 100755
--- a/turndb/testmongosetup.sh
+++ b/turndb/testmongosetup.sh
@@ -41,6 +41,8 @@ db.allowed_peer_ip.insert({ ip_range: '172.17.13.200' });
 db.denied_peer_ip.insert({ ip_range: '172.17.13.133-172.17.14.56' });
 db.denied_peer_ip.insert({ ip_range: '123::45' });
+db.oauth_key.insert({ kid: 'north', ikm_key: 'Y2FybGVvbg==', hkdf_hash_func: 'SHA-256', as_rs_alg: 'AES-128-CBC', auth_alg: 'HMAC-SHA-256-128' });
+
 exit
 EOF
diff --git a/turndb/testredisdbsetup.sh b/turndb/testredisdbsetup.sh
index 888fe67..bfeb871 100755
--- a/turndb/testredisdbsetup.sh
+++ b/turndb/testredisdbsetup.sh
@@ -38,6 +38,8 @@ set turn/denied-peer-ip/234567 "123::45"
 set turn/allowed-peer-ip/345678 "172.17.13.200"
+hmset turn/oauth/kid/north ikm_key Y2FybGVvbg== hkdf_hash_func 'SHA-256' as_rs_alg 'AES-128-CBC' auth_alg 'HMAC-SHA-256-128'
+
 save
 !
diff --git a/turndb/testsqldbsetup.sql b/turndb/testsqldbsetup.sql
index 32b390e..acbddc3 100644
--- a/turndb/testsqldbsetup.sql
+++ b/turndb/testsqldbsetup.sql
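Review bot: The fixture inserts kid `north` with `as_rs_alg: 'AES-128-CBC'`, and `turndb/testredisdbsetup.sh` and the `hmset` example in `turndb/schema.userdb.redis` use the same value, but `turndb/testsqldbsetup.sql` in this same commit inserts the same kid with `'AES-256-CBC'`; the backends will derive AS-RS keys of different length from the same ikm_key, so a test that switches backend sees different behaviour for the same key. Pick one value for all four places; since the schema text names AES-256-CBC as the default, `as_rs_alg: 'AES-256-CBC'` here and in the two Redis files is the smaller change.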
@@ -26,3 +26,7 @@ insert into allowed_peer_ip (ip_range) values('172.17.13.200');
 insert into denied_peer_ip (ip_range) values('172.17.13.133-172.17.14.56');
 insert into denied_peer_ip (ip_range) values('123::45');
+
+insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('north','Y2FybGVvbg==',0,0,'SHA-256','AES-256-CBC','','HMAC-SHA-256-128','');
+
+);
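Review bot: The last added line is a bare `);` after the oauth_key insert has already been closed with `;`, which is not a complete statement and will most likely make the whole fixture fail to load; it looks like a leftover from a multi-line edit and should be deleted. The row also stores `''` for as_rs_key and auth_key, while the Mongo and Redis fixtures in this commit leave those fields absent; whether the loader treats an empty string as "not defined" (and derives the keys from ikm_key) is not visible here, so either confirm that or, if the columns allow it, store NULL instead, e.g. `...,'SHA-256','AES-256-CBC',NULL,'HMAC-SHA-256-128',NULL);`.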