short-term credentials removed in the TURN server

mom040267 2015-01-11 06:28:58 +00:00
parent f2a5909be9
commit 237b3baaa7
39 changed files with 136 additions and 810 deletions


@ -1,7 +1,8 @@
1/1/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.3.4.1 'Tolomei':
Version 4.4.1.1 'Carlot dan Eider':
- https admin server;
- SSLv2 support removed;
- The server-side short-term credentials mechanism support removed;
12/24/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.3.3.1 'Tolomei':
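Review bot: the new ChangeLog entry is dated 1/1/2015, but the spec %changelog in this same commit records the 4.4.1.1 sync as Sat Jan 10 2015 and the commit itself is from 2015-01-11; pick one date for both files. The line "The server-side short-term credentials mechanism support removed" would also help upgrading operators if it said what they should do with an existing turnusers_st table, since that table held open passwords (see the note removed further down in INSTALL).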

25
INSTALL

@ -684,13 +684,6 @@ used for the HMAC key generation.
The key must be 32 characters (HEX representation of 16 bytes) for SHA1,
or 64 characters (HEX representation of 32 bytes) for SHA256.
# Table for short-term credentials mechanism authorisation:
#
CREATE TABLE turnusers_st (
name varchar(512) PRIMARY KEY,
password varchar(127)
);
# Table holding shared secrets for secret-based authorization
# (REST API). It can only be used together with the long-term
# mechanism:
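Review bot: the CREATE TABLE turnusers_st block is dropped from the documented schema, but nothing in this hunk tells an operator upgrading an existing database what to do with the table they already have. That table stored open passwords (the INSTALL text removed later in this diff says "you use open passwords in the database"), so add an upgrade note recommending that the now-unused turnusers_st table be dropped, so plaintext credentials do not linger at rest in a table the server no longer reads.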
@ -827,10 +820,10 @@ Fill in users, for example:
Long-term credentials mechanism with SHA256 extension:
$ bin/turnadmin -a -b "/var/db/turndb" -u bethod -r north.gov -p king-of-north --sha256
Short-term credentials mechanism:
Admin users:
$ bin/turnadmin -A -b "/var/db/turndb" -u gorst -p hero
$ bin/turnadmin -A -b "/var/db/turndb" -u ninefingers -p youhavetoberealistic
$ bin/turnadmin -A -b "/var/db/turndb" -u ninefingers -p youhavetoberealistic -r north.gov
XVI. PostgreSQL setup
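Review bot: the "Admin users:" example adds ninefingers twice, once without -r and once with -r north.gov, with no sentence explaining what the difference means (a realm-scoped admin versus a global one?). One line of text before the three commands would save readers from guessing, and the same example is repeated verbatim in the PostgreSQL, MySQL and Redis sections below, so it should be explained once here and the other sections can refer back to it.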
@ -899,8 +892,6 @@ PREFIX/share/turnserver/schema.sql file after the turnserver installation:
$ cat turndb/schema.sql | psql -U turn turn
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "turnusers_lt_pkey" for table "turnusers_lt"
CREATE TABLE
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "turnusers_st_pkey" for table "turnusers_st"
CREATE TABLE
CREATE TABLE
See the SQLite section for the detailed database schema explanation.
@ -951,10 +942,10 @@ Fill in users, for example:
Long-term credentials mechanism with SHA256 extension:
$ bin/turnadmin -a -e "host=localhost dbname=coturn user=turn password=turn" -u bethod -r north.gov -p king-of-north --sha256
Short-term credentials mechanism:
Admin users:
$ bin/turnadmin -A -e "host=localhost dbname=coturn user=turn password=turn" -u gorst -p hero
$ bin/turnadmin -A -e "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -p youhavetoberealistic
$ bin/turnadmin -A -e "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -p youhavetoberealistic -r north.gov
XVII. MySQL (MariaDB) setup
@ -1006,10 +997,10 @@ the root account.
Long-term credentials mechanism with SHA256 extension:
$ bin/turnadmin -a -M "host=localhost dbname=coturn user=turn password=turn" -u bethod -r north.gov -p king-of-north --sha256
Short-term credentials mechanism:
Admin users:
$ bin/turnadmin -A -M "host=localhost dbname=coturn user=turn password=turn" -u gorst -p hero
$ bin/turnadmin -A -M "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -p youhavetoberealistic
$ bin/turnadmin -A -M "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -p youhavetoberealistic -r north.gov
7) Now we can use mysql in the turnserver.
@ -1135,10 +1126,10 @@ Redis TURN admin commands:
Long-term credentials mechanism with SHA256 extension:
$ bin/turnadmin -a -N "host=localhost dbname=2 user=turn password=turn" -u bethod -r north.gov -p king-of-north --sha256
Short-term credentials mechanism:
Admin users:
$ bin/turnadmin -A -N "host=localhost dbname=2 user=turn password=turn" -u gorst -p hero
$ bin/turnadmin -A -N "host=localhost dbname=2 user=turn password=turn" -u ninefingers -p youhavetoberealistic
$ bin/turnadmin -A -N "host=localhost dbname=2 user=turn password=turn" -u ninefingers -p youhavetoberealistic -r north.gov
See the file testredisdbsetup.sh for the data structure examples.


@ -51,15 +51,15 @@ Commands:
-a, --add Add or update a long-term user.
-A, --add-st Add or update a short-term credentials mechanism user.
-A, --add-admin Add or update an admin user.
-d, --delete Delete a long-term user.
-D, --delete-st Delete a short-term user.
-D, --delete-admin Delete an admin user.
-l, --list List long-term users in the database.
-L, --list-st List short-term users in the database.
-L, --list-admin List admin users in the database.
-s, --set-secret=<value> Add shared secret for TURN RESP API
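Review bot: -A, -D and -L are re-assigned from the short-term user commands to the admin user commands under the same letters. An unchanged provisioning script that ran `turnadmin -A -u <name> -p <password>` to add a short-term user will now create an admin user with that password and no error, which is an accidental privilege grant. Prefer new letters (or long options only) for the admin commands, and make the old -A/-D/-L (and --add-st/--delete-st/--list-st) fail with a clear "short-term mechanism removed" message for at least one release.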
@ -119,7 +119,7 @@ List all long-term users in MySQL database:
$ turnadmin -l --mysql-userdb="<db-connection-string>" -r <realm>
List all short-term users in Redis database:
List all admin users in Redis database:
$ turnadmin -L --redis-userdb="<db-connection-string>"


@ -85,8 +85,8 @@ User database settings:
/usr/local/var/db/turndb or /var/lib/turn/turndb).
-e, --psql-userdb User database connection string for PostgreSQL.
This database can be used for long-term and short-term
credentials mechanisms, and it can store the secret value
This database can be used for long-term credentials mechanism,
and it can store the secret value
for secret-based timed authentication in TURN RESP API.
The connection string format is like that:
@ -103,8 +103,8 @@ User database settings:
Also, see http://www.PostgreSQL.org for full PostgreSQL documentation.
-M, --mysql-userdb User database connection string for MySQL or MariaDB.
This database can be used for long-term and short-term
credentials mechanisms, and it can store the secret value for
This database can be used for long-term credentials mechanism,
and it can store the secret value for
secret-based timed authentication in TURN RESP API.
The connection string format is like that:
@ -121,8 +121,8 @@ User database settings:
command options description).
-J, --mongo-userdb User database connection string for MongoDB.
This database can be used for long-term and short-term
credentials mechanisms, and it can store the secret value
This database can be used for long-term credentials mechanism,
and it can store the secret value
for secret-based timed authentication in TURN RESP API.
The connection string format is like that:
@ -134,8 +134,8 @@ User database settings:
for full MongoDB documentation.
-N, --redis-userdb User database connection string for Redis.
This database can be used for long-term and short-term
credentials mechanisms, and it can store the secret
This database can be used for long-term credentials mechanism,
and it can store the secret
value for secret-based timed authentication in TURN RESP API.
The connection string format is like that:
@ -160,8 +160,6 @@ Flags:
-a, --lt-cred-mech Use long-term credentials mechanism (this one you need for WebRTC usage).
-A, --st-cred-mech Use the short-term credentials mechanism.
-z, --no-auth Do not use any credentials mechanism, allow anonymous access.
Opposite to -a and -A options. This is default option when no
authentication-related options are set.
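Review bot: after deleting -A/--st-cred-mech, the description of -z two lines below still reads "Opposite to -a and -A options"; change it to "Opposite to the -a option" so the README does not point at a flag that no longer exists.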
@ -182,8 +180,6 @@ Flags:
This option is just turns on secret-based authentication.
The actual value of the secret is defined either by option static-auth-secret,
or can be found in the turn_secret table in the database.
This option can be used with long-term credentials mechanisms only -
it does not make much sense with the short-term mechanism.
--oauth Support oAuth authentication, as in the third-party TURN specs document.
@ -380,8 +376,7 @@ Options with required values:
the key must be prepended with 0x symbols.
The key is calculated over the user name,
the user realm, and the user password.
This setting may not be used with TURN REST API or
with short-term credentials mechanism.
This setting may not be used with TURN REST API.
-r, --realm The default realm to be used for the users when no explicit
origin/realm relationship was found in the database, or if the TURN
@ -558,8 +553,8 @@ WEBRTC USAGE
This is a set of notes for the WebRTC users:
1) WebRTC uses long-term authentication mechanism, so you have to use -a
option (or --lt-cred-mech). WebRTC relaying will not work with anonymous access
or with short-term authentication. With -a option, do not forget to set the
option (or --lt-cred-mech). WebRTC relaying will not work with anonymous
access. With -a option, do not forget to set the
default realm (-r option). You will also have to set up the user accounts,
for that you have a number of options:
@ -731,9 +726,7 @@ For long-term credentials, you have to set the "keys" for the users; the "keys"
by the turnadmin utility. For the key generation, you need username, password and the realm.
All users in the database must use the same realm value; if down the road you will decide
to change the realm name, then you will have to re-generate all user keys (that can be done
in a batch script). If you are using short-term credentials, then you use open passwords
in the database; you will have to make sure that nobody can access the database outside of
the TURN server box. See the file turndb/testsqldbsetup.sql as an example.
in a batch script). See the file turndb/testsqldbsetup.sql as an example.
4) The same is true for MySQL database. The same schema file is applicable.
The same considerations are applicable.
@ -742,8 +735,7 @@ The same considerations are applicable.
it can be found (in the form of explanation) in schema.userdb.redis.
Also, in Redis you can store both "keys" and open passwords (for long term credentials) -
the "open password" option is less secure but more convenient for low-security environments.
For short-term credentials, you will use open passwords only. See the file
turndb/testredisdbsetup.sh as an example.
See the file turndb/testredisdbsetup.sh as an example.
6) If a database is used, then users can be divided into multiple independent realms. Each realm
can be administered separately, and each realm can have its own set of users and its own


@ -84,10 +84,6 @@ Flags:
-g Set DONT_FRAGMENT parameter in TURN requests.
-A use short-term credentials mechanism for authentication.
By default, the program uses the long-term credentials mechanism
if authentication is required.
-D Do mandatory channel padding even for UDP (like pjnath).
-N do negative tests (some limited cases only).


@ -169,11 +169,6 @@
#
#lt-cred-mech
# Uncomment to use short-term credential mechanism.
# By default no credentials mechanism is used (any user allowed).
#
#st-cred-mech
# This option is opposite to lt-cred-mech or st-cred-mech.
# (TURN Server with no-auth option allows anonymous access).
# If neither option is defined, and no users are defined,
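Review bot: the st-cred-mech block is removed, but the no-auth comment that follows still says "This option is opposite to lt-cred-mech or st-cred-mech"; drop "or st-cred-mech" so the shipped config does not advertise a removed option. It is also worth confirming that the config parser now rejects an st-cred-mech line in an existing turnserver.conf rather than ignoring it: per the comment in this hunk, "By default no credentials mechanism is used (any user allowed)", so a silently ignored option would turn a previously authenticated relay into an open one on upgrade.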
@ -223,8 +218,7 @@
#oauth
# 'Static' user accounts for long term credentials mechanism, only.
# This option cannot be used with TURN REST API or with short-term credentials
# mechanism.
# This option cannot be used with TURN REST API.
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so that they can NOT be changed while the turnserver is running.
#
@ -259,7 +253,7 @@
# PostgreSQL database connection string in the case that we are using PostgreSQL
# as the user database.
# This database can be used for long-term and short-term credential mechanisms
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
# versions connection string format, see
@ -270,7 +264,7 @@
# MySQL database connection string in the case that we are using MySQL
# as the user database.
# This database can be used for long-term and short-term credential mechanisms
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
#
# Optional connection string parameters for the secure communications (SSL):
@ -284,7 +278,7 @@
# MongoDB database connection string in the case that we are using MongoDB
# as the user database.
# This database can be used for long-term and short-term credential mechanisms
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
#
@ -292,7 +286,7 @@
# Redis database connection string in the case that we are using Redis
# as the user database.
# This database can be used for long-term and short-term credential mechanisms
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use string format as below (space separated parameters, all optional):
#


@ -1,34 +0,0 @@
#!/bin/sh
#
# This is an example how to start a TURN Server in
# secure mode with short-term security mechanism - see option -A
# that means "use short-term credential mechanism".
#
# The user credentials are stored in the database.
#
# We listen on available interfaces here, and we use the "external" IPs
# for relay endpoints allocation.
#
# Other options:
#
# 1) set bandwidth limit on client session 3000000 bytes per second (--max-bps).
# 2) use fingerprints (-f)
# 3) use 3 relay threads (-m 3)
# 4) use min UDP relay port 32355 and max UDP relay port 65535
# 5) --db="var/db/turndb" means that SQLite database "var/db/turndb" will be used.
# 6) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name.
# 7) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
# 8) "--log-file=stdout" means that all log output will go to the stdout.
# 9) -E 127.0.0.1 and -E :;1 sets the relay addresses, in this case for loopback
# communications only.
# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
cd examples
fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -A --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -E 127.0.0.1 -E ::1 --cipher-list=ALL $@


@ -1,31 +0,0 @@
#!/bin/sh
#
# This is an example of a script to run a "secure" TURN TCP client
# with the short-term credentials mechanism and with
# TCP relay endpoints (RFC 6062).
#
# Options:
#
# 1) -T is present, it means that TCP networking is used, with TCP relay endpoints (RFC 6062).
# 5) -n 1000 means 1000 messages per single emulated client. Messages
# are sent with interval of 20 milliseconds, to emulate an RTP stream.
# 6) -m 10 means that 10 clients are emulated.
# 7) -l 170 means that the payload size of the packets is 170 bytes
# (like average audio RTP packet).
# 8) -y means that the clients will connect to the 'neighbor' clients, no peer app will be used.
# 9) -g means "set DONT_FRAGMENT parameter in TURN requests".
# 10) -A sets the short-term credentials mechanism.
# 11) -u gorst sets the client user name.
# 12) -w hero sets the password for the account as "hero".
# 13) ::1 (the last parameter) is the TURN Server IP address. We use IPv6 here
# to illustrate how the TURN Server convert the traffic from IPv6 to IPv4 and back.
#
if [ -d examples ] ; then
cd examples
fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/
PATH=examples/bin/:../bin/:./bin/:${PATH} turnutils_uclient -T -n 1000 -m 10 -l 170 -y -g -A -u gorst -w hero $@ ::1


@ -1,30 +0,0 @@
#!/bin/sh
#
# This is an example of a script to run a "secure" TURN UDP client
# with short-term credential mechanism.
#
# Options:
#
# 1) -t is absent, it means that UDP networking is used.
# 5) -n 1000 means 1000 messages per single emulated client. Messages
# are sent with interval of 20 milliseconds, to emulate an RTP stream.
# 6) -m 10 means that 10 clients are emulated.
# 7) -l 170 means that the payload size of the packets is 170 bytes
# (like average audio RTP packet).
# 8) -e 127.0.0.1 means that the clients will use peer address 127.0.0.1.
# 9) -g means "set DONT_FRAGMENT parameter in TURN requests".
# 10) -A means that the short-term credentials mechanism is used.
# 11) -u ninefingers sets the client user name.
# 12) -w youhavetoberealistic sets the password for the user account as "youhavetoberealistic".
# 13) -s option means that the client will be using "send" indication for data trasfer.
# 14) ::1 (the last parameter) is the TURN Server IP address. We use IPv6 here
# to illustrate how the TURN Server convert the traffic from IPv6 to IPv4 and back.
#
if [ -d examples ] ; then
cd examples
fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/
PATH=examples/bin/:../bin/:./bin/:${PATH} turnutils_uclient -n 1000 -m 10 -l 170 -e 127.0.0.1 -X -g -A -u ninefingers -w youhavetoberealistic -s $@ ::1

Binary file not shown.


@ -74,24 +74,24 @@ Generate key for a long\-term credentials mechanism user.
Add or update a long\-term user.
.TP
.B
\fB\-A\fP, \fB\-\-add\-st\fP
Add or update a short\-term credentials mechanism user.
\fB\-A\fP, \fB\-\-add\-admin\fP
Add or update an admin user.
.TP
.B
\fB\-d\fP, \fB\-\-delete\fP
Delete a long\-term user.
.TP
.B
\fB\-D\fP, \fB\-\-delete\-st\fP
Delete a short\-term user.
\fB\-D\fP, \fB\-\-delete\-admin\fP
Delete an admin user.
.TP
.B
\fB\-l\fP, \fB\-\-list\fP
List long\-term users in the database.
.TP
.B
\fB\-L\fP, \fB\-\-list\-st\fP
List short\-term users in the database.
\fB\-L\fP, \fB\-\-list\-admin\fP
List admin users in the database.
.PP
\fB\-s\fP, \fB\-\-set\-secret\fP=<value> Add shared secret for TURN RESP API
.TP
@ -211,7 +211,7 @@ List all long\-term users in MySQL database:
.PP
$ \fIturnadmin\fP \fB\-l\fP \fB\-\-mysql\-userdb\fP="<db\-connection\-string>" \fB\-r\fP <realm>
.PP
List all short\-term users in Redis database:
List all admin users in Redis database:
.PP
$ \fIturnadmin\fP \fB\-L\fP \fB\-\-redis\-userdb\fP="<db\-connection\-string>"
.PP


@ -138,8 +138,8 @@ SQLite user database file name (default \- /var/db/turndb or
.B
\fB\-e\fP, \fB\-\-psql\-userdb\fP
User database connection string for PostgreSQL.
This database can be used for long\-term and short\-term
credentials mechanisms, and it can store the secret value
This database can be used for long\-term credentials mechanism,
and it can store the secret value
for secret\-based timed authentication in TURN RESP API.
The connection string format is like that:
.RS
@ -160,8 +160,8 @@ Also, see http://www.PostgreSQL.org for full PostgreSQL documentation.
.B
\fB\-M\fP, \fB\-\-mysql\-userdb\fP
User database connection string for MySQL or MariaDB.
This database can be used for long\-term and short\-term
credentials mechanisms, and it can store the secret value for
This database can be used for long\-term credentials mechanism,
and it can store the secret value for
secret\-based timed authentication in TURN RESP API.
The connection string format is like that:
.RS
@ -182,8 +182,8 @@ command \fIoptions\fP description).
.B
\fB\-J\fP, \fB\-\-mongo\-userdb\fP
User database connection string for MongoDB.
This database can be used for long\-term and short\-term
credentials mechanisms, and it can store the secret value
This database can be used for long\-term credentials mechanism,
and it can store the secret value
for secret\-based timed authentication in TURN RESP API.
The connection string format is like that:
.RS
@ -199,8 +199,8 @@ for full MongoDB documentation.
.B
\fB\-N\fP, \fB\-\-redis\-userdb\fP
User database connection string for Redis.
This database can be used for long\-term and short\-term
credentials mechanisms, and it can store the secret
This database can be used for long\-term credentials mechanism,
and it can store the secret
value for secret\-based timed authentication in TURN RESP API.
The connection string format is like that:
.RS
@ -239,10 +239,6 @@ per\-server setting.
Use long\-term credentials mechanism (this one you need for WebRTC usage).
.TP
.B
\fB\-A\fP, \fB\-\-st\-cred\-mech\fP
Use the short\-term credentials mechanism.
.TP
.B
\fB\-z\fP, \fB\-\-no\-auth\fP
Do not use any credentials mechanism, allow anonymous access.
Opposite to \fB\-a\fP and \fB\-A\fP \fIoptions\fP. This is default option when no
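Review bot: same stale reference as in the README: the -z paragraph directly below the deleted -A entry still says "Opposite to \fB\-a\fP and \fB\-A\fP \fIoptions\fP"; fix the man page text in this commit so the rendered manual matches the option set.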
@ -266,8 +262,6 @@ If you don't have a suitable id, the timestamp alone can be used.
This option is just turns on secret\-based authentication.
The actual value of the secret is defined either by option static\-auth\-secret,
or can be found in the turn_secret table in the database.
This option can be used with long\-term credentials mechanisms only \-
it does not make much sense with the short\-term mechanism.
.TP
.B
\fB\-\-oauth\fP
@ -555,8 +549,7 @@ by \fIturnadmin\fP command. In the second case,
the key must be prepended with 0x symbols.
The key is calculated over the user name,
the user realm, and the user password.
This setting may not be used with TURN REST API or
with short\-term credentials mechanism.
This setting may not be used with TURN REST API.
.TP
.B
\fB\-r\fP, \fB\-\-realm\fP
@ -792,8 +785,8 @@ http://code.google.com/p/coturn/wiki/turn_performance_and_load_balance
This is a set of notes for the WebRTC users:
.IP 1) 4
WebRTC uses long\-term authentication mechanism, so you have to use \fB\-a\fP
option (or \fB\-\-lt\-cred\-mech\fP). WebRTC relaying will not work with anonymous access
or with short\-term authentication. With \fB\-a\fP option, do not forget to set the
option (or \fB\-\-lt\-cred\-mech\fP). WebRTC relaying will not work with anonymous
access. With \fB\-a\fP option, do not forget to set the
default realm (\fB\-r\fP option). You will also have to set up the user accounts,
for that you have a number of \fIoptions\fP:
.PP
@ -984,9 +977,7 @@ For long\-term credentials, you have to set the "keys" for the users; the "keys"
by the \fIturnadmin\fP utility. For the key generation, you need username, password and the realm.
All users in the database must use the same realm value; if down the road you will decide
to change the realm name, then you will have to re\-generate all user keys (that can be done
in a batch script). If you are using short\-term credentials, then you use open passwords
in the database; you will have to make sure that nobody can access the database outside of
the TURN server box. See the file turndb/testsqldbsetup.sql as an example.
in a batch script). See the file turndb/testsqldbsetup.sql as an example.
.IP 4) 4
The same is true for MySQL database. The same schema file is applicable.
The same considerations are applicable.
@ -995,8 +986,7 @@ The same is true for the Redis database, but the Redis database has aa different
it can be found (in the form of explanation) in schema.userdb.redis.
Also, in Redis you can store both "keys" and open passwords (for long term credentials) \-
the "open password" option is less secure but more convenient for low\-security environments.
For short\-term credentials, you will use open passwords only. See the file
turndb/testredisdbsetup.sh as an example.
See the file turndb/testredisdbsetup.sh as an example.
.IP 6) 4
If a database is used, then users can be divided into multiple independent realms. Each realm
can be administered separately, and each realm can have its own set of users and its own


@ -122,12 +122,6 @@ IPv4 relay address explicitly requested.
Set DONT_FRAGMENT parameter in TURN requests.
.TP
.B
\fB\-A\fP
use short\-term credentials mechanism for authentication.
By default, the program uses the long\-term credentials mechanism
if authentication is required.
.TP
.B
\fB\-D\fP
Do mandatory channel padding even for UDP (like pjnath).
.TP


@ -2,7 +2,7 @@
# Common settings script.
TURNVERSION=4.3.4.1
TURNVERSION=4.4.1.1
BUILDDIR=~/rpmbuild
ARCH=`uname -p`
TURNSERVER_SVN_URL=http://coturn.googlecode.com/svn


@ -1,5 +1,5 @@
Name: turnserver
Version: 4.3.4.1
Version: 4.4.1.1
Release: 0%{dist}
Summary: Coturn TURN Server
@ -61,7 +61,6 @@ authentication is required):
Redis can also be used for status and statistics storage and notification.
Supported TURN authentication mechanisms:
- short-term
- long-term
- TURN REST API (a modification of the long-term mechanism, for time-limited
secret-based authentication, for WebRTC applications)
@ -248,10 +247,6 @@ fi
%dir %{_datadir}/%{name}/scripts/selfloadbalance
%{_datadir}/%{name}/scripts/selfloadbalance/secure_dos_attack.sh
%{_datadir}/%{name}/scripts/selfloadbalance/secure_relay.sh
%dir %{_datadir}/%{name}/scripts/shorttermsecure
%{_datadir}/%{name}/scripts/shorttermsecure/secure_relay_short_term_mech.sh
%{_datadir}/%{name}/scripts/shorttermsecure/secure_tcp_client_c2c_tcp_relay_short_term.sh
%{_datadir}/%{name}/scripts/shorttermsecure/secure_udp_client_short_term.sh
%dir %{_datadir}/%{name}/scripts/mobile
%{_datadir}/%{name}/scripts/mobile/mobile_relay.sh
%{_datadir}/%{name}/scripts/mobile/mobile_dtls_client.sh
@ -293,8 +288,8 @@ fi
%{_includedir}/turn/client/TurnMsgLib.h
%changelog
* Thu Jan 24 2015 Oleg Moskalenko <mom040267@gmail.com>
- Sync to 4.3.4.1
* Sat Jan 10 2015 Oleg Moskalenko <mom040267@gmail.com>
- Sync to 4.4.1.1
* Wed Dec 24 2014 Oleg Moskalenko <mom040267@gmail.com>
- Sync to 4.3.3.1
* Sun Dec 14 2014 Oleg Moskalenko <mom040267@gmail.com>


@ -312,53 +312,6 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
return ret;
}
static int mongo_get_user_pwd(u08bits *usname, password_t pwd) {
mongoc_collection_t * collection = mongo_get_collection("turnusers_st");
if(!collection)
return -1;
bson_t query;
bson_init(&query);
BSON_APPEND_UTF8(&query, "name", (const char *)usname);
bson_t fields;
bson_init(&fields);
BSON_APPEND_INT32(&fields, "password", 1);
mongoc_cursor_t * cursor;
cursor = mongoc_collection_find(collection, MONGOC_QUERY_NONE, 0, 1, 0, &query, &fields, NULL);
int ret = -1;
if (!cursor) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error querying MongoDB collection 'turnusers_st'\n");
} else {
const bson_t * item;
uint32_t length;
bson_iter_t iter;
const char * value;
if (mongoc_cursor_next(cursor, &item)) {
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "password") && BSON_ITER_HOLDS_UTF8(&iter)) {
value = bson_iter_utf8(&iter, &length);
if(length < 1) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong password data for user %s, size in MongoDB is zero(0)\n", usname);
} else {
ns_bcopy(value, pwd, length);
pwd[length] = 0;
ret = 0;
}
}
}
mongoc_cursor_destroy(cursor);
}
mongoc_collection_destroy(collection);
bson_destroy(&query);
bson_destroy(&fields);
return ret;
}
static int mongo_set_user_key(u08bits *usname, u08bits *realm, const char *key) {
mongoc_collection_t * collection = mongo_get_collection("turnusers_lt");
@ -425,8 +378,8 @@ static int mongo_set_oauth_key(oauth_key_data_raw *key) {
return ret;
}
static int mongo_set_user_pwd(u08bits *usname, password_t pwd) {
mongoc_collection_t * collection = mongo_get_collection("turnusers_st");
static int mongo_del_user(u08bits *usname, u08bits *realm) {
mongoc_collection_t * collection = mongo_get_collection("turnusers_lt");
if(!collection)
return -1;
@ -434,37 +387,7 @@ static int mongo_set_user_pwd(u08bits *usname, password_t pwd) {
bson_t query;
bson_init(&query);
BSON_APPEND_UTF8(&query, "name", (const char *)usname);
bson_t doc;
bson_init(&doc);
BSON_APPEND_UTF8(&doc, "name", (const char *)usname);
BSON_APPEND_UTF8(&doc, "password", (const char *)pwd);
int ret = -1;
if (!mongoc_collection_update(collection, MONGOC_UPDATE_UPSERT, &query, &doc, NULL, NULL)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating secret key information\n");
} else {
ret = 0;
}
mongoc_collection_destroy(collection);
bson_destroy(&doc);
bson_destroy(&query);
return ret;
}
static int mongo_del_user(u08bits *usname, int is_st, u08bits *realm) {
mongoc_collection_t * collection = mongo_get_collection(is_st ? "turnusers_st" : "turnusers_lt");
if(!collection)
return -1;
bson_t query;
bson_init(&query);
BSON_APPEND_UTF8(&query, "name", (const char *)usname);
if(!is_st) {
BSON_APPEND_UTF8(&query, "realm", (const char *)realm);
}
BSON_APPEND_UTF8(&query, "realm", (const char *)realm);
int ret = -1;
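Review bot: with is_st gone, the realm filter `BSON_APPEND_UTF8(&query, "realm", (const char *)realm)` is appended unconditionally, whereas mongo_list_users in this same file guards the same filter with `if (realm && realm[0])`. A caller that passes an empty realm now matches documents with realm "" and deletes nothing, with no indication that the realm was missing; either validate realm up front and return -1 with a TURN_LOG_FUNC error, or apply the same guard as mongo_list_users so the two functions agree on how an empty realm is treated.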
@ -501,8 +424,8 @@ static int mongo_del_oauth_key(const u08bits *kid) {
return ret;
}
static int mongo_list_users(int is_st, u08bits *realm) {
const char * collection_name = is_st ? "turnusers_st" : "turnusers_lt";
static int mongo_list_users(u08bits *realm) {
const char * collection_name = "turnusers_lt";
mongoc_collection_t * collection = mongo_get_collection(collection_name);
if(!collection)
@ -514,7 +437,7 @@ static int mongo_list_users(int is_st, u08bits *realm) {
bson_append_int32(&child, "name", -1, 1);
bson_append_document_end(&query, &child);
bson_append_document_begin(&query, "$query", -1, &child);
if (!is_st && realm && realm[0]) {
if (realm && realm[0]) {
BSON_APPEND_UTF8(&child, "realm", (const char *)realm);
}
bson_append_document_end(&query, &child);
@ -522,7 +445,7 @@ static int mongo_list_users(int is_st, u08bits *realm) {
bson_t fields;
bson_init(&fields);
BSON_APPEND_INT32(&fields, "name", 1);
if(!is_st) BSON_APPEND_INT32(&fields, "realm", 1);
BSON_APPEND_INT32(&fields, "realm", 1);
mongoc_cursor_t * cursor;
cursor = mongoc_collection_find(collection, MONGOC_QUERY_NONE, 0, 0, 0, &query, &fields, NULL);
@ -542,7 +465,7 @@ static int mongo_list_users(int is_st, u08bits *realm) {
value = bson_iter_utf8(&iter, &length);
if (length) {
const char *realm = "";
if (!is_st && bson_iter_init(&iter_realm, item) && bson_iter_find(&iter_realm, "realm") && BSON_ITER_HOLDS_UTF8(&iter_realm)) {
if (bson_iter_init(&iter_realm, item) && bson_iter_find(&iter_realm, "realm") && BSON_ITER_HOLDS_UTF8(&iter_realm)) {
realm = bson_iter_utf8(&iter_realm, &length);
}
if(realm && *realm) {
@ -1339,9 +1262,7 @@ static int mongo_list_admin_users(void)
static const turn_dbdriver_t driver = {
&mongo_get_auth_secrets,
&mongo_get_user_key,
&mongo_get_user_pwd,
&mongo_set_user_key,
&mongo_set_user_pwd,
&mongo_del_user,
&mongo_list_users,
&mongo_show_secret,
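Review bot: two function pointers are removed from the positional turn_dbdriver_t initializer, so the struct definition and every other backend table (mysql, pgsql, redis, sqlite) must lose the same two members in this commit; the struct change is not visible in this diff. A positional initializer that gets out of step with the struct surfaces at best as an incompatible-pointer warning, so consider designated initializers (`.get_user_key = &mongo_get_user_key`) to turn a missed backend into a compile-time error.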


@ -338,47 +338,6 @@ static int mysql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
}
return ret;
}
static int mysql_get_user_pwd(u08bits *usname, password_t pwd) {
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
snprintf(statement,sizeof(statement),"select password from turnusers_st where name='%s'",usname);
MYSQL * myc = get_mydb_connection();
if(myc) {
int res = mysql_query(myc, statement);
if(res) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc));
} else {
MYSQL_RES *mres = mysql_store_result(myc);
if(!mres) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc));
} else if(mysql_field_count(myc)!=1) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unknown error retrieving MySQL DB information: %s\n",statement);
} else {
MYSQL_ROW row = mysql_fetch_row(mres);
if(row && row[0]) {
unsigned long *lengths = mysql_fetch_lengths(mres);
if(lengths) {
if(lengths[0]<1) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong password data for user %s, size in MySQL DB is zero(0)\n",usname);
} else {
ns_bcopy(row[0],pwd,lengths[0]);
pwd[lengths[0]]=0;
ret = 0;
}
}
}
}
if(mres)
mysql_free_result(mres);
}
}
return ret;
}
static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
@ -558,36 +517,12 @@ static int mysql_set_oauth_key(oauth_key_data_raw *key) {
return ret;
}
static int mysql_set_user_pwd(u08bits *usname, password_t pwd) {
static int mysql_del_user(u08bits *usname, u08bits *realm) {
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
MYSQL * myc = get_mydb_connection();
if(myc) {
snprintf(statement,sizeof(statement),"insert into turnusers_st values('%s','%s')",usname,pwd);
int res = mysql_query(myc, statement);
if(res) {
snprintf(statement,sizeof(statement),"update turnusers_st set password='%s' where name='%s'",pwd,usname);
res = mysql_query(myc, statement);
if(res) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating user key information: %s\n",mysql_error(myc));
} else {
ret = 0;
}
}
}
return ret;
}
static int mysql_del_user(u08bits *usname, int is_st, u08bits *realm) {
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
MYSQL * myc = get_mydb_connection();
if(myc) {
if(is_st) {
snprintf(statement,sizeof(statement),"delete from turnusers_st where name='%s'",usname);
} else {
snprintf(statement,sizeof(statement),"delete from turnusers_lt where name='%s' and realm='%s'",usname,realm);
}
snprintf(statement,sizeof(statement),"delete from turnusers_lt where name='%s' and realm='%s'",usname,realm);
int res = mysql_query(myc, statement);
if(res) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error deleting user key information: %s\n",mysql_error(myc));
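Review bot: the query that survives in mysql_del_user, "delete from turnusers_lt where name='%s' and realm='%s'", still builds SQL with snprintf from usname and realm without any escaping, exactly like the turnusers_st statements being deleted above it. Both values come from turnadmin's command line, so the exposure is an operator mistake rather than a remote one, but since these lines are being touched anyway this is the moment to run both values through mysql_real_escape_string() or move to a prepared statement. The pgsql (PQescapeStringConn() or PQexecParams()) and sqlite (sqlite3_bind_text() on a "?" placeholder) del_user hunks below carry the same pattern.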
@ -614,14 +549,12 @@ static int mysql_del_oauth_key(const u08bits *kid) {
return ret;
}
static int mysql_list_users(int is_st, u08bits *realm) {
static int mysql_list_users(u08bits *realm) {
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
MYSQL * myc = get_mydb_connection();
if(myc) {
if(is_st) {
snprintf(statement,sizeof(statement),"select name,'' from turnusers_st order by name");
} else if(realm && realm[0]) {
if(realm && realm[0]) {
snprintf(statement,sizeof(statement),"select name, realm from turnusers_lt where realm='%s' order by name",realm);
} else {
snprintf(statement,sizeof(statement),"select name, realm from turnusers_lt order by name");
@ -1194,9 +1127,7 @@ static int mysql_list_admin_users(void)
static const turn_dbdriver_t driver = {
&mysql_get_auth_secrets,
&mysql_get_user_key,
&mysql_get_user_pwd,
&mysql_set_user_key,
&mysql_set_user_pwd,
&mysql_del_user,
&mysql_list_users,
&mysql_show_secret,

View File

@ -152,34 +152,6 @@ static int pgsql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
}
return ret;
}
static int pgsql_get_user_pwd(u08bits *usname, password_t pwd) {
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
snprintf(statement,sizeof(statement),"select password from turnusers_st where name='%s'",usname);
PGconn * pqc = get_pqdb_connection();
if(pqc) {
PGresult *res = PQexec(pqc, statement);
if(!res || (PQresultStatus(res) != PGRES_TUPLES_OK) || (PQntuples(res)!=1)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving PostgreSQL DB information: %s\n",PQerrorMessage(pqc));
} else {
char *kval = PQgetvalue(res,0,0);
if(kval) {
strncpy((char*)pwd,kval,sizeof(password_t));
ret = 0;
} else {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong password data for user %s: NULL\n",usname);
}
}
if(res) {
PQclear(res);
}
}
return ret;
}
static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
@ -318,43 +290,13 @@ static int pgsql_set_oauth_key(oauth_key_data_raw *key) {
}
return ret;
}
static int pgsql_set_user_pwd(u08bits *usname, password_t pwd) {
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
PGconn *pqc = get_pqdb_connection();
if(pqc) {
snprintf(statement,sizeof(statement),"insert into turnusers_st values('%s','%s')",usname,pwd);
PGresult *res = PQexec(pqc, statement);
if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) {
if(res) {
PQclear(res);
}
snprintf(statement,sizeof(statement),"update turnusers_st set password='%s' where name='%s'",pwd,usname);
res = PQexec(pqc, statement);
if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating user information: %s\n",PQerrorMessage(pqc));
} else {
ret = 0;
}
}
if(res) {
PQclear(res);
}
}
return ret;
}
static int pgsql_del_user(u08bits *usname, int is_st, u08bits *realm) {
static int pgsql_del_user(u08bits *usname, u08bits *realm) {
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
PGconn *pqc = get_pqdb_connection();
if(pqc) {
if(is_st) {
snprintf(statement,sizeof(statement),"delete from turnusers_st where name='%s'",usname);
} else {
snprintf(statement,sizeof(statement),"delete from turnusers_lt where name='%s' and realm='%s'",usname,realm);
}
snprintf(statement,sizeof(statement),"delete from turnusers_lt where name='%s' and realm='%s'",usname,realm);
PGresult *res = PQexec(pqc, statement);
if(res) {
PQclear(res);
@ -385,14 +327,12 @@ static int pgsql_del_oauth_key(const u08bits *kid) {
return ret;
}
static int pgsql_list_users(int is_st, u08bits *realm) {
static int pgsql_list_users(u08bits *realm) {
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
PGconn *pqc = get_pqdb_connection();
if(pqc) {
if(is_st) {
snprintf(statement,sizeof(statement),"select name,'' from turnusers_st order by name");
} else if(realm && realm[0]) {
if(realm && realm[0]) {
snprintf(statement,sizeof(statement),"select name,realm from turnusers_lt where realm='%s' order by name",realm);
} else {
snprintf(statement,sizeof(statement),"select name,realm from turnusers_lt order by name");
@ -902,9 +842,7 @@ static int pgsql_list_admin_users(void)
static const turn_dbdriver_t driver = {
&pgsql_get_auth_secrets,
&pgsql_get_user_key,
&pgsql_get_user_pwd,
&pgsql_set_user_key,
&pgsql_set_user_pwd,
&pgsql_del_user,
&pgsql_list_users,
&pgsql_show_secret,

View File

@ -519,30 +519,6 @@ static int redis_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
return ret;
}
static int redis_get_user_pwd(u08bits *usname, password_t pwd) {
int ret = -1;
redisContext * rc = get_redis_connection();
if(rc) {
char s[TURN_LONG_STRING_SIZE];
snprintf(s,sizeof(s),"get turn/user/%s/password", usname);
redisReply *rget = (redisReply *)redisCommand(rc, s);
if(rget) {
if (rget->type == REDIS_REPLY_ERROR)
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error: %s\n", rget->str);
else if (rget->type != REDIS_REPLY_STRING) {
if (rget->type != REDIS_REPLY_NIL)
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unexpected type: %d\n", rget->type);
} else {
strncpy((char*)pwd,rget->str,STUN_MAX_PWD_SIZE);
pwd[STUN_MAX_PWD_SIZE]=0;
ret = 0;
}
turnFreeRedisReply(rget);
}
}
return ret;
}
static int redis_set_user_key(u08bits *usname, u08bits *realm, const char *key) {
int ret = -1;
redisContext *rc = get_redis_connection();
@ -572,28 +548,12 @@ static int redis_set_oauth_key(oauth_key_data_raw *key) {
return ret;
}
static int redis_set_user_pwd(u08bits *usname, password_t pwd) {
static int redis_del_user(u08bits *usname, u08bits *realm) {
int ret = -1;
redisContext *rc = get_redis_connection();
if(rc) {
char statement[TURN_LONG_STRING_SIZE];
snprintf(statement,sizeof(statement),"set turn/user/%s/password %s",usname,pwd);
turnFreeRedisReply(redisCommand(rc, statement));
turnFreeRedisReply(redisCommand(rc, "save"));
ret = 0;
}
return ret;
}
static int redis_del_user(u08bits *usname, int is_st, u08bits *realm) {
int ret = -1;
redisContext *rc = get_redis_connection();
if(rc) {
char statement[TURN_LONG_STRING_SIZE];
if(is_st) {
snprintf(statement,sizeof(statement),"del turn/user/%s/password",usname);
turnFreeRedisReply(redisCommand(rc, statement));
} else {
{
snprintf(statement,sizeof(statement),"del turn/realm/%s/user/%s/key",(char*)realm,usname);
turnFreeRedisReply(redisCommand(rc, statement));
snprintf(statement,sizeof(statement),"del turn/realm/%s/user/%s/password",(char*)realm,usname);
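Review bot: replacing "} else {" with a bare "{" leaves an unconditional block around the long-term branch of redis_del_user that reads like a leftover conditional; flatten it by dropping the braces and de-indenting the body. The same bare "{" is left behind in redis_list_users, auth_server_receive_message, adminuser and twice in check_stun_auth further down.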
@ -619,7 +579,7 @@ static int redis_del_oauth_key(const u08bits *kid) {
return ret;
}
static int redis_list_users(int is_st, u08bits *realm) {
static int redis_list_users(u08bits *realm) {
int ret = -1;
redisContext *rc = get_redis_connection();
if(rc) {
@ -630,8 +590,7 @@ static int redis_list_users(int is_st, u08bits *realm) {
redisReply *reply = NULL;
if(!is_st) {
{
if(realm && realm[0]) {
reply = (redisReply*)redisCommand(rc, "keys turn/realm/%s/user/*/key", (char*)realm);
} else {
@ -660,23 +619,6 @@ static int redis_list_users(int is_st, u08bits *realm) {
}
if(reply) {
if (reply->type == REDIS_REPLY_ERROR)
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error: %s\n", reply->str);
else if (reply->type != REDIS_REPLY_ARRAY) {
if (reply->type != REDIS_REPLY_NIL)
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unexpected type: %d\n", reply->type);
} else {
size_t i;
for (i = 0; i < reply->elements; ++i) {
add_to_secrets_list(&keys,reply->element[i]->str);
}
}
turnFreeRedisReply(reply);
}
} else {
reply = (redisReply*)redisCommand(rc, "keys turn/user/*/password");
if(reply) {
if (reply->type == REDIS_REPLY_ERROR)
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error: %s\n", reply->str);
else if (reply->type != REDIS_REPLY_ARRAY) {
@ -1329,9 +1271,7 @@ static int redis_list_admin_users(void)
static const turn_dbdriver_t driver = {
&redis_get_auth_secrets,
&redis_get_user_key,
&redis_get_user_pwd,
&redis_set_user_key,
&redis_set_user_pwd,
&redis_del_user,
&redis_list_users,
&redis_show_secret,

View File

@ -149,7 +149,6 @@ static void init_sqlite_database(sqlite3 *sqliteconnection) {
const char * statements[] = {
"CREATE TABLE turnusers_lt ( realm varchar(127) default '', name varchar(512), hmackey char(128), PRIMARY KEY (realm,name))",
"CREATE TABLE turnusers_st (name varchar(512) PRIMARY KEY, password varchar(127))",
"CREATE TABLE turn_secret (realm varchar(127) default '', value varchar(127), primary key (realm,value))",
"CREATE TABLE allowed_peer_ip (realm varchar(127) default '', ip_range varchar(256), primary key (realm,ip_range))",
"CREATE TABLE denied_peer_ip (realm varchar(127) default '', ip_range varchar(256), primary key (realm,ip_range))",
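Review bot: dropping the CREATE TABLE only affects freshly initialised databases. SQLite files (and MySQL/PostgreSQL schemas) created by earlier releases keep a turnusers_st table whose "password varchar(127)" column holds short-term passwords in the clear, and nothing in this change reads, migrates or drops it; likewise redis_del_user no longer issues "del turn/user/%s/password", so existing Redis instances keep those cleartext keys forever. Add an upgrade note recommending "DROP TABLE turnusers_st" and deletion of the turn/user/*/password keys so that cleartext credentials are not left lying around after the mechanism they served is gone.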
@ -287,42 +286,6 @@ static int sqlite_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key)
return ret;
}
static int sqlite_get_user_pwd(u08bits *usname, password_t pwd)
{
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
sqlite3_stmt *st = NULL;
int rc = 0;
snprintf(statement, sizeof(statement), "select password from turnusers_st where name='%s'", usname);
sqlite3 *sqliteconnection = get_sqlite_connection();
if (sqliteconnection) {
sqlite_lock(0);
if ((rc = sqlite3_prepare(sqliteconnection, statement, -1, &st, 0)) == SQLITE_OK) {
int res = sqlite3_step(st);
if (res == SQLITE_ROW) {
const char *kval = (const char*) sqlite3_column_text(st, 0);
if (kval) {
strncpy((char*) pwd, kval, sizeof(password_t));
ret = 0;
} else {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong password data for user %s: NULL\n", usname);
}
}
} else {
const char* errmsg = sqlite3_errmsg(sqliteconnection);
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving SQLite DB information: %s\n", errmsg);
}
sqlite3_finalize(st);
sqlite_unlock(0);
}
return ret;
}
static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
int ret = -1;
@ -493,7 +456,7 @@ static int sqlite_set_oauth_key(oauth_key_data_raw *key)
return ret;
}
static int sqlite_set_user_pwd(u08bits *usname, password_t pwd)
static int sqlite_del_user(u08bits *usname, u08bits *realm)
{
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
@ -504,40 +467,7 @@ static int sqlite_set_user_pwd(u08bits *usname, password_t pwd)
sqlite3 *sqliteconnection = get_sqlite_connection();
if (sqliteconnection) {
snprintf(statement, sizeof(statement), "insert or replace into turnusers_st values('%s','%s')", usname, pwd);
sqlite_lock(1);
if ((rc = sqlite3_prepare(sqliteconnection, statement, -1, &st, 0)) == SQLITE_OK) {
sqlite3_step(st);
ret = 0;
} else {
const char* errmsg = sqlite3_errmsg(sqliteconnection);
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving SQLite DB information: %s\n", errmsg);
}
sqlite3_finalize(st);
sqlite_unlock(1);
}
return ret;
}
static int sqlite_del_user(u08bits *usname, int is_st, u08bits *realm)
{
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
sqlite3_stmt *st = NULL;
int rc = 0;
donot_print_connection_success=1;
sqlite3 *sqliteconnection = get_sqlite_connection();
if (sqliteconnection) {
if (is_st) {
snprintf(statement, sizeof(statement), "delete from turnusers_st where name='%s'", usname);
} else {
snprintf(statement, sizeof(statement), "delete from turnusers_lt where name='%s' and realm='%s'", usname, realm);
}
snprintf(statement, sizeof(statement), "delete from turnusers_lt where name='%s' and realm='%s'", usname, realm);
sqlite_lock(1);
@ -586,7 +516,7 @@ static int sqlite_del_oauth_key(const u08bits *kid)
}
static int sqlite_list_users(int is_st, u08bits *realm)
static int sqlite_list_users(u08bits *realm)
{
int ret = -1;
char statement[TURN_LONG_STRING_SIZE];
@ -597,9 +527,7 @@ static int sqlite_list_users(int is_st, u08bits *realm)
sqlite3 *sqliteconnection = get_sqlite_connection();
if (sqliteconnection) {
if (is_st) {
snprintf(statement, sizeof(statement), "select name,'' from turnusers_st order by name");
} else if (realm && realm[0]) {
if (realm && realm[0]) {
snprintf(statement, sizeof(statement), "select name,realm from turnusers_lt where realm='%s' order by name", realm);
} else {
snprintf(statement, sizeof(statement), "select name,realm from turnusers_lt order by name");
@ -1259,9 +1187,7 @@ static int sqlite_list_admin_users(void)
static const turn_dbdriver_t driver = {
&sqlite_get_auth_secrets,
&sqlite_get_user_key,
&sqlite_get_user_pwd,
&sqlite_set_user_key,
&sqlite_set_user_pwd,
&sqlite_del_user,
&sqlite_list_users,
&sqlite_show_secret,

View File

@ -50,11 +50,9 @@ extern pthread_once_t connection_key_once;
typedef struct _turn_dbdriver_t {
int (*get_auth_secrets)(secrets_list_t *sl, u08bits *realm);
int (*get_user_key)(u08bits *usname, u08bits *realm, hmackey_t key);
int (*get_user_pwd)(u08bits *usname, password_t pwd);
int (*set_user_key)(u08bits *usname, u08bits *realm, const char *key);
int (*set_user_pwd)(u08bits *usname, password_t pwd);
int (*del_user)(u08bits *usname, int is_st, u08bits *realm);
int (*list_users)(int is_st, u08bits *realm);
int (*del_user)(u08bits *usname, u08bits *realm);
int (*list_users)(u08bits *realm);
int (*show_secret)(u08bits *realm);
int (*del_secret)(u08bits *secret, u08bits *realm);
int (*set_secret)(u08bits *secret, u08bits *realm);
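Review bot: the "driver" tables in every backend (for example "&mysql_get_user_key, &mysql_set_user_key, &mysql_del_user, ...") are positional initializers, so removing get_user_pwd and set_user_pwd from the middle of _turn_dbdriver_t is only safe if each table is edited in lockstep; a backend table left with a stale entry would draw at most an incompatible-pointer warning and then call the wrong backend function for every slot after it at runtime. Designated initializers (".del_user = &mysql_del_user") would make this kind of layout change fail loudly at compile time instead.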

View File

@ -33,7 +33,6 @@
////// TEMPORARY data //////////
static int use_lt_credentials = 0;
static int use_st_credentials = 0;
static int anon_credentials = 0;
////// TURNDB //////////////
@ -414,10 +413,9 @@ static char Usage[] = "Usage: turnserver [options]\n"
" -o, --daemon Start process as daemon (detach from current shell).\n"
" -f, --fingerprint Use fingerprints in the TURN messages.\n"
" -a, --lt-cred-mech Use the long-term credential mechanism.\n"
" -A, --st-cred-mech Use the short-term credential mechanism.\n"
" -z, --no-auth Do not use any credential mechanism, allow anonymous access.\n"
" -u, --user <user:pwd> User account, in form 'username:password', for long-term credentials.\n"
" Cannot be used with TURN REST API or with short-term credentials.\n"
" Cannot be used with TURN REST API.\n"
" -r, --realm <realm> The default realm to be used for the users when no explicit\n"
" origin/realm relationship was found in the database.\n"
" Must be used with long-term credentials \n"
@ -445,7 +443,7 @@ static char Usage[] = "Usage: turnserver [options]\n"
#endif
#if !defined(TURN_NO_PQ)
" -e, --psql-userdb, --sql-userdb <conn-string> PostgreSQL database connection string, if used (default - empty, no PostreSQL DB used).\n"
" This database can be used for long-term and short-term credentials mechanisms,\n"
" This database can be used for long-term credentials mechanism users,\n"
" and it can store the secret value(s) for secret-based timed authentication in TURN RESP API.\n"
" See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL\n"
" versions format, see \n"
@ -454,7 +452,7 @@ static char Usage[] = "Usage: turnserver [options]\n"
#endif
#if !defined(TURN_NO_MYSQL)
" -M, --mysql-userdb <connection-string> MySQL database connection string, if used (default - empty, no MySQL DB used).\n"
" This database can be used for long-term and short-term credentials mechanisms,\n"
" This database can be used for long-term credentials mechanism users,\n"
" and it can store the secret value(s) for secret-based timed authentication in TURN RESP API.\n"
" The connection string my be space-separated list of parameters:\n"
" \"host=<ip-addr> dbname=<database-name> user=<database-user> \\\n password=<database-user-password> port=<db-port> connect_timeout=<seconds>\".\n\n"
@ -466,12 +464,12 @@ static char Usage[] = "Usage: turnserver [options]\n"
#endif
#if !defined(TURN_NO_MONGO)
" -J, --mongo-userdb <connection-string> MongoDB connection string, if used (default - empty, no MongoDB used).\n"
" This database can be used for long-term and short-term credentials mechanisms,\n"
" This database can be used for long-term credentials mechanism users,\n"
" and it can store the secret value(s) for secret-based timed authentication in TURN RESP API.\n"
#endif
#if !defined(TURN_NO_HIREDIS)
" -N, --redis-userdb <connection-string> Redis user database connection string, if used (default - empty, no Redis DB used).\n"
" This database can be used for long-term and short-term credentials mechanisms,\n"
" This database can be used for long-term credentials mechanism users,\n"
" and it can store the secret value(s) for secret-based timed authentication in TURN RESP API.\n"
" The connection string my be space-separated list of parameters:\n"
" \"host=<ip-addr> dbname=<db-number> \\\n password=<database-user-password> port=<db-port> connect_timeout=<seconds>\".\n\n"
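Review bot: the rewritten help lines keep the surrounding text's typos: "The connection string my be" (may be) here and in the MySQL hunk above, "no PostreSQL DB used" in the PostgreSQL hunk, and "TURN RESP API" for REST API in each of the four database descriptions. Since these lines are being touched anyway, fix them in the same change.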
@ -601,11 +599,11 @@ static char AdminUsage[] = "Usage: turnadmin [command] [options]\n"
"\nCommands:\n\n"
" -k, --key generate long-term credential mechanism key for a user\n"
" -a, --add add/update a long-term mechanism user\n"
" -A, --add-st add/update a short-term mechanism user\n"
" -A, --add-admin add/update a web admin user\n"
" -d, --delete delete a long-term mechanism user\n"
" -D, --delete-st delete a short-term mechanism user\n"
" -D, --delete-admin delete an admin user\n"
" -l, --list list all long-term mechanism users\n"
" -L, --list-st list all short-term mechanism users\n"
" -L, --list-admin list all admin users\n"
" -s, --set-secret=<value> Add shared secret for TURN RESP API\n"
" -S, --show-secret Show stored shared secrets for TURN REST API\n"
" -X, --delete-secret=<value> Delete a shared secret\n"
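Review bot: -A, -D and -L change meaning here rather than being retired. A script or runbook that still runs "turnadmin -A -u <user> -p <pwd>" to add a short-term user will now silently create a web admin account with that password, and "-D" will delete an admin user, instead of failing with an unknown-option error. Prefer fresh option letters for the admin commands, or at least flag the repurposing prominently in the ChangeLog; the server side does this the safer way below by dropping "st-cred-mech" outright so that a stale -A is rejected.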
@ -746,7 +744,6 @@ static const struct myoption long_options[] = {
{ "min-port", required_argument, NULL, MIN_PORT_OPT },
{ "max-port", required_argument, NULL, MAX_PORT_OPT },
{ "lt-cred-mech", optional_argument, NULL, 'a' },
{ "st-cred-mech", optional_argument, NULL, 'A' },
{ "no-auth", optional_argument, NULL, 'z' },
{ "user", required_argument, NULL, 'u' },
#if !defined(TURN_NO_SQLITE)
@ -840,13 +837,13 @@ static const struct myoption admin_long_options[] = {
{ "add", no_argument, NULL, 'a' },
{ "delete", no_argument, NULL, 'd' },
{ "list", no_argument, NULL, 'l' },
{ "list-st", no_argument, NULL, 'L' },
{ "list-admin", no_argument, NULL, 'L' },
{ "set-secret", required_argument, NULL, 's' },
{ "show-secret", no_argument, NULL, 'S' },
{ "delete-secret", required_argument, NULL, 'X' },
{ "delete-all-secrets", no_argument, NULL, DEL_ALL_AUTH_SECRETS_OPT },
{ "add-st", no_argument, NULL, 'A' },
{ "delete-st", no_argument, NULL, 'D' },
{ "add-admin", no_argument, NULL, 'A' },
{ "delete-admin", no_argument, NULL, 'D' },
#if !defined(TURN_NO_SQLITE)
{ "userdb", required_argument, NULL, 'b' },
{ "db", required_argument, NULL, 'b' },
@ -1119,15 +1116,6 @@ static void set_option(int c, char *value)
use_lt_credentials=0;
}
break;
case 'A':
if (get_bool_value(value)) {
turn_params.ct = TURN_CREDENTIALS_SHORT_TERM;
use_st_credentials=1;
} else {
turn_params.ct = TURN_CREDENTIALS_UNDEFINED;
use_st_credentials=0;
}
break;
case 'z':
if (!get_bool_value(value)) {
turn_params.ct = TURN_CREDENTIALS_UNDEFINED;
@ -1430,7 +1418,8 @@ static int adminmain(int argc, char **argv)
int c = 0;
TURNADMIN_COMMAND_TYPE ct = TA_COMMAND_UNKNOWN;
int is_st = 0;
int is_admin = 0;
u08bits user[STUN_MAX_USERNAME_SIZE+1]="";
u08bits realm[STUN_MAX_REALM_SIZE+1]="";
@ -1482,18 +1471,18 @@ static int adminmain(int argc, char **argv)
break;
case 'A':
ct = TA_UPDATE_USER;
is_st = 1;
is_admin = 1;
break;
case 'D':
ct = TA_DELETE_USER;
is_st = 1;
is_admin = 1;
break;
case 'l':
ct = TA_LIST_USERS;
break;
case 'L':
ct = TA_LIST_USERS;
is_st = 1;
is_admin = 1;
break;
case 's':
ct = TA_SET_SECRET;
@ -1596,7 +1585,7 @@ static int adminmain(int argc, char **argv)
exit(-1);
}
return adminuser(user, realm, pwd, secret, origin, ct, is_st, &po);
return adminuser(user, realm, pwd, secret, origin, ct, &po);
}
static void print_features(unsigned long mfn)
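Review bot: is_admin is set by the -A, -D and -L cases in the hunk above, but the adminuser() call here no longer passes any flag, so unless adminmain consumes is_admin before this return, -A/-D/-L fall through to TA_UPDATE_USER, TA_DELETE_USER and TA_LIST_USERS and act on long-term users exactly like -a/-d/-l. Either pass is_admin through to adminuser or map it to distinct admin command types in adminmain before the call.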
@ -1895,17 +1884,7 @@ int main(int argc, char **argv)
exit(-1);
}
if(use_st_credentials && anon_credentials) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: -A and -z options cannot be used together.\n");
exit(-1);
}
if(use_lt_credentials && use_st_credentials) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: -a and -A options cannot be used together.\n");
exit(-1);
}
if(!use_lt_credentials && !anon_credentials && !use_st_credentials) {
if(!use_lt_credentials && !anon_credentials) {
if(turn_params.default_users_db.ram_db.users_number) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "\nCONFIGURATION ALERT: you specified long-term user accounts, (-u option) \n but you did not specify the long-term credentials option\n (-a or --lt-cred-mech option).\n I am turning --lt-cred-mech ON for you, but double-check your configuration.\n");
turn_params.ct = TURN_CREDENTIALS_LONG_TERM;
@ -1927,15 +1906,9 @@ int main(int argc, char **argv)
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "\nCONFIGURATION ALERT: you specified user accounts, (-u option) \n but you also specified the anonymous user access option (-z or --no-auth option).\n User accounts will be ignored.\n");
turn_params.ct = TURN_CREDENTIALS_NONE;
use_lt_credentials=0;
use_st_credentials=0;
}
}
if(turn_params.use_auth_secret_with_timestamp && use_st_credentials) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIGURATION ERROR: Authentication secret (REST API) cannot be used with short-term credentials mechanism.\n");
exit(-1);
}
openssl_setup();
int local_listeners = 0;

View File

@ -402,17 +402,7 @@ static void auth_server_receive_message(struct bufferevent *bev, void *ptr)
continue;
}
if(am.ct == TURN_CREDENTIALS_SHORT_TERM) {
password_t pwd;
am.in_oauth = 0;
am.out_oauth = 0;
if(get_user_pwd(am.username,pwd)<0) {
am.success = 0;
} else {
ns_bcopy(pwd,am.pwd,sizeof(password_t));
am.success = 1;
}
} else {
{
hmackey_t key;
if(get_user_key(am.in_oauth,&(am.out_oauth),&(am.max_session_time),am.username,am.realm,key,am.in_buffer.nbh)<0) {
am.success = 0;

View File

@ -832,8 +832,6 @@ static void cli_print_configuration(struct cli_session* cs)
cli_print_str(cs,cs->origin,"CLI session origin",0);
if(turn_params.ct == TURN_CREDENTIALS_LONG_TERM)
cli_print_flag(cs,1,"Long-term authorization mechanism",0);
else if(turn_params.ct == TURN_CREDENTIALS_SHORT_TERM)
cli_print_flag(cs,1,"Short-term authorization mechanism",0);
else
cli_print_flag(cs,1,"Anonymous credentials",0);
cli_print_flag(cs,turn_params.use_auth_secret_with_timestamp,"TURN REST API support",0);

View File

@ -643,21 +643,6 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u
return ret;
}
/*
* Short-term mechanism password retrieval
*/
int get_user_pwd(u08bits *usname, password_t pwd)
{
int ret = -1;
const turn_dbdriver_t * dbd = get_dbdriver();
if (dbd && dbd->get_user_pwd) {
ret = (*dbd->get_user_pwd)(usname, pwd);
}
return ret;
}
u08bits *start_user_check(turnserver_id id, turn_credential_type ct, int in_oauth, int *out_oauth, u08bits *usname, u08bits *realm, get_username_resume_cb resume, ioa_net_data *in_buffer, u64bits ctxkey, int *postpone_reply)
{
*postpone_reply = 1;
@ -790,11 +775,11 @@ int add_user_account(char *user, int dynamic)
////////////////// Admin /////////////////////////
static int list_users(int is_st, u08bits *realm)
static int list_users(u08bits *realm)
{
const turn_dbdriver_t * dbd = get_dbdriver();
if (dbd && dbd->list_users) {
(*dbd->list_users)(is_st, realm);
(*dbd->list_users)(realm);
}
return 0;
@ -910,15 +895,17 @@ static int list_realm_options(u08bits *realm)
return 0;
}
int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08bits *origin, TURNADMIN_COMMAND_TYPE ct, int is_st, perf_options_t *po)
int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08bits *origin, TURNADMIN_COMMAND_TYPE ct, perf_options_t *po)
{
hmackey_t key;
char skey[sizeof(hmackey_t) * 2 + 1];
password_t passwd;
STRCPY(passwd,pwd);
if (ct == TA_LIST_USERS) {
return list_users(is_st, realm);
return list_users(realm);
}
if (ct == TA_LIST_ORIGINS) {
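Review bot: "password_t passwd; STRCPY(passwd,pwd);" copies the command-line password into a fixed-size buffer, yet the only reader of passwd visible in this file, the short-term strncpy in the hunk below, is being removed. If nothing else in adminuser uses passwd, drop the copy; if something does, confirm that STRCPY bounds the copy to sizeof(password_t), since pwd is taken straight from the -p argument.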
@ -967,9 +954,7 @@ int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08b
must_set_admin_pwd(pwd);
if (is_st) {
strncpy((char*) passwd, (char*) pwd, sizeof(password_t));
} else {
{
stun_produce_integrity_key_str(user, realm, pwd, key, turn_params.shatype);
size_t i = 0;
size_t sz = get_hmackey_size(turn_params.shatype);
@ -988,27 +973,18 @@ int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08b
if (ct == TA_PRINT_KEY) {
if (!is_st) {
printf("0x%s\n", skey);
}
printf("0x%s\n", skey);
} else if (dbd) {
if (!is_st) {
must_set_admin_realm(realm);
}
must_set_admin_realm(realm);
if (ct == TA_DELETE_USER) {
if (dbd->del_user)
(*dbd->del_user)(user, is_st, realm);
(*dbd->del_user)(user, realm);
} else if (ct == TA_UPDATE_USER) {
if (is_st) {
if (dbd->set_user_pwd)
(*dbd->set_user_pwd)(user, passwd);
} else {
if (dbd->set_user_key)
(*dbd->set_user_key)(user, realm, skey);
}
if (dbd->set_user_key)
(*dbd->set_user_key)(user, realm, skey);
}
}

View File

@ -187,7 +187,6 @@ void add_to_secrets_list(secrets_list_t *sl, const char* elem);
/////////// USER DB CHECK //////////////////
int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *uname, u08bits *realm, hmackey_t key, ioa_network_buffer_handle nbh);
int get_user_pwd(u08bits *uname, password_t pwd);
u08bits *start_user_check(turnserver_id id, turn_credential_type ct, int in_oauth, int *out_oauth, u08bits *uname, u08bits *realm, get_username_resume_cb resume, ioa_net_data *in_buffer, u64bits ctxkey, int *postpone_reply);
int check_new_allocation_quota(u08bits *username, int oauth, u08bits *realm);
void release_allocation_quota(u08bits *username, int oauth, u08bits *realm);
@ -201,7 +200,7 @@ void release_allocation_quota(u08bits *username, int oauth, u08bits *realm);
void auth_ping(redis_context_handle rch);
void reread_realms(void);
int add_user_account(char *user, int dynamic);
int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08bits *origin, TURNADMIN_COMMAND_TYPE ct, int is_st, perf_options_t* po);
int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08bits *origin, TURNADMIN_COMMAND_TYPE ct, perf_options_t* po);
int add_ip_list_range(const char* range, const char* realm, ip_range_list_t * list);
ip_range_list_t* get_ip_list(const char *kind);

View File

@ -56,7 +56,6 @@ int c2c=0;
int clnet_verbose=TURN_VERBOSE_NONE;
int use_tcp=0;
int use_secure=0;
int use_short_term=0;
int hang_on=0;
ioa_addr peer_addr;
int no_rtcp = 0;
@ -125,8 +124,6 @@ static char Usage[] =
" -x IPv6 relay address requested.\n"
" -X IPv4 relay address explicitly requested.\n"
" -g Include DONT_FRAGMENT option.\n"
" -A Use short-term credentials mechanism. By default, the program uses\n"
" the long-term credentials mechanism if authentication is required.\n"
" -D Mandatory channel padding (like in pjnath).\n"
" -N Negative tests (some limited cases only).\n"
" -R Negative protocol tests.\n"
@ -219,11 +216,6 @@ int main(int argc, char **argv)
oauth = 1;
if(use_short_term) {
fprintf(stderr,"Short-term mechanism cannot be used together with oAuth.\n");
exit(-1);
}
oauth_key_data okd_array[2];
convert_oauth_key_data_raw(&okdr_array[0], &okd_array[0]);
convert_oauth_key_data_raw(&okdr_array[1], &okd_array[1]);
@ -297,13 +289,6 @@ int main(int argc, char **argv)
case 'Z':
dual_allocation = 1;
break;
case 'A':
if(oauth) {
fprintf(stderr,"Short-term mechanism cannot be used together with oAuth.\n");
exit(-1);
}
use_short_term = 1;
break;
case 'u':
STRCPY(g_uname, optarg);
break;
@ -409,10 +394,6 @@ int main(int argc, char **argv)
if(g_use_auth_secret_with_timestamp) {
if(use_short_term) {
fprintf(stderr,"ERROR: You cannot use authentication secret (REST API) with short-term credentials mechanism.\n");
exit(-1);
}
{
char new_uname[1025];
const unsigned long exp_time = 3600 * 24; /* one day */

View File

@ -448,7 +448,7 @@ static int clnet_allocate(int verbose,
allocate_received = 1;
allocate_finished = 1;
if(clnet_info->nonce[0] || use_short_term) {
if(clnet_info->nonce[0]) {
if(check_integrity(clnet_info, &response_message)<0)
return -1;
}
@ -528,16 +528,11 @@ static int clnet_allocate(int verbose,
goto beg_allocate;
} else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) {
if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1) && use_short_term) {
clnet_info->shatype = SHATYPE_SHA256;
goto beg_allocate;
}
allocate_received = 1;
if(err_code == 300) {
if(clnet_info->nonce[0] || use_short_term) {
if(clnet_info->nonce[0]) {
if(check_integrity(clnet_info, &response_message)<0)
return -1;
}
@ -797,7 +792,7 @@ static int turn_channel_bind(int verbose, uint16_t *chn,
cb_received = 1;
if(clnet_info->nonce[0] || use_short_term) {
if(clnet_info->nonce[0]) {
if(check_integrity(clnet_info, &response_message)<0)
return -1;
}
@ -906,7 +901,7 @@ static int turn_create_permission(int verbose, app_ur_conn_info *clnet_info,
cp_received = 1;
if(clnet_info->nonce[0] || use_short_term) {
if(clnet_info->nonce[0]) {
if(check_integrity(clnet_info, &response_message)<0)
return -1;
}
@ -1481,7 +1476,7 @@ static int turn_tcp_connection_bind(int verbose, app_ur_conn_info *clnet_info, a
u08bits err_msg[129];
if (stun_is_success_response(&response_message)) {
if(clnet_info->nonce[0] || use_short_term) {
if(clnet_info->nonce[0]) {
if(check_integrity(clnet_info, &response_message)<0)
return -1;
}

View File

@ -678,12 +678,6 @@ static int client_read(app_ur_session *elem, int is_tcp_data, app_tcp_conn_info
}
} else if (stun_is_indication(&(elem->in_buffer))) {
if(use_short_term) {
if(check_integrity(&(elem->pinfo), &(elem->in_buffer))<0)
return -1;
}
uint16_t method = stun_get_method(&elem->in_buffer);
if((method == STUN_METHOD_CONNECTION_ATTEMPT)&& is_TCP_relay()) {
@ -733,7 +727,7 @@ static int client_read(app_ur_session *elem, int is_tcp_data, app_tcp_conn_info
} else if (stun_is_success_response(&(elem->in_buffer))) {
if(elem->pinfo.nonce[0] || use_short_term) {
if(elem->pinfo.nonce[0]) {
if(check_integrity(&(elem->pinfo), &(elem->in_buffer))<0)
return -1;
}
@ -908,10 +902,6 @@ static int client_write(app_ur_session *elem) {
if(dont_fragment)
stun_attr_add(&(elem->out_buffer), STUN_ATTRIBUTE_DONT_FRAGMENT, NULL, 0);
if (use_short_term) {
if(add_integrity(&(elem->pinfo), &(elem->out_buffer))<0) return -1;
}
if(use_fingerprints)
stun_attr_add_fingerprint_str(elem->out_buffer.buf,(size_t*)&(elem->out_buffer.len));
}
@ -1590,19 +1580,12 @@ void start_mclient(const char *remote_address, int port,
turn_credential_type get_turn_credentials_type(void)
{
if(use_short_term)
return TURN_CREDENTIALS_SHORT_TERM;
return TURN_CREDENTIALS_LONG_TERM;
}
int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
{
if(use_short_term) {
if(stun_attr_add_integrity_by_user_short_term_str(message->buf, (size_t*)&(message->len), g_uname, g_upwd, clnet_info->shatype)<0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot add integrity to the message\n");
return -1;
}
} else if(clnet_info->nonce[0]) {
if(clnet_info->nonce[0]) {
if(oauth && clnet_info->oauth) {

View File

@ -53,7 +53,6 @@ extern int do_not_use_channel;
extern int clnet_verbose;
extern int use_tcp;
extern int use_secure;
extern int use_short_term;
extern char cert_file[1025];
extern char pkey_file[1025];
extern int hang_on;

View File

@ -63,9 +63,6 @@ typedef enum {
*/
typedef u08bits hmackey_t[64];
/**
* Short-term credentials password
*/
typedef u08bits password_t[STUN_MAX_PWD_SIZE+1];
typedef unsigned int band_limit_t;

View File

@ -31,8 +31,8 @@
#ifndef __IOADEFS__
#define __IOADEFS__
#define TURN_SERVER_VERSION "4.3.4.1"
#define TURN_SERVER_VERSION_NAME "Tolomei"
#define TURN_SERVER_VERSION "4.4.1.1"
#define TURN_SERVER_VERSION_NAME "Carlot dan Eider"
#define TURN_SOFTWARE "Coturn-" TURN_SERVER_VERSION " '" TURN_SERVER_VERSION_NAME "'"
#if (defined(__unix__) || defined(unix)) && !defined(USG)
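Review bot: bumping 4.3.4.1 to 4.4.1.1 is the right signal for this change, since deployments that populated turnusers_st (dropped from the schema below) lose a server-side authentication mechanism; the release notes should state explicitly that short-term clients must move to long-term credentials or the REST API before upgrading.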

View File

@ -2148,13 +2148,6 @@ static void tcp_peer_accept_connection(ioa_socket_handle s, void *arg)
ioa_network_buffer_set_size(nbh, len);
}
/* We add integrity for short-term indication messages, only */
if(server->ct == TURN_CREDENTIALS_SHORT_TERM)
{
stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,server->shatype);
ioa_network_buffer_set_size(nbh,len);
}
if ((server->fingerprint) || ss->enforce_fingerprints) {
size_t len = ioa_network_buffer_get_size(nbh);
stun_attr_add_fingerprint_str(ioa_network_buffer_data(nbh), &len);
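Review bot: this deletion and the identical one in peer_input_handler remove the same short-term integrity block twice, and the `if ((server->fingerprint) || ss->enforce_fingerprints)` block that follows is also duplicated verbatim between the two functions. Factoring the fingerprint step into one helper would avoid the next divergence between the TCP and UDP relay paths.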
@ -3118,8 +3111,6 @@ static int need_stun_authentication(turn_turnserver *server, ts_ur_super_session
switch(server->ct) {
case TURN_CREDENTIALS_LONG_TERM:
return 1;
case TURN_CREDENTIALS_SHORT_TERM:
return 1;
default:
;
};
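Review bot: with the short-term case gone the switch has one case returning 1 and a default that does nothing, so `return server->ct == TURN_CREDENTIALS_LONG_TERM;` (or a plain if) expresses it more directly. The `};` closing the switch also carries a stray semicolon.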
@ -3252,11 +3243,7 @@ static int check_stun_auth(turn_turnserver *server,
if(!sar) {
*err_code = 401;
*reason = (const u08bits*)"Unauthorised";
if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
} else {
return -1;
}
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
{
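Review bot: this is the first of four places in check_stun_auth where `if(server->ct != TURN_CREDENTIALS_SHORT_TERM) { return create_challenge_response(...); } else { return -1; }` collapses to an unconditional challenge; the four resulting call sites are identical, so a small static helper taking ss, tid, resp_constructed, err_code, reason, nbh and method would keep them in sync.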
@ -3280,7 +3267,7 @@ static int check_stun_auth(turn_turnserver *server,
};
}
if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
{
/* REALM ATTR: */
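Review bot: the `{` that replaces `if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {` leaves a bare block with no condition; unless the scope is needed for a local declaration, drop the braces and de-indent the REALM ATTR handling so the structure does not read like a missing condition.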
@ -3351,7 +3338,7 @@ static int check_stun_auth(turn_turnserver *server,
set_realm_hash(ss->client_socket,(u08bits*)ss->realm_options.name);
}
if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
{
/* NONCE ATTR: */
sar = stun_attr_get_first_by_type_str(ioa_network_buffer_data(in_buffer->nbh),
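Review bot: same leftover as the REALM ATTR block: a bare `{` where the short-term condition used to be. Remove the extra scope here too, or add a short comment explaining why the block is kept.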
@ -3391,18 +3378,14 @@ static int check_stun_auth(turn_turnserver *server,
return 0;
}
}
/* we always return NULL for short-term credentials here */
/* direct user pattern is supported only for long-term credentials */
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"%s: Cannot find credentials of user <%s>\n",
__FUNCTION__, (char*)usname);
*err_code = 401;
*reason = (const u08bits*)"Unauthorised";
if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
} else {
return -1;
}
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
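Review bot: the new comment is clearer than the old one, but the path below it logs `Cannot find credentials of user <%s>` at TURN_LOG_LEVEL_ERROR with a client-supplied username on every failed lookup, and now always answers with a 401 challenge; an unauthenticated peer can fill the error log with arbitrary usernames. Consider logging this at INFO or rate-limiting it, since an unknown user is an expected condition rather than a server error.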
/* Check integrity */
@ -3420,11 +3403,7 @@ static int check_stun_auth(turn_turnserver *server,
__FUNCTION__, (char*)usname);
*err_code = SHA_TOO_WEAK_ERROR_CODE;
*reason = (const u08bits*)"Unauthorised: weak SHA function is used";
if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
} else {
return -1;
}
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
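Review bot: the weak-SHA rejection now always returns a challenge response carrying SHA_TOO_WEAK_ERROR_CODE instead of failing with -1; confirm that create_challenge_response handles an error code other than 401 the way the "Unauthorised: weak SHA function is used" reason implies, i.e. that realm and nonce are still included so the client can retry with a stronger hash.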
if(can_resume) {
@ -3439,11 +3418,7 @@ static int check_stun_auth(turn_turnserver *server,
__FUNCTION__, (char*)usname);
*err_code = 401;
*reason = (const u08bits*)"Unauthorised";
if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
} else {
return -1;
}
return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
}
*message_integrity = 1;
@ -3792,10 +3767,6 @@ static int handle_turn_command(turn_turnserver *server, ts_ur_super_session *ss,
no_response = 1;
int postpone = 0;
if(server->ct == TURN_CREDENTIALS_SHORT_TERM) {
check_stun_auth(server, ss, &tid, resp_constructed, &err_code, &reason, in_buffer, nbh, method, &message_integrity, &postpone, can_resume);
}
if (!postpone && !err_code) {
switch (method){
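Review bot: `int postpone = 0;` is still declared and tested in `if (!postpone && !err_code)`, but its only visible writer, the removed check_stun_auth(..., &postpone, can_resume) call, is gone. If nothing else in handle_turn_command assigns it, the variable is now always 0 and can be dropped along with the condition; if something does, a comment pointing to it would help.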
@ -4734,13 +4705,6 @@ static void peer_input_handler(ioa_socket_handle s, int event_type,
ioa_network_buffer_set_size(nbh, len);
}
/* We add integrity for short-term indication messages, only */
if(server->ct == TURN_CREDENTIALS_SHORT_TERM)
{
stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,server->shatype);
ioa_network_buffer_set_size(nbh,len);
}
if ((server->fingerprint) || ss->enforce_fingerprints) {
size_t len = ioa_network_buffer_get_size(nbh);
stun_attr_add_fingerprint_str(ioa_network_buffer_data(nbh), &len);
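Review bot: duplicate of the block removed in tcp_peer_accept_connection; see the note there about folding the shared fingerprint step into one helper so the UDP and TCP relay paths cannot drift apart again.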

View File

@ -5,7 +5,6 @@ mongo $* <<EOF
use coturn;
db.turnusers_lt.ensureIndex({ realm: 1, name: 1 }, { unique: 1 });
db.turnusers_st.ensureIndex({ name: 1 }, { unique: 1 });
db.turn_secret.ensureIndex({ realm: 1 }, { unique: 1 });
db.realm.ensureIndex({ realm: 1 }, { unique: 1 });
db.oauth_key.ensureIndex({ kid: 1 }, {unique: 1 });
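Review bot: dropping the ensureIndex on turnusers_st only affects fresh installs; nothing here removes an existing turnusers_st collection on upgraded deployments, and the test data below shows it held cleartext passwords. Provide a migration note (or a db.turnusers_st.drop() step) so those secrets are not left at rest in a collection the server no longer reads.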

View File

@ -6,11 +6,6 @@ CREATE TABLE turnusers_lt (
PRIMARY KEY (realm,name)
);
CREATE TABLE turnusers_st (
name varchar(512) PRIMARY KEY,
password varchar(127)
);
CREATE TABLE turn_secret (
realm varchar(127) default '',
value varchar(127),
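Review bot: the CREATE TABLE turnusers_st removal has no matching DROP TABLE for existing databases; as with the Mongo script, add an upgrade note so the orphaned cleartext-password table is removed rather than forgotten.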

View File

@ -12,12 +12,7 @@ with value "7da2270ccfa49786e0115366d3a3d14d". Alternatively, the password
may be stored in clear text format. Then the key will be
"turn/realm/north.gov/user/gorst/password" and the key will be simply "hero".
2) For the short-term credentials, the passwords are stored always in
clear text format, with no realm name (because the short-term credentials
are not bound to a realm). So, there will be key "turn/user/gorst/password"
and the value will be "hero".
3) For the shared secrets (REST API), several key/value pairs
2) For the shared secrets (REST API), several key/value pairs
may be used (same as in SQL schema). The secrets are stored as members
of an unordered set. The name of the set will be
"turn/realm/<realm-name>/secret" and the value(s) will be the secret(s).
@ -26,7 +21,7 @@ then we will have set "turn/realm/north.gov/secret" with values
"hero1", "hero2" and "hero3". The turnserver will try to use the
secrets in arbitrary order.
4) The "white" and "black" peer IP ranges are stored as unordered sets
3) The "white" and "black" peer IP ranges are stored as unordered sets
of the following names:
"turn/realm/<realm>/allowed-peer-ip" and
"turn/realm/<realm>/denied-peer-ip".
@ -38,7 +33,7 @@ The only difference is that the turnserver option values are "static"
the database records can be dynamically changed
and they will be almost immediately "seen" by the turnserver process.
5) For the oAuth authentication, there is a hash structure with the key
4) For the oAuth authentication, there is a hash structure with the key
"turn/oauth/kid/<kid-value>". The kid structure fields are:
ikm_key - (optional) base64-encoded key ("input keying material");
@ -73,11 +68,9 @@ and they will be almost immediately "seen" by the turnserver process.
calculated with ikm_key and hkdf_hash_func. The auth_key length
is defined by auth_alg.
6) admin users (over https interface) are maintained as keys of form:
"turn/realm/<realm-name>/admin_user/<username>/password" with the password
values (for the per-relam admin users), or as keys of form:
"turn/admin_user/<username>/password" with password values - for the global
admin users.
5) admin users (over https interface) are maintained as keys of form:
"turn/admin_user/<username> with hash members "password" and,
optionally, "realm".
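Review bot: the new line `"turn/admin_user/<username> with hash members "password" and,` is missing the closing quote after <username>, so the quoting is unbalanced. The removed text also described per-realm keys under turn/realm/<realm-name>/admin_user/..., while the new text only describes the global key with an optional "realm" member; if per-realm admin keys are no longer read, say so explicitly so operators know to migrate them.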
II. Extra realms data in the database
@ -101,7 +94,6 @@ This example sets user database for:
* long-term credentials with open passwords and
with default realm "north.gov";
* TURN REST API with shared secrets "logen", etc;
* short-term credentials mechanism, with open passwords;
* Black and white IP peer lists used.
* Information how to match ORIGIN field with extra
realms (if used). If no origin match found
@ -134,11 +126,6 @@ set turn/realm/crinna.org/user/stranger-come-knocking/password "civilization"
sadd turn/realm/north.gov/secret "logen" "bloody9"
sadd turn/realm/crinna.org/secret "north" "library"
set turn/user/ninefingers/password "youhavetoberealistic"
set turn/user/gorst/password "hero"
set turn/user/whirrun/password "sword"
set turn/user/stranger-come-knocking/password "civilization"
set turn/realm/north.gov/max-bps 500000
set turn/realm/north.gov/total-quota 12000
set turn/realm/north.gov/user-quota 10000

View File

@ -5,7 +5,6 @@ mongo $* <<EOF
use coturn;
db.turnusers_lt.ensureIndex({ realm: 1, name: 1 }, { unique: 1 });
db.turnusers_st.ensureIndex({ name: 1 }, { unique: 1 });
db.turn_secret.ensureIndex({ realm: 1 }, { unique: 1 });
db.realm.ensureIndex({ realm: 1 }, { unique: 1 });
db.oauth_key.ensureIndex({ kid: 1 }, {unique: 1 });
@ -15,11 +14,6 @@ db.turnusers_lt.insert({ realm: 'north.gov', name: 'gorst', hmackey: '7da2270ccf
db.turnusers_lt.insert({ realm: 'crinna.org', name: 'whirrun', hmackey: '6972e85e51f36e53b0b61759c5a5219a' });
db.turnusers_lt.insert({ realm: 'crinna.org', name: 'stranger-come-knocking', hmackey: 'd43cb678560259a1839bff61c19de15e' });
db.turnusers_st.insert({ name: 'ninefingers', password: 'youhavetoberealistic'});
db.turnusers_st.insert({ name: 'gorst', password: 'hero'});
db.turnusers_st.insert({ name: 'whirrun', password: 'sword'});
db.turnusers_st.insert({ name: 'stranger-come-knocking', password: 'civilization'});
db.turn_secret.insert({ realm: 'north.gov', value: 'logen' });
db.turn_secret.insert({ realm: 'crinna.org', value: 'north' });

View File

@ -24,17 +24,6 @@ set turn/realm/crinna.org/user/stranger-come-knocking/password "civilization"
sadd turn/realm/north.gov/secret "logen" "bloody9"
sadd turn/realm/crinna.org/secret "north" "library"
set turn/user/ninefingers/password "youhavetoberealistic"
set turn/user/gorst/password "hero"
set turn/user/bethod/password "king-of-north"
set turn/user/whirrun/password "sword"
set turn/user/stranger-come-knocking/password "civilization"
set turn/realm/north.gov/admin_user/skarling/password "hoodless"
set turn/admin_user/bayaz/password "magi"
set turn/realm/north.gov/max-bps 500000
set turn/realm/north.gov/total-quota 12000
set turn/realm/north.gov/user-quota 10000
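Review bot: this hunk removes more than short-term data: the two admin-user examples (`set turn/realm/north.gov/admin_user/skarling/password "hoodless"` and `set turn/admin_user/bayaz/password "magi"`) go too, yet the documentation hunk above changes the admin_user key to a hash with "password" and optional "realm" members. Rewrite those two as hset entries in the new format rather than deleting them, so the test setup still exercises the admin login.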

View File

@ -4,11 +4,6 @@ insert into turnusers_lt (realm, name, hmackey) values('north.gov','gorst','7da2
insert into turnusers_lt (realm, name, hmackey) values('crinna.org','whirrun','6972e85e51f36e53b0b61759c5a5219a');
insert into turnusers_lt (realm, name, hmackey) values('crinna.org','stranger-come-knocking','d43cb678560259a1839bff61c19de15e');
insert into turnusers_st (name, password) values('ninefingers','youhavetoberealistic');
insert into turnusers_st (name, password) values('gorst','hero');
insert into turnusers_st (name, password) values('whirrun','sword');
insert into turnusers_st (name, password) values('stranger-come-knocking','civilization');
insert into turn_secret (realm,value) values('north.gov','logen');
insert into turn_secret (realm,value) values('crinna.org','north');