static void ch_info_clean(ur_map_value_type value) {
if(value) {
ch_info* c = (ch_info*)value;
IOA_EVENT_DEL(c->lifetime_ev);
ns_bzero(c,sizeof(ch_info));
}
}
int stun_init_buffer(stun_buffer *buf) {
if(!buf) return -1;
ns_bzero(buf->buf,sizeof(buf->buf));
buf->len=0;
buf->offset=0;
buf->coffset=0;
return 0;
}
void init_allocation(void *owner, allocation* a, ur_map *tcp_connections) {
if(a) {
ns_bzero(a,sizeof(allocation));
a->owner = owner;
a->channel_to_ch_info=ur_map_create();
a->tcp_connections = tcp_connections;
init_turn_permission_map(&(a->addr_to_perm));
}
}
void turn_permission_clean(ur_map_value_type value) {
if(value) {
turn_permission_info* tinfo = (turn_permission_info*)value;
ur_map_foreach(tinfo->channels, (foreachcb_type)delete_channel_info_from_allocation_map);
ur_map_free(&(tinfo->channels));
IOA_EVENT_DEL(tinfo->lifetime_ev);
ns_bzero(tinfo,sizeof(turn_permission_info));
}
}
static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
mongoc_collection_t * collection = mongo_get_collection("oauth_key");
if (!collection)
return -1;
bson_t query;
bson_init(&query);
BSON_APPEND_UTF8(&query, "kid", (const char *)kid);
bson_t fields;
bson_init(&fields);
BSON_APPEND_INT32(&fields, "lifetime", 1);
BSON_APPEND_INT32(&fields, "timestamp", 1);
BSON_APPEND_INT32(&fields, "as_rs_alg", 1);
BSON_APPEND_INT32(&fields, "ikm_key", 1);
mongoc_cursor_t * cursor;
cursor = mongoc_collection_find(collection, MONGOC_QUERY_NONE, 0, 1, 0,
&query, &fields, NULL);
int ret = -1;
ns_bzero(key,sizeof(oauth_key_data_raw));
STRCPY(key->kid,kid);
if (!cursor) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"Error querying MongoDB collection 'oauth_key'\n");
} else {
const bson_t * item;
uint32_t length;
bson_iter_t iter;
if (mongoc_cursor_next(cursor, &item)) {
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_alg") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->as_rs_alg,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "ikm_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->ikm_key,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "timestamp") && BSON_ITER_HOLDS_INT64(&iter)) {
key->timestamp = (u64bits)bson_iter_int64(&iter);
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "lifetime") && BSON_ITER_HOLDS_INT32(&iter)) {
key->lifetime = (u32bits)bson_iter_int32(&iter);
}
ret = 0;
}
mongoc_cursor_destroy(cursor);
}
mongoc_collection_destroy(collection);
bson_destroy(&query);
bson_destroy(&fields);
return ret;
}
turn_permission_info* allocation_add_permission(allocation *a, const ioa_addr* addr) {
if(a && addr) {
turn_permission_map map = a->addr_to_perm;
turn_permission_info *elem=(turn_permission_info *)turn_malloc(sizeof(turn_permission_info));
ns_bzero(elem,sizeof(turn_permission_info));
elem->channels = ur_map_create();
addr_cpy(&elem->addr,addr);
u32bits hash=addr_hash_no_port(addr);
int fds=(int)(hash%TURN_PERMISSION_MAP_SIZE);
elem->list.next=NULL;
map[fds]=push_back_cilist(map[fds],elem);
elem->owner = a;
return elem;
} else {
return NULL;
}
}
static server_type* init_server(int verbose, const char* ifname, char **local_addresses, size_t las, int port) {
server_type* server=(server_type*)turn_malloc(sizeof(server_type));
if(!server) return server;
ns_bzero(server,sizeof(server_type));
server->verbose=verbose;
server->event_base = event_base_new();
while(las) {
udp_create_server_socket(server, ifname, local_addresses[--las], port);
udp_create_server_socket(server, ifname, local_addresses[las], port+1);
}
return server;
}
tls_listener_relay_server_type* create_tls_listener_server(const char* ifname,
const char *local_address, int port, int verbose,
ioa_engine_handle e,
ioa_engine_new_connection_event_handler send_socket,
struct relay_server *relay_server)
{
tls_listener_relay_server_type* server =
(tls_listener_relay_server_type*) turn_malloc(sizeof(tls_listener_relay_server_type));
ns_bzero(server, sizeof(tls_listener_relay_server_type));
if (init_server(server, ifname, local_address, port, verbose, e,
send_socket, relay_server) < 0) {
turn_free(server, sizeof(tls_listener_relay_server_type));
return NULL ;
} else {
return server;
}
}
tcp_connection *create_tcp_connection(u08bits server_id, allocation *a, stun_tid *tid, ioa_addr *peer_addr, int *err_code)
{
tcp_connection_list *tcl = &(a->tcl);
while(tcl->next) {
tcp_connection *otc = (tcp_connection*)(tcl->next);
if(addr_eq(&(otc->peer_addr),peer_addr)) {
*err_code = 446;
return NULL;
}
tcl=tcl->next;
}
tcp_connection *tc = (tcp_connection*)turn_malloc(sizeof(tcp_connection));
ns_bzero(tc,sizeof(tcp_connection));
tcl->next = &(tc->list);
addr_cpy(&(tc->peer_addr),peer_addr);
if(tid)
ns_bcopy(tid,&(tc->tid),sizeof(stun_tid));
tc->owner = a;
set_new_tc_id(server_id, tc);
return tc;
}
ch_info* allocation_get_new_ch_info(allocation* a, u16bits chnum, ioa_addr* peer_addr)
{
turn_permission_info* tinfo = get_from_turn_permission_map(a->addr_to_perm, peer_addr);
if (!tinfo)
tinfo = allocation_add_permission(a, peer_addr);
ch_info* chn = (ch_info*)turn_malloc(sizeof(ch_info));
ns_bzero(chn,sizeof(ch_info));
chn->chnum = chnum;
chn->port = addr_get_port(peer_addr);
addr_cpy(&(chn->peer_addr), peer_addr);
chn->owner = tinfo;
ur_map_put(a->channel_to_ch_info, chnum, chn);
ur_map_put(tinfo->channels, (ur_map_key_type) addr_get_port(peer_addr), (ur_map_value_type) chn);
return chn;
}
dtls_listener_relay_server_type* create_dtls_listener_server(const char* ifname,
const char *local_address,
int port,
int verbose,
ioa_engine_handle e,
turn_turnserver *ts) {
dtls_listener_relay_server_type* server=(dtls_listener_relay_server_type*)
turn_malloc(sizeof(dtls_listener_relay_server_type));
ns_bzero(server,sizeof(dtls_listener_relay_server_type));
if(init_server(server,
ifname, local_address, port,
verbose,
e,
ts)<0) {
turn_free(server,sizeof(dtls_listener_relay_server_type));
return NULL;
} else {
return server;
}
}
/*
* Password retrieval
*/
int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *usname, u08bits *realm, hmackey_t key, ioa_network_buffer_handle nbh)
{
int ret = -1;
if(max_session_time)
*max_session_time = 0;
if(in_oauth && out_oauth && usname && usname[0]) {
stun_attr_ref sar = stun_attr_get_first_by_type_str(ioa_network_buffer_data(nbh),
ioa_network_buffer_get_size(nbh),
STUN_ATTRIBUTE_OAUTH_ACCESS_TOKEN);
if(sar) {
int len = stun_attr_get_len(sar);
const u08bits *value = stun_attr_get_value(sar);
*out_oauth = 1;
if(len>0 && value) {
const turn_dbdriver_t * dbd = get_dbdriver();
if (dbd && dbd->get_oauth_key) {
oauth_key_data_raw rawKey;
ns_bzero(&rawKey,sizeof(rawKey));
int gres = (*(dbd->get_oauth_key))(usname,&rawKey);
if(gres<0)
return ret;
if(!rawKey.kid[0])
return ret;
if(rawKey.lifetime) {
if(!turn_time_before(turn_time(),(turn_time_t)(rawKey.timestamp + rawKey.lifetime+OAUTH_TIME_DELTA))) {
return ret;
}
}
oauth_key_data okd;
ns_bzero(&okd,sizeof(okd));
convert_oauth_key_data_raw(&rawKey, &okd);
char err_msg[1025] = "\0";
size_t err_msg_size = sizeof(err_msg) - 1;
oauth_key okey;
ns_bzero(&okey,sizeof(okey));
if (convert_oauth_key_data(&okd, &okey, err_msg, err_msg_size) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s\n", err_msg);
return -1;
}
oauth_token dot;
ns_bzero((&dot),sizeof(dot));
encoded_oauth_token etoken;
ns_bzero(&etoken,sizeof(etoken));
if((size_t)len > sizeof(etoken.token)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Encoded oAuth token is too large\n");
return -1;
}
ns_bcopy(value,etoken.token,(size_t)len);
etoken.size = (size_t)len;
const char* server_name = (char*)turn_params.oauth_server_name;
if(!(server_name && server_name[0])) {
server_name = (char*)realm;
if(!(server_name && server_name[0])) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot determine oAuth server name");
return -1;
}
}
if (decode_oauth_token((const u08bits *) server_name, &etoken,&okey, &dot) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot decode oauth token\n");
return -1;
}
switch(dot.enc_block.key_length) {
case SHA1SIZEBYTES:
if(turn_params.shatype != SHATYPE_SHA1) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(1): %d\n",(int)dot.enc_block.key_length);
return -1;
}
break;
case SHA256SIZEBYTES:
if(turn_params.shatype != SHATYPE_SHA256) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(2): %d\n",(int)dot.enc_block.key_length);
return -1;
}
break;
case SHA384SIZEBYTES:
if(turn_params.shatype != SHATYPE_SHA384) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(3): %d\n",(int)dot.enc_block.key_length);
return -1;
}
break;
case SHA512SIZEBYTES:
if(turn_params.shatype != SHATYPE_SHA512) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(3): %d\n",(int)dot.enc_block.key_length);
return -1;
}
break;
default:
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(3): %d\n",(int)dot.enc_block.key_length);
return -1;
};
password_t pwdtmp;
if(stun_check_message_integrity_by_key_str(TURN_CREDENTIALS_LONG_TERM,
ioa_network_buffer_data(nbh),
ioa_network_buffer_get_size(nbh),
dot.enc_block.mac_key,
pwdtmp,
turn_params.shatype,NULL)>0) {
turn_time_t lifetime = (turn_time_t)(dot.enc_block.lifetime);
if(lifetime) {
turn_time_t ts = (turn_time_t)(dot.enc_block.timestamp >> 16);
turn_time_t to = ts + lifetime + OAUTH_TIME_DELTA;
turn_time_t ct = turn_time();
if(!turn_time_before(ct,to)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "oAuth token is too old\n");
return -1;
}
if(max_session_time) {
*max_session_time = to - ct;
}
}
ns_bcopy(dot.enc_block.mac_key,key,dot.enc_block.key_length);
ret = 0;
}
}
}
void init_secrets_list(secrets_list_t *sl)
{
if(sl) {
ns_bzero(sl,sizeof(secrets_list_t));
}
}
int stun_init_buffer(stun_buffer *buf) {
if(!buf) return -1;
ns_bzero(buf->buf,sizeof(buf->buf));
buf->len=STUN_HEADER_LENGTH;
return 0;
}
static int create_new_connected_udp_socket(
dtls_listener_relay_server_type* server, ioa_socket_handle s)
{
evutil_socket_t udp_fd = socket(s->local_addr.ss.sa_family, CLIENT_DGRAM_SOCKET_TYPE, CLIENT_DGRAM_SOCKET_PROTOCOL);
if (udp_fd < 0) {
perror("socket");
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: Cannot allocate new socket\n",
__FUNCTION__);
return -1;
}
if (sock_bind_to_device(udp_fd, (unsigned char*) (s->e->relay_ifname))
< 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"Cannot bind udp server socket to device %s\n",
(char*) (s->e->relay_ifname));
}
ioa_socket_handle ret = (ioa_socket*) turn_malloc(sizeof(ioa_socket));
if (!ret) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"%s: Cannot allocate new socket structure\n", __FUNCTION__);
close(udp_fd);
return -1;
}
ns_bzero(ret, sizeof(ioa_socket));
ret->magic = SOCKET_MAGIC;
ret->fd = udp_fd;
ret->family = s->family;
ret->st = s->st;
ret->sat = CLIENT_SOCKET;
ret->local_addr_known = 1;
addr_cpy(&(ret->local_addr), &(s->local_addr));
if (addr_bind(udp_fd,&(s->local_addr),1,1,UDP_SOCKET) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"Cannot bind new detached udp server socket to local addr\n");
IOA_CLOSE_SOCKET(ret);
return -1;
}
ret->bound = 1;
{
int connect_err = 0;
if (addr_connect(udp_fd, &(server->sm.m.sm.nd.src_addr), &connect_err) < 0) {
char sl[129];
char sr[129];
addr_to_string(&(ret->local_addr),(u08bits*)sl);
addr_to_string(&(server->sm.m.sm.nd.src_addr),(u08bits*)sr);
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"Cannot connect new detached udp client socket from local addr %s to remote addr %s\n",sl,sr);
IOA_CLOSE_SOCKET(ret);
return -1;
}
}
ret->connected = 1;
addr_cpy(&(ret->remote_addr), &(server->sm.m.sm.nd.src_addr));
set_socket_options(ret);
ret->current_ttl = s->current_ttl;
ret->default_ttl = s->default_ttl;
ret->current_tos = s->current_tos;
ret->default_tos = s->default_tos;
#if DTLS_SUPPORTED
if (!turn_params.no_dtls
&& is_dtls_handshake_message(
ioa_network_buffer_data(server->sm.m.sm.nd.nbh),
(int) ioa_network_buffer_get_size(
server->sm.m.sm.nd.nbh))) {
SSL* connecting_ssl = NULL;
BIO *wbio = NULL;
struct timeval timeout;
/* Create BIO */
wbio = BIO_new_dgram(ret->fd, BIO_NOCLOSE);
(void) BIO_dgram_set_peer(wbio, (struct sockaddr*) &(server->sm.m.sm.nd.src_addr));
BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_CONNECTED, 0, &(server->sm.m.sm.nd.src_addr));
/* Set and activate timeouts */
timeout.tv_sec = DTLS_MAX_RECV_TIMEOUT;
timeout.tv_usec = 0;
BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
#if DTLSv1_2_SUPPORTED
if(get_dtls_version(ioa_network_buffer_data(server->sm.m.sm.nd.nbh),
(int)ioa_network_buffer_get_size(server->sm.m.sm.nd.nbh)) == 1) {
connecting_ssl = SSL_NEW(server->dtls_ctx_v1_2);
} else {
connecting_ssl = SSL_NEW(server->dtls_ctx);
}
#else
{
connecting_ssl = SSL_NEW(server->dtls_ctx);
}
#endif
SSL_set_accept_state(connecting_ssl);
SSL_set_bio(connecting_ssl, NULL, wbio);
SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE);
SSL_set_max_cert_list(connecting_ssl, 655350);
int rc = ssl_read(ret->fd, connecting_ssl, server->sm.m.sm.nd.nbh,
server->verbose);
if (rc < 0) {
if (!(SSL_get_shutdown(connecting_ssl) & SSL_SENT_SHUTDOWN)) {
SSL_set_shutdown(connecting_ssl, SSL_RECEIVED_SHUTDOWN);
SSL_shutdown(connecting_ssl);
}
SSL_FREE(connecting_ssl);
IOA_CLOSE_SOCKET(ret);
return -1;
}
addr_debug_print(server->verbose, &(server->sm.m.sm.nd.src_addr),
"Accepted DTLS connection from");
ret->ssl = connecting_ssl;
ioa_network_buffer_delete(server->e, server->sm.m.sm.nd.nbh);
server->sm.m.sm.nd.nbh = NULL;
ret->st = DTLS_SOCKET;
}
#endif
server->sm.m.sm.s = ret;
return server->connect_cb(server->e, &(server->sm));
}
static int clnet_connect(uint16_t clnet_remote_port, const char *remote_address,
const unsigned char* ifname, const char *local_address, int verbose,
app_ur_conn_info *clnet_info) {
ioa_addr local_addr;
evutil_socket_t clnet_fd;
int connect_err;
int connect_cycle = 0;
ioa_addr remote_addr;
start_socket:
clnet_fd = -1;
connect_err = 0;
ns_bzero(&remote_addr, sizeof(ioa_addr));
if (make_ioa_addr((const u08bits*) remote_address, clnet_remote_port,
&remote_addr) < 0)
return -1;
ns_bzero(&local_addr, sizeof(ioa_addr));
clnet_fd = socket(remote_addr.ss.sa_family,
use_sctp ? SCTP_CLIENT_STREAM_SOCKET_TYPE : (use_tcp ? CLIENT_STREAM_SOCKET_TYPE : CLIENT_DGRAM_SOCKET_TYPE),
use_sctp ? SCTP_CLIENT_STREAM_SOCKET_PROTOCOL : (use_tcp ? CLIENT_STREAM_SOCKET_PROTOCOL : CLIENT_DGRAM_SOCKET_PROTOCOL));
if (clnet_fd < 0) {
perror("socket");
exit(-1);
}
if (sock_bind_to_device(clnet_fd, ifname) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,
"Cannot bind client socket to device %s\n", ifname);
}
set_sock_buf_size(clnet_fd, UR_CLIENT_SOCK_BUF_SIZE);
set_raw_socket_tos(clnet_fd, remote_addr.ss.sa_family, 0x22);
set_raw_socket_ttl(clnet_fd, remote_addr.ss.sa_family, 47);
if(clnet_info->is_peer && (*local_address==0)) {
if(remote_addr.ss.sa_family == AF_INET6) {
if (make_ioa_addr((const u08bits*) "::1", 0, &local_addr) < 0) {
return -1;
}
} else {
if (make_ioa_addr((const u08bits*) "127.0.0.1", 0, &local_addr) < 0) {
return -1;
}
}
addr_bind(clnet_fd, &local_addr, 0, 1, get_socket_type());
} else if (strlen(local_address) > 0) {
if (make_ioa_addr((const u08bits*) local_address, 0,
&local_addr) < 0)
return -1;
addr_bind(clnet_fd, &local_addr,0,1,get_socket_type());
}
if(clnet_info->is_peer) {
;
} else if(socket_connect(clnet_fd, &remote_addr, &connect_err)>0)
goto start_socket;
if (clnet_info) {
addr_cpy(&(clnet_info->remote_addr), &remote_addr);
addr_cpy(&(clnet_info->local_addr), &local_addr);
clnet_info->fd = clnet_fd;
addr_get_from_sock(clnet_fd, &(clnet_info->local_addr));
STRCPY(clnet_info->lsaddr,local_address);
STRCPY(clnet_info->rsaddr,remote_address);
STRCPY(clnet_info->ifname,(const char*)ifname);
}
if (use_secure) {
int try_again = 0;
clnet_info->ssl = tls_connect(clnet_info->fd, &remote_addr,&try_again,connect_cycle++);
if (!clnet_info->ssl) {
if(try_again) {
goto start_socket;
}
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: cannot SSL connect to remote addr\n", __FUNCTION__);
exit(-1);
}
}
if(verbose && clnet_info) {
addr_debug_print(verbose, &(clnet_info->local_addr), "Connected from");
addr_debug_print(verbose, &remote_addr, "Connected to");
}
if(!dos) usleep(500);
return 0;
}
void tcp_data_connect(app_ur_session *elem, u32bits cid)
{
int clnet_fd;
int connect_cycle = 0;
again:
clnet_fd = socket(elem->pinfo.remote_addr.ss.sa_family, CLIENT_STREAM_SOCKET_TYPE, CLIENT_STREAM_SOCKET_PROTOCOL);
if (clnet_fd < 0) {
perror("socket");
exit(-1);
}
if (sock_bind_to_device(clnet_fd, client_ifname) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,
"Cannot bind client socket to device %s\n", client_ifname);
}
set_sock_buf_size(clnet_fd, (UR_CLIENT_SOCK_BUF_SIZE<<2));
++elem->pinfo.tcp_conn_number;
int i = (int)(elem->pinfo.tcp_conn_number-1);
elem->pinfo.tcp_conn=(app_tcp_conn_info**)turn_realloc(elem->pinfo.tcp_conn,0,elem->pinfo.tcp_conn_number*sizeof(app_tcp_conn_info*));
elem->pinfo.tcp_conn[i]=(app_tcp_conn_info*)turn_malloc(sizeof(app_tcp_conn_info));
ns_bzero(elem->pinfo.tcp_conn[i],sizeof(app_tcp_conn_info));
elem->pinfo.tcp_conn[i]->tcp_data_fd = clnet_fd;
elem->pinfo.tcp_conn[i]->cid = cid;
addr_cpy(&(elem->pinfo.tcp_conn[i]->tcp_data_local_addr),&(elem->pinfo.local_addr));
addr_set_port(&(elem->pinfo.tcp_conn[i]->tcp_data_local_addr),0);
addr_bind(clnet_fd, &(elem->pinfo.tcp_conn[i]->tcp_data_local_addr), 1, 1, TCP_SOCKET);
addr_get_from_sock(clnet_fd,&(elem->pinfo.tcp_conn[i]->tcp_data_local_addr));
{
int cycle = 0;
while(cycle++<1024) {
int err = 0;
if (addr_connect(clnet_fd, &(elem->pinfo.remote_addr),&err) < 0) {
if(err == EADDRINUSE) {
socket_closesocket(clnet_fd);
clnet_fd = socket(elem->pinfo.remote_addr.ss.sa_family, CLIENT_STREAM_SOCKET_TYPE, CLIENT_STREAM_SOCKET_PROTOCOL);
if (clnet_fd < 0) {
perror("socket");
exit(-1);
}
if (sock_bind_to_device(clnet_fd, client_ifname) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,
"Cannot bind client socket to device %s\n", client_ifname);
}
set_sock_buf_size(clnet_fd, UR_CLIENT_SOCK_BUF_SIZE<<2);
elem->pinfo.tcp_conn[i]->tcp_data_fd = clnet_fd;
addr_cpy(&(elem->pinfo.tcp_conn[i]->tcp_data_local_addr),&(elem->pinfo.local_addr));
addr_set_port(&(elem->pinfo.tcp_conn[i]->tcp_data_local_addr),0);
addr_bind(clnet_fd, &(elem->pinfo.tcp_conn[i]->tcp_data_local_addr),1,1,TCP_SOCKET);
addr_get_from_sock(clnet_fd,&(elem->pinfo.tcp_conn[i]->tcp_data_local_addr));
continue;
} else {
perror("connect");
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,
"%s: cannot connect to remote addr\n", __FUNCTION__);
exit(-1);
}
} else {
break;
}
}
}
if(use_secure) {
int try_again = 0;
elem->pinfo.tcp_conn[i]->tcp_data_ssl = tls_connect(elem->pinfo.tcp_conn[i]->tcp_data_fd, &(elem->pinfo.remote_addr),&try_again, connect_cycle++);
if(!(elem->pinfo.tcp_conn[i]->tcp_data_ssl)) {
if(try_again) {
--elem->pinfo.tcp_conn_number;
goto again;
}
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,
"%s: cannot SSL connect to remote addr\n", __FUNCTION__);
exit(-1);
}
}
if(turn_tcp_connection_bind(clnet_verbose, &(elem->pinfo), elem->pinfo.tcp_conn[i],0)<0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,
"%s: cannot BIND to tcp connection\n", __FUNCTION__);
} else {
socket_set_nonblocking(clnet_fd);
struct event* ev = event_new(client_event_base,clnet_fd,
EV_READ|EV_PERSIST,client_input_handler,
elem);
event_add(ev,NULL);
elem->input_tcp_data_ev = ev;
addr_debug_print(clnet_verbose, &(elem->pinfo.remote_addr), "TCP data network connected to");
}
}
static int check_oauth(void) {
const char server_name[33] = "blackdow.carleon.gov";
size_t i_hmacs,i_shas,i_encs;
const char long_term_password[33] = "HGkj32KJGiuy098sdfaqbNjOiaz71923";
size_t ltp_output_length=0;
const char* base64encoded_ltp = base64_encode((const unsigned char *)long_term_password,
strlen(long_term_password),
<p_output_length);
const char mac_key[33] = "ZksjpweoixXmvn67534m";
const size_t mac_key_length=strlen(mac_key);
const uint64_t token_timestamp = (uint64_t)(92470300704768LL);
const uint32_t token_lifetime = 3600;
const char kid[33] = "2783466234";
const turn_time_t key_timestamp = 1234567890;
const turn_time_t key_lifetime = 3600;
const char aead_nonce[OAUTH_AEAD_NONCE_SIZE+1] = "h4j3k2l2n4b5";
for (i_hmacs = 0; hmacs[i_hmacs]; ++i_hmacs) {
for (i_shas = 0; shas[i_shas]; ++i_shas) {
for (i_encs = 0; encs[i_encs]; ++i_encs) {
printf("oauth token %s:%s:%s:",hmacs[i_hmacs],shas[i_shas],encs[i_encs]);
if(print_extra)
printf("\n");
oauth_token ot;
ot.enc_block.key_length = (uint16_t)mac_key_length;
STRCPY(ot.enc_block.mac_key,mac_key);
ot.enc_block.timestamp = token_timestamp;
ot.enc_block.lifetime = token_lifetime;
oauth_token dot;
ns_bzero((&dot),sizeof(dot));
oauth_key key;
ns_bzero(&key,sizeof(key));
{
oauth_key_data okd;
ns_bzero(&okd,sizeof(okd));
{
oauth_key_data_raw okdr;
ns_bzero(&okdr,sizeof(okdr));
STRCPY(okdr.kid,kid);
STRCPY(okdr.ikm_key,base64encoded_ltp);
STRCPY(okdr.as_rs_alg, encs[i_encs]);
STRCPY(okdr.auth_alg, hmacs[i_hmacs]);
STRCPY(okdr.hkdf_hash_func, shas[i_shas]);
okdr.timestamp = key_timestamp;
okdr.lifetime = key_lifetime;
convert_oauth_key_data_raw(&okdr, &okd);
char err_msg[1025] = "\0";
size_t err_msg_size = sizeof(err_msg) - 1;
if (convert_oauth_key_data(&okd, &key, err_msg,
err_msg_size) < 0) {
fprintf(stderr, "%s\n", err_msg);
return -1;
}
}
}
if(print_extra) {
print_field5769("AS-RS",key.as_rs_key,key.as_rs_key_size);
print_field5769("AUTH",key.auth_key,key.auth_key_size);
}
{
encoded_oauth_token etoken;
ns_bzero(&etoken,sizeof(etoken));
if (encode_oauth_token((const u08bits *) server_name, &etoken,
&key, &ot, (const u08bits*)aead_nonce) < 0) {
fprintf(stderr, "%s: cannot encode oauth token\n",
__FUNCTION__);
return -1;
}
if(print_extra) {
print_field5769("encoded token",etoken.token,etoken.size);
}
if (decode_oauth_token((const u08bits *) server_name, &etoken,
&key, &dot) < 0) {
fprintf(stderr, "%s: cannot decode oauth token\n",
__FUNCTION__);
return -1;
}
}
if (strcmp((char*) ot.enc_block.mac_key,
(char*) dot.enc_block.mac_key)) {
fprintf(stderr, "%s: wrong mac key: %s, must be %s\n",
__FUNCTION__, (char*) dot.enc_block.mac_key,
(char*) ot.enc_block.mac_key);
return -1;
}
if (ot.enc_block.key_length != dot.enc_block.key_length) {
fprintf(stderr, "%s: wrong key length: %d, must be %d\n",
__FUNCTION__, (int) dot.enc_block.key_length,
(int) ot.enc_block.key_length);
return -1;
}
if (ot.enc_block.timestamp != dot.enc_block.timestamp) {
fprintf(stderr, "%s: wrong timestamp: %llu, must be %llu\n",
__FUNCTION__,
(unsigned long long) dot.enc_block.timestamp,
(unsigned long long) ot.enc_block.timestamp);
return -1;
}
if (ot.enc_block.lifetime != dot.enc_block.lifetime) {
fprintf(stderr, "%s: wrong lifetime: %lu, must be %lu\n",
__FUNCTION__,
(unsigned long) dot.enc_block.lifetime,
(unsigned long) ot.enc_block.lifetime);
return -1;
}
printf("OK\n");
}
}
}
return 0;
}
int main(int argc, char **argv)
{
int port = 0;
int messagenumber = 5;
char local_addr[256];
int c;
int mclient = 1;
char peer_address[129] = "\0";
int peer_port = PEER_DEFAULT_PORT;
char rest_api_separator = ':';
int use_null_cipher=0;
set_logfile("stdout");
set_execdir();
set_system_parameters(0);
ns_bzero(local_addr, sizeof(local_addr));
while ((c = getopt(argc, argv, "d:p:l:n:L:m:e:r:u:w:i:k:z:W:C:E:F:vsyhcxXgtTSAPDNOUHMRIGB")) != -1) {
switch (c){
case 'B':
random_disconnect = 1;
break;
case 'G':
extra_requests = 1;
break;
case 'F':
STRCPY(cipher_suite,optarg);
break;
case 'I':
no_permissions = 1;
break;
case 'M':
mobility = 1;
break;
case 'H':
shatype = SHATYPE_SHA256;
break;
case 'E':
{
char* fn = find_config_file(optarg,1);
if(!fn) {
fprintf(stderr,"ERROR: file %s not found\n",optarg);
exit(-1);
}
STRCPY(ca_cert_file,fn);
}
break;
case 'O':
dos = 1;
break;
case 'C':
rest_api_separator=*optarg;
break;
case 'D':
mandatory_channel_padding = 1;
break;
case 'N':
negative_test = 1;
break;
case 'R':
negative_protocol_test = 1;
break;
case 'z':
RTP_PACKET_INTERVAL = atoi(optarg);
break;
case 'A':
use_short_term = 1;
break;
case 'u':
STRCPY(g_uname, optarg);
break;
case 'w':
STRCPY(g_upwd, optarg);
break;
case 'g':
dont_fragment = 1;
break;
case 'd':
STRCPY(client_ifname, optarg);
break;
case 'x':
default_address_family = STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV6;
break;
case 'X':
default_address_family = STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV4;
break;
case 'l':
clmessage_length = atoi(optarg);
break;
case 's':
do_not_use_channel = 1;
break;
case 'n':
messagenumber = atoi(optarg);
break;
case 'p':
port = atoi(optarg);
break;
case 'L':
STRCPY(local_addr, optarg);
break;
case 'e':
STRCPY(peer_address, optarg);
break;
case 'r':
peer_port = atoi(optarg);
break;
case 'v':
clnet_verbose = TURN_VERBOSE_NORMAL;
break;
case 'h':
hang_on = 1;
break;
case 'c':
no_rtcp = 1;
break;
case 'm':
mclient = atoi(optarg);
break;
case 'y':
c2c = 1;
break;
case 't':
use_tcp = 1;
break;
case 'P':
passive_tcp = 1;
/* implies 'T': */
/* no break */
case 'T':
relay_transport = STUN_ATTRIBUTE_TRANSPORT_TCP_VALUE;
break;
case 'U':
use_null_cipher = 1;
/* implies 'S' */
/* no break */
case 'S':
use_secure = 1;
break;
case 'W':
g_use_auth_secret_with_timestamp = 1;
STRCPY(g_auth_secret,optarg);
break;
case 'i':
{
char* fn = find_config_file(optarg,1);
if(!fn) {
fprintf(stderr,"ERROR: file %s not found\n",optarg);
exit(-1);
}
STRCPY(cert_file,fn);
free(fn);
}
break;
case 'k':
{
char* fn = find_config_file(optarg,1);
if(!fn) {
fprintf(stderr,"ERROR: file %s not found\n",optarg);
exit(-1);
}
STRCPY(pkey_file,fn);
free(fn);
}
break;
default:
fprintf(stderr, "%s\n", Usage);
exit(1);
}
}
if(g_use_auth_secret_with_timestamp) {
if(use_short_term) {
fprintf(stderr,"ERROR: You cannot use authentication secret (REST API) with short-term credentials mechanism.\n");
exit(-1);
}
{
char new_uname[1025];
const unsigned long exp_time = 3600 * 24; /* one day */
if(g_uname[0]) {
snprintf(new_uname,sizeof(new_uname),"%lu%c%s",(unsigned long)time(NULL) + exp_time,rest_api_separator, (char*)g_uname);
} else {
snprintf(new_uname,sizeof(new_uname),"%lu", (unsigned long)time(NULL) + exp_time);
}
STRCPY(g_uname,new_uname);
}
{
u08bits hmac[MAXSHASIZE];
unsigned int hmac_len;
switch(shatype) {
case SHATYPE_SHA256:
hmac_len = SHA256SIZEBYTES;
break;
default:
hmac_len = SHA1SIZEBYTES;
};
hmac[0]=0;
if(stun_calculate_hmac(g_uname, strlen((char*)g_uname), (u08bits*)g_auth_secret, strlen(g_auth_secret), hmac, &hmac_len, shatype)>=0) {
size_t pwd_length = 0;
char *pwd = base64_encode(hmac,hmac_len,&pwd_length);
if(pwd) {
if(pwd_length>0) {
ns_bcopy(pwd,g_upwd,pwd_length);
g_upwd[pwd_length]=0;
}
}
free(pwd);
}
}
}
if(is_TCP_relay()) {
dont_fragment = 0;
no_rtcp = 1;
c2c = 1;
use_tcp = 1;
do_not_use_channel = 1;
}
if(port == 0) {
if(use_secure)
port = DEFAULT_STUN_TLS_PORT;
else
port = DEFAULT_STUN_PORT;
}
if (clmessage_length < (int) sizeof(message_info))
clmessage_length = (int) sizeof(message_info);
const int max_header = 100;
if(clmessage_length > (int)(STUN_BUFFER_SIZE-max_header)) {
fprintf(stderr,"Message length was corrected to %d\n",(STUN_BUFFER_SIZE-max_header));
clmessage_length = (int)(STUN_BUFFER_SIZE-max_header);
}
if (optind >= argc) {
fprintf(stderr, "%s\n", Usage);
exit(-1);
}
if (!c2c) {
if (make_ioa_addr((const u08bits*) peer_address, peer_port, &peer_addr) < 0)
return -1;
if(peer_addr.ss.sa_family == AF_INET6)
default_address_family = STUN_ATTRIBUTE_REQUESTED_ADDRESS_FAMILY_VALUE_IPV6;
}
/* SSL Init ==>> */
if(use_secure) {
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
const char *csuite = "ALL"; //"AES256-SHA" "DH"
if(use_null_cipher)
csuite = "eNULL";
else if(cipher_suite[0])
csuite=cipher_suite;
if(use_tcp) {
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(SSLv3_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#if defined(SSL_TXT_TLSV1_1)
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_1_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#if defined(SSL_TXT_TLSV1_2)
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_2_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#endif
#endif
} else {
#if defined(TURN_NO_DTLS)
fprintf(stderr,"ERROR: DTLS is not supported.\n");
exit(-1);
#else
if(OPENSSL_VERSION_NUMBER < 0x10000000L) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: OpenSSL version is rather old, DTLS may not be working correctly.\n");
}
root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(DTLSv1_client_method());
SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
root_tls_ctx_num++;
#endif
}
int sslind = 0;
for(sslind = 0; sslind<root_tls_ctx_num; sslind++) {
if(cert_file[0]) {
if (!SSL_CTX_use_certificate_chain_file(root_tls_ctx[sslind], cert_file)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nERROR: no certificate found!\n");
exit(-1);
}
}
if (!SSL_CTX_use_PrivateKey_file(root_tls_ctx[sslind], pkey_file,
SSL_FILETYPE_PEM)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nERROR: no private key found!\n");
exit(-1);
}
if(cert_file[0]) {
if (!SSL_CTX_check_private_key(root_tls_ctx[sslind])) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nERROR: invalid private key!\n");
exit(-1);
}
}
if (ca_cert_file[0]) {
if (!SSL_CTX_load_verify_locations(root_tls_ctx[sslind], ca_cert_file, NULL )) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"ERROR: cannot load CA from file: %s\n",
ca_cert_file);
}
/* Set to require peer (client) certificate verification */
SSL_CTX_set_verify(root_tls_ctx[sslind], SSL_VERIFY_PEER, NULL );
/* Set the verification depth to 9 */
SSL_CTX_set_verify_depth(root_tls_ctx[sslind], 9);
} else {
SSL_CTX_set_verify(root_tls_ctx[sslind], SSL_VERIFY_NONE, NULL );
}
if(!use_tcp)
SSL_CTX_set_read_ahead(root_tls_ctx[sslind], 1);
}
}
start_mclient(argv[optind], port, client_ifname, local_addr, messagenumber, mclient);
return 0;
}
static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secrets_list_t *tss,secrets_list_t *lts) {
const char * collection_name = "oauth_key";
mongoc_collection_t * collection = mongo_get_collection(collection_name);
if(!collection)
return -1;
bson_t query;
bson_init(&query);
bson_t child;
bson_append_document_begin(&query, "$orderby", -1, &child);
bson_append_int32(&child, "kid", -1, 1);
bson_append_document_end(&query, &child);
bson_append_document_begin(&query, "$query", -1, &child);
bson_append_document_end(&query, &child);
bson_t fields;
bson_init(&fields);
BSON_APPEND_INT32(&fields, "kid", 1);
BSON_APPEND_INT32(&fields, "lifetime", 1);
BSON_APPEND_INT32(&fields, "timestamp", 1);
BSON_APPEND_INT32(&fields, "as_rs_alg", 1);
BSON_APPEND_INT32(&fields, "ikm_key", 1);
mongoc_cursor_t * cursor;
cursor = mongoc_collection_find(collection, MONGOC_QUERY_NONE, 0, 0, 0, &query, &fields, NULL);
int ret = -1;
if (!cursor) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error querying MongoDB collection '%s'\n", collection_name);
} else {
const bson_t * item;
oauth_key_data_raw key_;
oauth_key_data_raw *key=&key_;
uint32_t length;
bson_iter_t iter;
while (mongoc_cursor_next(cursor, &item)) {
ns_bzero(key,sizeof(oauth_key_data_raw));
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "kid") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->kid,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "as_rs_alg") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->as_rs_alg,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "ikm_key") && BSON_ITER_HOLDS_UTF8(&iter)) {
STRCPY(key->ikm_key,bson_iter_utf8(&iter, &length));
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "timestamp") && BSON_ITER_HOLDS_INT64(&iter)) {
key->timestamp = (u64bits)bson_iter_int64(&iter);
}
if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "lifetime") && BSON_ITER_HOLDS_INT32(&iter)) {
key->lifetime = (u32bits)bson_iter_int32(&iter);
}
if(kids) {
add_to_secrets_list(kids,key->kid);
add_to_secrets_list(teas,key->as_rs_alg);
{
char ts[256];
snprintf(ts,sizeof(ts)-1,"%llu",(unsigned long long)key->timestamp);
add_to_secrets_list(tss,ts);
}
{
char lt[256];
snprintf(lt,sizeof(lt)-1,"%lu",(unsigned long)key->lifetime);
add_to_secrets_list(lts,lt);
}
} else {
printf(" kid=%s, ikm_key=%s, timestamp=%llu, lifetime=%lu, as_rs_alg=%s\n",
key->kid, key->ikm_key, (unsigned long long)key->timestamp, (unsigned long)key->lifetime,
key->as_rs_alg);
}
}
mongoc_cursor_destroy(cursor);
ret = 0;
}
mongoc_collection_destroy(collection);
bson_destroy(&query);
bson_destroy(&fields);
return ret;
}
redis_context_handle redisLibeventAttach(struct event_base *base, char *ip0, int port0, char *pwd, int db)
{
struct redisLibeventEvents *e = NULL;
redisAsyncContext *ac = NULL;
char ip[256];
if(ip0 && ip0[0])
STRCPY(ip,ip0);
else
STRCPY(ip,"127.0.0.1");
int port = DEFAULT_REDIS_PORT;
if(port0>0)
port=port0;
ac = redisAsyncConnect(ip, port);
if (ac->err) {
fprintf(stderr,"Error: %s\n", ac->errstr);
return NULL;
}
/* Create container for context and r/w events */
e = (struct redisLibeventEvents*)turn_malloc(sizeof(struct redisLibeventEvents));
ns_bzero(e,sizeof(struct redisLibeventEvents));
e->allocated = 1;
e->context = ac;
e->base = base;
/* Register functions to start/stop listening for events */
ac->ev.addRead = redisLibeventAddRead;
ac->ev.delRead = redisLibeventDelRead;
ac->ev.addWrite = redisLibeventAddWrite;
ac->ev.delWrite = redisLibeventDelWrite;
ac->ev.cleanup = redisLibeventCleanup;
ac->ev.data = e;
/* Initialize and install read/write events */
e->rev = event_new(e->base,e->context->c.fd,
EV_READ|EV_PERSIST,redisLibeventReadEvent,
e);
e->wev = event_new(e->base,e->context->c.fd,
EV_WRITE,redisLibeventWriteEvent,
e);
if (e->rev == NULL || e->wev == NULL) {
turn_free(e, sizeof(struct redisLibeventEvents));
return NULL;
}
event_add(e->wev, NULL);
e->wev_set = 1;
struct bufferevent *pair[2];
bufferevent_pair_new(base, TURN_BUFFEREVENTS_OPTIONS, pair);
e->in_buf = pair[0];
e->out_buf = pair[1];
bufferevent_setcb(e->in_buf, receive_message_for_redis, NULL, NULL, e);
bufferevent_enable(e->in_buf, EV_READ);
//Authentication
if(pwd)
redisAsyncCommand(ac, NULL, e, "AUTH %s", pwd);
if(db>0)
redisAsyncCommand(ac, NULL, e, "SELECT %d", db);
return ac;
}
/*
* Password retrieval
*/
int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *usname, u08bits *realm, hmackey_t key, ioa_network_buffer_handle nbh)
{
/* Decode certificate */
struct certificate cert;
memset(&cert, 0, sizeof cert);
unsigned char const *secret_key = (unsigned char *)turn_params.secret_key;
unsigned char const *iv = (unsigned char *)turn_params.secret_iv;
stun_attr_ref sar = stun_attr_get_first_by_type_str(ioa_network_buffer_data(nbh), ioa_network_buffer_get_size(nbh), STUN_ATTRIBUTE_SOFTWARE);
if (sar)
{
int token_len = stun_attr_get_len(sar);
const u08bits* token_ptr = stun_attr_get_value(sar);
u08bits token[128];
memcpy(token, token_ptr, token_len);
token[token_len]=0;
int err = stun_check_message_certificate(token, token_len, &cert, secret_key, iv);
if(token_len && err == 0)
{
const char* password = cert.call_id;
size_t sz = get_hmackey_size(SHATYPE_DEFAULT) * 2;
char skey[sizeof(hmackey_t) * 2 + 1];
password2hmac(password, usname, realm, skey);
if(convert_string_key_to_binary(skey, key, sz / 2) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong key: %s, user %s\n", skey, usname);
}
char buff[20];
struct tm * timeinfo;
timeinfo = localtime (&cert.deadline);
strftime(buff, sizeof(buff), "%Y %b %d %H:%M", timeinfo);
time_t now;
now = time(NULL);
/* if(now - cert.deadline < -60 || // server's time's wrong? more tann 60 sec time diff
now - cert.deadline > 60*60*24 ) // too much diff, something wrong
{
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Token expired: user: %s token: %s time: %s time_diff: %d sec\n", usname, token, buff, now - cert.deadline);
return -1;
} */
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Token decrypted: user:%s seq:%s time:%s call:%s \n", usname, cert.seq, buff, cert.call_id);
return 0;
}
else
{
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Incorrect token: user %s token: %s Error: %d\n", usname, token, err);
return -1;
}
}
else
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "Tokent not found: user %s\n", usname);
int ret = -1;
if(max_session_time)
*max_session_time = 0;
if(in_oauth && out_oauth && usname && usname[0]) {
stun_attr_ref sar = stun_attr_get_first_by_type_str(ioa_network_buffer_data(nbh),
ioa_network_buffer_get_size(nbh),
STUN_ATTRIBUTE_OAUTH_ACCESS_TOKEN);
if(sar) {
int len = stun_attr_get_len(sar);
const u08bits *value = stun_attr_get_value(sar);
*out_oauth = 1;
if(len>0 && value) {
const turn_dbdriver_t * dbd = get_dbdriver();
if (dbd && dbd->get_oauth_key) {
oauth_key_data_raw rawKey;
ns_bzero(&rawKey,sizeof(rawKey));
int gres = (*(dbd->get_oauth_key))(usname,&rawKey);
if(gres<0)
return ret;
if(!rawKey.kid[0])
return ret;
if(rawKey.lifetime) {
if(!turn_time_before(turn_time(),(turn_time_t)(rawKey.timestamp + rawKey.lifetime+OAUTH_TIME_DELTA))) {
return ret;
}
}
oauth_key_data okd;
ns_bzero(&okd,sizeof(okd));
convert_oauth_key_data_raw(&rawKey, &okd);
char err_msg[1025] = "\0";
size_t err_msg_size = sizeof(err_msg) - 1;
oauth_key okey;
ns_bzero(&okey,sizeof(okey));
if (convert_oauth_key_data(&okd, &okey, err_msg, err_msg_size) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s\n", err_msg);
return -1;
}
oauth_token dot;
ns_bzero((&dot),sizeof(dot));
encoded_oauth_token etoken;
ns_bzero(&etoken,sizeof(etoken));
if((size_t)len > sizeof(etoken.token)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Encoded oAuth token is too large\n");
return -1;
}
ns_bcopy(value,etoken.token,(size_t)len);
etoken.size = (size_t)len;
const char* server_name = (char*)turn_params.oauth_server_name;
if(!(server_name && server_name[0])) {
server_name = (char*)realm;
if(!(server_name && server_name[0])) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot determine oAuth server name");
return -1;
}
}
if (decode_oauth_token((const u08bits *) server_name, &etoken,&okey, &dot) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot decode oauth token\n");
return -1;
}
switch(dot.enc_block.key_length) {
case SHA1SIZEBYTES:
break;
case SHA256SIZEBYTES:
case SHA384SIZEBYTES:
case SHA512SIZEBYTES:
default:
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(3): %d\n",(int)dot.enc_block.key_length);
return -1;
};
password_t pwdtmp;
if(stun_check_message_integrity_by_key_str(TURN_CREDENTIALS_LONG_TERM,
ioa_network_buffer_data(nbh),
ioa_network_buffer_get_size(nbh),
dot.enc_block.mac_key,
pwdtmp,
SHATYPE_DEFAULT)>0) {
turn_time_t lifetime = (turn_time_t)(dot.enc_block.lifetime);
if(lifetime) {
turn_time_t ts = (turn_time_t)(dot.enc_block.timestamp >> 16);
turn_time_t to = ts + lifetime + OAUTH_TIME_DELTA;
turn_time_t ct = turn_time();
if(!turn_time_before(ct,to)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "oAuth token is too old\n");
return -1;
}
if(max_session_time) {
*max_session_time = to - ct;
}
}
ns_bcopy(dot.enc_block.mac_key,key,dot.enc_block.key_length);
ret = 0;
}
}
}