
AEAD added

mom040267 11 years ago
parent
commit
01ba5fbffe

+ 10 - 2
src/client/ns_turn_msg.c

@@ -1678,9 +1678,9 @@ static size_t calculate_enc_key_length(ENC_ALG a)
 {
 	switch(a) {
 	case AES_128_CBC:
+	case AEAD_AES_128_CCM:
+	case AEAD_AES_128_GCM:
 		return 16;
-	case AES_256_CBC:
-		return 32;
 	default:
 		;
 	};
@@ -1821,6 +1821,14 @@ int convert_oauth_key_data(oauth_key_data *oakd, oauth_key *key, char *err_msg,
 			key->as_rs_alg = AES_128_CBC;
 		} else if(!strcmp(oakd->as_rs_alg,"AES-256-CBC")) {
 			key->as_rs_alg = AES_256_CBC;
+		} else if(!strcmp(oakd->as_rs_alg,"AEAD-AES-128-GCM")) {
+			key->as_rs_alg = AEAD_AES_128_GCM;
+		} else if(!strcmp(oakd->as_rs_alg,"AEAD-AES-256-GCM")) {
+			key->as_rs_alg = AEAD_AES_256_GCM;
+		} else if(!strcmp(oakd->as_rs_alg,"AEAD-AES-128-CCM")) {
+			key->as_rs_alg = AEAD_AES_128_CCM;
+		} else if(!strcmp(oakd->as_rs_alg,"AEAD_AES_256_CCM")) {
+			key->as_rs_alg = AEAD_AES_256_CCM;
 		} else if(oakd->as_rs_alg[0]) {
 			if(err_msg) {
 				snprintf(err_msg,err_msg_size,"Wrong oAuth token encryption algorithm: %s",oakd->as_rs_alg);
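Review bot: The last new branch of convert_oauth_key_data compares against `"AEAD_AES_256_CCM"` with underscores, while the other three new branches and the schema text added in the same commit use hyphens, so a database entry written as documented (`AEAD-AES-256-CCM`) falls through to the "Wrong oAuth token encryption algorithm" error; change it to `} else if(!strcmp(oakd->as_rs_alg,"AEAD-AES-256-CCM")) {`. In the first hunk, calculate_enc_key_length now lists only the two 128-bit AEAD modes and drops the explicit `case AES_256_CBC: return 32;`, so AES_256_CBC, AEAD_AES_256_GCM and AEAD_AES_256_CCM all depend on whatever the `default` path returns, which is outside the hunk; if that path yields 32, an unrecognised algorithm value silently gets a 32-byte key as well. I would keep the 256-bit modes explicit — `case AES_256_CBC: case AEAD_AES_256_GCM: case AEAD_AES_256_CCM: return 32;` — and have `default` return 0 so a caller can reject the key. Both functions begin before and end after their hunks.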

+ 4 - 0
src/client/ns_turn_msg_defs_new.h

@@ -73,6 +73,10 @@ enum _ENC_ALG {
 	ENC_ALG_DEFAULT=0,
 	AES_256_CBC=ENC_ALG_DEFAULT,
 	AES_128_CBC,
+	AEAD_AES_128_GCM,
+	AEAD_AES_256_GCM,
+	AEAD_AES_128_CCM,
+	AEAD_AES_256_CCM,
 	ENG_ALG_NUM
 };
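Review bot: The four new enumerators are appended with no comment saying what else must change with them; `ENC_ALG_DEFAULT` aliases the first value, `ENG_ALG_NUM` closes the list, and the key-length switch in ns_turn_msg.c in this same commit maps only some of these names explicitly, so a maintainer adding another mode has nothing here pointing at the other sites. I would add above the enum: `/* Keep in sync with calculate_enc_key_length() and the as_rs_alg string table in convert_oauth_key_data() (ns_turn_msg.c); append new entries before ENG_ALG_NUM. */`. The enum is fully visible in the hunk.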
 

+ 6 - 4
turndb/schema.userdb.redis

@@ -56,15 +56,17 @@ and they will be almost immediately "seen" by the turnserver process.
 		are defined explicitly in the database;
 		
 	as_rs_alg - oAuth token encryption algorithm; the valid values are
-		"AES-128-CBC" and "AES-256-CBC", with "AES-256-CBC" as default;
+		"AES-128-CBC" and "AES-256-CBC", , "AEAD-AES-128-GCM",
+		"AEAD-AES-256-GCM",	"AEAD-AES-128-CCM",	"AEAD-AES-256-CCM".
+		The default value is "AES-256-CBC";
 		
 	as_rs_key - (optional) base64-encoded AS-RS key. If not defined, then 
 		calculated with ikm_key and hkdf_hash_func. The as_rs_key length 
 		is defined by as_rs_alg.
 		
-	auth_alg - oAuth token authentication algorithm; the valid values are
-		"HMAC-SHA-256-128", "HMAC-SHA-256" and "HMAC-SHA-1", with 
-		"HMAC-SHA-256-128" as default;
+	auth_alg - (optional) oAuth token authentication algorithm; the valid values are
+		"HMAC-SHA-256-128", "HMAC-SHA-256" and "HMAC-SHA-1".		  
+		The default value is "HMAC-SHA-256-128".
 		
 	auth_key - (optional) base64-encoded AUTH key. If not defined, then 
 		calculated with ikm_key and hkdf_hash_func. The auth_key length 

+ 11 - 1
turndb/testmongosetup.sh

@@ -41,7 +41,17 @@ db.allowed_peer_ip.insert({ ip_range: '172.17.13.200' });
 db.denied_peer_ip.insert({ ip_range: '172.17.13.133-172.17.14.56' });
 db.denied_peer_ip.insert({ ip_range: '123::45' });
 
-db.oauth_key.insert({ kid: 'north', ikm_key: 'Y2FybGVvbg==', hkdf_hash_func: 'SHA-256', as_rs_alg: 'AES-256-CBC', auth_alg: 'HMAC-SHA-256-128' });
+db.oauth_key.insert({ kid: 'north', 
+					ikm_key: 'Y2FybGVvbg==', 
+					hkdf_hash_func: 'SHA-256', 
+					as_rs_alg: 'AES-256-CBC', 
+					auth_alg: 'HMAC-SHA-256-128' });
+					
+db.oauth_key.insert({ kid: 'oldempire', 
+					ikm_key: 'YXVsY3Vz', 
+					hkdf_hash_func: 'SHA-256', 
+					as_rs_alg: 'AEAD-AES-256-GCM', 
+					auth_alg: '' });
 
 exit
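Review bot: The new `oldempire` fixture sets `auth_alg: ''` next to an AEAD cipher, and nothing in the fixture says whether an empty string means "no separate MAC because the AEAD mode authenticates" or "fall back to the documented default HMAC-SHA-256-128"; the redis fixture in this commit omits the field entirely while this one and the SQL one set it to '', so if the loader distinguishes absent from empty the three setups exercise different paths. I would add a comment above the insert: `// AEAD mode: auth_alg left empty on purpose -- confirm the loader treats '' as "no separate auth key" rather than applying the HMAC default`. The `ikm_key` value `YXVsY3Vz` decodes to six ASCII bytes, which is fine for a test database but worth marking as fixture-only so it is not copied into a real deployment, e.g. `// test-only IKM; production keys must be high-entropy random values`.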
 

+ 1 - 0
turndb/testredisdbsetup.sh

@@ -39,6 +39,7 @@ set turn/denied-peer-ip/234567 "123::45"
 set turn/allowed-peer-ip/345678 "172.17.13.200"
 
 hmset turn/oauth/kid/north ikm_key Y2FybGVvbg== hkdf_hash_func 'SHA-256' as_rs_alg 'AES-256-CBC' auth_alg 'HMAC-SHA-256-128'
+hmset turn/oauth/kid/oldempire ikm_key YXVsY3Vz hkdf_hash_func 'SHA-256' as_rs_alg 'AEAD-AES-256-GCM'
 
 save
 

+ 1 - 0
turndb/testsqldbsetup.sql

@@ -28,5 +28,6 @@ insert into denied_peer_ip (ip_range) values('172.17.13.133-172.17.14.56');
 insert into denied_peer_ip (ip_range) values('123::45');
 
 insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('north','Y2FybGVvbg==',0,0,'SHA-256','AES-256-CBC','','HMAC-SHA-256-128','');
+insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('oldempire','YXVsY3Vz',0,0,'SHA-256','AEAD-AES-256-GCM','','','');
 
 );