
short-term credentials removed in the TURN server

mom040267 11 lat temu
237b3baaa7
39 zmienionych plików z 136 dodań i 810 usunięć
  1. 2 1
      ChangeLog
  2. 8 17
      INSTALL
  3. 4 4
      README.turnadmin
  4. 13 21
      README.turnserver
  5. 0 4
      README.turnutils
  6. 5 11
      examples/etc/turnserver.conf
  7. 0 34
      examples/scripts/shorttermsecure/secure_relay_short_term_mech.sh
  8. 0 31
      examples/scripts/shorttermsecure/secure_tcp_client_c2c_tcp_relay_short_term.sh
  9. 0 30
      examples/scripts/shorttermsecure/secure_udp_client_short_term.sh
  10. BIN
      examples/var/db/turndb
  11. 7 7
      man/man1/turnadmin.1
  12. 13 23
      man/man1/turnserver.1
  13. 0 6
      man/man1/turnutils.1
  14. 1 1
      rpm/build.settings.sh
  15. 3 8
      rpm/turnserver.spec
  16. 8 87
      src/apps/relay/dbdrivers/dbd_mongo.c
  17. 4 73
      src/apps/relay/dbdrivers/dbd_mysql.c
  18. 4 66
      src/apps/relay/dbdrivers/dbd_pgsql.c
  19. 4 64
      src/apps/relay/dbdrivers/dbd_redis.c
  20. 4 78
      src/apps/relay/dbdrivers/dbd_sqlite.c
  21. 2 4
      src/apps/relay/dbdrivers/dbdriver.h
  22. 18 45
      src/apps/relay/mainrelay.c
  23. 1 11
      src/apps/relay/netengine.c
  24. 0 2
      src/apps/relay/turn_admin_server.c
  25. 12 36
      src/apps/relay/userdb.c
  26. 1 2
      src/apps/relay/userdb.h
  27. 0 19
      src/apps/uclient/mainuclient.c
  28. 5 10
      src/apps/uclient/startuclient.c
  29. 2 19
      src/apps/uclient/uclient.c
  30. 0 1
      src/apps/uclient/uclient.h
  31. 0 3
      src/client/ns_turn_msg.h
  32. 2 2
      src/ns_turn_defs.h
  33. 7 43
      src/server/ns_turn_server.c
  34. 0 1
      turndb/schema.mongo.sh
  35. 0 5
      turndb/schema.sql
  36. 6 19
      turndb/schema.userdb.redis
  37. 0 6
      turndb/testmongosetup.sh
  38. 0 11
      turndb/testredisdbsetup.sh
  39. 0 5
      turndb/testsqldbsetup.sql

+ 2 - 1
ChangeLog

@@ -1,7 +1,8 @@
 1/1/2015 Oleg Moskalenko <[email protected]>
-Version 4.3.4.1 'Tolomei':
+Version 4.4.1.1 'Carlot dan Eider':
 	- https admin server;
 	- SSLv2 support removed;
+	- The server-side short-term credentials mechanism support removed; 
 
 12/24/2014 Oleg Moskalenko <[email protected]>
 Version 4.3.3.1 'Tolomei':

+ 8 - 17
INSTALL

@@ -684,13 +684,6 @@ used for the HMAC key generation.
 The key must be 32 characters (HEX representation of 16 bytes) for SHA1,
 or 64 characters (HEX representation of 32 bytes) for SHA256.
 
-# Table for short-term credentials mechanism authorisation:
-#
-CREATE TABLE turnusers_st (
-    name varchar(512) PRIMARY KEY,
-    password varchar(127)
-);
-
 # Table holding shared secrets for secret-based authorization
 # (REST API). It can only be used together with the long-term 
 # mechanism:
@@ -827,10 +820,10 @@ Fill in users, for example:
   Long-term credentials mechanism with SHA256 extension:
   $ bin/turnadmin -a -b "/var/db/turndb" -u bethod -r north.gov -p king-of-north --sha256
   
-  Short-term credentials mechanism:
+  Admin users:
    
   $ bin/turnadmin -A -b "/var/db/turndb" -u gorst -p hero
-  $ bin/turnadmin -A -b "/var/db/turndb" -u ninefingers -p youhavetoberealistic 
+  $ bin/turnadmin -A -b "/var/db/turndb" -u ninefingers -p youhavetoberealistic -r north.gov 
 
 XVI. PostgreSQL setup
 
@@ -899,8 +892,6 @@ PREFIX/share/turnserver/schema.sql file after the turnserver installation:
 $ cat turndb/schema.sql | psql -U turn turn
 	NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "turnusers_lt_pkey" for table "turnusers_lt"
 	CREATE TABLE
-	NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "turnusers_st_pkey" for table "turnusers_st"
-	CREATE TABLE
 	CREATE TABLE
 
 See the SQLite section for the detailed database schema explanation.
@@ -951,10 +942,10 @@ Fill in users, for example:
   Long-term credentials mechanism with SHA256 extension:
   $ bin/turnadmin -a -e "host=localhost dbname=coturn user=turn password=turn" -u bethod -r north.gov -p king-of-north --sha256
   
-  Short-term credentials mechanism:
+  Admin users:
    
   $ bin/turnadmin -A -e "host=localhost dbname=coturn user=turn password=turn" -u gorst -p hero
-  $ bin/turnadmin -A -e "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -p youhavetoberealistic 
+  $ bin/turnadmin -A -e "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -p youhavetoberealistic -r north.gov
 
 XVII. MySQL (MariaDB) setup
 
@@ -1006,10 +997,10 @@ the root account.
   Long-term credentials mechanism with SHA256 extension:
   $ bin/turnadmin -a -M "host=localhost dbname=coturn user=turn password=turn" -u bethod -r north.gov -p king-of-north --sha256
   
-  Short-term credentials mechanism:
+  Admin users:
    
   $ bin/turnadmin -A -M "host=localhost dbname=coturn user=turn password=turn" -u gorst -p hero
-  $ bin/turnadmin -A -M "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -p youhavetoberealistic 
+  $ bin/turnadmin -A -M "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -p youhavetoberealistic -r north.gov
 
 7) Now we can use mysql in the turnserver.
 
@@ -1135,10 +1126,10 @@ Redis TURN admin commands:
   Long-term credentials mechanism with SHA256 extension:
   $ bin/turnadmin -a -N "host=localhost dbname=2 user=turn password=turn" -u bethod -r north.gov -p king-of-north --sha256
   
-  Short-term credentials mechanism:
+  Admin users:
    
   $ bin/turnadmin -A -N "host=localhost dbname=2 user=turn password=turn" -u gorst -p hero
-  $ bin/turnadmin -A -N "host=localhost dbname=2 user=turn password=turn" -u ninefingers -p youhavetoberealistic 
+  $ bin/turnadmin -A -N "host=localhost dbname=2 user=turn password=turn" -u ninefingers -p youhavetoberealistic -r north.gov
   
 See the file testredisdbsetup.sh for the data structure examples.
 

+ 4 - 4
README.turnadmin

@@ -51,15 +51,15 @@ Commands:
 
 -a, --add       	Add or update a long-term user.
 
--A, --add-st    	Add or update a short-term credentials mechanism user.
+-A, --add-admin    	Add or update an admin user.
 
 -d, --delete		Delete a long-term user.
 
--D, --delete-st		Delete a short-term user.
+-D, --delete-admin		Delete an admin user.
 
 -l, --list		List long-term users in the database.
 
--L, --list-st		List short-term users in the database.
+-L, --list-admin		List admin users in the database.
 
 -s, --set-secret=<value> Add shared secret for TURN RESP API
 
@@ -119,7 +119,7 @@ List all long-term users in MySQL database:
 
 $ turnadmin -l --mysql-userdb="<db-connection-string>" -r <realm>
 
-List all short-term users in Redis database:
+List all admin users in Redis database:
 
 $ turnadmin -L --redis-userdb="<db-connection-string>"
 

+ 13 - 21
README.turnserver

@@ -85,8 +85,8 @@ User database settings:
 		/usr/local/var/db/turndb or /var/lib/turn/turndb).
 				  
 -e, --psql-userdb	User database connection string for PostgreSQL.
-		This database can be used for long-term and short-term 
-		credentials mechanisms, and it can store the secret value 
+		This database can be used for long-term credentials mechanism,
+		and it can store the secret value 
 		for secret-based timed authentication in TURN RESP API.
 		The connection string format is like that:
 		 
@@ -103,8 +103,8 @@ User database settings:
 		Also, see http://www.PostgreSQL.org for full PostgreSQL documentation.
 				  
 -M, --mysql-userdb	User database connection string for MySQL or MariaDB. 
-		This database can be used for long-term and short-term 
-		credentials mechanisms, and it can store the secret value for 
+		This database can be used for long-term credentials mechanism,
+		and it can store the secret value for 
 		secret-based timed authentication in TURN RESP API.
 		The connection string format is like that:
 		 
@@ -121,8 +121,8 @@ User database settings:
 		command options description).
 		
 -J, --mongo-userdb	User database connection string for MongoDB. 
-		This database can be used for long-term and short-term 
-		credentials mechanisms, and it can store the secret value 
+		This database can be used for long-term credentials mechanism,
+		and it can store the secret value 
 		for secret-based timed authentication in TURN RESP API.
 		The connection string format is like that:
 		 
@@ -134,8 +134,8 @@ User database settings:
 		for full MongoDB documentation.
 		
 -N, --redis-userdb	User database connection string for Redis. 
-		This database can be used for long-term and short-term
-		credentials mechanisms, and it can store the secret 
+		This database can be used for long-term	credentials mechanism,
+		and it can store the secret 
 		value for secret-based timed authentication in TURN RESP API.
 		The connection string format is like that:
 		 
@@ -160,8 +160,6 @@ Flags:
 
 -a, --lt-cred-mech	Use long-term credentials mechanism (this one you need for WebRTC usage).
 
--A, --st-cred-mech	Use the short-term credentials mechanism.
-
 -z, --no-auth		Do not use any credentials mechanism, allow anonymous access. 
 			Opposite to -a and -A options. This is default option when no 
 			authentication-related options are set.
@@ -182,8 +180,6 @@ Flags:
 			This option is just turns on secret-based authentication.
 			The actual value of the secret is defined either by option static-auth-secret,
 			or can be found in the turn_secret table in the database.
-			This option can be used with long-term credentials mechanisms only -
-			it does not make much sense with the short-term mechanism.
 			
 --oauth			Support oAuth authentication, as in the third-party TURN specs document.
 			
@@ -380,8 +376,7 @@ Options with required values:
 			the key must be prepended with 0x symbols.
 			The key is calculated over the user name, 
 			the user realm, and the user password.
-			This setting may not be used with TURN REST API or
-			with short-term credentials mechanism.
+			This setting may not be used with TURN REST API.
 
 -r, --realm		The default realm to be used for the users when no explicit 
 			origin/realm relationship was found in the database, or if the TURN
@@ -558,8 +553,8 @@ WEBRTC USAGE
 This is a set of notes for the WebRTC users:
 
 1) WebRTC uses long-term authentication mechanism, so you have to use -a 
-option (or --lt-cred-mech). WebRTC relaying will not work with anonymous access 
-or with short-term authentication. With -a option, do not forget to set the 
+option (or --lt-cred-mech). WebRTC relaying will not work with anonymous
+access. With -a option, do not forget to set the 
 default realm (-r option). You will also have to set up the user accounts, 
 for that you have a number of options:
 
@@ -731,9 +726,7 @@ For long-term credentials, you have to set the "keys" for the users; the "keys"
 by the turnadmin utility. For the key generation, you need username, password and the realm. 
 All users in the database must use the same realm value; if down the road you will decide 
 to change the realm name, then you will have to re-generate all user keys (that can be done 
-in a batch script). If you are using short-term credentials, then you use open passwords 
-in the database; you will have to make sure that nobody can access the database outside of 
-the TURN server box. See the file turndb/testsqldbsetup.sql as an example.
+in a batch script). See the file turndb/testsqldbsetup.sql as an example.
 
 4) The same is true for MySQL database. The same schema file is applicable. 
 The same considerations are applicable. 
@@ -742,8 +735,7 @@ The same considerations are applicable.
 it can be found (in the form of explanation) in schema.userdb.redis. 
 Also, in Redis you can store both "keys" and open passwords (for long term credentials) - 
 the "open password" option is less secure but more convenient for low-security environments. 
-For short-term credentials, you will use open passwords only. See the file 
-turndb/testredisdbsetup.sh as an example. 
+See the file turndb/testredisdbsetup.sh as an example. 
 
 6) If a database is used, then users can be divided into multiple independent realms. Each realm
 can be administered separately, and each realm can have its own set of users and its own

+ 0 - 4
README.turnutils

@@ -84,10 +84,6 @@ Flags:
 
 -g      Set DONT_FRAGMENT parameter in TURN requests.
 
--A	use short-term credentials mechanism for authentication. 
-	By default, the program uses the long-term credentials mechanism 
-	if authentication is required.
-
 -D	Do mandatory channel padding even for UDP (like pjnath).
 
 -N	do negative tests (some limited cases only).

+ 5 - 11
examples/etc/turnserver.conf

@@ -169,11 +169,6 @@
 #
 #lt-cred-mech
 
-# Uncomment to use short-term credential mechanism.
-# By default no credentials mechanism is used (any user allowed).
-#
-#st-cred-mech
-
 # This option is opposite to lt-cred-mech or st-cred-mech. 
 # (TURN Server with no-auth option allows anonymous access).
 # If neither option is defined, and no users are defined,
@@ -223,8 +218,7 @@
 #oauth
 
 # 'Static' user accounts for long term credentials mechanism, only.
-# This option cannot be used with TURN REST API or with short-term credentials
-# mechanism.
+# This option cannot be used with TURN REST API.
 # 'Static' user accounts are NOT dynamically checked by the turnserver process, 
 # so that they can NOT be changed while the turnserver is running.
 #
@@ -259,7 +253,7 @@
 
 # PostgreSQL database connection string in the case that we are using PostgreSQL
 # as the user database.
-# This database can be used for long-term and short-term credential mechanisms
+# This database can be used for long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN RESP API. 
 # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
 # versions connection string format, see 
@@ -270,7 +264,7 @@
 
 # MySQL database connection string in the case that we are using MySQL
 # as the user database.
-# This database can be used for long-term and short-term credential mechanisms
+# This database can be used for long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN RESP API.
 #
 # Optional connection string parameters for the secure communications (SSL): 
@@ -284,7 +278,7 @@
 
 # MongoDB database connection string in the case that we are using MongoDB
 # as the user database.
-# This database can be used for long-term and short-term credential mechanisms
+# This database can be used for long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN RESP API. 
 # Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
 #
@@ -292,7 +286,7 @@
 
 # Redis database connection string in the case that we are using Redis
 # as the user database.
-# This database can be used for long-term and short-term credential mechanisms
+# This database can be used for long-term credential mechanism
 # and it can store the secret value for secret-based timed authentication in TURN RESP API. 
 # Use string format as below (space separated parameters, all optional):
 #
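Review bot: The `no-auth` commentary immediately after the removed `#st-cred-mech` block still reads `# This option is opposite to lt-cred-mech or st-cred-mech.`, so the shipped example config keeps pointing operators at an option this commit deletes. That line should become `# This option is opposite to lt-cred-mech.`, and the following sentence (`# If neither option is defined, ...`) needs the same rewording since only one option remains; its tail is outside the hunk. The same stale reference survives in the `-z, --no-auth` text of README.turnserver and man/man1/turnserver.1 (`Opposite to -a and -A options`), which this commit leaves untouched.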

+ 0 - 34
examples/scripts/shorttermsecure/secure_relay_short_term_mech.sh

@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# This is an example how to start a TURN Server in
-# secure mode with short-term security mechanism - see option -A
-# that means "use short-term credential mechanism".
-#
-# The user credentials are stored in the database.
-#
-# We listen on available interfaces here, and we use the "external" IPs
-# for relay endpoints allocation.
-#
-# Other options:
-#
-# 1) set bandwidth limit on client session 3000000 bytes per second (--max-bps).
-# 2) use fingerprints (-f)
-# 3) use 3 relay threads (-m 3)
-# 4) use min UDP relay port 32355 and max UDP relay port 65535
-# 5) --db="var/db/turndb" means that SQLite database "var/db/turndb" will be used.
-# 6) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name. 
-# 7) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
-# 8) "--log-file=stdout" means that all log output will go to the stdout.
-# 9) -E 127.0.0.1 and -E :;1 sets the relay addresses, in this case for loopback 
-# communications only.
-# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
-# Other parameters (config file name, etc) are default.
-
-if [ -d examples ] ; then
-       cd examples
-fi
-
-export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
-
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -A --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535  --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -E 127.0.0.1 -E ::1 --cipher-list=ALL $@

+ 0 - 31
examples/scripts/shorttermsecure/secure_tcp_client_c2c_tcp_relay_short_term.sh

@@ -1,31 +0,0 @@
-#!/bin/sh
-#
-# This is an example of a script to run a "secure" TURN TCP client
-# with the short-term credentials mechanism and with
-# TCP relay endpoints (RFC 6062).
-#
-# Options:
-#
-# 1) -T is present, it means that TCP networking is used, with TCP relay endpoints (RFC 6062).
-# 5) -n 1000 means 1000 messages per single emulated client. Messages
-# are sent with interval of 20 milliseconds, to emulate an RTP stream.
-# 6) -m 10 means that 10 clients are emulated.
-# 7) -l 170 means that the payload size of the packets is 170 bytes 
-# (like average audio RTP packet).
-# 8) -y means that the clients will connect to the 'neighbor' clients, no peer app will be used.
-# 9) -g means "set DONT_FRAGMENT parameter in TURN requests".
-# 10) -A sets the short-term credentials mechanism.
-# 11) -u gorst sets the client user name.
-# 12) -w hero sets the password for the account as "hero".
-# 13) ::1 (the last parameter) is the TURN Server IP address. We use IPv6 here
-# to illustrate how the TURN Server convert the traffic from IPv6 to IPv4 and back.
-#
-
-if [ -d examples ] ; then
-       cd examples
-fi
-
-export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/
-
-PATH=examples/bin/:../bin/:./bin/:${PATH} turnutils_uclient -T -n 1000 -m 10 -l 170 -y -g -A -u gorst -w hero $@ ::1
-

+ 0 - 30
examples/scripts/shorttermsecure/secure_udp_client_short_term.sh

@@ -1,30 +0,0 @@
-#!/bin/sh
-#
-# This is an example of a script to run a "secure" TURN UDP client
-# with short-term credential mechanism.
-#
-# Options:
-#
-# 1) -t is absent, it means that UDP networking is used.
-# 5) -n 1000 means 1000 messages per single emulated client. Messages
-# are sent with interval of 20 milliseconds, to emulate an RTP stream.
-# 6) -m 10 means that 10 clients are emulated.
-# 7) -l 170 means that the payload size of the packets is 170 bytes 
-# (like average audio RTP packet).
-# 8) -e 127.0.0.1 means that the clients will use peer address 127.0.0.1.
-# 9) -g means "set DONT_FRAGMENT parameter in TURN requests".
-# 10) -A means that the short-term credentials mechanism is used.
-# 11) -u ninefingers sets the client user name.
-# 12) -w youhavetoberealistic sets the password for the user account as "youhavetoberealistic".
-# 13) -s option means that the client will be using "send" indication for data trasfer.
-# 14) ::1 (the last parameter) is the TURN Server IP address. We use IPv6 here
-# to illustrate how the TURN Server convert the traffic from IPv6 to IPv4 and back.
-#
-
-if [ -d examples ] ; then
-       cd examples
-fi
-
-export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/
-
-PATH=examples/bin/:../bin/:./bin/:${PATH} turnutils_uclient -n 1000 -m 10 -l 170 -e 127.0.0.1 -X -g -A -u ninefingers -w youhavetoberealistic -s $@ ::1

BIN
examples/var/db/turndb


+ 7 - 7
man/man1/turnadmin.1

@@ -74,24 +74,24 @@ Generate key for a long\-term credentials mechanism user.
 Add or update a long\-term user.
 .TP
 .B
-\fB\-A\fP, \fB\-\-add\-st\fP
-Add or update a short\-term credentials mechanism user.
+\fB\-A\fP, \fB\-\-add\-admin\fP
+Add or update an admin user.
 .TP
 .B
 \fB\-d\fP, \fB\-\-delete\fP
 Delete a long\-term user.
 .TP
 .B
-\fB\-D\fP, \fB\-\-delete\-st\fP
-Delete a short\-term user.
+\fB\-D\fP, \fB\-\-delete\-admin\fP
+Delete an admin user.
 .TP
 .B
 \fB\-l\fP, \fB\-\-list\fP
 List long\-term users in the database.
 .TP
 .B
-\fB\-L\fP, \fB\-\-list\-st\fP
-List short\-term users in the database.
+\fB\-L\fP, \fB\-\-list\-admin\fP
+List admin users in the database.
 .PP
 \fB\-s\fP, \fB\-\-set\-secret\fP=<value> Add shared secret for TURN RESP API
 .TP
@@ -211,7 +211,7 @@ List all long\-term users in MySQL database:
 .PP
 $ \fIturnadmin\fP \fB\-l\fP \fB\-\-mysql\-userdb\fP="<db\-connection\-string>" \fB\-r\fP <realm>
 .PP
-List all short\-term users in Redis database:
+List all admin users in Redis database:
 .PP
 $ \fIturnadmin\fP \fB\-L\fP \fB\-\-redis\-userdb\fP="<db\-connection\-string>"
 .PP

+ 13 - 23
man/man1/turnserver.1

@@ -138,8 +138,8 @@ SQLite user database file name (default \- /var/db/turndb or
 .B
 \fB\-e\fP, \fB\-\-psql\-userdb\fP
 User database connection string for PostgreSQL.
-This database can be used for long\-term and short\-term 
-credentials mechanisms, and it can store the secret value 
+This database can be used for long\-term credentials mechanism,
+and it can store the secret value 
 for secret\-based timed authentication in TURN RESP API.
 The connection string format is like that:
 .RS
@@ -160,8 +160,8 @@ Also, see http://www.PostgreSQL.org for full PostgreSQL documentation.
 .B
 \fB\-M\fP, \fB\-\-mysql\-userdb\fP
 User database connection string for MySQL or MariaDB. 
-This database can be used for long\-term and short\-term 
-credentials mechanisms, and it can store the secret value for 
+This database can be used for long\-term credentials mechanism,
+and it can store the secret value for 
 secret\-based timed authentication in TURN RESP API.
 The connection string format is like that:
 .RS
@@ -182,8 +182,8 @@ command \fIoptions\fP description).
 .B
 \fB\-J\fP, \fB\-\-mongo\-userdb\fP
 User database connection string for MongoDB. 
-This database can be used for long\-term and short\-term 
-credentials mechanisms, and it can store the secret value 
+This database can be used for long\-term credentials mechanism,
+and it can store the secret value 
 for secret\-based timed authentication in TURN RESP API.
 The connection string format is like that:
 .RS
@@ -199,8 +199,8 @@ for full MongoDB documentation.
 .B
 \fB\-N\fP, \fB\-\-redis\-userdb\fP
 User database connection string for Redis. 
-This database can be used for long\-term and short\-term
-credentials mechanisms, and it can store the secret 
+This database can be used for long\-term credentials mechanism,
+and it can store the secret 
 value for secret\-based timed authentication in TURN RESP API.
 The connection string format is like that:
 .RS
@@ -239,10 +239,6 @@ per\-server setting.
 Use long\-term credentials mechanism (this one you need for WebRTC usage).
 .TP
 .B
-\fB\-A\fP, \fB\-\-st\-cred\-mech\fP
-Use the short\-term credentials mechanism.
-.TP
-.B
 \fB\-z\fP, \fB\-\-no\-auth\fP
 Do not use any credentials mechanism, allow anonymous access. 
 Opposite to \fB\-a\fP and \fB\-A\fP \fIoptions\fP. This is default option when no 
@@ -266,8 +262,6 @@ If you don't have a suitable id, the timestamp alone can be used.
 This option is just turns on secret\-based authentication.
 The actual value of the secret is defined either by option static\-auth\-secret,
 or can be found in the turn_secret table in the database.
-This option can be used with long\-term credentials mechanisms only \-
-it does not make much sense with the short\-term mechanism.
 .TP
 .B
 \fB\-\-oauth\fP
@@ -555,8 +549,7 @@ by \fIturnadmin\fP command. In the second case,
 the key must be prepended with 0x symbols.
 The key is calculated over the user name, 
 the user realm, and the user password.
-This setting may not be used with TURN REST API or
-with short\-term credentials mechanism.
+This setting may not be used with TURN REST API.
 .TP
 .B
 \fB\-r\fP, \fB\-\-realm\fP
@@ -792,8 +785,8 @@ http://code.google.com/p/coturn/wiki/turn_performance_and_load_balance
 This is a set of notes for the WebRTC users:
 .IP 1) 4
 WebRTC uses long\-term authentication mechanism, so you have to use \fB\-a\fP
-option (or \fB\-\-lt\-cred\-mech\fP). WebRTC relaying will not work with anonymous access 
-or with short\-term authentication. With \fB\-a\fP option, do not forget to set the 
+option (or \fB\-\-lt\-cred\-mech\fP). WebRTC relaying will not work with anonymous
+access. With \fB\-a\fP option, do not forget to set the 
 default realm (\fB\-r\fP option). You will also have to set up the user accounts, 
 for that you have a number of \fIoptions\fP:
 .PP
@@ -984,9 +977,7 @@ For long\-term credentials, you have to set the "keys" for the users; the "keys"
 by the \fIturnadmin\fP utility. For the key generation, you need username, password and the realm. 
 All users in the database must use the same realm value; if down the road you will decide 
 to change the realm name, then you will have to re\-generate all user keys (that can be done 
-in a batch script). If you are using short\-term credentials, then you use open passwords 
-in the database; you will have to make sure that nobody can access the database outside of 
-the TURN server box. See the file turndb/testsqldbsetup.sql as an example.
+in a batch script). See the file turndb/testsqldbsetup.sql as an example.
 .IP 4) 4
 The same is true for MySQL database. The same schema file is applicable.
 The same considerations are applicable. 
@@ -995,8 +986,7 @@ The same is true for the Redis database, but the Redis database has aa different
 it can be found (in the form of explanation) in schema.userdb.redis. 
 Also, in Redis you can store both "keys" and open passwords (for long term credentials) \- 
 the "open password" option is less secure but more convenient for low\-security environments. 
-For short\-term credentials, you will use open passwords only. See the file 
-turndb/testredisdbsetup.sh as an example. 
+See the file turndb/testredisdbsetup.sh as an example. 
 .IP 6) 4
 If a database is used, then users can be divided into multiple independent realms. Each realm
 can be administered separately, and each realm can have its own set of users and its own

+ 0 - 6
man/man1/turnutils.1

@@ -122,12 +122,6 @@ IPv4 relay address explicitly requested.
 Set DONT_FRAGMENT parameter in TURN requests.
 .TP
 .B
-\fB\-A\fP
-use short\-term credentials mechanism for authentication. 
-By default, the program uses the long\-term credentials mechanism 
-if authentication is required.
-.TP
-.B
 \fB\-D\fP
 Do mandatory channel padding even for UDP (like pjnath).
 .TP

+ 1 - 1
rpm/build.settings.sh

@@ -2,7 +2,7 @@
 
 # Common settings script.
 
-TURNVERSION=4.3.4.1
+TURNVERSION=4.4.1.1
 BUILDDIR=~/rpmbuild
 ARCH=`uname -p`
 TURNSERVER_SVN_URL=http://coturn.googlecode.com/svn

+ 3 - 8
rpm/turnserver.spec

@@ -1,5 +1,5 @@
 Name:		turnserver
-Version:	4.3.4.1
+Version:	4.4.1.1
 Release:	0%{dist}
 Summary:	Coturn TURN Server
 
@@ -61,7 +61,6 @@ authentication is required):
 Redis can also be used for status and statistics storage and notification.
 
 Supported TURN authentication mechanisms:
-- short-term
 - long-term
 - TURN REST API (a modification of the long-term mechanism, for time-limited
   secret-based authentication, for WebRTC applications)
@@ -248,10 +247,6 @@ fi
 %dir %{_datadir}/%{name}/scripts/selfloadbalance
 %{_datadir}/%{name}/scripts/selfloadbalance/secure_dos_attack.sh
 %{_datadir}/%{name}/scripts/selfloadbalance/secure_relay.sh
-%dir %{_datadir}/%{name}/scripts/shorttermsecure
-%{_datadir}/%{name}/scripts/shorttermsecure/secure_relay_short_term_mech.sh
-%{_datadir}/%{name}/scripts/shorttermsecure/secure_tcp_client_c2c_tcp_relay_short_term.sh
-%{_datadir}/%{name}/scripts/shorttermsecure/secure_udp_client_short_term.sh
 %dir %{_datadir}/%{name}/scripts/mobile
 %{_datadir}/%{name}/scripts/mobile/mobile_relay.sh
 %{_datadir}/%{name}/scripts/mobile/mobile_dtls_client.sh
@@ -293,8 +288,8 @@ fi
 %{_includedir}/turn/client/TurnMsgLib.h
 
 %changelog
-* Thu Jan 24 2015 Oleg Moskalenko <[email protected]>
-  - Sync to 4.3.4.1
+* Sat Jan 10 2015 Oleg Moskalenko <[email protected]>
+  - Sync to 4.4.1.1
 * Wed Dec 24 2014 Oleg Moskalenko <[email protected]>
   - Sync to 4.3.3.1
 * Sun Dec 14 2014 Oleg Moskalenko <[email protected]>

+ 8 - 87
src/apps/relay/dbdrivers/dbd_mongo.c

@@ -312,53 +312,6 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 	return ret;
 }
   
-static int mongo_get_user_pwd(u08bits *usname, password_t pwd) {
-  mongoc_collection_t * collection = mongo_get_collection("turnusers_st"); 
-
-	if(!collection)
-    return -1;
-    
-  bson_t query;
-  bson_init(&query);
-  BSON_APPEND_UTF8(&query, "name", (const char *)usname);
-
-  bson_t fields;
-  bson_init(&fields);
-  BSON_APPEND_INT32(&fields, "password", 1);
-  
-  mongoc_cursor_t * cursor;
-  cursor = mongoc_collection_find(collection, MONGOC_QUERY_NONE, 0, 1, 0, &query, &fields, NULL);
-  
-  int ret = -1;
-
-  if (!cursor) {
-		TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error querying MongoDB collection 'turnusers_st'\n");
-  } else {
-    const bson_t * item;
-    uint32_t length;
-    bson_iter_t iter;
-    const char * value;
-    if (mongoc_cursor_next(cursor, &item)) {
-    	if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "password") && BSON_ITER_HOLDS_UTF8(&iter)) {
-        value = bson_iter_utf8(&iter, &length);
-
-				if(length < 1) {
-					TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong password data for user %s, size in MongoDB is zero(0)\n", usname);
-				} else {
-					ns_bcopy(value, pwd, length);
-					pwd[length] = 0;
-					ret = 0;
-				}
-			}
-    }
-    mongoc_cursor_destroy(cursor);
-  }
-  mongoc_collection_destroy(collection);
-  bson_destroy(&query);
-  bson_destroy(&fields);
-  return ret;
-}
-  
 static int mongo_set_user_key(u08bits *usname, u08bits *realm, const char *key) {
   mongoc_collection_t * collection = mongo_get_collection("turnusers_lt"); 
 
@@ -425,8 +378,8 @@ static int mongo_set_oauth_key(oauth_key_data_raw *key) {
   return ret;
 }
   
-static int mongo_set_user_pwd(u08bits *usname, password_t pwd) {
-  mongoc_collection_t * collection = mongo_get_collection("turnusers_st");
+static int mongo_del_user(u08bits *usname, u08bits *realm) {
+  mongoc_collection_t * collection = mongo_get_collection("turnusers_lt");
 
 	if(!collection)
     return -1;
@@ -434,37 +387,7 @@ static int mongo_set_user_pwd(u08bits *usname, password_t pwd) {
   bson_t query;
   bson_init(&query);
   BSON_APPEND_UTF8(&query, "name", (const char *)usname);
-  
-  bson_t doc;
-  bson_init(&doc);
-  BSON_APPEND_UTF8(&doc, "name", (const char *)usname);
-  BSON_APPEND_UTF8(&doc, "password", (const char *)pwd);
-
-  int ret = -1;
-  
-  if (!mongoc_collection_update(collection, MONGOC_UPDATE_UPSERT, &query, &doc, NULL, NULL)) {
-    TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating secret key information\n");
-  } else {
-    ret = 0;
-  }
-  mongoc_collection_destroy(collection);
-  bson_destroy(&doc);
-  bson_destroy(&query);
-  return ret;
-}
-  
-static int mongo_del_user(u08bits *usname, int is_st, u08bits *realm) {
-  mongoc_collection_t * collection = mongo_get_collection(is_st ? "turnusers_st" : "turnusers_lt");
-
-	if(!collection)
-    return -1;
-    
-  bson_t query;
-  bson_init(&query);
-  BSON_APPEND_UTF8(&query, "name", (const char *)usname);
-  if(!is_st) {
-    BSON_APPEND_UTF8(&query, "realm", (const char *)realm);
-  }
+  BSON_APPEND_UTF8(&query, "realm", (const char *)realm);
   
   int ret = -1;    
 
@@ -501,8 +424,8 @@ static int mongo_del_oauth_key(const u08bits *kid) {
   return ret;
 }
   
-static int mongo_list_users(int is_st, u08bits *realm) {
-  const char * collection_name = is_st ? "turnusers_st" : "turnusers_lt";
+static int mongo_list_users(u08bits *realm) {
+  const char * collection_name = "turnusers_lt";
   mongoc_collection_t * collection = mongo_get_collection(collection_name); 
 
 	if(!collection)
@@ -514,7 +437,7 @@ static int mongo_list_users(int is_st, u08bits *realm) {
   bson_append_int32(&child, "name", -1, 1);
   bson_append_document_end(&query, &child);
   bson_append_document_begin(&query, "$query", -1, &child);
-  if (!is_st && realm && realm[0]) {
+  if (realm && realm[0]) {
     BSON_APPEND_UTF8(&child, "realm", (const char *)realm);
   }
   bson_append_document_end(&query, &child);
@@ -522,7 +445,7 @@ static int mongo_list_users(int is_st, u08bits *realm) {
   bson_t fields;
   bson_init(&fields);
   BSON_APPEND_INT32(&fields, "name", 1);
-  if(!is_st) BSON_APPEND_INT32(&fields, "realm", 1);
+  BSON_APPEND_INT32(&fields, "realm", 1);
 
   mongoc_cursor_t * cursor;
   cursor = mongoc_collection_find(collection, MONGOC_QUERY_NONE, 0, 0, 0, &query, &fields, NULL);
@@ -542,7 +465,7 @@ static int mongo_list_users(int is_st, u08bits *realm) {
     		value = bson_iter_utf8(&iter, &length);
     		if (length) {
         		const char *realm = "";
-    			if (!is_st && bson_iter_init(&iter_realm, item) && bson_iter_find(&iter_realm, "realm") && BSON_ITER_HOLDS_UTF8(&iter_realm)) {
+    			if (bson_iter_init(&iter_realm, item) && bson_iter_find(&iter_realm, "realm") && BSON_ITER_HOLDS_UTF8(&iter_realm)) {
     				realm = bson_iter_utf8(&iter_realm, &length);
     			}
     			if(realm && *realm) {
@@ -1339,9 +1262,7 @@ static int mongo_list_admin_users(void)
 static const turn_dbdriver_t driver = {
   &mongo_get_auth_secrets,
   &mongo_get_user_key,
-  &mongo_get_user_pwd,
   &mongo_set_user_key,
-  &mongo_set_user_pwd,
   &mongo_del_user,
   &mongo_list_users,
   &mongo_show_secret,

+ 4 - 73
src/apps/relay/dbdrivers/dbd_mysql.c

@@ -338,47 +338,6 @@ static int mysql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
 	}
   return ret;
 }
-  
-static int mysql_get_user_pwd(u08bits *usname, password_t pwd) {
-
-  int ret = -1;
-
-	char statement[TURN_LONG_STRING_SIZE];
-	snprintf(statement,sizeof(statement),"select password from turnusers_st where name='%s'",usname);
-
-	MYSQL * myc = get_mydb_connection();
-	if(myc) {
-		int res = mysql_query(myc, statement);
-		if(res) {
-			TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc));
-		} else {
-			MYSQL_RES *mres = mysql_store_result(myc);
-			if(!mres) {
-				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving MySQL DB information: %s\n",mysql_error(myc));
-			} else if(mysql_field_count(myc)!=1) {
-				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unknown error retrieving MySQL DB information: %s\n",statement);
-			} else {
-				MYSQL_ROW row = mysql_fetch_row(mres);
-				if(row && row[0]) {
-					unsigned long *lengths = mysql_fetch_lengths(mres);
-					if(lengths) {
-						if(lengths[0]<1) {
-							TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong password data for user %s, size in MySQL DB is zero(0)\n",usname);
-						} else {
-							ns_bcopy(row[0],pwd,lengths[0]);
-							pwd[lengths[0]]=0;
-							ret = 0;
-						}
-					}
-				}
-			}
-
-			if(mres)
-				mysql_free_result(mres);
-		}
-	}
-  return ret;
-}
 
 static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 
@@ -558,36 +517,12 @@ static int mysql_set_oauth_key(oauth_key_data_raw *key) {
   return ret;
 }
   
-static int mysql_set_user_pwd(u08bits *usname, password_t pwd) {
-  int ret = -1;
-	char statement[TURN_LONG_STRING_SIZE];
-	MYSQL * myc = get_mydb_connection();
-	if(myc) {
-	  snprintf(statement,sizeof(statement),"insert into turnusers_st values('%s','%s')",usname,pwd);
-		int res = mysql_query(myc, statement);
-		if(res) {
-		  snprintf(statement,sizeof(statement),"update turnusers_st set password='%s' where name='%s'",pwd,usname);
-			res = mysql_query(myc, statement);
-			if(res) {
-				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating user key information: %s\n",mysql_error(myc));
-			} else {
-			  ret = 0;
-			}
-		}
-	}
-  return ret;
-}
-  
-static int mysql_del_user(u08bits *usname, int is_st, u08bits *realm) {
+static int mysql_del_user(u08bits *usname, u08bits *realm) {
   int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
 	MYSQL * myc = get_mydb_connection();
 	if(myc) {
-		if(is_st) {
-		  snprintf(statement,sizeof(statement),"delete from turnusers_st where name='%s'",usname);
-		} else {
-		  snprintf(statement,sizeof(statement),"delete from turnusers_lt where name='%s' and realm='%s'",usname,realm);
-		}
+		snprintf(statement,sizeof(statement),"delete from turnusers_lt where name='%s' and realm='%s'",usname,realm);
 		int res = mysql_query(myc, statement);
 		if(res) {
 			TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error deleting user key information: %s\n",mysql_error(myc));
@@ -614,14 +549,12 @@ static int mysql_del_oauth_key(const u08bits *kid) {
 	return ret;
 }
   
-static int mysql_list_users(int is_st, u08bits *realm) {
+static int mysql_list_users(u08bits *realm) {
   int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
 	MYSQL * myc = get_mydb_connection();
 	if(myc) {
-		if(is_st) {
-		  snprintf(statement,sizeof(statement),"select name,'' from turnusers_st order by name");
-		} else if(realm && realm[0]) {
+		if(realm && realm[0]) {
 		  snprintf(statement,sizeof(statement),"select name, realm from turnusers_lt where realm='%s' order by name",realm);
 		} else {
 		  snprintf(statement,sizeof(statement),"select name, realm from turnusers_lt order by name");
@@ -1194,9 +1127,7 @@ static int mysql_list_admin_users(void)
 static const turn_dbdriver_t driver = {
   &mysql_get_auth_secrets,
   &mysql_get_user_key,
-  &mysql_get_user_pwd,
   &mysql_set_user_key,
-  &mysql_set_user_pwd,
   &mysql_del_user,
   &mysql_list_users,
   &mysql_show_secret,
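Review bot: The delete statement in `mysql_del_user` (and the realm filter in `mysql_list_users`) still splices `usname` and `realm` into the SQL text with `%s`, so a name or realm containing a quote yields a malformed or altered query; the same pattern survives in `pgsql_del_user`/`pgsql_list_users` and `sqlite_del_user`/`sqlite_list_users` in this commit. For MySQL the values should be run through `mysql_real_escape_string()` on the open connection before the `snprintf`, or the delete should use a prepared statement with bound parameters; PostgreSQL offers `PQexecParams()` and SQLite `sqlite3_bind_text()` for the same purpose. The values reach these functions from the turnadmin command line today, but the driver entry points are shared with any other caller, so the escaping belongs in the driver rather than in the admin front end.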

+ 4 - 66
src/apps/relay/dbdrivers/dbd_pgsql.c

@@ -152,34 +152,6 @@ static int pgsql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
 	}
   return ret;
 }
-  
-static int pgsql_get_user_pwd(u08bits *usname, password_t pwd) {
-  int ret = -1;
-	char statement[TURN_LONG_STRING_SIZE];
-	snprintf(statement,sizeof(statement),"select password from turnusers_st where name='%s'",usname);
-
-	PGconn * pqc = get_pqdb_connection();
-	if(pqc) {
-		PGresult *res = PQexec(pqc, statement);
-
-		if(!res || (PQresultStatus(res) != PGRES_TUPLES_OK) || (PQntuples(res)!=1)) {
-			TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving PostgreSQL DB information: %s\n",PQerrorMessage(pqc));
-		} else {
-			char *kval = PQgetvalue(res,0,0);
-			if(kval) {
-				strncpy((char*)pwd,kval,sizeof(password_t));
-				ret = 0;
-			} else {
-				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong password data for user %s: NULL\n",usname);
-			}
-		}
-
-		if(res) {
-			PQclear(res);
-		}
-	}
-  return ret;
-}
 
 static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 
@@ -318,43 +290,13 @@ static int pgsql_set_oauth_key(oauth_key_data_raw *key) {
   }
   return ret;
 }
-
-static int pgsql_set_user_pwd(u08bits *usname, password_t pwd) {
-  int ret = -1;
-	char statement[TURN_LONG_STRING_SIZE];
-	PGconn *pqc = get_pqdb_connection();
-	if(pqc) {
-	  snprintf(statement,sizeof(statement),"insert into turnusers_st values('%s','%s')",usname,pwd);
-    PGresult *res = PQexec(pqc, statement);
-		if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) {
-			if(res) {
-				PQclear(res);
-			}
-		  snprintf(statement,sizeof(statement),"update turnusers_st set password='%s' where name='%s'",pwd,usname);
-			res = PQexec(pqc, statement);
-			if(!res || (PQresultStatus(res) != PGRES_COMMAND_OK)) {
-				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error inserting/updating user information: %s\n",PQerrorMessage(pqc));
-			} else {
-			  ret = 0;
-			}
-		}
-		if(res) {
-			PQclear(res);
-		}
-	}
-  return ret;
-}
   
-static int pgsql_del_user(u08bits *usname, int is_st, u08bits *realm) {
+static int pgsql_del_user(u08bits *usname, u08bits *realm) {
   int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
 	PGconn *pqc = get_pqdb_connection();
 	if(pqc) {
-		if(is_st) {
-		  snprintf(statement,sizeof(statement),"delete from turnusers_st where name='%s'",usname);
-		} else {
-		  snprintf(statement,sizeof(statement),"delete from turnusers_lt where name='%s' and realm='%s'",usname,realm);
-		}
+		snprintf(statement,sizeof(statement),"delete from turnusers_lt where name='%s' and realm='%s'",usname,realm);
 		PGresult *res = PQexec(pqc, statement);
 		if(res) {
 			PQclear(res);
@@ -385,14 +327,12 @@ static int pgsql_del_oauth_key(const u08bits *kid) {
   return ret;
 }
   
-static int pgsql_list_users(int is_st, u08bits *realm) {
+static int pgsql_list_users(u08bits *realm) {
   int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
 	PGconn *pqc = get_pqdb_connection();
 	if(pqc) {
-		if(is_st) {
-		  snprintf(statement,sizeof(statement),"select name,'' from turnusers_st order by name");
-		} else if(realm && realm[0]) {
+		if(realm && realm[0]) {
 		  snprintf(statement,sizeof(statement),"select name,realm from turnusers_lt where realm='%s' order by name",realm);
 		} else {
 		  snprintf(statement,sizeof(statement),"select name,realm from turnusers_lt order by name");
@@ -902,9 +842,7 @@ static int pgsql_list_admin_users(void)
 static const turn_dbdriver_t driver = {
   &pgsql_get_auth_secrets,
   &pgsql_get_user_key,
-  &pgsql_get_user_pwd,
   &pgsql_set_user_key,
-  &pgsql_set_user_pwd,
   &pgsql_del_user,
   &pgsql_list_users,
   &pgsql_show_secret,

+ 4 - 64
src/apps/relay/dbdrivers/dbd_redis.c

@@ -519,30 +519,6 @@ static int redis_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
   return ret;
 }
   
-static int redis_get_user_pwd(u08bits *usname, password_t pwd) {
-  int ret = -1;
-	redisContext * rc = get_redis_connection();
-	if(rc) {
-		char s[TURN_LONG_STRING_SIZE];
-		snprintf(s,sizeof(s),"get turn/user/%s/password", usname);
-		redisReply *rget = (redisReply *)redisCommand(rc, s);
-		if(rget) {
-			if (rget->type == REDIS_REPLY_ERROR)
-				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error: %s\n", rget->str);
-			else if (rget->type != REDIS_REPLY_STRING) {
-				if (rget->type != REDIS_REPLY_NIL)
-					TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unexpected type: %d\n", rget->type);
-			} else {
-				strncpy((char*)pwd,rget->str,STUN_MAX_PWD_SIZE);
-				pwd[STUN_MAX_PWD_SIZE]=0;
-				ret = 0;
-			}
-			turnFreeRedisReply(rget);
-		}
-	}
-  return ret;
-}
-  
 static int redis_set_user_key(u08bits *usname, u08bits *realm, const char *key) {
   int ret = -1;
 	redisContext *rc = get_redis_connection();
@@ -572,28 +548,12 @@ static int redis_set_oauth_key(oauth_key_data_raw *key) {
   return ret;
 }
   
-static int redis_set_user_pwd(u08bits *usname, password_t pwd) {
-  int ret = -1;
-	redisContext *rc = get_redis_connection();
-	if(rc) {
-		char statement[TURN_LONG_STRING_SIZE];
-		snprintf(statement,sizeof(statement),"set turn/user/%s/password %s",usname,pwd);
-		turnFreeRedisReply(redisCommand(rc, statement));
-		turnFreeRedisReply(redisCommand(rc, "save"));
-		ret = 0;
-	}
-  return ret;
-}
-  
-static int redis_del_user(u08bits *usname, int is_st, u08bits *realm) {
+static int redis_del_user(u08bits *usname, u08bits *realm) {
   int ret = -1;
 	redisContext *rc = get_redis_connection();
 	if(rc) {
 		char statement[TURN_LONG_STRING_SIZE];
-		if(is_st) {
-		  snprintf(statement,sizeof(statement),"del turn/user/%s/password",usname);
-		  turnFreeRedisReply(redisCommand(rc, statement));
-		} else {
+		{
 		  snprintf(statement,sizeof(statement),"del turn/realm/%s/user/%s/key",(char*)realm,usname);
 		  turnFreeRedisReply(redisCommand(rc, statement));
 		  snprintf(statement,sizeof(statement),"del turn/realm/%s/user/%s/password",(char*)realm,usname);
@@ -619,7 +579,7 @@ static int redis_del_oauth_key(const u08bits *kid) {
   return ret;
 }
   
-static int redis_list_users(int is_st, u08bits *realm) {
+static int redis_list_users(u08bits *realm) {
   int ret = -1;
 	redisContext *rc = get_redis_connection();
 	if(rc) {
@@ -630,8 +590,7 @@ static int redis_list_users(int is_st, u08bits *realm) {
 
 		redisReply *reply = NULL;
 
-		if(!is_st) {
-
+		{
 			if(realm && realm[0]) {
 				reply = (redisReply*)redisCommand(rc, "keys turn/realm/%s/user/*/key", (char*)realm);
 			} else {
@@ -660,23 +619,6 @@ static int redis_list_users(int is_st, u08bits *realm) {
 			}
 			if(reply) {
 
-				if (reply->type == REDIS_REPLY_ERROR)
-					TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error: %s\n", reply->str);
-				else if (reply->type != REDIS_REPLY_ARRAY) {
-					if (reply->type != REDIS_REPLY_NIL)
-						TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Unexpected type: %d\n", reply->type);
-				} else {
-					size_t i;
-					for (i = 0; i < reply->elements; ++i) {
-						add_to_secrets_list(&keys,reply->element[i]->str);
-					}
-				}
-				turnFreeRedisReply(reply);
-			}
-		} else {
-
-			reply = (redisReply*)redisCommand(rc, "keys turn/user/*/password");
-			if(reply) {
 				if (reply->type == REDIS_REPLY_ERROR)
 					TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error: %s\n", reply->str);
 				else if (reply->type != REDIS_REPLY_ARRAY) {
@@ -1329,9 +1271,7 @@ static int redis_list_admin_users(void)
 static const turn_dbdriver_t driver = {
   &redis_get_auth_secrets,
   &redis_get_user_key,
-  &redis_get_user_pwd,
   &redis_set_user_key,
-  &redis_set_user_pwd,
   &redis_del_user,
   &redis_list_users,
   &redis_show_secret,
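Review bot: In `redis_del_user` the `if(is_st)` branch was removed but its `else` braces survive as a bare `{ ... }` block, and `redis_list_users` carries the same leftover; dropping the extra braces and dedenting the body would make the new shape readable. Separately, the pre-formatted `statement` buffer is handed to `redisCommand()` as its format string, so a `%` in the user name or realm would be interpreted as a format directive; passing the values as arguments, `redisCommand(rc, "del turn/realm/%s/user/%s/key", (char*)realm, usname)`, as `redis_list_users` already does for its `keys` command, avoids that.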

+ 4 - 78
src/apps/relay/dbdrivers/dbd_sqlite.c

@@ -149,7 +149,6 @@ static void init_sqlite_database(sqlite3 *sqliteconnection) {
 
 	const char * statements[] = {
 		"CREATE TABLE turnusers_lt ( realm varchar(127) default '', name varchar(512), hmackey char(128), PRIMARY KEY (realm,name))",
-		"CREATE TABLE turnusers_st (name varchar(512) PRIMARY KEY, password varchar(127))",
 		"CREATE TABLE turn_secret (realm varchar(127) default '', value varchar(127), primary key (realm,value))",
 		"CREATE TABLE allowed_peer_ip (realm varchar(127) default '', ip_range varchar(256), primary key (realm,ip_range))",
 		"CREATE TABLE denied_peer_ip (realm varchar(127) default '', ip_range varchar(256), primary key (realm,ip_range))",
@@ -287,42 +286,6 @@ static int sqlite_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key)
 	return ret;
 }
 
-static int sqlite_get_user_pwd(u08bits *usname, password_t pwd)
-{
-	int ret = -1;
-	char statement[TURN_LONG_STRING_SIZE];
-	sqlite3_stmt *st = NULL;
-	int rc = 0;
-	snprintf(statement, sizeof(statement), "select password from turnusers_st where name='%s'", usname);
-
-	sqlite3 *sqliteconnection = get_sqlite_connection();
-	if (sqliteconnection) {
-
-		sqlite_lock(0);
-
-		if ((rc = sqlite3_prepare(sqliteconnection, statement, -1, &st, 0)) == SQLITE_OK) {
-			int res = sqlite3_step(st);
-			if (res == SQLITE_ROW) {
-				const char *kval = (const char*) sqlite3_column_text(st, 0);
-				if (kval) {
-					strncpy((char*) pwd, kval, sizeof(password_t));
-					ret = 0;
-				} else {
-					TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong password data for user %s: NULL\n", usname);
-				}
-			}
-		} else {
-			const char* errmsg = sqlite3_errmsg(sqliteconnection);
-			TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving SQLite DB information: %s\n", errmsg);
-		}
-
-		sqlite3_finalize(st);
-
-		sqlite_unlock(0);
-	}
-	return ret;
-}
-
 static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 
 	int ret = -1;
@@ -493,7 +456,7 @@ static int sqlite_set_oauth_key(oauth_key_data_raw *key)
 	return ret;
 }
 
-static int sqlite_set_user_pwd(u08bits *usname, password_t pwd)
+static int sqlite_del_user(u08bits *usname, u08bits *realm)
 {
 	int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
@@ -504,40 +467,7 @@ static int sqlite_set_user_pwd(u08bits *usname, password_t pwd)
 
 	sqlite3 *sqliteconnection = get_sqlite_connection();
 	if (sqliteconnection) {
-		snprintf(statement, sizeof(statement), "insert or replace into turnusers_st values('%s','%s')", usname, pwd);
-
-		sqlite_lock(1);
-
-		if ((rc = sqlite3_prepare(sqliteconnection, statement, -1, &st, 0)) == SQLITE_OK) {
-			sqlite3_step(st);
-			ret = 0;
-		} else {
-			const char* errmsg = sqlite3_errmsg(sqliteconnection);
-			TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Error retrieving SQLite DB information: %s\n", errmsg);
-		}
-		sqlite3_finalize(st);
-
-		sqlite_unlock(1);
-	}
-	return ret;
-}
-
-static int sqlite_del_user(u08bits *usname, int is_st, u08bits *realm)
-{
-	int ret = -1;
-	char statement[TURN_LONG_STRING_SIZE];
-	sqlite3_stmt *st = NULL;
-	int rc = 0;
-
-	donot_print_connection_success=1;
-
-	sqlite3 *sqliteconnection = get_sqlite_connection();
-	if (sqliteconnection) {
-		if (is_st) {
-			snprintf(statement, sizeof(statement), "delete from turnusers_st where name='%s'", usname);
-		} else {
-			snprintf(statement, sizeof(statement), "delete from turnusers_lt where name='%s' and realm='%s'", usname, realm);
-		}
+		snprintf(statement, sizeof(statement), "delete from turnusers_lt where name='%s' and realm='%s'", usname, realm);
 
 		sqlite_lock(1);
 
@@ -586,7 +516,7 @@ static int sqlite_del_oauth_key(const u08bits *kid)
 }
 
 
-static int sqlite_list_users(int is_st, u08bits *realm)
+static int sqlite_list_users(u08bits *realm)
 {
 	int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
@@ -597,9 +527,7 @@ static int sqlite_list_users(int is_st, u08bits *realm)
 
 	sqlite3 *sqliteconnection = get_sqlite_connection();
 	if (sqliteconnection) {
-		if (is_st) {
-			snprintf(statement, sizeof(statement), "select name,'' from turnusers_st order by name");
-		} else if (realm && realm[0]) {
+		if (realm && realm[0]) {
 			snprintf(statement, sizeof(statement), "select name,realm from turnusers_lt where realm='%s' order by name", realm);
 		} else {
 			snprintf(statement, sizeof(statement), "select name,realm from turnusers_lt order by name");
@@ -1259,9 +1187,7 @@ static int sqlite_list_admin_users(void)
 static const turn_dbdriver_t driver = {
   &sqlite_get_auth_secrets,
   &sqlite_get_user_key,
-  &sqlite_get_user_pwd,
   &sqlite_set_user_key,
-  &sqlite_set_user_pwd,
   &sqlite_del_user,
   &sqlite_list_users,
   &sqlite_show_secret,
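Review bot: `sqlite_del_user` now keeps the body that previously belonged to `sqlite_set_user_pwd`; the old `sqlite_del_user` set `donot_print_connection_success=1;` before fetching the connection, and whether the surviving body still does is not visible in the hunk, so a delete may now print the connection-success message — worth confirming. Also, removing the `turnusers_st` line from `init_sqlite_database` only affects freshly initialised databases; existing turndb files keep that table and the plaintext passwords it held, so the upgrade notes should tell operators to remove it, e.g. `DROP TABLE IF EXISTS turnusers_st;`.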

+ 2 - 4
src/apps/relay/dbdrivers/dbdriver.h

@@ -50,11 +50,9 @@ extern pthread_once_t connection_key_once;
 typedef struct _turn_dbdriver_t {
   int (*get_auth_secrets)(secrets_list_t *sl, u08bits *realm);
   int (*get_user_key)(u08bits *usname, u08bits *realm, hmackey_t key);
-  int (*get_user_pwd)(u08bits *usname, password_t pwd);
   int (*set_user_key)(u08bits *usname, u08bits *realm, const char *key);
-  int (*set_user_pwd)(u08bits *usname, password_t pwd);
-  int (*del_user)(u08bits *usname, int is_st, u08bits *realm);
-  int (*list_users)(int is_st, u08bits *realm);
+  int (*del_user)(u08bits *usname, u08bits *realm);
+  int (*list_users)(u08bits *realm);
   int (*show_secret)(u08bits *realm);
   int (*del_secret)(u08bits *secret, u08bits *realm);
   int (*set_secret)(u08bits *secret, u08bits *realm);
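Review bot: Removing `get_user_pwd` and `set_user_pwd` from the middle of `_turn_dbdriver_t` shifts every later member, and the drivers fill the struct with positional initializers, so a driver that missed the update would still compile with its functions silently bound to the wrong slots. Designated initializers in the driver tables (`.del_user = &mysql_del_user,`) would make such removals safe to apply. A one-line comment on `del_user` and `list_users` stating that they now operate only on long-term users (`turnusers_lt`) would also help the next reader.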

+ 18 - 45
src/apps/relay/mainrelay.c

@@ -33,7 +33,6 @@
 ////// TEMPORARY data //////////
 
 static int use_lt_credentials = 0;
-static int use_st_credentials = 0;
 static int anon_credentials = 0;
 
 ////// TURNDB //////////////
@@ -414,10 +413,9 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " -o, --daemon					Start process as daemon (detach from current shell).\n"
 " -f, --fingerprint				Use fingerprints in the TURN messages.\n"
 " -a, --lt-cred-mech				Use the long-term credential mechanism.\n"
-" -A, --st-cred-mech				Use the short-term credential mechanism.\n"
 " -z, --no-auth					Do not use any credential mechanism, allow anonymous access.\n"
 " -u, --user			<user:pwd>	User account, in form 'username:password', for long-term credentials.\n"
-"						Cannot be used with TURN REST API or with short-term credentials.\n"
+"						Cannot be used with TURN REST API.\n"
 " -r, --realm			<realm>		The default realm to be used for the users when no explicit\n"
 "						origin/realm relationship was found in the database.\n"
 "						Must be used with long-term credentials \n"
@@ -445,7 +443,7 @@ static char Usage[] = "Usage: turnserver [options]\n"
 #endif
 #if !defined(TURN_NO_PQ)
 " -e, --psql-userdb, --sql-userdb <conn-string>	PostgreSQL database connection string, if used (default - empty, no PostreSQL DB used).\n"
-"		                                This database can be used for long-term and short-term credentials mechanisms,\n"
+"		                                This database can be used for long-term credentials mechanism users,\n"
 "		                                and it can store the secret value(s) for secret-based timed authentication in TURN RESP API.\n"
 "						See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL\n"
 "						versions format, see \n"
@@ -454,7 +452,7 @@ static char Usage[] = "Usage: turnserver [options]\n"
 #endif
 #if !defined(TURN_NO_MYSQL)
 " -M, --mysql-userdb	<connection-string>	MySQL database connection string, if used (default - empty, no MySQL DB used).\n"
-"	                                	This database can be used for long-term and short-term credentials mechanisms,\n"
+"	                                	This database can be used for long-term credentials mechanism users,\n"
 "		                                and it can store the secret value(s) for secret-based timed authentication in TURN RESP API.\n"
 "						The connection string my be space-separated list of parameters:\n"
 "	        	          		\"host=<ip-addr> dbname=<database-name> user=<database-user> \\\n								password=<database-user-password> port=<db-port> connect_timeout=<seconds>\".\n\n"
@@ -466,12 +464,12 @@ static char Usage[] = "Usage: turnserver [options]\n"
 #endif
 #if !defined(TURN_NO_MONGO)
 " -J, --mongo-userdb	<connection-string>	MongoDB connection string, if used (default - empty, no MongoDB used).\n"
-"	                                	This database can be used for long-term and short-term credentials mechanisms,\n"
+"	                                	This database can be used for long-term credentials mechanism users,\n"
 "		                                and it can store the secret value(s) for secret-based timed authentication in TURN RESP API.\n"
 #endif
 #if !defined(TURN_NO_HIREDIS)
 " -N, --redis-userdb	<connection-string>	Redis user database connection string, if used (default - empty, no Redis DB used).\n"
-"	                                	This database can be used for long-term and short-term credentials mechanisms,\n"
+"	                                	This database can be used for long-term credentials mechanism users,\n"
 "		                                and it can store the secret value(s) for secret-based timed authentication in TURN RESP API.\n"
 "						The connection string my be space-separated list of parameters:\n"
 "	        	          		\"host=<ip-addr> dbname=<db-number> \\\n								password=<database-user-password> port=<db-port> connect_timeout=<seconds>\".\n\n"
@@ -601,11 +599,11 @@ static char AdminUsage[] = "Usage: turnadmin [command] [options]\n"
 	"\nCommands:\n\n"
 	"	-k, --key			generate long-term credential mechanism key for a user\n"
 	"	-a, --add			add/update a long-term mechanism user\n"
-	"	-A, --add-st			add/update a short-term mechanism user\n"
+	"	-A, --add-admin			add/update a web admin user\n"
 	"	-d, --delete			delete a long-term mechanism user\n"
-	"	-D, --delete-st			delete a short-term mechanism user\n"
+	"	-D, --delete-admin		delete an admin user\n"
 	"	-l, --list			list all long-term mechanism users\n"
-	"	-L, --list-st			list all short-term mechanism users\n"
+	"	-L, --list-admin		list all admin users\n"
 	"	-s, --set-secret=<value>	Add shared secret for TURN RESP API\n"
 	"	-S, --show-secret		Show stored shared secrets for TURN REST API\n"
 	"	-X, --delete-secret=<value>	Delete a shared secret\n"
@@ -746,7 +744,6 @@ static const struct myoption long_options[] = {
 				{ "min-port", required_argument, NULL, MIN_PORT_OPT },
 				{ "max-port", required_argument, NULL, MAX_PORT_OPT },
 				{ "lt-cred-mech", optional_argument, NULL, 'a' },
-				{ "st-cred-mech", optional_argument, NULL, 'A' },
 				{ "no-auth", optional_argument, NULL, 'z' },
 				{ "user", required_argument, NULL, 'u' },
 #if !defined(TURN_NO_SQLITE)
@@ -840,13 +837,13 @@ static const struct myoption admin_long_options[] = {
 				{ "add", no_argument, NULL, 'a' },
 				{ "delete", no_argument, NULL, 'd' },
 				{ "list", no_argument, NULL, 'l' },
-				{ "list-st", no_argument, NULL, 'L' },
+				{ "list-admin", no_argument, NULL, 'L' },
 				{ "set-secret", required_argument, NULL, 's' },
 				{ "show-secret", no_argument, NULL, 'S' },
 				{ "delete-secret", required_argument, NULL, 'X' },
 				{ "delete-all-secrets", no_argument, NULL, DEL_ALL_AUTH_SECRETS_OPT },
-				{ "add-st", no_argument, NULL, 'A' },
-				{ "delete-st", no_argument, NULL, 'D' },
+				{ "add-admin", no_argument, NULL, 'A' },
+				{ "delete-admin", no_argument, NULL, 'D' },
 #if !defined(TURN_NO_SQLITE)
 				{ "userdb", required_argument, NULL, 'b' },
 				{ "db", required_argument, NULL, 'b' },
@@ -1119,15 +1116,6 @@ static void set_option(int c, char *value)
 			use_lt_credentials=0;
 		}
 		break;
-	case 'A':
-		if (get_bool_value(value)) {
-			turn_params.ct = TURN_CREDENTIALS_SHORT_TERM;
-			use_st_credentials=1;
-		} else {
-			turn_params.ct = TURN_CREDENTIALS_UNDEFINED;
-			use_st_credentials=0;
-		}
-		break;
 	case 'z':
 		if (!get_bool_value(value)) {
 			turn_params.ct = TURN_CREDENTIALS_UNDEFINED;
@@ -1430,7 +1418,8 @@ static int adminmain(int argc, char **argv)
 	int c = 0;
 
 	TURNADMIN_COMMAND_TYPE ct = TA_COMMAND_UNKNOWN;
-	int is_st = 0;
+
+	int is_admin = 0;
 
 	u08bits user[STUN_MAX_USERNAME_SIZE+1]="";
 	u08bits realm[STUN_MAX_REALM_SIZE+1]="";
@@ -1482,18 +1471,18 @@ static int adminmain(int argc, char **argv)
 			break;
 		case 'A':
 			ct = TA_UPDATE_USER;
-			is_st = 1;
+			is_admin = 1;
 			break;
 		case 'D':
 			ct = TA_DELETE_USER;
-			is_st = 1;
+			is_admin = 1;
 			break;
 		case 'l':
 			ct = TA_LIST_USERS;
 			break;
 		case 'L':
 			ct = TA_LIST_USERS;
-			is_st = 1;
+			is_admin = 1;
 			break;
 		case 's':
 			ct = TA_SET_SECRET;
@@ -1596,7 +1585,7 @@ static int adminmain(int argc, char **argv)
 		exit(-1);
 	}
 
-	return adminuser(user, realm, pwd, secret, origin, ct, is_st, &po);
+	return adminuser(user, realm, pwd, secret, origin, ct, &po);
 }
 
 static void print_features(unsigned long mfn)
@@ -1895,17 +1884,7 @@ int main(int argc, char **argv)
 		exit(-1);
 	}
 
-	if(use_st_credentials && anon_credentials) {
-		TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: -A and -z options cannot be used together.\n");
-		exit(-1);
-	}
-
-	if(use_lt_credentials && use_st_credentials) {
-		TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: -a and -A options cannot be used together.\n");
-		exit(-1);
-	}
-
-	if(!use_lt_credentials && !anon_credentials && !use_st_credentials) {
+	if(!use_lt_credentials && !anon_credentials) {
 		if(turn_params.default_users_db.ram_db.users_number) {
 			TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "\nCONFIGURATION ALERT: you specified long-term user accounts, (-u option) \n	but you did not specify the long-term credentials option\n	(-a or --lt-cred-mech option).\n 	I am turning --lt-cred-mech ON for you, but double-check your configuration.\n");
 			turn_params.ct = TURN_CREDENTIALS_LONG_TERM;
@@ -1927,15 +1906,9 @@ int main(int argc, char **argv)
 			TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "\nCONFIGURATION ALERT: you specified user accounts, (-u option) \n	but you also specified the anonymous user access option (-z or --no-auth option).\n 	User accounts will be ignored.\n");
 			turn_params.ct = TURN_CREDENTIALS_NONE;
 			use_lt_credentials=0;
-			use_st_credentials=0;
 		}
 	}
 
-	if(turn_params.use_auth_secret_with_timestamp && use_st_credentials) {
-		TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIGURATION ERROR: Authentication secret (REST API) cannot be used with short-term credentials mechanism.\n");
-		exit(-1);
-	}
-
 	openssl_setup();
 
 	int local_listeners = 0;
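Review bot: In `adminmain`, `is_admin` is set for `-A`, `-D` and `-L` but within the visible hunks is never read, and the `adminuser()` call at the end of the function no longer receives such a flag, so unless it is consumed somewhere outside these hunks the admin commands behave exactly like `-a`, `-d` and `-l`. The short letters `-A`, `-D` and `-L` are also reused with a new meaning rather than retired: an existing script invoking `turnadmin -A` to add a short-term user would now silently create or update a different kind of account instead of failing. A note in the usage text or ChangeLog that these letters changed meaning would reduce that surprise.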

+ 1 - 11
src/apps/relay/netengine.c

@@ -402,17 +402,7 @@ static void auth_server_receive_message(struct bufferevent *bev, void *ptr)
       continue;
     }
     
-    if(am.ct == TURN_CREDENTIALS_SHORT_TERM) {
-      password_t pwd;
-      am.in_oauth = 0;
-      am.out_oauth = 0;
-      if(get_user_pwd(am.username,pwd)<0) {
-    	  am.success = 0;
-      } else {
-    	  ns_bcopy(pwd,am.pwd,sizeof(password_t));
-    	  am.success = 1;
-      }
-    } else {
+    {
       hmackey_t key;
       if(get_user_key(am.in_oauth,&(am.out_oauth),&(am.max_session_time),am.username,am.realm,key,am.in_buffer.nbh)<0) {
     	  am.success = 0;
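Review bot: The `else` of the removed short-term branch survives as a bare `{` block in `auth_server_receive_message`; the braces should go and the body be dedented, since the scope no longer serves a purpose. If the `TURN_CREDENTIALS_SHORT_TERM` value still exists in the enum after the ns_turn_defs.h change, a message arriving with that `ct` now goes through `get_user_key` rather than being rejected — worth confirming that the value was removed or that no caller can set it. The function starts before the hunk.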

+ 0 - 2
src/apps/relay/turn_admin_server.c

@@ -832,8 +832,6 @@ static void cli_print_configuration(struct cli_session* cs)
 			cli_print_str(cs,cs->origin,"CLI session origin",0);
 		if(turn_params.ct == TURN_CREDENTIALS_LONG_TERM)
 			cli_print_flag(cs,1,"Long-term authorization mechanism",0);
-		else if(turn_params.ct == TURN_CREDENTIALS_SHORT_TERM)
-			cli_print_flag(cs,1,"Short-term authorization mechanism",0);
 		else
 			cli_print_flag(cs,1,"Anonymous credentials",0);
 		cli_print_flag(cs,turn_params.use_auth_secret_with_timestamp,"TURN REST API support",0);

+ 12 - 36
src/apps/relay/userdb.c

@@ -643,21 +643,6 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u
 	return ret;
 }
 
-/*
- * Short-term mechanism password retrieval
- */
-int get_user_pwd(u08bits *usname, password_t pwd)
-{
-	int ret = -1;
-
-	const turn_dbdriver_t * dbd = get_dbdriver();
-	if (dbd && dbd->get_user_pwd) {
-		ret = (*dbd->get_user_pwd)(usname, pwd);
-	}
-
-	return ret;
-}
-
 u08bits *start_user_check(turnserver_id id, turn_credential_type ct, int in_oauth, int *out_oauth, u08bits *usname, u08bits *realm, get_username_resume_cb resume, ioa_net_data *in_buffer, u64bits ctxkey, int *postpone_reply)
 {
 	*postpone_reply = 1;
@@ -790,11 +775,11 @@ int add_user_account(char *user, int dynamic)
 
 ////////////////// Admin /////////////////////////
 
-static int list_users(int is_st, u08bits *realm)
+static int list_users(u08bits *realm)
 {
   const turn_dbdriver_t * dbd = get_dbdriver();
   if (dbd && dbd->list_users) {
-    (*dbd->list_users)(is_st, realm);
+    (*dbd->list_users)(realm);
   }
 
   return 0;
@@ -910,15 +895,17 @@ static int list_realm_options(u08bits *realm)
 	return 0;
 }
 
-int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08bits *origin, TURNADMIN_COMMAND_TYPE ct, int is_st, perf_options_t *po)
+int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08bits *origin, TURNADMIN_COMMAND_TYPE ct, perf_options_t *po)
 {
 	hmackey_t key;
 	char skey[sizeof(hmackey_t) * 2 + 1];
 
 	password_t passwd;
 
+	STRCPY(passwd,pwd);
+
 	if (ct == TA_LIST_USERS) {
-		return list_users(is_st, realm);
+		return list_users(realm);
 	}
 
 	if (ct == TA_LIST_ORIGINS) {
@@ -967,9 +954,7 @@ int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08b
 
 		must_set_admin_pwd(pwd);
 
-		if (is_st) {
-			strncpy((char*) passwd, (char*) pwd, sizeof(password_t));
-		} else {
+		{
 			stun_produce_integrity_key_str(user, realm, pwd, key, turn_params.shatype);
 			size_t i = 0;
 			size_t sz = get_hmackey_size(turn_params.shatype);
@@ -988,27 +973,18 @@ int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08b
 
 	if (ct == TA_PRINT_KEY) {
 
-		if (!is_st) {
-			printf("0x%s\n", skey);
-		}
+		printf("0x%s\n", skey);
 
 	} else if (dbd) {
 
-		if (!is_st) {
-			must_set_admin_realm(realm);
-		}
+		must_set_admin_realm(realm);
 
 		if (ct == TA_DELETE_USER) {
 			if (dbd->del_user)
-				(*dbd->del_user)(user, is_st, realm);
+				(*dbd->del_user)(user, realm);
 		} else if (ct == TA_UPDATE_USER) {
-			if (is_st) {
-				if (dbd->set_user_pwd)
-					(*dbd->set_user_pwd)(user, passwd);
-			} else {
-				if (dbd->set_user_key)
-					(*dbd->set_user_key)(user, realm, skey);
-			}
+			if (dbd->set_user_key)
+				(*dbd->set_user_key)(user, realm, skey);
 		}
 
 	}
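Review bot: In `adminuser`, `STRCPY(passwd, pwd);` is added unconditionally at the top, but the only read of `passwd` (the short-term branch) is removed in the same function, so within the visible hunks `passwd` is now dead; unless it is used outside these hunks, both the declaration and the copy can go. The copy also runs before the `TA_LIST_USERS` early return, duplicating a password for commands that do not need one. The former `else` braces likewise survive as a bare block around `stun_produce_integrity_key_str` and should be dedented.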

+ 1 - 2
src/apps/relay/userdb.h

@@ -187,7 +187,6 @@ void add_to_secrets_list(secrets_list_t *sl, const char* elem);
 /////////// USER DB CHECK //////////////////
 
 int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *uname, u08bits *realm, hmackey_t key, ioa_network_buffer_handle nbh);
-int get_user_pwd(u08bits *uname, password_t pwd);
 u08bits *start_user_check(turnserver_id id, turn_credential_type ct, int in_oauth, int *out_oauth, u08bits *uname, u08bits *realm, get_username_resume_cb resume, ioa_net_data *in_buffer, u64bits ctxkey, int *postpone_reply);
 int check_new_allocation_quota(u08bits *username, int oauth, u08bits *realm);
 void release_allocation_quota(u08bits *username, int oauth, u08bits *realm);
@@ -201,7 +200,7 @@ void release_allocation_quota(u08bits *username, int oauth, u08bits *realm);
 void auth_ping(redis_context_handle rch);
 void reread_realms(void);
 int add_user_account(char *user, int dynamic);
-int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08bits *origin, TURNADMIN_COMMAND_TYPE ct, int is_st, perf_options_t* po);
+int adminuser(u08bits *user, u08bits *realm, u08bits *pwd, u08bits *secret, u08bits *origin, TURNADMIN_COMMAND_TYPE ct, perf_options_t* po);
 
 int add_ip_list_range(const char* range, const char* realm, ip_range_list_t * list);
 ip_range_list_t* get_ip_list(const char *kind);
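Review bot: Removing the `get_user_pwd` prototype leaves nothing in the server that reads the short-term user store, but the commit only stops creating it (the `turnusers_st` table in schema.sql, the mongo index, the `turn/user/<name>/password` redis keys) and ships no DROP or migration step, so an upgraded deployment keeps a table of plaintext passwords that no code path uses any more (the removed testsqldbsetup.sql rows show the values are stored as-is). A short upgrade note telling operators to drop `turnusers_st` and the equivalent mongo/redis entries would close that gap. The new `adminuser` prototype would also benefit from a one-line comment on its argument contract, e.g. `/* pwd must point at a valid buffer for every command type: it is copied before the list commands return */`, since the userdb.c implementation in this commit now does `STRCPY(passwd,pwd)` ahead of the `TA_LIST_USERS` early return.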

+ 0 - 19
src/apps/uclient/mainuclient.c

@@ -56,7 +56,6 @@ int c2c=0;
 int clnet_verbose=TURN_VERBOSE_NONE;
 int use_tcp=0;
 int use_secure=0;
-int use_short_term=0;
 int hang_on=0;
 ioa_addr peer_addr;
 int no_rtcp = 0;
@@ -125,8 +124,6 @@ static char Usage[] =
   "	-x	IPv6 relay address requested.\n"
   "	-X	IPv4 relay address explicitly requested.\n"
   "	-g	Include DONT_FRAGMENT option.\n"
-  "	-A	Use short-term credentials mechanism. By default, the program uses\n"
-  "		the long-term credentials mechanism if authentication is required.\n"
   "	-D	Mandatory channel padding (like in pjnath).\n"
   "	-N	Negative tests (some limited cases only).\n"
   "	-R	Negative protocol tests.\n"
@@ -219,11 +216,6 @@ int main(int argc, char **argv)
 
 			oauth = 1;
 
-			if(use_short_term) {
-				fprintf(stderr,"Short-term mechanism cannot be used together with oAuth.\n");
-				exit(-1);
-			}
-
 			oauth_key_data okd_array[2];
 			convert_oauth_key_data_raw(&okdr_array[0], &okd_array[0]);
 			convert_oauth_key_data_raw(&okdr_array[1], &okd_array[1]);
@@ -297,13 +289,6 @@ int main(int argc, char **argv)
 		case 'Z':
 			dual_allocation = 1;
 			break;
-		case 'A':
-			if(oauth) {
-				fprintf(stderr,"Short-term mechanism cannot be used together with oAuth.\n");
-				exit(-1);
-			}
-			use_short_term = 1;
-			break;
 		case 'u':
 			STRCPY(g_uname, optarg);
 			break;
@@ -409,10 +394,6 @@ int main(int argc, char **argv)
 
 	if(g_use_auth_secret_with_timestamp) {
 
-		if(use_short_term) {
-			fprintf(stderr,"ERROR: You cannot use authentication secret (REST API) with short-term credentials mechanism.\n");
-			exit(-1);
-		}
 		{
 			char new_uname[1025];
 			const unsigned long exp_time = 3600 * 24; /* one day */

+ 5 - 10
src/apps/uclient/startuclient.c

@@ -448,7 +448,7 @@ static int clnet_allocate(int verbose,
 						allocate_received = 1;
 						allocate_finished = 1;
 
-						if(clnet_info->nonce[0] || use_short_term) {
+						if(clnet_info->nonce[0]) {
 							if(check_integrity(clnet_info, &response_message)<0)
 								return -1;
 						}
@@ -528,16 +528,11 @@ static int clnet_allocate(int verbose,
 						goto beg_allocate;
 					} else if (stun_is_error_response(&response_message, &err_code,err_msg,sizeof(err_msg))) {
 
-						if(err_code == SHA_TOO_WEAK_ERROR_CODE && (clnet_info->shatype == SHATYPE_SHA1) && use_short_term) {
-							clnet_info->shatype = SHATYPE_SHA256;
-							goto beg_allocate;
-						}
-
 						allocate_received = 1;
 
 						if(err_code == 300) {
 
-							if(clnet_info->nonce[0] || use_short_term) {
+							if(clnet_info->nonce[0]) {
 								if(check_integrity(clnet_info, &response_message)<0)
 									return -1;
 							}
@@ -797,7 +792,7 @@ static int turn_channel_bind(int verbose, uint16_t *chn,
 
 					cb_received = 1;
 
-					if(clnet_info->nonce[0] || use_short_term) {
+					if(clnet_info->nonce[0]) {
 						if(check_integrity(clnet_info, &response_message)<0)
 							return -1;
 					}
@@ -906,7 +901,7 @@ static int turn_create_permission(int verbose, app_ur_conn_info *clnet_info,
 
 					cp_received = 1;
 
-					if(clnet_info->nonce[0] || use_short_term) {
+					if(clnet_info->nonce[0]) {
 						if(check_integrity(clnet_info, &response_message)<0)
 							return -1;
 					}
@@ -1481,7 +1476,7 @@ static int turn_tcp_connection_bind(int verbose, app_ur_conn_info *clnet_info, a
 				u08bits err_msg[129];
 				if (stun_is_success_response(&response_message)) {
 
-					if(clnet_info->nonce[0] || use_short_term) {
+					if(clnet_info->nonce[0]) {
 						if(check_integrity(clnet_info, &response_message)<0)
 							return -1;
 					}
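Review bot: The guard `if(clnet_info->nonce[0]) { if(check_integrity(clnet_info, &response_message)<0) return -1; }` is now the identical three lines in all five hunks of this file (clnet_allocate twice, turn_channel_bind, turn_create_permission, turn_tcp_connection_bind) and again in uclient.c's client_read; a small helper such as `static int verify_response_integrity(app_ur_conn_info *ci, stun_buffer *msg)` with the same -1/0 result would make the policy readable and changeable in one place. Dropping `|| use_short_term` also means a success response that arrives before any nonce is known is never integrity-checked; that is presumably inherent to long-term credentials (the nonce comes with the first challenge), but a one-line comment at the first occurrence stating it would save the next reader from re-deriving it. All enclosing functions start and end outside these hunks.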

+ 2 - 19
src/apps/uclient/uclient.c

@@ -678,12 +678,6 @@ static int client_read(app_ur_session *elem, int is_tcp_data, app_tcp_conn_info
 		   }
 		} else if (stun_is_indication(&(elem->in_buffer))) {
 
-			if(use_short_term) {
-
-				if(check_integrity(&(elem->pinfo), &(elem->in_buffer))<0)
-					return -1;
-			}
-
 			uint16_t method = stun_get_method(&elem->in_buffer);
 
 			if((method == STUN_METHOD_CONNECTION_ATTEMPT)&& is_TCP_relay()) {
@@ -733,7 +727,7 @@ static int client_read(app_ur_session *elem, int is_tcp_data, app_tcp_conn_info
 
 		} else if (stun_is_success_response(&(elem->in_buffer))) {
 
-			if(elem->pinfo.nonce[0] || use_short_term) {
+			if(elem->pinfo.nonce[0]) {
 				if(check_integrity(&(elem->pinfo), &(elem->in_buffer))<0)
 					return -1;
 			}
@@ -908,10 +902,6 @@ static int client_write(app_ur_session *elem) {
     if(dont_fragment)
 	    stun_attr_add(&(elem->out_buffer), STUN_ATTRIBUTE_DONT_FRAGMENT, NULL, 0);
 
-    if (use_short_term) {
-	    if(add_integrity(&(elem->pinfo), &(elem->out_buffer))<0) return -1;
-    }
-
     if(use_fingerprints)
 	    stun_attr_add_fingerprint_str(elem->out_buffer.buf,(size_t*)&(elem->out_buffer.len));
   }
@@ -1590,19 +1580,12 @@ void start_mclient(const char *remote_address, int port,
 
 turn_credential_type get_turn_credentials_type(void)
 {
-	if(use_short_term)
-		return TURN_CREDENTIALS_SHORT_TERM;
 	return TURN_CREDENTIALS_LONG_TERM;
 }
 
 int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
 {
-	if(use_short_term) {
-		if(stun_attr_add_integrity_by_user_short_term_str(message->buf, (size_t*)&(message->len), g_uname, g_upwd, clnet_info->shatype)<0) {
-			TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO," Cannot add integrity to the message\n");
-			return -1;
-		}
-	} else if(clnet_info->nonce[0]) {
+	if(clnet_info->nonce[0]) {
 
 		if(oauth && clnet_info->oauth) {
 
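Review bot: `get_turn_credentials_type` now unconditionally returns `TURN_CREDENTIALS_LONG_TERM`, which reads like an unfinished refactor without a comment; `/* Only the long-term credentials mechanism remains in the client. */` above the return makes the intent explicit, and callers that branch on the result could be simplified in a follow-up. In `add_integrity`, the removed branch was the only path that added MESSAGE-INTEGRITY without a nonce, so a message sent before a nonce is known now goes out unauthenticated by design; a comment on the `if(clnet_info->nonce[0])` guard saying so would help. add_integrity's body continues outside the hunk.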

+ 0 - 1
src/apps/uclient/uclient.h

@@ -53,7 +53,6 @@ extern int do_not_use_channel;
 extern int clnet_verbose;
 extern int use_tcp;
 extern int use_secure;
-extern int use_short_term;
 extern char cert_file[1025];
 extern char pkey_file[1025];
 extern int hang_on;

+ 0 - 3
src/client/ns_turn_msg.h

@@ -63,9 +63,6 @@ typedef enum {
  */
 typedef u08bits hmackey_t[64];
 
-/**
- * Short-term credentials password
- */
 typedef u08bits password_t[STUN_MAX_PWD_SIZE+1];
 typedef unsigned int band_limit_t;
 

+ 2 - 2
src/ns_turn_defs.h

@@ -31,8 +31,8 @@
 #ifndef __IOADEFS__
 #define __IOADEFS__
 
-#define TURN_SERVER_VERSION "4.3.4.1"
-#define TURN_SERVER_VERSION_NAME "Tolomei"
+#define TURN_SERVER_VERSION "4.4.1.1"
+#define TURN_SERVER_VERSION_NAME "Carlot dan Eider"
 #define TURN_SOFTWARE "Coturn-" TURN_SERVER_VERSION " '" TURN_SERVER_VERSION_NAME "'"
 
 #if (defined(__unix__) || defined(unix)) && !defined(USG)

+ 7 - 43
src/server/ns_turn_server.c

@@ -2148,13 +2148,6 @@ static void tcp_peer_accept_connection(ioa_socket_handle s, void *arg)
 			ioa_network_buffer_set_size(nbh, len);
 		}
 
-		/* We add integrity for short-term indication messages, only */
-		if(server->ct == TURN_CREDENTIALS_SHORT_TERM)
-		{
-			stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,server->shatype);
-			ioa_network_buffer_set_size(nbh,len);
-		}
-
 		if ((server->fingerprint) || ss->enforce_fingerprints) {
 			size_t len = ioa_network_buffer_get_size(nbh);
 			stun_attr_add_fingerprint_str(ioa_network_buffer_data(nbh), &len);
@@ -3118,8 +3111,6 @@ static int need_stun_authentication(turn_turnserver *server, ts_ur_super_session
 		switch(server->ct) {
 		case TURN_CREDENTIALS_LONG_TERM:
 			return 1;
-		case TURN_CREDENTIALS_SHORT_TERM:
-			return 1;
 		default:
 			;
 		};
@@ -3252,11 +3243,7 @@ static int check_stun_auth(turn_turnserver *server,
 	if(!sar) {
 		*err_code = 401;
 		*reason = (const u08bits*)"Unauthorised";
-		if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
-			return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
-		} else {
-			return -1;
-		}
+		return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
 	}
 
 	{
@@ -3280,7 +3267,7 @@ static int check_stun_auth(turn_turnserver *server,
 		};
 	}
 
-	if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
+	{
 
 		/* REALM ATTR: */
 
@@ -3351,7 +3338,7 @@ static int check_stun_auth(turn_turnserver *server,
 		set_realm_hash(ss->client_socket,(u08bits*)ss->realm_options.name);
 	}
 
-	if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
+	{
 		/* NONCE ATTR: */
 
 		sar = stun_attr_get_first_by_type_str(ioa_network_buffer_data(in_buffer->nbh),
@@ -3391,18 +3378,14 @@ static int check_stun_auth(turn_turnserver *server,
 				return 0;
 			}
 		}
-		/* we always return NULL for short-term credentials here */
+
 		/* direct user pattern is supported only for long-term credentials */
 		TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
 				"%s: Cannot find credentials of user <%s>\n",
 				__FUNCTION__, (char*)usname);
 		*err_code = 401;
 		*reason = (const u08bits*)"Unauthorised";
-		if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
-			return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
-		} else {
-			return -1;
-		}
+		return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
 	}
 
 	/* Check integrity */
@@ -3420,11 +3403,7 @@ static int check_stun_auth(turn_turnserver *server,
 									__FUNCTION__, (char*)usname);
 					*err_code = SHA_TOO_WEAK_ERROR_CODE;
 					*reason = (const u08bits*)"Unauthorised: weak SHA function is used";
-					if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
-						return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
-					} else {
-						return -1;
-					}
+					return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
 		}
 
 		if(can_resume) {
@@ -3439,11 +3418,7 @@ static int check_stun_auth(turn_turnserver *server,
 				__FUNCTION__, (char*)usname);
 		*err_code = 401;
 		*reason = (const u08bits*)"Unauthorised";
-		if(server->ct != TURN_CREDENTIALS_SHORT_TERM) {
-			return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
-		} else {
-			return -1;
-		}
+		return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
 	}
 
 	*message_integrity = 1;
@@ -3792,10 +3767,6 @@ static int handle_turn_command(turn_turnserver *server, ts_ur_super_session *ss,
 		no_response = 1;
 		int postpone = 0;
 
-		if(server->ct == TURN_CREDENTIALS_SHORT_TERM) {
-			check_stun_auth(server, ss, &tid, resp_constructed, &err_code, &reason, in_buffer, nbh, method, &message_integrity, &postpone, can_resume);
-		}
-
 		if (!postpone && !err_code) {
 
 			switch (method){
@@ -4734,13 +4705,6 @@ static void peer_input_handler(ioa_socket_handle s, int event_type,
 					ioa_network_buffer_set_size(nbh, len);
 				}
 
-				/* We add integrity for short-term indication messages, only */
-				if(server->ct == TURN_CREDENTIALS_SHORT_TERM)
-				{
-					stun_attr_add_integrity_str(server->ct,ioa_network_buffer_data(nbh),&len,ss->hmackey,ss->pwd,server->shatype);
-					ioa_network_buffer_set_size(nbh,len);
-				}
-
 				if ((server->fingerprint) || ss->enforce_fingerprints) {
 					size_t len = ioa_network_buffer_get_size(nbh);
 					stun_attr_add_fingerprint_str(ioa_network_buffer_data(nbh), &len);
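Review bot: The comment `/* direct user pattern is supported only for long-term credentials */` in check_stun_auth is now stale — long-term is the only mechanism left after this commit — and the deleted short-term comment above it leaves a bare empty line; shortening it to `/* direct user pattern */` avoids hinting at a mechanism that no longer exists. The `if(server->ct != TURN_CREDENTIALS_SHORT_TERM)` conditions around the REALM and NONCE attribute sections were replaced by anonymous `{` blocks rather than flattened, so the extra indentation still suggests a condition; dedenting them in a follow-up would help readers, and `need_stun_authentication` is left with a `switch(server->ct)` holding a single `case TURN_CREDENTIALS_LONG_TERM` that could be an `if`. check_stun_auth and the other enclosing functions start and end outside these hunks.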

+ 0 - 1
turndb/schema.mongo.sh

@@ -5,7 +5,6 @@ mongo $* <<EOF
 use coturn;
 
 db.turnusers_lt.ensureIndex({ realm: 1, name: 1 }, { unique: 1 });
-db.turnusers_st.ensureIndex({ name: 1 }, { unique: 1 });
 db.turn_secret.ensureIndex({ realm: 1 }, { unique: 1 });
 db.realm.ensureIndex({ realm: 1 }, { unique: 1 });
 db.oauth_key.ensureIndex({ kid: 1 }, {unique: 1 });

+ 0 - 5
turndb/schema.sql

@@ -6,11 +6,6 @@ CREATE TABLE turnusers_lt (
     PRIMARY KEY (realm,name)
 );
 
-CREATE TABLE turnusers_st (
-    name varchar(512) PRIMARY KEY,
-    password varchar(127)
-);
-
 CREATE TABLE turn_secret (
 	realm varchar(127) default '',
     value varchar(127),

+ 6 - 19
turndb/schema.userdb.redis

@@ -12,12 +12,7 @@ with value "7da2270ccfa49786e0115366d3a3d14d". Alternatively, the password
 may be stored in clear text format. Then the key will be 
 "turn/realm/north.gov/user/gorst/password" and the key will be simply "hero".
 
-2) For the short-term credentials, the passwords are stored always in
-clear text format, with no realm name (because the short-term credentials 
-are not bound to a realm). So, there will be key "turn/user/gorst/password" 
-and the value will be "hero".
-
-3) For the shared secrets (REST API), several key/value pairs 
+2) For the shared secrets (REST API), several key/value pairs 
 may be used (same as in SQL schema). The secrets are stored as members 
 of an unordered set. The name of the set will be 
 "turn/realm/<realm-name>/secret" and the value(s) will be the secret(s).
@@ -26,7 +21,7 @@ then we will have set "turn/realm/north.gov/secret" with values
 "hero1", "hero2" and "hero3". The turnserver will try to use the 
 secrets in arbitrary order.
 
-4) The "white" and "black" peer IP ranges are stored as unordered sets
+3) The "white" and "black" peer IP ranges are stored as unordered sets
 of the following names:  
 "turn/realm/<realm>/allowed-peer-ip" and
 "turn/realm/<realm>/denied-peer-ip".
@@ -38,7 +33,7 @@ The only difference is that the turnserver option values are "static"
 the database records can be dynamically changed 
 and they will be almost immediately "seen" by the turnserver process.
 
-5) For the oAuth authentication, there is a hash structure with the key 
+4) For the oAuth authentication, there is a hash structure with the key 
 "turn/oauth/kid/<kid-value>". The kid structure fields are:
  
 	ikm_key - (optional) base64-encoded key ("input keying material");
@@ -73,11 +68,9 @@ and they will be almost immediately "seen" by the turnserver process.
 		calculated with ikm_key and hkdf_hash_func. The auth_key length 
 		is defined by auth_alg.
 		
-6) admin users (over https interface) are maintained as keys of form:
-"turn/realm/<realm-name>/admin_user/<username>/password" with the password 
-values (for the per-relam admin users), or as keys of form:
-"turn/admin_user/<username>/password" with password values - for the global
-admin users.
+5) admin users (over https interface) are maintained as keys of form:
+"turn/admin_user/<username> with hash members "password" and,
+optionally, "realm".
 
 II. Extra realms data in the database
 
@@ -101,7 +94,6 @@ This example sets user database for:
   * long-term credentials with open passwords and 
   	with default realm "north.gov";
   * TURN REST API with shared secrets "logen", etc;
-  * short-term credentials mechanism, with open passwords;
   * Black and white IP peer lists used.
   * Information how to match ORIGIN field with extra
     realms (if used). If no origin match found
@@ -134,11 +126,6 @@ set turn/realm/crinna.org/user/stranger-come-knocking/password "civilization"
 sadd turn/realm/north.gov/secret "logen" "bloody9"
 sadd turn/realm/crinna.org/secret "north" "library"
 
-set turn/user/ninefingers/password "youhavetoberealistic"
-set turn/user/gorst/password "hero"
-set turn/user/whirrun/password "sword"
-set turn/user/stranger-come-knocking/password "civilization"
-
 set turn/realm/north.gov/max-bps 500000
 set turn/realm/north.gov/total-quota 12000
 set turn/realm/north.gov/user-quota 10000

+ 0 - 6
turndb/testmongosetup.sh

@@ -5,7 +5,6 @@ mongo $* <<EOF
 use coturn;
 
 db.turnusers_lt.ensureIndex({ realm: 1, name: 1 }, { unique: 1 });
-db.turnusers_st.ensureIndex({ name: 1 }, { unique: 1 });
 db.turn_secret.ensureIndex({ realm: 1 }, { unique: 1 });
 db.realm.ensureIndex({ realm: 1 }, { unique: 1 });
 db.oauth_key.ensureIndex({ kid: 1 }, {unique: 1 });
@@ -15,11 +14,6 @@ db.turnusers_lt.insert({ realm: 'north.gov', name: 'gorst', hmackey: '7da2270ccf
 db.turnusers_lt.insert({ realm: 'crinna.org', name: 'whirrun', hmackey: '6972e85e51f36e53b0b61759c5a5219a' });
 db.turnusers_lt.insert({ realm: 'crinna.org', name: 'stranger-come-knocking', hmackey: 'd43cb678560259a1839bff61c19de15e' });
 
-db.turnusers_st.insert({ name: 'ninefingers', password: 'youhavetoberealistic'});
-db.turnusers_st.insert({ name: 'gorst', password: 'hero'});
-db.turnusers_st.insert({ name: 'whirrun', password: 'sword'});
-db.turnusers_st.insert({ name: 'stranger-come-knocking', password: 'civilization'});
-
 db.turn_secret.insert({ realm: 'north.gov', value: 'logen' });
 db.turn_secret.insert({ realm: 'crinna.org', value: 'north' });
 

+ 0 - 11
turndb/testredisdbsetup.sh

@@ -24,17 +24,6 @@ set turn/realm/crinna.org/user/stranger-come-knocking/password "civilization"
 sadd turn/realm/north.gov/secret "logen" "bloody9"
 sadd turn/realm/crinna.org/secret "north" "library"
 
-set turn/user/ninefingers/password "youhavetoberealistic"
-set turn/user/gorst/password "hero"
-
-set turn/user/bethod/password "king-of-north"
-
-set turn/user/whirrun/password "sword"
-set turn/user/stranger-come-knocking/password "civilization"
-
-set turn/realm/north.gov/admin_user/skarling/password "hoodless"
-set turn/admin_user/bayaz/password "magi"
-
 set turn/realm/north.gov/max-bps 500000
 set turn/realm/north.gov/total-quota 12000
 set turn/realm/north.gov/user-quota 10000

+ 0 - 5
turndb/testsqldbsetup.sql

@@ -4,11 +4,6 @@ insert into turnusers_lt (realm, name, hmackey) values('north.gov','gorst','7da2
 insert into turnusers_lt (realm, name, hmackey) values('crinna.org','whirrun','6972e85e51f36e53b0b61759c5a5219a');
 insert into turnusers_lt (realm, name, hmackey) values('crinna.org','stranger-come-knocking','d43cb678560259a1839bff61c19de15e');
 
-insert into turnusers_st (name, password) values('ninefingers','youhavetoberealistic');
-insert into turnusers_st (name, password) values('gorst','hero');
-insert into turnusers_st (name, password) values('whirrun','sword');
-insert into turnusers_st (name, password) values('stranger-come-knocking','civilization');
-
 insert into turn_secret (realm,value) values('north.gov','logen');
 insert into turn_secret (realm,value) values('crinna.org','north');