
Imported Upstream version 4.5.0.4

Oleg Moskalenko 9 anni fa
parent
commit
7352f1f92d

+ 12 - 1
ChangeLog

@@ -1,8 +1,19 @@
+08/20/2016 Oleg Moskalenko <[email protected]>
+Version 4.5.0.4 'dan Eider':
+	- OpenSSL 1.1.0 support added.
+	- CentOS 7 installation updated.
+	- hiredis and mongo compilation configuration fixed
+	(fix provided by Harsha Bellur).
+	- RPM: Systemd optimization.
+	- REST API option fixed.
+	- Thread creation error handling fixed.
+	- Issue #36 fixed.
+
 11/15/2015 Oleg Moskalenko <[email protected]>
 Version 4.5.0.3 'dan Eider':
 	- SSLv3 support removed. That provides extra security and
 	compatibility with OpenSSL distributions or clones
-	that does not support SSLv3 (like LibreSSL 2.3.0).
+	that do not support SSLv3 (like LibreSSL 2.3.0).
 	This fix is required for fresh FreeBSD and for Debian unstable.
 	- Compilation and configuration cleaning.
 	- Fix for non-interactive shells.

+ 4 - 1
README.turnutils

@@ -139,7 +139,10 @@ Options with required values:
 
 -w      STUN/TURN user password.
 
--W      TURN REST API authentication secret. Is not compatible with -A flag.
+-W       TURN REST API secret. The "plain text" secret e.g. "north"
+	that is stored in the value column of the turn_secret
+	table in the database if dynamic, or the static-auth-secret
+	value set in the configuration file if using static.
 
 -C  	This is the timestamp/username separator symbol (character) in 
 	TURN REST API. The default value is :.

+ 8 - 3
configure

@@ -63,9 +63,14 @@ testlibevent2_comp() {
 }
 
 testhiredis() {
-    HIREDISCFLAGS=
+    for inc in ${INCLUDEDIR}/hiredis /usr/local/include/hiredis /usr/hiredis /usr/include/hiredis
+    do
+        if [ -d ${inc} ] ; then
+            HIREDISCFLAGS="${HIREDISCFLAGS} -I${inc}"
+        fi
+    done
     HIREDISLIBS=-lhiredis
-    ${CC} ${HR_TMPCPROGC} -o ${HR_TMPCPROGB} ${OSCFLAGS} ${DBLIBS} ${HIREDISCFLAGS} ${HIREDISLIBS} 2>>/dev/null
+    ${CC} ${HR_TMPCPROGC} -o ${HR_TMPCPROGB} ${OSCFLAGS} ${DBLIBS} ${HIREDISCFLAGS} ${HIREDISLIBS} ${OSLIBS} 2>>/dev/null
     ER=$?
     if ! [ ${ER} -eq 0 ] ; then
 		${ECHO_CMD}
@@ -142,7 +147,7 @@ testlibmysql() {
 }
 
 testlibmongoc() {
-    for inc in ${PREFIX}/libmongoc-1.0 ${PREFIX}/libbson-1.0 /usr/local/include/libmongoc-1.0 /usr/local/include/libbson-1.0 /usr/libmongoc-1.0 /usr/libbson-1.0 /usr/include/libbson-1.0/ /usr/include/libmongoc-1.0/
+    for inc in ${INCLUDEDIR}/libmongoc-1.0 ${INCLUDEDIR}/libbson-1.0 /usr/local/include/libmongoc-1.0 /usr/local/include/libbson-1.0 /usr/libmongoc-1.0 /usr/libbson-1.0 /usr/include/libbson-1.0/ /usr/include/libmongoc-1.0/
     do
       if [ -d ${inc} ] ; then
         MONGO_CFLAGS="${MONGO_CFLAGS} -I${inc}"
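Review bot: `testhiredis()` no longer resets `HIREDISCFLAGS` before the new `for inc in ...` loop (the old `HIREDISCFLAGS=` line is removed), so any value already in the environment, or left from an earlier run in the same shell, is appended to and passed to `${CC}` unnoticed; restoring `HIREDISCFLAGS=` as the first statement of the function keeps the probe deterministic. The loop also leaves `${INCLUDEDIR}` and `${inc}` unquoted in `[ -d ${inc} ]` and `-I${inc}`, so a prefix containing spaces breaks the test; `[ -d "${inc}" ]` and `-I"${inc}"` avoid that. The same unquoted `${INCLUDEDIR}` substitution is introduced in `testlibmongoc()` in the second hunk. Both functions continue outside the hunks.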

+ 38 - 0
examples/scripts/longtermsecuredb/secure_relay_with_db_psql_test.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+#
+# This is an example how to start a TURN Server in
+# secure mode with Postgres database for users
+# with the long-term credentials mechanism.
+#
+# We start here a TURN Server listening on IPv4 address
+# 127.0.0.1 and on IPv6 address ::1. We use 127.0.0.1 as
+# IPv4 relay address, and we use ::1 as IPv6 relay address.
+#
+# Other options:
+#
+# 1) set bandwidth limit on client session 3000000 bytes per second (--max-bps).
+# 2) use fingerprints (-f)
+# 3) use 3 relay threads (-m 3)
+# 4) use min UDP relay port 32355 and max UDP relay port 65535
+# 5) "-r north.gov" means "use authentication realm north.gov"
+# 6) --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" 
+# means that local database "coturn" will be used, with database user "turn" and database user 
+# password "turn".
+# 7) "--cert=example_turn_server_cert.pem" sets the OpenSSL certificate file name. 
+# 8) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
+# 9) "--log-file=stdout" means that all log output will go to the stdout.
+# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
+# 11) --oauth - support oAuth security dialog
+# Other parameters (config file name, etc) are default.
+
+if [ -d examples ] ; then
+       cd examples
+fi
+
+export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
+export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
+
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@ 
+
+# Newer PostgreSQL style connection string example:
+# PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb=postgresql://turn:turn@/turn --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
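Review bot: The header comment lists item 6, `--psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30"`, as an option this example passes, but the live `turnserver` command line does not pass `--psql-userdb` at all; the option only appears in the commented-out alternative on the last line, so the script as written starts the server without the Postgres user database it claims to demonstrate. The comment also names `example_turn_server_cert.pem`/`example_turn_server_pkey.pem` while the command passes `turn_server_cert.pem`/`turn_server_pkey.pem`. `$@` at the end of the command should be `"$@"` so that extra arguments containing spaces survive word splitting. Either add the `--psql-userdb=...` argument from the comment to the live command or rewrite the comment to match the options actually used.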

+ 1 - 1
man/man1/turnadmin.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "15 November 2015" "" ""
+.TH TURN 1 "29 November 2015" "" ""
 .SH GENERAL INFORMATION
 
 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage 

+ 1 - 1
man/man1/turnserver.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "15 November 2015" "" ""
+.TH TURN 1 "29 November 2015" "" ""
 .SH GENERAL INFORMATION
 
 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client 

+ 5 - 2
man/man1/turnutils.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "15 November 2015" "" ""
+.TH TURN 1 "29 November 2015" "" ""
 .SH GENERAL INFORMATION
 
 A set of turnutils_* programs provides some utility functionality to be used
@@ -229,7 +229,10 @@ STUN/TURN user password.
 .TP
 .B
 \fB\-W\fP
-TURN REST API authentication secret. Is not compatible with \fB\-A\fP flag.
+TURN REST API secret. The "plain text" secret e.g. "north"
+that is stored in the value column of the turn_secret
+table in the database if dynamic, or the static\-auth\-secret
+value set in the configuration file if using static.
 .TP
 .B
 \fB\-C\fP

+ 1 - 1
rpm/CentOS6.pre.build.sh

@@ -90,7 +90,7 @@ cd ${CPWD}
  
 # Platform file
 
-echo "CentOS6.6" > ${BUILDDIR}/platform
+echo "CentOS6.8" > ${BUILDDIR}/platform
 
 cp ${CPWD}/epel6.install.sh ${BUILDDIR}/install.sh
 

+ 1 - 1
rpm/CentOS7.pre.build.sh

@@ -26,7 +26,7 @@ cd ${CPWD}
  
 # Platform file
 
-echo "CentOS7.1" > ${BUILDDIR}/platform
+echo "CentOS7.2" > ${BUILDDIR}/platform
 
 cp ${CPWD}/epel7.install.sh ${BUILDDIR}/install.sh
 

+ 1 - 1
rpm/build.settings.sh

@@ -2,7 +2,7 @@
 
 # Common settings script.
 
-TURNVERSION=4.5.0.3
+TURNVERSION=4.5.0.4
 BUILDDIR=~/rpmbuild
 ARCH=`uname -p`
 TURNSERVER_GIT_URL=https://github.com/coturn/coturn.git

+ 6 - 2
rpm/build.sh

@@ -23,8 +23,12 @@ rm -rf turnserver-${TURNVERSION}
 git clone ${TURNSERVER_GIT_URL} --branch ${TURNVERSION} turnserver-${TURNVERSION}
 ER=$?
 if ! [ ${ER} -eq 0 ] ; then
-    cd ${CPWD}
-    exit -1
+	git clone ${TURNSERVER_GIT_URL} turnserver-${TURNVERSION}
+	ER=$?
+	if ! [ ${ER} -eq 0 ] ; then
+    	cd ${CPWD}
+    	exit -1
+    fi
 fi
 
 tar zcf ${BUILDDIR}/SOURCES/turnserver-${TURNVERSION}.tar.gz turnserver-${TURNVERSION}
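Review bot: The new fallback `git clone ${TURNSERVER_GIT_URL} turnserver-${TURNVERSION}` runs whenever the `--branch ${TURNVERSION}` clone fails, so when the tag is missing the build silently packages the repository's default branch into `turnserver-${TURNVERSION}.tar.gz` under a version it may not correspond to. A message before the fallback, e.g. `echo "Warning: tag ${TURNVERSION} not found, building from the default branch" >&2`, makes the mismatch visible in the build log. The inner block mixes a tab with four spaces (`    	cd ${CPWD}`), and `exit -1` is rejected as an illegal number by some POSIX shells such as dash; `exit 1` is the portable form (the removed lines had the same construct).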

+ 1 - 32
rpm/epel7.install.sh

@@ -1,39 +1,8 @@
 #!/bin/bash
 
-CPWD=`pwd`
-
 # Epel installation script
 
-EPEL=epel-release-7-5.noarch
-EPELRPM=${EPEL}.rpm
-BUILDDIR=~/rpmbuild
-WGETOPTIONS="--no-check-certificate"
-RPMOPTIONS="-ivh --force"
-
-mkdir -p ${BUILDDIR}
-mkdir -p ${BUILDDIR}/RPMS
-
-sudo yum -y install wget
-
-cd ${BUILDDIR}/RPMS
-if ! [ -f ${EPELRPM} ] ; then
-    wget ${WGETOPTIONS} http://download.fedoraproject.org/pub/epel/7/x86_64/e/${EPELRPM}
-    ER=$?
-    if ! [ ${ER} -eq 0 ] ; then
-	cd ${CPWD}
-	exit -1
-    fi
-fi
-
-PACK=${EPELRPM}
-sudo rpm ${RPMOPTIONS} ${PACK}
-ER=$?
-if ! [ ${ER} -eq 0 ] ; then
-    echo "Cannot install package ${PACK}"
-    cd ${CPWD}
-    exit -1
-fi
+sudo yum -y install epel-release
 
-cd ${CPWD}
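Review bot: The exit status of `sudo yum -y install epel-release` is not checked, whereas the removed code exited on a failed package install; whatever runs after this script (not visible here) will proceed with EPEL absent and fail later with a less obvious error. `sudo yum -y install epel-release || exit 1` preserves the old fail-fast behavior.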
 
 

+ 1 - 4
rpm/turnserver.service.fc

@@ -18,10 +18,7 @@ LimitNOFILE=999999
 LimitNPROC=60000
 LimitRTPRIO=infinity
 LimitRTTIME=7000000
-IOSchedulingClass=realtime
-IOSchedulingPriority=2
-CPUSchedulingPolicy=fifo
-CPUSchedulingPriority=1
+CPUSchedulingPolicy=other
 UMask=0007
 
 [Install]
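Review bot: With `CPUSchedulingPolicy=other` and the realtime IO class removed, the `LimitRTPRIO=infinity` and `LimitRTTIME=7000000` lines left as context above no longer serve the unit but still permit the process to raise itself to a realtime priority; dropping them, or setting `LimitRTPRIO=0`, keeps the unit's allowed privileges matched to what it now uses. The rest of the unit is outside the hunk, so keep them if another component relies on realtime scheduling.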

+ 7 - 5
rpm/turnserver.spec

@@ -1,5 +1,5 @@
 Name:		turnserver
-Version:	4.5.0.3
+Version:	4.5.0.4
 Release:	0%{dist}
 Summary:	Coturn TURN Server
 
@@ -290,6 +290,8 @@ fi
 %{_includedir}/turn/client/TurnMsgLib.h
 
 %changelog
+* Sat Aug 20 2016 Oleg Moskalenko <[email protected]>
+  - Sync to 4.5.0.4
 * Sun Oct 11 2015 Oleg Moskalenko <[email protected]>
   - Sync to 4.5.0.3
 * Tue Sep 29 2015 Oleg Moskalenko <[email protected]>
@@ -300,7 +302,7 @@ fi
   - Sync to 4.4.5.4
 * Sat Jun 20 2015 Oleg Moskalenko <[email protected]>
   - Sync to 4.4.5.3
-* Wed May 29 2015 Oleg Moskalenko <[email protected]>
+* Fri May 29 2015 Oleg Moskalenko <[email protected]>
   - Sync to 4.4.5.2
 * Tue Mar 31 2015 Oleg Moskalenko <[email protected]>
   - Sync to 4.4.4.2
@@ -322,11 +324,11 @@ fi
   - Sync to 4.3.2.2
 * Sat Nov 29 2014 Oleg Moskalenko <[email protected]>
   - Sync to 4.3.1.3
-* Mon Nov 23 2014 Oleg Moskalenko <[email protected]>
+* Mon Nov 24 2014 Oleg Moskalenko <[email protected]>
   - Sync to 4.3.1.2
-* Mon Nov 22 2014 Oleg Moskalenko <[email protected]>
+* Sat Nov 22 2014 Oleg Moskalenko <[email protected]>
   - Sync to 4.3.1.1
-* Thu Nov 07 2014 Oleg Moskalenko <[email protected]>
+* Fri Nov 07 2014 Oleg Moskalenko <[email protected]>
   - Sync to 4.2.3.1
 * Sun Oct 26 2014 Oleg Moskalenko <[email protected]>
   - Sync to 4.2.2.2

+ 1 - 1
src/apps/common/apputils.h

@@ -90,7 +90,7 @@ extern int IS_TURN_SERVER;
 
 #endif
 
-#if defined(TURN_NO_DTLS) || !defined(DTLS_CTRL_LISTEN)
+#if defined(TURN_NO_DTLS) || (!defined(DTLS_CTRL_LISTEN) && (OPENSSL_VERSION_NUMBER < 0x10100000L))
 
 	#define DTLS_SUPPORTED 0
 	#define DTLSv1_2_SUPPORTED 0

+ 14 - 5
src/apps/relay/dtls_listener.c

@@ -150,6 +150,8 @@ static int generate_cookie(SSL *ssl, unsigned char *cookie, unsigned int *cookie
   /* Read peer information */
   (void) BIO_dgram_get_peer(SSL_get_wbio(ssl), &peer);
   
+  //TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"%s: family=%u(1)\n",__FUNCTION__,(unsigned)peer.ss.sa_family);
+
   /* Create buffer with peer's address and port */
   length = 0;
   switch (peer.ss.sa_family) {
@@ -171,6 +173,8 @@ static int generate_cookie(SSL *ssl, unsigned char *cookie, unsigned int *cookie
     return 0;
   }
   
+  //TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"%s: family=%u(2)\n",__FUNCTION__,(unsigned)peer.ss.sa_family);
+
   switch (peer.ss.sa_family) {
   case AF_INET:
     memcpy(buffer,
@@ -204,7 +208,11 @@ static int generate_cookie(SSL *ssl, unsigned char *cookie, unsigned int *cookie
   return 1;
 }
 
-static int verify_cookie(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)
+static int verify_cookie(SSL *ssl,
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		const
+#endif
+		unsigned char *cookie, unsigned int cookie_len)
 {
   unsigned int resultlength=0;
   unsigned char result[COOKIE_SECRET_LENGTH];
@@ -212,11 +220,12 @@ static int verify_cookie(SSL *ssl, unsigned char *cookie, unsigned int cookie_le
   generate_cookie(ssl, result, &resultlength);
   
   if (cookie_len == resultlength && memcmp(result, cookie, resultlength) == 0) {
-    //TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"%s: cookies are OK, length=%u\n",__FUNCTION__,cookie_len);
-    return 1;
+	  //TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"%s: cookies are OK, length=%u\n",__FUNCTION__,cookie_len);
+	  return 1;
+  } else {
+	  //TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"%s: cookies are OK, length=%u\n",__FUNCTION__,cookie_len);
+	  return  0;
   }
-  
-  return 0;
 }
 
 /////////////// io handlers ///////////////////
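Review bot: The commented-out log in the new `else` branch of `verify_cookie`, `//TURN_LOG_FUNC(... "%s: cookies are OK, length=%u\n" ...)`, was copied from the match branch and describes the wrong outcome; if it is kept its text should say the cookies do not match, and the two further commented-out `TURN_LOG_FUNC` lines added in `generate_cookie` are dead code better removed or turned into a debug-level log. The restructured `if`/`else` is behaviorally identical to the old early `return 0`, so that part is style only. The comparison the branch reports on, `memcmp(result, cookie, resultlength)`, is context rather than new code, but `CRYPTO_memcmp` is the constant-time comparison OpenSSL provides for authentication cookies and would be the conventional choice there. `generate_cookie` starts outside its hunks.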

+ 2 - 2
src/apps/relay/http_server.c

@@ -168,12 +168,12 @@ static struct http_request* parse_http_request_1(struct http_request* ret, char*
 				}
 
 				const char *path = evhttp_uri_get_path(uri);
-				if(path)
+				if(path && ret)
 					ret->path = strdup(path);
 
 				evhttp_uri_free(uri);
 
-				if(parse_post) {
+				if(parse_post && ret) {
 					char *body = strstr(s+1,"\r\n\r\n");
 					if(body && body[0]) {
 						if(!ret->headers) {
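Review bot: The `&& ret` guards added to `if(path && ret)` and `if(parse_post && ret)` sit in the middle of `parse_http_request_1`, whose start is outside the hunk; if `ret` can be NULL here, any earlier dereference in the function has already crashed, and if it cannot, the guards are dead code. A single check at function entry, or at the call site that passes `ret`, is the clearer place to handle NULL. The `strdup(path)` result is also stored unchecked, so `ret->path` can silently be NULL on allocation failure — presumably tolerated by readers of `path`, worth confirming.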

+ 31 - 9
src/apps/relay/mainrelay.c

@@ -1162,10 +1162,14 @@ static void set_option(int c, char *value)
 #endif
 	case AUTH_SECRET_OPT:
 		turn_params.use_auth_secret_with_timestamp = 1;
+		turn_params.ct = TURN_CREDENTIALS_LONG_TERM;
+		use_lt_credentials = 1;
 		break;
 	case STATIC_AUTH_SECRET_VAL_OPT:
 		add_to_secrets_list(&turn_params.default_users_db.ram_db.static_auth_secrets,value);
 		turn_params.use_auth_secret_with_timestamp = 1;
+		turn_params.ct = TURN_CREDENTIALS_LONG_TERM;
+		use_lt_credentials = 1;
 		break;
 	case AUTH_SECRET_TS_EXP:
 		TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: Option --secret-ts-exp-time deprecated and has no effect.\n");
@@ -1173,11 +1177,11 @@ static void set_option(int c, char *value)
 	case 'r':
 		set_default_realm_name(value);
 		break;
-	case 'q':
+	case 'Q':
 		turn_params.total_quota = (vint)atoi(value);
 		get_realm(NULL)->options.perf_options.user_quota = atoi(value);
 		break;
-	case 'Q':
+	case 'q':
 		turn_params.user_quota = (vint)atoi(value);
 		get_realm(NULL)->options.perf_options.total_quota = atoi(value);
 		break;
@@ -2092,7 +2096,8 @@ static char some_buffer[65536];
 static pthread_mutex_t mutex_buf[256];
 static int mutex_buf_initialized = 0;
 
-static void locking_function(int mode, int n, const char *file, int line) {
+void coturn_locking_function(int mode, int n, const char *file, int line);
+void coturn_locking_function(int mode, int n, const char *file, int line) {
   UNUSED_ARG(file);
   UNUSED_ARG(line);
   if(mutex_buf_initialized && (n < CRYPTO_num_locks())) {
@@ -2104,12 +2109,15 @@ static void locking_function(int mode, int n, const char *file, int line) {
 }
 
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
-static void id_function(CRYPTO_THREADID *ctid)
+void coturn_id_function(CRYPTO_THREADID *ctid);
+void coturn_id_function(CRYPTO_THREADID *ctid)
 {
+	UNUSED_ARG(ctid);
     CRYPTO_THREADID_set_numeric(ctid, (unsigned long)pthread_self());
 }
 #else
-static unsigned long id_function(void)
+unsigned long coturn_id_function(void);
+unsigned long coturn_id_function(void)
 {
     return (unsigned long)pthread_self();
 }
@@ -2132,12 +2140,12 @@ static int THREAD_setup(void) {
 	mutex_buf_initialized = 1;
 
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
-	CRYPTO_THREADID_set_callback(id_function);
+	CRYPTO_THREADID_set_callback(coturn_id_function);
 #else
-	CRYPTO_set_id_callback(id_function);
+	CRYPTO_set_id_callback(coturn_id_function);
 #endif
 
-	CRYPTO_set_locking_callback(locking_function);
+	CRYPTO_set_locking_callback(coturn_locking_function);
 #endif
 
 	return 1;
@@ -2226,9 +2234,9 @@ static void adjust_key_file_names(void)
 	if(turn_params.dh_file[0])
 		adjust_key_file_name(turn_params.dh_file,"DH key",0);
 }
-
 static DH *get_dh566(void) {
 
+
 	unsigned char dh566_p[] = {
 					0x36,0x53,0xA8,0x9C,0x3C,0xF1,0xD1,0x1B,0x2D,0xA2,0x64,0xDE,
 					0x59,0x3B,0xE3,0x8C,0x27,0x74,0xC2,0xBE,0x9B,0x6D,0x56,0xE7,
@@ -2248,9 +2256,13 @@ static DH *get_dh566(void) {
 
 	if ((dh = DH_new()) == NULL )
 		return (NULL );
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	dh->p = BN_bin2bn(dh566_p, sizeof(dh566_p), NULL );
 	dh->g = BN_bin2bn(dh566_g, sizeof(dh566_g), NULL );
 	if ((dh->p == NULL )|| (dh->g == NULL)){ DH_free(dh); return(NULL);}
+#else
+	DH_set0_pqg(dh, BN_bin2bn(dh566_p, sizeof(dh566_p), NULL ), NULL, BN_bin2bn(dh566_g, sizeof(dh566_g), NULL ));
+#endif
 	return (dh);
 }
 
@@ -2282,9 +2294,13 @@ static DH *get_dh1066(void) {
 
 	if ((dh = DH_new()) == NULL )
 		return (NULL );
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	dh->p = BN_bin2bn(dh1066_p, sizeof(dh1066_p), NULL );
 	dh->g = BN_bin2bn(dh1066_g, sizeof(dh1066_g), NULL );
 	if ((dh->p == NULL )|| (dh->g == NULL)){ DH_free(dh); return(NULL);}
+#else
+	DH_set0_pqg(dh, BN_bin2bn(dh1066_p, sizeof(dh1066_p), NULL ), NULL, BN_bin2bn(dh1066_g, sizeof(dh1066_g), NULL ));
+#endif
 	return (dh);
 }
 
@@ -2329,9 +2345,13 @@ static DH *get_dh2066(void) {
 
 	if ((dh = DH_new()) == NULL )
 		return (NULL );
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	dh->p = BN_bin2bn(dh2066_p, sizeof(dh2066_p), NULL );
 	dh->g = BN_bin2bn(dh2066_g, sizeof(dh2066_g), NULL );
 	if ((dh->p == NULL )|| (dh->g == NULL)){ DH_free(dh); return(NULL);}
+#else
+	DH_set0_pqg(dh, BN_bin2bn(dh2066_p, sizeof(dh2066_p), NULL ), NULL, BN_bin2bn(dh2066_g, sizeof(dh2066_g), NULL ));
+#endif
 	return (dh);
 }
 
@@ -2490,7 +2510,9 @@ static void set_ctx(SSL_CTX* ctx, const char *protocol)
 
 		if(set_auto_curve) {
 #if SSL_SESSION_ECDH_AUTO_SUPPORTED
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 			SSL_CTX_set_ecdh_auto(ctx,1);
+#endif
 #endif
 			set_auto_curve = 0;
 		}
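Review bot: The new `#else` branches in `get_dh566`, `get_dh1066` and `get_dh2066` drop the error handling the legacy branch keeps: the two `BN_bin2bn` results and the `DH_set0_pqg` return value are unchecked, so on failure the function returns a `DH` with missing parameters and leaks whichever BIGNUM was allocated. Build the values first and check them, e.g. `BIGNUM *p = BN_bin2bn(dh566_p, sizeof(dh566_p), NULL), *g = BN_bin2bn(dh566_g, sizeof(dh566_g), NULL); if(!p || !g || !DH_set0_pqg(dh, p, NULL, g)) { BN_free(p); BN_free(g); DH_free(dh); return NULL; }` (on success ownership has passed to `dh`). In `set_option`, swapping the `case 'q'`/`case 'Q'` labels leaves each body internally crossed: `'Q'` now writes `turn_params.total_quota` but `perf_options.user_quota` on the default realm, and `'q'` the reverse, so one of the two targets is wrong in each case and the realm assignment should match the `turn_params` field. The added `UNUSED_ARG(ctid);` in `coturn_id_function` is redundant since `ctid` is used on the next line. `set_option` starts outside its hunks.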

+ 8 - 8
src/apps/relay/netengine.c

@@ -1184,7 +1184,7 @@ static void setup_socket_per_endpoint_udp_listener_servers(void)
 			if(turn_params.general_relay_servers_number>1) {
 				++udp_relay_server_index;
 				pthread_t thr;
-				if(pthread_create(&thr, NULL, run_udp_listener_thread, turn_params.listener.aux_udp_services[index][0])<0) {
+				if(pthread_create(&thr, NULL, run_udp_listener_thread, turn_params.listener.aux_udp_services[index][0])) {
 					perror("Cannot create aux listener thread\n");
 					exit(-1);
 				}
@@ -1207,7 +1207,7 @@ static void setup_socket_per_endpoint_udp_listener_servers(void)
 			if(turn_params.general_relay_servers_number>1) {
 				++udp_relay_server_index;
 				pthread_t thr;
-				if(pthread_create(&thr, NULL, run_udp_listener_thread, turn_params.listener.udp_services[index][0])<0) {
+				if(pthread_create(&thr, NULL, run_udp_listener_thread, turn_params.listener.udp_services[index][0])) {
 					perror("Cannot create listener thread\n");
 					exit(-1);
 				}
@@ -1222,7 +1222,7 @@ static void setup_socket_per_endpoint_udp_listener_servers(void)
 				if(turn_params.general_relay_servers_number>1) {
 					++udp_relay_server_index;
 					pthread_t thr;
-					if(pthread_create(&thr, NULL, run_udp_listener_thread, turn_params.listener.udp_services[index+1][0])<0) {
+					if(pthread_create(&thr, NULL, run_udp_listener_thread, turn_params.listener.udp_services[index+1][0])) {
 						perror("Cannot create listener thread\n");
 						exit(-1);
 					}
@@ -1242,7 +1242,7 @@ static void setup_socket_per_endpoint_udp_listener_servers(void)
 			if(turn_params.general_relay_servers_number>1) {
 				++udp_relay_server_index;
 				pthread_t thr;
-				if(pthread_create(&thr, NULL, run_udp_listener_thread, turn_params.listener.dtls_services[index][0])<0) {
+				if(pthread_create(&thr, NULL, run_udp_listener_thread, turn_params.listener.dtls_services[index][0])) {
 					perror("Cannot create listener thread\n");
 					exit(-1);
 				}
@@ -1257,7 +1257,7 @@ static void setup_socket_per_endpoint_udp_listener_servers(void)
 				if(turn_params.general_relay_servers_number>1) {
 					++udp_relay_server_index;
 					pthread_t thr;
-					if(pthread_create(&thr, NULL, run_udp_listener_thread, turn_params.listener.dtls_services[index+1][0])<0) {
+					if(pthread_create(&thr, NULL, run_udp_listener_thread, turn_params.listener.dtls_services[index+1][0])) {
 						perror("Cannot create listener thread\n");
 						exit(-1);
 					}
@@ -1697,7 +1697,7 @@ static void setup_general_relay_servers(void)
 			general_relay_servers[i] = (struct relay_server*)allocate_super_memory_region(sm,sizeof(struct relay_server));
 			general_relay_servers[i]->id = (turnserver_id)i;
 			general_relay_servers[i]->sm = sm;
-			if(pthread_create(&(general_relay_servers[i]->thr), NULL, run_general_relay_thread, general_relay_servers[i])<0) {
+			if(pthread_create(&(general_relay_servers[i]->thr), NULL, run_general_relay_thread, general_relay_servers[i])) {
 				perror("Cannot create relay thread\n");
 				exit(-1);
 			}
@@ -1766,7 +1766,7 @@ static void* run_auth_server_thread(void *arg)
 
 static void setup_auth_server(struct auth_server *as)
 {
-	if(pthread_create(&(as->thr), NULL, run_auth_server_thread, as)<0) {
+	if(pthread_create(&(as->thr), NULL, run_auth_server_thread, as)) {
 		perror("Cannot create auth thread\n");
 		exit(-1);
 	}
@@ -1794,7 +1794,7 @@ static void setup_admin_server(void)
 	adminserver.listen_fd = -1;
 	adminserver.verbose = turn_params.verbose;
 
-	if(pthread_create(&(adminserver.thr), NULL, run_admin_server_thread, &adminserver)<0) {
+	if(pthread_create(&(adminserver.thr), NULL, run_admin_server_thread, &adminserver)) {
 		perror("Cannot create cli thread\n");
 		exit(-1);
 	}
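Review bot: `perror("Cannot create aux listener thread\n")` after the corrected `if(pthread_create(...))` test still reports `errno`, but `pthread_create` returns the error number and does not set `errno`, so the message will describe an unrelated or zero errno; capture the return value and print it, e.g. `int rc = pthread_create(&thr, NULL, run_udp_listener_thread, turn_params.listener.aux_udp_services[index][0]); if(rc) { fprintf(stderr, "Cannot create aux listener thread: %s\n", strerror(rc)); exit(-1); }`. The same applies to every hunk in this section (the listener, relay, auth and cli thread cases). The `\n` inside each `perror` string also yields a stray blank line, since `perror` appends its own newline. All enclosing functions start outside their hunks.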

+ 20 - 9
src/apps/relay/ns_ioalib_engine_impl.c

@@ -1419,6 +1419,7 @@ static void ssl_info_callback(SSL *ssl, int where, int ret) {
     UNUSED_ARG(ssl);
     UNUSED_ARG(where);
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 #if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
     if (0 != (where & SSL_CB_HANDSHAKE_START)) {
     	ioa_socket_handle s = (ioa_socket_handle)SSL_get_app_data(ssl);
@@ -1436,6 +1437,7 @@ static void ssl_info_callback(SSL *ssl, int where, int ret) {
     	}
     }
 #endif
+#endif
 }
 
 typedef void (*ssl_info_callback_t)(const SSL *ssl,int type,int val);
@@ -1856,7 +1858,11 @@ int ssl_read(evutil_socket_t fd, SSL* ssl, ioa_network_buffer_handle nbh, int ve
 	BIO* rbio = BIO_new_mem_buf(buffer, old_buffer_len);
 	BIO_set_mem_eof_return(rbio, -1);
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	ssl->rbio = rbio;
+#else
+	SSL_set0_rbio(ssl,rbio);
+#endif
 
 	int if1 = SSL_is_init_finished(ssl);
 
@@ -1949,7 +1955,11 @@ int ssl_read(evutil_socket_t fd, SSL* ssl, ioa_network_buffer_handle nbh, int ve
 	}
 
 	BIO_free(rbio);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	ssl->rbio = NULL;
+#else
+	SSL_set0_rbio(ssl,NULL);
+#endif
 
 	return ret;
 }
@@ -3313,19 +3323,20 @@ int register_callback_on_ioa_socket(ioa_engine_handle e, ioa_socket_handle s, in
 							return -1;
 						}
 					} else {
+#if TLS_SUPPORTED
 						if(check_tentative_tls(s->fd)) {
 							s->tobeclosed = 1;
 							return -1;
-						} else {
-							s->bev = bufferevent_socket_new(s->e->event_base,
-										s->fd,
-										TURN_BUFFEREVENTS_OPTIONS);
-							debug_ptr_add(s->bev);
-							bufferevent_setcb(s->bev, socket_input_handler_bev, socket_output_handler_bev,
-											eventcb_bev, s);
-							bufferevent_setwatermark(s->bev, EV_READ|EV_WRITE, 0, BUFFEREVENT_HIGH_WATERMARK);
-							bufferevent_enable(s->bev, EV_READ|EV_WRITE); /* Start reading. */
 						}
+#endif
+						s->bev = bufferevent_socket_new(s->e->event_base,
+									s->fd,
+									TURN_BUFFEREVENTS_OPTIONS);
+						debug_ptr_add(s->bev);
+						bufferevent_setcb(s->bev, socket_input_handler_bev, socket_output_handler_bev,
+										eventcb_bev, s);
+						bufferevent_setwatermark(s->bev, EV_READ|EV_WRITE, 0, BUFFEREVENT_HIGH_WATERMARK);
+						bufferevent_enable(s->bev, EV_READ|EV_WRITE); /* Start reading. */
 					}
 					break;
 				case TLS_SCTP_SOCKET:
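Review bot: In `ssl_read` the OpenSSL ≥ 1.1.0 branch installs the temporary BIO with `SSL_set0_rbio(ssl,rbio)`, which transfers ownership of `rbio` to the SSL object and frees whatever read BIO was installed before; the later `BIO_free(rbio);` followed by `SSL_set0_rbio(ssl,NULL);` then frees `rbio` a second time, because `SSL_set0_rbio` frees the BIO it replaces. Under 1.1.0 drop the explicit `BIO_free(rbio)` (keep it only in the `< 0x10100000L` branch) and let `SSL_set0_rbio(ssl,NULL)` release it, and if the SSL object had a read BIO before this call (not visible in the hunk) it has to be re-installed afterwards rather than assumed to survive. Separately, the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` wrapped around the `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` block in `ssl_info_callback` removes the client-renegotiation guard entirely on 1.1.0 builds with nothing in its place; OpenSSL 1.1.0h and later offer `SSL_OP_NO_RENEGOTIATION` on the context as the replacement. Both functions start outside their hunks.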

+ 1 - 0
src/apps/relay/turn_admin_server.c

@@ -3198,6 +3198,7 @@ static void handle_https(ioa_socket_handle s, ioa_network_buffer_handle nbh)
 		struct http_request* hr = parse_http_request((char*)ioa_network_buffer_data(nbh));
 		if(!hr) {
 			TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: wrong HTTPS request (I cannot parse it)\n", __FUNCTION__);
+			write_https_logon_page(s);
 		} else {
 			TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: HTTPS request, path %s\n", __FUNCTION__,hr->path);
 

+ 1 - 1
src/apps/uclient/mainuclient.c

@@ -154,7 +154,7 @@ static char Usage[] =
   "	-z	Per-session packet interval in milliseconds (default is 20 ms).\n"
   "	-u	STUN/TURN user name.\n"
   "	-w	STUN/TURN user password.\n"
-  "	-W	TURN REST API authentication secret. Is not compatible with -A option.\n"
+  "	-W	TURN REST API \"plain text\" secret.\n"
   "	-C	TURN REST API timestamp/username separator symbol (character). The default value is ':'.\n"
   "	-F	<cipher-suite> Cipher suite for TLS/DTLS. Default value is DEFAULT.\n"
   "	-o	<origin> - the ORIGIN STUN attribute value.\n"

+ 1 - 1
src/apps/uclient/uclient.c

@@ -488,7 +488,7 @@ int recv_buffer(app_ur_conn_info *clnet_info, stun_buffer* message, int sync, in
 
 			if (SSL_get_shutdown(ssl))
 				return -1;
-				rc = 0;
+			rc = 0;
 			do {
 				rc = SSL_read(ssl, message->buf, sizeof(message->buf) - 1);
 				if (rc < 0 && errno == EAGAIN && sync)

+ 87 - 21
src/client/ns_turn_msg.c

@@ -176,37 +176,63 @@ int stun_produce_integrity_key_str(u08bits *uname, u08bits *realm, u08bits *upwd
 	str[strl]=0;
 
 	if(shatype == SHATYPE_SHA256) {
-#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
 		unsigned int keylen = 0;
+#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 		EVP_MD_CTX ctx;
 		EVP_DigestInit(&ctx,EVP_sha256());
 		EVP_DigestUpdate(&ctx,str,strl);
 		EVP_DigestFinal(&ctx,key,&keylen);
 		EVP_MD_CTX_cleanup(&ctx);
+#else
+		EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+		EVP_DigestInit(ctx,EVP_sha256());
+		EVP_DigestUpdate(ctx,str,strl);
+		EVP_DigestFinal(ctx,key,&keylen);
+		EVP_MD_CTX_free(ctx);
+#endif
 #else
 		fprintf(stderr,"SHA256 is not supported\n");
 		return -1;
 #endif
 	} else if(shatype == SHATYPE_SHA384) {
 #if !defined(OPENSSL_NO_SHA384) && defined(SHA384_DIGEST_LENGTH)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 		unsigned int keylen = 0;
 		EVP_MD_CTX ctx;
 		EVP_DigestInit(&ctx,EVP_sha384());
 		EVP_DigestUpdate(&ctx,str,strl);
 		EVP_DigestFinal(&ctx,key,&keylen);
 		EVP_MD_CTX_cleanup(&ctx);
+#else
+		unsigned int keylen = 0;
+		EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+		EVP_DigestInit(ctx,EVP_sha384());
+		EVP_DigestUpdate(ctx,str,strl);
+		EVP_DigestFinal(ctx,key,&keylen);
+		EVP_MD_CTX_free(ctx);
+#endif
 #else
 		fprintf(stderr,"SHA384 is not supported\n");
 		return -1;
 #endif
 	} else if(shatype == SHATYPE_SHA512) {
 #if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 		unsigned int keylen = 0;
 		EVP_MD_CTX ctx;
 		EVP_DigestInit(&ctx,EVP_sha512());
 		EVP_DigestUpdate(&ctx,str,strl);
 		EVP_DigestFinal(&ctx,key,&keylen);
 		EVP_MD_CTX_cleanup(&ctx);
+#else
+		unsigned int keylen = 0;
+		EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+		EVP_DigestInit(ctx,EVP_sha512());
+		EVP_DigestUpdate(ctx,str,strl);
+		EVP_DigestFinal(ctx,key,&keylen);
+		EVP_MD_CTX_free(ctx);
+#endif
 #else
 		fprintf(stderr,"SHA512 is not supported\n");
 		return -1;
@@ -253,6 +279,7 @@ static void generate_enc_password(const char* pwd, char *result, const unsigned
 	result[3+PWD_SALT_SIZE+PWD_SALT_SIZE]='$';
 	unsigned char* out = (unsigned char*)(result+3+PWD_SALT_SIZE+PWD_SALT_SIZE+1);
 	{
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 		EVP_MD_CTX ctx;
 #if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
 		EVP_DigestInit(&ctx,EVP_sha256());
@@ -268,6 +295,23 @@ static void generate_enc_password(const char* pwd, char *result, const unsigned
 			readable_string(hash,out,keylen);
 		}
 		EVP_MD_CTX_cleanup(&ctx);
+#else
+		EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
+		EVP_DigestInit(ctx,EVP_sha256());
+#else
+		EVP_DigestInit(ctx,EVP_sha1());
+#endif
+		EVP_DigestUpdate(ctx,salt,PWD_SALT_SIZE);
+		EVP_DigestUpdate(ctx,pwd,strlen(pwd));
+		{
+			unsigned char hash[129];
+			unsigned int keylen = 0;
+			EVP_DigestFinal(ctx,hash,&keylen);
+			readable_string(hash,out,keylen);
+		}
+		EVP_MD_CTX_free(ctx);
+#endif
 	}
 }
 
@@ -2400,21 +2444,26 @@ static int encode_oauth_token_gcm(const u08bits *server_name, encoded_oauth_toke
 		if(!cipher)
 			return -1;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 		EVP_CIPHER_CTX ctx;
-		EVP_CIPHER_CTX_init(&ctx);
+		EVP_CIPHER_CTX *ctxp = &ctx;
+#else
+		EVP_CIPHER_CTX *ctxp = EVP_CIPHER_CTX_new();
+#endif
+		EVP_CIPHER_CTX_init(ctxp);
 
 		/* Initialize the encryption operation. */
-		if(1 != EVP_EncryptInit_ex(&ctx, cipher, NULL, NULL, NULL))
+		if(1 != EVP_EncryptInit_ex(ctxp, cipher, NULL, NULL, NULL))
 			return -1;
 
-		EVP_CIPHER_CTX_set_padding(&ctx,1);
+		EVP_CIPHER_CTX_set_padding(ctxp,1);
 
 		/* Set IV length if default 12 bytes (96 bits) is not appropriate */
-		if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, OAUTH_GCM_NONCE_SIZE, NULL))
+		if(1 != EVP_CIPHER_CTX_ctrl(ctxp, EVP_CTRL_GCM_SET_IVLEN, OAUTH_GCM_NONCE_SIZE, NULL))
 			return -1;
 
 		/* Initialize key and IV */
-		if(1 != EVP_EncryptInit_ex(&ctx, NULL, NULL, (const unsigned char *)key->as_rs_key, nonce))
+		if(1 != EVP_EncryptInit_ex(ctxp, NULL, NULL, (const unsigned char *)key->as_rs_key, nonce))
 			return -1;
 
 		int outl=0;
@@ -2423,7 +2472,7 @@ static int encode_oauth_token_gcm(const u08bits *server_name, encoded_oauth_toke
 		/* Provide any AAD data. This can be called zero or more times as
 		 * required
 		 */
-		if(1 != my_EVP_EncryptUpdate(&ctx, NULL, &outl, server_name, (int)sn_len))
+		if(1 != my_EVP_EncryptUpdate(ctxp, NULL, &outl, server_name, (int)sn_len))
 			return -1;
 
 		outl=0;
@@ -2433,19 +2482,23 @@ static int encode_oauth_token_gcm(const u08bits *server_name, encoded_oauth_toke
 		unsigned char *start_field = orig_field + OAUTH_GCM_NONCE_SIZE + 2;
 		len -= OAUTH_GCM_NONCE_SIZE + 2;
 
-		if(1 != my_EVP_EncryptUpdate(&ctx, encoded_field, &outl, start_field, (int)len))
+		if(1 != my_EVP_EncryptUpdate(ctxp, encoded_field, &outl, start_field, (int)len))
 			return -1;
 
 		int tmp_outl = 0;
-		EVP_EncryptFinal_ex(&ctx, encoded_field + outl, &tmp_outl);
+		EVP_EncryptFinal_ex(ctxp, encoded_field + outl, &tmp_outl);
 		outl += tmp_outl;
 
-		EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, OAUTH_GCM_TAG_SIZE, encoded_field + outl);
+		EVP_CIPHER_CTX_ctrl(ctxp, EVP_CTRL_GCM_GET_TAG, OAUTH_GCM_TAG_SIZE, encoded_field + outl);
 		outl += OAUTH_GCM_TAG_SIZE;
 
 		etoken->size = 2 + OAUTH_GCM_NONCE_SIZE + outl;
 
-		EVP_CIPHER_CTX_cleanup(&ctx);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+		EVP_CIPHER_CTX_cleanup(ctxp);
+#else
+		EVP_CIPHER_CTX_free(ctxp);
+#endif
 
 		return 0;
 	}
@@ -2483,10 +2536,15 @@ static int decode_oauth_token_gcm(const u08bits *server_name, const encoded_oaut
 			return -1;
 		}
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 		EVP_CIPHER_CTX ctx;
-		EVP_CIPHER_CTX_init(&ctx);
+		EVP_CIPHER_CTX *ctxp = &ctx;
+#else
+		EVP_CIPHER_CTX *ctxp = EVP_CIPHER_CTX_new();
+#endif
+		EVP_CIPHER_CTX_init(ctxp);
 		/* Initialize the decryption operation. */
-		if(1 != EVP_DecryptInit_ex(&ctx, cipher, NULL, NULL, NULL)) {
+		if(1 != EVP_DecryptInit_ex(ctxp, cipher, NULL, NULL, NULL)) {
 			OAUTH_ERROR("%s: Cannot initialize decryption\n",__FUNCTION__);
 			return -1;
 		}
@@ -2494,20 +2552,20 @@ static int decode_oauth_token_gcm(const u08bits *server_name, const encoded_oaut
 		//EVP_CIPHER_CTX_set_padding(&ctx,1);
 
 		/* Set IV length if default 12 bytes (96 bits) is not appropriate */
-		if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, nonce_len, NULL)) {
+		if(1 != EVP_CIPHER_CTX_ctrl(ctxp, EVP_CTRL_GCM_SET_IVLEN, nonce_len, NULL)) {
 			OAUTH_ERROR("%s: Cannot set nonce length\n",__FUNCTION__);
 			return -1;
 		}
 
 		/* Initialize key and IV */
-		if(1 != EVP_DecryptInit_ex(&ctx, NULL, NULL, (const unsigned char *)key->as_rs_key, nonce)) {
+		if(1 != EVP_DecryptInit_ex(ctxp, NULL, NULL, (const unsigned char *)key->as_rs_key, nonce)) {
 			OAUTH_ERROR("%s: Cannot set nonce\n",__FUNCTION__);
 			return -1;
 		}
 
 		/* Set expected tag value. A restriction in OpenSSL 1.0.1c and earlier
 		  +         * required the tag before any AAD or ciphertext */
-		EVP_CIPHER_CTX_ctrl (&ctx, EVP_CTRL_GCM_SET_TAG, OAUTH_GCM_TAG_SIZE, tag);
+		EVP_CIPHER_CTX_ctrl (ctxp, EVP_CTRL_GCM_SET_TAG, OAUTH_GCM_TAG_SIZE, tag);
 
 		int outl=0;
 		size_t sn_len = strlen((const char*)server_name);
@@ -2515,24 +2573,32 @@ static int decode_oauth_token_gcm(const u08bits *server_name, const encoded_oaut
 		/* Provide any AAD data. This can be called zero or more times as
 		 * required
 		 */
-		if(1 != my_EVP_DecryptUpdate(&ctx, NULL, &outl, server_name, (int)sn_len)) {
+		if(1 != my_EVP_DecryptUpdate(ctxp, NULL, &outl, server_name, (int)sn_len)) {
 			OAUTH_ERROR("%s: Cannot decrypt update server_name: %s, len=%d\n",__FUNCTION__,server_name,(int)sn_len);
 			return -1;
 		}
-		if(1 != my_EVP_DecryptUpdate(&ctx, decoded_field, &outl, encoded_field, (int)encoded_field_size)) {
+		if(1 != my_EVP_DecryptUpdate(ctxp, decoded_field, &outl, encoded_field, (int)encoded_field_size)) {
 			OAUTH_ERROR("%s: Cannot decrypt update\n",__FUNCTION__);
 			return -1;
 		}
 
 		int tmp_outl = 0;
-		if(EVP_DecryptFinal_ex(&ctx, decoded_field + outl, &tmp_outl)<1) {
-			EVP_CIPHER_CTX_cleanup(&ctx);
+		if(EVP_DecryptFinal_ex(ctxp, decoded_field + outl, &tmp_outl)<1) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+			EVP_CIPHER_CTX_cleanup(ctxp);
+#else
+			EVP_CIPHER_CTX_free(ctxp);
+#endif
 			OAUTH_ERROR("%s: token integrity check failed\n",__FUNCTION__);
 			return -1;
 		}
 		outl += tmp_outl;
 
-		EVP_CIPHER_CTX_cleanup(&ctx);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+			EVP_CIPHER_CTX_cleanup(ctxp);
+#else
+			EVP_CIPHER_CTX_free(ctxp);
+#endif
 
 		size_t len = 0;
 

+ 1 - 1
src/ns_turn_defs.h

@@ -31,7 +31,7 @@
 #ifndef __IOADEFS__
 #define __IOADEFS__
 
-#define TURN_SERVER_VERSION "4.5.0.3"
+#define TURN_SERVER_VERSION "4.5.0.4"
 #define TURN_SERVER_VERSION_NAME "dan Eider"
 #define TURN_SOFTWARE "Coturn-" TURN_SERVER_VERSION " '" TURN_SERVER_VERSION_NAME "'"