Imported Upstream version 4.4.5.3

ChangeLog

@@ -1,9 +1,15 @@
+6/20/2015 Oleg Moskalenko <[email protected]>
+Version 4.4.5.3 'Ardee West':
+	- third-party authorization STUN attributes adjusted according
+		to the values assigned by IANA.
+	- SQL injection security hole fixed.
+	
 5/29/2015 Oleg Moskalenko <[email protected]>
 Version 4.4.5.2 'Ardee West':
 	- dual allocation adjusted according to the new TURN-bis draft;
 	- options sha256, sha384, sha512 retired as non-standard;
 	- third-party authorization (oAuth) updated according to the
-	version 14 of the draft;
+	version 16 of the draft;
 	- C++ compilation fixes;
 	- cosmetic fixes;
 	- fixed binary package for CentOS 7.1;

INSTALL

@@ -751,7 +751,7 @@ The oauth_key table fields meanings are:
 
 	kid: the kid of the key;
 
-	ikm_key - (optional) base64-encoded key ("input keying material");
+	ikm_key - base64-encoded key ("input keying material");
 		
 	timestamp - (optional) the timestamp (in seconds) when the key 
 		lifetime starts;

Makefile.in

@@ -7,7 +7,7 @@ CFLAGS += ${INCFLAGS}
 
 MAKE_DEPS = Makefile
 
-LIBCLIENTTURN_HEADERS = src/ns_turn_defs.h src/client++/TurnMsgLib.h src/client/ns_turn_ioaddr.h src/client/ns_turn_msg.h src/client/ns_turn_msg_defs.h src/client/ns_turn_msg_defs_new.h src/client/ns_turn_msg_addr.h
+LIBCLIENTTURN_HEADERS = src/ns_turn_defs.h src/client++/TurnMsgLib.h src/client/ns_turn_ioaddr.h src/client/ns_turn_msg.h src/client/ns_turn_msg_defs.h src/client/ns_turn_msg_defs_experimental.h src/client/ns_turn_msg_addr.h
 LIBCLIENTTURN_MODS = src/client/ns_turn_ioaddr.c src/client/ns_turn_msg_addr.c src/client/ns_turn_msg.c 
 LIBCLIENTTURN_DEPS = ${LIBCLIENTTURN_HEADERS} ${MAKE_DEPS} 
 LIBCLIENTTURN_OBJS = build/obj/ns_turn_ioaddr.o build/obj/ns_turn_msg_addr.o build/obj/ns_turn_msg.o 

README.turnutils

@@ -49,7 +49,7 @@ It was designed to simulate multiple clients. It uses asynch IO API in
 libevent to handle multiple clients. A client connects to the relay, 
 negotiates the session, and sends multiple (configured number) messages to the server (relay), 
 expecting the same number of replies. The length of the messages is configurable. 
-The message is an arbitrary octet stream, but it can be configured as a string. 
+The message is an arbitrary octet stream. 
 The number of the messages to send is configurable.
 
 Flags:   

man/man1/turnadmin.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "11 April 2015" "" ""
+.TH TURN 1 "15 June 2015" "" ""
 .SH GENERAL INFORMATION
 
 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage 

man/man1/turnserver.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "11 April 2015" "" ""
+.TH TURN 1 "15 June 2015" "" ""
 .SH GENERAL INFORMATION
 
 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client 

man/man1/turnutils.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "11 April 2015" "" ""
+.TH TURN 1 "15 June 2015" "" ""
 .SH GENERAL INFORMATION
 
 A set of turnutils_* programs provides some utility functionality to be used
@@ -59,7 +59,7 @@ It was designed to simulate multiple clients. It uses asynch IO API in
 libevent to handle multiple clients. A client connects to the relay, 
 negotiates the session, and sends multiple (configured number) messages to the server (relay), 
 expecting the same number of replies. The length of the messages is configurable. 
-The message is an arbitrary octet stream, but it can be configured as a string. 
+The message is an arbitrary octet stream. 
 The number of the messages to send is configurable.
 .TP
 .B

rpm/build.settings.sh

@@ -2,7 +2,7 @@
 
 # Common settings script.
 
-TURNVERSION=4.4.5.2
+TURNVERSION=4.4.5.3
 BUILDDIR=~/rpmbuild
 ARCH=`uname -p`
 TURNSERVER_SVN_URL=http://coturn.googlecode.com/svn

rpm/turnserver.spec

@@ -1,5 +1,5 @@
 Name:		turnserver
-Version:	4.4.5.2
+Version:	4.4.5.3
 Release:	0%{dist}
 Summary:	Coturn TURN Server
 
@@ -284,11 +284,13 @@ fi
 %{_includedir}/turn/client/ns_turn_ioaddr.h
 %{_includedir}/turn/client/ns_turn_msg_addr.h
 %{_includedir}/turn/client/ns_turn_msg_defs.h
-%{_includedir}/turn/client/ns_turn_msg_defs_new.h
+%{_includedir}/turn/client/ns_turn_msg_defs_experimental.h
 %{_includedir}/turn/client/ns_turn_msg.h
 %{_includedir}/turn/client/TurnMsgLib.h
 
 %changelog
+* Sat Jun 20 2015 Oleg Moskalenko <[email protected]>
+  - Sync to 4.4.5.3
 * Wed May 29 2015 Oleg Moskalenko <[email protected]>
   - Sync to 4.4.5.2
 * Tue Mar 31 2015 Oleg Moskalenko <[email protected]>

src/apps/common/ns_turn_utils.c

@@ -859,4 +859,30 @@ char *turn_strdup_func(const char* s, const char* function, int line) {
 #endif
 #endif
 
+////////////////////////////////
+
+int is_secure_username(const u08bits *username)
+{
+	int ret = 0;
+	if(username) {
+		unsigned char *s0 = (unsigned char*)turn_strdup((const char*)username);
+		unsigned char *s = s0;
+		while(*s) {
+			*s = (unsigned char)tolower((int)*s);
+			++s;
+		}
+		s = s0;
+		if(strstr((char*)s," ")||strstr((char*)s,"\t")||strstr((char*)s,"'")||strstr((char*)s,"\"")||strstr((char*)s,"\n")||strstr((char*)s,"\r")||strstr((char*)s,"\\")) {
+			;
+		} else if(strstr((char*)s,"union")&&strstr((char*)s,"select")) {
+			;
+		} else {
+			ret = 1;
+		}
+		turn_free(s,strlen((char*)s));
+	}
+	return ret;
+}
+
 //////////////////////////////////////////////////////////////////
+

src/apps/common/ns_turn_utils.h

@@ -78,6 +78,10 @@ void rollover_logfile(void);
 
 ///////////////////////////////////////////////////////
 
+int is_secure_username(const u08bits *username);
+
+///////////////////////////////////////////////////////
+
 #ifdef __cplusplus
 }
 #endif

src/apps/relay/dbdrivers/dbd_mysql.c

@@ -300,6 +300,7 @@ static int mysql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
 	MYSQL * myc = get_mydb_connection();
 	if(myc) {
 		char statement[TURN_LONG_STRING_SIZE];
+		/* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */
 		snprintf(statement,sizeof(statement),"select hmackey from turnusers_lt where name='%s' and realm='%s'",usname,realm);
 		int res = mysql_query(myc, statement);
 		if(res) {
@@ -343,6 +344,7 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 
 	int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
+	/* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */
 	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid);
 
 	MYSQL * myc = get_mydb_connection();

src/apps/relay/dbdrivers/dbd_pgsql.c

@@ -124,6 +124,7 @@ static int pgsql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
 	PGconn * pqc = get_pqdb_connection();
 	if(pqc) {
 		char statement[TURN_LONG_STRING_SIZE];
+		/* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */
 		snprintf(statement,sizeof(statement),"select hmackey from turnusers_lt where name='%s' and realm='%s'",usname,realm);
 		PGresult *res = PQexec(pqc, statement);
 
@@ -158,6 +159,7 @@ static int pgsql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 	int ret = -1;
 
 	char statement[TURN_LONG_STRING_SIZE];
+	/* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */
 	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid);
 
 	PGconn * pqc = get_pqdb_connection();

src/apps/relay/dbdrivers/dbd_sqlite.c

@@ -261,6 +261,7 @@ static int sqlite_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key)
 		char statement[TURN_LONG_STRING_SIZE];
 		sqlite3_stmt *st = NULL;
 		int rc = 0;
+		/* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */
 		snprintf(statement, sizeof(statement), "select hmackey from turnusers_lt where name='%s' and realm='%s'", usname, realm);
 
 		sqlite_lock(0);
@@ -296,6 +297,8 @@ static int sqlite_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 	char statement[TURN_LONG_STRING_SIZE];
 	sqlite3_stmt *st = NULL;
 	int rc = 0;
+
+	/* direct user input eliminated - there is no SQL injection problem (since version 4.4.5.3) */
 	snprintf(statement,sizeof(statement),"select ikm_key,timestamp,lifetime,as_rs_alg from oauth_key where kid='%s'",(const char*)kid);
 
 	sqlite3 *sqliteconnection = get_sqlite_connection();

src/apps/relay/dbdrivers/dbdriver.h

@@ -34,7 +34,7 @@
 
 #include "../userdb.h"
 
-#include "ns_turn_msg_defs_new.h"
+#include "ns_turn_msg_defs.h"
 
 #include <pthread.h>
 

src/apps/relay/mainrelay.c

@@ -1536,6 +1536,10 @@ static int adminmain(int argc, char **argv)
 #endif
 		case 'u':
 			STRCPY(user,optarg);
+			if(!is_secure_username((u08bits*)user)) {
+				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong user name structure or symbols, choose another name: %s\n",user);
+				exit(-1);
+			}
 			if(SASLprep((u08bits*)user)<0) {
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong user name: %s\n",user);
 				exit(-1);

src/client/ns_turn_msg_defs.h

@@ -31,7 +31,7 @@
 #ifndef __LIB_TURN_MSG_DEFS__
 #define __LIB_TURN_MSG_DEFS__
 
-#include "ns_turn_msg_defs_new.h"
+#include "ns_turn_msg_defs_experimental.h"
 
 ///////////////////////////////////////////
 // http://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml
@@ -154,6 +154,119 @@
 #define STUN_ATTRIBUTE_MOBILITY_SUPPORT (0x8000)
 /* <<== Mobility */
 
+/* SHA ==>> */
+
+#define SHA1SIZEBYTES (20)
+#define SHA256SIZEBYTES (32)
+#define SHA384SIZEBYTES (48)
+#define SHA512SIZEBYTES (64)
+
+#define MAXSHASIZE (128)
+
+enum _SHATYPE {
+	SHATYPE_ERROR = -1,
+	SHATYPE_DEFAULT=0,
+	SHATYPE_SHA1=SHATYPE_DEFAULT,
+	SHATYPE_SHA256,
+	SHATYPE_SHA384,
+	SHATYPE_SHA512
+};
+
+typedef enum _SHATYPE SHATYPE;
+
+#define shatype_name(sht) ((sht == SHATYPE_SHA1) ? "SHA1" : ((sht == SHATYPE_SHA256) ? "SHA256" : ((sht == SHATYPE_SHA384) ? "SHA384" : "SHA512")))
+
+/* <<== SHA */
+
+/* OAUTH TOKEN ENC ALG ==> */
+
+enum _ENC_ALG {
+	ENC_ALG_ERROR=-1,
+#if !defined(TURN_NO_GCM)
+	ENC_ALG_DEFAULT=0,
+	A256GCM=ENC_ALG_DEFAULT,
+	A128GCM,
+#endif
+	ENC_ALG_NUM
+};
+
+typedef enum _ENC_ALG ENC_ALG;
+
+/* <<== OAUTH TOKEN ENC ALG */
+
+/**
+ * oAuth struct
+ */
+
+#define STUN_ATTRIBUTE_THIRD_PARTY_AUTHORIZATION (0x802E)
+#define STUN_ATTRIBUTE_OAUTH_ACCESS_TOKEN (0x001B)
+
+#define OAUTH_KID_SIZE (128)
+#define OAUTH_HASH_FUNC_SIZE (64)
+#define OAUTH_ALG_SIZE (64)
+#define OAUTH_KEY_SIZE (256)
+#define OAUTH_GCM_NONCE_SIZE (12)
+#define OAUTH_MAX_NONCE_SIZE (256)
+#define OAUTH_GCM_TAG_SIZE (16)
+#define OAUTH_ENC_ALG_BLOCK_SIZE (16)
+
+#define OAUTH_DEFAULT_LIFETIME (0)
+#define OAUTH_DEFAULT_TIMESTAMP (turn_time())
+
+#define OAUTH_TIME_DELTA (5)
+
+struct _oauth_key_data {
+	char kid[OAUTH_KID_SIZE+1];
+	char ikm_key[OAUTH_KEY_SIZE+1];
+	size_t ikm_key_size;
+	turn_time_t timestamp;
+	turn_time_t lifetime;
+	char as_rs_alg[OAUTH_ALG_SIZE+1];
+};
+
+typedef struct _oauth_key_data oauth_key_data;
+
+struct _oauth_key {
+	char kid[OAUTH_KID_SIZE+1];
+	char ikm_key[OAUTH_KEY_SIZE+1];
+	size_t ikm_key_size;
+	turn_time_t timestamp;
+	turn_time_t lifetime;
+	ENC_ALG as_rs_alg;
+	char as_rs_key[OAUTH_KEY_SIZE+1];
+	size_t as_rs_key_size;
+	char auth_key[OAUTH_KEY_SIZE+1];
+	size_t auth_key_size;
+};
+
+typedef struct _oauth_key oauth_key;
+
+struct _oauth_encrypted_block {
+	uint16_t nonce_length;
+	uint8_t nonce[OAUTH_MAX_NONCE_SIZE];
+	uint16_t key_length;
+	uint8_t mac_key[MAXSHASIZE];
+	uint64_t timestamp;
+	uint32_t lifetime;
+};
+
+typedef struct _oauth_encrypted_block oauth_encrypted_block;
+
+struct _oauth_token {
+	oauth_encrypted_block enc_block;
+};
+
+typedef struct _oauth_token oauth_token;
+
+#define MAX_ENCODED_OAUTH_TOKEN_SIZE (1024)
+
+struct _encoded_oauth_token {
+	char token[MAX_ENCODED_OAUTH_TOKEN_SIZE];
+	size_t size;
+};
+
+typedef struct _encoded_oauth_token encoded_oauth_token;
+
 ////////////////////////////////////////////////
 
 #endif //__LIB_TURN_MSG_DEFS__

src/client/ns_turn_msg_defs_experimental.h

@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2011, 2012, 2013 Citrix Systems
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef __LIB_TURN_MSG_DEFS_NEW__
+#define __LIB_TURN_MSG_DEFS_NEW__
+
+/***** POST-RFC5766 FRESH SPECS ***********/
+
+/* Origin ==>> */
+#define STUN_MAX_ORIGIN_SIZE (127)
+#define STUN_ATTRIBUTE_ORIGIN (0x802F)
+/* <<== Origin */
+
+/* Bandwidth */
+
+#define STUN_ATTRIBUTE_NEW_BANDWIDTH (0x8000 + STUN_ATTRIBUTE_BANDWIDTH)
+
+/* <<== Bandwidth */
+
+////////////// SSODA ///////////////////
+
+#define STUN_ATTRIBUTE_ADDITIONAL_ADDRESS_FAMILY (0x8032)
+#define STUN_ATTRIBUTE_ADDRESS_ERROR_CODE (0x8033)
+
+#endif //__LIB_TURN_MSG_DEFS_NEW__

src/client/ns_turn_msg_defs_new.h

@@ -1,165 +0,0 @@
-/*
- * Copyright (C) 2011, 2012, 2013 Citrix Systems
- *
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef __LIB_TURN_MSG_DEFS_NEW__
-#define __LIB_TURN_MSG_DEFS_NEW__
-
-/***** POST-RFC5766 FRESH SPECS ***********/
-
-/* Origin ==>> */
-#define STUN_MAX_ORIGIN_SIZE (127)
-#define STUN_ATTRIBUTE_ORIGIN (0x802F)
-/* <<== Origin */
-
-/* Bandwidth */
-
-#define STUN_ATTRIBUTE_NEW_BANDWIDTH (0x8000 + STUN_ATTRIBUTE_BANDWIDTH)
-
-/* <<== Bandwidth */
-
-/* SHA ==>> */
-
-#define SHA1SIZEBYTES (20)
-#define SHA256SIZEBYTES (32)
-#define SHA384SIZEBYTES (48)
-#define SHA512SIZEBYTES (64)
-
-#define MAXSHASIZE (128)
-
-enum _SHATYPE {
-	SHATYPE_ERROR = -1,
-	SHATYPE_DEFAULT=0,
-	SHATYPE_SHA1=SHATYPE_DEFAULT,
-	SHATYPE_SHA256,
-	SHATYPE_SHA384,
-	SHATYPE_SHA512
-};
-
-typedef enum _SHATYPE SHATYPE;
-
-#define shatype_name(sht) ((sht == SHATYPE_SHA1) ? "SHA1" : ((sht == SHATYPE_SHA256) ? "SHA256" : ((sht == SHATYPE_SHA384) ? "SHA384" : "SHA512")))
-
-/* <<== SHA */
-
-/* OAUTH TOKEN ENC ALG ==> */
-
-enum _ENC_ALG {
-	ENC_ALG_ERROR=-1,
-#if !defined(TURN_NO_GCM)
-	ENC_ALG_DEFAULT=0,
-	A256GCM=ENC_ALG_DEFAULT,
-	A128GCM,
-#endif
-	ENC_ALG_NUM
-};
-
-typedef enum _ENC_ALG ENC_ALG;
-
-/* <<== OAUTH TOKEN ENC ALG */
-
-/**
- * oAuth struct
- */
-
-#define STUN_ATTRIBUTE_THIRD_PARTY_AUTHORIZATION (0x8031)
-#define STUN_ATTRIBUTE_OAUTH_ACCESS_TOKEN (0x0031)
-
-#define OAUTH_KID_SIZE (128)
-#define OAUTH_HASH_FUNC_SIZE (64)
-#define OAUTH_ALG_SIZE (64)
-#define OAUTH_KEY_SIZE (256)
-#define OAUTH_GCM_NONCE_SIZE (12)
-#define OAUTH_MAX_NONCE_SIZE (256)
-#define OAUTH_GCM_TAG_SIZE (16)
-#define OAUTH_ENC_ALG_BLOCK_SIZE (16)
-
-#define OAUTH_DEFAULT_LIFETIME (0)
-#define OAUTH_DEFAULT_TIMESTAMP (turn_time())
-
-#define OAUTH_TIME_DELTA (5)
-
-struct _oauth_key_data {
-	char kid[OAUTH_KID_SIZE+1];
-	char ikm_key[OAUTH_KEY_SIZE+1];
-	size_t ikm_key_size;
-	turn_time_t timestamp;
-	turn_time_t lifetime;
-	char as_rs_alg[OAUTH_ALG_SIZE+1];
-};
-
-typedef struct _oauth_key_data oauth_key_data;
-
-struct _oauth_key {
-	char kid[OAUTH_KID_SIZE+1];
-	char ikm_key[OAUTH_KEY_SIZE+1];
-	size_t ikm_key_size;
-	turn_time_t timestamp;
-	turn_time_t lifetime;
-	ENC_ALG as_rs_alg;
-	char as_rs_key[OAUTH_KEY_SIZE+1];
-	size_t as_rs_key_size;
-	char auth_key[OAUTH_KEY_SIZE+1];
-	size_t auth_key_size;
-};
-
-typedef struct _oauth_key oauth_key;
-
-struct _oauth_encrypted_block {
-	uint16_t nonce_length;
-	uint8_t nonce[OAUTH_MAX_NONCE_SIZE];
-	uint16_t key_length;
-	uint8_t mac_key[MAXSHASIZE];
-	uint64_t timestamp;
-	uint32_t lifetime;
-};
-
-typedef struct _oauth_encrypted_block oauth_encrypted_block;
-
-struct _oauth_token {
-	oauth_encrypted_block enc_block;
-};
-
-typedef struct _oauth_token oauth_token;
-
-#define MAX_ENCODED_OAUTH_TOKEN_SIZE (1024)
-
-struct _encoded_oauth_token {
-	char token[MAX_ENCODED_OAUTH_TOKEN_SIZE];
-	size_t size;
-};
-
-typedef struct _encoded_oauth_token encoded_oauth_token;
-
-////////////// SSODA ///////////////////
-
-#define STUN_ATTRIBUTE_ADDITIONAL_ADDRESS_FAMILY (0x8032)
-#define STUN_ATTRIBUTE_ADDRESS_ERROR_CODE (0x8033)
-
-#endif //__LIB_TURN_MSG_DEFS_NEW__

src/ns_turn_defs.h

@@ -31,7 +31,7 @@
 #ifndef __IOADEFS__
 #define __IOADEFS__
 
-#define TURN_SERVER_VERSION "4.4.5.2"
+#define TURN_SERVER_VERSION "4.4.5.3"
 #define TURN_SERVER_VERSION_NAME "Ardee West"
 #define TURN_SOFTWARE "Coturn-" TURN_SERVER_VERSION " '" TURN_SERVER_VERSION_NAME "'"
 

src/server/ns_turn_server.c

@@ -1015,6 +1015,12 @@ static int handle_turn_allocate(turn_turnserver *server,
 					}
 					ns_bcopy(value,username,ulen);
 					username[ulen]=0;
+					if(!is_secure_username(username)) {
+						TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: wrong username: %s\n", __FUNCTION__, (char*)username);
+						username[0]=0;
+						*err_code = 400;
+						break;
+					}
 				}
 			}
 
@@ -3338,7 +3344,12 @@ static int check_stun_auth(turn_turnserver *server,
 	ns_bcopy(stun_attr_get_value(sar),usname,alen);
 	usname[alen]=0;
 
-	if(ss->username[0]) {
+	if(!is_secure_username(usname)) {
+		TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: wrong username: %s\n", __FUNCTION__, (char*)usname);
+		usname[0]=0;
+		*err_code = 400;
+		return -1;
+	} else if(ss->username[0]) {
 		if(strcmp((char*)ss->username,(char*)usname)) {
 			if(ss->oauth) {
 				ss->hmackey_set = 0;