
Add support for raw public keys (Rfc 7250) (#1458)

Resolves #1456

---------

Co-authored-by: nmegdanov <[email protected]>
Nikolayshcx 1 year ago
parent
commit
eb3af26867

+ 4 - 0
README.turnserver

@@ -483,6 +483,10 @@ Options with values:
 			are specified, then this parameter is not needed.
 			Default value is turn_server_pkey.pem.
 
+--raw-public-keys        Raw public keys support.
+            On/off switch for RFC-7250 aka raw public keys.
+            Coturn must be built against openSSL version at least 3.2.1
+
 --pkey-pwd		If the private key file is encrypted, then this password to be used.
 
 --cipher-list		Allowed OpenSSL cipher list for TLS/DTLS connections.

+ 7 - 0
docker/coturn/turnserver.conf

@@ -465,6 +465,13 @@ cert=/etc/ssl/certs/cert.pem
 #
 pkey=/etc/ssl/private/privkey.pem
 
+# Raw public keys support.
+# On/off switch for RFC-7250 aka raw public keys.
+# Keep in mind, in order for rpks to work,
+# coturn must be built against openSSL version at least 3.2.1
+#
+#raw-public-keys
+
 # Private key file password, if it is in encoded format.
 # This option has no default value.
 #

+ 7 - 0
examples/etc/turnserver.conf

@@ -480,6 +480,13 @@
 #
 #pkey=/usr/local/etc/turn_server_pkey.pem
 
+# Raw public keys support.
+# On/off switch for RFC-7250 aka raw public keys.
+# Keep in mind, in order for rpks to work,
+# coturn must be built against openSSL version at least 3.2.1
+#
+#raw-public-keys
+
 # Private key file password, if it is in encoded format.
 # This option has no default value.
 #

+ 18 - 0
src/apps/relay/mainrelay.c

@@ -95,6 +95,7 @@ turn_params_t turn_params = {
     "",                     /*ca_cert_file*/
     "turn_server_cert.pem", /*cert_file*/
     "turn_server_pkey.pem", /*pkey_file*/
+    false,                  /*rpk_enabled*/
     "",                     /*tls_password*/
     "",                     /*dh_file*/
 
@@ -1412,6 +1413,7 @@ enum EXTRA_OPTS {
   ALT_PORT_OPT,
   ALT_TLS_PORT_OPT,
   CERT_FILE_OPT,
+  RPK_ENABLED_OPT,
   PKEY_FILE_OPT,
   PKEY_PWD_OPT,
   MIN_PORT_OPT,
@@ -1577,6 +1579,7 @@ static const struct myoption long_options[] = {
     {"stun-only", optional_argument, NULL, 'S'},
     {"no-stun", optional_argument, NULL, NO_STUN_OPT},
     {"cert", required_argument, NULL, CERT_FILE_OPT},
+    {"raw-public-keys", optional_argument, NULL, RPK_ENABLED_OPT},
     {"pkey", required_argument, NULL, PKEY_FILE_OPT},
     {"pkey-pwd", required_argument, NULL, PKEY_PWD_OPT},
     {"log-file", required_argument, NULL, 'l'},
@@ -2278,6 +2281,9 @@ static void set_option(int c, char *value) {
   case CERT_FILE_OPT:
     STRCPY(turn_params.cert_file, value);
     break;
+  case RPK_ENABLED_OPT:
+    turn_params.rpk_enabled = get_bool_value(value);
+    break;
   case CA_FILE_OPT:
     STRCPY(turn_params.ca_cert_file, value);
     break;
@@ -3826,6 +3832,18 @@ static void set_ctx(SSL_CTX **out, const char *protocol, const SSL_METHOD *metho
     SSL_CTX_free(*out);
     *out = ctx;
   }
+
+
+#if OPENSSL_VERSION_NUMBER >= 0x30200010L
+  if (turn_params.rpk_enabled) {
+    unsigned char cert_type = TLSEXT_cert_type_rpk;
+    if (!SSL_CTX_set1_server_cert_type(ctx, &cert_type, 1)) {
+      TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Could not enable raw public keys functionality (RFC7250)\n");
+    } else {
+      TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Raw Public Keys (RFC7250) enabled!\n");
+    }
+  }
+#endif
 }
 
 static void openssl_load_certificates(void);
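Review bot: When `raw-public-keys` is enabled but the binary is built against an OpenSSL older than 3.2.1, the `#if OPENSSL_VERSION_NUMBER >= 0x30200010L` guard in set_ctx drops the whole block silently, so the operator sees neither the INFO line nor any sign that the option was ignored; an `#else` branch would make that misconfiguration visible, e.g. `#else` / `if (turn_params.rpk_enabled) { TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "raw-public-keys requested but OpenSSL >= 3.2.1 is required; option ignored\n"); }`. The call also passes only `TLSEXT_cert_type_rpk` in the server cert-type list; if the intent is to keep X.509-only clients connecting to the same listener, the list may need to include the X.509 type as well — confirm against the SSL_CTX_set1_server_cert_type documentation. `ctx` is produced by the part of set_ctx that lies outside the hunk, so check that no path reaches this block with a NULL `ctx`, which the new call would dereference. set_ctx's body starts outside the hunk.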

+ 2 - 0
src/apps/relay/mainrelay.h

@@ -36,6 +36,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
+#include <stdbool.h>
 
 #include <locale.h>
 
@@ -192,6 +193,7 @@ typedef struct _turn_params_ {
   char ca_cert_file[1025];
   char cert_file[1025];
   char pkey_file[1025];
+  bool rpk_enabled;
   char tls_password[513];
   char dh_file[1025];