Merge branch 'mysql-password-encryption'

ChangeLog

@@ -17,6 +17,7 @@ Version 4.5.0.8 'dan Eider':
 	- Update total allocation usage on client shutdown
 	- fix total and user quota mix-up
 	- Fixed typos in postinstall.txt (by Prashanth Rajaram)
+	- MySQL password encryption (by Mustafa Bingül & Erdem Duman)
 
 12/10/2017 Oleg Moskalenko <[email protected]>
 Version 4.5.0.7 'dan Eider':

README.turnadmin

@@ -86,6 +86,8 @@ Only sha256 is supported as the hash function.
 -g, --set-realm-option		Set realm params: max-bps, total-quota, user-quota.
 
 -G, --list-realm-options	List realm params.
+-E, --generate-encrypted-password-aes	Generate and print to the standard output 
+					an encrypted form of password with AES-128
 
 Options with required values:  
 
@@ -103,6 +105,9 @@ Options with required values:
 -u, --user		User name.
 -r, --realm		Realm.
 -p, --password		Password.
+-x, --key-path		Generates a 128 bit key into the given path.
+-f, --file-key-path	Contains a 128 bit key in the given path.
+-v, --verify		Verify a given base64 encrypted type password.
 -o, --origin		Origin
 --max-bps		Set value of realm's max-bps parameter.
 --total-quota	Set value of realm's total-quota parameter.
@@ -158,7 +163,20 @@ $ turnadmin --redis-userdb="<db-connection-string>" -I
 List the origin-to-realm relations in PostgreSQL DB for a single realm:
 
 $ turnadmin --psql-userdb="<db-connection-string>" -I -r <realm>
-
+
+Create new key file for mysql password encryption:
+
+$ turnadmin -E --key-path <key-file>
+
+Create encrypted mysql password:
+
+$ turnadmin -E --file-key-path <key-file> -p <secret>
+
+Verify/decrypt encrypted password:
+
+$ turnadmin --file-key-path <key-file> -v <encrypted>
+
+
 Help:  
 
 $ turnadmin -h

README.turnserver

@@ -120,6 +120,12 @@ User database settings:
 		(see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the 
 		command options description).
 
+--secret-key-file 	If you want to use password as encrpyted in the mysql connection string MySQL encrypted connection, this is key path.
+			This is the file path which contain secret key of aes encryption while using password encryption.
+			This attribute should be use if allow-encoding-with-aes set to 1.
+--allow-encoding-with-aes	If you want to use password as encrpyted in the mysql connection string. Set allow-encoding-with-aes to 1.
+				If you want to use clearteaxt password in the mysql connection string. Set allow-encoding-with-aes to 0.
+				You have to enable secret-key-file attribute above as a key location.
 -J, --mongo-userdb	User database connection string for MongoDB. 
 		This database can be used for long-term credentials mechanism,
 		and it can store the secret value 

examples/etc/turnserver.conf

@@ -276,6 +276,16 @@
 #
 #mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
 
+#If you want to use password as encrpyted in the mysql connection string MySQL encrypted connection, this is key path.
+#This is the file path which contain secret key of aes encryption while using password encryption.
+#This attribute should be use if allow-encoding-with-aes set to 1.
+#secret-key-file=/path/
+
+#If you want to use password as encrpyted in the mysql connection string. Set allow-encoding-with-aes to 1.
+#If you want to use clearteaxt password in the mysql connection string. Set allow-encoding-with-aes to 0.
+#You have to enable secret-key-file attribute above as a key location.
+#allow-encoding-with-aes=1 or 0
+
 # MongoDB database connection string in the case that we are using MongoDB
 # as the user database.
 # This database can be used for long-term credential mechanism

man/man1/turnadmin.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "11 December 2017" "" ""
+.TH TURN 1 "15 August 2018" "" ""
 .SH GENERAL INFORMATION
 
 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage 
@@ -139,6 +139,11 @@ Set realm params: max\-bps, total\-quota, user\-quota.
 List realm params.
 .TP
 .B
+\fB\-E\fP, \fB\-\-generate\-encrypted\-password\-aes\fP
+Generate and print to the standard output 
+an encrypted form of password with AES\-128
+.TP
+.B
 Options with required values:
 .TP
 .B
@@ -180,6 +185,18 @@ Realm.
 Password.
 .TP
 .B
+\fB\-x\fP, \fB\-\-key\-path\fP
+Generates a 128 bit key into the given path.
+.TP
+.B
+\fB\-f\fP, \fB\-\-file\-key\-path\fP
+Contains a 128 bit key in the given path.
+.TP
+.B
+\fB\-v\fP, \fB\-\-verify\fP
+Verify a given base64 encrypted type password.
+.TP
+.B
 \fB\-o\fP, \fB\-\-origin\fP
 Origin
 .TP
@@ -249,6 +266,22 @@ $ \fIturnadmin\fP \fB\-\-redis\-userdb\fP="<db\-connection\-string>" \fB\-I\fP
 List the origin\-to\-realm relations in PostgreSQL DB for a single realm:
 .PP
 $ \fIturnadmin\fP \fB\-\-psql\-userdb\fP="<db\-connection\-string>" \fB\-I\fP \fB\-r\fP <realm>
+.PP
+Create new key file for mysql password encryption:
+.PP
+$ \fIturnadmin\fP \fB\-E\fP \fB\-\-key\-path\fP <key\-file>
+.PP
+Create encrypted mysql password:
+.PP
+$ \fIturnadmin\fP \fB\-E\fP \fB\-\-file\-key\-path\fP <key\-file> \fB\-p\fP <secret>
+.PP
+Verify/decrypt encrypted password:
+.PP
+$ \fIturnadmin\fP \fB\-\-file\-key\-path\fP <key\-file> \fB\-v\fP <encrypted>
+.RE
+.PP
+
+.RS
 .TP
 .B
 Help:

man/man1/turnserver.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "11 December 2017" "" ""
+.TH TURN 1 "15 August 2018" "" ""
 .SH GENERAL INFORMATION
 
 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client 
@@ -180,6 +180,18 @@ command \fIoptions\fP description).
 .RE
 .TP
 .B
+\fB\-\-secret\-key\-file\fP
+If you want to use password as encrpyted in the mysql connection string MySQL encrypted connection, this is key path.
+This is the file path which contain secret key of aes encryption while using password encryption.
+This attribute should be use if allow\-encoding\-with\-aes set to 1.
+.TP
+.B
+\fB\-\-allow\-encoding\-with\-aes\fP
+If you want to use password as encrpyted in the mysql connection string. Set allow\-encoding\-with\-aes to 1.
+If you want to use clearteaxt password in the mysql connection string. Set allow\-encoding\-with\-aes to 0.
+You have to enable secret\-key\-file attribute above as a key location.
+.TP
+.B
 \fB\-J\fP, \fB\-\-mongo\-userdb\fP
 User database connection string for MongoDB. 
 This database can be used for long\-term credentials mechanism,

man/man1/turnutils.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "11 December 2017" "" ""
+.TH TURN 1 "15 August 2018" "" ""
 .SH GENERAL INFORMATION
 
 A set of turnutils_* programs provides some utility functionality to be used

src/apps/relay/dbdrivers/dbd_mysql.c

@@ -35,6 +35,7 @@
 #if !defined(TURN_NO_MYSQL)
 #include <mysql.h>
 
+
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////
 
 static int donot_print_connection_success = 0;
@@ -72,6 +73,33 @@ static void MyconninfoFree(Myconninfo *co) {
 		ns_bzero(co,sizeof(Myconninfo));
 	}
 }
+struct ctr_state state;
+char* decryptPassword(char* in, const unsigned char* mykey){
+
+	char *out;
+	unsigned char iv[8] = {0}; //changed
+	AES_KEY key;
+	unsigned char outdata[256];	//changed
+	AES_set_encrypt_key(mykey, 128, &key);
+	int newTotalSize=decodedTextSize(in);
+	int bytes_to_decode = strlen(in);
+	unsigned char *encryptedText = base64decode(in, bytes_to_decode); //changed
+	char last[1024]="";
+	init_ctr(&state, iv);
+	memset(outdata,'\0', sizeof(outdata));
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	CRYPTO_ctr128_encrypt(encryptedText, outdata, newTotalSize, &key, state.ivec, state.ecount, &state.num,(block128_f)AES_encrypt);
+#else
+	AES_ctr128_encrypt(encryptedText, outdata, newTotalSize, &key, state.ivec, state.ecount, &state.num);
+#endif
+
+	strcat(last,(char*)outdata);
+	out=malloc(sizeof(char)*strlen(last));
+	strcpy(out,last);
+	return out;
+}
+
 
 static Myconninfo *MyconninfoParse(char *userdb, char **errmsg) {
 	Myconninfo *co = (Myconninfo*)turn_malloc(sizeof(Myconninfo));
@@ -234,6 +262,11 @@ static MYSQL *get_mydb_connection(void) {
 				if(co->ca || co->capath || co->cert || co->cipher || co->key) {
 					mysql_ssl_set(mydbconnection, co->key, co->cert, co->ca, co->capath, co->cipher);
 				}
+
+				if(turn_params.allow_encoding){
+					co->password = decryptPassword(co->password, turn_params.secret_key);
+				}
+
 				MYSQL *conn = mysql_real_connect(mydbconnection, co->host, co->user, co->password, co->dbname, co->port, NULL, CLIENT_IGNORE_SIGPIPE);
 				if(!conn) {
 					TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot open MySQL DB connection: <%s>, runtime error\n",pud->userdb);
@@ -245,6 +278,10 @@ static MYSQL *get_mydb_connection(void) {
 					mydbconnection=NULL;
 				} else if(!donot_print_connection_success) {
 					TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "MySQL DB connection success: %s\n",pud->userdb);
+					if(turn_params.allow_encoding)
+					    TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Connection is secure.\n");
+					else
+                        TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Connection is not secure.\n");
 					donot_print_connection_success = 1;
 				}
 			}