SHA-512 added to oauth

ChangeLog

@@ -1,3 +1,7 @@
+2/2/2015 Oleg Moskalenko <mom040267@gmail.com>
+Version 4.4.1.3 'Ardee West':
+	- SHA-512 added to oAuth;
+	
 2/1/2015 Oleg Moskalenko <mom040267@gmail.com>
 Version 4.4.1.2 'Ardee West':
 	- SSODA updates according to turnbis specs;

INSTALL

@@ -763,7 +763,7 @@ The oauth_key table fields meanings are:
 		is 0 - unlimited lifetime.
 	
 	hkdf_hash_func - (optional) hash function for HKDF procedure; the 
-		valid values are SHA-1 and SHA-256, with SHA-256 as default;
+		valid values are SHA-1, SHA-256 and SHA-512, with SHA-256 as default;
 		The hkdf_hash_func is not needed if the as_rs_key and auth_key 
 		are defined explicitly in the database;
 		
@@ -777,7 +777,7 @@ The oauth_key table fields meanings are:
 		is defined by as_rs_alg.
 		
 	auth_alg - (optional) oAuth token authentication algorithm; the valid values are
-		"HMAC-SHA-256-128", "HMAC-SHA-256" and "HMAC-SHA-1".		  
+		"HMAC-SHA-256-128", "HMAC-SHA-256", "HMAC-SHA-512" and "HMAC-SHA-1".		  
 		The default value is "HMAC-SHA-256-128".
 		
 	auth_key - (optional) base64-encoded AUTH key. If not defined, then 

man/man1/turnadmin.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "31 January 2015" "" ""
+.TH TURN 1 "02 February 2015" "" ""
 .SH GENERAL INFORMATION
 
 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage 

man/man1/turnserver.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "31 January 2015" "" ""
+.TH TURN 1 "02 February 2015" "" ""
 .SH GENERAL INFORMATION
 
 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client 

man/man1/turnutils.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "31 January 2015" "" ""
+.TH TURN 1 "02 February 2015" "" ""
 .SH GENERAL INFORMATION
 
 A set of turnutils_* programs provides some utility functionality to be used

rpm/build.settings.sh

@@ -2,7 +2,7 @@
 
 # Common settings script.
 
-TURNVERSION=4.4.1.2
+TURNVERSION=4.4.1.3
 BUILDDIR=~/rpmbuild
 ARCH=`uname -p`
 TURNSERVER_SVN_URL=http://coturn.googlecode.com/svn

rpm/turnserver.spec

@@ -1,5 +1,5 @@
 Name:		turnserver
-Version:	4.4.1.2
+Version:	4.4.1.3
 Release:	0%{dist}
 Summary:	Coturn TURN Server
 
@@ -288,6 +288,8 @@ fi
 %{_includedir}/turn/client/TurnMsgLib.h
 
 %changelog
+* Sun Feb 2 2015 Oleg Moskalenko <mom040267@gmail.com>
+  - Sync to 4.4.1.3
 * Sun Feb 1 2015 Oleg Moskalenko <mom040267@gmail.com>
   - Sync to 4.4.1.2
 * Sat Jan 24 2015 Oleg Moskalenko <mom040267@gmail.com>

src/apps/relay/turn_admin_server.c

@@ -712,6 +712,8 @@ static void cli_print_configuration(struct cli_session* cs)
 
 		if(turn_params.shatype == SHATYPE_SHA256)
 			cli_print_str(cs,"SHA256","SHA type",0);
+		else if(turn_params.shatype == SHATYPE_SHA512)
+			cli_print_str(cs,"SHA512","SHA type",0);
 		else
 			cli_print_str(cs,"SHA1","SHA type",0);
 		myprintf(cs,"\n");
@@ -1979,6 +1981,8 @@ static void write_pc_page(ioa_socket_handle s)
 
 				if(turn_params.shatype == SHATYPE_SHA256)
 					https_print_str(sb,"SHA256","SHA type",0);
+				else if(turn_params.shatype == SHATYPE_SHA512)
+					https_print_str(sb,"SHA512","SHA type",0);
 				else
 					https_print_str(sb,"SHA1","SHA type",0);
 
@@ -2508,6 +2512,8 @@ static void write_users_page(ioa_socket_handle s, const u08bits *add_user, const
 
 			if(turn_params.shatype == SHATYPE_SHA256)
 				str_buffer_append(sb,"SHA type: SHA256<br>\r\n");
+			else if(turn_params.shatype == SHATYPE_SHA512)
+				str_buffer_append(sb,"SHA type: SHA512<br>\r\n");
 			else
 				str_buffer_append(sb,"SHA type: SHA1<br>\r\n");
 
@@ -3043,10 +3049,18 @@ static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, con
 					str_buffer_append(sb,"<input type=\"radio\" name=\"");
 					str_buffer_append(sb,HR_ADD_OAUTH_HKDF);
 					str_buffer_append(sb,"\" value=\"SHA-256\" ");
-					if(strcmp("SHA-1",add_hkdf_hash_func)) {
+					if(!strcmp("SHA-256",add_hkdf_hash_func)) {
 						str_buffer_append(sb," checked ");
 					}
 					str_buffer_append(sb,">SHA-256\r\n<br>\r\n");
+
+					str_buffer_append(sb,"<input type=\"radio\" name=\"");
+					str_buffer_append(sb,HR_ADD_OAUTH_HKDF);
+					str_buffer_append(sb,"\" value=\"SHA-512\" ");
+					if(!strcmp("SHA-512",add_hkdf_hash_func)) {
+						str_buffer_append(sb," checked ");
+					}
+					str_buffer_append(sb,">SHA-512\r\n<br>\r\n");
 				}
 
 				str_buffer_append(sb,"</td><td colspan=\"2\">");
@@ -3140,6 +3154,14 @@ static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, con
 					}
 					str_buffer_append(sb,">HMAC-SHA-256\r\n<br>\r\n");
 
+					str_buffer_append(sb,"<input type=\"radio\" name=\"");
+					str_buffer_append(sb,HR_ADD_OAUTH_AA);
+					str_buffer_append(sb,"\" value=\"HMAC-SHA-512\" ");
+					if(!strcmp("HMAC-SHA-512",add_aa)) {
+						str_buffer_append(sb," checked ");
+					}
+					str_buffer_append(sb,">HMAC-SHA-512\r\n<br>\r\n");
+
 					str_buffer_append(sb,"<input type=\"radio\" name=\"");
 					str_buffer_append(sb,HR_ADD_OAUTH_AA);
 					str_buffer_append(sb,"\" value=\"HMAC-SHA-1\" ");

src/apps/relay/userdb.c

@@ -495,6 +495,12 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u
 							return -1;
 						}
 						break;
+					case SHA512SIZEBYTES:
+						if(turn_params.shatype != SHATYPE_SHA512) {
+							TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(3): %d\n",(int)dot.enc_block.key_length);
+							return -1;
+						}
+						break;
 					default:
 						TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong size of the MAC key in oAuth token(3): %d\n",(int)dot.enc_block.key_length);
 						return -1;
@@ -575,6 +581,11 @@ int get_user_key(int in_oauth, int *out_oauth, int *max_session_time, u08bits *u
 					return -1;
 				hmac_len = SHA256SIZEBYTES;
 				break;
+			case SHA512SIZEBYTES:
+				if(turn_params.shatype != SHATYPE_SHA512)
+					return -1;
+				hmac_len = SHA512SIZEBYTES;
+				break;
 			default:
 				return -1;
 			};

src/apps/rfc5769/rfc5769check.c

@@ -44,6 +44,9 @@
 static const char* shas[]={"SHA1",
 #if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
 			   "SHA256",
+#endif
+#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH)
+			   "SHA512",
 #endif
 			   NULL};
 static const char* encs[]={"AES-256-CBC","AES-128-CBC",
@@ -54,6 +57,9 @@ static const char* encs[]={"AES-256-CBC","AES-128-CBC",
 static const char* hmacs[]={"HMAC-SHA-1",
 #if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
 			    "HMAC-SHA-256","HMAC-SHA-256-128",
+#endif
+#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH)
+			    "HMAC-SHA-512",
 #endif
 			    NULL};
 

src/apps/uclient/mainuclient.c

@@ -98,10 +98,11 @@ band_limit_t bps = 0;
 int dual_allocation = 0;
 
 int oauth = 0;
-oauth_key okey_array[2];
+oauth_key okey_array[3];
 
-static oauth_key_data_raw okdr_array[2] = {
+static oauth_key_data_raw okdr_array[3] = {
 		{"north","Y2FybGVvbg==",0,0,"SHA-256","AES-256-CBC","","HMAC-SHA-256-128",""},
+		{"union","aGVyb2Q=",0,0,"SHA-256","AES-256-CBC","","HMAC-SHA-512",""},
 		{"oldempire","YXVsY3Vz",0,0,"SHA-256","AEAD-AES-256-GCM","","",""}
 };
 
@@ -216,9 +217,10 @@ int main(int argc, char **argv)
 
 			oauth = 1;
 
-			oauth_key_data okd_array[2];
+			oauth_key_data okd_array[3];
 			convert_oauth_key_data_raw(&okdr_array[0], &okd_array[0]);
 			convert_oauth_key_data_raw(&okdr_array[1], &okd_array[1]);
+			convert_oauth_key_data_raw(&okdr_array[2], &okd_array[2]);
 
 			char err_msg[1025] = "\0";
 			size_t err_msg_size = sizeof(err_msg) - 1;
@@ -232,6 +234,11 @@ int main(int argc, char **argv)
 				fprintf(stderr, "%s\n", err_msg);
 				exit(-1);
 			}
+
+			if (convert_oauth_key_data(&okd_array[2], &okey_array[2], err_msg, err_msg_size) < 0) {
+				fprintf(stderr, "%s\n", err_msg);
+				exit(-1);
+			}
 		}
 			break;
 		case 'a':
@@ -416,6 +423,9 @@ int main(int argc, char **argv)
 			case SHATYPE_SHA256:
 				hmac_len = SHA256SIZEBYTES;
 				break;
+			case SHATYPE_SHA512:
+				hmac_len = SHA512SIZEBYTES;
+				break;
 			default:
 				hmac_len = SHA1SIZEBYTES;
 			};

src/apps/uclient/uclient.c

@@ -1609,8 +1609,7 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
 			if(((method == STUN_METHOD_ALLOCATE) || (method == STUN_METHOD_REFRESH)) || !(clnet_info->key_set))
 			{
 
-				cok=(random())%2;
-				if(cok<0) cok=-cok;
+				cok=((unsigned short)random())%3;
 				clnet_info->cok = cok;
 				oauth_token otoken;
 				encoded_oauth_token etoken;
@@ -1627,6 +1626,8 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message)
 				otoken.enc_block.timestamp = ((uint64_t)turn_time()) << 16;
 				if(shatype == SHATYPE_SHA256) {
 					otoken.enc_block.key_length = 32;
+				} else if(shatype == SHATYPE_SHA512) {
+					otoken.enc_block.key_length = 64;
 				} else {
 					otoken.enc_block.key_length = 20;
 				}

src/apps/uclient/uclient.h

@@ -88,7 +88,7 @@ extern int dual_allocation;
 extern char origin[STUN_MAX_ORIGIN_SIZE+1];
 
 extern int oauth;
-extern oauth_key okey_array[2];
+extern oauth_key okey_array[3];
 
 #define UCLIENT_SESSION_LIFETIME (777)
 #define OAUTH_SESSION_LIFETIME (555)

src/client/ns_turn_msg.c

@@ -125,6 +125,15 @@ int stun_calculate_hmac(const u08bits *buf, size_t len, const u08bits *key, size
 #else
 	  fprintf(stderr,"SHA256 is not supported\n");
 	  return -1;
+#endif
+	} else if(shatype == SHATYPE_SHA512) {
+#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH)
+	  if (!HMAC(EVP_sha512(), key, keylen, buf, len, hmac, hmac_len)) {
+	    return -1;
+	  }
+#else
+	  fprintf(stderr,"SHA512 is not supported\n");
+	  return -1;
 #endif
 	} else
 	  if (!HMAC(EVP_sha1(), key, keylen, buf, len, hmac, hmac_len)) {
@@ -164,6 +173,18 @@ int stun_produce_integrity_key_str(u08bits *uname, u08bits *realm, u08bits *upwd
 #else
 		fprintf(stderr,"SHA256 is not supported\n");
 		return -1;
+#endif
+	} else if(shatype == SHATYPE_SHA512) {
+#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH)
+		unsigned int keylen = 0;
+		EVP_MD_CTX ctx;
+		EVP_DigestInit(&ctx,EVP_sha512());
+		EVP_DigestUpdate(&ctx,str,strl);
+		EVP_DigestFinal(&ctx,key,&keylen);
+		EVP_MD_CTX_cleanup(&ctx);
+#else
+		fprintf(stderr,"SHA512 is not supported\n");
+		return -1;
 #endif
 	} else {
 		MD5_CTX ctx;
@@ -1517,6 +1538,8 @@ size_t get_hmackey_size(SHATYPE shatype)
 {
 	if(shatype == SHATYPE_SHA256)
 		return 32;
+	if(shatype == SHATYPE_SHA512)
+		return 64;
 	return 16;
 }
 
@@ -1540,6 +1563,9 @@ int stun_attr_add_integrity_str(turn_credential_type ct, u08bits *buf, size_t *l
 	case SHATYPE_SHA256:
 		shasize = SHA256SIZEBYTES;
 		break;
+	case SHATYPE_SHA512:
+		shasize = SHA512SIZEBYTES;
+		break;
 	default:
 		shasize = SHA1SIZEBYTES;
 	};
@@ -1624,6 +1650,11 @@ int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *bu
 		if(shatype != SHATYPE_SHA256)
 			return -1;
 		break;
+	case SHA512SIZEBYTES:
+		shasize = SHA512SIZEBYTES;
+		if(shatype != SHATYPE_SHA512)
+			return -1;
+		break;
 	case SHA1SIZEBYTES:
 		shasize = SHA1SIZEBYTES;
 		if(shatype != SHATYPE_SHA1) {
@@ -1818,6 +1849,8 @@ static size_t calculate_auth_key_length(AUTH_ALG a)
 		return 32;
 	case AUTH_ALG_HMAC_SHA_256:
 		return 32;
+	case AUTH_ALG_HMAC_SHA_512:
+		return 64;
 	default:
 		break;
 	};
@@ -1834,6 +1867,8 @@ static size_t calculate_auth_output_length(AUTH_ALG a)
 		return 16;
 	case AUTH_ALG_HMAC_SHA_256:
 		return 32;
+	case AUTH_ALG_HMAC_SHA_512:
+		return 64;
 	default:
 		break;
 	};
@@ -1852,25 +1887,44 @@ static int calculate_key(char *key, size_t key_size, char *new_key, size_t new_k
 	//Expand:
 	u08bits buf[128];
 	buf[0]=1;
-	u08bits hmac[128];
-	unsigned int hmac_len = 0;
-	stun_calculate_hmac((const u08bits *)buf, 1, prk, prk_len, hmac, &hmac_len, shatype);
-	ns_bcopy(hmac,new_key,hmac_len);
+	u08bits hmac1[128];
+	unsigned int hmac1_len = 0;
+	stun_calculate_hmac((const u08bits *)buf, 1, prk, prk_len, hmac1, &hmac1_len, shatype);
+	ns_bcopy(hmac1,new_key,hmac1_len);
 
 	//Check
-	if(new_key_size>hmac_len) {
-		ns_bcopy(hmac,buf,hmac_len);
-		buf[hmac_len]=2;
-		u08bits hmac1[128];
-		unsigned int hmac1_len = 0;
-		stun_calculate_hmac((const u08bits *)buf, hmac_len+1, prk, prk_len, hmac1, &hmac1_len, shatype);
-		ns_bcopy(hmac1,new_key+hmac_len,hmac1_len);
-		if(new_key_size > (hmac_len + hmac1_len)) {
-			if(err_msg) {
-				snprintf(err_msg,err_msg_size,"Wrong HKDF procedure (key sizes): output.sz=%lu, hmac(1)=%lu, hmac(2)=%lu",(unsigned long)new_key_size,(unsigned long)hmac_len,(unsigned long)hmac1_len);
+	if(new_key_size>hmac1_len) {
+		ns_bcopy(hmac1,buf,hmac1_len);
+		buf[hmac1_len]=2;
+		u08bits hmac2[128];
+		unsigned int hmac2_len = 0;
+		stun_calculate_hmac((const u08bits *)buf, hmac1_len+1, prk, prk_len, hmac2, &hmac2_len, shatype);
+		ns_bcopy(hmac2,new_key+hmac1_len,hmac2_len);
+		if(new_key_size > (hmac1_len + hmac2_len)) {
+
+			ns_bcopy(hmac2,buf,hmac2_len);
+			buf[hmac2_len]=3;
+			u08bits hmac3[128];
+			unsigned int hmac3_len = 0;
+			stun_calculate_hmac((const u08bits *)buf, hmac2_len+1, prk, prk_len, hmac3, &hmac3_len, shatype);
+			ns_bcopy(hmac3,new_key+hmac1_len+hmac2_len,hmac3_len);
+			if(new_key_size > (hmac1_len + hmac2_len + hmac3_len)) {
+
+				ns_bcopy(hmac3,buf,hmac3_len);
+				buf[hmac3_len]=4;
+				u08bits hmac4[128];
+				unsigned int hmac4_len = 0;
+				stun_calculate_hmac((const u08bits *)buf, hmac3_len+1, prk, prk_len, hmac4, &hmac4_len, shatype);
+				ns_bcopy(hmac4,new_key+hmac1_len+hmac2_len+hmac3_len,hmac4_len);
+				if(new_key_size > (hmac1_len + hmac2_len + hmac3_len + hmac4_len)) {
+
+					if(err_msg) {
+						snprintf(err_msg,err_msg_size,"Wrong HKDF procedure (key sizes): output.sz=%lu, hmac(1)=%lu, hmac(2)=%lu",(unsigned long)new_key_size,(unsigned long)hmac1_len,(unsigned long)hmac2_len);
+					}
+					OAUTH_ERROR("Wrong HKDF procedure (key sizes): output.sz=%lu, hmac(1)=%lu, hmac(2)=%lu",(unsigned long)new_key_size,(unsigned long)hmac1_len,(unsigned long)hmac2_len);
+					return -1;
+				}
 			}
-			OAUTH_ERROR("Wrong HKDF procedure (key sizes): output.sz=%lu, hmac(1)=%lu, hmac(2)=%lu",(unsigned long)new_key_size,(unsigned long)hmac_len,(unsigned long)hmac1_len);
-			return -1;
 		}
 	}
 
@@ -1938,6 +1992,8 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er
 			key->hkdf_hash_func = SHATYPE_SHA1;
 		} else if(!strcmp(oakd->hkdf_hash_func,"SHA256") || !strcmp(oakd->hkdf_hash_func,"SHA-256")) {
 			key->hkdf_hash_func = SHATYPE_SHA256;
+		} else if(!strcmp(oakd->hkdf_hash_func,"SHA512") || !strcmp(oakd->hkdf_hash_func,"SHA-512")) {
+			key->hkdf_hash_func = SHATYPE_SHA512;
 		} else if(oakd->hkdf_hash_func[0]) {
 			if(err_msg) {
 				snprintf(err_msg,err_msg_size,"Wrong HKDF hash function algorithm: %s",oakd->hkdf_hash_func);
@@ -1951,6 +2007,8 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er
 			key->auth_alg = AUTH_ALG_HMAC_SHA_1;
 		} else if(!strcmp(oakd->auth_alg,"HMAC-SHA-256")) {
 			key->auth_alg = AUTH_ALG_HMAC_SHA_256;
+		} else if(!strcmp(oakd->auth_alg,"HMAC-SHA-512")) {
+			key->auth_alg = AUTH_ALG_HMAC_SHA_512;
 		} else if(!strcmp(oakd->auth_alg,"HMAC-SHA-256-128")) {
 			key->auth_alg = AUTH_ALG_HMAC_SHA_256_128;
 		} else if(oakd->auth_alg[0]) {
@@ -2034,6 +2092,10 @@ static const EVP_MD *get_auth_type(AUTH_ALG aa)
 	case AUTH_ALG_HMAC_SHA_256_128:
 	case AUTH_ALG_HMAC_SHA_256:
 		return EVP_sha256();
+#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH)
+	case AUTH_ALG_HMAC_SHA_512:
+		return EVP_sha512();
+#endif
 #endif
 	default:
 		break;

src/client/ns_turn_msg_defs_new.h

@@ -48,6 +48,7 @@
 
 #define SHA1SIZEBYTES (20)
 #define SHA256SIZEBYTES (32)
+#define SHA512SIZEBYTES (64)
 
 #define MAXSHASIZE (128)
 
@@ -55,12 +56,13 @@ enum _SHATYPE {
 	SHATYPE_ERROR = -1,
 	SHATYPE_DEFAULT=0,
 	SHATYPE_SHA1=SHATYPE_DEFAULT,
-	SHATYPE_SHA256
+	SHATYPE_SHA256,
+	SHATYPE_SHA512
 };
 
 typedef enum _SHATYPE SHATYPE;
 
-#define shatype_name(sht) ((sht == SHATYPE_SHA1) ? "SHA1" : ((sht == SHATYPE_SHA256) ? "SHA256" : "SHA UNKNOWN"))
+#define shatype_name(sht) ((sht == SHATYPE_SHA1) ? "SHA1" : ((sht == SHATYPE_SHA256) ? "SHA256" : ((sht == SHATYPE_SHA512) ? "SHA512" : "SHA UNKNOWN")))
 
 #define SHA_TOO_WEAK_ERROR_CODE (426)
 
@@ -90,7 +92,8 @@ enum _AUTH_ALG {
 	AUTH_ALG_DEFAULT = 1,
 	AUTH_ALG_HMAC_SHA_256_128 = AUTH_ALG_DEFAULT,
 	AUTH_ALG_HMAC_SHA_1,
-	AUTH_ALG_HMAC_SHA_256
+	AUTH_ALG_HMAC_SHA_256,
+	AUTH_ALG_HMAC_SHA_512
 };
 
 typedef enum _AUTH_ALG AUTH_ALG;

src/ns_turn_defs.h

@@ -31,7 +31,7 @@
 #ifndef __IOADEFS__
 #define __IOADEFS__
 
-#define TURN_SERVER_VERSION "4.4.1.2"
+#define TURN_SERVER_VERSION "4.4.1.3"
 #define TURN_SERVER_VERSION_NAME "Ardee West"
 #define TURN_SOFTWARE "Coturn-" TURN_SERVER_VERSION " '" TURN_SERVER_VERSION_NAME "'"
 

src/server/ns_turn_server.c

@@ -3297,6 +3297,12 @@ static int check_stun_auth(turn_turnserver *server,
 				return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
 			}
 			break;
+		case SHA512SIZEBYTES:
+			if(server->shatype != SHATYPE_SHA512) {
+				*err_code = 401;
+				return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);
+			}
+			break;
 		default:
 			*err_code = 401;
 			return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method);

turndb/schema.userdb.redis

@@ -45,7 +45,7 @@ and they will be almost immediately "seen" by the turnserver process.
 		is 0 - unlimited lifetime.
 	
 	hkdf_hash_func - (optional) hash function for HKDF procedure; the 
-		valid values are SHA-1 and SHA-256, with SHA-256 as default;
+		valid values are SHA-1, SHA-256 and SHA-512, with SHA-256 as default;
 		The hkdf_hash_func is not needed if the as_rs_key and auth_key 
 		are defined explicitly in the database;
 		
@@ -59,7 +59,7 @@ and they will be almost immediately "seen" by the turnserver process.
 		is defined by as_rs_alg.
 		
 	auth_alg - (optional) oAuth token authentication algorithm; the valid values are
-		"HMAC-SHA-256-128", "HMAC-SHA-256" and "HMAC-SHA-1".		  
+		"HMAC-SHA-256-128", "HMAC-SHA-256", "HMAC-SHA-512" and "HMAC-SHA-1".		  
 		The default value is "HMAC-SHA-256-128".
 		
 	auth_key - (optional) base64-encoded AUTH key. If not defined, then 

turndb/testmongosetup.sh

@@ -51,6 +51,12 @@ db.oauth_key.insert({ kid: 'north',
 					hkdf_hash_func: 'SHA-256', 
 					as_rs_alg: 'AES-256-CBC', 
 					auth_alg: 'HMAC-SHA-256-128' });
+
+db.oauth_key.insert({ kid: 'union', 
+					ikm_key: 'aGVyb2Q=', 
+					hkdf_hash_func: 'SHA-256', 
+					as_rs_alg: 'AES-256-CBC', 
+					auth_alg: 'HMAC-SHA-512' });
 					
 db.oauth_key.insert({ kid: 'oldempire', 
 					ikm_key: 'YXVsY3Vz', 

turndb/testredisdbsetup.sh

@@ -36,6 +36,7 @@ sadd turn/realm/north.gov/denied-peer-ip "172.17.13.133-172.17.14.56" "172.17.17
 sadd turn/realm/crinna.org/denied-peer-ip "123::77"
 
 hmset turn/oauth/kid/north ikm_key 'Y2FybGVvbg==' hkdf_hash_func 'SHA-256' as_rs_alg 'AES-256-CBC' auth_alg 'HMAC-SHA-256-128'
+hmset turn/oauth/kid/union ikm_key 'aGVyb2Q=' hkdf_hash_func 'SHA-256' as_rs_alg 'AES-256-CBC' auth_alg 'HMAC-SHA-512'
 hmset turn/oauth/kid/oldempire ikm_key 'YXVsY3Vz' hkdf_hash_func 'SHA-256' as_rs_alg 'AEAD-AES-256-GCM'
 
 hmset turn/admin_user/skarling realm 'north.gov' password 'hoodless'

turndb/testsqldbsetup.sql

@@ -32,4 +32,5 @@ insert into denied_peer_ip (realm,ip_range) values('north.gov','172.17.17.133-17
 insert into denied_peer_ip (realm,ip_range) values('crinna.org','123::77');
 
 insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('north','Y2FybGVvbg==',0,0,'SHA-256','AES-256-CBC','','HMAC-SHA-256-128','');
+insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('union','aGVyb2Q=',0,0,'SHA-256','AES-256-CBC','','HMAC-SHA-512','');
 insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('oldempire','YXVsY3Vz',0,0,'SHA-256','AEAD-AES-256-GCM','','','');