From 0d7d85da5833e76ab7175f9e3fef935a6ba0dd2f Mon Sep 17 00:00:00 2001 From: mom040267 Date: Tue, 3 Feb 2015 07:38:40 +0000 Subject: [PATCH] SHA-512 added to oauth --- ChangeLog | 4 ++ INSTALL | 4 +- examples/var/db/turndb | Bin 22528 -> 22528 bytes man/man1/turnadmin.1 | 2 +- man/man1/turnserver.1 | 2 +- man/man1/turnutils.1 | 2 +- rpm/build.settings.sh | 2 +- rpm/turnserver.spec | 4 +- src/apps/relay/turn_admin_server.c | 24 +++++++- src/apps/relay/userdb.c | 11 ++++ src/apps/rfc5769/rfc5769check.c | 6 ++ src/apps/uclient/mainuclient.c | 16 ++++- src/apps/uclient/uclient.c | 5 +- src/apps/uclient/uclient.h | 2 +- src/client/ns_turn_msg.c | 94 ++++++++++++++++++++++++----- src/client/ns_turn_msg_defs_new.h | 9 ++- src/ns_turn_defs.h | 2 +- src/server/ns_turn_server.c | 6 ++ turndb/schema.userdb.redis | 4 +- turndb/testmongosetup.sh | 6 ++ turndb/testredisdbsetup.sh | 1 + turndb/testsqldbsetup.sql | 1 + 22 files changed, 171 insertions(+), 36 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2c739d2e..81cf0102 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2/2/2015 Oleg Moskalenko +Version 4.4.1.3 'Ardee West': + - SHA-512 added to oAuth; + 2/1/2015 Oleg Moskalenko Version 4.4.1.2 'Ardee West': - SSODA updates according to turnbis specs; diff --git a/INSTALL b/INSTALL index 1706efb4..95c56016 100644 --- a/INSTALL +++ b/INSTALL @@ -763,7 +763,7 @@ The oauth_key table fields meanings are: is 0 - unlimited lifetime. hkdf_hash_func - (optional) hash function for HKDF procedure; the - valid values are SHA-1 and SHA-256, with SHA-256 as default; + valid values are SHA-1, SHA-256 and SHA-512, with SHA-256 as default; The hkdf_hash_func is not needed if the as_rs_key and auth_key are defined explicitly in the database; 
@@ -777,7 +777,7 @@ The oauth_key table fields meanings are: is defined by as_rs_alg. auth_alg - (optional) oAuth token authentication algorithm; the valid values are - "HMAC-SHA-256-128", "HMAC-SHA-256" and "HMAC-SHA-1". + "HMAC-SHA-256-128", "HMAC-SHA-256", "HMAC-SHA-512" and "HMAC-SHA-1". The default value is "HMAC-SHA-256-128". auth_key - (optional) base64-encoded AUTH key. If not defined, then diff --git a/examples/var/db/turndb b/examples/var/db/turndb index bd93f071598d22131933274dbff1ab2600efefe8..1805bfb55f20ec83c60a4a0935daa6ccdc10595f 100644 GIT binary patch delta 101 zcmZqJz}T>Xae_4C%!xA2tTP#OAE|9jS>Vjf%pA6v-Nm0-!jzdyT$Y1FTA5dsw=^#^ zKQGZetTM?caPnPu8D>*MqshJQXae_4CjEOSNtTPyNA4zXaS>Vjf#N4}?-Nm1og@J*=d}5>V1=K%nKLlsm2 diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1 index 2dd8022a..4f3538f4 100644 --- a/man/man1/turnadmin.1 +++ b/man/man1/turnadmin.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "31 January 2015" "" "" +.TH TURN 1 "02 February 2015" "" "" .SH GENERAL INFORMATION \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index d471c104..943c7fca 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "31 January 2015" "" "" +.TH TURN 1 "02 February 2015" "" "" .SH GENERAL INFORMATION The \fBTURN Server\fP project contains the source code of a TURN server and TURN client diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1 index a43fd9b8..b72d8b39 100644 --- a/man/man1/turnutils.1 +++ b/man/man1/turnutils.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "31 January 2015" "" "" +.TH TURN 1 "02 February 2015" "" "" .SH GENERAL INFORMATION A set of turnutils_* programs provides some utility functionality to be used diff --git a/rpm/build.settings.sh b/rpm/build.settings.sh index c5c3ea19..7057e035 100755 
--- a/rpm/build.settings.sh +++ b/rpm/build.settings.sh @@ -2,7 +2,7 @@ # Common settings script. -TURNVERSION=4.4.1.2 +TURNVERSION=4.4.1.3 BUILDDIR=~/rpmbuild ARCH=`uname -p` TURNSERVER_SVN_URL=http://coturn.googlecode.com/svn diff --git a/rpm/turnserver.spec b/rpm/turnserver.spec index fe251e84..96cd4658 100644 --- a/rpm/turnserver.spec +++ b/rpm/turnserver.spec @@ -1,5 +1,5 @@ Name: turnserver -Version: 4.4.1.2 +Version: 4.4.1.3 Release: 0%{dist} Summary: Coturn TURN Server @@ -288,6 +288,8 @@ fi %{_includedir}/turn/client/TurnMsgLib.h %changelog +* Sun Feb 2 2015 Oleg Moskalenko + - Sync to 4.4.1.3 * Sun Feb 1 2015 Oleg Moskalenko - Sync to 4.4.1.2 * Sat Jan 24 2015 Oleg Moskalenko diff --git a/src/apps/relay/turn_admin_server.c b/src/apps/relay/turn_admin_server.c index 6bba4eb7..8ad74912 100644 --- a/src/apps/relay/turn_admin_server.c +++ b/src/apps/relay/turn_admin_server.c @@ -712,6 +712,8 @@ static void cli_print_configuration(struct cli_session* cs) if(turn_params.shatype == SHATYPE_SHA256) cli_print_str(cs,"SHA256","SHA type",0); + else if(turn_params.shatype == SHATYPE_SHA512) + cli_print_str(cs,"SHA512","SHA type",0); else cli_print_str(cs,"SHA1","SHA type",0); myprintf(cs,"\n"); @@ -1979,6 +1981,8 @@ static void write_pc_page(ioa_socket_handle s) if(turn_params.shatype == SHATYPE_SHA256) https_print_str(sb,"SHA256","SHA type",0); + else if(turn_params.shatype == SHATYPE_SHA512) + https_print_str(sb,"SHA512","SHA type",0); else https_print_str(sb,"SHA1","SHA type",0); @@ -2508,6 +2512,8 @@ static void write_users_page(ioa_socket_handle s, const u08bits *add_user, const if(turn_params.shatype == SHATYPE_SHA256) str_buffer_append(sb,"SHA type: SHA256
\r\n"); + else if(turn_params.shatype == SHATYPE_SHA512) + str_buffer_append(sb,"SHA type: SHA512
\r\n"); else str_buffer_append(sb,"SHA type: SHA1
\r\n"); @@ -3043,10 +3049,18 @@ static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, con str_buffer_append(sb,"SHA-256\r\n
\r\n"); + + str_buffer_append(sb,"SHA-512\r\n
\r\n"); } str_buffer_append(sb,""); @@ -3140,6 +3154,14 @@ static void write_https_oauth_page(ioa_socket_handle s, const char* add_kid, con } str_buffer_append(sb,">HMAC-SHA-256\r\n
\r\n"); + str_buffer_append(sb,"HMAC-SHA-512\r\n
\r\n"); + str_buffer_append(sb,"key_set)) { - cok=(random())%2; - if(cok<0) cok=-cok; + cok=((unsigned short)random())%3; clnet_info->cok = cok; oauth_token otoken; encoded_oauth_token etoken; @@ -1627,6 +1626,8 @@ int add_integrity(app_ur_conn_info *clnet_info, stun_buffer *message) otoken.enc_block.timestamp = ((uint64_t)turn_time()) << 16; if(shatype == SHATYPE_SHA256) { otoken.enc_block.key_length = 32; + } else if(shatype == SHATYPE_SHA512) { + otoken.enc_block.key_length = 64; } else { otoken.enc_block.key_length = 20; } diff --git a/src/apps/uclient/uclient.h b/src/apps/uclient/uclient.h index e68de6ee..045e53ba 100644 --- a/src/apps/uclient/uclient.h +++ b/src/apps/uclient/uclient.h @@ -88,7 +88,7 @@ extern int dual_allocation; extern char origin[STUN_MAX_ORIGIN_SIZE+1]; extern int oauth; -extern oauth_key okey_array[2]; +extern oauth_key okey_array[3]; #define UCLIENT_SESSION_LIFETIME (777) #define OAUTH_SESSION_LIFETIME (555) diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c index 4df6f5fb..fd9004ad 100644 --- a/src/client/ns_turn_msg.c +++ b/src/client/ns_turn_msg.c @@ -125,6 +125,15 @@ int stun_calculate_hmac(const u08bits *buf, size_t len, const u08bits *key, size #else fprintf(stderr,"SHA256 is not supported\n"); return -1; +#endif + } else if(shatype == SHATYPE_SHA512) { +#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH) + if (!HMAC(EVP_sha512(), key, keylen, buf, len, hmac, hmac_len)) { + return -1; + } +#else + fprintf(stderr,"SHA512 is not supported\n"); + return -1; #endif } else if (!HMAC(EVP_sha1(), key, keylen, buf, len, hmac, hmac_len)) { 
@@ -164,6 +173,18 @@ int stun_produce_integrity_key_str(u08bits *uname, u08bits *realm, u08bits *upwd #else fprintf(stderr,"SHA256 is not supported\n"); return -1; +#endif + } else if(shatype == SHATYPE_SHA512) { +#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH) + unsigned int keylen = 0; + EVP_MD_CTX ctx; + EVP_DigestInit(&ctx,EVP_sha512()); + EVP_DigestUpdate(&ctx,str,strl); + EVP_DigestFinal(&ctx,key,&keylen); + EVP_MD_CTX_cleanup(&ctx); +#else + fprintf(stderr,"SHA512 is not supported\n"); + return -1; #endif } else { MD5_CTX ctx; @@ -1517,6 +1538,8 @@ size_t get_hmackey_size(SHATYPE shatype) { if(shatype == SHATYPE_SHA256) return 32; + if(shatype == SHATYPE_SHA512) + return 64; return 16; } @@ -1540,6 +1563,9 @@ int stun_attr_add_integrity_str(turn_credential_type ct, u08bits *buf, size_t *l case SHATYPE_SHA256: shasize = SHA256SIZEBYTES; break; + case SHATYPE_SHA512: + shasize = SHA512SIZEBYTES; + break; default: shasize = SHA1SIZEBYTES; }; @@ -1624,6 +1650,11 @@ int stun_check_message_integrity_by_key_str(turn_credential_type ct, u08bits *bu if(shatype != SHATYPE_SHA256) return -1; break; + case SHA512SIZEBYTES: + shasize = SHA512SIZEBYTES; + if(shatype != SHATYPE_SHA512) + return -1; + break; case SHA1SIZEBYTES: shasize = SHA1SIZEBYTES; if(shatype != SHATYPE_SHA1) { @@ -1818,6 +1849,8 @@ static size_t calculate_auth_key_length(AUTH_ALG a) return 32; case AUTH_ALG_HMAC_SHA_256: return 32; + case AUTH_ALG_HMAC_SHA_512: + return 64; default: break; }; @@ -1834,6 +1867,8 @@ static size_t calculate_auth_output_length(AUTH_ALG a) return 16; case AUTH_ALG_HMAC_SHA_256: return 32; + case AUTH_ALG_HMAC_SHA_512: + return 64; default: break; }; 
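Review bot: The new SHA-512 branch of stun_produce_integrity_key_str ignores the results of `EVP_DigestInit`, `EVP_DigestUpdate` and `EVP_DigestFinal`, so a failed digest leaves `key` unwritten and, as far as the hunk shows, nothing reports it to the caller. Checking them is a small change: `if(!EVP_DigestInit(&ctx,EVP_sha512()) || !EVP_DigestUpdate(&ctx,str,strl) || !EVP_DigestFinal(&ctx,key,&keylen)) { EVP_MD_CTX_cleanup(&ctx); return -1; }`. The branch also writes 64 bytes through `key`, and the buffer behind that pointer is declared outside this hunk, so every caller that sized it for the previous 32-byte maximum should be confirmed to provide at least `SHA512SIZEBYTES`. The function body starts and ends outside the hunk.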
@@ -1852,25 +1887,44 @@ static int calculate_key(char *key, size_t key_size, char *new_key, size_t new_k //Expand: u08bits buf[128]; buf[0]=1; - u08bits hmac[128]; - unsigned int hmac_len = 0; - stun_calculate_hmac((const u08bits *)buf, 1, prk, prk_len, hmac, &hmac_len, shatype); - ns_bcopy(hmac,new_key,hmac_len); + u08bits hmac1[128]; + unsigned int hmac1_len = 0; + stun_calculate_hmac((const u08bits *)buf, 1, prk, prk_len, hmac1, &hmac1_len, shatype); + ns_bcopy(hmac1,new_key,hmac1_len); //Check - if(new_key_size>hmac_len) { - ns_bcopy(hmac,buf,hmac_len); - buf[hmac_len]=2; - u08bits hmac1[128]; - unsigned int hmac1_len = 0; - stun_calculate_hmac((const u08bits *)buf, hmac_len+1, prk, prk_len, hmac1, &hmac1_len, shatype); - ns_bcopy(hmac1,new_key+hmac_len,hmac1_len); - if(new_key_size > (hmac_len + hmac1_len)) { - if(err_msg) { - snprintf(err_msg,err_msg_size,"Wrong HKDF procedure (key sizes): output.sz=%lu, hmac(1)=%lu, hmac(2)=%lu",(unsigned long)new_key_size,(unsigned long)hmac_len,(unsigned long)hmac1_len); + if(new_key_size>hmac1_len) { + ns_bcopy(hmac1,buf,hmac1_len); + buf[hmac1_len]=2; + u08bits hmac2[128]; + unsigned int hmac2_len = 0; + stun_calculate_hmac((const u08bits *)buf, hmac1_len+1, prk, prk_len, hmac2, &hmac2_len, shatype); + ns_bcopy(hmac2,new_key+hmac1_len,hmac2_len); + if(new_key_size > (hmac1_len + hmac2_len)) { + + ns_bcopy(hmac2,buf,hmac2_len); + buf[hmac2_len]=3; + u08bits hmac3[128]; + unsigned int hmac3_len = 0; + stun_calculate_hmac((const u08bits *)buf, hmac2_len+1, prk, prk_len, hmac3, &hmac3_len, shatype); + ns_bcopy(hmac3,new_key+hmac1_len+hmac2_len,hmac3_len); + if(new_key_size > (hmac1_len + hmac2_len + hmac3_len)) { + + ns_bcopy(hmac3,buf,hmac3_len); + buf[hmac3_len]=4; + u08bits hmac4[128]; + unsigned int hmac4_len = 0; + stun_calculate_hmac((const u08bits *)buf, hmac3_len+1, prk, prk_len, hmac4, &hmac4_len, shatype); + ns_bcopy(hmac4,new_key+hmac1_len+hmac2_len+hmac3_len,hmac4_len); + if(new_key_size > (hmac1_len + hmac2_len 
+ hmac3_len + hmac4_len)) { + + if(err_msg) { + snprintf(err_msg,err_msg_size,"Wrong HKDF procedure (key sizes): output.sz=%lu, hmac(1)=%lu, hmac(2)=%lu",(unsigned long)new_key_size,(unsigned long)hmac1_len,(unsigned long)hmac2_len); + } + OAUTH_ERROR("Wrong HKDF procedure (key sizes): output.sz=%lu, hmac(1)=%lu, hmac(2)=%lu",(unsigned long)new_key_size,(unsigned long)hmac1_len,(unsigned long)hmac2_len); + return -1; + } } - OAUTH_ERROR("Wrong HKDF procedure (key sizes): output.sz=%lu, hmac(1)=%lu, hmac(2)=%lu",(unsigned long)new_key_size,(unsigned long)hmac_len,(unsigned long)hmac1_len); - return -1; } } @@ -1938,6 +1992,8 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er key->hkdf_hash_func = SHATYPE_SHA1; } else if(!strcmp(oakd->hkdf_hash_func,"SHA256") || !strcmp(oakd->hkdf_hash_func,"SHA-256")) { key->hkdf_hash_func = SHATYPE_SHA256; + } else if(!strcmp(oakd->hkdf_hash_func,"SHA512") || !strcmp(oakd->hkdf_hash_func,"SHA-512")) { + key->hkdf_hash_func = SHATYPE_SHA512; } else if(oakd->hkdf_hash_func[0]) { if(err_msg) { snprintf(err_msg,err_msg_size,"Wrong HKDF hash function algorithm: %s",oakd->hkdf_hash_func); @@ -1951,6 +2007,8 @@ int convert_oauth_key_data(const oauth_key_data *oakd0, oauth_key *key, char *er key->auth_alg = AUTH_ALG_HMAC_SHA_1; } else if(!strcmp(oakd->auth_alg,"HMAC-SHA-256")) { key->auth_alg = AUTH_ALG_HMAC_SHA_256; + } else if(!strcmp(oakd->auth_alg,"HMAC-SHA-512")) { + key->auth_alg = AUTH_ALG_HMAC_SHA_512; } else if(!strcmp(oakd->auth_alg,"HMAC-SHA-256-128")) { key->auth_alg = AUTH_ALG_HMAC_SHA_256_128; } else if(oakd->auth_alg[0]) { @@ -2034,6 +2092,10 @@ static const EVP_MD *get_auth_type(AUTH_ALG aa) case AUTH_ALG_HMAC_SHA_256_128: case AUTH_ALG_HMAC_SHA_256: return EVP_sha256(); +#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH) + case AUTH_ALG_HMAC_SHA_512: + return EVP_sha512(); +#endif #endif default: break; 
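Review bot: In calculate_key's expand step every `ns_bcopy(hmacN,new_key+...,hmacN_len)` copies a whole HMAC block, so the bytes written into `new_key` exceed `new_key_size` whenever the requested size is not a multiple of the digest length (for example a 20-byte request served by a 32-byte digest). Whether the destination has that slack is decided by callers outside this hunk, so the copy should be clamped to the remaining length. The return value of `stun_calculate_hmac` is also ignored, which means an unsupported hash only surfaces later as the misleading "Wrong HKDF procedure (key sizes)" message, and that message still prints only hmac(1) and hmac(2) although four blocks are now produced. The four hand-unrolled rounds can become one bounded loop that keeps the same T(i) = HMAC(prk, T(i-1) | i) chaining, as sketched below. The extract step and the end of the function lie outside the hunk.

```c
	//Expand: T(i) = HMAC(prk, T(i-1) | i); only new_key_size bytes are copied out
	u08bits buf[128];
	u08bits t[128];
	unsigned int t_len = 0;
	size_t done = 0;
	u08bits counter = 1;

	while(done < new_key_size) {
		if(counter > 4) {
			// … error report as in the hunk (err_msg + OAUTH_ERROR), with the sizes taken from done and t_len …
			return -1;
		}
		ns_bcopy(t,buf,t_len);
		buf[t_len] = counter++;
		if(stun_calculate_hmac((const u08bits *)buf, t_len+1, prk, prk_len, t, &t_len, shatype) < 0 || !t_len) {
			return -1;
		}
		size_t n = new_key_size - done;
		if(n > t_len)
			n = t_len;
		ns_bcopy(t,new_key+done,n);
		done += n;
	}
```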
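Review bot: convert_oauth_key_data accepts `"HMAC-SHA-512"` for `auth_alg` (and, in the hunk before it, `"SHA512"`/`"SHA-512"` for `hkdf_hash_func`) unconditionally, while the digest itself is compiled in only under `#if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH)` in get_auth_type and stun_calculate_hmac. On a build without SHA-512 such a key record would pass parsing and then reach get_auth_type's `default:` branch, whose result is not visible here, so the failure would show up at token-processing time rather than when the key is loaded. Wrapping the two new `else if` branches in the same `#if` would send those records down the existing wrong-algorithm error path instead. Both functions extend beyond their hunks.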
diff --git a/src/client/ns_turn_msg_defs_new.h b/src/client/ns_turn_msg_defs_new.h index 99709b3a..ae0b122c 100644 --- a/src/client/ns_turn_msg_defs_new.h +++ b/src/client/ns_turn_msg_defs_new.h @@ -48,6 +48,7 @@ #define SHA1SIZEBYTES (20) #define SHA256SIZEBYTES (32) +#define SHA512SIZEBYTES (64) #define MAXSHASIZE (128) @@ -55,12 +56,13 @@ enum _SHATYPE { SHATYPE_ERROR = -1, SHATYPE_DEFAULT=0, SHATYPE_SHA1=SHATYPE_DEFAULT, - SHATYPE_SHA256 + SHATYPE_SHA256, + SHATYPE_SHA512 }; typedef enum _SHATYPE SHATYPE; -#define shatype_name(sht) ((sht == SHATYPE_SHA1) ? "SHA1" : ((sht == SHATYPE_SHA256) ? "SHA256" : "SHA UNKNOWN")) +#define shatype_name(sht) ((sht == SHATYPE_SHA1) ? "SHA1" : ((sht == SHATYPE_SHA256) ? "SHA256" : ((sht == SHATYPE_SHA512) ? "SHA512" : "SHA UNKNOWN"))) #define SHA_TOO_WEAK_ERROR_CODE (426) @@ -90,7 +92,8 @@ enum _AUTH_ALG { AUTH_ALG_DEFAULT = 1, AUTH_ALG_HMAC_SHA_256_128 = AUTH_ALG_DEFAULT, AUTH_ALG_HMAC_SHA_1, - AUTH_ALG_HMAC_SHA_256 + AUTH_ALG_HMAC_SHA_256, + AUTH_ALG_HMAC_SHA_512 }; typedef enum _AUTH_ALG AUTH_ALG; diff --git a/src/ns_turn_defs.h b/src/ns_turn_defs.h index 570e1fdc..4e48fa0b 100644 --- a/src/ns_turn_defs.h +++ b/src/ns_turn_defs.h @@ -31,7 +31,7 @@ #ifndef __IOADEFS__ #define __IOADEFS__ -#define TURN_SERVER_VERSION "4.4.1.2" +#define TURN_SERVER_VERSION "4.4.1.3" #define TURN_SERVER_VERSION_NAME "Ardee West" #define TURN_SOFTWARE "Coturn-" TURN_SERVER_VERSION " '" TURN_SERVER_VERSION_NAME "'" diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c index acde670c..7a61f59e 100644 --- a/src/server/ns_turn_server.c +++ b/src/server/ns_turn_server.c 
@@ -3297,6 +3297,12 @@ static int check_stun_auth(turn_turnserver *server, return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method); } break; + case SHA512SIZEBYTES: + if(server->shatype != SHATYPE_SHA512) { + *err_code = 401; + return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method); + } + break; default: *err_code = 401; return create_challenge_response(ss,tid,resp_constructed,err_code,reason,nbh,method); diff --git a/turndb/schema.userdb.redis b/turndb/schema.userdb.redis index bcb5c4ff..e25fcd5b 100644 --- a/turndb/schema.userdb.redis +++ b/turndb/schema.userdb.redis @@ -45,7 +45,7 @@ and they will be almost immediately "seen" by the turnserver process. is 0 - unlimited lifetime. hkdf_hash_func - (optional) hash function for HKDF procedure; the - valid values are SHA-1 and SHA-256, with SHA-256 as default; + valid values are SHA-1, SHA-256 and SHA-512, with SHA-256 as default; The hkdf_hash_func is not needed if the as_rs_key and auth_key are defined explicitly in the database; @@ -59,7 +59,7 @@ and they will be almost immediately "seen" by the turnserver process. is defined by as_rs_alg. auth_alg - (optional) oAuth token authentication algorithm; the valid values are - "HMAC-SHA-256-128", "HMAC-SHA-256" and "HMAC-SHA-1". + "HMAC-SHA-256-128", "HMAC-SHA-256", "HMAC-SHA-512" and "HMAC-SHA-1". The default value is "HMAC-SHA-256-128". auth_key - (optional) base64-encoded AUTH key. If not defined, then diff --git a/turndb/testmongosetup.sh b/turndb/testmongosetup.sh index b6a8779c..a266cf90 100755 --- a/turndb/testmongosetup.sh +++ b/turndb/testmongosetup.sh @@ -51,6 +51,12 @@ db.oauth_key.insert({ kid: 'north', hkdf_hash_func: 'SHA-256', as_rs_alg: 'AES-256-CBC', auth_alg: 'HMAC-SHA-256-128' }); + +db.oauth_key.insert({ kid: 'union', + ikm_key: 'aGVyb2Q=', + hkdf_hash_func: 'SHA-256', + as_rs_alg: 'AES-256-CBC', + auth_alg: 'HMAC-SHA-512' }); db.oauth_key.insert({ kid: 'oldempire', ikm_key: 'YXVsY3Vz', 
diff --git a/turndb/testredisdbsetup.sh b/turndb/testredisdbsetup.sh index 1fe32ece..29d6d584 100755 --- a/turndb/testredisdbsetup.sh +++ b/turndb/testredisdbsetup.sh @@ -36,6 +36,7 @@ sadd turn/realm/north.gov/denied-peer-ip "172.17.13.133-172.17.14.56" "172.17.17 sadd turn/realm/crinna.org/denied-peer-ip "123::77" hmset turn/oauth/kid/north ikm_key 'Y2FybGVvbg==' hkdf_hash_func 'SHA-256' as_rs_alg 'AES-256-CBC' auth_alg 'HMAC-SHA-256-128' +hmset turn/oauth/kid/union ikm_key 'aGVyb2Q=' hkdf_hash_func 'SHA-256' as_rs_alg 'AES-256-CBC' auth_alg 'HMAC-SHA-512' hmset turn/oauth/kid/oldempire ikm_key 'YXVsY3Vz' hkdf_hash_func 'SHA-256' as_rs_alg 'AEAD-AES-256-GCM' hmset turn/admin_user/skarling realm 'north.gov' password 'hoodless' diff --git a/turndb/testsqldbsetup.sql b/turndb/testsqldbsetup.sql index b20dec5e..8bd0c7a7 100644 --- a/turndb/testsqldbsetup.sql +++ b/turndb/testsqldbsetup.sql @@ -32,4 +32,5 @@ insert into denied_peer_ip (realm,ip_range) values('north.gov','172.17.17.133-17 insert into denied_peer_ip (realm,ip_range) values('crinna.org','123::77'); insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('north','Y2FybGVvbg==',0,0,'SHA-256','AES-256-CBC','','HMAC-SHA-256-128',''); +insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('union','aGVyb2Q=',0,0,'SHA-256','AES-256-CBC','','HMAC-SHA-512',''); insert into oauth_key (kid,ikm_key,timestamp,lifetime,hkdf_hash_func,as_rs_alg,as_rs_key,auth_alg,auth_key) values('oldempire','YXVsY3Vz',0,0,'SHA-256','AEAD-AES-256-GCM','','','');