1 #[cfg(test)]
2 mod auth_test;
3 
4 use crate::error::*;
5 
6 use std::net::SocketAddr;
7 use std::time::{Duration, SystemTime, UNIX_EPOCH};
8 
9 use md5::{Digest, Md5};
10 use ring::hmac;
11 
/// Maps a `(username, realm)` pair presented by a peer to the raw key bytes
/// the server uses for that peer, or refuses it with an `Err`.
///
/// The key layout is the one produced by `generate_auth_key`; see that
/// function for what the bytes are.
pub trait AuthHandler {
    /// Returns the key for `username` in `realm`, or an error when the
    /// request must not be authenticated (e.g. an expired credential).
    ///
    /// `src_addr` is the address the request came from; the implementation
    /// in this file only logs it, but other handlers may use it for
    /// per-source policy.
    fn auth_handle(&self, username: &str, realm: &str, src_addr: SocketAddr) -> Result<Vec<u8>>;
}
15 
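/// Creates a time-windowed credential pair `(username, password)` that stays
/// valid for `duration` from now.
///
/// The username is the expiry instant in seconds since the Unix epoch; the
/// password is `long_term_credentials(&username, shared_secret)`, so any party
/// holding `shared_secret` can later re-derive the password from the username
/// alone (which is what `LongTermAuthHandler::auth_handle` does). Nothing
/// random goes into the pair: two calls in the same second with the same
/// secret yield identical credentials.
///
/// # Errors
///
/// Returns an error when the system clock is before the Unix epoch, or when
/// `now + duration` does not fit in a `Duration`.
pub fn generate_long_term_credentials(
    shared_secret: &str,
    duration: Duration,
) -> Result<(String, String)> {
    let now = SystemTime::now().duration_since(UNIX_EPOCH)?;
    // `Duration + Duration` panics on overflow; an absurd `duration` is a
    // caller error that should surface as `Err`, not take the process down.
    let expires_at = now
        .checked_add(duration)
        .ok_or_else(|| Error::Other(format!("credential lifetime {duration:?} overflows")))?;
    let username = expires_at.as_secs().to_string();
    let password = long_term_credentials(&username, shared_secret);
    Ok((username, password))
}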
26 
/// Derives the password for `username` as
/// `base64(HMAC-SHA1(key = shared_secret, msg = username))`.
///
/// `ring` exposes this algorithm under a name that marks it as legacy; it is
/// kept because the derived value *is* the credential format — switching the
/// MAC would invalidate every password issued so far. The output is exactly
/// as secret as `shared_secret`: anyone holding the secret can produce a valid
/// password for any username.
fn long_term_credentials(username: &str, shared_secret: &str) -> String {
    let key = hmac::Key::new(hmac::HMAC_SHA1_FOR_LEGACY_USE_ONLY, shared_secret.as_bytes());
    let tag = hmac::sign(&key, username.as_bytes());
    base64::encode(tag.as_ref())
}
35 
/// Builds the key `MD5(username ":" realm ":" password)` in the format that
/// [`AuthHandler::auth_handle`] returns.
///
/// MD5 here is the key-derivation step of the long-term credential mechanism
/// (RFC 5389 §10.2), not a general-purpose hash choice. The three inputs are
/// hashed exactly as given — no SASLprep/OpaqueString normalisation is
/// applied to `password` — so callers must pass the same byte-for-byte
/// strings on the issuing and verifying sides.
pub fn generate_auth_key(username: &str, realm: &str, password: &str) -> Vec<u8> {
    let input = [username, realm, password].join(":");
    let mut hasher = Md5::new();
    hasher.update(input.as_bytes());
    hasher.finalize().to_vec()
}
44 
/// [`AuthHandler`] for the time-windowed credentials produced by
/// [`generate_long_term_credentials`].
///
/// Holds the shared secret in memory for the handler's lifetime. There is
/// deliberately no `#[derive(Debug)]`: a derived impl would print
/// `shared_secret` into any `{:?}` log line. NOTE(review): keep it that way,
/// or implement `Debug` by hand with the field redacted.
pub struct LongTermAuthHandler {
    /// Secret shared with the credential issuer; it keys the HMAC in
    /// `long_term_credentials`, so whoever holds it can mint credentials.
    shared_secret: String,
}
48 
impl AuthHandler for LongTermAuthHandler {
    /// Accepts `username` only while the expiry it encodes (seconds since the
    /// Unix epoch) has not yet passed, then returns the key for the password
    /// that `long_term_credentials` derives from it.
    ///
    /// The password is not an input here: it is re-derived from `username`
    /// and `shared_secret`, exactly as `generate_long_term_credentials`
    /// produced it, so this handler only ever needs the secret, never a
    /// user database.
    ///
    /// # Errors
    ///
    /// A non-numeric `username` propagates its parse error; a clock before
    /// the Unix epoch propagates the `SystemTime` error; an expired username
    /// yields `Error::Other`.
    fn auth_handle(&self, username: &str, realm: &str, src_addr: SocketAddr) -> Result<Vec<u8>> {
        log::trace!(
            "Authentication username={} realm={} src_addr={}",
            username,
            realm,
            src_addr
        );

        // The username *is* the expiry timestamp.
        let expires_at: u64 = username.parse()?;
        let now = SystemTime::now().duration_since(UNIX_EPOCH)?;
        if now > Duration::from_secs(expires_at) {
            return Err(Error::Other(format!(
                "Expired time-windowed username {username}"
            )));
        }

        let password = long_term_credentials(username, &self.shared_secret);
        Ok(generate_auth_key(username, realm, &password))
    }
}
69 
impl LongTermAuthHandler {
    /// Creates a handler for the long-term credential mechanism
    /// (https://tools.ietf.org/search/rfc5389#section-10.2) keyed by
    /// `shared_secret` — the same value that was handed to
    /// `generate_long_term_credentials` when the credentials were issued.
    pub fn new(shared_secret: String) -> Self {
        Self { shared_secret }
    }
}