ascii-chat/turn__credentials_8c_source.html

#include "network/webrtc/turn_credentials.h"

#include "asciichat_errno.h"

#include "common.h"

#include "log/logging.h"


#include <openssl/evp.h>

#include <openssl/hmac.h>

#include <stdio.h>

#include <string.h>

#include <time.h>


static const char base64_table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";


static size_t base64_encode(const uint8_t *input, size_t input_len, char *output, size_t output_size) {

  if (!input || !output || input_len == 0) {

    return 0;

  }


  // Calculate required output size: ((n + 2) / 3) * 4 + 1 for null terminator

  size_t required_size = ((input_len + 2) / 3) * 4 + 1;

  if (output_size < required_size) {

    return 0;

  }


  size_t i = 0;

  size_t j = 0;


  // Process input in 3-byte chunks

  while (i + 2 < input_len) {

    uint32_t triple = ((uint32_t)input[i] << 16) | ((uint32_t)input[i + 1] << 8) | (uint32_t)input[i + 2];


    output[j++] = base64_table[(triple >> 18) & 0x3F];

    output[j++] = base64_table[(triple >> 12) & 0x3F];

    output[j++] = base64_table[(triple >> 6) & 0x3F];

    output[j++] = base64_table[triple & 0x3F];


    i += 3;

  }


  // Handle remaining bytes (1 or 2)

  if (i < input_len) {

    uint32_t triple = (uint32_t)input[i] << 16;

    if (i + 1 < input_len) {

      triple |= (uint32_t)input[i + 1] << 8;

    }


    output[j++] = base64_table[(triple >> 18) & 0x3F];

    output[j++] = base64_table[(triple >> 12) & 0x3F];


    if (i + 1 < input_len) {

      output[j++] = base64_table[(triple >> 6) & 0x3F];

    } else {

      output[j++] = '=';

    }

    output[j++] = '=';

  }


  output[j] = '\0';

  return j;

}


static asciichat_error_t hmac_sha1(const uint8_t *data, size_t data_len, const uint8_t *secret, size_t secret_len,

                                   uint8_t *output, unsigned int *output_len) {

  if (!data || !secret || !output || !output_len) {

    return SET_ERRNO(ERROR_INVALID_PARAM, "HMAC-SHA1: NULL parameter");

  }


  // OpenSSL 3.0+ uses EVP interface, older versions use HMAC_* functions

#if OPENSSL_VERSION_NUMBER >= 0x30000000L

  EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);

  if (!mac) {

    return SET_ERRNO(ERROR_CRYPTO, "HMAC-SHA1: Failed to fetch HMAC algorithm");

  }


  EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(mac);

  if (!ctx) {

    EVP_MAC_free(mac);

    return SET_ERRNO(ERROR_CRYPTO, "HMAC-SHA1: Failed to create context");

  }


  // Set digest algorithm to SHA1

  OSSL_PARAM params[] = {OSSL_PARAM_construct_utf8_string("digest", "SHA1", 0), OSSL_PARAM_construct_end()};


  if (EVP_MAC_init(ctx, secret, secret_len, params) != 1) {

    EVP_MAC_CTX_free(ctx);

    EVP_MAC_free(mac);

    return SET_ERRNO(ERROR_CRYPTO, "HMAC-SHA1: Failed to initialize");

  }


  if (EVP_MAC_update(ctx, data, data_len) != 1) {

    EVP_MAC_CTX_free(ctx);

    EVP_MAC_free(mac);

    return SET_ERRNO(ERROR_CRYPTO, "HMAC-SHA1: Failed to update");

  }


  size_t out_len = 0;

  if (EVP_MAC_final(ctx, output, &out_len, 20) != 1) {

    EVP_MAC_CTX_free(ctx);

    EVP_MAC_free(mac);

    return SET_ERRNO(ERROR_CRYPTO, "HMAC-SHA1: Failed to finalize");

  }


  *output_len = (unsigned int)out_len;


  EVP_MAC_CTX_free(ctx);

  EVP_MAC_free(mac);

#else

  // OpenSSL 1.x compatibility

  unsigned char *result = HMAC(EVP_sha1(), secret, (int)secret_len, data, data_len, output, output_len);

  if (!result) {

    return SET_ERRNO(ERROR_CRYPTO, "HMAC-SHA1: Failed to compute HMAC");

  }

#endif


  return ASCIICHAT_OK;

}


asciichat_error_t turn_generate_credentials(const char *session_id, const char *secret, uint32_t validity_seconds,

                                            turn_credentials_t *out_credentials) {

  if (!session_id || !secret || !out_credentials) {

    return SET_ERRNO(ERROR_INVALID_PARAM, "TURN credentials: NULL parameter");

  }


  if (validity_seconds == 0) {

    return SET_ERRNO(ERROR_INVALID_PARAM, "TURN credentials: validity_seconds must be > 0");

  }


  // Calculate expiration timestamp

  time_t now = time(NULL);

  time_t expires_at = now + (time_t)validity_seconds;


  // Format username: "{timestamp}:{session_id}"

  int username_len =

      snprintf(out_credentials->username, sizeof(out_credentials->username), "%ld:%s", (long)expires_at, session_id);

  if (username_len < 0 || (size_t)username_len >= sizeof(out_credentials->username)) {

    return SET_ERRNO(ERROR_BUFFER_OVERFLOW, "TURN credentials: username too long");

  }


  // Compute HMAC-SHA1(secret, username)

  uint8_t hmac_result[20]; // SHA1 produces 20 bytes

  unsigned int hmac_len = 0;


  asciichat_error_t result = hmac_sha1((const uint8_t *)out_credentials->username, (size_t)username_len,

                                       (const uint8_t *)secret, strlen(secret), hmac_result, &hmac_len);

  if (result != ASCIICHAT_OK) {

    return result;

  }


  if (hmac_len != 20) {

    return SET_ERRNO(ERROR_CRYPTO, "TURN credentials: unexpected HMAC length %u (expected 20)", hmac_len);

  }


  // Base64-encode the HMAC to get the password

  size_t encoded_len =

      base64_encode(hmac_result, hmac_len, out_credentials->password, sizeof(out_credentials->password));

  if (encoded_len == 0) {

    return SET_ERRNO(ERROR_BUFFER_OVERFLOW, "TURN credentials: password encoding failed");

  }


  out_credentials->expires_at = expires_at;


  log_debug("Generated TURN credentials: username=%s, expires_at=%ld", out_credentials->username, (long)expires_at);


  return ASCIICHAT_OK;

}


bool turn_credentials_expired(const turn_credentials_t *credentials) {

  if (!credentials) {

    return true;

  }


  time_t now = time(NULL);

  return now >= credentials->expires_at;

}


asciichat_errno.h
⚠️‼️ Error and/or exit() when things go bad.

uint32_t
unsigned int uint32_t
Definition common.h:58

uint8_t
unsigned char uint8_t
Definition common.h:56

SET_ERRNO
#define SET_ERRNO(code, context_msg,...)
Set error code with custom context message and log it.
Definition asciichat_errno.h:190

asciichat_error_t
asciichat_error_t
Error and exit codes - unified status values (0-255)
Definition error_codes.h:46

ASCIICHAT_OK
@ ASCIICHAT_OK
Definition error_codes.h:48

ERROR_CRYPTO
@ ERROR_CRYPTO
Definition error_codes.h:88

ERROR_INVALID_PARAM
@ ERROR_INVALID_PARAM
Definition error_codes.h:101

ERROR_BUFFER_OVERFLOW
@ ERROR_BUFFER_OVERFLOW
Definition error_codes.h:98

log_debug
#define log_debug(...)
Log a DEBUG message.
Definition log/logging.h:450

logging.h
📝 Logging API with multiple log levels and terminal output control

session_id
uint8_t session_id[16]
Definition src/client/webrtc.c:61

turn_credentials_t
TURN server credentials (username + password)
Definition turn_credentials.h:28

turn_credentials_t::password
char password[128]
Definition turn_credentials.h:30

turn_credentials_t::expires_at
time_t expires_at
Definition turn_credentials.h:31

turn_credentials_t::username
char username[128]
Definition turn_credentials.h:29

time.h
⏱️ High-precision timing utilities using sokol_time.h and uthash

turn_credentials_expired
bool turn_credentials_expired(const turn_credentials_t *credentials)
Check if TURN credentials have expired.
Definition turn_credentials.c:195

turn_generate_credentials
asciichat_error_t turn_generate_credentials(const char *session_id, const char *secret, uint32_t validity_seconds, turn_credentials_t *out_credentials)
Generate time-limited TURN credentials.
Definition turn_credentials.c:146

turn_credentials.h
TURN server credential generation for WebRTC.