RESPONSE_ORIGIN attribute only if rfc5780 is on

2025-10-24 20:41:03 +02:00 · 2021-06-05 21:36:20 +02:00 · 2021-06-05 21:36:20 +02:00 · 708b83ea78
commit 708b83ea78
parent 54ef051844
8 changed files with 43 additions and 14 deletions
--- a/8
+++ b/8
@ -23,10 +23,14 @@ Version 4.5.3 'dan Eider':
 		* SSL reload has hidden bugs which cause crashes
 	- Fix regression in PR #739
 	- Try to mitigate amplification attatck 
-		* Add option --no-rfc5780
+		* Add new option --no-rfc5780
 		  to force disable RFC8750
 		* Add new option --no-stun-backward-compatibility
-		  Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute in binding response (use only the XOR-MAPPED-ADDRESS).
+		  Disable handling old STUN Binding requests and disable
+		  MAPPED-ADDRESS attribute in binding response (use only the
+		  XOR-MAPPED-ADDRESS)
+		* Add new option --response-origin-only-with-rfc5780
+		  Add RESPONSE_ORIGIN attribute only if rfc5780 is enabled

 10/01/2021 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
 Version 4.5.2 'dan Eider':
--- a/README.turnserver
+++ b/README.turnserver
@ -616,6 +616,7 @@ Options with values:
                    adds attributes to response, and this increase the possibility of an amplification attack.
                    Strongly encouraged to use this option to decrease gain factor in STUN binding responses.
 --no-stun-backward-compatibility		Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute in binding response (use only the XOR-MAPPED-ADDRESS).
+--response-origin-only-with-rfc5780		Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
 					

 ==================================
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@ -781,3 +781,9 @@ no-rfc5780
 #
 no-stun-backward-compatibility

+# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+response-origin-only-with-rfc5780
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@ -188,6 +188,7 @@ ALLOCATION_DEFAULT_ADDRESS_FAMILY_IPV4,  /* allocation_default_address_family */

 0,  /* log_binding */
 0,	/* no_stun_backward_compatibility */
+0	/* response_origin_only_with_rfc5780 */
 };

 //////////////// OpenSSL Init //////////////////////
@ -699,6 +700,7 @@ static char Usage[] = "Usage: turnserver [options]\n"
 "						Strongly encouraged to use this option to decrease gain factor in STUN binding responses.\n"
 " --no-stun-backward-compatibility		Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute\n"
 "						in binding response (use only the XOR-MAPPED-ADDRESS).\n"
+" --response-origin-only-with-rfc5780		Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.\n"
 " -h						Help\n"
 "\n";

@ -846,7 +848,8 @@ enum EXTRA_OPTS {
 	ACME_REDIRECT_OPT,
 	LOG_BINDING_OPT,
 	NO_RFC5780,
-	NO_STUN_BACKWARD_COMPATIBILITY_OPT
+	NO_STUN_BACKWARD_COMPATIBILITY_OPT,
+	RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT
 };

 struct myoption {
@ -985,6 +988,7 @@ static const struct myoption long_options[] = {
 				{ "log-binding", optional_argument, NULL, LOG_BINDING_OPT },
 				{ "no-rfc5780", optional_argument, NULL, NO_RFC5780 },
 				{ "no-stun-backward-compatibility", optional_argument, NULL, NO_STUN_BACKWARD_COMPATIBILITY_OPT },
+				{ "response-origin-only-with-rfc5780", optional_argument, NULL, RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT },
 				{ NULL, no_argument, NULL, 0 }
 };

@ -1664,6 +1668,9 @@ static void set_option(int c, char *value)
 	case NO_STUN_BACKWARD_COMPATIBILITY_OPT:
 		turn_params.no_stun_backward_compatibility = get_bool_value(value);
 		break;
+	case RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT:
+		turn_params.response_origin_only_with_rfc5780 = get_bool_value(value);
+		break;

 	/* these options have been already taken care of before: */
 	case 'l':
--- a/src/apps/relay/mainrelay.h
+++ b/src/apps/relay/mainrelay.h
@ -340,6 +340,7 @@ typedef struct _turn_params_ {

  vint log_binding;
  vint no_stun_backward_compatibility;
+  vint response_origin_only_with_rfc5780;
 } turn_params_t;

 extern turn_params_t turn_params;
--- a/src/apps/relay/netengine.c
+++ b/src/apps/relay/netengine.c
@ -1695,7 +1695,8 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
 		turn_params.acme_redirect,
 		turn_params.allocation_default_address_family,
 		&turn_params.log_binding,
-		&turn_params.no_stun_backward_compatibility
+		&turn_params.no_stun_backward_compatibility,
+		&turn_params.response_origin_only_with_rfc5780
 		);
 	
 	if(to_set_rfc5780) {
--- a/src/server/ns_turn_server.c
+++ b/src/server/ns_turn_server.c
@ -2881,14 +2881,16 @@ static int handle_turn_binding(turn_turnserver *server,

 			if(!is_rfc5780(server)) {

-				if(old_stun) {
-					stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
-								OLD_STUN_ATTRIBUTE_SOURCE_ADDRESS, response_origin);
-					stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
-								OLD_STUN_ATTRIBUTE_CHANGED_ADDRESS, response_origin);
-				} else {
-					stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
-							STUN_ATTRIBUTE_RESPONSE_ORIGIN, response_origin);
+				if(!(*server->response_origin_only_with_rfc5780)) {
+					if(old_stun) {
+						stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
+									OLD_STUN_ATTRIBUTE_SOURCE_ADDRESS, response_origin);
+						stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
+									OLD_STUN_ATTRIBUTE_CHANGED_ADDRESS, response_origin);
+					} else {
+						stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
+								STUN_ATTRIBUTE_RESPONSE_ORIGIN, response_origin);
+					}
 				}

 			} else if(ss->client_socket) {
@ -4937,7 +4939,8 @@ void init_turn_server(turn_turnserver* server,
 		const char* acme_redirect,
 		ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family,
 		vintp log_binding,
-		vintp no_stun_backward_compatibility) {
+		vintp no_stun_backward_compatibility,
+		vintp response_origin_only_with_rfc5780) {

 	if (!server)
 		return;
@ -5013,6 +5016,8 @@ void init_turn_server(turn_turnserver* server,
 	server->log_binding = log_binding;

 	server->no_stun_backward_compatibility = no_stun_backward_compatibility;
+
+	server->response_origin_only_with_rfc5780 = response_origin_only_with_rfc5780;
 }

 ioa_engine_handle turn_server_get_engine(turn_turnserver *s) {
--- a/src/server/ns_turn_server.h
+++ b/src/server/ns_turn_server.h
@ -190,6 +190,9 @@ struct _turn_turnserver {

 	/* Disable handling old STUN Binding Requests and disable MAPPED-ADDRESS attribute in response */
 	vintp no_stun_backward_compatibility;
+
+	/* Only send RESPONSE-ORIGIN attribute in response if RFC5780 is enabled */
+	vintp response_origin_only_with_rfc5780;
 };

 const char * get_version(turn_turnserver *server);
@ -238,7 +241,8 @@ void init_turn_server(turn_turnserver* server,
 					const char* acme_redirect,
 					ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family,
 					vintp log_binding,
-					vintp no_stun_backward_compatibility
+					vintp no_stun_backward_compatibility,
+					vintp response_origin_only_with_rfc5780
 					);

 ioa_engine_handle turn_server_get_engine(turn_turnserver *s);