From 708b83ea78dfe109d1ddf5565660da957d155eff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Sat, 5 Jun 2021 21:36:20 +0200 Subject: [PATCH] RESPONSE_ORIGIN attribute only if rfc5780 is on --- ChangeLog | 8 ++++++-- README.turnserver | 1 + examples/etc/turnserver.conf | 6 ++++++ src/apps/relay/mainrelay.c | 9 ++++++++- src/apps/relay/mainrelay.h | 1 + src/apps/relay/netengine.c | 3 ++- src/server/ns_turn_server.c | 23 ++++++++++++++--------- src/server/ns_turn_server.h | 6 +++++- 8 files changed, 43 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7309db5b..83ae46e2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,10 +23,14 @@ Version 4.5.3 'dan Eider': * SSL reload has hidden bugs which cause crashes - Fix regression in PR #739 - Try to mitigate amplification attatck - * Add option --no-rfc5780 + * Add new option --no-rfc5780 to force disable RFC8750 * Add new option --no-stun-backward-compatibility - Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute in binding response (use only the XOR-MAPPED-ADDRESS). + Disable handling old STUN Binding requests and disable + MAPPED-ADDRESS attribute in binding response (use only the + XOR-MAPPED-ADDRESS) + * Add new option --response-origin-only-with-rfc5780 + Add RESPONSE_ORIGIN attribute only if rfc5780 is enabled 10/01/2021 Oleg Moskalenko Mihály Mészáros Version 4.5.2 'dan Eider': diff --git a/README.turnserver b/README.turnserver index 457b3d00..e8b42487 100644 --- a/README.turnserver +++ b/README.turnserver 
@@ -616,6 +616,7 @@ Options with values: adds attributes to response, and this increase the possibility of an amplification attack. Strongly encouraged to use this option to decrease gain factor in STUN binding responses. --no-stun-backward-compatibility Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute in binding response (use only the XOR-MAPPED-ADDRESS). +--response-origin-only-with-rfc5780 Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled. ================================== diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf index 7a1b708c..97999e7b 100644 --- a/examples/etc/turnserver.conf +++ b/examples/etc/turnserver.conf @@ -781,3 +781,9 @@ no-rfc5780 # no-stun-backward-compatibility +# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled. +# +# Strongly encouraged to use this option to decrease gain factor in STUN +# binding responses. +# +response-origin-only-with-rfc5780 diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index 2cce4c21..3ed4a1db 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -188,6 +188,7 @@ ALLOCATION_DEFAULT_ADDRESS_FAMILY_IPV4, /* allocation_default_address_family */ 0, /* log_binding */ 0, /* no_stun_backward_compatibility */ +0 /* response_origin_only_with_rfc5780 */ }; //////////////// OpenSSL Init ////////////////////// @@ -699,6 +700,7 @@ static char Usage[] = "Usage: turnserver [options]\n" " Strongly encouraged to use this option to decrease gain factor in STUN binding responses.\n" " --no-stun-backward-compatibility Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute\n" " in binding response (use only the XOR-MAPPED-ADDRESS).\n" +" --response-origin-only-with-rfc5780 Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.\n" " -h Help\n" "\n"; 
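Review bot: The new Usage line `" --response-origin-only-with-rfc5780 Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.\n"` is the text operators will rely on, and it names only RESPONSE-ORIGIN, whereas the server-side branch this patch guards also stops sending SOURCE-ADDRESS and CHANGED-ADDRESS to old-STUN clients when rfc5780 is off; suggest wording it `Only send RESPONSE-ORIGIN (and, for old STUN, SOURCE-ADDRESS/CHANGED-ADDRESS) in binding responses if RFC5780 is enabled.` A smaller point of style in the turn_params initializer: the added `0 /* response_origin_only_with_rfc5780 */` drops the trailing comma that the preceding `0, /* no_stun_backward_compatibility */` entry keeps, so the next field appended will have to touch this line again; writing `0, /* response_origin_only_with_rfc5780 */` keeps the existing convention. The Usage array and the initializer both start outside this hunk.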
@@ -846,7 +848,8 @@ enum EXTRA_OPTS {
 ACME_REDIRECT_OPT,
 LOG_BINDING_OPT,
 NO_RFC5780,
- NO_STUN_BACKWARD_COMPATIBILITY_OPT
+ NO_STUN_BACKWARD_COMPATIBILITY_OPT,
+ RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT
 };
 struct myoption {
@@ -985,6 +988,7 @@ static const struct myoption long_options[] = {
 { "log-binding", optional_argument, NULL, LOG_BINDING_OPT },
 { "no-rfc5780", optional_argument, NULL, NO_RFC5780 },
 { "no-stun-backward-compatibility", optional_argument, NULL, NO_STUN_BACKWARD_COMPATIBILITY_OPT },
+ { "response-origin-only-with-rfc5780", optional_argument, NULL, RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT },
 { NULL, no_argument, NULL, 0 }
 };
@@ -1664,6 +1668,9 @@ static void set_option(int c, char *value)
 case NO_STUN_BACKWARD_COMPATIBILITY_OPT:
 turn_params.no_stun_backward_compatibility = get_bool_value(value);
 break;
+ case RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT:
+ turn_params.response_origin_only_with_rfc5780 = get_bool_value(value);
+ break;
 /* these options have been already taken care of before: */
 case 'l':
diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h
index 9f791ec8..2e703874 100644
--- a/src/apps/relay/mainrelay.h
+++ b/src/apps/relay/mainrelay.h
@@ -340,6 +340,7 @@ typedef struct _turn_params_ {
 vint log_binding;
 vint no_stun_backward_compatibility;
+ vint response_origin_only_with_rfc5780;
 } turn_params_t;
 extern turn_params_t turn_params;
diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c
index 0d835dbb..34f414c6 100644
--- a/src/apps/relay/netengine.c
+++ b/src/apps/relay/netengine.c
@@ -1695,7 +1695,8 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
 turn_params.acme_redirect,
 turn_params.allocation_default_address_family,
 &turn_params.log_binding,
- &turn_params.no_stun_backward_compatibility
+ &turn_params.no_stun_backward_compatibility,
+ &turn_params.response_origin_only_with_rfc5780
 );
 if(to_set_rfc5780) {
diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c
index 3143a6c8..f0cbd236 100644
--- a/src/server/ns_turn_server.c
+++ b/src/server/ns_turn_server.c
@@ -2881,14 +2881,16 @@ static int handle_turn_binding(turn_turnserver *server,
 if(!is_rfc5780(server)) {
- if(old_stun) {
- stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
- OLD_STUN_ATTRIBUTE_SOURCE_ADDRESS, response_origin);
- stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
- OLD_STUN_ATTRIBUTE_CHANGED_ADDRESS, response_origin);
- } else {
- stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
- STUN_ATTRIBUTE_RESPONSE_ORIGIN, response_origin);
+ if(!(*server->response_origin_only_with_rfc5780)) {
+ if(old_stun) {
+ stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
+ OLD_STUN_ATTRIBUTE_SOURCE_ADDRESS, response_origin);
+ stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
+ OLD_STUN_ATTRIBUTE_CHANGED_ADDRESS, response_origin);
+ } else {
+ stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
+ STUN_ATTRIBUTE_RESPONSE_ORIGIN, response_origin);
+ }
 }
 } else if(ss->client_socket) {
@@ -4937,7 +4939,8 @@ void init_turn_server(turn_turnserver* server,
 const char* acme_redirect,
 ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family,
 vintp log_binding,
- vintp no_stun_backward_compatibility) {
+ vintp no_stun_backward_compatibility,
+ vintp response_origin_only_with_rfc5780) {
 if (!server) return;
@@ -5013,6 +5016,8 @@ void init_turn_server(turn_turnserver* server,
 server->log_binding = log_binding;
 server->no_stun_backward_compatibility = no_stun_backward_compatibility;
+
+ server->response_origin_only_with_rfc5780 = response_origin_only_with_rfc5780;
 }
 ioa_engine_handle turn_server_get_engine(turn_turnserver *s) {
diff --git a/src/server/ns_turn_server.h b/src/server/ns_turn_server.h
index 21603885..bc571796 100644
--- a/src/server/ns_turn_server.h
+++ b/src/server/ns_turn_server.h
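Review bot: The new guard `if(!(*server->response_origin_only_with_rfc5780))` in handle_turn_binding wraps the whole `old_stun` branch too, so with the option on and rfc5780 off a legacy client loses OLD_STUN_ATTRIBUTE_SOURCE_ADDRESS and OLD_STUN_ATTRIBUTE_CHANGED_ADDRESS as well as RESPONSE-ORIGIN, which neither the option name nor the help text says; either narrow the guard to the `else` branch if only RESPONSE-ORIGIN is meant, or state the intent at the branch with `/* option set: send no origin attributes at all (RESPONSE-ORIGIN, or SOURCE-/CHANGED-ADDRESS for old STUN) - each is an address attribute that adds to the response size and so to the amplification gain */`. The flag is dereferenced through a vintp with no NULL check, and init_turn_server stores whatever pointer it is handed, so correctness rests on every caller passing a valid address; netengine.c does, but any other caller of init_turn_server is not visible in this diff. handle_turn_binding begins and ends outside the hunk, so the `old_stun` and `response_origin` definitions it relies on are not visible here.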
@@ -190,6 +190,9 @@ struct _turn_turnserver {
 /* Disable handling old STUN Binding Requests and disable MAPPED-ADDRESS attribute in response */
 vintp no_stun_backward_compatibility;
+
+ /* Only send RESPONSE-ORIGIN attribute in response if RFC5780 is enabled */
+ vintp response_origin_only_with_rfc5780;
 };
 const char * get_version(turn_turnserver *server);
@@ -238,7 +241,8 @@ void init_turn_server(turn_turnserver* server,
 const char* acme_redirect,
 ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family,
 vintp log_binding,
- vintp no_stun_backward_compatibility
+ vintp no_stun_backward_compatibility,
+ vintp response_origin_only_with_rfc5780
 );
 ioa_engine_handle turn_server_get_engine(turn_turnserver *s);
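Review bot: The field comment `/* Only send RESPONSE-ORIGIN attribute in response if RFC5780 is enabled */` on the new struct member understates what ns_turn_server.c does with it: in the non-rfc5780 path the flag also withholds SOURCE-ADDRESS and CHANGED-ADDRESS from old-STUN Binding responses, so a maintainer reading the header alone would get the scope wrong. Suggest `/* When set and RFC5780 is off, add no origin attribute to Binding responses (RESPONSE-ORIGIN, or SOURCE-ADDRESS/CHANGED-ADDRESS for old STUN); reduces response size and amplification gain */`. It would also help to note next to the member that it is a pointer into turn_params that must stay valid for the server's lifetime, since init_turn_server copies the pointer rather than the value, as the sibling `no_stun_backward_compatibility` member does. The struct and the init_turn_server prototype both begin outside this hunk.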