mirror of https://github.com/coturn/coturn.git synced 2025-10-25 04:51:04 +02:00

RESPONSE_ORIGIN attribute only if rfc5780 is on

Mészáros Mihály 2021-06-05 21:36:20 +02:00
parent 54ef051844
commit 708b83ea78
8 changed files with 43 additions and 14 deletions


@ -23,10 +23,14 @@ Version 4.5.3 'dan Eider':
* SSL reload has hidden bugs which cause crashes * SSL reload has hidden bugs which cause crashes
- Fix regression in PR #739 - Fix regression in PR #739
- Try to mitigate amplification attatck - Try to mitigate amplification attatck
* Add option --no-rfc5780 * Add new option --no-rfc5780
to force disable RFC8750 to force disable RFC8750
* Add new option --no-stun-backward-compatibility * Add new option --no-stun-backward-compatibility
Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute in binding response (use only the XOR-MAPPED-ADDRESS). Disable handling old STUN Binding requests and disable
MAPPED-ADDRESS attribute in binding response (use only the
XOR-MAPPED-ADDRESS)
* Add new option --response-origin-only-with-rfc5780
Add RESPONSE_ORIGIN attribute only if rfc5780 is enabled
10/01/2021 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu> 10/01/2021 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
Version 4.5.2 'dan Eider': Version 4.5.2 'dan Eider':


@ -616,6 +616,7 @@ Options with values:
adds attributes to response, and this increase the possibility of an amplification attack. adds attributes to response, and this increase the possibility of an amplification attack.
Strongly encouraged to use this option to decrease gain factor in STUN binding responses. Strongly encouraged to use this option to decrease gain factor in STUN binding responses.
--no-stun-backward-compatibility Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute in binding response (use only the XOR-MAPPED-ADDRESS). --no-stun-backward-compatibility Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute in binding response (use only the XOR-MAPPED-ADDRESS).
--response-origin-only-with-rfc5780 Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
================================== ==================================


@ -781,3 +781,9 @@ no-rfc5780
# #
no-stun-backward-compatibility no-stun-backward-compatibility
# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
#
# Strongly encouraged to use this option to decrease gain factor in STUN
# binding responses.
#
response-origin-only-with-rfc5780


@ -188,6 +188,7 @@ ALLOCATION_DEFAULT_ADDRESS_FAMILY_IPV4, /* allocation_default_address_family */
0, /* log_binding */ 0, /* log_binding */
0, /* no_stun_backward_compatibility */ 0, /* no_stun_backward_compatibility */
0 /* response_origin_only_with_rfc5780 */
}; };
//////////////// OpenSSL Init ////////////////////// //////////////// OpenSSL Init //////////////////////
@ -699,6 +700,7 @@ static char Usage[] = "Usage: turnserver [options]\n"
" Strongly encouraged to use this option to decrease gain factor in STUN binding responses.\n" " Strongly encouraged to use this option to decrease gain factor in STUN binding responses.\n"
" --no-stun-backward-compatibility Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute\n" " --no-stun-backward-compatibility Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute\n"
" in binding response (use only the XOR-MAPPED-ADDRESS).\n" " in binding response (use only the XOR-MAPPED-ADDRESS).\n"
" --response-origin-only-with-rfc5780 Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.\n"
" -h Help\n" " -h Help\n"
"\n"; "\n";
@ -846,7 +848,8 @@ enum EXTRA_OPTS {
ACME_REDIRECT_OPT, ACME_REDIRECT_OPT,
LOG_BINDING_OPT, LOG_BINDING_OPT,
NO_RFC5780, NO_RFC5780,
NO_STUN_BACKWARD_COMPATIBILITY_OPT NO_STUN_BACKWARD_COMPATIBILITY_OPT,
RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT
}; };
struct myoption { struct myoption {
@ -985,6 +988,7 @@ static const struct myoption long_options[] = {
{ "log-binding", optional_argument, NULL, LOG_BINDING_OPT }, { "log-binding", optional_argument, NULL, LOG_BINDING_OPT },
{ "no-rfc5780", optional_argument, NULL, NO_RFC5780 }, { "no-rfc5780", optional_argument, NULL, NO_RFC5780 },
{ "no-stun-backward-compatibility", optional_argument, NULL, NO_STUN_BACKWARD_COMPATIBILITY_OPT }, { "no-stun-backward-compatibility", optional_argument, NULL, NO_STUN_BACKWARD_COMPATIBILITY_OPT },
{ "response-origin-only-with-rfc5780", optional_argument, NULL, RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT },
{ NULL, no_argument, NULL, 0 } { NULL, no_argument, NULL, 0 }
}; };
@ -1664,6 +1668,9 @@ static void set_option(int c, char *value)
case NO_STUN_BACKWARD_COMPATIBILITY_OPT: case NO_STUN_BACKWARD_COMPATIBILITY_OPT:
turn_params.no_stun_backward_compatibility = get_bool_value(value); turn_params.no_stun_backward_compatibility = get_bool_value(value);
break; break;
case RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT:
turn_params.response_origin_only_with_rfc5780 = get_bool_value(value);
break;
/* these options have been already taken care of before: */ /* these options have been already taken care of before: */
case 'l': case 'l':
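Review bot: The compiled-in default `0 /* response_origin_only_with_rfc5780 */` leaves RESPONSE-ORIGIN in binding responses unless the operator opts in, while the sample configuration section of this commit appears to list the option uncommented and calls it strongly encouraged; a server started without that file keeps the larger response. If the default must stay 0 for compatibility, the new `Usage[]` entry should carry the same rationale as the entry above it, e.g. a continuation line `"Strongly encouraged to use this option to decrease gain factor in STUN binding responses.\n"`. The initializer entry is positional, so it only lines up while the new field remains the last member of `turn_params_t`; a short comment at the initializer saying so would make that dependency visible. `Usage[]`, the initializer and `set_option` all start or end outside the hunks shown.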


@ -340,6 +340,7 @@ typedef struct _turn_params_ {
vint log_binding; vint log_binding;
vint no_stun_backward_compatibility; vint no_stun_backward_compatibility;
vint response_origin_only_with_rfc5780;
} turn_params_t; } turn_params_t;
extern turn_params_t turn_params; extern turn_params_t turn_params;


@ -1695,7 +1695,8 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
turn_params.acme_redirect, turn_params.acme_redirect,
turn_params.allocation_default_address_family, turn_params.allocation_default_address_family,
&turn_params.log_binding, &turn_params.log_binding,
&turn_params.no_stun_backward_compatibility &turn_params.no_stun_backward_compatibility,
&turn_params.response_origin_only_with_rfc5780
); );
if(to_set_rfc5780) { if(to_set_rfc5780) {


@ -2881,14 +2881,16 @@ static int handle_turn_binding(turn_turnserver *server,
if(!is_rfc5780(server)) { if(!is_rfc5780(server)) {
if(old_stun) { if(!(*server->response_origin_only_with_rfc5780)) {
stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len, if(old_stun) {
OLD_STUN_ATTRIBUTE_SOURCE_ADDRESS, response_origin); stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len, OLD_STUN_ATTRIBUTE_SOURCE_ADDRESS, response_origin);
OLD_STUN_ATTRIBUTE_CHANGED_ADDRESS, response_origin); stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
} else { OLD_STUN_ATTRIBUTE_CHANGED_ADDRESS, response_origin);
stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len, } else {
STUN_ATTRIBUTE_RESPONSE_ORIGIN, response_origin); stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
STUN_ATTRIBUTE_RESPONSE_ORIGIN, response_origin);
}
} }
} else if(ss->client_socket) { } else if(ss->client_socket) {
@ -4937,7 +4939,8 @@ void init_turn_server(turn_turnserver* server,
const char* acme_redirect, const char* acme_redirect,
ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family, ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family,
vintp log_binding, vintp log_binding,
vintp no_stun_backward_compatibility) { vintp no_stun_backward_compatibility,
vintp response_origin_only_with_rfc5780) {
if (!server) if (!server)
return; return;
@ -5013,6 +5016,8 @@ void init_turn_server(turn_turnserver* server,
server->log_binding = log_binding; server->log_binding = log_binding;
server->no_stun_backward_compatibility = no_stun_backward_compatibility; server->no_stun_backward_compatibility = no_stun_backward_compatibility;
server->response_origin_only_with_rfc5780 = response_origin_only_with_rfc5780;
} }
ioa_engine_handle turn_server_get_engine(turn_turnserver *s) { ioa_engine_handle turn_server_get_engine(turn_turnserver *s) {
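Review bot: In `handle_turn_binding` the new `if(!(*server->response_origin_only_with_rfc5780))` guard wraps the `old_stun` branch as well, so with the option set and RFC 5780 off a legacy Binding response also loses `OLD_STUN_ATTRIBUTE_SOURCE_ADDRESS` and `OLD_STUN_ATTRIBUTE_CHANGED_ADDRESS`, which neither the option name nor the help text mentions. A comment on the guard such as `/* also drops the legacy SOURCE-ADDRESS/CHANGED-ADDRESS pair sent to old STUN clients */` would document it, and the same sentence belongs in the option description. The guard has to stay nested rather than being folded into the `!is_rfc5780(server)` test, because folding would route the flag-on case into the `else if(ss->client_socket)` branch. The pointer is dereferenced without a NULL check; the one caller visible on this page passes `&turn_params.response_origin_only_with_rfc5780`, so this is safe only if every other caller of `init_turn_server` does the same. The function body starts and ends outside the hunk.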


@ -190,6 +190,9 @@ struct _turn_turnserver {
/* Disable handling old STUN Binding Requests and disable MAPPED-ADDRESS attribute in response */ /* Disable handling old STUN Binding Requests and disable MAPPED-ADDRESS attribute in response */
vintp no_stun_backward_compatibility; vintp no_stun_backward_compatibility;
/* Only send RESPONSE-ORIGIN attribute in response if RFC5780 is enabled */
vintp response_origin_only_with_rfc5780;
}; };
const char * get_version(turn_turnserver *server); const char * get_version(turn_turnserver *server);
@ -238,7 +241,8 @@ void init_turn_server(turn_turnserver* server,
const char* acme_redirect, const char* acme_redirect,
ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family, ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family,
vintp log_binding, vintp log_binding,
vintp no_stun_backward_compatibility vintp no_stun_backward_compatibility,
vintp response_origin_only_with_rfc5780
); );
ioa_engine_handle turn_server_get_engine(turn_turnserver *s); ioa_engine_handle turn_server_get_engine(turn_turnserver *s);