diff --git a/ChangeLog b/ChangeLog
index 3dd1bcc3..9e29c956 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,7 @@ 08/14/2014 Oleg Moskalenko Version 4.1.2.1 'Vitari': - The origin attribute is verified in the subsequent - session messages. + session messages (server flag --check-origin-consistency). - MySQL SSL connection support. - Crash fixed when the DB connection string is incorrect. - Minor docs fixes.
diff --git a/README.turnserver b/README.turnserver
index 0a014d98..ec163486 100644
--- a/README.turnserver
+++ b/README.turnserver
@@ -269,6 +269,11 @@ Flags: (if configured). The load balancing is using the ALTERNATE-SERVER mechanism. The TURN client must support 300 ALTERNATE-SERVER response for this functionality. + +--check-origin-consistency The flag that sets the origin consistency check: across the session, all requests must have the same main ORIGIN attribute value (if the ORIGIN was initially used by the session). -h Help.
@@ -388,8 +393,8 @@ Options with required values: and the userdb file). Must be used with long-term credentials mechanism or with TURN REST API. --C, --rest-api-separator This is the timestamp/username separator symbol (character) in TURN REST API. - The default value is :. +-C, --rest-api-separator This is the timestamp/username separator symbol + (character) in TURN REST API. The default value is :. -q, --user-quota Per-user allocations quota: how many concurrent allocations a user can create. This option can also be set
diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf
index a6012850..b35391f8 100644
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@@ -306,6 +306,13 @@ # #realm=mycompany.org +# The flag that sets the origin consistency +# check: across the session, all requests must have the same +# main ORIGIN attribute value (if the ORIGIN was +# initially used by the session). +# +#check-origin-consistency + # Per-user allocation quota. # default value is 0 (no quota, unlimited number of sessions per user). # This option can also be set through the database, for a particular realm.
diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1
index e5800532..72dd3e6f 100644
--- a/man/man1/turnadmin.1
+++ b/man/man1/turnadmin.1
@@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "17 August 2014" "" "" +.TH TURN 1 "18 August 2014" "" "" .SH GENERAL INFORMATION \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage
diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1
index 3f668545..2e3878da 100644
--- a/man/man1/turnserver.1
+++ b/man/man1/turnserver.1
@@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "17 August 2014" "" "" +.TH TURN 1 "18 August 2014" "" "" .SH GENERAL INFORMATION The \fBTURN Server\fP project contains the source code of a TURN server and TURN client
@@ -410,6 +410,13 @@ ALTERNATE\-SERVER mechanism. The TURN client must support 300 ALTERNATE\-SERVER response for this functionality. .TP .B +\fB\-\-check\-origin\-consistency\fP +The flag that sets the origin consistency +check: across the session, all requests must have the same +main ORIGIN attribute value (if the ORIGIN was +initially used by the session). +.TP +.B \fB\-h\fP Help. .TP
@@ -566,8 +573,8 @@ mechanism or with TURN REST API. .TP .B \fB\-C\fP, \fB\-\-rest\-api\-separator\fP -This is the timestamp/username separator symbol (character) in TURN REST API. -The default value is :. +This is the timestamp/username separator symbol +(character) in TURN REST API. The default value is :. .TP .B \fB\-q\fP, \fB\-\-user\-quota\fP
diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1
index 8e822401..4182b7f7 100644
--- a/man/man1/turnutils.1
+++ b/man/man1/turnutils.1
@@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "17 August 2014" "" "" +.TH TURN 1 "18 August 2014" "" "" .SH GENERAL INFORMATION A set of turnutils_* programs provides some utility functionality to be used
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index bfd60209..f29fc79e 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -81,7 +81,7 @@ DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,1, NEV_UNKNOWN, { "Unknown", "UDP listening socket per session", "UDP thread per network endpoint", "UDP thread per CPU core" }, //////////////// Relay servers ////////////////////////////////// -LOW_DEFAULT_PORTS_BOUNDARY,HIGH_DEFAULT_PORTS_BOUNDARY,0,0,"", +LOW_DEFAULT_PORTS_BOUNDARY,HIGH_DEFAULT_PORTS_BOUNDARY,0,0,0,"", 0,NULL,0,NULL,DEFAULT_GENERAL_RELAY_SERVERS_NUMBER,0, ////////////// Auth server ///////////////////////////////////// {NULL,NULL,NULL,0,NULL},
@@ -397,6 +397,10 @@ static char Usage[] = "Usage: turnserver [options]\n" " server is not using any database (just the commands-line settings\n" " and the userdb file). Must be used with long-term credentials \n" " mechanism or with TURN REST API.\n" +" --check-origin-consistency The flag that sets the origin consistency check:\n" +" across the session, all requests must have the same\n" +" main ORIGIN attribute value (if the ORIGIN was\n" +" initially used by the session).\n" " -q, --user-quota Per-user allocation quota: how many concurrent allocations a user can create.\n" " This option can also be set through the database, for a particular realm.\n" " -Q, --total-quota Total allocations quota: global limit on concurrent allocations.\n"
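Review bot: The new `0,` slotted into the positional initializer of the turn_params default (`LOW_DEFAULT_PORTS_BOUNDARY,HIGH_DEFAULT_PORTS_BOUNDARY,0,0,0,"",`) can only be matched to the `vint check_origin` field the header inserts between max_port and no_multicast_peers by counting commas, so the next field added in either place will silently shift every later value onto the wrong member. A per-slot comment, `/* check_origin */ 0,`, or a designated `.check_origin = 0,` makes the pairing visible to the reviewer and the compiler. It also records the default plainly: with 0 the origin consistency check in the server stays off unless --check-origin-consistency is given.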
@@ -670,6 +674,7 @@ enum EXTRA_OPTS { NO_TLSV1_OPT, NO_TLSV1_1_OPT, NO_TLSV1_2_OPT, + CHECK_ORIGIN_CONSISTENCY_OPT, ADMIN_MAX_BPS_OPT, ADMIN_TOTAL_QUOTA_OPT, ADMIN_USER_QUOTA_OPT
@@ -734,6 +739,7 @@ static const struct myoption long_options[] = { { "Verbose", optional_argument, NULL, 'V' }, { "daemon", optional_argument, NULL, 'o' }, { "fingerprint", optional_argument, NULL, 'f' }, + { "check-origin-consistency", optional_argument, NULL, CHECK_ORIGIN_CONSISTENCY_OPT }, { "no-udp", optional_argument, NULL, NO_UDP_OPT }, { "no-tcp", optional_argument, NULL, NO_TCP_OPT }, { "no-tls", optional_argument, NULL, NO_TLS_OPT },
@@ -1152,6 +1158,9 @@ static void set_option(int c, char *value) turn_params.bps_capacity = (band_limit_t)atoi(value); TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%lu bytes per second allowed, combined server capacity\n",(unsigned long)turn_params.bps_capacity); break; + case CHECK_ORIGIN_CONSISTENCY_OPT: + turn_params.check_origin = get_bool_value(value); + break; case NO_UDP_OPT: turn_params.no_udp = get_bool_value(value); break;
diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h
index 22b16902..d105b459 100644
--- a/src/apps/relay/mainrelay.h
+++ b/src/apps/relay/mainrelay.h
@@ -250,6 +250,8 @@ typedef struct _turn_params_ { u16bits min_port; u16bits max_port; + vint check_origin; + vint no_multicast_peers; vint no_loopback_peers;
diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c
index 5f857c79..5adb222d 100644
--- a/src/apps/relay/netengine.c
+++ b/src/apps/relay/netengine.c
@@ -1574,6 +1574,7 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int check_new_allocation_quota, release_allocation_quota, turn_params.external_ip, + &turn_params.check_origin, &turn_params.no_tcp_relay, &turn_params.no_udp_relay, &turn_params.stale_nonce,
diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c
index 0b35a37d..de00da58 100644
--- a/src/server/ns_turn_server.c
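Review bot: The new `CHECK_ORIGIN_CONSISTENCY_OPT` case in set_option stores the flag without reporting it, whereas the adjacent `bps_capacity` case logs its effective value at startup; since this flag turns on a 441 rejection of requests that are otherwise valid, an operator tracing refused sessions should be able to see it in the log. One line after the assignment is enough: `TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "origin consistency check: %s\n", turn_params.check_origin ? "enabled" : "disabled");`. The option is registered with optional_argument like no-udp, so value can be NULL here; get_bool_value is presumably already NULL-tolerant given the existing callers, but that is not visible in this hunk. set_option starts and ends outside the hunk.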
+++ b/src/server/ns_turn_server.c
@@ -3506,24 +3506,26 @@ static int handle_turn_command(turn_turnserver *server, ts_ur_super_session *ss, ioa_network_buffer_get_size(in_buffer->nbh), sar); } - if(ss->origin[0]) { - if(!origin_found) { + if(server->check_origin && *(server->check_origin)) { + if(ss->origin[0]) { + if(!origin_found) { + err_code = 441; + reason = (const u08bits *)"The origin attribute does not match the initial session origin value"; + if(server->verbose) { + char smethod[129]; + stun_method_str(method,smethod); + log_method(ss, smethod, err_code, reason); + } + } + } else if(norigins > 0){ err_code = 441; - reason = (const u08bits *)"The origin attribute does not match the initial session origin value"; + reason = (const u08bits *)"The origin attribute is empty, does not match the initial session origin value"; if(server->verbose) { char smethod[129]; stun_method_str(method,smethod); log_method(ss, smethod, err_code, reason); } } - } else if(norigins > 0){ - err_code = 441; - reason = (const u08bits *)"The origin attribute is empty, does not match the initial session origin value"; - if(server->verbose) { - char smethod[129]; - stun_method_str(method,smethod); - log_method(ss, smethod, err_code, reason); - } } }
@@ -4675,6 +4677,7 @@ void init_turn_server(turn_turnserver* server, check_new_allocation_quota_cb chquotacb, release_allocation_quota_cb raqcb, ioa_addr *external_ip, + vintp check_origin, vintp no_tcp_relay, vintp no_udp_relay, vintp stale_nonce,
@@ -4718,6 +4721,7 @@ void init_turn_server(turn_turnserver* server, TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"turn server id=%d created\n",(int)id); + server->check_origin = check_origin; server->no_tcp_relay = no_tcp_relay; server->no_udp_relay = no_udp_relay;
diff --git a/src/server/ns_turn_server.h b/src/server/ns_turn_server.h
index feaad20d..1aba589e 100644
--- a/src/server/ns_turn_server.h
+++ b/src/server/ns_turn_server.h
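Review bot: The two rejection branches under the new `server->check_origin && *(server->check_origin)` guard each repeat the same four-line verbose-log block, and the guard adds a fourth nesting level inside handle_turn_command; collecting the reason into a local and logging once keeps the behaviour identical while leaving a single place to maintain. The guard also makes origin-consistency enforcement opt-in (the default slot added in mainrelay.c is 0), which is worth stating at the site so a later reader does not mistake the unguarded computation of `origin_found`/`norigins` above it for an enforcement path; a comment on the guard line such as `/* Opt-in (--check-origin-consistency): reject a request whose ORIGIN differs from the one the session was established with. */` would do. handle_turn_command starts and ends outside the hunk.
```c
	/* Opt-in (--check-origin-consistency): reject a request whose ORIGIN
	 * differs from the one the session was established with. */
	if(server->check_origin && *(server->check_origin)) {
		const char *origin_err = NULL;
		if(ss->origin[0]) {
			if(!origin_found)
				origin_err = "The origin attribute does not match the initial session origin value";
		} else if(norigins > 0) {
			origin_err = "The origin attribute is empty, does not match the initial session origin value";
		}
		if(origin_err) {
			err_code = 441;
			reason = (const u08bits *)origin_err;
			if(server->verbose) {
				char smethod[129];
				stun_method_str(method,smethod);
				log_method(ss, smethod, err_code, reason);
			}
		}
	}
```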
@@ -112,6 +112,7 @@ struct _turn_turnserver { int verbose; int fingerprint; int rfc5780; + vintp check_origin; vintp stale_nonce; vintp stun_only; vintp no_stun;
@@ -174,6 +175,7 @@ void init_turn_server(turn_turnserver* server, check_new_allocation_quota_cb chquotacb, release_allocation_quota_cb raqcb, ioa_addr *external_addr, + vintp check_origin, vintp no_tcp_relay, vintp no_udp_relay, vintp stale_nonce,