
New upstream version 4.5.1.0

This commit is contained in:
Mészáros Mihály 2019-01-18 13:37:04 +01:00
commit 9a84f5f065
44 changed files with 468 additions and 363 deletions


@ -1,5 +1,45 @@
27/09/2018 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
Version 4.5.0.9 'dan Eider':
24/11/2018 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
Version 4.5.1.0 'dan Eider':
Consider to change config file after upgrade, because it contains some
not backward compatible breaking changes !!
- Security fixes
Many thanks to Nicolas Edet (Cisco) !!
who reported all of the following issues:
* DB/SQL injection in stun realm. Fix: add extra string validation.
* DB/SQL injection in web-admin interface lack of admin user validation.
Fix: add extra string validation.
* Fix for earlier unsafe default settings:
o HTTPS administrator interface should be disabled by default
It could be enbled with "web-admin" option.
o Default configuration allowed earlier forwarding traffic
from an external interface to loopback interface. Now it
has been changed and option name is also changed!
!!BREAKING change!! Don't forget to change config!!
"no-loopback-peers" replaced by "allow-loopback-peers"
o Unauthenticated telnet admin interface runs on the
loopback interface, which can be accessed by exploiting the
loopback relay that was enabled by default.
* Add username string sanity check on web admin interface to
avoid any sql-injection attacks.
- Admin portal does not list TCP session ( reported and fixed by Nicolas Edet )
- Fix memory leak in read_config_file (by Thibaut Ackermann)
- Add a release helper script.
- Web Admin interface use own listener (it is disableb by default) (by Thibaut ACKERMANN)
!!BREAKING change!! Don't forget to change/review config!!
* Add new option "web-admin-ip" to set listener ip. By default (127.0.0.1)
* Add new option "web-admin-port" to set webadmin listen port
* Add new option "web-admin-listen-on-workers" to change back to earlier
behaviour and listen web admin on all worker processes and ports.
- Not allow to start server if "allow-loopback-peers" set without "cli-password"
!!BREAKING change!! Don't forget to change config!!
Added a warning if cli-password is empty or missing, but allow-loopback-peers
set, and so loopback allocation is enalbed.
27/09/2018 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
Version 4.5.0.8 'dan Eider':

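--- a/Makefile
+++ /dev/null
@@ -1,261 +0,0 @@
-#################################
-# Generated by configure script #
-#################################
-ECHO_CMD = echo
-CC = cc
-LDFLAGS += -L/usr/local/lib/ -L/usr/local/lib/ -lrt -lintl -pthread -lcrypto -lssl -levent_core -levent_extra -levent_openssl -levent_pthreads -lsqlite3 -Wl,-rpath,/usr/local/lib/ -Wl,-rpath,/usr/local/lib/ -Wl,-rpath,/usr/local/lib/postgresql -Wl,-rpath,/usr/local/lib/postgresql -Wl,-rpath,/usr/local/lib/mysql -Wl,-rpath,/usr/local/lib/mysql -Wl,-rpath,/usr/local/lib
-DBLIBS += -lsqlite3 -L/usr/local/lib/ -L/usr/local/lib/ -lrt -lintl -pthread -lcrypto -lssl -levent_core -levent_extra -levent_openssl -levent_pthreads -lsqlite3 -L/usr/local/lib/postgresql -L/usr/local/lib/postgresql -lpq -L/usr/local/lib/ -L/usr/local/lib/ -lrt -lintl -pthread -lcrypto -lssl -levent_core -levent_extra -levent_openssl -levent_pthreads -lsqlite3 -L/usr/local/lib/mysql -L/usr/local/lib/mysql -lmysqlclient -lmongoc-1.0 -lbson-1.0 -lhiredis
-CFLAGS += -g -Wall -Wno-deprecated-declarations -Wextra -Wformat-security -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wcast-qual -I/usr/local/include -I/usr/local/include/ -I/usr/local/include -DTURN_HAS_SIN_LEN -DTURN_HAS_DAEMON -DTURN_SCTP_INCLUDE="</usr/include/netinet/sctp.h>" -DINSTALL_PREFIX=/usr/local -DTURNDB=/usr/local/var/db/turndb
-CPPFLAGS =
-DBCFLAGS += -I/usr/local/pgsql/include -I/usr/local/include/pgsql/ -I/usr/local/include/postgres/ -I/usr/local/postgres/include/ -I/usr/local/include/postgresql/ -I/usr/local/postgresql/include/ -I/usr/local/pgsql/include -I/usr/local/include/pgsql/ -I/usr/local/include/postgres/ -I/usr/local/postgres/include/ -I/usr/local/include/postgresql/ -I/usr/local/postgresql/include/ -I/usr/pgsql/include -I/usr/include/pgsql/ -I/usr/include/postgres/ -I/usr/postgres/include/ -I/usr/include/postgresql/ -I/usr/postgresql/include/ -I/usr/local/mysql/include -I/usr/local/include/mysql/ -I/usr/local/mysql/include -I/usr/local/include/mysql/ -I/usr/mysql/include -I/usr/include/mysql/ -I/usr/local/include/libmongoc-1.0 -I/usr/local/include/libbson-1.0 -I/usr/local/include/libmongoc-1.0 -I/usr/local/include/libbson-1.0 -I/usr/local/include/hiredis -I/usr/local/include/hiredis
-#
-PORTNAME = turnserver
-PREFIX = /usr/local
-prefix = /usr/local
-BINDIR = /usr/local/bin
-bindir = /usr/local/bin
-LOCALSTATEDIR = /usr/local/var
-localstatedir = /usr/local/var
-TURNDBDIR = /usr/local/var/db
-turndbdir = /usr/local/var/db
-CONFDIR = /usr/local/etc
-confdir = /usr/local/etc
-MANPREFIX = /usr/local
-manprefix = /usr/local
-EXAMPLESDIR = /usr/local/share/examples/turnserver
-examplesdir = /usr/local/share/examples/turnserver
-DOCSDIR = /usr/local/share/doc/turnserver
-docsdir = /usr/local/share/doc/turnserver
-LIBDIR = /usr/local/lib
-libdir = /usr/local/lib
-SCHEMADIR = /usr/local/share/turnserver
-schemadir = /usr/local/share/turnserver
-INCLUDEDIR = /usr/local/include
-includedir = /usr/local/include
-TURNINCLUDEDIR = /usr/local/include/turn
-turnincludedir = /usr/local/include/turn
-#
-ARCHIVERCMD = ar -r
-MKDIR = install -d
-SQLITE_CMD = sqlite3
-INSTALL_PROGRAM = install
-PKILL_PROGRAM = pkill
-INSTALL_MAN = install
-INSTALL_SCRIPT = install
-INSTALL_SHARED_LIB = install
-INSTALL_STATIC_LIB = install
-INSTALL_DATA = install
-INSTALL_DIR = cp -rpf
-MKBUILDDIR = mkdir -p
-RMCMD = rm -rf
-MORECMD = cat
-LDCONFIG=ldconfig -m
-################################
-LIBEVENT_INCLUDE = -I${PREFIX}/include/ -I/usr/local/include/
-INCFLAGS = -Isrc -Isrc/apps/common -Isrc/server -Isrc/client -Isrc/client++ ${LIBEVENT_INCLUDE}
-CFLAGS += ${INCFLAGS}
-MAKE_DEPS = Makefile
-LIBCLIENTTURN_HEADERS = src/ns_turn_defs.h src/client++/TurnMsgLib.h src/client/ns_turn_ioaddr.h src/client/ns_turn_msg.h src/client/ns_turn_msg_defs.h src/client/ns_turn_msg_defs_experimental.h src/client/ns_turn_msg_addr.h
-LIBCLIENTTURN_MODS = src/client/ns_turn_ioaddr.c src/client/ns_turn_msg_addr.c src/client/ns_turn_msg.c
-LIBCLIENTTURN_DEPS = ${LIBCLIENTTURN_HEADERS} ${MAKE_DEPS}
-LIBCLIENTTURN_OBJS = build/obj/ns_turn_ioaddr.o build/obj/ns_turn_msg_addr.o build/obj/ns_turn_msg.o
-SERVERTURN_HEADERS = src/server/ns_turn_allocation.h src/server/ns_turn_ioalib.h src/server/ns_turn_khash.h src/server/ns_turn_maps_rtcp.h src/server/ns_turn_maps.h src/server/ns_turn_server.h src/server/ns_turn_session.h
-SERVERTURN_DEPS = ${LIBCLIENTTURN_HEADERS} ${SERVERTURN_HEADERS} ${MAKE_DEPS}
-SERVERTURN_MODS = ${LIBCLIENTTURN_MODS} src/server/ns_turn_allocation.c src/server/ns_turn_maps_rtcp.c src/server/ns_turn_maps.c src/server/ns_turn_server.c
-COMMON_HEADERS = src/apps/common/apputils.h src/apps/common/ns_turn_openssl.h src/apps/common/ns_turn_utils.h src/apps/common/stun_buffer.h
-COMMON_MODS = src/apps/common/apputils.c src/apps/common/ns_turn_utils.c src/apps/common/stun_buffer.c
-COMMON_DEPS = ${LIBCLIENTTURN_DEPS} ${COMMON_MODS} ${COMMON_HEADERS}
-IMPL_HEADERS = src/apps/relay/ns_ioalib_impl.h src/apps/relay/ns_sm.h src/apps/relay/turn_ports.h
-IMPL_MODS = src/apps/relay/ns_ioalib_engine_impl.c src/apps/relay/turn_ports.c src/apps/relay/http_server.c
-IMPL_DEPS = ${COMMON_DEPS} ${IMPL_HEADERS} ${IMPL_MODS}
-HIREDIS_HEADERS = src/apps/common/hiredis_libevent2.h
-HIREDIS_MODS = src/apps/common/hiredis_libevent2.c
-USERDB_HEADERS = src/apps/relay/dbdrivers/dbdriver.h src/apps/relay/dbdrivers/dbd_sqlite.h src/apps/relay/dbdrivers/dbd_pgsql.h src/apps/relay/dbdrivers/dbd_mysql.h src/apps/relay/dbdrivers/dbd_mongo.h src/apps/relay/dbdrivers/dbd_redis.h
-USERDB_MODS = src/apps/relay/dbdrivers/dbdriver.c src/apps/relay/dbdrivers/dbd_sqlite.c src/apps/relay/dbdrivers/dbd_pgsql.c src/apps/relay/dbdrivers/dbd_mysql.c src/apps/relay/dbdrivers/dbd_mongo.c src/apps/relay/dbdrivers/dbd_redis.c
-SERVERAPP_HEADERS = src/apps/relay/userdb.h src/apps/relay/tls_listener.h src/apps/relay/mainrelay.h src/apps/relay/turn_admin_server.h src/apps/relay/dtls_listener.h src/apps/relay/libtelnet.h ${HIREDIS_HEADERS} ${USERDB_HEADERS}
-SERVERAPP_MODS = src/apps/relay/mainrelay.c src/apps/relay/netengine.c src/apps/relay/libtelnet.c src/apps/relay/turn_admin_server.c src/apps/relay/userdb.c src/apps/relay/tls_listener.c src/apps/relay/dtls_listener.c ${HIREDIS_MODS} ${USERDB_MODS}
-SERVERAPP_DEPS = ${SERVERTURN_MODS} ${SERVERTURN_DEPS} ${SERVERAPP_MODS} ${SERVERAPP_HEADERS} ${COMMON_DEPS} ${IMPL_DEPS} lib/libturnclient.a
-TURN_BUILD_RESULTS = bin/turnutils_oauth bin/turnutils_natdiscovery bin/turnutils_stunclient bin/turnutils_rfc5769check bin/turnutils_uclient bin/turnserver bin/turnutils_peer lib/libturnclient.a include/turn/ns_turn_defs.h sqlite_empty_db
-.PHONY: all test check clean distclean sqlite_empty_db install deinstall uninstall reinstall
-all: ${TURN_BUILD_RESULTS}
-test: check
-check: bin/turnutils_rfc5769check
-bin/turnutils_rfc5769check
-include/turn/ns_turn_defs.h: src/ns_turn_defs.h
-${RMCMD} include
-${MKBUILDDIR} include/turn/client
-cp -pf src/client/*.h include/turn/client/
-cp -pf src/client++/*.h include/turn/client/
-cp -pf src/ns_turn_defs.h include/turn/
-bin/turnutils_uclient: ${COMMON_DEPS} src/apps/uclient/session.h lib/libturnclient.a src/apps/uclient/mainuclient.c src/apps/uclient/uclient.c src/apps/uclient/uclient.h src/apps/uclient/startuclient.c src/apps/uclient/startuclient.h
-${MKBUILDDIR} bin
-${CC} ${CPPFLAGS} ${CFLAGS} src/apps/uclient/uclient.c src/apps/uclient/startuclient.c src/apps/uclient/mainuclient.c ${COMMON_MODS} -o $@ -Llib -lturnclient -Llib ${LDFLAGS}
-bin/turnutils_natdiscovery: ${COMMON_DEPS} lib/libturnclient.a src/apps/natdiscovery/natdiscovery.c
-pwd
-${MKBUILDDIR} bin
-${CC} ${CPPFLAGS} ${CFLAGS} src/apps/natdiscovery/natdiscovery.c ${COMMON_MODS} -o $@ -Llib -lturnclient -Llib ${LDFLAGS}
-bin/turnutils_oauth: ${COMMON_DEPS} lib/libturnclient.a src/apps/oauth/oauth.c
-pwd
-${MKBUILDDIR} bin
-${CC} ${CPPFLAGS} ${CFLAGS} src/apps/oauth/oauth.c ${COMMON_MODS} -o $@ -Llib -lturnclient -Llib ${LDFLAGS}
-bin/turnutils_stunclient: ${COMMON_DEPS} lib/libturnclient.a src/apps/stunclient/stunclient.c
-pwd
-${MKBUILDDIR} bin
-${CC} ${CPPFLAGS} ${CFLAGS} src/apps/stunclient/stunclient.c ${COMMON_MODS} -o $@ -Llib -lturnclient -Llib ${LDFLAGS}
-bin/turnutils_rfc5769check: ${COMMON_DEPS} lib/libturnclient.a src/apps/rfc5769/rfc5769check.c
-pwd
-${MKBUILDDIR} bin
-${CC} ${CPPFLAGS} ${CFLAGS} src/apps/rfc5769/rfc5769check.c ${COMMON_MODS} -o $@ -Llib -lturnclient -Llib ${LDFLAGS}
-bin/turnserver: ${SERVERAPP_DEPS}
-${MKBUILDDIR} bin
-${RMCMD} bin/turnadmin
-${CC} ${CPPFLAGS} ${CFLAGS} ${DBCFLAGS} ${IMPL_MODS} -Ilib ${SERVERAPP_MODS} ${COMMON_MODS} ${SERVERTURN_MODS} -o $@ ${DBLIBS} ${LDFLAGS}
-cd bin; ln -s turnserver turnadmin
-bin/turnutils_peer: ${COMMON_DEPS} ${LIBCLIENTTURN_MODS} ${LIBCLIENTTURN_DEPS} lib/libturnclient.a src/apps/peer/mainudpserver.c src/apps/peer/udpserver.h src/apps/peer/udpserver.c
-${MKBUILDDIR} bin
-${CC} ${CPPFLAGS} ${CFLAGS} src/apps/peer/mainudpserver.c src/apps/peer/udpserver.c ${COMMON_MODS} -o $@ -Llib -lturnclient -Llib ${LDFLAGS}
-### Client Library:
-lib/libturnclient.a: ${LIBCLIENTTURN_OBJS} ${LIBCLIENTTURN_DEPS}
-${MKBUILDDIR} lib
-${ARCHIVERCMD} $@ ${LIBCLIENTTURN_OBJS}
-build/obj/ns_turn_ioaddr.o: src/client/ns_turn_ioaddr.c ${LIBCLIENTTURN_DEPS}
-${MKBUILDDIR} build/obj
-${CC} ${CPPFLAGS} ${CFLAGS} -c src/client/ns_turn_ioaddr.c -o $@
-build/obj/ns_turn_msg_addr.o: src/client/ns_turn_msg_addr.c ${LIBCLIENTTURN_DEPS}
-${MKBUILDDIR} build/obj
-${CC} ${CPPFLAGS} ${CFLAGS} -c src/client/ns_turn_msg_addr.c -o $@
-build/obj/ns_turn_msg.o: src/client/ns_turn_msg.c ${LIBCLIENTTURN_DEPS}
-${MKBUILDDIR} build/obj
-${CC} ${CPPFLAGS} ${CFLAGS} -c src/client/ns_turn_msg.c -o $@
-### Clean all:
-clean:
-${RMCMD} bin build lib obj *bak *~ */*~ */*/*~ */*/*/*~ *core */*core */*/*core include tmp sqlite
-distclean: clean
-${RMCMD} Makefile
-### SQLite empty database:
-sqlite_empty_db : sqlite/turndb
-sqlite/turndb : turndb/schema.sql
-${MKDIR} sqlite
-${RMCMD} sqlite/turndb
-${SQLITE_CMD} sqlite/turndb < turndb/schema.sql
-### Install all:
-install: all ${MAKE_DEPS}
-${MKDIR} ${DESTDIR}${PREFIX}
-${MKDIR} ${DESTDIR}${BINDIR}
-${MKDIR} ${DESTDIR}${TURNDBDIR}
-${MKDIR} ${DESTDIR}${MANPREFIX}/man/man1
-${MKDIR} ${DESTDIR}${CONFDIR}
-${MKDIR} ${DESTDIR}${LIBDIR}
-${MKDIR} ${DESTDIR}${EXAMPLESDIR}
-${MKDIR} ${DESTDIR}${DOCSDIR}
-${MKDIR} ${DESTDIR}${SCHEMADIR}
-${MKDIR} ${DESTDIR}${TURNINCLUDEDIR}
-${INSTALL_PROGRAM} bin/turnserver ${DESTDIR}${BINDIR}
-${INSTALL_PROGRAM} bin/turnadmin ${DESTDIR}${BINDIR}
-${INSTALL_PROGRAM} bin/turnutils_uclient ${DESTDIR}${BINDIR}
-${INSTALL_PROGRAM} bin/turnutils_peer ${DESTDIR}${BINDIR}
-${INSTALL_PROGRAM} bin/turnutils_stunclient ${DESTDIR}${BINDIR}
-${INSTALL_PROGRAM} bin/turnutils_oauth ${DESTDIR}${BINDIR}
-${INSTALL_PROGRAM} bin/turnutils_natdiscovery ${DESTDIR}${BINDIR}
-${INSTALL_MAN} man/man1/turnserver.1 ${DESTDIR}${MANPREFIX}/man/man1/
-${INSTALL_MAN} man/man1/turnadmin.1 ${DESTDIR}${MANPREFIX}/man/man1/
-${INSTALL_MAN} man/man1/turnutils.1 ${DESTDIR}${MANPREFIX}/man/man1/
-${INSTALL_MAN} man/man1/turnutils_uclient.1 ${DESTDIR}${MANPREFIX}/man/man1/
-${INSTALL_MAN} man/man1/turnutils_stunclient.1 ${DESTDIR}${MANPREFIX}/man/man1/
-${INSTALL_MAN} man/man1/turnutils_oauth.1 ${DESTDIR}${MANPREFIX}/man/man1/
-${INSTALL_MAN} man/man1/turnutils_natdiscovery.1 ${DESTDIR}${MANPREFIX}/man/man1/
-${INSTALL_MAN} man/man1/turnutils_peer.1 ${DESTDIR}${MANPREFIX}/man/man1/
-${INSTALL_MAN} man/man1/coturn.1 ${DESTDIR}${MANPREFIX}/man/man1/
-${INSTALL_STATIC_LIB} lib/libturnclient.a ${DESTDIR}${LIBDIR}
-${INSTALL_DATA} LICENSE ${DESTDIR}${DOCSDIR}
-${INSTALL_DATA} README.turnserver ${DESTDIR}${DOCSDIR}
-${INSTALL_DATA} README.turnadmin ${DESTDIR}${DOCSDIR}
-${INSTALL_DATA} README.turnutils ${DESTDIR}${DOCSDIR}
-${INSTALL_DATA} INSTALL ${DESTDIR}${DOCSDIR}
-${INSTALL_DATA} postinstall.txt ${DESTDIR}${DOCSDIR}
-${INSTALL_DATA} turndb/schema.sql ${DESTDIR}${DOCSDIR}
-${INSTALL_DATA} turndb/schema.sql ${DESTDIR}${SCHEMADIR}
-${INSTALL_DATA} turndb/schema.mongo.sh ${DESTDIR}${DOCSDIR}
-${INSTALL_DATA} turndb/schema.mongo.sh ${DESTDIR}${SCHEMADIR}
-${INSTALL_DATA} turndb/testredisdbsetup.sh ${DESTDIR}${SCHEMADIR}
-${INSTALL_DATA} turndb/testmongosetup.sh ${DESTDIR}${SCHEMADIR}
-${INSTALL_DATA} turndb/testsqldbsetup.sql ${DESTDIR}${SCHEMADIR}
-${INSTALL_DATA} turndb/schema.userdb.redis ${DESTDIR}${DOCSDIR}
-${INSTALL_DATA} turndb/schema.userdb.redis ${DESTDIR}${SCHEMADIR}
-${INSTALL_DATA} turndb/schema.stats.redis ${DESTDIR}${DOCSDIR}
-${INSTALL_DATA} turndb/schema.stats.redis ${DESTDIR}${SCHEMADIR}
-if [ -f sqlite/turndb ] ; then ${INSTALL_DATA} sqlite/turndb ${DESTDIR}${TURNDBDIR}/turndb; fi
-${INSTALL_DATA} examples/etc/turnserver.conf ${DESTDIR}${CONFDIR}/turnserver.conf.default
-${INSTALL_DIR} examples/etc ${DESTDIR}${EXAMPLESDIR}
-${INSTALL_DIR} examples/scripts ${DESTDIR}${EXAMPLESDIR}
-${RMCMD} ${DESTDIR}${EXAMPLESDIR}/scripts/rfc5769.sh
-${INSTALL_DIR} include/turn/client ${DESTDIR}${TURNINCLUDEDIR}
-${INSTALL_DATA} include/turn/ns_turn_defs.h ${DESTDIR}${TURNINCLUDEDIR}
-${MORECMD} ${DESTDIR}${DOCSDIR}/postinstall.txt
-deinstall: ${MAKE_DEPS}
-${PKILL_PROGRAM} turnserver || ${ECHO_CMD} OK
-${RMCMD} ${DESTDIR}${TURNDBDIR}/turndb
-${RMCMD} ${DESTDIR}${DOCSDIR}
-${RMCMD} ${DESTDIR}${SCHEMADIR}
-${RMCMD} ${DESTDIR}${BINDIR}/turnserver
-${RMCMD} ${DESTDIR}${BINDIR}/turnadmin
-${RMCMD} ${DESTDIR}${BINDIR}/turnutils_peer
-${RMCMD} ${DESTDIR}${BINDIR}/turnutils_uclient
-${RMCMD} ${DESTDIR}${BINDIR}/turnutils_stunclient
-${RMCMD} ${DESTDIR}${BINDIR}/turnutils_oauth
-${RMCMD} ${DESTDIR}${BINDIR}/turnutils_natdiscovery
-${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnserver.1
-${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnadmin.1
-${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnutils.1
-${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnutils_uclient.1
-${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnutils_stunclient.1
-${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnutils_oauth.1
-${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnutils_natdiscovery.1
-${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/turnutils_peer.1
-${RMCMD} ${DESTDIR}${MANPREFIX}/man/man1/coturn.1
-${RMCMD} ${DESTDIR}${LIBDIR}/libturnclient.a
-${RMCMD} ${DESTDIR}${EXAMPLESDIR}
-${RMCMD} ${DESTDIR}${CONFDIR}/turnserver.conf.default
-${RMCMD} ${DESTDIR}${TURNINCLUDEDIR}
-uninstall: deinstall
-reinstall: deinstall install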


@ -234,7 +234,11 @@ Flags:
--no-stun Run as TURN server only, all STUN requests will be ignored.
Option to suppress STUN functionality, only TURN requests will be processed.
--no-loopback-peers Disallow peers on the loopback addresses (127.x.x.x and ::1).
--allow-loopback-peers Allow peers on the loopback addresses (127.x.x.x and ::1).
Allow it only for testing in a development environment!
In production it adds a possible security vulnerability,
and so due to security reasons, it is not allowed
using it together with empty cli-password.
--no-multicast-peers Disallow peers on well-known broadcast addresses
(224.0.0.0 and above, and FFXX:*).
@ -552,6 +556,15 @@ Options with values:
--cli-max-output-sessions Maximum number of output sessions in ps CLI command.
This value can be changed on-the-fly in CLI. The default value is 256.
--web-admin Enable Turn Web-admin support. By default it is disabled.
--web-admin-ip=<IP> Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
--web-admin-port=<port> Web-admin server port. Default is 8080.
--web-admin-listen-on-workers Enable for web-admin server to listens on STUN/TURN workers STUN/TURN ports.
By default it is disabled for security resons!
(This beahvior used to be the default bahavior, and was enabled by default.)
--ne=[1|2|3] Set network engine type for the process (for internal purposes).
==================================

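--- /dev/null
+++ b/examples/cpu-mem.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+while sleep 1; do
+DATE="$(date)";
+PS="$( ps -p `pidof turnserver` -o 'pcpu,pmem,rss,vsz')";
+TOP="$( top -p `pidof turnserver` -n1 -b -H -c )"
+OUTPUT=$DATE"\n\n"$TOP"\n\nps\n"$PS"\n";
+echo -e "$OUTPUT" | tee -a cpu-mem.log;
+done;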
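Review bot: `pidof turnserver` is expanded unquoted and unchecked on the `PS=` and `TOP=` lines, so when no turnserver process exists both `ps -p` and `top -p` run without a PID and their error output is appended to cpu-mem.log every second, and when several turnserver processes exist `top -p` appears to receive one space-separated argument it will not accept. Resolve the PID list once per iteration and skip the iteration when it is empty: `PIDS="$(pidof turnserver)" || continue` as the first line of the loop body, then `ps -p "${PIDS// /,}" -o 'pcpu,pmem,rss,vsz'` and `top -p "${PIDS// /,}" -n1 -b -H -c`. Using `$(...)` there would also match the `DATE=` line instead of mixing in backticks.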


@ -569,10 +569,17 @@
# The default value is ':'.
# rest-api-separator=:
# Flag that can be used to disallow peers on the loopback addresses (127.x.x.x and ::1).
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
#
#no-loopback-peers
# (To avoid any security issue that allowing loopback access may raise,
# the no-loopback-peers option is replaced by allow-loopback-peers.)
#
# Allow it only for testing in a development environment!
# In production it adds a possible security vulnerability, so for security reasons
# it is not allowed using it together with empty cli-password.
#
#allow-loopback-peers
# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
# This is an extra security measure.
@ -658,6 +665,20 @@
#
#cli-password=qwerty
# Enable Web-admin support on https. By default it is Disabled.
# If it is enabled it also enables a http a simple static banner page
# with a small reminder that the admin page is available only on https.
#
#web-admin
# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
#
#web-admin-ip=127.0.0.1
# Web-admin server port. Default is 8080.
#
#web-admin-port=8080
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when we want to run
# server applications on the relay endpoints.

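--- /dev/null
+++ b/examples/run_all_clients.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+for i in secure_udp_client.sh secure_dtls_client.sh secure_tcp_client_c2c_tcp_relay.sh secure_tls_client_c2c_tcp_relay.sh secure_tls_client.sh secure_udp_client.sh secure_sctp_client.sh secure_tcp_client.sh secure_udp_c2c.sh;
+do
+echo $i
+./scripts/longtermsecure/$i $@
+done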
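Review bot: `$@` on the `./scripts/longtermsecure/$i $@` line is unquoted, so any argument containing whitespace is re-split before it reaches the client script; it should be `./scripts/longtermsecure/$i "$@"` (and `echo "$i"` on the line above for consistency). The script list on the `for` line also names secure_udp_client.sh twice, so that client is launched two times per run; unless the repeat is deliberate, drop the second occurrence.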


@ -14,6 +14,7 @@
# --no-auth means that no authentication to be used,
# allow anonymous users.
# start TLS and DTLS services.
# --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -23,8 +24,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="bin:../bin:../../bin:${PATH}" turnserver -v --syslog -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --no-tls --no-dtls --no-auth --db="var/db/turndb" $@
PATH="bin:../bin:../../bin:${PATH}" turnserver -v --syslog -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --cli-password secred --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --no-tls --no-dtls --no-auth --db="var/db/turndb" $@
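Review bot: The new turnserver command line passes `--cli-password secred`, which matches neither the comment added above it (`--cli-password=secret means that cli password set to "secret"`) nor the `--cli-password=secret` form used by every other example script in this commit; change it to `--cli-password=secret`. The comment block also says nothing about the newly added `--allow-loopback-peers` flag, even though the changelog in this commit states the server now refuses to start with it unless cli-password is set, which is presumably why the password was added here at all. A numbered line such as `# --allow-loopback-peers allows peers on 127.x.x.x / ::1 (test setup); it requires a cli-password` would make the pairing explicit. The same omission applies to the other example scripts in this commit, whose hunks end at L400, L415, L430, L445, L460, L475, L490, L505 and L520.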


@ -25,6 +25,7 @@
# 10) --no-dtls and --no-tls measn that we are not using DTLS & TLS protocols here
# (for the sake of simplicity).
# 11) --alternate-server options set the "slave" servers.
# 12) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -34,5 +35,5 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -E 127.0.0.1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --log-file=stdout -v --no-dtls --no-tls --alternate-server=127.0.0.1:3333 --alternate-server=127.0.0.1:4444 $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -E 127.0.0.1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --log-file=stdout -v --no-dtls --no-tls --alternate-server=127.0.0.1:3333 --alternate-server=127.0.0.1:4444 --cli-password=secret $@


@ -25,6 +25,7 @@
# 10) --no-dtls and --no-tls measn that we are not using DTLS & TLS protocols here
# (for the sake of simplicity).
# 11) -p 3333 means that we are using UDP & TCP listening port 3333.
# 12) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -34,4 +35,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -E 127.0.0.1 --max-bps=3000000 -f -m 3 --min-port=10000 --max-port=19999 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --log-file=stdout -v --no-dtls --no-tls -p 3333 --cli-port=5767 $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -E 127.0.0.1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=10000 --max-port=19999 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --log-file=stdout -v --no-dtls --no-tls -p 3333 --cli-port=5767 --cli-password=secret $@


@ -25,6 +25,7 @@
# 10) --no-dtls and --no-tls measn that we are not using DTLS & TLS protocols here
# (for the sake of simplicity).
# 11) -p 4444 means that we are using UDP & TCP listening port 4444.
# 12) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -34,4 +35,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -E 127.0.0.1 --max-bps=3000000 -f -m 3 --min-port=20000 --max-port=29999 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --log-file=stdout -v --no-dtls --no-tls -p 4444 --cli-port=5768 $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -E 127.0.0.1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=20000 --max-port=29999 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --log-file=stdout -v --no-dtls --no-tls -p 4444 --cli-port=5768 --cli-password=secret $@


@ -23,6 +23,7 @@
# 10) "--log-file=stdout" means that all log output will go to the stdout.
# 11) "-v" means normal verbose mode (with some moderate logging).
# 12) --cipher-list=ALL means that we support all OpenSSL ciphers
# 13) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -32,4 +33,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --cipher-list=ALL --db=var/db/turndb $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --cipher-list=ALL --cli-password=secret --db=var/db/turndb $@


@ -26,6 +26,7 @@
# 11) "--log-file=stdout" means that all log output will go to the stdout.
# 12) "-v" means normal verbose mode (with some moderate logging).
# 13) --cipher-list="ALL:!eNULL:!aNULL:!NULL" measn "all ciphers, except anonymous".
# 14) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -35,4 +36,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=turn_server_cert.pem --log-file=stdout -v --cipher-list="ALL:!eNULL:!aNULL:!NULL" --db=var/db/turndb $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=turn_server_cert.pem --log-file=stdout -v --cipher-list="ALL:!eNULL:!aNULL:!NULL" --cli-password=secret --db=var/db/turndb $@


@ -22,6 +22,7 @@
# 9) "--log-file=stdout" means that all log output will go to the stdout.
# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
# 11) --oauth - support oAuth security dialog
# 12) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -31,4 +32,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@


@ -23,6 +23,7 @@
# 9) "--log-file=stdout" means that all log output will go to the stdout.
# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
# 11) --oauth - support oAuth security dialog
# 12) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -32,4 +33,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30 read_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30 read_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@


@ -24,6 +24,7 @@
# 9) "--log-file=stdout" means that all log output will go to the stdout.
# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
# 11) --oauth - support oAuth security dialog
# 12) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -33,4 +34,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn cipher=DHE-RSA-AES256-SHA connect_timeout=30 read_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn cipher=DHE-RSA-AES256-SHA connect_timeout=30 read_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@


@ -23,6 +23,7 @@
# 9) "--log-file=stdout" means that all log output will go to the stdout.
# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
# 11) --oauth - support oAuth security dialog
# 12) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -32,7 +33,7 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@
# Newer PostgreSQL style connection string example:
# PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb=postgresql://turn:turn@/turn --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
# PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --psql-userdb=postgresql://turn:turn@/turn --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@


@ -26,6 +26,7 @@
# 10) "--log-file=stdout" means that all log output will go to the stdout.
# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
# 12) --oauth - support oAuth security dialog
# 13) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -35,4 +36,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 ---allow-loopback-peers -max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@
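Review bot: The new command line is mangled: `---allow-loopback-peers -max-bps=3000000` carries a third dash on the first option and loses one on the second, so turnserver will presumably reject or misparse both and this example no longer enables loopback peers or the bandwidth cap. It should read `--allow-loopback-peers --max-bps=3000000`, as in the sibling example scripts in this commit.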


@ -22,6 +22,7 @@
# 9) "--log-file=stdout" means that all log output will go to the stdout.
# 10) --cipher-list=ALL means that we support all OpenSSL ciphers
# 11) --oauth - support oAuth security dialog
# 12) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -31,5 +32,5 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@


@ -24,6 +24,7 @@
# 11) "-v" means normal verbose mode (with some moderate logging).
# 12) "--mobility" turns on the Mobile ICE TURN functionality.
# 13) --cipher-list=ALL means that we support all OpenSSL ciphers
# 14) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -33,4 +34,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --mobility --cipher-list=ALL $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -v --mobility --cipher-list=ALL --cli-password=secret $@

23
examples/scripts/pack.sh Executable file

@ -0,0 +1,23 @@
#!/bin/sh
# Run it from the root of the coturn source tree
V=4.5.1.0
PACKDIR=`pwd`/../coturn-releases/
SRCDIR=`pwd`
DDIR=turnserver-${V}
cd ${SRCDIR}/
make distclean
cd ${PACKDIR}
rm -rf tmp
mkdir tmp
cd tmp
mkdir ${DDIR}
cp -R ${SRCDIR}/* ${DDIR}/
tar cvfz ../${DDIR}.tar.gz ${DDIR}
cd ..
rm -rf tmp
cp -a ${SRCDIR}/ChangeLog ${PACKDIR}
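Review bot: Every `cd` in the script is unchecked, and `cd ${PACKDIR}` is immediately followed by `rm -rf tmp`; if ../coturn-releases/ does not exist the script keeps running in whatever directory it was in (the freshly cleaned source tree) and deletes and recreates `tmp` there. Add `set -e` right after the shebang, or `cd ${PACKDIR} || exit 1` and the same for the other `cd` lines, so a failed directory change aborts the run. `cp -R ${SRCDIR}/* ${DDIR}/` also skips dotfiles, which is presumably how .git stays out of the tarball; a one-line comment saying so would stop the next reader from "fixing" it.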


@ -23,6 +23,7 @@
# 11) "-q 100" means that single user can create no more than 100 sessions
# 12) "-Q 300" means that there may be no more than 300 sessions totally
# 13) --cipher-list=ALL means that we support all OpenSSL ciphers
# 14) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -32,5 +33,5 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --static-auth-secret=logen --realm=north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -q 100 -Q 300 --cipher-list=ALL $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --static-auth-secret=logen --realm=north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -q 100 -Q 300 --cipher-list=ALL --cli-password=secret $@


@ -25,6 +25,7 @@
# 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
# 10) "--log-file=stdout" means that all log output will go to the stdout.
# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
# 12) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -34,4 +35,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --mongo-userdb="mongodb://localhost/coturn" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --cli-password=secret $@


@ -26,6 +26,7 @@
# 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
# 10) "--log-file=stdout" means that all log output will go to the stdout.
# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
# 12) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -35,4 +36,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --cli-password=secret $@


@ -26,6 +26,7 @@
# 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
# 10) "--log-file=stdout" means that all log output will go to the stdout.
# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
# 12) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -35,4 +36,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --cli-password=secret $@


@ -26,6 +26,7 @@
# 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
# 10) "--log-file=stdout" means that all log output will go to the stdout.
# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
# 12) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -35,4 +36,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cipher-list=ALL $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cipher-list=ALL --cli-password=secret $@


@ -25,6 +25,7 @@
# 9) "--pkey=example_turn_server_pkey.pem" sets the OpenSSL private key name.
# 10) "--log-file=stdout" means that all log output will go to the stdout.
# 11) --cipher-list=ALL means that we support all OpenSSL ciphers
# 12) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -34,4 +35,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --realm=north.gov --db="var/db/turndb" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --cli-password=secret $@


@ -30,6 +30,7 @@
# 12) "--log-file=stdout" means that all log output will go to the stdout.
# 13) "-v" means normal verbose mode (with some moderate logging).
# 14) --cipher-list=ALL means that we support all OpenSSL ciphers
# 15) --cli-password=secret means that cli password set to "secret"
# Other parameters (config file name, etc) are default.
if [ -d examples ] ; then
@ -39,4 +40,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --aux-server=127.0.0.1:12345 --aux-server=[::1]:12345 --aux-server=127.0.0.1:12346 --aux-server=[::1]:12346 --udp-self-balance --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --db=var/db/turndb $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --aux-server=127.0.0.1:12345 --aux-server=[::1]:12345 --aux-server=127.0.0.1:12346 --aux-server=[::1]:12346 --udp-self-balance --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=gorst:hero -r north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --db=var/db/turndb --cli-password=secret $@


@ -1,5 +1,5 @@
.\" Text automatically generated by txt2man
.TH TURN 1 "27 September 2018" "" ""
.TH TURN 1 "31 October 2018" "" ""
.SH GENERAL INFORMATION
\fIturnadmin\fP is a TURN administration tool. This tool can be used to manage


@ -1,5 +1,5 @@
.\" Text automatically generated by txt2man
.TH TURN 1 "27 September 2018" "" ""
.TH TURN 1 "31 October 2018" "" ""
.SH GENERAL INFORMATION
The \fBTURN Server\fP project contains the source code of a TURN server and TURN client
@ -358,8 +358,12 @@ Run as TURN server only, all STUN requests will be ignored.
Option to suppress STUN functionality, only TURN requests will be processed.
.TP
.B
\fB\-\-no\-loopback\-peers\fP
Disallow peers on the loopback addresses (127.x.x.x and ::1).
\fB\-\-allow\-loopback\-peers\fP
Allow peers on the loopback addresses (127.x.x.x and ::1).
Allow it only for testing in a development environment!
In production it adds a possible security vulnerability,
and so due to security reasons, it is not allowed
using it together with empty cli\-password.
.TP
.B
\fB\-\-no\-multicast\-peers\fP
@ -794,6 +798,24 @@ Maximum number of output sessions in ps CLI command.
This value can be changed on\-the\-fly in CLI. The default value is 256.
.TP
.B
\fB\-\-web\-admin\fP
Enable Turn Web\-admin support. By default it is disabled.
.TP
.B
\fB\-\-web\-admin\-ip\fP=<IP>
Local system IP address to be used for Web\-admin server endpoint. Default value is 127.0.0.1.
.TP
.B
\fB\-\-web\-admin\-port\fP=<port>
Web\-admin server port. Default is 8080.
.TP
.B
\fB\-\-web\-admin\-listen\-on\-workers\fP
Enable for web\-admin server to listens on STUN/TURN workers STUN/TURN ports.
By default it is disabled for security resons!
(This beahvior used to be the default bahavior, and was enabled by default.)
.TP
.B
\fB\-\-ne\fP=[1|2|3]
Set network engine type for the process (for internal purposes).
.PP


@ -1,5 +1,5 @@
.\" Text automatically generated by txt2man
.TH TURN 1 "27 September 2018" "" ""
.TH TURN 1 "31 October 2018" "" ""
.SH GENERAL INFORMATION
A set of turnutils_* programs provides some utility functionality to be used


@ -2,7 +2,7 @@
# Common settings script.
TURNVERSION=4.5.0.8
TURNVERSION=4.5.1.0
BUILDDIR=~/rpmbuild
ARCH=`uname -p`
TURNSERVER_GIT_URL=https://github.com/coturn/coturn.git


@ -1,5 +1,5 @@
Name: turnserver
Version: 4.5.0.8
Version: 4.5.1.0
Release: 0%{dist}
Summary: Coturn TURN Server
@ -295,6 +295,8 @@ fi
%{_includedir}/turn/client/TurnMsgLib.h
%changelog
* Thu Dec 6 2018 Mészáros Mihály <misi@majd.eu>
- Sync to 4.5.1.0
* Thu Sep 27 2018 Oleg Moskalenko <mom040267@gmail.com>
- Sync to 4.5.0.8
* Sun Dec 10 2017 Oleg Moskalenko <mom040267@gmail.com>


@ -867,11 +867,11 @@ char *turn_strdup_func(const char* s, const char* function, int line) {
////////////////////////////////
int is_secure_username(const u08bits *username)
int is_secure_string(const u08bits *string, int sanitizesql)
{
int ret = 0;
if(username) {
unsigned char *s0 = (unsigned char*)turn_strdup((const char*)username);
if(string) {
unsigned char *s0 = (unsigned char*)turn_strdup((const char*)string);
unsigned char *s = s0;
while(*s) {
*s = (unsigned char)tolower((int)*s);
@ -880,7 +880,7 @@ int is_secure_username(const u08bits *username)
s = s0;
if(strstr((char*)s," ")||strstr((char*)s,"\t")||strstr((char*)s,"'")||strstr((char*)s,"\"")||strstr((char*)s,"\n")||strstr((char*)s,"\r")||strstr((char*)s,"\\")) {
;
} else if(strstr((char*)s,"union")&&strstr((char*)s,"select")) {
} else if(sanitizesql && strstr((char*)s,"union")&&strstr((char*)s,"select")) {
;
} else {
ret = 1;
@ -891,4 +891,3 @@ int is_secure_username(const u08bits *username)
}
//////////////////////////////////////////////////////////////////
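Review bot: The new `sanitizesql` parameter is undocumented, and neither hunk says what `is_secure_string` actually guarantees: the visible body rejects only space, tab, single and double quote, CR, LF and backslash, and with `sanitizesql` additionally a lower-cased string containing both "union" and "select", so this is a heuristic filter rather than escaping or quoting, and callers still need parameterized queries or the driver's escaping as the real defense. I would add above the definition a comment stating that it returns 1 for a non-NULL string containing none of those seven characters, that `sanitizesql != 0` additionally rejects the union/select combination, and that it is not a substitute for parameterized SQL. The function body continues between and after the hunks, so I could not confirm that the `turn_strdup` copy is freed on every path.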


@ -78,7 +78,7 @@ void rollover_logfile(void);
///////////////////////////////////////////////////////
int is_secure_username(const u08bits *username);
int is_secure_string(const u08bits *string, int sanitizesql);
///////////////////////////////////////////////////////


@ -64,7 +64,7 @@ static void write_http_echo(ioa_socket_handle s)
char content_http[1025];
const char* title = "TURN Server";
snprintf(content_http,sizeof(content_http)-1,"<!DOCTYPE html>\r\n<html>\r\n <head>\r\n <title>%s</title>\r\n </head>\r\n <body>\r\n <b>%s</b> <br> <b><i>use https connection for the admin session</i></b>\r\n </body>\r\n</html>\r\n",title,title);
snprintf(data_http,sizeof(data_http)-1,"HTTP/1.0 200 OK\r\nServer: %s\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: %d\r\n\r\n%s",TURN_SOFTWARE,(int)strlen(content_http),content_http);
snprintf(data_http,sizeof(data_http)-1,"HTTP/1.0 200 OK\r\nServer: %s\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: %d\r\n\r\n%.906s",TURN_SOFTWARE,(int)strlen(content_http),content_http);
len_http = strlen(data_http);
ns_bcopy(data_http,data,len_http);
ioa_network_buffer_set_size(nbh_http,len_http);
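Review bot: The `%.906s` precision caps the body copied into `data_http`, but `Content-Length` on the same line is still computed from `(int)strlen(content_http)`, so whenever the cap actually truncates, the header promises more bytes than the response carries. With the fixed title the body is far shorter than 906 bytes today, so this is latent, but the two bounds should be tied together: `int body_len = (int)strnlen(content_http, 906);` and then `"...Content-Length: %d\r\n\r\n%.*s", TURN_SOFTWARE, body_len, body_len, content_http`. Naming 906 (presumably sizeof(data_http)-1 minus the header budget) would also explain the magic number. write_http_echo's signature and the `data_http` declaration are outside the hunk.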


@ -106,7 +106,8 @@ DH_1066, "", "", "",
NULL, PTHREAD_MUTEX_INITIALIZER,
TURN_VERBOSE_NONE,0,0,0,
//////////////// Common params ////////////////////
TURN_VERBOSE_NONE,0,0,0,0,
"/var/run/turnserver.pid",
DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,1,
0,0,0,0,
@ -430,7 +431,7 @@ static char Usage[] = "Usage: turnserver [options]\n"
" In more complex case when more than one IP address is involved,\n"
" that option must be used several times in the command line, each entry must\n"
" have form \"-X public-ip/private-ip\", to map all involved addresses.\n"
" --no-loopback-peers Disallow peers on the loopback addresses (127.x.x.x and ::1).\n"
" --allow-loopback-peers Allow peers on the loopback addresses (127.x.x.x and ::1).\n"
" --no-multicast-peers Disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).\n"
" -m, --relay-threads <number> Number of relay threads to handle the established connections\n"
" (in addition to authentication thread and the listener thread).\n"
@ -614,7 +615,6 @@ static char Usage[] = "Usage: turnserver [options]\n"
" After the initialization, the turnserver process\n"
" will make an attempt to change the current group ID to that group.\n"
" --mobility Mobility with ICE (MICE) specs support.\n"
" --no-http Turn OFF the HTTP-Admin-Interface. By default it is always ON.\n"
" -K, --keep-address-family TURN server allocates address family according TURN\n"
" Client <=> Server communication address family. \n"
" !! It breaks RFC6156 section-4.2 (violates default IPv4) !!\n"
@ -626,6 +626,13 @@ static char Usage[] = "Usage: turnserver [options]\n"
" For the security reasons, it is recommended to use the encrypted\n"
" for of the password (see the -P command in the turnadmin utility).\n"
" The dollar signs in the encrypted form must be escaped.\n"
" --web-admin Enable Turn Web-admin support. By default it is disabled.\n"
" --web-admin-ip=<IP> Local system IP address to be used for Web-admin server endpoint. Default value\n"
" is 127.0.0.1.\n"
" --web-admin-port=<port> Web-admin server port. Default is 8080.\n"
" --web-admin-listen-on-workers Enable for web-admin server to listens on STUN/TURN workers STUN/TURN ports.\n"
" By default it is disabled for security resons!\n"
" (This beahvior used to be the default bahavior, and was enabled by default.)\n"
" --server-relay Server relay. NON-STANDARD AND DANGEROUS OPTION. Only for those applications\n"
" when we want to run server applications on the relay endpoints.\n"
" This option eliminates the IP permissions check on the packets\n"
@ -733,7 +740,7 @@ enum EXTRA_OPTS {
ALTERNATE_SERVER_OPT,
TLS_ALTERNATE_SERVER_OPT,
NO_MULTICAST_PEERS_OPT,
NO_LOOPBACK_PEERS_OPT,
ALLOW_LOOPBACK_PEERS_OPT,
MAX_ALLOCATE_TIMEOUT_OPT,
ALLOWED_PEER_IPS,
DENIED_PEER_IPS,
@ -750,6 +757,10 @@ enum EXTRA_OPTS {
CLI_IP_OPT,
CLI_PORT_OPT,
CLI_PASSWORD_OPT,
WEB_ADMIN_OPT,
WEB_ADMIN_IP_OPT,
WEB_ADMIN_PORT_OPT,
WEB_ADMIN_LISTEN_ON_WORKERS_OPT,
SERVER_RELAY_OPT,
CLI_MAX_SESSIONS_OPT,
EC_CURVE_NAME_OPT,
@ -861,7 +872,7 @@ static const struct myoption long_options[] = {
{ "rest-api-separator", required_argument, NULL, 'C' },
{ "max-allocate-timeout", required_argument, NULL, MAX_ALLOCATE_TIMEOUT_OPT },
{ "no-multicast-peers", optional_argument, NULL, NO_MULTICAST_PEERS_OPT },
{ "no-loopback-peers", optional_argument, NULL, NO_LOOPBACK_PEERS_OPT },
{ "allow-loopback-peers", optional_argument, NULL, ALLOW_LOOPBACK_PEERS_OPT },
{ "allowed-peer-ip", required_argument, NULL, ALLOWED_PEER_IPS },
{ "denied-peer-ip", required_argument, NULL, DENIED_PEER_IPS },
{ "cipher-list", required_argument, NULL, CIPHER_LIST_OPT },
@ -876,7 +887,10 @@ static const struct myoption long_options[] = {
{ "cli-ip", required_argument, NULL, CLI_IP_OPT },
{ "cli-port", required_argument, NULL, CLI_PORT_OPT },
{ "cli-password", required_argument, NULL, CLI_PASSWORD_OPT },
{ "no-http", optional_argument, NULL, NO_HTTP_OPT },
{ "web-admin", optional_argument, NULL, WEB_ADMIN_OPT },
{ "web-admin-ip", required_argument, NULL, WEB_ADMIN_IP_OPT },
{ "web-admin-port", required_argument, NULL, WEB_ADMIN_PORT_OPT },
{ "web-admin-listen-on-workers", optional_argument, NULL, WEB_ADMIN_LISTEN_ON_WORKERS_OPT },
{ "server-relay", optional_argument, NULL, SERVER_RELAY_OPT },
{ "cli-max-output-sessions", required_argument, NULL, CLI_MAX_SESSIONS_OPT },
{ "ec-curve-name", required_argument, NULL, EC_CURVE_NAME_OPT },
@ -1166,9 +1180,6 @@ static void set_option(int c, char *value)
case NO_CLI_OPT:
use_cli = !get_bool_value(value);
break;
case NO_HTTP_OPT:
use_http = !get_bool_value(value);
break;
case CLI_IP_OPT:
if(make_ioa_addr((const u08bits*)value,0,&cli_addr)<0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,"Cannot set cli address: %s\n",value);
@ -1182,6 +1193,22 @@ static void set_option(int c, char *value)
case CLI_PASSWORD_OPT:
STRCPY(cli_password,value);
break;
case WEB_ADMIN_OPT:
use_web_admin = get_bool_value(value);
break;
case WEB_ADMIN_IP_OPT:
if(make_ioa_addr((const u08bits*)value, 0, &web_admin_addr) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot set web-admin address: %s\n", value);
} else {
web_admin_addr_set = 1;
}
break;
case WEB_ADMIN_PORT_OPT:
web_admin_port = atoi(value);
break;
case WEB_ADMIN_LISTEN_ON_WORKERS_OPT:
turn_params.web_admin_listen_on_workers = get_bool_value(value);
break;
case PROC_USER_OPT: {
struct passwd* pwd = getpwnam(value);
if(!pwd) {
@ -1250,8 +1277,8 @@ static void set_option(int c, char *value)
case NO_MULTICAST_PEERS_OPT:
turn_params.no_multicast_peers = get_bool_value(value);
break;
case NO_LOOPBACK_PEERS_OPT:
turn_params.no_loopback_peers = get_bool_value(value);
case ALLOW_LOOPBACK_PEERS_OPT:
turn_params.allow_loopback_peers = get_bool_value(value);
break;
case STALE_NONCE_OPT:
turn_params.stale_nonce = get_int_value(value, STUN_DEFAULT_NONCE_EXPIRATION_TIME);
@ -1604,7 +1631,7 @@ static void read_config_file(int argc, char **argv, int pass)
if (full_path_to_config_file)
f = fopen(full_path_to_config_file, "r");
if (f && full_path_to_config_file) {
if (f) {
char sbuf[1025];
char sarg[1035];
@ -1653,6 +1680,11 @@ static void read_config_file(int argc, char **argv, int pass)
} else
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: Cannot find config file: %s. Default and command-line settings will be used.\n",
config_file);
if (full_path_to_config_file) {
turn_free(full_path_to_config_file, strlen(full_path_to_config_file)+1);
full_path_to_config_file = NULL;
}
}
}
@ -1791,7 +1823,7 @@ static int adminmain(int argc, char **argv)
#endif
case 'u':
STRCPY(user,optarg);
if(!is_secure_username((u08bits*)user)) {
if(!is_secure_string((u08bits*)user,1)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong user name structure or symbols, choose another name: %s\n",user);
exit(-1);
}
@ -1836,7 +1868,9 @@ static int adminmain(int argc, char **argv)
}
else{
fseek (fptr, 0, SEEK_SET);
fread (generated_key, sizeof(char), 16, fptr);
if( fread(generated_key, sizeof(char), 16, fptr) !=0 ){
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: Secret-Key file is empty\n",__FUNCTION__);
}
fclose (fptr);
}
break;
@ -2201,11 +2235,24 @@ int main(int argc, char **argv)
exit(-1);
}
if(use_ltc && use_tltc) {
if(use_ltc && use_tltc) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "\nCONFIGURATION ALERT: You specified --lt-cred-mech and --use-auth-secret in the same time.\n"
"Be aware that you could not mix the username/password and the shared secret based auth methohds. \n"
"Shared secret overrides username/password based auth method. Check your configuration!\n");
}
}
if(turn_params.allow_loopback_peers) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "CONFIG WARNING: allow_loopback_peers opens a possible security vulnerability. Do not use in production!!\n");
if(cli_password[0]==0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: allow_loopback_peers and empty cli password cannot be used together.\n");
exit(-1);
}
}
if(cli_password[0]==0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!\n");
use_cli = 0;
}
if(!use_lt_credentials && !anon_credentials) {
if(turn_params.default_users_db.ram_db.users_number) {
@ -2861,7 +2908,9 @@ static void set_ctx(SSL_CTX** out, const char *protocol, const SSL_METHOD* metho
perror("Cannot open Secret-Key file");
} else {
fseek (f, 0, SEEK_SET);
fread (turn_params.secret_key, sizeof(char), 16, f);
if ( fread(turn_params.secret_key, sizeof(char), 16, f) != 0 ){
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: Secret-Key file is empty\n",__FUNCTION__);
}
fclose (f);
}
}
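Review bot: The fread checks added in adminmain and set_ctx have the condition inverted: `if( fread(generated_key, sizeof(char), 16, fptr) !=0 )` logs "Secret-Key file is empty" exactly when bytes were read, while an empty or short file passes silently. Both places should compare against the requested count, `if (fread(generated_key, sizeof(char), 16, fptr) != 16) {` (and `turn_params.secret_key` likewise), with the message widened to "empty or too short". Two smaller points in the same section: `web_admin_port = atoi(value);` takes no range check where STALE_NONCE_OPT uses `get_int_value`, and the new Usage text carries the typos "resons", "beahvior" and "bahavior", which also appear in the man page text in this commit. The enclosing functions of these hunks all start outside the hunks.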


@ -214,6 +214,7 @@ typedef struct _turn_params_ {
int verbose;
int turn_daemon;
int prod;
int web_admin_listen_on_workers;
int do_not_use_config_file;
@ -254,7 +255,7 @@ typedef struct _turn_params_ {
vint check_origin;
vint no_multicast_peers;
vint no_loopback_peers;
vint allow_loopback_peers;
char relay_ifname[1025];
@ -352,6 +353,9 @@ void del_tls_alternate_server(const char *saddr);
void add_listener_addr(const char* addr);
int add_relay_addr(const char* addr);
////////// SSL CTX ////////////////////
void set_ssl_ctx(ioa_engine_handle e, turn_params_t *params);
///////// Auth ////////////////
void send_auth_message_to_auth_server(struct auth_message *am);
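Review bot: `int web_admin_listen_on_workers;` joins the turn_params struct without a comment, and its neighbours (`verbose`, `turn_daemon`, `prod`) are equally bare, so a reader has to find the Usage text to learn what it gates. I would write `int web_admin_listen_on_workers; /* also serve the web-admin interface on the STUN/TURN worker listeners; off by default */`, matching the option help added in this commit.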


@ -334,7 +334,7 @@ static void update_ssl_ctx(evutil_socket_t sock, short events, update_ssl_ctx_cb
UNUSED_ARG(events);
}
static void set_ssl_ctx(ioa_engine_handle e, turn_params_t *params)
void set_ssl_ctx(ioa_engine_handle e, turn_params_t *params)
{
update_ssl_ctx_cb_args_t *args = (update_ssl_ctx_cb_args_t *)turn_malloc(sizeof(update_ssl_ctx_cb_args_t));
args->engine = e;
@ -1655,11 +1655,12 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
&turn_params.stun_only,
&turn_params.no_stun,
&turn_params.prod,
&turn_params.web_admin_listen_on_workers,
&turn_params.alternate_servers_list,
&turn_params.tls_alternate_servers_list,
&turn_params.aux_servers_list,
turn_params.udp_self_balance,
&turn_params.no_multicast_peers, &turn_params.no_loopback_peers,
&turn_params.no_multicast_peers, &turn_params.allow_loopback_peers,
&turn_params.ip_whitelist, &turn_params.ip_blacklist,
send_socket_to_relay,
&turn_params.secure_stun, &turn_params.mobility,
@ -1669,7 +1670,6 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
allocate_bps,
turn_params.oauth,
turn_params.oauth_server_name,
use_http,
turn_params.keep_address_family);
if(to_set_rfc5780) {
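Review bot: Inserting `&turn_params.web_admin_listen_on_workers` into the positional argument list of the server-init call (and dropping `use_http` further down) relies on the callee's parameter order matching exactly; with a run of `int*`/`vint*` arguments the compiler cannot catch a slip by one, and two edits to the list in one commit show how often it moves. If the callee is under the project's control, passing a pointer to `turn_params` (or a small options struct) for these flags would make such additions self-describing; failing that, a comment naming the parameter next to each new argument, `&turn_params.web_admin_listen_on_workers, /* web_admin_listen_on_workers */`, helps. The call begins and ends outside the visible hunks, so I could not check the callee's signature.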


@ -71,14 +71,14 @@
#include "dbdrivers/dbdriver.h"
#include "tls_listener.h"
///////////////////////////////
struct admin_server adminserver;
int use_cli = 1;
int use_http = 1;
ioa_addr cli_addr;
int cli_addr_set = 0;
@ -88,6 +88,14 @@ char cli_password[CLI_PASSWORD_LENGTH] = "";
int cli_max_output_sessions = DEFAULT_CLI_MAX_OUTPUT_SESSIONS;
int use_web_admin = 0;
ioa_addr web_admin_addr;
int web_admin_addr_set = 0;
int web_admin_port = WEB_ADMIN_DEFAULT_PORT;
///////////////////////////////
struct cli_session {
@ -181,7 +189,7 @@ struct toggleable_command tcmds[] = {
{"no-udp-relay",&turn_params.no_udp_relay},
{"no-tcp-relay",&turn_params.no_tcp_relay},
{"no-multicast-peers",&turn_params.no_multicast_peers},
{"no-loopback-peers",&turn_params.no_loopback_peers},
{"allow-loopback-peers",&turn_params.allow_loopback_peers},
{"mobility",&turn_params.mobility},
{NULL,NULL}
};
@ -434,13 +442,13 @@ static int print_session(ur_map_key_type key, ur_map_value_type value, void *arg
const char *pn=csarg->pname;
if(pn[0]) {
if(!strcmp(pn,"TLS") || !strcmp(pn,"tls") || !strcmp(pn,"Tls")) {
if((tsi->client_protocol != TLS_SOCKET)||(tsi->client_protocol != TLS_SCTP_SOCKET))
if((tsi->client_protocol != TLS_SOCKET)&&(tsi->client_protocol != TLS_SCTP_SOCKET))
return 0;
} else if(!strcmp(pn,"DTLS") || !strcmp(pn,"dtls") || !strcmp(pn,"Dtls")) {
if(tsi->client_protocol != DTLS_SOCKET)
return 0;
} else if(!strcmp(pn,"TCP") || !strcmp(pn,"tcp") || !strcmp(pn,"Tcp")) {
if((tsi->client_protocol != TCP_SOCKET)||(tsi->client_protocol != SCTP_SOCKET))
if((tsi->client_protocol != TCP_SOCKET)&&(tsi->client_protocol != SCTP_SOCKET))
return 0;
} else if(!strcmp(pn,"UDP") || !strcmp(pn,"udp") || !strcmp(pn,"Udp")) {
if(tsi->client_protocol != UDP_SOCKET)
@ -750,7 +758,7 @@ static void cli_print_configuration(struct cli_session* cs)
}
cli_print_flag(cs,turn_params.no_multicast_peers,"no-multicast-peers",1);
cli_print_flag(cs,turn_params.no_loopback_peers,"no-loopback-peers",1);
cli_print_flag(cs,turn_params.allow_loopback_peers,"allow-loopback-peers",1);
myprintf(cs,"\n");
@ -1188,6 +1196,115 @@ static void cliserver_input_handler(struct evconnlistener *l, evutil_socket_t fd
}
}
static void web_admin_input_handler(ioa_socket_handle s, int event_type,
ioa_net_data *in_buffer, void *arg, int can_resume) {
UNUSED_ARG(event_type);
UNUSED_ARG(can_resume);
UNUSED_ARG(arg);
int to_be_closed = 0;
int buffer_size = (int)ioa_network_buffer_get_size(in_buffer->nbh);
if (buffer_size > 0) {
SOCKET_TYPE st = get_ioa_socket_type(s);
if(is_stream_socket(st)) {
if(is_http((char*)ioa_network_buffer_data(in_buffer->nbh), buffer_size)) {
const char *proto = "HTTP";
ioa_network_buffer_data(in_buffer->nbh)[buffer_size] = 0;
if(st == TLS_SOCKET) {
proto = "HTTPS";
set_ioa_socket_app_type(s, HTTPS_CLIENT_SOCKET);
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: %s (%s %s) request: %s\n", __FUNCTION__, proto, get_ioa_socket_cipher(s), get_ioa_socket_ssl_method(s), (char*)ioa_network_buffer_data(in_buffer->nbh));
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s socket to be detached: 0x%lx, st=%d, sat=%d\n", __FUNCTION__,(long)s, get_ioa_socket_type(s), get_ioa_socket_app_type(s));
ioa_socket_handle new_s = detach_ioa_socket(s);
if(new_s) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s new detached socket: 0x%lx, st=%d, sat=%d\n", __FUNCTION__,(long)new_s, get_ioa_socket_type(new_s), get_ioa_socket_app_type(new_s));
send_https_socket(new_s);
}
to_be_closed = 1;
} else {
set_ioa_socket_app_type(s, HTTP_CLIENT_SOCKET);
if(adminserver.verbose) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: %s request: %s\n", __FUNCTION__, proto, (char*)ioa_network_buffer_data(in_buffer->nbh));
}
handle_http_echo(s);
}
}
}
}
if (to_be_closed) {
if(adminserver.verbose) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,
"%s: web-admin socket to be closed in client handler: s=0x%lx\n", __FUNCTION__, (long)s);
}
set_ioa_socket_tobeclosed(s);
}
}
static int send_socket_to_admin_server(ioa_engine_handle e, struct message_to_relay *sm)
{
// sm->relay_server is null for us.
sm->t = RMT_SOCKET;
if (sm->m.sm.s->defer_nbh) {
if (!sm->m.sm.nd.nbh) {
sm->m.sm.nd.nbh = sm->m.sm.s->defer_nbh;
sm->m.sm.s->defer_nbh = NULL;
} else {
ioa_network_buffer_delete(e, sm->m.sm.s->defer_nbh);
sm->m.sm.s->defer_nbh = NULL;
}
}
ioa_socket_handle s = sm->m.sm.s;
if (!s) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: web-admin socket EMPTY\n", __FUNCTION__);
} else if (s->read_event || s->bev) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"%s: web-admin socket wrongly preset: 0x%lx : 0x%lx\n",
__FUNCTION__, (long) s->read_event, (long) s->bev);
IOA_CLOSE_SOCKET(s);
sm->m.sm.s = NULL;
} else {
s->e = e;
struct socket_message *msg = &(sm->m.sm);
if(register_callback_on_ioa_socket(e, msg->s, IOA_EV_READ,
web_admin_input_handler, NULL, 0) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: Failed to register callback on web-admin ioa socket\n", __FUNCTION__);
IOA_CLOSE_SOCKET(s);
sm->m.sm.s = NULL;
} else {
if(msg->nd.nbh) {
web_admin_input_handler(msg->s, IOA_EV_READ, &(msg->nd), NULL, msg->can_resume);
ioa_network_buffer_delete(e, msg->nd.nbh);
msg->nd.nbh = NULL;
}
}
}
ioa_network_buffer_delete(e, sm->m.sm.nd.nbh);
sm->m.sm.nd.nbh = NULL;
return 0;
}
void setup_admin_thread(void)
{
adminserver.event_base = turn_event_base_new();
@ -1199,6 +1316,12 @@ void setup_admin_thread(void)
#endif
);
if(use_web_admin) {
// Support encryption on this ioa engine
// because the web-admin needs HTTPS
set_ssl_ctx(adminserver.e, &turn_params);
}
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"IO method (admin thread): %s\n",event_base_get_method(adminserver.event_base));
{
@ -1212,7 +1335,8 @@ void setup_admin_thread(void)
bufferevent_setcb(adminserver.in_buf, admin_server_receive_message, NULL, NULL, &adminserver);
bufferevent_enable(adminserver.in_buf, EV_READ);
}
if (use_http) {
{
struct bufferevent *pair[2];
bufferevent_pair_new(adminserver.event_base, TURN_BUFFEREVENTS_OPTIONS, pair);
@ -1224,6 +1348,31 @@ void setup_admin_thread(void)
bufferevent_enable(adminserver.https_in_buf, EV_READ);
}
// Setup the web-admin server
if(use_web_admin) {
if(!web_admin_addr_set) {
if(make_ioa_addr((const u08bits*)WEB_ADMIN_DEFAULT_IP, 0, &web_admin_addr) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot set web-admin address %s\n", WEB_ADMIN_DEFAULT_IP);
return;
}
}
addr_set_port(&web_admin_addr, web_admin_port);
char saddr[129];
addr_to_string_no_port(&web_admin_addr,(u08bits*)saddr);
tls_listener_relay_server_type *tls_service = create_tls_listener_server(turn_params.listener_ifname, saddr, web_admin_port, turn_params.verbose, adminserver.e, send_socket_to_admin_server, NULL);
if (tls_service == NULL) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,"Cannot create web-admin listener\n");
return;
}
addr_debug_print(adminserver.verbose, &web_admin_addr, "web-admin listener opened on ");
}
if(use_cli) {
if(!cli_addr_set) {
if(make_ioa_addr((const u08bits*)CLI_DEFAULT_IP,0,&cli_addr)<0) {
@ -2002,7 +2151,7 @@ static void write_pc_page(ioa_socket_handle s)
https_print_uint(sb,(unsigned long)turn_params.max_port,"max-port",0);
https_print_flag(sb,turn_params.no_multicast_peers,"no-multicast-peers","no-multicast-peers");
https_print_flag(sb,turn_params.no_loopback_peers,"no-loopback-peers","no-loopback-peers");
https_print_flag(sb,turn_params.allow_loopback_peers,"allow-loopback-peers","allow-loopback-peers");
https_print_empty_row(sb,2);
@ -2157,13 +2306,13 @@ static int https_print_session(ur_map_key_type key, ur_map_value_type value, voi
const char *pn=csarg->client_protocol;
if(pn[0]) {
if(!strcmp(pn,"TLS") || !strcmp(pn,"tls") || !strcmp(pn,"Tls")) {
if((tsi->client_protocol != TLS_SOCKET)||(tsi->client_protocol != TLS_SCTP_SOCKET))
if((tsi->client_protocol != TLS_SOCKET)&&(tsi->client_protocol != TLS_SCTP_SOCKET))
return 0;
} else if(!strcmp(pn,"DTLS") || !strcmp(pn,"dtls") || !strcmp(pn,"Dtls")) {
if(tsi->client_protocol != DTLS_SOCKET)
return 0;
} else if(!strcmp(pn,"TCP") || !strcmp(pn,"tcp") || !strcmp(pn,"Tcp")) {
if((tsi->client_protocol != TCP_SOCKET)||(tsi->client_protocol != SCTP_SOCKET))
if((tsi->client_protocol != TCP_SOCKET)&&(tsi->client_protocol != SCTP_SOCKET))
return 0;
} else if(!strcmp(pn,"UDP") || !strcmp(pn,"udp") || !strcmp(pn,"Udp")) {
if(tsi->client_protocol != UDP_SOCKET)
@ -3146,7 +3295,7 @@ static void handle_logon_request(ioa_socket_handle s, struct http_request* hr)
s->special_session_size = sizeof(struct admin_session);
}
if(!(as->as_ok) && uname && pwd) {
if(!(as->as_ok) && uname && is_secure_string((const u08bits*)uname,1)) {
const turn_dbdriver_t * dbd = get_dbdriver();
if (dbd && dbd->get_admin_user) {
password_t password;
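Review bot: In `web_admin_input_handler` the HTTPS branch logs the whole received buffer at INFO level unconditionally (`TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: %s (%s %s) request: %s\n", ...)`), while the plain-HTTP branch a few lines below gates the equivalent line on `adminserver.verbose`; since `handle_logon_request` reads `uname` and `pwd` from the HTTP request, a logon request body may end up in the server log. Gating that line on `adminserver.verbose` like the HTTP branch, or logging only the request line instead of the full buffer, avoids recording credentials. `ioa_network_buffer_data(in_buffer->nbh)[buffer_size] = 0;` writes one byte past the received size and is only safe if every network buffer carries at least one spare byte beyond its size, which this hunk does not show. In `handle_logon_request` the new condition drops the previous `pwd` NULL check (`uname && pwd` became `uname && is_secure_string(...)`), so if `pwd` is dereferenced further down, outside this hunk, a logon request without a password field now reaches it as NULL; `uname && pwd && is_secure_string((const u08bits*)uname,1)` keeps both checks.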


@ -81,8 +81,6 @@ extern struct admin_server adminserver;
extern int use_cli;
extern int use_http;
#define CLI_DEFAULT_IP ("127.0.0.1")
extern ioa_addr cli_addr;
extern int cli_addr_set;
@ -96,6 +94,16 @@ extern char cli_password[CLI_PASSWORD_LENGTH];
#define DEFAULT_CLI_MAX_OUTPUT_SESSIONS (256)
extern int cli_max_output_sessions;
extern int use_web_admin;
#define WEB_ADMIN_DEFAULT_IP ("127.0.0.1")
extern ioa_addr web_admin_addr;
extern int web_admin_addr_set;
#define WEB_ADMIN_DEFAULT_PORT (8080)
extern int web_admin_port;
////////////////////////////////////////////
void setup_admin_thread(void);
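Review bot: The new web-admin globals (`use_web_admin`, `web_admin_addr`, `web_admin_addr_set`, `web_admin_port`) and the `WEB_ADMIN_DEFAULT_IP` / `WEB_ADMIN_DEFAULT_PORT` defaults are declared without any comment, although the loopback default is exactly what an operator needs to know before exposing the listener. A short comment above `extern int use_web_admin;` such as `/* Web-admin (HTTPS) listener: not created unless use_web_admin is set; binds WEB_ADMIN_DEFAULT_IP (loopback) on WEB_ADMIN_DEFAULT_PORT unless web_admin_addr_set / web_admin_port override it */` would capture that contract, which matches the guards in setup_admin_thread.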


@ -340,7 +340,7 @@ int addr_to_string(const ioa_addr* addr, u08bits* saddr)
if (addr && saddr) {
s08bits addrtmp[MAX_IOA_ADDR_STRING];
s08bits addrtmp[INET6_ADDRSTRLEN];
if (addr->ss.sa_family == AF_INET) {
inet_ntop(AF_INET, &addr->s4.sin_addr, addrtmp, INET_ADDRSTRLEN);


@ -31,7 +31,7 @@
#ifndef __IOADEFS__
#define __IOADEFS__
#define TURN_SERVER_VERSION "4.5.0.8"
#define TURN_SERVER_VERSION "4.5.1.0"
#define TURN_SERVER_VERSION_NAME "dan Eider"
#define TURN_SOFTWARE "Coturn-" TURN_SERVER_VERSION " '" TURN_SERVER_VERSION_NAME "'"


@ -271,7 +271,7 @@ static int good_peer_addr(turn_turnserver *server, const char* realm, ioa_addr *
if(server && peer_addr) {
if(*(server->no_multicast_peers) && ioa_addr_is_multicast(peer_addr))
return 0;
if(*(server->no_loopback_peers) && ioa_addr_is_loopback(peer_addr))
if( !*(server->allow_loopback_peers) && ioa_addr_is_loopback(peer_addr))
return 0;
{
@ -1029,7 +1029,7 @@ static int handle_turn_allocate(turn_turnserver *server,
}
ns_bcopy(value,username,ulen);
username[ulen]=0;
if(!is_secure_username(username)) {
if(!is_secure_string(username,1)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: wrong username: %s\n", __FUNCTION__, (char*)username);
username[0]=0;
*err_code = 400;
@ -3346,6 +3346,13 @@ static int check_stun_auth(turn_turnserver *server,
ns_bcopy(stun_attr_get_value(sar),realm,alen);
realm[alen]=0;
if(!is_secure_string(realm,0)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: wrong realm: %s\n", __FUNCTION__, (char*)realm);
realm[0]=0;
*err_code = 400;
return -1;
}
if(method == STUN_METHOD_CONNECTION_BIND) {
get_realm_options_by_name((char *)realm, &(ss->realm_options));
@ -3381,7 +3388,7 @@ static int check_stun_auth(turn_turnserver *server,
ns_bcopy(stun_attr_get_value(sar),usname,alen);
usname[alen]=0;
if(!is_secure_username(usname)) {
if(!is_secure_string(usname,1)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: wrong username: %s\n", __FUNCTION__, (char*)usname);
usname[0]=0;
*err_code = 400;
@ -4563,14 +4570,13 @@ static int read_client_connection(turn_turnserver *server,
ioa_network_buffer_delete(server->e, nbh);
return 0;
}
} else {
if (server->use_http) {
SOCKET_TYPE st = get_ioa_socket_type(ss->client_socket);
if(is_stream_socket(st)) {
if(is_http((char*)ioa_network_buffer_data(in_buffer->nbh), ioa_network_buffer_get_size(in_buffer->nbh))) {
const char *proto = "HTTP";
ioa_network_buffer_data(in_buffer->nbh)[ioa_network_buffer_get_size(in_buffer->nbh)] = 0;
SOCKET_TYPE st = get_ioa_socket_type(ss->client_socket);
if(is_stream_socket(st)) {
if(is_http((char*)ioa_network_buffer_data(in_buffer->nbh), ioa_network_buffer_get_size(in_buffer->nbh))) {
const char *proto = "HTTP";
ioa_network_buffer_data(in_buffer->nbh)[ioa_network_buffer_get_size(in_buffer->nbh)] = 0;
if (*server->web_admin_listen_on_workers) {
if(st==TLS_SOCKET) {
proto = "HTTPS";
set_ioa_socket_app_type(ss->client_socket,HTTPS_CLIENT_SOCKET);
@ -4592,11 +4598,14 @@ static int read_client_connection(turn_turnserver *server,
handle_http_echo(ss->client_socket);
}
return 0;
} else {
ss->to_be_closed = 1;
return 0;
}
}
}
}
//Unrecognized message received, ignore it
FUNCEND;
@ -4838,11 +4847,12 @@ void init_turn_server(turn_turnserver* server,
vintp stun_only,
vintp no_stun,
vintp prod,
vintp web_admin_listen_on_workers,
turn_server_addrs_list_t *alternate_servers_list,
turn_server_addrs_list_t *tls_alternate_servers_list,
turn_server_addrs_list_t *aux_servers_list,
int self_udp_balance,
vintp no_multicast_peers, vintp no_loopback_peers,
vintp no_multicast_peers, vintp allow_loopback_peers,
ip_range_list_t* ip_whitelist, ip_range_list_t* ip_blacklist,
send_socket_to_relay_cb send_socket_to_relay,
vintp secure_stun, vintp mobility, int server_relay,
@ -4851,7 +4861,6 @@ void init_turn_server(turn_turnserver* server,
allocate_bps_cb allocate_bps_func,
int oauth,
const char* oauth_server_name,
int use_http,
int keep_address_family) {
if (!server)
@ -4870,7 +4879,7 @@ void init_turn_server(turn_turnserver* server,
server->chquotacb = chquotacb;
server->raqcb = raqcb;
server->no_multicast_peers = no_multicast_peers;
server->no_loopback_peers = no_loopback_peers;
server->allow_loopback_peers = allow_loopback_peers;
server->secure_stun = secure_stun;
server->mobility = mobility;
server->server_relay = server_relay;
@ -4900,6 +4909,7 @@ void init_turn_server(turn_turnserver* server,
server->stun_only = stun_only;
server->no_stun = no_stun;
server->prod = prod;
server-> web_admin_listen_on_workers = web_admin_listen_on_workers;
server->dont_fragment = dont_fragment;
server->fingerprint = fingerprint;
@ -4919,8 +4929,6 @@ void init_turn_server(turn_turnserver* server,
server->allocate_bps_func = allocate_bps_func;
server->use_http = use_http;
server->keep_address_family = keep_address_family;
set_ioa_timer(server->e, 1, 0, timer_timeout_handler, server, 1, "timer_timeout_handler");
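Review bot: In the `read_client_connection` hunk the terminator `ioa_network_buffer_data(in_buffer->nbh)[ioa_network_buffer_get_size(in_buffer->nbh)] = 0;` is now written for every HTTP-looking payload on a stream socket before `*server->web_admin_listen_on_workers` is consulted, yet the `else` branch only sets `ss->to_be_closed = 1` and never reads the data. That one-past-size write is safe only if the buffer always has a spare byte (not visible here); moving it inside the `if (*server->web_admin_listen_on_workers)` branch keeps it off the path taken when the web-admin is not served by the workers. The close in that `else` branch is silent; a verbose-gated `TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: HTTP request on TURN listener rejected (web-admin not on workers)\n", __FUNCTION__);` would let operators notice such traffic on relay ports. The second argument of `is_secure_string` is a bare `0`/`1` at every call site in this file (`1` for usernames, `0` for the realm); a comment or named constant at the declaration would make the distinction clear, and `server-> web_admin_listen_on_workers = ...` in `init_turn_server` has a stray space after the arrow. read_client_connection starts and ends outside the hunk.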


@ -121,6 +121,7 @@ struct _turn_turnserver {
vintp stun_only;
vintp no_stun;
vintp prod;
vintp web_admin_listen_on_workers;
vintp secure_stun;
turn_credential_type ct;
get_alt_addr_cb alt_addr_cb;
@ -132,7 +133,7 @@ struct _turn_turnserver {
release_allocation_quota_cb raqcb;
int external_ip_set;
ioa_addr external_ip;
vintp no_loopback_peers;
vintp allow_loopback_peers;
vintp no_multicast_peers;
send_turn_session_info_cb send_turn_session_info;
send_https_socket_cb send_https_socket;
@ -170,9 +171,6 @@ struct _turn_turnserver {
int oauth;
const char* oauth_server_name;
/* HTTP-Admin-Server: */
int use_http;
/* Keep Address Family */
int keep_address_family;
};
@ -202,12 +200,13 @@ void init_turn_server(turn_turnserver* server,
vintp stun_only,
vintp no_stun,
vintp prod,
vintp web_admin_listen_on_workers,
turn_server_addrs_list_t *alternate_servers_list,
turn_server_addrs_list_t *tls_alternate_servers_list,
turn_server_addrs_list_t *aux_servers_list,
int self_udp_balance,
vintp no_multicast_peers,
vintp no_loopback_peers,
vintp allow_loopback_peers,
ip_range_list_t* ip_whitelist,
ip_range_list_t* ip_blacklist,
send_socket_to_relay_cb send_socket_to_relay,
@ -219,7 +218,6 @@ void init_turn_server(turn_turnserver* server,
allocate_bps_cb allocate_bps_func,
int oauth,
const char* oauth_server_name,
int use_http,
int keep_address_family);
ioa_engine_handle turn_server_get_engine(turn_turnserver *s);