From eda11698f0f5512e0149e807e39b5737187ae33f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?=
Date: Wed, 2 Jun 2021 23:45:44 +0200
Subject: [PATCH] Add option no-rfc5780

To avoid any amplifiaction STUN binding attacks.
---
 ChangeLog | 2 ++
 README.turnserver | 9 ++++++++-
 examples/etc/turnserver.conf | 10 ++++++++++
 src/apps/relay/mainrelay.c | 36 ++++++++++++++++++++++++++++++------
 src/apps/relay/netengine.c | 12 ++++++++----
 5 files changed, 58 insertions(+), 11 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 367c1252..e6b0ed99 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,8 @@ Version 4.5.3 'dan Eider':
 * Readme.turnserver: how to run server as a daemon - merge PR #739 (by hills)
 * SSL reload has hidden bugs which cause crashes
+ - Fix regression in PR #739
+ - Add option to disable RFC8750
 10/01/2021 Oleg Moskalenko Mihály Mészáros
 Version 4.5.2 'dan Eider':
diff --git a/README.turnserver b/README.turnserver
index 7ed7dc4f..9972264c 100644
--- a/README.turnserver
+++ b/README.turnserver
@@ -605,10 +605,17 @@ Options with values:
 --web-admin-port= Web-admin server port. Default is 8080.
 --web-admin-listen-on-workers Enable for web-admin server to listens on STUN/TURN workers STUN/TURN ports.
- By default it is disabled for security resons!
+ By default it is disabled for security reasons!
 (This behavior used to be the default behavior, and was enabled by default.)
 --ne=[1|2|3] Set network engine type for the process (for internal purposes).
+--no-rfc5780 Disable RFC5780 (NAT behavior discovery).
+ Originally, if there are more than one listener address from the same
+ address family, then by default the NAT behavior discovery feature enabled.
+ This option disables this original behavior, because the NAT behavior discovery
+ adds attributes to response, and this increase the possibility of an amplification attack.
+ Strongly encouraged to use this option to decrease gain factor in STUN binding responses.
+
 ==================================
diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf
index 4bbb5c76..47b0beca 100644
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@@ -759,3 +759,13 @@
 #no-tlsv1
 #no-tlsv1_1
 #no-tlsv1_2
+
+# Disable RFC5780 (NAT behavior discovery).
+#Originally, if there are more than one listener address from the same
+#address family, then by default the NAT behavior discovery feature enabled.
+#This option disables the original behavior, because the NAT behavior discovery
+#adds extra attributes to response, and this increase the possibility of
+#an amplification attack.
+#Strongly encouraged to use this option to decrease gain factor in STUN binding responses.
+#
+no-rfc5780
\ No newline at end of file
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index 9d951868..d5e04e9b 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -115,10 +115,24 @@ DH_2066, "", "", "", NULL, PTHREAD_MUTEX_INITIALIZER,
 //////////////// Common params ////////////////////
-TURN_VERBOSE_NONE,0,0,0,0,
-"/var/run/turnserver.pid","",
-DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,0,1,
-0,0,0,0,0,
+TURN_VERBOSE_NONE, /* verbose */
+0, /* turn_daemon */
+0, /* no_software_attribute */
+0, /* web_admin_listen_on_workers */
+0, /* do_not_use_config_file */
+"/var/run/turnserver.pid", /* pidfile */
+"", /* acme_redirect */
+DEFAULT_STUN_PORT, /* listener_port*/
+DEFAULT_STUN_TLS_PORT, /* tls_listener_port */
+0, /* alt_listener_port */
+0, /* alt_tls_listener_port */
+0, /* tcp_proxy_port */
+1, /* rfc5780 */
+0, /* no_udp */
+0, /* no_tcp */
+0, /* tcp_use_proxy */
+0, /* no_tcp_relay */
+0, /* no_udp_relay */
 "", "",0,
 {
@@ -676,6 +690,12 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " --cli-max-output-sessions Maximum number of output sessions in ps CLI command.\n"
 " This value can be changed on-the-fly in CLI. The default value is 256.\n"
 " --ne=[1|2|3] Set network engine type for the process (for internal purposes).\n"
+" --no-rfc5780 Disable RFC5780 (NAT behavior discovery).\n"
+" Originally, if there are more than one listener address from the same\n"
+" address family, then by default the NAT behavior discovery feature enabled.\n"
+" This option disables this original behavior, because the NAT behavior discovery\n"
+" adds attributes to response, and this increase the possibility of an amplification attack.\n"
+" Strongly encouraged to use this option to decrease gain factor in STUN binding responses.\n"
 " -h Help\n"
 "\n";
@@ -821,7 +841,8 @@ enum EXTRA_OPTS {
 NO_HTTP_OPT,
 SECRET_KEY_OPT,
 ACME_REDIRECT_OPT,
- LOG_BINDING_OPT
+ LOG_BINDING_OPT,
+ NO_RFC5780
 };
 struct myoption {
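Review bot: The default for the flag stays enabled (`1, /* rfc5780 */` in the turn_params initializer) while the new Usage text says disabling it is "strongly encouraged", so an unmodified deployment keeps the larger Binding responses this patch is meant to avoid; if flipping the default is too disruptive for existing installs, the help text should at least state that RFC5780 is on by default. Replacing the positional `0, /* field */` pairs with designated initializers (`.rfc5780 = 1,`) would make the field names enforced by the compiler rather than advisory comments that can silently drift from the struct order, assuming the file is already built as C99. The added Usage strings read awkwardly; e.g. `" address family, then by default the NAT behavior discovery feature is enabled.\n"` and `" adds attributes to the response, which increases the possibility of an amplification attack.\n"`. The ChangeLog hunk in the same patch names the RFC as RFC8750; presumably RFC5780 is meant.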
@@ -958,7 +979,7 @@ static const struct myoption long_options[] = {
 { "allocation-default-address-family", required_argument, NULL, 'A' },
 { "acme-redirect", required_argument, NULL, ACME_REDIRECT_OPT },
 { "log-binding", optional_argument, NULL, LOG_BINDING_OPT },
-
+ { "no-rfc5780", optional_argument, NULL, NO_RFC5780 },
 { NULL, no_argument, NULL, 0 }
 };
@@ -1632,6 +1653,9 @@ static void set_option(int c, char *value)
 case LOG_BINDING_OPT:
 turn_params.log_binding = get_bool_value(value);
 break;
+ case NO_RFC5780:
+ turn_params.rfc5780 = 0;
+ break;
 /* these options have been already taken care of before: */
 case 'l':
diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c
index 1575bbc5..86d79e3b 100644
--- a/src/apps/relay/netengine.c
+++ b/src/apps/relay/netengine.c
@@ -1089,11 +1089,15 @@ static void setup_listener(void)
 bufferevent_enable(turn_params.listener.in_buf, EV_READ);
 }
- if(turn_params.listener.addrs_number<2 || turn_params.external_ip) {
- turn_params.rfc5780 = 0;
- TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided\n");
+ if (turn_params.rfc5780 == 1) {
+ if(turn_params.listener.addrs_number<2 || turn_params.external_ip) {
+ turn_params.rfc5780 = 0;
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided\n");
+ } else {
+ turn_params.listener.services_number = turn_params.listener.services_number * 2;
+ }
 } else {
- turn_params.listener.services_number = turn_params.listener.services_number * 2;
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "INFO: RFC5780 disabled! /NAT behavior discovery/\n");
 }
 turn_params.listener.udp_services = (dtls_listener_relay_server_type***)allocate_super_memory_engine(turn_params.listener.ioa_eng, sizeof(dtls_listener_relay_server_type**)*turn_params.listener.services_number);
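Review bot: `--no-rfc5780` is registered with `optional_argument` in long_options, but `case NO_RFC5780` in set_option ignores `value` and always clears the flag, so `no-rfc5780=0` in turnserver.conf or `--no-rfc5780=false` on the command line still disables RFC5780 — unlike `log-binding` directly above it, which routes the value through `get_bool_value`. Either register the option as `no_argument` so a value is rejected, or handle it the way its neighbour does: `turn_params.rfc5780 = get_bool_value(value) ? 0 : 1;` (this assumes `get_bool_value` treats a missing value as true, which the bare `--log-binding` form appears to rely on). set_option's switch continues outside the hunk.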
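Review bot: `if (turn_params.rfc5780 == 1)` tests a boolean-style flag against a literal, so any non-zero value other than 1 would skip the address check, leave `services_number` undoubled and log "RFC5780 disabled!" while the flag itself stays set; `if (turn_params.rfc5780) {` is the safer test, and it also reads consistently with the nested `if(turn_params.listener.addrs_number<2 ...)` once the `if(`/`if (` spacing in the same hunk is unified. With the option on, `services_number` is no longer doubled, so every later consumer of `services_number` and the alternate-address listener setup in the rest of setup_listener (which continues outside this hunk) must be keyed on `turn_params.rfc5780` too; the old single-address path already cleared the flag before this change, so that is probably already the case, but it is worth confirming, together with the Binding-response code that emits the RFC5780 attributes (OTHER-ADDRESS, RESPONSE-ORIGIN), since that is what actually reduces the response size the commit message is concerned with. A short comment at the new outer `if`, e.g. `/* RFC5780 needs a second address per family; when disabled (--no-rfc5780) only the primary listeners are created */`, would make the doubling of `services_number` self-explanatory.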