	Add option no-rfc5780
To avoid any amplification STUN binding attacks.
This commit is contained in:
		
							parent
							
								
									8c9622ad18
								
							
						
					
					
						commit
						eda11698f0
					
				| @ -21,6 +21,8 @@ Version 4.5.3 'dan Eider': | ||||
| 		* Readme.turnserver: how to run server as a daemon | ||||
| 	- merge PR #739 (by hills) | ||||
| 		* SSL reload has hidden bugs which cause crashes | ||||
| 	- Fix regression in PR #739 | ||||
| 	- Add option to disable RFC8750 | ||||
| 
 | ||||
| 10/01/2021 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu> | ||||
| Version 4.5.2 'dan Eider': | ||||
|  | ||||
| @ -605,10 +605,17 @@ Options with values: | ||||
| 
 | ||||
| --web-admin-port=<port>  Web-admin server port. Default is 8080. | ||||
| --web-admin-listen-on-workers   Enable for web-admin server to listens on STUN/TURN workers STUN/TURN ports. | ||||
| 			By default it is disabled for security resons! | ||||
| 			By default it is disabled for security reasons! | ||||
| 			(This behavior used to be the default behavior, and was enabled by default.) | ||||
| 
 | ||||
| --ne=[1|2|3]		Set network engine type for the process (for internal purposes). | ||||
| --no-rfc5780		Disable RFC5780 (NAT behavior discovery). | ||||
|                     Originally, if there are more than one listener address from the same | ||||
|                     address family, then by default the NAT behavior discovery feature enabled. | ||||
|                     This option disables this original behavior, because the NAT behavior discovery | ||||
|                     adds attributes to response, and this increase the possibility of an amplification attack. | ||||
|                     Strongly encouraged to use this option to decrease gain factor in STUN binding responses. | ||||
| 					 | ||||
| 
 | ||||
| ================================== | ||||
| 
 | ||||
|  | ||||
| @ -759,3 +759,13 @@ | ||||
| #no-tlsv1 | ||||
| #no-tlsv1_1 | ||||
| #no-tlsv1_2 | ||||
| 
 | ||||
| # Disable RFC5780 (NAT behavior discovery). | ||||
| #Originally, if there are more than one listener address from the same | ||||
| #address family, then by default the NAT behavior discovery feature enabled. | ||||
| #This option disables the original behavior, because the NAT behavior discovery | ||||
| #adds extra attributes to response, and this increase the possibility of | ||||
| #an amplification attack. | ||||
| #Strongly encouraged to use this option to decrease gain factor in STUN binding responses. | ||||
| # | ||||
| no-rfc5780 | ||||
| @ -115,10 +115,24 @@ DH_2066, "", "", "", | ||||
| NULL, PTHREAD_MUTEX_INITIALIZER, | ||||
| 
 | ||||
| //////////////// Common params ////////////////////
 | ||||
| TURN_VERBOSE_NONE,0,0,0,0, | ||||
| "/var/run/turnserver.pid","", | ||||
| DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,0,1, | ||||
| 0,0,0,0,0, | ||||
| TURN_VERBOSE_NONE, /* verbose */ | ||||
| 0, /* turn_daemon */ | ||||
| 0, /* no_software_attribute */ | ||||
| 0, /* web_admin_listen_on_workers */ | ||||
| 0, /* do_not_use_config_file */ | ||||
| "/var/run/turnserver.pid", /* pidfile */ | ||||
| "", /* acme_redirect */ | ||||
| DEFAULT_STUN_PORT, /* listener_port*/ | ||||
| DEFAULT_STUN_TLS_PORT, /* tls_listener_port */ | ||||
| 0, /* alt_listener_port */ | ||||
| 0, /* alt_tls_listener_port */ | ||||
| 0, /* tcp_proxy_port */ | ||||
| 1, /* rfc5780 */ | ||||
| 0, /* no_udp */ | ||||
| 0, /* no_tcp */ | ||||
| 0, /* tcp_use_proxy */ | ||||
| 0, /* no_tcp_relay */ | ||||
| 0, /* no_udp_relay */ | ||||
| "", | ||||
| "",0, | ||||
| { | ||||
| @ -676,6 +690,12 @@ static char Usage[] = "Usage: turnserver [options]\n" | ||||
| " --cli-max-output-sessions			Maximum number of output sessions in ps CLI command.\n" | ||||
| "						This value can be changed on-the-fly in CLI. The default value is 256.\n" | ||||
| " --ne=[1|2|3]					Set network engine type for the process (for internal purposes).\n" | ||||
| " --no-rfc5780					Disable RFC5780 (NAT behavior discovery).\n" | ||||
| "						Originally, if there are more than one listener address from the same\n" | ||||
| "						address family, then by default the NAT behavior discovery feature enabled.\n" | ||||
| "						This option disables this original behavior, because the NAT behavior discovery\n" | ||||
| "						adds attributes to response, and this increase the possibility of an amplification attack.\n" | ||||
| "						Strongly encouraged to use this option to decrease gain factor in STUN binding responses.\n" | ||||
| " -h						Help\n" | ||||
| "\n"; | ||||
| 
 | ||||
| @ -821,7 +841,8 @@ enum EXTRA_OPTS { | ||||
| 	NO_HTTP_OPT, | ||||
| 	SECRET_KEY_OPT, | ||||
| 	ACME_REDIRECT_OPT, | ||||
| 	LOG_BINDING_OPT | ||||
| 	LOG_BINDING_OPT, | ||||
| 	NO_RFC5780 | ||||
| }; | ||||
| 
 | ||||
| struct myoption { | ||||
| @ -958,7 +979,7 @@ static const struct myoption long_options[] = { | ||||
| 				{ "allocation-default-address-family", required_argument, NULL, 'A' }, | ||||
| 				{ "acme-redirect", required_argument, NULL, ACME_REDIRECT_OPT }, | ||||
| 				{ "log-binding", optional_argument, NULL, LOG_BINDING_OPT }, | ||||
| 
 | ||||
| 				{ "no-rfc5780", optional_argument, NULL, NO_RFC5780 }, | ||||
| 				{ NULL, no_argument, NULL, 0 } | ||||
| }; | ||||
| 
 | ||||
| @ -1632,6 +1653,9 @@ static void set_option(int c, char *value) | ||||
| 	case LOG_BINDING_OPT: | ||||
| 		turn_params.log_binding = get_bool_value(value); | ||||
| 		break; | ||||
| 	case NO_RFC5780: | ||||
| 		turn_params.rfc5780 = 0; | ||||
| 		break; | ||||
| 
 | ||||
| 	/* these options have been already taken care of before: */ | ||||
| 	case 'l': | ||||
|  | ||||
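Review bot: `no-rfc5780` is registered with `optional_argument` in the long_options hunk, but the new `case NO_RFC5780:` in set_option discards `value` and unconditionally sets `turn_params.rfc5780 = 0`, so `--no-rfc5780=0` or `--no-rfc5780=false` still disables the feature, unlike the neighbouring `log-binding` case which goes through `get_bool_value(value)`. Either register the option as `no_argument`, or mirror the sibling with `turn_params.rfc5780 = !get_bool_value(value);` — this assumes get_bool_value treats a missing value as true, which the `log-binding` usage suggests but this hunk does not show. In the turn_params initializer hunk the `1, /* rfc5780 */` slot is positional, so it only stays correct while the field order in the struct (declared outside this hunk) matches the comments; a designated initializer (`.rfc5780 = 1`) would make that robust if the project's compiler settings allow it. Separately, the ChangeLog entry in this commit says "RFC8750" where the option name, README and Usage text all say RFC5780.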
| @ -1089,12 +1089,16 @@ static void setup_listener(void) | ||||
| 		bufferevent_enable(turn_params.listener.in_buf, EV_READ); | ||||
| 	} | ||||
| 
 | ||||
| 	if (turn_params.rfc5780 == 1) { | ||||
| 		if(turn_params.listener.addrs_number<2 || turn_params.external_ip) { | ||||
| 			turn_params.rfc5780 = 0; | ||||
| 			TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided\n"); | ||||
| 		} else { | ||||
| 			turn_params.listener.services_number = turn_params.listener.services_number * 2; | ||||
| 		} | ||||
| 	} else { | ||||
| 		TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "INFO: RFC5780 disabled! /NAT behavior discovery/\n"); | ||||
| 	} | ||||
| 
 | ||||
| 	turn_params.listener.udp_services = (dtls_listener_relay_server_type***)allocate_super_memory_engine(turn_params.listener.ioa_eng, sizeof(dtls_listener_relay_server_type**)*turn_params.listener.services_number); | ||||
| 	turn_params.listener.dtls_services = (dtls_listener_relay_server_type***)allocate_super_memory_engine(turn_params.listener.ioa_eng, sizeof(dtls_listener_relay_server_type**)*turn_params.listener.services_number); | ||||
|  | ||||
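Review bot: Inside the new `if (turn_params.rfc5780 == 1)` block in setup_listener, the WARNING on the `TURN_LOG_FUNC` line still says "only one IP address is provided" although the condition on the line above also fires when `turn_params.external_ip` is set, so an operator with two listener addresses plus `external-ip` gets a misleading reason for RFC5780 being turned off. Whether that inner condition and message are re-indented new lines or untouched context is not recoverable from this rendering, but since the commit now wraps them it is a natural place to make the text match, e.g. `"WARNING: STUN CHANGE_REQUEST (RFC5780) disabled: it needs at least two listener addresses and no external-ip\n"`. The rest of setup_listener lies outside the hunk.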