mirror of https://github.com/coturn/coturn.git synced 2025-10-30 06:20:59 +01:00

1502 Commits

Author SHA1 Message Date
Pavel Punsky
bd9e44dd7c
Replace bcopy with memcpy (#991)
Replace all instances of `bcopy` with memcpy.

Inspired by https://github.com/coturn/coturn/pull/855
2022-09-20 10:39:11 +02:00
Gustavo Garcia
0f0197e250
Add CI tests in older ubuntu version (#981)
This should help catching issues like the one in #978 with older
versions of openssl or other libraries used
2022-09-19 18:51:02 +02:00
Pavel Punsky
ae259637eb
Replace bzero with memset (#986)
Replace all instances of `bzero` with memset by find-replace-edit.
This is straightforward replacement which is suboptimal in a few cases
(for example we could use calloc instead of malloc+memset(0))

Inspired by #855
2022-09-17 08:36:28 +02:00
Pavel Punsky
9370bb742d
Fix a warning (#988)
There are too many defines that are, eventually, used in one place so
just inlining.

Current code generates following warning:
```
warning: macro expansion producing 'defined' has undefined behavior [-Wexpansion-to-defined]
```

With the fix there is no warning

Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
2022-09-17 08:29:32 +02:00
Pavel Punsky
4ce784a878
Improve openssl3 and FIPS support (#955)
openssl-3.0 deprecated some APIs and introduced new APIs instead:

`SSL_get_peer_certificate` -> `SSL_get1_peer_certificate`
`FIPS_mode()` -> `EVP_default_properties_is_fips_enabled()`
`EVP_MD_CTX_set_flags()` -> `EVP_default_properties_enable_fips()`
specifically for enabling FIPS mode

This change should work around that by ifdef-ing old/new versions of
openssl and APIs - so pre-3.0 use existing APIs (so no change there)
and >=3.0 will use new APIs (whether it actually works or not is still
TBD as this is just a first step in openssl-3.0 support)

Should fix #886

Test Plan:
Run CI build that supports ubuntu-20.04 (openssl-1.1.1) and ubuntu-22.04
(openssl-3.0.2)
Both builds pass
None of them have FIPS support (which for 1.1.x stays the same as
before)

Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
2022-09-16 09:46:45 +02:00
Robert Scheck
50f33bf04e
Preserve file timestamps when using install(1) (#983)
- Preserve file timestamps when using `install`
- Use permissions `0644` rather than default `0755` for installing man
pages

The alternative calls of `cp` are using `cp -p` as well (if `install` is
unavailable).
2022-09-16 09:44:00 +02:00
Pavel Punsky
9af9f6306a
Fix renegotiation flag for older version of openssl (#978)
`SSL_OP_NO_RENEGOTIATION` is only supported in openssl-1.1.0 and above
Older versions have `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS`

Fixes #977 and #952

Test:
Build in a docker container running openssl-1.0.2g (ubuntu
16.04) successfully (without the fix getting the same errors)
2022-09-14 12:29:26 +02:00
tyranron
8b66fa4ff2
Improve GitHub release notes of Docker image 2022-09-13 15:52:09 +03:00
tyranron
01d725e65b
Improve Docker CI pipeline
- omit publishing and releasing Docker images in forks
- verify Git tag to match Makefile before releasing
- auto-cancel concurrent CI pipelines for the same Git ref
docker/4.6.0-r0
2022-09-13 13:19:07 +03:00
tyranron
79f9c65dd8
Upgrade Docker image to 4.6.0 Coturn version 2022-09-13 12:38:37 +03:00
tyranron
b7b43edd33
Fix ChangeLog for 4.6.0 release (#976) 2022-09-13 12:34:00 +03:00
Gustavo Garcia
f67326fe35
Increase version to 4.6.0 (#976)
Increase the version number for the 4.6.0 release.
It uses the codename Gorst.
4.6.0
2022-09-13 09:33:12 +02:00
Gustavo Garcia
35c9e8d52f
Update ChangeLog 2022-09-12 19:29:06 +02:00
Pavel Punsky
98d19fc441
Fix small issues reported by cppcheck (#967)
- Redundant checks for variable values
- Potential nullptr dereference
- Double check for the same variable

Run with:
```
cppcheck --inline-suppr --language=c --enable=warning,performance --force .
```

Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
2022-09-08 11:25:38 +02:00
Pavel Punsky
e2ff7caf9d
Fix long log line printing (#974)
`vsnprintf` will stop at the max buffer size as provided in its 2nd
argument

But the return value is `The number of characters that would have been
written if n had been sufficiently large` meaning it can be larger than
actual buffer size
`fwrite` will actually use the larger, incorrect number and dump
unrelated memory to log (and crash with high confidence)

Test:
- Query admin interface with super long path (>16KB) - crash
- With the fix - no crash with the same input, log line cut off

Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
2022-09-08 11:24:28 +02:00
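
The length mismatch described in the commit message above, as an added C example that is not coturn's code: `vsnprintf` reports the length the full string would have needed, so that value has to be clamped before it is used as a byte count for `fwrite`. The function names, the 64-byte buffer and the sample path are hypothetical and constructed for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 64 /* assumed small size so truncation is easy to trigger */

/* Before: treats vsnprintf's return value as the number of bytes in buf.
 * Only returns the length here; feeding it to fwrite would read past buf. */
static size_t log_len_unchecked(char *buf, size_t cap, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    return (size_t)n; /* "would have been written": can be larger than cap */
}

/* After: clamp to what was really stored (at most cap - 1 bytes plus NUL). */
static size_t log_len_clamped(char *buf, size_t cap, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    if (n < 0 || cap == 0)
        return 0;       /* encoding error or no room: emit nothing */
    if ((size_t)n >= cap)
        return cap - 1; /* output was truncated: the line is cut off */
    return (size_t)n;
}

/* Formats one log line and writes only the bytes that exist in the buffer. */
static size_t write_log_line(FILE *out, const char *path) {
    char buf[LOG_BUF_SIZE];
    size_t len = log_len_clamped(buf, sizeof buf, "admin request: %s\n", path);
    return fwrite(buf, 1, len, out);
}

int main(void) {
    char buf[LOG_BUF_SIZE];
    char long_path[256]; /* constructed over-long request path */
    memset(long_path, 'A', sizeof long_path - 1);
    long_path[sizeof long_path - 1] = '\0';

    size_t bad = log_len_unchecked(buf, sizeof buf, "admin request: %s\n", long_path);
    size_t good = log_len_clamped(buf, sizeof buf, "admin request: %s\n", long_path);
    printf("buffer=%zu unchecked=%zu clamped=%zu\n", sizeof buf, bad, good);
    write_log_line(stdout, long_path);
    putchar('\n');
    return 0;
}
```
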
Pavel Punsky
83bd4e23e7
Print turnserver version with --version (#973)
Print number version of the build

```
$ turnserver --version
4.5.2
```


Closes #843

Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
2022-09-07 07:06:31 +02:00
Pavel Punsky
a09aa989b6
Do not write outside of a buffer in admin interface (#972)
Writing outside of a buffer can only happen if incoming HTTP request is longer than UDP_STUN_BUFFER_SIZE (16KB).

This change validates that the request is no longer than the buffer size and drops it if it is the case

Fixes #342

Test plan:
- Run in debugger and send a 16KB request using curl - response returns, logs correct
- Send 16KB + 1b request - warning logged and request dropped

Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
2022-09-05 12:07:07 -07:00
Pavel Punsky
6d9b75dbef
Fix uclient certificate loading bug (#970)
When using `turnutils_uclient` with `-S` flag (TLS or DTLS) it is not required to load certificates. Only load certificates when corresponding flags are provided

Fixes #376 which prevented using `turnutils_uclient` for testing TLS/DTLS connections

Test plan:
- Run local turnserver with certificates `./bin/turnserver --cert ./bin/public.pem --pkey ./bin/private.key --use-auth-secret  --static-auth-secret=secret --realm=north.gov --allow-loopback-peers --no-cli --verbose`
- Run fixed uclient without TLS/DTLS `./bin/turnutils_uclient -e 127.0.0.1 -X -g -u user -W secret 127.0.0.1` and get success result (just to make sure non-secure still works)
- Run fixed uclient with TLS `./bin/turnutils_uclient -e 127.0.0.1 -X -g -u user -W secret -t -S 127.0.0.1` and get success result
- Run fixed uclient with DTLS `./bin/turnutils_uclient -e 127.0.0.1 -X -g -u user -W secret -S 127.0.0.1` and get success result
- Run unpatched uclient with TLS `./bin/turnutils_uclient -e 127.0.0.1 -X -g -u user -W secret -t -S 127.0.0.1` - error about missing certificate files

Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
2022-09-04 14:56:49 +02:00
Pavel Punsky
483c7223be
Fix duplicate TCP flag in run_tests.sh script (#971)
Typo that caused UDP test to actually run TCP
2022-09-04 14:56:10 +02:00
Pavel Punsky
8dab694478
Update ChangeLog 2022-08-29 13:24:00 -07:00
Gustavo Garcia
c8663f4a91
fix turn session leak (#962)
Actually, as below, before fixing, the sessions_map may be larger and
larger when register_callback_on_ioa_socket inside
open_client_connection_session returns -1. The reason is that, if
register_callback_on_ioa_socket returns -1, no read/write event will be
registered and no timeout event will be registered, in this case, the
session will never be deleted from sessions_map.

![image](https://user-images.githubusercontent.com/23566147/186558792-089ed9b2-9eb0-4ece-b7c0-99eaca10ea99.png)

After fixing, when register_callback_on_ioa_socket fails, it doesn't
return immediately, instead, we still register
client_to_be_allocated_timeout_handler in the next step of
open_client_connection_session. In this case, the unuseful session will
be deleted and freed after timeout.

@eakraly @ggarber
2022-08-29 21:56:47 +02:00
Gustavo Garcia
b26a621eb1
Add build and test for openssl-3.0 (#961)
Add GitHub action that builds and runs tests using openssl-3.0 (default
version in ubuntu 22.04)

It is expected to fail until openssl-3.0 compatibility is introduced
(#955)

A change in cmake action is to make sure we actually run ubuntu:20.04
(which uses openssl-1.1.1). Otherwise, GH will change the version of
ubuntu-latest at some point and it might not be very visible
2022-08-28 20:21:47 +02:00
Gustavo Garcia
a5050b39d4
Document dependency of new-log-timestamp-format on new-log-timestamp (#963)
Fixes #847
2022-08-28 19:36:06 +02:00
Pavel Punsky
41a8aa09ff Document dependency between new-log-timestamp-format and new-log-timestamp 2022-08-27 20:34:35 -07:00
Pavel Punsky
d06aef24b7 Move to matrix structure 2022-08-26 10:49:31 -07:00
huhaipeng
f22376ce29 fix turn session leak 2022-08-26 11:17:13 +08:00
Pavel Punsky
9d412d86b6 Lock runner version on ubuntu 20.04 so we get openssl-1.1.1 2022-08-25 20:00:11 -07:00
Pavel Punsky
9d3a649ede no message 2022-08-25 19:57:05 -07:00
Pavel Punsky
5a86dd373c no message 2022-08-25 19:48:51 -07:00
Pavel Punsky
bd266b383d Add new actions: build and test with 3 different versions of openssl 2022-08-25 16:56:51 -07:00
Gustavo Garcia
4909e506ae
Enable compilation of coturn on Solaris 11.4 (#951)
Unfortunately, PR #789 breaks the possibility to compile coturn in Oracle Solaris 11.4 (SRU 48). It is caused by the fact that LOG_FTP is not defined in Oracle Solaris' "/usr/include/sys/syslog.h". 

They define the following syslog facility codes:
```
#define LOG_KERN        (0<<3)  /* kernel messages */
#define LOG_USER        (1<<3)  /* random user-level messages */
#define LOG_MAIL        (2<<3)  /* mail system */
#define LOG_DAEMON      (3<<3)  /* system daemons */
#define LOG_AUTH        (4<<3)  /* security/authorization messages */
#define LOG_SYSLOG      (5<<3)  /* messages generated internally by syslogd */
#define LOG_LPR         (6<<3)  /* line printer subsystem */
#define LOG_NEWS        (7<<3)  /* netnews subsystem */
#define LOG_UUCP        (8<<3)  /* uucp subsystem */
#define LOG_AUTHPRIV    (10<<3) /* sensitive/private security/auth messages */
#define LOG_AUDIT       (13<<3) /* audit subsystem */
#define LOG_CRON        (15<<3) /* cron/at subsystem */
        /* other codes through 15 reserved for system use */
#define LOG_LOCAL0      (16<<3) /* reserved for local use */
#define LOG_LOCAL1      (17<<3) /* reserved for local use */
#define LOG_LOCAL2      (18<<3) /* reserved for local use */
#define LOG_LOCAL3      (19<<3) /* reserved for local use */
#define LOG_LOCAL4      (20<<3) /* reserved for local use */
#define LOG_LOCAL5      (21<<3) /* reserved for local use */
#define LOG_LOCAL6      (22<<3) /* reserved for local use */
#define LOG_LOCAL7      (23<<3) /* reserved for local use */
```

So omitting LOG_FTP should fix this for Solaris. As I really doubt that it is needed, I hereby submit a PR which omits LOG_FTP for all operating systems. Other Solaris derivatives (OpenIndiana Hipster, OmniOS) don't seem to be affected, I've checked and found that in their recent versions, LOG_FTP is defined. FreeBSD does also define LOG_FTP.
2022-08-23 09:24:02 +02:00
Steffen Moser
7cfa7b1c4d
Merge branch 'coturn:master' into master 2022-08-23 09:01:03 +02:00
Gustavo Garcia
c964054811
Disable systemd when building on macOS using CMake (#953)
systemd is not available on macOS - should be disabled in CMake 

Test plan:
- Run cmake in a clean folder
- Run make
- Observe that compilation error about missing include `<systemd/sd-daemon.h>` is gone
2022-08-23 09:00:07 +02:00
Steffen Moser
02461e9fbc First step to re-enable compilation with OpenSSL 1.0.x 2022-08-23 08:58:45 +02:00
Steffen Moser
4ffc49d7be
Merge branch 'coturn:master' into master 2022-08-23 08:56:31 +02:00
Pavel Punsky
ed29e986c1 Disable systemd when building on macOS using CMake 2022-08-22 18:53:43 -07:00
Pavel Punsky
7a38f02699
Fix cmake build on macOS (#949)
macOS does not have `pthread_barrier_*` so need to define `TURN_NO_THREAD_BARRIERS` as a workaround

Fixes #946 

Tests plan: 
- run cmake to generate make files
- run make to build turnserver
- run `examples/run_tests.sh` and pass successfully
2022-08-22 16:27:21 -07:00
Steffen Moser
b722c84b45 Allow compilation on Solaris 11.4 2022-08-22 11:22:59 +02:00
Gustavo Garcia
4546b85cd4
Merge pull request #943 from jeremy-murphy/OpenSSL_dependency
[turncommon] depend on OpenSSL
2022-08-17 13:02:03 +02:00
Gustavo Garcia
11a46ad6da
Merge pull request #944 from eakraly/cmake-action
Create github action to build PR using cmake
2022-08-17 13:00:35 +02:00
Pavel Punsky
6996c51d49 Create github action to build PR using cmake 2022-08-16 22:49:01 -07:00
Gustavo Garcia
a84fb6df47
Update ChangeLog 2022-08-16 08:16:19 +02:00
Gustavo Garcia
4de2d530ff
Merge pull request #942 from eakraly/disable-renegotiation
Disable SSL renegotiation
2022-08-16 08:12:57 +02:00
Gustavo Garcia
dfa978c669
Merge pull request #792 from yfaker/master
Fix user quota release #786
2022-08-16 08:04:08 +02:00
Jeremy Murphy
832f11331f Depend on OpenSSL::Crypto and OpenSSL::SSL
Maybe only one is strictly required, but the list of headers used in
ns_turn_openssl.h includes things from both.
2022-08-16 12:41:44 +10:00
Gustavo Garcia
85c85ab34c
Merge pull request #829 from fancycode/additional-report-properties
Include additional properties in redis allocation status reports.
2022-08-15 12:59:42 +02:00
Joachim Bauch
1b83894be6
Store socket type in variable. 2022-08-15 08:43:53 +02:00
Pavel Punsky
30fbdc740e Disable SSL renegotiation 2022-08-14 21:07:07 -07:00
Gustavo Garcia
72c03669f2
Merge pull request #938 from eakraly/dh2066-doc
Update example turnserver.conf file to reflect that dh2066 is default
2022-08-15 01:44:34 +02:00
Pavel Punsky
a57df27873 Fix docker turnserver.conf file comment about --dh2066 2022-08-14 15:30:48 -07:00