diff --git a/README.turnserver b/README.turnserver
index e8f8d92..a1c0833 100644
--- a/README.turnserver
+++ b/README.turnserver
@@ -634,8 +634,8 @@ Options with values:
 address family, then by default the NAT behavior discovery feature enabled. This option enables this original behavior, because the NAT behavior discovery adds attributes to response, and this increase the possibility of an amplification attack.
- Strongly encouraged to not use this option to decrease gain factor in STUN binding responses.
---no-stun-backward-compatibility Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute in binding response (use only the XOR-MAPPED-ADDRESS).
+ Strongly encouraged to use this option to decrease gain factor in STUN binding responses.
+--stun-backward-compatibility Enable handling old STUN Binding requests using MAPPED-ADDRESS attribute in binding response (instead of XOR-MAPPED-ADDRESS).
 --response-origin-only-with-rfc5780 Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
diff --git a/docker/coturn/turnserver.conf b/docker/coturn/turnserver.conf
index df24b28..3381f3a 100644
--- a/docker/coturn/turnserver.conf
+++ b/docker/coturn/turnserver.conf
@@ -789,13 +789,13 @@ cli-password=CHANGE_ME
 #
 # rfc5780
-# Disable handling old STUN Binding requests and disable MAPPED-ADDRESS
-# attribute in binding response (use only the XOR-MAPPED-ADDRESS).
+# Enable handling old STUN Binding requests and enable MAPPED-ADDRESS
+# attribute in binding response (instead of the XOR-MAPPED-ADDRESS).
 #
-# Strongly encouraged to use this option to decrease gain factor in STUN
+# Strongly encouraged to keep this option off to decrease gain factor in STUN
 # binding responses.
 #
-no-stun-backward-compatibility
+# stun-backward-compatibility
 # Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
 #
diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf
index ad41f17..798ccae 100644
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@@ -813,13 +813,13 @@
 #
 # rfc5780
-# Disable handling old STUN Binding requests and disable MAPPED-ADDRESS
+# Enable handling old STUN Binding requests and disable MAPPED-ADDRESS
 # attribute in binding response (use only the XOR-MAPPED-ADDRESS).
 #
-# Strongly encouraged to use this option to decrease gain factor in STUN
+# Strongly encouraged to keep this option off to decrease gain factor in STUN
 # binding responses.
 #
-no-stun-backward-compatibility
+# stun-backward-compatibility
 # Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
 #
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index 3308ade..9a0313f 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -223,7 +223,7 @@ turn_params_t turn_params = {
 false, /* no_dynamic_realms */
 false, /* log_binding */
- false, /* no_stun_backward_compatibility */
+ false, /* stun_backward_compatibility */
 false, /* response_origin_only_with_rfc5780 */
 false /* respond_http_unsupported */
 };
@@ -1335,9 +1335,10 @@ static char Usage[] =
 "amplification attack.)\n"
 " Strongly encouraged to keep it off to decrease gain factor in STUN "
 "binding responses.\n"
- " --no-stun-backward-compatibility Disable handling old STUN Binding requests and disable MAPPED-ADDRESS "
+ " --stun-backward-compatibility Enable handling old STUN Binding requests and enable "
+ "MAPPED-ADDRESS "
 "attribute\n"
- " in binding response (use only the XOR-MAPPED-ADDRESS).\n"
+ " in binding response (instead of XOR-MAPPED-ADDRESS).\n"
 " --response-origin-only-with-rfc5780 Only send RESPONSE-ORIGIN attribute in binding response if "
 "RFC5780 is enabled.\n"
 " --respond-http-unsupported Return an HTTP reponse with a 400 status code to HTTP "
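Review bot: The rewritten comment in examples/etc/turnserver.conf is only half inverted: it now reads `# Enable handling old STUN Binding requests and disable MAPPED-ADDRESS`, and the unchanged next line still says `(use only the XOR-MAPPED-ADDRESS)`. That describes the opposite of the flipped check in stun_set_binding_response_str, where the renamed flag switches MAPPED-ADDRESS on. The docker/coturn/turnserver.conf hunk has the intended wording, so the two lines here should match it: `# Enable handling old STUN Binding requests and enable MAPPED-ADDRESS` and `# attribute in binding response (instead of the XOR-MAPPED-ADDRESS).` As written, an operator could enable the option expecting smaller binding responses and get a higher amplification gain instead.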
@@ -1499,7 +1500,7 @@ enum EXTRA_OPTS {
 LOG_BINDING_OPT,
 NO_RFC5780,
 ENABLE_RFC5780,
- NO_STUN_BACKWARD_COMPATIBILITY_OPT,
+ STUN_BACKWARD_COMPATIBILITY_OPT,
 RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT,
 RESPOND_HTTP_UNSUPPORTED_OPT,
 VERSION_OPT
@@ -1643,7 +1644,7 @@ static const struct myoption long_options[] = {
 {"log-binding", optional_argument, NULL, LOG_BINDING_OPT},
 {"no-rfc5780", optional_argument, NULL, NO_RFC5780},
 {"rfc5780", optional_argument, NULL, ENABLE_RFC5780},
- {"no-stun-backward-compatibility", optional_argument, NULL, NO_STUN_BACKWARD_COMPATIBILITY_OPT},
+ {"stun-backward-compatibility", optional_argument, NULL, STUN_BACKWARD_COMPATIBILITY_OPT},
 {"response-origin-only-with-rfc5780", optional_argument, NULL, RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT},
 {"respond-http-unsupported", optional_argument, NULL, RESPOND_HTTP_UNSUPPORTED_OPT},
 {"version", optional_argument, NULL, VERSION_OPT},
@@ -2355,8 +2356,8 @@ static void set_option(int c, char *value) {
 case ENABLE_RFC5780:
 turn_params.rfc5780 = true;
 break;
- case NO_STUN_BACKWARD_COMPATIBILITY_OPT:
- turn_params.no_stun_backward_compatibility = get_bool_value(value);
+ case STUN_BACKWARD_COMPATIBILITY_OPT:
+ turn_params.stun_backward_compatibility = get_bool_value(value);
 break;
 case RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT:
 turn_params.response_origin_only_with_rfc5780 = get_bool_value(value);
diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h
index 45e8749..c525f33 100644
--- a/src/apps/relay/mainrelay.h
+++ b/src/apps/relay/mainrelay.h
@@ -330,7 +330,7 @@ typedef struct _turn_params_ {
 bool no_dynamic_realms;
 bool log_binding;
- bool no_stun_backward_compatibility;
+ bool stun_backward_compatibility;
 bool response_origin_only_with_rfc5780;
 bool respond_http_unsupported;
 } turn_params_t;
diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c
index 41adb56..a2a657d 100644
--- a/src/apps/relay/netengine.c
+++ b/src/apps/relay/netengine.c
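Review bot: The `long_options` hunk drops the `no-stun-backward-compatibility` spelling with no deprecated alias, so a deployed turnserver.conf or command line that still sets it is no longer matched by this table; what the parser does with an unrecognised key is outside the hunk. Because the renamed field keeps `false` as its initial value, the effective default also changes from legacy handling on to MAPPED-ADDRESS off, which deserves an explicit upgrade note. Consider keeping the old name for a release, e.g. `{"no-stun-backward-compatibility", optional_argument, NULL, NO_STUN_BACKWARD_COMPATIBILITY_OPT},` with a `set_option` case that logs a deprecation warning and assigns `turn_params.stun_backward_compatibility = !get_bool_value(value);`.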
@@ -1663,7 +1663,7 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
 &turn_params.ip_blacklist, send_socket_to_relay, &turn_params.secure_stun, &turn_params.mobility, turn_params.server_relay, send_turn_session_info, send_https_socket, allocate_bps, turn_params.oauth, turn_params.oauth_server_name, turn_params.acme_redirect, turn_params.allocation_default_address_family,
- &turn_params.log_binding, &turn_params.no_stun_backward_compatibility,
+ &turn_params.log_binding, &turn_params.stun_backward_compatibility,
 &turn_params.response_origin_only_with_rfc5780, &turn_params.respond_http_unsupported);
 if (to_set_rfc5780) {
diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c
index c8e32ae..c83781f 100644
--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
@@ -1123,7 +1123,7 @@ void stun_set_binding_request_str(uint8_t *buf, size_t *len) { stun_init_request
 bool stun_set_binding_response_str(uint8_t *buf, size_t *len, stun_tid *tid, const ioa_addr *reflexive_addr, int error_code, const uint8_t *reason, uint32_t cookie, bool old_stun,
- bool no_stun_backward_compatibility)
+ bool stun_backward_compatibility)
 {
 if (!error_code) {
@@ -1138,7 +1138,7 @@ bool stun_set_binding_response_str(uint8_t *buf, size_t *len, stun_tid *tid, con
 }
 }
 if (reflexive_addr) {
- if (!no_stun_backward_compatibility &&
+ if (stun_backward_compatibility &&
 !stun_attr_add_addr_str(buf, len, STUN_ATTRIBUTE_MAPPED_ADDRESS, reflexive_addr)) {
 return false;
 }
diff --git a/src/client/ns_turn_msg.h b/src/client/ns_turn_msg.h
index 160d4e8..a611af0 100644
--- a/src/client/ns_turn_msg.h
+++ b/src/client/ns_turn_msg.h
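Review bot: The flipped condition in stun_set_binding_response_str (second ns_turn_msg.c hunk) has no comment saying why MAPPED-ADDRESS is now opt-in, and the option text elsewhere in this commit says "instead of XOR-MAPPED-ADDRESS" while the visible lines gate only the MAPPED-ADDRESS attribute. The rest of the `if (reflexive_addr)` body lies outside the hunk, so whether XOR-MAPPED-ADDRESS is still emitted alongside it cannot be confirmed here. A comment above the check would help, e.g. `/* MAPPED-ADDRESS is for legacy clients only; it enlarges the response, so add it only when stun_backward_compatibility is set. */`. If both attributes are sent when the flag is on, the help and config wording should say "in addition to".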
@@ -131,7 +131,7 @@ bool is_channel_msg_str(const uint8_t *buf, size_t blen);
 void stun_set_binding_request_str(uint8_t *buf, size_t *len);
 bool stun_set_binding_response_str(uint8_t *buf, size_t *len, stun_tid *tid, const ioa_addr *reflexive_addr, int error_code, const uint8_t *reason, uint32_t cookie, bool old_stun,
- bool no_stun_backward_compatibility);
+ bool stun_backward_compatibility);
 bool stun_is_binding_request_str(const uint8_t *buf, size_t len, size_t offset);
 bool stun_is_binding_response_str(const uint8_t *buf, size_t len);
diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c
index f54358a..767ffc9 100644
--- a/src/server/ns_turn_server.c
+++ b/src/server/ns_turn_server.c
@@ -2857,7 +2857,7 @@ static int handle_turn_binding(turn_turnserver *server, ts_ur_super_session *ss,
 size_t len = ioa_network_buffer_get_size(nbh);
 if (stun_set_binding_response_str(ioa_network_buffer_data(nbh), &len, tid, get_remote_addr_from_ioa_socket(ss->client_socket), 0, NULL, cookie, old_stun,
- *server->no_stun_backward_compatibility)) {
+ *server->stun_backward_compatibility)) {
 addr_cpy(response_origin, get_local_addr_from_ioa_socket(ss->client_socket));
@@ -4565,7 +4565,7 @@ static int read_client_connection(turn_turnserver *server, ts_ur_super_session *
 } else if (old_stun_is_command_message_str(ioa_network_buffer_data(in_buffer->nbh), ioa_network_buffer_get_size(in_buffer->nbh), &old_stun_cookie) &&
- !(*(server->no_stun)) && !(*(server->no_stun_backward_compatibility))) {
+ !(*(server->no_stun)) && !(*(server->stun_backward_compatibility))) {
 ioa_network_buffer_handle nbh = ioa_network_buffer_allocate(server->e);
 int resp_constructed = 0;
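Review bot: In the read_client_connection hunk the renamed flag kept its negation: `!(*(server->no_stun)) && !(*(server->stun_backward_compatibility))` takes the old-STUN branch when backward compatibility is off, which is the default, and skips it once the operator turns the option on. That is the inverse of the documented meaning and of the flipped check in stun_set_binding_response_str. A default install therefore still answers legacy Binding requests, the traffic the option is meant to stop to reduce amplification gain. The condition should read `!(*(server->no_stun)) && *(server->stun_backward_compatibility)) {`. The else-if chain starts and ends outside the hunk; a test that sends an old-format Binding request with the option off and then on would pin both paths.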
@@ -4900,7 +4900,7 @@ void init_turn_server(turn_turnserver *server, turnserver_id id, int verbose, io
 send_turn_session_info_cb send_turn_session_info, send_https_socket_cb send_https_socket, allocate_bps_cb allocate_bps_func, int oauth, const char *oauth_server_name, const char *acme_redirect, ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family,
- bool *log_binding, bool *no_stun_backward_compatibility, bool *response_origin_only_with_rfc5780,
+ bool *log_binding, bool *stun_backward_compatibility, bool *response_origin_only_with_rfc5780,
 bool *respond_http_unsupported) {
 if (!server) {
@@ -4977,7 +4977,7 @@ void init_turn_server(turn_turnserver *server, turnserver_id id, int verbose, io
 server->log_binding = log_binding;
- server->no_stun_backward_compatibility = no_stun_backward_compatibility;
+ server->stun_backward_compatibility = stun_backward_compatibility;
 server->response_origin_only_with_rfc5780 = response_origin_only_with_rfc5780;
diff --git a/src/server/ns_turn_server.h b/src/server/ns_turn_server.h
index 94a0dc5..2978079 100644
--- a/src/server/ns_turn_server.h
+++ b/src/server/ns_turn_server.h
@@ -194,8 +194,8 @@ struct _turn_turnserver {
 /* Log Binding Requrest */
 bool *log_binding;
- /* Disable handling old STUN Binding Requests and disable MAPPED-ADDRESS attribute in response */
- bool *no_stun_backward_compatibility;
+ /* Enable handling old STUN Binding Requests and enable MAPPED-ADDRESS attribute in response */
+ bool *stun_backward_compatibility;
 /* Only send RESPONSE-ORIGIN attribute in response if RFC5780 is enabled */
 bool *response_origin_only_with_rfc5780;
@@ -225,7 +225,7 @@ void init_turn_server(
 int server_relay, send_turn_session_info_cb send_turn_session_info, send_https_socket_cb send_https_socket, allocate_bps_cb allocate_bps_func, int oauth, const char *oauth_server_name, const char *acme_redirect, ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family, bool *log_binding,
- bool *no_stun_backward_compatibility, bool *response_origin_only_with_rfc5780, bool *respond_http_unsupported);
+ bool *stun_backward_compatibility, bool *response_origin_only_with_rfc5780, bool *respond_http_unsupported);
 ioa_engine_handle turn_server_get_engine(turn_turnserver *s);