[BREAKING] Invert no-stun-backward-compatibility to be default on (#1689)
Deprecate `--no-stun-backward-compatibility` and set it to true by default. Add the new option `--stun-backward-compatibility`, off by default. Update the example/recommended configuration files. This is a breaking change: passing `--no-stun-backward-compatibility` will be rejected as an invalid argument.
This commit is contained in:
parent
368355a06f
commit
4cc076d424
@ -634,8 +634,8 @@ Options with values:
address family, then by default the NAT behavior discovery feature enabled.
This option enables this original behavior, because the NAT behavior discovery
adds attributes to response, and this increase the possibility of an amplification attack.
Strongly encouraged to not use this option to decrease gain factor in STUN binding responses.
--no-stun-backward-compatibility Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute in binding response (use only the XOR-MAPPED-ADDRESS).
Strongly encouraged to use this option to decrease gain factor in STUN binding responses.
--stun-backward-compatibility Enable handling old STUN Binding requests using MAPPED-ADDRESS attribute in binding response (instead of XOR-MAPPED-ADDRESS).
--response-origin-only-with-rfc5780 Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
@ -789,13 +789,13 @@ cli-password=CHANGE_ME
#
# rfc5780
# Disable handling old STUN Binding requests and disable MAPPED-ADDRESS
# attribute in binding response (use only the XOR-MAPPED-ADDRESS).
# Enable handling old STUN Binding requests and enable MAPPED-ADDRESS
# attribute in binding response (instead of the XOR-MAPPED-ADDRESS).
#
# Strongly encouraged to use this option to decrease gain factor in STUN
# Strongly encouraged to keep this option off to decrease gain factor in STUN
# binding responses.
#
no-stun-backward-compatibility
# stun-backward-compatibility
# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
#
@ -813,13 +813,13 @@
#
# rfc5780
# Disable handling old STUN Binding requests and disable MAPPED-ADDRESS
# Enable handling old STUN Binding requests and disable MAPPED-ADDRESS
# attribute in binding response (use only the XOR-MAPPED-ADDRESS).
#
# Strongly encouraged to use this option to decrease gain factor in STUN
# Strongly encouraged to keep this option off to decrease gain factor in STUN
# binding responses.
#
no-stun-backward-compatibility
# stun-backward-compatibility
# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
#
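Review bot: The replaced comment line `# Enable handling old STUN Binding requests and disable MAPPED-ADDRESS` is still followed by the unchanged `# attribute in binding response (use only the XOR-MAPPED-ADDRESS).`, so this example now says that enabling the option disables the attribute, which contradicts the option's new meaning. The earlier hunk in the other example file updated both lines; mirror it here with `# Enable handling old STUN Binding requests and enable MAPPED-ADDRESS` and `# attribute in binding response (instead of the XOR-MAPPED-ADDRESS).`.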
@ -223,7 +223,7 @@ turn_params_t turn_params = {
false, /* no_dynamic_realms */
false, /* log_binding */
false, /* no_stun_backward_compatibility */
false, /* stun_backward_compatibility */
false, /* response_origin_only_with_rfc5780 */
false /* respond_http_unsupported */
};
@ -1335,9 +1335,10 @@ static char Usage[] =
"amplification attack.)\n"
" Strongly encouraged to keep it off to decrease gain factor in STUN "
"binding responses.\n"
" --no-stun-backward-compatibility Disable handling old STUN Binding requests and disable MAPPED-ADDRESS "
" --stun-backward-compatibility Enable handling old STUN Binding requests and enable "
"MAPPED-ADDRESS "
"attribute\n"
" in binding response (use only the XOR-MAPPED-ADDRESS).\n"
" in binding response (instead of XOR-MAPPED-ADDRESS).\n"
" --response-origin-only-with-rfc5780 Only send RESPONSE-ORIGIN attribute in binding response if "
"RFC5780 is enabled.\n"
" --respond-http-unsupported Return an HTTP reponse with a 400 status code to HTTP "
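Review bot: The new help text `" in binding response (instead of XOR-MAPPED-ADDRESS).\n"` may overstate what the flag does: in the stun_set_binding_response_str hunk the flag only gates the extra STUN_ATTRIBUTE_MAPPED_ADDRESS attribute, and nothing visible here suppresses XOR-MAPPED-ADDRESS. If XOR-MAPPED-ADDRESS is still emitted unconditionally (its code is outside this diff, so please confirm), "in addition to XOR-MAPPED-ADDRESS" would describe the behaviour and the larger response size more accurately, and the same wording is copied into both example configuration files. The Usage string continues outside the hunk.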
@ -1499,7 +1500,7 @@ enum EXTRA_OPTS {
LOG_BINDING_OPT,
NO_RFC5780,
ENABLE_RFC5780,
NO_STUN_BACKWARD_COMPATIBILITY_OPT,
STUN_BACKWARD_COMPATIBILITY_OPT,
RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT,
RESPOND_HTTP_UNSUPPORTED_OPT,
VERSION_OPT
@ -1643,7 +1644,7 @@ static const struct myoption long_options[] = {
{"log-binding", optional_argument, NULL, LOG_BINDING_OPT},
{"no-rfc5780", optional_argument, NULL, NO_RFC5780},
{"rfc5780", optional_argument, NULL, ENABLE_RFC5780},
{"no-stun-backward-compatibility", optional_argument, NULL, NO_STUN_BACKWARD_COMPATIBILITY_OPT},
{"stun-backward-compatibility", optional_argument, NULL, STUN_BACKWARD_COMPATIBILITY_OPT},
{"response-origin-only-with-rfc5780", optional_argument, NULL, RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT},
{"respond-http-unsupported", optional_argument, NULL, RESPOND_HTTP_UNSUPPORTED_OPT},
{"version", optional_argument, NULL, VERSION_OPT},
@ -2355,8 +2356,8 @@ static void set_option(int c, char *value) {
case ENABLE_RFC5780:
turn_params.rfc5780 = true;
break;
case NO_STUN_BACKWARD_COMPATIBILITY_OPT:
turn_params.no_stun_backward_compatibility = get_bool_value(value);
case STUN_BACKWARD_COMPATIBILITY_OPT:
turn_params.stun_backward_compatibility = get_bool_value(value);
break;
case RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT:
turn_params.response_origin_only_with_rfc5780 = get_bool_value(value);
@ -330,7 +330,7 @@ typedef struct _turn_params_ {
bool no_dynamic_realms;
bool log_binding;
bool no_stun_backward_compatibility;
bool stun_backward_compatibility;
bool response_origin_only_with_rfc5780;
bool respond_http_unsupported;
} turn_params_t;
@ -1663,7 +1663,7 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
&turn_params.ip_blacklist, send_socket_to_relay, &turn_params.secure_stun, &turn_params.mobility,
turn_params.server_relay, send_turn_session_info, send_https_socket, allocate_bps, turn_params.oauth,
turn_params.oauth_server_name, turn_params.acme_redirect, turn_params.allocation_default_address_family,
&turn_params.log_binding, &turn_params.no_stun_backward_compatibility,
&turn_params.log_binding, &turn_params.stun_backward_compatibility,
&turn_params.response_origin_only_with_rfc5780, &turn_params.respond_http_unsupported);
if (to_set_rfc5780) {
@ -1123,7 +1123,7 @@ void stun_set_binding_request_str(uint8_t *buf, size_t *len) { stun_init_request
bool stun_set_binding_response_str(uint8_t *buf, size_t *len, stun_tid *tid, const ioa_addr *reflexive_addr,
int error_code, const uint8_t *reason, uint32_t cookie, bool old_stun,
bool no_stun_backward_compatibility)
bool stun_backward_compatibility)
{
if (!error_code) {
@ -1138,7 +1138,7 @@ bool stun_set_binding_response_str(uint8_t *buf, size_t *len, stun_tid *tid, con
}
}
if (reflexive_addr) {
if (!no_stun_backward_compatibility &&
if (stun_backward_compatibility &&
!stun_attr_add_addr_str(buf, len, STUN_ATTRIBUTE_MAPPED_ADDRESS, reflexive_addr)) {
return false;
}
@ -131,7 +131,7 @@ bool is_channel_msg_str(const uint8_t *buf, size_t blen);
void stun_set_binding_request_str(uint8_t *buf, size_t *len);
bool stun_set_binding_response_str(uint8_t *buf, size_t *len, stun_tid *tid, const ioa_addr *reflexive_addr,
int error_code, const uint8_t *reason, uint32_t cookie, bool old_stun,
bool no_stun_backward_compatibility);
bool stun_backward_compatibility);
bool stun_is_binding_request_str(const uint8_t *buf, size_t len, size_t offset);
bool stun_is_binding_response_str(const uint8_t *buf, size_t len);
@ -2857,7 +2857,7 @@ static int handle_turn_binding(turn_turnserver *server, ts_ur_super_session *ss,
size_t len = ioa_network_buffer_get_size(nbh);
if (stun_set_binding_response_str(ioa_network_buffer_data(nbh), &len, tid,
get_remote_addr_from_ioa_socket(ss->client_socket), 0, NULL, cookie, old_stun,
*server->no_stun_backward_compatibility)) {
*server->stun_backward_compatibility)) {
addr_cpy(response_origin, get_local_addr_from_ioa_socket(ss->client_socket));
@ -4565,7 +4565,7 @@ static int read_client_connection(turn_turnserver *server, ts_ur_super_session *
} else if (old_stun_is_command_message_str(ioa_network_buffer_data(in_buffer->nbh),
ioa_network_buffer_get_size(in_buffer->nbh), &old_stun_cookie) &&
!(*(server->no_stun)) && !(*(server->no_stun_backward_compatibility))) {
!(*(server->no_stun)) && !(*(server->stun_backward_compatibility))) {
ioa_network_buffer_handle nbh = ioa_network_buffer_allocate(server->e);
int resp_constructed = 0;
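Review bot: The rewritten condition `!(*(server->no_stun)) && !(*(server->stun_backward_compatibility))` keeps the negation from the removed line, so the old-STUN command path is now taken exactly when backward compatibility is off — the opposite of the new flag's meaning and inconsistent with stun_set_binding_response_str, which adds MAPPED-ADDRESS only when the flag is true. With the new default (false) old STUN Binding requests are still answered, which defeats the commit's stated goal of lowering the gain factor of binding responses, and with the flag on they are silently not handled. Change the line to `!(*(server->no_stun)) && *(server->stun_backward_compatibility)) {`. read_client_connection continues outside the hunk.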
@ -4900,7 +4900,7 @@ void init_turn_server(turn_turnserver *server, turnserver_id id, int verbose, io
send_turn_session_info_cb send_turn_session_info, send_https_socket_cb send_https_socket,
allocate_bps_cb allocate_bps_func, int oauth, const char *oauth_server_name,
const char *acme_redirect, ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family,
bool *log_binding, bool *no_stun_backward_compatibility, bool *response_origin_only_with_rfc5780,
bool *log_binding, bool *stun_backward_compatibility, bool *response_origin_only_with_rfc5780,
bool *respond_http_unsupported) {
if (!server) {
@ -4977,7 +4977,7 @@ void init_turn_server(turn_turnserver *server, turnserver_id id, int verbose, io
server->log_binding = log_binding;
server->no_stun_backward_compatibility = no_stun_backward_compatibility;
server->stun_backward_compatibility = stun_backward_compatibility;
server->response_origin_only_with_rfc5780 = response_origin_only_with_rfc5780;
@ -194,8 +194,8 @@ struct _turn_turnserver {
/* Log Binding Requrest */
bool *log_binding;
/* Disable handling old STUN Binding Requests and disable MAPPED-ADDRESS attribute in response */
bool *no_stun_backward_compatibility;
/* Enable handling old STUN Binding Requests and enable MAPPED-ADDRESS attribute in response */
bool *stun_backward_compatibility;
/* Only send RESPONSE-ORIGIN attribute in response if RFC5780 is enabled */
bool *response_origin_only_with_rfc5780;
@ -225,7 +225,7 @@ void init_turn_server(
int server_relay, send_turn_session_info_cb send_turn_session_info, send_https_socket_cb send_https_socket,
allocate_bps_cb allocate_bps_func, int oauth, const char *oauth_server_name, const char *acme_redirect,
ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family, bool *log_binding,
bool *no_stun_backward_compatibility, bool *response_origin_only_with_rfc5780, bool *respond_http_unsupported);
bool *stun_backward_compatibility, bool *response_origin_only_with_rfc5780, bool *respond_http_unsupported);
ioa_engine_handle turn_server_get_engine(turn_turnserver *s);