From 68feff5ca3908e4c9427df8ba510f1a8c167c3d8 Mon Sep 17 00:00:00 2001
From: Byron Clark
Date: Fri, 24 May 2019 00:01:52 +0000
Subject: [PATCH 01/32] Use EVP_MD_CTX instead of MD5_CTX.
Switch to EVP_MD_CTX APIs for MD5 to match how other digest types are created in this function.
---
 src/client/ns_turn_msg.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c
index 6048312..b015f4f 100644
--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
@@ -235,10 +235,21 @@ int stun_produce_integrity_key_str(uint8_t *uname, uint8_t *realm, uint8_t *upwd
 return -1;
 #endif
 } else {
- MD5_CTX ctx;
- MD5_Init(&ctx);
- MD5_Update(&ctx,str,strl);
- MD5_Final(key,&ctx);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ unsigned int keylen = 0;
+ EVP_MD_CTX ctx;
+ EVP_DigestInit(&ctx,EVP_md5());
+ EVP_DigestUpdate(&ctx,str,strl);
+ EVP_DigestFinal(&ctx,key,&keylen);
+ EVP_MD_CTX_cleanup(&ctx);
+#else
+ unsigned int keylen = 0;
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx,EVP_md5());
+ EVP_DigestUpdate(ctx,str,strl);
+ EVP_DigestFinal(ctx,key,&keylen);
+ EVP_MD_CTX_free(ctx);
+#endif
 }
 free(str);
From 6b01b6f450f5b1c51ee73bdd6f3e19a1a7abda08 Mon Sep 17 00:00:00 2001
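Review bot: `EVP_MD_CTX_new()` in the `#else` branch is used by `EVP_DigestInit(ctx,EVP_md5())` without a NULL check, and none of the three `EVP_Digest*` calls has its return value examined in either branch, so an allocation failure dereferences NULL and a failed digest leaves `key` unfilled while the function still reports success (its `return 0` and the function's start and end are outside this hunk). The `str` buffer is released only by the `free(str)` at the tail of the hunk, so any early error return has to free it as well. Making the digest calls drive the result keeps the behaviour of the removed `MD5_*` sequence for the success path and turns the two new failure modes into a reported error; the pre-1.1.0 branch needs the same checks with `EVP_MD_CTX_cleanup` in place of `EVP_MD_CTX_free`.
```c
 unsigned int keylen = 0;
 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
 if (ctx == NULL
     || !EVP_DigestInit(ctx, EVP_md5())
     || !EVP_DigestUpdate(ctx, str, strl)
     || !EVP_DigestFinal(ctx, key, &keylen)) {
     EVP_MD_CTX_free(ctx);   /* accepts NULL */
     free(str);
     return -1;
 }
 EVP_MD_CTX_free(ctx);
 /* … the OPENSSL_VERSION_NUMBER < 0x10100000L branch: same checks, EVP_MD_CTX_cleanup(&ctx) on both paths … */
```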
From: Byron Clark
Date: Fri, 24 May 2019 00:16:36 +0000
Subject: [PATCH 02/32] Allow MD5 in FIPS mode.
This is one of those special cases where a non approved cryptographic algorithm is allowed when operating in FIPS mode. Inform OpenSSL that this is the case. In the STUN RFC the long-term credential mechanism requires that the key used in the HMAC-SHA1 generation be the MD5 of specific values: https://tools.ietf.org/html/rfc5389#section-15.4 Since this is obfuscating parameters to be used in an approved cryptographic algorithm, this is allowed usage per the [FIPS 140-2 Implementation Guidance](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf). See page 81. Without this change, coturn crashes when trying to set up any long-term credential mechanism.
---
 src/client/ns_turn_msg.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c
index b015f4f..db761d1 100644
--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
@@ -238,14 +238,25 @@ int stun_produce_integrity_key_str(uint8_t *uname, uint8_t *realm, uint8_t *upwd
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 unsigned int keylen = 0;
 EVP_MD_CTX ctx;
- EVP_DigestInit(&ctx,EVP_md5());
+ EVP_MD_CTX_init(&ctx);
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ }
+#endif
+ EVP_DigestInit_ex(&ctx,EVP_md5(), NULL);
 EVP_DigestUpdate(&ctx,str,strl);
 EVP_DigestFinal(&ctx,key,&keylen);
 EVP_MD_CTX_cleanup(&ctx);
 #else
 unsigned int keylen = 0;
 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
- EVP_DigestInit(ctx,EVP_md5());
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ }
+#endif
+ EVP_DigestInit_ex(ctx,EVP_md5(), NULL);
 EVP_DigestUpdate(ctx,str,strl);
 EVP_DigestFinal(ctx,key,&keylen);
 EVP_MD_CTX_free(ctx);
From 0e03fa86df3c2ba3afb3793c724d3579afd1ecf3 Mon Sep 17 00:00:00 2001
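Review bot: `EVP_DigestInit_ex(&ctx,EVP_md5(), NULL)` and `EVP_DigestInit_ex(ctx,EVP_md5(), NULL)` still discard their return value, and that matters more after this change: on a FIPS-enforcing build that does not honour `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` the init call is where MD5 gets rejected, after which the code runs Update/Final against a context that was never initialised and hands back `key` as if the derivation succeeded. Check it in both branches and fail the function when it returns 0, releasing `str` (freed after this hunk) on the way out: `if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) { EVP_MD_CTX_free(ctx); free(str); return -1; }`. A one-line comment above each `if (FIPS_mode())` recording why MD5 is permitted here — the RFC 5389 §15.4 key-derivation argument from the commit message — would keep that rationale in the source rather than only in git history. The enclosing function starts and ends outside the hunk.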
From: Byron Clark
Date: Sun, 26 May 2019 10:52:51 -0600
Subject: [PATCH 03/32] Remove OPENSSL_FIPS wrappers.
Because we're building with a FIPS enabled OpenSSL instead of the FIPS canister, the resulting build should be usable on both FIPS and non-FIPS enabled systems. Since we can't rely on building with a FIPS enabled OpenSSL, defer the check to runtime.
---
 src/client/ns_turn_msg.c | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c
index db761d1..4bb466a 100644
--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
@@ -239,11 +239,9 @@ int stun_produce_integrity_key_str(uint8_t *uname, uint8_t *realm, uint8_t *upwd
 unsigned int keylen = 0;
 EVP_MD_CTX ctx;
 EVP_MD_CTX_init(&ctx);
-#ifdef OPENSSL_FIPS
 if (FIPS_mode()) {
 EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 }
-#endif
 EVP_DigestInit_ex(&ctx,EVP_md5(), NULL);
 EVP_DigestUpdate(&ctx,str,strl);
 EVP_DigestFinal(&ctx,key,&keylen);
@@ -251,11 +249,9 @@ int stun_produce_integrity_key_str(uint8_t *uname, uint8_t *realm, uint8_t *upwd
 #else
 unsigned int keylen = 0;
 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
-#ifdef OPENSSL_FIPS
 if (FIPS_mode()) {
 EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 }
-#endif
 EVP_DigestInit_ex(ctx,EVP_md5(), NULL);
 EVP_DigestUpdate(ctx,str,strl);
 EVP_DigestFinal(ctx,key,&keylen);
From d355b992a7167077d4e60713d78931e83b91a886 Mon Sep 17 00:00:00 2001
From: xthursdayx
Date: Sat, 9 Nov 2019 15:52:37 -0500
Subject: [PATCH 04/32] Updated turnserver.conf
Edited turnserver.conf for typos and language clarity.
---
 examples/etc/turnserver.conf | 136 +++++++++++++++++------------------
 1 file changed, 68 insertions(+), 68 deletions(-)
diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf
index d8189f5..0c01ad5 100644
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
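Review bot: Dropping the `#ifdef OPENSSL_FIPS` guard turns `FIPS_mode()` and `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` into unconditional compile-time dependencies in both hunks of this patch (the second, `@@ -251,11 +249,9 @@`, has the same shape); the commit message justifies that for FIPS and non-FIPS builds of the same OpenSSL line, but `FIPS_mode()` is no longer provided by OpenSSL 3.0, so this call will need an `OPENSSL_VERSION_NUMBER` guard of the kind the surrounding code already uses for the context API. A short comment above `if (FIPS_mode()) {` saying that the check is deliberately a runtime one, so a single binary serves both kinds of system, would stop the next reader from re-adding the `#ifdef`. The enclosing function starts and ends outside both hunks.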
@@ -1,9 +1,9 @@ # Coturn TURN SERVER configuration file # -# Boolean values note: where boolean value is supposed to be used, -# you can use '0', 'off', 'no', 'false', 'f' as 'false, -# and you can use '1', 'on', 'yes', 'true', 't' as 'true' -# If the value is missed, then it means 'true'. +# Boolean values note: where a boolean value is supposed to be used, +# you can use '0', 'off', 'no', 'false', or 'f' as 'false, +# and you can use '1', 'on', 'yes', 'true', or 't' as 'true' +# If the value is missing, then it means 'true' by default. # # Listener interface device (optional, Linux only). @@ -22,10 +22,10 @@ # port(s), too - if allowed by configuration. The TURN server # "automatically" recognizes the type of traffic. Actually, two listening # endpoints (the "plain" one and the "tls" one) are equivalent in terms of -# functionality; but we keep both endpoints to satisfy the RFC 5766 specs. -# For secure TCP connections, we currently support SSL version 3 and +# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs. +# For secure TCP connections, Coturn currently supports SSL version 3 and # TLS version 1.0, 1.1 and 1.2. -# For secure UDP connections, we support DTLS version 1. +# For secure UDP connections, Coturn supports DTLS version 1. # #tls-listening-port=5349 @@ -133,8 +133,8 @@ # # If this parameter is not set, then the default OS-dependent # thread pattern algorithm will be employed. Usually the default -# algorithm is the most optimal, so you have to change this option -# only if you want to make some fine tweaks. +# algorithm is optimal, so you have to change this option +# if you want to make some fine tweaks. # # In the older systems (Linux kernel before 3.9), # the number of UDP threads is always one thread per network listening 
@@ -155,7 +155,7 @@ # Uncomment to run TURN server in 'extra' verbose mode. # This mode is very annoying and produces lots of output. -# Not recommended under any normal circumstances. +# Not recommended under normal circumstances. # #Verbose @@ -169,11 +169,11 @@ # #lt-cred-mech -# This option is opposite to lt-cred-mech. +# This option is the opposite of lt-cred-mech. # (TURN Server with no-auth option allows anonymous access). # If neither option is defined, and no users are defined, # then no-auth is default. If at least one user is defined, -# in this file or in command line or in usersdb file, then +# in this file, in command line or in usersdb file, then # lt-cred-mech is default. # #no-auth 
@@ -193,34 +193,33 @@ # turn password -> base64(hmac(secret key, usercombo)) # # This allows TURN credentials to be accounted for a specific user id. -# If you don't have a suitable id, the timestamp alone can be used. -# This option is just turning on secret-based authentication. -# The actual value of the secret is defined either by option static-auth-secret, +# If you don't have a suitable id, then the timestamp alone can be used. +# This option is enabled by turning on secret-based authentication. +# The actual value of the secret is defined either by the option static-auth-secret, # or can be found in the turn_secret table in the database (see below). # # Read more about it: # - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00 # - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf # -# Be aware that use-auth-secret overrides some part of lt-cred-mech. -# Notice that this feature depends internally on lt-cred-mech, so if you set -# use-auth-secret then it enables internally automatically lt-cred-mech option -# like if you enable both. +# Be aware that use-auth-secret overrides some parts of lt-cred-mech. +# The use-auth-secret feature depends internally on lt-cred-mech, so if you set +# this option then it automatically enables lt-cred-mech internally +# as if you had enabled both. # -# You can use only one auth mechanisms in the same time because, -# both mechanism use the username and password validation in different way. -# -# This way be aware that you can't use both auth mechnaism in the same time! -# Use in config either the lt-cred-mech or the use-auth-secret +# Note that you can use only one auth mechanism at the same time! This is because, +# both mechanisms conduct username and password validation in different ways. +# +# Use either lt-cred-mech or use-auth-secret in the conf # to avoid any confusion. # #use-auth-secret # 'Static' authentication secret value (a string) for TURN REST API only. 
# If not set, then the turn server -# will try to use the 'dynamic' value in turn_secret table -# in user database (if present). The database-stored value can be changed on-the-fly -# by a separate program, so this is why that other mode is 'dynamic'. +# will try to use the 'dynamic' value in the turn_secret table +# in the user database (if present). The database-stored value can be changed on-the-fly +# by a separate program, so this is why that mode is considered 'dynamic'. # #static-auth-secret=north @@ -234,10 +233,10 @@ # #oauth -# 'Static' user accounts for long term credentials mechanism, only. +# 'Static' user accounts for the long term credentials mechanism, only. # This option cannot be used with TURN REST API. # 'Static' user accounts are NOT dynamically checked by the turnserver process, -# so that they can NOT be changed while the turnserver is running. +# so they can NOT be changed while the turnserver is running. # #user=username1:key1 #user=username2:key2 @@ -263,14 +262,14 @@ # SQLite database file name. # -# Default file name is /var/db/turndb or /usr/local/var/db/turndb or +# The default file name is /var/db/turndb or /usr/local/var/db/turndb or # /var/lib/turn/turndb. # #userdb=/var/db/turndb -# PostgreSQL database connection string in the case that we are using PostgreSQL +# PostgreSQL database connection string in the case that you are using PostgreSQL # as the user database. -# This database can be used for long-term credential mechanism +# This database can be used for the long-term credential mechanism # and it can store the secret value for secret-based timed authentication in TURN REST API. # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL # versions connection string format, see 
@@ -279,9 +278,9 @@ # #psql-userdb="host= dbname= user= password= connect_timeout=30" -# MySQL database connection string in the case that we are using MySQL +# MySQL database connection string in the case that you are using MySQL # as the user database. -# This database can be used for long-term credential mechanism +# This database can be used for the long-term credential mechanism # and it can store the secret value for secret-based timed authentication in TURN REST API. # # Optional connection string parameters for the secure communications (SSL): 
@@ -289,33 +288,33 @@ # (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the # command options description). # -# Use string format as below (space separated parameters, all optional): +# Use the string format below (space separated parameters, all optional): # #mysql-userdb="host= dbname= user= password= port= connect_timeout= read_timeout=" -# If you want to use in the MySQL connection string the password in encrypted format, -# then set in this option the MySQL password encryption secret key file. +# If you want to use an encrypted password in the MySQL connection string, +# then set the MySQL password encryption secret key file with this option. # -# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format! -# If you want to use cleartext password then do not set this option! +# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format! +# If you want to use a cleartext password then do not set this option! # -# This is the file path which contain secret key of aes encryption while using password encryption. +# This is the file path for the aes encrypted secret key used for password encryption. # #secret-key-file=/path/ -# MongoDB database connection string in the case that we are using MongoDB +# MongoDB database connection string in the case that you are using MongoDB # as the user database. # This database can be used for long-term credential mechanism # and it can store the secret value for secret-based timed authentication in TURN REST API. 
-# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html +# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html # #mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]" -# Redis database connection string in the case that we are using Redis +# Redis database connection string in the case that you are using Redis # as the user database. # This database can be used for long-term credential mechanism # and it can store the secret value for secret-based timed authentication in TURN REST API. -# Use string format as below (space separated parameters, all optional): +# Use the string format below (space separated parameters, all optional): # #redis-userdb="ip= dbname= password= port= connect_timeout=" 
@@ -323,23 +322,23 @@ # This database keeps allocations status information, and it can be also used for publishing # and delivering traffic and allocation event notifications. # The connection string has the same parameters as redis-userdb connection string. -# Use string format as below (space separated parameters, all optional): +# Use the string format below (space separated parameters, all optional): # #redis-statsdb="ip= dbname= password= port= connect_timeout=" # The default realm to be used for the users when no explicit -# origin/realm relationship was found in the database, or if the TURN +# origin/realm relationship is found in the database, or if the TURN # server is not using any database (just the commands-line settings # and the userdb file). Must be used with long-term credentials # mechanism or with TURN REST API. # -# Note: If default realm is not specified at all, then realm falls back to the host domain name. -# If domain name is empty string, or '(None)', then it is initialized to am empty string. +# Note: If the default realm is not specified, then realm falls back to the host domain name. +# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string. # #realm=mycompany.org -# The flag that sets the origin consistency -# check: across the session, all requests must have the same +# This flag sets the origin consistency +# check. Across the session, all requests must have the same # main ORIGIN attribute value (if the ORIGIN was # initially used by the session). # @@ -359,7 +358,7 @@ # Max bytes-per-second bandwidth a TURN session is allowed to handle # (input and output network streams are treated separately). Anything above -# that limit will be dropped or temporary suppressed (within +# that limit will be dropped or temporarily suppressed (within # the available buffer limits). # This option can also be set through the database, for a particular realm. # 
@@ -403,9 +402,9 @@ #no-tcp-relay # Uncomment if extra security is desired, -# with nonce value having limited lifetime. +# with nonce value having a limited lifetime. # By default, the nonce value is unique for a session, -# and has unlimited lifetime. +# and has an unlimited lifetime. # Set this option to limit the nonce lifetime. # It defaults to 600 secs (10 min) if no value is provided. After that delay, # the client will get 438 error and will have to re-authenticate itself. @@ -435,6 +434,7 @@ # Certificate file. # Use an absolute path or path relative to the # configuration file. +# Use PEM file format. # #cert=/usr/local/etc/turn_server_cert.pem @@ -457,7 +457,7 @@ # CA file in OpenSSL format. # Forces TURN server to verify the client SSL certificates. -# By default it is not set: there is no default value and the client +# By default this is not set: there is no default value and the client # certificate is not checked. # # Example: @@ -485,16 +485,16 @@ #dh-file= # Flag to prevent stdout log messages. -# By default, all log messages are going to both stdout and to -# the configured log file. With this option everything will be -# going to the configured log only (unless the log file itself is stdout). +# By default, all log messages go to both stdout and to +# the configured log file. With this option everything will +# go to the configured log only (unless the log file itself is stdout). # #no-stdout-log # Option to set the log file name. # By default, the turnserver tries to open a log file in -# /var/log, /var/tmp, /tmp and current directories directories -# (which open operation succeeds first that file will be used). +# /var/log, /var/tmp, /tmp and the current directory +# (Whichever file open operation succeeds first will be used). # With this option you can set the definite log file name. # The special names are "stdout" and "-" - they will force everything # to the stdout. Also, the "syslog" name will force everything to 
@@ -515,14 +515,14 @@ #simple-log # Option to set the "redirection" mode. The value of this option -# will be the address of the alternate server for UDP & TCP service in form of +# will be the address of the alternate server for UDP & TCP service in the form of # [:]. The server will send this value in the attribute # ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client. # Client will receive only values with the same address family # as the client network endpoint address family. -# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description. +# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality. # The client must use the obtained value for subsequent TURN communications. -# If more than one --alternate-server options are provided, then the functionality +# If more than one --alternate-server option is provided, then the functionality # can be more accurately described as "load-balancing" than a mere "redirection". # If the port number is omitted, then the default port # number 3478 for the UDP/TCP protocols will be used. @@ -532,7 +532,7 @@ # [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . # Multiple alternate servers can be set. They will be used in the # round-robin manner. All servers in the pool are considered of equal weight and -# the load will be distributed equally. For example, if we have 4 alternate servers, +# the load will be distributed equally. For example, if you have 4 alternate servers, # then each server will receive 25% of ALLOCATE requests. A alternate TURN server # address can be used more than one time with the alternate-server option, so this # can emulate "weighting" of the servers. 
@@ -629,12 +629,12 @@
 # User name to run the process. After the initialization, the turnserver process
-# will make an attempt to change the current user ID to that user.
+# will attempt to change the current user ID to that user.
 #
 #proc-user=
 # Group name to run the process. After the initialization, the turnserver process
-# will make an attempt to change the current group ID to that group.
+# will attempt to change the current group ID to that group.
 #
 #proc-group=
@@ -654,8 +654,8 @@
 #cli-port=5766
 # CLI access password. Default is empty (no password).
-# For the security reasons, it is recommended to use the encrypted
-# for of the password (see the -P command in the turnadmin utility).
+# For the security reasons, it is recommended that you use the encrypted
+# form of the password (see the -P command in the turnadmin utility).
 #
 # Secure form for password 'qwerty':
 #
@@ -685,7 +685,7 @@
 #web-admin-listen-on-workers
 # Server relay. NON-STANDARD AND DANGEROUS OPTION.
-# Only for those applications when we want to run
+# Only for those applications when you want to run
 # server applications on the relay endpoints.
 # This option eliminates the IP permissions check on
 # the packets incoming to the relay endpoints.
From 25338fa1c086bb028fadc8bd049ce043703c02f1 Mon Sep 17 00:00:00 2001
From: chanduthedev
Date: Mon, 11 Nov 2019 14:59:41 +0800
Subject: [PATCH 05/32] added null check for second char
---
 src/apps/common/apputils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/apps/common/apputils.c b/src/apps/common/apputils.c
index 2dbb923..57ee9e0 100644
--- a/src/apps/common/apputils.c
+++ b/src/apps/common/apputils.c
@@ -786,7 +786,7 @@ void print_abs_file_name(const char *msg1, const char *msg2, const char *fn)
 if(fn[0]=='/') {
 STRCPY(absfn,fn);
 } else {
- if(fn[0]=='.' && fn[1]=='/')
+ if(fn[0]=='.' && fn[1] && fn[1]=='/')
 fn+=2;
 if(!getcwd(absfn,sizeof(absfn)-1))
 absfn[0]=0;
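Review bot: The added `fn[1] &&` in `if(fn[0]=='.' && fn[1] && fn[1]=='/')` is redundant: `fn[1]=='/'` is already false when `fn[1]` is the terminator, and reading `fn[1]` was safe before the change because `fn[0]=='.'` guarantees a terminator exists at index 1 or later. If the intent was to guard a NULL `fn`, that check belongs before the first `fn[0]` read at `if(fn[0]=='/') {`, e.g. `if(!fn) { absfn[0]=0; } else if(fn[0]=='/') {`, with the rest of the chain unchanged; otherwise the original condition can be restored. `print_abs_file_name` continues past the hunk.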
From 763d1f1b9ce7b363ffac9adf446a19084d1f6cf1 Mon Sep 17 00:00:00 2001
From: Feral Interactive
Date: Fri, 1 Nov 2019 11:35:01 +0000
Subject: [PATCH 06/32] Fix a memory leak when an SHATYPE isn't supported.
Deallocating `str` happens at the end of the function, so don't skip it when encountering an unsupported SHATYPE.
---
 src/client/ns_turn_msg.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c
index 6048312..77d5b54 100644
--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
@@ -154,6 +154,8 @@ int stun_calculate_hmac(const uint8_t *buf, size_t len, const uint8_t *key, size
 int stun_produce_integrity_key_str(uint8_t *uname, uint8_t *realm, uint8_t *upwd, hmackey_t key, SHATYPE shatype)
 {
+ int ret;
+
 ERR_clear_error();
 UNUSED_ARG(shatype);
@@ -188,9 +190,10 @@ int stun_produce_integrity_key_str(uint8_t *uname, uint8_t *realm, uint8_t *upwd
 EVP_DigestFinal(ctx,key,&keylen);
 EVP_MD_CTX_free(ctx);
 #endif
+ ret = 0;
 #else
 fprintf(stderr,"SHA256 is not supported\n");
- return -1;
+ ret = -1;
 #endif
 } else if(shatype == SHATYPE_SHA384) {
 #if !defined(OPENSSL_NO_SHA384) && defined(SHA384_DIGEST_LENGTH)
@@ -209,9 +212,10 @@ int stun_produce_integrity_key_str(uint8_t *uname, uint8_t *realm, uint8_t *upwd
 EVP_DigestFinal(ctx,key,&keylen);
 EVP_MD_CTX_free(ctx);
 #endif
+ ret = 0;
 #else
 fprintf(stderr,"SHA384 is not supported\n");
- return -1;
+ ret = -1;
 #endif
 } else if(shatype == SHATYPE_SHA512) {
 #if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH)
@@ -230,20 +234,22 @@ int stun_produce_integrity_key_str(uint8_t *uname, uint8_t *realm, uint8_t *upwd
 EVP_DigestFinal(ctx,key,&keylen);
 EVP_MD_CTX_free(ctx);
 #endif
+ ret = 0;
 #else
 fprintf(stderr,"SHA512 is not supported\n");
- return -1;
+ ret = -1;
 #endif
 } else {
 MD5_CTX ctx;
 MD5_Init(&ctx);
 MD5_Update(&ctx,str,strl);
 MD5_Final(key,&ctx);
+ ret = 0;
 }
 free(str);
- return 0;
+ return ret;
 }
 #define PWD_SALT_SIZE (8)
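Review bot: `free(str);` at the end of the last hunk now runs on every path, which fixes the leak, but `str` holds the concatenated `uname:realm:upwd` cleartext and is released without being cleared, so the password stays in freed heap memory for as long as the allocator leaves it there; with the allocation size known from `malloc(sz+1)` earlier in the function, wipe it first: `OPENSSL_cleanse(str, sz+1); free(str);` (OpenSSL is already in use here, and a plain `memset` before `free` can be optimised away). `int ret;` in the first hunk is declared without an initialiser and then assigned on each branch; `int ret = -1;` makes the failure value the default so a future branch that forgets the assignment reports an error rather than returning an indeterminate value. The `ret = 0;` lines added after the `EVP_Digest*` sequences assume those calls succeeded, which nothing in the visible code checks.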
From b1990b6130ca6de9892a44aa19d005825c7da85e Mon Sep 17 00:00:00 2001
From: Feral Interactive
Date: Fri, 1 Nov 2019 11:29:23 +0000
Subject: [PATCH 07/32] Liberally apply const where appropriate.
---
 src/client/ns_turn_msg.c | 32 ++++++++++++++++----------------
 src/client/ns_turn_msg.h | 10 +++++-----
 2 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c
index 6048312..d3d7b15 100644
--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
@@ -152,23 +152,23 @@ int stun_calculate_hmac(const uint8_t *buf, size_t len, const uint8_t *key, size
 return 0;
 }
-int stun_produce_integrity_key_str(uint8_t *uname, uint8_t *realm, uint8_t *upwd, hmackey_t key, SHATYPE shatype)
+int stun_produce_integrity_key_str(const uint8_t *uname, const uint8_t *realm, const uint8_t *upwd, hmackey_t key, SHATYPE shatype)
 {
 ERR_clear_error();
 UNUSED_ARG(shatype);
- size_t ulen = strlen((char*)uname);
- size_t rlen = strlen((char*)realm);
- size_t plen = strlen((char*)upwd);
+ size_t ulen = strlen((const char*)uname);
+ size_t rlen = strlen((const char*)realm);
+ size_t plen = strlen((const char*)upwd);
 size_t sz = ulen+1+rlen+1+plen+1+10;
 size_t strl = ulen+1+rlen+1+plen;
 uint8_t *str = (uint8_t*)malloc(sz+1);
- strncpy((char*)str,(char*)uname,sz);
+ strncpy((char*)str,(const char*)uname,sz);
 str[ulen]=':';
- strncpy((char*)str+ulen+1,(char*)realm,sz-ulen-1);
+ strncpy((char*)str+ulen+1,(const char*)realm,sz-ulen-1);
 str[ulen+1+rlen]=':';
- strncpy((char*)str+ulen+1+rlen+1,(char*)upwd,sz-ulen-1-rlen-1);
+ strncpy((char*)str+ulen+1+rlen+1,(const char*)upwd,sz-ulen-1-rlen-1);
 str[strl]=0;
 if(shatype == SHATYPE_SHA256) {
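Review bot: `uint8_t *str = (uint8_t*)malloc(sz+1);` is still written through by the three `strncpy` calls with no NULL check, so an allocation failure becomes a write through a null pointer; add `if(!str) return -1;` directly after the `malloc` (callers already treat `-1` from this function as failure, as the `stun_check_message_integrity_str` hunk later in this patch shows). Since `ulen`, `rlen` and `plen` have just been computed, `memcpy(str, uname, ulen);` (and likewise for `realm` and `upwd`) states the intent more directly than `strncpy` bounded by `sz`, which also zero-fills the rest of the buffer on every call; the `const` additions themselves are correct and match the header change. The function continues past the hunk.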
@@ -1798,22 +1798,22 @@ int stun_attr_add_integrity_str(turn_credential_type ct, uint8_t *buf, size_t *l
 return 0;
 }
-int stun_attr_add_integrity_by_key_str(uint8_t *buf, size_t *len, uint8_t *uname, uint8_t *realm, hmackey_t key, uint8_t *nonce, SHATYPE shatype)
+int stun_attr_add_integrity_by_key_str(uint8_t *buf, size_t *len, const uint8_t *uname, const uint8_t *realm, hmackey_t key, const uint8_t *nonce, SHATYPE shatype)
 {
- if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_USERNAME, uname, strlen((char*)uname))<0)
+ if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_USERNAME, uname, strlen((const char*)uname))<0)
 return -1;
- if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_NONCE, nonce, strlen((char*)nonce))<0)
+ if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_NONCE, nonce, strlen((const char*)nonce))<0)
 return -1;
- if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_REALM, realm, strlen((char*)realm))<0)
+ if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_REALM, realm, strlen((const char*)realm))<0)
 return -1;
 password_t p;
 return stun_attr_add_integrity_str(TURN_CREDENTIALS_LONG_TERM, buf, len, key, p, shatype);
 }
-int stun_attr_add_integrity_by_user_str(uint8_t *buf, size_t *len, uint8_t *uname, uint8_t *realm, uint8_t *upwd, uint8_t *nonce, SHATYPE shatype)
+int stun_attr_add_integrity_by_user_str(uint8_t *buf, size_t *len, const uint8_t *uname, const uint8_t *realm, const uint8_t *upwd, const uint8_t *nonce, SHATYPE shatype)
 {
 hmackey_t key;
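Review bot: `password_t p;` in `stun_attr_add_integrity_by_key_str` is declared without an initialiser and handed straight to `stun_attr_add_integrity_str(TURN_CREDENTIALS_LONG_TERM, buf, len, key, p, shatype)`; if `password_t` is an array type, as the `sizeof(password_t)` copy elsewhere in this patch suggests, `password_t p = {0};` avoids passing an indeterminate buffer even though the long-term path presumably ignores it (that function's body is only partly visible above the hunk, so confirm). A comment on the declaration noting that `p` is a placeholder for the short-term-credential slot would make the unused parameter read as deliberate. The `const` qualifiers added here agree with the header hunk in this patch; `stun_attr_add_integrity_by_user_str` continues past the hunk.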
@@ -1823,9 +1823,9 @@ int stun_attr_add_integrity_by_user_str(uint8_t *buf, size_t *len, uint8_t *unam
 return stun_attr_add_integrity_by_key_str(buf, len, uname, realm, key, nonce, shatype);
 }
-int stun_attr_add_integrity_by_user_short_term_str(uint8_t *buf, size_t *len, uint8_t *uname, password_t pwd, SHATYPE shatype)
+int stun_attr_add_integrity_by_user_short_term_str(uint8_t *buf, size_t *len, const uint8_t *uname, password_t pwd, SHATYPE shatype)
 {
- if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_USERNAME, uname, strlen((char*)uname))<0)
+ if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_USERNAME, uname, strlen((const char*)uname))<0)
 return -1;
 hmackey_t key;
@@ -1917,13 +1917,13 @@ int stun_check_message_integrity_by_key_str(turn_credential_type ct, uint8_t *bu
 /*
 * Return -1 if failure, 0 if the integrity is not correct, 1 if OK
 */
-int stun_check_message_integrity_str(turn_credential_type ct, uint8_t *buf, size_t len, uint8_t *uname, uint8_t *realm, uint8_t *upwd, SHATYPE shatype)
+int stun_check_message_integrity_str(turn_credential_type ct, uint8_t *buf, size_t len, const uint8_t *uname, const uint8_t *realm, const uint8_t *upwd, SHATYPE shatype)
 {
 hmackey_t key;
 password_t pwd;
 if(ct == TURN_CREDENTIALS_SHORT_TERM)
- strncpy((char*)pwd,(char*)upwd,sizeof(password_t));
+ strncpy((char*)pwd,(const char*)upwd,sizeof(password_t));
 else if (stun_produce_integrity_key_str(uname, realm, upwd, key, shatype) < 0)
 return -1;
diff --git a/src/client/ns_turn_msg.h b/src/client/ns_turn_msg.h
index 0435272..5588569 100644
--- a/src/client/ns_turn_msg.h
+++ b/src/client/ns_turn_msg.h
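Review bot: `strncpy((char*)pwd,(const char*)upwd,sizeof(password_t));` in the short-term branch of `stun_check_message_integrity_str` leaves `pwd` unterminated whenever `upwd` is `sizeof(password_t)` bytes or longer, and this hunk only adds `const` around it; if `password_t` is a char-like array, as the cast and `sizeof` suggest, `snprintf((char*)pwd, sizeof(password_t), "%s", (const char*)upwd);` always terminates, or keep the `strncpy` and follow it with an explicit terminator on the last byte. A one-line comment on that branch saying the short-term password is used verbatim as the key would explain why no derivation happens there. The other hunk on this line, `@@ -1823,9 +1823,9 @@`, is const-only and needs nothing further; both functions continue past their hunks.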
@@ -182,11 +182,11 @@ void print_bin_func(const char *name, size_t len, const void *s, const char *fun
 * Return -1 if failure, 0 if the integrity is not correct, 1 if OK
 */
 int stun_check_message_integrity_by_key_str(turn_credential_type ct, uint8_t *buf, size_t len, hmackey_t key, password_t pwd, SHATYPE shatype);
-int stun_check_message_integrity_str(turn_credential_type ct, uint8_t *buf, size_t len, uint8_t *uname, uint8_t *realm, uint8_t *upwd, SHATYPE shatype);
+int stun_check_message_integrity_str(turn_credential_type ct, uint8_t *buf, size_t len, const uint8_t *uname, const uint8_t *realm, const uint8_t *upwd, SHATYPE shatype);
 int stun_attr_add_integrity_str(turn_credential_type ct, uint8_t *buf, size_t *len, hmackey_t key, password_t pwd, SHATYPE shatype);
-int stun_attr_add_integrity_by_key_str(uint8_t *buf, size_t *len, uint8_t *uname, uint8_t *realm, hmackey_t key, uint8_t *nonce, SHATYPE shatype);
-int stun_attr_add_integrity_by_user_str(uint8_t *buf, size_t *len, uint8_t *uname, uint8_t *realm, uint8_t *upwd, uint8_t *nonce, SHATYPE shatype);
-int stun_attr_add_integrity_by_user_short_term_str(uint8_t *buf, size_t *len, uint8_t *uname, password_t pwd, SHATYPE shatype);
+int stun_attr_add_integrity_by_key_str(uint8_t *buf, size_t *len, const uint8_t *uname, const uint8_t *realm, hmackey_t key, const uint8_t *nonce, SHATYPE shatype);
+int stun_attr_add_integrity_by_user_str(uint8_t *buf, size_t *len, const uint8_t *uname, const uint8_t *realm, const uint8_t *upwd, const uint8_t *nonce, SHATYPE shatype);
+int stun_attr_add_integrity_by_user_short_term_str(uint8_t *buf, size_t *len, const uint8_t *uname, password_t pwd, SHATYPE shatype);
 size_t get_hmackey_size(SHATYPE shatype);
 /*
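Review bot: The re-declared `stun_attr_add_integrity_by_key_str`, `stun_attr_add_integrity_by_user_str` and `stun_attr_add_integrity_by_user_short_term_str` prototypes carry no note on their result, while the check functions directly above them document theirs; the definitions earlier in this patch return `-1` when an attribute cannot be added and otherwise pass through `stun_attr_add_integrity_str`, which ends in `return 0;`, so a `/* Return 0 on success, -1 on failure */` line above the group states the contract. Since the new `const uint8_t *` parameters are measured with `strlen` in the definitions, the same comment should say that `uname`, `realm`, `nonce` and `upwd` must be NUL-terminated strings. The `const` change itself is consistent with the `.c` hunks.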
@@ -196,7 +196,7 @@ size_t get_hmackey_size(SHATYPE shatype);
 #define TURN_RANDOM_SIZE (sizeof(long))
 long turn_random(void);
-int stun_produce_integrity_key_str(uint8_t *uname, uint8_t *realm, uint8_t *upwd, hmackey_t key, SHATYPE shatype);
+int stun_produce_integrity_key_str(const uint8_t *uname, const uint8_t *realm, const uint8_t *upwd, hmackey_t key, SHATYPE shatype);
 int stun_calculate_hmac(const uint8_t *buf, size_t len, const uint8_t *key, size_t sz, uint8_t *hmac, unsigned int *hmac_len, SHATYPE shatype);
 /* RFC 5780 */
From 353e3b98e651706631afbf10f05acbef18a5c14b Mon Sep 17 00:00:00 2001
From: Feral Interactive
Date: Fri, 1 Nov 2019 11:32:34 +0000
Subject: [PATCH 08/32] Add some casts to appease compiler warnings about narrowing.
---
 src/client/ns_turn_msg.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c
index d3d7b15..cfd5db4 100644
--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
@@ -119,7 +119,7 @@ int stun_calculate_hmac(const uint8_t *buf, size_t len, const uint8_t *key, size
 if(shatype == SHATYPE_SHA256) {
 #if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
- if (!HMAC(EVP_sha256(), key, keylen, buf, len, hmac, hmac_len)) {
+ if (!HMAC(EVP_sha256(), key, (int)keylen, buf, len, hmac, hmac_len)) {
 return -1;
 }
 #else
@@ -128,7 +128,7 @@ int stun_calculate_hmac(const uint8_t *buf, size_t len, const uint8_t *key, size
 #endif
 } else if(shatype == SHATYPE_SHA384) {
 #if !defined(OPENSSL_NO_SHA384) && defined(SHA384_DIGEST_LENGTH)
- if (!HMAC(EVP_sha384(), key, keylen, buf, len, hmac, hmac_len)) {
+ if (!HMAC(EVP_sha384(), key, (int)keylen, buf, len, hmac, hmac_len)) {
 return -1;
 }
 #else
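Review bot: `(int)keylen` in `HMAC(EVP_sha256(), key, (int)keylen, buf, len, hmac, hmac_len)` silences the narrowing warning without removing the narrowing: `keylen` appears to be the `size_t` key-length parameter of `stun_calculate_hmac` (declared `size_t sz` in the header prototype on this line), and a value above `INT_MAX` would be handed to `HMAC()` as a negative length. One range check at the top of the function, outside this hunk, `if (keylen > INT_MAX) return -1;` (`INT_MAX` from `<limits.h>`), makes the casts here and in `@@ -128,7 +128,7 @@`, `@@ -137,7 +137,7 @@` and `@@ -145,7 +145,7 @@` sound, and the `(int)strlen(...)` casts later in this patch have the same shape. The `ns_turn_msg.h` hunk `@@ -196,7 +196,7 @@` from the previous patch is a prototype-only change that matches its definition.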
@@ -137,7 +137,7 @@ int stun_calculate_hmac(const uint8_t *buf, size_t len, const uint8_t *key, size #endif } else if(shatype == SHATYPE_SHA512) { #if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH) - if (!HMAC(EVP_sha512(), key, keylen, buf, len, hmac, hmac_len)) { + if (!HMAC(EVP_sha512(), key, (int)keylen, buf, len, hmac, hmac_len)) { return -1; } #else @@ -145,7 +145,7 @@ int stun_calculate_hmac(const uint8_t *buf, size_t len, const uint8_t *key, size return -1; #endif } else - if (!HMAC(EVP_sha1(), key, keylen, buf, len, hmac, hmac_len)) { + if (!HMAC(EVP_sha1(), key, (int)keylen, buf, len, hmac, hmac_len)) { return -1; } @@ -714,7 +714,7 @@ static void stun_init_error_response_common_str(uint8_t* buf, size_t *len, avalue[3] = (uint8_t) (error_code % 100); strncpy((char*) (avalue + 4), (const char*) reason, sizeof(avalue)-4); avalue[sizeof(avalue)-1]=0; - int alen = 4 + strlen((const char*) (avalue+4)); + int alen = 4 + (int)strlen((const char*) (avalue+4)); //"Manual" padding for compatibility with classic old stun: { @@ -1054,7 +1054,7 @@ int stun_set_allocate_response_str(uint8_t* buf, size_t *len, stun_tid* tid, } if(mobile_id && *mobile_id) { - if(stun_attr_add_str(buf,len,STUN_ATTRIBUTE_MOBILITY_TICKET,(uint8_t*)mobile_id,strlen(mobile_id))<0) return -1; + if(stun_attr_add_str(buf,len,STUN_ATTRIBUTE_MOBILITY_TICKET,(uint8_t*)mobile_id,(int)strlen(mobile_id))<0) return -1; } } else { @@ -1503,7 +1503,7 @@ int stun_attr_add_channel_number_str(uint8_t* buf, size_t *len, uint16_t chnumbe int stun_attr_add_bandwidth_str(uint8_t* buf, size_t *len, band_limit_t bps0) { - uint32_t bps = (band_limit_t)(bps0 >> 7); + uint32_t bps = (uint32_t)(band_limit_t)(bps0 >> 7); uint32_t field=nswap32(bps); 
@@ -1521,7 +1521,7 @@ int stun_attr_add_address_error_code(uint8_t* buf, size_t *len, int requested_ad avalue[3] = (uint8_t) (error_code % 100); strncpy((char*) (avalue + 4), (const char*) reason, sizeof(avalue)-4); avalue[sizeof(avalue)-1]=0; - int alen = 4 + strlen((const char*) (avalue+4)); + int alen = 4 + (int)strlen((const char*) (avalue+4)); //"Manual" padding for compatibility with classic old stun: { @@ -1590,7 +1590,7 @@ int stun_attr_add_fingerprint_str(uint8_t *buf, size_t *len) { uint32_t crc32 = 0; stun_attr_add_str(buf, len, STUN_ATTRIBUTE_FINGERPRINT, (uint8_t*)&crc32, 4); - crc32 = ns_crc32(buf,*len-8); + crc32 = ns_crc32(buf,(int)*len-8); *((uint32_t*)(buf+*len-4)) = nswap32(crc32 ^ ((uint32_t)0x5354554e)); return 0; } @@ -1800,13 +1800,13 @@ int stun_attr_add_integrity_str(turn_credential_type ct, uint8_t *buf, size_t *l int stun_attr_add_integrity_by_key_str(uint8_t *buf, size_t *len, const uint8_t *uname, const uint8_t *realm, hmackey_t key, const uint8_t *nonce, SHATYPE shatype) { - if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_USERNAME, uname, strlen((const char*)uname))<0) + if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_USERNAME, uname, (int)strlen((const char*)uname))<0) return -1; - if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_NONCE, nonce, strlen((const char*)nonce))<0) + if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_NONCE, nonce, (int)strlen((const char*)nonce))<0) return -1; - if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_REALM, realm, strlen((const char*)realm))<0) + if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_REALM, realm, (int)strlen((const char*)realm))<0) return -1; password_t p; 
@@ -1825,7 +1825,7 @@ int stun_attr_add_integrity_by_user_str(uint8_t *buf, size_t *len, const uint8_t int stun_attr_add_integrity_by_user_short_term_str(uint8_t *buf, size_t *len, const uint8_t *uname, password_t pwd, SHATYPE shatype) { - if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_USERNAME, uname, strlen((const char*)uname))<0) + if(stun_attr_add_str(buf, len, STUN_ATTRIBUTE_USERNAME, uname, (int)strlen((const char*)uname))<0) return -1; hmackey_t key; @@ -1887,7 +1887,7 @@ int stun_check_message_integrity_by_key_str(turn_credential_type ct, uint8_t *bu if (orig_len < 0) return -1; - int new_len = ((const uint8_t*) sar - buf) + 4 + shasize; + int new_len = (int)((const uint8_t*) sar - buf) + 4 + shasize; if (new_len > orig_len) return -1; @@ -2397,7 +2397,7 @@ int decode_oauth_token_normal(const uint8_t *server_name, const encoded_oauth_to } static void generate_random_nonce(unsigned char *nonce, size_t sz) { - if(!RAND_bytes(nonce, sz)) { + if(!RAND_bytes(nonce, (int)sz)) { size_t i; for(i=0;i Date: Fri, 1 Nov 2019 11:37:29 +0000 Subject: [PATCH 09/32] Validate the size of the buffer in stun_get_command_message_len_str(). Without this the caller could read off the end of the underlying buffer if it receives a maliciously crafted packet with an invalid header size. --- src/client/ns_turn_msg.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c index 6048312..889cf44 100644 --- a/src/client/ns_turn_msg.c +++ b/src/client/ns_turn_msg.c 
@@ -360,7 +360,14 @@ int stun_get_command_message_len_str(const uint8_t* buf, size_t len) { if (len < STUN_HEADER_LENGTH) return -1; - return (int) (nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH); + + /* Validate the size the buffer claims to be */ + int bufLen = (int) (nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH); + if (bufLen > len) { + return -1; + } + + return bufLen; } static int stun_set_command_message_len_str(uint8_t* buf, int len) { From 9b8baa805582ae66d2a1ed68483609f90fcfb4d0 Mon Sep 17 00:00:00 2001 From: Feral Interactive Date: Fri, 1 Nov 2019 11:38:12 +0000 Subject: [PATCH 10/32] Validate the size of an attribute before returning it to the caller. Previously this was being done in stun_attr_get_next_str() to check that the previous attribute didn't exceed the size of the underlying buffer, however by that point any maliciously crafted attributes would have already had their chance to attack the caller. --- src/client/ns_turn_msg.c | 35 +++++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c index 889cf44..b77ebae 100644 --- a/src/client/ns_turn_msg.c +++ b/src/client/ns_turn_msg.c 
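Review bot: `if (bufLen > len)` compares an `int` against a `size_t`, so the comparison is performed unsigned; it is correct only because `bufLen` is at most 0xFFFF plus `STUN_HEADER_LENGTH`, and it trips -Wsign-compare. Declaring `size_t bufLen = (size_t)nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH;` keeps the types aligned while the return value still fits in `int`. RFC 5389 also requires the low two bits of the length field to be zero, which could be rejected here as well (`if (bufLen & 3) return -1;`), though nothing in the hunk shows whether later attribute parsing depends on it. The camelCase `bufLen` is out of step with the `snake_case` names used elsewhere in this file (`orig_len`, `new_len`).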
@@ -1358,10 +1358,34 @@ stun_attr_ref stun_attr_get_first_by_type_str(const uint8_t* buf, size_t len, ui return NULL; } +static stun_attr_ref stun_attr_check_valid(stun_attr_ref attr, size_t remaining) { + + if(remaining >= 4) { + /* Read the size of the attribute */ + int attrlen = stun_attr_get_len(attr); + remaining -= 4; + + /* Round to boundary */ + uint16_t rem4 = ((uint16_t)attrlen) & 0x0003; + if(rem4) { + attrlen = attrlen+4-(int)rem4; + } + + /* Check that there's enough space remaining */ + if(attrlen <= remaining) { + return attr; + } + } + + return NULL; +} + stun_attr_ref stun_attr_get_first_str(const uint8_t* buf, size_t len) { - if(stun_get_command_message_len_str(buf,len)>STUN_HEADER_LENGTH) { - return (stun_attr_ref)(buf+STUN_HEADER_LENGTH); + int bufLen = stun_get_command_message_len_str(buf,len); + if(bufLen > STUN_HEADER_LENGTH) { + stun_attr_ref attr = (stun_attr_ref)(buf+STUN_HEADER_LENGTH); + return stun_attr_check_valid(attr, bufLen - STUN_HEADER_LENGTH); } return NULL; @@ -1377,8 +1401,11 @@ stun_attr_ref stun_attr_get_next_str(const uint8_t* buf, size_t len, stun_attr_r if(rem4) { attrlen = attrlen+4-(int)rem4; } - const uint8_t* attr_end=(const uint8_t*)prev+4+attrlen; - if(attr_end Date: Fri, 1 Nov 2019 11:33:53 +0000 Subject: [PATCH 11/32] Silence shadow variable declaration warning. 'sar', 'value', and 'vlen' already exist in an outer scope and are safe to reuse since they're overwritten before being used again. --- src/client/ns_turn_msg.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c index cfd5db4..4430289 100644 --- a/src/client/ns_turn_msg.c +++ b/src/client/ns_turn_msg.c 
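Review bot: `stun_attr_check_valid` has no comment stating its contract; suggest `/* Return attr if its 4-byte header plus padded value fits in remaining bytes, else NULL. */` above the definition. `if(attrlen <= remaining)` compares `int` with `size_t`: a negative `attrlen` would convert to a very large unsigned value and be rejected, which is the safe direction but only by accident — using `size_t attrlen` with an explicit sign check on the getter's result would make that intent visible. The second hunk of this commit (`@@ -1377`, the change to `stun_attr_get_next_str`) is cut off in this view, so it could not be reviewed.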
@@ -522,11 +522,11 @@ int stun_is_challenge_response_str(const uint8_t* buf, size_t len, int *err_code realm[vlen]=0; { - stun_attr_ref sar = stun_attr_get_first_by_type_str(buf,len,STUN_ATTRIBUTE_THIRD_PARTY_AUTHORIZATION); + sar = stun_attr_get_first_by_type_str(buf,len,STUN_ATTRIBUTE_THIRD_PARTY_AUTHORIZATION); if(sar) { - const uint8_t *value = stun_attr_get_value(sar); + value = stun_attr_get_value(sar); if(value) { - size_t vlen = (size_t)stun_attr_get_len(sar); + vlen = (size_t)stun_attr_get_len(sar); if(vlen>0) { if(server_name) { bcopy(value,server_name,vlen); From 3a9924dd4d9a7b956bccfd52d5261626dc1a6db3 Mon Sep 17 00:00:00 2001 From: Oskar Niburski Date: Thu, 12 Dec 2019 18:13:38 -0800 Subject: [PATCH 12/32] Update README.docker --- docker/README.docker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/README.docker b/docker/README.docker index 0f7cbfe..0f88e58 100644 --- a/docker/README.docker +++ b/docker/README.docker @@ -1,5 +1,5 @@ Before you begin - * copy db schema run ./cp_schema.sh + * copy db schema run ./cp-schema.sh * edit turnserver/turnserver.cfg according your db selection (mysql or postgresql or redis or mongodb) # start From 3f3a3623c88ee7171f5240ac2267e12d1b63c1e6 Mon Sep 17 00:00:00 2001 From: Alessandro Polidori Date: Thu, 19 Dec 2019 17:41:02 +0100 Subject: [PATCH 13/32] turnserver.conf: add --prod section to enhance security --- docker/coturn/turnserver.conf | 9 +++++++++ examples/etc/turnserver.conf | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/docker/coturn/turnserver.conf b/docker/coturn/turnserver.conf index c1bf130..d455dd3 100644 --- a/docker/coturn/turnserver.conf +++ b/docker/coturn/turnserver.conf 
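Review bot: reusing the outer `vlen` here means that after this block `vlen` holds the THIRD-PARTY-AUTHORIZATION length rather than the REALM length it held at `realm[vlen]=0`; the commit message says it is rewritten before any later use, but the rest of `stun_is_challenge_response_str` is outside the hunk, so that cannot be confirmed from here. If any later read of the realm length exists, a distinct name such as `auth_vlen` silences the shadow warning without the aliasing.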
@@ -575,6 +575,15 @@ syslog # #stun-only +# Option to hide software version. Enhance security when used in production. +# Revealing the specific software version of the agent through the +# SOFTWARE attribute might allow them to become more vulnerable to +# attacks against software that is known to contain security holes. +# Implementers SHOULD make usage of the SOFTWARE attribute a +# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2) +# +#prod + # Option to suppress STUN functionality, only TURN requests will be processed. # Run as TURN server only, all STUN requests will be ignored. # By default, this option is NOT set. diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf index d8189f5..b397472 100644 --- a/examples/etc/turnserver.conf +++ b/examples/etc/turnserver.conf @@ -559,6 +559,15 @@ # #stun-only +# Option to hide software version. Enhance security when used in production. +# Revealing the specific software version of the agent through the +# SOFTWARE attribute might allow them to become more vulnerable to +# attacks against software that is known to contain security holes. +# Implementers SHOULD make usage of the SOFTWARE attribute a +# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2) +# +#prod + # Option to suppress STUN functionality, only TURN requests will be processed. # Run as TURN server only, all STUN requests will be ignored. # By default, this option is NOT set. From 7af87e8107a0e9affaf096923c7e368ba0a4409c Mon Sep 17 00:00:00 2001 From: Corey Cole Date: Mon, 30 Dec 2019 10:29:25 -0800 Subject: [PATCH 14/32] docs(turnadmin): fix typo --- man/man1/turnadmin.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1 index a1dab5a..d59aa3e 100644 --- a/man/man1/turnadmin.1 +++ b/man/man1/turnadmin.1 
@@ -71,7 +71,7 @@ Generate and print to the standard output an encrypted form of a password (for web admin user or CLI). The value then can be used as a safe key for the password storage on disk or in the database. Every invocation for the same password -produces a different result. The for mat of the encrypted password is: +produces a different result. The format of the encrypted password is: $5$<\.\.\.salt\.\.\.>$<\.\.\.sha256(salt+password)\.\.\.>. Salt is 16 characters, the sha256 output is 64 characters. Character 5 is the algorithm id (sha256). Only sha256 is supported as the hash function. From d1e04869b0ea88f92a7bd1200facf78400d422fd Mon Sep 17 00:00:00 2001 From: seungbin-ko Date: Mon, 10 Feb 2020 18:09:56 +0900 Subject: [PATCH 15/32] Updated INSTALL Fix typos about INSTALL filenames. --- INSTALL | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/INSTALL b/INSTALL index 1e7b38f..a445f4f 100644 --- a/INSTALL +++ b/INSTALL @@ -15,7 +15,7 @@ Unpack the archive: $ tar xvfz turnserver-<...>.tar.gz -Read the INSTALl file: +Read the INSTALL file: $ cat INSTALL From 092c5ad7e7a436ce8a01fd9228f9bff8207d7eaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Wed, 12 Feb 2020 10:53:46 +0100 Subject: [PATCH 16/32] Update travis macOS image --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 3d1e5e6..a9f4d68 100644 --- a/.travis.yml +++ b/.travis.yml @@ -65,7 +65,7 @@ matrix: - libmysqlclient-dev - libhiredis-dev - os: osx - osx_image: xcode10.3 + osx_image: xcode11.3 # - os: osx # osx_image: xcode9.4 From 33692365ad33ab479556eed683ce2b0ff0cdfe87 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Wed, 12 Feb 2020 11:06:41 +0100 Subject: [PATCH 17/32] Fix typo in README and run make-man.sh --- README.turnadmin | 2 +- man/man1/turnadmin.1 | 2 +- man/man1/turnserver.1 | 2 +- man/man1/turnutils.1 | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.turnadmin b/README.turnadmin index ea504d7..e022f00 100644 --- a/README.turnadmin +++ b/README.turnadmin @@ -51,7 +51,7 @@ Commands: output an encrypted form of a password (for web admin user or CLI). The value then can be used as a safe key for the password storage on disk or in the database. Every invocation for the same password -produces a different result. The for mat of the encrypted password is: +produces a different result. The format of the encrypted password is: $5$<...salt...>$<...sha256(salt+password)...>. Salt is 16 characters, the sha256 output is 64 characters. Character 5 is the algorithm id (sha256). Only sha256 is supported as the hash function. diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1 index d59aa3e..92b1662 100644 --- a/man/man1/turnadmin.1 +++ b/man/man1/turnadmin.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "29 January 2019" "" "" +.TH TURN 1 "12 February 2020" "" "" .SH GENERAL INFORMATION \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index 4cbac6d..6c7e96a 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "29 January 2019" "" "" +.TH TURN 1 "12 February 2020" "" "" .SH GENERAL INFORMATION The \fBTURN Server\fP project contains the source code of a TURN server and TURN client diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1 index 74d1e42..7da6552 100644 --- a/man/man1/turnutils.1 +++ b/man/man1/turnutils.1 
@@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "29 January 2019" "" "" +.TH TURN 1 "12 February 2020" "" "" .SH GENERAL INFORMATION A set of turnutils_* programs provides some utility functionality to be used From 047102a44b80cea554edd1397b69ea67cf20ddc0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Wed, 12 Feb 2020 11:30:27 +0100 Subject: [PATCH 18/32] Update travis ubuntu version to bionic --- .travis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index a9f4d68..e0ff277 100644 --- a/.travis.yml +++ b/.travis.yml @@ -13,7 +13,7 @@ matrix: include: - os: linux arch: amd64 - dist: xenial + dist: bionic sudo: required addons: apt: @@ -31,7 +31,7 @@ matrix: - libhiredis-dev - os: linux arch: arm64 - dist: precise + dist: bionic sudo: required addons: apt: From 51a7c2b9bf924890c7a3ff4db9c4976c5a93340a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Mon, 17 Feb 2020 10:34:56 +0100 Subject: [PATCH 19/32] Fix: CVE-2020-6061/TALOS-2020-0984 --- src/apps/relay/http_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/apps/relay/http_server.c b/src/apps/relay/http_server.c index 573af49..1126b49 100644 --- a/src/apps/relay/http_server.c +++ b/src/apps/relay/http_server.c @@ -103,7 +103,7 @@ const char* get_http_date_header() static struct headers_list * post_parse(char *data, size_t data_len) { - while((*data=='\r')||(*data=='\n')) ++data; + while((*data=='\r')||(*data=='\n')) { ++data; --data_len; } char *post_data = (char*)calloc(data_len + 1, sizeof(char)); memcpy(post_data, data, data_len); char *fmarker = NULL; From e09bcd9f7af5b32c81b37f51835b384b5a7d03a8 Mon Sep 17 00:00:00 2001 
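Review bot: the skip loop still reads `*data` before checking that any bytes remain, so a body consisting only of CR/LF characters walks past `data + data_len`, and `--data_len` then wraps the `size_t` below zero, which the following `calloc(data_len + 1, ...)` and `memcpy` act on. Bounding the loop on the length closes this: `while(data_len && ((*data=='\r')||(*data=='\n'))) { ++data; --data_len; }`. The same unbounded loop is carried unchanged into the `post_parse` rewrite in the next commit (`@@ -104`). `post_parse` continues past the end of this hunk.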
From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Tue, 18 Feb 2020 12:31:38 +0100 Subject: [PATCH 20/32] Fix: CVE-2020-6062 / TALOS-2020-0985 --- src/apps/relay/http_server.c | 63 ++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 27 deletions(-) diff --git a/src/apps/relay/http_server.c b/src/apps/relay/http_server.c index 1126b49..ff8e399 100644 --- a/src/apps/relay/http_server.c +++ b/src/apps/relay/http_server.c 
@@ -104,35 +104,44 @@ const char* get_http_date_header() static struct headers_list * post_parse(char *data, size_t data_len) { while((*data=='\r')||(*data=='\n')) { ++data; --data_len; } - char *post_data = (char*)calloc(data_len + 1, sizeof(char)); - memcpy(post_data, data, data_len); - char *fmarker = NULL; - char *fsplit = strtok_r(post_data, "&", &fmarker); - struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list)); - bzero(list,sizeof(struct headers_list)); - while (fsplit != NULL) { - char *vmarker = NULL; - char *key = strtok_r(fsplit, "=", &vmarker); - char *value = strtok_r(NULL, "=", &vmarker); - char empty[1]; - empty[0]=0; - value = value ? value : empty; - value = evhttp_decode_uri(value); - char *p = value; - while (*p) { - if (*p == '+') - *p = ' '; - p++; + if (data_len) { + char *post_data = (char*)calloc(data_len + 1, sizeof(char)); + if (post_data != NULL) { + memcpy(post_data, data, data_len); + char *fmarker = NULL; + char *fsplit = strtok_r(post_data, "&", &fmarker); + struct headers_list *list = (struct headers_list*)malloc(sizeof(struct headers_list)); + bzero(list,sizeof(struct headers_list)); + while (fsplit != NULL) { + char *vmarker = NULL; + char *key = strtok_r(fsplit, "=", &vmarker); + if (key == NULL) + break; + else { + char *value = strtok_r(NULL, "=", &vmarker); + char empty[1]; + empty[0]=0; + value = value ? 
value : empty; + value = evhttp_decode_uri(value); + char *p = value; + while (*p) { + if (*p == '+') + *p = ' '; + p++; + } + list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1)); + list->keys[list->n] = strdup(key); + list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1)); + list->values[list->n] = value; + ++(list->n); + fsplit = strtok_r(NULL, "&", &fmarker); + } + } + free(post_data); + return list; } - list->keys = (char**)realloc(list->keys,sizeof(char*)*(list->n+1)); - list->keys[list->n] = strdup(key); - list->values = (char**)realloc(list->values,sizeof(char*)*(list->n+1)); - list->values[list->n] = value; - ++(list->n); - fsplit = strtok_r(NULL, "&", &fmarker); } - free(post_data); - return list; + return NULL; } static struct http_request* parse_http_request_1(struct http_request* ret, char* request, int parse_post) From 8eb779a3cf792804c5f5b9091857e88536ff3ba8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Wed, 19 Feb 2020 10:52:59 +0100 Subject: [PATCH 21/32] update Changelog --- ChangeLog | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/ChangeLog b/ChangeLog index c7dfb3d..e5e4239 100644 --- a/ChangeLog +++ b/ChangeLog 
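Review bot: every allocation on the new path is unchecked — `malloc` of `list` is followed directly by `bzero(list, ...)`, `realloc` overwrites `list->keys` and `list->values` in place (the old block is lost on failure), and `strdup(key)` and `evhttp_decode_uri(value)` are stored or dereferenced (`while (*p)`) without a NULL test — so an allocation failure turns into the same class of NULL dereference this commit is fixing. At minimum add `if (list == NULL) { free(post_data); return NULL; }` after the `malloc`, and grow the two arrays through a temporary (`char **tmp = realloc(...); if (!tmp) break; list->keys = tmp;`). Since `post_parse` can now return NULL, its callers (outside this hunk) presumably need the matching check. The body is also four levels deep now; early returns on `!data_len` and `!post_data` would keep the parsing loop at its original indentation.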
@@ -33,6 +33,22 @@ Version 4.5.1.2 'dan Eider': - merge PR #417 Append only to log files rather to override them (by robert-scheck) - merge PR #442 Updated incorrect string length check for 'ssh' (by chanduthedev) - merge PR #449 Fix Dockerfile for latest Debian (by rao-donut) + - http server NULL dereference + * Reported (by quarkslab.com, cisco/talos) + * CVE-2020-6061 / TALOS-2020-0984 + - http server out of bound read + * Reported (by quarkslab.com, cisco/talos) + * CVE-2020-6061 / TALOS-2020-0984 + - merge PR #472 STUN input validation (by bobsayshilol) + - merge PR #398 FIPS (by byronclark) + - merge PR #478 prod (by alepolidori) + - merge PR #463 fix typos and grammar (by xthursdayx) + - update travis config ubuntu/mac images + - merge PR #466 added null check for second char (by chanduthedev) + - merge PR #470 compiler warning fixes (by bobsayshilol) + - merge PR #475 Update README.docker (by raksonibs) + - merge PR #471 Fix a memory leak when an SHATYPE isn't supported (by bobsayshilol) + - merge PR #488 Fix typos about INSTALL filenames (by raccoonback) 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider': From 4722697645cf033de8cf4f34e4214af750746365 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Tue, 3 Mar 2020 15:11:29 +0100 Subject: [PATCH 22/32] Fix compiler warnings * Changed type from int to size_t to avoid warning warning: comparison between signed and unsigned integer expressions * Fixed string truncation warning --- ChangeLog | 2 ++ src/apps/common/ns_turn_utils.c | 13 +++++++++---- src/client/ns_turn_msg.c | 4 ++-- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index e5e4239..a5a43eb 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -49,6 +49,8 @@ Version 4.5.1.2 'dan Eider': - merge PR #475 Update README.docker (by raksonibs) - merge PR #471 Fix a memory leak when an SHATYPE isn't supported (by bobsayshilol) - merge PR #488 Fix typos about INSTALL filenames (by raccoonback) + - fix compiler warning comparison between signed and unsigned integer expressions + - fix compiler warning string truncation 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider': diff --git a/src/apps/common/ns_turn_utils.c b/src/apps/common/ns_turn_utils.c index a4b46a2..04b180c 100644 --- a/src/apps/common/ns_turn_utils.c +++ b/src/apps/common/ns_turn_utils.c @@ -393,7 +393,8 @@ static void set_rtpfile(void) else snprintf(logtail, FILE_STR_LEN, "turn_%d_", (int)getpid()); - snprintf(logbase, FILE_STR_LEN, "/var/log/turnserver/%s", logtail); + if (snprintf(logbase, FILE_STR_LEN, "/var/log/turnserver/%s", logtail)<0) + TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "String truncation occured.\n"); set_log_file_name(logbase, logf); 
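Review bot: `snprintf()` returns a negative value only on an encoding error; truncation is reported by a return value of `FILE_STR_LEN` or more, so `if (snprintf(...)<0)` never fires for the case the log message describes. Use `int n = snprintf(logbase, FILE_STR_LEN, "/var/log/turnserver/%s", logtail); if (n < 0 || n >= FILE_STR_LEN) TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "String truncation occurred.\n");` (the message currently spells "occured" with one r). The three other branches in `@@ -401` have the same check. `set_rtpfile` begins before this hunk.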
@@ -401,20 +402,24 @@ static void set_rtpfile(void) if(_rtpfile) TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf); else { - snprintf(logbase, FILE_STR_LEN, "/var/log/%s", logtail); + if (snprintf(logbase, FILE_STR_LEN, "/var/log/%s", logtail)<0) + TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "String truncation occured.\n"); set_log_file_name(logbase, logf); _rtpfile = fopen(logf, "a"); if(_rtpfile) TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf); else { - snprintf(logbase, FILE_STR_LEN, "/var/tmp/%s", logtail); + if (snprintf(logbase, FILE_STR_LEN, "/var/tmp/%s", logtail)<0) + TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "String truncation occured.\n"); + set_log_file_name(logbase, logf); _rtpfile = fopen(logf, "a"); if(_rtpfile) TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf); else { - snprintf(logbase, FILE_STR_LEN, "/tmp/%s", logtail); + if (snprintf(logbase, FILE_STR_LEN, "/tmp/%s", logtail)<0) + TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "String truncation occured.\n"); set_log_file_name(logbase, logf); _rtpfile = fopen(logf, "a"); if(_rtpfile) diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c index c992e5c..2a4008d 100644 --- a/src/client/ns_turn_msg.c +++ b/src/client/ns_turn_msg.c @@ -386,7 +386,7 @@ int stun_get_command_message_len_str(const uint8_t* buf, size_t len) return -1; /* Validate the size the buffer claims to be */ - int bufLen = (int) (nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH); + size_t bufLen = (size_t) (nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH); if (bufLen > len) { return -1; } @@ -1386,7 +1386,7 @@ static stun_attr_ref stun_attr_check_valid(stun_attr_ref attr, size_t remaining) if(remaining >= 4) { /* Read the size of the attribute */ - int attrlen = stun_attr_get_len(attr); + size_t attrlen = stun_attr_get_len(attr); remaining -= 4; /* Round to boundary */ From 520e172b22c7b35fd8e90ed113f2464281b15ad6 Mon Sep 17 00:00:00 2001 
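Review bot: `size_t attrlen = stun_attr_get_len(attr);` converts the getter's result implicitly; if `stun_attr_get_len` can return a negative error value, it now becomes a huge length that the later `attrlen <= remaining` test rejects, which is safe but only through unsigned wraparound. `int l = stun_attr_get_len(attr); if (l < 0) return NULL; size_t attrlen = (size_t)l;` states the intent directly, and the `((uint16_t)attrlen) & 0x0003` line added by the earlier commit now narrows a `size_t`. The rest of `stun_attr_check_valid` is outside this hunk.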
From: Danilo Bargen Date: Fri, 13 Mar 2020 11:01:15 +0100 Subject: [PATCH 23/32] Rename "prod" config option to "no-software-attribute" As discussed in https://github.com/coturn/coturn/pull/478, if the parameter only controls whether or not to send the software attribute and not other production-relevant configurations, it should be named accordingly. The old --prod configuration option still works, but is now deprecated and undocumented. --- README.turnserver | 2 +- docker/coturn/turnserver.conf | 2 +- examples/etc/turnserver.conf | 2 +- man/man1/turnserver.1 | 4 ++-- src/apps/relay/mainrelay.c | 11 ++++++----- src/apps/relay/mainrelay.h | 2 +- src/apps/relay/netengine.c | 2 +- src/apps/relay/turn_admin_server.c | 2 +- src/server/ns_turn_server.c | 6 +++--- src/server/ns_turn_server.h | 4 ++-- 10 files changed, 19 insertions(+), 18 deletions(-) diff --git a/README.turnserver b/README.turnserver index 4f2b28d..bdb5ebe 100644 --- a/README.turnserver +++ b/README.turnserver @@ -158,7 +158,7 @@ Flags: -o, --daemon Run server as daemon. ---prod Production mode: hide the software version. +--no-software-attribute Production mode: hide the software version. -f, --fingerprint Use fingerprints in the TURN messages. If an incoming request contains a fingerprint, then TURN server will always add diff --git a/docker/coturn/turnserver.conf b/docker/coturn/turnserver.conf index d455dd3..0389f72 100644 --- a/docker/coturn/turnserver.conf +++ b/docker/coturn/turnserver.conf @@ -582,7 +582,7 @@ syslog # Implementers SHOULD make usage of the SOFTWARE attribute a # configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2) # -#prod +#no-software-attribute # Option to suppress STUN functionality, only TURN requests will be processed. # Run as TURN server only, all STUN requests will be ignored. diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf index e917407..0d0417a 100644 --- a/examples/etc/turnserver.conf +++ b/examples/etc/turnserver.conf 
@@ -566,7 +566,7 @@ # Implementers SHOULD make usage of the SOFTWARE attribute a # configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2) # -#prod +#no-software-attribute # Option to suppress STUN functionality, only TURN requests will be processed. # Run as TURN server only, all STUN requests will be ignored. diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index 6c7e96a..2bfbcf1 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -236,8 +236,8 @@ Extra verbose mode, very annoying and not recommended. Run server as daemon. .TP .B -\fB\-\-prod\fP -Production mode: hide the software version. +\fB\-\-no-software-attribute\fP +Do not send the software version. Should be used in production. .TP .B \fB\-f\fP, \fB\-\-fingerprint\fP diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index 6710da6..8ff7733 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -448,7 +448,7 @@ static char Usage[] = "Usage: turnserver [options]\n" " -v, --verbose 'Moderate' verbose mode.\n" " -V, --Verbose Extra verbose mode, very annoying (for debug purposes only).\n" " -o, --daemon Start process as daemon (detach from current shell).\n" -" --prod Production mode: hide the software version.\n" +" --no-software-attribute Production mode: hide the software version (formerly --prod).\n" " -f, --fingerprint Use fingerprints in the TURN messages.\n" " -a, --lt-cred-mech Use the long-term credential mechanism.\n" " -z, --no-auth Do not use any credential mechanism, allow anonymous access.\n" @@ -779,7 +779,7 @@ enum EXTRA_OPTS { ADMIN_USER_QUOTA_OPT, SERVER_NAME_OPT, OAUTH_OPT, - PROD_OPT, + NO_SOFTWARE_ATTRIBUTE_OPT, NO_HTTP_OPT, SECRET_KEY_OPT }; 
@@ -844,7 +844,8 @@ static const struct myoption long_options[] = { { "verbose", optional_argument, NULL, 'v' }, { "Verbose", optional_argument, NULL, 'V' }, { "daemon", optional_argument, NULL, 'o' }, - { "prod", optional_argument, NULL, PROD_OPT }, +/* deprecated: */ { "prod", optional_argument, NULL, NO_SOFTWARE_ATTRIBUTE_OPT }, + { "no-software-attribute", optional_argument, NULL, NO_SOFTWARE_ATTRIBUTE_OPT }, { "fingerprint", optional_argument, NULL, 'f' }, { "check-origin-consistency", optional_argument, NULL, CHECK_ORIGIN_CONSISTENCY_OPT }, { "no-udp", optional_argument, NULL, NO_UDP_OPT }, @@ -1378,8 +1379,8 @@ static void set_option(int c, char *value) anon_credentials = 1; } break; - case PROD_OPT: - turn_params.prod = get_bool_value(value); + case NO_SOFTWARE_ATTRIBUTE_OPT: + turn_params.no_software_attribute = get_bool_value(value); break; case 'f': turn_params.fingerprint = get_bool_value(value); diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h index ea13984..4394c33 100644 --- a/src/apps/relay/mainrelay.h +++ b/src/apps/relay/mainrelay.h @@ -213,7 +213,7 @@ typedef struct _turn_params_ { int verbose; int turn_daemon; - int prod; + int no_software_attribute; int web_admin_listen_on_workers; int do_not_use_config_file; diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c index 1a69dcd..acf4208 100644 --- a/src/apps/relay/netengine.c +++ b/src/apps/relay/netengine.c @@ -1651,7 +1651,7 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int &turn_params.permission_lifetime, &turn_params.stun_only, &turn_params.no_stun, - &turn_params.prod, + &turn_params.no_software_attribute, &turn_params.web_admin_listen_on_workers, &turn_params.alternate_servers_list, &turn_params.tls_alternate_servers_list, diff --git a/src/apps/relay/turn_admin_server.c b/src/apps/relay/turn_admin_server.c index dade161..7ad2ab1 100644 --- a/src/apps/relay/turn_admin_server.c +++ b/src/apps/relay/turn_admin_server.c 
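Review bot: mapping both `"prod"` and `"no-software-attribute"` to the same `NO_SOFTWARE_ATTRIBUTE_OPT` means `set_option` cannot tell which spelling was used, so the deprecated form is accepted silently and operators get no prompt to migrate even though the commit message calls it deprecated. Keeping a separate `PROD_OPT` case in `set_option` (`@@ -1378`) that logs a deprecation warning and then assigns `turn_params.no_software_attribute = get_bool_value(value);` costs two lines. The `/* deprecated: */` comment is currently the only marker, and the `Usage` text at `@@ -448` still mentions `--prod` via "(formerly --prod)", which is at odds with "undocumented" in the description.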
@@ -1659,7 +1659,7 @@ static void https_finish_page(struct str_buffer *sb, ioa_socket_handle s, int cc str_buffer_append(sb,"\r\n\r\n"); send_str_from_ioa_socket_tcp(s,"HTTP/1.1 200 OK\r\nServer: "); - if(!turn_params.prod) { + if(!turn_params.no_software_attribute) { send_str_from_ioa_socket_tcp(s,TURN_SOFTWARE); } send_str_from_ioa_socket_tcp(s,"\r\n"); diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c index 16a6511..38a1513 100644 --- a/src/server/ns_turn_server.c +++ b/src/server/ns_turn_server.c @@ -64,7 +64,7 @@ static inline int get_family(int stun_family, ioa_engine_handle e, ioa_socket_ha //////////////////////////////////////////////// const char * get_version(turn_turnserver *server) { - if(server && !*server->prod) { + if(server && !*server->no_software_attribute) { return (const char *) TURN_SOFTWARE; } else { return (const char *) "None"; @@ -4900,7 +4900,7 @@ void init_turn_server(turn_turnserver* server, vintp permission_lifetime, vintp stun_only, vintp no_stun, - vintp prod, + vintp no_software_attribute, vintp web_admin_listen_on_workers, turn_server_addrs_list_t *alternate_servers_list, turn_server_addrs_list_t *tls_alternate_servers_list, @@ -4962,7 +4962,7 @@ void init_turn_server(turn_turnserver* server, server->permission_lifetime = permission_lifetime; server->stun_only = stun_only; server->no_stun = no_stun; - server->prod = prod; + server->no_software_attribute = no_software_attribute; server-> web_admin_listen_on_workers = web_admin_listen_on_workers; server->dont_fragment = dont_fragment; diff --git a/src/server/ns_turn_server.h b/src/server/ns_turn_server.h index 628457f..924a507 100644 --- a/src/server/ns_turn_server.h +++ b/src/server/ns_turn_server.h @@ -120,7 +120,7 @@ struct _turn_turnserver { vintp permission_lifetime; vintp stun_only; vintp no_stun; - vintp prod; + vintp no_software_attribute; vintp web_admin_listen_on_workers; vintp secure_stun; turn_credential_type ct; 
@@ -199,7 +199,7 @@ void init_turn_server(turn_turnserver* server, vintp permission_lifetime, vintp stun_only, vintp no_stun, - vintp prod, + vintp no_software_attribute, vintp web_admin_listen_on_workers, turn_server_addrs_list_t *alternate_servers_list, turn_server_addrs_list_t *tls_alternate_servers_list, From 801832e94ff5843653b297a8e6e09154372ca6c5 Mon Sep 17 00:00:00 2001 From: Paul Menzel Date: Mon, 30 Mar 2020 19:24:14 +0200 Subject: [PATCH 24/32] Replace coTURN by Coturn The official spelling of *Coturn* seems to be just with a capital starting letter, replace all occurrences of *coTURN* with the command below. git grep -l coTURN | xargs sed -i 's/coTURN/Coturn/g' --- docker/coturn/Dockerfile | 4 ++-- docker/coturn/turnserver.conf | 2 +- docker/docker-compose-all.yml | 2 +- docker/docker-compose-mongodb.yml | 2 +- docker/docker-compose-mysql.yml | 2 +- docker/docker-compose-postgresql.yml | 2 +- docker/docker-compose-redis.yml | 2 +- examples/etc/coturn.service | 2 +- examples/etc/turnserver.conf | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docker/coturn/Dockerfile b/docker/coturn/Dockerfile index 00722ee..b8fd207 100644 --- a/docker/coturn/Dockerfile +++ b/docker/coturn/Dockerfile @@ -8,11 +8,11 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ apt-get update && \ apt-get install -y build-essential git debhelper dpkg-dev libssl-dev libevent-dev sqlite3 libsqlite3-dev postgresql-client libpq-dev default-mysql-client default-libmysqlclient-dev libhiredis-dev libmongoc-dev libbson-dev -# Clone coTURN +# Clone Coturn WORKDIR ${BUILD_PREFIX} RUN git clone https://github.com/coturn/coturn.git -# Build coTURN +# Build Coturn WORKDIR coturn RUN ./configure RUN make diff --git a/docker/coturn/turnserver.conf b/docker/coturn/turnserver.conf index d455dd3..88583e0 100644 --- a/docker/coturn/turnserver.conf +++ b/docker/coturn/turnserver.conf 
@@ -640,7 +640,7 @@ no-loopback-peers # Allocate Address Family according # If enabled then TURN server allocates address family according the TURN # Client <=> Server communication address family. -# (By default coTURN works according RFC 6156.) +# (By default Coturn works according RFC 6156.) # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!! # #keep-address-family diff --git a/docker/docker-compose-all.yml b/docker/docker-compose-all.yml index d3e06be..c1e4778 100644 --- a/docker/docker-compose-all.yml +++ b/docker/docker-compose-all.yml @@ -49,7 +49,7 @@ services: - backend -# coTURN +# Coturn coturn: build: context: ./coturn diff --git a/docker/docker-compose-mongodb.yml b/docker/docker-compose-mongodb.yml index c4c675f..a163d23 100644 --- a/docker/docker-compose-mongodb.yml +++ b/docker/docker-compose-mongodb.yml @@ -13,7 +13,7 @@ services: - backend -# coTURN +# Coturn coturn: build: context: ./coturn diff --git a/docker/docker-compose-mysql.yml b/docker/docker-compose-mysql.yml index 2a68266..0600155 100644 --- a/docker/docker-compose-mysql.yml +++ b/docker/docker-compose-mysql.yml @@ -14,7 +14,7 @@ services: - backend -# coTURN +# Coturn coturn: build: context: ./coturn diff --git a/docker/docker-compose-postgresql.yml b/docker/docker-compose-postgresql.yml index 514a00e..b0376ce 100644 --- a/docker/docker-compose-postgresql.yml +++ b/docker/docker-compose-postgresql.yml @@ -14,7 +14,7 @@ services: - backend -# coTURN +# Coturn coturn: build: context: ./coturn diff --git a/docker/docker-compose-redis.yml b/docker/docker-compose-redis.yml index 4ae6f07..32d4109 100644 --- a/docker/docker-compose-redis.yml +++ b/docker/docker-compose-redis.yml @@ -14,7 +14,7 @@ services: - backend -# coTURN +# Coturn coturn: build: context: ./coturn diff --git a/examples/etc/coturn.service b/examples/etc/coturn.service index 45fb9a2..c3831f8 100644 --- a/examples/etc/coturn.service +++ b/examples/etc/coturn.service 
@@ -1,5 +1,5 @@ [Unit] -Description=coTURN STUN/TURN Server +Description=Coturn STUN/TURN Server Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1) After=network.target After=network-online.target diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf index e917407..8eeaace 100644 --- a/examples/etc/turnserver.conf +++ b/examples/etc/turnserver.conf @@ -631,7 +631,7 @@ # Allocate Address Family according # If enabled then TURN server allocates address family according the TURN # Client <=> Server communication address family. -# (By default coTURN works according RFC 6156.) +# (By default Coturn works according RFC 6156.) # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!! # #keep-address-family From aabfce8709e098d2f052318ac0f4839c407380b6 Mon Sep 17 00:00:00 2001 From: ooookai Date: Mon, 6 Apr 2020 01:48:53 +0800 Subject: [PATCH 25/32] Update README.docker --- docker/README.docker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/README.docker b/docker/README.docker index 0f88e58..3e7d6dc 100644 --- a/docker/README.docker +++ b/docker/README.docker @@ -1,6 +1,6 @@ Before you begin * copy db schema run ./cp-schema.sh - * edit turnserver/turnserver.cfg according your db selection (mysql or postgresql or redis or mongodb) + * edit turnserver/turnserver.conf according your db selection (mysql or postgresql or redis or mongodb) # start From acbf7e15c9290e0891a6b6b5ce6e81bbaa77ce5a Mon Sep 17 00:00:00 2001 From: Johannes Weberhofer Date: Sat, 11 Apr 2020 10:33:55 +0200 Subject: [PATCH 26/32] Drop of supplementary group IDs Fix related to POS36-C and rpmlint error "missing-call-to-setgroups-before-setuid". --- src/apps/relay/mainrelay.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index 6710da6..5a21cfa 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c 
@@ -2061,6 +2061,7 @@ static void set_network_engine(void) static void drop_privileges(void) { + setgroups(0, NULL); if(procgroupid_set) { if(getgid() != procgroupid) { if (setgid(procgroupid) != 0) { From fb8dc8a7362ad00334819e86ff374bfdde46c91b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Wed, 15 Apr 2020 22:07:26 +0200 Subject: [PATCH 27/32] Change DH key size default from 1066 to 2066 --- README.turnserver | 6 +++--- man/man1/turnadmin.1 | 2 +- man/man1/turnserver.1 | 10 +++++----- man/man1/turnutils.1 | 2 +- src/apps/relay/mainrelay.c | 22 +++++++++++----------- 5 files changed, 21 insertions(+), 21 deletions(-) diff --git a/README.turnserver b/README.turnserver index 4f2b28d..0d14a8f 100644 --- a/README.turnserver +++ b/README.turnserver @@ -190,9 +190,9 @@ Flags: --oauth Support oAuth authentication, as in the third-party STUN/TURN RFC 7635. ---dh566 Use 566 bits predefined DH TLS key. Default size of the key is 1066. +--dh566 Use 566 bits predefined DH TLS key. Default size of the key is 2066. ---dh2066 Use 2066 bits predefined DH TLS key. Default size of the key is 1066. +--dh1066 Use 1066 bits predefined DH TLS key. Default size of the key is 2066. --no-tlsv1 Do not allow TLSv1/DTLSv1 protocol. @@ -457,7 +457,7 @@ Options with values: by this option. --dh-file Use custom DH TLS key, stored in PEM format in the file. - Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file. + Flags --dh566 and --dh1066 are ignored when the DH key is taken from a file. -l, --log-file Option to set the full path name of the log file. By default, the turnserver tries to open a log file in diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1 index 92b1662..328b53c 100644 --- a/man/man1/turnadmin.1 +++ b/man/man1/turnadmin.1 
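Review bot: The return value of the added `setgroups(0, NULL);` in drop_privileges is discarded, so if the call fails the process continues with the supplementary groups of whoever started it and the privilege drop is silently incomplete, which is exactly what POS36-C cited in the commit message asks to avoid. It should be checked in the same way as the existing `if (setgid(procgroupid) != 0) {` below it, logging the failure and refusing to continue. Note that setgroups fails with EPERM when turnserver is started as a non-root user, so the check should either be gated on actually running as root or the call moved inside the `if(procgroupid_set)` block, otherwise an unprivileged start would abort. If `<grp.h>` is not already included in mainrelay.c (not visible here), the call also relies on an implicit declaration. The rest of drop_privileges continues outside the hunk.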
@@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "12 February 2020" "" "" +.TH TURN 1 "15 April 2020" "" "" .SH GENERAL INFORMATION \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index 6c7e96a..24f45b9 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "12 February 2020" "" "" +.TH TURN 1 "15 April 2020" "" "" .SH GENERAL INFORMATION The \fBTURN Server\fP project contains the source code of a TURN server and TURN client @@ -281,11 +281,11 @@ Support oAuth authentication, as in the third\-party STUN/TURN RFC 7635. .TP .B \fB\-\-dh566\fP -Use 566 bits predefined DH TLS key. Default size of the key is 1066. +Use 566 bits predefined DH TLS key. Default size of the key is 2066. .TP .B -\fB\-\-dh2066\fP -Use 2066 bits predefined DH TLS key. Default size of the key is 1066. +\fB\-\-dh1066\fP +Use 1066 bits predefined DH TLS key. Default size of the key is 2066. .TP .B \fB\-\-no\-tlsv1\fP @@ -667,7 +667,7 @@ by this option. .B \fB\-\-dh\-file\fP Use custom DH TLS key, stored in PEM format in the file. -Flags \fB\-\-dh566\fP and \fB\-\-dh2066\fP are ignored when the DH key is taken from a file. +Flags \fB\-\-dh566\fP and \fB\-\-dh1066\fP are ignored when the DH key is taken from a file. .TP .B \fB\-l\fP, \fB\-\-log\-file\fP diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1 index 7da6552..9a0778c 100644 --- a/man/man1/turnutils.1 +++ b/man/man1/turnutils.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "12 February 2020" "" "" +.TH TURN 1 "15 April 2020" "" "" .SH GENERAL INFORMATION A set of turnutils_* programs provides some utility functionality to be used diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index 6710da6..82be545 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c 
@@ -90,7 +90,7 @@ NULL, NULL, #endif -DH_1066, "", "", "", +DH_2066, "", "", "", "turn_server_cert.pem","turn_server_pkey.pem", "", "", 0,0,0, #if !TLS_SUPPORTED @@ -555,10 +555,10 @@ static char Usage[] = "Usage: turnserver [options]\n" " if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,\n" " an optimal curve will be automatically calculated, if not defined\n" " by this option.\n" -" --dh566 Use 566 bits predefined DH TLS key. Default size of the predefined key is 1066.\n" -" --dh2066 Use 2066 bits predefined DH TLS key. Default size of the predefined key is 1066.\n" +" --dh566 Use 566 bits predefined DH TLS key. Default size of the predefined key is 2066.\n" +" --dh1066 Use 1066 bits predefined DH TLS key. Default size of the predefined key is 2066.\n" " --dh-file Use custom DH TLS key, stored in PEM format in the file.\n" -" Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.\n" +" Flags --dh566 and --dh1066 are ignored when the DH key is taken from a file.\n" " --no-tlsv1 Do not allow TLSv1/DTLSv1 protocol.\n" " --no-tlsv1_1 Do not allow TLSv1.1 protocol.\n" " --no-tlsv1_2 Do not allow TLSv1.2/DTLSv1.2 protocol.\n" @@ -766,7 +766,7 @@ enum EXTRA_OPTS { CLI_MAX_SESSIONS_OPT, EC_CURVE_NAME_OPT, DH566_OPT, - DH2066_OPT, + DH1066_OPT, NE_TYPE_OPT, NO_SSLV2_OPT, /*deprecated*/ NO_SSLV3_OPT, /*deprecated*/ @@ -896,7 +896,7 @@ static const struct myoption long_options[] = { { "cli-max-output-sessions", required_argument, NULL, CLI_MAX_SESSIONS_OPT }, { "ec-curve-name", required_argument, NULL, EC_CURVE_NAME_OPT }, { "dh566", optional_argument, NULL, DH566_OPT }, - { "dh2066", optional_argument, NULL, DH2066_OPT }, + { "dh1066", optional_argument, NULL, DH1066_OPT }, { "ne", required_argument, NULL, NE_TYPE_OPT }, { "no-sslv2", optional_argument, NULL, NO_SSLV2_OPT }, /* deprecated */ { "no-sslv3", optional_argument, NULL, NO_SSLV3_OPT }, /* deprecated */ 
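Review bot: Renaming DH2066_OPT to DH1066_OPT (`@@ -766`) and replacing the `dh2066` entry in long_options with `dh1066` (`@@ -896`) removes the `--dh2066` flag outright, so any existing command line or configuration that spells it out will stop parsing after this upgrade, even though it asked for what is now the default. The patch that renamed `prod` on this same page kept the old spelling as a deprecated alias; the same treatment here, keeping `{ "dh2066", optional_argument, NULL, DH2066_OPT }, /* deprecated */` alongside the new entry with DH2066_OPT retained in enum EXTRA_OPTS and handled in set_option as a no-op selecting the default, would avoid the breakage. The Usage text should then list `--dh2066` as deprecated rather than dropping it.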
@@ -1162,9 +1162,9 @@ static void set_option(int c, char *value) if(get_bool_value(value)) turn_params.dh_key_size = DH_566; break; - case DH2066_OPT: + case DH1066_OPT: if(get_bool_value(value)) - turn_params.dh_key_size = DH_2066; + turn_params.dh_key_size = DH_1066; break; case EC_CURVE_NAME_OPT: STRCPY(turn_params.ec_curve_name,value); @@ -2899,10 +2899,10 @@ static void set_ctx(SSL_CTX** out, const char *protocol, const SSL_METHOD* metho if(!dh) { if(turn_params.dh_key_size == DH_566) dh = get_dh566(); - else if(turn_params.dh_key_size == DH_2066) - dh = get_dh2066(); - else + else if(turn_params.dh_key_size == DH_1066) dh = get_dh1066(); + else + dh = get_dh2066(); } /* From 86dcad0e0fec7a97a6dd1045a85deb7b0774f6f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Wed, 15 Apr 2020 22:15:48 +0200 Subject: [PATCH 28/32] Update --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index a5a43eb..e3aba5b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -51,6 +51,7 @@ Version 4.5.1.2 'dan Eider': - merge PR #488 Fix typos about INSTALL filenames (by raccoonback) - fix compiler warning comparison between signed and unsigned integer expressions - fix compiler warning string truncation + - change Diffie Hellman default key length from 1066 to 2066 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider': From b8bf7c7c2ee08e3110cba4905996462624b97e62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Tue, 28 Apr 2020 09:09:02 +0200 Subject: [PATCH 29/32] Update Changelog --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index e3aba5b..33120a8 100644 --- a/ChangeLog +++ b/ChangeLog 
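Review bot: In set_ctx (`@@ -2899`) the 566-bit group selected by the `turn_params.dh_key_size == DH_566` branch remains available with no diagnostic, even though this commit moves the default to 2066 bits precisely because the smaller predefined groups are considered too weak; an operator who still has `--dh566` in a config file gets the downgrade silently. A one-line warning log in that branch, and ideally in the `DH_1066` branch too, when a predefined group smaller than the default is chosen would make the choice visible in the server log without changing behaviour. The fallback `else dh = get_dh2066();` also now covers any unexpected dh_key_size value, which is worth a short comment such as `/* default, and any unrecognised size, uses the 2066-bit group */`. The enclosing set_ctx function starts and ends outside the hunk.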
@@ -52,6 +52,7 @@ Version 4.5.1.2 'dan Eider': - fix compiler warning comparison between signed and unsigned integer expressions - fix compiler warning string truncation - change Diffie Hellman default key length from 1066 to 2066 + - merge PR #522 Drop of supplementary group IDs (by weberhofer) 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider': From a0de5483577d6795065224b155829d021af889a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Tue, 28 Apr 2020 09:16:30 +0200 Subject: [PATCH 30/32] Update man and Changelog --- ChangeLog | 3 ++- man/man1/turnadmin.1 | 2 +- man/man1/turnserver.1 | 2 +- man/man1/turnutils.1 | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 33120a8..bc8fd7f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -52,7 +52,8 @@ Version 4.5.1.2 'dan Eider': - fix compiler warning comparison between signed and unsigned integer expressions - fix compiler warning string truncation - change Diffie Hellman default key length from 1066 to 2066 - - merge PR #522 Drop of supplementary group IDs (by weberhofer) + - merge PR #522 drop of supplementary group IDs (by weberhofer) + - merge PR #514 Unify spelling of Coturn (by paulmenzel) 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider': diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1 index 328b53c..6373ea0 100644 --- a/man/man1/turnadmin.1 +++ b/man/man1/turnadmin.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "15 April 2020" "" "" +.TH TURN 1 "28 April 2020" "" "" .SH GENERAL INFORMATION \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index 24f45b9..184e4ff 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 
@@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "15 April 2020" "" "" +.TH TURN 1 "28 April 2020" "" "" .SH GENERAL INFORMATION The \fBTURN Server\fP project contains the source code of a TURN server and TURN client diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1 index 9a0778c..fbe7cff 100644 --- a/man/man1/turnutils.1 +++ b/man/man1/turnutils.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "15 April 2020" "" "" +.TH TURN 1 "28 April 2020" "" "" .SH GENERAL INFORMATION A set of turnutils_* programs provides some utility functionality to be used From 70a93345e4a27edb8d388bb49ae91f692d580be2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Tue, 28 Apr 2020 09:21:33 +0200 Subject: [PATCH 31/32] Update changelog, update man --- ChangeLog | 1 + man/man1/turnserver.1 | 6 ++---- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index bc8fd7f..4fac0b4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -54,6 +54,7 @@ Version 4.5.1.2 'dan Eider': - change Diffie Hellman default key length from 1066 to 2066 - merge PR #522 drop of supplementary group IDs (by weberhofer) - merge PR #514 Unify spelling of Coturn (by paulmenzel) + - merge PR#506 Rename "prod" config option to "no-software-attribute" 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider': diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index a10562e..edbbcbd 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -234,10 +234,8 @@ Extra verbose mode, very annoying and not recommended. .B \fB\-o\fP, \fB\-\-daemon\fP Run server as daemon. -.TP -.B -\fB\-\-no-software-attribute\fP -Do not send the software version. Should be used in production. +.PP +\fB\-\-no\-software\-attribute\fP Production mode: hide the software version. .TP .B \fB\-f\fP, \fB\-\-fingerprint\fP From 656d38d04a9f219a688fde26694d0c5c644d70c0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Tue, 28 Apr 2020 09:41:26 +0200 Subject: [PATCH 32/32] Update changelog --- ChangeLog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 4fac0b4..906827e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -54,7 +54,8 @@ Version 4.5.1.2 'dan Eider': - change Diffie Hellman default key length from 1066 to 2066 - merge PR #522 drop of supplementary group IDs (by weberhofer) - merge PR #514 Unify spelling of Coturn (by paulmenzel) - - merge PR#506 Rename "prod" config option to "no-software-attribute" + - merge PR#506 Rename "prod" config option to "no-software-attribute" (by dbrgn) + - merge PR #519 fix config extension in README.docker (by ooookai) 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider':