Split out work on libtelnet from #855
Required to update libtelnet to introduce compatibility with Windows
This change contains vanilla code of
[libtelnet](https://github.com/seanmiddleditch/libtelnet) v0.23 (latest
tag)
Test Plan:
- run turnserver locally, set cli password, connect to the turnserver
cli interface
- run a few commands - get output
This code is in as back as git can see. Removed for now as it has no use
at all.
Also reduces traffic to redis (though will not reduce any load on redis)
Refs #150
Using clang-tidy to detect unused header files
Inspired by #855
Test Plan:
- Rebuild all on mac, review no warnings/errors
- Pass builds/docker build - review for no issues
Similar to #989, use a single SSL context for all versions of DTLS
protocol
- Add support for modern API (protocol version independent APIs)
- Add DTLS test to the CI test
- Removing calls to `SSL_CTX_set_read_ahead` in DTLS context (does
nothing as DTLS is datagram protocol - we always get the whole datagram
so this call has no impact)
Fixes#924
Hello, and thank you for this great project!
When sending a mobility refresh request, the server is responding with
an invalid stun packet. Specifically, only the last 24 bytes generated
for message integrity are sent.
Request:
Response:
This appears to be caused by the buffer length not being updated when
`STUN_ATTRIBUTE_SOFTWARE` is added to the response, as it's being
assigned to a `len` variable scoped to that conditional.
As a result, the next call to `stun_get_command_message_len_str` when
handling message integrity returns `-1` and resizes the buffer, etc.
Passing in the original `len` to `stun_attr_add_str` for attribute
software fixes the issue, but apologies if this is not the right way to
fix this!
STRCPY macro makes pointer comparison which creates a warning
In those places, replace the macro with `strncpy` with careful review of
destination buffer size
With this change I do not get compiler warnings at all
Install dependencies and build with prometheus support during CI builds
Ubuntu 16.04 has issues supporting `MHD_USE_EPOLL_INTERNAL_THREAD` so
disabling it (using SELECT)
Should not impact anything as the only reason we use Ubuntu 16.04 is to
validate build against openssl-1.0.2
Fixes #998
openssl allows multiple TLS version support through a single SSL_CTX
object.
This PR replaces 4 per-version SSL_CTX objects with a single object
(DTLS is not yet changed).
SSL context initialization code for openssl with modern API (>=1.1.0)
uses `TLS_server_method` and `SSL_CTX_set_min_proto_version` instead of
enabling specific TLS version. Byproduct of this is TLSv1_3 support when
used with openssl-1.1.1 and above
TLS 1.2 and TLS 1.3 cannot be disabled (as before)
Test plan:
- run_tests.sh script now runs turnserver with SSL certificate (which
enables TLS support)
- run_tests.sh now has one more basic test that uses TLS protocol
Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
Before:
```
./bin/turnserver --prometheus -m 32
...
Socket descriptor larger than FD_SETSIZE: 2660 > 1024
0: : ERROR: Could not start Prometheus collector!
```
After:
```
./bin/turnserver --prometheus -m 32
...
0: : Prometheus collector started successfully.
```
Also added `MHD_USE_ERROR_LOG` so the actual problems during startup of
promhttp are printed. Without it the `Socket descriptor larger than
FD_SETSIZE: 2660 > 1024` error was not visible and finding the cause of
the startup problems of promhttp was not obvious at first.
Replace all instances of `bzero` with memset by find-replace-edit.
This is straightforward replacement which is suboptimal in a few cases
(for example we could use calloc instead of malloc+memset(0))
Inspired by #855
There are too many defines that are, eventually, used in one place so
just inlining.
Current code generates following warning:
```
warning: macro expansion producing 'defined' has undefined behavior [-Wexpansion-to-defined]
```
With the fix there is no warning
Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
openssl-3.0 deprecated some APIs and introduced new APIs instead:
`SSL_get_peer_certificate ` -> `SSL_get1_peer_certificate `
`FIPS_mode()`->`EVP_default_properties_is_fips_enabled()`
`EVP_MD_CTX_set_flags()`->`EVP_default_properties_enable_fips()`
specifically for enabling FIPS mode
This change should workaround that by ifdef-ing old/new versions of
openssl and APIs - so pre-3.0 use existing APIs (so not change there)
and >=3.0 will use new APIs (whether it actually works or not is still
TBD as this is just a first step in openssl-3.0 support)
Should fix#886
Test Plan:
Run CI build that supports ubuntu-20.04 (openssl-1.1.1) and ubuntu-22.04
(openssl-3.0.2)
Both builds pass
None of them have FIPS support (which for 1.1.x stays the same as
before)
Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
- Preserve file timestamps when using `install`
- Use permissions `0644` rather than default `0755` for installing man
pages
The alternative calls of `cp` are using `cp -p` as well (if `install` is
unavailable).
`SSL_OP_NO_RENEGOTIATION` is only supported in openssl-1.1.0 and above
Older versions have `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS `
Fixes#977 and #952
Test:
Build in a docker container running running openssl-1.0.2g (ubuntu
16.04) successfully (without the fix getting the same errors)
- omit publishing and releasing Docker images in forks
- verify Git tag to match Makefile before releasing
- auto-cancel concurrent CI pipelines for the same Git ref
`vsnprintf` will stop at the max buffer size as provided in its 2nd
argument
But the return value is `The number of characters that would have been
written if n had been sufficiently large` meaning it can be larger than
actual buffer size
`fwrite` will actually use the larger, incorrect number and dump
unrelated memory to log (and crash with high confidence)
Test:
- Query admin interface with super long path (>16KB) - crash
- With the fix - no crash with the same input, log line cut off
Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
Writing outside of a buffer can only happen if incoming HTTP request is longer than UDP_STUN_BUFFER_SIZE (16KB).
This change validates that the request is no longer than the buffer size and drops it if it is the case
Fixes#342
Test plan:
- Run in debugger and send a 16KB request using curl - response returns, logs correct
- Send 16KB + 1b request - warning logged and request dropped
Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
When using `turnutils_uclient` with `-S` flag (TLS or DTLS) it is not required to load certificates. Only load certificates when corresponding flags are provided
Fixes#376 which prevented using `turnutils_uclient` for testing TLS/DTLS connections
Test plan:
- Run local turnserver with certificates `./bin/turnserver --cert ./bin/public.pem --pkey ./bin/private.key --use-auth-secret --static-auth-secret=secret --realm=north.gov --allow-loopback-peers --no-cli --verbose`
- Run fixed uclient without TLS/DTLS`./bin/turnutils_uclient -e 127.0.0.1 -X -g -u user -W secret 127.0.0.1` and get success result (just to make sure non-secure still works)
- Run fixed uclient with TLS `./bin/turnutils_uclient -e 127.0.0.1 -X -g -u user -W secret -t -S 127.0.0.1` and get success result
- Run fixed uclient with DTLS `./bin/turnutils_uclient -e 127.0.0.1 -X -g -u user -W secret -S 127.0.0.1` and get success result
- Run unpatched uclient with TLS `./bin/turnutils_uclient -e 127.0.0.1 -X -g -u user -W secret -t -S 127.0.0.1` - error about missing certificate files
Co-authored-by: Pavel Punsky <pavel.punsky@epicgames.com>
Actually, as below, before fixing, the sessions_map may be larger and
larger when register_callback_on_ioa_socket inside
open_client_connection_session retrun -1. The reason is that, if
register_callback_on_ioa_socket return -1, no read/write/ event will be
registered and no timeout event will be registered, in this case, the
session will never be deleted from sessions_map.
After fixing, when register_callback_on_ioa_socket fail,it doesn't
return immediately, instead, we still register
client_to_be_allocated_timeout_handler in the next step of
open_client_connection_session. In this case, the unuseful session will
be deleted and freed after timeout.
@eakraly @ggarber
Add GitHub action that builds and runs tests using openssl-3.0 (default
version in ubuntu 22.04)
It is expected to fail until openssl-3.0 compatibility is introduced
(#955)
A change in cmake action is to make sure we actually run ubuntu:20.04
(which uses openssl-1.1.1). Otherwise, GH will change the version of
ubuntu-latest at some point and it might not be very visible
Unfortunately, PR #789 breaks the possibility to compile coturn in Oracle Solaris 11.4 (SRU 48). It is caused by the fact that LOG_FTP is not defined in Oracle Solaris' "/usr/include/sys/syslog.h".
They define the following syslog facility codes:
```
#define LOG_KERN (0<<3) /* kernel messages */
#define LOG_USER (1<<3) /* random user-level messages */
#define LOG_MAIL (2<<3) /* mail system */
#define LOG_DAEMON (3<<3) /* system daemons */
#define LOG_AUTH (4<<3) /* security/authorization messages */
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
#define LOG_LPR (6<<3) /* line printer subsystem */
#define LOG_NEWS (7<<3) /* netnews subsystem */
#define LOG_UUCP (8<<3) /* uucp subsystem */
#define LOG_AUTHPRIV (10<<3) /* sensitive/private security/auth messages */
#define LOG_AUDIT (13<<3) /* audit subsystem */
#define LOG_CRON (15<<3) /* cron/at subsystem */
/* other codes through 15 reserved for system use */
#define LOG_LOCAL0 (16<<3) /* reserved for local use */
#define LOG_LOCAL1 (17<<3) /* reserved for local use */
#define LOG_LOCAL2 (18<<3) /* reserved for local use */
#define LOG_LOCAL3 (19<<3) /* reserved for local use */
#define LOG_LOCAL4 (20<<3) /* reserved for local use */
#define LOG_LOCAL5 (21<<3) /* reserved for local use */
#define LOG_LOCAL6 (22<<3) /* reserved for local use */
#define LOG_LOCAL7 (23<<3) /* reserved for local use */
```
So omitting LOG_FTP should fix this for Solaris. As I really doubt that it is needed, I hereby submit a PR which omits LOG_FTP for all operating systems. Other Solaris derivatives (OpenIndiana Hipster, OmniOS) don't seem to be affected, I've checked and found that in their recent versions, LOG_FTP is defined. FreeBSD does also define LOG_FTP.
systemd is not available on macOS - should be disabled in CMake
Test plan:
- Run cmake in a clean folder
- Run make
- Observe that compilation error about missing include `<systemd/sd-daemon.h>` is gone
macOS does not have `pthread_barrier_*` so need to define `TURN_NO_THREAD_BARRIERS` as a workaround
Fixes#946
Tests plan:
- run cmake to generate make files
- run make to build turnserver
- run `examples/run_tests.sh` and pass successfully
