This pull request is a split of PR #1061
As @KangLin pointed out in the original PR those sockets should ideally
be permanently non-blocking for performance reasons, but they are NOT at
the moment.
Someone with more knowledge about the code in dtls_listener.c should
probably have a look if it would be feasible to change the sockets to
non-blocking already at creation, similar to what is done in
udpserver.c...
There are two different API's in OpenSSL for configuring TLS ciphers,
one for TLS 1.2 and below, and another for TLS 1.3. coturn only calls
the TLS 1.2 API when handling the `--cipher-list` configuration option,
which means that it's not possible to use non-default ciphersuites with
TLS 1.3 connections.
This PR calls appropriate OpenSSL API to allow TLS 1.3 ciphersuites to be configured.
coturn running inside a docker container runs as PID 1, however PID 1
has special signal handling semantics (see the note at the bottom of the
section
[here](https://docs.docker.com/engine/reference/run/#foreground)).
coturn relies on the default behaviour of SIGTERM to terminate the
process, however as no signal handler is explicitly installed, it
doesn't respond to SIGTERM when running inside a container. This PR
fixes this problem by installing explicit signal handlers for SIGINT and
SIGTERM, which trigger the same termination mechanism as the admin
interface "halt" command.
This is a port of wireapp#6 for upstream.
This PR fixes some errata from #996 and #989:
- Some DTLS code was left over in the common path for allocating and
initialising `SSL_CTX`'s, and the DTLS-specific configuration code was
erroneously operating on the TLS context instead of the DTLS context.
- In both the TLS and DTLS codepaths, the previous refactoring inverted
the logic for the `--no-tlsv1`/`--no-tlsv1_1`/etc command line options,
so that these options would instead *enable* the respective (D)TLS
versions, instead of disabling this. This would mean that by default
coturn would only support TLS 1.3 and DTLS 1.2, and no earlier versions.
I've also regenerated the manual pages (with the `make-man.sh` script)
to match the documentation in the README files.
TURN_USERDB_TYPE enum does not need to be "dynamic" based on what
libraries actually available during the build - all potentially
supported DB options are now enumerated.
Printing (to log or http) the DB type name is done with much less code
(using a helper function `userdb_type_to_string`)
Fix memory corruption introduced by commit
c8663f4a91
If there was an unsuccessful session registration in
open_client_connection_session, it adds a timer (before it didn't).
Later during runtime, at session destruction, it removes the
client_socket in close_ioa_socket. Then the timer gets triggered and
runs the cleanup method client_to_be_allocated_timeout_handler and tries
to access the stored client_socket. This then fails as it already was
freed.
The fix just sets the client_socket pointer to null and then the timer
should detect this and not access already freed memory.
The issue affects version 4.6.0, 4.6.0-r0 and 4.6.0-r1.
Co-authored-by: Paul Kramer <paul.kramer@logmein.com>
Fix memory corruption introduced by commit
c8663f4a91
If there was an unsuccessful session registration in
open_client_connection_session, it adds a timer (before it didn't).
Later during runtime, at session destruction, it removes the
client_socket in close_ioa_socket. Then the timer gets triggered and
runs the cleanup method client_to_be_allocated_timeout_handler and tries
to access the stored client_socket. This then fails as it already was
freed.
The fix just sets the client_socket pointer to null and then the timer
should detect this and not access already freed memory.
The issue affects version 4.6.0, 4.6.0-r0 and 4.6.0-r1.
Co-authored-by: Paul Kramer <paul.kramer@logmein.com>
Reformatting and removing some duplications:
- Some lines have WARNING WARNING: cleaned up.
- Lines printed using perror: only LOG_ mechanism should be used.
- Printing IO mechanism (epoll for example) for each thread: selected
mechanism logged once
- Duplicate lines (perror and also LOG): duplication removed
- Duplicates: clean up (because calling function multiple times -
configuration load)
Example usage with make:
make CPPFLAGS="-DTURN_SERVER_BUILD_INFO=\"\\\" git: $(git rev-parse
HEAD) build: 123\\\"\""
Example usage with cmake:
cmake .. -DTURN_SERVER_BUILD_INFO="\" git: $(git rev-parse HEAD) build:
123\""
I would like to get feedback on this and see if people is confortable
with these clang rules.
Right now is using the "llvm" style increasing the line length from 80
to 120 given that coturn is using long lines often.
Co-authored-by: Pavel Punsky <eakraly@users.noreply.github.com>
Prometheus would aggregate across all labels (when not specifying)
In this scenario `turn_total_allocations` does not need separate label
"type=all" as such in this case the result would be double the actual
amount
The `sm_allocated` field is an array of `size_t` values. Therefore its
size must be calculated as `n * sizeof(size_t)`.
Our static code analysis tool complained:
```
Sizeof not portable (SIZEOF_MISMATCH)
suspicious_sizeof: Passing argument r->sm_allocated of type size_t * and argument (r->sm_chunk + 1) * 8UL /* sizeof (size_t *) */ to function realloc is suspicious. In this case, sizeof (size_t *) is equal to sizeof (size_t), but this is not a portable assumption.
```
Fix: #1045
`TURN_NO_HIREDIS` is defined when hiredis library is not present and any
redis functionality must be disabled
While all above is correct, it does not require ifdef-ing out all
related code.
For example, redis related fields in `turn_params` do not need to be
compiled out. Same for certain function parameters.
This PR reduces amount of places in code where `TURN_NO_HIREDIS` is used
to make code simpler by moving as much usage of this define into
dbd_redis.h/c files and compiling them unconditionally.
- Always compile/link `dbd_redis.c`
- Move many `TURN_NO_HIREDIS` decisions into `dbd_redis.c`
- Delete empty function redis_async_init
Disables default log output to stdout if stdout is set as logfile.
When execute `turnutils_stunclient` , the output will be duplicated as
in the following example.
```
$ ./turnutils_stunclient stun.example.com
0: : IPv4. UDP reflexive addr: 203.0.113.1:10000
0: : IPv4. UDP reflexive addr: 203.0.113.1:10000
```
This is because stdout is set in `set_logfile` and furthermore log
output to stdout is done by default.
In this change, call `set_no_stdout_log` to disable default log output
to stdout when stdout is set as logfile.
This solves the problem of duplicate output to stdout of the same log.
`TURN_NO_PROMETHEUS` is defined when prometheus libraries are not
present and any prometheus functionality must be disabled
While all above is correct, it does not require ifdef-ing out all
related code.
For example, prometheus related fields in turn_params do not need to be
compiled out. Same for certain function parameters.
This PR reduces amount of places in code where `TURN_NO_PROMETHEUS` is
used to make code simpler by moving as much usage of this define into
prom_server.h/c files and compiling them unconditionally.
- Always compile/link prom_server.c
- Move many TURN_NO_PROMETHEUS decisions into prom_server.c
The following changes have been made:
1. Replace deprecated functions with new standard functions
2. Add corresponding MSVC functions for non-standard functions
3. Remove warnings about unsafe functions
4. CMAKE: modify find pack Libevent and openssl
5. Modify include files
6. Use pthread4W
7. Modify socket in windows
8. Add CI - github action
8.1. msvc
8.2. mingw
10. The database:
9.1. sqlite, pgsql, hiredis, mongo is test compiled.
9.2. mysql, isnot test compiled.
11. The applications、server can be compiled and run successfully!
12. Add vcpkg manifest mode in cmake.
Modify SSL backlog buffer from LIFO to queue/FIFO
If data ends up in the ssl_backlog_buffer because we are waiting for a
handshake to finish, then this change ensures that the data is sent out
in the proper order once the handshake completes. Previous code was
sending in LIFO order.
Rewriting openssl initialization code (threading support to make it
cleaner
- Regroup functions so that there is one ifdef (for old code and new
code)
- Modern openssl (>1.0.2) does not need any synchornization routines so
they are empty
- Old openssl (<=1.0.2) now require `OPENSSL_THREADS` which allows
running multiple threads in turnserver. Not having turnserver
multi-threaded is a huge waste. `OPENSSL_THREADS` is now a requirement.
Test Plan:
- CI builds pass for openssl versions 1.0.2, 1.1.1, 3.0, including tests
Essentially, for a DTLS client (that we haven't heard from before), the code in handle_udp_packet will have created the chs/ioa_socket in the block just above my change (see dtls_server_input_handler's call to dtls_accept_client_connection that calls create_ioa_socket_from_ssl). This only happens if the first message received from a client is a DTLS handshake. Otherwise, we have received UDP data from a new endpoint that is not a DTLS handshake, so it is raw UDP and the code just below my if statement will have created a UDP_SOCKET in the create_ioa_socket_from_fd call, allowing further processing of the RAW UDP.
This was tested by trying to perform a TURN allocation via UDP (not DTLS) when no-udp setting was enabled.
Store sanitized version of DB connection string with password masked
(replace all chars with * which exposes its length)
Use sanitized version when logging connection string
Fixes#1017 and #272
turnserver includes support for SCTP and tries to initialize listener
sockets with SCTP protocol. On machines where SCTP definitions exist but
the protocol is not provided - socket() returns error which shows up as
`socket: protocol not supported`
This change improves a few related pieces of code:
- Log error instead of perror
- config script detect sctp.h and if not present - defines TURN_NO_SCTP
- CMake fully disables SCTP (for now - requires custom module to detect
SCTP presence)
Fixes#492
Hello,
while using the `redis-statsdb` option, I found that coturn is leaking
sockets (and memory) in case of redis reconnection.
This occurs a lot to me, because in my setup I have a `coturn -> haproxy
-> redis` and if all my redis servers are down, HaProxy abruptly close
the connection to coturn and coturn reconnects periodically. After some
time I can see thousands of pending sockets (`CLOSE_WAIT`) :
```
user@server[11:32:48 UTC]:~$ sudo lsof -i | grep turn
turnserve 461797 root 15u IPv4 12856075 0t0 TCP server:3478 (LISTEN)
turnserve 461797 root 22u IPv4 12856081 0t0 TCP server:3478 (LISTEN)
turnserve 461797 root 23u IPv4 12857384 0t0 UDP server:3478
turnserve 461797 root 24u IPv4 12857385 0t0 UDP server:3478
turnserve 461797 root 36u IPv4 12857390 0t0 TCP server:5766 (LISTEN)
turnserve 461797 root 43u IPv4 12856096 0t0 TCP server:10059->haproxy-server:redis (CLOSE_WAIT)
turnserve 461797 root 46u IPv4 12857403 0t0 TCP server:10087->haproxy-server:redis (CLOSE_WAIT)
turnserve 461797 root 48u IPv4 12856124 0t0 TCP server:53867->haproxy-server:redis (CLOSE_WAIT)
turnserve 461797 root 50u IPv4 12857633 0t0 TCP server:53875->haproxy-server:redis (CLOSE_WAIT)
turnserve 461797 root 51u IPv4 12856138 0t0 TCP server:53877->haproxy-server:redis (CLOSE_WAIT)
turnserve 461797 root 54u IPv4 12857738 0t0 TCP server:10001->haproxy-server:redis (CLOSE_WAIT)
turnserve 461797 root 55u IPv4 12856152 0t0 TCP server:10003->haproxy-server:redis (CLOSE_WAIT)
.... (many many lines)
```
After searching and using valgrind I found 2 interesting leaks:
```
...
==460721== 32 bytes in 1 blocks are definitely lost in loss record 586 of 1,053
==460721== at 0x483877F: malloc (vg_replace_malloc.c:307)
==460721== by 0x1414FF: RyconninfoParse (dbd_redis.c:69)
==460721== by 0x141B04: get_redis_async_connection (dbd_redis.c:169)
==460721== by 0x110D7B: create_ioa_engine (ns_ioalib_engine_impl.c:407)
==460721== by 0x12ECB0: setup_admin_thread (turn_admin_server.c:1309)
==460721== by 0x127724: run_admin_server_thread (netengine.c:1815)
==460721== by 0x4DA9EA6: start_thread (pthread_create.c:477)
==460721== by 0x4EC0AEE: clone (clone.S:95)
...
==460979== 2,170 (688 direct, 1,482 indirect) bytes in 2 blocks are definitely lost in loss record 1,029 of 1,049
==460979== at 0x483AD7B: realloc (vg_replace_malloc.c:834)
==460979== by 0x49A1BD0: ??? (in /usr/lib/x86_64-linux-gnu/libhiredis.so.0.14)
==460979== by 0x49A2829: redisAsyncConnect (in /usr/lib/x86_64-linux-gnu/libhiredis.so.0.14)
==460979== by 0x13DB37: redis_reconnect (hiredis_libevent2.c:331)
==460979== by 0x13D1A7: redisLibeventReadEvent (hiredis_libevent2.c:101)
==460979== by 0x4D5135E: ??? (in /usr/lib/x86_64-linux-gnu/libevent_core-2.1.so.7.0.1)
==460979== by 0x4D51A9E: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent_core-2.1.so.7.0.1)
==460979== by 0x126D5A: run_events (netengine.c:1579)
==460979== by 0x127272: run_general_relay_thread (netengine.c:1707)
==460979== by 0x4DA9EA6: start_thread (pthread_create.c:477)
==460979== by 0x4EC0AEE: clone (clone.S:95)
==460979==
...
```
I made 1 commit for each fix.
Obviously with these fixes, I don't have anymore the leaks of thousands
of sockets (even after some time)
Thanks & hope it helps.
Thibaut
