check-origin-consistency

11 years ago · 851409a197
parent 863de36bb4
commit 851409a197
11 changed files with 57 additions and 20 deletions
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 08/14/2014 Oleg Moskalenko <mom040267@gmail.com>
 Version 4.1.2.1 'Vitari':
 	- The origin attribute is verified in the subsequent 
-	session messages.
+	session messages (server flag --check-origin-consistency).
 	- MySQL SSL connection support.
 	- Crash fixed when the DB connection string is incorrect.
 	- Minor docs fixes.
--- a/README.turnserver
+++ b/README.turnserver
@ -270,6 +270,11 @@ Flags:
 			ALTERNATE-SERVER mechanism. The TURN client must support 
 			300 ALTERNATE-SERVER response for this functionality.
 			
+--check-origin-consistency		The flag that sets the origin consistency 
+			check: across the session, all requests must have the same
+			main ORIGIN attribute value (if the ORIGIN was
+			initially used by the session).
+
 -h			Help.
    
 Options with required values:  
@ -388,8 +393,8 @@ Options with required values:
 			and the userdb file). Must be used with long-term credentials 
 			mechanism or with TURN REST API.

-C, --rest-api-separator	This is the timestamp/username separator symbol (character) in TURN REST API.
-				The default value is :.
+-C, --rest-api-separator	This is the timestamp/username separator symbol 
+			(character) in TURN REST API. The default value is :.

 -q, --user-quota	Per-user allocations quota: how many concurrent 
 			allocations a user can create. This option can also be set 
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@ -306,6 +306,13 @@
 #
 #realm=mycompany.org

+# The flag that sets the origin consistency 
+# check: across the session, all requests must have the same
+# main ORIGIN attribute value (if the ORIGIN was
+# initially used by the session).
+#
+#check-origin-consistency
+
 # Per-user allocation quota.
 # default value is 0 (no quota, unlimited number of sessions per user).
 # This option can also be set through the database, for a particular realm.
--- a/man/man1/turnadmin.1
+++ b/man/man1/turnadmin.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "17 August 2014" "" ""
+.TH TURN 1 "18 August 2014" "" ""
 .SH GENERAL INFORMATION

 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage 
--- a/man/man1/turnserver.1
+++ b/man/man1/turnserver.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "17 August 2014" "" ""
+.TH TURN 1 "18 August 2014" "" ""
 .SH GENERAL INFORMATION

 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client 
@ -410,6 +410,13 @@ ALTERNATE\-SERVER mechanism. The TURN client must support
 300 ALTERNATE\-SERVER response for this functionality.
 .TP
 .B
+\fB\-\-check\-origin\-consistency\fP
+The flag that sets the origin consistency 
+check: across the session, all requests must have the same
+main ORIGIN attribute value (if the ORIGIN was
+initially used by the session).
+.TP
+.B
 \fB\-h\fP
 Help.
 .TP
@ -566,8 +573,8 @@ mechanism or with TURN REST API.
 .TP
 .B
 \fB\-C\fP, \fB\-\-rest\-api\-separator\fP
-This is the timestamp/username separator symbol (character) in TURN REST API.
-The default value is :.
+This is the timestamp/username separator symbol 
+(character) in TURN REST API. The default value is :.
 .TP
 .B
 \fB\-q\fP, \fB\-\-user\-quota\fP
--- a/man/man1/turnutils.1
+++ b/man/man1/turnutils.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "17 August 2014" "" ""
+.TH TURN 1 "18 August 2014" "" ""
 .SH GENERAL INFORMATION

 A set of turnutils_* programs provides some utility functionality to be used
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@ -81,7 +81,7 @@ DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,1,
 NEV_UNKNOWN, 
 { "Unknown", "UDP listening socket per session", "UDP thread per network endpoint", "UDP thread per CPU core" },
 //////////////// Relay servers //////////////////////////////////
-LOW_DEFAULT_PORTS_BOUNDARY,HIGH_DEFAULT_PORTS_BOUNDARY,0,0,"",
+LOW_DEFAULT_PORTS_BOUNDARY,HIGH_DEFAULT_PORTS_BOUNDARY,0,0,0,"",
 0,NULL,0,NULL,DEFAULT_GENERAL_RELAY_SERVERS_NUMBER,0,
 ////////////// Auth server /////////////////////////////////////
 {NULL,NULL,NULL,0,NULL},
@ -397,6 +397,10 @@ static char Usage[] = "Usage: turnserver [options]\n"
 "						server is not using any database (just the commands-line settings\n"
 "						and the userdb file). Must be used with long-term credentials \n"
 "						mechanism or with TURN REST API.\n"
+" --check-origin-consistency			The flag that sets the origin consistency check:\n"
+"						across the session, all requests must have the same\n"
+"						main ORIGIN attribute value (if the ORIGIN was\n"
+"						initially used by the session).\n"
 " -q, --user-quota		<number>	Per-user allocation quota: how many concurrent allocations a user can create.\n"
 "						This option can also be set through the database, for a particular realm.\n"
 " -Q, --total-quota		<number>	Total allocations quota: global limit on concurrent allocations.\n"
@ -670,6 +674,7 @@ enum EXTRA_OPTS {
 	NO_TLSV1_OPT,
 	NO_TLSV1_1_OPT,
 	NO_TLSV1_2_OPT,
+	CHECK_ORIGIN_CONSISTENCY_OPT,
 	ADMIN_MAX_BPS_OPT,
 	ADMIN_TOTAL_QUOTA_OPT,
 	ADMIN_USER_QUOTA_OPT
@ -734,6 +739,7 @@ static const struct myoption long_options[] = {
 				{ "Verbose", optional_argument, NULL, 'V' },
 				{ "daemon", optional_argument, NULL, 'o' },
 				{ "fingerprint", optional_argument, NULL, 'f' },
+				{ "check-origin-consistency", optional_argument, NULL, CHECK_ORIGIN_CONSISTENCY_OPT },
 				{ "no-udp", optional_argument, NULL, NO_UDP_OPT },
 				{ "no-tcp", optional_argument, NULL, NO_TCP_OPT },
 				{ "no-tls", optional_argument, NULL, NO_TLS_OPT },
@ -1152,6 +1158,9 @@ static void set_option(int c, char *value)
 		turn_params.bps_capacity = (band_limit_t)atoi(value);
 		TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%lu bytes per second allowed, combined server capacity\n",(unsigned long)turn_params.bps_capacity);
 		break;
+	case CHECK_ORIGIN_CONSISTENCY_OPT:
+		turn_params.check_origin = get_bool_value(value);
+		break;
 	case NO_UDP_OPT:
 		turn_params.no_udp = get_bool_value(value);
 		break;
--- a/src/apps/relay/mainrelay.h
+++ b/src/apps/relay/mainrelay.h
@ -250,6 +250,8 @@ typedef struct _turn_params_ {
  u16bits min_port;
  u16bits max_port;

+  vint check_origin;
+
  vint no_multicast_peers;
  vint no_loopback_peers;

--- a/src/apps/relay/netengine.c
+++ b/src/apps/relay/netengine.c
@ -1574,6 +1574,7 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
 			 check_new_allocation_quota,
 			 release_allocation_quota,
 			 turn_params.external_ip,
+			 &turn_params.check_origin,
 			 &turn_params.no_tcp_relay,
 			 &turn_params.no_udp_relay,
 			 &turn_params.stale_nonce,
--- a/src/server/ns_turn_server.c
+++ b/src/server/ns_turn_server.c
@ -3506,24 +3506,26 @@ static int handle_turn_command(turn_turnserver *server, ts_ur_super_session *ss,
 							ioa_network_buffer_get_size(in_buffer->nbh), sar);
 				}

-				if(ss->origin[0]) {
-					if(!origin_found) {
+				if(server->check_origin && *(server->check_origin)) {
+					if(ss->origin[0]) {
+						if(!origin_found) {
+							err_code = 441;
+							reason = (const u08bits *)"The origin attribute does not match the initial session origin value";
+							if(server->verbose) {
+								char smethod[129];
+								stun_method_str(method,smethod);
+								log_method(ss, smethod, err_code, reason);
+							}
+						}
+					} else if(norigins > 0){
 						err_code = 441;
-						reason = (const u08bits *)"The origin attribute does not match the initial session origin value";
+						reason = (const u08bits *)"The origin attribute is empty, does not match the initial session origin value";
 						if(server->verbose) {
 							char smethod[129];
 							stun_method_str(method,smethod);
 							log_method(ss, smethod, err_code, reason);
 						}
 					}
-				} else if(norigins > 0){
-					err_code = 441;
-					reason = (const u08bits *)"The origin attribute is empty, does not match the initial session origin value";
-					if(server->verbose) {
-						char smethod[129];
-						stun_method_str(method,smethod);
-						log_method(ss, smethod, err_code, reason);
-					}
 				}
 			}

@ -4675,6 +4677,7 @@ void init_turn_server(turn_turnserver* server,
 		check_new_allocation_quota_cb chquotacb,
 		release_allocation_quota_cb raqcb,
 		ioa_addr *external_ip,
+		vintp check_origin,
 		vintp no_tcp_relay,
 		vintp no_udp_relay,
 		vintp stale_nonce,
@ -4718,6 +4721,7 @@ void init_turn_server(turn_turnserver* server,

 	TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"turn server id=%d created\n",(int)id);

+	server->check_origin = check_origin;
 	server->no_tcp_relay = no_tcp_relay;
 	server->no_udp_relay = no_udp_relay;

--- a/src/server/ns_turn_server.h
+++ b/src/server/ns_turn_server.h
@ -112,6 +112,7 @@ struct _turn_turnserver {
 	int verbose;
 	int fingerprint;
 	int rfc5780;
+	vintp check_origin;
 	vintp stale_nonce;
 	vintp stun_only;
 	vintp no_stun;
@ -174,6 +175,7 @@ void init_turn_server(turn_turnserver* server,
 				    check_new_allocation_quota_cb chquotacb,
 				    release_allocation_quota_cb raqcb,
 				    ioa_addr *external_addr,
+				    vintp check_origin,
 				    vintp no_tcp_relay,
 				    vintp no_udp_relay,
 				    vintp stale_nonce,