static void msg_recv(struct nat_hairpinning *nh, int proto, void *sock,
const struct sa *src, struct mbuf *mb)
{
struct stun_unknown_attr ua;
struct stun_msg *msg;
if (0 != stun_msg_decode(&msg, mb, &ua))
return;
switch (stun_msg_class(msg)) {
case STUN_CLASS_REQUEST:
(void)stun_reply(proto, sock, src, 0, msg, NULL, 0, false, 3,
STUN_ATTR_XOR_MAPPED_ADDR, src,
STUN_ATTR_MAPPED_ADDR, src,
STUN_ATTR_SOFTWARE, stun_software);
break;
case STUN_CLASS_ERROR_RESP:
case STUN_CLASS_SUCCESS_RESP:
(void)stun_ctrans_recv(nh->stun, msg, &ua);
break;
default:
DEBUG_WARNING("unknown class 0x%04x\n", stun_msg_class(msg));
break;
}
mem_deref(msg);
}
static void udp_recv_handler(const struct sa *src, struct mbuf *mb, void *arg)
{
struct sip_transport *transp = arg;
struct stun_unknown_attr ua;
struct stun_msg *stun_msg;
struct sip_msg *msg;
int err;
if (mb->end <= 4)
return;
if (!stun_msg_decode(&stun_msg, mb, &ua)) {
if (stun_msg_method(stun_msg) == STUN_METHOD_BINDING) {
switch (stun_msg_class(stun_msg)) {
case STUN_CLASS_REQUEST:
(void)stun_reply(IPPROTO_UDP, transp->sock,
src, 0, stun_msg,
NULL, 0, false, 2,
STUN_ATTR_XOR_MAPPED_ADDR,
src,
STUN_ATTR_SOFTWARE,
transp->sip->software);
break;
default:
(void)stun_ctrans_recv(transp->sip->stun,
stun_msg, &ua);
break;
}
}
mem_deref(stun_msg);
return;
}
err = sip_msg_decode(&msg, mb);
if (err) {
(void)re_fprintf(stderr, "sip: msg decode err: %m\n", err);
return;
}
msg->sock = mem_ref(transp->sock);
msg->src = *src;
msg->dst = transp->laddr;
msg->tp = SIP_TRANSP_UDP;
sip_recv(transp->sip, msg);
mem_deref(msg);
}
int icem_stund_recv(struct icem_comp *comp, const struct sa *src,
struct stun_msg *req, size_t presz)
{
struct icem *icem = comp->icem;
struct ice *ice = icem->ice;
struct stun_attr *attr;
struct pl lu, ru;
enum role rrole = ROLE_UNKNOWN;
uint64_t tiebrk = 0;
uint32_t prio_prflx;
bool use_cand = false;
int err;
/* RFC 5389: Fingerprint errors are silently discarded */
err = stun_msg_chk_fingerprint(req);
if (err)
return err;
err = stun_msg_chk_mi(req, (uint8_t *)ice->lpwd, strlen(ice->lpwd));
if (err) {
if (err == EBADMSG)
goto unauth;
else
goto badmsg;
}
attr = stun_msg_attr(req, STUN_ATTR_USERNAME);
if (!attr)
goto badmsg;
err = re_regex(attr->v.username, strlen(attr->v.username),
"[^:]+:[^]+", &lu, &ru);
if (err) {
DEBUG_WARNING("could not parse USERNAME attribute (%s)\n",
attr->v.username);
goto unauth;
}
if (pl_strcmp(&lu, ice->lufrag))
goto unauth;
if (str_isset(icem->rufrag) && pl_strcmp(&ru, icem->rufrag))
goto unauth;
attr = stun_msg_attr(req, STUN_ATTR_CONTROLLED);
if (attr) {
rrole = ROLE_CONTROLLED;
tiebrk = attr->v.uint64;
}
attr = stun_msg_attr(req, STUN_ATTR_CONTROLLING);
if (attr) {
rrole = ROLE_CONTROLLING;
tiebrk = attr->v.uint64;
}
if (rrole == ice->lrole) {
if (ice->tiebrk >= tiebrk)
ice_switch_local_role(ice);
else
goto conflict;
}
attr = stun_msg_attr(req, STUN_ATTR_PRIORITY);
if (attr)
prio_prflx = attr->v.uint32;
else
goto badmsg;
attr = stun_msg_attr(req, STUN_ATTR_USE_CAND);
if (attr)
use_cand = true;
err = handle_stun(ice, icem, comp, src, prio_prflx,
use_cand, presz > 0);
if (err)
goto badmsg;
return stun_reply(icem->proto, comp->sock, src, presz, req,
(uint8_t *)ice->lpwd, strlen(ice->lpwd), true, 2,
STUN_ATTR_XOR_MAPPED_ADDR, src,
STUN_ATTR_SOFTWARE, sw);
badmsg:
return stunsrv_ereply(comp, src, presz, req, 400, "Bad Request");
unauth:
return stunsrv_ereply(comp, src, presz, req, 401, "Unauthorized");
conflict:
return stunsrv_ereply(comp, src, presz, req, 487, "Role Conflict");
}
void chanbind_request(struct allocation *al, struct restund_msgctx *ctx,
int proto, void *sock, const struct sa *src,
const struct stun_msg *msg)
{
struct chan *chan = NULL, *ch_numb = NULL, *ch_peer;
struct perm *perm = NULL, *permx = NULL;
struct stun_attr *chnr, *peer;
int err = ENOMEM, rerr;
chnr = stun_msg_attr(msg, STUN_ATTR_CHANNEL_NUMBER);
peer = stun_msg_attr(msg, STUN_ATTR_XOR_PEER_ADDR);
if (!chnr || !chan_numb_valid(chnr->v.channel_number) || !peer) {
restund_info("turn: bad chanbind attributes\n");
rerr = stun_ereply(proto, sock, src, 0, msg,
400, "Bad Attributes",
ctx->key, ctx->keylen, ctx->fp, 1,
STUN_ATTR_SOFTWARE, restund_software);
goto out;
}
if (sa_af(&peer->v.xor_peer_addr) != sa_af(&al->rel_addr)) {
restund_info("turn: chanbind peer address family mismatch\n");
rerr = stun_ereply(proto, sock, src, 0, msg,
443, "Peer Address Family Mismatch",
ctx->key, ctx->keylen, ctx->fp, 1,
STUN_ATTR_SOFTWARE, restund_software);
goto out;
}
ch_numb = chan_numb_find(al->chans, chnr->v.channel_number);
ch_peer = chan_peer_find(al->chans, &peer->v.xor_peer_addr);
if (ch_numb != ch_peer) {
restund_info("turn: channel %p/peer %p already bound\n",
ch_numb, ch_peer);
rerr = stun_ereply(proto, sock, src, 0, msg,
400, "Channel/Peer Already Bound",
ctx->key, ctx->keylen, ctx->fp, 1,
STUN_ATTR_SOFTWARE, restund_software);
goto out;
}
if (!ch_numb) {
chan = chan_create(al->chans, chnr->v.channel_number,
&peer->v.xor_peer_addr, al);
if (!chan) {
restund_info("turn: unable to create channel\n");
rerr = stun_ereply(proto, sock, src, 0, msg,
500, "Server Error",
ctx->key, ctx->keylen, ctx->fp, 1,
STUN_ATTR_SOFTWARE,restund_software);
goto out;
}
}
permx = perm_find(al->perms, &peer->v.xor_peer_addr);
if (!permx) {
perm = perm_create(al->perms, &peer->v.xor_peer_addr, al);
if (!perm) {
restund_info("turn: unable to create permission\n");
rerr = stun_ereply(proto, sock, src, 0, msg,
500, "Server Error",
ctx->key, ctx->keylen, ctx->fp, 1,
STUN_ATTR_SOFTWARE,restund_software);
goto out;
}
}
err = rerr = stun_reply(proto, sock, src, 0, msg,
ctx->key, ctx->keylen, ctx->fp, 1,
STUN_ATTR_SOFTWARE, restund_software);
out:
if (rerr)
restund_warning("turn: chanbind reply: %m\n", rerr);
if (err) {
mem_deref(chan);
mem_deref(perm);
}
else {
chan_refresh(ch_numb);
perm_refresh(permx);
}
}
int trice_stund_recv(struct trice *icem, struct ice_lcand *lcand,
void *sock, const struct sa *src,
struct stun_msg *req, size_t presz)
{
struct stun_attr *attr;
struct pl lu, ru;
bool remote_controlling;
uint64_t tiebrk = 0;
uint32_t prio_prflx;
bool use_cand = false;
int err;
/* RFC 5389: Fingerprint errors are silently discarded */
err = stun_msg_chk_fingerprint(req);
if (err)
return err;
err = stun_msg_chk_mi(req, (uint8_t *)icem->lpwd, strlen(icem->lpwd));
if (err) {
DEBUG_WARNING("message-integrity failed (src=%J)\n", src);
if (err == EBADMSG)
goto unauth;
else
goto badmsg;
}
attr = stun_msg_attr(req, STUN_ATTR_USERNAME);
if (!attr)
goto badmsg;
err = re_regex(attr->v.username, strlen(attr->v.username),
"[^:]+:[^]+", &lu, &ru);
if (err) {
DEBUG_WARNING("could not parse USERNAME attribute (%s)\n",
attr->v.username);
goto unauth;
}
if (pl_strcmp(&lu, icem->lufrag)) {
DEBUG_WARNING("local ufrag err (expected %s, actual %r)\n",
icem->lufrag, &lu);
goto unauth;
}
if (str_isset(icem->rufrag) && pl_strcmp(&ru, icem->rufrag)) {
DEBUG_WARNING("remote ufrag err (expected %s, actual %r)\n",
icem->rufrag, &ru);
goto unauth;
}
attr = stun_msg_attr(req, STUN_ATTR_CONTROLLED);
if (attr) {
remote_controlling = false;
tiebrk = attr->v.uint64;
}
attr = stun_msg_attr(req, STUN_ATTR_CONTROLLING);
if (attr) {
remote_controlling = true;
tiebrk = attr->v.uint64;
}
if (remote_controlling == icem->controlling) {
if (icem->tiebrk >= tiebrk)
trice_switch_local_role(icem);
else
goto conflict;
}
attr = stun_msg_attr(req, STUN_ATTR_PRIORITY);
if (attr)
prio_prflx = attr->v.uint32;
else
goto badmsg;
attr = stun_msg_attr(req, STUN_ATTR_USE_CAND);
if (attr)
use_cand = true;
err = handle_stun_full(icem, lcand, sock, src, prio_prflx, use_cand);
if (err)
goto badmsg;
trice_tracef(icem, 32,
"[%u] STUNSRV: Tx success respons [%H ---> %J]\n",
lcand->attr.compid,
trice_cand_print, lcand, src);
return stun_reply(lcand->attr.proto, sock, src, presz, req,
(uint8_t *)icem->lpwd, strlen(icem->lpwd), true, 2,
STUN_ATTR_XOR_MAPPED_ADDR, src,
STUN_ATTR_SOFTWARE, icem->sw ? icem->sw : sw);
badmsg:
return stunsrv_ereply(icem, lcand, sock, src, presz, req,
400, "Bad Request");
unauth:
return stunsrv_ereply(icem, lcand, sock, src, presz, req,
401, "Unauthorized");
conflict:
return stunsrv_ereply(icem, lcand, sock, src, presz, req,
487, "Role Conflict");
}
static void process_msg(struct turnserver *turn, int proto, void *sock,
const struct sa *src, struct mbuf *mb)
{
struct stun_msg *msg = NULL;
struct sa laddr;
int err = 0;
if (stun_msg_decode(&msg, mb, NULL)) {
uint16_t numb, len;
struct channel *chan;
if (!turn->us_relay)
return;
++turn->n_raw;
numb = ntohs(mbuf_read_u16(mb));
len = ntohs(mbuf_read_u16(mb));
if (mbuf_get_left(mb) < len) {
DEBUG_WARNING("short length: %zu < %u\n",
mbuf_get_left(mb), len);
}
chan = find_channel_numb(turn, numb);
if (!chan) {
DEBUG_WARNING("channel not found: numb=%u\n", numb);
return;
}
/* relay data from channel to peer */
(void)udp_send(turn->us_relay, &chan->peer, mb);
return;
}
#if 0
re_printf("process: %s:%p:%J %s\n",
net_proto2name(proto), sock, src,
stun_method_name(stun_msg_method(msg)));
#endif
switch (stun_msg_method(msg)) {
case STUN_METHOD_ALLOCATE:
/* Max 1 allocation for now */
++turn->n_allocate;
if (turn->us_relay) {
err = EALREADY;
goto out;
}
turn->cli = *src;
err = sa_set_str(&laddr, "127.0.0.1", 0);
if (err)
goto out;
err = udp_listen(&turn->us_relay, &laddr,
relay_udp_recv, turn);
if (err)
goto out;
err = udp_local_get(turn->us_relay, &turn->relay);
if (err)
goto out;
udp_rxbuf_presz_set(turn->us_relay, 4);
err = stun_reply(proto, sock, src, 0,
msg, NULL, 0, false,
2,
STUN_ATTR_XOR_MAPPED_ADDR, src,
STUN_ATTR_XOR_RELAY_ADDR, &turn->relay);
break;
case STUN_METHOD_CREATEPERM: {
struct stun_attr *peer;
++turn->n_createperm;
peer = stun_msg_attr(msg, STUN_ATTR_XOR_PEER_ADDR);
TEST_ASSERT(peer != NULL);
add_permission(turn, &peer->v.xor_peer_addr);
/* todo: install permissions and check them */
err = stun_reply(proto, sock, src, 0,
msg, NULL, 0, false,
0);
}
break;
case STUN_METHOD_CHANBIND: {
struct stun_attr *chnr, *peer;
++turn->n_chanbind;
TEST_ASSERT(turn->us_relay != NULL);
chnr = stun_msg_attr(msg, STUN_ATTR_CHANNEL_NUMBER);
peer = stun_msg_attr(msg, STUN_ATTR_XOR_PEER_ADDR);
if (!chnr || !peer) {
DEBUG_WARNING("CHANBIND: missing chnr/peer attrib\n");
}
TEST_ASSERT(turn->chanc < ARRAY_SIZE(turn->chanv));
turn->chanv[turn->chanc].nr = chnr->v.channel_number;
turn->chanv[turn->chanc].peer = peer->v.xor_peer_addr;
++turn->chanc;
err = stun_reply(proto, sock, src, 0,
msg, NULL, 0, false,
0);
}
break;
case STUN_METHOD_SEND: {
struct stun_attr *peer, *data;
++turn->n_send;
TEST_ASSERT(turn->us_relay != NULL);
peer = stun_msg_attr(msg, STUN_ATTR_XOR_PEER_ADDR);
data = stun_msg_attr(msg, STUN_ATTR_DATA);
if (!peer || !data) {
DEBUG_WARNING("SEND: missing peer/data attrib\n");
goto out;
}
/* check for valid Permission */
if (!find_permission(turn, &peer->v.xor_peer_addr)) {
DEBUG_NOTICE("no permission to peer %j\n",
&peer->v.xor_peer_addr);
goto out;
}
err = udp_send(turn->us_relay, &peer->v.xor_peer_addr,
&data->v.data);
}
break;
default:
DEBUG_WARNING("unknown STUN method: %s\n",
stun_method_name(stun_msg_method(msg)));
err = EPROTO;
break;
}
if (err)
goto out;
out:
if (err && stun_msg_class(msg) == STUN_CLASS_REQUEST) {
(void)stun_ereply(proto, sock, src, 0, msg,
500, "Server Error",
NULL, 0, false, 0);
}
mem_deref(msg);
}
