/*
* Init credential for the allocation. We use static credential, meaning that
* the user's password must not change during allocation.
*/
static pj_status_t init_cred(pj_turn_allocation *alloc, const pj_stun_msg *req)
{
const pj_stun_username_attr *user;
const pj_stun_realm_attr *realm;
const pj_stun_nonce_attr *nonce;
pj_status_t status;
realm = (const pj_stun_realm_attr*)
pj_stun_msg_find_attr(req, PJ_STUN_ATTR_REALM, 0);
PJ_ASSERT_RETURN(realm != NULL, PJ_EBUG);
user = (const pj_stun_username_attr*)
pj_stun_msg_find_attr(req, PJ_STUN_ATTR_USERNAME, 0);
PJ_ASSERT_RETURN(user != NULL, PJ_EBUG);
nonce = (const pj_stun_nonce_attr*)
pj_stun_msg_find_attr(req, PJ_STUN_ATTR_NONCE, 0);
PJ_ASSERT_RETURN(nonce != NULL, PJ_EBUG);
/* Lookup the password */
status = pj_turn_get_password(NULL, NULL, &realm->value,
&user->value, alloc->pool,
&alloc->cred.data.static_cred.data_type,
&alloc->cred.data.static_cred.data);
if (status != PJ_SUCCESS)
return status;
/* Save credential */
alloc->cred.type = PJ_STUN_AUTH_CRED_STATIC;
pj_strdup(alloc->pool, &alloc->cred.data.static_cred.realm, &realm->value);
pj_strdup(alloc->pool, &alloc->cred.data.static_cred.username, &user->value);
pj_strdup(alloc->pool, &alloc->cred.data.static_cred.nonce, &nonce->value);
return PJ_SUCCESS;
}
static int long_term_check1(void)
{
/* SHOULD NOT contain USERNAME or MESSAGE-INTEGRITY */
if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_USERNAME, 0))
return -800;
if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_MESSAGE_INTEGRITY, 0))
return -800;
return 0;
}
static int long_term_check3(void)
{
/* response SHOULD NOT include a USERNAME, NONCE, and REALM */
if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_USERNAME, 0))
return -1000;
if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_NONCE, 0))
return -1010;
if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_REALM, 0))
return -1020;
return 0;
}
static int long_term_check2(void)
{
/* response SHOULD NOT include a USERNAME, NONCE, REALM or
* MESSAGE-INTEGRITY attribute.
*/
if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_USERNAME, 0))
return -900;
if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_NONCE, 0))
return -910;
if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_REALM, 0))
return -920;
if (pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_MESSAGE_INTEGRITY, 0))
return -930;
return 0;
}
/*
* Notify the STUN transaction about the arrival of STUN response.
*/
PJ_DEF(pj_status_t) pj_stun_client_tsx_on_rx_msg(pj_stun_client_tsx *tsx,
const pj_stun_msg *msg,
const pj_sockaddr_t *src_addr,
unsigned src_addr_len)
{
pj_stun_errcode_attr *err_attr;
pj_status_t status;
/* Must be STUN response message */
if (!PJ_STUN_IS_SUCCESS_RESPONSE(msg->hdr.type) &&
!PJ_STUN_IS_ERROR_RESPONSE(msg->hdr.type))
{
PJ_LOG(4,(tsx->obj_name,
"STUN rx_msg() error: not response message"));
return PJNATH_EINSTUNMSGTYPE;
}
/* We have a response with matching transaction ID.
* We can cancel retransmit timer now.
*/
pj_timer_heap_cancel_if_active(tsx->timer_heap, &tsx->retransmit_timer,
TIMER_INACTIVE);
/* Find STUN error code attribute */
err_attr = (pj_stun_errcode_attr*)
pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_ERROR_CODE, 0);
if (err_attr && err_attr->err_code <= 200) {
/* draft-ietf-behave-rfc3489bis-05.txt Section 8.3.2:
* Any response between 100 and 299 MUST result in the cessation
* of request retransmissions, but otherwise is discarded.
*/
PJ_LOG(4,(tsx->obj_name,
"STUN rx_msg() error: received provisional %d code (%.*s)",
err_attr->err_code,
(int)err_attr->reason.slen,
err_attr->reason.ptr));
return PJ_SUCCESS;
}
if (err_attr == NULL) {
status = PJ_SUCCESS;
} else {
status = PJ_STATUS_FROM_STUN_CODE(err_attr->err_code);
}
/* Call callback */
if (!tsx->complete) {
tsx->complete = PJ_TRUE;
if (tsx->cb.on_complete) {
tsx->cb.on_complete(tsx, status, msg, src_addr, src_addr_len);
}
/* We might have been destroyed, don't try to access the object */
}
return PJ_SUCCESS;
}
/* 420 response MUST contain UNKNOWN-ATTRIBUTES */
static int verify1(pj_stun_msg *msg)
{
pj_stun_errcode_attr *aerr;
pj_stun_unknown_attr *aunk;
if (!PJ_STUN_IS_ERROR_RESPONSE(msg->hdr.type)) {
PJ_LOG(1,(THIS_FILE, " expecting error message"));
return -100;
}
aerr = (pj_stun_errcode_attr*)
pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_ERROR_CODE, 0);
if (aerr == NULL) {
PJ_LOG(1,(THIS_FILE, " missing ERROR-CODE attribute"));
return -110;
}
if (aerr->err_code != 420) {
PJ_LOG(1,(THIS_FILE, " expecting 420 error"));
return -120;
}
aunk = (pj_stun_unknown_attr*)
pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_UNKNOWN_ATTRIBUTES, 0);
if (aunk == NULL) {
PJ_LOG(1,(THIS_FILE, " missing UNKNOWN-ATTRIBUTE attribute"));
return -130;
}
if (aunk->attr_count != 1) {
PJ_LOG(1,(THIS_FILE, " expecting one unknown attribute"));
return -140;
}
if (aunk->attrs[0] != 0xff) {
PJ_LOG(1,(THIS_FILE, " expecting 0xff as unknown attribute"));
return -150;
}
return 0;
}
/*
* Callback notification from STUN session when it receives STUN
* indications. This callback was trigger by STUN incoming message
* processing in pj_turn_allocation_on_rx_client_pkt().
*/
static pj_status_t stun_on_rx_indication(pj_stun_session *sess,
const pj_uint8_t *pkt,
unsigned pkt_len,
const pj_stun_msg *msg,
void *token,
const pj_sockaddr_t *src_addr,
unsigned src_addr_len)
{
pj_stun_xor_peer_addr_attr *peer_attr;
pj_stun_data_attr *data_attr;
pj_turn_allocation *alloc;
pj_turn_permission *perm;
pj_ssize_t len;
PJ_UNUSED_ARG(pkt);
PJ_UNUSED_ARG(pkt_len);
PJ_UNUSED_ARG(token);
PJ_UNUSED_ARG(src_addr);
PJ_UNUSED_ARG(src_addr_len);
alloc = (pj_turn_allocation*) pj_stun_session_get_user_data(sess);
/* Only expect Send Indication */
if (msg->hdr.type != PJ_STUN_SEND_INDICATION) {
/* Ignore */
return PJ_SUCCESS;
}
/* Get XOR-PEER-ADDRESS attribute */
peer_attr = (pj_stun_xor_peer_addr_attr*)
pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_XOR_PEER_ADDR, 0);
/* MUST have XOR-PEER-ADDRESS attribute */
if (!peer_attr)
return PJ_SUCCESS;
/* Get DATA attribute */
data_attr = (pj_stun_data_attr*)
pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_DATA, 0);
/* Create/update/refresh the permission */
perm = lookup_permission_by_addr(alloc, &peer_attr->sockaddr,
pj_sockaddr_get_len(&peer_attr->sockaddr));
if (perm == NULL) {
perm = create_permission(alloc, &peer_attr->sockaddr,
pj_sockaddr_get_len(&peer_attr->sockaddr));
}
refresh_permission(perm);
/* Return if we don't have data */
if (data_attr == NULL)
return PJ_SUCCESS;
/* Relay the data to peer */
len = data_attr->length;
pj_sock_sendto(alloc->relay.tp.sock, data_attr->data,
&len, 0, &peer_attr->sockaddr,
pj_sockaddr_get_len(&peer_attr->sockaddr));
return PJ_SUCCESS;
}
/*
* Callback notification from STUN session when it receives STUN
* requests. This callback was trigger by STUN incoming message
* processing in pj_turn_allocation_on_rx_client_pkt().
*/
static pj_status_t stun_on_rx_request(pj_stun_session *sess,
const pj_uint8_t *pkt,
unsigned pkt_len,
const pj_stun_rx_data *rdata,
void *token,
const pj_sockaddr_t *src_addr,
unsigned src_addr_len)
{
const pj_stun_msg *msg = rdata->msg;
pj_turn_allocation *alloc;
PJ_UNUSED_ARG(pkt);
PJ_UNUSED_ARG(pkt_len);
PJ_UNUSED_ARG(token);
PJ_UNUSED_ARG(src_addr);
PJ_UNUSED_ARG(src_addr_len);
alloc = (pj_turn_allocation*) pj_stun_session_get_user_data(sess);
/* Refuse to serve any request if we've been shutdown */
if (alloc->relay.lifetime == 0) {
/* Reject with 437 if we're shutting down */
send_reply_err(alloc, rdata, PJ_TRUE,
PJ_STUN_SC_ALLOCATION_MISMATCH, NULL);
return PJ_SUCCESS;
}
if (msg->hdr.type == PJ_STUN_REFRESH_REQUEST) {
/*
* Handle REFRESH request
*/
pj_stun_lifetime_attr *lifetime;
pj_stun_bandwidth_attr *bandwidth;
/* Get LIFETIME attribute */
lifetime = (pj_stun_lifetime_attr*)
pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_LIFETIME, 0);
/* Get BANDWIDTH attribute */
bandwidth = (pj_stun_bandwidth_attr*)
pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_BANDWIDTH, 0);
/* TODO: process bandwidth */
PJ_UNUSED_ARG(bandwidth);
if (lifetime && lifetime->value==0) {
/*
* This is deallocation request.
*/
alloc->relay.lifetime = 0;
/* Respond first */
send_reply_ok(alloc, rdata);
/* Shutdown allocation */
PJ_LOG(4,(alloc->obj_name,
"Client %s request to dealloc, shutting down",
alloc->info));
alloc_shutdown(alloc);
} else {
/*
* This is a refresh request.
*/
/* Update lifetime */
if (lifetime) {
alloc->relay.lifetime = lifetime->value;
}
/* Update bandwidth */
// TODO:
/* Update expiration timer */
resched_timeout(alloc);
/* Send reply */
send_reply_ok(alloc, rdata);
}
} else if (msg->hdr.type == PJ_STUN_CHANNEL_BIND_REQUEST) {
/*
* ChannelBind request.
*/
pj_stun_channel_number_attr *ch_attr;
pj_stun_xor_peer_addr_attr *peer_attr;
pj_turn_permission *p1, *p2;
ch_attr = (pj_stun_channel_number_attr*)
pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_CHANNEL_NUMBER, 0);
peer_attr = (pj_stun_xor_peer_addr_attr*)
pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_XOR_PEER_ADDR, 0);
if (!ch_attr || !peer_attr) {
send_reply_err(alloc, rdata, PJ_TRUE,
PJ_STUN_SC_BAD_REQUEST, NULL);
return PJ_SUCCESS;
}
/* Find permission with the channel number */
p1 = lookup_permission_by_chnum(alloc, PJ_STUN_GET_CH_NB(ch_attr->value));
/* If permission is found, this is supposed to be a channel bind
* refresh. Make sure it's for the same peer.
*/
if (p1) {
if (pj_sockaddr_cmp(&p1->hkey.peer_addr, &peer_attr->sockaddr)) {
/* Address mismatch. Send 400 */
send_reply_err(alloc, rdata, PJ_TRUE,
PJ_STUN_SC_BAD_REQUEST,
"Peer address mismatch");
return PJ_SUCCESS;
}
/* Refresh permission */
refresh_permission(p1);
/* Send response */
send_reply_ok(alloc, rdata);
/* Done */
return PJ_SUCCESS;
}
/* If permission is not found, create a new one. Make sure the peer
* has not alreadyy assigned with a channel number.
*/
p2 = lookup_permission_by_addr(alloc, &peer_attr->sockaddr,
pj_sockaddr_get_len(&peer_attr->sockaddr));
if (p2 && p2->channel != PJ_TURN_INVALID_CHANNEL) {
send_reply_err(alloc, rdata, PJ_TRUE, PJ_STUN_SC_BAD_REQUEST,
"Peer address already assigned a channel number");
return PJ_SUCCESS;
}
/* Create permission if it doesn't exist */
if (!p2) {
p2 = create_permission(alloc, &peer_attr->sockaddr,
pj_sockaddr_get_len(&peer_attr->sockaddr));
if (!p2)
return PJ_SUCCESS;
}
/* Assign channel number to permission */
p2->channel = PJ_STUN_GET_CH_NB(ch_attr->value);
/* Register to hash table */
pj_assert(sizeof(p2->channel)==2);
pj_hash_set(alloc->pool, alloc->ch_table, &p2->channel,
sizeof(p2->channel), 0, p2);
/* Update */
refresh_permission(p2);
/* Reply */
send_reply_ok(alloc, rdata);
return PJ_SUCCESS;
} else if (msg->hdr.type == PJ_STUN_ALLOCATE_REQUEST) {
/* Respond with 437 (section 6.3 turn-07) */
send_reply_err(alloc, rdata, PJ_TRUE, PJ_STUN_SC_ALLOCATION_MISMATCH,
NULL);
} else {
/* Respond with Bad Request? */
send_reply_err(alloc, rdata, PJ_TRUE, PJ_STUN_SC_BAD_REQUEST, NULL);
}
return PJ_SUCCESS;
}
/* Parse ALLOCATE request */
static pj_status_t parse_allocate_req(alloc_request *cfg,
pj_stun_session *sess,
const pj_stun_rx_data *rdata,
const pj_sockaddr_t *src_addr,
unsigned src_addr_len)
{
const pj_stun_msg *req = rdata->msg;
pj_stun_bandwidth_attr *attr_bw;
pj_stun_req_transport_attr *attr_req_tp;
pj_stun_res_token_attr *attr_res_token;
pj_stun_lifetime_attr *attr_lifetime;
pj_bzero(cfg, sizeof(*cfg));
/* Get BANDWIDTH attribute, if any. */
attr_bw = (pj_stun_uint_attr*)
pj_stun_msg_find_attr(req, PJ_STUN_ATTR_BANDWIDTH, 0);
if (attr_bw) {
cfg->bandwidth = attr_bw->value;
} else {
cfg->bandwidth = DEFA_CLIENT_BANDWIDTH;
}
/* Check if we can satisfy the bandwidth */
if (cfg->bandwidth > MAX_CLIENT_BANDWIDTH) {
pj_stun_session_respond(sess, rdata,
PJ_STUN_SC_ALLOCATION_QUOTA_REACHED,
"Invalid bandwidth", NULL, PJ_TRUE,
src_addr, src_addr_len);
return PJ_STATUS_FROM_STUN_CODE(PJ_STUN_SC_ALLOCATION_QUOTA_REACHED);
}
/* MUST have REQUESTED-TRANSPORT attribute */
attr_req_tp = (pj_stun_uint_attr*)
pj_stun_msg_find_attr(req, PJ_STUN_ATTR_REQ_TRANSPORT, 0);
if (attr_req_tp == NULL) {
pj_stun_session_respond(sess, rdata, PJ_STUN_SC_BAD_REQUEST,
"Missing REQUESTED-TRANSPORT attribute",
NULL, PJ_TRUE, src_addr, src_addr_len);
return PJ_STATUS_FROM_STUN_CODE(PJ_STUN_SC_BAD_REQUEST);
}
cfg->tp_type = PJ_STUN_GET_RT_PROTO(attr_req_tp->value);
/* Can only support UDP for now */
if (cfg->tp_type != PJ_TURN_TP_UDP) {
pj_stun_session_respond(sess, rdata, PJ_STUN_SC_UNSUPP_TRANSPORT_PROTO,
NULL, NULL, PJ_TRUE, src_addr, src_addr_len);
return PJ_STATUS_FROM_STUN_CODE(PJ_STUN_SC_UNSUPP_TRANSPORT_PROTO);
}
/* Get RESERVATION-TOKEN attribute, if any */
attr_res_token = (pj_stun_res_token_attr*)
pj_stun_msg_find_attr(req, PJ_STUN_ATTR_RESERVATION_TOKEN,
0);
if (attr_res_token) {
/* We don't support RESERVATION-TOKEN for now */
pj_stun_session_respond(sess, rdata,
PJ_STUN_SC_BAD_REQUEST,
"RESERVATION-TOKEN is not supported", NULL,
PJ_TRUE, src_addr, src_addr_len);
return PJ_STATUS_FROM_STUN_CODE(PJ_STUN_SC_BAD_REQUEST);
}
/* Get LIFETIME attribute */
attr_lifetime = (pj_stun_uint_attr*)
pj_stun_msg_find_attr(req, PJ_STUN_ATTR_LIFETIME, 0);
if (attr_lifetime) {
cfg->lifetime = attr_lifetime->value;
if (cfg->lifetime < MIN_LIFETIME) {
pj_stun_session_respond(sess, rdata, PJ_STUN_SC_BAD_REQUEST,
"LIFETIME too short", NULL,
PJ_TRUE, src_addr, src_addr_len);
return PJ_STATUS_FROM_STUN_CODE(PJ_STUN_SC_BAD_REQUEST);
}
if (cfg->lifetime > MAX_LIFETIME)
cfg->lifetime = MAX_LIFETIME;
} else {
cfg->lifetime = DEF_LIFETIME;
}
return PJ_SUCCESS;
}
/* This callback is called by the STUN session when outgoing transaction
* is complete
*/
static void sess_on_request_complete(pj_stun_session *sess,
pj_status_t status,
void *token,
pj_stun_tx_data *tdata,
const pj_stun_msg *response,
const pj_sockaddr_t *src_addr,
unsigned src_addr_len)
{
pj_stun_sock *stun_sock;
const pj_stun_sockaddr_attr *mapped_attr;
pj_stun_sock_op op;
pj_bool_t mapped_changed;
pj_bool_t resched = PJ_TRUE;
stun_sock = (pj_stun_sock *) pj_stun_session_get_user_data(sess);
PJ_UNUSED_ARG(tdata);
PJ_UNUSED_ARG(token);
PJ_UNUSED_ARG(src_addr);
PJ_UNUSED_ARG(src_addr_len);
/* Check if this is a keep-alive or the first Binding request */
if (pj_sockaddr_has_addr(&stun_sock->mapped_addr))
op = PJ_STUN_SOCK_KEEP_ALIVE_OP;
else
op = PJ_STUN_SOCK_BINDING_OP;
/* Handle failure */
if (status != PJ_SUCCESS) {
resched = sess_fail(stun_sock, op, status);
goto on_return;
}
/* Get XOR-MAPPED-ADDRESS, or MAPPED-ADDRESS when XOR-MAPPED-ADDRESS
* doesn't exist.
*/
mapped_attr = (const pj_stun_sockaddr_attr*)
pj_stun_msg_find_attr(response, PJ_STUN_ATTR_XOR_MAPPED_ADDR,
0);
if (mapped_attr==NULL) {
mapped_attr = (const pj_stun_sockaddr_attr*)
pj_stun_msg_find_attr(response, PJ_STUN_ATTR_MAPPED_ADDR,
0);
}
if (mapped_attr == NULL) {
resched = sess_fail(stun_sock, op, PJNATH_ESTUNNOMAPPEDADDR);
goto on_return;
}
/* Determine if mapped address has changed, and save the new mapped
* address and call callback if so
*/
mapped_changed = !pj_sockaddr_has_addr(&stun_sock->mapped_addr) ||
pj_sockaddr_cmp(&stun_sock->mapped_addr,
&mapped_attr->sockaddr) != 0;
if (mapped_changed) {
/* Print mapped adress */
{
char addrinfo[PJ_INET6_ADDRSTRLEN+10];
PJ_LOG(4,(stun_sock->obj_name,
"STUN mapped address found/changed: %s",
pj_sockaddr_print(&mapped_attr->sockaddr,
addrinfo, sizeof(addrinfo), 3)));
}
pj_sockaddr_cp(&stun_sock->mapped_addr, &mapped_attr->sockaddr);
if (op==PJ_STUN_SOCK_KEEP_ALIVE_OP)
op = PJ_STUN_SOCK_MAPPED_ADDR_CHANGE;
}
/* Notify user */
resched = (*stun_sock->cb.on_status)(stun_sock, op, PJ_SUCCESS);
on_return:
/* Start/restart keep-alive timer */
if (resched)
start_ka_timer(stun_sock);
}
/* On received data from peer */
static pj_bool_t alloc_on_data_recvfrom(pj_activesock_t *asock,
void *data,
pj_size_t size,
const pj_sockaddr_t *src_addr,
int addr_len,
pj_status_t status)
{
turn_allocation *alloc;
pj_stun_xor_peer_addr_attr *pa;
pj_stun_data_attr *da;
char peer_info[PJ_INET6_ADDRSTRLEN+10];
char client_info[PJ_INET6_ADDRSTRLEN+10];
pj_uint8_t buffer[1500];
pj_ssize_t sent;
unsigned i;
if (status != PJ_SUCCESS)
return PJ_TRUE;
alloc = (turn_allocation*) pj_activesock_get_user_data(asock);
pj_sockaddr_print(&alloc->client_addr, client_info, sizeof(client_info), 3);
pj_sockaddr_print(src_addr, peer_info, sizeof(peer_info), 3);
/* Check that this peer has a permission */
for (i=0; i<alloc->perm_cnt; ++i) {
if (pj_sockaddr_get_len(&alloc->perm[i]) == (unsigned)addr_len &&
pj_memcmp(pj_sockaddr_get_addr(&alloc->perm[i]),
pj_sockaddr_get_addr(src_addr),
addr_len) == 0)
{
break;
}
}
if (i==alloc->perm_cnt) {
PJ_LOG(5,("", "Client %s received %d bytes unauthorized data from peer %s",
client_info, size, peer_info));
if (alloc->perm_cnt == 0)
PJ_LOG(5,("", "Client %s has no permission", client_info));
return PJ_TRUE;
}
/* Format a Data indication */
pa = (pj_stun_xor_peer_addr_attr*)
pj_stun_msg_find_attr(alloc->data_ind, PJ_STUN_ATTR_XOR_PEER_ADDR, 0);
da = (pj_stun_data_attr*)
pj_stun_msg_find_attr(alloc->data_ind, PJ_STUN_ATTR_DATA, 0);
pj_assert(pa && da);
pj_sockaddr_cp(&pa->sockaddr, src_addr);
da->data = (pj_uint8_t*)data;
da->length = size;
/* Encode Data indication */
status = pj_stun_msg_encode(alloc->data_ind, buffer, sizeof(buffer), 0,
NULL, &size);
if (status != PJ_SUCCESS)
return PJ_TRUE;
/* Send */
sent = size;
PJ_LOG(5,("", "Forwarding %d bytes data from peer %s to client %s",
sent, peer_info, client_info));
pj_activesock_sendto(alloc->test_srv->turn_sock, &alloc->send_key, buffer,
&sent, 0, &alloc->client_addr,
pj_sockaddr_get_len(&alloc->client_addr));
return PJ_TRUE;
}
static pj_bool_t turn_on_data_recvfrom(pj_activesock_t *asock,
void *data,
pj_size_t size,
const pj_sockaddr_t *src_addr,
int addr_len,
pj_status_t status)
{
test_server *test_srv;
pj_pool_t *pool;
turn_allocation *alloc;
pj_stun_msg *req, *resp = NULL;
pj_str_t auth_key = { NULL, 0 };
char client_info[PJ_INET6_ADDRSTRLEN+10];
unsigned i;
pj_ssize_t len;
if (status != PJ_SUCCESS)
return PJ_TRUE;
pj_sockaddr_print(src_addr, client_info, sizeof(client_info), 3);
test_srv = (test_server*) pj_activesock_get_user_data(asock);
pool = pj_pool_create(test_srv->stun_cfg->pf, NULL, 512, 512, NULL);
/* Find the client */
for (i=0; i<test_srv->turn_alloc_cnt; i++) {
if (pj_sockaddr_cmp(&test_srv->turn_alloc[i].client_addr, src_addr)==0)
break;
}
if (pj_stun_msg_check((pj_uint8_t*)data, size, PJ_STUN_NO_FINGERPRINT_CHECK)!=PJ_SUCCESS) {
/* Not STUN message, this probably is a ChannelData */
pj_turn_channel_data cd;
const pj_turn_channel_data *pcd = (const pj_turn_channel_data*)data;
pj_ssize_t sent;
if (i==test_srv->turn_alloc_cnt) {
/* Invalid data */
PJ_LOG(1,(THIS_FILE,
"TURN Server received strayed data"));
goto on_return;
}
alloc = &test_srv->turn_alloc[i];
cd.ch_number = pj_ntohs(pcd->ch_number);
cd.length = pj_ntohs(pcd->length);
/* For UDP check the packet length */
if (size < cd.length+sizeof(cd)) {
PJ_LOG(1,(THIS_FILE,
"TURN Server: ChannelData discarded: UDP size error"));
goto on_return;
}
/* Lookup peer */
for (i=0; i<alloc->perm_cnt; ++i) {
if (alloc->chnum[i] == cd.ch_number)
break;
}
if (i==alloc->perm_cnt) {
PJ_LOG(1,(THIS_FILE,
"TURN Server: ChannelData discarded: invalid channel number"));
goto on_return;
}
/* Relay the data to peer */
sent = cd.length;
pj_activesock_sendto(alloc->sock, &alloc->send_key,
pcd+1, &sent, 0,
&alloc->perm[i],
pj_sockaddr_get_len(&alloc->perm[i]));
/* Done */
goto on_return;
}
status = pj_stun_msg_decode(pool, (pj_uint8_t*)data, size,
PJ_STUN_IS_DATAGRAM | PJ_STUN_CHECK_PACKET |
PJ_STUN_NO_FINGERPRINT_CHECK,
&req, NULL, NULL);
if (status != PJ_SUCCESS) {
char errmsg[PJ_ERR_MSG_SIZE];
pj_strerror(status, errmsg, sizeof(errmsg));
PJ_LOG(1,("", "STUN message decode error from client %s: %s", client_info, errmsg));
goto on_return;
}
if (i==test_srv->turn_alloc_cnt) {
/* New client */
//pj_str_t ip_addr;
pj_stun_username_attr *uname;
pj_activesock_cb alloc_sock_cb;
turn_allocation *alloc;
/* Must be Allocate request */
if (req->hdr.type != PJ_STUN_ALLOCATE_REQUEST) {
PJ_LOG(1,(THIS_FILE, "Invalid %s %s from client %s",
pj_stun_get_method_name(req->hdr.type),
pj_stun_get_class_name(req->hdr.type),
client_info));
if (PJ_STUN_IS_REQUEST(req->hdr.type))
pj_stun_msg_create_response(pool, req, PJ_STUN_SC_BAD_REQUEST, NULL, &resp);
goto send_pkt;
}
test_srv->turn_stat.rx_allocate_cnt++;
/* Skip if we're not responding to Allocate request */
if (!test_srv->turn_respond_allocate)
return PJ_TRUE;
/* Check if we have too many clients */
if (test_srv->turn_alloc_cnt == MAX_TURN_ALLOC) {
pj_stun_msg_create_response(pool, req, PJ_STUN_SC_INSUFFICIENT_CAPACITY, NULL, &resp);
goto send_pkt;
}
/* Get USERNAME attribute */
uname = (pj_stun_username_attr*)
pj_stun_msg_find_attr(req, PJ_STUN_ATTR_USERNAME, 0);
/* Reject if it doesn't have MESSAGE-INTEGRITY or USERNAME attributes or
* the user is incorrect
*/
if (pj_stun_msg_find_attr(req, PJ_STUN_ATTR_MESSAGE_INTEGRITY, 0) == NULL ||
uname==NULL || pj_stricmp2(&uname->value, TURN_USERNAME) != 0)
{
pj_str_t tmp;
pj_stun_msg_create_response(pool, req, PJ_STUN_SC_UNAUTHORIZED, NULL, &resp);
pj_stun_msg_add_string_attr(pool, resp, PJ_STUN_ATTR_REALM, &test_srv->domain);
pj_stun_msg_add_string_attr(pool, resp, PJ_STUN_ATTR_NONCE, pj_cstr(&tmp, TURN_NONCE));
goto send_pkt;
}
pj_bzero(&alloc_sock_cb, sizeof(alloc_sock_cb));
alloc_sock_cb.on_data_recvfrom = &alloc_on_data_recvfrom;
/* Create allocation */
alloc = &test_srv->turn_alloc[test_srv->turn_alloc_cnt];
alloc->perm_cnt = 0;
alloc->test_srv = test_srv;
pj_memcpy(&alloc->client_addr, src_addr, addr_len);
pj_ioqueue_op_key_init(&alloc->send_key, sizeof(alloc->send_key));
alloc->pool = pj_pool_create(test_srv->stun_cfg->pf, "alloc", 512, 512, NULL);
/* Create relay socket */
pj_sockaddr_in_init(&alloc->alloc_addr.ipv4, NULL, 0);
pj_gethostip(pj_AF_INET(), &alloc->alloc_addr);
status = pj_activesock_create_udp(alloc->pool, &alloc->alloc_addr, NULL,
test_srv->stun_cfg->ioqueue,
&alloc_sock_cb, alloc,
&alloc->sock, &alloc->alloc_addr);
if (status != PJ_SUCCESS) {
pj_pool_release(alloc->pool);
pj_stun_msg_create_response(pool, req, PJ_STUN_SC_SERVER_ERROR, NULL, &resp);
goto send_pkt;
}
//pj_sockaddr_set_str_addr(pj_AF_INET(), &alloc->alloc_addr, &ip_addr);
pj_activesock_set_user_data(alloc->sock, alloc);
status = pj_activesock_start_recvfrom(alloc->sock, alloc->pool, 1500, 0);
if (status != PJ_SUCCESS) {
pj_activesock_close(alloc->sock);
pj_pool_release(alloc->pool);
pj_stun_msg_create_response(pool, req, PJ_STUN_SC_SERVER_ERROR, NULL, &resp);
goto send_pkt;
}
/* Create Data indication */
status = pj_stun_msg_create(alloc->pool, PJ_STUN_DATA_INDICATION,
PJ_STUN_MAGIC, NULL, &alloc->data_ind);
if (status != PJ_SUCCESS) {
pj_activesock_close(alloc->sock);
pj_pool_release(alloc->pool);
pj_stun_msg_create_response(pool, req, PJ_STUN_SC_SERVER_ERROR, NULL, &resp);
goto send_pkt;
}
pj_stun_msg_add_sockaddr_attr(alloc->pool, alloc->data_ind,
PJ_STUN_ATTR_XOR_PEER_ADDR, PJ_TRUE,
&alloc->alloc_addr,
pj_sockaddr_get_len(&alloc->alloc_addr));
pj_stun_msg_add_binary_attr(alloc->pool, alloc->data_ind,
PJ_STUN_ATTR_DATA, (pj_uint8_t*)"", 1);
/* Create response */
resp = create_success_response(test_srv, alloc, req, pool, 600, &auth_key);
if (resp == NULL) {
pj_activesock_close(alloc->sock);
pj_pool_release(alloc->pool);
pj_stun_msg_create_response(pool, req, PJ_STUN_SC_SERVER_ERROR, NULL, &resp);
goto send_pkt;
}
++test_srv->turn_alloc_cnt;
} else {
alloc = &test_srv->turn_alloc[i];
if (req->hdr.type == PJ_STUN_ALLOCATE_REQUEST) {
test_srv->turn_stat.rx_allocate_cnt++;
/* Skip if we're not responding to Allocate request */
if (!test_srv->turn_respond_allocate)
return PJ_TRUE;
resp = create_success_response(test_srv, alloc, req, pool, 0, &auth_key);
} else if (req->hdr.type == PJ_STUN_REFRESH_REQUEST) {
pj_stun_lifetime_attr *lf_attr;
test_srv->turn_stat.rx_refresh_cnt++;
/* Skip if we're not responding to Refresh request */
if (!test_srv->turn_respond_refresh)
return PJ_TRUE;
lf_attr = (pj_stun_lifetime_attr*)
pj_stun_msg_find_attr(req, PJ_STUN_ATTR_LIFETIME, 0);
if (lf_attr && lf_attr->value != 0) {
resp = create_success_response(test_srv, alloc, req, pool, 600, &auth_key);
pj_array_erase(test_srv->turn_alloc, sizeof(test_srv->turn_alloc[0]),
test_srv->turn_alloc_cnt, i);
--test_srv->turn_alloc_cnt;
} else
resp = create_success_response(test_srv, alloc, req, pool, 0, &auth_key);
} else if (req->hdr.type == PJ_STUN_CREATE_PERM_REQUEST) {
for (i=0; i<req->attr_count; ++i) {
if (req->attr[i]->type == PJ_STUN_ATTR_XOR_PEER_ADDR) {
pj_stun_xor_peer_addr_attr *pa = (pj_stun_xor_peer_addr_attr*)req->attr[i];
unsigned j;
for (j=0; j<alloc->perm_cnt; ++j) {
if (pj_sockaddr_cmp(&alloc->perm[j], &pa->sockaddr)==0)
break;
}
if (j==alloc->perm_cnt && alloc->perm_cnt < MAX_TURN_PERM) {
char peer_info[PJ_INET6_ADDRSTRLEN];
pj_sockaddr_print(&pa->sockaddr, peer_info, sizeof(peer_info), 3);
pj_sockaddr_cp(&alloc->perm[alloc->perm_cnt], &pa->sockaddr);
++alloc->perm_cnt;
PJ_LOG(5,("", "Permission %s added to client %s, perm_cnt=%d",
peer_info, client_info, alloc->perm_cnt));
}
}
}
resp = create_success_response(test_srv, alloc, req, pool, 0, &auth_key);
} else if (req->hdr.type == PJ_STUN_SEND_INDICATION) {
pj_stun_xor_peer_addr_attr *pa;
pj_stun_data_attr *da;
test_srv->turn_stat.rx_send_ind_cnt++;
pa = (pj_stun_xor_peer_addr_attr*)
pj_stun_msg_find_attr(req, PJ_STUN_ATTR_XOR_PEER_ADDR, 0);
da = (pj_stun_data_attr*)
pj_stun_msg_find_attr(req, PJ_STUN_ATTR_DATA, 0);
if (pa && da) {
unsigned j;
char peer_info[PJ_INET6_ADDRSTRLEN];
pj_ssize_t sent;
pj_sockaddr_print(&pa->sockaddr, peer_info, sizeof(peer_info), 3);
for (j=0; j<alloc->perm_cnt; ++j) {
if (pj_sockaddr_cmp(&alloc->perm[j], &pa->sockaddr)==0)
break;
}
if (j==alloc->perm_cnt) {
PJ_LOG(5,("", "SendIndication to %s is rejected (no permission)",
peer_info, client_info, alloc->perm_cnt));
} else {
PJ_LOG(5,(THIS_FILE, "Relaying %d bytes data from client %s to peer %s, "
"perm_cnt=%d",
da->length, client_info, peer_info, alloc->perm_cnt));
sent = da->length;
pj_activesock_sendto(alloc->sock, &alloc->send_key,
da->data, &sent, 0,
&pa->sockaddr,
pj_sockaddr_get_len(&pa->sockaddr));
}
} else {
PJ_LOG(1,(THIS_FILE, "Invalid Send Indication from %s", client_info));
}
} else if (req->hdr.type == PJ_STUN_CHANNEL_BIND_REQUEST) {
pj_stun_xor_peer_addr_attr *pa;
pj_stun_channel_number_attr *cna;
unsigned j, cn;
pa = (pj_stun_xor_peer_addr_attr*)
pj_stun_msg_find_attr(req, PJ_STUN_ATTR_XOR_PEER_ADDR, 0);
cna = (pj_stun_channel_number_attr*)
pj_stun_msg_find_attr(req, PJ_STUN_ATTR_CHANNEL_NUMBER, 0);
cn = PJ_STUN_GET_CH_NB(cna->value);
resp = create_success_response(test_srv, alloc, req, pool, 0, &auth_key);
for (j=0; j<alloc->perm_cnt; ++j) {
if (pj_sockaddr_cmp(&alloc->perm[j], &pa->sockaddr)==0)
break;
}
if (i==alloc->perm_cnt) {
if (alloc->perm_cnt==MAX_TURN_PERM) {
pj_stun_msg_create_response(pool, req, PJ_STUN_SC_INSUFFICIENT_CAPACITY, NULL, &resp);
goto send_pkt;
}
pj_sockaddr_cp(&alloc->perm[i], &pa->sockaddr);
++alloc->perm_cnt;
}
alloc->chnum[i] = cn;
resp = create_success_response(test_srv, alloc, req, pool, 0, &auth_key);
} else if (PJ_STUN_IS_REQUEST(req->hdr.type)) {
pj_stun_msg_create_response(pool, req, PJ_STUN_SC_BAD_REQUEST, NULL, &resp);
}
}
send_pkt:
if (resp) {
status = pj_stun_msg_encode(resp, (pj_uint8_t*)data, MAX_STUN_PKT,
0, &auth_key, &size);
if (status != PJ_SUCCESS)
goto on_return;
len = size;
status = pj_activesock_sendto(asock, &test_srv->send_key, data, &len,
0, src_addr, addr_len);
}
on_return:
pj_pool_release(pool);
return PJ_TRUE;
}
static pj_status_t handle_auth_challenge(pj_stun_session *sess,
const pj_stun_tx_data *request,
const pj_stun_msg *response,
const pj_sockaddr_t *src_addr,
unsigned src_addr_len,
pj_bool_t *notify_user)
{
const pj_stun_errcode_attr *ea;
*notify_user = PJ_TRUE;
if (response==NULL)
return PJ_SUCCESS;
if (sess->auth_type != PJ_STUN_AUTH_LONG_TERM)
return PJ_SUCCESS;
if (!PJ_STUN_IS_ERROR_RESPONSE(response->hdr.type)) {
sess->auth_retry = 0;
return PJ_SUCCESS;
}
ea = (const pj_stun_errcode_attr*)
pj_stun_msg_find_attr(response, PJ_STUN_ATTR_ERROR_CODE, 0);
if (!ea) {
PJ_LOG(4,(SNAME(sess), "Invalid error response: no ERROR-CODE"
" attribute"));
*notify_user = PJ_FALSE;
return PJNATH_EINSTUNMSG;
}
if (ea->err_code == PJ_STUN_SC_UNAUTHORIZED ||
ea->err_code == PJ_STUN_SC_STALE_NONCE)
{
const pj_stun_nonce_attr *anonce;
const pj_stun_realm_attr *arealm;
pj_stun_tx_data *tdata;
unsigned i;
pj_status_t status;
anonce = (const pj_stun_nonce_attr*)
pj_stun_msg_find_attr(response, PJ_STUN_ATTR_NONCE, 0);
if (!anonce) {
PJ_LOG(4,(SNAME(sess), "Invalid response: missing NONCE"));
*notify_user = PJ_FALSE;
return PJNATH_EINSTUNMSG;
}
/* Bail out if we've supplied the correct nonce */
if (pj_strcmp(&anonce->value, &sess->next_nonce)==0) {
return PJ_SUCCESS;
}
/* Bail out if we've tried too many */
if (++sess->auth_retry > 3) {
PJ_LOG(4,(SNAME(sess), "Error: authentication failed (too "
"many retries)"));
return PJ_STATUS_FROM_STUN_CODE(401);
}
/* Save next_nonce */
pj_strdup(sess->pool, &sess->next_nonce, &anonce->value);
/* Copy the realm from the response */
arealm = (pj_stun_realm_attr*)
pj_stun_msg_find_attr(response, PJ_STUN_ATTR_REALM, 0);
if (arealm) {
pj_strdup(sess->pool, &sess->server_realm, &arealm->value);
while (sess->server_realm.slen &&
!sess->server_realm.ptr[sess->server_realm.slen-1])
{
--sess->server_realm.slen;
}
}
/* Create new request */
status = pj_stun_session_create_req(sess, request->msg->hdr.type,
request->msg->hdr.magic,
NULL, &tdata);
if (status != PJ_SUCCESS)
return status;
/* Duplicate all the attributes in the old request, except
* USERNAME, REALM, M-I, and NONCE, which will be filled in
* later.
*/
for (i=0; i<request->msg->attr_count; ++i) {
const pj_stun_attr_hdr *asrc = request->msg->attr[i];
if (asrc->type == PJ_STUN_ATTR_USERNAME ||
asrc->type == PJ_STUN_ATTR_REALM ||
asrc->type == PJ_STUN_ATTR_MESSAGE_INTEGRITY ||
asrc->type == PJ_STUN_ATTR_NONCE)
{
continue;
}
tdata->msg->attr[tdata->msg->attr_count++] =
pj_stun_attr_clone(tdata->pool, asrc);
}
/* Will retry the request with authentication, no need to
* notify user.
*/
*notify_user = PJ_FALSE;
PJ_LOG(4,(SNAME(sess), "Retrying request with new authentication"));
/* Retry the request */
status = pj_stun_session_send_msg(sess, request->token, PJ_TRUE,
request->retransmit, src_addr,
src_addr_len, tdata);
} else {
sess->auth_retry = 0;
}
return PJ_SUCCESS;
}
static pj_status_t apply_msg_options(pj_stun_session *sess,
pj_pool_t *pool,
const pj_stun_req_cred_info *auth_info,
pj_stun_msg *msg)
{
pj_status_t status = 0;
pj_str_t realm, username, nonce, auth_key;
/* If the agent is sending a request, it SHOULD add a SOFTWARE attribute
* to the request. The server SHOULD include a SOFTWARE attribute in all
* responses.
*
* If magic value is not PJ_STUN_MAGIC, only apply the attribute for
* responses.
*/
if (sess->srv_name.slen &&
pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_SOFTWARE, 0)==NULL &&
(PJ_STUN_IS_RESPONSE(msg->hdr.type) ||
(PJ_STUN_IS_REQUEST(msg->hdr.type) && msg->hdr.magic==PJ_STUN_MAGIC)))
{
pj_stun_msg_add_string_attr(pool, msg, PJ_STUN_ATTR_SOFTWARE,
&sess->srv_name);
}
if (pj_stun_auth_valid_for_msg(msg) && auth_info) {
realm = auth_info->realm;
username = auth_info->username;
nonce = auth_info->nonce;
auth_key = auth_info->auth_key;
} else {
realm.slen = username.slen = nonce.slen = auth_key.slen = 0;
}
/* Create and add USERNAME attribute if needed */
if (username.slen && PJ_STUN_IS_REQUEST(msg->hdr.type)) {
status = pj_stun_msg_add_string_attr(pool, msg,
PJ_STUN_ATTR_USERNAME,
&username);
PJ_ASSERT_RETURN(status==PJ_SUCCESS, status);
}
/* Add REALM only when long term credential is used */
if (realm.slen && PJ_STUN_IS_REQUEST(msg->hdr.type)) {
status = pj_stun_msg_add_string_attr(pool, msg,
PJ_STUN_ATTR_REALM,
&realm);
PJ_ASSERT_RETURN(status==PJ_SUCCESS, status);
}
/* Add NONCE when desired */
if (nonce.slen &&
(PJ_STUN_IS_REQUEST(msg->hdr.type) ||
PJ_STUN_IS_ERROR_RESPONSE(msg->hdr.type)))
{
status = pj_stun_msg_add_string_attr(pool, msg,
PJ_STUN_ATTR_NONCE,
&nonce);
}
/* Add MESSAGE-INTEGRITY attribute */
if (username.slen && auth_key.slen) {
status = pj_stun_msg_add_msgint_attr(pool, msg);
PJ_ASSERT_RETURN(status==PJ_SUCCESS, status);
}
/* Add FINGERPRINT attribute if necessary */
if (sess->use_fingerprint) {
status = pj_stun_msg_add_uint_attr(pool, msg,
PJ_STUN_ATTR_FINGERPRINT, 0);
PJ_ASSERT_RETURN(status==PJ_SUCCESS, status);
}
return PJ_SUCCESS;
}
/*
* Callback upon request completion.
*/
static void on_request_complete(pj_stun_session *stun_sess,
pj_status_t status,
void *token,
pj_stun_tx_data *tdata,
const pj_stun_msg *response,
const pj_sockaddr_t *src_addr,
unsigned src_addr_len)
{
nat_detect_session *sess;
pj_stun_sockaddr_attr *mattr = NULL;
pj_stun_changed_addr_attr *ca = NULL;
pj_uint32_t *tsx_id;
int cmp;
unsigned test_id;
PJ_UNUSED_ARG(token);
PJ_UNUSED_ARG(tdata);
PJ_UNUSED_ARG(src_addr);
PJ_UNUSED_ARG(src_addr_len);
sess = (nat_detect_session*) pj_stun_session_get_user_data(stun_sess);
pj_grp_lock_acquire(sess->grp_lock);
/* Find errors in the response */
if (status == PJ_SUCCESS) {
/* Check error message */
if (PJ_STUN_IS_ERROR_RESPONSE(response->hdr.type)) {
pj_stun_errcode_attr *eattr;
int err_code;
eattr = (pj_stun_errcode_attr*)
pj_stun_msg_find_attr(response, PJ_STUN_ATTR_ERROR_CODE, 0);
if (eattr != NULL)
err_code = eattr->err_code;
else
err_code = PJ_STUN_SC_SERVER_ERROR;
status = PJ_STATUS_FROM_STUN_CODE(err_code);
} else {
/* Get MAPPED-ADDRESS or XOR-MAPPED-ADDRESS */
mattr = (pj_stun_sockaddr_attr*)
pj_stun_msg_find_attr(response, PJ_STUN_ATTR_XOR_MAPPED_ADDR, 0);
if (mattr == NULL) {
mattr = (pj_stun_sockaddr_attr*)
pj_stun_msg_find_attr(response, PJ_STUN_ATTR_MAPPED_ADDR, 0);
}
if (mattr == NULL) {
status = PJNATH_ESTUNNOMAPPEDADDR;
}
/* Get CHANGED-ADDRESS attribute */
ca = (pj_stun_changed_addr_attr*)
pj_stun_msg_find_attr(response, PJ_STUN_ATTR_CHANGED_ADDR, 0);
if (ca == NULL) {
status = PJ_STATUS_FROM_STUN_CODE(PJ_STUN_SC_SERVER_ERROR);
}
}
}
/* Save the result */
tsx_id = (pj_uint32_t*) tdata->msg->hdr.tsx_id;
test_id = tsx_id[2];
if (test_id >= ST_MAX) {
PJ_LOG(4,(sess->pool->obj_name, "Invalid transaction ID %u in response",
test_id));
end_session(sess, PJ_STATUS_FROM_STUN_CODE(PJ_STUN_SC_SERVER_ERROR),
PJ_STUN_NAT_TYPE_ERR_UNKNOWN);
goto on_return;
}
PJ_LOG(5,(sess->pool->obj_name, "Completed %s, status=%d",
test_names[test_id], status));
sess->result[test_id].complete = PJ_TRUE;
sess->result[test_id].status = status;
if (status == PJ_SUCCESS) {
pj_memcpy(&sess->result[test_id].ma, &mattr->sockaddr.ipv4,
sizeof(pj_sockaddr_in));
pj_memcpy(&sess->result[test_id].ca, &ca->sockaddr.ipv4,
sizeof(pj_sockaddr_in));
}
/* Send Test 1B only when Test 2 completes. Must not send Test 1B
* before Test 2 completes to avoid creating mapping on the NAT.
*/
if (!sess->result[ST_TEST_1B].executed &&
sess->result[ST_TEST_2].complete &&
sess->result[ST_TEST_2].status != PJ_SUCCESS &&
sess->result[ST_TEST_1].complete &&
sess->result[ST_TEST_1].status == PJ_SUCCESS)
{
cmp = pj_memcmp(&sess->local_addr, &sess->result[ST_TEST_1].ma,
sizeof(pj_sockaddr_in));
if (cmp != 0)
send_test(sess, ST_TEST_1B, &sess->result[ST_TEST_1].ca, 0);
}
if (test_completed(sess)<3 || test_completed(sess)!=test_executed(sess))
goto on_return;
/* Handle the test result according to RFC 3489 page 22:
+--------+
| Test |
| 1 |
+--------+
|
|
V
/\ /\
N / \ Y / \ Y +--------+
UDP <-------/Resp\--------->/ IP \------------->| Test |
Blocked \ ? / \Same/ | 2 |
\ / \? / +--------+
\/ \/ |
| N |
| V
V /\
+--------+ Sym. N / \
| Test | UDP <---/Resp\
| 2 | Firewall \ ? /
+--------+ \ /
| \/
V |Y
/\ /\ |
Symmetric N / \ +--------+ N / \ V
NAT <--- / IP \<-----| Test |<--- /Resp\ Open
\Same/ | 1B | \ ? / Internet
\? / +--------+ \ /
\/ \/
| |Y
| |
| V
| Full
| Cone
V /\
+--------+ / \ Y
| Test |------>/Resp\---->Restricted
| 3 | \ ? /
+--------+ \ /
\/
|N
| Port
+------>Restricted
Figure 2: Flow for type discovery process
*/
switch (sess->result[ST_TEST_1].status) {
case PJNATH_ESTUNTIMEDOUT:
/*
* Test 1 has timed-out. Conclude with NAT_TYPE_BLOCKED.
*/
end_session(sess, PJ_SUCCESS, PJ_STUN_NAT_TYPE_BLOCKED);
break;
case PJ_SUCCESS:
/*
* Test 1 is successful. Further tests are needed to detect
* NAT type. Compare the MAPPED-ADDRESS with the local address.
*/
cmp = pj_memcmp(&sess->local_addr, &sess->result[ST_TEST_1].ma,
sizeof(pj_sockaddr_in));
if (cmp==0) {
/*
* MAPPED-ADDRESS and local address is equal. Need one more
* test to determine NAT type.
*/
switch (sess->result[ST_TEST_2].status) {
case PJ_SUCCESS:
/*
* Test 2 is also successful. We're in the open.
*/
end_session(sess, PJ_SUCCESS, PJ_STUN_NAT_TYPE_OPEN);
break;
case PJNATH_ESTUNTIMEDOUT:
/*
* Test 2 has timed out. We're behind somekind of UDP
* firewall.
*/
end_session(sess, PJ_SUCCESS, PJ_STUN_NAT_TYPE_SYMMETRIC_UDP);
break;
default:
/*
* We've got other error with Test 2.
*/
end_session(sess, sess->result[ST_TEST_2].status,
PJ_STUN_NAT_TYPE_ERR_UNKNOWN);
break;
}
} else {
/*
* MAPPED-ADDRESS is different than local address.
* We're behind NAT.
*/
switch (sess->result[ST_TEST_2].status) {
case PJ_SUCCESS:
/*
* Test 2 is successful. We're behind a full-cone NAT.
*/
end_session(sess, PJ_SUCCESS, PJ_STUN_NAT_TYPE_FULL_CONE);
break;
case PJNATH_ESTUNTIMEDOUT:
/*
* Test 2 has timed-out Check result of test 1B..
*/
switch (sess->result[ST_TEST_1B].status) {
case PJ_SUCCESS:
/*
* Compare the MAPPED-ADDRESS of test 1B with the
* MAPPED-ADDRESS returned in test 1..
*/
cmp = pj_memcmp(&sess->result[ST_TEST_1].ma,
&sess->result[ST_TEST_1B].ma,
sizeof(pj_sockaddr_in));
if (cmp != 0) {
/*
* MAPPED-ADDRESS is different, we're behind a
* symmetric NAT.
*/
end_session(sess, PJ_SUCCESS,
PJ_STUN_NAT_TYPE_SYMMETRIC);
} else {
/*
* MAPPED-ADDRESS is equal. We're behind a restricted
* or port-restricted NAT, depending on the result of
* test 3.
*/
switch (sess->result[ST_TEST_3].status) {
case PJ_SUCCESS:
/*
* Test 3 is successful, we're behind a restricted
* NAT.
*/
end_session(sess, PJ_SUCCESS,
PJ_STUN_NAT_TYPE_RESTRICTED);
break;
case PJNATH_ESTUNTIMEDOUT:
/*
* Test 3 failed, we're behind a port restricted
* NAT.
*/
end_session(sess, PJ_SUCCESS,
PJ_STUN_NAT_TYPE_PORT_RESTRICTED);
break;
default:
/*
* Got other error with test 3.
*/
end_session(sess, sess->result[ST_TEST_3].status,
PJ_STUN_NAT_TYPE_ERR_UNKNOWN);
break;
}
}
break;
case PJNATH_ESTUNTIMEDOUT:
/*
* Strangely test 1B has failed. Maybe connectivity was
* lost? Or perhaps port 3489 (the usual port number in
* CHANGED-ADDRESS) is blocked?
*/
switch (sess->result[ST_TEST_3].status) {
case PJ_SUCCESS:
/* Although test 1B failed, test 3 was successful.
* It could be that port 3489 is blocked, while the
* NAT itself looks to be a Restricted one.
*/
end_session(sess, PJ_SUCCESS,
PJ_STUN_NAT_TYPE_RESTRICTED);
break;
default:
/* Can't distinguish between Symmetric and Port
* Restricted, so set the type to Unknown
*/
end_session(sess, PJ_SUCCESS,
PJ_STUN_NAT_TYPE_ERR_UNKNOWN);
break;
}
break;
default:
/*
* Got other error with test 1B.
*/
end_session(sess, sess->result[ST_TEST_1B].status,
PJ_STUN_NAT_TYPE_ERR_UNKNOWN);
break;
}
break;
default:
/*
* We've got other error with Test 2.
*/
end_session(sess, sess->result[ST_TEST_2].status,
PJ_STUN_NAT_TYPE_ERR_UNKNOWN);
break;
}
}
break;
default:
/*
* We've got other error with Test 1.
*/
end_session(sess, sess->result[ST_TEST_1].status,
PJ_STUN_NAT_TYPE_ERR_UNKNOWN);
break;
}
on_return:
pj_grp_lock_release(sess->grp_lock);
}
static int run_client_test(const char *title,
pj_bool_t server_responding,
pj_stun_auth_type server_auth_type,
pj_stun_auth_type client_auth_type,
const char *realm,
const char *username,
const char *nonce,
const char *password,
pj_bool_t dummy_mi,
pj_bool_t expected_error,
pj_status_t expected_code,
const char *expected_realm,
const char *expected_nonce,
int (*more_check)(void))
{
pj_pool_t *pool;
pj_stun_session_cb sess_cb;
pj_stun_auth_cred cred;
pj_stun_tx_data *tdata;
pj_status_t status;
int rc = 0;
PJ_LOG(3,(THIS_FILE, " %s test", title));
/* Create client */
pool = pj_pool_create(mem, "client", 1000, 1000, NULL);
client = PJ_POOL_ZALLOC_T(pool, struct client);
client->pool = pool;
client->responding = PJ_TRUE;
/* Create STUN session */
pj_bzero(&sess_cb, sizeof(sess_cb));
sess_cb.on_request_complete = &client_on_request_complete;
sess_cb.on_send_msg = &client_send_msg;
status = pj_stun_session_create(&stun_cfg, "client", &sess_cb, PJ_FALSE, NULL, &client->sess);
if (status != PJ_SUCCESS) {
destroy_client_server();
return -200;
}
/* Create semaphore */
status = pj_sem_create(pool, "client", 0, 1, &client->test_complete);
if (status != PJ_SUCCESS) {
destroy_client_server();
return -205;
}
/* Create client socket */
status = pj_sock_socket(pj_AF_INET(), pj_SOCK_DGRAM(), 0, &client->sock);
if (status != PJ_SUCCESS) {
destroy_client_server();
return -210;
}
/* Bind client socket */
status = pj_sock_bind_in(client->sock, 0, 0);
if (status != PJ_SUCCESS) {
destroy_client_server();
return -220;
}
/* Create client thread */
status = pj_thread_create(pool, "client", &client_thread, NULL, 0, 0, &client->thread);
if (status != PJ_SUCCESS) {
destroy_client_server();
return -230;
}
/* Initialize credential */
pj_bzero(&cred, sizeof(cred));
cred.type = PJ_STUN_AUTH_CRED_STATIC;
if (realm) cred.data.static_cred.realm = pj_str((char*)realm);
if (username) cred.data.static_cred.username = pj_str((char*)username);
if (nonce) cred.data.static_cred.nonce = pj_str((char*)nonce);
if (password) cred.data.static_cred.data = pj_str((char*)password);
cred.data.static_cred.data_type = PJ_STUN_PASSWD_PLAIN;
status = pj_stun_session_set_credential(client->sess, client_auth_type, &cred);
if (status != PJ_SUCCESS) {
destroy_client_server();
return -240;
}
/* Create the server */
status = create_std_server(server_auth_type, server_responding);
if (status != 0) {
destroy_client_server();
return status;
}
/* Create request */
status = pj_stun_session_create_req(client->sess, PJ_STUN_BINDING_REQUEST,
PJ_STUN_MAGIC, NULL, &tdata);
if (status != PJ_SUCCESS) {
destroy_client_server();
return -250;
}
/* Add our own attributes if client authentication is set to none */
if (client_auth_type == PJ_STUN_AUTH_NONE) {
pj_str_t tmp;
if (realm)
pj_stun_msg_add_string_attr(tdata->pool, tdata->msg, PJ_STUN_ATTR_REALM, pj_cstr(&tmp, realm));
if (username)
pj_stun_msg_add_string_attr(tdata->pool, tdata->msg, PJ_STUN_ATTR_USERNAME, pj_cstr(&tmp, username));
if (nonce)
pj_stun_msg_add_string_attr(tdata->pool, tdata->msg, PJ_STUN_ATTR_NONCE, pj_cstr(&tmp, nonce));
if (password) {
// ignored
}
if (dummy_mi) {
pj_stun_msgint_attr *mi;
pj_stun_msgint_attr_create(tdata->pool, &mi);
pj_stun_msg_add_attr(tdata->msg, &mi->hdr);
}
}
/* Send the request */
status = pj_stun_session_send_msg(client->sess, NULL, PJ_FALSE, PJ_TRUE, &server->addr,
pj_sockaddr_get_len(&server->addr), tdata);
if (status != PJ_SUCCESS) {
destroy_client_server();
return -270;
}
/* Wait until test complete */
pj_sem_wait(client->test_complete);
/* Verify response */
if (expected_error) {
if (expected_code != client->response_status) {
char e1[PJ_ERR_MSG_SIZE], e2[PJ_ERR_MSG_SIZE];
pj_strerror(expected_code, e1, sizeof(e1));
pj_strerror(client->response_status, e2, sizeof(e2));
PJ_LOG(3,(THIS_FILE, " err: expecting %d (%s) but got %d (%s) response",
expected_code, e1, client->response_status, e2));
rc = -500;
}
} else {
int res_code = 0;
pj_stun_realm_attr *arealm;
pj_stun_nonce_attr *anonce;
if (client->response_status != 0) {
PJ_LOG(3,(THIS_FILE, " err: expecting successful operation but got error %d",
client->response_status));
rc = -600;
goto done;
}
if (PJ_STUN_IS_ERROR_RESPONSE(client->response->hdr.type)) {
pj_stun_errcode_attr *aerr = NULL;
aerr = (pj_stun_errcode_attr*)
pj_stun_msg_find_attr(client->response,
PJ_STUN_ATTR_ERROR_CODE, 0);
if (aerr == NULL) {
PJ_LOG(3,(THIS_FILE, " err: received error response without ERROR-CODE"));
rc = -610;
goto done;
}
res_code = aerr->err_code;
} else {
res_code = 0;
}
/* Check that code matches */
if (expected_code != res_code) {
PJ_LOG(3,(THIS_FILE, " err: expecting response code %d but got %d",
expected_code, res_code));
rc = -620;
goto done;
}
/* Find REALM and NONCE attributes */
arealm = (pj_stun_realm_attr*)
pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_REALM, 0);
anonce = (pj_stun_nonce_attr*)
pj_stun_msg_find_attr(client->response, PJ_STUN_ATTR_NONCE, 0);
if (expected_realm) {
if (arealm == NULL) {
PJ_LOG(3,(THIS_FILE, " err: expecting REALM in esponse"));
rc = -630;
goto done;
}
if (pj_strcmp2(&arealm->value, expected_realm)!=0) {
PJ_LOG(3,(THIS_FILE, " err: REALM mismatch in response"));
rc = -640;
goto done;
}
} else {
if (arealm != NULL) {
PJ_LOG(3,(THIS_FILE, " err: non expecting REALM in response"));
rc = -650;
goto done;
}
}
if (expected_nonce) {
if (anonce == NULL) {
PJ_LOG(3,(THIS_FILE, " err: expecting NONCE in esponse"));
rc = -660;
goto done;
}
if (pj_strcmp2(&anonce->value, expected_nonce)!=0) {
PJ_LOG(3,(THIS_FILE, " err: NONCE mismatch in response"));
rc = -670;
goto done;
}
} else {
if (anonce != NULL) {
PJ_LOG(3,(THIS_FILE, " err: non expecting NONCE in response"));
rc = -680;
goto done;
}
}
}
/* Our tests are okay so far. Let caller do some more tests if
* it wants to.
*/
if (rc==0 && more_check) {
rc = (*more_check)();
}
done:
destroy_client_server();
return rc;
}
/*
* Create relay.
*/
static pj_status_t create_relay(pj_turn_srv *srv,
pj_turn_allocation *alloc,
const pj_stun_msg *msg,
const alloc_request *req,
pj_turn_relay_res *relay)
{
enum { RETRY = 40 };
pj_pool_t *pool = alloc->pool;
int retry, retry_max, sock_type;
pj_ioqueue_callback icb;
int af, namelen;
pj_stun_string_attr *sa;
pj_status_t status;
pj_bzero(relay, sizeof(*relay));
relay->allocation = alloc;
relay->tp.sock = PJ_INVALID_SOCKET;
/* TODO: get the requested address family from somewhere */
af = alloc->transport->listener->addr.addr.sa_family;
/* Save realm */
sa = (pj_stun_string_attr*)
pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_REALM, 0);
PJ_ASSERT_RETURN(sa, PJ_EINVALIDOP);
pj_strdup(pool, &relay->realm, &sa->value);
/* Save username */
sa = (pj_stun_string_attr*)
pj_stun_msg_find_attr(msg, PJ_STUN_ATTR_USERNAME, 0);
PJ_ASSERT_RETURN(sa, PJ_EINVALIDOP);
pj_strdup(pool, &relay->user, &sa->value);
/* Lifetime and timeout */
relay->lifetime = req->lifetime;
pj_timer_entry_init(&relay->timer, TIMER_ID_NONE, relay,
&relay_timeout_cb);
resched_timeout(alloc);
/* Transport type */
relay->hkey.tp_type = req->tp_type;
/* Create the socket */
if (req->tp_type == PJ_TURN_TP_UDP) {
sock_type = pj_SOCK_DGRAM();
} else if (req->tp_type == PJ_TURN_TP_TCP) {
sock_type = pj_SOCK_STREAM();
} else {
pj_assert(!"Unknown transport");
return PJ_EINVALIDOP;
}
status = pj_sock_socket(af, sock_type, 0, &relay->tp.sock);
if (status != PJ_SUCCESS) {
pj_bzero(relay, sizeof(*relay));
return status;
}
/* Find suitable port for this allocation */
if (req->rpp_port) {
retry_max = 1;
} else {
retry_max = RETRY;
}
for (retry=0; retry<retry_max; ++retry) {
pj_uint16_t port;
pj_sockaddr bound_addr;
pj_lock_acquire(srv->core.lock);
if (req->rpp_port) {
port = (pj_uint16_t) req->rpp_port;
} else if (req->tp_type == PJ_TURN_TP_UDP) {
port = (pj_uint16_t) srv->ports.next_udp++;
if (srv->ports.next_udp > srv->ports.max_udp)
srv->ports.next_udp = srv->ports.min_udp;
} else if (req->tp_type == PJ_TURN_TP_TCP) {
port = (pj_uint16_t) srv->ports.next_tcp++;
if (srv->ports.next_tcp > srv->ports.max_tcp)
srv->ports.next_tcp = srv->ports.min_tcp;
} else {
pj_assert(!"Invalid transport");
port = 0;
}
pj_lock_release(srv->core.lock);
pj_sockaddr_init(af, &bound_addr, NULL, port);
status = pj_sock_bind(relay->tp.sock, &bound_addr,
pj_sockaddr_get_len(&bound_addr));
if (status == PJ_SUCCESS)
break;
}
if (status != PJ_SUCCESS) {
/* Unable to allocate port */
PJ_LOG(4,(THIS_FILE, "Unable to allocate relay, giving up: err %d",
status));
pj_sock_close(relay->tp.sock);
relay->tp.sock = PJ_INVALID_SOCKET;
return status;
}
/* Init relay key */
namelen = sizeof(relay->hkey.addr);
status = pj_sock_getsockname(relay->tp.sock, &relay->hkey.addr, &namelen);
if (status != PJ_SUCCESS) {
PJ_LOG(4,(THIS_FILE, "pj_sock_getsockname() failed: err %d",
status));
pj_sock_close(relay->tp.sock);
relay->tp.sock = PJ_INVALID_SOCKET;
return status;
}
if (!pj_sockaddr_has_addr(&relay->hkey.addr)) {
pj_sockaddr_copy_addr(&relay->hkey.addr,
&alloc->transport->listener->addr);
}
if (!pj_sockaddr_has_addr(&relay->hkey.addr)) {
pj_sockaddr tmp_addr;
pj_gethostip(af, &tmp_addr);
pj_sockaddr_copy_addr(&relay->hkey.addr, &tmp_addr);
}
/* Init ioqueue */
pj_bzero(&icb, sizeof(icb));
icb.on_read_complete = &on_rx_from_peer;
status = pj_ioqueue_register_sock(pool, srv->core.ioqueue, relay->tp.sock,
relay, &icb, &relay->tp.key);
if (status != PJ_SUCCESS) {
PJ_LOG(4,(THIS_FILE, "pj_ioqueue_register_sock() failed: err %d",
status));
pj_sock_close(relay->tp.sock);
relay->tp.sock = PJ_INVALID_SOCKET;
return status;
}
/* Kick off pending read operation */
pj_ioqueue_op_key_init(&relay->tp.read_key, sizeof(relay->tp.read_key));
on_rx_from_peer(relay->tp.key, &relay->tp.read_key, 0);
/* Done */
return PJ_SUCCESS;
}
/* This callback is called by the STUN session when outgoing transaction
* is complete
*/
static void sess_on_request_complete(pj_stun_session *sess,
pj_status_t status,
void *token,
pj_stun_tx_data *tdata,
const pj_stun_msg *response,
const pj_sockaddr_t *src_addr,
unsigned src_addr_len)
{
pj_stun_sock *stun_sock;
const pj_stun_sockaddr_attr *mapped_attr;
pj_stun_sock_op op;
pj_bool_t mapped_changed;
pj_bool_t resched = PJ_TRUE;
stun_sock = (pj_stun_sock *) pj_stun_session_get_user_data(sess);
if (!stun_sock)
return;
PJ_UNUSED_ARG(tdata);
PJ_UNUSED_ARG(token);
PJ_UNUSED_ARG(src_addr);
PJ_UNUSED_ARG(src_addr_len);
/* Check if this is a keep-alive or the first Binding request */
if (pj_sockaddr_has_addr(&stun_sock->mapped_addr))
op = PJ_STUN_SOCK_KEEP_ALIVE_OP;
else
op = PJ_STUN_SOCK_BINDING_OP;
/* Handle failure */
if (status != PJ_SUCCESS) {
resched = sess_fail(stun_sock, op, status);
goto on_return;
}
/* Get XOR-MAPPED-ADDRESS, or MAPPED-ADDRESS when XOR-MAPPED-ADDRESS
* doesn't exist.
*/
mapped_attr = (const pj_stun_sockaddr_attr*)
pj_stun_msg_find_attr(response, PJ_STUN_ATTR_XOR_MAPPED_ADDR,
0);
if (mapped_attr==NULL) {
mapped_attr = (const pj_stun_sockaddr_attr*)
pj_stun_msg_find_attr(response, PJ_STUN_ATTR_MAPPED_ADDR,
0);
}
if (mapped_attr == NULL) {
resched = sess_fail(stun_sock, op, PJNATH_ESTUNNOMAPPEDADDR);
goto on_return;
}
/* Determine if mapped address has changed, and save the new mapped
* address and call callback if so
*/
mapped_changed = !pj_sockaddr_has_addr(&stun_sock->mapped_addr) ||
pj_sockaddr_cmp(&stun_sock->mapped_addr,
&mapped_attr->sockaddr) != 0;
if (mapped_changed) {
/* Print mapped adress */
{
char addrinfo[PJ_INET6_ADDRSTRLEN+10];
PJ_LOG(2,(stun_sock->obj_name,
"STUN mapped address found/changed: %s",
pj_sockaddr_print(&mapped_attr->sockaddr,
addrinfo, sizeof(addrinfo), 3)));
}
pj_sockaddr_cp(&stun_sock->mapped_addr, &mapped_attr->sockaddr);
if (op==PJ_STUN_SOCK_KEEP_ALIVE_OP) {
op = PJ_STUN_SOCK_MAPPED_ADDR_CHANGE;
PJ_LOG(2, (THIS_FILE, "sess_on_rquest_complete() Operation is PJ_STUN_SOCK_MAPPED_ADDR_CHANGE."));
}
}
// 2013-10-16 DEAN
// 2013-10-21 DEAN
{
int addr_len = sizeof(stun_sock->current_local_addr);
char addrinfo1[PJ_INET6_ADDRSTRLEN+10];
char addrinfo2[PJ_INET6_ADDRSTRLEN+10];
pj_sock_getsockname(stun_sock->sock_fd, &stun_sock->current_local_addr,
&addr_len);
PJ_LOG(6,(stun_sock->obj_name,
"Current Local address: %s",
pj_sockaddr_print(&stun_sock->current_local_addr,
addrinfo1, sizeof(addrinfo1), 3)));
/*
* Find out which interface is used to send to the server.
*/
status = get_local_interface(&stun_sock->srv_addr, &((pj_sockaddr_in *)(&stun_sock->current_local_addr))->sin_addr);
PJ_LOG(6,(stun_sock->obj_name,
"Current Local address: %s",
pj_sockaddr_print(&stun_sock->current_local_addr,
addrinfo2, sizeof(addrinfo2), 3)));
}
/* Notify user */
resched = (*stun_sock->cb.on_status)(stun_sock, op, PJ_SUCCESS);
PJ_LOG(5, (THIS_FILE, "sess_on_request_complete() resched=%d.", resched));
on_return:
/* Start/restart keep-alive timer */
if (resched)
start_ka_timer(stun_sock);
}
