Add option no-rfc5780

To avoid any amplifiaction STUN binding attacks.

ChangeLog

@@ -21,6 +21,8 @@ Version 4.5.3 'dan Eider':
 		* Readme.turnserver: how to run server as a daemon
 	- merge PR #739 (by hills)
 		* SSL reload has hidden bugs which cause crashes
+	- Fix regression in PR #739
+	- Add option to disable RFC8750
 
 10/01/2021 Oleg Moskalenko <[email protected]> Mihály Mészáros <[email protected]>
 Version 4.5.2 'dan Eider':

README.turnserver

@@ -605,10 +605,17 @@ Options with values:
 
 --web-admin-port=<port>  Web-admin server port. Default is 8080.
 --web-admin-listen-on-workers   Enable for web-admin server to listens on STUN/TURN workers STUN/TURN ports.
-			By default it is disabled for security resons!
+			By default it is disabled for security reasons!
 			(This behavior used to be the default behavior, and was enabled by default.)
 
 --ne=[1|2|3]		Set network engine type for the process (for internal purposes).
+--no-rfc5780		Disable RFC5780 (NAT behavior discovery).
+                    Originally, if there are more than one listener address from the same
+                    address family, then by default the NAT behavior discovery feature enabled.
+                    This option disables this original behavior, because the NAT behavior discovery
+                    adds attributes to response, and this increase the possibility of an amplification attack.
+                    Strongly encouraged to use this option to decrease gain factor in STUN binding responses.
+
 
 ==================================
 

examples/etc/turnserver.conf

@@ -759,3 +759,13 @@
 #no-tlsv1
 #no-tlsv1_1
 #no-tlsv1_2
+
+# Disable RFC5780 (NAT behavior discovery).
+#Originally, if there are more than one listener address from the same
+#address family, then by default the NAT behavior discovery feature enabled.
+#This option disables the original behavior, because the NAT behavior discovery
+#adds extra attributes to response, and this increase the possibility of
+#an amplification attack.
+#Strongly encouraged to use this option to decrease gain factor in STUN binding responses.
+#
+no-rfc5780

src/apps/relay/mainrelay.c

@@ -115,10 +115,24 @@ DH_2066, "", "", "",
 NULL, PTHREAD_MUTEX_INITIALIZER,
 
 //////////////// Common params ////////////////////
-TURN_VERBOSE_NONE,0,0,0,0,
-"/var/run/turnserver.pid","",
-DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,0,1,
-0,0,0,0,0,
+TURN_VERBOSE_NONE, /* verbose */
+0, /* turn_daemon */
+0, /* no_software_attribute */
+0, /* web_admin_listen_on_workers */
+0, /* do_not_use_config_file */
+"/var/run/turnserver.pid", /* pidfile */
+"", /* acme_redirect */
+DEFAULT_STUN_PORT, /* listener_port*/
+DEFAULT_STUN_TLS_PORT, /* tls_listener_port */
+0, /* alt_listener_port */
+0, /* alt_tls_listener_port */
+0, /* tcp_proxy_port */
+1, /* rfc5780 */
+0, /* no_udp */
+0, /* no_tcp */
+0, /* tcp_use_proxy */
+0, /* no_tcp_relay */
+0, /* no_udp_relay */
 "",
 "",0,
 {
@@ -676,6 +690,12 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " --cli-max-output-sessions			Maximum number of output sessions in ps CLI command.\n"
 "						This value can be changed on-the-fly in CLI. The default value is 256.\n"
 " --ne=[1|2|3]					Set network engine type for the process (for internal purposes).\n"
+" --no-rfc5780					Disable RFC5780 (NAT behavior discovery).\n"
+"						Originally, if there are more than one listener address from the same\n"
+"						address family, then by default the NAT behavior discovery feature enabled.\n"
+"						This option disables this original behavior, because the NAT behavior discovery\n"
+"						adds attributes to response, and this increase the possibility of an amplification attack.\n"
+"						Strongly encouraged to use this option to decrease gain factor in STUN binding responses.\n"
 " -h						Help\n"
 "\n";
 
@@ -821,7 +841,8 @@ enum EXTRA_OPTS {
 	NO_HTTP_OPT,
 	SECRET_KEY_OPT,
 	ACME_REDIRECT_OPT,
-	LOG_BINDING_OPT
+	LOG_BINDING_OPT,
+	NO_RFC5780
 };
 
 struct myoption {
@@ -958,7 +979,7 @@ static const struct myoption long_options[] = {
 				{ "allocation-default-address-family", required_argument, NULL, 'A' },
 				{ "acme-redirect", required_argument, NULL, ACME_REDIRECT_OPT },
 				{ "log-binding", optional_argument, NULL, LOG_BINDING_OPT },
-
+				{ "no-rfc5780", optional_argument, NULL, NO_RFC5780 },
 				{ NULL, no_argument, NULL, 0 }
 };
 
@@ -1632,6 +1653,9 @@ static void set_option(int c, char *value)
 	case LOG_BINDING_OPT:
 		turn_params.log_binding = get_bool_value(value);
 		break;
+	case NO_RFC5780:
+		turn_params.rfc5780 = 0;
+		break;
 
 	/* these options have been already taken care of before: */
 	case 'l':

src/apps/relay/netengine.c

@@ -1089,11 +1089,15 @@ static void setup_listener(void)
 		bufferevent_enable(turn_params.listener.in_buf, EV_READ);
 	}
 
-	if(turn_params.listener.addrs_number<2 || turn_params.external_ip) {
-		turn_params.rfc5780 = 0;
-		TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided\n");
+	if (turn_params.rfc5780 == 1) {
+		if(turn_params.listener.addrs_number<2 || turn_params.external_ip) {
+			turn_params.rfc5780 = 0;
+			TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided\n");
+		} else {
+			turn_params.listener.services_number = turn_params.listener.services_number * 2;
+		}
 	} else {
-		turn_params.listener.services_number = turn_params.listener.services_number * 2;
+		TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "INFO: RFC5780 disabled! /NAT behavior discovery/\n");
 	}
 
 	turn_params.listener.udp_services = (dtls_listener_relay_server_type***)allocate_super_memory_engine(turn_params.listener.ioa_eng, sizeof(dtls_listener_relay_server_type**)*turn_params.listener.services_number);