
RESPONSE_ORIGIN attribute only if rfc5780 is on

Mészáros Mihály 4 年之前
父节点
当前提交
708b83ea78

+ 6 - 2
ChangeLog

@@ -23,10 +23,14 @@ Version 4.5.3 'dan Eider':
 		* SSL reload has hidden bugs which cause crashes
 	- Fix regression in PR #739
 	- Try to mitigate amplification attatck 
-		* Add option --no-rfc5780
+		* Add new option --no-rfc5780
 		  to force disable RFC8750
 		* Add new option --no-stun-backward-compatibility
-		  Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute in binding response (use only the XOR-MAPPED-ADDRESS).
+		  Disable handling old STUN Binding requests and disable
+		  MAPPED-ADDRESS attribute in binding response (use only the
+		  XOR-MAPPED-ADDRESS)
+		* Add new option --response-origin-only-with-rfc5780
+		  Add RESPONSE_ORIGIN attribute only if rfc5780 is enabled
 
 10/01/2021 Oleg Moskalenko <[email protected]> Mihály Mészáros <[email protected]>
 Version 4.5.2 'dan Eider':

+ 1 - 0
README.turnserver

@@ -616,6 +616,7 @@ Options with values:
                     adds attributes to response, and this increase the possibility of an amplification attack.
                     Strongly encouraged to use this option to decrease gain factor in STUN binding responses.
 --no-stun-backward-compatibility		Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute in binding response (use only the XOR-MAPPED-ADDRESS).
+--response-origin-only-with-rfc5780		Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
 					
 
 ==================================

+ 6 - 0
examples/etc/turnserver.conf

@@ -781,3 +781,9 @@ no-rfc5780
 #
 no-stun-backward-compatibility
 
+# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+response-origin-only-with-rfc5780

+ 8 - 1
src/apps/relay/mainrelay.c

@@ -188,6 +188,7 @@ ALLOCATION_DEFAULT_ADDRESS_FAMILY_IPV4,  /* allocation_default_address_family */
 
 0,  /* log_binding */
 0,	/* no_stun_backward_compatibility */
+0	/* response_origin_only_with_rfc5780 */
 };
 
 //////////////// OpenSSL Init //////////////////////
@@ -699,6 +700,7 @@ static char Usage[] = "Usage: turnserver [options]\n"
 "						Strongly encouraged to use this option to decrease gain factor in STUN binding responses.\n"
 " --no-stun-backward-compatibility		Disable handling old STUN Binding requests and disable MAPPED-ADDRESS attribute\n"
 "						in binding response (use only the XOR-MAPPED-ADDRESS).\n"
+" --response-origin-only-with-rfc5780		Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.\n"
 " -h						Help\n"
 "\n";
 
@@ -846,7 +848,8 @@ enum EXTRA_OPTS {
 	ACME_REDIRECT_OPT,
 	LOG_BINDING_OPT,
 	NO_RFC5780,
-	NO_STUN_BACKWARD_COMPATIBILITY_OPT
+	NO_STUN_BACKWARD_COMPATIBILITY_OPT,
+	RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT
 };
 
 struct myoption {
@@ -985,6 +988,7 @@ static const struct myoption long_options[] = {
 				{ "log-binding", optional_argument, NULL, LOG_BINDING_OPT },
 				{ "no-rfc5780", optional_argument, NULL, NO_RFC5780 },
 				{ "no-stun-backward-compatibility", optional_argument, NULL, NO_STUN_BACKWARD_COMPATIBILITY_OPT },
+				{ "response-origin-only-with-rfc5780", optional_argument, NULL, RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT },
 				{ NULL, no_argument, NULL, 0 }
 };
 
@@ -1664,6 +1668,9 @@ static void set_option(int c, char *value)
 	case NO_STUN_BACKWARD_COMPATIBILITY_OPT:
 		turn_params.no_stun_backward_compatibility = get_bool_value(value);
 		break;
+	case RESPONSE_ORIGIN_ONLY_WITH_RFC5780_OPT:
+		turn_params.response_origin_only_with_rfc5780 = get_bool_value(value);
+		break;
 
 	/* these options have been already taken care of before: */
 	case 'l':
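Review bot: The Usage text added in the second hunk ("Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled") understates what the flag does: in src/server/ns_turn_server.c the new guard also suppresses OLD_STUN_ATTRIBUTE_SOURCE_ADDRESS and OLD_STUN_ATTRIBUTE_CHANGED_ADDRESS in the old-STUN branch, so an operator reading only the help line would not expect those to change. I would widen the line to `" --response-origin-only-with-rfc5780		Only send RESPONSE-ORIGIN (and, for old STUN clients, SOURCE-ADDRESS/CHANGED-ADDRESS) in binding responses if RFC5780 is enabled.\n"`. The same one-attribute wording is repeated in README.turnserver, examples/etc/turnserver.conf and the field comment in src/server/ns_turn_server.h and should be adjusted together. The Usage[] string, the enum and set_option() all start or end outside their hunks.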

+ 1 - 0
src/apps/relay/mainrelay.h

@@ -340,6 +340,7 @@ typedef struct _turn_params_ {
 
   vint log_binding;
   vint no_stun_backward_compatibility;
+  vint response_origin_only_with_rfc5780;
 } turn_params_t;
 
 extern turn_params_t turn_params;

+ 2 - 1
src/apps/relay/netengine.c

@@ -1695,7 +1695,8 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
 		turn_params.acme_redirect,
 		turn_params.allocation_default_address_family,
 		&turn_params.log_binding,
-		&turn_params.no_stun_backward_compatibility
+		&turn_params.no_stun_backward_compatibility,
+		&turn_params.response_origin_only_with_rfc5780
 		);
 	
 	if(to_set_rfc5780) {

+ 14 - 9
src/server/ns_turn_server.c

@@ -2881,14 +2881,16 @@ static int handle_turn_binding(turn_turnserver *server,
 
 			if(!is_rfc5780(server)) {
 
-				if(old_stun) {
-					stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
-								OLD_STUN_ATTRIBUTE_SOURCE_ADDRESS, response_origin);
-					stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
-								OLD_STUN_ATTRIBUTE_CHANGED_ADDRESS, response_origin);
-				} else {
-					stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
-							STUN_ATTRIBUTE_RESPONSE_ORIGIN, response_origin);
+				if(!(*server->response_origin_only_with_rfc5780)) {
+					if(old_stun) {
+						stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
+									OLD_STUN_ATTRIBUTE_SOURCE_ADDRESS, response_origin);
+						stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
+									OLD_STUN_ATTRIBUTE_CHANGED_ADDRESS, response_origin);
+					} else {
+						stun_attr_add_addr_str(ioa_network_buffer_data(nbh), &len,
+								STUN_ATTRIBUTE_RESPONSE_ORIGIN, response_origin);
+					}
 				}
 
 			} else if(ss->client_socket) {
@@ -4937,7 +4939,8 @@ void init_turn_server(turn_turnserver* server,
 		const char* acme_redirect,
 		ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family,
 		vintp log_binding,
-		vintp no_stun_backward_compatibility) {
+		vintp no_stun_backward_compatibility,
+		vintp response_origin_only_with_rfc5780) {
 
 	if (!server)
 		return;
@@ -5013,6 +5016,8 @@ void init_turn_server(turn_turnserver* server,
 	server->log_binding = log_binding;
 
 	server->no_stun_backward_compatibility = no_stun_backward_compatibility;
+
+	server->response_origin_only_with_rfc5780 = response_origin_only_with_rfc5780;
 }
 
 ioa_engine_handle turn_server_get_engine(turn_turnserver *s) {
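Review bot: The new `if(!(*server->response_origin_only_with_rfc5780))` in handle_turn_binding dereferences the vintp with no NULL guard, while init_turn_server in the later hunk stores whatever pointer the caller hands it; any caller that passes NULL for the new parameter (the visible setup_relay_server call passes a real address, other callers are not on the page) would crash on the first STUN Binding request rather than fall back to the old behaviour. A cheap guard that keeps the pre-commit behaviour when the flag is unset would be `if(!server->response_origin_only_with_rfc5780 || !(*server->response_origin_only_with_rfc5780)) {`. This presumably mirrors how no_stun_backward_compatibility is read elsewhere, so if that one is already guarded the same pattern applies here. handle_turn_binding starts and ends outside the hunk, so the `else if(ss->client_socket)` path that adds the attribute when RFC5780 is on was not reviewed.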

+ 5 - 1
src/server/ns_turn_server.h

@@ -190,6 +190,9 @@ struct _turn_turnserver {
 
 	/* Disable handling old STUN Binding Requests and disable MAPPED-ADDRESS attribute in response */
 	vintp no_stun_backward_compatibility;
+
+	/* Only send RESPONSE-ORIGIN attribute in response if RFC5780 is enabled */
+	vintp response_origin_only_with_rfc5780;
 };
 
 const char * get_version(turn_turnserver *server);
@@ -238,7 +241,8 @@ void init_turn_server(turn_turnserver* server,
 					const char* acme_redirect,
 					ALLOCATION_DEFAULT_ADDRESS_FAMILY allocation_default_address_family,
 					vintp log_binding,
-					vintp no_stun_backward_compatibility
+					vintp no_stun_backward_compatibility,
+					vintp response_origin_only_with_rfc5780
 					);
 
 ioa_engine_handle turn_server_get_engine(turn_turnserver *s);