1use alloc::borrow::ToOwned;
12use alloc::collections::{BTreeMap, VecDeque};
13use alloc::string::String;
14use alloc::vec;
15use alloc::vec::Vec;
16use byteorder::{BigEndian, ByteOrder};
17use core::net::{IpAddr, SocketAddr};
18use core::time::Duration;
19use pnet_packet::Packet;
20use turn_types::tcp::{IncomingTcp, StoredTcp, TurnTcpBuffer};
21use turn_types::transmit::{DelayedChannel, DelayedMessage, TransmitBuild};
22
23use stun_proto::agent::{StunAgent, Transmit};
24use stun_proto::types::attribute::{
25 AttributeType, ErrorCode, Fingerprint, MessageIntegrity, Nonce, Realm, Username,
26 XorMappedAddress,
27};
28use stun_proto::types::message::{
29 LongTermCredentials, Message, MessageClass, MessageIntegrityCredentials, MessageType,
30 MessageWrite, MessageWriteExt, MessageWriteVec, TransactionId, BINDING,
31};
32use stun_proto::types::prelude::{Attribute, AttributeFromRaw, AttributeStaticType};
33use stun_proto::types::TransportType;
34use stun_proto::Instant;
35use turn_types::channel::ChannelData;
36
37use turn_types::message::CREATE_PERMISSION;
38
39use turn_types::attribute::{
40 AdditionalAddressFamily, AddressErrorCode, Data as AData, EvenPort, Icmp,
41 RequestedAddressFamily, ReservationToken,
42};
43use turn_types::attribute::{
44 ChannelNumber, Lifetime, RequestedTransport, XorPeerAddress, XorRelayedAddress,
45};
46use turn_types::message::{ALLOCATE, CHANNEL_BIND, DATA, REFRESH, SEND};
47use turn_types::stun::message::{IntegrityAlgorithm, IntegrityKey};
48use turn_types::AddressFamily;
49
50use tracing::{debug, error, info, trace, warn};
51
52use crate::api::{
53 DelayedMessageOrChannelSend, SocketAllocateError, TurnServerApi, TurnServerPollRet,
54};
55
56static MINIMUM_NONCE_EXPIRY_DURATION: Duration = Duration::from_secs(30);
57static DEFAULT_NONCE_EXPIRY_DURATION: Duration = Duration::from_secs(3600);
58static MAXIMUM_ALLOCATION_DURATION: Duration = Duration::from_secs(3600);
59static DEFAULT_ALLOCATION_DURATION: Duration = Duration::from_secs(600);
60static PERMISSION_DURATION: Duration = Duration::from_secs(300);
61static CHANNEL_DURATION: Duration = Duration::from_secs(600);
62
63#[derive(Debug)]
65pub struct TurnServer {
66 realm: String,
67 stun: StunAgent,
68
69 clients: Vec<Client>,
70 nonces: Vec<NonceData>,
71 earliest_nonce_expiry: Option<Instant>,
72 pending_transmits: VecDeque<Transmit<Vec<u8>>>,
73 pending_allocates: VecDeque<PendingClient>,
74
75 users: BTreeMap<String, IntegrityKey>,
77 nonce_expiry_duration: Duration,
78}
79
80#[derive(Debug)]
81struct PendingClient {
82 client: Client,
83 transaction_id: TransactionId,
84 to_ask_families: smallvec::SmallVec<[AddressFamily; 2]>,
85 pending_families: smallvec::SmallVec<[AddressFamily; 2]>,
86 pending_sockets:
87 smallvec::SmallVec<[(AddressFamily, Result<SocketAddr, SocketAllocateError>); 2]>,
88 requested_lifetime: Option<u32>,
89}
90
91#[derive(Debug)]
92struct NonceData {
93 nonce: String,
94 expires_at: Instant,
95
96 transport: TransportType,
97 remote_addr: SocketAddr,
98 local_addr: SocketAddr,
99 tcp_buffer: TurnTcpBuffer,
100}
101
102#[derive(Debug)]
103struct ForwardChannelData {
104 transport: TransportType,
105 from: SocketAddr,
106 to: SocketAddr,
107}
108
109impl TurnServer {
110 pub fn new(ttype: TransportType, listen_addr: SocketAddr, realm: String) -> Self {
123 let stun = StunAgent::builder(ttype, listen_addr).build();
124 Self {
125 realm,
126 stun,
127 clients: vec![],
128 nonces: vec![],
129 earliest_nonce_expiry: None,
130 pending_transmits: VecDeque::default(),
131 pending_allocates: VecDeque::default(),
132 users: BTreeMap::default(),
133 nonce_expiry_duration: DEFAULT_NONCE_EXPIRY_DURATION,
134 }
135 }
136
137 pub fn transport(&self) -> TransportType {
139 self.stun.transport()
140 }
141
142 fn generate_nonce() -> String {
143 #[cfg(not(feature = "std"))]
144 {
145 use rand::Rng;
146 use rand::TryRngCore;
147 let mut rng = rand::rngs::OsRng.unwrap_err();
148 String::from_iter((0..16).map(|_| rng.sample(rand::distr::Alphanumeric) as char))
149 }
150 #[cfg(feature = "std")]
151 {
152 use rand::Rng;
153 let mut rng = rand::rng();
154 String::from_iter((0..16).map(|_| rng.sample(rand::distr::Alphanumeric) as char))
155 }
156 }
157
158 fn recalculate_nonce_expiry(&mut self, now: Instant) {
159 self.earliest_nonce_expiry = self
160 .nonces
161 .iter()
162 .try_fold(now + self.nonce_expiry_duration, |ret, val| {
163 Some(ret.min(val.expires_at))
164 });
165 }
166
167 fn validate_nonce(
168 &mut self,
169 ttype: TransportType,
170 from: SocketAddr,
171 to: SocketAddr,
172 now: Instant,
173 ) -> String {
174 let nonce_expiry_duration = self.nonce_expiry_duration;
181 let nonce_data = self.mut_nonce_from_5tuple(ttype, to, from);
182 if let Some(nonce_data) = nonce_data {
183 if nonce_data.expires_at < now {
184 nonce_data.nonce = Self::generate_nonce();
185 nonce_data.expires_at = now + nonce_expiry_duration;
186 let ret = nonce_data.nonce.clone();
187 if self
188 .earliest_nonce_expiry
189 .map_or(true, |earliest| earliest < now)
190 {
191 self.recalculate_nonce_expiry(now);
192 }
193 ret
194 } else {
195 nonce_data.nonce.clone()
196 }
197 } else {
198 let nonce_value = Self::generate_nonce();
199 self.nonces.push(NonceData {
200 transport: ttype,
201 remote_addr: from,
202 local_addr: to,
203 nonce: nonce_value.clone(),
204 expires_at: now + self.nonce_expiry_duration,
205 tcp_buffer: TurnTcpBuffer::new(),
206 });
207 self.recalculate_nonce_expiry(now);
208 nonce_value
209 }
210 }
211
212 fn validate_stun(
213 &mut self,
214 msg: &Message<'_>,
215 ttype: TransportType,
216 from: SocketAddr,
217 to: SocketAddr,
218 now: Instant,
219 ) -> Result<&IntegrityKey, MessageWriteVec> {
220 let mut integrity = None;
221 let mut username = None;
222 let mut realm = None;
223 let mut nonce = None;
224
225 for (_offset, attr) in msg.iter_attributes() {
226 match attr.get_type() {
227 MessageIntegrity::TYPE => integrity = MessageIntegrity::from_raw(attr).ok(),
228 Username::TYPE => username = Username::from_raw(attr).ok(),
229 Realm::TYPE => realm = Realm::from_raw(attr).ok(),
230 Nonce::TYPE => nonce = Nonce::from_raw(attr).ok(),
231 _ => (),
232 }
233 }
234
235 if integrity.is_none() {
237 let nonce_value = self.validate_nonce(ttype, from, to, now);
245 trace!("no message-integrity, returning unauthorized with nonce: {nonce_value}",);
246 let mut builder = Message::builder_error(msg, MessageWriteVec::new());
247 let nonce = Nonce::new(&nonce_value).unwrap();
248 builder.add_attribute(&nonce).unwrap();
249 let realm = Realm::new(&self.realm).unwrap();
250 builder.add_attribute(&realm).unwrap();
251 let error = ErrorCode::builder(ErrorCode::UNAUTHORIZED).build().unwrap();
252 builder.add_attribute(&error).unwrap();
253 return Err(builder);
254 }
255
256 let Some(((username, _realm), nonce)) = username.zip(realm).zip(nonce) else {
262 trace!("bad request due to missing username, realm, nonce");
263 return Err(Self::bad_request(msg));
264 };
265
266 let nonce_value = self.validate_nonce(ttype, from, to, now);
267 if nonce_value != nonce.nonce() {
268 trace!("stale nonce");
269 let mut builder = Message::builder_error(msg, MessageWriteVec::new());
270 let error = ErrorCode::builder(ErrorCode::STALE_NONCE).build().unwrap();
271 builder.add_attribute(&error).unwrap();
272 let realm = Realm::new(&self.realm).unwrap();
273 builder.add_attribute(&realm).unwrap();
274 let nonce = Nonce::new(&nonce_value).unwrap();
275 builder.add_attribute(&nonce).unwrap();
276
277 return Err(builder);
278 }
279
280 let password_key = self.users.get(username.username());
289 if password_key.map_or(true, |password_key| {
290 msg.validate_integrity_with_key(password_key).is_err()
291 }) {
292 trace!("integrity failed");
293 let mut builder = Message::builder_error(msg, MessageWriteVec::new());
294 let error = ErrorCode::builder(ErrorCode::UNAUTHORIZED).build().unwrap();
295 builder.add_attribute(&error).unwrap();
296 let realm = Realm::new(&self.realm).unwrap();
297 builder.add_attribute(&realm).unwrap();
298 let nonce = Nonce::new(&nonce_value).unwrap();
299 builder.add_attribute(&nonce).unwrap();
300 return Err(builder);
301 }
302 let password_key = password_key.unwrap();
303
304 if let Some(client) = self.client_from_5tuple(ttype, to, from) {
313 if client.username != username.username() {
314 trace!("mismatched username");
315 let mut builder = Message::builder_error(msg, MessageWriteVec::new());
316 let error = ErrorCode::builder(ErrorCode::WRONG_CREDENTIALS)
317 .build()
318 .unwrap();
319 builder.add_attribute(&error).unwrap();
320 builder
321 .add_message_integrity_with_key(password_key, IntegrityAlgorithm::Sha1)
322 .unwrap();
323 return Err(builder);
324 }
325 }
326
327 Ok(password_key)
328 }
329
330 fn server_error(msg: &Message<'_>) -> MessageWriteVec {
331 let mut response = Message::builder_error(msg, MessageWriteVec::new());
332 let error = ErrorCode::builder(ErrorCode::SERVER_ERROR).build().unwrap();
333 response.add_attribute(&error).unwrap();
334 response.add_fingerprint().unwrap();
335 response
336 }
337
338 fn bad_request(msg: &Message<'_>) -> MessageWriteVec {
339 let mut builder = Message::builder_error(msg, MessageWriteVec::new());
340 let error = ErrorCode::builder(ErrorCode::BAD_REQUEST).build().unwrap();
341 builder.add_attribute(&error).unwrap();
342 builder
343 }
344
345 fn bad_request_signed(msg: &Message<'_>, key: &IntegrityKey) -> MessageWriteVec {
346 let mut builder = Self::bad_request(msg);
347 builder
348 .add_message_integrity_with_key(key, IntegrityAlgorithm::Sha1)
349 .unwrap();
350 builder
351 }
352
353 fn allocation_mismatch(msg: &Message<'_>, key: &IntegrityKey) -> MessageWriteVec {
354 let mut response = Message::builder_error(msg, MessageWriteVec::new());
355 let error = ErrorCode::builder(ErrorCode::ALLOCATION_MISMATCH)
356 .build()
357 .unwrap();
358 response.add_attribute(&error).unwrap();
359 response
360 .add_message_integrity_with_key(key, IntegrityAlgorithm::Sha1)
361 .unwrap();
362 response.add_fingerprint().unwrap();
363 response
364 }
365
366 fn handle_stun_binding(
367 &mut self,
368 msg: &Message<'_>,
369 _ttype: TransportType,
370 from: SocketAddr,
371 to: SocketAddr,
372 now: Instant,
373 ) -> Result<Transmit<Vec<u8>>, MessageWriteVec> {
374 let response = if let Some(error_msg) =
375 Message::check_attribute_types(msg, &[Fingerprint::TYPE], &[], MessageWriteVec::new())
376 {
377 error_msg
378 } else {
379 let mut response = Message::builder_success(msg, MessageWriteVec::new());
380 let xor_addr = XorMappedAddress::new(from, msg.transaction_id());
381 response.add_attribute(&xor_addr).unwrap();
382 response.add_fingerprint().unwrap();
383 response
384 };
385 let response = response.finish();
386
387 let Ok(transmit) = self.stun.send(response, to, now) else {
388 error!("Failed to send");
389 return Err(Self::server_error(msg));
390 };
391
392 Ok(transmit)
393 }
394
395 fn handle_stun_allocate(
396 &mut self,
397 msg: &Message<'_>,
398 ttype: TransportType,
399 from: SocketAddr,
400 to: SocketAddr,
401 now: Instant,
402 ) -> Result<(), MessageWriteVec> {
403 let key = self.validate_stun(msg, ttype, from, to, now)?.clone();
404 let mut address_families = smallvec::SmallVec::<[AddressFamily; 2]>::new();
405
406 if let Some(_client) = self.mut_client_from_5tuple(ttype, to, from) {
407 trace!("allocation mismatch");
408 return Err(Self::allocation_mismatch(msg, &key));
409 };
410
411 let mut requested_transport = None;
412 let mut lifetime = None;
413 let mut reservation_token = None;
414 let mut even_port = None;
415 let mut requested_address_family = None;
416 let mut additional_address_family = None;
417 let mut username = None;
418
419 let mut unknown_attributes = smallvec::SmallVec::<[AttributeType; 4]>::default();
420 for (_offset, attr) in msg.iter_attributes() {
421 match attr.get_type() {
422 Realm::TYPE | Nonce::TYPE | MessageIntegrity::TYPE => (),
424 Username::TYPE => {
425 username = Username::from_raw(attr)
426 .ok()
427 .map(|u| u.username().to_owned())
428 }
429 RequestedTransport::TYPE => {
430 requested_transport = RequestedTransport::from_raw(attr).ok()
431 }
432 Lifetime::TYPE => lifetime = Lifetime::from_raw(attr).ok(),
433 ReservationToken::TYPE => reservation_token = Some(attr),
434 EvenPort::TYPE => even_port = Some(attr),
435 RequestedAddressFamily::TYPE => {
436 if additional_address_family.is_some() {
437 return Err(Self::bad_request_signed(msg, &key));
438 } else {
439 requested_address_family = Some(attr)
440 }
441 }
442 AdditionalAddressFamily::TYPE => {
443 if requested_address_family.is_some() {
444 return Err(Self::bad_request_signed(msg, &key));
445 } else {
446 additional_address_family = Some(attr)
447 }
448 }
449 atype => {
450 if atype.comprehension_required() {
451 unknown_attributes.push(atype);
452 }
453 }
454 }
455 }
456 if !unknown_attributes.is_empty() {
457 trace!("unknown attributes: {unknown_attributes:?}");
458 let mut err =
459 Message::unknown_attributes(msg, &unknown_attributes, MessageWriteVec::new());
460 err.add_message_integrity_with_key(&key, IntegrityAlgorithm::Sha1)
461 .unwrap();
462 return Err(err);
463 }
464
465 let Some(requested_transport) = requested_transport else {
466 return Err(Self::bad_request_signed(msg, &key));
467 };
468
469 if requested_transport.protocol() != RequestedTransport::UDP {
470 debug!(
471 "unsupported RequestedTransport {}",
472 requested_transport.protocol()
473 );
474 let mut builder = Message::builder_error(msg, MessageWriteVec::new());
475 let error = ErrorCode::builder(ErrorCode::UNSUPPORTED_TRANSPORT_PROTOCOL)
476 .build()
477 .unwrap();
478 builder.add_attribute(&error).unwrap();
479 builder
480 .add_message_integrity_with_key(&key, IntegrityAlgorithm::Sha1)
481 .unwrap();
482 return Err(builder);
483 }
484
485 if let Some(additional) = additional_address_family {
486 let Ok(additional) = AdditionalAddressFamily::from_raw(additional) else {
487 return Err(Self::bad_request_signed(msg, &key));
488 };
489 if requested_address_family.is_some()
498 || additional.family() == AddressFamily::IPV4
499 || reservation_token.is_some()
500 || even_port.is_some()
501 {
502 debug!(
503 "AdditionalAddressFamily with either {} == IPV4, ReservationToken {}, RequestedAddressFamily {}, or EvenPort {}. Bad Request",
504 additional.family(),
505 reservation_token.is_some(),
506 requested_address_family.is_some(),
507 even_port.is_some(),
508 );
509 return Err(Self::bad_request_signed(msg, &key));
510 }
511 address_families.push(AddressFamily::IPV4);
512 address_families.push(additional.family());
513 }
514
515 if let Some(requested) = requested_address_family {
516 let Ok(requested) = RequestedAddressFamily::from_raw(requested) else {
517 return Err(Self::bad_request_signed(msg, &key));
518 };
519 if reservation_token.is_some() {
520 debug!("RequestedAddressFamily with ReservationToken -> Bad Request");
521 return Err(Self::bad_request_signed(msg, &key));
522 }
523 address_families.push(requested.family());
524 } else if address_families.is_empty() {
525 address_families.push(AddressFamily::IPV4);
526 }
527
528 if let Some(_reservation_token) = reservation_token {
529 if even_port.is_some() {
540 debug!("ReservationToken with EvenPort -> Bad Request");
541 return Err(Self::bad_request_signed(msg, &key));
542 }
543
544 }
546
547 let client = Client {
553 transport: ttype,
554 remote_addr: from,
555 local_addr: to,
556 allocations: vec![],
557 username: username.unwrap(),
558 key,
559 };
560 debug!("have new pending ALLOCATE from client {ttype} from {from} to {to}");
561
562 self.pending_allocates.push_front(PendingClient {
563 client,
564 transaction_id: msg.transaction_id(),
565 to_ask_families: address_families.clone(),
566 pending_families: address_families,
567 pending_sockets: Default::default(),
568 requested_lifetime: lifetime.map(|lt| lt.seconds()),
569 });
570
571 Ok(())
572 }
573
574 fn handle_stun_refresh(
575 &mut self,
576 msg: &Message<'_>,
577 ttype: TransportType,
578 from: SocketAddr,
579 to: SocketAddr,
580 now: Instant,
581 ) -> Result<Transmit<Vec<u8>>, MessageWriteVec> {
582 let key = self.validate_stun(msg, ttype, from, to, now)?.clone();
583
584 let Some(client) = self.mut_client_from_5tuple(ttype, to, from) else {
585 trace!("allocation mismatch");
586 return Err(Self::allocation_mismatch(msg, &key));
587 };
588
589 let mut request_lifetime = None;
590 let mut requested_family = None;
591
592 let mut unknown_attributes = smallvec::SmallVec::<[AttributeType; 4]>::default();
593 for (_offset, attr) in msg.iter_attributes() {
594 match attr.get_type() {
595 Username::TYPE | Realm::TYPE | Nonce::TYPE | MessageIntegrity::TYPE => (),
597 Lifetime::TYPE => {
598 request_lifetime = Lifetime::from_raw(attr).ok().map(|lt| lt.seconds())
599 }
600 RequestedAddressFamily::TYPE => {
601 requested_family = RequestedAddressFamily::from_raw(attr)
602 .ok()
603 .map(|r| r.family())
604 }
605 atype => {
606 if atype.comprehension_required() {
607 unknown_attributes.push(atype);
608 }
609 }
610 }
611 }
612 if !unknown_attributes.is_empty() {
613 trace!("unknown attributes: {unknown_attributes:?}");
614 let mut err =
615 Message::unknown_attributes(msg, &unknown_attributes, MessageWriteVec::new());
616 err.add_message_integrity_with_key(&key, IntegrityAlgorithm::Sha1)
617 .unwrap();
618 return Err(err);
619 }
620
621 let mut request_lifetime =
623 request_lifetime.unwrap_or(DEFAULT_ALLOCATION_DURATION.as_secs() as u32);
624 if request_lifetime > 0 {
625 request_lifetime = request_lifetime.clamp(
626 DEFAULT_ALLOCATION_DURATION.as_secs() as u32,
627 MAXIMUM_ALLOCATION_DURATION.as_secs() as u32,
628 );
629 }
630 let mut modified = false;
631 if request_lifetime == 0 {
632 if let Some(family) = requested_family {
633 client.allocations.retain(|allocation| {
634 if (family == AddressFamily::IPV4 && allocation.addr.is_ipv4())
635 || (family == AddressFamily::IPV6 && allocation.addr.is_ipv6())
636 {
637 modified = true;
638 false
639 } else {
640 true
641 }
642 });
643 if client.allocations.is_empty() {
644 self.remove_client_by_5tuple(ttype, to, from);
645 }
646 } else {
647 self.remove_client_by_5tuple(ttype, to, from);
648 modified = true;
649 }
650 } else {
651 for allocation in client.allocations.iter_mut() {
652 if requested_family.map_or(true, |family| {
653 (family == AddressFamily::IPV4 && allocation.addr.is_ipv4())
654 || (family == AddressFamily::IPV6 && allocation.addr.is_ipv6())
655 }) {
656 modified = true;
657 allocation.expires_at = now + Duration::from_secs(request_lifetime as u64)
658 }
659 }
660 }
661
662 let mut builder = if modified {
663 let mut builder = Message::builder_success(msg, MessageWriteVec::new());
664 let lifetime = Lifetime::new(request_lifetime);
665 builder.add_attribute(&lifetime).unwrap();
666 builder
667 } else {
668 trace!("peer address family mismatch");
669 let mut builder = Message::builder_error(msg, MessageWriteVec::new());
670 builder
671 .add_attribute(
672 &ErrorCode::builder(ErrorCode::PEER_ADDRESS_FAMILY_MISMATCH)
673 .build()
674 .unwrap(),
675 )
676 .unwrap();
677 builder
678 };
679 builder
680 .add_message_integrity_with_key(&key, IntegrityAlgorithm::Sha1)
681 .unwrap();
682 let response = builder.finish();
683 let Ok(transmit) = self.stun.send(response, from, now) else {
684 error!("Failed to send");
685 return Err(Self::server_error(msg));
686 };
687
688 info!("Successfully refreshed allocation {ttype}, from {from} to {to}");
689
690 Ok(transmit)
691 }
692
693 fn handle_stun_create_permission(
694 &mut self,
695 msg: &Message<'_>,
696 ttype: TransportType,
697 from: SocketAddr,
698 to: SocketAddr,
699 now: Instant,
700 ) -> Result<Transmit<Vec<u8>>, MessageWriteVec> {
701 let key = self.validate_stun(msg, ttype, from, to, now)?.clone();
702
703 let Some(client) = self.mut_client_from_5tuple(ttype, to, from) else {
704 trace!("allocation mismatch");
705 return Err(Self::allocation_mismatch(msg, &key));
706 };
707
708 let mut peer_addresses = smallvec::SmallVec::<[SocketAddr; 4]>::default();
709 let mut unknown_attributes = smallvec::SmallVec::<[AttributeType; 4]>::default();
710 for (_offset, attr) in msg.iter_attributes() {
711 match attr.get_type() {
712 Username::TYPE | Realm::TYPE | Nonce::TYPE | MessageIntegrity::TYPE => (),
714 XorPeerAddress::TYPE => {
715 let Ok(xor_peer_addr) = XorPeerAddress::from_raw(attr) else {
716 return Err(Self::bad_request_signed(msg, &key));
717 };
718 peer_addresses.push(xor_peer_addr.addr(msg.transaction_id()));
719 }
720 atype => {
721 if atype.comprehension_required() {
722 unknown_attributes.push(atype);
723 }
724 }
725 }
726 }
727 if !unknown_attributes.is_empty() {
728 trace!("unknown attributes: {unknown_attributes:?}");
729 let mut err =
730 Message::unknown_attributes(msg, &unknown_attributes, MessageWriteVec::new());
731 err.add_message_integrity_with_key(&key, IntegrityAlgorithm::Sha1)
732 .unwrap();
733 return Err(err);
734 }
735 if peer_addresses.is_empty() {
736 return Err(Self::bad_request_signed(msg, &key));
737 }
738
739 for peer_addr in peer_addresses.iter() {
740 let Some(alloc) = client
741 .allocations
742 .iter_mut()
743 .find(|a| a.addr.is_ipv4() == peer_addr.is_ipv4())
744 else {
745 trace!("peer address family mismatch");
746 let mut response = Message::builder_error(msg, MessageWriteVec::new());
747 response
748 .add_attribute(
749 &ErrorCode::builder(ErrorCode::PEER_ADDRESS_FAMILY_MISMATCH)
750 .build()
751 .unwrap(),
752 )
753 .unwrap();
754 response
755 .add_message_integrity_with_key(&key, IntegrityAlgorithm::Sha1)
756 .unwrap();
757 response.add_fingerprint().unwrap();
758 return Err(response);
759 };
760
761 if now > alloc.expires_at {
762 trace!("allocation has expired");
763 return Err(Self::allocation_mismatch(msg, &key));
765 }
766
767 if let Some(position) = alloc
769 .permissions
770 .iter()
771 .position(|perm| perm.ttype == TransportType::Udp && perm.addr == peer_addr.ip())
772 {
773 alloc.permissions[position].expires_at = now + PERMISSION_DURATION;
774 } else {
775 alloc.permissions.push(Permission {
776 addr: peer_addr.ip(),
777 ttype: TransportType::Udp,
778 expires_at: now + PERMISSION_DURATION,
779 });
780 }
781 }
782
783 let mut builder = Message::builder_success(msg, MessageWriteVec::new());
784 builder
785 .add_message_integrity_with_key(&key, IntegrityAlgorithm::Sha1)
786 .unwrap();
787 let response = builder.finish();
788
789 let Ok(transmit) = self.stun.send(response, from, now) else {
790 error!("Failed to send");
791 return Err(Self::server_error(msg));
792 };
793 debug!(
794 "allocation {ttype} from {from} to {to} successfully created permission for {:?}",
795 peer_addresses
796 );
797
798 Ok(transmit)
799 }
800
801 fn handle_stun_channel_bind(
802 &mut self,
803 msg: &Message<'_>,
804 ttype: TransportType,
805 from: SocketAddr,
806 to: SocketAddr,
807 now: Instant,
808 ) -> Result<Transmit<Vec<u8>>, MessageWriteVec> {
809 let key = self.validate_stun(msg, ttype, from, to, now)?.clone();
810
811 let Some(client) = self.mut_client_from_5tuple(ttype, to, from) else {
812 trace!("allocation mismatch");
813 return Err(Self::allocation_mismatch(msg, &key));
814 };
815
816 let mut xor_peer_address = None;
817 let mut channel_number = None;
818
819 let mut unknown_attributes = smallvec::SmallVec::<[AttributeType; 4]>::default();
820 for (_offset, attr) in msg.iter_attributes() {
821 match attr.get_type() {
822 Username::TYPE | Realm::TYPE | Nonce::TYPE | MessageIntegrity::TYPE => (),
824 XorPeerAddress::TYPE => xor_peer_address = XorPeerAddress::from_raw(attr).ok(),
825 ChannelNumber::TYPE => channel_number = ChannelNumber::from_raw(attr).ok(),
826 atype => {
827 if atype.comprehension_required() {
828 unknown_attributes.push(atype);
829 }
830 }
831 }
832 }
833 if !unknown_attributes.is_empty() {
834 trace!("unknown attributes: {unknown_attributes:?}");
835 let mut err =
836 Message::unknown_attributes(msg, &unknown_attributes, MessageWriteVec::new());
837 err.add_message_integrity_with_key(&key, IntegrityAlgorithm::Sha1)
838 .unwrap();
839 return Err(err);
840 }
841
842 let peer_addr = xor_peer_address.map(|peer_addr| peer_addr.addr(msg.transaction_id()));
843 let channel_no = channel_number.map(|channel| channel.channel());
844
845 let Some(peer_addr) = peer_addr else {
846 trace!("No peer address");
847 return Err(Self::bad_request_signed(msg, &key));
848 };
849
850 let Some(alloc) = client
851 .allocations
852 .iter_mut()
853 .find(|allocation| allocation.addr.is_ipv4() == peer_addr.is_ipv4())
854 else {
855 trace!("peer address family mismatch");
856 let mut response = Message::builder_error(msg, MessageWriteVec::new());
857 response
858 .add_attribute(
859 &ErrorCode::builder(ErrorCode::PEER_ADDRESS_FAMILY_MISMATCH)
860 .build()
861 .unwrap(),
862 )
863 .unwrap();
864 response
865 .add_message_integrity_with_key(&key, IntegrityAlgorithm::Sha1)
866 .unwrap();
867 response.add_fingerprint().unwrap();
868 return Err(response);
869 };
870
871 if now > alloc.expires_at {
872 trace!("allocation has expired");
873 return Err(Self::allocation_mismatch(msg, &key));
875 }
876
877 let mut existing = alloc.channels.iter_mut().find(|channel| {
878 channel.peer_addr == peer_addr && channel.peer_transport == TransportType::Udp
879 });
880
881 let Some(channel_no) = channel_no else {
882 debug!("Bad request: no requested channel id");
883 return Err(Self::bad_request_signed(msg, &key));
884 };
885
886 if !(0x4000..=0x7fff).contains(&channel_no) {
889 trace!("Channel id out of range");
890 return Err(Self::bad_request_signed(msg, &key));
891 }
892 if existing
893 .as_ref()
894 .is_some_and(|existing| existing.id != channel_no)
895 {
896 trace!("channel peer address does not match channel ID");
897 return Err(Self::bad_request_signed(msg, &key));
898 }
899
900 if let Some(existing) = existing.as_mut() {
901 existing.expires_at = now + CHANNEL_DURATION;
902 } else {
903 alloc.channels.push(Channel {
904 id: channel_no,
905 peer_addr,
906 peer_transport: TransportType::Udp,
907 expires_at: now + CHANNEL_DURATION,
908 });
909 }
910
911 if let Some(existing) = alloc
912 .permissions
913 .iter_mut()
914 .find(|perm| perm.ttype == TransportType::Udp && perm.addr == peer_addr.ip())
915 {
916 existing.expires_at = now + PERMISSION_DURATION;
917 } else {
918 alloc.permissions.push(Permission {
919 addr: peer_addr.ip(),
920 ttype: TransportType::Udp,
921 expires_at: now + PERMISSION_DURATION,
922 });
923 }
924
925 let mut builder = Message::builder_success(msg, MessageWriteVec::new());
926 builder
927 .add_message_integrity_with_key(&key, IntegrityAlgorithm::Sha1)
928 .unwrap();
929 let response = builder.finish();
930
931 let Ok(transmit) = self.stun.send(response, from, now) else {
932 error!("Failed to send");
933 return Err(Self::server_error(msg));
934 };
935
936 debug!("allocation {ttype} from {from} to {to} successfully created channel {channel_no} for {:?}", peer_addr.ip());
937
938 Ok(transmit)
939 }
940
941 fn handle_stun_send_indication<'a>(
942 &mut self,
943 msg: &'a Message<'a>,
944 ttype: TransportType,
945 from: SocketAddr,
946 to: SocketAddr,
947 now: Instant,
948 ) -> Result<
949 (
950 TransportType,
951 SocketAddr,
952 SocketAddr,
953 core::ops::Range<usize>,
954 ),
955 (),
956 > {
957 let mut peer_address = None;
958 let mut data = None;
959
960 for (offset, attr) in msg.iter_attributes() {
961 match attr.get_type() {
962 XorPeerAddress::TYPE => {
963 peer_address = Some(
964 XorPeerAddress::from_raw(attr)
965 .map_err(|_| ())?
966 .addr(msg.transaction_id()),
967 );
968 }
969 AData::TYPE => data = AData::from_raw(attr).ok().map(|adata| (offset + 4, adata)),
970 atype => {
971 if atype.comprehension_required() {
972 return Err(());
973 }
974 }
975 }
976 }
977 let Some((peer_address, (offset, data))) = peer_address.zip(data) else {
978 return Err(());
979 };
980
981 let Some(client) = self.client_from_5tuple(ttype, to, from) else {
982 trace!("no client for transport {ttype:?} from {from:?}, to {to:?}");
983 return Err(());
984 };
985
986 let Some(alloc) = client
987 .allocations
988 .iter()
989 .find(|allocation| allocation.addr.ip().is_ipv4() == peer_address.is_ipv4())
990 else {
991 trace!("no allocation available");
992 return Err(());
993 };
994 if now > alloc.expires_at {
995 debug!("{} allocation {} expired", alloc.ttype, alloc.addr);
996 return Err(());
997 }
998
999 let Some(_permission) = alloc.have_permission(peer_address.ip(), now) else {
1000 trace!("no permission for {}", peer_address);
1001 return Err(());
1002 };
1003
1004 trace!("have {} to send to {:?}", data.data().len(), peer_address);
1005 Ok((
1006 alloc.ttype,
1007 alloc.addr,
1008 peer_address,
1009 offset..offset + data.data().len(),
1010 ))
1011 }
1012
1013 #[tracing::instrument(
1014 name = "turn_server_handle_stun",
1015 skip(self, msg, ttype, from, to, now),
1016 fields(
1017 msg.transaction = %msg.transaction_id(),
1018 msg.method = %msg.method(),
1019 )
1020 )]
1021 fn handle_stun<'a>(
1022 &mut self,
1023 msg: &'a Message<'a>,
1024 ttype: TransportType,
1025 from: SocketAddr,
1026 to: SocketAddr,
1027 now: Instant,
1028 ) -> Result<Option<InternalHandleStun>, MessageWriteVec> {
1029 trace!("received STUN message {msg}");
1030 let ret = if msg.has_class(stun_proto::types::message::MessageClass::Request) {
1031 match msg.method() {
1032 BINDING => self
1033 .handle_stun_binding(msg, ttype, from, to, now)
1034 .map(|t| Some(InternalHandleStun::Transmit(t))),
1035 ALLOCATE => self
1036 .handle_stun_allocate(msg, ttype, from, to, now)
1037 .map(|_| None),
1038 REFRESH => self
1039 .handle_stun_refresh(msg, ttype, from, to, now)
1040 .map(|t| Some(InternalHandleStun::Transmit(t))),
1041 CREATE_PERMISSION => self
1042 .handle_stun_create_permission(msg, ttype, from, to, now)
1043 .map(|t| Some(InternalHandleStun::Transmit(t))),
1044 CHANNEL_BIND => self
1045 .handle_stun_channel_bind(msg, ttype, from, to, now)
1046 .map(|t| Some(InternalHandleStun::Transmit(t))),
1047 _ => {
1048 let key = self.validate_stun(msg, ttype, from, to, now)?.clone();
1049 let Some(_client) = self.mut_client_from_5tuple(ttype, to, from) else {
1050 return Err(Self::allocation_mismatch(msg, &key));
1051 };
1052
1053 Err(Self::bad_request_signed(msg, &key))
1054 }
1055 }
1056 } else if msg.has_class(stun_proto::types::message::MessageClass::Indication) {
1057 match msg.method() {
1058 SEND => Ok(self
1059 .handle_stun_send_indication(msg, ttype, from, to, now)
1060 .ok()
1061 .map(|(transport, from, to, range)| {
1062 InternalHandleStun::Data(transport, from, to, range)
1063 })),
1064 _ => Ok(None),
1065 }
1066 } else {
1067 Ok(None)
1068 };
1069 ret
1070 }
1071
1072 fn mut_nonce_from_5tuple(
1073 &mut self,
1074 ttype: TransportType,
1075 local_addr: SocketAddr,
1076 remote_addr: SocketAddr,
1077 ) -> Option<&mut NonceData> {
1078 self.nonces.iter_mut().find(|nonce| {
1079 nonce.transport == ttype
1080 && nonce.remote_addr == remote_addr
1081 && nonce.local_addr == local_addr
1082 })
1083 }
1084
1085 fn client_from_5tuple(
1086 &self,
1087 ttype: TransportType,
1088 local_addr: SocketAddr,
1089 remote_addr: SocketAddr,
1090 ) -> Option<&Client> {
1091 self.clients.iter().find(|client| {
1092 client.transport == ttype
1093 && client.remote_addr == remote_addr
1094 && client.local_addr == local_addr
1095 })
1096 }
1097
1098 fn mut_client_from_5tuple(
1099 &mut self,
1100 ttype: TransportType,
1101 local_addr: SocketAddr,
1102 remote_addr: SocketAddr,
1103 ) -> Option<&mut Client> {
1104 self.clients.iter_mut().find(|client| {
1105 client.transport == ttype
1106 && client.remote_addr == remote_addr
1107 && client.local_addr == local_addr
1108 })
1109 }
1110
1111 fn remove_client_by_5tuple(
1112 &mut self,
1113 ttype: TransportType,
1114 local_addr: SocketAddr,
1115 remote_addr: SocketAddr,
1116 ) {
1117 info!("attempting to remove client {ttype}, {remote_addr} -> {local_addr}");
1118 self.clients.retain(|client| {
1119 client.transport != ttype
1120 && client.remote_addr != remote_addr
1121 && client.local_addr == local_addr
1122 })
1123 }
1124
1125 fn allocation_from_public_5tuple(
1126 &self,
1127 ttype: TransportType,
1128 local_addr: SocketAddr,
1129 remote_addr: SocketAddr,
1130 ) -> Option<(&Client, &Allocation, &Permission)> {
1131 self.clients.iter().find_map(|client| {
1132 client
1133 .allocations
1134 .iter()
1135 .find_map(|allocation| {
1136 if allocation.ttype == ttype && allocation.addr == local_addr {
1137 allocation
1138 .permissions
1139 .iter()
1140 .find(|permission| permission.addr == remote_addr.ip())
1141 .map(|permission| (allocation, permission))
1142 } else {
1143 None
1144 }
1145 })
1146 .map(|(allocation, permission)| (client, allocation, permission))
1147 })
1148 }
1149
1150 fn handle_channel(
1151 &mut self,
1152 transport: TransportType,
1153 from: SocketAddr,
1154 to: SocketAddr,
1155 channel: ChannelData<'_>,
1156 now: Instant,
1157 ) -> Option<ForwardChannelData> {
1158 let Some(client) = self.client_from_5tuple(transport, to, from) else {
1159 trace!(
1160 "No handler for {} bytes over {:?} from {:?}, to {:?}. Ignoring",
1161 channel.data().len() + 4,
1162 transport,
1163 from,
1164 to
1165 );
1166 return None;
1167 };
1168 trace!(
1169 "received channel {} with {} bytes from {:?}",
1170 channel.id(),
1171 channel.data().len(),
1172 from
1173 );
1174 let Some((allocation, existing)) = client.allocations.iter().find_map(|allocation| {
1175 allocation
1176 .channel_from_id(channel.id())
1177 .map(|perm| (allocation, perm))
1178 }) else {
1179 warn!(
1180 "no channel id {} for this client {:?}",
1181 channel.id(),
1182 client.remote_addr
1183 );
1184 return None;
1186 };
1187 if existing.expires_at < now {
1188 trace!(
1189 "channel for {from} expired {:?} ago",
1190 now - existing.expires_at
1191 );
1192 return None;
1193 }
1194
1195 let Some(permission) = allocation.permission_from_5tuple(
1198 allocation.ttype,
1199 allocation.addr,
1200 existing.peer_addr,
1201 ) else {
1202 warn!(
1203 "no permission for {:?} for this allocation {:?}",
1204 existing.peer_addr, allocation.addr
1205 );
1206 return None;
1207 };
1208 if permission.expires_at < now {
1209 trace!(
1210 "permission for {from} expired {:?} ago",
1211 now - permission.expires_at
1212 );
1213 return None;
1214 }
1215 Some(ForwardChannelData {
1216 transport: allocation.ttype,
1217 from: allocation.addr,
1218 to: existing.peer_addr,
1219 })
1220 }
1221
1222 fn handle_listen_tcp_stored_message(
1223 &mut self,
1224 remote_addr: SocketAddr,
1225 data: Vec<u8>,
1226 now: Instant,
1227 ) -> Option<Transmit<Vec<u8>>> {
1228 let listen_addr = self.listen_address();
1229 let Ok(msg) = Message::from_bytes(&data) else {
1230 return None;
1231 };
1232 match self.handle_stun(&msg, TransportType::Tcp, remote_addr, listen_addr, now) {
1233 Err(builder) => Some(Transmit::new(
1234 builder.finish(),
1235 TransportType::Tcp,
1236 listen_addr,
1237 remote_addr,
1238 )),
1239 Ok(Some(InternalHandleStun::Transmit(transmit))) => Some(transmit),
1240 Ok(Some(InternalHandleStun::Data(transport, from, to, range))) => Some(Transmit::new(
1241 data[range.start..range.end].to_vec(),
1242 transport,
1243 from,
1244 to,
1245 )),
1246 Ok(None) => None,
1247 }
1248 }
1249}
1250
1251impl TurnServerApi for TurnServer {
1252 fn add_user(&mut self, username: String, password: String) {
1253 let key = MessageIntegrityCredentials::LongTerm(LongTermCredentials::new(
1254 username.to_owned(),
1255 password.to_owned(),
1256 self.realm.clone(),
1257 ))
1258 .make_key();
1259 self.users.insert(username, key);
1260 }
1261
1262 fn listen_address(&self) -> SocketAddr {
1263 self.stun.local_addr()
1264 }
1265
1266 fn set_nonce_expiry_duration(&mut self, expiry_duration: Duration) {
1267 if expiry_duration < MINIMUM_NONCE_EXPIRY_DURATION {
1268 panic!("Attempted to set a nonce expiry duration ({expiry_duration:?}) of less than the allowed minimum ({MINIMUM_NONCE_EXPIRY_DURATION:?})");
1269 }
1270 self.nonce_expiry_duration = expiry_duration;
1271 }
1272
1273 #[tracing::instrument(
1274 name = "turn_server_recv_icmp",
1275 skip(self, bytes, now),
1276 fields(
1277 data_len = bytes.as_ref().len(),
1278 )
1279 )]
1280 fn recv_icmp<T: AsRef<[u8]>>(
1281 &mut self,
1282 family: AddressFamily,
1283 bytes: T,
1284 now: Instant,
1285 ) -> Option<Transmit<Vec<u8>>> {
1286 use pnet_packet::udp;
1287 let bytes = bytes.as_ref();
1288 trace!("have incoming icmp data");
1289 if bytes.len() < 8 {
1290 return None;
1291 }
1292
1293 let icmpv4;
1294 let ipv4;
1295 let icmpv6;
1296 let ipv6;
1297 let source;
1298 let destination;
1299 let icmp_code;
1300 let icmp_type;
1301 let icmp_data;
1302 let payload = match family {
1303 AddressFamily::IPV4 => {
1304 use pnet_packet::{icmp, ipv4};
1305 icmpv4 = icmp::IcmpPacket::new(bytes)?;
1306 trace!("parsed icmp: {icmpv4:?}");
1307 icmp_code = icmpv4.get_icmp_code().0;
1308 icmp_type = icmpv4.get_icmp_type().0;
1309 if ![
1311 icmp::IcmpTypes::DestinationUnreachable,
1312 icmp::IcmpTypes::TimeExceeded,
1313 ]
1314 .contains(&icmpv4.get_icmp_type())
1315 {
1316 debug!("ICMPv4 is not an actionable type");
1317 return None;
1318 }
1319 if icmpv4.get_icmp_type() == icmp::IcmpTypes::DestinationUnreachable &&
1320 icmpv4.get_icmp_code() == icmp::destination_unreachable::IcmpCodes::FragmentationRequiredAndDFFlagSet
1321 {
1322 icmp_data = BigEndian::read_u32(icmpv4.payload());
1323 } else {
1324 icmp_data = 0;
1325 };
1326 ipv4 = ipv4::Ipv4Packet::new(&icmpv4.payload()[4..])?;
1327 trace!("parsed ipv4: {ipv4:?}");
1328 source = IpAddr::V4(ipv4.get_source().octets().into());
1329 destination = IpAddr::V4(ipv4.get_destination().octets().into());
1330 ipv4.payload()
1331 }
1332 AddressFamily::IPV6 => {
1333 use pnet_packet::{icmpv6, ipv6};
1334 icmpv6 = icmpv6::Icmpv6Packet::new(bytes)?;
1335 icmp_type = icmpv6.get_icmpv6_type().0;
1336 icmp_code = icmpv6.get_icmpv6_code().0;
1337 if ![
1339 icmpv6::Icmpv6Types::DestinationUnreachable,
1340 icmpv6::Icmpv6Types::PacketTooBig,
1341 icmpv6::Icmpv6Types::TimeExceeded,
1342 ]
1343 .contains(&icmpv6.get_icmpv6_type())
1344 {
1345 debug!("ICMPv6 is not an actionable type");
1346 return None;
1347 }
1348 if icmpv6.get_icmpv6_type() == icmpv6::Icmpv6Types::PacketTooBig {
1349 icmp_data = BigEndian::read_u32(icmpv6.payload());
1350 } else {
1351 icmp_data = 0;
1352 };
1353 ipv6 = ipv6::Ipv6Packet::new(&icmpv6.payload()[4..])?;
1354 trace!("parsed ipv6: {ipv6:?}");
1355 source = IpAddr::V6(ipv6.get_source().segments().into());
1356 destination = IpAddr::V6(ipv6.get_destination().segments().into());
1357 ipv6.payload()
1358 }
1359 };
1360 let udp = udp::UdpPacket::new(payload)?;
1361 let source = SocketAddr::new(source, udp.get_source());
1362 let destination = SocketAddr::new(destination, udp.get_destination());
1363 let (client, allocation, permission) =
1364 self.allocation_from_public_5tuple(TransportType::Udp, source, destination)?;
1365 if allocation.expires_at < now || permission.expires_at < now {
1366 return None;
1367 }
1368
1369 info!(
1370 "sending ICMP (type:{icmp_type}, code:{icmp_code}, data{icmp_data}) DATA indication to client {}",
1371 client.remote_addr
1372 );
1373 let mut msg = Message::builder(
1374 MessageType::from_class_method(MessageClass::Indication, DATA),
1375 TransactionId::generate(),
1376 MessageWriteVec::new(),
1377 );
1378 msg.add_attribute(&XorPeerAddress::new(destination, msg.transaction_id()))
1379 .unwrap();
1380 msg.add_attribute(&Icmp::new(icmp_type, icmp_code, icmp_data))
1381 .unwrap();
1382 self.stun.send(msg.finish(), client.remote_addr, now).ok()
1383 }
1384
1385 #[tracing::instrument(
1386 name = "turn_server_recv",
1387 skip(self, transmit, now),
1388 fields(
1389 transport = %transmit.transport,
1390 remote_addr = %transmit.from,
1391 local_addr = %transmit.to,
1392 data_len = transmit.data.as_ref().len(),
1393 )
1394 )]
1395 fn recv<T: AsRef<[u8]> + core::fmt::Debug>(
1396 &mut self,
1397 transmit: Transmit<T>,
1398 now: Instant,
1399 ) -> Option<TransmitBuild<DelayedMessageOrChannelSend<T>>> {
1400 trace!("executing at {now:?}");
1401 if let Some((client, allocation, permission)) =
1402 self.allocation_from_public_5tuple(transmit.transport, transmit.to, transmit.from)
1403 {
1404 if permission.expires_at < now {
1407 trace!(
1408 "permission for {} expired {:?} ago",
1409 permission.addr,
1410 now - permission.expires_at
1411 );
1412 return None;
1413 }
1414
1415 if let Some(existing) =
1416 allocation.channel_from_5tuple(transmit.transport, transmit.to, transmit.from)
1417 {
1418 debug!(
1419 "found existing channel {} for {:?} for this allocation {:?}",
1420 existing.id, transmit.from, allocation.addr
1421 );
1422 Some(TransmitBuild::new(
1423 DelayedMessageOrChannelSend::Channel(DelayedChannel::new(
1424 existing.id,
1425 transmit.data,
1426 )),
1427 client.transport,
1428 client.local_addr,
1429 client.remote_addr,
1430 ))
1431 } else {
1432 debug!(
1434 "no channel for {:?} for this allocation {:?}, using DATA indication",
1435 transmit.from, allocation.addr
1436 );
1437
1438 Some(TransmitBuild::new(
1439 DelayedMessageOrChannelSend::Message(DelayedMessage::for_client(
1440 transmit.from,
1441 transmit.data,
1442 )),
1443 client.transport,
1444 client.local_addr,
1445 client.remote_addr,
1446 ))
1447 }
1448 } else if transmit.transport == self.stun.transport()
1449 && transmit.to == self.stun.local_addr()
1450 {
1451 match transmit.transport {
1452 TransportType::Tcp => {
1453 let tcp_buffer = if let Some(tcp_buffer) = self
1454 .mut_nonce_from_5tuple(transmit.transport, transmit.to, transmit.from)
1455 .map(|nonce| &mut nonce.tcp_buffer)
1456 {
1457 tcp_buffer
1458 } else {
1459 let nonce_value = Self::generate_nonce();
1460 self.nonces.push(NonceData {
1461 transport: transmit.transport,
1462 remote_addr: transmit.from,
1463 local_addr: transmit.to,
1464 nonce: nonce_value.clone(),
1465 expires_at: now + self.nonce_expiry_duration,
1466 tcp_buffer: TurnTcpBuffer::new(),
1467 });
1468 self.recalculate_nonce_expiry(now);
1469 &mut self.nonces.last_mut().unwrap().tcp_buffer
1470 };
1471 match tcp_buffer.incoming_tcp(transmit) {
1472 None => None,
1473 Some(IncomingTcp::CompleteMessage(transmit, range)) => {
1474 let Ok(msg) = Message::from_bytes(
1475 &transmit.data.as_ref()[range.start..range.end],
1476 ) else {
1477 return None;
1478 };
1479 match self.handle_stun(
1480 &msg,
1481 transmit.transport,
1482 transmit.from,
1483 transmit.to,
1484 now,
1485 ) {
1486 Err(builder) => Some(TransmitBuild::new(
1487 DelayedMessageOrChannelSend::Owned(builder.finish()),
1488 transmit.transport,
1489 transmit.to,
1490 transmit.from,
1491 )),
1492 Ok(Some(InternalHandleStun::Transmit(transmit))) => {
1493 Some(TransmitBuild::new(
1494 DelayedMessageOrChannelSend::Owned(transmit.data),
1495 transmit.transport,
1496 transmit.from,
1497 transmit.to,
1498 ))
1499 }
1500 Ok(Some(InternalHandleStun::Data(transport, from, to, range))) => {
1501 Some(TransmitBuild::new(
1502 DelayedMessageOrChannelSend::Range(transmit.data, range),
1503 transport,
1504 from,
1505 to,
1506 ))
1507 }
1508 Ok(None) => None,
1509 }
1510 }
1511 Some(IncomingTcp::CompleteChannel(transmit, range)) => {
1512 let Ok(channel) =
1513 ChannelData::parse(&transmit.data.as_ref()[range.start..range.end])
1514 else {
1515 return None;
1516 };
1517 let ForwardChannelData {
1518 transport,
1519 from,
1520 to,
1521 } = self.handle_channel(
1522 transmit.transport,
1523 transmit.from,
1524 transmit.to,
1525 channel,
1526 now,
1527 )?;
1528 Some(TransmitBuild::new(
1529 DelayedMessageOrChannelSend::Range(
1530 transmit.data,
1531 4 + range.start..range.end,
1532 ),
1533 transport,
1534 from,
1535 to,
1536 ))
1537 }
1538 Some(IncomingTcp::StoredMessage(data, transmit)) => self
1539 .handle_listen_tcp_stored_message(transmit.from, data, now)
1540 .map(|transmit| {
1541 TransmitBuild::new(
1542 DelayedMessageOrChannelSend::Owned(transmit.data),
1543 transmit.transport,
1544 transmit.from,
1545 transmit.to,
1546 )
1547 }),
1548 Some(IncomingTcp::StoredChannel(data, transmit)) => {
1549 let Ok(channel) = ChannelData::parse(&data) else {
1550 return None;
1551 };
1552 let ForwardChannelData {
1553 transport,
1554 from,
1555 to,
1556 } = self.handle_channel(
1557 transmit.transport,
1558 transmit.from,
1559 transmit.to,
1560 channel,
1561 now,
1562 )?;
1563 Some(TransmitBuild::new(
1564 DelayedMessageOrChannelSend::Owned(data[4..].to_vec()),
1565 transport,
1566 from,
1567 to,
1568 ))
1569 }
1570 }
1571 }
1572 TransportType::Udp => match Message::from_bytes(transmit.data.as_ref()) {
1573 Ok(msg) => {
1574 match self.handle_stun(
1575 &msg,
1576 transmit.transport,
1577 transmit.from,
1578 transmit.to,
1579 now,
1580 ) {
1581 Err(builder) => Some(TransmitBuild::new(
1582 DelayedMessageOrChannelSend::Owned(builder.finish()),
1583 transmit.transport,
1584 transmit.to,
1585 transmit.from,
1586 )),
1587 Ok(Some(InternalHandleStun::Transmit(transmit))) => {
1588 Some(TransmitBuild::new(
1589 DelayedMessageOrChannelSend::Owned(transmit.data),
1590 transmit.transport,
1591 transmit.from,
1592 transmit.to,
1593 ))
1594 }
1595 Ok(Some(InternalHandleStun::Data(transport, from, to, range))) => {
1596 Some(TransmitBuild::new(
1597 DelayedMessageOrChannelSend::Range(transmit.data, range),
1598 transport,
1599 from,
1600 to,
1601 ))
1602 }
1603 Ok(None) => None,
1604 }
1605 }
1606 Err(_) => {
1607 let Ok(channel) = ChannelData::parse(transmit.data.as_ref()) else {
1608 return None;
1609 };
1610 let ForwardChannelData {
1611 transport,
1612 from,
1613 to,
1614 } = self.handle_channel(
1615 transmit.transport,
1616 transmit.from,
1617 transmit.to,
1618 channel,
1619 now,
1620 )?;
1621 let channel_len = channel.data().len();
1622 Some(TransmitBuild::new(
1623 DelayedMessageOrChannelSend::Range(transmit.data, 4..4 + channel_len),
1624 transport,
1625 from,
1626 to,
1627 ))
1628 }
1629 },
1630 }
1631 } else {
1632 None
1633 }
1634 }
1635
1636 #[tracing::instrument(level = "debug", name = "turn_server_poll", skip(self), ret)]
1637 fn poll(&mut self, now: Instant) -> TurnServerPollRet {
1638 let mut lowest_wait = now + Duration::from_secs(3600);
1639 for pending in self.pending_allocates.iter_mut() {
1640 if let Some(family) = pending.to_ask_families.pop() {
1641 return TurnServerPollRet::AllocateSocketUdp {
1643 transport: pending.client.transport,
1644 local_addr: pending.client.local_addr,
1645 remote_addr: pending.client.remote_addr,
1646 family,
1647 };
1648 }
1649 }
1650
1651 for client in self.clients.iter_mut() {
1652 client.allocations.retain_mut(|allocation| {
1653 if allocation.expires_at >= now {
1654 allocation
1655 .permissions
1656 .retain_mut(|permission| permission.expires_at >= now);
1657 allocation
1658 .channels
1659 .retain_mut(|channel| channel.expires_at >= now);
1660 lowest_wait = lowest_wait.min(allocation.expires_at);
1661 true
1662 } else {
1663 false
1664 }
1665 });
1666 }
1667
1668 if let Some(earliest) = self.earliest_nonce_expiry {
1669 if earliest < now {
1670 self.nonces.retain(|nonce| nonce.expires_at >= now);
1671 self.recalculate_nonce_expiry(now);
1672 };
1673 if let Some(earliest) = self.earliest_nonce_expiry {
1674 lowest_wait = lowest_wait.min(earliest);
1675 }
1676 }
1677
1678 TurnServerPollRet::WaitUntil(lowest_wait.max(now))
1679 }
1680
1681 #[tracing::instrument(name = "turn_server_poll_transmit", skip(self))]
1682 fn poll_transmit(&mut self, now: Instant) -> Option<Transmit<Vec<u8>>> {
1683 if let Some(transmit) = self.pending_transmits.pop_back() {
1684 return Some(transmit);
1685 }
1686 if self.stun.transport() != TransportType::Tcp {
1687 return None;
1688 }
1689 let nonce_len = self.nonces.len();
1690 for i in 0..nonce_len {
1691 let nonce = &mut self.nonces[i];
1692 let local_addr = nonce.local_addr;
1693 let remote_addr = nonce.remote_addr;
1694
1695 let ret = match nonce.tcp_buffer.poll_recv() {
1696 Some(StoredTcp::Message(msg)) => {
1697 self.handle_listen_tcp_stored_message(remote_addr, msg, now)
1698 }
1699 Some(StoredTcp::Channel(channel)) => {
1700 let Ok(channel) = ChannelData::parse(&channel) else {
1701 return None;
1702 };
1703 let ForwardChannelData {
1704 transport,
1705 from,
1706 to,
1707 } = self.handle_channel(
1708 TransportType::Tcp,
1709 remote_addr,
1710 local_addr,
1711 channel,
1712 now,
1713 )?;
1714 Some(Transmit::new(channel.data().to_vec(), transport, from, to))
1715 }
1716 None => continue,
1717 };
1718 if ret.is_some() {
1719 return ret;
1720 }
1721 }
1722 None
1723 }
1724
1725 #[tracing::instrument(name = "turn_server_allocated_udp_socket", skip(self))]
1726 fn allocated_udp_socket(
1727 &mut self,
1728 transport: TransportType,
1729 local_addr: SocketAddr,
1730 remote_addr: SocketAddr,
1731 family: AddressFamily,
1732 socket_addr: Result<SocketAddr, SocketAllocateError>,
1733 now: Instant,
1734 ) {
1735 let Some(position) = self.pending_allocates.iter().position(|pending| {
1736 pending.client.transport == transport
1737 && pending.client.local_addr == local_addr
1738 && pending.client.remote_addr == remote_addr
1739 && pending.pending_families.contains(&family)
1740 }) else {
1741 warn!("No pending allocation for transport: {transport}, local: {local_addr:?}, remote {remote_addr:?}");
1742 return;
1743 };
1744 info!("pending allocation for transport: {transport}, local: {local_addr:?}, remote {remote_addr:?} family {family} resulted in Udp {socket_addr:?}");
1745 let pending = &mut self.pending_allocates[position];
1746 pending.pending_sockets.push((family, socket_addr));
1747 pending.pending_families.retain(|fam| *fam != family);
1748 if !pending.pending_families.is_empty() || !pending.to_ask_families.is_empty() {
1749 trace!(
1750 "Still waiting for more allocation results before sending a reply to the client"
1751 );
1752 return;
1753 }
1754
1755 let mut pending = self.pending_allocates.remove(position).unwrap();
1756 let transaction_id = pending.transaction_id;
1757 let to = pending.client.remote_addr;
1758 let lifetime_seconds = pending
1759 .requested_lifetime
1760 .unwrap_or(DEFAULT_ALLOCATION_DURATION.as_secs() as u32)
1761 .clamp(
1762 DEFAULT_ALLOCATION_DURATION.as_secs() as u32,
1763 MAXIMUM_ALLOCATION_DURATION.as_secs() as u32,
1764 );
1765
1766 let is_all_error = pending.pending_sockets.iter().all(|addr| addr.1.is_err());
1767 let n_pending_sockets = pending.pending_sockets.len();
1768
1769 let mut builder = Message::builder(
1770 MessageType::from_class_method(
1771 if is_all_error {
1772 MessageClass::Error
1773 } else {
1774 MessageClass::Success
1775 },
1776 ALLOCATE,
1777 ),
1778 transaction_id,
1779 MessageWriteVec::new(),
1780 );
1781
1782 if is_all_error && pending.pending_sockets.len() > 1 {
1783 trace!("Returning insufficient capacity");
1784 let error = ErrorCode::builder(ErrorCode::INSUFFICIENT_CAPACITY)
1786 .build()
1787 .unwrap();
1788 builder.add_attribute(&error).unwrap();
1789 } else {
1790 for (family, socket_addr) in pending.pending_sockets {
1791 match socket_addr {
1792 Ok(addr) => {
1793 pending.client.allocations.push(Allocation {
1794 addr,
1795 ttype: TransportType::Udp,
1796 expires_at: now + Duration::from_secs(lifetime_seconds as u64),
1797 permissions: vec![],
1798 channels: vec![],
1799 });
1800 let relayed_address = XorRelayedAddress::new(addr, transaction_id);
1801 builder.add_attribute(&relayed_address).unwrap();
1802 let lifetime = Lifetime::new(lifetime_seconds);
1803 builder.add_attribute(&lifetime).unwrap();
1804 let mapped_address =
1806 XorMappedAddress::new(pending.client.remote_addr, transaction_id);
1807 builder.add_attribute(&mapped_address).unwrap();
1808 }
1809 Err(e) => {
1810 if n_pending_sockets > 1 {
1811 let error = AddressErrorCode::new(
1814 family,
1815 ErrorCode::builder(e.into_error_code()).build().unwrap(),
1816 );
1817 builder.add_attribute(&error).unwrap();
1818 } else {
1819 let error = ErrorCode::builder(e.into_error_code()).build().unwrap();
1820 builder.add_attribute(&error).unwrap();
1821 }
1822 }
1823 }
1824 }
1825 }
1826 builder
1827 .add_message_integrity_with_key(&pending.client.key, IntegrityAlgorithm::Sha1)
1828 .unwrap();
1829 let msg = builder.finish();
1830
1831 let Ok(transmit) = self.stun.send(msg, to, now) else {
1832 unreachable!();
1833 };
1834 if socket_addr.is_ok() {
1835 self.clients.push(pending.client);
1836 }
1837 self.pending_transmits.push_back(transmit);
1838 }
1839}
1840
1841#[derive(Debug)]
1842struct Client {
1843 transport: TransportType,
1844 local_addr: SocketAddr,
1845 remote_addr: SocketAddr,
1846
1847 allocations: Vec<Allocation>,
1848 username: String,
1849 key: IntegrityKey,
1850}
1851
1852#[derive(Debug)]
1853struct Allocation {
1854 addr: SocketAddr,
1856 ttype: TransportType,
1857
1858 expires_at: Instant,
1859
1860 permissions: Vec<Permission>,
1861 channels: Vec<Channel>,
1862}
1863
1864impl Allocation {
1865 fn permission_from_5tuple(
1866 &self,
1867 ttype: TransportType,
1868 local_addr: SocketAddr,
1869 remote_addr: SocketAddr,
1870 ) -> Option<&Permission> {
1871 if local_addr != self.addr {
1872 return None;
1873 }
1874 self.permissions
1875 .iter()
1876 .find(|permission| permission.ttype == ttype && remote_addr.ip() == permission.addr)
1877 }
1878
1879 fn channel_from_id(&self, id: u16) -> Option<&Channel> {
1880 self.channels.iter().find(|channel| channel.id == id)
1881 }
1882
1883 fn channel_from_5tuple(
1884 &self,
1885 transport: TransportType,
1886 local_addr: SocketAddr,
1887 remote_addr: SocketAddr,
1888 ) -> Option<&Channel> {
1889 if self.addr != local_addr {
1890 return None;
1891 }
1892 self.channels
1893 .iter()
1894 .find(|channel| transport == channel.peer_transport && remote_addr == channel.peer_addr)
1895 }
1896
1897 #[tracing::instrument(level = "trace", skip(self, now), fields(ttype = %self.ttype, relayed = %self.addr))]
1898 fn have_permission(&self, addr: IpAddr, now: Instant) -> Option<&Permission> {
1899 let Some(permission) = self
1900 .permissions
1901 .iter()
1902 .find(|permission| permission.addr == addr)
1903 else {
1904 trace!("no permission available");
1905 return None;
1907 };
1908 if now > permission.expires_at {
1909 trace!("permission has expired");
1910 return None;
1911 }
1912 debug!("have permission");
1913 Some(permission)
1914 }
1915}
1916
1917#[derive(Debug)]
1918struct Permission {
1919 addr: IpAddr,
1920 ttype: TransportType,
1921
1922 expires_at: Instant,
1923}
1924
1925#[derive(Debug)]
1926struct Channel {
1927 id: u16,
1928 peer_addr: SocketAddr,
1929 peer_transport: TransportType,
1930
1931 expires_at: Instant,
1932}
1933
1934enum InternalHandleStun {
1935 Transmit(Transmit<Vec<u8>>),
1936 Data(
1937 TransportType,
1938 SocketAddr,
1939 SocketAddr,
1940 core::ops::Range<usize>,
1941 ),
1942}
1943
1944#[cfg(test)]
1945mod tests {
1946 use alloc::string::{String, ToString};
1947 use turn_types::{
1948 prelude::DelayedTransmitBuild,
1949 stun::message::{IntegrityAlgorithm, Method},
1950 TurnCredentials,
1951 };
1952
1953 use super::*;
1954
1955 fn listen_address() -> SocketAddr {
1956 "127.0.0.1:3478".parse().unwrap()
1957 }
1958
1959 fn client_address() -> SocketAddr {
1960 "127.0.0.1:1000".parse().unwrap()
1961 }
1962
1963 fn relayed_address() -> SocketAddr {
1964 "10.0.0.1:2222".parse().unwrap()
1965 }
1966
1967 fn ipv6_relayed_address() -> SocketAddr {
1968 "[fda9:8765:4321:1::1]:2222".parse().unwrap()
1969 }
1970
1971 fn peer_address() -> SocketAddr {
1972 "10.0.0.2:44444".parse().unwrap()
1973 }
1974
1975 fn ipv6_peer_address() -> SocketAddr {
1976 "[fd12:3456:789a:1::1]:44444".parse().unwrap()
1977 }
1978
1979 fn credentials() -> TurnCredentials {
1980 TurnCredentials::new("tuser", "tpass")
1981 }
1982
1983 fn new_server(transport: TransportType) -> TurnServer {
1984 let mut server = TurnServer::new(transport, listen_address(), "realm".to_string());
1985 let credentials = credentials();
1986 server.add_user(
1987 credentials.username().to_string(),
1988 credentials.password().to_string(),
1989 );
1990 server
1991 }
1992
1993 fn client_transmit_from<T: AsRef<[u8]> + core::fmt::Debug>(
1994 data: T,
1995 transport: TransportType,
1996 from: SocketAddr,
1997 ) -> Transmit<T> {
1998 Transmit::new(data, transport, from, listen_address())
1999 }
2000
2001 fn client_transmit<T: AsRef<[u8]> + core::fmt::Debug>(
2002 data: T,
2003 transport: TransportType,
2004 ) -> Transmit<T> {
2005 client_transmit_from(data, transport, client_address())
2006 }
2007
2008 #[test]
2009 fn test_server_stun_binding() {
2010 let _init = crate::tests::test_init_log();
2011 let now = Instant::ZERO;
2012 let mut server = new_server(TransportType::Udp);
2013 let (_realm, _nonce) = initial_allocate(&mut server, now);
2014 let reply = server
2015 .recv(
2016 client_transmit(
2017 {
2018 let binding = Message::builder_request(BINDING, MessageWriteVec::new());
2019 binding.finish()
2020 },
2021 server.transport(),
2022 ),
2023 now,
2024 )
2025 .unwrap();
2026 let reply = reply.build();
2027 let msg = Message::from_bytes(&reply.data).unwrap();
2028 assert!(msg.has_method(BINDING));
2029 assert!(msg.has_class(MessageClass::Success));
2030 assert_eq!(
2031 msg.attribute::<XorMappedAddress>()
2032 .unwrap()
2033 .addr(msg.transaction_id()),
2034 client_address()
2035 );
2036 }
2037
2038 fn initial_allocate_msg() -> Vec<u8> {
2039 let allocate = Message::builder_request(ALLOCATE, MessageWriteVec::new());
2040 allocate.finish()
2041 }
2042
2043 fn validate_unsigned_error_reply(msg: &[u8], method: Method, code: u16) -> Message<'_> {
2044 let msg = Message::from_bytes(msg).unwrap();
2045 assert!(msg.has_method(method));
2046 assert!(msg.has_class(MessageClass::Error));
2047 let err = msg.attribute::<ErrorCode>().unwrap();
2048 assert_eq!(err.code(), code);
2049 msg
2050 }
2051
2052 fn validate_signed_error_reply(
2053 msg: &[u8],
2054 method: Method,
2055 code: u16,
2056 credentials: LongTermCredentials,
2057 ) -> Message<'_> {
2058 let msg = Message::from_bytes(msg).unwrap();
2059 assert!(msg.has_method(method));
2060 assert!(msg.has_class(MessageClass::Error));
2061 let err = msg.attribute::<ErrorCode>().unwrap();
2062 assert_eq!(err.code(), code);
2063 msg.validate_integrity(&credentials.into()).unwrap();
2064 msg
2065 }
2066
2067 fn validate_initial_allocate_reply(msg: &[u8]) -> (String, String) {
2068 let msg = validate_unsigned_error_reply(msg, ALLOCATE, ErrorCode::UNAUTHORIZED);
2069 let realm = msg.attribute::<Realm>().unwrap();
2070 let nonce = msg.attribute::<Nonce>().unwrap();
2071 (realm.realm().to_string(), nonce.nonce().to_string())
2072 }
2073
2074 #[test]
2075 fn test_server_initial_allocate_unauthorized_reply() {
2076 let _init = crate::tests::test_init_log();
2077 let now = Instant::ZERO;
2078 let mut server = new_server(TransportType::Udp);
2079 let reply = server
2080 .recv(
2081 client_transmit(initial_allocate_msg(), server.transport()),
2082 now,
2083 )
2084 .unwrap();
2085 validate_initial_allocate_reply(&reply.build().data);
2086 }
2087
2088 #[test]
2089 fn test_server_duplicate_initial_allocate_unauthorized_reply() {
2090 let _init = crate::tests::test_init_log();
2091 let now = Instant::ZERO;
2092 let mut server = new_server(TransportType::Udp);
2093 let reply = server
2094 .recv(
2095 client_transmit(initial_allocate_msg(), server.transport()),
2096 now,
2097 )
2098 .unwrap();
2099 let (realm, nonce) = validate_initial_allocate_reply(&reply.build().data);
2100 let reply = server
2101 .recv(
2102 client_transmit(initial_allocate_msg(), server.transport()),
2103 now,
2104 )
2105 .unwrap();
2106 let (realm2, nonce2) = validate_initial_allocate_reply(&reply.build().data);
2107 assert_eq!(nonce, nonce2);
2108 assert_eq!(realm, realm2);
2109 }
2110
2111 fn initial_allocate(server: &mut TurnServer, now: Instant) -> (String, String) {
2112 let reply = server
2113 .recv(
2114 client_transmit(initial_allocate_msg(), server.transport()),
2115 now,
2116 )
2117 .unwrap();
2118 validate_initial_allocate_reply(&reply.build().data)
2119 }
2120
2121 #[test]
2122 fn test_server_authenticated_allocate_missing_attributes() {
2123 let _init = crate::tests::test_init_log();
2124 let now = Instant::ZERO;
2125 let attributes = [
2126 Nonce::TYPE,
2127 Realm::TYPE,
2128 Username::TYPE,
2129 RequestedTransport::TYPE,
2130 ];
2131 for attr in attributes {
2132 let mut server = new_server(TransportType::Udp);
2133 let (realm, nonce) = initial_allocate(&mut server, now);
2134 let creds = credentials().into_long_term_credentials(&realm);
2135 let mut allocate = Message::builder_request(ALLOCATE, MessageWriteVec::new());
2136 if attr != Nonce::TYPE {
2137 allocate
2138 .add_attribute(&Nonce::new(&nonce).unwrap())
2139 .unwrap();
2140 }
2141 if attr != Realm::TYPE {
2142 allocate
2143 .add_attribute(&Realm::new(&realm).unwrap())
2144 .unwrap();
2145 }
2146 if attr != Username::TYPE {
2147 allocate
2148 .add_attribute(&Username::new(creds.username()).unwrap())
2149 .unwrap();
2150 }
2151 if attr != RequestedTransport::TYPE {
2152 allocate
2153 .add_attribute(&RequestedTransport::new(RequestedTransport::UDP))
2154 .unwrap();
2155 }
2156 allocate
2157 .add_message_integrity(&creds.clone().into(), IntegrityAlgorithm::Sha1)
2158 .unwrap();
2159 let reply = server
2160 .recv(client_transmit(allocate.finish(), server.transport()), now)
2161 .unwrap();
2162 if attr != RequestedTransport::TYPE {
2163 validate_unsigned_error_reply(
2164 &reply.build().data,
2165 ALLOCATE,
2166 ErrorCode::BAD_REQUEST,
2167 );
2168 } else {
2169 validate_signed_error_reply(
2170 &reply.build().data,
2171 ALLOCATE,
2172 ErrorCode::BAD_REQUEST,
2173 creds,
2174 );
2175 }
2176 }
2177 }
2178
2179 fn add_authenticated_request_required_attributes(
2180 msg: &mut MessageWriteVec,
2181 credentials: LongTermCredentials,
2182 nonce: &str,
2183 ) {
2184 msg.add_attribute(&Nonce::new(nonce).unwrap()).unwrap();
2185 msg.add_attribute(&Realm::new(credentials.realm()).unwrap())
2186 .unwrap();
2187 msg.add_attribute(&Username::new(credentials.username()).unwrap())
2188 .unwrap();
2189 }
2190
2191 fn authenticated_allocate_msg(
2192 credentials: LongTermCredentials,
2193 nonce: &str,
2194 transport: u8,
2195 families: &[(AddressFamily, Result<SocketAddr, SocketAllocateError>)],
2196 ) -> Vec<u8> {
2197 let mut allocate = Message::builder_request(ALLOCATE, MessageWriteVec::new());
2198 add_authenticated_request_required_attributes(&mut allocate, credentials.clone(), nonce);
2199 allocate
2200 .add_attribute(&RequestedTransport::new(transport))
2201 .unwrap();
2202 if families.len() > 1 {
2203 for (family, _) in families {
2204 if *family != AddressFamily::IPV4 {
2205 allocate
2206 .add_attribute(&AdditionalAddressFamily::new(*family))
2207 .unwrap();
2208 }
2209 }
2210 } else if families[0].0 != AddressFamily::IPV4 {
2211 allocate
2212 .add_attribute(&RequestedAddressFamily::new(families[0].0))
2213 .unwrap();
2214 }
2215 allocate
2216 .add_message_integrity(&credentials.into(), IntegrityAlgorithm::Sha1)
2217 .unwrap();
2218 allocate.finish()
2219 }
2220
2221 fn authenticated_allocate_reply(
2222 server: &mut TurnServer,
2223 families: &[(AddressFamily, Result<SocketAddr, SocketAllocateError>)],
2224 now: Instant,
2225 ) -> Transmit<Vec<u8>> {
2226 for _ in 0..families.len() {
2227 let TurnServerPollRet::AllocateSocketUdp {
2228 transport,
2229 local_addr,
2230 remote_addr,
2231 family,
2232 } = server.poll(now)
2233 else {
2234 unreachable!();
2235 };
2236 let socket_addr = families
2237 .iter()
2238 .find_map(|(fam, socket_addr)| {
2239 if *fam == family {
2240 Some(*socket_addr)
2241 } else {
2242 None
2243 }
2244 })
2245 .unwrap();
2246 server.allocated_udp_socket(
2247 transport,
2248 local_addr,
2249 remote_addr,
2250 family,
2251 socket_addr,
2252 now,
2253 );
2254 }
2255 server.poll_transmit(now).unwrap()
2256 }
2257
2258 fn authenticated_allocate_with_credentials_transport_families(
2259 server: &mut TurnServer,
2260 credentials: LongTermCredentials,
2261 nonce: &str,
2262 from: SocketAddr,
2263 transport: u8,
2264 families: &[(AddressFamily, Result<SocketAddr, SocketAllocateError>)],
2265 now: Instant,
2266 ) -> Transmit<Vec<u8>> {
2267 let ret = server.recv(
2268 client_transmit_from(
2269 authenticated_allocate_msg(credentials.clone(), nonce, transport, families),
2270 server.transport(),
2271 from,
2272 ),
2273 now,
2274 );
2275 if let Some(transmit) = ret {
2276 return transmit.build();
2277 }
2278 authenticated_allocate_reply(server, families, now)
2279 }
2280
2281 fn authenticated_allocate_with_credentials_transport(
2282 server: &mut TurnServer,
2283 credentials: LongTermCredentials,
2284 nonce: &str,
2285 transport: u8,
2286 now: Instant,
2287 ) -> Transmit<Vec<u8>> {
2288 authenticated_allocate_with_credentials_transport_families(
2289 server,
2290 credentials,
2291 nonce,
2292 client_address(),
2293 transport,
2294 &[(AddressFamily::IPV4, Ok(relayed_address()))],
2295 now,
2296 )
2297 }
2298
2299 fn authenticated_allocate_with_credentials(
2300 server: &mut TurnServer,
2301 credentials: LongTermCredentials,
2302 nonce: &str,
2303 now: Instant,
2304 ) -> Transmit<Vec<u8>> {
2305 authenticated_allocate_with_credentials_transport(
2306 server,
2307 credentials,
2308 nonce,
2309 RequestedTransport::UDP,
2310 now,
2311 )
2312 }
2313
2314 #[test]
2315 fn test_server_authenticated_allocate_wrong_credentials() {
2316 let _init = crate::tests::test_init_log();
2317 let now = Instant::ZERO;
2318 let mut server = new_server(TransportType::Udp);
2319 let (realm, nonce) = initial_allocate(&mut server, now);
2320 let creds = credentials();
2321 let creds = TurnCredentials::new(creds.username(), "another-password")
2322 .into_long_term_credentials(&realm);
2323 let reply =
2324 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2325 validate_initial_allocate_reply(&reply.data);
2326
2327 let mut server = new_server(TransportType::Udp);
2328 let (realm, nonce) = initial_allocate(&mut server, now);
2329 let creds = credentials();
2330 let creds = TurnCredentials::new("another-user", creds.password())
2331 .into_long_term_credentials(&realm);
2332 let reply =
2333 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2334 validate_initial_allocate_reply(&reply.data);
2335
2336 let mut server = new_server(TransportType::Udp);
2337 let (_realm, nonce) = initial_allocate(&mut server, now);
2338 let creds = credentials();
2339 let creds = TurnCredentials::new(creds.username(), creds.password())
2340 .into_long_term_credentials("another-realm");
2341 let reply =
2342 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2343 validate_initial_allocate_reply(&reply.data);
2344 }
2345
2346 #[test]
2347 fn test_server_authenticated_allocate_without_initial() {
2348 let _init = crate::tests::test_init_log();
2349 let now = Instant::ZERO;
2350 let mut server = new_server(TransportType::Udp);
2351 let nonce = String::from("random");
2352 let creds = credentials();
2353 let creds = creds.into_long_term_credentials("realm");
2354 let reply =
2355 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2356 validate_unsigned_error_reply(&reply.data, ALLOCATE, ErrorCode::STALE_NONCE);
2357 }
2358
2359 #[test]
2360 fn test_server_authenticated_allocate_wrong_transport_type() {
2361 let _init = crate::tests::test_init_log();
2362 let now = Instant::ZERO;
2363 let mut server = new_server(TransportType::Udp);
2364 let (realm, nonce) = initial_allocate(&mut server, now);
2365 let creds = credentials().into_long_term_credentials(&realm);
2366 let reply = authenticated_allocate_with_credentials_transport(
2367 &mut server,
2368 creds.clone(),
2369 &nonce,
2370 0x0,
2371 now,
2372 );
2373 validate_signed_error_reply(
2374 &reply.data,
2375 ALLOCATE,
2376 ErrorCode::UNSUPPORTED_TRANSPORT_PROTOCOL,
2377 creds,
2378 );
2379 }
2380
2381 fn validate_signed_success(
2382 msg: &[u8],
2383 method: Method,
2384 credentials: LongTermCredentials,
2385 ) -> Message<'_> {
2386 let msg = Message::from_bytes(msg).unwrap();
2387 assert!(msg.has_method(method));
2388 assert!(msg.has_class(MessageClass::Success));
2389 msg.validate_integrity(&credentials.into()).unwrap();
2390 msg
2391 }
2392
2393 fn validate_authenticated_allocate_reply(
2394 msg: &[u8],
2395 credentials: LongTermCredentials,
2396 ) -> (Message<'_>, u32) {
2397 let msg = validate_signed_success(msg, ALLOCATE, credentials);
2398 let lifetime = msg.attribute::<Lifetime>().unwrap();
2399 let _xor_relayed_address = msg.attribute::<XorRelayedAddress>().unwrap();
2400 let _xor_mapped_address = msg.attribute::<XorMappedAddress>().unwrap();
2401 (msg, lifetime.seconds())
2402 }
2403
2404 #[test]
2405 fn test_server_authenticated_allocate_ipv6() {
2406 let _init = crate::tests::test_init_log();
2407 let now = Instant::ZERO;
2408 let mut server = new_server(TransportType::Udp);
2409 let (realm, nonce) = initial_allocate(&mut server, now);
2410 let creds = credentials().into_long_term_credentials(&realm);
2411 let reply = authenticated_allocate_with_credentials_transport_families(
2412 &mut server,
2413 creds.clone(),
2414 &nonce,
2415 client_address(),
2416 RequestedTransport::UDP,
2417 &[(AddressFamily::IPV6, Ok(ipv6_relayed_address()))],
2418 now,
2419 );
2420 validate_authenticated_allocate_reply(&reply.data, creds);
2421 }
2422
2423 #[test]
2424 fn test_server_authenticated_allocate_ipv6_error() {
2425 let _init = crate::tests::test_init_log();
2426 let now = Instant::ZERO;
2427 let mut server = new_server(TransportType::Udp);
2428 let (realm, nonce) = initial_allocate(&mut server, now);
2429 let creds = credentials().into_long_term_credentials(&realm);
2430 let reply = authenticated_allocate_with_credentials_transport_families(
2431 &mut server,
2432 creds.clone(),
2433 &nonce,
2434 client_address(),
2435 RequestedTransport::UDP,
2436 &[(
2437 AddressFamily::IPV6,
2438 Err(SocketAllocateError::AddressFamilyNotSupported),
2439 )],
2440 now,
2441 );
2442 validate_signed_error_reply(
2443 &reply.data,
2444 ALLOCATE,
2445 ErrorCode::ADDRESS_FAMILY_NOT_SUPPORTED,
2446 creds,
2447 );
2448 }
2449
2450 #[test]
2451 fn test_server_authenticated_allocate_dual_ipv6_error() {
2452 let _init = crate::tests::test_init_log();
2453 let now = Instant::ZERO;
2454 let mut server = new_server(TransportType::Udp);
2455 let (realm, nonce) = initial_allocate(&mut server, now);
2456 let creds = credentials().into_long_term_credentials(&realm);
2457 let reply = authenticated_allocate_with_credentials_transport_families(
2458 &mut server,
2459 creds.clone(),
2460 &nonce,
2461 client_address(),
2462 RequestedTransport::UDP,
2463 &[
2464 (
2465 AddressFamily::IPV6,
2466 Err(SocketAllocateError::AddressFamilyNotSupported),
2467 ),
2468 (AddressFamily::IPV4, Ok(relayed_address())),
2469 ],
2470 now,
2471 );
2472 let (msg, _lifetime) = validate_authenticated_allocate_reply(&reply.data, creds);
2473 let address_error_code = msg.attribute::<AddressErrorCode>().unwrap();
2474 assert_eq!(address_error_code.family(), AddressFamily::IPV6);
2475 assert_eq!(
2476 address_error_code.error().code(),
2477 ErrorCode::ADDRESS_FAMILY_NOT_SUPPORTED
2478 );
2479 }
2480
2481 #[test]
2482 fn test_server_authenticated_allocate_dual_ipv4_error() {
2483 let _init = crate::tests::test_init_log();
2484 let now = Instant::ZERO;
2485 let mut server = new_server(TransportType::Udp);
2486 let (realm, nonce) = initial_allocate(&mut server, now);
2487 let creds = credentials().into_long_term_credentials(&realm);
2488 let reply = authenticated_allocate_with_credentials_transport_families(
2489 &mut server,
2490 creds.clone(),
2491 &nonce,
2492 client_address(),
2493 RequestedTransport::UDP,
2494 &[
2495 (AddressFamily::IPV6, Ok(ipv6_relayed_address())),
2496 (
2497 AddressFamily::IPV4,
2498 Err(SocketAllocateError::AddressFamilyNotSupported),
2499 ),
2500 ],
2501 now,
2502 );
2503 let (msg, _lifetime) = validate_authenticated_allocate_reply(&reply.data, creds);
2504 let address_error_code = msg.attribute::<AddressErrorCode>().unwrap();
2505 assert_eq!(address_error_code.family(), AddressFamily::IPV4);
2506 assert_eq!(
2507 address_error_code.error().code(),
2508 ErrorCode::ADDRESS_FAMILY_NOT_SUPPORTED
2509 );
2510 }
2511
2512 #[test]
2513 fn test_server_allocation_expire() {
2514 let _init = crate::tests::test_init_log();
2515 let now = Instant::ZERO;
2516 let mut server = new_server(TransportType::Udp);
2517 let (realm, nonce) = initial_allocate(&mut server, now);
2518 let creds = credentials().into_long_term_credentials(&realm);
2519 let reply =
2520 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2521 let (_msg, lifetime) = validate_authenticated_allocate_reply(&reply.data, creds.clone());
2522 let TurnServerPollRet::WaitUntil(wait) = server.poll(now) else {
2523 unreachable!();
2524 };
2525 assert_eq!(wait, now + Duration::from_secs(lifetime as u64));
2526 }
2527
2528 fn create_permission_request(
2529 credentials: LongTermCredentials,
2530 nonce: &str,
2531 peer: SocketAddr,
2532 ) -> Vec<u8> {
2533 let mut request = Message::builder_request(CREATE_PERMISSION, MessageWriteVec::new());
2534 request
2535 .add_attribute(&XorPeerAddress::new(peer, request.transaction_id()))
2536 .unwrap();
2537 add_authenticated_request_required_attributes(&mut request, credentials.clone(), nonce);
2538 request
2539 .add_message_integrity(&credentials.into(), IntegrityAlgorithm::Sha1)
2540 .unwrap();
2541 request.finish()
2542 }
2543
2544 #[test]
2545 fn test_server_create_permission_without_allocation() {
2546 let _init = crate::tests::test_init_log();
2547 let now = Instant::ZERO;
2548 let mut server = new_server(TransportType::Udp);
2549 let (realm, nonce) = initial_allocate(&mut server, now);
2550 let creds = credentials().into_long_term_credentials(&realm);
2551 let reply = server
2552 .recv(
2553 client_transmit(
2554 create_permission_request(creds.clone(), &nonce, peer_address()),
2555 server.transport(),
2556 ),
2557 now,
2558 )
2559 .unwrap();
2560 validate_signed_error_reply(
2561 &reply.build().data,
2562 CREATE_PERMISSION,
2563 ErrorCode::ALLOCATION_MISMATCH,
2564 creds,
2565 );
2566 }
2567
2568 #[test]
2569 fn test_server_create_permission_without_peer_address() {
2570 let _init = crate::tests::test_init_log();
2571 let now = Instant::ZERO;
2572 let mut server = new_server(TransportType::Udp);
2573 let (realm, nonce) = initial_allocate(&mut server, now);
2574 let creds = credentials().into_long_term_credentials(&realm);
2575 let reply =
2576 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2577 validate_authenticated_allocate_reply(&reply.data, creds.clone());
2578 let reply = server
2579 .recv(
2580 client_transmit(
2581 {
2582 let mut request =
2583 Message::builder_request(CREATE_PERMISSION, MessageWriteVec::new());
2584 add_authenticated_request_required_attributes(
2585 &mut request,
2586 creds.clone(),
2587 &nonce,
2588 );
2589 request
2590 .add_message_integrity(&creds.clone().into(), IntegrityAlgorithm::Sha1)
2591 .unwrap();
2592 request.finish()
2593 },
2594 server.transport(),
2595 ),
2596 now,
2597 )
2598 .unwrap();
2599 validate_signed_error_reply(
2600 &reply.build().data,
2601 CREATE_PERMISSION,
2602 ErrorCode::BAD_REQUEST,
2603 creds,
2604 );
2605 }
2606
2607 #[test]
2608 fn test_server_create_permission_wrong_family() {
2609 let _init = crate::tests::test_init_log();
2610 let now = Instant::ZERO;
2611 let mut server = new_server(TransportType::Udp);
2612 let (realm, nonce) = initial_allocate(&mut server, now);
2613 let creds = credentials().into_long_term_credentials(&realm);
2614 let reply =
2615 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2616 validate_authenticated_allocate_reply(&reply.data, creds.clone());
2617 let reply = server
2618 .recv(
2619 client_transmit(
2620 create_permission_request(creds.clone(), &nonce, ipv6_peer_address()),
2621 server.transport(),
2622 ),
2623 now,
2624 )
2625 .unwrap();
2626 validate_signed_error_reply(
2627 &reply.build().data,
2628 CREATE_PERMISSION,
2629 ErrorCode::PEER_ADDRESS_FAMILY_MISMATCH,
2630 creds,
2631 );
2632 }
2633
2634 #[test]
2635 fn test_server_create_permission_ipv4_wrong_family() {
2636 let _init = crate::tests::test_init_log();
2637 let now = Instant::ZERO;
2638 let mut server = new_server(TransportType::Udp);
2639 let (realm, nonce) = initial_allocate(&mut server, now);
2640 let creds = credentials().into_long_term_credentials(&realm);
2641 let reply = authenticated_allocate_with_credentials_transport_families(
2642 &mut server,
2643 creds.clone(),
2644 &nonce,
2645 client_address(),
2646 RequestedTransport::UDP,
2647 &[(AddressFamily::IPV6, Ok(ipv6_relayed_address()))],
2648 now,
2649 );
2650 validate_authenticated_allocate_reply(&reply.data, creds.clone());
2651 let reply = server
2652 .recv(
2653 client_transmit(
2654 create_permission_request(creds.clone(), &nonce, peer_address()),
2655 server.transport(),
2656 ),
2657 now,
2658 )
2659 .unwrap();
2660 validate_signed_error_reply(
2661 &reply.build().data,
2662 CREATE_PERMISSION,
2663 ErrorCode::PEER_ADDRESS_FAMILY_MISMATCH,
2664 creds,
2665 );
2666 }
2667
2668 #[test]
2669 fn test_server_create_permission_wrong_username() {
2670 let _init = crate::tests::test_init_log();
2671 let now = Instant::ZERO;
2672 let mut server = new_server(TransportType::Udp);
2673 let (realm, nonce) = initial_allocate(&mut server, now);
2674 let creds = credentials().into_long_term_credentials(&realm);
2675 server.add_user("another-user".to_string(), creds.password().to_string());
2676 let reply =
2677 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2678 validate_authenticated_allocate_reply(&reply.data, creds.clone());
2679 let creds = TurnCredentials::new("another-user", creds.password())
2680 .into_long_term_credentials(&realm);
2681 let reply = server
2682 .recv(
2683 client_transmit(
2684 create_permission_request(creds, &nonce, peer_address()),
2685 server.transport(),
2686 ),
2687 now,
2688 )
2689 .unwrap();
2690 validate_unsigned_error_reply(
2691 &reply.build().data,
2692 CREATE_PERMISSION,
2693 ErrorCode::WRONG_CREDENTIALS,
2694 );
2695 }
2696
2697 #[test]
2698 fn test_server_create_permission_malformed_peer_address() {
2699 let _init = crate::tests::test_init_log();
2700 let now = Instant::ZERO;
2701 let mut server = new_server(TransportType::Udp);
2702 let (realm, nonce) = initial_allocate(&mut server, now);
2703 let creds = credentials().into_long_term_credentials(&realm);
2704 let reply =
2705 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2706 validate_authenticated_allocate_reply(&reply.data, creds.clone());
2707 let reply = server
2708 .recv(
2709 client_transmit(
2710 {
2711 let mut request =
2712 Message::builder_request(CREATE_PERMISSION, MessageWriteVec::new());
2713 request
2714 .add_attribute(&XorPeerAddress::new(
2715 peer_address(),
2716 request.transaction_id(),
2717 ))
2718 .unwrap();
2719 request[25] = 0x80;
2721 add_authenticated_request_required_attributes(
2722 &mut request,
2723 creds.clone(),
2724 &nonce,
2725 );
2726 request
2727 .add_message_integrity(&creds.clone().into(), IntegrityAlgorithm::Sha1)
2728 .unwrap();
2729 request.finish()
2730 },
2731 server.transport(),
2732 ),
2733 now,
2734 )
2735 .unwrap();
2736 validate_signed_error_reply(
2737 &reply.build().data,
2738 CREATE_PERMISSION,
2739 ErrorCode::BAD_REQUEST,
2740 creds,
2741 );
2742 }
2743
2744 fn channel_bind_request(credentials: LongTermCredentials, nonce: &str) -> Vec<u8> {
2745 let mut request = Message::builder_request(CHANNEL_BIND, MessageWriteVec::new());
2746 request.add_attribute(&ChannelNumber::new(0x4000)).unwrap();
2747 request
2748 .add_attribute(&XorPeerAddress::new(
2749 peer_address(),
2750 request.transaction_id(),
2751 ))
2752 .unwrap();
2753 add_authenticated_request_required_attributes(&mut request, credentials.clone(), nonce);
2754 request
2755 .add_message_integrity(&credentials.into(), IntegrityAlgorithm::Sha1)
2756 .unwrap();
2757 request.finish()
2758 }
2759
2760 #[test]
2761 fn test_server_channel_bind_without_allocation() {
2762 let _init = crate::tests::test_init_log();
2763 let now = Instant::ZERO;
2764 let mut server = new_server(TransportType::Udp);
2765 let (realm, nonce) = initial_allocate(&mut server, now);
2766 let creds = credentials().into_long_term_credentials(&realm);
2767 let reply = server
2768 .recv(
2769 client_transmit(
2770 channel_bind_request(creds.clone(), &nonce),
2771 server.transport(),
2772 ),
2773 now,
2774 )
2775 .unwrap();
2776 validate_signed_error_reply(
2777 &reply.build().data,
2778 CHANNEL_BIND,
2779 ErrorCode::ALLOCATION_MISMATCH,
2780 creds,
2781 );
2782 }
2783
2784 #[test]
2785 fn test_server_channel_bind_missing_attributes() {
2786 let _init = crate::tests::test_init_log();
2787 let now = Instant::ZERO;
2788 let mut server = new_server(TransportType::Udp);
2789 let (realm, nonce) = initial_allocate(&mut server, now);
2790 let creds = credentials().into_long_term_credentials(&realm);
2791 let reply =
2792 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2793 validate_authenticated_allocate_reply(&reply.data, creds.clone());
2794 let reply = server
2795 .recv(
2796 client_transmit(
2797 {
2798 let mut request =
2799 Message::builder_request(CHANNEL_BIND, MessageWriteVec::new());
2800 request
2801 .add_attribute(&XorPeerAddress::new(
2802 peer_address(),
2803 request.transaction_id(),
2804 ))
2805 .unwrap();
2806 add_authenticated_request_required_attributes(
2807 &mut request,
2808 creds.clone(),
2809 &nonce,
2810 );
2811 request
2812 .add_message_integrity(&creds.clone().into(), IntegrityAlgorithm::Sha1)
2813 .unwrap();
2814 request.finish()
2815 },
2816 server.transport(),
2817 ),
2818 now,
2819 )
2820 .unwrap();
2821 validate_signed_error_reply(
2822 &reply.build().data,
2823 CHANNEL_BIND,
2824 ErrorCode::BAD_REQUEST,
2825 creds.clone(),
2826 );
2827
2828 let mut server = new_server(TransportType::Udp);
2829 let (realm, nonce) = initial_allocate(&mut server, now);
2830 let creds = credentials().into_long_term_credentials(&realm);
2831 let reply =
2832 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2833 validate_authenticated_allocate_reply(&reply.data, creds.clone());
2834 let reply = server
2835 .recv(
2836 client_transmit(
2837 {
2838 let mut request =
2839 Message::builder_request(CHANNEL_BIND, MessageWriteVec::new());
2840 request.add_attribute(&ChannelNumber::new(0x4000)).unwrap();
2841 add_authenticated_request_required_attributes(
2842 &mut request,
2843 creds.clone(),
2844 &nonce,
2845 );
2846 request
2847 .add_message_integrity(&creds.clone().into(), IntegrityAlgorithm::Sha1)
2848 .unwrap();
2849 request.finish()
2850 },
2851 server.transport(),
2852 ),
2853 now,
2854 )
2855 .unwrap();
2856 validate_signed_error_reply(
2857 &reply.build().data,
2858 CHANNEL_BIND,
2859 ErrorCode::BAD_REQUEST,
2860 creds.clone(),
2861 );
2862 }
2863
2864 #[test]
2865 fn test_server_channel_bind_invalid_id() {
2866 let _init = crate::tests::test_init_log();
2867 let now = Instant::ZERO;
2868 let mut server = new_server(TransportType::Udp);
2869 let (realm, nonce) = initial_allocate(&mut server, now);
2870 let creds = credentials().into_long_term_credentials(&realm);
2871 let reply =
2872 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2873 validate_authenticated_allocate_reply(&reply.data, creds.clone());
2874 let reply = server
2875 .recv(
2876 client_transmit(
2877 {
2878 let mut request =
2879 Message::builder_request(CHANNEL_BIND, MessageWriteVec::new());
2880 request.add_attribute(&ChannelNumber::new(0x0)).unwrap();
2881 request
2882 .add_attribute(&XorPeerAddress::new(
2883 peer_address(),
2884 request.transaction_id(),
2885 ))
2886 .unwrap();
2887 add_authenticated_request_required_attributes(
2888 &mut request,
2889 creds.clone(),
2890 &nonce,
2891 );
2892 request
2893 .add_message_integrity(&creds.clone().into(), IntegrityAlgorithm::Sha1)
2894 .unwrap();
2895 request.finish()
2896 },
2897 server.transport(),
2898 ),
2899 now,
2900 )
2901 .unwrap();
2902 validate_signed_error_reply(
2903 &reply.build().data,
2904 CHANNEL_BIND,
2905 ErrorCode::BAD_REQUEST,
2906 creds.clone(),
2907 );
2908 }
2909
2910 #[test]
2911 fn test_server_channel_bind_wrong_family() {
2912 let _init = crate::tests::test_init_log();
2913 let now = Instant::ZERO;
2914 let mut server = new_server(TransportType::Udp);
2915 let (realm, nonce) = initial_allocate(&mut server, now);
2916 let creds = credentials().into_long_term_credentials(&realm);
2917 let reply =
2918 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2919 validate_authenticated_allocate_reply(&reply.data, creds.clone());
2920 let reply = server
2921 .recv(
2922 client_transmit(
2923 {
2924 let mut request =
2925 Message::builder_request(CHANNEL_BIND, MessageWriteVec::new());
2926 request.add_attribute(&ChannelNumber::new(0x4000)).unwrap();
2927 request
2928 .add_attribute(&XorPeerAddress::new(
2929 ipv6_peer_address(),
2930 request.transaction_id(),
2931 ))
2932 .unwrap();
2933 add_authenticated_request_required_attributes(
2934 &mut request,
2935 creds.clone(),
2936 &nonce,
2937 );
2938 request
2939 .add_message_integrity(&creds.clone().into(), IntegrityAlgorithm::Sha1)
2940 .unwrap();
2941 request.finish()
2942 },
2943 server.transport(),
2944 ),
2945 now,
2946 )
2947 .unwrap();
2948 validate_signed_error_reply(
2949 &reply.build().data,
2950 CHANNEL_BIND,
2951 ErrorCode::PEER_ADDRESS_FAMILY_MISMATCH,
2952 creds,
2953 );
2954 }
2955
2956 #[test]
2957 fn test_server_allocation_expire_channel_bind() {
2958 let _init = crate::tests::test_init_log();
2959 let now = Instant::ZERO;
2960 let mut server = new_server(TransportType::Udp);
2961 let (realm, nonce) = initial_allocate(&mut server, now);
2962 let creds = credentials().into_long_term_credentials(&realm);
2963 let reply =
2964 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2965 let (_msg, lifetime) = validate_authenticated_allocate_reply(&reply.data, creds.clone());
2966 let now = now + Duration::from_secs(lifetime as u64 + 1);
2967 let reply = server
2968 .recv(
2969 client_transmit(
2970 channel_bind_request(creds.clone(), &nonce),
2971 server.transport(),
2972 ),
2973 now,
2974 )
2975 .unwrap();
2976 validate_signed_error_reply(
2977 &reply.build().data,
2978 CHANNEL_BIND,
2979 ErrorCode::ALLOCATION_MISMATCH,
2980 creds,
2981 );
2982 }
2983
2984 #[test]
2985 fn test_server_duplicate_channel_bind() {
2986 let _init = crate::tests::test_init_log();
2987 let now = Instant::ZERO;
2988 let mut server = new_server(TransportType::Udp);
2989 let (realm, nonce) = initial_allocate(&mut server, now);
2990 let creds = credentials().into_long_term_credentials(&realm);
2991 let reply =
2992 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
2993 validate_authenticated_allocate_reply(&reply.data, creds.clone());
2994 channel_bind(&mut server, creds.clone(), &nonce, now);
2995 channel_bind(&mut server, creds.clone(), &nonce, now);
2996 }
2997
2998 fn channel_bind(
2999 server: &mut TurnServer,
3000 creds: LongTermCredentials,
3001 nonce: &str,
3002 now: Instant,
3003 ) {
3004 let reply = server
3005 .recv(
3006 client_transmit(
3007 channel_bind_request(creds.clone(), nonce),
3008 server.transport(),
3009 ),
3010 now,
3011 )
3012 .unwrap();
3013 validate_signed_success(&reply.build().data, CHANNEL_BIND, creds.clone());
3014 }
3015
3016 #[test]
3017 fn test_server_channel_bind_refresh_wrong_address() {
3018 let _init = crate::tests::test_init_log();
3019 let now = Instant::ZERO;
3020 let mut server = new_server(TransportType::Udp);
3021 let (realm, nonce) = initial_allocate(&mut server, now);
3022 let creds = credentials().into_long_term_credentials(&realm);
3023 let reply =
3024 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3025 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3026 channel_bind(&mut server, creds.clone(), &nonce, now);
3027 let reply = server
3028 .recv(
3029 client_transmit(
3030 {
3031 let mut request =
3032 Message::builder_request(CHANNEL_BIND, MessageWriteVec::new());
3033 request.add_attribute(&ChannelNumber::new(0x4100)).unwrap();
3034 request
3035 .add_attribute(&XorPeerAddress::new(
3036 peer_address(),
3037 request.transaction_id(),
3038 ))
3039 .unwrap();
3040 add_authenticated_request_required_attributes(
3041 &mut request,
3042 creds.clone(),
3043 &nonce,
3044 );
3045 request
3046 .add_message_integrity(&creds.clone().into(), IntegrityAlgorithm::Sha1)
3047 .unwrap();
3048 request.finish()
3049 },
3050 server.transport(),
3051 ),
3052 now,
3053 )
3054 .unwrap();
3055 validate_signed_error_reply(
3056 &reply.build().data,
3057 CHANNEL_BIND,
3058 ErrorCode::BAD_REQUEST,
3059 creds,
3060 );
3061 }
3062
3063 #[test]
3064 fn test_server_channel_bind_send_data() {
3065 let _init = crate::tests::test_init_log();
3066 let now = Instant::ZERO;
3067 let mut server = new_server(TransportType::Udp);
3068 let (realm, nonce) = initial_allocate(&mut server, now);
3069 let creds = credentials().into_long_term_credentials(&realm);
3070 let reply =
3071 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3072 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3073 channel_bind(&mut server, creds.clone(), &nonce, now);
3074 let data = [8; 9];
3075 let reply = server
3076 .recv(
3077 client_transmit(
3078 {
3079 let mut out = [0; 13];
3080 ChannelData::new(0x4000, data.as_slice()).write_into_unchecked(&mut out);
3081 out
3082 },
3083 server.transport(),
3084 ),
3085 now,
3086 )
3087 .unwrap();
3088 assert_eq!(reply.transport, TransportType::Udp);
3089 assert_eq!(reply.from, relayed_address());
3090 assert_eq!(reply.to, peer_address());
3091 assert_eq!(reply.data.build(), data);
3092 }
3093
3094 fn refresh_request_with_lifetime(
3095 credentials: LongTermCredentials,
3096 nonce: &str,
3097 lifetime: u32,
3098 requested_address: Option<AddressFamily>,
3099 ) -> Vec<u8> {
3100 let mut request = Message::builder_request(REFRESH, MessageWriteVec::new());
3101 request.add_attribute(&Lifetime::new(lifetime)).unwrap();
3102 add_authenticated_request_required_attributes(&mut request, credentials.clone(), nonce);
3103 if let Some(family) = requested_address {
3104 request
3105 .add_attribute(&RequestedAddressFamily::new(family))
3106 .unwrap();
3107 }
3108 request
3109 .add_message_integrity(&credentials.into(), IntegrityAlgorithm::Sha1)
3110 .unwrap();
3111 request.finish()
3112 }
3113
3114 fn refresh_request(
3115 credentials: LongTermCredentials,
3116 nonce: &str,
3117 requested_address: Option<AddressFamily>,
3118 ) -> Vec<u8> {
3119 refresh_request_with_lifetime(credentials, nonce, 1800, requested_address)
3120 }
3121
3122 #[test]
3123 fn test_server_refresh_without_allocation() {
3124 let _init = crate::tests::test_init_log();
3125 let now = Instant::ZERO;
3126 let mut server = new_server(TransportType::Udp);
3127 let (realm, nonce) = initial_allocate(&mut server, now);
3128 let creds = credentials().into_long_term_credentials(&realm);
3129 let reply = server
3130 .recv(
3131 client_transmit(
3132 refresh_request(creds.clone(), &nonce, None),
3133 server.transport(),
3134 ),
3135 now,
3136 )
3137 .unwrap();
3138 validate_signed_error_reply(
3139 &reply.build().data,
3140 REFRESH,
3141 ErrorCode::ALLOCATION_MISMATCH,
3142 creds,
3143 );
3144 }
3145
3146 #[test]
3147 fn test_server_refresh_dual_allocation() {
3148 let _init = crate::tests::test_init_log();
3149 let now = Instant::ZERO;
3150 let mut server = new_server(TransportType::Udp);
3151 let (realm, nonce) = initial_allocate(&mut server, now);
3152 let creds = credentials().into_long_term_credentials(&realm);
3153 authenticated_allocate_with_credentials_transport_families(
3154 &mut server,
3155 creds.clone(),
3156 &nonce,
3157 client_address(),
3158 RequestedTransport::UDP,
3159 &[
3160 (AddressFamily::IPV4, Ok(relayed_address())),
3161 (AddressFamily::IPV6, Ok(ipv6_relayed_address())),
3162 ],
3163 now,
3164 );
3165 let TurnServerPollRet::WaitUntil(now) = server.poll(now) else {
3166 unreachable!();
3167 };
3168 let reply = server
3169 .recv(
3170 client_transmit(
3171 refresh_request(creds.clone(), &nonce, None),
3172 server.transport(),
3173 ),
3174 now,
3175 )
3176 .unwrap();
3177 validate_signed_success(&reply.build().data, REFRESH, creds);
3178 }
3179
3180 fn delete_request(
3181 credentials: LongTermCredentials,
3182 nonce: &str,
3183 requested_address: Option<AddressFamily>,
3184 ) -> Vec<u8> {
3185 refresh_request_with_lifetime(credentials, nonce, 0, requested_address)
3186 }
3187
3188 #[test]
3189 fn test_server_dual_allocation_delete_single() {
3190 let _init = crate::tests::test_init_log();
3191 let now = Instant::ZERO;
3192 let mut server = new_server(TransportType::Udp);
3193 let (realm, nonce) = initial_allocate(&mut server, now);
3194 let creds = credentials().into_long_term_credentials(&realm);
3195 authenticated_allocate_with_credentials_transport_families(
3196 &mut server,
3197 creds.clone(),
3198 &nonce,
3199 client_address(),
3200 RequestedTransport::UDP,
3201 &[
3202 (AddressFamily::IPV4, Ok(relayed_address())),
3203 (AddressFamily::IPV6, Ok(ipv6_relayed_address())),
3204 ],
3205 now,
3206 );
3207 let reply = server
3208 .recv(
3209 client_transmit(
3210 delete_request(creds.clone(), &nonce, Some(AddressFamily::IPV4)),
3211 server.transport(),
3212 ),
3213 now,
3214 )
3215 .unwrap();
3216 validate_signed_success(&reply.build().data, REFRESH, creds.clone());
3217 let reply = server
3219 .recv(
3220 client_transmit(
3221 refresh_request(creds.clone(), &nonce, Some(AddressFamily::IPV4)),
3222 server.transport(),
3223 ),
3224 now,
3225 )
3226 .unwrap();
3227 validate_signed_error_reply(
3228 &reply.build().data,
3229 REFRESH,
3230 ErrorCode::PEER_ADDRESS_FAMILY_MISMATCH,
3231 creds.clone(),
3232 );
3233
3234 let reply = server
3236 .recv(
3237 client_transmit(
3238 delete_request(creds.clone(), &nonce, Some(AddressFamily::IPV6)),
3239 server.transport(),
3240 ),
3241 now,
3242 )
3243 .unwrap();
3244 validate_signed_success(&reply.build().data, REFRESH, creds.clone());
3245 let reply = server
3247 .recv(
3248 client_transmit(
3249 refresh_request(creds.clone(), &nonce, Some(AddressFamily::IPV6)),
3250 server.transport(),
3251 ),
3252 now,
3253 )
3254 .unwrap();
3255 validate_signed_error_reply(
3256 &reply.build().data,
3257 REFRESH,
3258 ErrorCode::ALLOCATION_MISMATCH,
3259 creds.clone(),
3260 );
3261 let reply = server
3262 .recv(
3263 client_transmit(
3264 refresh_request(creds.clone(), &nonce, None),
3265 server.transport(),
3266 ),
3267 now,
3268 )
3269 .unwrap();
3270 validate_signed_error_reply(
3271 &reply.build().data,
3272 REFRESH,
3273 ErrorCode::ALLOCATION_MISMATCH,
3274 creds,
3275 );
3276 }
3277
3278 fn send_indication(peer_addr: SocketAddr, data: &[u8]) -> Vec<u8> {
3279 let mut msg = Message::builder(
3280 MessageType::from_class_method(MessageClass::Indication, SEND),
3281 TransactionId::generate(),
3282 MessageWriteVec::new(),
3283 );
3284 msg.add_attribute(&XorPeerAddress::new(peer_addr, msg.transaction_id()))
3285 .unwrap();
3286 msg.add_attribute(&AData::new(data)).unwrap();
3287 msg.finish()
3288 }
3289
3290 #[test]
3291 fn test_server_send_without_allocation() {
3292 let _init = crate::tests::test_init_log();
3293 let now = Instant::ZERO;
3294 let mut server = new_server(TransportType::Udp);
3295 assert!(server
3296 .recv(
3297 client_transmit(
3298 send_indication(peer_address(), [8; 9].as_slice()),
3299 server.transport()
3300 ),
3301 now,
3302 )
3303 .is_none());
3304 }
3305
3306 #[test]
3307 fn test_server_send_allocation_expired() {
3308 let _init = crate::tests::test_init_log();
3309 let now = Instant::ZERO;
3310 let mut server = new_server(TransportType::Udp);
3311 let (realm, nonce) = initial_allocate(&mut server, now);
3312 let creds = credentials().into_long_term_credentials(&realm);
3313 let reply =
3314 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3315 let (_msg, lifetime) = validate_authenticated_allocate_reply(&reply.data, creds.clone());
3316 let now = now + Duration::from_secs(lifetime as u64 + 1);
3317 assert!(server
3318 .recv(
3319 client_transmit(
3320 send_indication(peer_address(), [8; 9].as_slice()),
3321 server.transport()
3322 ),
3323 now,
3324 )
3325 .is_none());
3326 }
3327
3328 #[test]
3329 fn test_server_send_no_allocation() {
3330 let _init = crate::tests::test_init_log();
3331 let now = Instant::ZERO;
3332 let mut server = new_server(TransportType::Udp);
3333 let (realm, nonce) = initial_allocate(&mut server, now);
3334 let creds = credentials().into_long_term_credentials(&realm);
3335 let reply =
3336 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3337 let (_msg, lifetime) = validate_authenticated_allocate_reply(&reply.data, creds.clone());
3338 let now = now + Duration::from_secs(lifetime as u64 + 1);
3339 assert!(server
3340 .recv(
3341 client_transmit(
3342 send_indication(ipv6_peer_address(), [8; 9].as_slice()),
3343 server.transport()
3344 ),
3345 now,
3346 )
3347 .is_none());
3348 }
3349
3350 #[test]
3351 fn test_server_send_without_permission() {
3352 let _init = crate::tests::test_init_log();
3353 let now = Instant::ZERO;
3354 let mut server = new_server(TransportType::Udp);
3355 let (realm, nonce) = initial_allocate(&mut server, now);
3356 let creds = credentials().into_long_term_credentials(&realm);
3357 let reply =
3358 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3359 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3360 assert!(server
3361 .recv(
3362 client_transmit(
3363 send_indication(peer_address(), [8; 9].as_slice()),
3364 server.transport()
3365 ),
3366 now,
3367 )
3368 .is_none());
3369 }
3370
3371 fn create_permission_with_address(
3372 server: &mut TurnServer,
3373 creds: LongTermCredentials,
3374 nonce: &str,
3375 peer_addr: SocketAddr,
3376 now: Instant,
3377 ) {
3378 let reply = server
3379 .recv(
3380 client_transmit(
3381 create_permission_request(creds.clone(), nonce, peer_addr),
3382 server.transport(),
3383 ),
3384 now,
3385 )
3386 .unwrap();
3387 validate_signed_success(&reply.build().data, CREATE_PERMISSION, creds);
3388 }
3389
3390 fn create_permission(
3391 server: &mut TurnServer,
3392 creds: LongTermCredentials,
3393 nonce: &str,
3394 now: Instant,
3395 ) {
3396 create_permission_with_address(server, creds, nonce, peer_address(), now);
3397 }
3398
3399 #[test]
3400 fn test_server_send_indication_with_permission() {
3401 let _init = crate::tests::test_init_log();
3402 let now = Instant::ZERO;
3403 let mut server = new_server(TransportType::Udp);
3404 let (realm, nonce) = initial_allocate(&mut server, now);
3405 let creds = credentials().into_long_term_credentials(&realm);
3406 let reply =
3407 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3408 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3409 create_permission(&mut server, creds.clone(), &nonce, now);
3410 let data = [8; 9];
3411 let reply = server
3412 .recv(
3413 client_transmit(
3414 send_indication(peer_address(), data.as_slice()),
3415 server.transport(),
3416 ),
3417 now,
3418 )
3419 .unwrap();
3420 assert_eq!(reply.transport, TransportType::Udp);
3421 assert_eq!(reply.from, relayed_address());
3422 assert_eq!(reply.to, peer_address());
3423 assert_eq!(reply.data.build(), data);
3424 }
3425
3426 #[test]
3427 fn test_server_unknown_request() {
3428 let _init = crate::tests::test_init_log();
3429 let now = Instant::ZERO;
3430 let mut server = new_server(TransportType::Udp);
3431 let (realm, nonce) = initial_allocate(&mut server, now);
3432 let creds = credentials().into_long_term_credentials(&realm);
3433 let reply =
3434 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3435 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3436 let reply = server
3437 .recv(
3438 client_transmit(
3439 {
3440 let mut request =
3441 Message::builder_request(Method::new(0x123), MessageWriteVec::new());
3442 add_authenticated_request_required_attributes(
3443 &mut request,
3444 creds.clone(),
3445 &nonce,
3446 );
3447 request
3448 .add_message_integrity(&creds.clone().into(), IntegrityAlgorithm::Sha1)
3449 .unwrap();
3450 request.finish()
3451 },
3452 server.transport(),
3453 ),
3454 now,
3455 )
3456 .unwrap();
3457 validate_signed_error_reply(
3458 &reply.build().data,
3459 Method::new(0x123),
3460 ErrorCode::BAD_REQUEST,
3461 creds,
3462 );
3463 }
3464
3465 #[test]
3466 fn test_server_unknown_indication() {
3467 let _init = crate::tests::test_init_log();
3468 let now = Instant::ZERO;
3469 let mut server = new_server(TransportType::Udp);
3470 let (realm, nonce) = initial_allocate(&mut server, now);
3471 let creds = credentials().into_long_term_credentials(&realm);
3472 let reply =
3473 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3474 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3475 assert!(server
3476 .recv(
3477 client_transmit(
3478 {
3479 let request = Message::builder(
3480 MessageType::from_class_method(
3481 MessageClass::Indication,
3482 Method::new(0x123),
3483 ),
3484 TransactionId::generate(),
3485 MessageWriteVec::new(),
3486 );
3487 request.finish()
3488 },
3489 server.transport(),
3490 ),
3491 now,
3492 )
3493 .is_none());
3494 }
3495
3496 #[test]
3497 fn test_server_unknown_source_address() {
3498 let _init = crate::tests::test_init_log();
3499 let now = Instant::ZERO;
3500 let mut server = new_server(TransportType::Udp);
3501 assert!(server
3502 .recv(client_transmit([4; 12], server.transport()), now)
3503 .is_none());
3504 }
3505
3506 #[test]
3507 fn test_server_invalid_client_data() {
3508 let _init = crate::tests::test_init_log();
3509 let now = Instant::ZERO;
3510 let mut server = new_server(TransportType::Udp);
3511 let (realm, nonce) = initial_allocate(&mut server, now);
3512 let creds = credentials().into_long_term_credentials(&realm);
3513 let reply =
3514 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3515 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3516 assert!(server
3517 .recv(client_transmit([4; 12], server.transport()), now)
3518 .is_none());
3519 }
3520
3521 #[test]
3522 fn test_server_recv_no_channel() {
3523 let _init = crate::tests::test_init_log();
3524 let now = Instant::ZERO;
3525 let mut server = new_server(TransportType::Udp);
3526 let (realm, nonce) = initial_allocate(&mut server, now);
3527 let creds = credentials().into_long_term_credentials(&realm);
3528 let reply =
3529 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3530 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3531 assert!(server
3532 .recv(
3533 client_transmit(
3534 {
3535 let channel = ChannelData::new(0x4000, [7; 3].as_slice());
3536 let mut out = vec![0; 7];
3537 channel.write_into_unchecked(&mut out);
3538 out
3539 },
3540 server.transport()
3541 ),
3542 now
3543 )
3544 .is_none());
3545 }
3546
3547 #[test]
3548 fn test_server_recv_channel_permission_expire() {
3549 let _init = crate::tests::test_init_log();
3550 let now = Instant::ZERO;
3551 let mut server = new_server(TransportType::Udp);
3552 let (realm, nonce) = initial_allocate(&mut server, now);
3553 let creds = credentials().into_long_term_credentials(&realm);
3554 let reply =
3555 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3556 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3557 channel_bind(&mut server, creds.clone(), &nonce, now);
3558 let now = now + PERMISSION_DURATION + Duration::from_secs(1);
3559 assert!(server
3560 .recv(
3561 client_transmit(
3562 {
3563 let channel = ChannelData::new(0x4000, [7; 3].as_slice());
3564 let mut out = vec![0; 7];
3565 channel.write_into_unchecked(&mut out);
3566 out
3567 },
3568 server.transport()
3569 ),
3570 now
3571 )
3572 .is_none());
3573 }
3574
3575 #[test]
3576 fn test_server_peer_recv_permission_expire() {
3577 let _init = crate::tests::test_init_log();
3578 let now = Instant::ZERO;
3579 let mut server = new_server(TransportType::Udp);
3580 let (realm, nonce) = initial_allocate(&mut server, now);
3581 let creds = credentials().into_long_term_credentials(&realm);
3582 let reply =
3583 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3584 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3585 create_permission(&mut server, creds.clone(), &nonce, now);
3586 let now = now + PERMISSION_DURATION + Duration::from_secs(1);
3587 assert!(server
3588 .recv(
3589 Transmit::new(
3590 [6; 7],
3591 TransportType::Udp,
3592 peer_address(),
3593 relayed_address()
3594 ),
3595 now
3596 )
3597 .is_none());
3598 }
3599
3600 fn create_udp(source: SocketAddr, destination: SocketAddr) -> Vec<u8> {
3601 assert_eq!(source.is_ipv4(), destination.is_ipv4());
3602 assert_eq!(source.is_ipv6(), destination.is_ipv6());
3603 let mut udp = [0; pnet_packet::udp::UdpPacket::minimum_packet_size()];
3604 let mut udp_packet = pnet_packet::udp::MutableUdpPacket::new(&mut udp).unwrap();
3605 udp_packet.populate(&pnet_packet::udp::Udp {
3606 source: source.port(),
3607 destination: destination.port(),
3608 length: 0x10,
3609 checksum: 0x0000,
3610 payload: vec![],
3611 });
3612 match (source, destination) {
3613 (SocketAddr::V4(source), SocketAddr::V4(destination)) => {
3614 let mut ip = [0; pnet_packet::ipv4::Ipv4Packet::minimum_packet_size()
3615 + pnet_packet::udp::UdpPacket::minimum_packet_size()];
3616 let mut ip_packet = pnet_packet::ipv4::MutableIpv4Packet::new(&mut ip).unwrap();
3617 ip_packet.set_version(0x4);
3618 ip_packet.set_header_length(5);
3619 ip_packet.set_total_length(48);
3620 ip_packet.set_flags(pnet_packet::ipv4::Ipv4Flags::DontFragment);
3621 ip_packet.set_ttl(16);
3622 ip_packet.set_next_level_protocol(pnet_packet::ip::IpNextHeaderProtocols::Udp);
3623 ip_packet.set_source(source.ip().octets().into());
3624 ip_packet.set_destination(destination.ip().octets().into());
3625 ip_packet.set_payload(&udp);
3626 ip.to_vec()
3627 }
3628 (SocketAddr::V6(source), SocketAddr::V6(destination)) => {
3629 let mut ip = [0; pnet_packet::ipv6::Ipv6Packet::minimum_packet_size()
3630 + pnet_packet::udp::UdpPacket::minimum_packet_size()];
3631 let mut ip_packet = pnet_packet::ipv6::MutableIpv6Packet::new(&mut ip).unwrap();
3632 ip_packet.set_version(0x6);
3633 ip_packet.set_payload_length(48);
3634 ip_packet.set_hop_limit(16);
3635 ip_packet.set_next_header(pnet_packet::ip::IpNextHeaderProtocols::Udp);
3636 ip_packet.set_source(source.ip().segments().into());
3637 ip_packet.set_destination(destination.ip().segments().into());
3638 ip_packet.set_payload(&udp);
3639 ip.to_vec()
3640 }
3641 _ => unreachable!(),
3642 }
3643 }
3644
3645 fn create_icmpv4<'p, T: AsRef<[u8]>>(
3646 typ: pnet_packet::icmp::IcmpType,
3647 code: pnet_packet::icmp::IcmpCode,
3648 icmp_data: u32,
3649 other_packet: T,
3650 ) -> pnet_packet::icmp::IcmpPacket<'p> {
3651 let data = other_packet.as_ref();
3652 let ret = vec![0; data.len() + 8];
3653 let mut icmp = pnet_packet::icmp::MutableIcmpPacket::owned(ret).unwrap();
3654 icmp.set_icmp_type(typ);
3655 icmp.set_icmp_code(code);
3656 let mut payload = vec![0; 4];
3657 BigEndian::write_u32(&mut payload, icmp_data);
3658 payload.extend_from_slice(data);
3659 icmp.set_payload(&payload);
3660 icmp.consume_to_immutable()
3661 }
3662
3663 fn create_icmpv6<'p, T: AsRef<[u8]>>(
3664 typ: pnet_packet::icmpv6::Icmpv6Type,
3665 code: pnet_packet::icmpv6::Icmpv6Code,
3666 icmp_data: u32,
3667 other_packet: T,
3668 ) -> pnet_packet::icmpv6::Icmpv6Packet<'p> {
3669 let data = other_packet.as_ref();
3670 let ret = vec![0; data.len() + 8];
3671 let mut icmp = pnet_packet::icmpv6::MutableIcmpv6Packet::owned(ret).unwrap();
3672 icmp.set_icmpv6_type(typ);
3673 icmp.set_icmpv6_code(code);
3674 let mut payload = vec![0; 4];
3675 BigEndian::write_u32(&mut payload, icmp_data);
3676 payload.extend_from_slice(data);
3677 icmp.set_payload(&payload);
3678 icmp.consume_to_immutable()
3679 }
3680
3681 fn validate_icmp(msg: &[u8], peer_addr: SocketAddr, typ: u8, code: u8, data: u32) {
3682 let msg = Message::from_bytes(msg).unwrap();
3683 assert!(msg.has_method(DATA));
3684 let xor_peer_address = msg.attribute::<XorPeerAddress>().unwrap();
3685 assert_eq!(xor_peer_address.addr(msg.transaction_id()), peer_addr);
3686 let icmp = msg.attribute::<Icmp>().unwrap();
3687 assert_eq!(icmp.icmp_type(), typ);
3688 assert_eq!(icmp.code(), code);
3689 assert_eq!(icmp.data(), data);
3690 }
3691
3692 #[test]
3693 fn test_server_recv_icmpv4() {
3694 let _init = crate::tests::test_init_log();
3695 let now = Instant::ZERO;
3696 let mut server = new_server(TransportType::Udp);
3697 let (realm, nonce) = initial_allocate(&mut server, now);
3698 let creds = credentials().into_long_term_credentials(&realm);
3699 let reply =
3700 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3701 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3702 create_permission(&mut server, creds.clone(), &nonce, now);
3703 assert!(server
3705 .recv_icmp(
3706 AddressFamily::IPV6,
3707 create_icmpv6(
3708 pnet_packet::icmpv6::Icmpv6Types::DestinationUnreachable,
3709 pnet_packet::icmpv6::Icmpv6Code::new(0),
3710 0,
3711 create_udp(ipv6_peer_address(), ipv6_relayed_address())
3712 )
3713 .packet(),
3714 now
3715 )
3716 .is_none());
3717 let icmp_type = pnet_packet::icmp::IcmpTypes::DestinationUnreachable;
3718 let icmp_code =
3719 pnet_packet::icmp::destination_unreachable::IcmpCodes::DestinationHostUnreachable;
3720 let transmit = server
3721 .recv_icmp(
3722 AddressFamily::IPV4,
3723 create_icmpv4(
3724 icmp_type,
3725 icmp_code,
3726 0,
3727 create_udp(relayed_address(), peer_address()),
3728 )
3729 .packet(),
3730 now,
3731 )
3732 .unwrap();
3733 assert_eq!(transmit.transport, TransportType::Udp);
3734 assert_eq!(transmit.from, server.listen_address());
3735 assert_eq!(transmit.to, client_address());
3736 validate_icmp(&transmit.data, peer_address(), icmp_type.0, icmp_code.0, 0);
3737 }
3738
3739 #[test]
3740 fn test_server_recv_icmpv6() {
3741 let _init = crate::tests::test_init_log();
3742 let now = Instant::ZERO;
3743 let mut server = new_server(TransportType::Udp);
3744 let (realm, nonce) = initial_allocate(&mut server, now);
3745 let creds = credentials().into_long_term_credentials(&realm);
3746 let reply = authenticated_allocate_with_credentials_transport_families(
3747 &mut server,
3748 creds.clone(),
3749 &nonce,
3750 client_address(),
3751 RequestedTransport::UDP,
3752 &[(AddressFamily::IPV6, Ok(ipv6_relayed_address()))],
3753 now,
3754 );
3755 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3756 create_permission_with_address(
3757 &mut server,
3758 creds.clone(),
3759 &nonce,
3760 ipv6_peer_address(),
3761 now,
3762 );
3763 assert!(server
3765 .recv_icmp(
3766 AddressFamily::IPV4,
3767 create_icmpv4(
3768 pnet_packet::icmp::IcmpTypes::DestinationUnreachable,
3769 pnet_packet::icmp::IcmpCode::new(0),
3770 0,
3771 create_udp(peer_address(), relayed_address())
3772 )
3773 .packet(),
3774 now
3775 )
3776 .is_none());
3777 let icmp_type = pnet_packet::icmpv6::Icmpv6Types::DestinationUnreachable;
3778 let icmp_code = pnet_packet::icmpv6::Icmpv6Code::new(3);
3779 let transmit = server
3780 .recv_icmp(
3781 AddressFamily::IPV6,
3782 create_icmpv6(
3783 icmp_type,
3784 icmp_code,
3785 0,
3786 create_udp(ipv6_relayed_address(), ipv6_peer_address()),
3787 )
3788 .packet(),
3789 now,
3790 )
3791 .unwrap();
3792 assert_eq!(transmit.transport, TransportType::Udp);
3793 assert_eq!(transmit.from, server.listen_address());
3794 assert_eq!(transmit.to, client_address());
3795 validate_icmp(
3796 &transmit.data,
3797 ipv6_peer_address(),
3798 icmp_type.0,
3799 icmp_code.0,
3800 0,
3801 );
3802 }
3803
3804 #[test]
3805 fn test_tcp_server_split_recv_channel() {
3806 let _init = crate::tests::test_init_log();
3807 let now = Instant::ZERO;
3808 let mut server = new_server(TransportType::Tcp);
3809 let (realm, nonce) = initial_allocate(&mut server, now);
3810 let creds = credentials().into_long_term_credentials(&realm);
3811 let reply =
3812 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3813 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3814 channel_bind(&mut server, creds.clone(), &nonce, now);
3815 let data = {
3816 let channel = ChannelData::new(0x4000, [7; 3].as_slice());
3817 let mut out = vec![0; 7];
3818 channel.write_into_unchecked(&mut out);
3819 out
3820 };
3821 for i in 1..data.len() - 1 {
3822 assert!(server
3823 .recv(client_transmit(&data[..i], server.transport()), now)
3824 .is_none());
3825 let ret = server
3826 .recv(client_transmit(&data[i..], server.transport()), now)
3827 .unwrap();
3828 assert_eq!(ret.transport, TransportType::Udp);
3829 assert_eq!(ret.from, relayed_address());
3830 assert_eq!(ret.to, peer_address());
3831 assert_eq!(&ret.data.build(), &data[4..]);
3832 }
3833 }
3834
3835 #[test]
3836 fn test_tcp_server_split_recv_indication() {
3837 let _init = crate::tests::test_init_log();
3838 let now = Instant::ZERO;
3839 let mut server = new_server(TransportType::Tcp);
3840 let (realm, nonce) = initial_allocate(&mut server, now);
3841 let creds = credentials().into_long_term_credentials(&realm);
3842 let reply =
3843 authenticated_allocate_with_credentials(&mut server, creds.clone(), &nonce, now);
3844 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3845 create_permission(&mut server, creds.clone(), &nonce, now);
3846 let mut msg = Message::builder_indication(SEND, MessageWriteVec::new());
3847 msg.add_attribute(&XorPeerAddress::new(peer_address(), msg.transaction_id()))
3848 .unwrap();
3849 let offset = msg.len() + 4;
3850 msg.add_attribute(&AData::new(&[7; 3])).unwrap();
3851 let data = msg.clone().build();
3852 for i in 1..data.len() - 1 {
3853 assert!(server
3854 .recv(client_transmit(&data[..i], server.transport()), now)
3855 .is_none());
3856 let ret = server
3857 .recv(client_transmit(&data[i..], server.transport()), now)
3858 .unwrap();
3859 assert_eq!(ret.transport, TransportType::Udp);
3860 assert_eq!(ret.from, relayed_address());
3861 assert_eq!(ret.to, peer_address());
3862 assert_eq!(&ret.data.build(), &data[offset..data.len() - 1]);
3863 }
3864 }
3865
3866 #[test]
3867 fn test_tcp_server_two_interleaved_clients() {
3868 let _init = crate::tests::test_init_log();
3869 let now = Instant::ZERO;
3870
3871 let client_address2 = {
3872 let mut addr = client_address();
3873 addr.set_port(1001);
3874 addr
3875 };
3876 let relayed_address2 = {
3877 let mut addr = relayed_address();
3878 addr.set_port(2223);
3879 addr
3880 };
3881 let peer_address2 = {
3882 let mut addr = peer_address();
3883 addr.set_port(44445);
3884 addr
3885 };
3886
3887 for split in [3, 9] {
3888 let mut server = new_server(TransportType::Tcp);
3889
3890 let initial_allocate1 = initial_allocate_msg();
3891 let initial_allocate2 = initial_allocate_msg();
3892 assert!(server
3893 .recv(
3894 client_transmit(&initial_allocate1[..split], TransportType::Tcp,),
3895 now
3896 )
3897 .is_none());
3898
3899 assert!(server
3900 .recv(
3901 client_transmit_from(
3902 &initial_allocate2[..split],
3903 TransportType::Tcp,
3904 client_address2,
3905 ),
3906 now
3907 )
3908 .is_none());
3909
3910 let reply = server
3911 .recv(
3912 client_transmit(&initial_allocate1[split..], TransportType::Tcp),
3913 now,
3914 )
3915 .unwrap();
3916 let (realm, nonce) = validate_initial_allocate_reply(&reply.build().data);
3917 let creds = credentials().into_long_term_credentials(&realm);
3918
3919 let reply = server
3920 .recv(
3921 client_transmit_from(
3922 &initial_allocate2[split..],
3923 TransportType::Tcp,
3924 client_address2,
3925 ),
3926 now,
3927 )
3928 .unwrap();
3929 let (realm2, nonce2) = validate_initial_allocate_reply(&reply.build().data);
3930 let creds2 = credentials().into_long_term_credentials(&realm2);
3931
3932 let families = [(AddressFamily::IPV4, Ok(relayed_address()))];
3933 let auth_alloc = authenticated_allocate_msg(
3934 creds.clone(),
3935 &nonce,
3936 RequestedTransport::UDP,
3937 &families,
3938 );
3939 let families2 = [(AddressFamily::IPV4, Ok(relayed_address2))];
3940 let auth_alloc2 = authenticated_allocate_msg(
3941 creds2.clone(),
3942 &nonce2,
3943 RequestedTransport::UDP,
3944 &families2,
3945 );
3946
3947 assert!(server
3948 .recv(
3949 client_transmit(&auth_alloc[..split], TransportType::Tcp,),
3950 now
3951 )
3952 .is_none());
3953
3954 assert!(server
3955 .recv(
3956 client_transmit_from(
3957 &auth_alloc2[..split],
3958 TransportType::Tcp,
3959 client_address2,
3960 ),
3961 now
3962 )
3963 .is_none());
3964
3965 assert!(server
3966 .recv(
3967 client_transmit(&auth_alloc[split..], TransportType::Tcp),
3968 now,
3969 )
3970 .is_none());
3971 let reply = authenticated_allocate_reply(&mut server, &families, now);
3972 validate_authenticated_allocate_reply(&reply.data, creds.clone());
3973
3974 assert!(server
3975 .recv(
3976 client_transmit_from(
3977 &auth_alloc2[split..],
3978 TransportType::Tcp,
3979 client_address2
3980 ),
3981 now,
3982 )
3983 .is_none());
3984 let reply = authenticated_allocate_reply(&mut server, &families2, now);
3985 validate_authenticated_allocate_reply(&reply.data, creds2.clone());
3986
3987 let perm = create_permission_request(creds.clone(), &nonce, peer_address());
3988 let perm2 = create_permission_request(creds.clone(), &nonce2, peer_address2);
3989
3990 assert!(server
3991 .recv(client_transmit(&perm[..split], TransportType::Tcp,), now)
3992 .is_none());
3993
3994 assert!(server
3995 .recv(
3996 client_transmit_from(&perm2[..split], TransportType::Tcp, client_address2,),
3997 now
3998 )
3999 .is_none());
4000
4001 let reply = server
4002 .recv(client_transmit(&perm[split..], TransportType::Tcp), now)
4003 .unwrap();
4004 validate_signed_success(&reply.build().data, CREATE_PERMISSION, creds);
4005
4006 let reply = server
4007 .recv(
4008 client_transmit_from(&perm2[split..], TransportType::Tcp, client_address2),
4009 now,
4010 )
4011 .unwrap();
4012 validate_signed_success(&reply.build().data, CREATE_PERMISSION, creds2);
4013 }
4014 }
4015}