diff options
Diffstat (limited to 'testing/tools/iceserver')
| -rw-r--r-- | testing/tools/iceserver/iceserver.py | 1001 |
1 files changed, 1001 insertions, 0 deletions
diff --git a/testing/tools/iceserver/iceserver.py b/testing/tools/iceserver/iceserver.py new file mode 100644 index 0000000000..ae35bf0780 --- /dev/null +++ b/testing/tools/iceserver/iceserver.py @@ -0,0 +1,1001 @@ +# vim: set ts=4 et sw=4 tw=80 +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +import ipaddr +import socket +import hmac +import hashlib +import passlib.utils # for saslprep +import copy +import random +import operator +import os +import platform +import six +import string +import time +from functools import reduce +from string import Template +from twisted.internet import reactor, protocol +from twisted.internet.task import LoopingCall +from twisted.internet.address import IPv4Address +from twisted.internet.address import IPv6Address + +MAGIC_COOKIE = 0x2112A442 + +REQUEST = 0 +INDICATION = 1 +SUCCESS_RESPONSE = 2 +ERROR_RESPONSE = 3 + +BINDING = 0x001 +ALLOCATE = 0x003 +REFRESH = 0x004 +SEND = 0x006 +DATA_MSG = 0x007 +CREATE_PERMISSION = 0x008 +CHANNEL_BIND = 0x009 + +# STUN spec chose silly values for these +STUN_IPV4 = 1 +STUN_IPV6 = 2 + +MAPPED_ADDRESS = 0x0001 +USERNAME = 0x0006 +MESSAGE_INTEGRITY = 0x0008 +ERROR_CODE = 0x0009 +UNKNOWN_ATTRIBUTES = 0x000A +LIFETIME = 0x000D +DATA_ATTR = 0x0013 +XOR_PEER_ADDRESS = 0x0012 +REALM = 0x0014 +NONCE = 0x0015 +XOR_RELAYED_ADDRESS = 0x0016 +REQUESTED_TRANSPORT = 0x0019 +DONT_FRAGMENT = 0x001A +XOR_MAPPED_ADDRESS = 0x0020 +SOFTWARE = 0x8022 +ALTERNATE_SERVER = 0x8023 +FINGERPRINT = 0x8028 + +STUN_PORT = 3478 +STUNS_PORT = 5349 + +TURN_REDIRECT_PORT = 3479 +TURNS_REDIRECT_PORT = 5350 + + +def unpack_uint(bytes_buf): + result = 0 + for byte in bytes_buf: + result = (result << 8) + byte + return result + + +def pack_uint(value, width): + if value < 0: + raise ValueError("Invalid value: {}".format(value)) + buf = bytearray([0] * width) + for i in range(0, width): + buf[i] = (value >> (8 * (width - i - 1))) & 0xFF + + return buf + + +def unpack(bytes_buf, format_array): + results = () + for width in format_array: + results = results + (unpack_uint(bytes_buf[0:width]),) + bytes_buf = bytes_buf[width:] + return results + + +def pack(values, format_array): + if len(values) != len(format_array): + raise ValueError() + buf = bytearray() + for i in range(0, len(values)): + buf.extend(pack_uint(values[i], format_array[i])) + return buf + + +def bitwise_pack(source, dest, start_bit, num_bits): + if num_bits <= 0 or num_bits > start_bit + 1: + raise ValueError( + "Invalid num_bits: {}, start_bit = {}".format(num_bits, start_bit) + ) + last_bit = start_bit - num_bits + 1 + source = source >> last_bit + dest = dest << num_bits + mask = (1 << num_bits) - 1 + dest += source & mask + return dest + + +def to_ipaddress(protocol, host, port): + if ":" not in host: + return IPv4Address(protocol, host, port) + + return IPv6Address(protocol, host, port) + + +class StunAttribute(object): + """ + Represents a STUN attribute in a raw format, according to the following: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | StunAttribute.attr_type | Length (derived as needed) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | StunAttribute.data (variable length) .... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + """ + + __attr_header_fmt = [2, 2] + __attr_header_size = reduce(operator.add, __attr_header_fmt) + + def __init__(self, attr_type=0, buf=bytearray()): + self.attr_type = attr_type + self.data = buf + + def build(self): + buf = pack((self.attr_type, len(self.data)), self.__attr_header_fmt) + buf.extend(self.data) + # add padding if necessary + if len(buf) % 4: + buf.extend([0] * (4 - (len(buf) % 4))) + return buf + + def parse(self, buf): + if self.__attr_header_size > len(buf): + raise Exception("truncated at attribute: incomplete header") + + self.attr_type, length = unpack(buf, self.__attr_header_fmt) + length += self.__attr_header_size + + if length > len(buf): + raise Exception("truncated at attribute: incomplete contents") + + self.data = buf[self.__attr_header_size : length] + + # verify padding + while length % 4: + if buf[length]: + raise ValueError("Non-zero padding") + length += 1 + + return length + + +class StunMessage(object): + """ + Represents a STUN message. Contains a method, msg_class, cookie, + transaction_id, and attributes (as an array of StunAttribute). + + Has various functions for getting/adding attributes. + """ + + def __init__(self): + self.method = 0 + self.msg_class = 0 + self.cookie = MAGIC_COOKIE + self.transaction_id = 0 + self.attributes = [] + + # 0 1 2 3 + # 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + # |0 0|M M M M M|C|M M M|C|M M M M| Message Length | + # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + # | Magic Cookie | + # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + # | | + # | Transaction ID (96 bits) | + # | | + # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + __header_fmt = [2, 2, 4, 12] + __header_size = reduce(operator.add, __header_fmt) + + # Returns how many bytes were parsed if buf was large enough, or how many + # bytes we would have needed if not. Throws if buf is malformed. + def parse(self, buf): + min_buf_size = self.__header_size + if len(buf) < min_buf_size: + return min_buf_size + + message_type, length, cookie, self.transaction_id = unpack( + buf, self.__header_fmt + ) + min_buf_size += length + if len(buf) < min_buf_size: + return min_buf_size + + # Avert your eyes... + self.method = bitwise_pack(message_type, 0, 13, 5) + self.msg_class = bitwise_pack(message_type, 0, 8, 1) + self.method = bitwise_pack(message_type, self.method, 7, 3) + self.msg_class = bitwise_pack(message_type, self.msg_class, 4, 1) + self.method = bitwise_pack(message_type, self.method, 3, 4) + + if cookie != self.cookie: + raise Exception("Invalid cookie: {}".format(cookie)) + + buf = buf[self.__header_size : min_buf_size] + while len(buf): + attr = StunAttribute() + length = attr.parse(buf) + buf = buf[length:] + self.attributes.append(attr) + + return min_buf_size + + # stop_after_attr_type is useful for calculating MESSAGE-DIGEST + def build(self, stop_after_attr_type=0): + attrs = bytearray() + for attr in self.attributes: + attrs.extend(attr.build()) + if attr.attr_type == stop_after_attr_type: + break + + message_type = bitwise_pack(self.method, 0, 11, 5) + message_type = bitwise_pack(self.msg_class, message_type, 1, 1) + message_type = bitwise_pack(self.method, message_type, 6, 3) + message_type = bitwise_pack(self.msg_class, message_type, 0, 1) + message_type = bitwise_pack(self.method, message_type, 3, 4) + + message = pack( + (message_type, len(attrs), self.cookie, self.transaction_id), + self.__header_fmt, + ) + message.extend(attrs) + + return message + + def add_error_code(self, code, phrase=None): + # 0 1 2 3 + # 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + # | Reserved, should be 0 |Class| Number | + # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + # | Reason Phrase (variable) .. + # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + error_code_fmt = [3, 1] + error_code = pack((code // 100, code % 100), error_code_fmt) + if phrase != None: + error_code.extend(bytearray(phrase, "utf-8")) + self.attributes.append(StunAttribute(ERROR_CODE, error_code)) + + # 0 1 2 3 + # 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + # |x x x x x x x x| Family | X-Port | + # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + # | X-Address (Variable) + # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + __v4addr_fmt = [1, 1, 2, 4] + __v6addr_fmt = [1, 1, 2, 16] + __v4addr_size = reduce(operator.add, __v4addr_fmt) + __v6addr_size = reduce(operator.add, __v6addr_fmt) + + def add_address(self, ip_address, version, port, attr_type): + if version == STUN_IPV4: + address = pack((0, STUN_IPV4, port, ip_address), self.__v4addr_fmt) + elif version == STUN_IPV6: + address = pack((0, STUN_IPV6, port, ip_address), self.__v6addr_fmt) + else: + raise ValueError("Invalid ip version: {}".format(version)) + self.attributes.append(StunAttribute(attr_type, address)) + + def get_xaddr(self, ip_addr, version): + if version == STUN_IPV4: + return self.cookie ^ ip_addr + elif version == STUN_IPV6: + return ((self.cookie << 96) + self.transaction_id) ^ ip_addr + else: + raise ValueError("Invalid family: {}".format(version)) + + def get_xport(self, port): + return (self.cookie >> 16) ^ port + + def add_xor_address(self, addr_port, attr_type): + ip_address = ipaddr.IPAddress(addr_port.host) + version = STUN_IPV6 if ip_address.version == 6 else STUN_IPV4 + xaddr = self.get_xaddr(int(ip_address), version) + xport = self.get_xport(addr_port.port) + self.add_address(xaddr, version, xport, attr_type) + + def add_data(self, buf): + self.attributes.append(StunAttribute(DATA_ATTR, buf)) + + def find(self, attr_type): + for attr in self.attributes: + if attr.attr_type == attr_type: + return attr + return None + + def get_xor_address(self, attr_type): + addr_attr = self.find(attr_type) + if not addr_attr: + return None + + padding, family, xport, xaddr = unpack(addr_attr.data, self.__v4addr_fmt) + addr_ctor = IPv4Address + if family == STUN_IPV6: + padding, family, xport, xaddr = unpack(addr_attr.data, self.__v6addr_fmt) + addr_ctor = IPv6Address + elif family != STUN_IPV4: + raise ValueError("Invalid family: {}".format(family)) + + return addr_ctor( + "UDP", + str(ipaddr.IPAddress(self.get_xaddr(xaddr, family))), + self.get_xport(xport), + ) + + def add_nonce(self, nonce): + self.attributes.append(StunAttribute(NONCE, bytearray(nonce, "utf-8"))) + + def add_realm(self, realm): + self.attributes.append(StunAttribute(REALM, bytearray(realm, "utf-8"))) + + def calculate_message_digest(self, username, realm, password): + digest_buf = self.build(MESSAGE_INTEGRITY) + # Trim off the MESSAGE-INTEGRITY attr + digest_buf = digest_buf[: len(digest_buf) - 24] + password = passlib.utils.saslprep(six.text_type(password)) + key_string = "{}:{}:{}".format(username, realm, password) + md5 = hashlib.md5() + md5.update(bytearray(key_string, "utf-8")) + key = md5.digest() + return bytearray(hmac.new(key, digest_buf, hashlib.sha1).digest()) + + def add_lifetime(self, lifetime): + self.attributes.append(StunAttribute(LIFETIME, pack_uint(lifetime, 4))) + + def get_lifetime(self): + lifetime_attr = self.find(LIFETIME) + if not lifetime_attr: + return None + return unpack_uint(lifetime_attr.data[0:4]) + + def get_username(self): + username = self.find(USERNAME) + if not username: + return None + return str(username.data) + + def add_message_integrity(self, username, realm, password): + dummy_value = bytearray([0] * 20) + self.attributes.append(StunAttribute(MESSAGE_INTEGRITY, dummy_value)) + digest = self.calculate_message_digest(username, realm, password) + self.find(MESSAGE_INTEGRITY).data = digest + + def add_alternate_server(self, host, port): + address = ipaddr.IPAddress(host) + version = STUN_IPV6 if address.version == 6 else STUN_IPV4 + self.add_address(int(address), version, port, ALTERNATE_SERVER) + + +class Allocation(protocol.DatagramProtocol): + """ + Comprises the socket for a TURN allocation, a back-reference to the + transport we will forward received traffic on, the allocator's address and + username, the set of permissions for the allocation, and the allocation's + expiry. + """ + + def __init__(self, other_transport_handler, allocator_address, username): + self.permissions = set() # str, int tuples + # Handler to use when sending stuff that arrives on the allocation + self.other_transport_handler = other_transport_handler + self.allocator_address = allocator_address + self.username = username + self.expiry = time.time() + self.port = reactor.listenUDP(0, self, interface=v4_address) + + def datagramReceived(self, data, address): + host = address[0] + port = address[1] + if not host in self.permissions: + print( + "Dropping packet from {}:{}, no permission on allocation {}".format( + host, port, self.transport.getHost() + ) + ) + return + + data_indication = StunMessage() + data_indication.method = DATA_MSG + data_indication.msg_class = INDICATION + data_indication.transaction_id = random.getrandbits(96) + + # Only handles UDP allocations. Doubtful that we need more than this. + data_indication.add_xor_address( + to_ipaddress("UDP", host, port), XOR_PEER_ADDRESS + ) + data_indication.add_data(data) + + self.other_transport_handler.write( + data_indication.build(), self.allocator_address + ) + + def close(self): + self.port.stopListening() + self.port = None + + +class StunHandler(object): + """ + Frames and handles STUN messages. This is the core logic of the TURN + server, along with Allocation. + """ + + def __init__(self, transport_handler): + self.client_address = None + self.data = bytearray() + self.transport_handler = transport_handler + + def data_received(self, data, address): + self.data += data + while True: + stun_message = StunMessage() + parsed_len = stun_message.parse(self.data) + if parsed_len > len(self.data): + break + self.data = self.data[parsed_len:] + + response = self.handle_stun(stun_message, address) + if response: + self.transport_handler.write(response, address) + + def handle_stun(self, stun_message, address): + self.client_address = address + if stun_message.msg_class == INDICATION: + if stun_message.method == SEND: + self.handle_send_indication(stun_message) + else: + print( + "Dropping unknown indication method: {}".format(stun_message.method) + ) + return None + + if stun_message.msg_class != REQUEST: + print("Dropping STUN response, method: {}".format(stun_message.method)) + return None + + if stun_message.method == BINDING: + return self.make_success_response(stun_message).build() + elif stun_message.method == ALLOCATE: + return self.handle_allocation(stun_message).build() + elif stun_message.method == REFRESH: + return self.handle_refresh(stun_message).build() + elif stun_message.method == CREATE_PERMISSION: + return self.handle_permission(stun_message).build() + else: + return self.make_error_response( + stun_message, + 400, + ("Unsupported STUN request, method: {}".format(stun_message.method)), + ).build() + + def get_allocation_tuple(self): + return ( + self.client_address.host, + self.client_address.port, + self.transport_handler.transport.getHost().type, + self.transport_handler.transport.getHost().host, + self.transport_handler.transport.getHost().port, + ) + + def handle_allocation(self, request): + allocate_response = self.check_long_term_auth(request) + if allocate_response.msg_class == SUCCESS_RESPONSE: + if self.get_allocation_tuple() in allocations: + return self.make_error_response( + request, + 437, + ( + "Duplicate allocation request for tuple {}".format( + self.get_allocation_tuple() + ) + ), + ) + + allocation = Allocation( + self.transport_handler, self.client_address, request.get_username() + ) + + allocate_response.add_xor_address( + allocation.transport.getHost(), XOR_RELAYED_ADDRESS + ) + + lifetime = request.get_lifetime() + if lifetime == None: + return self.make_error_response( + request, 400, "Missing lifetime attribute in allocation request" + ) + + lifetime = min(lifetime, 3600) + allocate_response.add_lifetime(lifetime) + allocation.expiry = time.time() + lifetime + + allocate_response.add_message_integrity(turn_user, turn_realm, turn_pass) + allocations[self.get_allocation_tuple()] = allocation + return allocate_response + + def handle_refresh(self, request): + refresh_response = self.check_long_term_auth(request) + if refresh_response.msg_class == SUCCESS_RESPONSE: + try: + allocation = allocations[self.get_allocation_tuple()] + except KeyError: + return self.make_error_response( + request, + 437, + ( + "Refresh request for non-existing allocation, tuple {}".format( + self.get_allocation_tuple() + ) + ), + ) + + if allocation.username != request.get_username(): + return self.make_error_response( + request, + 441, + ( + "Refresh request with wrong user, exp {}, got {}".format( + allocation.username, request.get_username() + ) + ), + ) + + lifetime = request.get_lifetime() + if lifetime == None: + return self.make_error_response( + request, 400, "Missing lifetime attribute in allocation request" + ) + + lifetime = min(lifetime, 3600) + refresh_response.add_lifetime(lifetime) + allocation.expiry = time.time() + lifetime + + refresh_response.add_message_integrity(turn_user, turn_realm, turn_pass) + return refresh_response + + def handle_permission(self, request): + permission_response = self.check_long_term_auth(request) + if permission_response.msg_class == SUCCESS_RESPONSE: + try: + allocation = allocations[self.get_allocation_tuple()] + except KeyError: + return self.make_error_response( + request, + 437, + ( + "No such allocation for permission request, tuple {}".format( + self.get_allocation_tuple() + ) + ), + ) + + if allocation.username != request.get_username(): + return self.make_error_response( + request, + 441, + ( + "Permission request with wrong user, exp {}, got {}".format( + allocation.username, request.get_username() + ) + ), + ) + + # TODO: Handle multiple XOR-PEER-ADDRESS + peer_address = request.get_xor_address(XOR_PEER_ADDRESS) + if not peer_address: + return self.make_error_response( + request, 400, "Missing XOR-PEER-ADDRESS on permission request" + ) + + permission_response.add_message_integrity(turn_user, turn_realm, turn_pass) + allocation.permissions.add(peer_address.host) + + return permission_response + + def handle_send_indication(self, indication): + try: + allocation = allocations[self.get_allocation_tuple()] + except KeyError: + print( + "Dropping send indication; no allocation for tuple {}".format( + self.get_allocation_tuple() + ) + ) + return + + peer_address = indication.get_xor_address(XOR_PEER_ADDRESS) + if not peer_address: + print("Dropping send indication, missing XOR-PEER-ADDRESS") + return + + data_attr = indication.find(DATA_ATTR) + if not data_attr: + print("Dropping send indication, missing DATA") + return + + if indication.find(DONT_FRAGMENT): + print("Dropping send indication, DONT-FRAGMENT set") + return + + if not peer_address.host in allocation.permissions: + print( + "Dropping send indication, no permission for {} on tuple {}".format( + peer_address.host, self.get_allocation_tuple() + ) + ) + return + + allocation.transport.write( + data_attr.data, (peer_address.host, peer_address.port) + ) + + def make_success_response(self, request): + response = copy.deepcopy(request) + response.attributes = [] + response.add_xor_address(self.client_address, XOR_MAPPED_ADDRESS) + response.msg_class = SUCCESS_RESPONSE + return response + + def make_error_response(self, request, code, reason=None): + if reason: + print("{}: rejecting with {}".format(reason, code)) + response = copy.deepcopy(request) + response.attributes = [] + response.add_error_code(code, reason) + response.msg_class = ERROR_RESPONSE + return response + + def make_challenge_response(self, request, reason=None): + response = self.make_error_response(request, 401, reason) + # 65 means the hex encoding will need padding half the time + response.add_nonce("{:x}".format(random.getrandbits(65))) + response.add_realm(turn_realm) + return response + + def check_long_term_auth(self, request): + message_integrity = request.find(MESSAGE_INTEGRITY) + if not message_integrity: + return self.make_challenge_response(request) + + username = request.find(USERNAME) + realm = request.find(REALM) + nonce = request.find(NONCE) + if not username or not realm or not nonce: + return self.make_error_response( + request, 400, "Missing either USERNAME, NONCE, or REALM" + ) + + if username.data.decode("utf-8") != turn_user: + return self.make_challenge_response( + request, "Wrong user {}, exp {}".format(username.data, turn_user) + ) + + expected_message_digest = request.calculate_message_digest( + turn_user, turn_realm, turn_pass + ) + if message_integrity.data != expected_message_digest: + return self.make_challenge_response(request, "Incorrect message disgest") + + return self.make_success_response(request) + + +class StunRedirectHandler(StunHandler): + """ + Frames and handles STUN messages by redirecting to the "real" server port. + Performs the redirect with auth, so does a 401 to unauthed requests. + Can be used to test port-based redirect handling. + """ + + def __init__(self, transport_handler): + super(StunRedirectHandler, self).__init__(transport_handler) + + def handle_stun(self, stun_message, address): + self.client_address = address + if stun_message.msg_class == REQUEST: + challenge_response = self.check_long_term_auth(stun_message) + + if challenge_response.msg_class == SUCCESS_RESPONSE: + return self.make_redirect_response(stun_message).build() + + return challenge_response.build() + + def make_redirect_response(self, request): + response = self.make_error_response(request, 300, "Try alternate") + port = STUN_PORT + if self.transport_handler.transport.getHost().port == TURNS_REDIRECT_PORT: + port = STUNS_PORT + + response.add_alternate_server( + self.transport_handler.transport.getHost().host, port + ) + + response.add_message_integrity(turn_user, turn_realm, turn_pass) + return response + + +class UdpStunHandler(protocol.DatagramProtocol): + """ + Represents a UDP listen port for TURN. + """ + + def datagramReceived(self, data, address): + stun_handler = StunHandler(self) + stun_handler.data_received(data, to_ipaddress("UDP", address[0], address[1])) + + def write(self, data, address): + self.transport.write(bytes(data), (address.host, address.port)) + + +class UdpStunRedirectHandler(protocol.DatagramProtocol): + """ + Represents a UDP listen port for TURN that will redirect. + """ + + def datagramReceived(self, data, address): + stun_handler = StunRedirectHandler(self) + stun_handler.data_received(data, to_ipaddress("UDP", address[0], address[1])) + + def write(self, data, address): + self.transport.write(bytes(data), (address.host, address.port)) + + +class TcpStunHandlerFactory(protocol.Factory): + """ + Represents a TCP listen port for TURN. + """ + + def buildProtocol(self, addr): + return TcpStunHandler(addr) + + +class TcpStunHandler(protocol.Protocol): + """ + Represents a connected TCP port for TURN. + """ + + def __init__(self, addr): + self.address = addr + self.stun_handler = None + + def dataReceived(self, data): + # This needs to persist, since it handles framing + if not self.stun_handler: + self.stun_handler = StunHandler(self) + self.stun_handler.data_received(data, self.address) + + def connectionLost(self, reason): + print("Lost connection from {}".format(self.address)) + # Destroy allocations that this connection made + keys_to_delete = [] + for key, allocation in allocations.items(): + if allocation.other_transport_handler == self: + print("Closing allocation due to dropped connection: {}".format(key)) + keys_to_delete.append(key) + allocation.close() + + for key in keys_to_delete: + del allocations[key] + + def write(self, data, address): + self.transport.write(bytes(data)) + + +class TcpStunRedirectHandlerFactory(protocol.Factory): + """ + Represents a TCP listen port for TURN that will redirect. + """ + + def buildProtocol(self, addr): + return TcpStunRedirectHandler(addr) + + +class TcpStunRedirectHandler(protocol.DatagramProtocol): + def __init__(self, addr): + self.address = addr + self.stun_handler = None + + def dataReceived(self, data): + # This needs to persist, since it handles framing. Framing matters here + # because we do a round of auth before redirecting. + if not self.stun_handler: + self.stun_handler = StunRedirectHandler(self) + self.stun_handler.data_received(data, self.address) + + def write(self, data, address): + self.transport.write(bytes(data)) + + +def get_default_route(family): + dummy_socket = socket.socket(family, socket.SOCK_DGRAM) + if family is socket.AF_INET: + dummy_socket.connect(("8.8.8.8", 53)) + else: + dummy_socket.connect(("2001:4860:4860::8888", 53)) + + default_route = dummy_socket.getsockname()[0] + dummy_socket.close() + return default_route + + +turn_user = "foo" +turn_pass = "bar" +turn_realm = "mozilla.invalid" +allocations = {} +v4_address = get_default_route(socket.AF_INET) +try: + v6_address = get_default_route(socket.AF_INET6) +except: + v6_address = "" + + +def prune_allocations(): + now = time.time() + keys_to_delete = [] + for key, allocation in allocations.items(): + if allocation.expiry < now: + print("Allocation expired: {}".format(key)) + keys_to_delete.append(key) + allocation.close() + + for key in keys_to_delete: + del allocations[key] + + +CERT_FILE = "selfsigned.crt" +KEY_FILE = "private.key" + + +def create_self_signed_cert(name): + from OpenSSL import crypto + + if os.path.isfile(CERT_FILE) and os.path.isfile(KEY_FILE): + return + + # create a key pair + k = crypto.PKey() + k.generate_key(crypto.TYPE_RSA, 1024) + + # create a self-signed cert + cert = crypto.X509() + cert.get_subject().C = "US" + cert.get_subject().ST = "TX" + cert.get_subject().L = "Dallas" + cert.get_subject().O = "Mozilla test iceserver" + cert.get_subject().OU = "Mozilla test iceserver" + cert.get_subject().CN = name + cert.set_serial_number(1000) + cert.gmtime_adj_notBefore(0) + cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) + cert.set_issuer(cert.get_subject()) + cert.set_pubkey(k) + cert.add_extensions( + [crypto.X509Extension(b"subjectAltName", False, f"DNS:{name}".encode())] + ) + cert.sign(k, "sha1") + + open(CERT_FILE, "wb").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) + open(KEY_FILE, "wb").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) + + +if __name__ == "__main__": + random.seed() + + if platform.system() == "Windows": + # Windows is finicky about allowing real interfaces to talk to loopback. + interface_4 = v4_address + interface_6 = v6_address + hostname = socket.gethostname() + else: + # Our linux builders do not have a hostname that resolves to the real + # interface. + interface_4 = "127.0.0.1" + interface_6 = "::1" + hostname = "localhost" + + reactor.listenUDP(STUN_PORT, UdpStunHandler(), interface=interface_4) + reactor.listenTCP(STUN_PORT, TcpStunHandlerFactory(), interface=interface_4) + + reactor.listenUDP( + TURN_REDIRECT_PORT, UdpStunRedirectHandler(), interface=interface_4 + ) + reactor.listenTCP( + TURN_REDIRECT_PORT, TcpStunRedirectHandlerFactory(), interface=interface_4 + ) + + try: + reactor.listenUDP(STUN_PORT, UdpStunHandler(), interface=interface_6) + reactor.listenTCP(STUN_PORT, TcpStunHandlerFactory(), interface=interface_6) + + reactor.listenUDP( + TURN_REDIRECT_PORT, UdpStunRedirectHandler(), interface=interface_6 + ) + reactor.listenTCP( + TURN_REDIRECT_PORT, TcpStunRedirectHandlerFactory(), interface=interface_6 + ) + except: + pass + + try: + from twisted.internet import ssl + from OpenSSL import SSL + + create_self_signed_cert(hostname) + tls_context_factory = ssl.DefaultOpenSSLContextFactory( + KEY_FILE, CERT_FILE, SSL.TLSv1_2_METHOD + ) + reactor.listenSSL( + STUNS_PORT, + TcpStunHandlerFactory(), + tls_context_factory, + interface=interface_4, + ) + + try: + reactor.listenSSL( + STUNS_PORT, + TcpStunHandlerFactory(), + tls_context_factory, + interface=interface_6, + ) + + reactor.listenSSL( + TURNS_REDIRECT_PORT, + TcpStunRedirectHandlerFactory(), + tls_context_factory, + interface=interface_6, + ) + except: + pass + + f = open(CERT_FILE, "r") + lines = f.readlines() + lines.pop(0) # Remove BEGIN CERTIFICATE + lines.pop() # Remove END CERTIFICATE + # pylint --py3k: W1636 W1649 + lines = list(map(str.strip, lines)) + certbase64 = "".join(lines) # pylint --py3k: W1649 + + turns_url = ', "turns:' + hostname + '"' + cert_prop = ', "cert":"' + certbase64 + '"' + except: + turns_url = "" + cert_prop = "" + pass + + allocation_pruner = LoopingCall(prune_allocations) + allocation_pruner.start(1) + + template = Template( + '[\ +{"urls":["stun:$hostname", "stun:$hostname?transport=tcp"]}, \ +{"username":"$user","credential":"$pwd","turn_redirect_port":"$TURN_REDIRECT_PORT","turns_redirect_port":"$TURNS_REDIRECT_PORT","urls": \ +["turn:$hostname", "turn:$hostname?transport=tcp" $turns_url] \ +$cert_prop}]' # Hack to make it easier to override cert checks + ) + + print( + template.substitute( + user=turn_user, + pwd=turn_pass, + hostname=hostname, + turns_url=turns_url, + cert_prop=cert_prop, + TURN_REDIRECT_PORT=TURN_REDIRECT_PORT, + TURNS_REDIRECT_PORT=TURNS_REDIRECT_PORT, + ) + ) + + reactor.run() |