ms-ice: calculate FINGERPRINT according to [MS-ICE2]

Connectivity checks that are fully conforming to [MS-ICE2] should
contain IMPLEMENTATION-VERSION attribute ([MS-ICE2] 2.2.2.2) equal to 2
and their FINGERPRINT should be calculated as described in RFC5389
section 15.5 (i.e. using standard CRC lookup table).

We need this because some Skype for Business clients no longer accept
messages whose FINGERPRINT contains a value calculated using Microsoft's
old custom CRC table (specified verbatim in [MS-ICE2] 3.1.4.8.2).

The change creates a compatibility breakage with legacy Lync clients
which will be fixed in following commits.

Differential Revision: https://phabricator.freedesktop.org/D1136

diff --git a/stun/stunagent.c b/stun/stunagent.c
index bd243cb..76984ce 100644 (file)
--- a/stun/stunagent.c
+++ b/stun/stunagent.c
@@ -155,8 +155,7 @@ StunValidationStatus stun_agent_validate (StunAgent *agent, StunMessage *msg,
       return STUN_VALIDATION_BAD_REQUEST;
     }
     /* Checks FINGERPRINT */
-    crc32 = stun_fingerprint (msg->buffer, stun_message_length (msg),
-        agent->compatibility == STUN_COMPATIBILITY_WLM2009);
+    crc32 = stun_fingerprint (msg->buffer, stun_message_length (msg), FALSE);
     fpr = ntohl (fpr);
     if (fpr != crc32) {
       stun_debug ("STUN demux error: bad fingerprint: 0x%08x,"
@@ -624,8 +623,7 @@ size_t stun_agent_finish_message (StunAgent *agent, StunMessage *msg,
       return 0;
     }
 
-    fpr = stun_fingerprint (msg->buffer, stun_message_length (msg),
-        agent->compatibility == STUN_COMPATIBILITY_WLM2009);
+    fpr = stun_fingerprint (msg->buffer, stun_message_length (msg), FALSE);
     memcpy (ptr, &fpr, sizeof (fpr));
 
     stun_debug_bytes (" Message HMAC-SHA1 fingerprint: ", ptr, 4);

diff --git a/stun/stunmessage.h b/stun/stunmessage.h
index 24609ed..26ee12d 100644 (file)
--- a/stun/stunmessage.h
+++ b/stun/stunmessage.h
@@ -228,6 +228,8 @@ typedef enum
  * as defined by [MS-TURN]
  * @STUN_ATTRIBUTE_CANDIDATE_IDENTIFIER: The CANDIDATE-IDENTIFIER optional
  * attribute as defined by [MS-ICE2]
+ * @STUN_ATTRIBUTE_MS_IMPLEMENTATION_VERSION: The IMPLEMENTATION-VERSION
+ * optional attribute as defined by [MS-ICE2]
  *
  * Known STUN attribute types as defined by various RFCs and drafts
  */
@@ -305,8 +307,10 @@ typedef enum
   /* 0x802B-0x804F */      /* reserved */
   STUN_ATTRIBUTE_MS_SEQUENCE_NUMBER=0x8050,     /* MS-TURN */
   /* 0x8051-0x8053 */      /* reserved */
-  STUN_ATTRIBUTE_CANDIDATE_IDENTIFIER=0x8054    /* MS-ICE2 */
-  /* 0x8055-0xFFFF */      /* reserved */
+  STUN_ATTRIBUTE_CANDIDATE_IDENTIFIER=0x8054,     /* MS-ICE2 */
+  /* 0x8055-0x806F */      /* reserved */
+  STUN_ATTRIBUTE_MS_IMPLEMENTATION_VERSION=0x8070 /* MS-ICE2 */
+  /* 0x8071-0xFFFF */      /* reserved */
 } StunAttribute;
 
 

diff --git a/stun/usages/ice.c b/stun/usages/ice.c
index e6c7aa0..47d998b 100644 (file)
--- a/stun/usages/ice.c
+++ b/stun/usages/ice.c
@@ -122,6 +122,12 @@ stun_usage_ice_conncheck_create (StunAgent *agent, StunMessage *msg,
 
     if (val != STUN_MESSAGE_RETURN_SUCCESS)
                return 0;
+
+    val = stun_message_append32 (msg,
+        STUN_ATTRIBUTE_MS_IMPLEMENTATION_VERSION, 2);
+
+    if (val != STUN_MESSAGE_RETURN_SUCCESS)
+      return 0;
   }
 
   return stun_agent_finish_message (agent, msg, password, password_len);
@@ -344,7 +350,15 @@ stun_usage_ice_conncheck_create_reply (StunAgent *agent, StunMessage *req,
     goto failure;
   }
 
+  if (compatibility == STUN_USAGE_ICE_COMPATIBILITY_MSICE2) {
+    val = stun_message_append32 (msg,
+        STUN_ATTRIBUTE_MS_IMPLEMENTATION_VERSION, 2);
 
+    if (val != STUN_MESSAGE_RETURN_SUCCESS) {
+      stun_debug ("Error appending implementation version: %d", val);
+      goto failure;
+    }
+  }
 
   /* the stun agent will automatically use the password of the request */
   len = stun_agent_finish_message (agent, msg, NULL, 0);