1. 02 Aug, 2019 1 commit
  2. 31 Jul, 2019 1 commit
  3. 30 Jul, 2019 2 commits
    • conncheck: ignore selected pairs for nomination that failed · ae2fb900
      Fabrice Bellet authored
      When evaluating the stopping criterion, failed pairs from other streams
      having the "use_candidate_on_next_check" flag set should be
      ignored.
      
      This should normally not happen, because a pair selected for nomination
      has no reason to fail when being rechecked, since it previously
      worked... but it may happen with Skype for Business, when libnice
      selects a tcp pair for component 1, the peer seems to have no interest
      in the second component and lets it fail in the middle of the conncheck.
    • conncheck: make the stopping criterion a bit more clear · 0176c2fa
      Fabrice Bellet authored
      This patch doesn't change the logic of the selection of the pair for
      nomination, it makes the code a bit more simple to read.
  4. 29 Jul, 2019 2 commits
    • agent: fix a regression when updating foundations · acda4a08
      Fabrice Bellet authored
      A previous commit c1fb6f28 introduced a regression in the way the
      foundation of a selected pair is updated and signaled, when the
      foundation of its remote candidate changes. The previous comparison was
      made on *always* identical strings, so the update of the selected pair
      was *never* signaled.
    • conncheck: update a misleading debug statement · 1607f920
      Fabrice Bellet authored
      We may not have received remote candidates yet, but we may have
      discovered remote candidates from the early incoming checks. Only
      having stream credentials is required to react to these checks.
  5. 22 Jul, 2019 1 commit
    • discovery: Don't start STUN/TURN disco on erroneous socket · 702fcba9
      Jakub Adam authored
      If the initial attempt at sending discovery message returns a socket
      error, don't start the retransmit timer and immediately mark such
      discovery item as done. This is to quickly eliminate clearly
      non-functioning items from the discovery process.
      
      Particularly improves times to finish discovery on Windows, where
      sending data from a link-local (169.254.0.0/16) IP to a destination not
      on the same subnet leads to "A socket operation was attempted to an
      unreachable network" error. Pointless retransmissions on those sockets
      prolonged discovery in the order of seconds.
  6. 19 Jul, 2019 1 commit
    • agent: fix server-reflexive candidates with oc2007r2 · c2ace8ea
      Fabrice Bellet authored
      The nomination of a pair having such a local candidate breaks SfB when
      the libnice agent is behind a nat that does not do port mapping
      randomization. In that case a server reflexive local candidate usually
      leads to a nominated pair.
      
      The guess made here from observing this behavior is that, it is valid to
      discover and signal these local server reflexive candidates to our peer,
      but they should be removed from our local candidates list thereafter, so
      they do not contribute to build a valid and *even worse* a nominated
      pair with the type server-reflexive. They do not appear in the conncheck
      list per design anyway.
      
      Instead, the same candidate is discovered again later during the
      conncheck, with a peer-reflexive type this time, and with that type, it
      just works.
      
      Closes #90
  7. 12 Jul, 2019 4 commits
    • conncheck: avoid transport association mismatch · 85a5c0a0
      Fabrice Bellet authored
      In some rare cases, the same address and port number may match two
      remote candidates, a tcp and an udp one, and lead to buggy pair
      construction with incompatible transport. This supplementary check
      prevents this problem. The matching test is not aimed to be exhaustive
      but just a way to discard obviously broken associations, and fall back to
      accept everything else (because socket type has a great diversity, with
      socket types based on other sockets types).
      
      It should fix #81, where such bogus transport association has been
      reported (tcp-pass:udp).
    • interfaces: ignore only interfaces we really want to · bd4b4781
      Jakub Adam authored
      Once an interface got ignored, ALL interfaces coming after it were
      dropped too.
    • candidate: replace uint8_t -> guint8 · 8e6b8446
      Jakub Adam authored
      Fixes MSVC build.
    • debug: fix verbose mode · e7237a6e
      Jakub Adam authored
      Since g_parse_debug_string() was looking only at the first 4 items in
      GDebugKey arrays, "libnice-verbose" couldn't get activated.
  8. 11 Jul, 2019 4 commits
    • agent: fix condition for turn-tcp discovery creation · d8d2c041
      Fabrice Bellet authored
      We support turn-tcp in oc2007 compatibility only and when the
      host candidate transport is compatible, i.e. when reliable_tcp is true.
    • conncheck: test inbound stun address on the candidate base address · 0b70e024
      Fabrice Bellet authored
      When receiving an stun packet on a socket, and looking for the matching
      local candidate, normally it doesn't make a difference to test the
      address or the base address. Because a pair cannot have a local candidate
      of type srv-rflx, where there would be a difference, the local candidate
      obtained will be part of a pair of the conncheck list.
      
      Except for the case of a pair with tcp-act local candidate, where the
      addr has a port number of zero (tcp-act socket before connect), and the
      socket of the stun packet has a non-null port number (tcp-act socket
      after connect), corresponding to the base address of another
      peer-reflexive tcp-act local candidate, previously discovered.
      
      The selection of the local candidate concerned by an inbound stun
      request happens when early incoming checks are processed, and when
      inbound stun packets are normally received during the conncheck.
      
      This commit completes commit e6a19418 (for early incoming checks)
      in the normal inbound stun packets code path, where a similar
      modification is needed.
    • conncheck: improve comment on local peer-reflexive selection · e4d65ba7
      Fabrice Bellet authored
      This patch rewrites the comment surrounding this code snippet, to make it
      clear, that this pair selection is not specific to the tcp transport.
    • conncheck: nominate matching pairs across components and streams · 1e40ee6d
      Fabrice Bellet authored
      The current valid pair nomination makes no effort to select pairs that
      could have some similarities across different components and different
      streams. This is normally not required by the RFC8445, but some well
      known applications will misbehave when the libnice agent is in this
      position to choose the nominated pairs (regular nomination mode, and
      controlling mode) and if it makes an unexpected choice from the peer
      point-of-view.
      
      This patch improves the stopping criterion and the selection of the
      preferred pair to nominate in that case.
      
      When no other pair has been nominated yet (across all streams), the
      previous stopping criterion still applies, and the best ranked pair of
      the checklist is selected.
      
      When a nominated pair exists from another component, we try to nominate
      a pair of the same kind (same local and remote addresses and same
      transport) if we have one, and possibly the best pair we have in the
      checklist, and else we look for a nominated pair from another stream.
  9. 04 Jul, 2019 19 commits
    • agent: fix agent reference count · a59f4416
      Fabrice Bellet authored
    • component: don't detach the socket source twice · 13378275
      Fabrice Bellet authored
      The source is also detached in socket_source_free()
    • conncheck: define a property for a final idle timeout · 0512ecaa
      Fabrice Bellet authored
      This final idle timeout is renamed from the
      NICE_AGENT_MAX_TIMER_GRACE_PERIOD macro, and keeps its semantic.
      
      We also increase the default value of this timeout from 1 second to 5
      seconds.  This is useful for the sipe pidgin plugin that has to deal
      with SfB agents, that may take some time in controlling mode before
      choosing and testing the nominated pair
    • conncheck: fix pair priorities uniqueness · 2118cbae
      Fabrice Bellet authored
      This patch fixes the priority assigned to a peer reflexive discovered
      local candidate, when the agent has the stun client role and receives an
      stun reply. This priority must be the value put in the stun request, ie
      the pair->rflx_priority from the parent pair. This ensures two similar
      ordered pairs, will generate discovered pairs ordered in the same way
      for the stun client, and also for the stun server on the other side.
      Without this identical ordering on both sides of the connections, the two
      agents may nominate a different pair with the aggressive nomination
      scenario, since both are valid.
      
      The other fix concerns the function that ensures local candidates
      priority uniqueness, that breaks the assumption that "two local
      candidates having the same priority should generate the same
      prflx_priority in the pairs they contribute". Respecting this assumption
      is important to stay coherent with the behavior of the other agent, that
      considers that two stun requests coming from the same peer-reflexive
      remote candidate will have the same remote priority (once a remote
      candidate is added to the component remote_candidates list, its priority
      is not supposed to change).
    • conncheck: create the valid pair on early tcp stun requests · 628fc393
      Fabrice Bellet authored
      When replaying the incoming checks, we have to create the succeeded
      valid pair matching this tcp connection the same way we do it
      in conn_check_handle_inbound_stun().
    • agent: discard sockptr on updated remote candidates · d2254766
      Fabrice Bellet authored
      These candidates' type is updated from peer-reflexive, discovered during
      early incoming checks, to the type of the matching regularly transmitted
      candidate, so the previous sockptr value is no longer of interest here.
      The same socket is already associated to the initial local candidate
      anyway, source of the early discovery.
    • component: remove socket also from remote candidates · 6303ed6f
      Fabrice Bellet authored
      A socket to be removed may also come from a peer-reflexive remote
      candidate, and some cleanup also needs to be done in this case. This
      reference in a remote peer-reflexive tcp-active candidate caused a
      heap-use-after-free asan error in some custom debugging dump of the list
      of sockets of a component, after a read error in component_io_cb():
      
      agent_recv_message_unlocked returned -1, errno (25) :
      Inappropriate ioctl for device
    • debug: fix verbose debug enable · b3c347bd
      Fabrice Bellet authored
    • Fabrice Bellet
      d7bf3d25
    • conncheck: test incoming checks on candidate base address · e6a19418
      Fabrice Bellet authored
      The candidate may be a newly discovered peer reflexive one,
      or a server reflexive initial candidate, where address and
      base address differ. Early incoming checks are received on
      the base address. These incoming checks may accumulate if remote
      credentials arrive with a delay.
    • conncheck: increase dumped information in debug · a383faa4
      Fabrice Bellet authored
      In complement to the conncheck list, we dump the pair transport type,
      the socket type, and the incoming checks list.
    • Fabrice Bellet
      3e25df77
    • agent: more debug when remote credentials are received · 43f3d70e
      Fabrice Bellet authored
      This completes the similar debug trace when remote candidates are
      received, and helps to debug our tests with the patched farstream
      library, where candidates and credentials are transmitted with a
      random delay.
    • agent: signal when a selected pair foundation is updated · c1fb6f28
      Fabrice Bellet authored
      This foundation update may be needed when a selected pair contains a remote
      candidate that has been found by an inbound stun request, but has not
      been received by nice_agent_set_remote_candidates()
    • Revert "conncheck: Don't lookup prflx pair for UDP candidates" · 07d3caa5
      Fabrice Bellet authored
      This reverts commit ca47519f.
    • component: Fix use-after-free and resolve regression · 71a8a9e2
      Fabrice Bellet authored
      conn_check_prune_socket() on nsocket must be called before removing the
      candidate with this socket inside the loop, to prevent the
      use-after-free reported initially in issue #73.
      
      But commit 541801d4 introduced a regression during discovery when a udp
      turn over tcp socket is immediately closed by a HUP condition for
      example. In this case, discovery_prune_socket() is never called, because
      we don't have a candidate with this socket inside the loop. So the
      nsocket is freed by the final nice_component_detach_socket() but is
      still used by the discovery timer callback.
      
      This commit moves the discovery_prune_socket() and
      conn_check_prune_socket() actions before the loop instead of after, or
      inside.
      
      Closes #73
    • agent: fix a memory leak · cceaffeb
      Fabrice Bellet authored
    • agent: keep a ref on the agent while removal of TURN refreshes · 6f0c7e82
      Fabrice Bellet authored
      The patch makes the agent alive at least until the last callback of
      the removal of turn refreshes when a stream is deleted from the agent.
      
      Closes #84
    • discovery: fix a use-after-free in SFB user credentials · 8e5809b7
      Fabrice Bellet authored
      The base64 decoded username and password strings given to
      stun_usage_turn_create() should not be freed immediately, since they remain
      used when handling the following related inbound stun replies.
  10. 03 Jul, 2019 1 commit
  11. 02 Jul, 2019 1 commit
    • agent: add nice_agent_get_sockets API · 875a23a7
      Olivier Crête authored
      This API makes it possible to get an array of all of the sockets used
      by a specific component, this is useful to set options on the socket.
      
      Also bump GLib requirement to 2.54, which is the version in RHEL 7
  12. 27 Jun, 2019 3 commits