tor-browser

iceserver.py (36096B)

---

# vim: set ts=4 et sw=4 tw=80
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

import ipaddr
import socket
import hmac
import hashlib
import passlib.utils  # for saslprep
import copy
import random
import operator
import os
import platform
import six
import string
import time
from functools import reduce
from string import Template
from twisted.internet import reactor, protocol
from twisted.internet.task import LoopingCall
from twisted.internet.address import IPv4Address
from twisted.internet.address import IPv6Address

MAGIC_COOKIE = 0x2112A442

REQUEST = 0
INDICATION = 1
SUCCESS_RESPONSE = 2
ERROR_RESPONSE = 3

BINDING = 0x001
ALLOCATE = 0x003
REFRESH = 0x004
SEND = 0x006
DATA_MSG = 0x007
CREATE_PERMISSION = 0x008
CHANNEL_BIND = 0x009

# STUN spec chose silly values for these
STUN_IPV4 = 1
STUN_IPV6 = 2

MAPPED_ADDRESS = 0x0001
USERNAME = 0x0006
MESSAGE_INTEGRITY = 0x0008
ERROR_CODE = 0x0009
UNKNOWN_ATTRIBUTES = 0x000A
LIFETIME = 0x000D
DATA_ATTR = 0x0013
XOR_PEER_ADDRESS = 0x0012
REALM = 0x0014
NONCE = 0x0015
XOR_RELAYED_ADDRESS = 0x0016
REQUESTED_TRANSPORT = 0x0019
DONT_FRAGMENT = 0x001A
XOR_MAPPED_ADDRESS = 0x0020
SOFTWARE = 0x8022
ALTERNATE_SERVER = 0x8023
FINGERPRINT = 0x8028

STUN_PORT = 3478
STUNS_PORT = 5349

TURN_REDIRECT_PORT = 3479
TURNS_REDIRECT_PORT = 5350


def unpack_uint(bytes_buf):
   result = 0
   for byte in bytes_buf:
       result = (result << 8) + byte
   return result


def pack_uint(value, width):
   if value < 0:
       raise ValueError("Invalid value: {}".format(value))
   buf = bytearray([0] * width)
   for i in range(0, width):
       buf[i] = (value >> (8 * (width - i - 1))) & 0xFF

   return buf


def unpack(bytes_buf, format_array):
   results = ()
   for width in format_array:
       results = results + (unpack_uint(bytes_buf[0:width]),)
       bytes_buf = bytes_buf[width:]
   return results


def pack(values, format_array):
   if len(values) != len(format_array):
       raise ValueError()
   buf = bytearray()
   for i in range(0, len(values)):
       buf.extend(pack_uint(values[i], format_array[i]))
   return buf


def bitwise_pack(source, dest, start_bit, num_bits):
   if num_bits <= 0 or num_bits > start_bit + 1:
       raise ValueError(
           "Invalid num_bits: {}, start_bit = {}".format(num_bits, start_bit)
       )
   last_bit = start_bit - num_bits + 1
   source = source >> last_bit
   dest = dest << num_bits
   mask = (1 << num_bits) - 1
   dest += source & mask
   return dest


def to_ipaddress(protocol, host, port):
   if ":" not in host:
       return IPv4Address(protocol, host, port)

   return IPv6Address(protocol, host, port)


class StunAttribute(object):
   """
   Represents a STUN attribute in a raw format, according to the following:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   StunAttribute.attr_type     |  Length (derived as needed)   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           StunAttribute.data (variable length)             ....
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   """

   __attr_header_fmt = [2, 2]
   __attr_header_size = reduce(operator.add, __attr_header_fmt)

   def __init__(self, attr_type=0, buf=bytearray()):
       self.attr_type = attr_type
       self.data = buf

   def build(self):
       buf = pack((self.attr_type, len(self.data)), self.__attr_header_fmt)
       buf.extend(self.data)
       # add padding if necessary
       if len(buf) % 4:
           buf.extend([0] * (4 - (len(buf) % 4)))
       return buf

   def parse(self, buf):
       if self.__attr_header_size > len(buf):
           raise Exception("truncated at attribute: incomplete header")

       self.attr_type, length = unpack(buf, self.__attr_header_fmt)
       length += self.__attr_header_size

       if length > len(buf):
           raise Exception("truncated at attribute: incomplete contents")

       self.data = buf[self.__attr_header_size : length]

       # verify padding
       while length % 4:
           if buf[length]:
               raise ValueError("Non-zero padding")
           length += 1

       return length


class StunMessage(object):
   """
   Represents a STUN message. Contains a method, msg_class, cookie,
   transaction_id, and attributes (as an array of StunAttribute).

   Has various functions for getting/adding attributes.
   """

   def __init__(self):
       self.method = 0
       self.msg_class = 0
       self.cookie = MAGIC_COOKIE
       self.transaction_id = 0
       self.attributes = []

   #      0                   1                   2                   3
   #      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   #     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   #     |0 0|M M M M M|C|M M M|C|M M M M|         Message Length        |
   #     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   #     |                         Magic Cookie                          |
   #     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   #     |                                                               |
   #     |                     Transaction ID (96 bits)                  |
   #     |                                                               |
   #     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   __header_fmt = [2, 2, 4, 12]
   __header_size = reduce(operator.add, __header_fmt)

   # Returns how many bytes were parsed if buf was large enough, or how many
   # bytes we would have needed if not. Throws if buf is malformed.
   def parse(self, buf):
       min_buf_size = self.__header_size
       if len(buf) < min_buf_size:
           return min_buf_size

       message_type, length, cookie, self.transaction_id = unpack(
           buf, self.__header_fmt
       )
       min_buf_size += length
       if len(buf) < min_buf_size:
           return min_buf_size

       # Avert your eyes...
       self.method = bitwise_pack(message_type, 0, 13, 5)
       self.msg_class = bitwise_pack(message_type, 0, 8, 1)
       self.method = bitwise_pack(message_type, self.method, 7, 3)
       self.msg_class = bitwise_pack(message_type, self.msg_class, 4, 1)
       self.method = bitwise_pack(message_type, self.method, 3, 4)

       if cookie != self.cookie:
           raise Exception("Invalid cookie: {}".format(cookie))

       buf = buf[self.__header_size : min_buf_size]
       while len(buf):
           attr = StunAttribute()
           length = attr.parse(buf)
           buf = buf[length:]
           self.attributes.append(attr)

       return min_buf_size

   # stop_after_attr_type is useful for calculating MESSAGE-DIGEST
   def build(self, stop_after_attr_type=0):
       attrs = bytearray()
       for attr in self.attributes:
           attrs.extend(attr.build())
           if attr.attr_type == stop_after_attr_type:
               break

       message_type = bitwise_pack(self.method, 0, 11, 5)
       message_type = bitwise_pack(self.msg_class, message_type, 1, 1)
       message_type = bitwise_pack(self.method, message_type, 6, 3)
       message_type = bitwise_pack(self.msg_class, message_type, 0, 1)
       message_type = bitwise_pack(self.method, message_type, 3, 4)

       message = pack(
           (message_type, len(attrs), self.cookie, self.transaction_id),
           self.__header_fmt,
       )
       message.extend(attrs)

       return message

   def add_error_code(self, code, phrase=None):
       #      0                   1                   2                   3
       #      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       #     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       #     |           Reserved, should be 0         |Class|     Number    |
       #     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       #     |      Reason Phrase (variable)                                ..
       #     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       error_code_fmt = [3, 1]
       error_code = pack((code // 100, code % 100), error_code_fmt)
       if phrase != None:
           error_code.extend(bytearray(phrase, "utf-8"))
       self.attributes.append(StunAttribute(ERROR_CODE, error_code))

   #     0                   1                   2                   3
   #     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   #    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   #    |x x x x x x x x|    Family     |         X-Port                |
   #    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   #    |                X-Address (Variable)
   #    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   __v4addr_fmt = [1, 1, 2, 4]
   __v6addr_fmt = [1, 1, 2, 16]
   __v4addr_size = reduce(operator.add, __v4addr_fmt)
   __v6addr_size = reduce(operator.add, __v6addr_fmt)

   def add_address(self, ip_address, version, port, attr_type):
       if version == STUN_IPV4:
           address = pack((0, STUN_IPV4, port, ip_address), self.__v4addr_fmt)
       elif version == STUN_IPV6:
           address = pack((0, STUN_IPV6, port, ip_address), self.__v6addr_fmt)
       else:
           raise ValueError("Invalid ip version: {}".format(version))
       self.attributes.append(StunAttribute(attr_type, address))

   def get_xaddr(self, ip_addr, version):
       if version == STUN_IPV4:
           return self.cookie ^ ip_addr
       elif version == STUN_IPV6:
           return ((self.cookie << 96) + self.transaction_id) ^ ip_addr
       else:
           raise ValueError("Invalid family: {}".format(version))

   def get_xport(self, port):
       return (self.cookie >> 16) ^ port

   def add_xor_address(self, addr_port, attr_type):
       ip_address = ipaddr.IPAddress(addr_port.host)
       version = STUN_IPV6 if ip_address.version == 6 else STUN_IPV4
       xaddr = self.get_xaddr(int(ip_address), version)
       xport = self.get_xport(addr_port.port)
       self.add_address(xaddr, version, xport, attr_type)

   def add_data(self, buf):
       self.attributes.append(StunAttribute(DATA_ATTR, buf))

   def find(self, attr_type):
       for attr in self.attributes:
           if attr.attr_type == attr_type:
               return attr
       return None

   def get_xor_address(self, attr_type):
       addr_attr = self.find(attr_type)
       if not addr_attr:
           return None

       padding, family, xport, xaddr = unpack(addr_attr.data, self.__v4addr_fmt)
       addr_ctor = IPv4Address
       if family == STUN_IPV6:
           padding, family, xport, xaddr = unpack(addr_attr.data, self.__v6addr_fmt)
           addr_ctor = IPv6Address
       elif family != STUN_IPV4:
           raise ValueError("Invalid family: {}".format(family))

       return addr_ctor(
           "UDP",
           str(ipaddr.IPAddress(self.get_xaddr(xaddr, family))),
           self.get_xport(xport),
       )

   def add_nonce(self, nonce):
       self.attributes.append(StunAttribute(NONCE, bytearray(nonce, "utf-8")))

   def add_realm(self, realm):
       self.attributes.append(StunAttribute(REALM, bytearray(realm, "utf-8")))

   def calculate_message_digest(self, username, realm, password):
       digest_buf = self.build(MESSAGE_INTEGRITY)
       # Trim off the MESSAGE-INTEGRITY attr
       digest_buf = digest_buf[: len(digest_buf) - 24]
       password = passlib.utils.saslprep(six.text_type(password))
       key_string = "{}:{}:{}".format(username, realm, password)
       md5 = hashlib.md5()
       md5.update(bytearray(key_string, "utf-8"))
       key = md5.digest()
       return bytearray(hmac.new(key, digest_buf, hashlib.sha1).digest())

   def add_lifetime(self, lifetime):
       self.attributes.append(StunAttribute(LIFETIME, pack_uint(lifetime, 4)))

   def get_lifetime(self):
       lifetime_attr = self.find(LIFETIME)
       if not lifetime_attr:
           return None
       return unpack_uint(lifetime_attr.data[0:4])

   def get_username(self):
       username = self.find(USERNAME)
       if not username:
           return None
       return str(username.data)

   def add_message_integrity(self, username, realm, password):
       dummy_value = bytearray([0] * 20)
       self.attributes.append(StunAttribute(MESSAGE_INTEGRITY, dummy_value))
       digest = self.calculate_message_digest(username, realm, password)
       self.find(MESSAGE_INTEGRITY).data = digest

   def add_alternate_server(self, host, port):
       address = ipaddr.IPAddress(host)
       version = STUN_IPV6 if address.version == 6 else STUN_IPV4
       self.add_address(int(address), version, port, ALTERNATE_SERVER)


class Allocation(protocol.DatagramProtocol):
   """
   Comprises the socket for a TURN allocation, a back-reference to the
   transport we will forward received traffic on, the allocator's address and
   username, the set of permissions for the allocation, and the allocation's
   expiry.
   """

   def __init__(self, other_transport_handler, allocator_address, username):
       self.permissions = set()  # str, int tuples
       # Handler to use when sending stuff that arrives on the allocation
       self.other_transport_handler = other_transport_handler
       self.allocator_address = allocator_address
       self.username = username
       self.expiry = time.time()
       self.port = reactor.listenUDP(0, self, interface=v4_address)

   def datagramReceived(self, data, address):
       host = address[0]
       port = address[1]
       if not host in self.permissions:
           print(
               "Dropping packet from {}:{}, no permission on allocation {}".format(
                   host, port, self.transport.getHost()
               )
           )
           return

       data_indication = StunMessage()
       data_indication.method = DATA_MSG
       data_indication.msg_class = INDICATION
       data_indication.transaction_id = random.getrandbits(96)

       # Only handles UDP allocations. Doubtful that we need more than this.
       data_indication.add_xor_address(
           to_ipaddress("UDP", host, port), XOR_PEER_ADDRESS
       )
       data_indication.add_data(data)

       self.other_transport_handler.write(
           data_indication.build(), self.allocator_address
       )

   def close(self):
       self.port.stopListening()
       self.port = None


class StunHandler(object):
   """
   Frames and handles STUN messages. This is the core logic of the TURN
   server, along with Allocation.
   """

   def __init__(self, transport_handler):
       self.client_address = None
       self.data = bytearray()
       self.transport_handler = transport_handler

   def data_received(self, data, address):
       self.data += data
       while True:
           stun_message = StunMessage()
           parsed_len = stun_message.parse(self.data)
           if parsed_len > len(self.data):
               break
           self.data = self.data[parsed_len:]

           response = self.handle_stun(stun_message, address)
           if response:
               self.transport_handler.write(response, address)

   def handle_stun(self, stun_message, address):
       self.client_address = address
       if stun_message.msg_class == INDICATION:
           if stun_message.method == SEND:
               self.handle_send_indication(stun_message)
           else:
               print(
                   "Dropping unknown indication method: {}".format(stun_message.method)
               )
           return None

       if stun_message.msg_class != REQUEST:
           print("Dropping STUN response, method: {}".format(stun_message.method))
           return None

       if stun_message.method == BINDING:
           return self.make_success_response(stun_message).build()
       elif stun_message.method == ALLOCATE:
           return self.handle_allocation(stun_message).build()
       elif stun_message.method == REFRESH:
           return self.handle_refresh(stun_message).build()
       elif stun_message.method == CREATE_PERMISSION:
           return self.handle_permission(stun_message).build()
       else:
           return self.make_error_response(
               stun_message,
               400,
               ("Unsupported STUN request, method: {}".format(stun_message.method)),
           ).build()

   def get_allocation_tuple(self):
       return (
           self.client_address.host,
           self.client_address.port,
           self.transport_handler.transport.getHost().type,
           self.transport_handler.transport.getHost().host,
           self.transport_handler.transport.getHost().port,
       )

   def handle_allocation(self, request):
       allocate_response = self.check_long_term_auth(request)
       if allocate_response.msg_class == SUCCESS_RESPONSE:
           if self.get_allocation_tuple() in allocations:
               return self.make_error_response(
                   request,
                   437,
                   (
                       "Duplicate allocation request for tuple {}".format(
                           self.get_allocation_tuple()
                       )
                   ),
               )

           allocation = Allocation(
               self.transport_handler, self.client_address, request.get_username()
           )

           allocate_response.add_xor_address(
               allocation.transport.getHost(), XOR_RELAYED_ADDRESS
           )

           lifetime = request.get_lifetime()
           if lifetime == None:
               return self.make_error_response(
                   request, 400, "Missing lifetime attribute in allocation request"
               )

           lifetime = min(lifetime, 3600)
           allocate_response.add_lifetime(lifetime)
           allocation.expiry = time.time() + lifetime

           allocate_response.add_message_integrity(turn_user, turn_realm, turn_pass)
           allocations[self.get_allocation_tuple()] = allocation
       return allocate_response

   def handle_refresh(self, request):
       refresh_response = self.check_long_term_auth(request)
       if refresh_response.msg_class == SUCCESS_RESPONSE:
           try:
               allocation = allocations[self.get_allocation_tuple()]
           except KeyError:
               return self.make_error_response(
                   request,
                   437,
                   (
                       "Refresh request for non-existing allocation, tuple {}".format(
                           self.get_allocation_tuple()
                       )
                   ),
               )

           if allocation.username != request.get_username():
               return self.make_error_response(
                   request,
                   441,
                   (
                       "Refresh request with wrong user, exp {}, got {}".format(
                           allocation.username, request.get_username()
                       )
                   ),
               )

           lifetime = request.get_lifetime()
           if lifetime == None:
               return self.make_error_response(
                   request, 400, "Missing lifetime attribute in allocation request"
               )

           lifetime = min(lifetime, 3600)
           refresh_response.add_lifetime(lifetime)
           allocation.expiry = time.time() + lifetime

           refresh_response.add_message_integrity(turn_user, turn_realm, turn_pass)
       return refresh_response

   def handle_permission(self, request):
       permission_response = self.check_long_term_auth(request)
       if permission_response.msg_class == SUCCESS_RESPONSE:
           try:
               allocation = allocations[self.get_allocation_tuple()]
           except KeyError:
               return self.make_error_response(
                   request,
                   437,
                   (
                       "No such allocation for permission request, tuple {}".format(
                           self.get_allocation_tuple()
                       )
                   ),
               )

           if allocation.username != request.get_username():
               return self.make_error_response(
                   request,
                   441,
                   (
                       "Permission request with wrong user, exp {}, got {}".format(
                           allocation.username, request.get_username()
                       )
                   ),
               )

           # TODO: Handle multiple XOR-PEER-ADDRESS
           peer_address = request.get_xor_address(XOR_PEER_ADDRESS)
           if not peer_address:
               return self.make_error_response(
                   request, 400, "Missing XOR-PEER-ADDRESS on permission request"
               )

           permission_response.add_message_integrity(turn_user, turn_realm, turn_pass)
           allocation.permissions.add(peer_address.host)

       return permission_response

   def handle_send_indication(self, indication):
       try:
           allocation = allocations[self.get_allocation_tuple()]
       except KeyError:
           print(
               "Dropping send indication; no allocation for tuple {}".format(
                   self.get_allocation_tuple()
               )
           )
           return

       peer_address = indication.get_xor_address(XOR_PEER_ADDRESS)
       if not peer_address:
           print("Dropping send indication, missing XOR-PEER-ADDRESS")
           return

       data_attr = indication.find(DATA_ATTR)
       if not data_attr:
           print("Dropping send indication, missing DATA")
           return

       if indication.find(DONT_FRAGMENT):
           print("Dropping send indication, DONT-FRAGMENT set")
           return

       if not peer_address.host in allocation.permissions:
           print(
               "Dropping send indication, no permission for {} on tuple {}".format(
                   peer_address.host, self.get_allocation_tuple()
               )
           )
           return

       allocation.transport.write(
           data_attr.data, (peer_address.host, peer_address.port)
       )

   def make_success_response(self, request):
       response = copy.deepcopy(request)
       response.attributes = []
       response.add_xor_address(self.client_address, XOR_MAPPED_ADDRESS)
       response.msg_class = SUCCESS_RESPONSE
       return response

   def make_error_response(self, request, code, reason=None):
       if reason:
           print("{}: rejecting with {}".format(reason, code))
       response = copy.deepcopy(request)
       response.attributes = []
       response.add_error_code(code, reason)
       response.msg_class = ERROR_RESPONSE
       return response

   def make_challenge_response(self, request, reason=None):
       response = self.make_error_response(request, 401, reason)
       # 65 means the hex encoding will need padding half the time
       response.add_nonce("{:x}".format(random.getrandbits(65)))
       response.add_realm(turn_realm)
       return response

   def check_long_term_auth(self, request):
       message_integrity = request.find(MESSAGE_INTEGRITY)
       if not message_integrity:
           return self.make_challenge_response(request)

       username = request.find(USERNAME)
       realm = request.find(REALM)
       nonce = request.find(NONCE)
       if not username or not realm or not nonce:
           return self.make_error_response(
               request, 400, "Missing either USERNAME, NONCE, or REALM"
           )

       if username.data.decode("utf-8") != turn_user:
           return self.make_challenge_response(
               request, "Wrong user {}, exp {}".format(username.data, turn_user)
           )

       expected_message_digest = request.calculate_message_digest(
           turn_user, turn_realm, turn_pass
       )
       if message_integrity.data != expected_message_digest:
           return self.make_challenge_response(request, "Incorrect message disgest")

       return self.make_success_response(request)


class StunRedirectHandler(StunHandler):
   """
   Frames and handles STUN messages by redirecting to the "real" server port.
   Performs the redirect with auth, so does a 401 to unauthed requests.
   Can be used to test port-based redirect handling.
   """

   def __init__(self, transport_handler):
       super(StunRedirectHandler, self).__init__(transport_handler)

   def handle_stun(self, stun_message, address):
       self.client_address = address
       if stun_message.msg_class == REQUEST:
           challenge_response = self.check_long_term_auth(stun_message)

           if challenge_response.msg_class == SUCCESS_RESPONSE:
               return self.make_redirect_response(stun_message).build()

           return challenge_response.build()

   def make_redirect_response(self, request):
       response = self.make_error_response(request, 300, "Try alternate")
       port = STUN_PORT
       if self.transport_handler.transport.getHost().port == TURNS_REDIRECT_PORT:
           port = STUNS_PORT

       response.add_alternate_server(
           self.transport_handler.transport.getHost().host, port
       )

       response.add_message_integrity(turn_user, turn_realm, turn_pass)
       return response


class UdpStunHandler(protocol.DatagramProtocol):
   """
   Represents a UDP listen port for TURN.
   """

   def datagramReceived(self, data, address):
       stun_handler = StunHandler(self)
       stun_handler.data_received(data, to_ipaddress("UDP", address[0], address[1]))

   def write(self, data, address):
       self.transport.write(bytes(data), (address.host, address.port))


class UdpStunRedirectHandler(protocol.DatagramProtocol):
   """
   Represents a UDP listen port for TURN that will redirect.
   """

   def datagramReceived(self, data, address):
       stun_handler = StunRedirectHandler(self)
       stun_handler.data_received(data, to_ipaddress("UDP", address[0], address[1]))

   def write(self, data, address):
       self.transport.write(bytes(data), (address.host, address.port))


class TcpStunHandlerFactory(protocol.Factory):
   """
   Represents a TCP listen port for TURN.
   """

   def buildProtocol(self, addr):
       return TcpStunHandler(addr)


class TcpStunHandler(protocol.Protocol):
   """
   Represents a connected TCP port for TURN.
   """

   def __init__(self, addr):
       self.address = addr
       self.stun_handler = None

   def dataReceived(self, data):
       # This needs to persist, since it handles framing
       if not self.stun_handler:
           self.stun_handler = StunHandler(self)
       self.stun_handler.data_received(data, self.address)

   def connectionLost(self, reason):
       print("Lost connection from {}".format(self.address))
       # Destroy allocations that this connection made
       keys_to_delete = []
       for key, allocation in allocations.items():
           if allocation.other_transport_handler == self:
               print("Closing allocation due to dropped connection: {}".format(key))
               keys_to_delete.append(key)
               allocation.close()

       for key in keys_to_delete:
           del allocations[key]

   def write(self, data, address):
       self.transport.write(bytes(data))


class TcpStunRedirectHandlerFactory(protocol.Factory):
   """
   Represents a TCP listen port for TURN that will redirect.
   """

   def buildProtocol(self, addr):
       return TcpStunRedirectHandler(addr)


class TcpStunRedirectHandler(protocol.DatagramProtocol):
   def __init__(self, addr):
       self.address = addr
       self.stun_handler = None

   def dataReceived(self, data):
       # This needs to persist, since it handles framing. Framing matters here
       # because we do a round of auth before redirecting.
       if not self.stun_handler:
           self.stun_handler = StunRedirectHandler(self)
       self.stun_handler.data_received(data, self.address)

   def write(self, data, address):
       self.transport.write(bytes(data))

   def connectionLost(self, reason):
       print("Lost connection from {}".format(self.address))


def get_default_route(family):
   dummy_socket = socket.socket(family, socket.SOCK_DGRAM)
   if family is socket.AF_INET:
       dummy_socket.connect(("8.8.8.8", 53))
   else:
       dummy_socket.connect(("2001:4860:4860::8888", 53))

   default_route = dummy_socket.getsockname()[0]
   dummy_socket.close()
   return default_route


turn_user = "foo"
turn_pass = "bar"
turn_realm = "mozilla.invalid"
allocations = {}
v4_address = get_default_route(socket.AF_INET)
try:
   v6_address = get_default_route(socket.AF_INET6)
except:
   v6_address = ""


def prune_allocations():
   now = time.time()
   keys_to_delete = []
   for key, allocation in allocations.items():
       if allocation.expiry < now:
           print("Allocation expired: {}".format(key))
           keys_to_delete.append(key)
           allocation.close()

   for key in keys_to_delete:
       del allocations[key]


CERT_FILE = "selfsigned.crt"
KEY_FILE = "private.key"


def create_self_signed_cert(name):
   # pyOpenSSL used to have some wrappers to help with this, but those have
   # been deprecated, and they have instructed users to use stuff from
   # cryptography.hazmat directly. This strikes me as a bad idea, but here we
   # go...

   from cryptography.hazmat.primitives.asymmetric import rsa
   from cryptography import x509
   from cryptography.x509.oid import NameOID
   from cryptography.hazmat.primitives import hashes
   import datetime
   from cryptography.hazmat.primitives import serialization

   # Not ideal, but in order to avoid generating certs with duplicate serial
   # numbers, we don't regenerate if there's one there already. If we wanted
   # to regenerate, we'd need to load the cert if it was there, determine its
   # serial number, and then make a new cert with a higher serial number.
   if os.path.isfile(CERT_FILE) and os.path.isfile(KEY_FILE):
       return

   # Key size does not need to be big, this is a self-signed cert for testing,
   # but I'm going to use something common to avoid warnings that might come
   # up in the future.
   # Why 65537? Because the documentation says so, citing a document written
   # by Colin Percival in 2009. Will this ever be out of date? Is it out of
   # date already? Who knows!
   key = rsa.generate_private_key(key_size=2048, public_exponent=65537)

   subject = x509.Name(
       [
           x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
           x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "TX"),
           x509.NameAttribute(NameOID.LOCALITY_NAME, "Dallas"),
           x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Mozilla test iceserver"),
           x509.NameAttribute(NameOID.COMMON_NAME, name),
       ]
   )

   # create a self-signed cert
   cert = (
       x509.CertificateBuilder()
       .subject_name(subject)
       .issuer_name(subject)
       .serial_number(1000)
       .not_valid_before(datetime.datetime.now(datetime.timezone.utc))
       .not_valid_after(
           datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=365)
       )
       .public_key(key.public_key())
       .add_extension(
           x509.SubjectAlternativeName([x509.DNSName(name)]),
           critical=False,
       )
       .sign(key, hashes.SHA256())
   )

   open(CERT_FILE, "wb").write(cert.public_bytes(encoding=serialization.Encoding.PEM))
   open(KEY_FILE, "wb").write(
       key.private_bytes(
           encoding=serialization.Encoding.PEM,
           format=serialization.PrivateFormat.PKCS8,
           encryption_algorithm=serialization.NoEncryption(),
       )
   )


if __name__ == "__main__":
   random.seed()

   if platform.system() == "Windows":
       # Windows is finicky about allowing real interfaces to talk to loopback.
       interface_4 = v4_address
       interface_6 = v6_address
       hostname = socket.gethostname()
   else:
       # Our linux builders do not have a hostname that resolves to the real
       # interface.
       interface_4 = "127.0.0.1"
       interface_6 = "::1"
       hostname = "localhost"

   reactor.listenUDP(STUN_PORT, UdpStunHandler(), interface=interface_4)
   reactor.listenTCP(STUN_PORT, TcpStunHandlerFactory(), interface=interface_4)

   reactor.listenUDP(
       TURN_REDIRECT_PORT, UdpStunRedirectHandler(), interface=interface_4
   )
   reactor.listenTCP(
       TURN_REDIRECT_PORT, TcpStunRedirectHandlerFactory(), interface=interface_4
   )

   try:
       reactor.listenUDP(STUN_PORT, UdpStunHandler(), interface=interface_6)
       reactor.listenTCP(STUN_PORT, TcpStunHandlerFactory(), interface=interface_6)

       reactor.listenUDP(
           TURN_REDIRECT_PORT, UdpStunRedirectHandler(), interface=interface_6
       )
       reactor.listenTCP(
           TURN_REDIRECT_PORT, TcpStunRedirectHandlerFactory(), interface=interface_6
       )
   except:
       pass

   try:
       from twisted.internet import ssl
       from OpenSSL import SSL

       create_self_signed_cert(hostname)
       tls_context_factory = ssl.DefaultOpenSSLContextFactory(
           KEY_FILE, CERT_FILE, SSL.TLSv1_2_METHOD
       )
       reactor.listenSSL(
           STUNS_PORT,
           TcpStunHandlerFactory(),
           tls_context_factory,
           interface=interface_4,
       )

       try:
           reactor.listenSSL(
               STUNS_PORT,
               TcpStunHandlerFactory(),
               tls_context_factory,
               interface=interface_6,
           )

           reactor.listenSSL(
               TURNS_REDIRECT_PORT,
               TcpStunRedirectHandlerFactory(),
               tls_context_factory,
               interface=interface_6,
           )
       except:
           pass

       f = open(CERT_FILE, "r")
       lines = f.readlines()
       lines.pop(0)  # Remove BEGIN CERTIFICATE
       lines.pop()  # Remove END CERTIFICATE
       # pylint --py3k: W1636 W1649
       lines = list(map(str.strip, lines))
       certbase64 = "".join(lines)  # pylint --py3k: W1649

       turns_url = ', "turns:' + hostname + '"'
       cert_prop = ', "cert":"' + certbase64 + '"'
   except:
       turns_url = ""
       cert_prop = ""
       pass

   allocation_pruner = LoopingCall(prune_allocations)
   allocation_pruner.start(1)

   template = Template(
       '[\
{"urls":["stun:$hostname", "stun:$hostname?transport=tcp"]}, \
{"username":"$user","credential":"$pwd","turn_redirect_port":"$TURN_REDIRECT_PORT","turns_redirect_port":"$TURNS_REDIRECT_PORT","urls": \
["turn:$hostname", "turn:$hostname?transport=tcp" $turns_url] \
$cert_prop}]'  # Hack to make it easier to override cert checks
   )

   print(
       template.substitute(
           user=turn_user,
           pwd=turn_pass,
           hostname=hostname,
           turns_url=turns_url,
           cert_prop=cert_prop,
           TURN_REDIRECT_PORT=TURN_REDIRECT_PORT,
           TURNS_REDIRECT_PORT=TURNS_REDIRECT_PORT,
       )
   )

   reactor.run()