Discard unauthenticated TURN responses to unauthenticated requests In StunRequestManager::CheckResponse, if a TURN request was sent without authentication (initial ALLOCATE), we now explicitly discard any success response. We also restrict allowed error responses to 401 Unauthorized and 300 Try Alternate. This prevents an authentication bypass (b/504572664) where an attacker could hijack a TURN session by forging a success response to the initial unauthenticated request. Add regression test for unauthenticated TURN ALLOCATE success. Bug: chromium:504572664 Change-Id: Ie5619e10b6b6dccac3221661632e9f1d6312f760 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/466100 Commit-Queue: Harald Alvestrand <hta@webrtc.org> Reviewed-by: Danil Chapovalov <danilchap@webrtc.org> Cr-Commit-Position: refs/heads/main@{#47529}
WebRTC is a free, open software project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs. The WebRTC components have been optimized to best serve this purpose.
Our mission: To enable rich, high-quality RTC applications to be developed for the browser, mobile platforms, and IoT devices, and allow them all to communicate via a common set of protocols.
The WebRTC initiative is a project supported by Google, Mozilla and Opera, amongst others.
See here for instructions on how to get started developing with the native code.
Authoritative list of directories that contain the native API header files.