MongooseICE
Sign responses with MESSAGE-INTEGRITY
Currently Fennec does not sign responses with MESSAGE-INTEGRITY. TURN clients do not require messages to be signed, but if they are, MESSAGE-INTEGRITY must be checked. It's just an extra security measure.
AFAICT we do this.
- encode for STUN: https://github.com/esl/MongooseICE/blob/master/lib/mongooseice/stun.ex#L23
- encode for TURN: https://github.com/esl/MongooseICE/blob/master/lib/mongooseice/udp/worker.ex#L105
- decode: https://github.com/esl/MongooseICE/blob/master/lib/mongooseice/stun.ex#L21
There's the following too:
```
$ grep -r -i --color verified lib/
lib//mongooseice/auth.ex: true <- params.verified? do
lib//mongooseice/auth.ex: false -> # Not verified
$ grep -r -i --color signed lib/
##
lib//mongooseice/auth.ex: signed? = params.signed?
lib//mongooseice/auth.ex: nil when not signed? ->
lib//mongooseice/auth.ex: _ when signed? ->
```
Looking at the Jerboa code, however, it seems like we don't support message integrity for the short-term credential mechanism. There are tests for the existing functionality.
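For reference, an added example (not MongooseICE, Fennec or Jerboa code) of what signing a response and checking MESSAGE-INTEGRITY involves under RFC 5389, covering both the long-term and the short-term key derivation mentioned in this thread. The function names, credentials and sample message are constructed for illustration, and inputs are assumed to be ASCII so SASLprep is skipped.

```python
import hashlib, hmac, struct

MAGIC_COOKIE, HEADER_LEN = 0x2112A442, 20
MESSAGE_INTEGRITY, MI_ATTR_LEN = 0x0008, 24  # 4-byte attr header + 20-byte HMAC-SHA1

def long_term_key(username, realm, password):
    # Long-term credentials: MD5(username ":" realm ":" password).
    # Assumption: ASCII inputs, so the SASLprep step is skipped here.
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def short_term_key(password):
    # Short-term credentials: the password itself is the HMAC key.
    return password.encode()

def build_response(txid, attrs=b""):
    # Binding success response (0x0101) with a 12-byte transaction ID.
    return struct.pack("!HHI", 0x0101, len(attrs), MAGIC_COOKIE) + txid + attrs

def _mac(key, before_mi):
    # The HMAC covers everything before MESSAGE-INTEGRITY, with the header
    # length rewritten to end right after the MESSAGE-INTEGRITY attribute.
    length = len(before_mi) - HEADER_LEN + MI_ATTR_LEN
    adjusted = before_mi[:2] + struct.pack("!H", length) + before_mi[4:]
    return hmac.new(key, adjusted, hashlib.sha1).digest()

def sign(msg, key):
    # Append MESSAGE-INTEGRITY to an unsigned message and fix the length.
    signed = msg + struct.pack("!HH", MESSAGE_INTEGRITY, 20) + _mac(key, msg)
    return signed[:2] + struct.pack("!H", len(signed) - HEADER_LEN) + signed[4:]

def verify(msg, key):
    # None: no MESSAGE-INTEGRITY present. True/False: present and (in)valid.
    pos = HEADER_LEN
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack_from("!HH", msg, pos)
        if atype == MESSAGE_INTEGRITY:
            if alen != 20 or pos + MI_ATTR_LEN > len(msg):
                return False
            mac = msg[pos + 4:pos + MI_ATTR_LEN]
            return hmac.compare_digest(_mac(key, msg[:pos]), mac)
        pos += 4 + alen + (-alen % 4)  # attribute values are padded to 4 bytes
    return None

# Constructed sample: SOFTWARE attribute (0x8022) in a Binding response.
TXID = bytes(range(12))
UNSIGNED = build_response(TXID, struct.pack("!HH", 0x8022, 4) + b"test")
SIGNED = sign(UNSIGNED, long_term_key("alice", "example.org", "s3cret"))
```

The three-valued result of `verify` separates "unsigned" from "signed but invalid", which is the distinction the issue description relies on: unsigned messages may be accepted, signed ones must check out.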