CRYPTO Module

Daniel-Constantin Mierla

Edited by

Daniel-Constantin Mierla


Table of Contents

1. Admin Guide
1. Overview
2. Dependencies
2.1. Kamailio Modules
2.2. External Libraries or Applications
3. Parameters
3.1. salt (str)
3.2. register_callid (int)
3.3. register_evcb (int)
3.4. kevcb_netio (str)
3.5. netio_key (str)
4. Functions
4.1. crypto_aes_encrypt(text, key, res)
4.2. crypto_aes_decrypt(text, key, res)
4.3. crypto_hmac_sha256(text, key, res)
4.4. crypto_netio_in)
4.5. crypto_netio_out()
4.6. crypto_netio_encrypt()
4.7. crypto_netio_decrypt()
5. Event Routes
5.1. event_route[crypto:netio]

List of Examples

1.1. Set salt parameter
1.2. Set register_callid parameter
1.3. Set register_evcb parameter
1.4. Set kevcb_netio parameter
1.5. Set netio_key parameter
1.6. crypto_aes_encrypt usage
1.7. crypto_aes_decrypt usage
1.8. crypto_hmac_sha256 usage
1.9. crypto_netio_in usage
1.10. crypto_netio_out usage
1.11. crypto_netio_encrypt usage
1.12. crypto_netio_decrypt usage
1.13. event_route[crypto:netio] usage

Chapter 1. Admin Guide

1. Overview

This module provides various cryptography tools for use in Kamailio configuration file.

It relies on OpenSSL libraries for cryptographic operations (libssl, libcrypto).

2. Dependencies

2.1. Kamailio Modules

The following modules must be loaded before this module:

  • none.

2.2. External Libraries or Applications

The following libraries or applications must be installed before running Kamailio with this module loaded:

  • libcrypto - part of OpenSSL project

3. Parameters

3.1. salt (str)

A keyword to generate salt for encryption. It must be at least 8 chars long. If set to empty, no salt is used for encryption.

The salt is a binary array that is appended to the encryption password for better protection against dictionary attacks. Same salt and password need to be when encrypting and decrypting.

Default value is "..." (see code).

Example 1.1. Set salt parameter

...
modparam("crypto", "salt", "l0Bh2M8a")
...

3.2. register_callid (int)

Set it to 1 in order to register a callback to core for generation of callid values for requests generated by Kamailio tm module.

This callid generator uses libssl random and hashing functions for generating RFC 4122 version 4 UUID with high quality entropy. It is useful when wanting to have new callids that cannot be predicted from previous values.

Default value is 0.

Example 1.2. Set register_callid parameter

...
modparam("crypto", "register_callid", 1)
...

3.3. register_evcb (int)

Set it to 1 in order to register the event route callbacks, in case AES encryption/decryption of SIP traffic is wanted. The event_route[crypto:netio] or corresponding KEMI callback are executed.

Default value is 0.

Example 1.3. Set register_evcb parameter

...
modparam("crypto", "register_evcb", 1)
...

3.4. kevcb_netio (str)

Name of the KEMI callbac functio for netio events. It receives a string parameter with event route name.

Default value is not set.

Example 1.4. Set kevcb_netio parameter

...
modparam("crypto", "kevcb_netio", "ksr_crypto_netio")
...
function ksr_crypto_netio(evname)
  ...
end
...

3.5. netio_key (str)

The shared secret used to encrypt/decrypt network traffic.

Default value is not set.

Example 1.5. Set netio_key parameter

...
modparam("crypto", "netio_key", "strong-password-here")
...

4. Functions

4.1.  crypto_aes_encrypt(text, key, res)

Encrypts the text with the key using AES encryption algorithm. The result is encoded in base64 format and stored in res. The parameter res must be a read-write variables. The parameters text and key can be static strings or strings with variables (dynamic strings).

This function can be used from ANY_ROUTE.

Example 1.6. crypto_aes_encrypt usage

...
crypto_aes_encrypt("$rb", "my-secret-key", "$var(encrypted)");
...

4.2.  crypto_aes_decrypt(text, key, res)

Decrypts the text with the key using AES encryption algorithm. The text has to be encoded in base64 format. The parameter res must be a read-write variables. The parameters text and key can be static strings or strings with variables (dynamic strings).

This function can be used from ANY_ROUTE.

Example 1.7. crypto_aes_decrypt usage

...
crypto_aes_decrypt("$var(encrypted)", "my-secret-key", "$var(text)");
...

4.3.  crypto_hmac_sha256(text, key, res)

Calculates HMAC (keyed-hash message authentication code) with SHA256 as a cryptographic hash function. The result is encoded in base64 url encoded format and stored in res. The parameter res must be a read-write variable. The parameters text and key can be static strings or strings with variables (dynamic strings).

This function can be used from ANY_ROUTE.

Example 1.8. crypto_hmac_sha256 usage

...
crypto_hmac_sha256("$var(text)", "my-secret-key", "$var(hmac)");
...

4.4.  crypto_netio_in)

Return 1 (true) if it is an incoming net message, or -1 (false) otherwise.

This function can be used from EVENT_ROUTE.

Example 1.9. crypto_netio_in usage

...
event_route[crypto:netio] {
  if(crypto_netio_in()) {
    crypto_netio_decrypt();
  }
...

4.5.  crypto_netio_out()

Return 1 (true) if it is an outgoing net message, or -1 (false) otherwise.

This function can be used from EVENT_ROUTE.

Example 1.10. crypto_netio_out usage

...
event_route[crypto:netio] {
  if(crypto_netio_out()) {
    crypto_netio_encrypt();
  }
...

4.6.  crypto_netio_encrypt()

Mark the network message for encryption.

This function can be used from EVENT_ROUTE.

Example 1.11. crypto_netio_encrypt usage

...
event_route[crypto:netio] {
  if(crypto_netio_out()) {
    crypto_netio_encrypt();
  }
...

4.7.  crypto_netio_decrypt()

Mark the network message for decryption.

This function can be used from EVENT_ROUTE.

Example 1.12. crypto_netio_decrypt usage

...
event_route[crypto:netio] {
  if(crypto_netio_in()) {
    crypto_netio_decrypt();
  }
...

5. Event Routes

5.1.  event_route[crypto:netio]

Example 1.13. event_route[crypto:netio] usage

...
# ----- crypto params -----
modparam("crypto", "register_evcb", 1)
modparam("crypto", "netio_key", "strong-password-here")
...
event_route[crypto:netio] {
	if(crypto_netio_in()) {
		if(src_port==5060) {
			crypto_netio_decrypt();
		}
	} else {
		if($sndto(port)==5060) {
			crypto_netio_encrypt();
		}
	}
}

# Main SIP request routing logic
request_route {
	sl_send_reply("200", "ok");
	if(src_port==5060) {
		$du = "sip:127.0.0.1:9";
		forward();
	} else {
		$du = "sip:127.0.0.1:5060";
		forward();
	}
	exit;
}
...