sr-dev October 2013

sr-dev@lists.kamailio.org

33 participants
254 discussions

Re: [sr-dev] DMQ security
by Alex Hermann 31 Oct '13

31 Oct '13

On Thursday 31 October 2013, Charles Chance wrote: > On 31 Oct 2013 08:53, "Alex Hermann" <alex(a)speakup.nl> wrote: > > If not, then, imho, the admin already has plenty of possibilities > > (IP-based, > > > digest, TLS cert) to do authentication before calling that function. > > Why force one method if we can just leave it up to the admin to choose > > whatever fits best in his situation. > > But aren't we allowing the admin to potentially shoot themselves in the > foot, as Olle puts it? Of course, but there are plenty ways to shoot oneself. Kamailio is not an end- user application. I see it more like a compiler than a word-processor. Certain capabilities are required to make an application with it. I prefer the freedom to choose whatever method fits best in my situation/application. I like the current way in which the admin decides how INVITE, PUBLISH, XMLRPC, DMQ, etc are authenticated and/or authorized. None of the (C-)code handling those methods need special authentication routines implemented, it can all be done from within the script. Implementing additional authorization methods inside DMQ will limit choice and create a higher burden on maintenance of the module. There are already to much functions in Kamailio which had only 1 specific use case in mind, where everyone needing a little bit different behavior implemented it separately. Look for example at the many ways to get and/or format date-time values. Let's not add even more. -- Greetings, Alex Hermann

5 7

Re: [sr-dev] DMQ security
by Alex Hermann 31 Oct '13

31 Oct '13

On Thursday 31 October 2013, Charles Chance wrote: > The thing is, DMQ is like a communication channel, over which messages can > be sent by other modules or from within config. The channel itself is > established on startup from within DMQ, at code level, not by the 3rd-party > module or admin. When messages are sent/broadcast over that channel I would > expect that all nodes currently sat in that channel have previously been > verified and when I receive a message I don't have to perform my own checks > each time (in which case I would need to know in advance the list of known > IPs or perform my own authentication). Now as an admin, I can still choose > which transport security I use to secure messages over the wire - this is > outside of DMQ scope anyway - and I can still filter/act upon messages in > my own "topic" in whichever way I choose. But I don't need to also worry > about which nodes on that channel are friendly and which ones have been > allowed to join without being authenticated first. Thanks for the explanation. > So there are two layers to DMQ - the underlying channel or network of > "nodes" maintained dynamically by the DMQ module itself, and the "peers" > (other modules, config script) which communicate over that network within > their own discreet topics. My opinion is that the nodes MUST have some way > internally of confirming their identity when joining/forming the underlying > network. Is this very different from "normal" SIP traffic? With SIP over TCP it is also necessary to make a connection first. In this scenario the decision could be made in the script. Maybe via a new event-route on establishing an inbound (TCP-)connection. > The peers (the function of DMQ which is exposed to the > end-user/admin) are still then free to communicate in whichever way they > choose and perform whatever authentication they like - although it actually > wouldn't be necessary. I don't think this is limiting choice or creating a > higher maintenance burden. I was about to type a bit more on how i think about this issue, but meanwhile Peter Dunkley has sent an email a few minutes ago where the first paragraph is representing exactly what i was about to type here. (I agree with the rest of his email too). -- Greetings, Alex Hermann

1 0

git:4.0: modules/rls: Fix memory leak in rls
by Hugh Waite 31 Oct '13

31 Oct '13

Module: sip-router Branch: 4.0 Commit: d17ff203507956f4ce37ee9c64c17b586cfcb437 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=d17ff20… Author: Hugh Waite <hugh.waite(a)crocodile-rcs.com> Committer: Hugh Waite <hugh.waite(a)crocodile-rcs.com> Date: Wed Oct 30 17:12:05 2013 +0000 modules/rls: Fix memory leak in rls - Leak would occur in two error cases - Also improved diagnostics to display uri on various failures (cherry picked from commit 52ac54133f70776a2dfe54e1789de8b1cae02a05) --- modules/rls/notify.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/rls/notify.c b/modules/rls/notify.c index 6738f91..eb6a0e1 100644 --- a/modules/rls/notify.c +++ b/modules/rls/notify.c @@ -1028,6 +1028,7 @@ int process_list_and_exec(xmlNodePtr list_node, str username, str domain, uri.len = strlen(uri.s); if (uri.len > MAX_URI_SIZE-1) { LM_ERR("XCAP URI is too long\n"); + xmlFree(uri.s); return -1; } LM_DBG("got resource-list uri <%.*s>\n", uri.len, uri.s); @@ -1036,6 +1037,7 @@ int process_list_and_exec(xmlNodePtr list_node, str username, str domain, unescaped_uri.len = 0; if (un_escape(&uri, &unescaped_uri) < 0) { LM_ERR("Error un-escaping XCAP URI\n"); + xmlFree(uri.s); return -1; } unescaped_uri.s[unescaped_uri.len] = 0; @@ -1047,7 +1049,7 @@ int process_list_and_exec(xmlNodePtr list_node, str username, str domain, && (hostname.len == 0 || check_self(&hostname, 0, PROTO_NONE) == 1)) { - LM_DBG("fetching local <resource-list/>\n"); + LM_DBG("fetching local <resource-list - %.*s>\n", uri.len, uri.s); if (rls_get_resource_list(&rl_uri, &username, &domain, &rl_node, &rl_doc)>0) { LM_DBG("calling myself for rl_node\n"); @@ -1057,7 +1059,7 @@ int process_list_and_exec(xmlNodePtr list_node, str username, str domain, } else { - LM_ERR("<resource-list/> not found\n"); + LM_ERR("<resource-list - %.*s> not found\n", uri.len, uri.s); xmlFree(uri.s); return -1; } @@ -1065,14 +1067,14 @@ int process_list_and_exec(xmlNodePtr list_node, str username, str domain, } else { - LM_ERR("<resource-list/> is not local - unsupported at this time\n"); + LM_ERR("<resource-list - %.*s> is not local - unsupported at this time\n", uri.len, uri.s); xmlFree(uri.s); return -1; } } else { - LM_ERR("unable to parse URI for <resource-list/>\n"); + LM_ERR("unable to parse URI for <resource-list - %.*s>\n", uri.len, uri.s); xmlFree(uri.s); return -1; }

1 0

DMQ security
by Charles Chance 31 Oct '13

31 Oct '13

Devs, I'm looking for some advice/opinions. Regarding security of the dmq messages between kamailios - currently it can be achieved by using a separate port (and/or ip) for dmq use and locking this down at firewall level. Of course, tls can be used to protect the content of the messages over the wire. So is this enough? Or should I look to implement some kind of authentication mechanism as well? Perhaps something as simple as a pre-shared key would suffice, assuming the messages are encrypted of course. Full digest authentication is way too heavy in my opinion. Any ideas? Or just leave it up to the user to secure it in network layer? Cheers, Charles -- www.sipcentric.com Follow us on twitter @sipcentric <http://twitter.com/sipcentric> Sipcentric Ltd. Company registered in England & Wales no. 7365592. Registered office: Unit 10 iBIC, Birmingham Science Park, Holt Court South, Birmingham B7 4EJ.

6 21

git:master: kamctl: updated dispatcher command to current db table fields
by Daniel-Constantin Mierla 30 Oct '13

30 Oct '13

Module: sip-router Branch: master Commit: 1cc0144e434fdcf76013e9424d31928c260d4377 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=1cc0144… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: Wed Oct 30 22:11:04 2013 +0100 kamctl: updated dispatcher command to current db table fields - parameters flags, priority, attrs and description are optional --- utils/kamctl/kamctl | 41 ++++++++++++++++++++++++++++------------- utils/kamctl/kamctl.base | 12 +++++++----- 2 files changed, 35 insertions(+), 18 deletions(-) diff --git a/utils/kamctl/kamctl b/utils/kamctl/kamctl index b63b51e..2e25d2e 100755 --- a/utils/kamctl/kamctl +++ b/utils/kamctl/kamctl @@ -1564,27 +1564,44 @@ dispatcher() { QUERY="select * FROM $DISPATCHER_TABLE ORDER BY $DISPATCHER_SETID_COLUMN; " $DBROCMD "$QUERY" ;; - addgw) + addgw|add) shift - if [ $# -lt 3 ] ; then + if [ $# -lt 2 ] ; then merr "too few parameters" usage_dispatcher exit 1 fi + DISPATCHER_SETID=$1 + DISPATCHER_DESTINATION=$2 + + if [ $# -gt 2 ] ; then + DISPATCHER_FLAGS=$3 + else + DISPATCHER_FLAGS=0 + fi + if [ $# -gt 3 ] ; then - DISPATCHER_DESCRIPTION=$4 + DISPATCHER_PRIORITY=$4 else - DISPATCHER_DESCRIPTION="" - fi + DISPATCHER_PRIORITY=0 + fi - DISPATCHER_SETID=$1 - DISPATCHER_DESTINATION=$2 - DISPATCHER_FLAGS=$3 + if [ $# -gt 4 ] ; then + DISPATCHER_ATTRS=$5 + else + DISPATCHER_ATTRS="" + fi + + if [ $# -gt 5 ] ; then + DISPATCHER_DESCRIPTION=$6 + else + DISPATCHER_DESCRIPTION="" + fi QUERY="insert into $DISPATCHER_TABLE \ - ( $DISPATCHER_SETID_COLUMN, $DISPATCHER_DESTINATION_COLUMN, $DISPATCHER_FLAGS_COLUMN, $DISPATCHER_DESCRIPTION_COLUMN ) \ - VALUES ($DISPATCHER_SETID,'$DISPATCHER_DESTINATION',$DISPATCHER_FLAGS,'$DISPATCHER_DESCRIPTION');" + ( $DISPATCHER_SETID_COLUMN, $DISPATCHER_DESTINATION_COLUMN, $DISPATCHER_FLAGS_COLUMN, $DISPATCHER_PRIORITY_COLUMN, $DISPATCHER_ATTRS_COLUMN, $DISPATCHER_DESCRIPTION_COLUMN ) \ + VALUES ($DISPATCHER_SETID,'$DISPATCHER_DESTINATION',$DISPATCHER_FLAGS,$DISPATCHER_PRIORITY,'$DISPATCHER_ATTRS','$DISPATCHER_DESCRIPTION');" $DBCMD "$QUERY" if [ $? -ne 0 ] ; then @@ -1592,9 +1609,8 @@ dispatcher() { exit 1 fi - $CTLCMD ds_reload ;; - rmgw) + rmgw|rm) shift if [ $# -ne 1 ] ; then merr "missing gateway id to be removed" @@ -1609,7 +1625,6 @@ dispatcher() { exit 1 fi - $CTLCMD ds_reload ;; reload) $CTLCMD ds_reload diff --git a/utils/kamctl/kamctl.base b/utils/kamctl/kamctl.base index 94db676..a5e6211 100644 --- a/utils/kamctl/kamctl.base +++ b/utils/kamctl/kamctl.base @@ -310,6 +310,8 @@ DISPATCHER_ID_COLUMN=id DISPATCHER_SETID_COLUMN=setid DISPATCHER_DESTINATION_COLUMN=destination DISPATCHER_FLAGS_COLUMN=flags +DISPATCHER_PRIORITY_COLUMN=priority +DISPATCHER_ATTRS_COLUMN=attrs DISPATCHER_DESCRIPTION_COLUMN=description # dialplan tables @@ -468,15 +470,15 @@ usage_dispatcher() { mecho " -- command 'dispatcher' - manage dispatcher" echo cat <<EOF - * Examples: dispatcher addgw 1 sip:1.2.3.1:5050 1 'outbound gateway' - * dispatcher addgw 2 sip:1.2.3.4:5050 3 '' - * dispatcher rmgw 4 + * Examples: dispatcher add 1 sip:1.2.3.1:5050 1 5 'prefix=123' 'gw one' + * dispatcher add 2 sip:1.2.3.4:5050 3 0 + * dispatcher rm 4 dispatcher show ..................... show dispatcher gateways dispatcher reload ................... reload dispatcher gateways dispatcher dump ..................... show in memory dispatcher gateways - dispatcher addgw <setid> <destination> <flags> <description> + dispatcher add <setid> <destination> [flags] [priority] [attrs] [description] .......................... add gateway - dispatcher rmgw <id> ................ delete gateway + dispatcher rm <id> .................. delete gateway EOF } USAGE_FUNCTIONS="$USAGE_FUNCTIONS usage_dispatcher"

1 0

git:master: Revert "modules/mtree: when loading data from db, load each tree separately"
by Juha Heinanen 30 Oct '13

30 Oct '13

Module: sip-router Branch: master Commit: bfc2215d71734b09a1d7acd4dbdbe919b234c30f URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=bfc2215… Author: Juha Heinanen <jh(a)tutpro.com> Committer: Juha Heinanen <jh(a)tutpro.com> Date: Wed Oct 30 20:49:26 2013 +0200 Revert "modules/mtree: when loading data from db, load each tree separately" This reverts commit 6fc84c2cf610791939ba73e38b8b5b3c0b5cd047. --- modules/mtree/mtree_mod.c | 13 +------------ 1 files changed, 1 insertions(+), 12 deletions(-) diff --git a/modules/mtree/mtree_mod.c b/modules/mtree/mtree_mod.c index eeec89c..0f4348c 100644 --- a/modules/mtree/mtree_mod.c +++ b/modules/mtree/mtree_mod.c @@ -291,9 +291,6 @@ static int mod_init(void) while(pt!=NULL) { - LM_DBG("loading from tree <%.*s>\n", - pt->tname.len, pt->tname.s); - /* loading all information from database */ if(mt_load_db(&pt->tname)!=0) { @@ -494,9 +491,6 @@ error: static int mt_load_db(str *tname) { db_key_t db_cols[3] = {&tprefix_column, &tvalue_column}; - db_key_t key_cols[1]; - db_op_t op[1] = {OP_EQ}; - db_val_t vals[1]; str tprefix, tvalue; db1_res_t* db_res = NULL; int i, ret; @@ -504,11 +498,6 @@ static int mt_load_db(str *tname) m_tree_t *old_tree = NULL; mt_node_t *bk_head = NULL; - key_cols[0] = &tname_column; - VAL_TYPE(vals) = DB1_STRING; - VAL_NULL(vals) = 0; - VAL_STRING(vals) = tname->s; - if(db_con==NULL) { LM_ERR("no db connection\n"); @@ -532,7 +521,7 @@ static int mt_load_db(str *tname) } if (DB_CAPABILITY(mt_dbf, DB_CAP_FETCH)) { - if(mt_dbf.query(db_con, key_cols, op, vals, db_cols, 1, 2, 0, 0) < 0) + if(mt_dbf.query(db_con, 0, 0, 0, db_cols, 0, 2, 0, 0) < 0) { LM_ERR("Error while querying db\n"); return -1;

1 0

git:master: modules/rls: Fix memory leak in rls
by Hugh Waite 30 Oct '13

30 Oct '13

Module: sip-router Branch: master Commit: f0751ffa2d1d99c0a54707cfe22926bea9c07123 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f0751ff… Author: Hugh Waite <hugh.waite(a)crocodile-rcs.com> Committer: Hugh Waite <hugh.waite(a)crocodile-rcs.com> Date: Wed Oct 30 17:12:05 2013 +0000 modules/rls: Fix memory leak in rls - Leak would occur in two error cases - Also improved diagnostics to display uri on various failures --- modules/rls/notify.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/rls/notify.c b/modules/rls/notify.c index 6738f91..eb6a0e1 100644 --- a/modules/rls/notify.c +++ b/modules/rls/notify.c @@ -1028,6 +1028,7 @@ int process_list_and_exec(xmlNodePtr list_node, str username, str domain, uri.len = strlen(uri.s); if (uri.len > MAX_URI_SIZE-1) { LM_ERR("XCAP URI is too long\n"); + xmlFree(uri.s); return -1; } LM_DBG("got resource-list uri <%.*s>\n", uri.len, uri.s); @@ -1036,6 +1037,7 @@ int process_list_and_exec(xmlNodePtr list_node, str username, str domain, unescaped_uri.len = 0; if (un_escape(&uri, &unescaped_uri) < 0) { LM_ERR("Error un-escaping XCAP URI\n"); + xmlFree(uri.s); return -1; } unescaped_uri.s[unescaped_uri.len] = 0; @@ -1047,7 +1049,7 @@ int process_list_and_exec(xmlNodePtr list_node, str username, str domain, && (hostname.len == 0 || check_self(&hostname, 0, PROTO_NONE) == 1)) { - LM_DBG("fetching local <resource-list/>\n"); + LM_DBG("fetching local <resource-list - %.*s>\n", uri.len, uri.s); if (rls_get_resource_list(&rl_uri, &username, &domain, &rl_node, &rl_doc)>0) { LM_DBG("calling myself for rl_node\n"); @@ -1057,7 +1059,7 @@ int process_list_and_exec(xmlNodePtr list_node, str username, str domain, } else { - LM_ERR("<resource-list/> not found\n"); + LM_ERR("<resource-list - %.*s> not found\n", uri.len, uri.s); xmlFree(uri.s); return -1; } @@ -1065,14 +1067,14 @@ int process_list_and_exec(xmlNodePtr list_node, str username, str domain, } else { - LM_ERR("<resource-list/> is not local - unsupported at this time\n"); + LM_ERR("<resource-list - %.*s> is not local - unsupported at this time\n", uri.len, uri.s); xmlFree(uri.s); return -1; } } else { - LM_ERR("unable to parse URI for <resource-list/>\n"); + LM_ERR("unable to parse URI for <resource-list - %.*s>\n", uri.len, uri.s); xmlFree(uri.s); return -1; }

1 0

mtree module loads only to one tree
by Juha Heinanen 30 Oct '13

30 Oct '13

i have in mtrees table rows with two different tname values. when i start my sip proxy, mtree module complains about not being able to convert string to integer: Oct 30 16:12:07 rautu /usr/sbin/sip-proxy[4092]: ERROR: mtree [mtree.c:163]: mt_add_to_tree(): bad integer string <test> i added some debug and found out that mtree module does not change the tree where it adds nodes even when tname value in mtrees records changes from one record to the next. the above error was generated from the second record that belongs to tree2 when first record belonged to tree1: modparam("mtree", "mtree", "name=tree1;type=2;dbtable=mtrees;") modparam("mtree", "mtree", "name=tree2;type=0;dbtable=mtrees;") debug output showed that mtree module tried to load also the second record to tree1. -- juha

1 1

git:master: kamailio.cfg: removed modules_k from path for modules
by Daniel-Constantin Mierla 30 Oct '13

30 Oct '13

Module: sip-router Branch: master Commit: 76536ec5332d7897cd4259b271508cc9d4e2bc2e URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=76536ec… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: Wed Oct 30 16:08:47 2013 +0100 kamailio.cfg: removed modules_k from path for modules --- etc/kamailio.cfg | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/kamailio.cfg b/etc/kamailio.cfg index b800e4b..d0f0ef3 100644 --- a/etc/kamailio.cfg +++ b/etc/kamailio.cfg @@ -207,9 +207,9 @@ voicemail.srv_port = "5060" desc "VoiceMail Port" # set paths to location of modules (to sources or installation folders) #!ifdef WITH_SRCPATH -mpath="modules_k:modules" +mpath="modules/" #!else -mpath="/usr/local/lib/kamailio/modules_k/:/usr/local/lib/kamailio/modules/" +mpath="/usr/local/lib/kamailio/modules/" #!endif #!ifdef WITH_MYSQL

1 0

[tracker] Task changed: registrar: memory and db get not synced
by sip-router 30 Oct '13

30 Oct '13

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has been changed. The changes are listed below. For full information about what has changed, visit the URL and click the History tab. FS#351 - registrar: memory and db get not synced User who did this: Víctor Seva (linuxmaniac) Summary: registrar: process expired contacts first -> registrar: memory and db get not synced More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=351 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev October 2013