Module: sip-router Branch: 4.0 Commit: 6acbeef9ff574c079aaeeea72924905a0426c922 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=6acbeef9...
Author: Peter Dunkley peter.dunkley@crocodile-rcs.com Committer: Peter Dunkley peter.dunkley@crocodile-rcs.com Date: Fri Mar 15 12:14:31 2013 +0000
modules/outbound: The flow-token key is now automatically generated
- Uses OpenSSL RAND_bytes() to select 20 cryptographically strong pseudo-random bytes for the key. - Flow-token key can no longer be manually set. (cherry picked from commit f474e85616f6f98a6ac193c7425f6c85af8efa20)
---
modules/outbound/README | 33 ++++-------------------------- modules/outbound/doc/outbound_admin.xml | 21 ------------------- modules/outbound/ob_mod.c | 20 ++++++------------ 3 files changed, 12 insertions(+), 62 deletions(-)
diff --git a/modules/outbound/README b/modules/outbound/README
index 3e6aa97..08c6038 100644
--- a/modules/outbound/README
+++ b/modules/outbound/README
@@ -4,7 +4,7 @@ Peter Dunkley
Crocodile RCS Ltd
- Copyright � 2012 Crocodile RCS Ltd + Copyright © 2012 Crocodile RCS Ltd __________________________________________________________________
Table of Contents @@ -24,7 +24,6 @@ Peter Dunkley 3. Parameters
3.1. force_outbound_flag (integer) - 3.2. flow_token_key (string)
4. Functions 5. MI Commands @@ -35,7 +34,6 @@ Peter Dunkley 1.2. Edge Proxy Configuration 1.3. Registrar Configuration 1.4. Set force_outbound_flag parameter - 1.5. Set flow_token_key parameter
Chapter 1. Admin Guide
@@ -54,7 +52,6 @@ Chapter 1. Admin Guide 3. Parameters
3.1. force_outbound_flag (integer) - 3.2. flow_token_key (string)
4. Functions 5. MI Commands @@ -87,9 +84,9 @@ make all responses to REGISTERs.
When using TCP or TLS as the SIP transport care should be taken to set - the "tcp_connection_lifetime" on the Edge Proxy to a value slightly + the “tcp_connection_lifetime” on the Edge Proxy to a value slightly larger than the interval the Registrar is using for flow timer. Setting - "tcp_connection_lifetime" to less than the interval could cause + “tcp_connection_lifetime” to less than the interval could cause connections to be lost, and setting it to a value much larger than the interval will keep connections open far longer than is required (which is wasteful). @@ -97,9 +94,9 @@ make all Application-layer keep-alives are optional when the underlying transport already has a keep-alive mechanism. The WebSocket transport has a transport-layer keep-alive. When using the WebSocket transport - the "keepalive_timeout" should be set to a value a little greater than + the “keepalive_timeout” should be set to a value a little greater than the Registrar flow timer interval and a little less than the - "tcp_connection_lifetime". + “tcp_connection_lifetime”.
Example 1.2. Edge Proxy Configuration ... @@ -114,8 +111,6 @@ loadmodule "path.so" ... modparam("websocket", "keepalive_timeout", FLOW_TIMER+5) ... -modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!") -... route { route(REQINIT); ... @@ -284,7 +279,6 @@ failure_route[FAIL_OUTBOUND] { 3. Parameters
3.1. force_outbound_flag (integer) - 3.2. flow_token_key (string)
3.1. force_outbound_flag (integer)
@@ -299,23 +293,6 @@ failure_route[FAIL_OUTBOUND] { modparam("outbound", "force_outbound_flag", 1) ...
-3.2. flow_token_key (string) - - The outbound flow token is generated using the algorithm described in - RFC 5626 section 5.2. This algorithm requires a 20 octet crypto random - key that is unique for each Edge Proxy. - -Note - - If this 20 character string is not set Kamailio will not start. - - Default value is: "". - - Example 1.5. Set flow_token_key parameter -... -modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!") -... - 4. Functions
None
diff --git a/modules/outbound/doc/outbound_admin.xml b/modules/outbound/doc/outbound_admin.xml
index 837e0da..2e5d21e 100644
--- a/modules/outbound/doc/outbound_admin.xml
+++ b/modules/outbound/doc/outbound_admin.xml
@@ -69,8 +69,6 @@ loadmodule "path.so" ... modparam("websocket", "keepalive_timeout", FLOW_TIMER+5) ... -modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!") -... route { route(REQINIT); ...
@@ -274,25 +272,6 @@ modparam("outbound", "force_outbound_flag", 1) </programlisting> </example> </section> - <section> - <title><varname>flow_token_key</varname> (string)</title> - <para>The outbound flow token is generated using the algorithm - described in RFC 5626 section 5.2. This algorithm requires a 20 - octet crypto random key that is unique for each Edge Proxy. - </para> - <note><para>If this 20 character string is not set &kamailio; - will not start.</para></note> - <para><emphasis>Default value is: "".</emphasis></para> - <example> - <title>Set <varname>flow_token_key</varname> parameter - </title> - <programlisting format="linespecific"> -... -modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!") -... -</programlisting> - </example> - </section> </section>
<section>
diff --git a/modules/outbound/ob_mod.c b/modules/outbound/ob_mod.c
index 775d0b6..37b0a60 100644
--- a/modules/outbound/ob_mod.c
+++ b/modules/outbound/ob_mod.c
@@ -21,6 +21,7 @@
 *
 */
 #include <openssl/hmac.h>
+#include <openssl/rand.h>
#include "../../basex.h"
 #include "../../dprint.h"
@@ -39,6 +40,8 @@
MODULE_VERSION
+#define OB_KEY_LEN 20
+
 static int mod_init(void);
static unsigned int ob_force_flag = (unsigned int) -1;
@@ -55,7 +58,6 @@ static cmd_export_t cmds[]=
 static param_export_t params[]=
 {
 { "force_outbound_flag", INT_PARAM, &ob_force_flag },
- { "flow_token_key", STR_PARAM, &ob_key.s},
 { 0, 0, 0 }
 };
@@ -83,20 +85,12 @@ static int mod_init(void)
 return -1;
 }
- if (ob_key.s == 0)
+ if (RAND_bytes((unsigned char *) ob_key.s, OB_KEY_LEN) == 0)
 {
- LM_ERR("flow_token_key not set\n");
- return -1;
- }
- else
- ob_key.len = strlen(ob_key.s);
-
- if (ob_key.len != 20)
- {
- LM_ERR("flow_token_key wrong length. Expected 20 got %d\n",
- ob_key.len);
- return -1;
+ LM_ERR("unable to get %d cryptographically strong pseudo-"
+ "random bytes\n", OB_KEY_LEN);
 }
+ ob_key.len = OB_KEY_LEN;
return 0;
 }
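Review bot: The RAND_bytes() failure branch in mod_init only logs: it falls through to `ob_key.len = OB_KEY_LEN;` and `return 0;`, so the module starts with whatever ob_key.s happened to hold and every flow token is then derived from a non-random key, whereas the removed code refused to start without a valid key. The branch needs `return -1;` after the LM_ERR(), and the test should read `if (RAND_bytes((unsigned char *) ob_key.s, OB_KEY_LEN) != 1)`, because RAND_bytes() also returns -1 when the current RAND method does not support it and `== 0` lets that case through. Nothing in this diff changes what ob_key.s points to; it used to be filled in by the removed `flow_token_key` STR_PARAM entry, so unless its declaration (outside the hunk, as is the start of mod_init) already supplies a 20-byte buffer, the write goes through a null or unset pointer and should be checked. Since the key is now regenerated on every start, flow tokens issued before a restart will presumably no longer verify and several Edge Proxies cannot share one key; that operational consequence is worth a sentence in outbound_admin.xml next to the removed section.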