29 Mar
2013
29 Mar
'13
2:30 a.m.
Module: sip-router
Branch: 4.0
Commit: 6acbeef9ff574c079aaeeea72924905a0426c922
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=6acbeef…
Author: Peter Dunkley <peter.dunkley(a)crocodile-rcs.com>
Committer: Peter Dunkley <peter.dunkley(a)crocodile-rcs.com>
Date: Fri Mar 15 12:14:31 2013 +0000
modules/outbound: The flow-token key is now automatically generated
- Uses OpenSSL RAND_bytes() to select 20 cryptographically strong pseudo-random
bytes for the key.
- Flow-token key can no longer be manually set.
(cherry picked from commit f474e85616f6f98a6ac193c7425f6c85af8efa20)
---
modules/outbound/README | 33 ++++--------------------------
modules/outbound/doc/outbound_admin.xml | 21 -------------------
modules/outbound/ob_mod.c | 20 ++++++------------
3 files changed, 12 insertions(+), 62 deletions(-)
diff --git a/modules/outbound/README b/modules/outbound/README
index 3e6aa97..08c6038 100644
--- a/modules/outbound/README
+++ b/modules/outbound/README
@@ -4,7 +4,7 @@ Peter Dunkley
Crocodile RCS Ltd
- Copyright � 2012 Crocodile RCS Ltd
+ Copyright © 2012 Crocodile RCS Ltd
__________________________________________________________________
Table of Contents
@@ -24,7 +24,6 @@ Peter Dunkley
3. Parameters
3.1. force_outbound_flag (integer)
- 3.2. flow_token_key (string)
4. Functions
5. MI Commands
@@ -35,7 +34,6 @@ Peter Dunkley
1.2. Edge Proxy Configuration
1.3. Registrar Configuration
1.4. Set force_outbound_flag parameter
- 1.5. Set flow_token_key parameter
Chapter 1. Admin Guide
@@ -54,7 +52,6 @@ Chapter 1. Admin Guide
3. Parameters
3.1. force_outbound_flag (integer)
- 3.2. flow_token_key (string)
4. Functions
5. MI Commands
@@ -87,9 +84,9 @@ make all
responses to REGISTERs.
When using TCP or TLS as the SIP transport care should be taken to set
- the "tcp_connection_lifetime" on the Edge Proxy to a value slightly
+ the “tcp_connection_lifetime” on the Edge Proxy to a value slightly
larger than the interval the Registrar is using for flow timer. Setting
- "tcp_connection_lifetime" to less than the interval could cause
+ “tcp_connection_lifetime” to less than the interval could cause
connections to be lost, and setting it to a value much larger than the
interval will keep connections open far longer than is required (which
is wasteful).
@@ -97,9 +94,9 @@ make all
Application-layer keep-alives are optional when the underlying
transport already has a keep-alive mechanism. The WebSocket transport
has a transport-layer keep-alive. When using the WebSocket transport
- the "keepalive_timeout" should be set to a value a little greater than
+ the “keepalive_timeout” should be set to a value a little greater than
the Registrar flow timer interval and a little less than the
- "tcp_connection_lifetime".
+ “tcp_connection_lifetime”.
Example 1.2. Edge Proxy Configuration
...
@@ -114,8 +111,6 @@ loadmodule "path.so"
...
modparam("websocket", "keepalive_timeout", FLOW_TIMER+5)
...
-modparam("outbound", "flow_token_key", "!!!Kamailio
rocks!!!")
-...
route {
route(REQINIT);
...
@@ -284,7 +279,6 @@ failure_route[FAIL_OUTBOUND] {
3. Parameters
3.1. force_outbound_flag (integer)
- 3.2. flow_token_key (string)
3.1. force_outbound_flag (integer)
@@ -299,23 +293,6 @@ failure_route[FAIL_OUTBOUND] {
modparam("outbound", "force_outbound_flag", 1)
...
-3.2. flow_token_key (string)
-
- The outbound flow token is generated using the algorithm described in
- RFC 5626 section 5.2. This algorithm requires a 20 octet crypto random
- key that is unique for each Edge Proxy.
-
-Note
-
- If this 20 character string is not set Kamailio will not start.
-
- Default value is: "".
-
- Example 1.5. Set flow_token_key parameter
-...
-modparam("outbound", "flow_token_key", "!!!Kamailio
rocks!!!")
-...
-
4. Functions
None
diff --git a/modules/outbound/doc/outbound_admin.xml
b/modules/outbound/doc/outbound_admin.xml
index 837e0da..2e5d21e 100644
--- a/modules/outbound/doc/outbound_admin.xml
+++ b/modules/outbound/doc/outbound_admin.xml
@@ -69,8 +69,6 @@ loadmodule "path.so"
...
modparam("websocket", "keepalive_timeout", FLOW_TIMER+5)
...
-modparam("outbound", "flow_token_key", "!!!Kamailio
rocks!!!")
-...
route {
route(REQINIT);
...
@@ -274,25 +272,6 @@ modparam("outbound", "force_outbound_flag", 1)
</programlisting>
</example>
</section>
- <section>
- <title><varname>flow_token_key</varname> (string)</title>
- <para>The outbound flow token is generated using the algorithm
- described in RFC 5626 section 5.2. This algorithm requires a 20
- octet crypto random key that is unique for each Edge Proxy.
- </para>
- <note><para>If this 20 character string is not set &kamailio;
- will not start.</para></note>
- <para><emphasis>Default value is:
"".</emphasis></para>
- <example>
- <title>Set <varname>flow_token_key</varname> parameter
- </title>
- <programlisting format="linespecific">
-...
-modparam("outbound", "flow_token_key", "!!!Kamailio
rocks!!!")
-...
-</programlisting>
- </example>
- </section>
</section>
<section>
diff --git a/modules/outbound/ob_mod.c b/modules/outbound/ob_mod.c
index 775d0b6..37b0a60 100644
--- a/modules/outbound/ob_mod.c
+++ b/modules/outbound/ob_mod.c
@@ -21,6 +21,7 @@
*
*/
#include <openssl/hmac.h>
+#include <openssl/rand.h>
#include "../../basex.h"
#include "../../dprint.h"
@@ -39,6 +40,8 @@
MODULE_VERSION
+#define OB_KEY_LEN 20
+
static int mod_init(void);
static unsigned int ob_force_flag = (unsigned int) -1;
@@ -55,7 +58,6 @@ static cmd_export_t cmds[]=
static param_export_t params[]=
{
{ "force_outbound_flag", INT_PARAM, &ob_force_flag },
- { "flow_token_key", STR_PARAM, &ob_key.s},
{ 0, 0, 0 }
};
@@ -83,20 +85,12 @@ static int mod_init(void)
return -1;
}
- if (ob_key.s == 0)
+ if (RAND_bytes((unsigned char *) ob_key.s, OB_KEY_LEN) == 0)
{
- LM_ERR("flow_token_key not set\n");
- return -1;
- }
- else
- ob_key.len = strlen(ob_key.s);
-
- if (ob_key.len != 20)
- {
- LM_ERR("flow_token_key wrong length. Expected 20 got %d\n",
- ob_key.len);
- return -1;
+ LM_ERR("unable to get %d cryptographically strong pseudo-"
+ "random bytes\n", OB_KEY_LEN);
}
+ ob_key.len = OB_KEY_LEN;
return 0;
}