Hi!
I've just posted a domainkeys module on the tracker on sourceforge: http://sourceforge.net/tracker/index.php?func=detail&aid=1368417&gro...
This is a "proof-of-concept" and at the moment not a module for real usage. Further, this is something which is not standardized or documented anywhere. It's just an experiment to use the domainkeys technology (invented as an anti-SPAM technology for emails) also with SIP.
Following some snippets from the README file.
If you would like to discuss this idea with me, you're welcome.
regards klaus
Chapter 1. User's Guide
1.1. Overview
This module is a proof-of-concept. It tries to use the domainkeys technology for signing SIP messages. Domainkeys were developed as an anti-SPAM technology for emails. But as SIP is similar to email, it might also be useful to use domainkeys for signing SIP messages.
1.1.1. Installation
Just copy the module into openser's module directory. This module needs the libdomainkeys library and the libcrypto library (from openssl). Thus make sure to have openssl installed. If the domainkeys library is not installed in the default directories, you have to modify the library path in the Makefile to point to the location of the domainkeys library and add this directory to /etc/ld.so.conf (then run ldconfig). Further you have to adapt the include path of #include "/home/darilion/libdomainkeys-0.68/domainkeys.h" in the file domainkeys.c. Then compile and use the module as usual.
1.1.2. Known Limitations
* The current version signs only the From: and To: headers and the message body.
* This module is far from stable and certainly contains several bugs.
* Signing and validation take time. On a 2GHz Athlon CPU, signing an INVITE message (From:, To: and body) took ~8ms; validating this message took ~9ms. Validation additionally needs at least one DNS lookup to fetch the public key of the signing domain. This cost can be reduced by a fast resolving name server and long TTLs for the public key record.
* This module uses the originally received SIP message for calculating the message signature. Thus, if you use functions which modify the signed headers (e.g. the uac module) or which modify the body (e.g. the nathelper module) after signing, the added signature will be invalid.
1.3. Exported Parameters
1.3.1. privkey_file (string)
Path to the file containing the private key for the signing. (The public key for the validation will be fetched from DNS)
Default value is "".
Example 1-1. privkey_file example

modparam("domainkeys", "privkey_file", "/etc/domainkeys/privkeys/2005")
1.4. Exported Functions
1.4.1. domainkeys_sign
Signs the From: and To: headers and the body of the SIP message with the private key from privkey_file and adds a Domainkey-Signature header.
This function can be used from REQUEST_ROUTE.
Example 1-2. domainkeys_sign usage

...
if (is_method("INVITE")) {
    if (domainkeys_sign()) {
        xlog("L_INFO","domainkeys - signing: SUCCESS\n");
    } else {
        xlog("L_INFO","domainkeys - signing: FAILURE\n");
    }
}
...
1.4.2. domainkeys_validate
Validates the Domainkey-Signature header of the received SIP message against the public key of the signing domain, which is fetched from DNS.
This function can be used from REQUEST_ROUTE.
Example 1-3. domainkeys_validate usage

...
if (is_present_hf("Domainkey-Signature")) {
    xlog("L_INFO","Domainkey-Signature found, start validating...\n");
    if (domainkeys_validate()) {
        xlog("L_INFO","domainkeys - validate: SUCCESS\n");
    } else {
        xlog("L_INFO","domainkeys - validate: FAILURE\n");
    }
}
...
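To make the sign/validate round trip and the "Known Limitations" concrete, here is an added worked example in Python. It is not the openser module's code and not from the author: the module's wire format is undocumented, so the example assumes the DomainKeys e-mail conventions (RFC 4870) for the signature header tags, the <selector>._domainkey.<domain> TXT record and its "k=rsa; p=<base64 DER public key>" layout, and it uses its own whitespace-folding canonicalisation of From:, To: and the body. The header name Domainkey-Signature and the selector "2005" come from the README examples above; the SIP INVITE, the in-memory DNS table and all addresses are constructed for the example. It needs the third-party 'cryptography' package, and uses rsa-sha1 only because that is what DomainKeys specifies.

```python
# Added example, not code from the openser domainkeys module.
# Assumed (undocumented on the page): header tags, canonical form and the
# "<selector>._domainkey.<domain>" TXT record follow DomainKeys (RFC 4870).
import base64
import re

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

SIG_HEADER = "Domainkey-Signature"  # header name used in the README example


def parse_sip(msg):
    """Return (start line, {lower-cased name: first value}, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers, body


def canonical(headers, body):
    """Bytes that get signed: From:, To: and the body, whitespace folded.
    Via:, CSeq: etc. are deliberately outside the signature."""
    parts = []
    for name in ("from", "to"):
        value = re.sub(r"\s+", " ", headers.get(name, "")).strip()
        parts.append(name + ":" + value)
    return "\r\n".join(parts + [body]).encode()


def sign_sip(msg, privkey, domain, selector):
    """Insert a Domainkey-Signature header right after the request line."""
    start, headers, body = parse_sip(msg)
    sig = privkey.sign(canonical(headers, body), padding.PKCS1v15(), hashes.SHA1())
    hdr = (f"{SIG_HEADER}: a=rsa-sha1; q=dns; s={selector}; d={domain}; "
           f"h=From:To; b={base64.b64encode(sig).decode()}")
    rest = msg.partition("\r\n\r\n")[0].split("\r\n")[1:]
    return "\r\n".join([start, hdr] + rest) + "\r\n\r\n" + body


def dns_record(pubkey):
    """TXT record a validator fetches at <selector>._domainkey.<domain>."""
    der = pubkey.public_bytes(serialization.Encoding.DER,
                              serialization.PublicFormat.SubjectPublicKeyInfo)
    return "k=rsa; p=" + base64.b64encode(der).decode()


def tags(value):
    """Parse 'a=b; c=d' tag lists (signature header and DNS record)."""
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)


def validate_sip(msg, dns):
    """Verify the signature; 'dns' is a constructed {name: txt} stand-in
    for the live DNS lookup the module performs."""
    _, headers, body = parse_sip(msg)
    hdr = headers.get(SIG_HEADER.lower())
    if hdr is None:
        return False
    t = tags(hdr)
    txt = dns.get(f"{t.get('s')}._domainkey.{t.get('d')}")
    if txt is None:
        return False  # no published key: nothing to validate against
    pub = serialization.load_der_public_key(base64.b64decode(tags(txt)["p"]))
    try:
        pub.verify(base64.b64decode(t["b"]), canonical(headers, body),
                   padding.PKCS1v15(), hashes.SHA1())
        return True
    except InvalidSignature:
        return False


# Constructed sample INVITE (documentation address ranges, made up for this example).
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"
)


def demo():
    """Sign, validate, then show which later changes break the signature."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    dns = {"2005._domainkey.example.com": dns_record(key.public_key())}
    signed = sign_sip(INVITE, key, "example.com", "2005")
    return {
        "unsigned": validate_sip(INVITE, dns),
        "signed": validate_sip(signed, dns),
        # a proxy changing Via: is harmless, it is not covered by the signature ...
        "via_changed": validate_sip(signed.replace("z9hG4bK776asdhds", "z9hG4bKnew"), dns),
        # ... but a nathelper-style SDP rewrite or a uac-style From: rewrite is not
        "body_rewritten": validate_sip(signed.replace("c=IN IP4 192.0.2.10", "c=IN IP4 203.0.113.5"), dns),
        "from_rewritten": validate_sip(signed.replace("sip:alice@example.com", "sip:mallory@example.com"), dns),
        "key_not_in_dns": validate_sip(signed, {}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'valid' if ok else 'INVALID'}")
```

The last three results in demo() are the practical reading of the README's limitation: anything that touches From:, To: or the body after domainkeys_sign() has run, or a key that is not published under the expected DNS name, turns validation into a failure, while changes to headers outside the signed set (Via:, CSeq:) do not.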