- Uses OpenSSL RAND_bytes() to select 20 cryptographically strong pseudo-random
bytes for the key.
- Flow-token key can no longer be manually set.
@@ -4,7 +4,7 @@ Peter Dunkley |
4 | 4 |
|
5 | 5 |
Crocodile RCS Ltd |
6 | 6 |
|
7 |
- Copyright � 2012 Crocodile RCS Ltd |
|
7 |
+ Copyright © 2012 Crocodile RCS Ltd |
|
8 | 8 |
__________________________________________________________________ |
9 | 9 |
|
10 | 10 |
Table of Contents |
@@ -24,7 +24,6 @@ Peter Dunkley |
24 | 24 |
3. Parameters |
25 | 25 |
|
26 | 26 |
3.1. force_outbound_flag (integer) |
27 |
- 3.2. flow_token_key (string) |
|
28 | 27 |
|
29 | 28 |
4. Functions |
30 | 29 |
5. MI Commands |
@@ -35,7 +34,6 @@ Peter Dunkley |
35 | 34 |
1.2. Edge Proxy Configuration |
36 | 35 |
1.3. Registrar Configuration |
37 | 36 |
1.4. Set force_outbound_flag parameter |
38 |
- 1.5. Set flow_token_key parameter |
|
39 | 37 |
|
40 | 38 |
Chapter 1. Admin Guide |
41 | 39 |
|
@@ -54,7 +52,6 @@ Chapter 1. Admin Guide |
54 | 52 |
3. Parameters |
55 | 53 |
|
56 | 54 |
3.1. force_outbound_flag (integer) |
57 |
- 3.2. flow_token_key (string) |
|
58 | 55 |
|
59 | 56 |
4. Functions |
60 | 57 |
5. MI Commands |
@@ -87,9 +84,9 @@ make all |
87 | 84 |
responses to REGISTERs. |
88 | 85 |
|
89 | 86 |
When using TCP or TLS as the SIP transport care should be taken to set |
90 |
- the "tcp_connection_lifetime" on the Edge Proxy to a value slightly |
|
87 |
+ the “tcp_connection_lifetime” on the Edge Proxy to a value slightly |
|
91 | 88 |
larger than the interval the Registrar is using for flow timer. Setting |
92 |
- "tcp_connection_lifetime" to less than the interval could cause |
|
89 |
+ “tcp_connection_lifetime” to less than the interval could cause |
|
93 | 90 |
connections to be lost, and setting it to a value much larger than the |
94 | 91 |
interval will keep connections open far longer than is required (which |
95 | 92 |
is wasteful). |
@@ -97,9 +94,9 @@ make all |
97 | 94 |
Application-layer keep-alives are optional when the underlying |
98 | 95 |
transport already has a keep-alive mechanism. The WebSocket transport |
99 | 96 |
has a transport-layer keep-alive. When using the WebSocket transport |
100 |
- the "keepalive_timeout" should be set to a value a little greater than |
|
97 |
+ the “keepalive_timeout” should be set to a value a little greater than |
|
101 | 98 |
the Registrar flow timer interval and a little less than the |
102 |
- "tcp_connection_lifetime". |
|
99 |
+ “tcp_connection_lifetime”. |
|
103 | 100 |
|
104 | 101 |
Example 1.2. Edge Proxy Configuration |
105 | 102 |
... |
@@ -114,8 +111,6 @@ loadmodule "path.so" |
114 | 111 |
... |
115 | 112 |
modparam("websocket", "keepalive_timeout", FLOW_TIMER+5) |
116 | 113 |
... |
117 |
-modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!") |
|
118 |
-... |
|
119 | 114 |
route { |
120 | 115 |
route(REQINIT); |
121 | 116 |
... |
@@ -284,7 +279,6 @@ failure_route[FAIL_OUTBOUND] { |
284 | 279 |
3. Parameters |
285 | 280 |
|
286 | 281 |
3.1. force_outbound_flag (integer) |
287 |
- 3.2. flow_token_key (string) |
|
288 | 282 |
|
289 | 283 |
3.1. force_outbound_flag (integer) |
290 | 284 |
|
@@ -299,23 +293,6 @@ failure_route[FAIL_OUTBOUND] { |
299 | 293 |
modparam("outbound", "force_outbound_flag", 1) |
300 | 294 |
... |
301 | 295 |
|
302 |
-3.2. flow_token_key (string) |
|
303 |
- |
|
304 |
- The outbound flow token is generated using the algorithm described in |
|
305 |
- RFC 5626 section 5.2. This algorithm requires a 20 octet crypto random |
|
306 |
- key that is unique for each Edge Proxy. |
|
307 |
- |
|
308 |
-Note |
|
309 |
- |
|
310 |
- If this 20 character string is not set Kamailio will not start. |
|
311 |
- |
|
312 |
- Default value is: "". |
|
313 |
- |
|
314 |
- Example 1.5. Set flow_token_key parameter |
|
315 |
-... |
|
316 |
-modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!") |
|
317 |
-... |
|
318 |
- |
|
319 | 296 |
4. Functions |
320 | 297 |
|
321 | 298 |
None |
@@ -69,8 +69,6 @@ loadmodule "path.so" |
69 | 69 |
... |
70 | 70 |
modparam("websocket", "keepalive_timeout", FLOW_TIMER+5) |
71 | 71 |
... |
72 |
-modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!") |
|
73 |
-... |
|
74 | 72 |
route { |
75 | 73 |
route(REQINIT); |
76 | 74 |
... |
@@ -271,25 +269,6 @@ failure_route[FAIL_OUTBOUND] { |
271 | 269 |
... |
272 | 270 |
modparam("outbound", "force_outbound_flag", 1) |
273 | 271 |
... |
274 |
-</programlisting> |
|
275 |
- </example> |
|
276 |
- </section> |
|
277 |
- <section> |
|
278 |
- <title><varname>flow_token_key</varname> (string)</title> |
|
279 |
- <para>The outbound flow token is generated using the algorithm |
|
280 |
- described in RFC 5626 section 5.2. This algorithm requires a 20 |
|
281 |
- octet crypto random key that is unique for each Edge Proxy. |
|
282 |
- </para> |
|
283 |
- <note><para>If this 20 character string is not set &kamailio; |
|
284 |
- will not start.</para></note> |
|
285 |
- <para><emphasis>Default value is: "".</emphasis></para> |
|
286 |
- <example> |
|
287 |
- <title>Set <varname>flow_token_key</varname> parameter |
|
288 |
- </title> |
|
289 |
- <programlisting format="linespecific"> |
|
290 |
-... |
|
291 |
-modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!") |
|
292 |
-... |
|
293 | 272 |
</programlisting> |
294 | 273 |
</example> |
295 | 274 |
</section> |
@@ -21,6 +21,7 @@ |
21 | 21 |
* |
22 | 22 |
*/ |
23 | 23 |
#include <openssl/hmac.h> |
24 |
+#include <openssl/rand.h> |
|
24 | 25 |
|
25 | 26 |
#include "../../basex.h" |
26 | 27 |
#include "../../dprint.h" |
@@ -39,6 +40,8 @@ |
39 | 40 |
|
40 | 41 |
MODULE_VERSION |
41 | 42 |
|
43 |
+#define OB_KEY_LEN 20 |
|
44 |
+ |
|
42 | 45 |
static int mod_init(void); |
43 | 46 |
|
44 | 47 |
static unsigned int ob_force_flag = (unsigned int) -1; |
@@ -55,7 +58,6 @@ static cmd_export_t cmds[]= |
55 | 58 |
static param_export_t params[]= |
56 | 59 |
{ |
57 | 60 |
{ "force_outbound_flag", INT_PARAM, &ob_force_flag }, |
58 |
- { "flow_token_key", STR_PARAM, &ob_key.s}, |
|
59 | 61 |
{ 0, 0, 0 } |
60 | 62 |
}; |
61 | 63 |
|
@@ -83,20 +85,12 @@ static int mod_init(void) |
83 | 85 |
return -1; |
84 | 86 |
} |
85 | 87 |
|
86 |
- if (ob_key.s == 0) |
|
88 |
+ if (RAND_bytes((unsigned char *) ob_key.s, OB_KEY_LEN) == 0) |
|
87 | 89 |
{ |
88 |
- LM_ERR("flow_token_key not set\n"); |
|
89 |
- return -1; |
|
90 |
- } |
|
91 |
- else |
|
92 |
- ob_key.len = strlen(ob_key.s); |
|
93 |
- |
|
94 |
- if (ob_key.len != 20) |
|
95 |
- { |
|
96 |
- LM_ERR("flow_token_key wrong length. Expected 20 got %d\n", |
|
97 |
- ob_key.len); |
|
98 |
- return -1; |
|
90 |
+ LM_ERR("unable to get %d cryptographically strong pseudo-" |
|
91 |
+ "random bytes\n", OB_KEY_LEN); |
|
99 | 92 |
} |
93 |
+ ob_key.len = OB_KEY_LEN; |
|
100 | 94 |
|
101 | 95 |
return 0; |
102 | 96 |
} |
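Review bot: A RAND_bytes() failure no longer aborts module initialisation: the new branch at new lines 88-91 only logs, then falls through to `ob_key.len = OB_KEY_LEN;` and `return 0;`, so the proxy starts up using whatever bytes happen to be in the buffer as its flow-token key, whereas the replaced code returned -1 in both of its error cases. Restore the early exit by adding `return -1;` after the LM_ERR inside the branch. RAND_bytes() returns 1 on success and 0 on failure, and older OpenSSL returns -1 when the RAND method does not support it, so `if (RAND_bytes((unsigned char *) ob_key.s, OB_KEY_LEN) != 1)` is the more robust condition than `== 0`. The definition of ob_key is outside the hunk, and with the STR_PARAM entry removed nothing in this diff points ob_key.s at a writable OB_KEY_LEN-byte buffer, so that should be confirmed before RAND_bytes() writes through it. mod_init starts outside the hunk.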