
modules/outbound: The flow-token key is now automatically generated

- Uses OpenSSL RAND_bytes() to select 20 cryptographically strong pseudo-random
bytes for the key.
- Flow-token key can no longer be manually set.

Peter Dunkley authored on 15/03/2013 12:14:31
Showing 3 changed files
... ...
@@ -4,7 +4,7 @@ Peter Dunkley
4 4
 
5 5
    Crocodile RCS Ltd
6 6
 
7
-   Copyright � 2012 Crocodile RCS Ltd
7
+   Copyright © 2012 Crocodile RCS Ltd
8 8
      __________________________________________________________________
9 9
 
10 10
    Table of Contents
... ...
@@ -24,7 +24,6 @@ Peter Dunkley
24 24
         3. Parameters
25 25
 
26 26
               3.1. force_outbound_flag (integer)
27
-              3.2. flow_token_key (string)
28 27
 
29 28
         4. Functions
30 29
         5. MI Commands
... ...
@@ -35,7 +34,6 @@ Peter Dunkley
35 34
    1.2. Edge Proxy Configuration
36 35
    1.3. Registrar Configuration
37 36
    1.4. Set force_outbound_flag parameter
38
-   1.5. Set flow_token_key parameter
39 37
 
40 38
 Chapter 1. Admin Guide
41 39
 
... ...
@@ -54,7 +52,6 @@ Chapter 1. Admin Guide
54 52
    3. Parameters
55 53
 
56 54
         3.1. force_outbound_flag (integer)
57
-        3.2. flow_token_key (string)
58 55
 
59 56
    4. Functions
60 57
    5. MI Commands
... ...
@@ -87,9 +84,9 @@ make all
87 84
    responses to REGISTERs.
88 85
 
89 86
    When using TCP or TLS as the SIP transport care should be taken to set
90
-   the "tcp_connection_lifetime" on the Edge Proxy to a value slightly
87
+   the “tcp_connection_lifetime” on the Edge Proxy to a value slightly
91 88
    larger than the interval the Registrar is using for flow timer. Setting
92
-   "tcp_connection_lifetime" to less than the interval could cause
89
+   “tcp_connection_lifetime” to less than the interval could cause
93 90
    connections to be lost, and setting it to a value much larger than the
94 91
    interval will keep connections open far longer than is required (which
95 92
    is wasteful).
... ...
@@ -97,9 +94,9 @@ make all
97 94
    Application-layer keep-alives are optional when the underlying
98 95
    transport already has a keep-alive mechanism. The WebSocket transport
99 96
    has a transport-layer keep-alive. When using the WebSocket transport
100
-   the "keepalive_timeout" should be set to a value a little greater than
97
+   the “keepalive_timeout” should be set to a value a little greater than
101 98
    the Registrar flow timer interval and a little less than the
102
-   "tcp_connection_lifetime".
99
+   “tcp_connection_lifetime”.
103 100
 
104 101
    Example 1.2. Edge Proxy Configuration
105 102
 ...
... ...
@@ -114,8 +111,6 @@ loadmodule "path.so"
114 111
 ...
115 112
 modparam("websocket", "keepalive_timeout", FLOW_TIMER+5)
116 113
 ...
117
-modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!")
118
-...
119 114
 route {
120 115
         route(REQINIT);
121 116
         ...
... ...
@@ -284,7 +279,6 @@ failure_route[FAIL_OUTBOUND] {
284 279
 3. Parameters
285 280
 
286 281
    3.1. force_outbound_flag (integer)
287
-   3.2. flow_token_key (string)
288 282
 
289 283
 3.1. force_outbound_flag (integer)
290 284
 
... ...
@@ -299,23 +293,6 @@ failure_route[FAIL_OUTBOUND] {
299 293
 modparam("outbound", "force_outbound_flag", 1)
300 294
 ...
301 295
 
302
-3.2. flow_token_key (string)
303
-
304
-   The outbound flow token is generated using the algorithm described in
305
-   RFC 5626 section 5.2. This algorithm requires a 20 octet crypto random
306
-   key that is unique for each Edge Proxy.
307
-
308
-Note
309
-
310
-   If this 20 character string is not set Kamailio will not start.
311
-
312
-   Default value is: "".
313
-
314
-   Example 1.5. Set flow_token_key parameter
315
-...
316
-modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!")
317
-...
318
-
319 296
 4. Functions
320 297
 
321 298
    None
... ...
@@ -69,8 +69,6 @@ loadmodule "path.so"
69 69
 ...
70 70
 modparam("websocket", "keepalive_timeout", FLOW_TIMER+5)
71 71
 ...
72
-modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!")
73
-...
74 72
 route {
75 73
 	route(REQINIT);
76 74
 	...
... ...
@@ -271,25 +269,6 @@ failure_route[FAIL_OUTBOUND] {
271 269
 ...
272 270
 modparam("outbound", "force_outbound_flag", 1)
273 271
 ...
274
-</programlisting>
275
-		</example>
276
-	</section>
277
-	<section>
278
-		<title><varname>flow_token_key</varname> (string)</title>
279
-		<para>The outbound flow token is generated using the algorithm
280
-		described in RFC 5626 section 5.2. This algorithm requires a 20
281
-		octet crypto random key that is unique for each Edge Proxy.
282
-		</para>
283
-		<note><para>If this 20 character string is not set &kamailio;
284
-		will not start.</para></note>
285
-		<para><emphasis>Default value is: "".</emphasis></para>
286
-		<example>
287
-		<title>Set <varname>flow_token_key</varname> parameter
288
-		</title>
289
-		<programlisting format="linespecific">
290
-...
291
-modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!")
292
-...
293 272
 </programlisting>
294 273
 		</example>
295 274
 	</section>
... ...
@@ -21,6 +21,7 @@
21 21
  *
22 22
  */
23 23
 #include <openssl/hmac.h>
24
+#include <openssl/rand.h>
24 25
 
25 26
 #include "../../basex.h"
26 27
 #include "../../dprint.h"
... ...
@@ -39,6 +40,8 @@
39 40
 
40 41
 MODULE_VERSION
41 42
 
43
+#define OB_KEY_LEN	20
44
+
42 45
 static int mod_init(void);
43 46
 
44 47
 static unsigned int ob_force_flag = (unsigned int) -1;
... ...
@@ -55,7 +58,6 @@ static cmd_export_t cmds[]=
55 58
 static param_export_t params[]=
56 59
 {
57 60
 	{ "force_outbound_flag",	INT_PARAM, &ob_force_flag },
58
-	{ "flow_token_key",		STR_PARAM, &ob_key.s},
59 61
 	{ 0, 0, 0 }
60 62
 };
61 63
 
... ...
@@ -83,20 +85,12 @@ static int mod_init(void)
83 85
 		return -1;
84 86
 	}
85 87
 
86
-	if (ob_key.s == 0)
88
+	if (RAND_bytes((unsigned char *) ob_key.s, OB_KEY_LEN) == 0)
87 89
 	{
88
-		LM_ERR("flow_token_key not set\n");
89
-		return -1;
90
-	}
91
-	else
92
-		ob_key.len = strlen(ob_key.s);
93
-
94
-	if (ob_key.len != 20)
95
-	{
96
-		LM_ERR("flow_token_key wrong length. Expected 20 got %d\n",
97
-			ob_key.len);
98
-		return -1;
90
+		LM_ERR("unable to get %d cryptographically strong pseudo-"
91
+		       "random bytes\n", OB_KEY_LEN);
99 92
 	}
93
+	ob_key.len = OB_KEY_LEN;
100 94
 
101 95
 	return 0;
102 96
 }
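Review bot: The failure branch of the new RAND_bytes() check in mod_init only logs and then falls through to `ob_key.len = OB_KEY_LEN;` and `return 0;`, so the module starts with whatever bytes ob_key.s happens to hold as the flow-token key. The removed code returned -1 on a bad key, and the new block should do the same by adding `return -1;` after the LM_ERR call. RAND_bytes() can also return -1 when the active RAND method does not support it, so the condition should be `!= 1` rather than `== 0`. The declaration of ob_key is not in the visible hunks, and the modparam that used to supply ob_key.s is removed, so confirm that it now points at OB_KEY_LEN bytes of writable storage before this call. mod_init begins above the hunk.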