Module: kamailio Branch: master Commit: cc32abd91888f3978708eddc88c4409ef5a6b122 URL: https://github.com/kamailio/kamailio/commit/cc32abd91888f3978708eddc88c4409e...
Author: Michael Furmur m.furmur@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: 2021-07-27T15:54:34+02:00
outbound: add flow_token_secret param
- calculate ob_key as SHA1(flow_token_secret) if specified - keep old behavior with randomly generated ob_key if not specified
---
Modified: src/modules/outbound/doc/outbound_admin.xml Modified: src/modules/outbound/outbound_mod.c
---
Diff: https://github.com/kamailio/kamailio/commit/cc32abd91888f3978708eddc88c4409e... Patch: https://github.com/kamailio/kamailio/commit/cc32abd91888f3978708eddc88c4409e...
---
diff --git a/src/modules/outbound/doc/outbound_admin.xml b/src/modules/outbound/doc/outbound_admin.xml
index 7418cecfd9..0fe4e278b2 100644
--- a/src/modules/outbound/doc/outbound_admin.xml
+++ b/src/modules/outbound/doc/outbound_admin.xml
@@ -499,6 +499,28 @@ modparam("outbound", "force_no_outbound_flag", 2)
 </example>
 </section>
 
+ <section>
+ <title><varname>flow_token_secret</varname> (string)</title>
+ <para>
+ Secret phrase used to calculate the outbound key value
+ used for flow tokens validation.
+ Allows to set persistent outbound key.
+ </para>
+ <para>
+ If not specified, <emphasis>outbound</emphasis> will use randomly generated outbound key
+ </para>
+ <example>
+ <title>
+ Set <varname>flow_token_secret</varname> parameter
+ </title>
+ <programlisting format="linespecific">
+...
+modparam("outbound", "flow_token_secret", "johndoessecretphrase")
+...
+ </programlisting>
+ </example>
+ </section>
+
 </section>
 
 </chapter>
diff --git a/src/modules/outbound/outbound_mod.c b/src/modules/outbound/outbound_mod.c
index 82d18a3eca..ada7062454 100644
--- a/src/modules/outbound/outbound_mod.c
+++ b/src/modules/outbound/outbound_mod.c
@@ -25,6 +25,7 @@
 */
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
+#include <openssl/sha.h>
 
 #include "../../core/basex.h"
 #include "../../core/dprint.h"
@@ -52,6 +53,7 @@ static void destroy(void);
 static unsigned int ob_force_flag = (unsigned int) -1;
 static unsigned int ob_force_no_flag = (unsigned int) -1;
 static str ob_key = {0, 0};
+static str flow_token_secret = {0, 0};
 
 static cmd_export_t cmds[]=
 {
@@ -63,8 +65,9 @@ static cmd_export_t cmds[]=
 
 static param_export_t params[]=
 {
- { "force_outbound_flag", INT_PARAM, &ob_force_flag },
- { "force_no_outbound_flag", INT_PARAM, &ob_force_no_flag },
+ { "force_outbound_flag", PARAM_INT, &ob_force_flag },
+ { "force_no_outbound_flag", PARAM_INT, &ob_force_no_flag },
+ { "flow_token_secret", PARAM_STRING, &flow_token_secret},
 { 0, 0, 0 }
 };
 
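Review bot: `flow_token_secret` is declared as a `str` in the previous hunk but is registered here as `PARAM_STRING`, which in Kamailio's modparam handling stores a plain `char *` at the given address, so only `.s` would be filled in and `.len` would stay 0. If that holds, the `SHA1(flow_token_secret.s, flow_token_secret.len, ob_key.s)` call in the mod_init hunk hashes zero bytes, and every instance that sets the parameter ends up with the same, publicly computable ob_key, which defeats flow-token validation. Registering the entry as `{ "flow_token_secret", PARAM_STR, &flow_token_secret},` (or keeping `PARAM_STRING` with a `char *` variable and taking `strlen()` in mod_init) avoids this. A check in mod_init that rejects an empty secret with `LM_ERR` and `return -1;` would catch the same mistake at startup.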
@@ -102,10 +105,17 @@ static int mod_init(void)
 return -1;
 }
 ob_key.len = OB_KEY_LEN;
- if (RAND_bytes((unsigned char *) ob_key.s, ob_key.len) == 0)
- {
- LM_ERR("unable to get %d cryptographically strong pseudo-"
- "random bytes\n", ob_key.len);
+
+ if(flow_token_secret.s) {
+ assert(ob_key.len == SHA_DIGEST_LENGTH);
+ LM_DBG("flow_token_secret mod param set. use persistent ob_key");
+ SHA1(flow_token_secret.s, flow_token_secret.len, ob_key.s);
+ } else {
+ if (RAND_bytes((unsigned char *) ob_key.s, ob_key.len) == 0)
+ {
+ LM_ERR("unable to get %d cryptographically strong pseudo-"
+ "random bytes\n", ob_key.len);
+ }
 }
 
 if (cfg_declare("outbound", outbound_cfg_def, &default_outbound_cfg,
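Review bot: The `RAND_bytes()` branch carried into the `else` still only logs on failure and lets mod_init continue, so a failed call leaves `ob_key.s` holding whatever the buffer contained and flow tokens are then keyed with a value of unknown quality. The `== 0` comparison also misses the -1 that OpenSSL documents for an unsupported RAND method; `if (RAND_bytes((unsigned char *) ob_key.s, ob_key.len) != 1)` with a `return -1;` after the `LM_ERR` would make the module refuse to start instead. Separately, `assert(ob_key.len == SHA_DIGEST_LENGTH);` vanishes under `NDEBUG` and no `<assert.h>` include is visible in this commit, so a compile-time check on `OB_KEY_LEN` or an `LM_ERR` plus `return -1;` is a safer guard before `SHA1()` writes 20 bytes into `ob_key.s`. A comment at the `SHA1()` call, such as `/* key strength equals the entropy of flow_token_secret: single unsalted SHA-1, no stretching */`, would tell operators to configure a long random value. mod_init starts and ends outside the hunk, so the allocation of `ob_key.s` and the later use of the key are not visible here.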