[sr-dev] git:pd/outbound: modules_k/outbound: decode_flow_token() returns different values when an error occurs and when the string obviously isn 't a flow-token
Peter Dunkley
peter.dunkley at crocodile-rcs.com
Mon Dec 31 18:11:20 CET 2012
Module: sip-router
Branch: pd/outbound
Commit: dccab57430d0014b386a8f97ca6c8506a81402e7
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=dccab57430d0014b386a8f97ca6c8506a81402e7
Author: Peter Dunkley <peter.dunkley at crocodile-rcs.com>
Committer: Peter Dunkley <peter.dunkley at crocodile-rcs.com>
Date: Mon Dec 31 13:43:15 2012 +0000
modules_k/outbound: decode_flow_token() returns different values when an error occurs and when the string obviously isn't a flow-token
---
modules_k/outbound/ob_mod.c | 49 +++++++++++++++++++++++++++++--------------
1 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/modules_k/outbound/ob_mod.c b/modules_k/outbound/ob_mod.c
index c9e55eb..6f16b59 100644
--- a/modules_k/outbound/ob_mod.c
+++ b/modules_k/outbound/ob_mod.c
@@ -92,7 +92,7 @@ static int mod_init(void)
return 0;
}
-/* Structure of flow token
+/* Structure of flow-token
<HMAC-SHA1-80><protocol><dst_ip><dst_port><src_ip><src_port>
10 + 1 + 4or16 + 2 + 16 + 2
@@ -143,16 +143,20 @@ int encode_flow_token(str *flow_token, struct receive_info rcv)
unenc_flow_token[pos++] = (rcv.dst_port >> 8) & 0xff;
unenc_flow_token[pos++] = rcv.dst_port & 0xff;
- /* HMAC-SHA1 the calculated flow token, truncate to 80 bits, and
- prepend onto the flow token */
- HMAC(EVP_sha1(), ob_key.s, ob_key.len,
+ /* HMAC-SHA1 the calculated flow-token, truncate to 80 bits, and
+ prepend onto the flow-token */
+ if (HMAC(EVP_sha1(), ob_key.s, ob_key.len,
&unenc_flow_token[FLOW_TOKEN_START_POS],
pos - FLOW_TOKEN_START_POS,
- hmac_sha1, NULL);
+ hmac_sha1, NULL) == NULL)
+ {
+ LM_ERR("HMAC-SHA1 failed\n");
+ return -1;
+ }
memcpy(unenc_flow_token, &hmac_sha1[SHA1_LENGTH - SHA1_80_LENGTH],
SHA1_80_LENGTH);
- /* base64 encode the entire flow token and store for the caller to
+ /* base64 encode the entire flow-token and store for the caller to
use */
flow_token->s = pkg_malloc(base64_enc_len(pos));
if (flow_token->s == NULL)
@@ -179,34 +183,47 @@ int decode_flow_token(struct receive_info *rcv, str flow_token)
if (flow_token.s == NULL)
{
- LM_INFO("no flow token provided\n");
- return -1;
+ LM_INFO("no flow-token provided\n");
+ return -2;
}
if (flow_token.len != base64_enc_len(UNENC_FLOW_TOKEN_MIN_LENGTH)
&& flow_token.len != base64_enc_len(UNENC_FLOW_TOKEN_MAX_LENGTH))
{
- LM_INFO("bad flow token length. Length is %d, expected %d"
+ LM_INFO("bad flow-token length. Length is %d, expected %d"
" or %d.\n", flow_token.len,
UNENC_FLOW_TOKEN_MIN_LENGTH,
UNENC_FLOW_TOKEN_MAX_LENGTH);
- return -1;
+ return -2;
}
- /* base64 decode the flow token */
+ /* base64 decode the flow-token */
flow_length = base64_dec((unsigned char *) flow_token.s, flow_token.len,
unenc_flow_token, UNENC_FLOW_TOKEN_MAX_LENGTH);
+ if (flow_length == 0)
+ {
+ LM_INFO("not a valid base64 encoded string\n");
+ return -2;
+ }
+
+ /* At this point the string is the correct length and a valid
+ base64 string. It is highly unlikely that this is not meant to be
+ a flow-token.
- /* HMAC-SHA1 the flow token (after the hash) and compare with the
- truncated hash at the start of the flow token. */
- HMAC(EVP_sha1(), ob_key.s, ob_key.len,
+ HMAC-SHA1 the flow-token (after the hash) and compare with the
+ truncated hash at the start of the flow-token. */
+ if (HMAC(EVP_sha1(), ob_key.s, ob_key.len,
&unenc_flow_token[FLOW_TOKEN_START_POS],
flow_length - FLOW_TOKEN_START_POS,
- hmac_sha1, NULL);
+ hmac_sha1, NULL) == NULL)
+ {
+ LM_ERR("HMAC-SHA1 failed\n");
+ return -1;
+ }
if (memcmp(unenc_flow_token, &hmac_sha1[SHA1_LENGTH - SHA1_80_LENGTH],
SHA1_80_LENGTH) != 0)
{
- LM_INFO("flow token failed validation\n");
+ LM_ERR("flow-token failed validation\n");
return -1;
}
More information about the sr-dev
mailing list