[sr-dev] git:master: modules/outbound: The flow-token key is now automatically generated

Peter Dunkley peter.dunkley at crocodile-rcs.com
Fri Mar 15 13:15:49 CET 2013


Module: sip-router
Branch: master
Commit: f474e85616f6f98a6ac193c7425f6c85af8efa20
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f474e85616f6f98a6ac193c7425f6c85af8efa20

Author: Peter Dunkley <peter.dunkley at crocodile-rcs.com>
Committer: Peter Dunkley <peter.dunkley at crocodile-rcs.com>
Date:   Fri Mar 15 12:14:31 2013 +0000

modules/outbound: The flow-token key is now automatically generated

- Uses OpenSSL RAND_bytes() to select 20 cryptographically strong pseudo-random
  bytes for the key.
- Flow-token key can no longer be manually set.

---

 modules/outbound/README                 |   33 ++++--------------------------
 modules/outbound/doc/outbound_admin.xml |   21 -------------------
 modules/outbound/ob_mod.c               |   20 ++++++------------
 3 files changed, 12 insertions(+), 62 deletions(-)

diff --git a/modules/outbound/README b/modules/outbound/README
index 3e6aa97..08c6038 100644
--- a/modules/outbound/README
+++ b/modules/outbound/README
@@ -4,7 +4,7 @@ Peter Dunkley
 
    Crocodile RCS Ltd
 
-   Copyright © 2012 Crocodile RCS Ltd
+   Copyright © 2012 Crocodile RCS Ltd
      __________________________________________________________________
 
    Table of Contents
@@ -24,7 +24,6 @@ Peter Dunkley
         3. Parameters
 
               3.1. force_outbound_flag (integer)
-              3.2. flow_token_key (string)
 
         4. Functions
         5. MI Commands
@@ -35,7 +34,6 @@ Peter Dunkley
    1.2. Edge Proxy Configuration
    1.3. Registrar Configuration
    1.4. Set force_outbound_flag parameter
-   1.5. Set flow_token_key parameter
 
 Chapter 1. Admin Guide
 
@@ -54,7 +52,6 @@ Chapter 1. Admin Guide
    3. Parameters
 
         3.1. force_outbound_flag (integer)
-        3.2. flow_token_key (string)
 
    4. Functions
    5. MI Commands
@@ -87,9 +84,9 @@ make all
    responses to REGISTERs.
 
    When using TCP or TLS as the SIP transport care should be taken to set
-   the "tcp_connection_lifetime" on the Edge Proxy to a value slightly
+   the “tcp_connection_lifetime” on the Edge Proxy to a value slightly
    larger than the interval the Registrar is using for flow timer. Setting
-   "tcp_connection_lifetime" to less than the interval could cause
+   “tcp_connection_lifetime” to less than the interval could cause
    connections to be lost, and setting it to a value much larger than the
    interval will keep connections open far longer than is required (which
    is wasteful).
@@ -97,9 +94,9 @@ make all
    Application-layer keep-alives are optional when the underlying
    transport already has a keep-alive mechanism. The WebSocket transport
    has a transport-layer keep-alive. When using the WebSocket transport
-   the "keepalive_timeout" should be set to a value a little greater than
+   the “keepalive_timeout” should be set to a value a little greater than
    the Registrar flow timer interval and a little less than the
-   "tcp_connection_lifetime".
+   “tcp_connection_lifetime”.
 
    Example 1.2. Edge Proxy Configuration
 ...
@@ -114,8 +111,6 @@ loadmodule "path.so"
 ...
 modparam("websocket", "keepalive_timeout", FLOW_TIMER+5)
 ...
-modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!")
-...
 route {
         route(REQINIT);
         ...
@@ -284,7 +279,6 @@ failure_route[FAIL_OUTBOUND] {
 3. Parameters
 
    3.1. force_outbound_flag (integer)
-   3.2. flow_token_key (string)
 
 3.1. force_outbound_flag (integer)
 
@@ -299,23 +293,6 @@ failure_route[FAIL_OUTBOUND] {
 modparam("outbound", "force_outbound_flag", 1)
 ...
 
-3.2. flow_token_key (string)
-
-   The outbound flow token is generated using the algorithm described in
-   RFC 5626 section 5.2. This algorithm requires a 20 octet crypto random
-   key that is unique for each Edge Proxy.
-
-Note
-
-   If this 20 character string is not set Kamailio will not start.
-
-   Default value is: "".
-
-   Example 1.5. Set flow_token_key parameter
-...
-modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!")
-...
-
 4. Functions
 
    None
diff --git a/modules/outbound/doc/outbound_admin.xml b/modules/outbound/doc/outbound_admin.xml
index 837e0da..2e5d21e 100644
--- a/modules/outbound/doc/outbound_admin.xml
+++ b/modules/outbound/doc/outbound_admin.xml
@@ -69,8 +69,6 @@ loadmodule "path.so"
 ...
 modparam("websocket", "keepalive_timeout", FLOW_TIMER+5)
 ...
-modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!")
-...
 route {
 	route(REQINIT);
 	...
@@ -274,25 +272,6 @@ modparam("outbound", "force_outbound_flag", 1)
 </programlisting>
 		</example>
 	</section>
-	<section>
-		<title><varname>flow_token_key</varname> (string)</title>
-		<para>The outbound flow token is generated using the algorithm
-		described in RFC 5626 section 5.2. This algorithm requires a 20
-		octet crypto random key that is unique for each Edge Proxy.
-		</para>
-		<note><para>If this 20 character string is not set &kamailio;
-		will not start.</para></note>
-		<para><emphasis>Default value is: "".</emphasis></para>
-		<example>
-		<title>Set <varname>flow_token_key</varname> parameter
-		</title>
-		<programlisting format="linespecific">
-...
-modparam("outbound", "flow_token_key", "!!!Kamailio rocks!!!")
-...
-</programlisting>
-		</example>
-	</section>
 	</section>
 
 	<section>
diff --git a/modules/outbound/ob_mod.c b/modules/outbound/ob_mod.c
index 775d0b6..37b0a60 100644
--- a/modules/outbound/ob_mod.c
+++ b/modules/outbound/ob_mod.c
@@ -21,6 +21,7 @@
  *
  */
 #include <openssl/hmac.h>
+#include <openssl/rand.h>
 
 #include "../../basex.h"
 #include "../../dprint.h"
@@ -39,6 +40,8 @@
 
 MODULE_VERSION
 
+#define OB_KEY_LEN	20
+
 static int mod_init(void);
 
 static unsigned int ob_force_flag = (unsigned int) -1;
@@ -55,7 +58,6 @@ static cmd_export_t cmds[]=
 static param_export_t params[]=
 {
 	{ "force_outbound_flag",	INT_PARAM, &ob_force_flag },
-	{ "flow_token_key",		STR_PARAM, &ob_key.s},
 	{ 0, 0, 0 }
 };
 
@@ -83,20 +85,12 @@ static int mod_init(void)
 		return -1;
 	}
 
-	if (ob_key.s == 0)
+	if (RAND_bytes((unsigned char *) ob_key.s, OB_KEY_LEN) == 0)
 	{
-		LM_ERR("flow_token_key not set\n");
-		return -1;
-	}
-	else
-		ob_key.len = strlen(ob_key.s);
-
-	if (ob_key.len != 20)
-	{
-		LM_ERR("flow_token_key wrong length. Expected 20 got %d\n",
-			ob_key.len);
-		return -1;
+		LM_ERR("unable to get %d cryptographically strong pseudo-"
+		       "random bytes\n", OB_KEY_LEN);
 	}
+	ob_key.len = OB_KEY_LEN;
 
 	return 0;
 }
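Review bot: The new `RAND_bytes((unsigned char *) ob_key.s, OB_KEY_LEN)` call writes 20 bytes through `ob_key.s`, but nothing in this hunk points it at storage — the removed `if (ob_key.s == 0)` test shows it was NULL unless the now-deleted `flow_token_key` modparam set it, and the 20-line diffstat for ob_mod.c is fully accounted for by the visible hunks, so its declaration appears unchanged. When RAND_bytes fails the error is only logged and execution falls through to `ob_key.len = OB_KEY_LEN; return 0;`, so the module starts with an unusable key where the old code refused to start; the check should also be `!= 1`, since RAND_bytes can return -1 when no RNG method is available. I would give the key a file-scope buffer and make the failure fatal, as below. The module docs should also state that the key is regenerated on every restart, so outstanding flow tokens stop validating until clients re-REGISTER — presumably intended, but operators need to know. mod_init's opening lines are outside the hunk.

```c
static unsigned char ob_key_buf[OB_KEY_LEN];

/* … unchanged: earlier mod_init checks … */
	if (RAND_bytes(ob_key_buf, OB_KEY_LEN) != 1)
	{
		LM_ERR("unable to get %d cryptographically strong pseudo-"
		       "random bytes\n", OB_KEY_LEN);
		return -1;
	}
	ob_key.s = (char *) ob_key_buf;
	ob_key.len = OB_KEY_LEN;
```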



