[sr-dev] git:master:cc32abd9: outbound: add flow_token_secret param

Daniel-Constantin Mierla miconda at gmail.com
Tue Jul 27 15:54:38 CEST 2021


Module: kamailio
Branch: master
Commit: cc32abd91888f3978708eddc88c4409ef5a6b122
URL: https://github.com/kamailio/kamailio/commit/cc32abd91888f3978708eddc88c4409ef5a6b122

Author: Michael Furmur <m.furmur at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2021-07-27T15:54:34+02:00

outbound: add flow_token_secret param

- calculate ob_key as SHA1(flow_token_secret) if specified
- keep old behavior with randomly generated ob_key if not specified

---

Modified: src/modules/outbound/doc/outbound_admin.xml
Modified: src/modules/outbound/outbound_mod.c

---

Diff:  https://github.com/kamailio/kamailio/commit/cc32abd91888f3978708eddc88c4409ef5a6b122.diff
Patch: https://github.com/kamailio/kamailio/commit/cc32abd91888f3978708eddc88c4409ef5a6b122.patch

---

diff --git a/src/modules/outbound/doc/outbound_admin.xml b/src/modules/outbound/doc/outbound_admin.xml
index 7418cecfd9..0fe4e278b2 100644
--- a/src/modules/outbound/doc/outbound_admin.xml
+++ b/src/modules/outbound/doc/outbound_admin.xml
@@ -499,6 +499,28 @@ modparam("outbound", "force_no_outbound_flag", 2)
 		</example>
 	</section>
 
+	<section>
+		<title><varname>flow_token_secret</varname> (string)</title>
+		<para>
+			Secret phrase used to calculate the outbound key value
+			used for flow tokens validation.
+			Allows to set persistent outbound key.
+		</para>
+		<para>
+			If not specified, <emphasis>outbound</emphasis> will use randomly generated outbound key
+		</para>
+		<example>
+			<title>
+				Set <varname>flow_token_secret</varname> parameter
+			</title>
+			<programlisting format="linespecific">
+...
+modparam("outbound", "flow_token_secret", "johndoessecretphrase")
+...
+			</programlisting>
+		</example>
+	</section>
+
 	</section>
 
 </chapter>
diff --git a/src/modules/outbound/outbound_mod.c b/src/modules/outbound/outbound_mod.c
index 82d18a3eca..ada7062454 100644
--- a/src/modules/outbound/outbound_mod.c
+++ b/src/modules/outbound/outbound_mod.c
@@ -25,6 +25,7 @@
  */
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
+#include <openssl/sha.h>
 
 #include "../../core/basex.h"
 #include "../../core/dprint.h"
@@ -52,6 +53,7 @@ static void destroy(void);
 static unsigned int ob_force_flag = (unsigned int) -1;
 static unsigned int ob_force_no_flag = (unsigned int) -1;
 static str ob_key = {0, 0};
+static str flow_token_secret = {0, 0};
 
 static cmd_export_t cmds[]=
 {
@@ -63,8 +65,9 @@ static cmd_export_t cmds[]=
 
 static param_export_t params[]=
 {
-	{ "force_outbound_flag",	INT_PARAM, &ob_force_flag },
-	{ "force_no_outbound_flag",     INT_PARAM, &ob_force_no_flag },
+	{ "force_outbound_flag",    PARAM_INT, &ob_force_flag },
+	{ "force_no_outbound_flag", PARAM_INT, &ob_force_no_flag },
+	{ "flow_token_secret",      PARAM_STRING, &flow_token_secret},
 	{ 0, 0, 0 }
 };
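Review bot: The new `flow_token_secret` entry registers a `str` variable with `PARAM_STRING`, and as far as the core's parameter handling goes that type stores only a `char *` at the target address, so `flow_token_secret.s` would be set while `flow_token_secret.len` stays 0 (worth confirming against the modparam code). The mod_init hunk of this commit hashes `flow_token_secret.len` bytes, so ob_key would become the SHA1 digest of empty input, identical on every installation whatever phrase is configured. Registering it as a counted string avoids that: `{ "flow_token_secret",      PARAM_STR, &flow_token_secret },`.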
 
@@ -102,10 +105,17 @@ static int mod_init(void)
 		return -1;
 	}
 	ob_key.len = OB_KEY_LEN;
-	if (RAND_bytes((unsigned char *) ob_key.s, ob_key.len) == 0)
-	{
-		LM_ERR("unable to get %d cryptographically strong pseudo-"
-		       "random bytes\n", ob_key.len);
+
+	if(flow_token_secret.s) {
+		assert(ob_key.len == SHA_DIGEST_LENGTH);
+		LM_DBG("flow_token_secret mod param set. use persistent ob_key");
+		SHA1(flow_token_secret.s, flow_token_secret.len, ob_key.s);
+	} else {
+		if (RAND_bytes((unsigned char *) ob_key.s, ob_key.len) == 0)
+		{
+			LM_ERR("unable to get %d cryptographically strong pseudo-"
+			       "random bytes\n", ob_key.len);
+		}
 	}
 
 	if (cfg_declare("outbound", outbound_cfg_def, &default_outbound_cfg,
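Review bot: The `assert(ob_key.len == SHA_DIGEST_LENGTH)` guard in the new `if(flow_token_secret.s)` branch disappears in builds that define NDEBUG, leaving SHA1() to write 20 bytes into a buffer sized by OB_KEY_LEN with no check, and no `<assert.h>` include is visible in this diff. A runtime check that returns -1 is safer, and the carried-over RAND_bytes() branch should also fail module start rather than only log, since otherwise flow tokens are keyed with whatever bytes the buffer held; testing `!= 1` also covers the -1 return. The SHA1() arguments need `unsigned char *` casts, and the LM_DBG message lacks its trailing `\n`. Because ob_key is a single unsalted SHA1 of the phrase, its strength equals the phrase's, so the documentation should ask for a long random secret rather than a memorable one. mod_init starts and ends outside this hunk, so any cleanup needed before the early returns is not visible here.

```c
	ob_key.len = OB_KEY_LEN;

	if (flow_token_secret.s) {
		/* runtime guard: SHA1() always writes SHA_DIGEST_LENGTH bytes */
		if (ob_key.len != SHA_DIGEST_LENGTH) {
			LM_ERR("ob_key length %d does not match SHA1 digest length\n",
					ob_key.len);
			return -1;
		}
		LM_DBG("flow_token_secret mod param set. use persistent ob_key\n");
		SHA1((unsigned char *) flow_token_secret.s, flow_token_secret.len,
				(unsigned char *) ob_key.s);
	} else {
		/* RAND_bytes() returns 1 on success; 0 and -1 are both failures */
		if (RAND_bytes((unsigned char *) ob_key.s, ob_key.len) != 1) {
			LM_ERR("unable to get %d cryptographically strong pseudo-"
			       "random bytes\n", ob_key.len);
			return -1;
		}
	}
	/* … unchanged: cfg_declare call … */
```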



