[Asterisk-code-review] res_stir_shaken: Implemented signature verification. (asterisk[master])
George Joseph
asteriskteam at digium.com
Tue Apr 21 10:17:38 CDT 2020
George Joseph has posted comments on this change. ( https://gerrit.asterisk.org/c/asterisk/+/14220 )
Change subject: res_stir_shaken: Implemented signature verification.
......................................................................
Patch Set 3: Code-Review-1
(4 comments)
I'm somewhat confused by the need for astdb. We assemble the path to the key from ast_config_AST_DATA_DIR, STIR_SHAKEN_DIR_NAME and the URL when we save the key, why can't we do the same to retrieve the key instead of storing it in the astdb?
https://gerrit.asterisk.org/c/asterisk/+/14220/3/res/res_stir_shaken.c
File res/res_stir_shaken.c:
https://gerrit.asterisk.org/c/asterisk/+/14220/3/res/res_stir_shaken.c@130
PS3, Line 130: static size_t curl_header_callback(char *buffer, size_t size, size_t nitems, void *data)
Move curl stuff to it's own file in res/res_stir_shaken/ maybe?
https://gerrit.asterisk.org/c/asterisk/+/14220/3/res/res_stir_shaken.c@343
PS3, Line 343: static char *get_filename_from_url(const char *url)
basename() should work.
https://gerrit.asterisk.org/c/asterisk/+/14220/3/res/res_stir_shaken.c@531
PS3, Line 531: snprintf(stir_shaken_dir, sizeof(stir_shaken_dir), "%s/%s", ast_config_AST_DATA_DIR, STIR_SHAKEN_DIR_NAME);
We already have /var/lib/asterisk/keys. Should this be a subdirectory of that? We already create "keys" in the top-level Makefile. If you want to keep stir_shaken_keys a direct child of /var/lib/asterisk, then the creation should also be in the Makefile rather than code. Either way, an UPGRADE entry should also be created to notify packagers that a new directory has been created.
https://gerrit.asterisk.org/c/asterisk/+/14220/3/res/res_stir_shaken.c@532
PS3, Line 532: ast_mkdir(stir_shaken_dir, 0777);
This should at least disallow others from writing (775). Is there any sensitive data in there? private keys? If so, then it'd need to be 770.
--
To view, visit https://gerrit.asterisk.org/c/asterisk/+/14220
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Change-Id: I3ba4c63880493bf8c7d17a9cfca1af0e934d1a1c
Gerrit-Change-Number: 14220
Gerrit-PatchSet: 3
Gerrit-Owner: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-CC: Joshua Colp <jcolp at sangoma.com>
Gerrit-Comment-Date: Tue, 21 Apr 2020 15:17:38 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20200421/b5640ea7/attachment-0001.html>
More information about the asterisk-code-review
mailing list