git:master:0a494043: ims_ipsec_pcscf: ik and ck keys expansion fixes (#3121) - sr-dev

30 May 2022

Module: kamailio
Branch: master
Commit: 0a494043b70b3c5e47397f03802fe8fa79ed1fb6
URL: https://github.com/kamailio/kamailio/commit/0a494043b70b3c5e47397f03802fe8fa...
Author: riccardv 70984967+riccardv@users.noreply.github.com
Committer: GitHub noreply@github.com
Date: 2022-05-30T10:45:26+02:00
ims_ipsec_pcscf: ik and ck keys expansion fixes (#3121)
- input ik,ck keys for add_sa() are not zero terminated.
- des3_ede encryption key expansion possible buffer overflow,
- sha1 authentication key expansion correction.
Co-authored-by: riccardv tafkap@gmx.com
---
Modified: src/modules/ims_ipsec_pcscf/ipsec.c
---
Diff:  https://github.com/kamailio/kamailio/commit/0a494043b70b3c5e47397f03802fe8fa...
Patch: https://github.com/kamailio/kamailio/commit/0a494043b70b3c5e47397f03802fe8fa...
---

diff --git a/src/modules/ims_ipsec_pcscf/ipsec.c b/src/modules/ims_ipsec_pcscf/ipsec.c
index 309c47a180..76c851818b 100644
--- a/src/modules/ims_ipsec_pcscf/ipsec.c
+++ b/src/modules/ims_ipsec_pcscf/ipsec.c
@@ -182,34 +182,57 @@ int add_sa(struct mnl_socket* nl_sock, const struct ip_addr *src_addr_param, con
     // Set the proper algorithm by r_alg str
     if(strncasecmp(r_alg.s, "hmac-md5-96", r_alg.len) == 0) {
         strcpy(l_auth_algo->alg_name,"md5");
-    }
-    else if(strncasecmp(r_alg.s, "hmac-sha-1-96", r_alg.len) == 0) {
+        l_auth_algo->alg_key_len = ik.len * 4;
+        string_to_key(l_auth_algo->alg_key, ik);
+    } else if(strncasecmp(r_alg.s, "hmac-sha-1-96", r_alg.len) == 0) {
         strcpy(l_auth_algo->alg_name,"sha1");
+        str ik1;
+        ik1.len = ik.len+8;
+        ik1.s = pkg_malloc (ik1.len+1);
+        if (ik1.s == NULL) {
+            LM_ERR("Error allocating memory\n");
+            return -1;
+        }
+        memcpy (ik1.s,ik.s,ik.len);
+        ik1.s[ik.len]=0;
+        strcat (ik1.s,"00000000");
+        l_auth_algo->alg_key_len = ik1.len * 4;
+        string_to_key(l_auth_algo->alg_key, ik1);
+        pkg_free(ik1.s);
     } else {
-        // set default algorithm to sha1
-        strcpy(l_auth_algo->alg_name,"sha1");
+        LM_DBG("Creating security associations: UNKNOW Auth Algorithm\n");
+        return -1;
     }
-    l_auth_algo->alg_key_len = ik.len * 4;
-    string_to_key(l_auth_algo->alg_key, ik);
-
     mnl_attr_put(l_nlh, XFRMA_ALG_AUTH, sizeof(struct xfrm_algo) + l_auth_algo->alg_key_len, l_auth_algo);
// add encription algorithm for this SA
     l_enc_algo = (struct xfrm_algo *)l_enc_algo_buf;
+    // cipher_null, des,  des3_ede, aes
     if (strncasecmp(r_ealg.s,"aes-cbc",r_ealg.len) == 0) {
         strcpy(l_enc_algo->alg_name,"aes");
         l_enc_algo->alg_key_len = ck.len * 4;
         string_to_key(l_enc_algo->alg_key, ck);
-    }
-    else if (strncasecmp(r_ealg.s,"des-ede3-cbc",r_ealg.len) == 0) {
+    } else if (strncasecmp(r_ealg.s,"des-ede3-cbc",r_ealg.len) == 0) {
         strcpy(l_enc_algo->alg_name,"des3_ede");
-        l_enc_algo->alg_key_len = ck.len * 4;
-        string_to_key(l_enc_algo->alg_key, ck);
-    } else {
-        // set default algorithm to null
+        str ck1;
+        ck1.len = ck.len+ck.len/2;
+        ck1.s = pkg_malloc (ck1.len+1);
+        if (ck1.s == NULL) {
+            LM_ERR("Error allocating memory\n");
+            return -1;
+        }
+        memcpy (ck1.s,ck.s,ck.len);
+        memcpy (ck1.s+ck.len,ck.s,ck.len/2);
+        l_enc_algo->alg_key_len = ck1.len * 4;
+        string_to_key(l_enc_algo->alg_key, ck1);
+        pkg_free(ck1.s);
+    } else if (strncasecmp(r_ealg.s,"null",r_ealg.len) == 0) {
         strcpy(l_enc_algo->alg_name,"cipher_null");
-    	l_enc_algo->alg_key_len = 0;
+        l_enc_algo->alg_key_len = 0;
+    } else {
+        LM_DBG("Creating security associations: UNKNOW Enc Algorithm\n");
+        return -1;
     }
mnl_attr_put(l_nlh, XFRMA_ALG_CRYPT, sizeof(struct xfrm_algo) + l_enc_algo->alg_key_len, l_enc_algo);

    