Module: kamailio
Branch: master
Commit: 0a494043b70b3c5e47397f03802fe8fa79ed1fb6
URL:
https://github.com/kamailio/kamailio/commit/0a494043b70b3c5e47397f03802fe8f…
Author: riccardv <70984967+riccardv(a)users.noreply.github.com>
Committer: GitHub <noreply(a)github.com>
Date: 2022-05-30T10:45:26+02:00
ims_ipsec_pcscf: ik and ck keys expansion fixes (#3121)
- input ik,ck keys for add_sa() are not zero terminated.
- des3_ede encryption key expansion possible buffer overflow,
- sha1 authentication key expansion correction.
Co-authored-by: riccardv <tafkap(a)gmx.com>
---
Modified: src/modules/ims_ipsec_pcscf/ipsec.c
---
Diff:
https://github.com/kamailio/kamailio/commit/0a494043b70b3c5e47397f03802fe8f…
Patch:
https://github.com/kamailio/kamailio/commit/0a494043b70b3c5e47397f03802fe8f…
---
diff --git a/src/modules/ims_ipsec_pcscf/ipsec.c b/src/modules/ims_ipsec_pcscf/ipsec.c
index 309c47a180..76c851818b 100644
--- a/src/modules/ims_ipsec_pcscf/ipsec.c
+++ b/src/modules/ims_ipsec_pcscf/ipsec.c
@@ -182,34 +182,57 @@ int add_sa(struct mnl_socket* nl_sock, const struct ip_addr
*src_addr_param, con
// Set the proper algorithm by r_alg str
if(strncasecmp(r_alg.s, "hmac-md5-96", r_alg.len) == 0) {
strcpy(l_auth_algo->alg_name,"md5");
- }
- else if(strncasecmp(r_alg.s, "hmac-sha-1-96", r_alg.len) == 0) {
+ l_auth_algo->alg_key_len = ik.len * 4;
+ string_to_key(l_auth_algo->alg_key, ik);
+ } else if(strncasecmp(r_alg.s, "hmac-sha-1-96", r_alg.len) == 0) {
strcpy(l_auth_algo->alg_name,"sha1");
+ str ik1;
+ ik1.len = ik.len+8;
+ ik1.s = pkg_malloc (ik1.len+1);
+ if (ik1.s == NULL) {
+ LM_ERR("Error allocating memory\n");
+ return -1;
+ }
+ memcpy (ik1.s,ik.s,ik.len);
+ ik1.s[ik.len]=0;
+ strcat (ik1.s,"00000000");
+ l_auth_algo->alg_key_len = ik1.len * 4;
+ string_to_key(l_auth_algo->alg_key, ik1);
+ pkg_free(ik1.s);
} else {
- // set default algorithm to sha1
- strcpy(l_auth_algo->alg_name,"sha1");
+ LM_DBG("Creating security associations: UNKNOW Auth Algorithm\n");
+ return -1;
}
- l_auth_algo->alg_key_len = ik.len * 4;
- string_to_key(l_auth_algo->alg_key, ik);
-
mnl_attr_put(l_nlh, XFRMA_ALG_AUTH, sizeof(struct xfrm_algo) +
l_auth_algo->alg_key_len, l_auth_algo);
// add encription algorithm for this SA
l_enc_algo = (struct xfrm_algo *)l_enc_algo_buf;
+ // cipher_null, des, des3_ede, aes
if (strncasecmp(r_ealg.s,"aes-cbc",r_ealg.len) == 0) {
strcpy(l_enc_algo->alg_name,"aes");
l_enc_algo->alg_key_len = ck.len * 4;
string_to_key(l_enc_algo->alg_key, ck);
- }
- else if (strncasecmp(r_ealg.s,"des-ede3-cbc",r_ealg.len) == 0) {
+ } else if (strncasecmp(r_ealg.s,"des-ede3-cbc",r_ealg.len) == 0) {
strcpy(l_enc_algo->alg_name,"des3_ede");
- l_enc_algo->alg_key_len = ck.len * 4;
- string_to_key(l_enc_algo->alg_key, ck);
- } else {
- // set default algorithm to null
+ str ck1;
+ ck1.len = ck.len+ck.len/2;
+ ck1.s = pkg_malloc (ck1.len+1);
+ if (ck1.s == NULL) {
+ LM_ERR("Error allocating memory\n");
+ return -1;
+ }
+ memcpy (ck1.s,ck.s,ck.len);
+ memcpy (ck1.s+ck.len,ck.s,ck.len/2);
+ l_enc_algo->alg_key_len = ck1.len * 4;
+ string_to_key(l_enc_algo->alg_key, ck1);
+ pkg_free(ck1.s);
+ } else if (strncasecmp(r_ealg.s,"null",r_ealg.len) == 0) {
strcpy(l_enc_algo->alg_name,"cipher_null");
- l_enc_algo->alg_key_len = 0;
+ l_enc_algo->alg_key_len = 0;
+ } else {
+ LM_DBG("Creating security associations: UNKNOW Enc Algorithm\n");
+ return -1;
}
mnl_attr_put(l_nlh, XFRMA_ALG_CRYPT, sizeof(struct xfrm_algo) +
l_enc_algo->alg_key_len, l_enc_algo);