[sr-dev] git:master:0a494043: ims_ipsec_pcscf: ik and ck keys expansion fixes (#3121)

Module: kamailio Branch: master Commit: 0a494043b70b3c5e47397f03802fe8fa79ed1fb6 URL: https://github.com/kamailio/kamailio/commit/0a494043b70b3c5e47397f03802fe8fa...

Author: riccardv 70984967+riccardv@users.noreply.github.com Committer: GitHub noreply@github.com Date: 2022-05-30T10:45:26+02:00

ims_ipsec_pcscf: ik and ck keys expansion fixes (#3121)

- input ik,ck keys for add_sa() are not zero terminated. - des3_ede encryption key expansion possible buffer overflow, - sha1 authentication key expansion correction.

Co-authored-by: riccardv tafkap@gmx.com

---

Modified: src/modules/ims_ipsec_pcscf/ipsec.c

---

Diff: https://github.com/kamailio/kamailio/commit/0a494043b70b3c5e47397f03802fe8fa... Patch: https://github.com/kamailio/kamailio/commit/0a494043b70b3c5e47397f03802fe8fa...

---

diff --git a/src/modules/ims_ipsec_pcscf/ipsec.c b/src/modules/ims_ipsec_pcscf/ipsec.c index 309c47a180..76c851818b 100644 --- a/src/modules/ims_ipsec_pcscf/ipsec.c +++ b/src/modules/ims_ipsec_pcscf/ipsec.c @@ -182,34 +182,57 @@ int add_sa(struct mnl_socket* nl_sock, const struct ip_addr *src_addr_param, con // Set the proper algorithm by r_alg str if(strncasecmp(r_alg.s, "hmac-md5-96", r_alg.len) == 0) { strcpy(l_auth_algo->alg_name,"md5"); - } - else if(strncasecmp(r_alg.s, "hmac-sha-1-96", r_alg.len) == 0) { + l_auth_algo->alg_key_len = ik.len * 4; + string_to_key(l_auth_algo->alg_key, ik); + } else if(strncasecmp(r_alg.s, "hmac-sha-1-96", r_alg.len) == 0) { strcpy(l_auth_algo->alg_name,"sha1"); + str ik1; + ik1.len = ik.len+8; + ik1.s = pkg_malloc (ik1.len+1); + if (ik1.s == NULL) { + LM_ERR("Error allocating memory\n"); + return -1; + } + memcpy (ik1.s,ik.s,ik.len); + ik1.s[ik.len]=0; + strcat (ik1.s,"00000000"); + l_auth_algo->alg_key_len = ik1.len * 4; + string_to_key(l_auth_algo->alg_key, ik1); + pkg_free(ik1.s); } else { - // set default algorithm to sha1 - strcpy(l_auth_algo->alg_name,"sha1"); + LM_DBG("Creating security associations: UNKNOW Auth Algorithm\n"); + return -1; }

- l_auth_algo->alg_key_len = ik.len * 4; - string_to_key(l_auth_algo->alg_key, ik); - mnl_attr_put(l_nlh, XFRMA_ALG_AUTH, sizeof(struct xfrm_algo) + l_auth_algo->alg_key_len, l_auth_algo);

// add encription algorithm for this SA l_enc_algo = (struct xfrm_algo *)l_enc_algo_buf; + // cipher_null, des, des3_ede, aes if (strncasecmp(r_ealg.s,"aes-cbc",r_ealg.len) == 0) { strcpy(l_enc_algo->alg_name,"aes"); l_enc_algo->alg_key_len = ck.len * 4; string_to_key(l_enc_algo->alg_key, ck); - } - else if (strncasecmp(r_ealg.s,"des-ede3-cbc",r_ealg.len) == 0) { + } else if (strncasecmp(r_ealg.s,"des-ede3-cbc",r_ealg.len) == 0) { strcpy(l_enc_algo->alg_name,"des3_ede"); - l_enc_algo->alg_key_len = ck.len * 4; - string_to_key(l_enc_algo->alg_key, ck); - } else { - // set default algorithm to null + str ck1; + ck1.len = ck.len+ck.len/2; + ck1.s = pkg_malloc (ck1.len+1); + if (ck1.s == NULL) { + LM_ERR("Error allocating memory\n"); + return -1; + } + memcpy (ck1.s,ck.s,ck.len); + memcpy (ck1.s+ck.len,ck.s,ck.len/2); + l_enc_algo->alg_key_len = ck1.len * 4; + string_to_key(l_enc_algo->alg_key, ck1); + pkg_free(ck1.s); + } else if (strncasecmp(r_ealg.s,"null",r_ealg.len) == 0) { strcpy(l_enc_algo->alg_name,"cipher_null"); - l_enc_algo->alg_key_len = 0; + l_enc_algo->alg_key_len = 0; + } else { + LM_DBG("Creating security associations: UNKNOW Enc Algorithm\n"); + return -1; }

mnl_attr_put(l_nlh, XFRMA_ALG_CRYPT, sizeof(struct xfrm_algo) + l_enc_algo->alg_key_len, l_enc_algo);