Browse code
ims_ipsec_pcscf: ik and ck keys expansion fixes
- input ik,ck keys for add_sa() are not zero terminated.
- des3_ede encryption key expansion possible buffer overflow,
- sha1 authentication key expansion correction.
riccardv authored on 23/05/2022 15:55:49
Showing 1 changed files
| ... | ... |
@@ -183,42 +183,58 @@ int add_sa(struct mnl_socket* nl_sock, const struct ip_addr *src_addr_param, con |
| 183 | 183 |
// Set the proper algorithm by r_alg str |
| 184 | 184 |
if(strncasecmp(r_alg.s, "hmac-md5-96", r_alg.len) == 0) {
|
| 185 | 185 |
strcpy(l_auth_algo->alg_name,"md5"); |
| 186 |
- } |
|
| 187 |
- else if(strncasecmp(r_alg.s, "hmac-sha-1-96", r_alg.len) == 0) {
|
|
| 186 |
+ l_auth_algo->alg_key_len = ik.len * 4; |
|
| 187 |
+ string_to_key(l_auth_algo->alg_key, ik); |
|
| 188 |
+ } else if(strncasecmp(r_alg.s, "hmac-sha-1-96", r_alg.len) == 0) {
|
|
| 188 | 189 |
strcpy(l_auth_algo->alg_name,"sha1"); |
| 190 |
+ str ik1; |
|
| 191 |
+ ik1.len = ik.len+8; |
|
| 192 |
+ ik1.s = pkg_malloc (ik1.len+1); |
|
| 193 |
+ if (ik1.s == NULL) {
|
|
| 194 |
+ LM_ERR("Error allocating memory\n");
|
|
| 195 |
+ return -1; |
|
| 196 |
+ } |
|
| 197 |
+ memcpy (ik1.s,ik.s,ik.len); |
|
| 198 |
+ ik1.s[ik.len]=0; |
|
| 199 |
+ strcat (ik1.s,"00000000"); |
|
| 200 |
+ l_auth_algo->alg_key_len = ik1.len * 4; |
|
| 201 |
+ string_to_key(l_auth_algo->alg_key, ik1); |
|
| 202 |
+ pkg_free(ik1.s); |
|
| 189 | 203 |
} else {
|
| 190 |
- // set default algorithm to sha1 |
|
| 191 |
- strcpy(l_auth_algo->alg_name,"sha1"); |
|
| 204 |
+ LM_DBG("Creating security associations: UNKNOW Auth Algorithm\n");
|
|
| 205 |
+ return -1; |
|
| 192 | 206 |
} |
| 193 | 207 |
|
| 194 |
- l_auth_algo->alg_key_len = ik.len * 4; |
|
| 195 |
- string_to_key(l_auth_algo->alg_key, ik); |
|
| 196 | 208 |
|
| 197 | 209 |
mnl_attr_put(l_nlh, XFRMA_ALG_AUTH, sizeof(struct xfrm_algo) + l_auth_algo->alg_key_len, l_auth_algo); |
| 198 | 210 |
|
| 199 | 211 |
// add encription algorithm for this SA |
| 200 | 212 |
l_enc_algo = (struct xfrm_algo *)l_enc_algo_buf; |
| 201 | 213 |
// cipher_null, des, des3_ede, aes |
| 202 |
- strcpy(l_enc_algo->alg_name,"cipher_null"); |
|
| 203 | 214 |
if (strncasecmp(r_ealg.s,"aes-cbc",r_ealg.len) == 0) {
|
| 204 |
- LM_DBG("Creating security associations: AES\n");
|
|
| 205 | 215 |
strcpy(l_enc_algo->alg_name,"aes"); |
| 206 | 216 |
l_enc_algo->alg_key_len = ck.len * 4; |
| 207 | 217 |
string_to_key(l_enc_algo->alg_key, ck); |
| 208 |
- } |
|
| 209 |
- else if (strncasecmp(r_ealg.s,"des-ede3-cbc",r_ealg.len) == 0) {
|
|
| 210 |
- LM_DBG("Creating security associations: DES, ck.len=%d\n",ck.len);
|
|
| 218 |
+ } else if (strncasecmp(r_ealg.s,"des-ede3-cbc",r_ealg.len) == 0) {
|
|
| 211 | 219 |
strcpy(l_enc_algo->alg_name,"des3_ede"); |
| 212 | 220 |
str ck1; |
| 213 |
- ck1.s = pkg_malloc (128); |
|
| 214 |
- strncpy(ck1.s,ck.s,32); |
|
| 215 |
- strncat(ck1.s,ck.s,16); |
|
| 216 |
- ck1.len=32+16; |
|
| 217 |
- |
|
| 221 |
+ ck1.len = ck.len+ck.len/2; |
|
| 222 |
+ ck1.s = pkg_malloc (ck1.len+1); |
|
| 223 |
+ if (ck1.s == NULL) {
|
|
| 224 |
+ LM_ERR("Error allocating memory\n");
|
|
| 225 |
+ return -1; |
|
| 226 |
+ } |
|
| 227 |
+ memcpy (ck1.s,ck.s,ck.len); |
|
| 228 |
+ memcpy (ck1.s+ck.len,ck.s,ck.len/2); |
|
| 218 | 229 |
l_enc_algo->alg_key_len = ck1.len * 4; |
| 219 | 230 |
string_to_key(l_enc_algo->alg_key, ck1); |
| 220 |
- |
|
| 221 | 231 |
pkg_free(ck1.s); |
| 232 |
+ } else if (strncasecmp(r_ealg.s,"null",r_ealg.len) == 0) {
|
|
| 233 |
+ strcpy(l_enc_algo->alg_name,"cipher_null"); |
|
| 234 |
+ l_enc_algo->alg_key_len = 0; |
|
| 235 |
+ } else {
|
|
| 236 |
+ LM_DBG("Creating security associations: UNKNOW Enc Algorithm\n");
|
|
| 237 |
+ return -1; |
|
| 222 | 238 |
} |
| 223 | 239 |
|
| 224 | 240 |
mnl_attr_put(l_nlh, XFRMA_ALG_CRYPT, sizeof(struct xfrm_algo) + l_enc_algo->alg_key_len, l_enc_algo); |