
Merge 7133cb20ad46aafc98e16a571ca641f88c444a09 into 5e3f7e1557d90a3e6f40eff41cc0b0bb317ab544

riccardv authored on 13/05/2021 22:49:27 • GitHub committed on 13/05/2021 22:49:27
Showing 3 changed files
... ...
@@ -435,29 +435,29 @@ static int create_ipsec_tunnel(const struct ip_addr *remote_addr, ipsec_t* s)
435 435
         return -1;
436 436
     }
437 437
 
438
-    LM_DBG("Creating security associations: Local IP: %.*s port_pc: %d port_ps: %d; UE IP: %s; port_uc %d port_us %d; spi_pc %u, spi_ps %u, spi_uc %u, spi_us %u\n",
438
+    LM_DBG("Creating security associations: Local IP: %.*s port_pc: %d port_ps: %d; UE IP: %s; port_uc %d port_us %d; spi_pc %u, spi_ps %u, spi_uc %u, spi_us %u, alg %.*s, ealg %.*s\n",
439 439
             remote_addr->af == AF_INET ? ipsec_listen_addr.len : ipsec_listen_addr6.len,
440 440
             remote_addr->af == AF_INET ? ipsec_listen_addr.s : ipsec_listen_addr6.s,
441
-            s->port_pc, s->port_ps, remote_addr_str, s->port_uc, s->port_us, s->spi_pc, s->spi_ps, s->spi_uc, s->spi_us);
441
+            s->port_pc, s->port_ps, remote_addr_str, s->port_uc, s->port_us, s->spi_pc, s->spi_ps, s->spi_uc, s->spi_us, s->r_alg.len, s->r_alg.s, s->r_ealg.len, s->r_ealg.s);
442 442
 
443 443
     // SA1 UE client to P-CSCF server
444 444
     //               src adrr     dst addr     src port    dst port
445
-    add_sa    (sock, remote_addr, ipsec_addr, s->port_uc, s->port_ps, s->spi_ps, s->ck, s->ik, s->r_alg);
445
+    add_sa    (sock, remote_addr, ipsec_addr, s->port_uc, s->port_ps, s->spi_ps, s->ck, s->ik, s->r_alg, s->r_ealg);
446 446
     add_policy(sock, remote_addr, ipsec_addr, s->port_uc, s->port_ps, s->spi_ps, IPSEC_POLICY_DIRECTION_IN);
447 447
 
448 448
     // SA2 P-CSCF client to UE server
449 449
     //               src adrr     dst addr     src port           dst port
450
-    add_sa    (sock, ipsec_addr, remote_addr, s->port_pc, s->port_us, s->spi_us, s->ck, s->ik, s->r_alg);
450
+    add_sa    (sock, ipsec_addr, remote_addr, s->port_pc, s->port_us, s->spi_us, s->ck, s->ik, s->r_alg, s->r_ealg);
451 451
     add_policy(sock, ipsec_addr, remote_addr, s->port_pc, s->port_us, s->spi_us, IPSEC_POLICY_DIRECTION_OUT);
452 452
 
453 453
     // SA3 P-CSCF server to UE client
454 454
     //               src adrr     dst addr     src port           dst port
455
-    add_sa    (sock, ipsec_addr, remote_addr, s->port_ps, s->port_uc, s->spi_uc, s->ck, s->ik, s->r_alg);
455
+    add_sa    (sock, ipsec_addr, remote_addr, s->port_ps, s->port_uc, s->spi_uc, s->ck, s->ik, s->r_alg, s->r_ealg);
456 456
     add_policy(sock, ipsec_addr, remote_addr, s->port_ps, s->port_uc, s->spi_uc, IPSEC_POLICY_DIRECTION_OUT);
457 457
 
458 458
     // SA4 UE server to P-CSCF client
459 459
     //               src adrr     dst addr     src port    dst port
460
-    add_sa    (sock, remote_addr, ipsec_addr, s->port_us, s->port_pc, s->spi_pc, s->ck, s->ik, s->r_alg);
460
+    add_sa    (sock, remote_addr, ipsec_addr, s->port_us, s->port_pc, s->spi_pc, s->ck, s->ik, s->r_alg, s->r_ealg);
461 461
     add_policy(sock, remote_addr, ipsec_addr, s->port_us, s->port_pc, s->spi_pc, IPSEC_POLICY_DIRECTION_IN);
462 462
 
463 463
     close_mnl_socket(sock);
... ...
@@ -846,11 +846,20 @@ int ipsec_forward(struct sip_msg* m, udomain_t* d, int _cflags)
846 846
         // for Reply get the dest proto from the received request
847 847
         dst_proto = req->rcv.proto;
848 848
 
849
-        // for Reply and TCP sends from P-CSCF server port, for Reply and UDP sends from P-CSCF client port
850
-        src_port = dst_proto == PROTO_TCP ? s->port_ps : s->port_pc;
849
+        // Check send socket
850
+        struct socket_info * client_sock = grep_sock_info(via_host.af == AF_INET ? &ipsec_listen_addr : &ipsec_listen_addr6, src_port, dst_proto);
851
+        if(client_sock) {
852
+            // for Reply and TCP sends from P-CSCF server port, for Reply and UDP sends from P-CSCF client port
853
+            src_port = dst_proto == PROTO_TCP ? s->port_ps : s->port_pc;
851 854
 
852
-        // for Reply and TCP sends to UE client port, for Reply and UDP sends to UE server port
853
-        dst_port = dst_proto == PROTO_TCP ? s->port_uc : s->port_us;
855
+            // for Reply and TCP sends to UE client port, for Reply and UDP sends to UE server port
856
+            dst_port = dst_proto == PROTO_TCP ? s->port_uc : s->port_us;
857
+        }
858
+        else
859
+        {
860
+            src_port = s->port_pc;
861
+            dst_port = s->port_us;
862
+        }
854 863
     }else{
855 864
         // for Request get the dest proto from the saved contact
856 865
         dst_proto = pcontact->received_proto;
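Review bot: The new `grep_sock_info(..., src_port, dst_proto)` on line 850 reads `src_port` before this branch assigns it, so the socket lookup is made on whatever value src_port carries from above the hunk (no initialiser is visible from here; if there is none this reads an indeterminate value) rather than on the port the branch is about to select. The lookup appears intended to confirm that a P-CSCF listening socket exists on the candidate port for dst_proto, so compute that candidate first, look it up, and only then assign src_port from it. The fallback pairing `src_port = s->port_pc; dst_port = s->port_us;` ignores dst_proto and deserves a one-line comment saying why that pair is the safe default when no socket matches. ipsec_forward starts and ends outside the hunk.
```c
        // for Reply and TCP sends from P-CSCF server port, for Reply and UDP sends from P-CSCF client port
        int want_src_port = dst_proto == PROTO_TCP ? s->port_ps : s->port_pc;
        // Check that we actually listen on that port for this proto before using it
        struct socket_info *client_sock = grep_sock_info(via_host.af == AF_INET ? &ipsec_listen_addr : &ipsec_listen_addr6, want_src_port, dst_proto);
        if (client_sock) {
            src_port = want_src_port;
            // for Reply and TCP sends to UE client port, for Reply and UDP sends to UE server port
            dst_port = dst_proto == PROTO_TCP ? s->port_uc : s->port_us;
        } else {
            // no listening socket for the proto-specific pair: fall back to client->server
            src_port = s->port_pc;
            dst_port = s->port_us;
        }
```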
... ...
@@ -100,8 +100,15 @@ static void string_to_key(char* dst, const str key_string)
100 100
     }
101 101
 }
102 102
 
103
+static uint choose_nlmsg_seq (void)
104
+{
105
+    static double Tini=0;
106
+    struct timespec ts;
107
+    clock_gettime(CLOCK_REALTIME, &ts);
108
+    return(1000*(ts.tv_sec - Tini + (ts.tv_nsec * 1E-9))); // us
109
+}
103 110
 
104
-int add_sa(struct mnl_socket* nl_sock, const struct ip_addr *src_addr_param, const struct ip_addr *dest_addr_param, int s_port, int d_port, int long id, str ck, str ik, str r_alg)
111
+int add_sa(struct mnl_socket* nl_sock, const struct ip_addr *src_addr_param, const struct ip_addr *dest_addr_param, int s_port, int d_port, int long id, str ck, str ik, str r_alg, str r_ealg)
105 112
 {
106 113
     char l_msg_buf[MNL_SOCKET_BUFFER_SIZE];
107 114
     char l_auth_algo_buf[XFRM_TMPLS_BUF_SIZE];
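Review bot: `choose_nlmsg_seq` returns `1000*(ts.tv_sec - Tini + (ts.tv_nsec * 1E-9))`, a double of roughly 1.6e12 for current epoch seconds, through a `uint` return type, and converting a floating value that does not fit the destination integer type is undefined behaviour in C (C11 6.3.1.4), not a modular wrap. `Tini` is never assigned so the subtraction is a no-op, the `// us` comment disagrees with the factor (1000 gives milliseconds), `uint` is a non-standard typedef, and the clock_gettime() result is unchecked. Netlink only needs the sequence number to differ between requests so the reply can be matched, so integer millisecond arithmetic truncated in unsigned (well-defined) arithmetic is enough; a per-process counter would also do. add_sa, which consumes the value, continues below the hunk.
```c
static unsigned int choose_nlmsg_seq(void)
{
    struct timespec ts = {0};
    if (clock_gettime(CLOCK_REALTIME, &ts) != 0) {
        return 0;
    }
    /* milliseconds since the epoch; truncation to 32 bits is well defined
     * in unsigned arithmetic and the kernel only needs a per-request tag */
    return (unsigned int)((unsigned long long)ts.tv_sec * 1000ULL
                          + (unsigned long long)ts.tv_nsec / 1000000ULL);
}
```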
... ...
@@ -121,7 +128,7 @@ int add_sa(struct mnl_socket* nl_sock, const struct ip_addr *src_addr_param, con
121 128
     l_nlh = mnl_nlmsg_put_header(l_msg_buf);
122 129
     l_nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL;
123 130
     l_nlh->nlmsg_type = XFRM_MSG_NEWSA;
124
-    l_nlh->nlmsg_seq = time(NULL);
131
+    l_nlh->nlmsg_seq = choose_nlmsg_seq();
125 132
     l_nlh->nlmsg_pid = id;
126 133
 
127 134
     // add Security association
... ...
@@ -166,6 +173,8 @@ int add_sa(struct mnl_socket* nl_sock, const struct ip_addr *src_addr_param, con
166 173
     l_xsainfo->replay_window            = 32;
167 174
 
168 175
     // Add authentication algorithm for this SA
176
+    // 3GPP TS 33.203 Annex I
177
+    // NOTE: hmac-md5-96 and des-ede3-cbc has been deprecated in Rel12+
169 178
 
170 179
     // The cast below is performed because alg_key from struct xfrm_algo is char[0]
171 180
     // The point is to provide a continuous chunk of memory with the key in it
... ...
@@ -189,7 +198,28 @@ int add_sa(struct mnl_socket* nl_sock, const struct ip_addr *src_addr_param, con
189 198
 
190 199
     // add encription algorithm for this SA
191 200
     l_enc_algo = (struct xfrm_algo *)l_enc_algo_buf;
201
+    // cipher_null, des,  des3_ede, aes
192 202
     strcpy(l_enc_algo->alg_name,"cipher_null");
203
+    if (strncasecmp(r_ealg.s,"aes-cbc",r_ealg.len) == 0) {
204
+        LM_DBG("Creating security associations: AES\n");
205
+        strcpy(l_enc_algo->alg_name,"aes");
206
+        l_enc_algo->alg_key_len = ck.len * 4;
207
+        string_to_key(l_enc_algo->alg_key, ck);
208
+    }
209
+    else if (strncasecmp(r_ealg.s,"des-ede3-cbc",r_ealg.len) == 0) {
210
+        LM_DBG("Creating security associations: DES, ck.len=%d\n",ck.len);
211
+        strcpy(l_enc_algo->alg_name,"des3_ede");
212
+        str ck1;
213
+        ck1.s = pkg_malloc (128);
214
+        strncpy(ck1.s,ck.s,32);
215
+        strncat(ck1.s,ck.s,16);
216
+        ck1.len=32+16;
217
+
218
+        l_enc_algo->alg_key_len = ck1.len * 4;
219
+        string_to_key(l_enc_algo->alg_key, ck1);
220
+
221
+        pkg_free(ck1.s);
222
+    }
193 223
 
194 224
     mnl_attr_put(l_nlh, XFRMA_ALG_CRYPT, sizeof(struct xfrm_algo) + l_enc_algo->alg_key_len, l_enc_algo);
195 225
 
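Review bot: The des-ede3-cbc branch builds the key with `strncpy(ck1.s,ck.s,32)` followed by `strncat(ck1.s,ck.s,16)`, but `ck` is a `str` that is not NUL-terminated, so strncpy leaves ck1.s unterminated whenever ck holds 32 or more characters and strncat then runs strlen() off the end of the pkg_malloc block; the pkg_malloc result is also never checked. The algorithm match `strncasecmp(r_ealg.s,"aes-cbc",r_ealg.len) == 0` compares only r_ealg.len bytes, so an empty r_ealg (len 0) selects AES, a bare "aes" matches as a prefix, and a NULL r_ealg.s is dereferenced; compare the full name length first. The rewrite below copies the 32+16 hex digits with memcpy after checking ck.len, matches names exactly, keeps the key copy on the stack and wipes it afterwards; the `return -1` assumes -1 is what add_sa's callers treat as failure, which is outside the hunk. add_sa continues outside the hunk on both sides.
```c
    l_enc_algo = (struct xfrm_algo *)l_enc_algo_buf;
    strcpy(l_enc_algo->alg_name,"cipher_null");
    if (r_ealg.s && r_ealg.len == (int)strlen("aes-cbc")
            && strncasecmp(r_ealg.s, "aes-cbc", r_ealg.len) == 0) {
        LM_DBG("Creating security associations: AES\n");
        strcpy(l_enc_algo->alg_name,"aes");
        l_enc_algo->alg_key_len = ck.len * 4;
        string_to_key(l_enc_algo->alg_key, ck);
    }
    else if (r_ealg.s && r_ealg.len == (int)strlen("des-ede3-cbc")
            && strncasecmp(r_ealg.s, "des-ede3-cbc", r_ealg.len) == 0) {
        // 3DES key = CK followed by the first 64 bits of CK: 32 + 16 hex digits
        char ck3[48];
        str ck1;
        if (ck.len < 32) {
            LM_ERR("CK too short for des-ede3-cbc: %d\n", ck.len);
            return -1; /* assumes -1 is add_sa's failure value - confirm */
        }
        LM_DBG("Creating security associations: DES, ck.len=%d\n",ck.len);
        strcpy(l_enc_algo->alg_name,"des3_ede");
        memcpy(ck3, ck.s, 32);
        memcpy(ck3 + 32, ck.s, 16);
        ck1.s = ck3;
        ck1.len = (int)sizeof ck3;
        l_enc_algo->alg_key_len = ck1.len * 4;
        string_to_key(l_enc_algo->alg_key, ck1);
        memset(ck3, 0, sizeof ck3); /* key material; prefer explicit_bzero where available */
    }
    // … unchanged: mnl_attr_put(XFRMA_ALG_CRYPT, ...) …
```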
... ...
@@ -40,7 +40,7 @@ enum ipsec_policy_direction {
40 40
 struct mnl_socket* init_mnl_socket();
41 41
 void close_mnl_socket(struct mnl_socket* sock);
42 42
 
43
-int add_sa(struct mnl_socket* nl_sock, const struct ip_addr *src_addr_param, const struct ip_addr *dest_addr_param, int s_port, int d_port, int long id, str ck, str ik, str r_alg);
43
+int add_sa(struct mnl_socket* nl_sock, const struct ip_addr *src_addr_param, const struct ip_addr *dest_addr_param, int s_port, int d_port, int long id, str ck, str ik, str r_alg, str r_ealg);
44 44
 int remove_sa(struct mnl_socket* nl_sock, str src_addr_param, str dest_addr_param, int s_port, int d_port, int long id, unsigned int af);
45 45
 
46 46
 int add_policy(struct mnl_socket* mnl_socket, const struct ip_addr *src_addr_param, const struct ip_addr *dest_addr_param, int src_port, int dst_port, int long p_id, enum ipsec_policy_direction dir);