From 70fc634d11a45166cd0c0cc6390ee8fd1340152e Mon Sep 17 00:00:00 2001
From: VissaMoutafis
Date: Wed, 8 Apr 2026 17:22:50 +0200
Subject: [PATCH] [FIX] Fixing couple of issues and a security bug

---
 src/core/crypto.c | 2 ++
 src/core/crypto_key_mgmt.c | 5 ++++-
 .../internal/sa_interface_inmemory.template.c | 18 +++++++++++++++---
 3 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/src/core/crypto.c b/src/core/crypto.c
index 4faba0ed..6e8bec54 100644
--- a/src/core/crypto.c
+++ b/src/core/crypto.c
@@ -1225,6 +1225,8 @@ int32_t Crypto_Process_Extended_Procedure_Pdu(TC_t *tc_sdls_processed_frame, uin
 sdls_frame.tlv_pdu.hdr.pid = (tc_sdls_processed_frame->tc_pdu[0] & 0x0F);
 sdls_frame.tlv_pdu.hdr.pdu_len = (tc_sdls_processed_frame->tc_pdu[1] << 8) | tc_sdls_processed_frame->tc_pdu[2];
+ sdls_frame.hdr.pkt_length =
+ (tc_sdls_processed_frame->tc_pdu[4] << 8) | tc_sdls_processed_frame->tc_pdu[5];
 for (int x = 3; x < (3 + tc_sdls_processed_frame->tc_header.fl); x++)
 {
 // Todo - Consider how this behaves with large OTAR PDUs that are larger than 1 TC in size. Most
diff --git a/src/core/crypto_key_mgmt.c b/src/core/crypto_key_mgmt.c
index 139fd547..fbb51bb1 100644
--- a/src/core/crypto_key_mgmt.c
+++ b/src/core/crypto_key_mgmt.c
@@ -193,7 +193,8 @@ int32_t Crypto_Key_OTAR(void)
 count = count + 2;
 #ifdef DEBUG
 printf("\t Key %d = %d\n", x, packet.EKB[x].ekid);
-#endif
+#endif
+ ekp->key_len = 0;
 for (y = count; y < (SDLS_KEY_LEN + count); y++)
 {
 // Encrypted Key
@@ -203,6 +204,8 @@ int32_t Crypto_Key_OTAR(void)
 #endif
 // Setup Key Ring
 ekp->value[y - count] = sdls_frame.tlv_pdu.data[y];
+
+ ekp->key_len++;
 }
 count = count + SDLS_KEY_LEN;
diff --git a/src/sa/internal/sa_interface_inmemory.template.c b/src/sa/internal/sa_interface_inmemory.template.c
index 912de8b4..f30eb202 100644
--- a/src/sa/internal/sa_interface_inmemory.template.c
+++ b/src/sa/internal/sa_interface_inmemory.template.c
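Review bot: The new `sdls_frame.hdr.pkt_length` assignment reads `tc_pdu[4]` and `tc_pdu[5]` before anything has established that the frame carries six bytes of PDU, while the loop directly below bounds its own reads with `tc_header.fl`; the same quantity should guard this read, in the shape `if (<pdu byte count> < 6) { return <malformed-frame error code>; }` placed before the assignment. Bytes 4 and 5 also fall inside the range that loop copies as TLV data (it starts at index 3), so if `hdr.pkt_length` is meant to come from a packet primary header rather than from the TLV payload, the offset looks worth confirming against the format this PDU is supposed to follow. A one-line comment naming the field's source, e.g. `// Packet length from bytes 4-5 of the received PDU`, would make that intent checkable. Crypto_Process_Extended_Procedure_Pdu continues outside the hunk.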
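Review bot: `ekp->key_len` is zeroed here and incremented once per copied byte in the next hunk (`@@ -203,6 +204,8 @@`), but that loop's bound is the constant `SDLS_KEY_LEN`, so the counter can only ever finish at `SDLS_KEY_LEN`; writing `ekp->key_len = SDLS_KEY_LEN;` once after the loop says the same thing without a per-iteration increment that is easy to lose in a later edit. The loop it counts still indexes `sdls_frame.tlv_pdu.data[y]` up to `count + SDLS_KEY_LEN - 1` without comparing that index with `sdls_frame.tlv_pdu.hdr.pdu_len`; if no earlier check guarantees the PDU is long enough for every key it announces, a truncated OTAR PDU copies stale buffer contents into the key ring, which this commit's bookkeeping does not catch. The `-#endif`/`+#endif` pair appears to differ only in whitespace. Crypto_Key_OTAR's body begins and ends outside both hunks.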
@@ -1297,8 +1297,11 @@ static int32_t sa_rekey(TC_t *tc_frame)
 {
 // Encryption Key
 sa[spi].ekid = ((uint8_t)sdls_frame.tlv_pdu.data[count] << BYTE_LEN) | (uint8_t)sdls_frame.tlv_pdu.data[count + 1];
- count = count + 2;
+ count = count + 2;
+ sa[spi].akid =
+ ((uint8_t)sdls_frame.tlv_pdu.data[count] << BYTE_LEN) | (uint8_t)sdls_frame.tlv_pdu.data[count + 1];
+ count = count + 2;
 // Anti-Replay Seq Num
 #ifdef PDU_DEBUG
 printf("SPI %d IV updated to: 0x", spi);
@@ -1453,6 +1456,15 @@ static int32_t sa_create(TC_t *tc_frame)
 // 5-8 : Procedure Identification Field (pid)
 temp_sa->lpid = (sdls_frame.tlv_pdu.hdr.type << 7) | (sdls_frame.tlv_pdu.hdr.uf << 6) | (sdls_frame.tlv_pdu.hdr.sg << 4) | sdls_frame.tlv_pdu.hdr.pid;
+
+ // check that the sa state is NONE
+ if (temp_sa->sa_state != SA_NONE)
+ {
+#ifdef DEBUG
+ printf(KRED "ERROR: SPI %d is not in the NONE state.\n" RESET, spi);
+#endif
+ return CRYPTO_LIB_ERROR_SA;
+ }
 // Write SA Configuration
 temp_sa->est = ((uint8_t)sdls_frame.tlv_pdu.data[2] & 0x80) >> 7;
@@ -1466,8 +1478,8 @@ static int32_t sa_create(TC_t *tc_frame)
 {
 temp_sa->ecs = ((uint8_t)sdls_frame.tlv_pdu.data[count++]);
 }
- temp_sa->shivf_len = ((uint8_t)sdls_frame.tlv_pdu.data[count++]);
- for (x = 0; x < temp_sa->shivf_len; x++)
+ temp_sa->iv_len = ((uint8_t)sdls_frame.tlv_pdu.data[count++]);
+ for (x = 0; x < temp_sa->iv_len; x++)
 {
 temp_sa->iv[x] = ((uint8_t)sdls_frame.tlv_pdu.data[count++]);
 }
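Review bot: The new `sa[spi].akid` read takes `data[count]` and `data[count + 1]` without first checking that `count + 1` is still inside the PDU; if nothing above this hunk compares `count` with `sdls_frame.tlv_pdu.hdr.pdu_len`, a rekey PDU built for the old layout (no akid) is parsed from whatever bytes follow it. Assuming `pdu_len` counts the bytes of `data`, a guard before the read, `if (count + 2 > sdls_frame.tlv_pdu.hdr.pdu_len) { return CRYPTO_LIB_ERROR_SA; }`, rejects that case instead of silently writing a wrong key id into the live SA. Adding the field also shifts every later offset in the rekey layout (the anti-replay sequence number now starts two bytes later), so the PDU producer and any sa_rekey test vectors need the matching change; a comment on the new lines such as `// Authentication Key ID (2 bytes, immediately follows ekid)` would record the format. sa_rekey starts and ends outside the hunk.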
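Review bot: The new `SA_NONE` check sits after `temp_sa->lpid` has already been overwritten on the line above, and after whatever earlier writes to `temp_sa` occur in the part of sa_create that starts outside the hunk, so a rejected create still mutates a live SA's `lpid` before returning `CRYPTO_LIB_ERROR_SA`. Move the check above the first write to `temp_sa` — ideally right where the entry is resolved from the SPI — so an entry that is not in the NONE state is left completely untouched on the error path. The comment could also state the reason rather than the condition, e.g. `// Only an empty slot may be created; refuse to overwrite an SA that is already keyed or operational`.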
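Review bot: `temp_sa->iv_len` is taken straight from a PDU byte (the `(uint8_t)` cast yields up to 255) and then used unchecked as the bound of the loop that writes `temp_sa->iv[x]`, so a value larger than the capacity of `iv` writes past it, and the same loop advances `count` through `sdls_frame.tlv_pdu.data` without a comparison against `sdls_frame.tlv_pdu.hdr.pdu_len`; renaming the field from `shivf_len` does not change either. Add a bound before the loop, e.g. `if (temp_sa->iv_len > sizeof(temp_sa->iv)) { return CRYPTO_LIB_ERROR_SA; }` (adjusted if `iv` is a pointer rather than an array, and paired with a `pdu_len` check if none exists above). If `shivf_len` remains a separate field read elsewhere, it is no longer populated by sa_create after this change — worth confirming that is intended. sa_create's body continues past the hunk.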