shadysim.py: fix: do not apply redundant 8 * '00' padding

When the application message payload is encrypted with any variant
of DES, the length of the ciphertext has to be a multiple of 8 bytes
- hence if the plaintext length is not a multiple of 8 bytes, the
plaintext needs to be padded.

If the ciphertext is already aligned, the current logic would append
8 redundant padding octets.  The resulting encrypted message should
be considered malformed per standard specs, but sysmoUSIM-SJS1 cards
are liberal in what they accept in this instance thus the bug went
unnoticed.  The newer sysmoISIM-SJA2 cards do not accept such
malformed messages with invalid padding.

This bug was discovered and reported by the Mother Mychaela, see:
https://lists.osmocom.org/pipermail/openbsc/2021-February/013414.html
This commit is contained in:
Vadim Yanitskiy 2021-02-22 22:24:22 +01:00
parent 8ac76661ce
commit f6a806494c
1 changed files with 4 additions and 2 deletions

View File

@ -114,8 +114,10 @@ class AppLoaderCommands(object):
# Padding if Ciphering is used
if ((spi_1 & 0x04) != 0): # check ciphering bit
len_cipher = 6 + len_sig + (len(data) / 2)
pad_cnt = 8 - (len_cipher % 8) # 8 Byte blocksize for DES-CBC (TODO: different padding)
data += '00' * pad_cnt
# 8 Byte blocksize for DES-CBC (TODO: different padding)
if len_cipher % 8 > 0:
pad_cnt = 8 - (len_cipher % 8)
data += '00' * pad_cnt
# CHL + SPI first octet
part_head = ('%02x' % (0x0D + len_sig)) + ('%02x' % (spi_1))