Merge branch 'develop'

OpenLI-NZ · Jul 31, 2023 · 1a2bcb9 · 1a2bcb9
2 parents a6a9c38 + aa4e8d3
commit 1a2bcb9
Show file tree

Hide file tree

Showing 34 changed files with 1,973 additions and 1,084 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 OpenLI -- open source ETSI-compliant Lawful Intercept software
 
-Version: 1.1.0
+Version: 1.1.1
 
 ---------------------------------------------------------------------------
 

diff --git a/configure.ac b/configure.ac
@@ -1,6 +1,6 @@
 # Super primitive configure script
 
-AC_INIT([openli],[1.1.0],[[email protected]])
+AC_INIT([openli],[1.1.1],[[email protected]])
 
 AM_INIT_AUTOMAKE([subdir-objects])
 AC_CONFIG_SRCDIR(src/collector/collector.c)
@@ -81,19 +81,24 @@ if test "x$enable_collector" != "xno"; then
         COLLECTOR_LIBS="$COLLECTOR_LIBS -losipparser2 -lb64"
 fi
 
-if test "x$enable_provisioner" != "xno"; then
+if test "x$enable_provisioner" != "xno" -o "x$enable_collector" != "xno"; then
         AC_CHECK_LIB([microhttpd], [MHD_destroy_post_processor],libmicrohttpd_found=1,libmicrohttpd_found=0)
         if test "$libmicrohttpd_found" = 0; then
                 AC_MSG_ERROR(Required library libmicrohttpd not found; use LDFLAGS to specify library location)
         fi
+
+        COLLECTOR_LIBS="$COLLECTOR_LIBS -lmicrohttpd"
+        PROVISIONER_LIBS="$PROVISIONER_LIBS -lmicrohttpd"
+fi
+
+if test "x$enable_provisioner" != "xno"; then
         AC_CHECK_LIB([json-c], [json_tokener_new],libjsonc_found=1,libjsonc_found=0)
 
         if test "$libjsonc_found" = 0; then
                 AC_MSG_ERROR(Required library libjson-c not found; use LDFLAGS to specify library location)
         fi
 
-        PROVISIONER_LIBS="$PROVISIONER_LIBS -lmicrohttpd -ljson-c"
-        COLLECTOR_LIBS="$COLLECTOR_LIBS -lmicrohttpd -ljson-c"
+        PROVISIONER_LIBS="$PROVISIONER_LIBS -ljson-c"
 
         if test "x$libssl11_found" = "x1"; then
                 AC_CHECK_LIB([sqlcipher], [sqlite3_key], sqlcipher_found=1, sqlcipher_found=0)

diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,23 @@
+openli (1.1.1-1) unstable; urgency=medium
+
+  * Add ability to encrypt CC and IRI payload, as per Annex G of
+    ETSI TS 102 232-1 (AES-192-CBC encryption only thus far).
+  * Fix bug where certain intercept config changes were not always
+    passed on to collectors if the changes occurred while the
+    provisioner was down.
+  * Fix double free bug when halting the VOIP sync thread for a
+    collector.
+  * Fix bug where a RADIUS session could produce CCs but not IRIs,
+    if the Username AVP happened to match a target CSID.
+  * Fix linking failure if the collector is built on its own.
+  * Correct various problems with the IMAP parsing for FETCH replies.
+  * Fix segmentation faults when the email ingestion socket receives
+    an incomplete message.
+  * Fix memory errors in the REST API when a field is assigned an
+    empty string value.
+
+ -- Shane Alcock <[email protected]>  Mon, 31 Jul 2023 11:26:50 +1200
+
 openli (1.1.0-1) unstable; urgency=medium
 
   Changes since 1.0.15 release:

diff --git a/doc/ProvisionerDoc.md b/doc/ProvisionerDoc.md
@@ -536,19 +536,37 @@ An email target is a JSON object that contains just a single field:
 * `address`               -- the email address of the target
 
 
+---
+
 All intercept types also support the following optional key-value elements:
 
 * `starttime`             -- do not intercept any traffic observed before this
-                             unix timestamp
+                             unix timestamp. Default is 0, which will
+                             intercept all traffic from the moment the
+                             intercept is provisioned.
 * `endtime`               -- do not intercept any traffic observed after this
-                             unix timestamp
+                             unix timestamp. Default is 0, which will
+                             continue to intercept traffic until the intercept
+                             is explicitly halted.
 * `outputhandovers`       -- If set to "all", then both IRI and CCs will be
                              produced by OpenLI for this intercept.
                              If set to "irionly", then only IRIs will be
                              produced by OpenLI for this intercept.
                              If set to "cconly", then only CCs will be produced
                              by OpenLI for this intercept.
                              The default setting is "all".
+* `payloadencryption`     -- Specifies if the CC and IRI contents should be
+                             encrypted and, if so, which encryption method to
+                             use. If set to "none", no encryption is performed.
+                             The encryption method supported right now is
+                             "aes-192-cbc".
+                             The default setting is "none".
+* `encryptionkey`         -- The encryption key to use when encrypting CC and
+                             IRI contents. This option is mandatory if
+                             `payloadencryption` is NOT set to "none". The
+                             ideal key length is 24 characters. Shorter keys
+                             will be padded with null bytes, longer keys will be
+                             truncated to 24 characters.
 
 
 ### SIP Target Specifics

diff --git a/doc/exampleconfigs/running-intercept-example.yaml b/doc/exampleconfigs/running-intercept-example.yaml
@@ -132,13 +132,20 @@ ipintercepts:
 # phone user, using GTPv2 packets to detect the start and end of the target's
 # sessions. Note that the accesstype must be set to "mobile". The user field
 # is set to the target's MSISDN (i.e. phone number).
+#
+# This intercept also wraps the intercepted traffic in an Encryption Container,
+# which may be required in some jurisdictions. Any intercept type can use
+# payload encryption.
  - liid: TH473NNOQ              # LIID, should be provided by requesting agency
    authcountrycode: NZ          # Authorisation country code
    deliverycountrycode: NZ      # Delivery country code
    user: 64211234567            # Phone number belonging to the target
    mediator: 6001               # ID of the mediator to send intercept via
    agencyid: "Police"           # ID of agency to send intercept to
    accesstype: "mobile"         # Must be "mobile" for UMTS intercepts
+   payloadencryption: "aes-192-cbc"     # Encrypt IP content using AES-192-CBC
+   encryptionkey: "alongencryptionkeyisgood"  # Key to use for encryption,
+                                              # should be provided by the agency
 
 # This intercept demonstrates how to configure an intercept for a target that
 # has static IP allocations. The target has both an IPv4 and IPv6 allocation

diff --git a/rpm/openli.spec b/rpm/openli.spec
@@ -1,5 +1,5 @@
 Name:           openli
-Version:        1.1.0
+Version:        1.1.1
 Release:        1%{?dist}
 Summary:        Software for performing ETSI-compliant lawful intercept
 
@@ -282,6 +282,9 @@ fi
 
 
 %changelog
+* Mon Jul 31 2023 Shane Alcock <[email protected]> - 1.1.1-1
+- Updated for 1.1.1 release
+
 * Fri May 26 2023 Shane Alcock <[email protected]> - 1.1.0-1
 - Updated for 1.1.0 release
 

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -65,6 +65,9 @@ openlicollector_SOURCES=collector/collector.c configparser.c configparser.h \
                 collector/emailprotocols/imap.c \
                 collector/emailprotocols/pop3.c \
                 collector/emailiri.c collector/emailiri.h collector/emailcc.c \
+                collector/etsiencoding/etsiencoding.h \
+                collector/etsiencoding/etsiencoding.c \
+                collector/etsiencoding/encryptcontainer.c \
                 $(PLUGIN_SRCS)
 
 openlicollector_LDADD = @ADD_LIBS@ -L$(abs_top_srcdir)/extlib/libpatricia/.libs 

diff --git a/src/collector/collector.c b/src/collector/collector.c
@@ -1988,7 +1988,11 @@ int main(int argc, char *argv[]) {
         glob->encoders[i].freegenerics = NULL;
         glob->encoders[i].saved_intercept_templates = NULL;
         glob->encoders[i].saved_global_templates = NULL;
+        glob->encoders[i].saved_encryption_templates = NULL;
 
+        glob->encoders[i].encrypt_byte_counter = 0;
+        glob->encoders[i].encrypt_byte_startts = 0;
+        glob->encoders[i].evp_ctx = NULL;
         glob->encoders[i].seqtrackers = glob->seqtracker_threads;
         glob->encoders[i].forwarders = glob->forwarding_threads;
 

diff --git a/src/collector/collector_base.h b/src/collector/collector_base.h
@@ -36,6 +36,7 @@
 #include <amqp.h>
 #include <uthash.h>
 #include <libtrace.h>
+#include <openssl/evp.h>
 
 #include "export_shared.h"
 #include "etsili_core.h"
@@ -252,6 +253,11 @@ typedef struct encoder_state {
 
     Pvoid_t saved_intercept_templates;
     Pvoid_t saved_global_templates;
+    Pvoid_t saved_encryption_templates;
+
+    uint32_t encrypt_byte_counter;
+    uint32_t encrypt_byte_startts;
+    EVP_CIPHER_CTX *evp_ctx;
 
     int seqtrackers;
     int forwarders;
@@ -266,6 +272,8 @@ typedef struct encoder_job {
     openli_export_recv_t *origreq;
     char *liid;
     uint8_t cept_version;
+    payload_encryption_method_t encryptmethod;
+    char *encryptkey;
 } PACKED openli_encoding_job_t;
 
 void destroy_encoder_worker(openli_encoder_t *enc);

diff --git a/src/collector/collector_publish.h b/src/collector/collector_publish.h
@@ -153,6 +153,8 @@ typedef struct published_intercept_msg {
     char *authcc;
     char *delivcc;
     int seqtrackerid;
+    payload_encryption_method_t encryptmethod;
+    char *encryptkey;
 } published_intercept_msg_t;
 
 typedef struct provisioner_msg {