From 2d42766b2ef0ad797d1ec7a81ab89f130471b9bb Mon Sep 17 00:00:00 2001
From: Pedro Alvarez <pedro.alvarez@softwareradiosystems.com>
Date: Thu, 2 Dec 2021 12:05:21 +0000
Subject: [PATCH] epc,s1ap,nas: reduce the logging level of MAC failures on
 identity response and authentication response

---
 srsepc/hdr/mme/nas.h                 |  2 +-
 srsepc/src/mme/nas.cc                | 35 +++++++++++-----------
 srsepc/src/mme/s1ap_nas_transport.cc | 43 +++++++++++++++++-----------
 3 files changed, 46 insertions(+), 34 deletions(-)

diff --git a/srsepc/hdr/mme/nas.h b/srsepc/hdr/mme/nas.h
index 208f2ae3a..bd29e889f 100644
--- a/srsepc/hdr/mme/nas.h
+++ b/srsepc/hdr/mme/nas.h
@@ -238,7 +238,7 @@ public:
   bool pack_attach_accept(srsran::byte_buffer_t* nas_buffer);
 
   /* Security functions */
-  bool integrity_check(srsran::byte_buffer_t* pdu);
+  bool integrity_check(srsran::byte_buffer_t* pdu, bool warn_failure = true);
   bool short_integrity_check(srsran::byte_buffer_t* pdu);
   void integrity_generate(srsran::byte_buffer_t* pdu, uint8_t* mac);
   void cipher_decrypt(srsran::byte_buffer_t* pdu);
diff --git a/srsepc/src/mme/nas.cc b/srsepc/src/mme/nas.cc
index 3c81aca41..62c33ec4c 100644
--- a/srsepc/src/mme/nas.cc
+++ b/srsepc/src/mme/nas.cc
@@ -1427,8 +1427,8 @@ bool nas::pack_security_mode_command(srsran::byte_buffer_t* nas_buffer)
     sm_cmd.imeisv_req = LIBLTE_MME_IMEISV_REQUESTED;
   }
 
-  sm_cmd.nonce_ue_present   = false;
-  sm_cmd.nonce_mme_present  = false;
+  sm_cmd.nonce_ue_present  = false;
+  sm_cmd.nonce_mme_present = false;
 
   uint8_t           sec_hdr_type = 3;
   LIBLTE_ERROR_ENUM err          = liblte_mme_pack_security_mode_command_msg(
@@ -1805,7 +1805,7 @@ bool nas::short_integrity_check(srsran::byte_buffer_t* pdu)
   return true;
 }
 
-bool nas::integrity_check(srsran::byte_buffer_t* pdu)
+bool nas::integrity_check(srsran::byte_buffer_t* pdu, bool warn_failure)
 {
   uint8_t        exp_mac[4] = {};
   const uint8_t* mac        = &pdu->msg[1];
@@ -1848,20 +1848,21 @@ bool nas::integrity_check(srsran::byte_buffer_t* pdu)
   // Check if expected mac equals the sent mac
   for (int i = 0; i < 4; i++) {
     if (exp_mac[i] != mac[i]) {
-      m_logger.warning("Integrity check failure. Algorithm=EIA%d", (int)m_sec_ctx.integ_algo);
-      m_logger.warning("UL Local: est_count=%d, old_count=%d, MAC=[%02x %02x %02x %02x], "
-                       "Received: UL count=%d, MAC=[%02x %02x %02x %02x]",
-                       estimated_count,
-                       m_sec_ctx.ul_nas_count,
-                       exp_mac[0],
-                       exp_mac[1],
-                       exp_mac[2],
-                       exp_mac[3],
-                       pdu->msg[5],
-                       mac[0],
-                       mac[1],
-                       mac[2],
-                       mac[3]);
+      srslog::log_channel& channel = warn_failure ? m_logger.warning : m_logger.info;
+      channel("Integrity check failure. Algorithm=EIA%d", (int)m_sec_ctx.integ_algo);
+      channel("UL Local: est_count=%d, old_count=%d, MAC=[%02x %02x %02x %02x], "
+              "Received: UL count=%d, MAC=[%02x %02x %02x %02x]",
+              estimated_count,
+              m_sec_ctx.ul_nas_count,
+              exp_mac[0],
+              exp_mac[1],
+              exp_mac[2],
+              exp_mac[3],
+              pdu->msg[5],
+              mac[0],
+              mac[1],
+              mac[2],
+              mac[3]);
       return false;
     }
   }
diff --git a/srsepc/src/mme/s1ap_nas_transport.cc b/srsepc/src/mme/s1ap_nas_transport.cc
index 758caeb86..5c61313e7 100644
--- a/srsepc/src/mme/s1ap_nas_transport.cc
+++ b/srsepc/src/mme/s1ap_nas_transport.cc
@@ -59,18 +59,18 @@ void s1ap_nas_transport::init()
   m_s1ap = s1ap::get_instance();
 
   // Init NAS args
-  m_nas_init.mcc          = m_s1ap->m_s1ap_args.mcc;
-  m_nas_init.mnc          = m_s1ap->m_s1ap_args.mnc;
-  m_nas_init.mme_code     = m_s1ap->m_s1ap_args.mme_code;
-  m_nas_init.mme_group    = m_s1ap->m_s1ap_args.mme_group;
-  m_nas_init.tac          = m_s1ap->m_s1ap_args.tac;
-  m_nas_init.apn          = m_s1ap->m_s1ap_args.mme_apn;
-  m_nas_init.dns          = m_s1ap->m_s1ap_args.dns_addr;
+  m_nas_init.mcc            = m_s1ap->m_s1ap_args.mcc;
+  m_nas_init.mnc            = m_s1ap->m_s1ap_args.mnc;
+  m_nas_init.mme_code       = m_s1ap->m_s1ap_args.mme_code;
+  m_nas_init.mme_group      = m_s1ap->m_s1ap_args.mme_group;
+  m_nas_init.tac            = m_s1ap->m_s1ap_args.tac;
+  m_nas_init.apn            = m_s1ap->m_s1ap_args.mme_apn;
+  m_nas_init.dns            = m_s1ap->m_s1ap_args.dns_addr;
   m_nas_init.full_net_name  = m_s1ap->m_s1ap_args.full_net_name;
   m_nas_init.short_net_name = m_s1ap->m_s1ap_args.short_net_name;
-  m_nas_init.paging_timer = m_s1ap->m_s1ap_args.paging_timer;
-  m_nas_init.integ_algo   = m_s1ap->m_s1ap_args.integrity_algo;
-  m_nas_init.cipher_algo  = m_s1ap->m_s1ap_args.encryption_algo;
+  m_nas_init.paging_timer   = m_s1ap->m_s1ap_args.paging_timer;
+  m_nas_init.integ_algo     = m_s1ap->m_s1ap_args.integrity_algo;
+  m_nas_init.cipher_algo    = m_s1ap->m_s1ap_args.encryption_algo;
   m_nas_init.request_imeisv = m_s1ap->m_s1ap_args.request_imeisv;
 
   // Init NAS interface
@@ -170,17 +170,28 @@ bool s1ap_nas_transport::handle_uplink_nas_transport(const asn1::s1ap::ul_nas_tr
     m_logger.error("Unhandled security header type in Uplink NAS Transport: %d", sec_hdr_type);
     return false;
   }
-  // Todo: Check on count mismatch of uplink count and do resync nas counter...
+
+  // Some messages may have invalid MAC. Check wether we need to warn about MAC failures.
+  bool warn_integrity_fail = true;
+  if (sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY ||
+      sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_WITH_NEW_EPS_SECURITY_CONTEXT) {
+    // Avoid unecessary warnings for identity response and authentication response.
+    liblte_mme_parse_msg_header((LIBLTE_BYTE_MSG_STRUCT*)nas_msg.get(), &pd, &msg_type);
+    if (msg_type == LIBLTE_MME_MSG_TYPE_IDENTITY_RESPONSE || msg_type == LIBLTE_MME_MSG_TYPE_AUTHENTICATION_RESPONSE) {
+      warn_integrity_fail = false;
+    }
+  }
 
   // Check MAC if message is integrity protected
   if (sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY ||
-      sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED ||
       sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_WITH_NEW_EPS_SECURITY_CONTEXT ||
+      sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED ||
       sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED_WITH_NEW_EPS_SECURITY_CONTEXT) {
-    mac_valid = nas_ctx->integrity_check(nas_msg.get());
-    if (mac_valid == false) {
-      m_logger.warning("Invalid MAC message. Even if security header indicates integrity protection (Maybe: "
-                       "Identity Response or Authentication Response)");
+    mac_valid = nas_ctx->integrity_check(nas_msg.get(), warn_integrity_fail);
+    if (not mac_valid) {
+      srslog::log_channel& channel = warn_integrity_fail ? m_logger.warning : m_logger.info;
+      channel("Invalid MAC message. Even if security header indicates integrity protection (Maybe: "
+              "Identity Response or Authentication Response)");
     }
   }