epc,s1ap,nas: reduce the logging level of MAC failures on identity response and authentication response

srsepc/hdr/mme/nas.h

@@ -238,7 +238,7 @@ public:
   bool pack_attach_accept(srsran::byte_buffer_t* nas_buffer);
 
   /* Security functions */
-  bool integrity_check(srsran::byte_buffer_t* pdu);
+  bool integrity_check(srsran::byte_buffer_t* pdu, bool warn_failure = true);
   bool short_integrity_check(srsran::byte_buffer_t* pdu);
   void integrity_generate(srsran::byte_buffer_t* pdu, uint8_t* mac);
   void cipher_decrypt(srsran::byte_buffer_t* pdu);

srsepc/src/mme/nas.cc

@@ -1805,7 +1805,7 @@ bool nas::short_integrity_check(srsran::byte_buffer_t* pdu)
   return true;
 }
 
-bool nas::integrity_check(srsran::byte_buffer_t* pdu)
+bool nas::integrity_check(srsran::byte_buffer_t* pdu, bool warn_failure)
 {
   uint8_t        exp_mac[4] = {};
   const uint8_t* mac        = &pdu->msg[1];
@@ -1848,8 +1848,9 @@ bool nas::integrity_check(srsran::byte_buffer_t* pdu)
   // Check if expected mac equals the sent mac
   for (int i = 0; i < 4; i++) {
     if (exp_mac[i] != mac[i]) {
-      m_logger.warning("Integrity check failure. Algorithm=EIA%d", (int)m_sec_ctx.integ_algo);
+      srslog::log_channel& channel = warn_failure ? m_logger.warning : m_logger.info;
-      m_logger.warning("UL Local: est_count=%d, old_count=%d, MAC=[%02x %02x %02x %02x], "
+      channel("Integrity check failure. Algorithm=EIA%d", (int)m_sec_ctx.integ_algo);
+      channel("UL Local: est_count=%d, old_count=%d, MAC=[%02x %02x %02x %02x], "
               "Received: UL count=%d, MAC=[%02x %02x %02x %02x]",
               estimated_count,
               m_sec_ctx.ul_nas_count,

srsepc/src/mme/s1ap_nas_transport.cc

@@ -170,16 +170,27 @@ bool s1ap_nas_transport::handle_uplink_nas_transport(const asn1::s1ap::ul_nas_tr
     m_logger.error("Unhandled security header type in Uplink NAS Transport: %d", sec_hdr_type);
     return false;
   }
-  // Todo: Check on count mismatch of uplink count and do resync nas counter...
+
+  // Some messages may have invalid MAC. Check wether we need to warn about MAC failures.
+  bool warn_integrity_fail = true;
+  if (sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY ||
+      sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_WITH_NEW_EPS_SECURITY_CONTEXT) {
+    // Avoid unecessary warnings for identity response and authentication response.
+    liblte_mme_parse_msg_header((LIBLTE_BYTE_MSG_STRUCT*)nas_msg.get(), &pd, &msg_type);
+    if (msg_type == LIBLTE_MME_MSG_TYPE_IDENTITY_RESPONSE || msg_type == LIBLTE_MME_MSG_TYPE_AUTHENTICATION_RESPONSE) {
+      warn_integrity_fail = false;
+    }
+  }
 
   // Check MAC if message is integrity protected
   if (sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY ||
-      sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED ||
       sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_WITH_NEW_EPS_SECURITY_CONTEXT ||
+      sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED ||
       sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED_WITH_NEW_EPS_SECURITY_CONTEXT) {
-    mac_valid = nas_ctx->integrity_check(nas_msg.get());
+    mac_valid = nas_ctx->integrity_check(nas_msg.get(), warn_integrity_fail);
-    if (mac_valid == false) {
+    if (not mac_valid) {
-      m_logger.warning("Invalid MAC message. Even if security header indicates integrity protection (Maybe: "
+      srslog::log_channel& channel = warn_integrity_fail ? m_logger.warning : m_logger.info;
+      channel("Invalid MAC message. Even if security header indicates integrity protection (Maybe: "
               "Identity Response or Authentication Response)");
     }
   }