5g-team
/
srsRAN_4G
mirror of https://github.com/pvnis/srsRAN_4G.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

epc,s1ap,nas: reduce the logging level of MAC failures on identity response and authentication response

Browse Source
master
Pedro Alvarez 3 years ago
parent 8a5ecfea40
commit 2d42766b2e
3 changed files with 46 additions and 34 deletions
Show Stats Download Patch File Download Diff File

2
srsepc/hdr/mme/nas.h
Unescape Escape View File

@ -238,7 +238,7 @@ public:
bool pack_attach_accept(srsran::byte_buffer_t* nas_buffer); bool pack_attach_accept(srsran::byte_buffer_t* nas_buffer);
/* Security functions */ /* Security functions */
bool integrity_check(srsran::byte_buffer_t* pdu); bool integrity_check(srsran::byte_buffer_t* pdu, bool warn_failure = true);
bool short_integrity_check(srsran::byte_buffer_t* pdu); bool short_integrity_check(srsran::byte_buffer_t* pdu);
void integrity_generate(srsran::byte_buffer_t* pdu, uint8_t* mac); void integrity_generate(srsran::byte_buffer_t* pdu, uint8_t* mac);
void cipher_decrypt(srsran::byte_buffer_t* pdu); void cipher_decrypt(srsran::byte_buffer_t* pdu);

35
srsepc/src/mme/nas.cc
Unescape Escape View File

@ -1427,8 +1427,8 @@ bool nas::pack_security_mode_command(srsran::byte_buffer_t* nas_buffer)
sm_cmd.imeisv_req = LIBLTE_MME_IMEISV_REQUESTED; sm_cmd.imeisv_req = LIBLTE_MME_IMEISV_REQUESTED;
} }
sm_cmd.nonce_ue_present = false; sm_cmd.nonce_ue_present = false;
sm_cmd.nonce_mme_present = false; sm_cmd.nonce_mme_present = false;
uint8_t sec_hdr_type = 3; uint8_t sec_hdr_type = 3;
LIBLTE_ERROR_ENUM err = liblte_mme_pack_security_mode_command_msg( LIBLTE_ERROR_ENUM err = liblte_mme_pack_security_mode_command_msg(
@ -1805,7 +1805,7 @@ bool nas::short_integrity_check(srsran::byte_buffer_t* pdu)
return true; return true;
} }
bool nas::integrity_check(srsran::byte_buffer_t* pdu) bool nas::integrity_check(srsran::byte_buffer_t* pdu, bool warn_failure)
{ {
uint8_t exp_mac[4] = {}; uint8_t exp_mac[4] = {};
const uint8_t* mac = &pdu->msg[1]; const uint8_t* mac = &pdu->msg[1];
@ -1848,20 +1848,21 @@ bool nas::integrity_check(srsran::byte_buffer_t* pdu)
// Check if expected mac equals the sent mac // Check if expected mac equals the sent mac
for (int i = 0; i < 4; i++) { for (int i = 0; i < 4; i++) {
if (exp_mac[i] != mac[i]) { if (exp_mac[i] != mac[i]) {
m_logger.warning("Integrity check failure. Algorithm=EIA%d", (int)m_sec_ctx.integ_algo); srslog::log_channel& channel = warn_failure ? m_logger.warning : m_logger.info;
m_logger.warning("UL Local: est_count=%d, old_count=%d, MAC=[%02x %02x %02x %02x], " channel("Integrity check failure. Algorithm=EIA%d", (int)m_sec_ctx.integ_algo);
"Received: UL count=%d, MAC=[%02x %02x %02x %02x]", channel("UL Local: est_count=%d, old_count=%d, MAC=[%02x %02x %02x %02x], "
estimated_count, "Received: UL count=%d, MAC=[%02x %02x %02x %02x]",
m_sec_ctx.ul_nas_count, estimated_count,
exp_mac[0], m_sec_ctx.ul_nas_count,
exp_mac[1], exp_mac[0],
exp_mac[2], exp_mac[1],
exp_mac[3], exp_mac[2],
pdu->msg[5], exp_mac[3],
mac[0], pdu->msg[5],
mac[1], mac[0],
mac[2], mac[1],
mac[3]); mac[2],
mac[3]);
return false; return false;
} }
} }

43
srsepc/src/mme/s1ap_nas_transport.cc
Unescape Escape View File

@ -59,18 +59,18 @@ void s1ap_nas_transport::init()
m_s1ap = s1ap::get_instance(); m_s1ap = s1ap::get_instance();
// Init NAS args // Init NAS args
m_nas_init.mcc = m_s1ap->m_s1ap_args.mcc; m_nas_init.mcc = m_s1ap->m_s1ap_args.mcc;
m_nas_init.mnc = m_s1ap->m_s1ap_args.mnc; m_nas_init.mnc = m_s1ap->m_s1ap_args.mnc;
m_nas_init.mme_code = m_s1ap->m_s1ap_args.mme_code; m_nas_init.mme_code = m_s1ap->m_s1ap_args.mme_code;
m_nas_init.mme_group = m_s1ap->m_s1ap_args.mme_group; m_nas_init.mme_group = m_s1ap->m_s1ap_args.mme_group;
m_nas_init.tac = m_s1ap->m_s1ap_args.tac; m_nas_init.tac = m_s1ap->m_s1ap_args.tac;
m_nas_init.apn = m_s1ap->m_s1ap_args.mme_apn; m_nas_init.apn = m_s1ap->m_s1ap_args.mme_apn;
m_nas_init.dns = m_s1ap->m_s1ap_args.dns_addr; m_nas_init.dns = m_s1ap->m_s1ap_args.dns_addr;
m_nas_init.full_net_name = m_s1ap->m_s1ap_args.full_net_name; m_nas_init.full_net_name = m_s1ap->m_s1ap_args.full_net_name;
m_nas_init.short_net_name = m_s1ap->m_s1ap_args.short_net_name; m_nas_init.short_net_name = m_s1ap->m_s1ap_args.short_net_name;
m_nas_init.paging_timer = m_s1ap->m_s1ap_args.paging_timer; m_nas_init.paging_timer = m_s1ap->m_s1ap_args.paging_timer;
m_nas_init.integ_algo = m_s1ap->m_s1ap_args.integrity_algo; m_nas_init.integ_algo = m_s1ap->m_s1ap_args.integrity_algo;
m_nas_init.cipher_algo = m_s1ap->m_s1ap_args.encryption_algo; m_nas_init.cipher_algo = m_s1ap->m_s1ap_args.encryption_algo;
m_nas_init.request_imeisv = m_s1ap->m_s1ap_args.request_imeisv; m_nas_init.request_imeisv = m_s1ap->m_s1ap_args.request_imeisv;
// Init NAS interface // Init NAS interface
@ -170,17 +170,28 @@ bool s1ap_nas_transport::handle_uplink_nas_transport(const asn1::s1ap::ul_nas_tr
m_logger.error("Unhandled security header type in Uplink NAS Transport: %d", sec_hdr_type); m_logger.error("Unhandled security header type in Uplink NAS Transport: %d", sec_hdr_type);
return false; return false;
} }
// Todo: Check on count mismatch of uplink count and do resync nas counter...
// Some messages may have invalid MAC. Check wether we need to warn about MAC failures.
bool warn_integrity_fail = true;
if (sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY ||
sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_WITH_NEW_EPS_SECURITY_CONTEXT) {
// Avoid unecessary warnings for identity response and authentication response.
liblte_mme_parse_msg_header((LIBLTE_BYTE_MSG_STRUCT*)nas_msg.get(), &pd, &msg_type);
if (msg_type == LIBLTE_MME_MSG_TYPE_IDENTITY_RESPONSE || msg_type == LIBLTE_MME_MSG_TYPE_AUTHENTICATION_RESPONSE) {
warn_integrity_fail = false;
}
}
// Check MAC if message is integrity protected // Check MAC if message is integrity protected
if (sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY || if (sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY ||
sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED ||
sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_WITH_NEW_EPS_SECURITY_CONTEXT || sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_WITH_NEW_EPS_SECURITY_CONTEXT ||
sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED ||
sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED_WITH_NEW_EPS_SECURITY_CONTEXT) { sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED_WITH_NEW_EPS_SECURITY_CONTEXT) {
mac_valid = nas_ctx->integrity_check(nas_msg.get()); mac_valid = nas_ctx->integrity_check(nas_msg.get(), warn_integrity_fail);
if (mac_valid == false) { if (not mac_valid) {
m_logger.warning("Invalid MAC message. Even if security header indicates integrity protection (Maybe: " srslog::log_channel& channel = warn_integrity_fail ? m_logger.warning : m_logger.info;
"Identity Response or Authentication Response)"); channel("Invalid MAC message. Even if security header indicates integrity protection (Maybe: "
"Identity Response or Authentication Response)");
} }
} }

Write Preview
Loading…
Cancel
Save