|
|
|
@ -170,16 +170,27 @@ bool s1ap_nas_transport::handle_uplink_nas_transport(const asn1::s1ap::ul_nas_tr
|
|
|
|
|
m_logger.error("Unhandled security header type in Uplink NAS Transport: %d", sec_hdr_type);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
// Todo: Check on count mismatch of uplink count and do resync nas counter...
|
|
|
|
|
|
|
|
|
|
// Some messages may have invalid MAC. Check wether we need to warn about MAC failures.
|
|
|
|
|
bool warn_integrity_fail = true;
|
|
|
|
|
if (sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY ||
|
|
|
|
|
sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_WITH_NEW_EPS_SECURITY_CONTEXT) {
|
|
|
|
|
// Avoid unecessary warnings for identity response and authentication response.
|
|
|
|
|
liblte_mme_parse_msg_header((LIBLTE_BYTE_MSG_STRUCT*)nas_msg.get(), &pd, &msg_type);
|
|
|
|
|
if (msg_type == LIBLTE_MME_MSG_TYPE_IDENTITY_RESPONSE || msg_type == LIBLTE_MME_MSG_TYPE_AUTHENTICATION_RESPONSE) {
|
|
|
|
|
warn_integrity_fail = false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check MAC if message is integrity protected
|
|
|
|
|
if (sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY ||
|
|
|
|
|
sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED ||
|
|
|
|
|
sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_WITH_NEW_EPS_SECURITY_CONTEXT ||
|
|
|
|
|
sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED ||
|
|
|
|
|
sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED_WITH_NEW_EPS_SECURITY_CONTEXT) {
|
|
|
|
|
mac_valid = nas_ctx->integrity_check(nas_msg.get());
|
|
|
|
|
if (mac_valid == false) {
|
|
|
|
|
m_logger.warning("Invalid MAC message. Even if security header indicates integrity protection (Maybe: "
|
|
|
|
|
mac_valid = nas_ctx->integrity_check(nas_msg.get(), warn_integrity_fail);
|
|
|
|
|
if (not mac_valid) {
|
|
|
|
|
srslog::log_channel& channel = warn_integrity_fail ? m_logger.warning : m_logger.info;
|
|
|
|
|
channel("Invalid MAC message. Even if security header indicates integrity protection (Maybe: "
|
|
|
|
|
"Identity Response or Authentication Response)");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
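Review bot: The downgrade from warning to info is decided by `msg_type`, which is read from a message whose MAC has not been verified yet, and the return value of `liblte_mme_parse_msg_header` is ignored. Any sender can therefore label an integrity-only message with a bad MAC as Identity Response or Authentication Response and have the failure logged only at info level. If the parse fails, `msg_type` keeps whatever value it held before; its declaration is outside the hunk. I would gate the suppression on a successful parse, for example `if (liblte_mme_parse_msg_header(...) == LIBLTE_SUCCESS && (msg_type == ... || msg_type == ...))`, and add a comment above `warn_integrity_fail` such as `// Only lowers log severity; must not change how a failed MAC is handled below.`, since the handling of `mac_valid == false` is not visible here. The log text still says "Maybe: Identity Response or Authentication Response" on the warning path, where for integrity-only messages the type has just been found to be neither, so the two channels would be clearer with separate messages.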