From d6c0c7b03cda1cab9c97433f7add0a6863747d32 Mon Sep 17 00:00:00 2001
From: Andre Puschmann
Date: Wed, 26 Sep 2018 10:10:00 +0200
Subject: [PATCH 1/2] drop all integrity protected NAS messages whose check is failing
- also enables integrity check for messages that are only integrity protected but not ciphered
---
 srsue/src/upper/nas.cc | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/srsue/src/upper/nas.cc b/srsue/src/upper/nas.cc
index c0c263368..9655ffd81 100644
--- a/srsue/src/upper/nas.cc
+++ b/srsue/src/upper/nas.cc
@@ -287,30 +287,31 @@ void nas::write_pdu(uint32_t lcid, byte_buffer_t *pdu) {
 uint8 pd = 0;
 uint8 msg_type = 0;
 uint8 sec_hdr_type = 0;
- bool mac_valid = false;
 nas_log->info_hex(pdu->msg, pdu->N_bytes, "DL %s PDU", rrc->get_rb_name(lcid).c_str());
 // Parse the message security header
 liblte_mme_parse_msg_sec_header((LIBLTE_BYTE_MSG_STRUCT*)pdu, &pd, &sec_hdr_type);
- switch(sec_hdr_type)
+ switch (sec_hdr_type)
 {
 case LIBLTE_MME_SECURITY_HDR_TYPE_PLAIN_NAS:
 case LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_WITH_NEW_EPS_SECURITY_CONTEXT:
 case LIBLTE_MME_SECURITY_HDR_TYPE_SERVICE_REQUEST:
+ break;
 case LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY:
- break;
 case LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED:
- if((mac_valid = integrity_check(pdu))) {
+ if((integrity_check(pdu))) {
+ if (sec_hdr_type == LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED) {
 cipher_decrypt(pdu);
- break;
- } else {
- nas_log->error("Not handling NAS message with integrity check error\n");
- pool->deallocate(pdu);
- return;
 }
- case LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED_WITH_NEW_EPS_SECURITY_CONTEXT:
 break;
+ } else {
+ nas_log->error("Not handling NAS message with integrity check error\n");
+ pool->deallocate(pdu);
+ return;
+ }
+ case LIBLTE_MME_SECURITY_HDR_TYPE_INTEGRITY_AND_CIPHERED_WITH_NEW_EPS_SECURITY_CONTEXT:
+ break;
 default:
 nas_log->error("Not handling NAS message with SEC_HDR_TYPE=%02X\n", sec_hdr_type);
 pool->deallocate(pdu);
From b27c68abdde0c59e80ca961da07ffdd1f8094e11 Mon Sep 17 00:00:00 2001
From: Andre Puschmann
Date: Wed, 26 Sep 2018 10:11:57 +0200
Subject: [PATCH 2/2] fix NAS tests
- Modifications needed after only accepting NAS messages whose integrity check passes
- Turns off loading a (possibly) existing NAS ctxt
- Modifies some test vectors such that they have a zero MAC and counter 0
---
 srsue/test/upper/nas_test.cc | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
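Review bot: The `+ break;` added after the SERVICE_REQUEST label means a message with security header type INTEGRITY_WITH_NEW_EPS_SECURITY_CONTEXT is still dispatched without its MAC being verified here, although the commit title says every integrity-protected message that fails the check is dropped; that is only sound if the Security Mode Command handler verifies the MAC itself once the new context is derived, which this hunk cannot show, and the same question applies to the INTEGRITY_AND_CIPHERED_WITH_NEW_EPS_SECURITY_CONTEXT label, which now passes with neither a check nor a `cipher_decrypt`. A comment on those labels, such as `// MAC is verified by the security-mode-command handler after the new context is derived`, would record why they are exempt from the check below. The double parentheses in `if((integrity_check(pdu))) {` are a leftover of the removed assignment; `if (integrity_check(pdu)) {` reads as intended. The integrity-failure path is a security-relevant event, so logging the header type there as the default branch already does, e.g. `nas_log->error("Not handling NAS message with integrity check error (SEC_HDR_TYPE=%02X)\n", sec_hdr_type);`, would make dropped messages easier to attribute. write_pdu continues beyond the end of the hunk.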
diff --git a/srsue/test/upper/nas_test.cc b/srsue/test/upper/nas_test.cc
index 38a7f6ca3..101d403fc 100644
--- a/srsue/test/upper/nas_test.cc
+++ b/srsue/test/upper/nas_test.cc
@@ -51,7 +51,7 @@ uint8_t auth_request_pdu[] = { 0x07, 0x52, 0x01, 0x0c, 0x63, 0xa8, 0x54, 0x13, 0
 uint8_t sec_mode_command_pdu[] = { 0x37, 0x37, 0xc7, 0x67, 0xae, 0x00, 0x07, 0x5d, 0x02, 0x01, 0x02, 0xe0, 0x60, 0xc1 };
-uint8_t attach_accept_pdu[] = { 0x27, 0x0f, 0x4f, 0xb3, 0xef, 0x01, 0x07, 0x42, 0x01, 0x3e,
+uint8_t attach_accept_pdu[] = { 0x27, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x42, 0x01, 0x3e,
 0x06, 0x00, 0x00, 0xf1, 0x10, 0x00, 0x01, 0x00, 0x2a, 0x52,
 0x01, 0xc1, 0x01, 0x04, 0x1b, 0x07, 0x74, 0x65, 0x73, 0x74,
 0x31, 0x32, 0x33, 0x06, 0x6d, 0x6e, 0x63, 0x30, 0x30, 0x31,
@@ -60,7 +60,7 @@ uint8_t attach_accept_pdu[] = { 0x27, 0x0f, 0x4f, 0xb3, 0xef, 0x01, 0x07, 0x42,
 0x80, 0x50, 0x0b, 0xf6, 0x00, 0xf1, 0x10, 0x80, 0x01, 0x01,
 0x35, 0x16, 0x6d, 0xbc, 0x64, 0x01, 0x00 };
-uint8_t esm_info_req_pdu[] = { 0x27, 0x1d, 0xbf, 0x7e, 0x05, 0x01, 0x02, 0x5a, 0xd9 };
+uint8_t esm_info_req_pdu[] = { 0x27, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x5a, 0xd9 };
 uint16 mcc = 61441;
 uint16 mnc = 65281;
@@ -98,6 +98,7 @@ public:
 }
 std::string get_rb_name(uint32_t lcid) { return std::string("lcid"); }
 uint32_t get_last_sdu_len() { return last_sdu_len; }
+ void reset() { last_sdu_len = 0; }
 int plmn_search(srsue::rrc_interface_nas::found_plmn_t* found) {
 memcpy(found, &plmns, sizeof(found_plmn_t));
@@ -164,6 +165,7 @@ int security_command_test()
 srsue::nas nas;
 srslte_nas_config_t cfg;
+ ZERO_OBJECT(cfg);
 nas.init(&usim, &rrc_dummy, &gw, &nas_log, cfg);
 // push auth request PDU to NAS to generate security context
@@ -218,6 +220,8 @@ int mme_attach_request_test()
 usim.init(&args, &usim_log);
 srslte_nas_config_t nas_cfg;
+ ZERO_OBJECT(nas_cfg);
+ nas_cfg.force_imsi_attach = true;
 nas_cfg.apn = "test123";
 srsue::nas nas;
 nas.init(&usim, &rrc_dummy, &gw, &nas_log, nas_cfg);
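Review bot: Zeroing the MAC and sequence-number bytes in `attach_accept_pdu` and `esm_info_req_pdu` makes these vectors pass the new check only if the NAS under test computes an all-zero MAC, which presumably happens because no security mode command has configured an integrity algorithm in these tests; the verification path with a real key and a non-zero MAC is therefore not exercised, and a later change that breaks `integrity_check` would not be caught. A positive vector whose MAC is computed from a known test key, and a negative vector with a corrupted MAC that is asserted to be dropped (`get_last_sdu_len()` staying 0 after `rrc_dummy.reset()`), would pin the behaviour the first patch introduces. A comment above the vectors, such as `// MAC and sequence number zeroed: the test NAS has no integrity algorithm configured, so a zero MAC is expected`, would explain why they no longer match a captured PDU.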
@@ -226,6 +230,9 @@ int mme_attach_request_test()
 // this will time out in the first place
+ // reset length of last received NAS PDU
+ rrc_dummy.reset();
+
 // finally push attach accept
 byte_buffer_t* tmp = byte_buffer_pool::get_instance()->allocate();
 memcpy(tmp->msg, attach_accept_pdu, sizeof(attach_accept_pdu));
@@ -278,9 +285,11 @@ int esm_info_request_test()
 srsue::nas nas;
 srslte_nas_config_t cfg;
+ ZERO_OBJECT(cfg);
 cfg.apn = "srslte";
 cfg.user = "srsuser";
 cfg.pass = "srspass";
+ cfg.force_imsi_attach = true;
 nas.init(&usim, &rrc_dummy, &gw, &nas_log, cfg);
 // push ESM info request PDU to NAS to generate response