From b1cabf811787b3cda4b77948ec09f668f75f93b9 Mon Sep 17 00:00:00 2001 From: David Rupprecht Date: Sun, 21 Jan 2018 11:44:13 +0100 Subject: [PATCH 1/4] Made MCC and MNC in HSS configurable (not tested) --- srsepc/hdr/hss/hss.h | 6 +++++- srsepc/src/hss/hss.cc | 10 ++++------ srsepc/src/main.cc | 14 +++++++++++--- 3 files changed, 20 insertions(+), 10 deletions(-) diff --git a/srsepc/hdr/hss/hss.h b/srsepc/hdr/hss/hss.h index 4074aeb9a..25863b7eb 100644 --- a/srsepc/hdr/hss/hss.h +++ b/srsepc/hdr/hss/hss.h @@ -46,6 +46,8 @@ namespace srsepc{ typedef struct{ std::string auth_algo; std::string db_file; + uint16_t mcc; + uint16_t mnc; }hss_args_t; typedef struct{ @@ -98,7 +100,9 @@ private: /*Logs*/ srslte::log_filter *m_hss_log; - + + uint16_t mcc; + uint16_t mnc; }; } // namespace srsepc diff --git a/srsepc/src/hss/hss.cc b/srsepc/src/hss/hss.cc index 5fc383078..7852cda6b 100644 --- a/srsepc/src/hss/hss.cc +++ b/srsepc/src/hss/hss.cc @@ -90,7 +90,10 @@ hss::init(hss_args_t *hss_args, srslte::log_filter *hss_log) return -1; } - m_hss_log->info("HSS Initialized. DB file %s, authentication algorithm %s\n", hss_args->db_file.c_str(),hss_args->auth_algo.c_str()); + mcc = hss_args->mcc; + mnc = hss_args->mnc; + + m_hss_log->info("HSS Initialized. DB file %s, authentication algorithm %s, MCC: %d, MNC: %d\n", hss_args->db_file.c_str(),hss_args->auth_algo.c_str(), mcc, mnc); m_hss_log->console("HSS Initialized\n"); return 0; } @@ -203,8 +206,6 @@ hss::gen_auth_info_answer_milenage(uint64_t imsi, uint8_t *k_asme, uint8_t *autn uint8_t ak[6]; uint8_t mac[8]; - uint16_t mcc=61441; //001 - uint16_t mnc=65281; //01 if(!get_k_amf_op(imsi,k,amf,op)) { @@ -274,9 +275,6 @@ hss::gen_auth_info_answer_xor(uint64_t imsi, uint8_t *k_asme, uint8_t *autn, uin uint8_t ak[6]; uint8_t mac[8]; - uint16_t mcc=61441; //001 - uint16_t mnc=65281; //01 - int i = 0; if(!get_k_amf_op(imsi,k,amf,op)) diff --git a/srsepc/src/main.cc b/srsepc/src/main.cc index f70473505..8e9db9259 100644 --- a/srsepc/src/main.cc +++ b/srsepc/src/main.cc @@ -189,12 +189,20 @@ parse_args(all_args_t *args, int argc, char* argv[]) { } // Convert MCC/MNC strings if(!srslte::string_to_mcc(mcc, &args->mme_args.s1ap_args.mcc)) { - cout << "Error parsing enb.mcc:" << mcc << " - must be a 3-digit string." << endl; + cout << "Error parsing mme.mcc:" << mcc << " - must be a 3-digit string." << endl; } if(!srslte::string_to_mnc(mnc, &args->mme_args.s1ap_args.mnc)) { - cout << "Error parsing enb.mnc:" << mnc << " - must be a 2 or 3-digit string." << endl; + cout << "Error parsing mme.mnc:" << mnc << " - must be a 2 or 3-digit string." << endl; } + // Convert MCC/MNC strings + if(!srslte::string_to_mcc(mcc, &args->hss_args.mcc)) { + cout << "Error parsing mme.mcc:" << mcc << " - must be a 3-digit string." << endl; + } + if(!srslte::string_to_mnc(mnc, &args->hss_args.mnc)) { + cout << "Error parsing mme.mnc:" << mnc << " - must be a 2 or 3-digit string." << endl; + } + args->mme_args.s1ap_args.mme_bind_addr = mme_bind_addr; args->spgw_args.gtpu_bind_addr = spgw_bind_addr; args->spgw_args.sgi_if_addr = sgi_if_addr; @@ -302,7 +310,7 @@ main (int argc,char * argv[] ) cout << "Error initializing MME" << endl; exit(1); } - + hss *hss = hss::get_instance(); if (hss->init(&args.hss_args,&hss_log)) { cout << "Error initializing HSS" << endl; From ab2fe19704d389a1dad4b8031501cd3d262497fc Mon Sep 17 00:00:00 2001 From: David Rupprecht Date: Mon, 22 Jan 2018 10:31:46 +0100 Subject: [PATCH 2/4] Add more debug logging into hss --- srsepc/src/hss/hss.cc | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/srsepc/src/hss/hss.cc b/srsepc/src/hss/hss.cc index 7852cda6b..31f25e10e 100644 --- a/srsepc/src/hss/hss.cc +++ b/srsepc/src/hss/hss.cc @@ -213,7 +213,7 @@ hss::gen_auth_info_answer_milenage(uint64_t imsi, uint8_t *k_asme, uint8_t *autn } gen_rand(rand); get_sqn(sqn); - + security_milenage_f2345( k, op, rand, @@ -222,6 +222,14 @@ hss::gen_auth_info_answer_milenage(uint64_t imsi, uint8_t *k_asme, uint8_t *autn ik, ak); + m_hss_log->debug_hex(k, 16, "User Key : "); + m_hss_log->debug_hex(op, 16, "User OP : "); + m_hss_log->debug_hex(rand, 16, "User Rand : "); + m_hss_log->debug_hex(xres, 8, "User XRES: "); + m_hss_log->debug_hex(ck, 16, "User CK: "); + m_hss_log->debug_hex(ik, 16, "User IK: "); + m_hss_log->debug_hex(ak, 6, "User AK: "); + security_milenage_f1( k, op, rand, @@ -229,6 +237,9 @@ hss::gen_auth_info_answer_milenage(uint64_t imsi, uint8_t *k_asme, uint8_t *autn amf, mac); + m_hss_log->debug_hex(sqn, 6, "User SQN : "); + m_hss_log->debug_hex(mac, 8, "User MAC : "); + // Generate K_asme security_generate_k_asme( ck, ik, @@ -238,6 +249,9 @@ hss::gen_auth_info_answer_milenage(uint64_t imsi, uint8_t *k_asme, uint8_t *autn mnc, k_asme); + m_hss_log->debug("User MCC : %x MNC : %x \n", mcc, mnc); + m_hss_log->debug_hex(k_asme, 16, "User k_asme : "); + //Generate AUTN (autn = sqn ^ ak |+| amf |+| mac) for(int i=0;i<6;i++ ) { @@ -251,10 +265,8 @@ hss::gen_auth_info_answer_milenage(uint64_t imsi, uint8_t *k_asme, uint8_t *autn { autn[8+i]=mac[i]; } - - m_hss_log->debug_hex(sqn, 6, "User SQN : "); - m_hss_log->debug_hex(autn, 8, "User AUTN: "); - m_hss_log->debug_hex(xres, 8, "User XRES: "); + + m_hss_log->debug_hex(autn, 16, "User AUTN: "); return true; } From 6fbe26d65361e5146608137db71a3d22148b6994 Mon Sep 17 00:00:00 2001 From: David Rupprecht Date: Mon, 22 Jan 2018 12:20:16 +0100 Subject: [PATCH 3/4] Add test cases for f funtions --- lib/test/common/CMakeLists.txt | 4 + lib/test/common/test_f12345.cc | 170 +++++++++++++++++++++++++++++++++ 2 files changed, 174 insertions(+) create mode 100644 lib/test/common/test_f12345.cc diff --git a/lib/test/common/CMakeLists.txt b/lib/test/common/CMakeLists.txt index bbdc74613..9c8bece01 100644 --- a/lib/test/common/CMakeLists.txt +++ b/lib/test/common/CMakeLists.txt @@ -37,6 +37,10 @@ add_executable(test_eea2 test_eea2.cc) target_link_libraries(test_eea2 srslte_common ${CMAKE_THREAD_LIBS_INIT}) add_test(test_eea2 test_eea2) +add_executable(test_f12345 test_f12345.cc) +target_link_libraries(test_f12345 srslte_common ${CMAKE_THREAD_LIBS_INIT}) +add_test(test_f12345 test_f12345) + add_executable(log_filter_test log_filter_test.cc) target_link_libraries(log_filter_test srslte_phy srslte_common srslte_phy ${SEC_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT} ${Boost_LIBRARIES}) diff --git a/lib/test/common/test_f12345.cc b/lib/test/common/test_f12345.cc new file mode 100644 index 000000000..dbd76a2e1 --- /dev/null +++ b/lib/test/common/test_f12345.cc @@ -0,0 +1,170 @@ +/* + * Includes + */ + +#include +#include +#include + +#include "srslte/common/liblte_security.h" + + +/* + * Prototypes + */ + +int32 arrcmp(uint8_t const * const a, uint8_t const * const b, uint32 len) { + uint32 i = 0; + + for (i = 0; i < len; i++) { + if (a[i] != b[i]) { + return a[i] - b[i]; + } + } + return 0; +} + +void arrprint(uint8_t const * const a, uint32 len) { + uint32 i = 0; + + for (i = 0; i < len; i++) { + printf("0x%02x ", a[i]); + if ((i%16==0) && i) + printf("\n"); + } + printf("\n"); + return; +} + + + +/* + * Tests + * + * Document Reference: 35.208 e00 + */ + + + +/* + * Functions + */ + + +void test_set_2() +{ + LIBLTE_ERROR_ENUM err_lte = LIBLTE_ERROR_INVALID_INPUTS; + int32 err_cmp = 0; + + uint8_t k[] = {0x46, 0x5b, 0x5c, 0xe8, 0xb1, 0x99, 0xb4, 0x9f, 0xaa, 0x5f, 0x0a, 0x2e, 0xe2, 0x38, 0xa6, 0xbc}; + uint8_t rand[] = {0x23, 0x55, 0x3c, 0xbe, 0x96, 0x37, 0xa8, 0x9d, 0x21, 0x8a, 0xe6, 0x4d, 0xae, 0x47, 0xbf, 0x35}; + uint8_t sqn[] = {0xff, 0x9b, 0xb4, 0xd0, 0xb6, 0x07}; + uint8_t amf[] = {0xb9, 0xb9}; + uint8_t op[] = {0xcd, 0xc2, 0x02, 0xd5, 0x12, 0x3e, 0x20, 0xf6, 0x2b, 0x6d, 0x67, 0x6a, 0xc7, 0x2c, 0xb3, 0x18}; + // f1 + + uint8_t mac_o[8]; + err_lte = liblte_security_milenage_f1(k, + op, + rand, + sqn, + amf, + mac_o); + assert(err_lte == LIBLTE_SUCCESS); + + arrprint(mac_o, sizeof(mac_o)); + + uint8_t mac_a[] = {0x4a, 0x9f, 0xfa, 0xc3, 0x54, 0xdf, 0xaf, 0xb3}; + + // compare mac a + err_cmp = arrcmp(mac_o, mac_a, sizeof(mac_a)); + assert(err_cmp == 0); + + // f1 star + + uint8_t mac_so[8]; + err_lte = liblte_security_milenage_f1_star(k, + op, + rand, + sqn, + amf, + mac_so); + + assert(err_lte == LIBLTE_SUCCESS); + + uint8_t mac_s[] = {0x01, 0xcf, 0xaf, 0x9e, 0xc4, 0xe8, 0x71, 0xe9}; + + arrprint(mac_so, sizeof(mac_so)); + + err_cmp = arrcmp(mac_so, mac_s, sizeof(mac_s)); + assert(err_cmp == 0); + + // f2345 + uint8_t res_o[8]; + uint8_t ck_o[16]; + uint8_t ik_o[16]; + uint8_t ak_o[6]; + + err_lte = liblte_security_milenage_f2345(k, + op, + rand, + res_o, + ck_o, + ik_o, + ak_o); + + assert(err_lte == LIBLTE_SUCCESS); + + uint8_t res[] = {0xa5, 0x42, 0x11, 0xd5, 0xe3, 0xba, 0x50, 0xbf}; + uint8_t ck[] = {0xb4, 0x0b, 0xa9, 0xa3, 0xc5, 0x8b, 0x2a, 0x05, 0xbb, 0xf0, 0xd9, 0x87, 0xb2, 0x1b, 0xf8, 0xcb}; + uint8_t ik[] = {0xf7, 0x69, 0xbc, 0xd7, 0x51, 0x04, 0x46, 0x04, 0x12, 0x76, 0x72, 0x71, 0x1c, 0x6d, 0x34, 0x41}; + uint8_t ak[] = {0xaa, 0x68, 0x9c, 0x64, 0x83, 0x70}; + + // RESPONSE + arrprint(res_o, sizeof(res_o)); + + err_cmp = arrcmp(res_o, res, sizeof(res)); + assert(err_cmp == 0); + + // CK + arrprint(ck_o, sizeof(ck_o)); + + err_cmp = arrcmp(ck_o, ck, sizeof(ck)); + assert(err_cmp == 0); + + // IK + arrprint(ik_o, sizeof(ik_o)); + err_cmp = arrcmp(ik_o, ik, sizeof(ik)); + assert(err_cmp == 0); + + // AK + arrprint(ak_o, sizeof(ak_o)); + err_cmp = arrcmp(ak_o, ak, sizeof(ak)); + assert(err_cmp == 0); + + // f star + uint8_t ak_star_o[6]; + + err_lte = liblte_security_milenage_f5_star(k, op, rand, ak_star_o); + assert(err_lte == LIBLTE_SUCCESS); + + arrprint(ak_star_o, sizeof(ak_star_o)); + uint8_t ak_star[] = {0x45, 0x1e, 0x8b, 0xec, 0xa4, 0x3b}; + err_cmp = arrcmp(ak_star_o, ak_star, sizeof(ak_star)); + assert(err_cmp == 0); + return; +} + +/* + Own test sets +*/ + +int main(int argc, char * argv[]) { + test_set_2(); + /* + test_set_3(); + test_set_4(); + test_set_5(); + test_set_6(); + */ +} From 9f4e8c06328a0aa3bc9409aa321d5a0b4a6892a5 Mon Sep 17 00:00:00 2001 From: David Rupprecht Date: Mon, 22 Jan 2018 14:35:38 +0100 Subject: [PATCH 4/4] Fixed MAC failure due to wrong size and xor debug prints --- srsepc/src/hss/hss.cc | 18 +++++++++++++++--- srsepc/src/mme/s1ap_nas_transport.cc | 8 ++++---- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/srsepc/src/hss/hss.cc b/srsepc/src/hss/hss.cc index 31f25e10e..debd6bd50 100644 --- a/srsepc/src/hss/hss.cc +++ b/srsepc/src/hss/hss.cc @@ -250,7 +250,7 @@ hss::gen_auth_info_answer_milenage(uint64_t imsi, uint8_t *k_asme, uint8_t *autn k_asme); m_hss_log->debug("User MCC : %x MNC : %x \n", mcc, mnc); - m_hss_log->debug_hex(k_asme, 16, "User k_asme : "); + m_hss_log->debug_hex(k_asme, 32, "User k_asme : "); //Generate AUTN (autn = sqn ^ ak |+| amf |+| mac) for(int i=0;i<6;i++ ) @@ -310,6 +310,14 @@ hss::gen_auth_info_answer_xor(uint64_t imsi, uint8_t *k_asme, uint8_t *autn, uin ak[i] = xdout[i+3]; } + m_hss_log->debug_hex(k, 16, "User Key : "); + m_hss_log->debug_hex(op, 16, "User OP : "); + m_hss_log->debug_hex(rand, 16, "User Rand : "); + m_hss_log->debug_hex(xres, 8, "User XRES: "); + m_hss_log->debug_hex(ck, 16, "User CK: "); + m_hss_log->debug_hex(ik, 16, "User IK: "); + m_hss_log->debug_hex(ak, 6, "User AK: "); + // Generate cdout for(i=0; i<6; i++) { cdout[i] = sqn[i]; @@ -323,6 +331,9 @@ hss::gen_auth_info_answer_xor(uint64_t imsi, uint8_t *k_asme, uint8_t *autn, uin mac[i] = xdout[i] ^ cdout[i]; } + m_hss_log->debug_hex(sqn, 6, "User SQN : "); + m_hss_log->debug_hex(mac, 8, "User MAC : "); + //Generate AUTN (autn = sqn ^ ak |+| amf |+| mac) for(int i=0;i<6;i++ ) { @@ -345,6 +356,9 @@ hss::gen_auth_info_answer_xor(uint64_t imsi, uint8_t *k_asme, uint8_t *autn, uin mcc, mnc, k_asme); + + m_hss_log->debug("User MCC : %x MNC : %x \n", mcc, mnc); + m_hss_log->debug_hex(k_asme, 32, "User k_asme : "); //Generate AUTN (autn = sqn ^ ak |+| amf |+| mac) for(int i=0;i<6;i++ ) @@ -360,9 +374,7 @@ hss::gen_auth_info_answer_xor(uint64_t imsi, uint8_t *k_asme, uint8_t *autn, uin autn[8+i]=mac[i]; } - m_hss_log->debug_hex(sqn, 6, "User SQN : "); m_hss_log->debug_hex(autn, 8, "User AUTN: "); - m_hss_log->debug_hex(xres, 8, "User XRES: "); return true; } diff --git a/srsepc/src/mme/s1ap_nas_transport.cc b/srsepc/src/mme/s1ap_nas_transport.cc index 8eb0f21ea..87d54b4e0 100644 --- a/srsepc/src/mme/s1ap_nas_transport.cc +++ b/srsepc/src/mme/s1ap_nas_transport.cc @@ -241,7 +241,7 @@ s1ap_nas_transport::handle_nas_imsi_attach_request(uint32_t enb_ue_s1ap_id, { uint8_t k_asme[32]; uint8_t autn[16]; - uint8_t rand[6]; + uint8_t rand[16]; uint8_t xres[8]; ue_ctx_t ue_ctx; @@ -317,7 +317,7 @@ s1ap_nas_transport::handle_nas_imsi_attach_request(uint32_t enb_ue_s1ap_id, m_s1ap->add_new_ue_ctx(ue_ctx); //Pack NAS Authentication Request in Downlink NAS Transport msg pack_authentication_request(reply_buffer, ue_ctx.enb_ue_s1ap_id, ue_ctx.mme_ue_s1ap_id, autn, rand); - + //Send reply to eNB *reply_flag = true; m_s1ap_log->info("Downlink NAS: Sending Athentication Request\n"); @@ -584,7 +584,7 @@ bool s1ap_nas_transport::handle_identity_response(srslte::byte_buffer_t *nas_msg, ue_ctx_t* ue_ctx, srslte::byte_buffer_t *reply_msg, bool *reply_flag) { uint8_t autn[16]; - uint8_t rand[6]; + uint8_t rand[16]; uint8_t xres[8]; LIBLTE_MME_ID_RESPONSE_MSG_STRUCT id_resp; @@ -609,7 +609,7 @@ s1ap_nas_transport::handle_identity_response(srslte::byte_buffer_t *nas_msg, ue_ m_s1ap_log->info("User not found. IMSI %015lu\n",imsi); return false; } - + //Pack NAS Authentication Request in Downlink NAS Transport msg pack_authentication_request(reply_msg, ue_ctx->enb_ue_s1ap_id, ue_ctx->mme_ue_s1ap_id, autn, rand);