[PATCH] osmo-msc[master]: vlr: fix GSM AKA in a UMTS AKA capable environment


Neels Hofmeyr gerrit-no-reply at lists.osmocom.org
Sat Mar 10 03:31:50 UTC 2018


Review at  https://gerrit.osmocom.org/7187

vlr: fix GSM AKA in a UMTS AKA capable environment

Switch by vsub->sec_ctx to use the proper Kc for ciphering.

Even on an R99 capable UE with a UMTS AKA capable USIM, the ME may still choose
to only perform GSM AKA, as long as the bearer is GERAN. The VLR already stores
whether the MS replied with a GSM AKA SRES or a UMTS AKA RES in vsub->sec_ctx.
So far, though, we were always using the UMTS AKA Kc just because the USIM and
core net are capable of it, ignoring the choice the MS might have made in the
Authentication Response.

In msc_vlr_test_gsm_ciph, fix the test expectations to the correct GSM AKA Kc
keys, showing that all of LU, CM Service Request and Paging Response now
support MS choosing GSM AKA in a UMTS capable environment.

Related: OS#2793
Change-Id: I42ce51ae979f42d173a45ae69273071c426bf97c
---
M src/libvlr/vlr_access_req_fsm.c
M src/libvlr/vlr_lu_fsm.c
M tests/msc_vlr/msc_vlr_test_gsm_ciph.c
M tests/msc_vlr/msc_vlr_test_gsm_ciph.err
4 files changed, 33 insertions(+), 14 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/87/7187/1

diff --git a/src/libvlr/vlr_access_req_fsm.c b/src/libvlr/vlr_access_req_fsm.c
index 556e694..95a618d 100644
--- a/src/libvlr/vlr_access_req_fsm.c
+++ b/src/libvlr/vlr_access_req_fsm.c
@@ -284,6 +284,7 @@
 {
 	struct proc_arq_priv *par = fi->priv;
 	struct vlr_subscr *vsub = par->vsub;
+	bool umts_aka;
 
 	LOGPFSM(fi, "%s()\n", __func__);
 
@@ -292,9 +293,22 @@
 		return;
 	}
 
+	switch (vsub->sec_ctx) {
+	case VLR_SEC_CTX_GSM:
+		umts_aka = false;
+		break;
+	case VLR_SEC_CTX_UMTS:
+		umts_aka = true;
+		break;
+	default:
+		LOGPFSML(fi, LOGL_ERROR, "Cannot start ciphering, security context is not established\n");
+		proc_arq_fsm_done(fi, VLR_PR_ARQ_RES_SYSTEM_FAILURE);
+		return;
+	}
+
 	if (vlr_set_ciph_mode(vsub->vlr, fi, par->msc_conn_ref,
 			      par->ciphering_required,
-			      vlr_use_umts_aka(&vsub->last_tuple->vec, par->is_r99),
+			      umts_aka,
 			      vsub->vlr->cfg.retrieve_imeisv_ciphered)) {
 		LOGPFSML(fi, LOGL_ERROR,
 			 "Failed to send Ciphering Mode Command\n");
diff --git a/src/libvlr/vlr_lu_fsm.c b/src/libvlr/vlr_lu_fsm.c
index b36e4e3..c6fd080 100644
--- a/src/libvlr/vlr_lu_fsm.c
+++ b/src/libvlr/vlr_lu_fsm.c
@@ -846,6 +846,7 @@
 {
 	struct lu_fsm_priv *lfp = lu_fsm_fi_priv(fi);
 	struct vlr_subscr *vsub = lfp->vsub;
+	bool umts_aka;
 
 	LOGPFSM(fi, "%s()\n", __func__);
 
@@ -862,9 +863,22 @@
 		return;
 	}
 
+	switch (vsub->sec_ctx) {
+	case VLR_SEC_CTX_GSM:
+		umts_aka = false;
+		break;
+	case VLR_SEC_CTX_UMTS:
+		umts_aka = true;
+		break;
+	default:
+		LOGPFSML(fi, LOGL_ERROR, "Cannot start ciphering, security context is not established\n");
+		lu_fsm_failure(fi, GSM48_REJECT_NETWORK_FAILURE);
+		return;
+	}
+
 	if (vlr_set_ciph_mode(vsub->vlr, fi, lfp->msc_conn_ref,
 			      lfp->ciphering_required,
-			      vlr_use_umts_aka(&vsub->last_tuple->vec, lfp->is_r99),
+			      umts_aka,
 			      vsub->vlr->cfg.retrieve_imeisv_ciphered)) {
 		LOGPFSML(fi, LOGL_ERROR,
 			 "Failed to send Ciphering Mode Command\n");
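Review bot: The `default:` branch logs that no security context is established but not which `vsub->sec_ctx` value was actually seen, so a log reader cannot tell a Location Updating that never authenticated from one that hit an unexpected value; the identical branch in src/libvlr/vlr_access_req_fsm.c has the same gap. Assuming sec_ctx is an int-compatible enum, `LOGPFSML(fi, LOGL_ERROR, "Cannot start ciphering, security context is not established (sec_ctx=%d)\n", vsub->sec_ctx);` would record it. The function body continues outside the hunk.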
diff --git a/tests/msc_vlr/msc_vlr_test_gsm_ciph.c b/tests/msc_vlr/msc_vlr_test_gsm_ciph.c
index d8c0441..57284a3 100644
--- a/tests/msc_vlr/msc_vlr_test_gsm_ciph.c
+++ b/tests/msc_vlr/msc_vlr_test_gsm_ciph.c
@@ -901,10 +901,7 @@
 	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
 
 	btw("MS sends *GSM AKA* Authen Response, VLR accepts and sends Ciphering Mode Command to MS");
-	/* EXPECTING ERROR: should be the GSM AKA kc:
 	expect_cipher_mode_cmd("7a75f0ac9b844400");
-	 * but instead is the UMTS AKA derived kc: */
-	expect_cipher_mode_cmd("85c985d6f980e18e");
 	ms_sends_msg("0554" "dacc4b26");
 	OSMO_ASSERT(cipher_mode_cmd_sent);
 	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
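Review bot: The three updated expectations in this file (this hunk and the two after it) only cover the `VLR_SEC_CTX_GSM` outcome; as far as the visible hunks show, nothing drives the new `default:` rejection path added in vlr_lu_fsm.c and vlr_access_req_fsm.c. Whether that path can be reached from a test depends on code outside this diff, so at minimum I would leave a marker such as `/* TODO: cover ciphering required with no established security context: expect reject, no Cipher Mode Command */`. The test function starts and ends outside the hunk.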
@@ -947,10 +944,7 @@
 	thwart_rx_non_initial_requests();
 
 	btw("MS sends *GSM AKA* Authen Response, VLR accepts and requests Ciphering");
-	/* EXPECTING ERROR: should be the GSM AKA kc:
 	expect_cipher_mode_cmd("da149b11d473f400");
-	 * but instead is the UMTS AKA derived kc: */
-	expect_cipher_mode_cmd("dec1351054200a58");
 	ms_sends_msg("0554" "2fb4cfad");
 	VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");
 	VERBOSE_ASSERT(cipher_mode_cmd_sent, == true, "%d");
@@ -1006,10 +1000,7 @@
 	thwart_rx_non_initial_requests();
 
 	btw("MS sends *GSM AKA* Authen Response, VLR accepts and requests Ciphering");
-	/* EXPECTING ERROR: should be the GSM AKA kc:
 	expect_cipher_mode_cmd("26ec67fad3073000");
-	 * but instead is the UMTS AKA derived kc: */
-	expect_cipher_mode_cmd("3721013ab07e55fb");
 	ms_sends_msg("0554" "0ff61e0f");
 	VERBOSE_ASSERT(cipher_mode_cmd_sent, == true, "%d");
 
diff --git a/tests/msc_vlr/msc_vlr_test_gsm_ciph.err b/tests/msc_vlr/msc_vlr_test_gsm_ciph.err
index 196da8c..9ebb781 100644
--- a/tests/msc_vlr/msc_vlr_test_gsm_ciph.err
+++ b/tests/msc_vlr/msc_vlr_test_gsm_ciph.err
@@ -1787,7 +1787,7 @@
 DMM -> CIPHER MODE COMMAND IMSI:901700000010650
 - sending Ciphering Mode Command for IMSI:901700000010650: include_imeisv=0
 - ...perm algo: 2
-- ...key: 85c985d6f980e18e
+- ...key: 7a75f0ac9b844400
 DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: state_chg to VLR_ULA_S_WAIT_CIPH
 DMM IMSI:901700000010650: bump: conn still being established (SUBSCR_CONN_S_NEW)
 DREF IMSI:901700000010650: MSC conn use - dtap == 1 (0x4)
@@ -1943,7 +1943,7 @@
 DMSC CLASSMARK 1 unknown, assuming MS supports A5/1
 - sending Ciphering Mode Command for MSISDN:42342: include_imeisv=0
 - ...perm algo: 2
-- ...key: dec1351054200a58
+- ...key: da149b11d473f400
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: state_chg to PR_ARQ_S_WAIT_CIPH
 DMM MSISDN:42342: bump: conn still being established (SUBSCR_CONN_S_NEW)
 DREF MSISDN:42342: MSC conn use - dtap == 1 (0x4)
@@ -2082,7 +2082,7 @@
 DMSC CLASSMARK 1 unknown, assuming MS supports A5/1
 - sending Ciphering Mode Command for MSISDN:42342: include_imeisv=0
 - ...perm algo: 2
-- ...key: 3721013ab07e55fb
+- ...key: 26ec67fad3073000
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: state_chg to PR_ARQ_S_WAIT_CIPH
 DMM MSISDN:42342: bump: conn still being established (SUBSCR_CONN_S_NEW)
 DREF MSISDN:42342: MSC conn use - dtap == 1 (0x4)

-- 
To view, visit https://gerrit.osmocom.org/7187
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I42ce51ae979f42d173a45ae69273071c426bf97c
Gerrit-PatchSet: 1
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>


