Change in ...osmo-msc[master]: add separate vty cfg for Iu encryption / fix ttcn3 iu tests

neels gerrit-no-reply at lists.osmocom.org
Tue Aug 13 14:56:42 UTC 2019


neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-msc/+/15175 )


Change subject: add separate vty cfg for Iu encryption / fix ttcn3 iu tests
......................................................................

add separate vty cfg for Iu encryption / fix ttcn3 iu tests

Recently, the ability to run Iu without encryption was added, but the config
for it was tied to the A5 GERAN encryption configuration. This affected
osmo-msc's default behavior of Iu, breaking osmo-msc ttcn3 Iu tests: the ttcn3
test suite sets A5 to 0 (no encryption) but still expects Iu encryption. Fix
this "regression".

Add a separate vty config option for Iu encryption, even if it does not provide
full granularity to select individual UEA algorithms yet.

As a result, Iu default behavior remains to use encryption regardless of the A5
config. Iu encryption can be disabled by the new cfg option "no encryption iu"
alone.

Revert most changes to the msc_vlr test suite in commit "do not force
encryption on UTRAN" (I04ecd7a3b1cc603b2e3feb630e8c7c93fc36ccd7): use new
net->iu_encryption instead of net->a5_encryption_mask.

Adjust/add test_nodes.vty transcript tests.

Related: OS#4144
Change-Id: Ie138f2fcb105533f7bc06a6d2e6deccf6faccc5b
---
M doc/manuals/chapters/net.adoc
M include/osmocom/msc/gsm_data.h
M src/libmsc/gsm_04_08.c
M src/libmsc/msc_net_init.c
M src/libmsc/msc_vty.c
M tests/msc_vlr/msc_vlr_test_authen_reuse.c
M tests/msc_vlr/msc_vlr_test_call.c
M tests/msc_vlr/msc_vlr_test_umts_authen.c
M tests/msc_vlr/msc_vlr_tests.h
M tests/test_nodes.vty
10 files changed, 129 insertions(+), 62 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/75/15175/1

diff --git a/doc/manuals/chapters/net.adoc b/doc/manuals/chapters/net.adoc
index 4bf34a3..6cb31d1 100644
--- a/doc/manuals/chapters/net.adoc
+++ b/doc/manuals/chapters/net.adoc
@@ -188,11 +188,22 @@
 
 While authentication is always required on 3G, ciphering is optional.
 
-So far OsmoMSC lacks explicit configuration for ciphering on 3G. As an interim
-solution, ciphering is enabled on 3G exactly when ciphering is enabled on 2G,
-i.e. when any cipher other than A5/0 is enabled in the configuration. If only
-A5/0 is configured, ciphering will be disabled on both 2G and 3G. The future
-aim is to add comprehensive configuration for 3G ciphering that is independent
-from the 2G setting.
+So far OsmoMSC allows switching ciphering on 3G either on or off -- the default
+behavior is to enable ciphering. (Individual choice of algorithms may be added
+in the future.)
+
+Disable 3G ciphering:
+
+----
+network
+ no encryption iu
+----
+
+Enable 3G ciphering (default):
+
+----
+network
+ encryption iu
+----
 
 OsmoMSC indicates UEA1 and UEA2 as permitted encryption algorithms on 3G.
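Review bot: The replacement paragraph in net.adoc never states that the 3G setting is now independent of "encryption a5", which is exactly the coupling the removed text documented. An operator who configured only A5/0 to switch off 3G ciphering will now get ciphering on Iu by default; one sentence saying that "encryption a5" no longer affects Iu, and that "no encryption iu" is the only way to disable it, would make the behaviour change visible in the manual.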
diff --git a/include/osmocom/msc/gsm_data.h b/include/osmocom/msc/gsm_data.h
index e926b3f..b2b9e70 100644
--- a/include/osmocom/msc/gsm_data.h
+++ b/include/osmocom/msc/gsm_data.h
@@ -149,6 +149,11 @@
 	bool authentication_required;
 	int send_mm_info;
 
+	/* Whether to use encryption on Iu.
+	 * TODO: we should offer a choice of UEA1 and/or UEA2, and probably replace this bool with a bit-mask of
+	 * permitted Iu encryption algorithms. See also OS#4143 */
+	bool iu_encryption;
+
 	struct rate_ctr_group *msc_ctrs;
 	struct osmo_stat_item_group *statg;
 
diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c
index cd37cff..f3e3d92 100644
--- a/src/libmsc/gsm_04_08.c
+++ b/src/libmsc/gsm_04_08.c
@@ -375,7 +375,7 @@
 				net->vlr, msc_a, vlr_lu_type, tmsi, imsi,
 				&old_lai, &msc_a->via_cell.lai,
 				is_utran || net->authentication_required,
-				net->a5_encryption_mask > 0x01,
+				is_utran ? net->iu_encryption : net->a5_encryption_mask > 0x01,
 				lu->key_seq,
 				osmo_gsm48_classmark1_is_r99(&lu->classmark1),
 				is_utran,
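Review bot: The cipher argument "is_utran ? net->iu_encryption : net->a5_encryption_mask > 0x01" depends on ">" binding tighter than "?:" and is repeated verbatim in the two later hunks of this file. Parenthesising the comparison and moving the expression into one small helper that takes net and is_utran would keep the three call sites in step, and would give the UEA bit-mask mentioned in the gsm_data.h TODO a single place to land.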
@@ -780,7 +780,7 @@
 			 req->cm_service_type,
 			 mi-1, &msc_a->via_cell.lai,
 			 is_utran || net->authentication_required,
-			 net->a5_encryption_mask > 0x01,
+			 is_utran ? net->iu_encryption : net->a5_encryption_mask > 0x01,
 			 req->cipher_key_seq,
 			 osmo_gsm48_classmark2_is_r99(cm2, cm2_len),
 			 is_utran);
@@ -1152,7 +1152,7 @@
 			 net->vlr, msc_a,
 			 VLR_PR_ARQ_T_PAGING_RESP, 0, mi_lv, &msc_a->via_cell.lai,
 			 is_utran || net->authentication_required,
-			 net->a5_encryption_mask > 0x01,
+			 is_utran ? net->iu_encryption : net->a5_encryption_mask > 0x01,
 			 pr->key_seq,
 			 osmo_gsm48_classmark2_is_r99(cm2, classmark2_len),
 			 is_utran);
diff --git a/src/libmsc/msc_net_init.c b/src/libmsc/msc_net_init.c
index 11920f3..305de15 100644
--- a/src/libmsc/msc_net_init.c
+++ b/src/libmsc/msc_net_init.c
@@ -49,6 +49,7 @@
 
 	/* Permit a compile-time default of A5/3 and A5/1 */
 	net->a5_encryption_mask = (1 << 3) | (1 << 1);
+	net->iu_encryption = true;
 
 	/* Use 30 min periodic update interval as sane default */
 	net->t3212 = 5;
diff --git a/src/libmsc/msc_vty.c b/src/libmsc/msc_vty.c
index 5bf9701..d448f45 100644
--- a/src/libmsc/msc_vty.c
+++ b/src/libmsc/msc_vty.c
@@ -144,14 +144,13 @@
 	return CMD_SUCCESS;
 }
 
+#define ENCRYPTION_STR "Encryption options\n"
+
 DEFUN(cfg_net_encryption,
       cfg_net_encryption_cmd,
       "encryption a5 <0-3> [<0-3>] [<0-3>] [<0-3>]",
-	"Encryption options\n"
-	"GSM A5 Air Interface Encryption."
-	  " NOTE: as long as OsmoMSC lacks distinct configuration for 3G encryption,"
-	  " 3G encryption is enabled exactly when any 2G encryption is enabled."
-	  " Hence configuring only A5/0 here switches off 3G encryption.\n"
+	ENCRYPTION_STR
+	"GSM A5 Air Interface Encryption.\n"
 	"A5/n Algorithm Number\n"
 	"A5/n Algorithm Number\n"
 	"A5/n Algorithm Number\n"
@@ -166,6 +165,30 @@
 	return CMD_SUCCESS;
 }
 
+/* So far just a boolean switch, a future patch might add individual config for UEA1 and UEA2, see OS#4143 */
+DEFUN(cfg_net_encryption_iu,
+      cfg_net_encryption_iu_cmd,
+      "encryption iu", /* " [(uea1|uea2)] [(uea1|uea2)]" */
+      ENCRYPTION_STR
+      "Iu (UTRAN, 3G): " /* "without arguments, " */ "enable all supported encryption algorithms on Iu (UEA1, UEA2).\n"
+     )
+{
+	gsmnet->iu_encryption = true;
+	return CMD_SUCCESS;
+}
+
+DEFUN(cfg_net_no_encryption_iu,
+      cfg_net_no_encryption_iu_cmd,
+      "no encryption iu",
+      NO_STR
+      "Disable encryption\n"
+      "Disable encryption on Iu (UTRAN, 3G)\n"
+     )
+{
+	gsmnet->iu_encryption = false;
+	return CMD_SUCCESS;
+}
+
 DEFUN(cfg_net_authentication,
       cfg_net_authentication_cmd,
       "authentication (optional|required)",
@@ -308,6 +331,9 @@
 			vty_out(vty, " %u", i);
 	}
 	vty_out(vty, "%s", VTY_NEWLINE);
+
+	if (!gsmnet->iu_encryption)
+		vty_out(vty, " no encryption iu%s", VTY_NEWLINE);
 	vty_out(vty, " authentication %s%s",
 		gsmnet->authentication_required ? "required" : "optional", VTY_NEWLINE);
 	vty_out(vty, " rrlp mode %s%s", msc_rrlp_mode_name(gsmnet->rrlp.mode),
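Review bot: The config writer emits a line only for the disabled state (" no encryption iu"), so an enabled setup is carried purely by the compiled-in default "net->iu_encryption = true" from msc_net_init.c. That follows the usual VTY convention, but for a ciphering switch it is worth considering writing " encryption iu" explicitly as well, so that a saved config keeps ciphering on even if the default is changed later; the test_nodes.vty transcript would need the matching line.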
@@ -1894,6 +1920,8 @@
 	install_element(GSMNET_NODE, &cfg_net_name_short_cmd);
 	install_element(GSMNET_NODE, &cfg_net_name_long_cmd);
 	install_element(GSMNET_NODE, &cfg_net_encryption_cmd);
+	install_element(GSMNET_NODE, &cfg_net_encryption_iu_cmd);
+	install_element(GSMNET_NODE, &cfg_net_no_encryption_iu_cmd);
 	install_element(GSMNET_NODE, &cfg_net_authentication_cmd);
 	install_element(GSMNET_NODE, &cfg_net_rrlp_mode_cmd);
 	install_element(GSMNET_NODE, &cfg_net_mm_info_cmd);
diff --git a/tests/msc_vlr/msc_vlr_test_authen_reuse.c b/tests/msc_vlr/msc_vlr_test_authen_reuse.c
index 62ea6c7..d73a5f8 100644
--- a/tests/msc_vlr/msc_vlr_test_authen_reuse.c
+++ b/tests/msc_vlr/msc_vlr_test_authen_reuse.c
@@ -266,8 +266,6 @@
 static void test_auth_use_twice_geran()
 {
 	comment_start();
-	/* A5/0 = no encryption */
-	net->a5_encryption_mask = A5_0;
 	_test_auth_reuse(OSMO_RAT_GERAN_A, 1, 1, true);
 	comment_end();
 }
@@ -275,8 +273,6 @@
 static void test_auth_use_twice_utran()
 {
 	comment_start();
-	/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
-	net->a5_encryption_mask = A5_0_3;
 	_test_auth_reuse(OSMO_RAT_UTRAN_IU, 1, 1, true);
 	comment_end();
 }
@@ -284,8 +280,6 @@
 static void test_auth_use_infinitely_geran()
 {
 	comment_start();
-	/* A5/0 = no encryption */
-	net->a5_encryption_mask = A5_0;
 	_test_auth_reuse(OSMO_RAT_GERAN_A, -1, 3, false);
 	comment_end();
 }
@@ -293,8 +287,6 @@
 static void test_auth_use_infinitely_utran()
 {
 	comment_start();
-	/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
-	net->a5_encryption_mask = A5_0_3;
 	_test_auth_reuse(OSMO_RAT_UTRAN_IU, -1, 3, false);
 	comment_end();
 }
@@ -302,8 +294,6 @@
 static void test_no_auth_reuse_geran()
 {
 	comment_start();
-	/* A5/0 = no encryption */
-	net->a5_encryption_mask = A5_0;
 	_test_auth_reuse(OSMO_RAT_GERAN_A, 0, 0, true);
 	comment_end();
 }
@@ -311,8 +301,6 @@
 static void test_no_auth_reuse_utran()
 {
 	comment_start();
-	/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
-	net->a5_encryption_mask = A5_0_3;
 	_test_auth_reuse(OSMO_RAT_UTRAN_IU, 0, 0, true);
 	comment_end();
 }
diff --git a/tests/msc_vlr/msc_vlr_test_call.c b/tests/msc_vlr/msc_vlr_test_call.c
index cec2f8d..065af25 100644
--- a/tests/msc_vlr/msc_vlr_test_call.c
+++ b/tests/msc_vlr/msc_vlr_test_call.c
@@ -46,7 +46,6 @@
 	struct vlr_subscr *vsub;
 
 	net->authentication_required = true;
-	net->a5_encryption_mask = A5_0_3;
 	net->vlr->cfg.assign_tmsi = true;
 	rx_from_ran = OSMO_RAT_UTRAN_IU;
 
diff --git a/tests/msc_vlr/msc_vlr_test_umts_authen.c b/tests/msc_vlr/msc_vlr_test_umts_authen.c
index 1bf6cd2..4e28f05 100644
--- a/tests/msc_vlr/msc_vlr_test_umts_authen.c
+++ b/tests/msc_vlr/msc_vlr_test_umts_authen.c
@@ -49,6 +49,8 @@
 		"5079da1e1ee7416937485e9ea7c965373d1d6683c270383b3d0e"
 		"d3d36ff71c949e83c22072799e9687c5ec32a81d96afcbf4b4fb"
 		"0c7ac3e9e9b7db05";
+	bool encryption = (via_ran == OSMO_RAT_GERAN_A && net->a5_encryption_mask > 0x1)
+		|| (via_ran == OSMO_RAT_UTRAN_IU && net->iu_encryption);
 
 	net->authentication_required = true;
 	net->vlr->cfg.assign_tmsi = true;
@@ -122,8 +124,7 @@
 	VERBOSE_ASSERT(auth_request_sent, == true, "%d");
 	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
 
-	if (net->a5_encryption_mask > 0x1) {
-		/* Encryption enabled */
+	if (encryption) {
 		if (via_ran == OSMO_RAT_GERAN_A) {
 			btw("Test code not implemented");
 			OSMO_ASSERT(false);
@@ -197,8 +198,7 @@
 	EXPECT_ACCEPTED(false);
 	thwart_rx_non_initial_requests();
 
-	if (net->a5_encryption_mask > 0x1) {
-		/* Encryption enabled */
+	if (encryption) {
 		if (via_ran == OSMO_RAT_GERAN_A) {
 			btw("Test code not implemented");
 			OSMO_ASSERT(false);
@@ -265,8 +265,7 @@
 	EXPECT_ACCEPTED(false);
 	thwart_rx_non_initial_requests();
 
-	if (net->a5_encryption_mask > 0x1) {
-		/* Encryption enabled */
+	if (encryption) {
 		if (via_ran == OSMO_RAT_GERAN_A) {
 			btw("Test code not implemented");
 			OSMO_ASSERT(false);
@@ -327,8 +326,6 @@
 static void test_umts_authen_geran()
 {
 	comment_start();
-	/* A5/0 = no encryption */
-	net->a5_encryption_mask = A5_0;
 	_test_umts_authen(OSMO_RAT_GERAN_A);
 	comment_end();
 }
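Review bot: With "net->a5_encryption_mask = A5_0;" dropped from test_umts_authen_geran(), the GERAN run depends on whatever mask the test setup leaves in place, and the new "encryption" flag in _test_umts_authen() leads straight to "Test code not implemented" / OSMO_ASSERT(false) when the mask is above 0x1 on GERAN. That initial value is not visible in this diff; either keep an explicit A5/0 assignment in the GERAN callers or add a comment naming where the test mask is initialised.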
@@ -336,8 +333,7 @@
 static void test_umts_authen_utran()
 {
 	comment_start();
-	/* A5/0 = no encryption; so far the A5 setting also triggers UTRAN encryption */
-	net->a5_encryption_mask = A5_0;
+	net->iu_encryption = false;
 	_test_umts_authen(OSMO_RAT_UTRAN_IU);
 	comment_end();
 }
@@ -345,8 +341,7 @@
 static void test_umts_auth_ciph_utran()
 {
 	comment_start();
-	/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
-	net->a5_encryption_mask = A5_0_3;
+	net->iu_encryption = true;
 	_test_umts_authen(OSMO_RAT_UTRAN_IU);
 	comment_end();
 }
@@ -365,6 +360,8 @@
 {
 	struct vlr_subscr *vsub;
 	const char *imsi = "901700000010650";
+	bool encryption = (via_ran == OSMO_RAT_GERAN_A && net->a5_encryption_mask > 0x1)
+		|| (via_ran == OSMO_RAT_UTRAN_IU && net->iu_encryption);
 
 	net->authentication_required = true;
 	net->vlr->cfg.assign_tmsi = true;
@@ -519,8 +516,7 @@
 	VERBOSE_ASSERT(auth_request_sent, == true, "%d");
 	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
 
-	if (net->a5_encryption_mask > 0x1) {
-		/* Encryption enabled */
+	if (encryption) {
 		if (via_ran == OSMO_RAT_GERAN_A) {
 			btw("Test code not implemented");
 			OSMO_ASSERT(false);
@@ -585,8 +581,6 @@
 static void test_umts_authen_resync_geran()
 {
 	comment_start();
-	/* A5/0 = no encryption */
-	net->a5_encryption_mask = A5_0;
 	_test_umts_authen_resync(OSMO_RAT_GERAN_A);
 	comment_end();
 }
@@ -594,8 +588,7 @@
 static void test_umts_authen_resync_utran()
 {
 	comment_start();
-	/* A5/0 = no encryption; so far the A5 setting also triggers UTRAN encryption */
-	net->a5_encryption_mask = A5_0;
+	net->iu_encryption = false;
 	_test_umts_authen_resync(OSMO_RAT_UTRAN_IU);
 	comment_end();
 }
@@ -603,8 +596,7 @@
 static void test_umts_auth_ciph_resync_utran()
 {
 	comment_start();
-	/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
-	net->a5_encryption_mask = A5_0_3;
+	net->iu_encryption = true;
 	_test_umts_authen_resync(OSMO_RAT_UTRAN_IU);
 	comment_end();
 }
@@ -698,8 +690,6 @@
 static void test_umts_authen_too_short_res_geran()
 {
 	comment_start();
-	/* A5/0 = no encryption */
-	net->a5_encryption_mask = A5_0;
 	_test_umts_authen_too_short_res(OSMO_RAT_GERAN_A);
 	comment_end();
 }
@@ -707,8 +697,6 @@
 static void test_umts_authen_too_short_res_utran()
 {
 	comment_start();
-	/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
-	net->a5_encryption_mask = A5_0_3;
 	_test_umts_authen_too_short_res(OSMO_RAT_UTRAN_IU);
 	comment_end();
 }
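Review bot: test_umts_authen_too_short_res_utran() used to force ciphering on via A5_0_3 and now sets nothing, while earlier tests in this file assign "net->iu_encryption = false;". Unless net is reset between tests (not shown in this diff), this test inherits whatever the previous test left behind; setting "net->iu_encryption = true;" here, as test_umts_auth_ciph_utran() does, would keep it self-contained. The same applies to the too_long_res_utran and only_sres_utran callers further down.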
@@ -802,8 +790,6 @@
 static void test_umts_authen_too_long_res_geran()
 {
 	comment_start();
-	/* A5/0 = no encryption */
-	net->a5_encryption_mask = A5_0;
 	_test_umts_authen_too_long_res(OSMO_RAT_GERAN_A);
 	comment_end();
 }
@@ -811,8 +797,6 @@
 static void test_umts_authen_too_long_res_utran()
 {
 	comment_start();
-	/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
-	net->a5_encryption_mask = A5_0_3;
 	_test_umts_authen_too_long_res(OSMO_RAT_UTRAN_IU);
 	comment_end();
 }
@@ -911,8 +895,6 @@
 static void test_umts_authen_only_sres_geran()
 {
 	comment_start();
-	/* A5/0 = no encryption */
-	net->a5_encryption_mask = A5_0;
 	_test_umts_authen_only_sres(OSMO_RAT_GERAN_A);
 	comment_end();
 }
@@ -920,8 +902,6 @@
 static void test_umts_authen_only_sres_utran()
 {
 	comment_start();
-	/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
-	net->a5_encryption_mask = A5_0_3;
 	_test_umts_authen_only_sres(OSMO_RAT_UTRAN_IU);
 	comment_end();
 }
diff --git a/tests/msc_vlr/msc_vlr_tests.h b/tests/msc_vlr/msc_vlr_tests.h
index 4330ea8..9df9cf0 100644
--- a/tests/msc_vlr/msc_vlr_tests.h
+++ b/tests/msc_vlr/msc_vlr_tests.h
@@ -32,9 +32,6 @@
 #include <osmocom/msc/msc_a.h>
 #include <osmocom/msc/mncc.h>
 
-#define A5_0 (1 << 0)
-#define A5_0_3 ((1 << 0) | (1 << 3))
-
 extern bool _log_lines;
 #define _log(fmt, args...) do { \
 		if (_log_lines) \
diff --git a/tests/test_nodes.vty b/tests/test_nodes.vty
index fb7b1c5..6d97658 100644
--- a/tests/test_nodes.vty
+++ b/tests/test_nodes.vty
@@ -17,6 +17,8 @@
   short name NAME
   long name NAME
   encryption a5 <0-3> [<0-3>] [<0-3>] [<0-3>]
+  encryption iu
+  no encryption iu
   authentication (optional|required)
   rrlp mode (none|ms-based|ms-preferred|ass-preferred)
   mm info (0|1)
@@ -26,6 +28,22 @@
   periodic location update <6-1530>
   no periodic location update
 
+OsmoMSC(config-net)# encryption?
+  encryption  Encryption options
+OsmoMSC(config-net)# encryption ?
+  a5  GSM A5 Air Interface Encryption.
+  iu  Iu (UTRAN, 3G): enable all supported encryption algorithms on Iu (UEA1, UEA2).
+OsmoMSC(config-net)# no?
+  no  Negate a command or set its defaults
+OsmoMSC(config-net)# no ?
+  encryption  Disable encryption
+  timezone    Disable network timezone override, use system tz
+  periodic    Periodic Location Updating Interval
+OsmoMSC(config-net)# no encryption?
+  encryption  Disable encryption
+OsmoMSC(config-net)# no encryption ?
+  iu  Disable encryption on Iu (UTRAN, 3G)
+
 OsmoMSC(config-net)# exit
 OsmoMSC(config)# msc
 OsmoMSC(config-msc)# list
@@ -157,3 +175,43 @@
  local-ip 0.0.0.0
  vlr-name vlr.example.net
 end
+
+OsmoMSC# configure terminal
+OsmoMSC(config)# network
+OsmoMSC(config-net)# no encryption iu
+OsmoMSC(config-net)# show running-config
+...
+network
+ network country code 001
+ mobile network code 01
+ short name OsmoMSC
+ long name OsmoMSC
+ encryption a5 0
+ no encryption iu
+ authentication optional
+ rrlp mode none
+ mm info 1
+ periodic location update 30
+msc
+ mncc guard-timeout 180
+ ncss guard-timeout 30
+ assign-tmsi
+ cs7-instance-a 0
+...
+ auth-tuple-max-reuse-count 3
+ auth-tuple-reuse-on-error 1
+ mgw local-port 2728
+ mgw remote-ip 10.23.24.1
+ mgw remote-port 2427
+mncc-int
+ default-codec tch-f fr
+ default-codec tch-h hr
+...
+hlr
+ remote-ip 127.0.0.1
+ remote-port 4222
+sgs
+ local-port 29118
+ local-ip 0.0.0.0
+ vlr-name vlr.example.net
+end
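Review bot: The added transcript in test_nodes.vty exercises only the "no encryption iu" direction. Following it with "encryption iu" and another "show running-config" that expects the "no encryption iu" line to be gone would also cover cfg_net_encryption_iu and the branch of the config writer that omits the line when ciphering is enabled.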

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-msc/+/15175
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Change-Id: Ie138f2fcb105533f7bc06a6d2e6deccf6faccc5b
Gerrit-Change-Number: 15175
Gerrit-PatchSet: 1
Gerrit-Owner: neels <nhofmeyr at sysmocom.de>
Gerrit-MessageType: newchange