Change in osmo-msc[master]: Make UTRAN encryption algorithms configurable


laforge gerrit-no-reply at lists.osmocom.org
Sat Feb 6 16:18:56 UTC 2021


laforge has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-msc/+/22766 )


Change subject: Make UTRAN encryption algorithms configurable
......................................................................

Make UTRAN encryption algorithms configurable

Allow the user fine-grained control over which UMTS encryption
algorithms are permitted, rather than always permitting UEA1 and UEA2
or neither.

This brings the handling of UEA in line with the handling of A5 for
GERAN.

Change-Id: I91f9e50f9c1439aa19528f887b83ae9de628fcfd
Closes: OS#4144
Depends: osmo-iuh.git I6d2d033b0427bdc84fee61e0f3cb7b29935214bf
---
M include/osmocom/msc/gsm_data.h
M include/osmocom/msc/ran_msg.h
M src/libmsc/gsm_04_08.c
M src/libmsc/msc_a.c
M src/libmsc/msc_net_init.c
M src/libmsc/msc_vty.c
M src/libmsc/ran_msg_iu.c
M tests/msc_vlr/msc_vlr_test_umts_authen.c
M tests/test_nodes.vty
9 files changed, 37 insertions(+), 62 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/66/22766/1

diff --git a/include/osmocom/msc/gsm_data.h b/include/osmocom/msc/gsm_data.h
index 438ee08..be25b92 100644
--- a/include/osmocom/msc/gsm_data.h
+++ b/include/osmocom/msc/gsm_data.h
@@ -151,10 +151,8 @@
 	bool authentication_required;
 	int send_mm_info;
 
-	/* Whether to use encryption on UTRAN.
-	 * TODO: we should offer a choice of UEA1 and/or UEA2, and probably replace this bool with a bit-mask of
-	 * permitted Iu encryption algorithms. See also OS#4143 and the 'encryption uea' vty command. */
-	bool uea_encryption;
+	/* bit-mask of permitted encryption algorithms. LSB=UEA0, MSB=UEA7 */
+	uint8_t uea_encryption_mask;
 
 	struct rate_ctr_group *msc_ctrs;
 	struct osmo_stat_item_group *statg;
diff --git a/include/osmocom/msc/ran_msg.h b/include/osmocom/msc/ran_msg.h
index 232e284..b474381 100644
--- a/include/osmocom/msc/ran_msg.h
+++ b/include/osmocom/msc/ran_msg.h
@@ -102,7 +102,7 @@
 		struct geran_encr *chosen_key;
 	} geran;
 	struct {
-		bool uea_encryption;
+		uint8_t uea_encryption_mask;
 	} utran;
 };
 
diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c
index 6379059..d21db3f 100644
--- a/src/libmsc/gsm_04_08.c
+++ b/src/libmsc/gsm_04_08.c
@@ -412,7 +412,7 @@
 				net->vlr, msc_a, vlr_lu_type, tmsi, imsi,
 				&old_lai, &msc_a->via_cell.lai,
 				is_utran || net->authentication_required,
-				is_utran ? net->uea_encryption : net->a5_encryption_mask > 0x01,
+				is_utran ? net->uea_encryption_mask > 0x01 : net->a5_encryption_mask > 0x01,
 				lu->key_seq,
 				osmo_gsm48_classmark1_is_r99(&lu->classmark1),
 				is_utran,
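Review bot: The test `net->uea_encryption_mask > 0x01` is true for any mask with a bit above UEA0 set, so a mask such as 0x03 (UEA0 plus UEA1) is still reported to the VLR as ciphering enabled, although bit 0 ("no encryption") stays in the permitted set that is later handed to the RAN side. If this is meant to mirror the A5 handling exactly, a short comment saying so would help; otherwise the condition probably wants to require that bit 0 is clear. The same expression is repeated in the hunks at -803 and -1180 of this file, so a small helper that takes `net` and returns `net->uea_encryption_mask > 0x01` would keep the three call sites in step. The enclosing call starts and ends outside the hunk.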
@@ -803,7 +803,7 @@
 			 req->cm_service_type,
 			 &mi, &msc_a->via_cell.lai,
 			 is_utran || net->authentication_required,
-			 is_utran ? net->uea_encryption : net->a5_encryption_mask > 0x01,
+			 is_utran ? net->uea_encryption_mask > 0x01 : net->a5_encryption_mask > 0x01,
 			 req->cipher_key_seq,
 			 osmo_gsm48_classmark2_is_r99(cm2, cm2_len),
 			 is_utran);
@@ -1180,7 +1180,7 @@
 			 net->vlr, msc_a,
 			 VLR_PR_ARQ_T_PAGING_RESP, 0, &mi, &msc_a->via_cell.lai,
 			 is_utran || net->authentication_required,
-			 is_utran ? net->uea_encryption : net->a5_encryption_mask > 0x01,
+			 is_utran ? net->uea_encryption_mask > 0x01 : net->a5_encryption_mask > 0x01,
 			 pr->key_seq,
 			 osmo_gsm48_classmark2_is_r99(cm2, classmark2_len),
 			 is_utran);
diff --git a/src/libmsc/msc_a.c b/src/libmsc/msc_a.c
index cfdb774..abfa247 100644
--- a/src/libmsc/msc_a.c
+++ b/src/libmsc/msc_a.c
@@ -333,8 +333,8 @@
 				.chosen_key = &msc_a->geran_encr,
 			},
 			.utran = {
-				.uea_encryption = net->uea_encryption
-			}
+				.uea_encryption_mask = net->uea_encryption_mask,
+			},
 		},
 	};
 
diff --git a/src/libmsc/msc_net_init.c b/src/libmsc/msc_net_init.c
index 9e3e8b3..d53156b 100644
--- a/src/libmsc/msc_net_init.c
+++ b/src/libmsc/msc_net_init.c
@@ -67,7 +67,8 @@
 
 	/* Permit a compile-time default of A5/3 and A5/1 */
 	net->a5_encryption_mask = (1 << 3) | (1 << 1);
-	net->uea_encryption = true;
+	/* Permit a compile-time default of UEA2 and UEA1 */
+	net->uea_encryption_mask = (1 << 2) | (1 << 1);
 
 	net->mncc_guard_timeout = 180;
 	net->ncss_guard_timeout = 30;
diff --git a/src/libmsc/msc_vty.c b/src/libmsc/msc_vty.c
index 79b4daa..402ec89 100644
--- a/src/libmsc/msc_vty.c
+++ b/src/libmsc/msc_vty.c
@@ -173,36 +173,17 @@
       cfg_net_encryption_uea_cmd,
       "encryption uea <0-2> [<0-2>] [<0-2>]",
       ENCRYPTION_STR
-      "UTRAN (3G) encryption algorithms to allow: 0 = UEA0 (no encryption), 1 = UEA1, 2 = UEA2."
-        " NOTE: the current implementation does not allow free choice of combining encryption algorithms yet."
-	" The only valid settings are either 'encryption uea 0' or 'encryption uea 1 2'.\n"
+      "UTRAN (3G) encryption algorithms to allow: 0 = UEA0 (no encryption), 1 = UEA1, 2 = UEA2.\n"
       "UEAn Algorithm Number\n"
       "UEAn Algorithm Number\n"
       "UEAn Algorithm Number\n"
      )
 {
 	unsigned int i;
-	uint8_t mask = 0;
 
+	gsmnet->uea_encryption_mask = 0;
 	for (i = 0; i < argc; i++)
-		mask |= (1 << atoi(argv[i]));
-
-	if (mask == (1 << 0)) {
-		/* UEA0. Disable encryption. */
-		gsmnet->uea_encryption = false;
-	} else if (mask == ((1 << 1) | (1 << 2))) {
-		/* UEA1 and UEA2. Enable encryption. */
-		gsmnet->uea_encryption = true;
-	} else {
-		vty_out(vty,
-			"%% Error: the current implementation does not allow free choice of combining%s"
-			"%% encryption algorithms yet. The only valid settings are either%s"
-			"%%   encryption uea 0%s"
-			"%% or%s"
-			"%%   encryption uea 1 2%s",
-			VTY_NEWLINE, VTY_NEWLINE, VTY_NEWLINE, VTY_NEWLINE, VTY_NEWLINE);
-		return CMD_WARNING;
-	}
+		gsmnet->uea_encryption_mask |= (1 << atoi(argv[i]));
 
 	return CMD_SUCCESS;
 }
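Review bot: With the validation removed, `encryption uea 0 1` and `encryption uea 0 2` are accepted, but the help text no longer says what mixing UEA0 with a real algorithm means. Since 0 is documented here as "no encryption", such a mask presumably allows the connection to end up unciphered; the help string should state that, e.g. `"... 0 = UEA0 (no encryption), 1 = UEA1, 2 = UEA2. Including 0 permits unencrypted connections.\n"`. The handler also zeroes `gsmnet->uea_encryption_mask` and rebuilds it in place, which is fine while every argument is range-checked by `<0-2>`, but keeping the local `mask` and assigning it once at the end would be safer if a validation step is ever added back. The command definition starts outside the hunk.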
@@ -385,10 +366,12 @@
 	}
 	vty_out(vty, "%s", VTY_NEWLINE);
 
-	if (!gsmnet->uea_encryption)
-		vty_out(vty, " encryption uea 0%s", VTY_NEWLINE);
-	else
-		vty_out(vty, " encryption uea 1 2%s", VTY_NEWLINE);
+	vty_out(vty, " encryption uea");
+	for (i = 0; i < 8; i++) {
+		if (gsmnet->uea_encryption_mask & (1 << i))
+			vty_out(vty, " %u", i);
+	}
+	vty_out(vty, "%s", VTY_NEWLINE);
 	vty_out(vty, " authentication %s%s",
 		gsmnet->authentication_required ? "required" : "optional", VTY_NEWLINE);
 	vty_out(vty, " rrlp mode %s%s", msc_rrlp_mode_name(gsmnet->rrlp.mode),
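Review bot: The config writer walks all eight bits, while the `encryption uea` command accepts only `<0-2>` and needs at least one argument, so a mask of 0 or one with a bit above 2 would be written as a line that does not parse on reload. Nothing visible on this page sets such a value, so this is a robustness point: bound the loop to the algorithms the command accepts, or add a comment such as `/* mask is non-zero and limited to bits 0..2 by the vty command */`. The declaration of `i` is outside the hunk; if it is a signed int, `%u` should be `%d`. The enclosing function starts and ends outside the hunk.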
diff --git a/src/libmsc/ran_msg_iu.c b/src/libmsc/ran_msg_iu.c
index 6120918..0c4868e 100644
--- a/src/libmsc/ran_msg_iu.c
+++ b/src/libmsc/ran_msg_iu.c
@@ -367,9 +367,13 @@
 						      const struct ran_cipher_mode_command *cm)
 {
 
-	LOG_RAN_IU_ENC(caller_fi, LOGL_DEBUG, "Tx RANAP SECURITY MODE COMMAND to RNC, ik %s\n",
-			osmo_hexdump_nospc(cm->vec->ik, 16));
-	return ranap_new_msg_sec_mod_cmd(cm->vec->ik, cm->utran.uea_encryption ? cm->vec->ck : NULL, RANAP_KeyStatus_new);
+	LOG_RAN_IU_ENC(caller_fi, LOGL_DEBUG, "Tx RANAP SECURITY MODE COMMAND to RNC, IK=%s, CK=%s\n",
+			osmo_hexdump_nospc(cm->vec->ik, 16),
+			cm->utran.uea_encryption_mask > 0x01 ? osmo_hexdump_nospc(cm->vec->ck, 16) : "NONE");
+	/* TODO: Do we need to check if the UE supports all of the algorithms and build an intersection like
+	 * in the case of A5? */
+	return ranap_new_msg_sec_mod_cmd2(cm->vec->ik, cm->utran.uea_encryption_mask > 0x01 ? cm->vec->ck : NULL,
+					  0x06, cm->utran.uea_encryption_mask, RANAP_KeyStatus_new);
 }
 
 
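Review bot: The debug line now writes the ciphering key next to the integrity key (`CK=%s` with `osmo_hexdump_nospc(cm->vec->ck, 16)`), so per-subscriber session keys reach every log target that has this category at DEBUG. Logging only whether a CK is sent keeps the diagnostic value, e.g. `cm->utran.uea_encryption_mask > 0x01 ? "present" : "NONE"`, and the IK hexdump deserves the same treatment. Separately, the literal `0x06` passed to `ranap_new_msg_sec_mod_cmd2()` has no name or comment; if it is the permitted integrity-algorithm mask, a one-line comment naming the algorithms it selects would make that checkable. The function signature starts outside the hunk.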
diff --git a/tests/msc_vlr/msc_vlr_test_umts_authen.c b/tests/msc_vlr/msc_vlr_test_umts_authen.c
index 46f8d98..e462ef4 100644
--- a/tests/msc_vlr/msc_vlr_test_umts_authen.c
+++ b/tests/msc_vlr/msc_vlr_test_umts_authen.c
@@ -50,7 +50,7 @@
 		"d3d36ff71c949e83c22072799e9687c5ec32a81d96afcbf4b4fb"
 		"0c7ac3e9e9b7db05";
 	bool encryption = (via_ran == OSMO_RAT_GERAN_A && net->a5_encryption_mask > 0x1)
-		|| (via_ran == OSMO_RAT_UTRAN_IU && net->uea_encryption);
+		|| (via_ran == OSMO_RAT_UTRAN_IU && net->uea_encryption_mask > 0x1);
 
 	net->authentication_required = true;
 	net->vlr->cfg.assign_tmsi = true;
@@ -333,7 +333,7 @@
 static void test_umts_authen_utran()
 {
 	comment_start();
-	net->uea_encryption = false;
+	net->uea_encryption_mask = 0x01;
 	_test_umts_authen(OSMO_RAT_UTRAN_IU);
 	comment_end();
 }
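Review bot: The UTRAN tests only exercise the masks 0x01 and 0x06 (here and in the hunks at -341, -588 and -596), which correspond to the two settings the old boolean allowed. Since the purpose of the change is free combination, a case with a mixed mask such as `net->uea_encryption_mask = 0x03;` would pin down what `uea_encryption_mask > 0x1` is expected to mean when UEA0 is permitted alongside a real algorithm, and a single-algorithm case such as 0x02 or 0x04 would cover the new configurations.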
@@ -341,7 +341,7 @@
 static void test_umts_auth_ciph_utran()
 {
 	comment_start();
-	net->uea_encryption = true;
+	net->uea_encryption_mask = 0x06;
 	_test_umts_authen(OSMO_RAT_UTRAN_IU);
 	comment_end();
 }
@@ -361,7 +361,7 @@
 	struct vlr_subscr *vsub;
 	const char *imsi = "901700000010650";
 	bool encryption = (via_ran == OSMO_RAT_GERAN_A && net->a5_encryption_mask > 0x1)
-		|| (via_ran == OSMO_RAT_UTRAN_IU && net->uea_encryption);
+		|| (via_ran == OSMO_RAT_UTRAN_IU && net->uea_encryption_mask > 0x1);
 
 	net->authentication_required = true;
 	net->vlr->cfg.assign_tmsi = true;
@@ -588,7 +588,7 @@
 static void test_umts_authen_resync_utran()
 {
 	comment_start();
-	net->uea_encryption = false;
+	net->uea_encryption_mask = 0x01;
 	_test_umts_authen_resync(OSMO_RAT_UTRAN_IU);
 	comment_end();
 }
@@ -596,7 +596,7 @@
 static void test_umts_auth_ciph_resync_utran()
 {
 	comment_start();
-	net->uea_encryption = true;
+	net->uea_encryption_mask = 0x06;
 	_test_umts_authen_resync(OSMO_RAT_UTRAN_IU);
 	comment_end();
 }
diff --git a/tests/test_nodes.vty b/tests/test_nodes.vty
index f956a12..8a530a8 100644
--- a/tests/test_nodes.vty
+++ b/tests/test_nodes.vty
@@ -31,7 +31,7 @@
   encryption  Encryption options
 OsmoMSC(config-net)# encryption ?
   a5   GSM A5 Air Interface Encryption.
-  uea  UTRAN (3G) encryption algorithms to allow: 0 = UEA0 (no encryption), 1 = UEA1, 2 = UEA2. NOTE: the current implementation does not allow free choice of combining encryption algorithms yet. The only valid settings are either 'encryption uea 0' or 'encryption uea 1 2'.
+  uea  UTRAN (3G) encryption algorithms to allow: 0 = UEA0 (no encryption), 1 = UEA1, 2 = UEA2.
 
 OsmoMSC(config-net)# encryption uea ?
   <0-2>  UEAn Algorithm Number
@@ -187,38 +187,27 @@
 ...
 
 OsmoMSC(config-net)# encryption uea 1
-% Error: the current implementation does not allow free choice of combining
-% encryption algorithms yet. The only valid settings are either
-%   encryption uea 0
-% or
-%   encryption uea 1 2
 OsmoMSC(config-net)# show running-config
 ...
- encryption uea 0
+ encryption uea 1
 ...
 
 OsmoMSC(config-net)# encryption uea 2
-% Error: the current implementation does not allow free choice of combining
-...
 OsmoMSC(config-net)# show running-config
 ...
- encryption uea 0
+ encryption uea 2
 ...
 
 OsmoMSC(config-net)# encryption uea 0 1
-% Error: the current implementation does not allow free choice of combining
-...
 OsmoMSC(config-net)# show running-config
 ...
- encryption uea 0
+ encryption uea 0 1
 ...
 
 OsmoMSC(config-net)# encryption uea 0 2
-% Error: the current implementation does not allow free choice of combining
-...
 OsmoMSC(config-net)# show running-config
 ...
- encryption uea 0
+ encryption uea 0 2
 ...
 
 OsmoMSC(config-net)# encryption uea 1 2

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-msc/+/22766
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Change-Id: I91f9e50f9c1439aa19528f887b83ae9de628fcfd
Gerrit-Change-Number: 22766
Gerrit-PatchSet: 1
Gerrit-Owner: laforge <laforge at osmocom.org>
Gerrit-MessageType: newchange