<p>laforge has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/osmo-msc/+/22766">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">Make UTRAN encryption algorithms configurable<br><br>Allow the user fine-grained control over which UMTS encryption<br>algorithms are permitted, rather than always permitting UEA1 and UEA2<br>or neither.<br><br>This brings the handling of UEA in line with the handling of A5 for<br>GERAN.<br><br>Change-Id: I91f9e50f9c1439aa19528f887b83ae9de628fcfd<br>Closes: OS#4144<br>Depends: osmo-iuh.git I6d2d033b0427bdc84fee61e0f3cb7b29935214bf<br>---<br>M include/osmocom/msc/gsm_data.h<br>M include/osmocom/msc/ran_msg.h<br>M src/libmsc/gsm_04_08.c<br>M src/libmsc/msc_a.c<br>M src/libmsc/msc_net_init.c<br>M src/libmsc/msc_vty.c<br>M src/libmsc/ran_msg_iu.c<br>M tests/msc_vlr/msc_vlr_test_umts_authen.c<br>M tests/test_nodes.vty<br>9 files changed, 37 insertions(+), 62 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/66/22766/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/include/osmocom/msc/gsm_data.h b/include/osmocom/msc/gsm_data.h</span><br><span>index 438ee08..be25b92 100644</span><br><span>--- a/include/osmocom/msc/gsm_data.h</span><br><span>+++ b/include/osmocom/msc/gsm_data.h</span><br><span>@@ -151,10 +151,8 @@</span><br><span> bool authentication_required;</span><br><span> int send_mm_info;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- /* Whether to use encryption on UTRAN.</span><br><span style="color: hsl(0, 100%, 40%);">- * TODO: we should offer a choice of UEA1 and/or UEA2, and probably replace this bool with a bit-mask of</span><br><span style="color: hsl(0, 100%, 40%);">- * permitted Iu encryption algorithms. See also OS#4143 and the 'encryption uea' vty command. 
*/</span><br><span style="color: hsl(0, 100%, 40%);">- bool uea_encryption;</span><br><span style="color: hsl(120, 100%, 40%);">+ /* bit-mask of permitted encryption algorithms. LSB=UEA0, MSB=UEA7 */</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t uea_encryption_mask;</span><br><span> </span><br><span> struct rate_ctr_group *msc_ctrs;</span><br><span> struct osmo_stat_item_group *statg;</span><br><span>diff --git a/include/osmocom/msc/ran_msg.h b/include/osmocom/msc/ran_msg.h</span><br><span>index 232e284..b474381 100644</span><br><span>--- a/include/osmocom/msc/ran_msg.h</span><br><span>+++ b/include/osmocom/msc/ran_msg.h</span><br><span>@@ -102,7 +102,7 @@</span><br><span> struct geran_encr *chosen_key;</span><br><span> } geran;</span><br><span> struct {</span><br><span style="color: hsl(0, 100%, 40%);">- bool uea_encryption;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t uea_encryption_mask;</span><br><span> } utran;</span><br><span> };</span><br><span> </span><br><span>diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c</span><br><span>index 6379059..d21db3f 100644</span><br><span>--- a/src/libmsc/gsm_04_08.c</span><br><span>+++ b/src/libmsc/gsm_04_08.c</span><br><span>@@ -412,7 +412,7 @@</span><br><span> net->vlr, msc_a, vlr_lu_type, tmsi, imsi,</span><br><span> &old_lai, &msc_a->via_cell.lai,</span><br><span> is_utran || net->authentication_required,</span><br><span style="color: hsl(0, 100%, 40%);">- is_utran ? net->uea_encryption : net->a5_encryption_mask > 0x01,</span><br><span style="color: hsl(120, 100%, 40%);">+ is_utran ? 
net->uea_encryption_mask > 0x01 : net->a5_encryption_mask > 0x01,</span><br><span> lu->key_seq,</span><br><span> osmo_gsm48_classmark1_is_r99(&lu->classmark1),</span><br><span> is_utran,</span><br><span>@@ -803,7 +803,7 @@</span><br><span> req->cm_service_type,</span><br><span> &mi, &msc_a->via_cell.lai,</span><br><span> is_utran || net->authentication_required,</span><br><span style="color: hsl(0, 100%, 40%);">- is_utran ? net->uea_encryption : net->a5_encryption_mask > 0x01,</span><br><span style="color: hsl(120, 100%, 40%);">+ is_utran ? net->uea_encryption_mask > 0x01 : net->a5_encryption_mask > 0x01,</span><br><span> req->cipher_key_seq,</span><br><span> osmo_gsm48_classmark2_is_r99(cm2, cm2_len),</span><br><span> is_utran);</span><br><span>@@ -1180,7 +1180,7 @@</span><br><span> net->vlr, msc_a,</span><br><span> VLR_PR_ARQ_T_PAGING_RESP, 0, &mi, &msc_a->via_cell.lai,</span><br><span> is_utran || net->authentication_required,</span><br><span style="color: hsl(0, 100%, 40%);">- is_utran ? net->uea_encryption : net->a5_encryption_mask > 0x01,</span><br><span style="color: hsl(120, 100%, 40%);">+ is_utran ? 
net->uea_encryption_mask > 0x01 : net->a5_encryption_mask > 0x01,</span><br><span> pr->key_seq,</span><br><span> osmo_gsm48_classmark2_is_r99(cm2, classmark2_len),</span><br><span> is_utran);</span><br><span>diff --git a/src/libmsc/msc_a.c b/src/libmsc/msc_a.c</span><br><span>index cfdb774..abfa247 100644</span><br><span>--- a/src/libmsc/msc_a.c</span><br><span>+++ b/src/libmsc/msc_a.c</span><br><span>@@ -333,8 +333,8 @@</span><br><span> .chosen_key = &msc_a->geran_encr,</span><br><span> },</span><br><span> .utran = {</span><br><span style="color: hsl(0, 100%, 40%);">- .uea_encryption = net->uea_encryption</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(120, 100%, 40%);">+ .uea_encryption_mask = net->uea_encryption_mask,</span><br><span style="color: hsl(120, 100%, 40%);">+ },</span><br><span> },</span><br><span> };</span><br><span> </span><br><span>diff --git a/src/libmsc/msc_net_init.c b/src/libmsc/msc_net_init.c</span><br><span>index 9e3e8b3..d53156b 100644</span><br><span>--- a/src/libmsc/msc_net_init.c</span><br><span>+++ b/src/libmsc/msc_net_init.c</span><br><span>@@ -67,7 +67,8 @@</span><br><span> </span><br><span> /* Permit a compile-time default of A5/3 and A5/1 */</span><br><span> net->a5_encryption_mask = (1 << 3) | (1 << 1);</span><br><span style="color: hsl(0, 100%, 40%);">- net->uea_encryption = true;</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Permit a compile-time default of UEA2 and UEA1 */</span><br><span style="color: hsl(120, 100%, 40%);">+ net->uea_encryption_mask = (1 << 2) | (1 << 1);</span><br><span> </span><br><span> net->mncc_guard_timeout = 180;</span><br><span> net->ncss_guard_timeout = 30;</span><br><span>diff --git a/src/libmsc/msc_vty.c b/src/libmsc/msc_vty.c</span><br><span>index 79b4daa..402ec89 100644</span><br><span>--- a/src/libmsc/msc_vty.c</span><br><span>+++ b/src/libmsc/msc_vty.c</span><br><span>@@ -173,36 +173,17 @@</span><br><span> 
cfg_net_encryption_uea_cmd,</span><br><span> "encryption uea <0-2> [<0-2>] [<0-2>]",</span><br><span> ENCRYPTION_STR</span><br><span style="color: hsl(0, 100%, 40%);">- "UTRAN (3G) encryption algorithms to allow: 0 = UEA0 (no encryption), 1 = UEA1, 2 = UEA2."</span><br><span style="color: hsl(0, 100%, 40%);">- " NOTE: the current implementation does not allow free choice of combining encryption algorithms yet."</span><br><span style="color: hsl(0, 100%, 40%);">- " The only valid settings are either 'encryption uea 0' or 'encryption uea 1 2'.\n"</span><br><span style="color: hsl(120, 100%, 40%);">+ "UTRAN (3G) encryption algorithms to allow: 0 = UEA0 (no encryption), 1 = UEA1, 2 = UEA2.\n"</span><br><span> "UEAn Algorithm Number\n"</span><br><span> "UEAn Algorithm Number\n"</span><br><span> "UEAn Algorithm Number\n"</span><br><span> )</span><br><span> {</span><br><span> unsigned int i;</span><br><span style="color: hsl(0, 100%, 40%);">- uint8_t mask = 0;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ gsmnet->uea_encryption_mask = 0;</span><br><span> for (i = 0; i < argc; i++)</span><br><span style="color: hsl(0, 100%, 40%);">- mask |= (1 << atoi(argv[i]));</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- if (mask == (1 << 0)) {</span><br><span style="color: hsl(0, 100%, 40%);">- /* UEA0. Disable encryption. */</span><br><span style="color: hsl(0, 100%, 40%);">- gsmnet->uea_encryption = false;</span><br><span style="color: hsl(0, 100%, 40%);">- } else if (mask == ((1 << 1) | (1 << 2))) {</span><br><span style="color: hsl(0, 100%, 40%);">- /* UEA1 and UEA2. Enable encryption. 
*/</span><br><span style="color: hsl(0, 100%, 40%);">- gsmnet->uea_encryption = true;</span><br><span style="color: hsl(0, 100%, 40%);">- } else {</span><br><span style="color: hsl(0, 100%, 40%);">- vty_out(vty,</span><br><span style="color: hsl(0, 100%, 40%);">- "%% Error: the current implementation does not allow free choice of combining%s"</span><br><span style="color: hsl(0, 100%, 40%);">- "%% encryption algorithms yet. The only valid settings are either%s"</span><br><span style="color: hsl(0, 100%, 40%);">- "%% encryption uea 0%s"</span><br><span style="color: hsl(0, 100%, 40%);">- "%% or%s"</span><br><span style="color: hsl(0, 100%, 40%);">- "%% encryption uea 1 2%s",</span><br><span style="color: hsl(0, 100%, 40%);">- VTY_NEWLINE, VTY_NEWLINE, VTY_NEWLINE, VTY_NEWLINE, VTY_NEWLINE);</span><br><span style="color: hsl(0, 100%, 40%);">- return CMD_WARNING;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(120, 100%, 40%);">+ gsmnet->uea_encryption_mask |= (1 << atoi(argv[i]));</span><br><span> </span><br><span> return CMD_SUCCESS;</span><br><span> }</span><br><span>@@ -385,10 +366,12 @@</span><br><span> }</span><br><span> vty_out(vty, "%s", VTY_NEWLINE);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- if (!gsmnet->uea_encryption)</span><br><span style="color: hsl(0, 100%, 40%);">- vty_out(vty, " encryption uea 0%s", VTY_NEWLINE);</span><br><span style="color: hsl(0, 100%, 40%);">- else</span><br><span style="color: hsl(0, 100%, 40%);">- vty_out(vty, " encryption uea 1 2%s", VTY_NEWLINE);</span><br><span style="color: hsl(120, 100%, 40%);">+ vty_out(vty, " encryption uea");</span><br><span style="color: hsl(120, 100%, 40%);">+ for (i = 0; i < 8; i++) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (gsmnet->uea_encryption_mask & (1 << i))</span><br><span style="color: hsl(120, 100%, 40%);">+ vty_out(vty, " %u", i);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span 
style="color: hsl(120, 100%, 40%);">+ vty_out(vty, "%s", VTY_NEWLINE);</span><br><span> vty_out(vty, " authentication %s%s",</span><br><span> gsmnet->authentication_required ? "required" : "optional", VTY_NEWLINE);</span><br><span> vty_out(vty, " rrlp mode %s%s", msc_rrlp_mode_name(gsmnet->rrlp.mode),</span><br><span>diff --git a/src/libmsc/ran_msg_iu.c b/src/libmsc/ran_msg_iu.c</span><br><span>index 6120918..0c4868e 100644</span><br><span>--- a/src/libmsc/ran_msg_iu.c</span><br><span>+++ b/src/libmsc/ran_msg_iu.c</span><br><span>@@ -367,9 +367,13 @@</span><br><span> const struct ran_cipher_mode_command *cm)</span><br><span> {</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- LOG_RAN_IU_ENC(caller_fi, LOGL_DEBUG, "Tx RANAP SECURITY MODE COMMAND to RNC, ik %s\n",</span><br><span style="color: hsl(0, 100%, 40%);">- osmo_hexdump_nospc(cm->vec->ik, 16));</span><br><span style="color: hsl(0, 100%, 40%);">- return ranap_new_msg_sec_mod_cmd(cm->vec->ik, cm->utran.uea_encryption ? cm->vec->ck : NULL, RANAP_KeyStatus_new);</span><br><span style="color: hsl(120, 100%, 40%);">+ LOG_RAN_IU_ENC(caller_fi, LOGL_DEBUG, "Tx RANAP SECURITY MODE COMMAND to RNC, IK=%s, CK=%s\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ osmo_hexdump_nospc(cm->vec->ik, 16),</span><br><span style="color: hsl(120, 100%, 40%);">+ cm->utran.uea_encryption_mask > 0x01 ? osmo_hexdump_nospc(cm->vec->ck, 16) : "NONE");</span><br><span style="color: hsl(120, 100%, 40%);">+ /* TODO: Do we need to check if the UE supports all of the algorithms and build an intersection like</span><br><span style="color: hsl(120, 100%, 40%);">+ * in the case of A5? */</span><br><span style="color: hsl(120, 100%, 40%);">+ return ranap_new_msg_sec_mod_cmd2(cm->vec->ik, cm->utran.uea_encryption_mask > 0x01 ? 
cm->vec->ck : NULL,</span><br><span style="color: hsl(120, 100%, 40%);">+ 0x06, cm->utran.uea_encryption_mask, RANAP_KeyStatus_new);</span><br><span> }</span><br><span> </span><br><span> </span><br><span>diff --git a/tests/msc_vlr/msc_vlr_test_umts_authen.c b/tests/msc_vlr/msc_vlr_test_umts_authen.c</span><br><span>index 46f8d98..e462ef4 100644</span><br><span>--- a/tests/msc_vlr/msc_vlr_test_umts_authen.c</span><br><span>+++ b/tests/msc_vlr/msc_vlr_test_umts_authen.c</span><br><span>@@ -50,7 +50,7 @@</span><br><span> "d3d36ff71c949e83c22072799e9687c5ec32a81d96afcbf4b4fb"</span><br><span> "0c7ac3e9e9b7db05";</span><br><span> bool encryption = (via_ran == OSMO_RAT_GERAN_A && net->a5_encryption_mask > 0x1)</span><br><span style="color: hsl(0, 100%, 40%);">- || (via_ran == OSMO_RAT_UTRAN_IU && net->uea_encryption);</span><br><span style="color: hsl(120, 100%, 40%);">+ || (via_ran == OSMO_RAT_UTRAN_IU && net->uea_encryption_mask > 0x1);</span><br><span> </span><br><span> net->authentication_required = true;</span><br><span> net->vlr->cfg.assign_tmsi = true;</span><br><span>@@ -333,7 +333,7 @@</span><br><span> static void test_umts_authen_utran()</span><br><span> {</span><br><span> comment_start();</span><br><span style="color: hsl(0, 100%, 40%);">- net->uea_encryption = false;</span><br><span style="color: hsl(120, 100%, 40%);">+ net->uea_encryption_mask = 0x01;</span><br><span> _test_umts_authen(OSMO_RAT_UTRAN_IU);</span><br><span> comment_end();</span><br><span> }</span><br><span>@@ -341,7 +341,7 @@</span><br><span> static void test_umts_auth_ciph_utran()</span><br><span> {</span><br><span> comment_start();</span><br><span style="color: hsl(0, 100%, 40%);">- net->uea_encryption = true;</span><br><span style="color: hsl(120, 100%, 40%);">+ net->uea_encryption_mask = 0x06;</span><br><span> _test_umts_authen(OSMO_RAT_UTRAN_IU);</span><br><span> comment_end();</span><br><span> }</span><br><span>@@ -361,7 +361,7 @@</span><br><span> struct vlr_subscr 
*vsub;</span><br><span> const char *imsi = "901700000010650";</span><br><span> bool encryption = (via_ran == OSMO_RAT_GERAN_A && net->a5_encryption_mask > 0x1)</span><br><span style="color: hsl(0, 100%, 40%);">- || (via_ran == OSMO_RAT_UTRAN_IU && net->uea_encryption);</span><br><span style="color: hsl(120, 100%, 40%);">+ || (via_ran == OSMO_RAT_UTRAN_IU && net->uea_encryption_mask > 0x1);</span><br><span> </span><br><span> net->authentication_required = true;</span><br><span> net->vlr->cfg.assign_tmsi = true;</span><br><span>@@ -588,7 +588,7 @@</span><br><span> static void test_umts_authen_resync_utran()</span><br><span> {</span><br><span> comment_start();</span><br><span style="color: hsl(0, 100%, 40%);">- net->uea_encryption = false;</span><br><span style="color: hsl(120, 100%, 40%);">+ net->uea_encryption_mask = 0x01;</span><br><span> _test_umts_authen_resync(OSMO_RAT_UTRAN_IU);</span><br><span> comment_end();</span><br><span> }</span><br><span>@@ -596,7 +596,7 @@</span><br><span> static void test_umts_auth_ciph_resync_utran()</span><br><span> {</span><br><span> comment_start();</span><br><span style="color: hsl(0, 100%, 40%);">- net->uea_encryption = true;</span><br><span style="color: hsl(120, 100%, 40%);">+ net->uea_encryption_mask = 0x06;</span><br><span> _test_umts_authen_resync(OSMO_RAT_UTRAN_IU);</span><br><span> comment_end();</span><br><span> }</span><br><span>diff --git a/tests/test_nodes.vty b/tests/test_nodes.vty</span><br><span>index f956a12..8a530a8 100644</span><br><span>--- a/tests/test_nodes.vty</span><br><span>+++ b/tests/test_nodes.vty</span><br><span>@@ -31,7 +31,7 @@</span><br><span> encryption Encryption options</span><br><span> OsmoMSC(config-net)# encryption ?</span><br><span> a5 GSM A5 Air Interface Encryption.</span><br><span style="color: hsl(0, 100%, 40%);">- uea UTRAN (3G) encryption algorithms to allow: 0 = UEA0 (no encryption), 1 = UEA1, 2 = UEA2. 
NOTE: the current implementation does not allow free choice of combining encryption algorithms yet. The only valid settings are either 'encryption uea 0' or 'encryption uea 1 2'.</span><br><span style="color: hsl(120, 100%, 40%);">+ uea UTRAN (3G) encryption algorithms to allow: 0 = UEA0 (no encryption), 1 = UEA1, 2 = UEA2.</span><br><span> </span><br><span> OsmoMSC(config-net)# encryption uea ?</span><br><span> <0-2> UEAn Algorithm Number</span><br><span>@@ -187,38 +187,27 @@</span><br><span> ...</span><br><span> </span><br><span> OsmoMSC(config-net)# encryption uea 1</span><br><span style="color: hsl(0, 100%, 40%);">-% Error: the current implementation does not allow free choice of combining</span><br><span style="color: hsl(0, 100%, 40%);">-% encryption algorithms yet. The only valid settings are either</span><br><span style="color: hsl(0, 100%, 40%);">-% encryption uea 0</span><br><span style="color: hsl(0, 100%, 40%);">-% or</span><br><span style="color: hsl(0, 100%, 40%);">-% encryption uea 1 2</span><br><span> OsmoMSC(config-net)# show running-config</span><br><span> ...</span><br><span style="color: hsl(0, 100%, 40%);">- encryption uea 0</span><br><span style="color: hsl(120, 100%, 40%);">+ encryption uea 1</span><br><span> ...</span><br><span> </span><br><span> OsmoMSC(config-net)# encryption uea 2</span><br><span style="color: hsl(0, 100%, 40%);">-% Error: the current implementation does not allow free choice of combining</span><br><span style="color: hsl(0, 100%, 40%);">-...</span><br><span> OsmoMSC(config-net)# show running-config</span><br><span> ...</span><br><span style="color: hsl(0, 100%, 40%);">- encryption uea 0</span><br><span style="color: hsl(120, 100%, 40%);">+ encryption uea 2</span><br><span> ...</span><br><span> </span><br><span> OsmoMSC(config-net)# encryption uea 0 1</span><br><span style="color: hsl(0, 100%, 40%);">-% Error: the current implementation does not allow free choice of combining</span><br><span style="color: hsl(0, 100%, 
40%);">-...</span><br><span> OsmoMSC(config-net)# show running-config</span><br><span> ...</span><br><span style="color: hsl(0, 100%, 40%);">- encryption uea 0</span><br><span style="color: hsl(120, 100%, 40%);">+ encryption uea 0 1</span><br><span> ...</span><br><span> </span><br><span> OsmoMSC(config-net)# encryption uea 0 2</span><br><span style="color: hsl(0, 100%, 40%);">-% Error: the current implementation does not allow free choice of combining</span><br><span style="color: hsl(0, 100%, 40%);">-...</span><br><span> OsmoMSC(config-net)# show running-config</span><br><span> ...</span><br><span style="color: hsl(0, 100%, 40%);">- encryption uea 0</span><br><span style="color: hsl(120, 100%, 40%);">+ encryption uea 0 2</span><br><span> ...</span><br><span> </span><br><span> OsmoMSC(config-net)# encryption uea 1 2</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-msc/+/22766">change 22766</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-msc/+/22766"/><meta itemprop="name" content="View Change"/></div></div>
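-...</span>">
<p>Review bot: in the gsm_04_08.c hunk at @@ -412,7 +412,7 @@ (and the two identical replacements at -803 and -1180), the predicate <code>net->uea_encryption_mask > 0x01</code> turns any mask with a bit above UEA0 into "true", so <code>encryption uea 0 1</code> (mask 0x03) passes the same boolean to the VLR as <code>encryption uea 1 2</code> while the mask itself still lists UEA0 as permitted. Decide whether UEA0 combined with other algorithms means "ciphering optional" or "ciphering required" and state it in the comment on <code>uea_encryption_mask</code>; either way, the same <code>> 0x01</code> test is now spelled out in three call sites here plus ran_msg_iu.c and the tests, so a small helper next to the mask (e.g. a hypothetical <code>net_uea_encryption_required(net)</code>) would keep them from drifting.</p>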
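-...</span>">
<p>Review bot: in the msc_vty.c hunk at @@ -173,36 +173,17 @@, the removed local <code>mask</code> was the only thing standing between argument parsing and the live configuration; with <code>gsmnet->uea_encryption_mask = 0;</code> followed by <code>|=</code> per argument, any validation added later (for instance refusing UEA0 alongside UEA1/UEA2, or rejecting the same number given twice) would return CMD_WARNING with a partially rewritten mask. Keeping <code>uint8_t mask = 0;</code>, building it in the loop and assigning <code>gsmnet->uea_encryption_mask = mask;</code> at the end costs one line and preserves the old atomic behaviour. The help string is also the only place that now documents the permitted set; a short sentence that the listed algorithms are offered to the RNC and that listing 0 permits unencrypted connections would help operators.</p>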
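-...</span>">
<p>Review bot: in the msc_vty.c hunk at @@ -385,10 +366,12 @@, the write-back loop <code>for (i = 0; i < 8; i++)</code> relies on <code>i</code> already being declared for the A5 loop that ends just above; fine if that is the case, but it also means a mask bit 3..7 (settable only from code, not from the <code>&lt;0-2&gt;</code> command) would be written as e.g. <code>encryption uea 5</code>, which the config parser then refuses to read back. Either bound the loop to the values the command accepts or widen the command's range so that what <code>show running-config</code> emits is always re-loadable. Note also that the loop canonicalises order: <code>encryption uea 2 1</code> is written back as <code>encryption uea 1 2</code>.</p>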
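-...</span>">
<p>Review bot: in the ran_msg_iu.c hunk at @@ -367,9 +367,13 @@, the literal <code>0x06</code> passed as the third argument of <code>ranap_new_msg_sec_mod_cmd2()</code> is unexplained; given that the next argument is <code>cm->utran.uea_encryption_mask</code> it looks like a fixed integrity-algorithm mask, so name it or at least comment it, and consider whether it should be configurable the same way the UEA mask now is. Two further points: the new debug line prints CK next to IK, so both keys of the security context now land in logs at LOGL_DEBUG, which is worth a deliberate decision rather than a side effect of the rewrite; and the TODO about intersecting the mask with the UE's capabilities, as is done for A5, should reference a tracking issue so it does not get lost once this merges.</p>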
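-...</span>">
<p>Review bot: in the msc_vlr_test_umts_authen.c hunk at @@ -333,7 +333,7 @@, the UTRAN cases only exercise <code>0x01</code> (UEA0 alone) and <code>0x06</code> (UEA1|UEA2), i.e. exactly the two settings the old bool could express. The point of this change is that other combinations are now accepted, and the <code>net->uea_encryption_mask > 0x1</code> expectation in <code>_test_umts_authen()</code> is what fixes their semantics, so a case with UEA0 mixed in (for example <code>net->uea_encryption_mask = 0x03;</code>) and one with a single non-zero algorithm (<code>0x02</code>) would pin down the behaviour that is currently only implied.</p>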
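-...</span>">
<p>Review bot: in the test_nodes.vty hunk at @@ -187,38 +187,27 @@, the removed error blocks are replaced by plain <code>show running-config</code> echoes, which is the right shape, but the new expectations cover only inputs that are already in ascending order. Adding <code>encryption uea 2 1</code> (expected to be written back as <code>encryption uea 1 2</code> by the new write loop) and <code>encryption uea 1 1</code> (expected to collapse to <code>encryption uea 1</code>) would document the normalisation an operator will see when they diff their saved config against what they typed.</p>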
<div style="display:none"> Gerrit-Project: osmo-msc </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I91f9e50f9c1439aa19528f887b83ae9de628fcfd </div>
<div style="display:none"> Gerrit-Change-Number: 22766 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: laforge <laforge@osmocom.org> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>