<p>lynxis lazus has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/osmo-msc/+/25832">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">Validate the choosen UTRAN encryption algorithm<br><br>RANAP Security Command can include an encryption IE. If it includes<br>it the RNC can still ignore it (e.g. unsupported encryption) and<br>return the Security Command Complete with an choosen encryption IE:<br>"no encryption".<br>Validate the encryption element and ensure the encryption is included in<br>the encryption mask.<br><br>Closes: OS#4144<br>Change-Id: Icfc135c8b8ae862defe7114db492af600c26407f<br>---<br>M include/osmocom/msc/ran_msg.h<br>M src/libmsc/msc_a.c<br>M src/libmsc/ran_msg_iu.c<br>M tests/msc_vlr/msc_vlr_test_authen_reuse.c<br>M tests/msc_vlr/msc_vlr_test_call.c<br>M tests/msc_vlr/msc_vlr_test_umts_authen.c<br>M tests/msc_vlr/msc_vlr_tests.c<br>M tests/msc_vlr/msc_vlr_tests.h<br>8 files changed, 53 insertions(+), 18 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/32/25832/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/include/osmocom/msc/ran_msg.h b/include/osmocom/msc/ran_msg.h</span><br><span>index 363a299..55b88ea 100644</span><br><span>--- a/include/osmocom/msc/ran_msg.h</span><br><span>+++ b/include/osmocom/msc/ran_msg.h</span><br><span>@@ -215,6 +215,12 @@</span><br><span> * alg_id == 1 means A5/0 i.e. no encryption, alg_id == 4 means A5/3.</span><br><span> * alg_id == 0 means no such IE was present. */</span><br><span> uint8_t alg_id;</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! utran integrity protection. 0..15 */</span><br><span style="color: hsl(120, 100%, 40%);">+ int16_t utran_integrity;</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! utran_integrity is in encoded format:</span><br><span style="color: hsl(120, 100%, 40%);">+ * utran_integrity == -1 means no such IE was present</span><br><span style="color: hsl(120, 100%, 40%);">+ * utran_integrity == 0 means no encryption. */</span><br><span style="color: hsl(120, 100%, 40%);">+ int16_t utran_encryption;</span><br><span> const char *imeisv;</span><br><span> const struct tlv_p_entry *l3_msg;</span><br><span> } cipher_mode_complete;</span><br><span>diff --git a/src/libmsc/msc_a.c b/src/libmsc/msc_a.c</span><br><span>index a8fa7e0..4104ea7 100644</span><br><span>--- a/src/libmsc/msc_a.c</span><br><span>+++ b/src/libmsc/msc_a.c</span><br><span>@@ -1403,6 +1403,7 @@</span><br><span> int msc_a_ran_dec_from_msc_i(struct msc_a *msc_a, struct msc_a_ran_dec_data *d)</span><br><span> {</span><br><span> struct vlr_subscr *vsub = msc_a_vsub(msc_a);</span><br><span style="color: hsl(120, 100%, 40%);">+ struct gsm_network *net = msc_a_net(msc_a);</span><br><span> const struct ran_msg *msg = d->ran_dec;</span><br><span> int rc = -99;</span><br><span> </span><br><span>@@ -1458,7 +1459,25 @@</span><br><span> msc_a->geran_encr.alg_id = msg->cipher_mode_complete.alg_id;</span><br><span> LOG_MSC_A(msc_a, LOGL_DEBUG, "Cipher Mode Complete: chosen encryption algorithm: A5/%u\n",</span><br><span> msc_a->geran_encr.alg_id - 1);</span><br><span style="color: hsl(0, 100%, 40%);">- };</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (msc_a->c.ran->type == OSMO_RAT_UTRAN_IU) {</span><br><span style="color: hsl(120, 100%, 40%);">+ int16_t utran_encryption;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* utran: ensure choosen ciphering mode is allowed</span><br><span style="color: hsl(120, 100%, 40%);">+ * If the IE is missing (utran_encryption == -1), parse it as no encryption */</span><br><span style="color: hsl(120, 100%, 40%);">+ utran_encryption = msg->cipher_mode_complete.utran_encryption;</span><br><span style="color: hsl(120, 100%, 40%);">+ if (utran_encryption == -1)</span><br><span style="color: hsl(120, 100%, 40%);">+ utran_encryption = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ if ((net->uea_encryption_mask & (1 << utran_encryption)) == 0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* cipher disallowed */</span><br><span style="color: hsl(120, 100%, 40%);">+ LOG_MSC_A(msc_a, LOGL_ERROR, "Cipher Mode Complete: RNC choosen forbidden ciphering UEA%d\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ msg->cipher_mode_complete.utran_encryption);</span><br><span style="color: hsl(120, 100%, 40%);">+ vlr_subscr_rx_ciph_res(vsub, VLR_CIPH_REJECT);</span><br><span style="color: hsl(120, 100%, 40%);">+ rc = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ break;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> vlr_subscr_rx_ciph_res(vsub, VLR_CIPH_COMPL);</span><br><span> rc = 0;</span><br><span> </span><br><span>diff --git a/src/libmsc/ran_msg_iu.c b/src/libmsc/ran_msg_iu.c</span><br><span>index 7b3dd1c..77a2700 100644</span><br><span>--- a/src/libmsc/ran_msg_iu.c</span><br><span>+++ b/src/libmsc/ran_msg_iu.c</span><br><span>@@ -211,12 +211,21 @@</span><br><span> ranap_free_rab_setupormodifieditemies(&setup_ies);</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-static void ran_iu_decode_security_mode_complete(struct ran_dec *ran_iu_decode)</span><br><span style="color: hsl(120, 100%, 40%);">+static void ran_iu_decode_security_mode_complete(struct ran_dec *ran_iu_decode, const RANAP_SecurityModeCompleteIEs_t *ies)</span><br><span> {</span><br><span> struct ran_msg ran_dec_msg = {</span><br><span> .msg_type = RAN_MSG_CIPHER_MODE_COMPLETE,</span><br><span> .msg_name = "RANAP SecurityModeControl successfulOutcome",</span><br><span style="color: hsl(120, 100%, 40%);">+ .cipher_mode_complete = {</span><br><span style="color: hsl(120, 100%, 40%);">+ .utran_integrity = ies->chosenIntegrityProtectionAlgorithm,</span><br><span style="color: hsl(120, 100%, 40%);">+ .utran_encryption = -1,</span><br><span style="color: hsl(120, 100%, 40%);">+ },</span><br><span> };</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ies->presenceMask & SECURITYMODECOMPLETEIES_RANAP_CHOSENENCRYPTIONALGORITHM_PRESENT) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ran_dec_msg.cipher_mode_complete.utran_encryption = ies->chosenEncryptionAlgorithm;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> ran_decoded(ran_iu_decode, &ran_dec_msg);</span><br><span> }</span><br><span> </span><br><span>@@ -272,7 +281,7 @@</span><br><span> case RANAP_ProcedureCode_id_SecurityModeControl:</span><br><span> switch (message->direction) {</span><br><span> case RANAP_RANAP_PDU_PR_successfulOutcome:</span><br><span style="color: hsl(0, 100%, 40%);">- ran_iu_decode_security_mode_complete(ran_iu_decode);</span><br><span style="color: hsl(120, 100%, 40%);">+ ran_iu_decode_security_mode_complete(ran_iu_decode, &message->msg.securityModeCompleteIEs);</span><br><span> return;</span><br><span> case RANAP_RANAP_PDU_PR_unsuccessfulOutcome:</span><br><span> ran_iu_decode_security_mode_reject(ran_iu_decode);</span><br><span>diff --git a/tests/msc_vlr/msc_vlr_test_authen_reuse.c b/tests/msc_vlr/msc_vlr_test_authen_reuse.c</span><br><span>index f8f9383..870f993 100644</span><br><span>--- a/tests/msc_vlr/msc_vlr_test_authen_reuse.c</span><br><span>+++ b/tests/msc_vlr/msc_vlr_test_authen_reuse.c</span><br><span>@@ -99,7 +99,7 @@</span><br><span> </span><br><span> btw("MS sends SecurityModeControl acceptance, VLR accepts and sends GSUP LU Req to HLR");</span><br><span> gsup_expect_tx("04010809710000000156f0" CN_DOMAIN VLR_TO_HLR);</span><br><span style="color: hsl(0, 100%, 40%);">- ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+ ms_sends_security_mode_complete(1);</span><br><span> VERBOSE_ASSERT(gsup_tx_confirmed, == true, "%d");</span><br><span> VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");</span><br><span> }</span><br><span>@@ -170,7 +170,7 @@</span><br><span> VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");</span><br><span> </span><br><span> btw("MS sends SecurityModeControl acceptance, VLR accepts; above Ciphering is an implicit CM Service Accept");</span><br><span style="color: hsl(0, 100%, 40%);">- ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+ ms_sends_security_mode_complete(1);</span><br><span> VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");</span><br><span> }</span><br><span> </span><br><span>@@ -239,7 +239,7 @@</span><br><span> VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");</span><br><span> </span><br><span> btw("MS sends SecurityModeControl acceptance, VLR accepts; above Ciphering is an implicit CM Service Accept");</span><br><span style="color: hsl(0, 100%, 40%);">- ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+ ms_sends_security_mode_complete(1);</span><br><span> VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");</span><br><span> }</span><br><span> </span><br><span>diff --git a/tests/msc_vlr/msc_vlr_test_call.c b/tests/msc_vlr/msc_vlr_test_call.c</span><br><span>index 9ab1066..a547935 100644</span><br><span>--- a/tests/msc_vlr/msc_vlr_test_call.c</span><br><span>+++ b/tests/msc_vlr/msc_vlr_test_call.c</span><br><span>@@ -128,7 +128,7 @@</span><br><span> </span><br><span> btw("MS sends SecurityModeControl acceptance, VLR accepts and sends GSUP LU Req to HLR");</span><br><span> gsup_expect_tx("04010809710000000156f0" CN_DOMAIN VLR_TO_HLR);</span><br><span style="color: hsl(0, 100%, 40%);">- ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+ ms_sends_security_mode_complete(1);</span><br><span> VERBOSE_ASSERT(gsup_tx_confirmed, == true, "%d");</span><br><span> VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");</span><br><span> </span><br><span>@@ -197,7 +197,7 @@</span><br><span> VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");</span><br><span> </span><br><span> btw("MS sends SecurityModeControl acceptance, VLR accepts; above Ciphering is an implicit CM Service Accept");</span><br><span style="color: hsl(0, 100%, 40%);">- ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+ ms_sends_security_mode_complete(1);</span><br><span> VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");</span><br><span> </span><br><span> BTW("a call is initiated");</span><br><span>@@ -317,7 +317,7 @@</span><br><span> </span><br><span> btw("MS sends SecurityModeControl acceptance, VLR accepts, sends CC Setup");</span><br><span> dtap_expect_tx("0305" /* CC: Setup */);</span><br><span style="color: hsl(0, 100%, 40%);">- ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+ ms_sends_security_mode_complete(1);</span><br><span> </span><br><span> btw("MS confirms call, we create a RAN-side RTP and forward MNCC_CALL_CONF_IND");</span><br><span> expect_crcx(RTP_TO_RAN);</span><br><span>@@ -420,7 +420,7 @@</span><br><span> </span><br><span> btw("MS sends SecurityModeControl acceptance, VLR accepts, sends CC Setup");</span><br><span> dtap_expect_tx("0305" /* CC: Setup */);</span><br><span style="color: hsl(0, 100%, 40%);">- ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+ ms_sends_security_mode_complete(1);</span><br><span> </span><br><span> btw("MS confirms call, we create a RAN-side RTP and forward MNCC_CALL_CONF_IND");</span><br><span> expect_crcx(RTP_TO_RAN);</span><br><span>@@ -509,7 +509,7 @@</span><br><span> VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");</span><br><span> </span><br><span> btw("MS sends SecurityModeControl acceptance, VLR accepts; above Ciphering is an implicit CM Service Accept");</span><br><span style="color: hsl(0, 100%, 40%);">- ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+ ms_sends_security_mode_complete(1);</span><br><span> VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");</span><br><span> </span><br><span> BTW("a call is initiated");</span><br><span>@@ -605,7 +605,7 @@</span><br><span> VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");</span><br><span> </span><br><span> btw("MS sends SecurityModeControl acceptance, VLR accepts; above Ciphering is an implicit CM Service Accept");</span><br><span style="color: hsl(0, 100%, 40%);">- ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+ ms_sends_security_mode_complete(1);</span><br><span> VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");</span><br><span> </span><br><span> BTW("a call is initiated");</span><br><span>diff --git a/tests/msc_vlr/msc_vlr_test_umts_authen.c b/tests/msc_vlr/msc_vlr_test_umts_authen.c</span><br><span>index e462ef4..655183b 100644</span><br><span>--- a/tests/msc_vlr/msc_vlr_test_umts_authen.c</span><br><span>+++ b/tests/msc_vlr/msc_vlr_test_umts_authen.c</span><br><span>@@ -138,7 +138,7 @@</span><br><span> </span><br><span> btw("MS sends SecurityModeControl acceptance, VLR accepts and sends GSUP LU Req to HLR");</span><br><span> gsup_expect_tx("04010809710000000156f0" CN_DOMAIN VLR_TO_HLR);</span><br><span style="color: hsl(0, 100%, 40%);">- ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+ ms_sends_security_mode_complete(1);</span><br><span> VERBOSE_ASSERT(gsup_tx_confirmed, == true, "%d");</span><br><span> VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");</span><br><span> }</span><br><span>@@ -211,7 +211,7 @@</span><br><span> VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");</span><br><span> </span><br><span> btw("MS sends SecurityModeControl acceptance, VLR accepts; above Ciphering is an implicit CM Service Accept");</span><br><span style="color: hsl(0, 100%, 40%);">- ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+ ms_sends_security_mode_complete(1);</span><br><span> VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");</span><br><span> }</span><br><span> } else {</span><br><span>@@ -278,7 +278,7 @@</span><br><span> </span><br><span> btw("MS sends SecurityModeControl acceptance, VLR accepts and sends SMS");</span><br><span> dtap_expect_tx(sms);</span><br><span style="color: hsl(0, 100%, 40%);">- ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+ ms_sends_security_mode_complete(1);</span><br><span> }</span><br><span> } else {</span><br><span> /* Encryption disabled */</span><br><span>@@ -530,7 +530,7 @@</span><br><span> </span><br><span> btw("MS sends SecurityModeControl acceptance, VLR accepts and sends GSUP LU Req to HLR");</span><br><span> gsup_expect_tx("04010809710000000156f0" CN_DOMAIN VLR_TO_HLR);</span><br><span style="color: hsl(0, 100%, 40%);">- ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+ ms_sends_security_mode_complete(1);</span><br><span> VERBOSE_ASSERT(gsup_tx_confirmed, == true, "%d");</span><br><span> VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");</span><br><span> }</span><br><span>diff --git a/tests/msc_vlr/msc_vlr_tests.c b/tests/msc_vlr/msc_vlr_tests.c</span><br><span>index 102fba7..fbd2540 100644</span><br><span>--- a/tests/msc_vlr/msc_vlr_tests.c</span><br><span>+++ b/tests/msc_vlr/msc_vlr_tests.c</span><br><span>@@ -986,12 +986,13 @@</span><br><span> g_msub = NULL;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-void ms_sends_security_mode_complete()</span><br><span style="color: hsl(120, 100%, 40%);">+void ms_sends_security_mode_complete(uint8_t utran_encryption)</span><br><span> {</span><br><span> struct ran_msg ran_dec;</span><br><span> </span><br><span> ran_dec = (struct ran_msg){</span><br><span> .msg_type = RAN_MSG_CIPHER_MODE_COMPLETE,</span><br><span style="color: hsl(120, 100%, 40%);">+ .cipher_mode_complete.utran_encryption = utran_encryption,</span><br><span> };</span><br><span> fake_msc_a_ran_dec(&ran_dec);</span><br><span> </span><br><span>diff --git a/tests/msc_vlr/msc_vlr_tests.h b/tests/msc_vlr/msc_vlr_tests.h</span><br><span>index 23dc9da..a2b2f22 100644</span><br><span>--- a/tests/msc_vlr/msc_vlr_tests.h</span><br><span>+++ b/tests/msc_vlr/msc_vlr_tests.h</span><br><span>@@ -184,7 +184,7 @@</span><br><span> void ms_sends_msg(const char *hex);</span><br><span> void ms_sends_classmark_update(const struct osmo_gsm48_classmark *classmark);</span><br><span> void ms_sends_ciphering_mode_complete(const char *inner_nas_msg);</span><br><span style="color: hsl(0, 100%, 40%);">-void ms_sends_security_mode_complete();</span><br><span style="color: hsl(120, 100%, 40%);">+void ms_sends_security_mode_complete(uint8_t utran_encryption);</span><br><span> void ms_sends_assignment_complete(enum mgcp_codecs assigned_codec);</span><br><span> void gsup_rx(const char *rx_hex, const char *expect_tx_hex);</span><br><span> void send_sms(struct vlr_subscr *receiver,</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-msc/+/25832">change 25832</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-msc/+/25832"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: osmo-msc </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: Icfc135c8b8ae862defe7114db492af600c26407f </div>
<div style="display:none"> Gerrit-Change-Number: 25832 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: lynxis lazus <lynxis@fe80.eu> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>