pespin has submitted this change. ( https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/37891?usp=email ) Change subject: S1AP_Emulation: Fix building security headers for Integrity and Ciphering ...................................................................... S1AP_Emulation: Fix building security headers for Integrity and Ciphering The fact that the network instructs the UE to use EEA0 encryption (null algo) doesn't mean the UE should mark the NAS frames in the security header as non-ciphered. They need to be marked as IP+ciphered in the outer header, and as plain in the inner one. Now TTCN3 behaves like a UE recorded while executing a similar test case. Moreover, wireshark is now happy decoding the messages. Change-Id: Ifd4fe83e7b5aefdaafe7ce1c8b1ec6a67c65819c --- M library/S1AP_Emulation.ttcn M mme/LTE_CryptoFunctions.ttcn M mme/MME_Tests.ttcn 3 files changed, 41 insertions(+), 18 deletions(-) Approvals: Jenkins Builder: Verified laforge: Looks good to me, but someone else must approve pespin: Looks good to me, approved diff --git a/library/S1AP_Emulation.ttcn b/library/S1AP_Emulation.ttcn index bc117ac..f81441f 100644 --- a/library/S1AP_Emulation.ttcn +++ b/library/S1AP_Emulation.ttcn @@ -74,7 +74,8 @@ type union S1APEM_Config { NAS_Keys set_nas_keys, ResetNAScounts reset_nas_counts, - NAS_ALG_INT set_nas_alg_int + NAS_ALG_INT set_nas_alg_int, + NAS_ALG_ENC set_nas_alg_enc }; type enumerated S1APEM_EventUpDown { @@ -443,6 +444,15 @@ [] S1AP_CLIENT.receive(S1APEM_Config:{set_nas_alg_int:=?}) -> value s1cfg sender vc_conn { var integer assoc_id := f_assoc_id_by_comp(vc_conn); S1apAssociationTable[assoc_id].nus.alg_int := s1cfg.set_nas_alg_int; + /* Mark ciphering even if using EIA0: */ + S1apAssociationTable[assoc_id].nus.use_int := true; + } + /* Configuration primitive from client */ + [] S1AP_CLIENT.receive(S1APEM_Config:{set_nas_alg_enc:=?}) -> value s1cfg sender vc_conn { + var integer assoc_id := f_assoc_id_by_comp(vc_conn); + S1apAssociationTable[assoc_id].nus.alg_enc := s1cfg.set_nas_alg_enc; + /* Mark ciphering even if using EEA0: */ + S1apAssociationTable[assoc_id].nus.use_enc := true; } /* S1AP from client: InitialUE */ [] S1AP_CLIENT.receive(tr_S1AP_InitialUE) -> value msg sender vc_conn { diff --git a/mme/LTE_CryptoFunctions.ttcn b/mme/LTE_CryptoFunctions.ttcn index c223409..48b5a07 100644 --- a/mme/LTE_CryptoFunctions.ttcn +++ b/mme/LTE_CryptoFunctions.ttcn @@ -89,7 +89,9 @@ octetstring k_nas_enc, /* NAS Encryption Key */ integer rx_count, /* frame counter (ATS rx side) */ integer tx_count, /* frame counter (ATS tx side) */ - boolean new_ctx /* Use "New EPS Security Context" when building next sec_hdr_t */ + boolean new_ctx, /* Use "New EPS Security Context" when building next sec_hdr_t */ + boolean use_int, /* Whether to use "Integrity" in sec_hdr_t */ + boolean use_enc /* Whether to use "Ciphering" in sec_hdr_t */ }; template (value) NAS_UE_State t_NAS_UE_State(NAS_Role role) := { @@ -100,7 +102,9 @@ k_nas_enc := ''O, rx_count := 0, tx_count := 0, - new_ctx := false + new_ctx := false, + use_int := false, + use_enc := false }; type enumerated NAS_Role { @@ -245,16 +249,10 @@ function f_nas_encaps(inout NAS_UE_State nus, PDU_NAS_EPS nas_in) return PDU_NAS_EPS { - var boolean encrypt := false; - var boolean authenticate := false; - if (nus.alg_int != NAS_ALG_IP_EIA0) { - authenticate := true; - } - if (nus.alg_enc != NAS_ALG_ENC_EEA0) { - encrypt := true; - } + var BIT4 sec_hdr_t; + var PDU_NAS_EPS nas_out; - if (encrypt == false and authenticate == false) { + if (nus.use_enc == false and nus.use_int == false) { return nas_in; } @@ -262,15 +260,15 @@ nus.tx_count := 0; } - var BIT4 sec_hdr_t := f_nas_determine_sec_hdr_t(encrypt, authenticate, nus.new_ctx); var octetstring nas_enc := enc_PDU_NAS_EPS(nas_in); - if (encrypt) { + if (nus.use_enc) { f_nas_encrypt(nus.alg_enc, nus.k_nas_enc, nus.tx_count, 0, f_tx_is_downlink(nus), nas_enc); } - var PDU_NAS_EPS nas_out; + + sec_hdr_t := f_nas_determine_sec_hdr_t(nus.use_enc, nus.use_int, nus.new_ctx); nas_out := valueof(ts_NAS_EMM_SecurityProtected(sec_hdr_t, nus.tx_count, nas_enc)); - if (authenticate) { + if (nus.use_int) { var OCT4 mac := f_nas_mac_calc(nus.alg_int, nus.k_nas_int, nus.tx_count, 0, f_tx_is_downlink(nus), '00'O & nas_enc); nas_out.ePS_messages.ePS_MobilityManagement.pDU_NAS_EPS_SecurityProtectedNASMessage.messageAuthenticationCode := mac; diff --git a/mme/MME_Tests.ttcn b/mme/MME_Tests.ttcn index 7a6b34c..4edeb99 100644 --- a/mme/MME_Tests.ttcn +++ b/mme/MME_Tests.ttcn @@ -602,6 +602,7 @@ } private altstep as_s1ap_handle_sec_mode() runs on ConnHdlr { + var S1APEM_Config cfg; var PDU_NAS_EPS rx_nas; var NAS_SecurityAlgorithmsV alg := { typeOfIntegrityProtection := '001'B, @@ -614,6 +615,20 @@ tSC := '0'B }; [] S1AP.receive(tr_NAS_SecModeCmd(alg, kset_id, ?)) { + /* TODO: apply below integrity and ciphering based on + * Security Mode Command field "NAS security algorithms - Selected NAS security algorithms"*/ + + /* Configure integrity protection: */ + cfg := { + set_nas_alg_int := NAS_ALG_IP_EIA1 + }; + S1AP.send(cfg); + /* Configure Ciphering: */ + cfg := { + set_nas_alg_enc := NAS_ALG_ENC_EEA0 + }; + S1AP.send(cfg); + S1AP.send(ts_NAS_SecModeCmpl); } } @@ -682,8 +697,8 @@ S1AP.send(ts_S1AP_InitialCtxSetupResp(valueof(mme_ue_id), valueof(enb_ue_id), rab_setup_items)); /* 3GPP TS 23.401 D.3.6 step 23: */ - /* Integrity Protection: TS 24.301 Section 4.4.4.3*/ - S1AP.send(ts_PDU_NAS_EPS_TrackingAreaUpdateComplete(c_EPS_SEC_IP)); + /* Integrity Protection and Ciphering implemented by S1AP_Emulation: */ + S1AP.send(ts_PDU_NAS_EPS_TrackingAreaUpdateComplete(c_EPS_SEC_NONE)); } [] S1AP.receive(PDU_NAS_EPS:?) -> value rx_nas { Misc_Helpers.f_shutdown(__BFILE__, __LINE__, fail, log2str("Rx Unexpected NAS PDU msg: ", rx_nas)); -- To view, visit https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/37891?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: osmo-ttcn3-hacks Gerrit-Branch: master Gerrit-Change-Id: Ifd4fe83e7b5aefdaafe7ce1c8b1ec6a67c65819c Gerrit-Change-Number: 37891 Gerrit-PatchSet: 3 Gerrit-Owner: pespin <pespin(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: daniel <dwillmann(a)sysmocom.de> Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: lynxis lazus <lynxis(a)fe80.eu> Gerrit-Reviewer: pespin <pespin(a)sysmocom.de>