This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Harald Welte gerrit-no-reply at lists.osmocom.orgHello Jenkins Builder,
I'd like you to reexamine a change. Please visit
https://gerrit.osmocom.org/5559
to look at the new patch set (#2).
Permit a set of multiple different A5 ciphers
So far, the administrator had to pick one particular cipher which
would then be used throughout all subscribers/phones. This is a bit
impractical, as e.g. not all phones support A5/3. Extend the VTY
command syntax in a backwards-compatible way to permit for multiple
ciphers.
NOTE: Like the previous code, OsmoMSC does *not yet check* whether
the configured cipher is compatible with the MS capabilities as
reported in CLASSMARK! The network hence might choose an algorithm
not supported by the phone. Fixing this is subject to another patch.
Closes: OS#2460
Change-Id: I79a4e2892eb5fbecc3d84e11dceffb7149db264b
---
M include/osmocom/msc/gsm_data.h
M src/libcommon-cs/common_cs.c
M src/libcommon-cs/common_cs_vty.c
M src/libmsc/gsm_04_08.c
M src/libmsc/msc_vty.c
M tests/msc_vlr/msc_vlr_test_gsm_ciph.c
M tests/msc_vlr/msc_vlr_test_gsm_ciph.err
M tests/msc_vlr/msc_vlr_tests.c
8 files changed, 49 insertions(+), 30 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/59/5559/2
diff --git a/include/osmocom/msc/gsm_data.h b/include/osmocom/msc/gsm_data.h
index 1b0bff9..cb6b3c0 100644
--- a/include/osmocom/msc/gsm_data.h
+++ b/include/osmocom/msc/gsm_data.h
@@ -369,7 +369,8 @@
regex_t authorized_regexp;
char *authorized_reg_str;
enum gsm48_reject_value reject_cause;
- int a5_encryption;
+ /* bit-mask of permitted encryption algorithms. LSB=A5/0, MSB=A5/7 */
+ uint8_t a5_encryption_mask;
bool authentication_required;
int neci;
int send_mm_info;
diff --git a/src/libcommon-cs/common_cs.c b/src/libcommon-cs/common_cs.c
index 4748865..9edf7c5 100644
--- a/src/libcommon-cs/common_cs.c
+++ b/src/libcommon-cs/common_cs.c
@@ -56,6 +56,8 @@
net->country_code = country_code;
net->network_code = network_code;
+ /* Permit a compile-time default of A5/3 and A5/1 */
+ net->a5_encryption_mask = (1 << 3) | (1 << 1);
/* Use 30 min periodic update interval as sane default */
net->t3212 = 5;
diff --git a/src/libcommon-cs/common_cs_vty.c b/src/libcommon-cs/common_cs_vty.c
index 4754531..8c9f127 100644
--- a/src/libcommon-cs/common_cs_vty.c
+++ b/src/libcommon-cs/common_cs_vty.c
@@ -155,15 +155,20 @@
DEFUN(cfg_net_encryption,
cfg_net_encryption_cmd,
- "encryption a5 (0|1|2|3)",
+ "encryption a5 <0-3> [<0-3>] [<0-3>] [<0-3>]",
"Encryption options\n"
- "A5 encryption\n" "A5/0: No encryption\n"
- "A5/1: Encryption\n" "A5/2: Export-grade Encryption\n"
- "A5/3: 'New' Secure Encryption\n")
+ "GSM A5 Air Interface Encryption\n"
+ "A5/n Algorithm Number\n"
+ "A5/n Algorithm Number\n"
+ "A5/n Algorithm Number\n"
+ "A5/n Algorithm Number\n")
{
struct gsm_network *gsmnet = gsmnet_from_vty(vty);
+ unsigned int i;
- gsmnet->a5_encryption = atoi(argv[0]);
+ gsmnet->a5_encryption_mask = 0;
+ for (i = 0; i < argc; i++)
+ gsmnet->a5_encryption_mask |= (1 << atoi(argv[i]));
return CMD_SUCCESS;
}
diff --git a/src/libmsc/gsm_04_08.c b/src/libmsc/gsm_04_08.c
index d934db6..5fd1607 100644
--- a/src/libmsc/gsm_04_08.c
+++ b/src/libmsc/gsm_04_08.c
@@ -348,7 +348,7 @@
net->vlr, conn, vlr_lu_type, tmsi, imsi,
&old_lai, &new_lai,
is_utran || conn->network->authentication_required,
- is_utran || conn->network->a5_encryption,
+ is_utran || conn->network->a5_encryption_mask > 0x01,
classmark_is_r99(&conn->classmark),
is_utran,
net->vlr->cfg.assign_tmsi);
@@ -715,7 +715,7 @@
net->vlr, conn,
VLR_PR_ARQ_T_CM_SERV_REQ, mi-1, &lai,
is_utran || conn->network->authentication_required,
- is_utran || conn->network->a5_encryption,
+ is_utran || conn->network->a5_encryption_mask > 0x01,
classmark_is_r99(&conn->classmark),
is_utran);
@@ -1099,7 +1099,7 @@
net->vlr, conn,
VLR_PR_ARQ_T_PAGING_RESP, mi_lv, &lai,
is_utran || conn->network->authentication_required,
- is_utran || conn->network->a5_encryption,
+ is_utran || conn->network->a5_encryption_mask > 0x01,
classmark_is_r99(&conn->classmark),
is_utran);
@@ -3416,10 +3416,15 @@
DEBUGP(DMM, "-> CIPHER MODE COMMAND %s\n",
vlr_subscr_name(conn->vsub));
{
+ struct gsm_network *net = conn->network;
struct gsm0808_encrypt_info ei;
+ int i, j = 0;
- ei.perm_algo[0] = vlr_ciph_to_gsm0808_alg_id(conn->network->a5_encryption);
- ei.perm_algo_len = 1;
+ for (i = 0; i < 8; i++) {
+ if (net->a5_encryption_mask & (1 << i))
+ ei.perm_algo[j++] = vlr_ciph_to_gsm0808_alg_id(i);
+ }
+ ei.perm_algo_len = j;
/* In case of UMTS AKA, the Kc for ciphering must be derived from the 3G auth
* tokens. tuple->vec.kc was calculated from the GSM algorithm and is not
diff --git a/src/libmsc/msc_vty.c b/src/libmsc/msc_vty.c
index c1c9f6b..44ea2e0 100644
--- a/src/libmsc/msc_vty.c
+++ b/src/libmsc/msc_vty.c
@@ -1,7 +1,7 @@
/* MSC interface to quagga VTY */
/* (C) 2016 by sysmocom s.m.f.c. GmbH <info at sysmocom.de>
* Based on OpenBSC interface to quagga VTY (libmsc/vty_interface_layer3.c)
- * (C) 2009 by Harald Welte <laforge at gnumonks.org>
+ * (C) 2009-2017 by Harald Welte <laforge at gnumonks.org>
* (C) 2009-2011 by Holger Hans Peter Freyther
* All Rights Reserved
*
@@ -160,6 +160,7 @@
static int config_write_net(struct vty *vty)
{
struct gsm_network *gsmnet = gsmnet_from_vty(vty);
+ int i;
vty_out(vty, "network%s", VTY_NEWLINE);
vty_out(vty, " network country code %u%s", gsmnet->country_code, VTY_NEWLINE);
@@ -169,7 +170,12 @@
vty_out(vty, " auth policy %s%s", gsm_auth_policy_name(gsmnet->auth_policy), VTY_NEWLINE);
vty_out(vty, " location updating reject cause %u%s",
gsmnet->reject_cause, VTY_NEWLINE);
- vty_out(vty, " encryption a5 %u%s", gsmnet->a5_encryption, VTY_NEWLINE);
+ vty_out(vty, " encryption a5");
+ for (i = 0; i < 8; i++) {
+ if (gsmnet->a5_encryption_mask & (1 << i))
+ vty_out(vty, " %u", i);
+ }
+ vty_out(vty, "%s", VTY_NEWLINE);
vty_out(vty, " authentication %s%s",
gsmnet->authentication_required ? "required" : "optional", VTY_NEWLINE);
vty_out(vty, " rrlp mode %s%s", rrlp_mode_name(gsmnet->rrlp.mode),
diff --git a/tests/msc_vlr/msc_vlr_test_gsm_ciph.c b/tests/msc_vlr/msc_vlr_test_gsm_ciph.c
index e0bd967..42e620a 100644
--- a/tests/msc_vlr/msc_vlr_test_gsm_ciph.c
+++ b/tests/msc_vlr/msc_vlr_test_gsm_ciph.c
@@ -31,7 +31,7 @@
comment_start();
/* implicit: net->authentication_required = true; */
- net->a5_encryption = VLR_CIPH_A5_1;
+ net->a5_encryption_mask = (1 << 1);
btw("Location Update request causes a GSUP Send Auth Info request to HLR");
lu_result_sent = RES_NONE;
@@ -243,7 +243,7 @@
comment_start();
/* implicit: net->authentication_required = true; */
- net->a5_encryption = VLR_CIPH_A5_1;
+ net->a5_encryption_mask = (1 << 1);
net->vlr->cfg.assign_tmsi = true;
btw("Location Update request causes a GSUP Send Auth Info request to HLR");
@@ -482,7 +482,7 @@
comment_start();
/* implicit: net->authentication_required = true; */
- net->a5_encryption = VLR_CIPH_A5_1;
+ net->a5_encryption_mask = (1 << 1);
net->vlr->cfg.check_imei_rqd = true;
btw("Location Update request causes a GSUP Send Auth Info request to HLR");
@@ -584,7 +584,7 @@
comment_start();
/* implicit: net->authentication_required = true; */
- net->a5_encryption = VLR_CIPH_A5_1;
+ net->a5_encryption_mask = (1 << 1);
net->vlr->cfg.retrieve_imeisv_ciphered = true;
btw("Location Update request causes a GSUP Send Auth Info request to HLR");
@@ -682,7 +682,7 @@
comment_start();
/* implicit: net->authentication_required = true; */
- net->a5_encryption = VLR_CIPH_A5_1;
+ net->a5_encryption_mask = (1 << 1);
net->vlr->cfg.assign_tmsi = true;
net->vlr->cfg.check_imei_rqd = true;
diff --git a/tests/msc_vlr/msc_vlr_test_gsm_ciph.err b/tests/msc_vlr/msc_vlr_test_gsm_ciph.err
index e016ab6..647b25c 100644
--- a/tests/msc_vlr/msc_vlr_test_gsm_ciph.err
+++ b/tests/msc_vlr/msc_vlr_test_gsm_ciph.err
@@ -62,7 +62,7 @@
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: Received Event VLR_ULA_E_AUTH_RES
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: vlr_loc_upd_post_auth()
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: Set Ciphering Mode
-- sending Ciphering Mode Command for IMSI:901700000004620: cipher=VLR_CIPH_A5_1 kc=61855fb81fc2a800 retrieve_imeisv=0
+- sending Ciphering Mode Command for IMSI:901700000004620: ciphers=0x02 kc=61855fb81fc2a800 retrieve_imeisv=0
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: state_chg to VLR_ULA_S_WAIT_CIPH
DMM IMSI:901700000004620: bump: conn still being established (SUBSCR_CONN_S_NEW)
DREF IMSI:901700000004620: MSC conn use - dtap == 1 (0x4)
@@ -224,7 +224,7 @@
DVLR Process_Access_Request_VLR(901700000004620){PR_ARQ_S_WAIT_AUTH}: got VLR_AUTH_RES_PASSED
DVLR Process_Access_Request_VLR(901700000004620){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_node2()
DVLR Process_Access_Request_VLR(901700000004620){PR_ARQ_S_WAIT_AUTH}: Set Ciphering Mode
-- sending Ciphering Mode Command for MSISDN:46071: cipher=VLR_CIPH_A5_1 kc=07fa7502e07e1c00 retrieve_imeisv=0
+- sending Ciphering Mode Command for MSISDN:46071: ciphers=0x02 kc=07fa7502e07e1c00 retrieve_imeisv=0
DVLR Process_Access_Request_VLR(901700000004620){PR_ARQ_S_WAIT_AUTH}: state_chg to PR_ARQ_S_WAIT_CIPH
DMM MSISDN:46071: bump: conn still being established (SUBSCR_CONN_S_NEW)
DREF MSISDN:46071: MSC conn use - dtap == 1 (0x4)
@@ -369,7 +369,7 @@
DVLR Process_Access_Request_VLR(901700000004620){PR_ARQ_S_WAIT_AUTH}: got VLR_AUTH_RES_PASSED
DVLR Process_Access_Request_VLR(901700000004620){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_node2()
DVLR Process_Access_Request_VLR(901700000004620){PR_ARQ_S_WAIT_AUTH}: Set Ciphering Mode
-- sending Ciphering Mode Command for MSISDN:46071: cipher=VLR_CIPH_A5_1 kc=e2b234f807886400 retrieve_imeisv=0
+- sending Ciphering Mode Command for MSISDN:46071: ciphers=0x02 kc=e2b234f807886400 retrieve_imeisv=0
DVLR Process_Access_Request_VLR(901700000004620){PR_ARQ_S_WAIT_AUTH}: state_chg to PR_ARQ_S_WAIT_CIPH
DMM MSISDN:46071: bump: conn still being established (SUBSCR_CONN_S_NEW)
DREF MSISDN:46071: MSC conn use - dtap == 1 (0x4)
@@ -546,7 +546,7 @@
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: Received Event VLR_ULA_E_AUTH_RES
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: vlr_loc_upd_post_auth()
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: Set Ciphering Mode
-- sending Ciphering Mode Command for IMSI:901700000004620: cipher=VLR_CIPH_A5_1 kc=61855fb81fc2a800 retrieve_imeisv=0
+- sending Ciphering Mode Command for IMSI:901700000004620: ciphers=0x02 kc=61855fb81fc2a800 retrieve_imeisv=0
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: state_chg to VLR_ULA_S_WAIT_CIPH
DMM IMSI:901700000004620: bump: conn still being established (SUBSCR_CONN_S_NEW)
DREF IMSI:901700000004620: MSC conn use - dtap == 1 (0x4)
@@ -745,7 +745,7 @@
DVLR Process_Access_Request_VLR(50462976){PR_ARQ_S_WAIT_AUTH}: got VLR_AUTH_RES_PASSED
DVLR Process_Access_Request_VLR(50462976){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_node2()
DVLR Process_Access_Request_VLR(50462976){PR_ARQ_S_WAIT_AUTH}: Set Ciphering Mode
-- sending Ciphering Mode Command for MSISDN:46071: cipher=VLR_CIPH_A5_1 kc=07fa7502e07e1c00 retrieve_imeisv=0
+- sending Ciphering Mode Command for MSISDN:46071: ciphers=0x02 kc=07fa7502e07e1c00 retrieve_imeisv=0
DVLR Process_Access_Request_VLR(50462976){PR_ARQ_S_WAIT_AUTH}: state_chg to PR_ARQ_S_WAIT_CIPH
DMM MSISDN:46071: bump: conn still being established (SUBSCR_CONN_S_NEW)
DREF MSISDN:46071: MSC conn use - dtap == 1 (0x4)
@@ -890,7 +890,7 @@
DVLR Process_Access_Request_VLR(50462976){PR_ARQ_S_WAIT_AUTH}: got VLR_AUTH_RES_PASSED
DVLR Process_Access_Request_VLR(50462976){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_node2()
DVLR Process_Access_Request_VLR(50462976){PR_ARQ_S_WAIT_AUTH}: Set Ciphering Mode
-- sending Ciphering Mode Command for MSISDN:46071: cipher=VLR_CIPH_A5_1 kc=e2b234f807886400 retrieve_imeisv=0
+- sending Ciphering Mode Command for MSISDN:46071: ciphers=0x02 kc=e2b234f807886400 retrieve_imeisv=0
DVLR Process_Access_Request_VLR(50462976){PR_ARQ_S_WAIT_AUTH}: state_chg to PR_ARQ_S_WAIT_CIPH
DMM MSISDN:46071: bump: conn still being established (SUBSCR_CONN_S_NEW)
DREF MSISDN:46071: MSC conn use - dtap == 1 (0x4)
@@ -1067,7 +1067,7 @@
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: Received Event VLR_ULA_E_AUTH_RES
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: vlr_loc_upd_post_auth()
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: Set Ciphering Mode
-- sending Ciphering Mode Command for IMSI:901700000004620: cipher=VLR_CIPH_A5_1 kc=61855fb81fc2a800 retrieve_imeisv=0
+- sending Ciphering Mode Command for IMSI:901700000004620: ciphers=0x02 kc=61855fb81fc2a800 retrieve_imeisv=0
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: state_chg to VLR_ULA_S_WAIT_CIPH
DMM IMSI:901700000004620: bump: conn still being established (SUBSCR_CONN_S_NEW)
DREF IMSI:901700000004620: MSC conn use - dtap == 1 (0x4)
@@ -1287,7 +1287,7 @@
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: Received Event VLR_ULA_E_AUTH_RES
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: vlr_loc_upd_post_auth()
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: Set Ciphering Mode
-- sending Ciphering Mode Command for IMSI:901700000004620: cipher=VLR_CIPH_A5_1 kc=61855fb81fc2a800 retrieve_imeisv=1
+- sending Ciphering Mode Command for IMSI:901700000004620: ciphers=0x02 kc=61855fb81fc2a800 retrieve_imeisv=1
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: state_chg to VLR_ULA_S_WAIT_CIPH
DMM IMSI:901700000004620: bump: conn still being established (SUBSCR_CONN_S_NEW)
DREF IMSI:901700000004620: MSC conn use - dtap == 1 (0x4)
@@ -1496,7 +1496,7 @@
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: Received Event VLR_ULA_E_AUTH_RES
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: vlr_loc_upd_post_auth()
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: Set Ciphering Mode
-- sending Ciphering Mode Command for IMSI:901700000004620: cipher=VLR_CIPH_A5_1 kc=61855fb81fc2a800 retrieve_imeisv=0
+- sending Ciphering Mode Command for IMSI:901700000004620: ciphers=0x02 kc=61855fb81fc2a800 retrieve_imeisv=0
DVLR vlr_lu_fsm(901700000004620){VLR_ULA_S_WAIT_AUTH}: state_chg to VLR_ULA_S_WAIT_CIPH
DMM IMSI:901700000004620: bump: conn still being established (SUBSCR_CONN_S_NEW)
DREF IMSI:901700000004620: MSC conn use - dtap == 1 (0x4)
diff --git a/tests/msc_vlr/msc_vlr_tests.c b/tests/msc_vlr/msc_vlr_tests.c
index 26fcd51..cf5c757 100644
--- a/tests/msc_vlr/msc_vlr_tests.c
+++ b/tests/msc_vlr/msc_vlr_tests.c
@@ -336,7 +336,7 @@
}
net->authentication_required = false;
- net->a5_encryption = VLR_CIPH_NONE;
+ net->a5_encryption_mask = (1 << 0);
net->vlr->cfg.check_imei_rqd = false;
net->vlr->cfg.assign_tmsi = false;
net->vlr->cfg.retrieve_imeisv_early = false;
@@ -673,10 +673,10 @@
struct gsm_subscriber_connection *conn = msc_conn_ref;
switch (conn->via_ran) {
case RAN_GERAN_A:
- btw("sending Ciphering Mode Command for %s: cipher=%s kc=%s"
+ btw("sending Ciphering Mode Command for %s: ciphers=0x%02x kc=%s"
" retrieve_imeisv=%d",
vlr_subscr_name(conn->vsub),
- vlr_ciph_name(conn->network->a5_encryption),
+ conn->network->a5_encryption_mask,
osmo_hexdump_nospc(conn->vsub->last_tuple->vec.kc, 8),
retrieve_imeisv);
break;
--
To view, visit https://gerrit.osmocom.org/5559
To unsubscribe, visit https://gerrit.osmocom.org/settings
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I79a4e2892eb5fbecc3d84e11dceffb7149db264b
Gerrit-PatchSet: 2
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder