[PATCH] osmo-ttcn3-hacks[master]: sgsn: test umts aka with gsm sres response

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Neels Hofmeyr gerrit-no-reply at lists.osmocom.org
Mon Apr 30 23:31:37 UTC 2018


Review at  https://gerrit.osmocom.org/7956

sgsn: test umts aka with gsm sres response

Add ability to test UMTS AKA, by f_gmm_attach() with flags to select UMTS AKA
and to respond to it with GSM AKA SRES.

Add TC_attach_umts_aka_umts_res and TC_attach_umts_aka_gsm_sres.

Change existing TC_attach_* to also call f_gmm_attach(). (Actually,
f_gmm_attach() is almost exactly the previous TC_attach function body.)

osmo-sgsn change I36807bad3bc55c0030d4f09cb2c369714f24bec7 will implement
proper handling of GSM AKA response and make TC_attach_umts_aka_gsm_sres pass.

Related: OS#3193 OS#3224
Change-Id: I201ffeaee4439a413ab8289aceeccca9aba40a7a
---
M library/L3_Common.ttcn
M sgsn/SGSN_Tests.ttcn
M sgsn/expected-results.xml
3 files changed, 114 insertions(+), 13 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-ttcn3-hacks refs/changes/56/7956/1

diff --git a/library/L3_Common.ttcn b/library/L3_Common.ttcn
index 5b36056..2b39621 100644
--- a/library/L3_Common.ttcn
+++ b/library/L3_Common.ttcn
@@ -7,8 +7,11 @@
 type record AuthVector {
 	OCT16 rand,
 	OCT4 sres,
-	OCT8 kc
-	/* FIXME: 3G elements */
+	OCT8 kc,
+	OCT16 ik,
+	OCT16 ck,
+	OCT16 autn,
+	OCT8 res
 }
 
 private function f_rnd_oct(integer len) return octetstring {
@@ -28,6 +31,15 @@
 	return vec;
 }
 
+function f_gen_auth_vec_3g() return AuthVector {
+	var AuthVector vec := f_gen_auth_vec_2g();
+	vec.ik := f_rnd_oct(16);
+	vec.ck := f_rnd_oct(16);
+	vec.autn := f_rnd_oct(16);
+	vec.res := f_rnd_oct(8);
+	return vec;
+}
+
 /* 3GPP TS 23.003 2.6 */
 type enumerated TlliType {
 	TLLI_LOCAL,
diff --git a/sgsn/SGSN_Tests.ttcn b/sgsn/SGSN_Tests.ttcn
index 79aa166..7d3a5d9 100644
--- a/sgsn/SGSN_Tests.ttcn
+++ b/sgsn/SGSN_Tests.ttcn
@@ -35,6 +35,8 @@
 
 import from GSM_RR_Types all;
 
+import from MobileL3_MM_Types all;
+
 
 modulepar {
 	/* IP/port on which we run our internal GSUP/HLR emulation */
@@ -286,23 +288,65 @@
 	}
 }
 
-/* perform GMM authentication (if expected) */
-function f_gmm_auth () runs on BSSGP_ConnHdlr {
+/* perform GMM authentication (if expected).
+ * Note, for umts_aka_challenge to work, the revisionLevelIndicatior needs to
+ * be 1 to mark R99 capability, in the GMM Attach Request, see f_gmm_attach(). */
+function f_gmm_auth (boolean umts_aka_challenge := false, boolean force_gsm_sres := false) runs on BSSGP_ConnHdlr {
 	var BssgpDecoded bd;
 	var PDU_L3_MS_SGSN l3_mo;
 	var PDU_L3_SGSN_MS l3_mt;
 	var default di := activate(as_mm_identity());
 	if (g_pars.net.expect_auth) {
-		g_pars.vec := f_gen_auth_vec_2g();
-		var GSUP_IE auth_tuple := valueof(ts_GSUP_IE_AuthTuple2G(g_pars.vec.rand,
-									 g_pars.vec.sres,
-									 g_pars.vec.kc));
+		var GSUP_IE auth_tuple;
+		var template AuthenticationParameterAUTNTLV autn;
+
+		if (umts_aka_challenge) {
+			g_pars.vec := f_gen_auth_vec_3g();
+			autn := {
+				elementIdentifier := '28'O,
+				lengthIndicator := lengthof(g_pars.vec.autn),
+				autnValue := g_pars.vec.autn
+				};
+
+			auth_tuple := valueof(ts_GSUP_IE_AuthTuple2G3G(g_pars.vec.rand,
+								       g_pars.vec.sres,
+								       g_pars.vec.kc,
+								       g_pars.vec.ik,
+								       g_pars.vec.ck,
+								       g_pars.vec.autn,
+								       g_pars.vec.res));
+			log("GSUP sends 2G and 3G auth tuples", auth_tuple);
+		} else {
+			g_pars.vec := f_gen_auth_vec_2g();
+			autn := omit;
+			auth_tuple := valueof(ts_GSUP_IE_AuthTuple2G(g_pars.vec.rand,
+								     g_pars.vec.sres,
+								     g_pars.vec.kc));
+			log("GSUP sends only 2G auth tuple", auth_tuple);
+		}
 		GSUP.receive(tr_GSUP_SAI_REQ(g_pars.imsi));
 		GSUP.send(ts_GSUP_SAI_RES(g_pars.imsi, auth_tuple));
-		BSSGP.receive(tr_BD_L3_MT(tr_GMM_AUTH_REQ(g_pars.vec.rand))) -> value bd;
+		
+		var template PDU_L3_SGSN_MS auth_ciph_req := tr_GMM_AUTH_REQ(g_pars.vec.rand);
+		auth_ciph_req.msgs.gprs_mm.authenticationAndCipheringRequest.authenticationParameterAUTN := autn;
+		BSSGP.receive(tr_BD_L3_MT(auth_ciph_req)) -> value bd;
 		l3_mt := bd.l3_mt;
 		var BIT4 ac_ref := l3_mt.msgs.gprs_mm.authenticationAndCipheringRequest.acReferenceNumber.valueField;
-		l3_mo := valueof(ts_GMM_AUTH_RESP_2G(ac_ref, g_pars.vec.sres));
+		var template PDU_L3_MS_SGSN auth_ciph_resp := ts_GMM_AUTH_RESP_2G(ac_ref, g_pars.vec.sres);
+
+		if (umts_aka_challenge and not force_gsm_sres) {
+			/* set UMTS response instead */
+			auth_ciph_resp.msgs.gprs_mm.authenticationAndCipheringResponse.authenticationParResp := {
+				valueField := substr(g_pars.vec.res, 0, 4)
+			};
+			auth_ciph_resp.msgs.gprs_mm.authenticationAndCipheringResponse.authenticationRespParExt := {
+				elementIdentifier := '21'O,
+				lengthIndicator := lengthof(g_pars.vec.res) - 4,
+				valueField := substr(g_pars.vec.res, 4, lengthof(g_pars.vec.res) - 4)
+			};
+		}
+
+		l3_mo := valueof(auth_ciph_resp);
 		if (ispresent(l3_mt.msgs.gprs_mm.authenticationAndCipheringRequest.imeisvRequest) and
 		    l3_mt.msgs.gprs_mm.authenticationAndCipheringRequest.imeisvRequest.valueField == '001'B) {
 			l3_mo.msgs.gprs_mm.authenticationAndCipheringResponse.imeisv :=
@@ -402,12 +446,20 @@
 	GSUP.send(ts_GSUP_UL_RES(g_pars.imsi));
 }
 
-private function f_TC_attach(charstring id) runs on BSSGP_ConnHdlr {
+private function f_gmm_attach(boolean umts_aka_challenge, boolean force_gsm_sres) runs on BSSGP_ConnHdlr {
 	var BssgpDecoded bd;
 	var RoutingAreaIdentificationV old_ra := f_random_RAI();
+	var template PDU_L3_MS_SGSN attach_req := ts_GMM_ATTACH_REQ(f_mi_get_lv(), old_ra, false, false, omit, omit);
 
-	BSSGP.send(ts_GMM_ATTACH_REQ(f_mi_get_lv(), old_ra, false, false, omit, omit));
-	f_gmm_auth();
+	/* indicate R99 capability of the MS to enable UMTS AKA in presence of
+	 * 3G auth vectors */
+	attach_req.msgs.gprs_mm.attachRequest.msNetworkCapability.msNetworkCapabilityV.revisionLevelIndicatior := '1'B;
+	/* The thing is, if the solSACapability is 'omit', then the
+	 * revisionLevelIndicatior is at the wrong place! */
+	attach_req.msgs.gprs_mm.attachRequest.msNetworkCapability.msNetworkCapabilityV.solSACapability := '0'B;
+
+	BSSGP.send(attach_req);
+	f_gmm_auth(umts_aka_challenge, force_gsm_sres);
 	/* Expect MSC to perform LU with HLR */
 	f_gmm_gsup_lu_isd();
 
@@ -416,6 +468,10 @@
 	}
 	/* FIXME: Extract P-TMSI, if any. Only send Complete if necessary */
 	BSSGP.send(ts_GMM_ATTACH_COMPL);
+}
+
+private function f_TC_attach(charstring id) runs on BSSGP_ConnHdlr {
+	f_gmm_attach(false, false);
 	setverdict(pass);
 }
 
@@ -432,6 +488,30 @@
 	f_init('023042'H);
 	f_sleep(1.0);
 	vc_conn := f_start_handler(refers(f_TC_attach), testcasename(), g_gb[0], 1001);
+	vc_conn.done;
+}
+
+private function f_TC_attach_umts_aka_umts_res(charstring id) runs on BSSGP_ConnHdlr {
+	f_gmm_attach(true, false);
+	setverdict(pass);
+}
+testcase TC_attach_umts_aka_umts_res() runs on test_CT {
+	var BSSGP_ConnHdlr vc_conn;
+	f_init();
+	f_sleep(1.0);
+	vc_conn := f_start_handler(refers(f_TC_attach_umts_aka_umts_res), testcasename(), g_gb[0], 1002);
+	vc_conn.done;
+}
+
+private function f_TC_attach_umts_aka_gsm_sres(charstring id) runs on BSSGP_ConnHdlr {
+	f_gmm_attach(true, true);
+	setverdict(pass);
+}
+testcase TC_attach_umts_aka_gsm_sres() runs on test_CT {
+	var BSSGP_ConnHdlr vc_conn;
+	f_init();
+	f_sleep(1.0);
+	vc_conn := f_start_handler(refers(f_TC_attach_umts_aka_gsm_sres), testcasename(), g_gb[0], 1003);
 	vc_conn.done;
 }
 
@@ -1153,6 +1233,8 @@
 control {
 	execute( TC_attach() );
 	execute( TC_attach_mnc3() );
+	execute( TC_attach_umts_aka_umts_res() );
+	execute( TC_attach_umts_aka_gsm_sres() );
 	execute( TC_attach_auth_id_timeout() );
 	execute( TC_attach_auth_sai_timeout() );
 	execute( TC_attach_auth_sai_reject() );
diff --git a/sgsn/expected-results.xml b/sgsn/expected-results.xml
index 49ab60c..688e35e 100644
--- a/sgsn/expected-results.xml
+++ b/sgsn/expected-results.xml
@@ -2,6 +2,13 @@
 <testsuite name='Titan' tests='22' failures='5' errors='2' skipped='0' inconc='0' time='MASKED'>
   <testcase classname='SGSN_Tests' name='TC_attach' time='MASKED'/>
   <testcase classname='SGSN_Tests' name='TC_attach_mnc3' time='MASKED'/>
+  <testcase classname='SGSN_Tests' name='TC_attach_umts_aka_umts_res' time='MASKED'/>
+  <testcase classname='SGSN_Tests' name='TC_attach_umts_aka_gsm_sres' time='MASKED'>
+    <failure type='fail-verdict'>Tguard timeout
+      SGSN_Tests.ttcn:MASKED SGSN_Tests control part
+      SGSN_Tests.ttcn:MASKED TC_attach_umts_aka_gsm_sres testcase
+    </failure>
+  </testcase>
   <testcase classname='SGSN_Tests' name='TC_attach_auth_id_timeout' time='MASKED'/>
   <testcase classname='SGSN_Tests' name='TC_attach_auth_sai_timeout' time='MASKED'>
     <failure type='fail-verdict'>Tguard timeout

-- 
To view, visit https://gerrit.osmocom.org/7956
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I201ffeaee4439a413ab8289aceeccca9aba40a7a
Gerrit-PatchSet: 1
Gerrit-Project: osmo-ttcn3-hacks
Gerrit-Branch: master
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>



More information about the gerrit-log mailing list