Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
U
UERANSIM
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Libraries
UERANSIM
Commits
68448016
Commit
68448016
authored
Apr 26, 2021
by
aligungr
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
UE authentication procedure improvements
parent
f47f7c4b
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
50 additions
and
12 deletions
+50
-12
src/ue/nas/mm/auth.cpp
src/ue/nas/mm/auth.cpp
+50
-12
No files found.
src/ue/nas/mm/auth.cpp
View file @
68448016
...
...
@@ -224,11 +224,21 @@ void NasMm::receiveAuthenticationRequest5gAka(const nas::AuthenticationRequest &
{
auto
sendFailure
=
[
this
](
nas
::
EMmCause
cause
)
{
m_logger
->
err
(
"Sending Authentication Failure with cause [%s]"
,
nas
::
utils
::
EnumToString
(
cause
));
m_usim
->
m_rand
=
{};
m_usim
->
m_res
=
{};
m_usim
->
m_resStar
=
{};
m_timers
->
t3516
.
stop
();
nas
::
AuthenticationFailure
resp
{};
resp
.
mmCause
.
value
=
cause
;
sendNasMessage
(
resp
);
};
// ========================== Check the received parameters syntactically ==========================
if
(
!
msg
.
authParamRAND
.
has_value
()
||
!
msg
.
authParamAUTN
.
has_value
())
{
sendFailure
(
nas
::
EMmCause
::
SEMANTICALLY_INCORRECT_MESSAGE
);
...
...
@@ -241,6 +251,31 @@ void NasMm::receiveAuthenticationRequest5gAka(const nas::AuthenticationRequest &
return
;
}
// =================================== Check the received ngKSI ===================================
if
(
msg
.
ngKSI
.
tsc
==
nas
::
ETypeOfSecurityContext
::
MAPPED_SECURITY_CONTEXT
)
{
m_logger
->
err
(
"Mapped security context not supported"
);
sendFailure
(
nas
::
EMmCause
::
UNSPECIFIED_PROTOCOL_ERROR
);
return
;
}
if
(
msg
.
ngKSI
.
ksi
==
nas
::
IENasKeySetIdentifier
::
NOT_AVAILABLE_OR_RESERVED
)
{
m_logger
->
err
(
"Invalid ngKSI value received"
);
sendFailure
(
nas
::
EMmCause
::
UNSPECIFIED_PROTOCOL_ERROR
);
return
;
}
if
((
m_usim
->
m_currentNsCtx
&&
m_usim
->
m_currentNsCtx
->
ngKsi
==
msg
.
ngKSI
.
ksi
)
||
(
m_usim
->
m_nonCurrentNsCtx
&&
m_usim
->
m_nonCurrentNsCtx
->
ngKsi
==
msg
.
ngKSI
.
ksi
))
{
sendFailure
(
nas
::
EMmCause
::
NGKSI_ALREADY_IN_USE
);
return
;
}
// ============================================ Others ============================================
auto
&
rand
=
msg
.
authParamRAND
->
value
;
auto
&
autn
=
msg
.
authParamAUTN
->
value
;
...
...
@@ -264,13 +299,15 @@ void NasMm::receiveAuthenticationRequest5gAka(const nas::AuthenticationRequest &
if
(
autnCheck
==
EAutnValidationRes
::
OK
)
{
// Store the relevant parameters
m_usim
->
m_rand
=
rand
.
copy
();
m_usim
->
m_resStar
=
keys
::
CalculateResStar
(
ckIk
,
snn
,
rand
,
res
);
m_usim
->
m_res
=
std
::
move
(
res
);
// Create new partial native NAS security context and continue with key derivation
m_usim
->
m_nonCurrentNsCtx
=
std
::
make_unique
<
NasSecurityContext
>
();
m_usim
->
m_nonCurrentNsCtx
->
tsc
=
msg
.
ngKSI
.
tsc
;
m_usim
->
m_nonCurrentNsCtx
->
ngKsi
=
msg
.
ngKSI
.
ksi
;
m_usim
->
m_rand
=
rand
.
copy
();
m_usim
->
m_resStar
=
keys
::
CalculateResStar
(
ckIk
,
snn
,
rand
,
res
);
m_usim
->
m_res
=
std
::
move
(
res
);
m_usim
->
m_nonCurrentNsCtx
->
keys
.
kAusf
=
keys
::
CalculateKAusfFor5gAka
(
ck
,
ik
,
snn
,
sqnXorAk
);
m_usim
->
m_nonCurrentNsCtx
->
keys
.
abba
=
msg
.
abba
.
rawData
.
copy
();
...
...
@@ -294,7 +331,8 @@ void NasMm::receiveAuthenticationRequest5gAka(const nas::AuthenticationRequest &
}
else
{
sendFailure
(
nas
::
EMmCause
::
UNSPECIFIED_PROTOCOL_ERROR
);
// the other case, separation bit mismatched
sendFailure
(
nas
::
EMmCause
::
NON_5G_AUTHENTICATION_UNACCEPTABLE
);
}
}
...
...
@@ -384,6 +422,14 @@ EAutnValidationRes NasMm::validateAutn(const OctetString &ak, const OctetString
OctetString
receivedAMF
=
autn
.
subCopy
(
6
,
2
);
OctetString
receivedMAC
=
autn
.
subCopy
(
8
,
8
);
// TS 33.501: An ME accessing 5G shall check during authentication that the "separation bit" in the AMF field
// of AUTN is set to 1. The "separation bit" is bit 0 of the AMF field of AUTN.
if
(
receivedAMF
.
get
(
0
).
bit
(
7
)
!=
1
)
{
m_logger
->
err
(
"AUTN validation SEP-BIT failure. expected: 1, received: 0"
);
return
EAutnValidationRes
::
AMF_SEPARATION_BIT_FAILURE
;
}
// Verify that the received sequence number SQN is in the correct range
if
(
!
checkSqn
(
receivedSQN
))
{
...
...
@@ -399,14 +445,6 @@ EAutnValidationRes NasMm::validateAutn(const OctetString &ak, const OctetString
return
EAutnValidationRes
::
MAC_FAILURE
;
}
// TS 33.501: An ME accessing 5G shall check during authentication that the "separation bit" in the AMF field
// of AUTN is set to 1. The "separation bit" is bit 0 of the AMF field of AUTN.
if
(
receivedAMF
.
get
(
0
).
bit
(
7
)
!=
1
)
{
m_logger
->
err
(
"AUTN validation SEP-BIT failure. expected: 1, received: 0"
);
return
EAutnValidationRes
::
AMF_SEPARATION_BIT_FAILURE
;
}
return
EAutnValidationRes
::
OK
;
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
