Authentication abnormal case handling

8755c10c · aligungr · 6a9f533b · 8755c10c · 8755c10c
Commit 8755c10c authored Apr 26, 2021 by aligungr
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 8 deletions

src/ue/nas/mm/auth.cpp src/ue/nas/mm/auth.cpp +19 -7

src/ue/nas/mm/mm.hpp src/ue/nas/mm/mm.hpp +3 -1

No files found.
--- a/src/ue/nas/mm/auth.cpp
+++ b/src/ue/nas/mm/auth.cpp
@@ -216,6 +216,8 @@ void NasMm::receiveAuthenticationRequestEap(const nas::AuthenticationRequest &ms

        sendNasMessage(response);
    }
+
+    // TODO (dont forget: m_nwConsecutiveAuthFailure = 0;)
 }

 void NasMm::receiveAuthenticationRequest5gAka(const nas::AuthenticationRequest &msg)
@@ -279,8 +281,10 @@ void NasMm::receiveAuthenticationRequest5gAka(const nas::AuthenticationRequest &
    if ((m_usim->m_currentNsCtx && m_usim->m_currentNsCtx->ngKsi == msg.ngKSI.ksi) ||
        (m_usim->m_nonCurrentNsCtx && m_usim->m_nonCurrentNsCtx->ngKsi == msg.ngKSI.ksi))
    {
-        m_timers->t3520.start();
+        if (networkFailingTheAuthCheck())
+            return;

+        m_timers->t3520.start();
        sendFailure(nas::EMmCause::NGKSI_ALREADY_IN_USE);
        return;
    }
@@ -323,6 +327,7 @@ void NasMm::receiveAuthenticationRequest5gAka(const nas::AuthenticationRequest &
        keys::DeriveKeysSeafAmf(*m_base->config, *m_usim->m_currentPlmn, *m_usim->m_nonCurrentNsCtx);

        // Send response
+        m_nwConsecutiveAuthFailure = 0;
        m_timers->t3520.stop();

        nas::AuthenticationResponse resp;
@@ -333,23 +338,27 @@ void NasMm::receiveAuthenticationRequest5gAka(const nas::AuthenticationRequest &
    }
    else if (autnCheck == EAutnValidationRes::MAC_FAILURE)
    {
+        if (networkFailingTheAuthCheck())
+            return;
        m_timers->t3520.start();
-
        sendFailure(nas::EMmCause::MAC_FAILURE);
    }
    else if (autnCheck == EAutnValidationRes::SYNCHRONISATION_FAILURE)
    {
+        if (networkFailingTheAuthCheck())
+            return;
+
        m_timers->t3520.start();

        auto milenage = calculateMilenage(m_usim->m_sqnMng->getSqn(), rand, true);
        auto auts = keys::CalculateAuts(m_usim->m_sqnMng->getSqn(), milenage.ak_r, milenage.mac_s);
        sendFailure(nas::EMmCause::SYNCH_FAILURE, std::move(auts));
    }
-    else
+    else // the other case, separation bit mismatched
    {
+        if (networkFailingTheAuthCheck())
+            return;
        m_timers->t3520.start();
-
-        // the other case, separation bit mismatched
        sendFailure(nas::EMmCause::NON_5G_AUTHENTICATION_UNACCEPTABLE);
    }
 }
@@ -484,12 +493,15 @@ crypto::milenage::Milenage NasMm::calculateMilenage(const OctetString &sqn, cons
    return crypto::milenage::Calculate(opc, m_base->config->key, rand, sqn, amf);
 }

-void NasMm::networkFailingTheAuth()
+bool NasMm::networkFailingTheAuthCheck()
 {
+    if (m_nwConsecutiveAuthFailure++ < 3)
+        return false;
+
    m_logger->err("Network failing the authentication check");
    localReleaseConnection();
-
    // TODO: treat the active cell as barred
+    return true;
 }

 } // namespace nr::ue
\ No newline at end of file
--- a/src/ue/nas/mm/mm.hpp
+++ b/src/ue/nas/mm/mm.hpp
@@ -60,6 +60,8 @@ class NasMm
    nas::IE5gsNetworkFeatureSupport m_nwFeatureSupport{};
    // Last time Service Request needed indication for Data
    long m_lastTimeServiceReqNeededIndForData{};
+    // Number of times the network failing the authentication check
+    int m_nwConsecutiveAuthFailure{};

    friend class UeCmdHandler;

@@ -116,7 +118,7 @@ class NasMm
    void receiveEapResponseMessage(const eap::Eap &eap);
    EAutnValidationRes validateAutn(const OctetString &rand, const OctetString &autn);
    crypto::milenage::Milenage calculateMilenage(const OctetString &sqn, const OctetString &rand, bool dummyAmf);
-    void networkFailingTheAuth();
+    bool networkFailingTheAuthCheck();

  private: /* Security */
    void receiveSecurityModeCommand(const nas::SecurityModeCommand &msg);