Authentication abnormal case handling

91c7fec8 · aligungr · 8755c10c · 91c7fec8 · 91c7fec8 · 91c7fec8
Commit 91c7fec8 authored Apr 26, 2021 by aligungr
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 7 deletions

src/ue/nas/mm/auth.cpp src/ue/nas/mm/auth.cpp +13 -6

src/ue/nas/mm/mm.hpp src/ue/nas/mm/mm.hpp +1 -1

src/ue/nas/mm/timer.cpp src/ue/nas/mm/timer.cpp +5 -0

No files found.
--- a/src/ue/nas/mm/auth.cpp
+++ b/src/ue/nas/mm/auth.cpp
@@ -281,7 +281,7 @@ void NasMm::receiveAuthenticationRequest5gAka(const nas::AuthenticationRequest &
    if ((m_usim->m_currentNsCtx && m_usim->m_currentNsCtx->ngKsi == msg.ngKSI.ksi) ||
        (m_usim->m_nonCurrentNsCtx && m_usim->m_nonCurrentNsCtx->ngKsi == msg.ngKSI.ksi))
    {
-        if (networkFailingTheAuthCheck())
+        if (networkFailingTheAuthCheck(true))
            return;

        m_timers->t3520.start();
@@ -338,14 +338,14 @@ void NasMm::receiveAuthenticationRequest5gAka(const nas::AuthenticationRequest &
    }
    else if (autnCheck == EAutnValidationRes::MAC_FAILURE)
    {
-        if (networkFailingTheAuthCheck())
+        if (networkFailingTheAuthCheck(true))
            return;
        m_timers->t3520.start();
        sendFailure(nas::EMmCause::MAC_FAILURE);
    }
    else if (autnCheck == EAutnValidationRes::SYNCHRONISATION_FAILURE)
    {
-        if (networkFailingTheAuthCheck())
+        if (networkFailingTheAuthCheck(true))
            return;

        m_timers->t3520.start();
@@ -356,7 +356,7 @@ void NasMm::receiveAuthenticationRequest5gAka(const nas::AuthenticationRequest &
    }
    else // the other case, separation bit mismatched
    {
-        if (networkFailingTheAuthCheck())
+        if (networkFailingTheAuthCheck(true))
            return;
        m_timers->t3520.start();
        sendFailure(nas::EMmCause::NON_5G_AUTHENTICATION_UNACCEPTABLE);
@@ -493,11 +493,18 @@ crypto::milenage::Milenage NasMm::calculateMilenage(const OctetString &sqn, cons
    return crypto::milenage::Calculate(opc, m_base->config->key, rand, sqn, amf);
 }

-bool NasMm::networkFailingTheAuthCheck()
+bool NasMm::networkFailingTheAuthCheck(bool hasChance)
 {
-    if (m_nwConsecutiveAuthFailure++ < 3)
+    if (hasChance && m_nwConsecutiveAuthFailure++ < 3)
        return false;

+    // NOTE: Normally if we should check if the UE has an emergency. If it has, it should consider as network passed the
+    //  auth check, instead of performing the actions in the following lines. But it's difficult to maintain and
+    //  implement this behaviour. Therefore we would expect other solutions for an emergency case. Such as
+    //  - Network initiates a Security Mode Command with IA0 and EA0
+    //  - UE performs emergency registration after releasing the connection
+    // END
+
    m_logger->err("Network failing the authentication check");
    localReleaseConnection();
    // TODO: treat the active cell as barred

--- a/src/ue/nas/mm/mm.hpp
+++ b/src/ue/nas/mm/mm.hpp
@@ -118,7 +118,7 @@ class NasMm
    void receiveEapResponseMessage(const eap::Eap &eap);
    EAutnValidationRes validateAutn(const OctetString &rand, const OctetString &autn);
    crypto::milenage::Milenage calculateMilenage(const OctetString &sqn, const OctetString &rand, bool dummyAmf);
-    bool networkFailingTheAuthCheck();
+    bool networkFailingTheAuthCheck(bool hasChance);

  private: /* Security */
    void receiveSecurityModeCommand(const nas::SecurityModeCommand &msg);

--- a/src/ue/nas/mm/timer.cpp
+++ b/src/ue/nas/mm/timer.cpp
@@ -114,6 +114,11 @@ void NasMm::onTimerExpire(nas::NasTimer &timer)
        m_usim->m_storedSuci = {};
        break;
    }
+    case 3520: {
+        logExpired();
+        networkFailingTheAuthCheck(false);
+        break;
+    }
    case 3521: {
        if (timer.getExpiryCount() == 5)
        {