bugfix: use correct algorithm and derive keys accordingly

This was not a big problem, but we were advertising wrong algorithm and deriving keys using this wrong algorithm in case DRB ciphering and/or integrity was not active. (Say SRBs are configured with NIA2 but DRBs are configured without integrity, we would advertise NIA2 and send the integrity key derived for NIA2, instead of NIA0 for both.) It was not a problem because in the PDU Session Resource To Setup item, there is "securityIndication" which we use to effectively activate/deactivate the ciphering and/or integrity. But it did not look clean to see a SecurityInformation with incorrect data when inspecting the message in wireshark. So let's use the correct values. We could also not include the SecurityInformation if both ciphering and integrity are not used, and only include ciphering if integrity is not used (because integrity settings are optional). But then if only integrity is used, we still need to include ciphering, setting algorithm to NEA0 (no ciphering), because the ciphering settings are always included. This logic is too complex, let's use the simple one to always include SecurityInformation with NEA0 and/or NIA0 if ciphering and/or integrity is not activated.

bugfix: use correct algorithm and derive keys accordingly
This was not a big problem, but we were advertising wrong algorithm and deriving keys using this wrong algorithm in case DRB ciphering and/or integrity was not active. (Say SRBs are configured with NIA2 but DRBs are configured without integrity, we would advertise NIA2 and send the integrity key derived for NIA2, instead of NIA0 for both.) It was not a problem because in the PDU Session Resource To Setup item, there is "securityIndication" which we use to effectively activate/deactivate the ciphering and/or integrity. But it did not look clean to see a SecurityInformation with incorrect data when inspecting the message in wireshark. So let's use the correct values. We could also not include the SecurityInformation if both ciphering and integrity are not used, and only include ciphering if integrity is not used (because integrity settings are optional). But then if only integrity is used, we still need to include ciphering, setting algorithm to NEA0 (no ciphering), because the ciphering settings are always included. This logic is too complex, let's use the simple one to always include SecurityInformation with NEA0 and/or NIA0 if ciphering and/or integrity is not activated.
a1eb8f35 · Cedric Roux · Guido Casati · 627f8171 · a1eb8f35
Commit a1eb8f35 authored Jan 22, 2025 by Cedric Roux Committed by Guido Casati Feb 11, 2025
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

openair2/RRC/NR/rrc_gNB_NGAP.c openair2/RRC/NR/rrc_gNB_NGAP.c +4 -4

No files found.
--- a/openair2/RRC/NR/rrc_gNB_NGAP.c
+++ b/openair2/RRC/NR/rrc_gNB_NGAP.c
@@ -356,10 +356,10 @@ bool trigger_bearer_setup(gNB_RRC_INST *rrc, gNB_RRC_UE_t *UE, int n, pdusession
    decodePDUSessionResourceSetup(session);
    bearer_req.gNB_cu_cp_ue_id = UE->rrc_ue_id;
    security_information_t *secInfo = &bearer_req.secInfo;
-    secInfo->cipheringAlgorithm = UE->ciphering_algorithm;
-    secInfo->integrityProtectionAlgorithm = UE->integrity_algorithm;
-    nr_derive_key(UP_ENC_ALG, UE->ciphering_algorithm, UE->kgnb, (uint8_t *)secInfo->encryptionKey);
-    nr_derive_key(UP_INT_ALG, UE->integrity_algorithm, UE->kgnb, (uint8_t *)secInfo->integrityProtectionKey);
+    secInfo->cipheringAlgorithm = rrc->security.do_drb_ciphering ? UE->ciphering_algorithm : 0;
+    secInfo->integrityProtectionAlgorithm = rrc->security.do_drb_integrity ? UE->integrity_algorithm : 0;
+    nr_derive_key(UP_ENC_ALG, secInfo->cipheringAlgorithm, UE->kgnb, (uint8_t *)secInfo->encryptionKey);
+    nr_derive_key(UP_INT_ALG, secInfo->integrityProtectionAlgorithm, UE->kgnb, (uint8_t *)secInfo->integrityProtectionKey);
    bearer_req.ueDlAggMaxBitRate = ueAggMaxBitRateDownlink;
    pdu_session_to_setup_t *pdu = bearer_req.pduSession + bearer_req.numPDUSessions;
    bearer_req.numPDUSessions++;