add 'encryption uea 1 2' cfg / fix ttcn3 iu tests

Recently, the ability to run UTRAN without encryption was added, but the config
for it was tied to the A5 GERAN encryption configuration. This affected
osmo-msc's default behavior of Iu, breaking osmo-msc ttcn3 Iu tests: the ttcn3
test suite sets A5 to 0 (no encryption) but still expects Iu to enable air
encryption. Fix this "regression".

Add a separate vty config option for UEA encryption, even if it does not
provide full granularity to select individual UEA algorithms yet.

As a result, Iu default behavior remains to enable encryption regardless of the
A5 config. UTRAN encryption can be disabled by the new cfg option
"encryption uea 0" alone.

Even though the new vty command already allows passing various combinations of
the UEA algorithm numbers, only '0' and '1 2' are accepted as valid
combinations, to reflect current osmo-msc capabilities.

Revert most changes to the msc_vlr test suite in commit "do not force
encryption on UTRAN" (I04ecd7a3b1cc603b2e3feb630e8c7c93fc36ccd7): use new
net->iu_encryption instead of net->a5_encryption_mask.

Adjust/add to test_nodes.vty transcript tests.

Related: OS#4144
Change-Id: Ie138f2fcb105533f7bc06a6d2e6deccf6faccc5b
This commit is contained in:
Neels Hofmeyr 2019-08-13 16:00:37 +02:00
parent cd64af7cd4
commit 4dfb2babf2
10 changed files with 153 additions and 62 deletions

View File

@ -188,11 +188,22 @@ network
While authentication is always required on 3G, ciphering is optional.
So far OsmoMSC lacks explicit configuration for ciphering on 3G. As an interim
solution, ciphering is enabled on 3G exactly when ciphering is enabled on 2G,
i.e. when any cipher other than A5/0 is enabled in the configuration. If only
A5/0 is configured, ciphering will be disabled on both 2G and 3G. The future
aim is to add comprehensive configuration for 3G ciphering that is independent
from the 2G setting.
So far OsmoMSC allows switching ciphering on 3G either on or off -- the default
behavior is to enable ciphering. (Individual choice of algorithms may be added
in the future.)
Disable 3G ciphering:
----
network
encryption uea 0
----
Enable 3G ciphering (default):
----
network
encryption uea 1 2
----
OsmoMSC indicates UEA1 and UEA2 as permitted encryption algorithms on 3G.

View File

@ -149,6 +149,11 @@ struct gsm_network {
bool authentication_required;
int send_mm_info;
/* Whether to use encryption on UTRAN.
* TODO: we should offer a choice of UEA1 and/or UEA2, and probably replace this bool with a bit-mask of
* permitted Iu encryption algorithms. See also OS#4143 and the 'encryption uea' vty command. */
bool uea_encryption;
struct rate_ctr_group *msc_ctrs;
struct osmo_stat_item_group *statg;

View File

@ -375,7 +375,7 @@ static int mm_rx_loc_upd_req(struct msc_a *msc_a, struct msgb *msg)
net->vlr, msc_a, vlr_lu_type, tmsi, imsi,
&old_lai, &msc_a->via_cell.lai,
is_utran || net->authentication_required,
net->a5_encryption_mask > 0x01,
is_utran ? net->uea_encryption : net->a5_encryption_mask > 0x01,
lu->key_seq,
osmo_gsm48_classmark1_is_r99(&lu->classmark1),
is_utran,
@ -780,7 +780,7 @@ int gsm48_rx_mm_serv_req(struct msc_a *msc_a, struct msgb *msg)
req->cm_service_type,
mi-1, &msc_a->via_cell.lai,
is_utran || net->authentication_required,
net->a5_encryption_mask > 0x01,
is_utran ? net->uea_encryption : net->a5_encryption_mask > 0x01,
req->cipher_key_seq,
osmo_gsm48_classmark2_is_r99(cm2, cm2_len),
is_utran);
@ -1152,7 +1152,7 @@ static int gsm48_rx_rr_pag_resp(struct msc_a *msc_a, struct msgb *msg)
net->vlr, msc_a,
VLR_PR_ARQ_T_PAGING_RESP, 0, mi_lv, &msc_a->via_cell.lai,
is_utran || net->authentication_required,
net->a5_encryption_mask > 0x01,
is_utran ? net->uea_encryption : net->a5_encryption_mask > 0x01,
pr->key_seq,
osmo_gsm48_classmark2_is_r99(cm2, classmark2_len),
is_utran);

View File

@ -49,6 +49,7 @@ struct gsm_network *gsm_network_init(void *ctx, mncc_recv_cb_t mncc_recv)
/* Permit a compile-time default of A5/3 and A5/1 */
net->a5_encryption_mask = (1 << 3) | (1 << 1);
net->uea_encryption = true;
/* Use 30 min periodic update interval as sane default */
net->t3212 = 5;

View File

@ -144,14 +144,13 @@ DEFUN(cfg_net_name_long,
return CMD_SUCCESS;
}
#define ENCRYPTION_STR "Encryption options\n"
DEFUN(cfg_net_encryption,
cfg_net_encryption_cmd,
"encryption a5 <0-3> [<0-3>] [<0-3>] [<0-3>]",
"Encryption options\n"
"GSM A5 Air Interface Encryption."
" NOTE: as long as OsmoMSC lacks distinct configuration for 3G encryption,"
" 3G encryption is enabled exactly when any 2G encryption is enabled."
" Hence configuring only A5/0 here switches off 3G encryption.\n"
ENCRYPTION_STR
"GSM A5 Air Interface Encryption.\n"
"A5/n Algorithm Number\n"
"A5/n Algorithm Number\n"
"A5/n Algorithm Number\n"
@ -166,6 +165,45 @@ DEFUN(cfg_net_encryption,
return CMD_SUCCESS;
}
/* So far just a boolean switch, a future patch might add individual config for UEA1 and UEA2, see OS#4143 */
DEFUN(cfg_net_encryption_uea,
cfg_net_encryption_uea_cmd,
"encryption uea <0-2> [<0-2>] [<0-2>]",
ENCRYPTION_STR
"UTRAN (3G) encryption algorithms to allow: 0 = UEA0 (no encryption), 1 = UEA1, 2 = UEA2."
" NOTE: the current implementation does not allow free choice of combining encryption algorithms yet."
" The only valid settings are either 'encryption uea 0' or 'encryption uea 1 2'.\n"
"UEAn Algorithm Number\n"
"UEAn Algorithm Number\n"
"UEAn Algorithm Number\n"
)
{
unsigned int i;
uint8_t mask = 0;
for (i = 0; i < argc; i++)
mask |= (1 << atoi(argv[i]));
if (mask == (1 << 0)) {
/* UEA0. Disable encryption. */
gsmnet->uea_encryption = false;
} else if (mask == ((1 << 1) | (1 << 2))) {
/* UEA1 and UEA2. Enable encryption. */
gsmnet->uea_encryption = true;
} else {
vty_out(vty,
"%% Error: the current implementation does not allow free choice of combining%s"
"%% encryption algorithms yet. The only valid settings are either%s"
"%% encryption uea 0%s"
"%% or%s"
"%% encryption uea 1 2%s",
VTY_NEWLINE, VTY_NEWLINE, VTY_NEWLINE, VTY_NEWLINE, VTY_NEWLINE);
return CMD_WARNING;
}
return CMD_SUCCESS;
}
DEFUN(cfg_net_authentication,
cfg_net_authentication_cmd,
"authentication (optional|required)",
@ -308,6 +346,11 @@ static int config_write_net(struct vty *vty)
vty_out(vty, " %u", i);
}
vty_out(vty, "%s", VTY_NEWLINE);
if (!gsmnet->uea_encryption)
vty_out(vty, " encryption uea 0%s", VTY_NEWLINE);
else
vty_out(vty, " encryption uea 1 2%s", VTY_NEWLINE);
vty_out(vty, " authentication %s%s",
gsmnet->authentication_required ? "required" : "optional", VTY_NEWLINE);
vty_out(vty, " rrlp mode %s%s", msc_rrlp_mode_name(gsmnet->rrlp.mode),
@ -1894,6 +1937,7 @@ void msc_vty_init(struct gsm_network *msc_network)
install_element(GSMNET_NODE, &cfg_net_name_short_cmd);
install_element(GSMNET_NODE, &cfg_net_name_long_cmd);
install_element(GSMNET_NODE, &cfg_net_encryption_cmd);
install_element(GSMNET_NODE, &cfg_net_encryption_uea_cmd);
install_element(GSMNET_NODE, &cfg_net_authentication_cmd);
install_element(GSMNET_NODE, &cfg_net_rrlp_mode_cmd);
install_element(GSMNET_NODE, &cfg_net_mm_info_cmd);

View File

@ -266,8 +266,6 @@ static void _test_auth_reuse(enum osmo_rat_type via_ran,
static void test_auth_use_twice_geran()
{
comment_start();
/* A5/0 = no encryption */
net->a5_encryption_mask = A5_0;
_test_auth_reuse(OSMO_RAT_GERAN_A, 1, 1, true);
comment_end();
}
@ -275,8 +273,6 @@ static void test_auth_use_twice_geran()
static void test_auth_use_twice_utran()
{
comment_start();
/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
net->a5_encryption_mask = A5_0_3;
_test_auth_reuse(OSMO_RAT_UTRAN_IU, 1, 1, true);
comment_end();
}
@ -284,8 +280,6 @@ static void test_auth_use_twice_utran()
static void test_auth_use_infinitely_geran()
{
comment_start();
/* A5/0 = no encryption */
net->a5_encryption_mask = A5_0;
_test_auth_reuse(OSMO_RAT_GERAN_A, -1, 3, false);
comment_end();
}
@ -293,8 +287,6 @@ static void test_auth_use_infinitely_geran()
static void test_auth_use_infinitely_utran()
{
comment_start();
/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
net->a5_encryption_mask = A5_0_3;
_test_auth_reuse(OSMO_RAT_UTRAN_IU, -1, 3, false);
comment_end();
}
@ -302,8 +294,6 @@ static void test_auth_use_infinitely_utran()
static void test_no_auth_reuse_geran()
{
comment_start();
/* A5/0 = no encryption */
net->a5_encryption_mask = A5_0;
_test_auth_reuse(OSMO_RAT_GERAN_A, 0, 0, true);
comment_end();
}
@ -311,8 +301,6 @@ static void test_no_auth_reuse_geran()
static void test_no_auth_reuse_utran()
{
comment_start();
/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
net->a5_encryption_mask = A5_0_3;
_test_auth_reuse(OSMO_RAT_UTRAN_IU, 0, 0, true);
comment_end();
}

View File

@ -46,7 +46,6 @@ static void standard_lu()
struct vlr_subscr *vsub;
net->authentication_required = true;
net->a5_encryption_mask = A5_0_3;
net->vlr->cfg.assign_tmsi = true;
rx_from_ran = OSMO_RAT_UTRAN_IU;

View File

@ -49,6 +49,8 @@ static void _test_umts_authen(enum osmo_rat_type via_ran)
"5079da1e1ee7416937485e9ea7c965373d1d6683c270383b3d0e"
"d3d36ff71c949e83c22072799e9687c5ec32a81d96afcbf4b4fb"
"0c7ac3e9e9b7db05";
bool encryption = (via_ran == OSMO_RAT_GERAN_A && net->a5_encryption_mask > 0x1)
|| (via_ran == OSMO_RAT_UTRAN_IU && net->uea_encryption);
net->authentication_required = true;
net->vlr->cfg.assign_tmsi = true;
@ -122,8 +124,7 @@ static void _test_umts_authen(enum osmo_rat_type via_ran)
VERBOSE_ASSERT(auth_request_sent, == true, "%d");
VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
if (net->a5_encryption_mask > 0x1) {
/* Encryption enabled */
if (encryption) {
if (via_ran == OSMO_RAT_GERAN_A) {
btw("Test code not implemented");
OSMO_ASSERT(false);
@ -197,8 +198,7 @@ static void _test_umts_authen(enum osmo_rat_type via_ran)
EXPECT_ACCEPTED(false);
thwart_rx_non_initial_requests();
if (net->a5_encryption_mask > 0x1) {
/* Encryption enabled */
if (encryption) {
if (via_ran == OSMO_RAT_GERAN_A) {
btw("Test code not implemented");
OSMO_ASSERT(false);
@ -265,8 +265,7 @@ static void _test_umts_authen(enum osmo_rat_type via_ran)
EXPECT_ACCEPTED(false);
thwart_rx_non_initial_requests();
if (net->a5_encryption_mask > 0x1) {
/* Encryption enabled */
if (encryption) {
if (via_ran == OSMO_RAT_GERAN_A) {
btw("Test code not implemented");
OSMO_ASSERT(false);
@ -327,8 +326,6 @@ static void _test_umts_authen(enum osmo_rat_type via_ran)
static void test_umts_authen_geran()
{
comment_start();
/* A5/0 = no encryption */
net->a5_encryption_mask = A5_0;
_test_umts_authen(OSMO_RAT_GERAN_A);
comment_end();
}
@ -336,8 +333,7 @@ static void test_umts_authen_geran()
static void test_umts_authen_utran()
{
comment_start();
/* A5/0 = no encryption; so far the A5 setting also triggers UTRAN encryption */
net->a5_encryption_mask = A5_0;
net->uea_encryption = false;
_test_umts_authen(OSMO_RAT_UTRAN_IU);
comment_end();
}
@ -345,8 +341,7 @@ static void test_umts_authen_utran()
static void test_umts_auth_ciph_utran()
{
comment_start();
/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
net->a5_encryption_mask = A5_0_3;
net->uea_encryption = true;
_test_umts_authen(OSMO_RAT_UTRAN_IU);
comment_end();
}
@ -365,6 +360,8 @@ static void _test_umts_authen_resync(enum osmo_rat_type via_ran)
{
struct vlr_subscr *vsub;
const char *imsi = "901700000010650";
bool encryption = (via_ran == OSMO_RAT_GERAN_A && net->a5_encryption_mask > 0x1)
|| (via_ran == OSMO_RAT_UTRAN_IU && net->uea_encryption);
net->authentication_required = true;
net->vlr->cfg.assign_tmsi = true;
@ -519,8 +516,7 @@ static void _test_umts_authen_resync(enum osmo_rat_type via_ran)
VERBOSE_ASSERT(auth_request_sent, == true, "%d");
VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
if (net->a5_encryption_mask > 0x1) {
/* Encryption enabled */
if (encryption) {
if (via_ran == OSMO_RAT_GERAN_A) {
btw("Test code not implemented");
OSMO_ASSERT(false);
@ -585,8 +581,6 @@ static void _test_umts_authen_resync(enum osmo_rat_type via_ran)
static void test_umts_authen_resync_geran()
{
comment_start();
/* A5/0 = no encryption */
net->a5_encryption_mask = A5_0;
_test_umts_authen_resync(OSMO_RAT_GERAN_A);
comment_end();
}
@ -594,8 +588,7 @@ static void test_umts_authen_resync_geran()
static void test_umts_authen_resync_utran()
{
comment_start();
/* A5/0 = no encryption; so far the A5 setting also triggers UTRAN encryption */
net->a5_encryption_mask = A5_0;
net->uea_encryption = false;
_test_umts_authen_resync(OSMO_RAT_UTRAN_IU);
comment_end();
}
@ -603,8 +596,7 @@ static void test_umts_authen_resync_utran()
static void test_umts_auth_ciph_resync_utran()
{
comment_start();
/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
net->a5_encryption_mask = A5_0_3;
net->uea_encryption = true;
_test_umts_authen_resync(OSMO_RAT_UTRAN_IU);
comment_end();
}
@ -698,8 +690,6 @@ static void _test_umts_authen_too_short_res(enum osmo_rat_type via_ran)
static void test_umts_authen_too_short_res_geran()
{
comment_start();
/* A5/0 = no encryption */
net->a5_encryption_mask = A5_0;
_test_umts_authen_too_short_res(OSMO_RAT_GERAN_A);
comment_end();
}
@ -707,8 +697,6 @@ static void test_umts_authen_too_short_res_geran()
static void test_umts_authen_too_short_res_utran()
{
comment_start();
/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
net->a5_encryption_mask = A5_0_3;
_test_umts_authen_too_short_res(OSMO_RAT_UTRAN_IU);
comment_end();
}
@ -802,8 +790,6 @@ static void _test_umts_authen_too_long_res(enum osmo_rat_type via_ran)
static void test_umts_authen_too_long_res_geran()
{
comment_start();
/* A5/0 = no encryption */
net->a5_encryption_mask = A5_0;
_test_umts_authen_too_long_res(OSMO_RAT_GERAN_A);
comment_end();
}
@ -811,8 +797,6 @@ static void test_umts_authen_too_long_res_geran()
static void test_umts_authen_too_long_res_utran()
{
comment_start();
/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
net->a5_encryption_mask = A5_0_3;
_test_umts_authen_too_long_res(OSMO_RAT_UTRAN_IU);
comment_end();
}
@ -911,8 +895,6 @@ static void _test_umts_authen_only_sres(enum osmo_rat_type via_ran)
static void test_umts_authen_only_sres_geran()
{
comment_start();
/* A5/0 = no encryption */
net->a5_encryption_mask = A5_0;
_test_umts_authen_only_sres(OSMO_RAT_GERAN_A);
comment_end();
}
@ -920,8 +902,6 @@ static void test_umts_authen_only_sres_geran()
static void test_umts_authen_only_sres_utran()
{
comment_start();
/* A5/0 + A5/3 = encryption enabled; so far the A5 setting also triggers UTRAN encryption */
net->a5_encryption_mask = A5_0_3;
_test_umts_authen_only_sres(OSMO_RAT_UTRAN_IU);
comment_end();
}

View File

@ -32,9 +32,6 @@
#include <osmocom/msc/msc_a.h>
#include <osmocom/msc/mncc.h>
#define A5_0 (1 << 0)
#define A5_0_3 ((1 << 0) | (1 << 3))
extern bool _log_lines;
#define _log(fmt, args...) do { \
if (_log_lines) \

View File

@ -17,6 +17,7 @@ OsmoMSC(config-net)# list
short name NAME
long name NAME
encryption a5 <0-3> [<0-3>] [<0-3>] [<0-3>]
encryption uea <0-2> [<0-2>] [<0-2>]
authentication (optional|required)
rrlp mode (none|ms-based|ms-preferred|ass-preferred)
mm info (0|1)
@ -26,6 +27,21 @@ OsmoMSC(config-net)# list
periodic location update <6-1530>
no periodic location update
OsmoMSC(config-net)# encryption?
encryption Encryption options
OsmoMSC(config-net)# encryption ?
a5 GSM A5 Air Interface Encryption.
uea UTRAN (3G) encryption algorithms to allow: 0 = UEA0 (no encryption), 1 = UEA1, 2 = UEA2. NOTE: the current implementation does not allow free choice of combining encryption algorithms yet. The only valid settings are either 'encryption uea 0' or 'encryption uea 1 2'.
OsmoMSC(config-net)# encryption uea ?
<0-2> UEAn Algorithm Number
OsmoMSC(config-net)# encryption uea 0 ?
[<0-2>] UEAn Algorithm Number
OsmoMSC(config-net)# encryption uea 0 1 ?
[<0-2>] UEAn Algorithm Number
OsmoMSC(config-net)# encryption uea 0 1 2 ?
<cr>
OsmoMSC(config-net)# exit
OsmoMSC(config)# msc
OsmoMSC(config-msc)# list
@ -130,6 +146,7 @@ network
short name OsmoMSC
long name OsmoMSC
encryption a5 0
encryption uea 1 2
authentication optional
rrlp mode none
mm info 1
@ -157,3 +174,52 @@ sgs
local-ip 0.0.0.0
vlr-name vlr.example.net
end
OsmoMSC# configure terminal
OsmoMSC(config)# network
OsmoMSC(config-net)# encryption uea 0
OsmoMSC(config-net)# show running-config
...
encryption uea 0
...
OsmoMSC(config-net)# encryption uea 1
% Error: the current implementation does not allow free choice of combining
% encryption algorithms yet. The only valid settings are either
% encryption uea 0
% or
% encryption uea 1 2
OsmoMSC(config-net)# show running-config
...
encryption uea 0
...
OsmoMSC(config-net)# encryption uea 2
% Error: the current implementation does not allow free choice of combining
...
OsmoMSC(config-net)# show running-config
...
encryption uea 0
...
OsmoMSC(config-net)# encryption uea 0 1
% Error: the current implementation does not allow free choice of combining
...
OsmoMSC(config-net)# show running-config
...
encryption uea 0
...
OsmoMSC(config-net)# encryption uea 0 2
% Error: the current implementation does not allow free choice of combining
...
OsmoMSC(config-net)# show running-config
...
encryption uea 0
...
OsmoMSC(config-net)# encryption uea 1 2
OsmoMSC(config-net)# show running-config
...
encryption uea 1 2
...