forked from acouzens/open5gs
[NAS] Discard message if Integrity failed (#1848)
parent
78359374ab
commit
243bf9850a
|
@ -797,29 +797,35 @@ void gmm_state_security_mode(ogs_fsm_t *s, amf_event_t *e)
|
|||
case OGS_NAS_5GS_SECURITY_MODE_COMPLETE:
|
||||
ogs_debug("[%s] Security mode complete", amf_ue->supi);
|
||||
|
||||
CLEAR_AMF_UE_TIMER(amf_ue->t3560);
|
||||
|
||||
/* Now, We will check the MAC in the NAS message*/
|
||||
/*
|
||||
* TS24.501
|
||||
* Section 4.4.4.3
|
||||
* Integrity checking of NAS signalling messages in the AMF
|
||||
*
|
||||
* Once the secure exchange of NAS messages has been established
|
||||
* for the NAS signalling connection, the receiving 5GMM entity
|
||||
* in the AMF shall not process any NAS signalling messages
|
||||
* unless they have been successfully integrity checked by the NAS.
|
||||
* If any NAS signalling message, having not successfully passed
|
||||
* the integrity check, is received, then the NAS in the AMF shall
|
||||
* discard that message. If any NAS signalling message is received,
|
||||
* as not integrity protected even though the secure exchange
|
||||
* of NAS messages has been established, then the NAS shall discard
|
||||
* this message.
|
||||
*/
|
||||
if (h.integrity_protected == 0) {
|
||||
ogs_error("[%s] Security-mode : No Integrity Protected",
|
||||
amf_ue->supi);
|
||||
|
||||
ogs_assert(OGS_OK ==
|
||||
nas_5gs_send_gmm_reject(amf_ue,
|
||||
OGS_5GMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED));
|
||||
OGS_FSM_TRAN(s, &gmm_state_exception);
|
||||
break;
|
||||
}
|
||||
|
||||
if (!SECURITY_CONTEXT_IS_VALID(amf_ue)) {
|
||||
ogs_warn("[%s] No Security Context", amf_ue->supi);
|
||||
ogs_assert(OGS_OK ==
|
||||
nas_5gs_send_gmm_reject(amf_ue,
|
||||
OGS_5GMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED));
|
||||
OGS_FSM_TRAN(s, &gmm_state_exception);
|
||||
break;
|
||||
}
|
||||
|
||||
CLEAR_AMF_UE_TIMER(amf_ue->t3560);
|
||||
|
||||
gmm_cause = gmm_handle_security_mode_complete(
|
||||
amf_ue, &nas_message->gmm.security_mode_complete);
|
||||
if (gmm_cause != OGS_5GMM_CAUSE_REQUEST_ACCEPTED) {
|
||||
|
|
|
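Review bot: Nothing in the new comment explains why `CLEAR_AMF_UE_TIMER(amf_ue->t3560)` has to sit below the two checks, and that ordering is what makes the discard safe: a Security Mode Complete that is dropped must leave T3560 running so the procedure can still be retried or time out. The page prints the call both before and after the checks with the +/- markers lost, so this assumes the later position is the new side, which matches the commit title. I would add above it `/* Stop T3560 only after the integrity checks: a discarded message must not cancel the timer */`. The two discard branches also log at different levels (`ogs_error` and `ogs_warn`) for the same outcome; using one level makes them easier to alert on. The enclosing switch in gmm_state_security_mode starts and ends outside the hunk.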
@ -870,26 +870,30 @@ void emm_state_security_mode(ogs_fsm_t *s, mme_event_t *e)
|
|||
|
||||
CLEAR_MME_UE_TIMER(mme_ue->t3460);
|
||||
|
||||
/* Now, We will check the MAC in the NAS message*/
|
||||
/*
|
||||
* TS24.301
|
||||
* Section 4.4.4.3
|
||||
* Integrity checking of NAS signalling messages in the MME:
|
||||
*
|
||||
* Once the secure exchange of NAS messages has been established
|
||||
* for the NAS signalling connection, the receiving EMM or ESM entity
|
||||
* in the MME shall not process any NAS signalling messages
|
||||
* unless they have been successfully integrity checked by the NAS.
|
||||
* If any NAS signalling message, having not successfully passed
|
||||
* the integrity check, is received, then the NAS in the MME shall
|
||||
* discard that message. If any NAS signalling message is received,
|
||||
* as not integrity protected even though the secure exchange
|
||||
* of NAS messages has been established, then the NAS shall discard
|
||||
* this message.
|
||||
*/
|
||||
h.type = e->nas_type;
|
||||
if (h.integrity_protected == 0) {
|
||||
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
|
||||
|
||||
ogs_assert(OGS_OK ==
|
||||
nas_eps_send_attach_reject(mme_ue,
|
||||
OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
||||
OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));
|
||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
||||
break;
|
||||
}
|
||||
|
||||
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
|
||||
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
|
||||
ogs_assert(OGS_OK ==
|
||||
nas_eps_send_attach_reject(mme_ue,
|
||||
OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
||||
OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));
|
||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
||||
break;
|
||||
}
|
||||
|
||||
|
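Review bot: `CLEAR_MME_UE_TIMER(mme_ue->t3460)` still runs ahead of the `h.integrity_protected == 0` and `SECURITY_CONTEXT_IS_VALID` checks in this emm_state_security_mode hunk, and no second call appears after them, so a message that is discarded appears to stop T3460 anyway. With the reject and the transition to `emm_state_exception` gone (as the commit title and the hunk's line counts suggest), an unprotected Security Mode Complete would then leave the UE in this state with no retransmission and no expiry. The gmm_state_security_mode hunk and both emm_state_initial_context_setup hunks print their timer clear after the checks; moving this one to just below the `SECURITY_CONTEXT_IS_VALID` block would match them. The case label is above the hunk and the code after the checks is cut off, so confirm there is no later clear outside the view.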
@ -1038,30 +1042,35 @@ void emm_state_initial_context_setup(ogs_fsm_t *s, mme_event_t *e)
|
|||
case OGS_NAS_EPS_ATTACH_COMPLETE:
|
||||
ogs_info("[%s] Attach complete", mme_ue->imsi_bcd);
|
||||
|
||||
CLEAR_MME_UE_TIMER(mme_ue->t3450);
|
||||
|
||||
/*
|
||||
* TS24.301
|
||||
* Section 4.4.4.3
|
||||
* Integrity checking of NAS signalling messages in the MME:
|
||||
*
|
||||
* Once the secure exchange of NAS messages has been established
|
||||
* for the NAS signalling connection, the receiving EMM or ESM entity
|
||||
* in the MME shall not process any NAS signalling messages
|
||||
* unless they have been successfully integrity checked by the NAS.
|
||||
* If any NAS signalling message, having not successfully passed
|
||||
* the integrity check, is received, then the NAS in the MME shall
|
||||
* discard that message. If any NAS signalling message is received,
|
||||
* as not integrity protected even though the secure exchange
|
||||
* of NAS messages has been established, then the NAS shall discard
|
||||
* this message.
|
||||
*/
|
||||
h.type = e->nas_type;
|
||||
if (h.integrity_protected == 0) {
|
||||
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
|
||||
|
||||
ogs_assert(OGS_OK ==
|
||||
nas_eps_send_attach_reject(mme_ue,
|
||||
OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
||||
OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));
|
||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
||||
break;
|
||||
}
|
||||
|
||||
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
|
||||
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
|
||||
ogs_assert(OGS_OK ==
|
||||
nas_eps_send_attach_reject(mme_ue,
|
||||
OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
||||
OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));
|
||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
||||
break;
|
||||
}
|
||||
|
||||
CLEAR_MME_UE_TIMER(mme_ue->t3450);
|
||||
|
||||
rv = emm_handle_attach_complete(
|
||||
mme_ue, &message->emm.attach_complete);
|
||||
if (rv != OGS_OK) {
|
||||
|
@ -1085,30 +1094,35 @@ void emm_state_initial_context_setup(ogs_fsm_t *s, mme_event_t *e)
|
|||
case OGS_NAS_EPS_TRACKING_AREA_UPDATE_COMPLETE:
|
||||
ogs_debug("[%s] Tracking area update complete", mme_ue->imsi_bcd);
|
||||
|
||||
CLEAR_MME_UE_TIMER(mme_ue->t3450);
|
||||
|
||||
/*
|
||||
* TS24.301
|
||||
* Section 4.4.4.3
|
||||
* Integrity checking of NAS signalling messages in the MME:
|
||||
*
|
||||
* Once the secure exchange of NAS messages has been established
|
||||
* for the NAS signalling connection, the receiving EMM or ESM entity
|
||||
* in the MME shall not process any NAS signalling messages
|
||||
* unless they have been successfully integrity checked by the NAS.
|
||||
* If any NAS signalling message, having not successfully passed
|
||||
* the integrity check, is received, then the NAS in the MME shall
|
||||
* discard that message. If any NAS signalling message is received,
|
||||
* as not integrity protected even though the secure exchange
|
||||
* of NAS messages has been established, then the NAS shall discard
|
||||
* this message.
|
||||
*/
|
||||
h.type = e->nas_type;
|
||||
if (h.integrity_protected == 0) {
|
||||
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
|
||||
|
||||
ogs_assert(OGS_OK ==
|
||||
nas_eps_send_attach_reject(mme_ue,
|
||||
OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
||||
OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));
|
||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
||||
break;
|
||||
}
|
||||
|
||||
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
|
||||
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
|
||||
ogs_assert(OGS_OK ==
|
||||
nas_eps_send_attach_reject(mme_ue,
|
||||
OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
||||
OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));
|
||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
||||
break;
|
||||
}
|
||||
|
||||
CLEAR_MME_UE_TIMER(mme_ue->t3450);
|
||||
|
||||
/* Confirm GUTI */
|
||||
if (mme_ue->next.m_tmsi)
|
||||
mme_ue_confirm_guti(mme_ue);
|
||||
|
|