forked from acouzens/open5gs
[NAS] Discard message if Integrity failed (#1848)
parent
78359374ab
commit
243bf9850a
|
@ -797,29 +797,35 @@ void gmm_state_security_mode(ogs_fsm_t *s, amf_event_t *e)
|
||||||
case OGS_NAS_5GS_SECURITY_MODE_COMPLETE:
|
case OGS_NAS_5GS_SECURITY_MODE_COMPLETE:
|
||||||
ogs_debug("[%s] Security mode complete", amf_ue->supi);
|
ogs_debug("[%s] Security mode complete", amf_ue->supi);
|
||||||
|
|
||||||
CLEAR_AMF_UE_TIMER(amf_ue->t3560);
|
/*
|
||||||
|
* TS24.501
|
||||||
/* Now, We will check the MAC in the NAS message*/
|
* Section 4.4.4.3
|
||||||
|
* Integrity checking of NAS signalling messages in the AMF
|
||||||
|
*
|
||||||
|
* Once the secure exchange of NAS messages has been established
|
||||||
|
* for the NAS signalling connection, the receiving 5GMM entity
|
||||||
|
* in the AMF shall not process any NAS signalling messages
|
||||||
|
* unless they have been successfully integrity checked by the NAS.
|
||||||
|
* If any NAS signalling message, having not successfully passed
|
||||||
|
* the integrity check, is received, then the NAS in the AMF shall
|
||||||
|
* discard that message. If any NAS signalling message is received,
|
||||||
|
* as not integrity protected even though the secure exchange
|
||||||
|
* of NAS messages has been established, then the NAS shall discard
|
||||||
|
* this message.
|
||||||
|
*/
|
||||||
if (h.integrity_protected == 0) {
|
if (h.integrity_protected == 0) {
|
||||||
ogs_error("[%s] Security-mode : No Integrity Protected",
|
ogs_error("[%s] Security-mode : No Integrity Protected",
|
||||||
amf_ue->supi);
|
amf_ue->supi);
|
||||||
|
|
||||||
ogs_assert(OGS_OK ==
|
|
||||||
nas_5gs_send_gmm_reject(amf_ue,
|
|
||||||
OGS_5GMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED));
|
|
||||||
OGS_FSM_TRAN(s, &gmm_state_exception);
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!SECURITY_CONTEXT_IS_VALID(amf_ue)) {
|
if (!SECURITY_CONTEXT_IS_VALID(amf_ue)) {
|
||||||
ogs_warn("[%s] No Security Context", amf_ue->supi);
|
ogs_warn("[%s] No Security Context", amf_ue->supi);
|
||||||
ogs_assert(OGS_OK ==
|
|
||||||
nas_5gs_send_gmm_reject(amf_ue,
|
|
||||||
OGS_5GMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED));
|
|
||||||
OGS_FSM_TRAN(s, &gmm_state_exception);
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
CLEAR_AMF_UE_TIMER(amf_ue->t3560);
|
||||||
|
|
||||||
gmm_cause = gmm_handle_security_mode_complete(
|
gmm_cause = gmm_handle_security_mode_complete(
|
||||||
amf_ue, &nas_message->gmm.security_mode_complete);
|
amf_ue, &nas_message->gmm.security_mode_complete);
|
||||||
if (gmm_cause != OGS_5GMM_CAUSE_REQUEST_ACCEPTED) {
|
if (gmm_cause != OGS_5GMM_CAUSE_REQUEST_ACCEPTED) {
|
||||||
|
|
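Review bot: The two early `break`s in the `OGS_NAS_5GS_SECURITY_MODE_COMPLETE` case now drop the message without a reply and leave T3560 armed, but the new comment does not say that this is deliberate. The quoted TS 24.501 text explains why the message is discarded; it does not tell a maintainer that `CLEAR_AMF_UE_TIMER(amf_ue->t3560);` was moved below both checks so that an unauthenticated message cannot stop the timer. I would add one line above the first check, for example `/* Discard without reply; T3560 stays armed so an unprotected message cannot end the procedure. */`. Note also that `h.integrity_protected == 0` tests only a header flag; where the MAC itself is verified is not visible here, and gmm_state_security_mode starts and continues outside the hunk.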
|
@ -870,26 +870,30 @@ void emm_state_security_mode(ogs_fsm_t *s, mme_event_t *e)
|
||||||
|
|
||||||
CLEAR_MME_UE_TIMER(mme_ue->t3460);
|
CLEAR_MME_UE_TIMER(mme_ue->t3460);
|
||||||
|
|
||||||
/* Now, We will check the MAC in the NAS message*/
|
/*
|
||||||
|
* TS24.301
|
||||||
|
* Section 4.4.4.3
|
||||||
|
* Integrity checking of NAS signalling messages in the MME:
|
||||||
|
*
|
||||||
|
* Once the secure exchange of NAS messages has been established
|
||||||
|
* for the NAS signalling connection, the receiving EMM or ESM entity
|
||||||
|
* in the MME shall not process any NAS signalling messages
|
||||||
|
* unless they have been successfully integrity checked by the NAS.
|
||||||
|
* If any NAS signalling message, having not successfully passed
|
||||||
|
* the integrity check, is received, then the NAS in the MME shall
|
||||||
|
* discard that message. If any NAS signalling message is received,
|
||||||
|
* as not integrity protected even though the secure exchange
|
||||||
|
* of NAS messages has been established, then the NAS shall discard
|
||||||
|
* this message.
|
||||||
|
*/
|
||||||
h.type = e->nas_type;
|
h.type = e->nas_type;
|
||||||
if (h.integrity_protected == 0) {
|
if (h.integrity_protected == 0) {
|
||||||
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
|
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
|
||||||
|
|
||||||
ogs_assert(OGS_OK ==
|
|
||||||
nas_eps_send_attach_reject(mme_ue,
|
|
||||||
OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
|
||||||
OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));
|
|
||||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
|
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
|
||||||
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
|
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
|
||||||
ogs_assert(OGS_OK ==
|
|
||||||
nas_eps_send_attach_reject(mme_ue,
|
|
||||||
OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
|
||||||
OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));
|
|
||||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
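Review bot: `CLEAR_MME_UE_TIMER(mme_ue->t3460);` still runs before the integrity check in this hunk, so a message that is then discarded for `h.integrity_protected == 0` or for a missing security context has already stopped T3460. The other three hunks of this commit move the timer clear below both checks; here it remains a context line above the new comment. That would appear to let an unauthenticated message leave the UE in emm_state_security_mode with no timer running. Move `CLEAR_MME_UE_TIMER(mme_ue->t3460);` to immediately after the closing brace of the `SECURITY_CONTEXT_IS_VALID` block, as the AMF hunk does for T3560. The case label and the rest of the function are outside the hunk, so confirm that nothing later re-arms the timer.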
||||||
|
@ -1038,30 +1042,35 @@ void emm_state_initial_context_setup(ogs_fsm_t *s, mme_event_t *e)
|
||||||
case OGS_NAS_EPS_ATTACH_COMPLETE:
|
case OGS_NAS_EPS_ATTACH_COMPLETE:
|
||||||
ogs_info("[%s] Attach complete", mme_ue->imsi_bcd);
|
ogs_info("[%s] Attach complete", mme_ue->imsi_bcd);
|
||||||
|
|
||||||
CLEAR_MME_UE_TIMER(mme_ue->t3450);
|
/*
|
||||||
|
* TS24.301
|
||||||
|
* Section 4.4.4.3
|
||||||
|
* Integrity checking of NAS signalling messages in the MME:
|
||||||
|
*
|
||||||
|
* Once the secure exchange of NAS messages has been established
|
||||||
|
* for the NAS signalling connection, the receiving EMM or ESM entity
|
||||||
|
* in the MME shall not process any NAS signalling messages
|
||||||
|
* unless they have been successfully integrity checked by the NAS.
|
||||||
|
* If any NAS signalling message, having not successfully passed
|
||||||
|
* the integrity check, is received, then the NAS in the MME shall
|
||||||
|
* discard that message. If any NAS signalling message is received,
|
||||||
|
* as not integrity protected even though the secure exchange
|
||||||
|
* of NAS messages has been established, then the NAS shall discard
|
||||||
|
* this message.
|
||||||
|
*/
|
||||||
h.type = e->nas_type;
|
h.type = e->nas_type;
|
||||||
if (h.integrity_protected == 0) {
|
if (h.integrity_protected == 0) {
|
||||||
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
|
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
|
||||||
|
|
||||||
ogs_assert(OGS_OK ==
|
|
||||||
nas_eps_send_attach_reject(mme_ue,
|
|
||||||
OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
|
||||||
OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));
|
|
||||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
|
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
|
||||||
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
|
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
|
||||||
ogs_assert(OGS_OK ==
|
|
||||||
nas_eps_send_attach_reject(mme_ue,
|
|
||||||
OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
|
||||||
OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));
|
|
||||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
CLEAR_MME_UE_TIMER(mme_ue->t3450);
|
||||||
|
|
||||||
rv = emm_handle_attach_complete(
|
rv = emm_handle_attach_complete(
|
||||||
mme_ue, &message->emm.attach_complete);
|
mme_ue, &message->emm.attach_complete);
|
||||||
if (rv != OGS_OK) {
|
if (rv != OGS_OK) {
|
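Review bot: The discard path in the `OGS_NAS_EPS_ATTACH_COMPLETE` case logs `"[%s] No Integrity Protected"` with exactly the same text as the `OGS_NAS_EPS_TRACKING_AREA_UPDATE_COMPLETE` hunk below and the emm_state_security_mode hunk above. Now that the message is dropped without a reject, this log line is the only record of the event visible in the hunk, and an operator triaging it cannot tell which NAS message was discarded. Name the message in the text, for example `ogs_error("[%s] Attach complete : No Integrity Protected", mme_ue->imsi_bcd);`, matching the `Security-mode :` prefix the AMF hunk already uses. Because every unprotected message produces an `ogs_error` line carrying the IMSI, it is also worth considering whether this path needs rate limiting.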
||||||
|
@ -1085,30 +1094,35 @@ void emm_state_initial_context_setup(ogs_fsm_t *s, mme_event_t *e)
|
||||||
case OGS_NAS_EPS_TRACKING_AREA_UPDATE_COMPLETE:
|
case OGS_NAS_EPS_TRACKING_AREA_UPDATE_COMPLETE:
|
||||||
ogs_debug("[%s] Tracking area update complete", mme_ue->imsi_bcd);
|
ogs_debug("[%s] Tracking area update complete", mme_ue->imsi_bcd);
|
||||||
|
|
||||||
CLEAR_MME_UE_TIMER(mme_ue->t3450);
|
/*
|
||||||
|
* TS24.301
|
||||||
|
* Section 4.4.4.3
|
||||||
|
* Integrity checking of NAS signalling messages in the MME:
|
||||||
|
*
|
||||||
|
* Once the secure exchange of NAS messages has been established
|
||||||
|
* for the NAS signalling connection, the receiving EMM or ESM entity
|
||||||
|
* in the MME shall not process any NAS signalling messages
|
||||||
|
* unless they have been successfully integrity checked by the NAS.
|
||||||
|
* If any NAS signalling message, having not successfully passed
|
||||||
|
* the integrity check, is received, then the NAS in the MME shall
|
||||||
|
* discard that message. If any NAS signalling message is received,
|
||||||
|
* as not integrity protected even though the secure exchange
|
||||||
|
* of NAS messages has been established, then the NAS shall discard
|
||||||
|
* this message.
|
||||||
|
*/
|
||||||
h.type = e->nas_type;
|
h.type = e->nas_type;
|
||||||
if (h.integrity_protected == 0) {
|
if (h.integrity_protected == 0) {
|
||||||
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
|
ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd);
|
||||||
|
|
||||||
ogs_assert(OGS_OK ==
|
|
||||||
nas_eps_send_attach_reject(mme_ue,
|
|
||||||
OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
|
||||||
OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));
|
|
||||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
|
if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) {
|
||||||
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
|
ogs_warn("[%s] No Security Context", mme_ue->imsi_bcd);
|
||||||
ogs_assert(OGS_OK ==
|
|
||||||
nas_eps_send_attach_reject(mme_ue,
|
|
||||||
OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED,
|
|
||||||
OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED));
|
|
||||||
OGS_FSM_TRAN(s, &emm_state_exception);
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
CLEAR_MME_UE_TIMER(mme_ue->t3450);
|
||||||
|
|
||||||
/* Confirm GUTI */
|
/* Confirm GUTI */
|
||||||
if (mme_ue->next.m_tmsi)
|
if (mme_ue->next.m_tmsi)
|
||||||
mme_ue_confirm_guti(mme_ue);
|
mme_ue_confirm_guti(mme_ue);
|
||||||
|
|