Cleanup PDU Session Handling in RRC/NGAP
Currently, NGAP and RRC share the same structures and responsibilities when
handling PDU Session information: this creates tight coupling, redundancy, and
makes the code harder to maintain.
- NGAP should be responsible only for: Protocol-specific encoding/decoding
(3GPP TS 38.413)
- RRC should own: PDU Session handling and storage in the UE context
This MR is the first step in a broader refactoring of the PDU Session handling
code across NGAP and RRC layers, with the goal of splitting responsibilities
cleanly between both modules.
- Unified gtpu_tunnel_t for tunnel endpoint config (formerly f1u_tunnel_t)
- Refactored and relocated PDU Session struct definitions for better separation
between NGAP and RRC
- Moved pdusession_t for PDU Session handling out of NGAP, now defined and
managed by RRC only
- Defined 3GPP TS 38.413 message-specific structs in NGAP module
- NGAP now decodes NGAP PDU Session Resource Setup/Modify IEs and transfers
decoded data to RRC via ITTI
- Add helper functions to copy from NGAP message to pdusession_t
- Introduced new encoders/decoders/helpers in NGAP for handling PDU Session
Resource Setup/Modify procedures (e.g. decode_pdusession_transfer)
- Migrated to NGAP and removed duplicated logic for QoS information decoding
(fill_qos)
- Improved logging of GTP tunnel info
- Merged redundant functions (f1u_dl_gtp_update and f1u_ul_gtp_update)
- Removed unused code and obsolete types
- do free_func in seq_arr_erase_it on the provided range and updated unit test
- Other fixes and simplifications (e.g. simplified and clarified naming of
tunnel/session parameters and structs)
This cleanup improves code readability, has a high code churn (the deletions are
~159.7% of the insertions) and prepares for better modularity before the
refactoring of PDU Session handling in RRC/NGAP.
Add NAS Authentication Reject enc/dec library and unit test
This MR introduces the library for encoding/decoding of NAS Authentication
Reject (8.2.5.1 of 3GPP TS 24.501) and relevant unit test.
The message is sent by the AMF to the UE to indicate that the authentication
procedure has failed. A NAS handler was also introduced.
Handle authentication not accepted by the network. The handler assumes the message
is not integrity protected, processes the received NAS message and logs whether a
EAP-failure is enclosed. The UE enters state: 5GMM-DEREGISTERED.
Not done in this commit: the UE shall performs actions as per 5.4.1.3.5 of
3GPP TS 24.501, including (1) Abort any ongoing 5GMM procedure
(2) Stop all active timers: T3510, T3516, T3517, T3519, T3520, T3521
(3) Delete stored SUCI. (4) handle EAP-failure message.
NAS Registration Reject: Add bounds and lengths checks
This change adds lengths checks to the received registration reject
message and also performs a bounds check for the received cause.
Since the cause is not checked, any string in the memory can be
dereferenced, possibly leading to DoS.
Signed-off-by: Eduard Vlad eduard.vlad@rwth-aachen.de
Motivation of the commit:
Previously, the RRC module on the NGAP interface directly handled ASN.1 decoding
of NGAP PDU Session Resource items, that was directly stored in pdusession_t, i.e.
in the UE context. Decode logic between Setup and Modify was also duplicated.,
e.g. fill_qos/fill_qos2. The idea behind this change is to achieve this flow:
(1) NGAP handler: decoding (2) ITTI to RRC: transfer decoded message (3) RRC
handler: process decoded message, e.g. store in UE context, etc..
The goal of this commit is to:
* improve the NGAP decoding library by adding decoding functions
* let RRC handle the already decoded data
* enhance error handling, with decode failures now consistently detected and rejected early
* have a cleaner, more maintainable code with fewer duplications and a clearer separation of modules
Changes:
* Moved all ASN.1 decode logic for PDU Session Resource items into the NGAP library
* Introduced decode functions for NGAP IEs whenever necessary, e.g. decode_TNLInformation
decode_pdusession_transfer
* Removed duplicate fill_qos functions and centralized QoS handling in NGAP
* Added function to copy from NGAP PDU Session Resource item to RRC pdusession_t: this actually
replaces decodePDUSessionResourceSetup in RRC, copying from the decoded NGAP struct to
the UE context pdusession_t
Rename the struct members:
`pdusession_param` to `pdusession` in NGAP Initial Context Setup Request
`pdusession_setup_params` in `ngap_pdusession_setup_req_t`
`pdusession_modify_params` and `ngap_pdusession_modify_req_t`
* Remove drb_is_active: function is unused and the logic will be later
added to another function to add DRBs if necessary
* Remove unused NGAP structs and empty TODO functions
* Remove unused pdusession_setup_req_t struct definition
DL NAS Transport: Fix Message Type retrieval on too short message
The change addresses the SM message type retrieval for DL NAS Transport
messages. The assumption of an offset 17 = 7 (MM Sec) + 3 (MM Plain) + 1
(IEI) + 2 (Len) + 4 (SM) is correct.
However, if the DL NAS Transport is received in a plain header, the
lengths would not add up anymore. (This is not complying with the
standard, so not allowed, but possible). The check for the length is
necessary to not process arbitrary memory contents beyond the
pdu_buffer.
Add Security Mode Reject lib/unit test and adopt in stack
This MR is adding the library for the NAS Security Mode Reject, and
relevant unit test.
The UE shall send a SECURITY MODE REJECT containing a 5GMM cause that
typically indicates one of the following cause values: (23) UE security
capabilities mismatch. (24) security mode rejected, unspecified
- The message shall be protected if a security context is available.
- The message is adopted in the handling of Security Mode Command failure.
See 3GPP TS 24.501 5.4.2.5 "NAS security mode command not accepted by
the UE".
This MR includes changes from !3262:
> This patch series addresses a security issue where the UE improperly
> accepts a Security Mode Command (SMC) without an authentication header
> (Security Header 0). This behavior violates TS 24.501 and enables an
> attacker to bypass authentication, set integrity protection to NULL
> (NIA0), and reconfigure the UE without proper verification.
>
> We identified the following issues:
>
> 1. The UE currently accepts unauthenticated SMC messages, even
> allowing NIA0 and EIA0 to be set outside emergency mode.
> 2. When applying NIA0, the MAC field remains uninitialized,
> consistently containing the sequence 0xFF3F0000, making it feasible
> to bypass authentication and enforce insecure configurations.
> 3. The UE does not properly signal security mode failures to the Core
> Network.
>
> This patch series tries to address the above-mentioned issues:
>
> 1. Reject unauthenticated SMC messages, enforcing the requirement that
> they must be integrity-protected.
> 2. Validate MAC before applying security settings, ensuring that only
> authenticated messages are accepted.
> 3. Tear down the security context if an integrity check fails.
> 4. Introduce the Security Mode Reject message to inform the Core
> Network of failed SMC procedures, as required by TS 24.501.
This change performs the algorithm rejection in the corresponding NAS
handler for 5G, since the protocol definitions differ between LTE and
5G, regarding NIA0/EIA0 user plane traffic.
Therefore, for 5G NIA0 is rejected, since it is not allowed under normal
circumstances, while LTE user plane traffic can indeed have EIA0
selected.
Signed-off-by: Eduard Vlad <eduard.vlad@rwth-aachen.de>
It is not allowed to accept an unauthenticated SMC message,
as this effectively bypasses all security measures and
enables a malicioius attacker to compromise the confidentiality
and integrity of exchanged messages.
Signed-off-by: Eduard Vlad <eduard.vlad@rwth-aachen.de>
Co-authored-by: Guido Casati <hello@guidocasati.com>
Retrieving the mac is necessary during the handling of the SMC, since the
context is generated from the specified keys therein. Therefore, it is
necessary to check the MAC right after generation and ensure the authenticity
of the message. If it is not given, the message must be rejected.
Signed-off-by: Eduard Vlad <eduard.vlad@rwth-aachen.de>
Co-authored-by: Guido Casati <hello@guidocasati.com>
This is necessary to indicate to the Core network, that
the security mode command procedure has failed.
Check for the security context presence when generating the Security Mode
reject message: according to 3GPP TS 24.501 5.4.2.5 "NAS security mode command
not accepted by the UE" The UE shall send a SECURITY MODE REJECT containing
a 5GMM cause that typically indicates one of the following cause values:
(23) UE security capabilities mismatch
(24) security mode rejected, unspecified
The message shall be protected if a security context is available
Signed-off-by: Eduard Vlad <eduard.vlad@rwth-aachen.de>
Co-authored-by: Guido Casati <hello@guidocasati.com>
This 5GMM message is required for an invalid security mode command,
e.g. when the MAC integrity fails, or the wrong Security Header is set.
* Add encode/decode functions for common IEs in fgmm_lib: this library
provides encoding/decoding helpers for IEs shared across multiple
NAS messages. The goal is to avoid the legacy approach of creating
separate files per IE
* add NAS Cause enc/dec lib
* Adopted byte_array_t to handle the buffer
Co-authored-by: Eduard Vlad <eduard.vlad@rwth-aachen.de>
Fix various bugs and inconsistencies in config read, SCTP, ITTI, GTP
Fix bugs across various layers, mostly layer 3, including memory leaks.
See the commits for more details.
Fix AMF selection fallback by PLMN ID when no UE identity is present or matching
If a mask is present (i.e., not zero), AMF selection by PLMN ID may
still fail, causing the AMF selection process to skip the fallback
option, i.e. selection by PLMN ID, when no UE identity is available or
when no match is found.
This MR adds also warnings in case there's a match for the AMF is not
found.
Avoid leaking memory upon failed socket binding by calling
freeaddrinfo() before exiting in error cases.
Fixes leak:
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x0000004ac038 in malloc (/home/richie/oai/cmake_targets/ran_build/build/nr-softmodem+0x4ac038) (BuildId: 875d6e5bc54d7c89bdcf151452f12703cb6fd110)
#1 0x7f0fdd92e2a6 in getaddrinfo (/lib64/libc.so.6+0x1202a6) (BuildId: 2b3c02fe7e4d3811767175b6f323692a10a4e116)
#2 0x00000043d7ad in getaddrinfo (/home/richie/oai/cmake_targets/ran_build/build/nr-softmodem+0x43d7ad) (BuildId: 875d6e5bc54d7c89bdcf151452f12703cb6fd110)
#3 0x000000700c73 in udpServerSocket(openAddr_s) /home/richie/oai/openair3/ocp-gtpu/gtp_itf.cpp:486:17
#4 0x000000700c73 in gtpv1Init /home/richie/oai/openair3/ocp-gtpu/gtp_itf.cpp:546:10
#5 0x000000c692b8 in cuup_init_n3 /home/richie/oai/openair2/E1AP/e1ap.c:744:61
#6 0x000000549ea1 in create_gNB_tasks /home/richie/oai/executables/nr-softmodem.c:320:7
#7 0x000000549ea1 in main /home/richie/oai/executables/nr-softmodem.c:619:15
#8 0x7f0fdd8115f4 in __libc_start_call_main (/lib64/libc.so.6+0x35f4) (BuildId: 2b3c02fe7e4d3811767175b6f323692a10a4e116)
#9 0x7f0fdd8116a7 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x36a7) (BuildId: 2b3c02fe7e4d3811767175b6f323692a10a4e116)
#10 0x000000408524 in _start (/home/richie/oai/cmake_targets/ran_build/build/nr-softmodem+0x408524) (BuildId: 875d6e5bc54d7c89bdcf151452f12703cb6fd110)
The mask could be present, .e.g not zero, but the selection of the AMF could
fail. This would lead to a skipping the selection of the AMF by PLMN ID,
which is the last option when no UE identity is present and/or matching.
Free memory allocated in NGAP after use in RRC.
Direct leak of 29 byte(s) in 1 object(s) allocated from:
> #0 0x7f11200b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
> #1 0x558b7fcd0137 in malloc_or_fail /n2-handover-preparation/common/utils/utils.h:86
> #2 0x558b7fcd0137 in create_byte_array /n2-handover-preparation/common/utils/ds/byte_array.c:32
> #3 0x558b7fdb7a5c in rrc_gNB_send_NGAP_NAS_FIRST_REQ /n2-handover-preparation/openair2/RRC/NR/rrc_gNB_NGAP.c:183
> #4 0x558b7fd2ab30 in rrc_gNB_process_RRCSetupComplete /n2-handover-preparation/openair2/RRC/NR/rrc_gNB.c:439
> #5 0x558b7fd2ab30 in handle_rrcSetupComplete /n2-handover-preparation/openair2/RRC/NR/rrc_gNB.c:1715
> #6 0x558b7fd63e23 in rrc_gNB_decode_dcch /n2-handover-preparation/openair2/RRC/NR/rrc_gNB.c:1851
> #7 0x558b7fd8b4c3 in rrc_gnb_task /n2-handover-preparation/openair2/RRC/NR/rrc_gNB.c:2718
> #8 0x7f111ea94ac2 in start_thread nptl/pthread_create.c:442
this commit is refactoring the function ngap_gNB_handle_nas_first_req
to (1) fill first a local instance of ngap_gNB_ue_context_t and then
(2) pass it to ngap_store_ue_context which will allocate memory
for the instance to store in ngap
Upon failure, the error message was saying that something failed (i.e.,
the reason), but not parameters of the getaddrinfo(). Simplify root
cause analysis by providing the parameters for the attempted
getaddrinfo() call.
This function is needed also in upcoming NGAP
libraries (i.e. N2 Handover) and therefore is moved
to the NGAP utilities file. The function converts
transport_layer_addr_t data struct to BIT_STRING_t
by copying the content of its members. The naming
is also updated to tnl_to_bitstring.
* Functions added:
decode_ngap_guami
decode_ngap_UEAggregateMaximumBitRate
decode_ngap_nssai
decode_ngap_security_capabilities
decode_ngap_mobility_restriction
* Adopt these functions in the common NGAP library
Enhance UE identity management in Initial UE Message and other NGAP improvements
This MR improves the Initial UE Message procedures by supporting simultaneous
presence of both 5G-S-TMSI and GUAMI. Previously, only one identity could be
used, leading to potential AMF selection failures. Now the presenceMask allows
both identities. The AMF selection is prioritizing GUAMI first, then falling
back to 5G-S-TMSI, and finally using PLMN or highest capacity.
Also, fix handling of selected PLMN identity in NGAP.
Refactoring:
- Select the AMF based on (1) absence of UE Identity (2) Presence of GUAMI
(3) Presence of 5G-S-TMSI
- Also refactored the AMF selection logic for better readability and reliability.
- Refactor and cleanup rrc_gNB_send_NGAP_NAS_FIRST_REQ
- Replace ngap_pdu_t with byte_array_t
- Add guami_t to ngran_types.h: refactor NGAP and RRC code to use one common
GUAMI type instead of two identical ones
Also:
- Bugfix in ngap_gNB_handle_ng_setup_response: use correct count for PLMNSupportList
Closes issue #801
GUAMI fields (Set ID, Pointer and Region ID) were decoded as Octet String,
however they are encoded as BIT STRING. Therefore, the GUAMI value was wrongly decoded.
In the AMF logs the AMF IDs are 1,1,1, however in gNB logs we had 1,64,4
Quick local test confirmed that:
---- TESTING AMF IDs = 1 ----
Region ID (OCTET STRING): 1
Region ID (BIT STRING): 1
Set ID (OCTET STRING): 64
Set ID (BIT STRING): 1
Pointer (OCTET STRING): 4
Pointer (BIT STRING): 1
The difference arises because:
- OCTET STRING treats the buffer as raw bytes, with all bits used.
- BIT STRING includes a `bits_unused` field, which tells how many padding bits
are present in the least significant end. This is especially important in
3GPP ASN.1 definitions like AMF Set ID (10 bits), AMF Region ID (8 bits),
AMF Pointer (6 bits), where the full byte(s) may contain unused bits that
must be masked out.
selectedPLMN-Identity IE in RRCSetupComplete is an Index (long) of the PLMN selected
by the UE from the plmn-IdentityInfoList (SIB1) (see 3GPP TS 38.331)
while
Selected PLMN Identity in NGAP INITIAL UE MESSAGE Indicates the selected PLMN
id for the non-3GPP access (PLMN Identity ID carrying MNC, MCC and MNC size,
9.2.5.1 3GPP TS 38.413)
The legacy code was setting Selected PLMN Identity in the latter to an ID
value as the former, however in NGAP the IE to be encoded is PLMN Identity 9.3.3.5
therefore:
* set plmn type plmn_id_t in ngap_nas_first_req_t
* check whether received selectedPLMN-Identity is within bounds
* select PLMN from gNB_RrcConfigurationReq by selectedPLMN-Identity ID
note: this commit is assuming that the plmn-IdentityInfoList in SIB1
is matching the PLMN list in gNB_RrcConfigurationReq
* in NGAP: store the PLMN in the NGAP UE context, no need to fetch the PLMN
in the NGAP instance since the UE context already tells what PLMN
was selected
Closes#801
* use bitmask to select presence of either 5G-S-TMSI or GUAMI
* select the AMF based on
(1) absence of UE Identity (2) Presence of GUAMI (3) Presence of 5G-S-TMSI
Related to #801
* add function to process AMF Identifier
* add function to select AMF
* set const parameters in utility nnsf functions
* adopt utilities for memory allocation
* improve readability and maintainability
* improve logging
ngap_pdu_t has the same definition as byte_array_t, so it is
replaced by the latter. This simplify the stack and reduces
duplicated code.
Also, add function create_byte_array to copy from an
existing buffer to a new byte_array_t and replaced
allocCopy with create_byte_array, and adopted
OCTET_STRING_fromBuf whenever possible.
The UE shall use the currently stored UL NAS count to derive the
KgNB. Hardcoding the UL count to 0 is wrong, if there is a reset
to be done it should be explicitly done elsewhere.
Closes#832
The Security Mode Command is the only NAS message sending a security header
type "integrity protected with new 5G NAS security context". Such header
type is indicating that there is no valid security context and it is
indicating the current one configured by the AMF.
When receiving a Security Mode Command the "AMF shall reset the downlink NAS COUNT"
and use it to integrity protect the initial Security Mode Command. "The AMF shall
send the SECURITY MODE COMMAND message unciphered, but shall integrity protect [...]
The AMF shall set the security header type of the message to
"integrity protected with new 5G NAS security context".
See 5.4.2.2 3GPP TS 24.501.
This commit is ensuring the NAS DL count is reset when the relevant security header
is received. Also, the security container is deleted since no more valid and
NAS_SECURITY_NO_SECURITY_CONTEXT is returned. The setup of the new security context
is done by "handle_security_mode_command",
NAS 3GPP TS 24.501 clause 4.4.4.2 specify which NAS messages
are an exception to the integrity protection. All the other
scenarios are expected to be integrity protected. The
nas_security_rx_process function is returning:
1) NAS_SECURITY_NO_SECURITY_CONTEXT if no security context is established
2) NAS_SECURITY_UNPROTECTED for the messages listed in 4.4.4.2
3) NAS_SECURITY_INTEGRITY_PASSED if the integrity check is successful
These 3 results can be all considered successful. The other not.
Also, add a function to check whether a message is allowed to be
integrity unprotected, as per clause 4.2.2.2.
* trigger Identity Response callback from the handler
* process decoded message
According to 4.4.4.2 3GPP TS 24.501, Identity Request
with Identity Type SUCI is not expected to be
integrity protected.