1625 Commits

Author SHA1 Message Date
Cedric Roux
319f5961a1 bugfix: read msg_type only after deciphering 2025-06-24 13:42:06 +02:00
Jaroslava Fiedlerova
8db35e468d Merge remote-tracking branch 'origin/cleanup-pdu-session' into integration_2025_w26 (!3435)
Cleanup PDU Session Handling in RRC/NGAP

Currently, NGAP and RRC share the same structures and responsibilities when
handling PDU Session information: this creates tight coupling, redundancy, and
makes the code harder to maintain.

- NGAP should be responsible only for: Protocol-specific encoding/decoding
(3GPP TS 38.413)
- RRC should own: PDU Session handling and storage in the UE context

This MR is the first step in a broader refactoring of the PDU Session handling
code across NGAP and RRC layers, with the goal of splitting responsibilities
cleanly between both modules.

- Unified gtpu_tunnel_t for tunnel endpoint config (formerly f1u_tunnel_t)
- Refactored and relocated PDU Session struct definitions for better separation
  between NGAP and RRC
  - Moved pdusession_t for PDU Session handling out of NGAP, now defined and
    managed by RRC only
  - Defined 3GPP TS 38.413 message-specific structs in NGAP module
  - NGAP now decodes NGAP PDU Session Resource Setup/Modify IEs and transfers
    decoded data to RRC via ITTI
  - Add helper functions to copy from NGAP message to pdusession_t
- Introduced new encoders/decoders/helpers in NGAP for handling PDU Session
  Resource Setup/Modify procedures (e.g. decode_pdusession_transfer)
  - Migrated to NGAP and removed duplicated logic for QoS information decoding
    (fill_qos)
- Improved logging of GTP tunnel info
- Merged redundant functions (f1u_dl_gtp_update and f1u_ul_gtp_update)
- Removed unused code and obsolete types
- do free_func in seq_arr_erase_it on the provided range and updated unit test
- Other fixes and simplifications (e.g. simplified and clarified naming of
  tunnel/session parameters and structs)

This cleanup improves code readability, has a high code churn (the deletions are
~159.7% of the insertions) and prepares for better modularity before the
refactoring of PDU Session handling in RRC/NGAP.
2025-06-23 15:55:57 +02:00
Jaroslava Fiedlerova
673024f587 Merge remote-tracking branch 'origin/nr-ue-nas-auth-reject' into integration_2025_w26 (!3371)
Add NAS Authentication Reject enc/dec library and unit test

This MR introduces the library for encoding/decoding of NAS Authentication
Reject (8.2.5.1 of 3GPP TS 24.501) and relevant unit test.

The message is sent by the AMF to the UE to indicate that the authentication
procedure has failed. A NAS handler was also introduced.
2025-06-23 15:36:23 +02:00
Guido Casati
88f294bed1 Handle NAS Authentication Reject in stack
Handle authentication not accepted by the network. The handler assumes the message
is not integrity protected, processes the received NAS message and logs whether a
EAP-failure is enclosed. The UE enters state: 5GMM-DEREGISTERED.

Not done in this commit: the UE shall performs actions as per 5.4.1.3.5 of
3GPP TS 24.501, including (1) Abort any ongoing 5GMM procedure
(2) Stop all active timers: T3510, T3516, T3517, T3519, T3520, T3521
(3) Delete stored SUCI. (4) handle EAP-failure message.
2025-06-18 16:29:00 +02:00
Guido Casati
299ce4a9bd Add enc/dec lib for NAS Authentication Reject and unit test 2025-06-18 15:27:35 +02:00
Guido Casati
5445b12c32 Add enc/dec function for EAP Message
Also, add EAP message (optional) enc-dec to Service Reject lib
2025-06-18 15:26:44 +02:00
Jaroslava Fiedlerova
b03619ea51 Merge remote-tracking branch 'origin/reg-reject-len-check' into integration_2025_w25 (!3447)
NAS Registration Reject: Add bounds and lengths checks

This change adds lengths checks to the received registration reject
message and also performs a bounds check for the received cause.
Since the cause is not checked, any string in the memory can be
dereferenced, possibly leading to DoS.

Signed-off-by: Eduard Vlad eduard.vlad@rwth-aachen.de
2025-06-18 11:33:20 +02:00
Guido Casati
b5a717cc99 Add encoder for PDU Session Resource Setup Response Transfer IE in NGAP (Initial Context/PDU Session) Setup Response 2025-06-18 10:52:15 +02:00
Guido Casati
248cf7f155 Use gtpu_tunnel_t in pdusession_setup_t 2025-06-18 10:52:15 +02:00
Guido Casati
0c408875a3 Refactor NGAP decodePDUSessionResourceSetup/Modify to improve RRC/NGAP separation
Motivation of the commit:

Previously, the RRC module on the NGAP interface directly handled ASN.1 decoding
of NGAP PDU Session Resource items, that was directly stored in pdusession_t, i.e.
in the UE context. Decode logic between Setup and Modify was also duplicated.,
e.g. fill_qos/fill_qos2. The idea behind this change is to achieve this flow:
(1) NGAP handler: decoding (2) ITTI to RRC: transfer decoded message (3) RRC
handler: process decoded message, e.g. store in UE context, etc..

The goal of this commit is to:

* improve the NGAP decoding library by adding decoding functions
* let RRC handle the already decoded data
* enhance error handling, with decode failures now consistently detected and rejected early
* have a cleaner, more maintainable code with fewer duplications and a clearer separation of modules

Changes:
* Moved all ASN.1 decode logic for PDU Session Resource items into the NGAP library
* Introduced decode functions for NGAP IEs whenever necessary, e.g. decode_TNLInformation
decode_pdusession_transfer
* Removed duplicate fill_qos functions and centralized QoS handling in NGAP
* Added function to copy from NGAP PDU Session Resource item to RRC pdusession_t: this actually
  replaces decodePDUSessionResourceSetup in RRC, copying from the decoded NGAP struct to
  the UE context pdusession_t
2025-06-18 10:52:15 +02:00
Guido Casati
a36de80e6f Simplify pdu session structs members naming to pdusession
Rename the struct members:
`pdusession_param` to `pdusession` in NGAP Initial Context Setup Request
`pdusession_setup_params` in `ngap_pdusession_setup_req_t`
`pdusession_modify_params` and `ngap_pdusession_modify_req_t`
2025-06-18 10:52:15 +02:00
Guido Casati
00b18f2990 Cleanup unused and/or long time commented out code in RRC/NGAP
* Remove drb_is_active: function is unused and the logic will be later
  added to another function to add DRBs if necessary
* Remove unused NGAP structs and empty TODO functions
* Remove unused pdusession_setup_req_t struct definition
2025-06-17 23:53:07 +02:00
Guido Casati
786fada6e6 Change pdusession_id_t type to int and remove redundant definition for an ID type 2025-06-17 23:53:07 +02:00
Jaroslava Fiedlerova
d35270bfd0 Merge remote-tracking branch 'origin/dl-nas-transport-len-check' into integration_2025_w25 (!3446)
DL NAS Transport: Fix Message Type retrieval on too short message

The change addresses the SM message type retrieval for DL NAS Transport
messages. The assumption of an offset 17 = 7 (MM Sec) + 3 (MM Plain) + 1
(IEI) + 2 (Len) + 4 (SM) is correct.

However, if the DL NAS Transport is received in a plain header, the
lengths would not add up anymore. (This is not complying with the
standard, so not allowed, but possible). The check for the length is
necessary to not process arbitrary memory contents beyond the
pdu_buffer.
2025-06-17 23:39:02 +02:00
Robert Schmidt
f3802d77cc Merge remote-tracking branch 'origin/nr-ue-nas-sec-mode-reject' into integration_2025_w24 (!3369)
Add Security Mode Reject lib/unit test and adopt in stack

This MR is adding the library for the NAS Security Mode Reject, and
relevant unit test.

The UE shall send a SECURITY MODE REJECT containing a 5GMM cause that
typically indicates one of the following cause values: (23) UE security
capabilities mismatch. (24) security mode rejected, unspecified

- The message shall be protected if a security context is available.
- The message is adopted in the handling of Security Mode Command failure.

See 3GPP TS 24.501 5.4.2.5 "NAS security mode command not accepted by
the UE".

This MR includes changes from !3262:

> This patch series addresses a security issue where the UE improperly
> accepts a Security Mode Command (SMC) without an authentication header
> (Security Header 0). This behavior violates TS 24.501 and enables an
> attacker to bypass authentication, set integrity protection to NULL
> (NIA0), and reconfigure the UE without proper verification.
>
> We identified the following issues:
>
> 1. The UE currently accepts unauthenticated SMC messages, even
>    allowing NIA0 and EIA0 to be set outside emergency mode.
> 2. When applying NIA0, the MAC field remains uninitialized,
>    consistently containing the sequence 0xFF3F0000, making it feasible
>    to bypass authentication and enforce insecure configurations.
> 3. The UE does not properly signal security mode failures to the Core
>    Network.
>
> This patch series tries to address the above-mentioned issues:
>
> 1. Reject unauthenticated SMC messages, enforcing the requirement that
>    they must be integrity-protected.
> 2. Validate MAC before applying security settings, ensuring that only
>    authenticated messages are accepted.
> 3. Tear down the security context if an integrity check fails.
> 4. Introduce the Security Mode Reject message to inform the Core
>    Network of failed SMC procedures, as required by TS 24.501.
2025-06-12 14:44:17 +02:00
Eduard Vlad
5e45ecb123 Security Mode Command: Perform Algorithm Rejection in NAS Handler
This change performs the algorithm rejection in the corresponding NAS
handler for 5G, since the protocol definitions differ between LTE and
5G, regarding NIA0/EIA0 user plane traffic.

Therefore, for 5G NIA0 is rejected, since it is not allowed under normal
circumstances, while LTE user plane traffic can indeed have EIA0
selected.

Signed-off-by: Eduard Vlad <eduard.vlad@rwth-aachen.de>
2025-06-12 09:49:34 +02:00
Eduard Vlad
a2a8e3ba6d Security Mode Command: Handle incorrect authentication
It is not allowed to accept an unauthenticated SMC message,
as this effectively bypasses all security measures and
enables a malicioius attacker to compromise the confidentiality
and integrity of exchanged messages.

Signed-off-by: Eduard Vlad <eduard.vlad@rwth-aachen.de>
Co-authored-by: Guido Casati <hello@guidocasati.com>
2025-06-12 09:49:33 +02:00
Eduard Vlad
6c8a3796ae nas security: Implement reusable procedures for Security Mode Command handling
Retrieving the mac is necessary during the handling of the SMC, since the
context is generated from the specified keys therein. Therefore, it is
necessary to check the MAC right after generation and ensure the authenticity
of the message. If it is not given, the message must be rejected.

Signed-off-by: Eduard Vlad <eduard.vlad@rwth-aachen.de>
Co-authored-by: Guido Casati <hello@guidocasati.com>
2025-06-12 09:49:33 +02:00
Eduard Vlad
896698dab5 SMC: reject NULL integrity for non emergency cases
Signed-off-by: Eduard Vlad <eduard.vlad@rwth-aachen.de>
2025-06-12 09:49:33 +02:00
Eduard Vlad
6399d93be8 Add callback for generation of NAS Security Mode Reject message
This is necessary to indicate to the Core network, that
the security mode command procedure has failed.

Check for the security context presence when generating the Security Mode
reject message: according to 3GPP TS 24.501 5.4.2.5 "NAS security mode command
not accepted by the UE" The UE shall send a SECURITY MODE REJECT containing
a 5GMM cause that typically indicates one of the following cause values:
(23) UE security capabilities mismatch
(24) security mode rejected, unspecified
The message shall be protected if a security context is available

Signed-off-by: Eduard Vlad <eduard.vlad@rwth-aachen.de>
Co-authored-by: Guido Casati <hello@guidocasati.com>
2025-06-12 09:49:33 +02:00
Eduard Vlad
98c458fa2c FGS NAS lib: enable encoding of Security Mode Reject
Signed-off-by: Eduard Vlad <eduard.vlad@rwth-aachen.de>

Co-authored-by: Guido Casati <hello@guidocasati.com>
2025-06-12 09:49:33 +02:00
Guido Casati
4262203e2d Add NAS Security Mode Reject enc/dec lib and unit test
This 5GMM message is required for an invalid security mode command,
e.g. when the MAC integrity fails, or the wrong Security Header is set.

* Add encode/decode functions for common IEs in fgmm_lib: this library
  provides encoding/decoding helpers for IEs shared across multiple
  NAS messages. The goal is to avoid the legacy approach of creating
  separate files per IE
* add NAS Cause enc/dec lib
* Adopted byte_array_t to handle the buffer

Co-authored-by: Eduard Vlad <eduard.vlad@rwth-aachen.de>
2025-06-12 09:49:32 +02:00
Robert Schmidt
a4b4fbe96b Merge remote-tracking branch 'origin/fixes-itti-gtp-config' into integration_2025_w24 (!3473)
Fix various bugs and inconsistencies in config read, SCTP, ITTI, GTP

Fix bugs across various layers, mostly layer 3, including memory leaks.
See the commits for more details.
2025-06-11 18:36:39 +02:00
Robert Schmidt
068983915e Merge remote-tracking branch 'origin/bugfix-ngap-amf-selection' into integration_2025_w24 (!3474)
Fix AMF selection fallback by PLMN ID when no UE identity is present or matching

If a mask is present (i.e., not zero), AMF selection by PLMN ID may
still fail, causing the AMF selection process to skip the fallback
option, i.e. selection by PLMN ID, when no UE identity is available or
when no match is found.

This MR adds also warnings in case there's a match for the AMF is not
found.
2025-06-11 07:55:11 +02:00
Robert Schmidt
986b212fe9 GTP: fix memory leak when socket binding fails
Avoid leaking memory upon failed socket binding by calling
freeaddrinfo() before exiting in error cases.

Fixes leak:

    Direct leak of 64 byte(s) in 1 object(s) allocated from:
        #0 0x0000004ac038 in malloc (/home/richie/oai/cmake_targets/ran_build/build/nr-softmodem+0x4ac038) (BuildId: 875d6e5bc54d7c89bdcf151452f12703cb6fd110)
        #1 0x7f0fdd92e2a6 in getaddrinfo (/lib64/libc.so.6+0x1202a6) (BuildId: 2b3c02fe7e4d3811767175b6f323692a10a4e116)
        #2 0x00000043d7ad in getaddrinfo (/home/richie/oai/cmake_targets/ran_build/build/nr-softmodem+0x43d7ad) (BuildId: 875d6e5bc54d7c89bdcf151452f12703cb6fd110)
        #3 0x000000700c73 in udpServerSocket(openAddr_s) /home/richie/oai/openair3/ocp-gtpu/gtp_itf.cpp:486:17
        #4 0x000000700c73 in gtpv1Init /home/richie/oai/openair3/ocp-gtpu/gtp_itf.cpp:546:10
        #5 0x000000c692b8 in cuup_init_n3 /home/richie/oai/openair2/E1AP/e1ap.c:744:61
        #6 0x000000549ea1 in create_gNB_tasks /home/richie/oai/executables/nr-softmodem.c:320:7
        #7 0x000000549ea1 in main /home/richie/oai/executables/nr-softmodem.c:619:15
        #8 0x7f0fdd8115f4 in __libc_start_call_main (/lib64/libc.so.6+0x35f4) (BuildId: 2b3c02fe7e4d3811767175b6f323692a10a4e116)
        #9 0x7f0fdd8116a7 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x36a7) (BuildId: 2b3c02fe7e4d3811767175b6f323692a10a4e116)
        #10 0x000000408524 in _start (/home/richie/oai/cmake_targets/ran_build/build/nr-softmodem+0x408524) (BuildId: 875d6e5bc54d7c89bdcf151452f12703cb6fd110)
2025-06-10 18:00:49 +02:00
Robert Schmidt
405d122937 GTP: check that packets are not larger than max UDP size 2025-06-10 18:00:49 +02:00
Guido Casati
f5f61162ff Add mismatch warning in AMF selection utility functions 2025-06-10 10:05:44 +02:00
Guido Casati
90230078b4 Select AMF by PLMN ID when no other ue_identity.presenceMask is present and/or matching
The mask could be present, .e.g not zero, but the selection of the AMF could
fail. This would lead to a skipping the selection of the AMF by PLMN ID,
which is the last option when no UE identity is present and/or matching.
2025-06-10 10:05:44 +02:00
Guido Casati
a06457bab6 Fix direct leak in rrc_gNB_send_NGAP_NAS_FIRST_REQ
Free memory allocated in NGAP after use in RRC.

 Direct leak of 29 byte(s) in 1 object(s) allocated from:
    > #0 0x7f11200b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    > #1 0x558b7fcd0137 in malloc_or_fail /n2-handover-preparation/common/utils/utils.h:86
    > #2 0x558b7fcd0137 in create_byte_array /n2-handover-preparation/common/utils/ds/byte_array.c:32
    > #3 0x558b7fdb7a5c in rrc_gNB_send_NGAP_NAS_FIRST_REQ /n2-handover-preparation/openair2/RRC/NR/rrc_gNB_NGAP.c:183
    > #4 0x558b7fd2ab30 in rrc_gNB_process_RRCSetupComplete /n2-handover-preparation/openair2/RRC/NR/rrc_gNB.c:439
    > #5 0x558b7fd2ab30 in handle_rrcSetupComplete /n2-handover-preparation/openair2/RRC/NR/rrc_gNB.c:1715
    > #6 0x558b7fd63e23 in rrc_gNB_decode_dcch /n2-handover-preparation/openair2/RRC/NR/rrc_gNB.c:1851
    > #7 0x558b7fd8b4c3 in rrc_gnb_task /n2-handover-preparation/openair2/RRC/NR/rrc_gNB.c:2718
    > #8 0x7f111ea94ac2 in start_thread nptl/pthread_create.c:442
2025-06-09 20:43:44 +02:00
Guido Casati
eb4cd38577 Refactor handling of NGAP UE Context in ngap_gNB_handle_nas_first_req
this commit is refactoring the function ngap_gNB_handle_nas_first_req
to (1) fill first a local instance of ngap_gNB_ue_context_t and then
(2) pass it to ngap_store_ue_context which will allocate memory
for the instance to store in ngap
2025-06-09 20:12:12 +02:00
Guido Casati
70eb09dc09 Add NH derivation function (A.10 3GPP TS 33.501) 2025-06-09 20:10:01 +02:00
Guido Casati
bd1f266ab5 Add utility to log hex buffer with size len (LOG_D) and remove unused legacy hex_dump
* logging buffer is pretty useful for debugging purposes, e.g. derived key values
2025-06-09 20:10:01 +02:00
Guido Casati
d06790fcf2 Move derive_kgnb to key_nas_deriver lib 2025-06-09 20:10:01 +02:00
Guido Casati
1d2fb5af9d Fix FC value definition for NH (A.10 3GPP TS 33.501) 2025-06-09 20:10:01 +02:00
Robert Schmidt
b7f00aa240 SCTP: Provide more info on getaddrinfo() fail
Upon failure, the error message was saying that something failed (i.e.,
the reason), but not parameters of the getaddrinfo(). Simplify root
cause analysis by providing the parameters for the attempted
getaddrinfo() call.
2025-06-06 07:53:58 +02:00
Guido Casati
5e2d7638d1 Move allocAddrCopy to NGAP utilities
This function is needed also in upcoming NGAP
libraries (i.e. N2 Handover) and therefore is moved
to the NGAP utilities file. The function converts
transport_layer_addr_t data struct to BIT_STRING_t
by copying the content of its members. The naming
is also updated to tnl_to_bitstring.
2025-06-05 11:35:51 +02:00
Guido Casati
615f5ef663 Add decoding functions for common NGAP IEs and use in stack
* Functions added:
  decode_ngap_guami
  decode_ngap_UEAggregateMaximumBitRate
  decode_ngap_nssai
  decode_ngap_security_capabilities
  decode_ngap_mobility_restriction
* Adopt these functions in the common NGAP library
2025-06-05 11:35:45 +02:00
Guido Casati
4b2cd156bb Adopt existing ngap_ambr_t in NGAP PDU Session Setup Request 2025-06-05 11:30:59 +02:00
Jaroslava Fiedlerova
dda3b7e88d Merge remote-tracking branch 'origin/issue-801' into integration_2025_w23 (!3302)
Enhance UE identity management in Initial UE Message and other NGAP improvements

This MR improves the Initial UE Message procedures by supporting simultaneous
presence of both 5G-S-TMSI and GUAMI. Previously, only one identity could be
used, leading to potential AMF selection failures. Now the presenceMask allows
both identities. The AMF selection is prioritizing GUAMI first, then falling
back to 5G-S-TMSI, and finally using PLMN or highest capacity.

Also, fix handling of selected PLMN identity in NGAP.

Refactoring:
- Select the AMF based on (1) absence of UE Identity (2) Presence of GUAMI
  (3) Presence of 5G-S-TMSI
- Also refactored the AMF selection logic for better readability and reliability.
- Refactor and cleanup rrc_gNB_send_NGAP_NAS_FIRST_REQ
- Replace ngap_pdu_t with byte_array_t
- Add guami_t to ngran_types.h: refactor NGAP and RRC code to use one common
  GUAMI type instead of two identical ones

Also:
- Bugfix in ngap_gNB_handle_ng_setup_response: use correct count for PLMNSupportList

Closes issue #801
2025-06-02 16:20:24 +02:00
Guido Casati
4ad2a78706 Fix GUAMI decoding in NG Setup Response handler
GUAMI fields (Set ID, Pointer and Region ID) were decoded as Octet String,
however they are encoded as BIT STRING. Therefore, the GUAMI value was wrongly decoded.

In the AMF logs the AMF IDs are 1,1,1, however in gNB logs we had 1,64,4

Quick local test confirmed that:

---- TESTING AMF IDs = 1 ----
Region ID (OCTET STRING): 1
Region ID (BIT STRING):   1
Set ID (OCTET STRING): 64
Set ID (BIT STRING):   1
Pointer (OCTET STRING): 4
Pointer (BIT STRING):   1

The difference arises because:
- OCTET STRING treats the buffer as raw bytes, with all bits used.
- BIT STRING includes a `bits_unused` field, which tells how many padding bits
  are present in the least significant end. This is especially important in
  3GPP ASN.1 definitions like AMF Set ID (10 bits), AMF Region ID (8 bits),
  AMF Pointer (6 bits),  where the full byte(s) may contain unused bits that
  must be masked out.
2025-05-28 13:01:28 +02:00
Guido Casati
cc57bcc3a0 Log served GUAMIs, PLMNs and slices in NG Setup handler 2025-05-28 13:01:28 +02:00
Guido Casati
539d17203f Fix handling of selected PLMN in NGAP
selectedPLMN-Identity IE in RRCSetupComplete is an Index (long) of the PLMN selected
by the UE from the plmn-IdentityInfoList (SIB1) (see 3GPP TS 38.331)

while

Selected PLMN Identity in NGAP INITIAL UE MESSAGE Indicates the selected PLMN
id for the non-3GPP access (PLMN Identity ID carrying MNC, MCC and MNC size,
9.2.5.1 3GPP TS 38.413)

The legacy code was setting Selected PLMN Identity in the latter to an ID
value as the former, however in NGAP the IE to be encoded is PLMN Identity 9.3.3.5

therefore:

* set plmn type plmn_id_t in ngap_nas_first_req_t
* check whether received selectedPLMN-Identity is within bounds
* select PLMN from gNB_RrcConfigurationReq by selectedPLMN-Identity ID
  note: this commit is assuming that the plmn-IdentityInfoList in SIB1
  is matching the PLMN list in gNB_RrcConfigurationReq
* in NGAP: store the PLMN in the NGAP UE context, no need to fetch the PLMN
  in the NGAP instance since the UE context already tells what PLMN
  was selected

Closes #801
2025-05-28 13:01:28 +02:00
Guido Casati
8a0baed430 Handle both 5G-S-TMSI and GUAMI in the NGAP Initial UE Message procedures
* use bitmask to select presence of either 5G-S-TMSI or GUAMI
* select the AMF based on
  (1) absence of UE Identity (2) Presence of GUAMI (3) Presence of 5G-S-TMSI

Related to #801
2025-05-28 13:01:28 +02:00
Guido Casati
afe73820d6 Refactor and cleanup rrc_gNB_send_NGAP_NAS_FIRST_REQ
* add function to process AMF Identifier
* add function to select AMF
* set const parameters in utility nnsf functions
* adopt utilities for memory allocation
* improve readability and maintainability
* improve logging
2025-05-28 13:01:28 +02:00
Guido Casati
8fb8713023 Replace ngap_pdu_t with byte_array_t
ngap_pdu_t has the same definition as byte_array_t, so it is
replaced by the latter. This simplify the stack and reduces
duplicated code.

Also, add function create_byte_array to copy from an
existing buffer to a new byte_array_t and replaced
allocCopy with create_byte_array, and adopted
OCTET_STRING_fromBuf whenever possible.
2025-05-28 12:59:50 +02:00
Guido Casati
16740e5eb0 Use UL NAS Count to derive KgNB (6.8 of 3GPP TS 33.501)
The UE shall use the currently stored UL NAS count to derive the
KgNB. Hardcoding the UL count to 0 is wrong, if there is a reset
to be done it should be explicitly done elsewhere.

Closes #832
2025-05-26 17:05:00 +02:00
Guido Casati
d405cbb77f Handle security header type "integrity protected with new 5G NAS security context"
The Security Mode Command is the only NAS message sending a security header
type "integrity protected with new 5G NAS security context". Such header
type is indicating that there is no valid security context and it is
indicating the current one configured by the AMF.

When receiving a Security Mode Command the "AMF shall reset the downlink NAS COUNT"
and use it to integrity protect the initial Security Mode Command. "The AMF shall
send the SECURITY MODE COMMAND message unciphered, but shall integrity protect [...]
The AMF shall set the security header type of the message to
"integrity protected with new 5G NAS security context".

See 5.4.2.2 3GPP TS 24.501.

This commit is ensuring the NAS DL count is reset when the relevant security header
is received. Also, the security container is deleted since no more valid and
NAS_SECURITY_NO_SECURITY_CONTEXT is returned. The setup of the new security context
is done by "handle_security_mode_command",
2025-05-26 17:05:00 +02:00
Guido Casati
f672d9088c Simplify handling of security check of received NAS messages
NAS 3GPP TS 24.501 clause 4.4.4.2 specify which NAS messages
are an exception to the integrity protection. All the other
scenarios are expected to be integrity protected. The
nas_security_rx_process function is returning:

1) NAS_SECURITY_NO_SECURITY_CONTEXT if no security context is established
2) NAS_SECURITY_UNPROTECTED for the messages listed in 4.4.4.2
3) NAS_SECURITY_INTEGRITY_PASSED if the integrity check is successful

These 3 results can be all considered successful. The other not.

Also, add a function to check whether a message is allowed to be
integrity unprotected, as per clause 4.2.2.2.
2025-05-26 17:05:00 +02:00
Guido Casati
e651a29a2a Use byte_array_t in nas_security_rx_process 2025-05-26 17:05:00 +02:00
Guido Casati
7f96a04c1b Add handler for NAS Identity Request
* trigger Identity Response callback from the handler
* process decoded message

According to 4.4.4.2 3GPP TS 24.501, Identity Request
with Identity Type SUCI is not expected to be
integrity protected.
2025-05-26 17:05:00 +02:00