mirror of
https://gitlab.eurecom.fr/oai/openairinterface5g.git
synced 2026-07-13 04:30:28 +00:00
Extend UICC configuration parsing to provide: routing_indicator, protection_scheme, home_network_public_key, and home_network_public_key_id. Use the protection_scheme value to decide what SUCI Profile Scheme to apply during SUCI generation. Add support for Profile Scheme A which provides ECIES-based encryption using Curve25519 and X9.63 KDF as outlined in TS 33.501 Section C.3.4.1 Profile A. When a configuration file specifies an unsupported Profile Scheme, the NAS layer triggers a fatal error. This occurs either because Profile Scheme B is unimplemented or the build uses OpenSSL < 3.0, which lacks Curve25519 and X9.63 KDF support, ensuring users are informed of the incompatibility.
2331 lines
86 KiB
C
2331 lines
86 KiB
C
/*
|
|
* SPDX-License-Identifier: LicenseRef-CSSL-1.0
|
|
*/
|
|
|
|
/*!
|
|
* \brief Definitions of handlers and callbacks for NR NAS UE task
|
|
*/
|
|
|
|
#include "nr_nas_msg.h"
|
|
#include <netinet/in.h>
|
|
#include "NR_NAS_defs.h"
|
|
#include <openssl/opensslv.h>
|
|
#include <stdint.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include "common/utils/ds/byte_array.h"
|
|
#include "common/utils/nr/nr_common.h"
|
|
#include "AuthenticationResponseParameter.h"
|
|
#include "FGCNasMessageContainer.h"
|
|
#include "FGSDeregistrationRequestUEOriginating.h"
|
|
#include "FGSDeregistrationType.h"
|
|
#include "NasKeySetIdentifier.h"
|
|
#include "NrUESecurityCapability.h"
|
|
#include "OctetString.h"
|
|
#include "PduSessionEstablishRequest.h"
|
|
#include "PduSessionEstablishmentAccept.h"
|
|
#include "RegistrationAccept.h"
|
|
#include "SORTransparentContainer.h"
|
|
#include "FGSIdentityResponse.h"
|
|
#include "fgmm_authentication_request.h"
|
|
#include "fgmm_identity_request.h"
|
|
#include "T.h"
|
|
#include "aka_functions.h"
|
|
#include "assertions.h"
|
|
#include "common/utils/ds/byte_array.h"
|
|
#include "commonDef.h"
|
|
#include "intertask_interface.h"
|
|
#include "kdf.h"
|
|
#include "key_nas_deriver.h"
|
|
#include "nas_log.h"
|
|
#include "openair3/UICC/usim_interface.h"
|
|
#include "openair3/UTILS/conversions.h"
|
|
#include "secu_defs.h"
|
|
#include "utils.h"
|
|
#include "openair2/SDAP/nr_sdap/nr_sdap.h"
|
|
#include "openair2/SDAP/nr_sdap/nr_sdap_entity.h"
|
|
#include "fgs_nas_utils.h"
|
|
#include "fgmm_service_accept.h"
|
|
#include "fgmm_service_reject.h"
|
|
#include "fgmm_authentication_reject.h"
|
|
#include "ds/byte_array.h"
|
|
#include "key_nas_deriver.h"
|
|
#include "nr-uesoftmodem.h"
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
#include "curve_25519.h"
|
|
#include "aes_128_ctr.h"
|
|
#include "x963_kdf.h"
|
|
#include "sha_256_hmac.h"
|
|
static const char hex[] = "0123456789abcdef";
|
|
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
#define MY_OPENSSL_VERSION_STR OpenSSL_version(OPENSSL_VERSION)
|
|
#else
|
|
#define MY_OPENSSL_VERSION_STR SSLeay_version(SSLEAY_VERSION)
|
|
#endif
|
|
|
|
static nr_ue_nas_t nr_ue_nas[MAX_NUM_NR_UE_INST] = {0};
|
|
|
|
nr_ue_nas_t *get_nr_ue_nas_info(uint8_t ue_inst)
|
|
{
|
|
AssertFatal(ue_inst >= 0 && ue_inst < MAX_NUM_NR_UE_INST, "Invalid UE instance\n");
|
|
return &nr_ue_nas[ue_inst];
|
|
}
|
|
|
|
#define FOREACH_STATE(TYPE_DEF) \
|
|
TYPE_DEF(NAS_SECURITY_NO_SECURITY_CONTEXT, 0) \
|
|
TYPE_DEF(NAS_SECURITY_UNPROTECTED, 1) \
|
|
TYPE_DEF(NAS_SECURITY_INTEGRITY_PASSED, 2) \
|
|
TYPE_DEF(NAS_SECURITY_NEW_SECURITY_CONTEXT, 3) \
|
|
TYPE_DEF(NAS_SECURITY_INTEGRITY_FAILED, 4) \
|
|
TYPE_DEF(NAS_SECURITY_BAD_INPUT, 5)
|
|
|
|
const char *nr_release_cause_desc[] = {"RRC_CONNECTION_FAILURE", "RRC_RESUME_FAILURE", "OTHER"};
|
|
|
|
typedef enum { FOREACH_STATE(TO_ENUM) } security_state_t;
|
|
|
|
static const text_info_t security_state_info[] = {FOREACH_STATE(TO_TEXT)};
|
|
|
|
static fgmm_msg_header_t set_mm_header(fgs_nas_msg_t type, Security_header_t security)
|
|
{
|
|
fgmm_msg_header_t mm_header = {0};
|
|
mm_header.ex_protocol_discriminator = FGS_MOBILITY_MANAGEMENT_MESSAGE;
|
|
mm_header.security_header_type = security;
|
|
mm_header.message_type = type;
|
|
return mm_header;
|
|
}
|
|
|
|
static void servingNetworkName(uint8_t *msg, plmn_id_t *plmn_id)
|
|
{
|
|
// SNN-network-identifier in TS 24.501
|
|
// TS 24.501: If the MNC of the serving PLMN has two digits, then a zero is added at the beginning.
|
|
int size = 64;
|
|
|
|
snprintf((char *)msg, size, "5G:mnc%03d.mcc%03d.3gppnetwork.org", plmn_id->mnc, plmn_id->mcc);
|
|
}
|
|
|
|
static const char *print_info(uint8_t id, const text_info_t *array, uint8_t array_size)
|
|
{
|
|
for (uint8_t i = 0; i < array_size; i++) {
|
|
if (array[i].id == id) {
|
|
return array[i].text;
|
|
}
|
|
}
|
|
return "N/A";
|
|
}
|
|
|
|
/** @brief Check whether a message belongs to the list of messages that
|
|
* are allowed to be integrity unprotected (4.4.4.2 3GPP TS 24.501) */
|
|
static bool unprotected_allowed(byte_array_t buffer, fgs_nas_msg_t msg_type)
|
|
{
|
|
switch (msg_type) {
|
|
case FGS_IDENTITY_REQUEST: // check on SUCI done in the handler
|
|
case FGS_AUTHENTICATION_REQUEST:
|
|
case FGS_AUTHENTICATION_RESULT:
|
|
case FGS_AUTHENTICATION_REJECT:
|
|
case FGS_DEREGISTRATION_ACCEPT_UE_ORIGINATING: // for non switch off: deregistration type IE set to NORMAL_DEREGISTRATION
|
|
return true;
|
|
case FGS_REGISTRATION_REJECT:
|
|
case FGS_SERVICE_REJECT:
|
|
// unprotected if the 5GMM cause is not #76
|
|
return buffer.buf[4] != Not_authorized_for_this_CAG_or_authorized_for_CAG_cells_only;
|
|
default:
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @brief Get the MAC of a Security Protected NAS message
|
|
* @param[in] pdu_buffer The buffer containing the NAS message
|
|
* @param[in] pdu_length The length of the NAS message
|
|
* @param[out] mac The MAC of the NAS message
|
|
* @return true if the MAC was successfully extracted, false otherwise
|
|
*/
|
|
bool nas_security_get_mac(uint8_t *pdu_buffer, int pdu_length, uint8_t *mac)
|
|
{
|
|
/* Check for Security Protected Header */
|
|
/* at least 8 bytes for Security Protected MM Message */
|
|
if (pdu_length < 8)
|
|
return false;
|
|
|
|
/* Only message type, that is not protected (c.f.
|
|
TS 24.501 9.3 Security Header Type) */
|
|
if ((Security_header_t)pdu_buffer[1] == PLAIN_5GS_MSG)
|
|
return false;
|
|
|
|
/* Get the MAC [EPD][SecHdr][MAC0]..[MAC3] - success */
|
|
for (int i = 0; i < 4; i++)
|
|
mac[i] = pdu_buffer[2 + i];
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* @brief Get the Security Header of a NAS message
|
|
* @param[in] msg The buffer containing the NAS message
|
|
* @param[in] msg_length The length of the NAS message
|
|
* @param[out] sec_hdr The Security Header of the NAS message
|
|
* @return true if the Security Header was successfully extracted, false otherwise
|
|
*/
|
|
bool nas_security_get_sec_hdr(uint8_t *msg, int msg_length, Security_header_t *sec_hdr)
|
|
{
|
|
/* Shortest message is [EPD][SecHdrType][Payl]*/
|
|
if (msg_length < 3) {
|
|
LOG_E(NAS, "Invalid NAS message length %d\n", msg_length);
|
|
return false;
|
|
}
|
|
|
|
/* Get the SecHdr and check for validity */
|
|
uint8_t sec_hdr_type = msg[1] & 0x0f;
|
|
if (sec_hdr_type > INTEGRITY_PROTECTED_AND_CIPHERED_WITH_NEW_SECU_CTX) {
|
|
LOG_E(NAS, "Invalid Security Header Type %d\n", sec_hdr_type);
|
|
return false;
|
|
}
|
|
|
|
/* Check ok. */
|
|
*sec_hdr = (Security_header_t)sec_hdr_type;
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* @brief Compute the MAC of a NAS message
|
|
* @param[in] nas The NAS context
|
|
* @param[in] pdu_buffer The buffer containing the NAS message
|
|
* @param[in] is_uplink True if the message is uplink, false Downlink
|
|
* @param[in] is3gpp_access True if the message is 3GPP access, false otherwise
|
|
* @param[in] pdu_length The length of the NAS message
|
|
* @param[out] mac The MAC of the NAS message
|
|
*/
|
|
static void nas_security_compute_mac(nr_ue_nas_t *nas,
|
|
byte_array_t buffer,
|
|
const bool is_uplink,
|
|
const bool is3gpp_access,
|
|
uint8_t *mac)
|
|
{
|
|
uint8_t *buf = buffer.buf + SECURITY_PROTECTED_5GS_NAS_MESSAGE_HEADER_LENGTH - 1;
|
|
int len = buffer.len - SECURITY_PROTECTED_5GS_NAS_MESSAGE_HEADER_LENGTH + 1;
|
|
|
|
/* Compute the MAC */
|
|
nas_stream_cipher_t stream_cipher;
|
|
stream_cipher.context = nas->security_container->integrity_context;
|
|
|
|
/* Select the right count in the context */
|
|
if (is_uplink)
|
|
stream_cipher.count = nas->security.nas_count_ul;
|
|
else
|
|
stream_cipher.count = nas->security.nas_count_dl;
|
|
|
|
/* 3GPP access is 1, non-3GPP access is 2 - see 3GPP TS 33.501 6.4.2.2 */
|
|
stream_cipher.bearer = is3gpp_access ? 1 : 2;
|
|
|
|
/* Configure Direction for MAC protection */
|
|
stream_cipher.direction = is_uplink ? 0 : 1;
|
|
|
|
/* Possibly encrypted message */
|
|
stream_cipher.message = buf;
|
|
|
|
/* length in bits */
|
|
stream_cipher.blength = len << 3;
|
|
|
|
stream_compute_integrity(nas->security_container->integrity_algorithm, &stream_cipher, mac);
|
|
}
|
|
|
|
/*
|
|
* @brief: Decrypt the payload of a NAS message. The buffer is modified in place
|
|
* @param[in] nas The NAS context
|
|
* @param[in] pdu_buffer The buffer containing the full (header + payload) NAS message
|
|
* @param[in] is_uplink True if the message is uplink, false Downlink
|
|
* @param[in] is3gpp_access True if the message is 3GPP access, false otherwise
|
|
* @param[in] pdu_length The length of the NAS message
|
|
*/
|
|
static void nas_security_decrypt_payload(nr_ue_nas_t *nas, byte_array_t buffer, const bool is_uplink, const bool is3gpp_access)
|
|
{
|
|
Security_header_t sec_hdr;
|
|
|
|
if (!nas_security_get_sec_hdr(buffer.buf, buffer.len, &sec_hdr)) {
|
|
LOG_E(NAS, "Failed to get Security Header\n");
|
|
return;
|
|
}
|
|
|
|
/* Nothing to do for unencrypted msgs */
|
|
if (sec_hdr == PLAIN_5GS_MSG || sec_hdr == INTEGRITY_PROTECTED) {
|
|
return;
|
|
}
|
|
|
|
/* Get integrity keys, and algorithms */
|
|
nas_stream_cipher_t stream_cipher;
|
|
stream_cipher.context = nas->security_container->ciphering_context;
|
|
|
|
/* Use the estimated count the right count in the context */
|
|
stream_cipher.count = nas->security.nas_count_dl;
|
|
/* 3GPP access is 1, non-3GPP access is 2 - see 3GPP TS 33.501 6.4.2.2 */
|
|
stream_cipher.bearer = is3gpp_access ? 1 : 2;
|
|
|
|
/* Decryption only in downlink direction */
|
|
stream_cipher.direction = 1;
|
|
|
|
/* [EPD][SHR][MAC0]..[MAC3][PDU...]*/
|
|
uint8_t *plain_payload = buffer.buf + SECURITY_PROTECTED_5GS_NAS_MESSAGE_HEADER_LENGTH;
|
|
stream_cipher.message = plain_payload;
|
|
|
|
/* length in bits */
|
|
int plain_length = buffer.len - SECURITY_PROTECTED_5GS_NAS_MESSAGE_HEADER_LENGTH;
|
|
stream_cipher.blength = plain_length << 3;
|
|
|
|
/* Allocate output buffer for body only */
|
|
uint8_t *decrypted = malloc_or_fail(plain_length);
|
|
|
|
stream_compute_encrypt(nas->security_container->ciphering_algorithm, &stream_cipher, decrypted);
|
|
|
|
/* Override and free the decrypted payload */
|
|
memcpy(plain_payload, decrypted, plain_length);
|
|
free(decrypted);
|
|
}
|
|
|
|
static fgs_nas_msg_t get_msg_type(uint8_t *pdu_buffer, uint32_t length)
|
|
{
|
|
if (pdu_buffer == NULL)
|
|
goto error;
|
|
|
|
/* get security header type */
|
|
if (length < 2)
|
|
goto error;
|
|
|
|
int security_header_type = pdu_buffer[1];
|
|
|
|
if (security_header_type == 0) {
|
|
/* plain NAS message */
|
|
if (length < 3)
|
|
goto error;
|
|
return pdu_buffer[2];
|
|
}
|
|
|
|
if (length < 10)
|
|
goto error;
|
|
|
|
int msg_type = pdu_buffer[9];
|
|
|
|
if (msg_type == FGS_DOWNLINK_NAS_TRANSPORT) {
|
|
if (length < 17)
|
|
goto error;
|
|
|
|
msg_type = pdu_buffer[16];
|
|
}
|
|
|
|
return msg_type;
|
|
|
|
error:
|
|
LOG_E(NAS, "[UE] Received invalid downlink message\n");
|
|
return 0;
|
|
}
|
|
|
|
static security_state_t nas_security_rx_process(nr_ue_nas_t *nas, byte_array_t buffer)
|
|
{
|
|
if (nas->security_container == NULL)
|
|
return NAS_SECURITY_NO_SECURITY_CONTEXT;
|
|
|
|
if (buffer.len < sizeof(fgmm_msg_header_t)) {
|
|
LOG_E(NAS, "Invalid buffer length = %ld: must hold at least a plain 5GMM header\n", buffer.len);
|
|
return NAS_SECURITY_BAD_INPUT;
|
|
}
|
|
int security_type = buffer.buf[1];
|
|
LOG_D(NAS, "Security type is: %s\n", print_info(security_type, security_header_type_s, sizeofArray(security_header_type_s)));
|
|
|
|
switch (security_type) {
|
|
case PLAIN_5GS_MSG: {
|
|
fgs_nas_msg_t msg_type = get_msg_type(buffer.buf, buffer.len);
|
|
return unprotected_allowed(buffer, msg_type) ? NAS_SECURITY_UNPROTECTED : NAS_SECURITY_BAD_INPUT;
|
|
break;
|
|
}
|
|
case INTEGRITY_PROTECTED_WITH_NEW_SECU_CTX:
|
|
stream_security_container_delete(nas->security_container);
|
|
nas->security_container = NULL;
|
|
nas->security.nas_count_dl = 0;
|
|
return NAS_SECURITY_NO_SECURITY_CONTEXT;
|
|
break;
|
|
case INTEGRITY_PROTECTED:
|
|
case INTEGRITY_PROTECTED_AND_CIPHERED_WITH_NEW_SECU_CTX:
|
|
/* only accept "integrity protected and ciphered" messages */
|
|
if (buffer.buf[6] == 0)
|
|
LOG_E(NAS, "Received nas_count_dl = %d\n", buffer.buf[6]);
|
|
LOG_E(NAS, "todo: unhandled security type %s (buffer.buf[1] = %d)\n", security_header_type_s[buffer.buf[1]].text, buffer.buf[1]);
|
|
return NAS_SECURITY_BAD_INPUT;
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
|
|
/* header is 7 bytes, require at least one byte of payload */
|
|
if (buffer.len < 8) {
|
|
LOG_E(NAS, "Invalid buffer length = %ld\n", buffer.len);
|
|
return NAS_SECURITY_BAD_INPUT;
|
|
}
|
|
|
|
/* synchronize NAS SQN, based on 24.501 4.4.3.1 */
|
|
// Sequence number
|
|
int nas_sqn = buffer.buf[6];
|
|
int target_sqn = nas->security.nas_count_dl & 0xff;
|
|
if (nas_sqn != target_sqn) {
|
|
if (nas_sqn < target_sqn)
|
|
nas->security.nas_count_dl += 256;
|
|
nas->security.nas_count_dl &= ~255;
|
|
nas->security.nas_count_dl |= nas_sqn;
|
|
}
|
|
if (nas->security.nas_count_dl > 0x00ffffff) {
|
|
/* it's doubtful that this will happen, so let's simply exit for the time being */
|
|
/* to be refined if needed */
|
|
LOG_E(NAS, "max NAS COUNT DL reached\n");
|
|
exit(1);
|
|
}
|
|
|
|
/* check integrity */
|
|
/* [EPD][SHD][MAC0]...[MAC3][SEQNO][PAYL]*/
|
|
uint8_t *received_mac = buffer.buf + 2;
|
|
uint8_t computed_mac[NAS_INTEGRITY_SIZE];
|
|
nas_security_compute_mac(nas,
|
|
buffer,
|
|
false,
|
|
true,
|
|
computed_mac);
|
|
|
|
if (memcmp(received_mac, computed_mac, NAS_INTEGRITY_SIZE) != 0)
|
|
return NAS_SECURITY_INTEGRITY_FAILED;
|
|
|
|
/* decipher */
|
|
nas_security_decrypt_payload(nas, buffer, false, true);
|
|
|
|
/* update estimated DL Counter */
|
|
nas->security.nas_count_dl++;
|
|
|
|
return NAS_SECURITY_INTEGRITY_PASSED;
|
|
}
|
|
|
|
static void suci_profile_scheme_a_generate_output(const uint8_t home_network_public_key[32],
|
|
const char *msin,
|
|
const size_t msin_len,
|
|
char *schemeoutput)
|
|
{
|
|
/* 1> Eph. key pair generation */
|
|
uint8_t eph_priv[32] = {0};
|
|
uint8_t eph_pub[32] = {0};
|
|
x25519_generate_keypair(eph_priv, eph_pub);
|
|
|
|
/* 2> Key agreement */
|
|
uint8_t eph_shared_key[32] = {0};
|
|
x25519_shared_secret(eph_priv, home_network_public_key, eph_shared_key);
|
|
|
|
explicit_bzero(eph_priv, 32);
|
|
|
|
/* 3> Key derivation */
|
|
uint8_t kdf_output[64] = {0};
|
|
byte_array_t kdf_secret = {.buf = eph_shared_key, .len = 32};
|
|
byte_array_t kdf_info = {.buf = eph_pub, .len = 32};
|
|
x963_kdf(kdf_secret, kdf_info, 64, kdf_output);
|
|
|
|
explicit_bzero(eph_shared_key, 32);
|
|
|
|
aes_128_t aes_ctx;
|
|
aes_ctx.type = AES_INITIALIZATION_VECTOR_16;
|
|
memcpy(aes_ctx.key, kdf_output, 16);
|
|
memcpy(aes_ctx.iv16.iv, kdf_output + 16, 16);
|
|
|
|
uint8_t eph_mac_key[32] = {0};
|
|
memcpy(eph_mac_key, kdf_output + 32, 32);
|
|
|
|
explicit_bzero(kdf_output, 64);
|
|
|
|
/* 4> Symmetric encryption */
|
|
size_t msin_bcd_len = (msin_len + 1) / 2;
|
|
uint8_t msin_bcd[msin_bcd_len];
|
|
memset(msin_bcd, 0, msin_bcd_len);
|
|
|
|
int rc = digit_string_to_bcd_value(msin_bcd, msin, msin_bcd_len);
|
|
AssertFatal(rc == 0, "Encoding MSIN failed (rc=%d, input=\"%s\", len=%zu, out_len=%zu)", rc, msin, msin_len, msin_bcd_len);
|
|
|
|
byte_array_t payload = {.buf = msin_bcd, .len = msin_bcd_len};
|
|
uint8_t ciphertext[msin_bcd_len];
|
|
aes_128_ctr(&aes_ctx, payload, msin_bcd_len, ciphertext);
|
|
|
|
explicit_bzero(aes_ctx.key, 16);
|
|
explicit_bzero(aes_ctx.iv16.iv, 16);
|
|
explicit_bzero(msin_bcd, msin_bcd_len);
|
|
|
|
/* 5> MAC function */
|
|
uint8_t mac_full[32] = {0};
|
|
byte_array_t mac_input = {.buf = ciphertext, .len = msin_bcd_len};
|
|
sha_256_hmac(eph_mac_key, mac_input, 32, mac_full);
|
|
|
|
explicit_bzero(eph_mac_key, 32);
|
|
|
|
/* Build SUCI scheme output --- */
|
|
/* eph_pub (32 bytes -> 64 hex chars) */
|
|
for (int i = 0; i < 32; i++) {
|
|
*schemeoutput++ = hex[eph_pub[i] >> 4];
|
|
*schemeoutput++ = hex[eph_pub[i] & 0x0F];
|
|
}
|
|
|
|
/* ciphertext (~45 bytes -> ~90 hex chars) */
|
|
for (int i = 0; i < msin_bcd_len; i++) {
|
|
*schemeoutput++ = hex[ciphertext[i] >> 4];
|
|
*schemeoutput++ = hex[ciphertext[i] & 0x0F];
|
|
}
|
|
|
|
/* MAC (8 bytes -> 16 hex chars) */
|
|
for (int i = 0; i < 8; i++) {
|
|
*schemeoutput++ = hex[mac_full[i] >> 4];
|
|
*schemeoutput++ = hex[mac_full[i] & 0x0F];
|
|
}
|
|
}
|
|
|
|
static int fill_suci(FGSMobileIdentity *mi, const uicc_t *uicc)
|
|
{
|
|
mi->suci.typeofidentity = FGS_MOBILE_IDENTITY_SUCI;
|
|
mi->suci.mncdigit1 = uicc->nmc_size == 2 ? uicc->imsiStr[3] - '0' : uicc->imsiStr[4] - '0';
|
|
mi->suci.mncdigit2 = uicc->nmc_size == 2 ? uicc->imsiStr[4] - '0' : uicc->imsiStr[5] - '0';
|
|
mi->suci.mncdigit3 = uicc->nmc_size == 2 ? 0xF : uicc->imsiStr[3] - '0';
|
|
mi->suci.mccdigit1 = uicc->imsiStr[0] - '0';
|
|
mi->suci.mccdigit2 = uicc->imsiStr[1] - '0';
|
|
mi->suci.mccdigit3 = uicc->imsiStr[2] - '0';
|
|
|
|
mi->suci.routingindicatordigit1 = uicc->routing_indicatorStr[0] - '0';
|
|
mi->suci.routingindicatordigit2 = uicc->routing_indicatorStr[1] - '0';
|
|
mi->suci.routingindicatordigit3 = uicc->routing_indicatorStr[2] - '0';
|
|
mi->suci.routingindicatordigit4 = uicc->routing_indicatorStr[3] - '0';
|
|
|
|
char *msin = uicc->imsiStr + 3 + uicc->nmc_size;
|
|
uint8_t msin_len = strlen(msin);
|
|
|
|
mi->suci.protectionschemeId = uicc->protection_scheme;
|
|
switch (uicc->protection_scheme) {
|
|
case 0: /* Null scheme (TS 33.501 C.2) */
|
|
{
|
|
mi->suci.homenetworkpki = 0;
|
|
memcpy(mi->suci.schemeoutput, msin, msin_len);
|
|
break;
|
|
}
|
|
case 1: /* Profile A (TS 33.501 C.3.4.1) */
|
|
{
|
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
mi->suci.homenetworkpki = uicc->home_network_public_key_id;
|
|
suci_profile_scheme_a_generate_output(uicc->home_network_public_key, msin, msin_len, mi->suci.schemeoutput);
|
|
#else
|
|
AssertFatal(false,
|
|
"Protection Scheme not supported when using a version below OpenSSL 3.0 %d (OpenSSL version: %s)\n",
|
|
uicc->protection_scheme,
|
|
MY_OPENSSL_VERSION_STR);
|
|
#endif
|
|
break;
|
|
}
|
|
case 2: /* Profile B (TS 33.501 C.3.4.2) */
|
|
{
|
|
mi->suci.homenetworkpki = uicc->home_network_public_key_id;
|
|
|
|
AssertFatal(false, "Unsupported Protection Scheme in UICC %d\n", uicc->protection_scheme);
|
|
|
|
break;
|
|
}
|
|
default: // Unknown schemes
|
|
{
|
|
AssertFatal(false, "Unknown Protection Scheme in UICC %d\n", uicc->protection_scheme);
|
|
}
|
|
}
|
|
|
|
LOG_D(NAS,
|
|
"SUCI in registration request: SUPI type: %d Type of Identity: %u MCC: %u%u%u, MNC: %u%u%u, \
|
|
Routing Indicator %d%d%d%d Protection Scheme ID: %u, Home Network PKI: %u, Scheme Output: %s\n",
|
|
mi->suci.supiformat,
|
|
mi->suci.typeofidentity,
|
|
mi->suci.mccdigit1,
|
|
mi->suci.mccdigit2,
|
|
mi->suci.mccdigit3,
|
|
mi->suci.mncdigit1,
|
|
mi->suci.mncdigit2,
|
|
uicc->nmc_size == 2 ? 0 : mi->suci.mncdigit3,
|
|
mi->suci.routingindicatordigit1,
|
|
mi->suci.routingindicatordigit2,
|
|
mi->suci.routingindicatordigit3,
|
|
mi->suci.routingindicatordigit4,
|
|
mi->suci.protectionschemeId,
|
|
mi->suci.homenetworkpki,
|
|
mi->suci.schemeoutput);
|
|
return sizeof(Suci5GSMobileIdentity_t);
|
|
}
|
|
|
|
static int fill_guti(FGSMobileIdentity *mi, const Guti5GSMobileIdentity_t *guti)
|
|
{
|
|
AssertFatal(guti != NULL, "UE has no GUTI\n");
|
|
mi->guti = *guti;
|
|
LOG_D(NAS,
|
|
"5G-GUTI in registration request: MCC: %u%u%u, MNC: %u%u, AMF Region ID: %u, AMF Set ID: %u, AMF Pointer: %u, 5G-TMSI: "
|
|
"%u\n",
|
|
mi->guti.mccdigit1,
|
|
mi->guti.mccdigit2,
|
|
mi->guti.mccdigit3,
|
|
mi->guti.mncdigit1,
|
|
mi->guti.mncdigit2,
|
|
mi->guti.amfregionid,
|
|
mi->guti.amfsetid,
|
|
mi->guti.amfpointer,
|
|
mi->guti.tmsi);
|
|
return 13;
|
|
}
|
|
|
|
static int fill_fgstmsi(Stmsi5GSMobileIdentity_t *stmsi, const Guti5GSMobileIdentity_t *guti)
|
|
{
|
|
AssertFatal(guti != NULL, "UE has no GUTI\n");
|
|
stmsi->amfpointer = guti->amfpointer;
|
|
stmsi->amfsetid = guti->amfsetid;
|
|
stmsi->tmsi = guti->tmsi;
|
|
stmsi->digit1 = DIGIT1;
|
|
stmsi->spare = 0;
|
|
stmsi->typeofidentity = FGS_MOBILE_IDENTITY_5GS_TMSI;
|
|
return 10;
|
|
}
|
|
|
|
static int fill_imeisv(FGSMobileIdentity *mi, const uicc_t *uicc)
|
|
{
|
|
int i = 0;
|
|
mi->imeisv.typeofidentity = FGS_MOBILE_IDENTITY_IMEISV;
|
|
mi->imeisv.digittac01 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digittac02 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digittac03 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digittac04 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digittac05 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digittac06 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digittac07 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digittac08 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digit09 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digit10 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digit11 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digit12 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digit13 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digit14 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digitsv1 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.digitsv2 = getImeisvDigit(uicc, i++);
|
|
mi->imeisv.spare = 0x0f;
|
|
mi->imeisv.oddeven = 0;
|
|
return 19;
|
|
}
|
|
|
|
void transferRES(uint8_t ck[16], uint8_t ik[16], uint8_t *input, uint8_t rand[16], uint8_t *output, plmn_id_t *plmn_id)
|
|
{
|
|
uint8_t S[100] = {0};
|
|
S[0] = 0x6B;
|
|
servingNetworkName(S + 1, plmn_id);
|
|
int netNamesize = strlen((char *)S + 1);
|
|
S[1 + netNamesize] = (netNamesize & 0xff00) >> 8;
|
|
S[2 + netNamesize] = (netNamesize & 0x00ff);
|
|
for (int i = 0; i < 16; i++)
|
|
S[3 + netNamesize + i] = rand[i];
|
|
S[19 + netNamesize] = 0x00;
|
|
S[20 + netNamesize] = 0x10;
|
|
for (int i = 0; i < 8; i++)
|
|
S[21 + netNamesize + i] = input[i];
|
|
S[29 + netNamesize] = 0x00;
|
|
S[30 + netNamesize] = 0x08;
|
|
|
|
uint8_t plmn[3] = {0x02, 0xf8, 0x39};
|
|
uint8_t oldS[100];
|
|
oldS[0] = 0x6B;
|
|
memcpy(&oldS[1], plmn, 3);
|
|
oldS[4] = 0x00;
|
|
oldS[5] = 0x03;
|
|
for (int i = 0; i < 16; i++)
|
|
oldS[6 + i] = rand[i];
|
|
oldS[22] = 0x00;
|
|
oldS[23] = 0x10;
|
|
for (int i = 0; i < 8; i++)
|
|
oldS[24 + i] = input[i];
|
|
oldS[32] = 0x00;
|
|
oldS[33] = 0x08;
|
|
|
|
uint8_t key[32] = {0};
|
|
memcpy(&key[0], ck, 16);
|
|
memcpy(&key[16], ik, 16); // KEY
|
|
uint8_t out[32] = {0};
|
|
|
|
byte_array_t data = {.buf = S, .len = 31 + netNamesize};
|
|
kdf(key, data, 32, out);
|
|
|
|
memcpy(output, out + 16, 16);
|
|
}
|
|
|
|
void derive_kausf(uint8_t ck[16], uint8_t ik[16], uint8_t sqn[6], uint8_t kausf[32], plmn_id_t *plmn_id)
|
|
{
|
|
uint8_t S[100] = {0};
|
|
uint8_t key[32] = {0};
|
|
|
|
memcpy(&key[0], ck, 16);
|
|
memcpy(&key[16], ik, 16); // KEY
|
|
S[0] = 0x6A;
|
|
servingNetworkName(S + 1, plmn_id);
|
|
int netNamesize = strlen((char *)S + 1);
|
|
S[1 + netNamesize] = (uint8_t)((netNamesize & 0xff00) >> 8);
|
|
S[2 + netNamesize] = (uint8_t)(netNamesize & 0x00ff);
|
|
for (int i = 0; i < 6; i++) {
|
|
S[3 + netNamesize + i] = sqn[i];
|
|
}
|
|
S[9 + netNamesize] = 0x00;
|
|
S[10 + netNamesize] = 0x06;
|
|
|
|
byte_array_t data = {.buf = S, .len = 11 + netNamesize};
|
|
kdf(key, data, 32, kausf);
|
|
}
|
|
|
|
void derive_kseaf(uint8_t kausf[32], uint8_t kseaf[32], plmn_id_t *plmn_id)
|
|
{
|
|
uint8_t S[100] = {0};
|
|
S[0] = 0x6C; // FC
|
|
servingNetworkName(S + 1, plmn_id);
|
|
int netNamesize = strlen((char *)S + 1);
|
|
S[1 + netNamesize] = (uint8_t)((netNamesize & 0xff00) >> 8);
|
|
S[2 + netNamesize] = (uint8_t)(netNamesize & 0x00ff);
|
|
|
|
byte_array_t data = {.buf = S, .len = 3 + netNamesize};
|
|
kdf(kausf, data, 32, kseaf);
|
|
}
|
|
|
|
void derive_kamf(uint8_t *kseaf, uint8_t *kamf, uint16_t abba, uicc_t *uicc)
|
|
{
|
|
int imsiLen = strlen(uicc->imsiStr);
|
|
uint8_t S[100] = {0};
|
|
S[0] = 0x6D; // FC = 0x6D
|
|
memcpy(&S[1], uicc->imsiStr, imsiLen);
|
|
S[1 + imsiLen] = (uint8_t)((imsiLen & 0xff00) >> 8);
|
|
S[2 + imsiLen] = (uint8_t)(imsiLen & 0x00ff);
|
|
S[3 + imsiLen] = abba & 0x00ff;
|
|
S[4 + imsiLen] = (abba & 0xff00) >> 8;
|
|
S[5 + imsiLen] = 0x00;
|
|
S[6 + imsiLen] = 0x02;
|
|
|
|
byte_array_t data = {.buf = S, .len = 7 + imsiLen};
|
|
kdf(kseaf, data, 32, kamf);
|
|
}
|
|
|
|
//------------------------------------------------------------------------------
|
|
void derive_knas(algorithm_type_dist_t nas_alg_type, uint8_t nas_alg_id, uint8_t kamf[32], uint8_t *knas)
|
|
{
|
|
uint8_t S[20] = {0};
|
|
uint8_t out[32] = {0};
|
|
S[0] = 0x69; // FC
|
|
S[1] = (uint8_t)(nas_alg_type & 0xFF);
|
|
S[2] = 0x00;
|
|
S[3] = 0x01;
|
|
S[4] = nas_alg_id;
|
|
S[5] = 0x00;
|
|
S[6] = 0x01;
|
|
|
|
byte_array_t data = {.buf = S, .len = 7};
|
|
kdf(kamf, data, 32, out);
|
|
|
|
memcpy(knas, out + 16, 16);
|
|
}
|
|
|
|
static void derive_ue_keys(uint8_t *buf, nr_ue_nas_t *nas)
|
|
{
|
|
uint8_t ak[6];
|
|
uint8_t sqn[6];
|
|
|
|
DevAssert(nas != NULL);
|
|
uint8_t *kausf = nas->security.kausf;
|
|
uint8_t *kseaf = nas->security.kseaf;
|
|
uint8_t *kamf = nas->security.kamf;
|
|
uint8_t *output = nas->security.res;
|
|
uint8_t *rand = nas->security.rand;
|
|
uint8_t *kgnb = nas->security.kgnb;
|
|
|
|
// get RAND for authentication request
|
|
for (int index = 0; index < 16; index++) {
|
|
rand[index] = buf[8 + index];
|
|
}
|
|
|
|
uint8_t resTemp[16];
|
|
uint8_t ck[16], ik[16];
|
|
f2345(nas->uicc->key, rand, resTemp, ck, ik, ak, nas->uicc->opc);
|
|
|
|
transferRES(ck, ik, resTemp, rand, output, nas->sn_id);
|
|
|
|
for (int index = 0; index < 6; index++) {
|
|
sqn[index] = buf[26 + index];
|
|
}
|
|
|
|
derive_kausf(ck, ik, sqn, kausf, nas->sn_id);
|
|
derive_kseaf(kausf, kseaf, nas->sn_id);
|
|
derive_kamf(kseaf, kamf, 0x0000, nas->uicc);
|
|
derive_kgnb(kamf, nas->security.nas_count_ul, kgnb);
|
|
|
|
printf("kausf:");
|
|
for (int i = 0; i < 32; i++) {
|
|
printf("%x ", kausf[i]);
|
|
}
|
|
printf("\n");
|
|
|
|
printf("kseaf:");
|
|
for (int i = 0; i < 32; i++) {
|
|
printf("%x ", kseaf[i]);
|
|
}
|
|
|
|
printf("\n");
|
|
|
|
printf("kamf:");
|
|
for (int i = 0; i < 32; i++) {
|
|
printf("%x ", kamf[i]);
|
|
}
|
|
printf("\n");
|
|
}
|
|
|
|
nr_ue_nas_t *get_ue_nas_info(module_id_t module_id)
|
|
{
|
|
AssertFatal(module_id < MAX_NUM_NR_UE_INST, "Invalid module_id %d\n", module_id);
|
|
if (!nr_ue_nas[module_id].uicc) {
|
|
nr_ue_nas[module_id].uicc = checkUicc(module_id);
|
|
nr_ue_nas[module_id].UE_id = module_id;
|
|
}
|
|
return &nr_ue_nas[module_id];
|
|
}
|
|
|
|
static FGSRegistrationType set_fgs_ksi(nr_ue_nas_t *nas)
|
|
{
|
|
if (nas->fiveGMM_mode == FGS_IDLE) {
|
|
/**
|
|
* the UE is IDLE, therefore ngKSI was deleted, along all K_AMF, ciphering key, integrity key
|
|
* (i.e. the 5G NAS security context associated with the ngKSI is no longer valid)
|
|
* see 4.4.2 of 3GPP TS 24.501
|
|
*/
|
|
return NAS_KEY_SET_IDENTIFIER_NOT_AVAILABLE;
|
|
}
|
|
return 0x0;
|
|
}
|
|
|
|
/**
|
|
* @brief Set contents of 5GMM capability
|
|
* @note Currently hardcoded, sending min length only (1 octet)
|
|
*/
|
|
static FGMMCapability set_fgmm_capability(nr_ue_nas_t *nas)
|
|
{
|
|
FGMMCapability cap = {0};
|
|
cap.iei = REGISTRATION_REQUEST_5GMM_CAPABILITY_IEI;
|
|
cap.length = 1;
|
|
|
|
cap.sgc = 0;
|
|
cap.iphc_cp_cIoT = 0;
|
|
cap.n3_data = 0;
|
|
cap.cp_cIoT = 0;
|
|
cap.restrict_ec = 0;
|
|
cap.lpp = 1;
|
|
cap.ho_attach = 1;
|
|
cap.s1_mode = 0;
|
|
|
|
if (cap.length == 1)
|
|
return cap; // Send minimum length only, 1 octet
|
|
|
|
cap.racs = 0;
|
|
cap.nssaa = 0;
|
|
cap.lcs = 0;
|
|
cap.v2x_cnpc5 = 0;
|
|
cap.v2x_cepc5 = 0;
|
|
cap.v2x = 0;
|
|
cap.up_cIoT = 0;
|
|
cap.srvcc = 0;
|
|
cap.ehc_CP_ciot = 0;
|
|
cap.multiple_eUP = 0;
|
|
cap.wusa = 0;
|
|
cap.cag = 0;
|
|
|
|
return cap;
|
|
}
|
|
|
|
static FGSRegistrationType set_fgs_registration_type(nr_ue_nas_t *nas)
|
|
{
|
|
if (nas->fiveGMM_state == FGS_REGISTERED && nas->fiveGMM_mode == FGS_IDLE && nas->t3512) {
|
|
// TODO: if the timer expires, do PERIODIC_REGISTRATION_UPDATING
|
|
/** The UE shall initiate the registration procedure for
|
|
* mobility and periodic registration update according to
|
|
* 5.5.1.3.2 of 3GPP TS 24.501: Mobility and periodic
|
|
* registration update initiation */
|
|
LOG_E(NAS, "Registration type periodic registration updating is not handled\n");
|
|
return REG_TYPE_RESERVED;
|
|
} else if (nas->fiveGMM_state == FGS_REGISTERED) {
|
|
// in any other case, The UE in state 5GMM-REGISTERED shall indicate "mobility registration updating".
|
|
return MOBILITY_REGISTRATION_UPDATING;
|
|
}
|
|
|
|
if (nas->fiveGMM_mode == FGS_CONNECTED && nas->is_rrc_inactive) {
|
|
/** the UE shall do the registration procedure for mobility
|
|
* and/or periodic registration update depending on the
|
|
* indication received from the lower layers according to
|
|
* 5.3.1.4 of 3GPP TS 24.501: 5GMM-CONNECTED mode with RRC inactive indication */
|
|
LOG_E(NAS, "RRC inactive indication not handled by NAS\n");
|
|
return REG_TYPE_RESERVED;
|
|
}
|
|
|
|
return INITIAL_REGISTRATION;
|
|
}
|
|
|
|
/**
|
|
* @brief Generate 5GS Registration Request (8.2.6 of 3GPP TS 24.501)
|
|
*/
|
|
void generateRegistrationRequest(as_nas_info_t *initialNasMsg, nr_ue_nas_t *nas, bool is_security_mode)
|
|
{
|
|
LOG_I(NAS, "Generate Initial NAS Message: Registration Request\n");
|
|
int size = sizeof(fgmm_msg_header_t); // cleartext size
|
|
fgmm_nas_msg_security_protected_t sp = {0};
|
|
|
|
/** Check whether the UE has a valid current 5G NAS security context
|
|
and set security protected 5GS NAS message header (see 9.1.1 of 3GPP TS 24.501) */
|
|
bool has_security_context = nas->security_container && nas->security_container->integrity_context;
|
|
if (has_security_context) {
|
|
sp.header.protocol_discriminator = FGS_MOBILITY_MANAGEMENT_MESSAGE;
|
|
sp.header.security_header_type = INTEGRITY_PROTECTED;
|
|
sp.header.sequence_number = nas->security.nas_count_ul & 0xff;
|
|
size += 7;
|
|
}
|
|
|
|
// Plain 5GMM message
|
|
sp.plain.header = set_mm_header(FGS_REGISTRATION_REQUEST, PLAIN_5GS_MSG);
|
|
size += sizeof(sp.plain.header);
|
|
registration_request_msg *rr = &sp.plain.mm_msg.registration_request;
|
|
|
|
// 5GMM Registration Type
|
|
rr->fgsregistrationtype = set_fgs_registration_type(nas);
|
|
size += 1;
|
|
if (rr->fgsregistrationtype == REG_TYPE_RESERVED) {
|
|
// currently only REG_TYPE_RESERVED is supported
|
|
LOG_E(NAS, "Initial NAS Message: Registration Request failed\n");
|
|
return;
|
|
}
|
|
// NAS Key Set Identifier
|
|
rr->naskeysetidentifier.tsc = NAS_KEY_SET_IDENTIFIER_NATIVE;
|
|
rr->naskeysetidentifier.naskeysetidentifier = set_fgs_ksi(nas);
|
|
size += 1;
|
|
|
|
// 5GMM Mobile Identity
|
|
if(nas->guti){
|
|
size += fill_guti(&rr->fgsmobileidentity, nas->guti);
|
|
} else {
|
|
size += fill_suci(&rr->fgsmobileidentity, nas->uicc);
|
|
}
|
|
|
|
// Security Capability
|
|
rr->presencemask |= REGISTRATION_REQUEST_UE_SECURITY_CAPABILITY_PRESENT;
|
|
rr->nruesecuritycapability.iei = REGISTRATION_REQUEST_UE_SECURITY_CAPABILITY_IEI;
|
|
rr->nruesecuritycapability.length = 8;
|
|
rr->nruesecuritycapability.fg_EA = 0xe0;
|
|
rr->nruesecuritycapability.fg_IA = 0x60;
|
|
rr->nruesecuritycapability.EEA = 0;
|
|
rr->nruesecuritycapability.EIA = 0;
|
|
size += 10;
|
|
|
|
/* Create a copy of the cleartext 5GMM message, add non-cleartext IEs if necessary */
|
|
fgmm_nas_message_plain_t full_mm = sp.plain;
|
|
registration_request_msg *full_rr = &full_mm.mm_msg.registration_request;
|
|
int size_nct = size; // non-cleartext size
|
|
bool cleartext_only = true;
|
|
/* 5GMM Capability (non-cleartext IE) - 24.501 8.2.6.3
|
|
The UE shall include this IE, unless the UE performs a periodic registration updating procedure. */
|
|
if (full_rr->fgsregistrationtype != PERIODIC_REGISTRATION_UPDATING) {
|
|
cleartext_only = false; // The UE needs to send non-cleartext IE
|
|
full_rr->presencemask |= REGISTRATION_REQUEST_5GMM_CAPABILITY_PRESENT;
|
|
full_rr->fgmmcapability = set_fgmm_capability(nas);
|
|
FGMMCapability *cap = &full_rr->fgmmcapability;
|
|
size_nct += sizeof(cap->length) + sizeof(cap->iei) + cap->length;
|
|
}
|
|
|
|
if (is_security_mode) {
|
|
/* Encode both cleartext IEs and non-cleartext IEs Registration Request message in Security Mode Complete.
|
|
The UE includes the full Registration Request in the NAS container IE
|
|
and sends it within the Security Mode Complete message. (24.501 4.4.6, 23.502 4.2.2.2.2) */
|
|
LOG_D(NAS, "Full Initial NAS Message: Registration Request in the NAS container of Security Mode Complete\n");
|
|
initialNasMsg->nas_data = malloc_or_fail(size_nct * sizeof(*initialNasMsg->nas_data));
|
|
initialNasMsg->length = mm_msg_encode(&full_mm, initialNasMsg->nas_data, size_nct);
|
|
} else if (!has_security_context) {
|
|
/* If no valid 5G NAS security context exists, the UE sends a plain Registration Request including cleartext IEs only. */
|
|
LOG_D(NAS, "Plain Initial NAS Message: Registration Request\n");
|
|
initialNasMsg->nas_data = malloc_or_fail(size * sizeof(*initialNasMsg->nas_data));
|
|
initialNasMsg->length = mm_msg_encode(&sp.plain, initialNasMsg->nas_data, size);
|
|
} else {
|
|
/* If the UE has a valid current 5G NAS security context, then it includes the entire 5GMM NAS Registration Request
|
|
(with both cleartext and non-cleartext IEs) in the NAS message container IE. The value of the NAS message container IE is
|
|
then ciphered. The UE sends a 5GMM NAS Registration Request message containing cleartext IEs along with the NAS message
|
|
container IE. */
|
|
LOG_D(NAS, "Initial NAS Message: Registration Request with ciphered NAS container\n");
|
|
|
|
// NAS message container
|
|
if (!cleartext_only) {
|
|
OctetString *nasmessagecontainercontents = &rr->fgsnasmessagecontainer.nasmessagecontainercontents;
|
|
nasmessagecontainercontents->value = calloc_or_fail(size_nct, sizeof(*nasmessagecontainercontents->value));
|
|
nasmessagecontainercontents->length = mm_msg_encode(&full_mm, nasmessagecontainercontents->value, size_nct);
|
|
size += (nasmessagecontainercontents->length + 2);
|
|
rr->presencemask |= REGISTRATION_REQUEST_NAS_MESSAGE_CONTAINER_PRESENT;
|
|
// Workaround to pass integrity in RRC_IDLE
|
|
uint8_t *kamf = nas->security.kamf;
|
|
uint8_t *kgnb = nas->security.kgnb;
|
|
derive_kgnb(kamf, nas->security.nas_count_ul, kgnb);
|
|
int nas_itti_kgnb_refresh_req(instance_t instance, const uint8_t kgnb[32]);
|
|
nas_itti_kgnb_refresh_req(nas->UE_id, nas->security.kgnb);
|
|
}
|
|
// Allocate buffer (including NAS message container size)
|
|
initialNasMsg->nas_data = malloc_or_fail(size * sizeof(*initialNasMsg->nas_data));
|
|
|
|
// Security protected header encoding
|
|
int security_header_len = nas_protected_security_header_encode(initialNasMsg->nas_data, &sp.header, size);
|
|
initialNasMsg->length =
|
|
security_header_len
|
|
+ mm_msg_encode(&sp.plain, initialNasMsg->nas_data + security_header_len, size - security_header_len);
|
|
/* integrity protection */
|
|
nas_stream_cipher_t stream_cipher;
|
|
AssertFatal(nas->security.nas_count_ul <= 0xffffff, "fatal: NAS COUNT UL too big (todo: fix that)\n");
|
|
uint8_t mac[4];
|
|
stream_cipher.context = nas->security_container->integrity_context;
|
|
stream_cipher.count = nas->security.nas_count_ul++;
|
|
stream_cipher.bearer = 1;
|
|
stream_cipher.direction = 0;
|
|
// Security protected header is cleartext except the SN field
|
|
uint8_t cleartext_len = sizeof(sp.header) - 1;
|
|
// Message to be integrity protected
|
|
stream_cipher.message = initialNasMsg->nas_data + cleartext_len;
|
|
// Length of integrity protected message in bits
|
|
stream_cipher.blength = (initialNasMsg->length - cleartext_len) << 3;
|
|
stream_compute_integrity(nas->security_container->integrity_algorithm, &stream_cipher, mac);
|
|
uint8_t mac_len = sizeof(sp.header.message_authentication_code);
|
|
uint8_t mac_start_octet = 2;
|
|
LOG_D(NAS, "Integrity protected initial NAS message: mac = %x %x %x %x \n", mac[0], mac[1], mac[2], mac[3]);
|
|
for (int i = 0; i < mac_len; i++) {
|
|
initialNasMsg->nas_data[mac_start_octet + i] = mac[i];
|
|
}
|
|
}
|
|
}
|
|
|
|
void generateServiceRequest(as_nas_info_t *initialNasMsg, nr_ue_nas_t *nas)
|
|
{
|
|
LOG_I(NAS, "Generate initial NAS message: Service Request\n");
|
|
int size = 0;
|
|
|
|
// NAS is security protected if has valid security contexts
|
|
bool security_protected = nas->security_container->ciphering_context && nas->security_container->integrity_context;
|
|
|
|
// Set 5GMM plain header
|
|
fgmm_nas_message_plain_t plain = {0};
|
|
plain.header = set_mm_header(FGS_SERVICE_REQUEST, PLAIN_5GS_MSG);
|
|
size += sizeof(plain.header);
|
|
// Set plain FGMM Service Request
|
|
fgs_service_request_msg_t *mm_msg = &plain.mm_msg.service_request;
|
|
// Service Type
|
|
mm_msg->serviceType = SERVICE_TYPE_DATA;
|
|
// NAS key set identifier
|
|
mm_msg->naskeysetidentifier.naskeysetidentifier = NAS_KEY_SET_IDENTIFIER_NOT_AVAILABLE;
|
|
mm_msg->naskeysetidentifier.tsc = NAS_KEY_SET_IDENTIFIER_NATIVE;
|
|
size += 1;
|
|
// 5G-S-TMSI
|
|
size += fill_fgstmsi(&mm_msg->fiveg_s_tmsi, nas->guti);
|
|
|
|
/* message encoding */
|
|
initialNasMsg->nas_data = malloc_or_fail(size * sizeof(*initialNasMsg->nas_data));
|
|
if (security_protected) {
|
|
fgmm_nas_msg_security_protected_t sp = {0};
|
|
|
|
// Set security protected 5GS NAS message header (see 9.1.1 of 3GPP TS 24.501)
|
|
sp.header.protocol_discriminator = FGS_MOBILITY_MANAGEMENT_MESSAGE;
|
|
sp.header.security_header_type = INTEGRITY_PROTECTED;
|
|
sp.header.sequence_number = nas->security.nas_count_ul & 0xff;
|
|
size += sizeof(sp.header);
|
|
|
|
// Payload: plain message
|
|
sp.plain = plain;
|
|
|
|
// security protected encoding
|
|
int security_header_len = nas_protected_security_header_encode(initialNasMsg->nas_data, &sp.header, size);
|
|
initialNasMsg->length =
|
|
security_header_len
|
|
+ mm_msg_encode(&sp.plain, (uint8_t *)(initialNasMsg->nas_data + security_header_len), size - security_header_len);
|
|
/* ciphering */
|
|
uint8_t buf[initialNasMsg->length - 7];
|
|
nas_stream_cipher_t stream_cipher;
|
|
stream_cipher.context = nas->security_container->ciphering_context;
|
|
AssertFatal(nas->security.nas_count_ul <= 0xffffff, "fatal: NAS COUNT UL too big (todo: fix that)\n");
|
|
stream_cipher.count = nas->security.nas_count_ul;
|
|
stream_cipher.bearer = 1;
|
|
stream_cipher.direction = 0;
|
|
stream_cipher.message = (unsigned char *)(initialNasMsg->nas_data + 7);
|
|
/* length in bits */
|
|
stream_cipher.blength = (initialNasMsg->length - 7) << 3;
|
|
stream_compute_encrypt(nas->security_container->ciphering_algorithm, &stream_cipher, buf);
|
|
memcpy(stream_cipher.message, buf, initialNasMsg->length - 7);
|
|
/* integrity protection */
|
|
uint8_t mac[4];
|
|
stream_cipher.context = nas->security_container->integrity_context;
|
|
stream_cipher.count = nas->security.nas_count_ul++;
|
|
stream_cipher.bearer = 1;
|
|
stream_cipher.direction = 0;
|
|
stream_cipher.message = (unsigned char *)(initialNasMsg->nas_data + 6);
|
|
/* length in bits */
|
|
stream_cipher.blength = (initialNasMsg->length - 6) << 3;
|
|
stream_compute_integrity(nas->security_container->integrity_algorithm, &stream_cipher, mac);
|
|
LOG_D(NAS, "Integrity protected initial NAS message: mac = %x %x %x %x \n", mac[0], mac[1], mac[2], mac[3]);
|
|
for (int i = 0; i < 4; i++)
|
|
initialNasMsg->nas_data[2 + i] = mac[i];
|
|
} else {
|
|
// plain encoding
|
|
initialNasMsg->length = mm_msg_encode(&plain, initialNasMsg->nas_data, size);
|
|
LOG_I(NAS, "PLAIN_5GS_MSG initial NAS message: Service Request with length %d \n", initialNasMsg->length);
|
|
}
|
|
}
|
|
|
|
static void generateIdentityResponse(as_nas_info_t *initialNasMsg, const uint8_t identitytype, uicc_t *uicc)
|
|
{
|
|
int size = sizeof(fgmm_msg_header_t);
|
|
fgmm_nas_message_plain_t plain = {0};
|
|
|
|
// Plain 5GMM header
|
|
plain.header = set_mm_header(FGS_IDENTITY_RESPONSE, PLAIN_5GS_MSG);
|
|
size += sizeof(plain.header);
|
|
|
|
// set identity response
|
|
fgmm_identity_response_msg *mm_msg = &plain.mm_msg.fgs_identity_response;
|
|
if (identitytype == FGS_MOBILE_IDENTITY_SUCI) {
|
|
size += fill_suci(&mm_msg->fgsmobileidentity, uicc);
|
|
}
|
|
|
|
// encode the message
|
|
initialNasMsg->nas_data = malloc_or_fail(size * sizeof(*initialNasMsg->nas_data));
|
|
|
|
initialNasMsg->length = mm_msg_encode(&plain, initialNasMsg->nas_data, size);
|
|
}
|
|
|
|
static void handle_identity_request(as_nas_info_t *initialNasMsg, nr_ue_nas_t *nas, const byte_array_t buffer)
|
|
{
|
|
fgmm_msg_header_t mm_header = {0};
|
|
fgs_identity_request_msg_t msg = {0};
|
|
|
|
// Decode plain NAS header
|
|
int decoded = decode_5gmm_msg_header(&mm_header, buffer.buf, buffer.len);
|
|
if (decoded < 0) {
|
|
LOG_E(NAS, "Failed to decode NAS Identity Request header\n");
|
|
return;
|
|
}
|
|
|
|
byte_array_t payload = {.buf = &buffer.buf[decoded], .len = buffer.len - decoded};
|
|
|
|
// Decode identity request payload
|
|
if (decode_fgs_identity_request(&msg, &payload) < 0) {
|
|
LOG_E(NAS, "Failed to decode Identity Request message\n");
|
|
return;
|
|
}
|
|
|
|
LOG_I(NAS,
|
|
"Received IDENTITY REQUEST for identity type: %s\n",
|
|
print_info(msg.fgsmobileidentity, fgs_identity_type_text, sizeofArray(fgs_identity_type_text)));
|
|
|
|
if (mm_header.message_type == NAS_SECURITY_UNPROTECTED && msg.fgsmobileidentity != FGS_MOBILE_IDENTITY_SUCI) {
|
|
// see 3GPP TS 24.501 4.4.4.2
|
|
LOG_E(NAS, "Only SUCI mobile identity is expected in a security-unprotected request\n");
|
|
return;
|
|
}
|
|
|
|
generateIdentityResponse(initialNasMsg, msg.fgsmobileidentity, nas->uicc);
|
|
}
|
|
|
|
static void generateAuthenticationResp(nr_ue_nas_t *nas, as_nas_info_t *initialNasMsg, uint8_t *buf)
|
|
{
|
|
derive_ue_keys(buf, nas);
|
|
OctetString res;
|
|
res.length = 16;
|
|
res.value = calloc(1, 16);
|
|
memcpy(res.value, nas->security.res, 16);
|
|
|
|
int size = sizeof(fgmm_msg_header_t);
|
|
fgmm_nas_message_plain_t plain = {0};
|
|
|
|
// Plain 5GMM header
|
|
plain.header = set_mm_header(FGS_AUTHENTICATION_RESPONSE, PLAIN_5GS_MSG);
|
|
size += sizeof(plain.header);
|
|
|
|
// set response parameter
|
|
fgs_authentication_response_msg *mm_msg = &plain.mm_msg.fgs_auth_response;
|
|
mm_msg->authenticationresponseparameter.res = res;
|
|
size += 18;
|
|
// encode the message
|
|
initialNasMsg->nas_data = malloc_or_fail(size * sizeof(*initialNasMsg->nas_data));
|
|
|
|
initialNasMsg->length = mm_msg_encode(&plain, initialNasMsg->nas_data, size);
|
|
// Free res value after encode
|
|
free(res.value);
|
|
}
|
|
|
|
/** @brief Send Authentication Failure message from the UE to the AMF to
|
|
* indicate that authentication of the network has failed */
|
|
static void generateAuthenticationFailure(nr_ue_nas_t *nas, as_nas_info_t *initialNasMsg, cause_id_t cause)
|
|
{
|
|
int size = sizeof(fgmm_msg_header_t);
|
|
fgmm_nas_message_plain_t plain = {0};
|
|
|
|
// Plain 5GMM header
|
|
plain.header = set_mm_header(FGS_AUTHENTICATION_FAILURE, PLAIN_5GS_MSG);
|
|
size += sizeof(plain.header);
|
|
// 5GMM Cause (Mandatory)
|
|
fgmm_auth_failure_t *mm_msg = &plain.mm_msg.fgmm_auth_failure;
|
|
mm_msg->cause = cause;
|
|
size += 1;
|
|
initialNasMsg->nas_data = malloc_or_fail(size * sizeof(*initialNasMsg->nas_data));
|
|
initialNasMsg->length = mm_msg_encode(&plain, initialNasMsg->nas_data, size);
|
|
}
|
|
|
|
static void handle_fgmm_authentication_request(nr_ue_nas_t *nas, as_nas_info_t *initialNasMsg, byte_array_t *buffer)
|
|
{
|
|
LOG_D(NAS, "Received NAS Authentication Request\n");
|
|
fgs_authentication_request_t msg = {0};
|
|
int size = 0;
|
|
int decoded = 0;
|
|
|
|
// decode plain 5GMM message header
|
|
fgmm_msg_header_t mm_header = {0};
|
|
if ((decoded = decode_5gmm_msg_header(&mm_header, buffer->buf + size, buffer->len - size)) < 0) {
|
|
LOG_E(NAS, "decode_5gmm_msg_header failure in NAS Authentication Request handling\n");
|
|
return;
|
|
}
|
|
size += decoded;
|
|
// NAS key set identifier (Mandatory)
|
|
if ((decoded = decode_nas_key_set_identifier(&msg.ngKSI, 0, buffer->buf[decoded])) < 0) {
|
|
LOG_E(NAS, "decode_nas_key_set_identifier failure in NAS Authentication Request handling\n");
|
|
return;
|
|
}
|
|
size += decoded;
|
|
if (!nas->ksi) {
|
|
nas->ksi = malloc_or_fail(sizeof(*nas->ksi));
|
|
*nas->ksi = msg.ngKSI.naskeysetidentifier;
|
|
LOG_D(NAS, "Stored NAS Key Set Identifier %d\n", *nas->ksi);
|
|
} else if (*nas->ksi == msg.ngKSI.naskeysetidentifier) {
|
|
/* If the ngKSI value received is already associated with one
|
|
of the 5G security contexts stored in the UE, send failure message */
|
|
LOG_E(NAS, "Invalid NAS Key Set Identifier: send Authentication Failure\n");
|
|
generateAuthenticationFailure(nas, initialNasMsg, ngKSI_already_in_use);
|
|
return;
|
|
}
|
|
generateAuthenticationResp(nas, initialNasMsg, buffer->buf);
|
|
}
|
|
|
|
/** @brief Handle authentication not accepted by the network
|
|
* This function assumes the message is not integrity protected, processes the received
|
|
* NAS message and logs whether a EAP-failure is enclosed. The UE enters state: 5GMM-DEREGISTERED.
|
|
* @todo The UE shall performs actions as per 5.4.1.3.5 of 3GPP TS 24.501, including
|
|
* (1) Abort any ongoing 5GMM procedure (2) Stop all active timers: T3510, T3516, T3517,
|
|
* T3519, T3520, T3521 (3) Delete stored SUCI. (4) handle EAP-failure message. */
|
|
static void handle_authentication_reject(nr_ue_nas_t *nas, as_nas_info_t *initialNasMsg, uint8_t *pdu, int pdu_length)
|
|
{
|
|
LOG_E(NAS, "Received Authentication Reject message from the network\n");
|
|
uint8_t eap_msg[MAX_EAP_CONTENTS_LEN] = {0};
|
|
fgmm_auth_reject_msg_t msg = {.eap_msg.buf = eap_msg};
|
|
|
|
byte_array_t ba = {.buf = pdu + 3 /* skip header */, .len = pdu_length};
|
|
if (decode_fgmm_auth_reject(&msg, &ba) < 0) {
|
|
LOG_E(NAS, "Could not decode Authentication Reject\n");
|
|
return;
|
|
}
|
|
|
|
if (msg.eap_msg.len > 0) {
|
|
/** @todo UE handling EAP-failure message (5.4.1.2.2.11 of 3GPP TS 24.501) */
|
|
LOG_W(NAS, "NAS Authentication Reject contains an EAP message: handling is not implemented\n");
|
|
log_hex_buffer("EAP-Failure", msg.eap_msg.buf, msg.eap_msg.len);
|
|
}
|
|
|
|
nas->fiveGMM_state = FGS_DEREGISTERED;
|
|
}
|
|
|
|
int nas_itti_kgnb_refresh_req(instance_t instance, const uint8_t kgnb[32])
|
|
{
|
|
MessageDef *message_p;
|
|
message_p = itti_alloc_new_message(TASK_NAS_NRUE, instance, NAS_KENB_REFRESH_REQ);
|
|
memcpy(NAS_KENB_REFRESH_REQ(message_p).kenb, kgnb, sizeof(NAS_KENB_REFRESH_REQ(message_p).kenb));
|
|
return itti_send_msg_to_task(TASK_RRC_NRUE, instance, message_p);
|
|
}
|
|
|
|
static void generateSecurityModeComplete(nr_ue_nas_t *nas, as_nas_info_t *initialNasMsg)
|
|
{
|
|
int size = sizeof(fgmm_msg_header_t);
|
|
fgmm_nas_msg_security_protected_t nas_msg = {0};
|
|
nas_stream_cipher_t stream_cipher;
|
|
uint8_t mac[NAS_INTEGRITY_SIZE];
|
|
// set security protected header
|
|
fgs_nas_message_security_header_t *sp = &nas_msg.header;
|
|
sp->protocol_discriminator = FGS_MOBILITY_MANAGEMENT_MESSAGE;
|
|
sp->security_header_type = INTEGRITY_PROTECTED_AND_CIPHERED_WITH_NEW_SECU_CTX;
|
|
sp->sequence_number = nas->security.nas_count_ul & 0xff;
|
|
size += 7;
|
|
|
|
// Plain 5GMM Security Mode Complete msg
|
|
fgmm_nas_message_plain_t *plain = &nas_msg.plain;
|
|
|
|
// Plain 5GMM header
|
|
plain->header = set_mm_header(FGS_SECURITY_MODE_COMPLETE, PLAIN_5GS_MSG);
|
|
size += sizeof(plain->header);
|
|
|
|
// Plain 5GMM payload
|
|
fgs_security_mode_complete_msg *mm_msg = &plain->mm_msg.fgs_security_mode_complete;
|
|
size += fill_imeisv(&mm_msg->fgsmobileidentity, nas->uicc);
|
|
|
|
/* After activating a 5G NAS security context resulting from a security mode control send the full
|
|
NAS Registration Request in the message container IE of the SECURITY MODE COMPLETE message (24.501 4.4.6) */
|
|
as_nas_info_t rr;
|
|
generateRegistrationRequest(&rr, nas, true);
|
|
FGCNasMessageContainer *container = &mm_msg->fgsnasmessagecontainer;
|
|
container->nasmessagecontainercontents.value = rr.nas_data;
|
|
container->nasmessagecontainercontents.length = rr.length;
|
|
size += (rr.length + 2);
|
|
|
|
// encode the message
|
|
initialNasMsg->nas_data = malloc_or_fail(size * sizeof(*initialNasMsg->nas_data));
|
|
|
|
int security_header_len = nas_protected_security_header_encode(initialNasMsg->nas_data, sp, size);
|
|
|
|
initialNasMsg->length =
|
|
security_header_len
|
|
+ mm_msg_encode(plain, (uint8_t *)(initialNasMsg->nas_data + security_header_len), size - security_header_len);
|
|
|
|
if (rr.nas_data) {
|
|
free(rr.nas_data);
|
|
}
|
|
|
|
/* ciphering */
|
|
uint8_t buf[initialNasMsg->length - 7];
|
|
stream_cipher.context = nas->security_container->ciphering_context;
|
|
AssertFatal(nas->security.nas_count_ul <= 0xffffff, "fatal: NAS COUNT UL too big (todo: fix that)\n");
|
|
stream_cipher.count = nas->security.nas_count_ul;
|
|
stream_cipher.bearer = 1;
|
|
stream_cipher.direction = 0;
|
|
stream_cipher.message = (unsigned char *)(initialNasMsg->nas_data + 7);
|
|
/* length in bits */
|
|
stream_cipher.blength = (initialNasMsg->length - 7) << 3;
|
|
stream_compute_encrypt(nas->security_container->ciphering_algorithm, &stream_cipher, buf);
|
|
memcpy(stream_cipher.message, buf, initialNasMsg->length - 7);
|
|
|
|
/* integrity protection */
|
|
stream_cipher.context = nas->security_container->integrity_context;
|
|
stream_cipher.count = nas->security.nas_count_ul++;
|
|
stream_cipher.bearer = 1;
|
|
stream_cipher.direction = 0;
|
|
stream_cipher.message = (unsigned char *)(initialNasMsg->nas_data + 6);
|
|
/* length in bits */
|
|
stream_cipher.blength = (initialNasMsg->length - 6) << 3;
|
|
|
|
stream_compute_integrity(nas->security_container->integrity_algorithm, &stream_cipher, mac);
|
|
|
|
printf("mac %x %x %x %x \n", mac[0], mac[1], mac[2], mac[3]);
|
|
for (int i = 0; i < 4; i++) {
|
|
initialNasMsg->nas_data[2 + i] = mac[i];
|
|
}
|
|
}
|
|
|
|
/** @brief Generates the Security Mode Reject message to be sent by the UE to the AMF
|
|
* to indicate that the corresponding security mode command has been rejected */
|
|
static void generateSecurityModeReject(nr_ue_nas_t *nas, as_nas_info_t *initialNasMsg, cause_id_t cause)
|
|
{
|
|
LOG_I(NAS, "Send Security Mode Reject\n");
|
|
fgmm_msg_header_t plain_header = set_mm_header(FGS_SECURITY_MODE_REJECT, PLAIN_5GS_MSG);
|
|
int size = sizeof(plain_header);
|
|
fgs_security_mode_reject_msg msg = {.cause = cause};
|
|
size += 1;
|
|
|
|
/** The UE shall apply the 5G NAS security context in use
|
|
* before the initiation of the security mode control procedure,
|
|
* if any, to protect the SECURITY MODE REJECT message */
|
|
bool has_security_context = nas->security_container && nas->security_container->integrity_context;
|
|
if (has_security_context) {
|
|
fgmm_nas_msg_security_protected_t sp = {0};
|
|
sp.header.protocol_discriminator = FGS_MOBILITY_MANAGEMENT_MESSAGE;
|
|
sp.header.security_header_type = INTEGRITY_PROTECTED;
|
|
sp.header.sequence_number = nas->security.nas_count_ul & 0xff;
|
|
size += sizeof(sp.header);
|
|
sp.plain.header = plain_header;
|
|
sp.plain.mm_msg.fgs_security_mode_reject = msg;
|
|
// Security protected header encoding
|
|
int security_header_len = nas_protected_security_header_encode(initialNasMsg->nas_data, &sp.header, size);
|
|
initialNasMsg->length =
|
|
security_header_len + mm_msg_encode(&sp.plain, initialNasMsg->nas_data + security_header_len, size - security_header_len);
|
|
/* ciphering */
|
|
uint8_t buf[initialNasMsg->length - 7];
|
|
nas_stream_cipher_t stream_cipher;
|
|
stream_cipher.context = nas->security_container->ciphering_context;
|
|
AssertFatal(nas->security.nas_count_ul <= 0xffffff, "fatal: NAS COUNT UL too big (todo: fix that)\n");
|
|
stream_cipher.count = nas->security.nas_count_ul;
|
|
stream_cipher.bearer = 1;
|
|
stream_cipher.direction = 0;
|
|
stream_cipher.message = (unsigned char *)(initialNasMsg->nas_data + 7);
|
|
/* length in bits */
|
|
stream_cipher.blength = (initialNasMsg->length - 7) << 3;
|
|
stream_compute_encrypt(nas->security_container->ciphering_algorithm, &stream_cipher, buf);
|
|
memcpy(stream_cipher.message, buf, initialNasMsg->length - 7);
|
|
/* integrity protection */
|
|
uint8_t mac[4];
|
|
stream_cipher.context = nas->security_container->integrity_context;
|
|
stream_cipher.count = nas->security.nas_count_ul++;
|
|
stream_cipher.bearer = 1;
|
|
stream_cipher.direction = 0;
|
|
stream_cipher.message = (unsigned char *)(initialNasMsg->nas_data + 6);
|
|
/* length in bits */
|
|
stream_cipher.blength = (initialNasMsg->length - 6) << 3;
|
|
stream_compute_integrity(nas->security_container->integrity_algorithm, &stream_cipher, mac);
|
|
LOG_D(NAS, "Integrity protected initial NAS message: mac = %x %x %x %x \n", mac[0], mac[1], mac[2], mac[3]);
|
|
for (int i = 0; i < 4; i++)
|
|
initialNasMsg->nas_data[2 + i] = mac[i];
|
|
} else {
|
|
fgmm_nas_message_plain_t plain = {0};
|
|
plain.header = plain_header;
|
|
plain.mm_msg.fgs_security_mode_reject = msg;
|
|
// encode the message
|
|
initialNasMsg->nas_data = malloc_or_fail(size);
|
|
initialNasMsg->length = mm_msg_encode(&plain, initialNasMsg->nas_data, size);
|
|
}
|
|
}
|
|
|
|
static void handle_security_mode_command(nr_ue_nas_t *nas, as_nas_info_t *initialNasMsg, uint8_t *pdu, int pdu_length)
|
|
{
|
|
/* Handle security mode command: must be authenticated, especially if no security
|
|
context has been previously established. */
|
|
uint8_t recv_mac[4];
|
|
Security_header_t sec_hdr;
|
|
|
|
/* Must have valid security header*/
|
|
if(!nas_security_get_sec_hdr(pdu, pdu_length, &sec_hdr)) {
|
|
LOG_E(NAS, "Received Security Mode Command without integrity protection.\n");
|
|
generateSecurityModeReject(nas, initialNasMsg, Security_mode_rejected_unspecified);
|
|
return;
|
|
}
|
|
|
|
/* Must be integrity protected with new context (=3), see 3GPP TS 24.501 5.4.2.2 */
|
|
if(sec_hdr != INTEGRITY_PROTECTED_WITH_NEW_SECU_CTX) {
|
|
LOG_E(NAS, "Received Security Mode Command with invalid security header type %d.\n", sec_hdr);
|
|
generateSecurityModeReject(nas, initialNasMsg, Security_mode_rejected_unspecified);
|
|
return;
|
|
}
|
|
|
|
/* Must have a MAC - checked after deriving keys */
|
|
if(!nas_security_get_mac(pdu, pdu_length, recv_mac)) {
|
|
LOG_E(NAS, "Received Security Mode Command with invalid MAC.\n");
|
|
generateSecurityModeReject(nas, initialNasMsg, Security_mode_rejected_unspecified);
|
|
return;
|
|
}
|
|
|
|
/* retrieve integrity and ciphering algorithms */
|
|
if (pdu_length < 10) {
|
|
LOG_E(NAS, "Invalid pdu_length=%d : send Security Mode Reject\n", pdu_length);
|
|
// 3GPP TS 24.501 5.4.2.5 NAS security mode command not accepted by the UE
|
|
generateSecurityModeReject(nas, initialNasMsg, Security_mode_rejected_unspecified);
|
|
}
|
|
|
|
int ciphering_algorithm = (pdu[10] >> 4) & 0x0f;
|
|
int integrity_algorithm = pdu[10] & 0x0f;
|
|
|
|
uint8_t *kamf = nas->security.kamf;
|
|
uint8_t *knas_enc = nas->security.knas_enc;
|
|
uint8_t *knas_int = nas->security.knas_int;
|
|
|
|
/* derive keys */
|
|
derive_knas(0x01, ciphering_algorithm, kamf, knas_enc);
|
|
derive_knas(0x02, integrity_algorithm, kamf, knas_int);
|
|
|
|
printf("knas_int: ");
|
|
for (int i = 0; i < 16; i++) {
|
|
printf("%x ", knas_int[i]);
|
|
}
|
|
printf("\n");
|
|
|
|
printf("knas_enc: ");
|
|
for (int i = 0; i < 16; i++) {
|
|
printf("%x ", knas_enc[i]);
|
|
}
|
|
printf("\n");
|
|
|
|
if (integrity_algorithm != EIA0_ALG_ID) {
|
|
nas->security_container = stream_security_container_init(ciphering_algorithm, integrity_algorithm, knas_enc, knas_int);
|
|
} else {
|
|
LOG_E(NAS, "Rejecting Invalid NULL integrity %d for 5G!\n",
|
|
integrity_algorithm);
|
|
nas->security_container = NULL;
|
|
}
|
|
|
|
/* Handle the invalid container with a reject message */
|
|
if(nas->security_container == NULL) {
|
|
LOG_W(NAS, "Could not create security container!\n");
|
|
generateSecurityModeReject(nas, initialNasMsg, Security_mode_rejected_unspecified);
|
|
return;
|
|
}
|
|
|
|
/* Check MAC and delete context if it does not match */
|
|
uint8_t computed_mac[NAS_INTEGRITY_SIZE];
|
|
byte_array_t ba = {.buf = pdu, .len = pdu_length};
|
|
nas_security_compute_mac(nas, ba, false, true, computed_mac);
|
|
|
|
/* Teardown security container if mismatch. */
|
|
if(memcmp(computed_mac, recv_mac, NAS_INTEGRITY_SIZE) != 0) {
|
|
LOG_W(NAS, "MAC does not match\n");
|
|
LOG_W(NAS, "Expected: %x %x %x %x\n", computed_mac[0], computed_mac[1], computed_mac[2], computed_mac[3]);
|
|
LOG_W(NAS, "Received: %x %x %x %x\n", recv_mac[0], recv_mac[1], recv_mac[2], recv_mac[3]);
|
|
stream_security_container_delete(nas->security_container);
|
|
nas->security_container = NULL;
|
|
|
|
/* Signal rejection */
|
|
generateSecurityModeReject(nas, initialNasMsg, Security_mode_rejected_unspecified);
|
|
return;
|
|
}
|
|
|
|
nas_itti_kgnb_refresh_req(nas->UE_id, nas->security.kgnb);
|
|
generateSecurityModeComplete(nas, initialNasMsg);
|
|
}
|
|
|
|
static void generateRegistrationComplete(nr_ue_nas_t *nas,
|
|
as_nas_info_t *initialNasMsg,
|
|
SORTransparentContainer *sortransparentcontainer)
|
|
{
|
|
int length = 0;
|
|
nas_stream_cipher_t stream_cipher;
|
|
uint8_t mac[NAS_INTEGRITY_SIZE];
|
|
fgmm_nas_msg_security_protected_t sp = {0};
|
|
|
|
// set security protected header
|
|
sp.header.protocol_discriminator = FGS_MOBILITY_MANAGEMENT_MESSAGE;
|
|
sp.header.security_header_type = INTEGRITY_PROTECTED_AND_CIPHERED;
|
|
sp.header.message_authentication_code = 0;
|
|
sp.header.sequence_number = nas->security.nas_count_ul & 0xff;
|
|
length = 7;
|
|
// set plain 5GMM header
|
|
sp.plain.header = set_mm_header(FGS_REGISTRATION_COMPLETE, PLAIN_5GS_MSG);
|
|
length += sizeof(sp.plain.header);
|
|
|
|
registration_complete_msg *mm_msg = &sp.plain.mm_msg.registration_complete;
|
|
if (sortransparentcontainer) {
|
|
mm_msg->sortransparentcontainer = sortransparentcontainer;
|
|
length += sortransparentcontainer->sortransparentcontainercontents.length;
|
|
}
|
|
|
|
// encode the message
|
|
initialNasMsg->nas_data = malloc_or_fail(length * sizeof(*initialNasMsg->nas_data));
|
|
initialNasMsg->length = length;
|
|
// encode security protected header
|
|
int encoded = nas_protected_security_header_encode(initialNasMsg->nas_data, &sp.header, length);
|
|
if (encoded < 0) {
|
|
LOG_E(NAS, "generateRegistrationComplete: failed to encode security protected header\n");
|
|
return;
|
|
}
|
|
// encode 5GMM plain header
|
|
encoded = _nas_mm_msg_encode_header(&sp.plain.header, initialNasMsg->nas_data + encoded, length - encoded);
|
|
if (encoded < 0) {
|
|
LOG_E(NAS, "generateRegistrationComplete: failed to encode 5GMM plain header\n");
|
|
return;
|
|
}
|
|
|
|
encode_registration_complete(mm_msg, initialNasMsg->nas_data + encoded, length - encoded);
|
|
|
|
/* ciphering */
|
|
uint8_t buf[initialNasMsg->length - 7];
|
|
stream_cipher.context = nas->security_container->ciphering_context;
|
|
AssertFatal(nas->security.nas_count_ul <= 0xffffff, "fatal: NAS COUNT UL too big (todo: fix that)\n");
|
|
stream_cipher.count = nas->security.nas_count_ul;
|
|
stream_cipher.bearer = 1;
|
|
stream_cipher.direction = 0;
|
|
stream_cipher.message = (unsigned char *)(initialNasMsg->nas_data + 7);
|
|
/* length in bits */
|
|
stream_cipher.blength = (initialNasMsg->length - 7) << 3;
|
|
stream_compute_encrypt(nas->security_container->ciphering_algorithm, &stream_cipher, buf);
|
|
memcpy(stream_cipher.message, buf, initialNasMsg->length - 7);
|
|
|
|
/* integrity protection */
|
|
stream_cipher.context = nas->security_container->integrity_context;
|
|
stream_cipher.count = nas->security.nas_count_ul++;
|
|
stream_cipher.bearer = 1;
|
|
stream_cipher.direction = 0;
|
|
stream_cipher.message = (unsigned char *)(initialNasMsg->nas_data + 6);
|
|
/* length in bits */
|
|
stream_cipher.blength = (initialNasMsg->length - 6) << 3;
|
|
stream_compute_integrity(nas->security_container->integrity_algorithm, &stream_cipher, mac);
|
|
|
|
printf("mac %x %x %x %x \n", mac[0], mac[1], mac[2], mac[3]);
|
|
for (int i = 0; i < 4; i++) {
|
|
initialNasMsg->nas_data[2 + i] = mac[i];
|
|
}
|
|
/* Set NAS 5GMM state */
|
|
nas->fiveGMM_state = FGS_REGISTERED;
|
|
}
|
|
|
|
/**
|
|
* @brief Capture IPv4 PDU Session Address
|
|
*/
|
|
static int capture_ipv4_addr(const uint8_t *addr, char *ip, size_t len)
|
|
{
|
|
return snprintf(ip, len, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
|
|
}
|
|
|
|
/**
|
|
* @brief Capture IPv6 PDU Session Address
|
|
*/
|
|
static int capture_ipv6_addr(const uint8_t *addr, char *ip, size_t len)
|
|
{
|
|
// 24.501 Sec 9.11.4.10: "an interface identifier for the IPv6 link local
|
|
// address": link local starts with fe80::, and only the last 64bits are
|
|
// given (middle is zero)
|
|
return snprintf(ip,
|
|
len,
|
|
"fe80::%02x%02x:%02x%02x:%02x%02x:%02x%02x",
|
|
addr[0],
|
|
addr[1],
|
|
addr[2],
|
|
addr[3],
|
|
addr[4],
|
|
addr[5],
|
|
addr[6],
|
|
addr[7]);
|
|
}
|
|
|
|
/**
|
|
* @brief Process PDU Session Address in PDU Session Establishment Accept message
|
|
* and configure the tun interface
|
|
*/
|
|
static void process_pdu_session_addr(pdu_session_establishment_accept_msg_t *msg,
|
|
int instance_id,
|
|
int pdu_session_id,
|
|
bool is_default)
|
|
{
|
|
uint8_t *addr = msg->pdu_addr_ie.pdu_addr_oct;
|
|
|
|
switch (msg->pdu_addr_ie.pdu_type) {
|
|
case PDU_SESSION_TYPE_IPV4: {
|
|
char ip[20];
|
|
capture_ipv4_addr(&addr[0], ip, sizeof(ip));
|
|
create_ue_ip_if(ip, NULL, instance_id, pdu_session_id, is_default);
|
|
} break;
|
|
|
|
case PDU_SESSION_TYPE_IPV6: {
|
|
char ipv6[40];
|
|
capture_ipv6_addr(addr, ipv6, sizeof(ipv6));
|
|
create_ue_ip_if(NULL, ipv6, instance_id, pdu_session_id, is_default);
|
|
} break;
|
|
|
|
case PDU_SESSION_TYPE_IPV4V6: {
|
|
char ipv6[40];
|
|
capture_ipv6_addr(addr, ipv6, sizeof(ipv6));
|
|
char ipv4[20];
|
|
capture_ipv4_addr(&addr[IPv6_INTERFACE_ID_LENGTH], ipv4, sizeof(ipv4));
|
|
create_ue_ip_if(ipv4, ipv6, instance_id, pdu_session_id, is_default);
|
|
} break;
|
|
|
|
default:
|
|
LOG_E(NAS, "Unknown PDU Session Address type %d\n", msg->pdu_addr_ie.pdu_type);
|
|
break;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @brief Handle PDU Session Establishment Accept and process decoded message
|
|
*/
|
|
static void handle_pdu_session_accept(const nr_ue_nas_t *nas, uint8_t *pdu_buffer, uint32_t msg_length, int instance)
|
|
{
|
|
pdu_session_establishment_accept_msg_t msg = {0};
|
|
int size = 0;
|
|
int decoded = 0;
|
|
|
|
// Security protected NAS header (7 bytes)
|
|
fgs_nas_message_security_header_t sec_nas_hdr = {0};
|
|
if ((decoded = decode_5gs_security_protected_header(&sec_nas_hdr, pdu_buffer, msg_length)) < 0) {
|
|
LOG_E(NAS, "decode_5gs_security_protected_header failure in PDU Session Establishment Accept decoding\n");
|
|
return;
|
|
}
|
|
size += decoded;
|
|
|
|
// decode plain 5GMM message header
|
|
fgmm_msg_header_t mm_header = {0};
|
|
if ((decoded = decode_5gmm_msg_header(&mm_header, pdu_buffer + size, msg_length - size)) < 0) {
|
|
LOG_E(NAS, "decode_5gmm_msg_header failure in PDU Session Establishment Accept decoding\n");
|
|
return;
|
|
}
|
|
size += decoded;
|
|
|
|
/* Process container (5GSM message) */
|
|
// Payload container type and spare (1 octet)
|
|
size++;
|
|
// Payload container length
|
|
uint16_t iei_len = 0;
|
|
GET_SHORT(pdu_buffer + size, iei_len);
|
|
size += sizeof(iei_len);
|
|
// decode plain 5GSM message header
|
|
fgsm_msg_header_t sm_header = {0};
|
|
if ((decoded = decode_5gsm_msg_header(&sm_header, pdu_buffer + size, msg_length - size)) < 0) {
|
|
LOG_E(NAS, "decode_5gsm_msg_header failure in PDU Session Establishment Accept decoding\n");
|
|
return;
|
|
}
|
|
size += decoded;
|
|
|
|
// decode PDU Session Establishment Accept
|
|
if (!decode_pdu_session_establishment_accept_msg(&msg, pdu_buffer + size, msg_length)) {
|
|
LOG_E(NAS, "decode_pdu_session_establishment_accept_msg failure\n");
|
|
return;
|
|
}
|
|
|
|
int idx;
|
|
for (idx = 0; idx < nas->uicc->n_pdu_sessions; ++idx) {
|
|
const pdu_session_config_t *pdu = &nas->uicc->pdu_sessions[idx];
|
|
bool msg_ipv4or6 = msg.pdu_type == PDU_SESSION_TYPE_IPV4 || msg.pdu_type == PDU_SESSION_TYPE_IPV6;
|
|
bool correct_type = pdu->type == msg.pdu_type || (pdu->type == PDU_SESSION_TYPE_IPV4V6 && msg_ipv4or6);
|
|
if (pdu->id == sm_header.pdu_session_id && correct_type)
|
|
break;
|
|
}
|
|
if (idx == nas->uicc->n_pdu_sessions) {
|
|
LOG_E(NAS,
|
|
"PDU session establishment accept for ID %d type %d not in list of configured PDU sessions, abort transaction\n",
|
|
sm_header.pdu_session_id,
|
|
msg.pdu_type);
|
|
return;
|
|
}
|
|
|
|
// process PDU Session: pass ID -1 to not append PDU ID to interface
|
|
bool is_default = idx == 0;
|
|
if (msg.pdu_type == PDU_SESSION_TYPE_ETHER) {
|
|
create_ue_eth_if(instance, sm_header.pdu_session_id, is_default);
|
|
} else if (msg.pdu_addr_ie.pdu_length) {
|
|
process_pdu_session_addr(&msg, instance, sm_header.pdu_session_id, is_default);
|
|
} else {
|
|
LOG_W(NAS, "Unhandled PDU session type %d, ignoring PDU session ID %d\n", msg.pdu_type, sm_header.pdu_session_id);
|
|
}
|
|
|
|
set_qfi(msg.qos_rules.rule->qfi, sm_header.pdu_session_id, instance);
|
|
}
|
|
|
|
/**
|
|
* @brief Handle DL NAS Transport and process piggybacked 5GSM messages
|
|
*/
|
|
void handleDownlinkNASTransport(const nr_ue_nas_t *nas, uint8_t * pdu_buffer, int pdu_length, int instance)
|
|
{
|
|
if (pdu_length < 17) {
|
|
LOG_E(NAS, "Received DL NAS Transport message too short (%d)\n", pdu_length);
|
|
return;
|
|
}
|
|
uint8_t msg_type = *(pdu_buffer + 16);
|
|
if (msg_type == FGS_PDU_SESSION_ESTABLISHMENT_ACC) {
|
|
LOG_A(NAS, "Received PDU Session Establishment Accept in DL NAS Transport\n");
|
|
handle_pdu_session_accept(nas, pdu_buffer, pdu_length, instance);
|
|
} else {
|
|
LOG_E(NAS, "Received unexpected message in DLinformationTransfer %d\n", msg_type);
|
|
}
|
|
}
|
|
|
|
static void generateDeregistrationRequest(nr_ue_nas_t *nas, as_nas_info_t *initialNasMsg, const nas_deregistration_req_t *req)
|
|
{
|
|
fgmm_nas_msg_security_protected_t sp_msg = {0};
|
|
fgs_nas_message_security_header_t *sp_header = &sp_msg.header;
|
|
sp_header->protocol_discriminator = FGS_MOBILITY_MANAGEMENT_MESSAGE;
|
|
sp_header->security_header_type = INTEGRITY_PROTECTED_AND_CIPHERED;
|
|
sp_header->message_authentication_code = 0;
|
|
sp_header->sequence_number = nas->security.nas_count_ul & 0xff;
|
|
int size = sizeof(sp_msg.header);
|
|
|
|
// Plain 5GMM header
|
|
sp_msg.plain.header = set_mm_header(FGS_DEREGISTRATION_REQUEST_UE_ORIGINATING, INTEGRITY_PROTECTED_AND_CIPHERED_WITH_NEW_SECU_CTX);
|
|
size += sizeof(sp_msg.plain.header);
|
|
|
|
// Plain 5GMM
|
|
fgs_deregistration_request_ue_originating_msg *mm_msg = &sp_msg.plain.mm_msg.fgs_deregistration_request_ue_originating;
|
|
mm_msg->deregistrationtype.switchoff = NORMAL_DEREGISTRATION; // note: in case this is changed to SWITCH_OFF, handle in unprotected_allowed
|
|
mm_msg->deregistrationtype.reregistration_required = REREGISTRATION_NOT_REQUIRED;
|
|
mm_msg->deregistrationtype.access_type = TGPP_ACCESS;
|
|
mm_msg->naskeysetidentifier.naskeysetidentifier = 1;
|
|
size += 1;
|
|
size += fill_guti(&mm_msg->fgsmobileidentity, nas->guti);
|
|
|
|
// encode the message
|
|
initialNasMsg->nas_data = calloc_or_fail(size, sizeof(*initialNasMsg->nas_data));
|
|
int security_header_len = nas_protected_security_header_encode(initialNasMsg->nas_data, sp_header, size);
|
|
|
|
initialNasMsg->length =
|
|
security_header_len
|
|
+ mm_msg_encode(&sp_msg.plain, (uint8_t *)(initialNasMsg->nas_data + security_header_len), size - security_header_len);
|
|
|
|
nas_stream_cipher_t stream_cipher;
|
|
|
|
/* ciphering */
|
|
uint8_t buf[initialNasMsg->length - 7];
|
|
stream_cipher.context = nas->security_container->ciphering_context;
|
|
AssertFatal(nas->security.nas_count_ul <= 0xffffff, "fatal: NAS COUNT UL too big (todo: fix that)\n");
|
|
stream_cipher.count = nas->security.nas_count_ul;
|
|
stream_cipher.bearer = 1;
|
|
stream_cipher.direction = 0;
|
|
stream_cipher.message = (unsigned char *)(initialNasMsg->nas_data + 7);
|
|
/* length in bits */
|
|
stream_cipher.blength = (initialNasMsg->length - 7) << 3;
|
|
stream_compute_encrypt(nas->security_container->ciphering_algorithm, &stream_cipher, buf);
|
|
memcpy(stream_cipher.message, buf, initialNasMsg->length - 7);
|
|
|
|
/* integrity protection */
|
|
stream_cipher.context = nas->security_container->integrity_context;
|
|
stream_cipher.count = nas->security.nas_count_ul++;
|
|
stream_cipher.bearer = 1;
|
|
stream_cipher.direction = 0;
|
|
stream_cipher.message = (unsigned char *)(initialNasMsg->nas_data + 6);
|
|
/* length in bits */
|
|
stream_cipher.blength = (initialNasMsg->length - 6) << 3;
|
|
uint8_t mac[NAS_INTEGRITY_SIZE];
|
|
stream_compute_integrity(nas->security_container->integrity_algorithm, &stream_cipher, mac);
|
|
|
|
printf("mac %x %x %x %x \n", mac[0], mac[1], mac[2], mac[3]);
|
|
for (int i = 0; i < 4; i++) {
|
|
initialNasMsg->nas_data[2 + i] = mac[i];
|
|
}
|
|
/* Set NAS 5GMM state */
|
|
nas->fiveGMM_state = FGS_DEREGISTERED_INITIATED;
|
|
}
|
|
|
|
static void generatePduSessionEstablishRequest(nr_ue_nas_t *nas, as_nas_info_t *initialNasMsg, nas_pdu_session_req_t *pdu_req)
|
|
{
|
|
int size = 0;
|
|
|
|
// setup pdu session establishment request
|
|
uint16_t req_length = 7;
|
|
uint8_t *req_buffer = malloc(req_length);
|
|
pdu_session_establishment_request_msg pdu_session_establish;
|
|
pdu_session_establish.protocoldiscriminator = FGS_SESSION_MANAGEMENT_MESSAGE;
|
|
pdu_session_establish.pdusessionid = pdu_req->pdusession_id;
|
|
pdu_session_establish.pti = 1;
|
|
pdu_session_establish.pdusessionestblishmsgtype = FGS_PDU_SESSION_ESTABLISHMENT_REQ;
|
|
pdu_session_establish.maxdatarate = 0xffff;
|
|
pdu_session_establish.pdusessiontype = pdu_req->pdusession_type;
|
|
encode_pdu_session_establishment_request(&pdu_session_establish, req_buffer);
|
|
|
|
nas_stream_cipher_t stream_cipher;
|
|
uint8_t mac[NAS_INTEGRITY_SIZE];
|
|
|
|
// 5GMM security protected message
|
|
fgmm_nas_msg_security_protected_t sp_msg = {0};
|
|
// 5GMM security protected message header
|
|
fgs_nas_message_security_header_t *sp_header = &sp_msg.header;
|
|
sp_header->protocol_discriminator = FGS_MOBILITY_MANAGEMENT_MESSAGE;
|
|
sp_header->security_header_type = INTEGRITY_PROTECTED_AND_CIPHERED;
|
|
sp_header->sequence_number = nas->security.nas_count_ul & 0xff;
|
|
|
|
size += 7;
|
|
|
|
fgmm_nas_message_plain_t *plain = &sp_msg.plain;
|
|
|
|
// Plain 5GMM header
|
|
plain->header = set_mm_header(FGS_UPLINK_NAS_TRANSPORT, PLAIN_5GS_MSG);
|
|
size += sizeof(plain->header);
|
|
|
|
fgs_uplink_nas_transport_msg *mm_msg = &plain->mm_msg.uplink_nas_transport;
|
|
mm_msg->payloadcontainertype.iei = 0;
|
|
mm_msg->payloadcontainertype.type = 1;
|
|
size += 1;
|
|
mm_msg->fgspayloadcontainer.payloadcontainercontents.length = req_length;
|
|
mm_msg->fgspayloadcontainer.payloadcontainercontents.value = req_buffer;
|
|
size += (2 + req_length);
|
|
mm_msg->pdusessionid = pdu_req->pdusession_id;
|
|
mm_msg->requesttype = 1;
|
|
size += 3;
|
|
const bool has_nssai_sd = pdu_req->sd != 0xffffff; // 0xffffff means "no SD", TS 23.003
|
|
const size_t nssai_len = has_nssai_sd ? 4 : 1;
|
|
mm_msg->snssai.length = nssai_len;
|
|
mm_msg->snssai.value = calloc(1, nssai_len);
|
|
mm_msg->snssai.value[0] = pdu_req->sst;
|
|
if (has_nssai_sd)
|
|
INT24_TO_BUFFER(pdu_req->sd, &mm_msg->snssai.value[1]);
|
|
size += 1 + 1 + nssai_len;
|
|
int dnnSize = strlen(pdu_req->dnn);
|
|
mm_msg->dnn.value = calloc(1, dnnSize + 1);
|
|
mm_msg->dnn.length = dnnSize + 1;
|
|
mm_msg->dnn.value[0] = dnnSize;
|
|
memcpy(mm_msg->dnn.value + 1, pdu_req->dnn, dnnSize);
|
|
size += (1 + 1 + dnnSize + 1);
|
|
|
|
// encode the message
|
|
initialNasMsg->nas_data = malloc_or_fail(size * sizeof(*initialNasMsg->nas_data));
|
|
int security_header_len = nas_protected_security_header_encode(initialNasMsg->nas_data, sp_header, size);
|
|
|
|
initialNasMsg->length =
|
|
security_header_len
|
|
+ mm_msg_encode(plain, (uint8_t *)(initialNasMsg->nas_data + security_header_len), size - security_header_len);
|
|
|
|
// Free allocated memory after encode
|
|
free(req_buffer);
|
|
free(mm_msg->dnn.value);
|
|
free(mm_msg->snssai.value);
|
|
|
|
/* ciphering */
|
|
uint8_t buf[initialNasMsg->length - 7];
|
|
stream_cipher.context = nas->security_container->ciphering_context;
|
|
AssertFatal(nas->security.nas_count_ul <= 0xffffff, "fatal: NAS COUNT UL too big (todo: fix that)\n");
|
|
stream_cipher.count = nas->security.nas_count_ul;
|
|
stream_cipher.bearer = 1;
|
|
stream_cipher.direction = 0;
|
|
stream_cipher.message = (unsigned char *)(initialNasMsg->nas_data + 7);
|
|
/* length in bits */
|
|
stream_cipher.blength = (initialNasMsg->length - 7) << 3;
|
|
stream_compute_encrypt(nas->security_container->ciphering_algorithm, &stream_cipher, buf);
|
|
memcpy(stream_cipher.message, buf, initialNasMsg->length - 7);
|
|
|
|
/* integrity protection */
|
|
stream_cipher.context = nas->security_container->integrity_context;
|
|
stream_cipher.count = nas->security.nas_count_ul++;
|
|
stream_cipher.bearer = 1;
|
|
stream_cipher.direction = 0;
|
|
stream_cipher.message = (unsigned char *)(initialNasMsg->nas_data + 6);
|
|
/* length in bits */
|
|
stream_cipher.blength = (initialNasMsg->length - 6) << 3;
|
|
stream_compute_integrity(nas->security_container->integrity_algorithm, &stream_cipher, mac);
|
|
|
|
printf("mac %x %x %x %x \n", mac[0], mac[1], mac[2], mac[3]);
|
|
for (int i = 0; i < 4; i++) {
|
|
initialNasMsg->nas_data[2 + i] = mac[i];
|
|
}
|
|
}
|
|
|
|
static void send_nas_uplink_data_req(nr_ue_nas_t *nas, const as_nas_info_t *initial_nas_msg)
|
|
{
|
|
MessageDef *msg = itti_alloc_new_message(TASK_NAS_NRUE, nas->UE_id, NAS_UPLINK_DATA_REQ);
|
|
ul_info_transfer_req_t *req = &NAS_UPLINK_DATA_REQ(msg);
|
|
req->UEid = nas->UE_id;
|
|
req->nasMsg.nas_data = (uint8_t *)initial_nas_msg->nas_data;
|
|
req->nasMsg.length = initial_nas_msg->length;
|
|
itti_send_msg_to_task(TASK_RRC_NRUE, nas->UE_id, msg);
|
|
}
|
|
|
|
static void send_nas_detach_req(nr_ue_nas_t *nas, bool wait_release)
|
|
{
|
|
MessageDef *msg = itti_alloc_new_message(TASK_NAS_NRUE, nas->UE_id, NAS_DETACH_REQ);
|
|
nas_detach_req_t *req = &NAS_DETACH_REQ(msg);
|
|
req->wait_release = wait_release;
|
|
itti_send_msg_to_task(TASK_RRC_NRUE, nas->UE_id, msg);
|
|
}
|
|
|
|
static void send_nas_5gmm_ind(instance_t instance, const Guti5GSMobileIdentity_t *guti)
|
|
{
|
|
MessageDef *msg = itti_alloc_new_message(TASK_NAS_NRUE, 0, NAS_5GMM_IND);
|
|
nas_5gmm_ind_t *ind = &NAS_5GMM_IND(msg);
|
|
LOG_I(NR_RRC, "5G-GUTI: AMF pointer %u, AMF Set ID %u, 5G-TMSI %u \n", guti->amfpointer, guti->amfsetid, guti->tmsi);
|
|
ind->fiveG_STMSI = nr_construct_5g_s_tmsi(guti->amfsetid, guti->amfpointer, guti->tmsi);
|
|
itti_send_msg_to_task(TASK_RRC_NRUE, instance, msg);
|
|
}
|
|
|
|
void request_pdusession(nr_ue_nas_t *nas, const pdu_session_config_t *pdu)
|
|
{
|
|
int t = pdu->type;
|
|
AssertFatal(t == PDU_SESSION_TYPE_IPV4 || t == PDU_SESSION_TYPE_IPV6 || t == PDU_SESSION_TYPE_IPV4V6
|
|
|| t == PDU_SESSION_TYPE_UNSTRUCT || t == PDU_SESSION_TYPE_ETHER,
|
|
"illegal PDU session type %d\n",
|
|
t);
|
|
AssertFatal(t != PDU_SESSION_TYPE_UNSTRUCT, "unstructured PDU sessions not handled yet\n");
|
|
MessageDef *message_p = itti_alloc_new_message(TASK_NAS_NRUE, nas->UE_id, NAS_PDU_SESSION_REQ);
|
|
nas_pdu_session_req_t *pdu_req = &NAS_PDU_SESSION_REQ(message_p);
|
|
pdu_req->pdusession_id = pdu->id;
|
|
// 24.501: joint PDU session type IEI (0x9-, Table 8.3.1.1.1) and type (9.11.4.11)
|
|
pdu_req->pdusession_type = 0x90 | t;
|
|
pdu_req->sst = pdu->nssai.sst;
|
|
pdu_req->sd = pdu->nssai.sd;
|
|
snprintf(pdu_req->dnn, sizeof(pdu_req->dnn), "%s", pdu->dnn);
|
|
itti_send_msg_to_task(TASK_NAS_NRUE, nas->UE_id, message_p);
|
|
}
|
|
|
|
static int get_user_nssai_idx(nssai_t ch_nssai, const nr_nas_msg_snssai_t allowed_nssai[NAS_MAX_NUMBER_SLICES])
|
|
{
|
|
for (int i = 0; i < NAS_MAX_NUMBER_SLICES; i++) {
|
|
const nr_nas_msg_snssai_t *nssai = allowed_nssai + i;
|
|
/* If it was received in Registration Accept, check the SD
|
|
in the stored Allowed N-SSAI, else, consider the SD valid */
|
|
bool sd_match = !nssai->sd || (ch_nssai.sd == *nssai->sd);
|
|
if ((ch_nssai.sst == nssai->sst) && sd_match)
|
|
return i;
|
|
}
|
|
return -1;
|
|
}
|
|
|
|
void *nas_nrue_task(void *args_p)
|
|
{
|
|
while (1) {
|
|
nas_nrue(NULL);
|
|
}
|
|
}
|
|
|
|
static void process_guti(Guti5GSMobileIdentity_t *guti, nr_ue_nas_t *nas)
|
|
{
|
|
AssertFatal(guti->typeofidentity == FGS_MOBILE_IDENTITY_5G_GUTI,
|
|
"registration accept 5GS Mobile Identity is not GUTI, but %d\n",
|
|
guti->typeofidentity);
|
|
nas->guti = malloc_or_fail(sizeof(*nas->guti));
|
|
*nas->guti = *guti;
|
|
}
|
|
|
|
static void handle_registration_accept(nr_ue_nas_t *nas, const uint8_t *pdu_buffer, uint32_t msg_length)
|
|
{
|
|
registration_accept_msg msg = {0};
|
|
fgs_nas_message_security_header_t sp_header = {0};
|
|
const uint8_t *end = pdu_buffer + msg_length;
|
|
// security protected header
|
|
int decoded = decode_5gs_security_protected_header(&sp_header, pdu_buffer, msg_length);
|
|
if (!decoded) {
|
|
LOG_E(NAS, "NAS Registration Accept: failed to decode security protected header\n");
|
|
return;
|
|
}
|
|
pdu_buffer += decoded;
|
|
// plain header
|
|
fgmm_msg_header_t mm_header = {0};
|
|
if ((decoded = decode_5gmm_msg_header(&mm_header, pdu_buffer, end - pdu_buffer)) < 0) {
|
|
LOG_E(NAS, "Failed to decode NAS Registration Accept\n");
|
|
return;
|
|
}
|
|
if (mm_header.message_type != FGS_REGISTRATION_ACCEPT) {
|
|
LOG_E(NAS, "Failed to process NAS Registration Accept: wrong message type\n");
|
|
return;
|
|
}
|
|
pdu_buffer += decoded;
|
|
// plain payload
|
|
const byte_array_t ba = {.buf = (uint8_t *)pdu_buffer, .len = end - pdu_buffer};
|
|
if ((decoded = decode_registration_accept(&msg, ba)) < 0) {
|
|
LOG_E(NAS, "Failed to decode NAS Registration Accept\n");
|
|
return;
|
|
}
|
|
LOG_I(NAS,
|
|
"Received Registration Accept with result %s\n",
|
|
msg.result == FGS_REGISTRATION_RESULT_3GPP ? "3GPP"
|
|
: msg.result == FGS_REGISTRATION_RESULT_NON_3GPP ? "non-3PP"
|
|
: "3GPP and non-3GPP");
|
|
LOG_I(NAS, "SMS %s in 5GS Registration Result\n", msg.sms_allowed ? "allowed" : "not allowed");
|
|
|
|
pdu_buffer += decoded;
|
|
// process GUTI
|
|
if (msg.guti) {
|
|
process_guti(&msg.guti->guti, nas);
|
|
} else {
|
|
LOG_W(NAS, "no GUTI in registration accept\n");
|
|
}
|
|
|
|
if(nas->guti)
|
|
send_nas_5gmm_ind(nas->UE_id, nas->guti);
|
|
|
|
as_nas_info_t initialNasMsg = {0};
|
|
generateRegistrationComplete(nas, &initialNasMsg, NULL);
|
|
if (initialNasMsg.length > 0) {
|
|
send_nas_uplink_data_req(nas, &initialNasMsg);
|
|
LOG_I(NAS, "Send NAS_UPLINK_DATA_REQ message(RegistrationComplete)\n");
|
|
}
|
|
if (nas->uicc->n_pdu_sessions == 0)
|
|
LOG_W(SIM, "no PDU sessions to request configured\n");
|
|
for (const pdu_session_config_t *pdu = nas->uicc->pdu_sessions; pdu < nas->uicc->pdu_sessions + nas->uicc->n_pdu_sessions; ++pdu) {
|
|
if (get_user_nssai_idx(pdu->nssai, msg.nas_allowed_nssai) < 0) {
|
|
LOG_E(NAS,
|
|
"PDU session ID %d NSSAI %d.%d: mismatch for allowed NSSAI. Couldn't request PDU session.\n",
|
|
pdu->id,
|
|
pdu->nssai.sst,
|
|
pdu->nssai.sd);
|
|
} else {
|
|
LOG_I(NAS, "requested PDU session ID %d type %d NSSAI %d.%d DNN %s\n", pdu->id, pdu->type, pdu->nssai.sst, pdu->nssai.sd, pdu->dnn);
|
|
request_pdusession(nas, pdu);
|
|
}
|
|
}
|
|
// Free local message after processing
|
|
free_fgmm_registration_accept(&msg);
|
|
}
|
|
|
|
/* 3GPP TS 24.008 10.5.7.3 GPRS Timer */
|
|
static int process_gprs_timer(gprs_timer_t *timer)
|
|
{
|
|
if (!timer)
|
|
return -1;
|
|
|
|
int factor = 0;
|
|
switch (timer->unit) {
|
|
case TWO_SECONDS:
|
|
factor = 2;
|
|
break;
|
|
case ONE_MINUTE:
|
|
factor = 60;
|
|
break;
|
|
case DECIHOURS:
|
|
factor = 360; // 6 minutes
|
|
break;
|
|
case DEACTIVATED:
|
|
return -1;
|
|
default:
|
|
factor = 60; // default is 60 seconds
|
|
break;
|
|
}
|
|
|
|
return timer->value * factor;
|
|
}
|
|
|
|
static void handle_service_accept(nr_ue_nas_t *nas, const byte_array_t *buffer)
|
|
{
|
|
LOG_I(NAS, "Received NAS Service Accept message\n");
|
|
fgs_service_accept_msg_t msg = {0};
|
|
decode_fgs_service_accept(&msg, buffer);
|
|
// Extract timer t3448 in seconds (optional IE)
|
|
nas->t3448 = process_gprs_timer(msg.t3448);
|
|
// Extract possible reactivation errors
|
|
for (int i = 0; i < msg.num_errors; i++)
|
|
LOG_E(NAS,
|
|
"Received PDU Session %d reactivation result error cause %s\n",
|
|
msg.cause->pdu_session_id,
|
|
print_info(msg.cause->cause, cause_text_info, sizeofArray(cause_text_info)));
|
|
}
|
|
|
|
static void handle_service_reject(nr_ue_nas_t *nas, const byte_array_t *buffer)
|
|
{
|
|
fgs_service_reject_msg_t msg = {0};
|
|
decode_fgs_service_reject(&msg, buffer);
|
|
// Extract timer t3448 in seconds (optional IE)
|
|
nas->t3448 = process_gprs_timer(msg.t3448);
|
|
// Extract timer t3446 in seconds (optional IE)
|
|
nas->t3446 = process_gprs_timer(msg.t3446);
|
|
LOG_E(NAS, "Received NAS Service Reject message with cause %s\n", fgmm_cause_s[msg.cause].text);
|
|
}
|
|
|
|
void *nas_nrue(void *args_p)
|
|
{
|
|
// Wait for a message or an event
|
|
MessageDef *msg_p;
|
|
itti_receive_msg(TASK_NAS_NRUE, &msg_p);
|
|
|
|
if (msg_p != NULL) {
|
|
nr_ue_nas_t *nas = get_ue_nas_info(msg_p->ittiMsgHeader.destinationInstance);
|
|
|
|
switch (ITTI_MSG_ID(msg_p)) {
|
|
case INITIALIZE_MESSAGE:
|
|
|
|
break;
|
|
|
|
case TERMINATE_MESSAGE:
|
|
itti_exit_task();
|
|
break;
|
|
|
|
case MESSAGE_TEST:
|
|
break;
|
|
|
|
case NAS_CELL_SELECTION_CNF:
|
|
LOG_I(NAS,
|
|
"[UE %ld] Received %s: errCode %u, cellID %u, tac %u\n",
|
|
nas->UE_id,
|
|
ITTI_MSG_NAME(msg_p),
|
|
NAS_CELL_SELECTION_CNF(msg_p).errCode,
|
|
NAS_CELL_SELECTION_CNF(msg_p).cellID,
|
|
NAS_CELL_SELECTION_CNF(msg_p).tac);
|
|
break;
|
|
|
|
case NAS_CELL_SELECTION_IND:
|
|
LOG_I(NAS,
|
|
"[UE %ld] Received %s: cellID %u, tac %u\n",
|
|
nas->UE_id,
|
|
ITTI_MSG_NAME(msg_p),
|
|
NAS_CELL_SELECTION_IND(msg_p).cellID,
|
|
NAS_CELL_SELECTION_IND(msg_p).tac);
|
|
|
|
/* TODO not processed by NAS currently */
|
|
break;
|
|
|
|
case NAS_PAGING_IND:
|
|
LOG_I(NAS, "[UE %ld] Received %s: cause %u\n", nas->UE_id, ITTI_MSG_NAME(msg_p), NAS_PAGING_IND(msg_p).cause);
|
|
|
|
/* TODO not processed by NAS currently */
|
|
break;
|
|
|
|
case NAS_PDU_SESSION_REQ: {
|
|
as_nas_info_t pduEstablishMsg = {0};
|
|
nas_pdu_session_req_t *pduReq = &NAS_PDU_SESSION_REQ(msg_p);
|
|
generatePduSessionEstablishRequest(nas, &pduEstablishMsg, pduReq);
|
|
if (pduEstablishMsg.length > 0) {
|
|
send_nas_uplink_data_req(nas, &pduEstablishMsg);
|
|
LOG_I(NAS, "Send NAS_UPLINK_DATA_REQ message(PduSessionEstablishRequest)\n");
|
|
}
|
|
break;
|
|
}
|
|
|
|
case NR_NAS_CONN_ESTABLISH_IND: {
|
|
nas->fiveGMM_mode = FGS_CONNECTED;
|
|
LOG_I(NAS,
|
|
"[UE %ld] Received %s: asCause %u\n",
|
|
nas->UE_id,
|
|
ITTI_MSG_NAME(msg_p),
|
|
NR_NAS_CONN_ESTABLISH_IND(msg_p).asCause);
|
|
break;
|
|
}
|
|
|
|
case NAS_CONN_ESTABLI_CNF: {
|
|
LOG_I(NAS,
|
|
"[UE %ld] Received %s: errCode %u, length %u\n",
|
|
nas->UE_id,
|
|
ITTI_MSG_NAME(msg_p),
|
|
NAS_CONN_ESTABLI_CNF(msg_p).errCode,
|
|
NAS_CONN_ESTABLI_CNF(msg_p).nasMsg.length);
|
|
|
|
byte_array_t ba = {.buf = NAS_CONN_ESTABLI_CNF(msg_p).nasMsg.nas_data, .len = NAS_CONN_ESTABLI_CNF(msg_p).nasMsg.length};
|
|
security_state_t security_state = nas_security_rx_process(nas, ba);
|
|
if (security_state > NAS_SECURITY_INTEGRITY_PASSED) {
|
|
LOG_E(NAS, "NAS integrity failed, discard incoming message: security state is %s\n", security_state_info[security_state].text);
|
|
break;
|
|
}
|
|
|
|
fgs_nas_msg_t msg_type = get_msg_type(ba.buf, ba.len);
|
|
if (msg_type == FGS_REGISTRATION_ACCEPT) {
|
|
handle_registration_accept(nas, ba.buf, ba.len);
|
|
} else if (msg_type == FGS_PDU_SESSION_ESTABLISHMENT_ACC) {
|
|
handle_pdu_session_accept(nas, ba.buf, ba.len, nas->UE_id);
|
|
}
|
|
|
|
// Free NAS buffer memory after use (coming from RRC)
|
|
free_byte_array(ba);
|
|
break;
|
|
}
|
|
|
|
case NR_NAS_CONN_RELEASE_IND: {
|
|
LOG_I(NAS, "[UE %ld] Received %s: cause %s\n",
|
|
nas->UE_id, ITTI_MSG_NAME (msg_p), nr_release_cause_desc[NR_NAS_CONN_RELEASE_IND (msg_p).cause]);
|
|
/* In N1 mode, upon indication from lower layers that the access stratum connection has been released,
|
|
the UE shall enter 5GMM-IDLE mode and consider the N1 NAS signalling connection released (3GPP TS 24.501) */
|
|
nas->fiveGMM_mode = FGS_IDLE;
|
|
// TODO handle connection release
|
|
if (nas->termination_procedure) {
|
|
/* the following is not clean, but probably necessary: we need to give
|
|
* time to RLC to Ack the SRB1 PDU which contained the RRC release
|
|
* message. Hence, we just below wait some time, before finally
|
|
* unblocking the nr-uesoftmodem, which will terminate the process. */
|
|
usleep(100000);
|
|
itti_wait_tasks_unblock(); /* will unblock ITTI to stop nr-uesoftmodem */
|
|
}
|
|
break;
|
|
}
|
|
case NAS_UPLINK_DATA_CNF:
|
|
LOG_I(NAS,
|
|
"[UE %ld] Received %s: UEid %u, errCode %u\n",
|
|
nas->UE_id,
|
|
ITTI_MSG_NAME(msg_p),
|
|
NAS_UPLINK_DATA_CNF(msg_p).UEid,
|
|
NAS_UPLINK_DATA_CNF(msg_p).errCode);
|
|
|
|
break;
|
|
|
|
case NAS_DEREGISTRATION_REQ: {
|
|
LOG_I(NAS, "[UE %ld] Received %s\n", nas->UE_id, ITTI_MSG_NAME(msg_p));
|
|
nas_deregistration_req_t *req = &NAS_DEREGISTRATION_REQ(msg_p);
|
|
if (nas->guti) {
|
|
if (req->cause == AS_DETACH) {
|
|
nas->termination_procedure = true;
|
|
send_nas_detach_req(nas, true);
|
|
}
|
|
as_nas_info_t initialNasMsg = {0};
|
|
generateDeregistrationRequest(nas, &initialNasMsg, req);
|
|
send_nas_uplink_data_req(nas, &initialNasMsg);
|
|
} else {
|
|
LOG_W(NAS, "No GUTI, cannot trigger deregistration request.\n");
|
|
if (req->cause == AS_DETACH)
|
|
send_nas_detach_req(nas, false);
|
|
}
|
|
} break;
|
|
|
|
case NAS_DOWNLINK_DATA_IND: {
|
|
as_nas_info_t initialNasMsg = {0};
|
|
uint8_t *pdu_buffer = NAS_DOWNLINK_DATA_IND(msg_p).nasMsg.nas_data;
|
|
int pdu_length = NAS_DOWNLINK_DATA_IND(msg_p).nasMsg.length;
|
|
byte_array_t buffer = {.buf = pdu_buffer, .len = pdu_length};
|
|
security_state_t security_state = nas_security_rx_process(nas, buffer);
|
|
if (security_state > NAS_SECURITY_INTEGRITY_PASSED) {
|
|
LOG_E(NAS, "NAS integrity failed, discard incoming message\n");
|
|
break;
|
|
}
|
|
|
|
fgs_nas_msg_t msg_type = get_msg_type(pdu_buffer, pdu_length);
|
|
LOG_I(NAS,
|
|
"[UE %ld] Received %s type %s with length %u\n",
|
|
nas->UE_id,
|
|
ITTI_MSG_NAME(msg_p),
|
|
print_info(msg_type, message_text_info, sizeofArray(message_text_info)),
|
|
NAS_DOWNLINK_DATA_IND(msg_p).nasMsg.length);
|
|
|
|
switch (msg_type) {
|
|
case FGS_IDENTITY_REQUEST:
|
|
handle_identity_request(&initialNasMsg, nas, buffer);
|
|
break;
|
|
case FGS_AUTHENTICATION_REQUEST:
|
|
handle_fgmm_authentication_request(nas, &initialNasMsg, &buffer);
|
|
break;
|
|
case FGS_AUTHENTICATION_REJECT:
|
|
handle_authentication_reject(nas, &initialNasMsg, pdu_buffer, pdu_length);
|
|
break;
|
|
case FGS_SECURITY_MODE_COMMAND:
|
|
handle_security_mode_command(nas, &initialNasMsg, pdu_buffer, pdu_length);
|
|
break;
|
|
case FGS_DOWNLINK_NAS_TRANSPORT:
|
|
handleDownlinkNASTransport(nas, pdu_buffer, pdu_length, nas->UE_id);
|
|
break;
|
|
case FGS_REGISTRATION_ACCEPT:
|
|
handle_registration_accept(nas, pdu_buffer, pdu_length);
|
|
break;
|
|
case FGS_DEREGISTRATION_ACCEPT_UE_ORIGINATING:
|
|
LOG_I(NAS, "received deregistration accept\n");
|
|
/* Set NAS 5GMM state */
|
|
nas->fiveGMM_state = FGS_DEREGISTERED;
|
|
break;
|
|
case FGS_PDU_SESSION_ESTABLISHMENT_ACC:
|
|
handle_pdu_session_accept(nas, pdu_buffer, pdu_length, nas->UE_id);
|
|
break;
|
|
case FGS_PDU_SESSION_ESTABLISHMENT_REJ:
|
|
LOG_E(NAS, "Received PDU Session Establishment reject\n");
|
|
break;
|
|
case FGS_REGISTRATION_REJECT: {
|
|
|
|
if (pdu_length < 18) {
|
|
LOG_E(NAS, "Received Registration reject message too short\n");
|
|
break;
|
|
}
|
|
|
|
uint8_t cause = pdu_buffer[17];
|
|
if (cause >= sizeof(cause_text_info) / sizeof(cause_text_info[0])) {
|
|
LOG_E(NAS, "Received Registration reject cause %d unknown\n", cause);
|
|
break;
|
|
}
|
|
|
|
LOG_E(NAS, "Received Registration reject cause: %s\n", cause_text_info[cause].text);
|
|
exit(1);
|
|
break;
|
|
}
|
|
case FGS_SERVICE_ACCEPT: {
|
|
handle_service_accept(nas, &buffer);
|
|
break;
|
|
}
|
|
|
|
case FGS_SERVICE_REJECT: {
|
|
byte_array_t buffer = {.buf = pdu_buffer, .len = pdu_length};
|
|
handle_service_reject(nas, &buffer);
|
|
break;
|
|
}
|
|
|
|
default:
|
|
LOG_W(NR_RRC, "unknown message type %d\n", msg_type);
|
|
break;
|
|
}
|
|
// Free NAS buffer memory after use (coming from RRC)
|
|
free(pdu_buffer);
|
|
|
|
if (initialNasMsg.length > 0)
|
|
send_nas_uplink_data_req(nas, &initialNasMsg);
|
|
} break;
|
|
|
|
case NAS_INIT_NOS1_IF: {
|
|
const int pdu_session_id = DEFAULT_NOS1_PDU_ID;
|
|
const char *ip = "10.0.1.2";
|
|
const int qfi = 7;
|
|
const bool is_default = true;
|
|
create_ue_ip_if(ip, NULL, nas->UE_id, pdu_session_id, is_default);
|
|
set_qfi(qfi, pdu_session_id, nas->UE_id);
|
|
break;
|
|
}
|
|
|
|
default:
|
|
LOG_E(NAS, "[UE %ld] Received unexpected message %s\n", nas->UE_id, ITTI_MSG_NAME(msg_p));
|
|
break;
|
|
}
|
|
|
|
int result = itti_free(ITTI_MSG_ORIGIN_ID(msg_p), msg_p);
|
|
AssertFatal(result == EXIT_SUCCESS, "Failed to free memory (%d)!\n", result);
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
void nas_init_nrue(int num_ues) {
|
|
for (int i = 0; i < num_ues; i++) {
|
|
(void)get_ue_nas_info(i);
|
|
}
|
|
}
|