/* Osmocom MSC+VLR end-to-end tests */

/* (C) 2017 by sysmocom s.f.m.c. GmbH <info@sysmocom.de>
 *
 * All Rights Reserved
 *
 * Author: Neels Hofmeyr <nhofmeyr@sysmocom.de>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */
23
24#include "msc_vlr_tests.h"
25
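/**
 * End-to-end UMTS AKA scenario for a single subscriber, received via @via_ran.
 *
 * With net->authentication_required set, the test walks through three
 * transactions -- a Location Update, a CM Service Request carrying a USSD
 * request, and a paged SMS delivery -- and expects each of them to be gated
 * by an Authentication Request. The expected RAND/AUTN are set from the
 * first, second and third of the five vectors the simulated HLR delivers, so
 * a vector that is reused across transactions fails the test (the comparison
 * itself happens in helpers that are not part of this file).
 *
 * All messages are hex strings handed to the harness helpers declared in
 * msc_vlr_tests.h; results are observed through the harness globals
 * (lu_result_sent, auth_request_sent, cm_service_result_sent, ...).
 *
 * @param via_ran  RAN type the MS messages are injected from (stored in
 *                 rx_from_ran).
 */
void _test_umts_authen(enum ran_type via_ran)
{
	struct vlr_subscr *vsub;
	const char *imsi = "901700000010650";

	net->authentication_required = true;
	rx_from_ran = via_ran;

	btw("Location Update request causes a GSUP Send Auth Info request to HLR");
	lu_result_sent = RES_NONE;
	gsup_expect_tx("080108" "09710000000156f0");
	ms_sends_msg("0508" /* MM LU */
		     "7" /* ciph key seq: no key available */
		     "0" /* LU type: normal */
		     "ffffff" "0000" /* LAI, LAC */
		     "57" /* classmark 1: R99, early classmark, no power lvl */
		     "089910070000106005" /* IMSI */
		     "3303575886" /* classmark 2 */
		     );
	OSMO_ASSERT(gsup_tx_confirmed);
	/* No LU result may go out before the subscriber has authenticated. */
	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");

	btw("from HLR, rx _SEND_AUTH_INFO_RESULT; VLR sends Auth Req to MS");
	/* Fixture values the vectors below were generated from (auc_3g):
	 * K   = 'EB215756028D60E3275E613320AEC880',
	 * OPC = 'FB2A3D1B360F599ABAB99DB8669F8308'
	 * SQN = 0
	 */
	auth_request_sent = false;
	/* Expect the first vector's RAND and AUTN in the Auth Request. */
	auth_request_expect_rand = "39fa2f4e3d523d8619a73b4f65c3e14d";
	auth_request_expect_autn = "8704f5ba55f30000d2ee44b22c8ea919";
	gsup_rx("0a"
		/* imsi */
		"0108" "09710000000156f0"
		/* 5 auth vectors... */
		/* TL    TL     rand */
		"0362"  "2010" "39fa2f4e3d523d8619a73b4f65c3e14d"
		/*       TL     sres       TL     kc */
			"2104" "9b36efdf" "2208" "059a4f668f6fbe39"
		/*       TL     3G IK */
			"2310" "27497388b6cb044648f396aa155b95ef"
		/*       TL     3G CK */
			"2410" "f64735036e5871319c679f4742a75ea1"
		/*       TL     AUTN */
			"2510" "8704f5ba55f30000d2ee44b22c8ea919"
		/*       TL     RES */
			"2708" "e229c19e791f2e41"
		/* TL    TL     rand */
		"0362"  "2010" "c187a53a5e6b9d573cac7c74451fd46d"
			"2104" "85aa3130" "2208" "d3d50a000bf04f6e"
			"2310" "1159ec926a50e98c034a6b7d7c9f418d"
			"2410" "df3a03d9ca5335641efc8e36d76cd20b"
			"2510" "1843a645b98d00005b2d666af46c45d9"
			"2708" "7db47cf7f81e4dc7"
		"0362"  "2010" "efa9c29a9742148d5c9070348716e1bb"
			"2104" "69d5f9fb" "2208" "3df176f0c29f1a3d"
			"2310" "eb50e770ddcc3060101d2f43b6c2b884"
			"2410" "76542abce5ff9345b0e8947f4c6e019c"
			"2510" "f9375e6d41e1000096e7fe4ff1c27e39"
			"2708" "706f996719ba609c"
		"0362"  "2010" "f023d5a3b24726e0631b64b3840f8253"
			"2104" "d570c03f" "2208" "ec011be8919883d6"
			"2310" "c4e58af4ba43f3bcd904e16984f086d7"
			"2410" "0593f65e752e5cb7f473862bda05aa0a"
			"2510" "541ff1f077270000c5ea00d658bc7e9a"
			"2708" "3fd26072eaa2a04d"
		"0362"  "2010" "2f8f90c780d6a9c0c53da7ac57b6707e"
			/* sres and kc split like the other vectors; the
			 * concatenated string is unchanged */
			"2104" "b072446f" "2208" "23f39f9f425ad6e6"
			"2310" "65af0527fda95b0dc5ae4aa515cdf32f"
			"2410" "537c3b35a3b13b08d08eeb28098f45cc"
			"2510" "4bf4e564f75300009bc796706bc65744"
			"2708" "0edb0eadbea94ac2",
		NULL);
	VERBOSE_ASSERT(auth_request_sent, == true, "%d");
	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");

	btw("MS sends Authen Response, VLR accepts and sends GSUP LU Req to HLR");
	gsup_expect_tx("04010809710000000156f0");
	/* The response carries the first vector's 8-octet RES (IE 2708 above),
	 * not its 4-octet sres: four octets, then IE 21 / length 04 with the
	 * remaining four. */
	ms_sends_msg("0554" "e229c19e" "2104" "791f2e41");
	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");

	btw("HLR sends _INSERT_DATA_REQUEST, VLR responds with _INSERT_DATA_RESULT");
	gsup_rx("10010809710000000156f00804032443f2",
		"12010809710000000156f0");
	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");

	btw("HLR also sends GSUP _UPDATE_LOCATION_RESULT");
	gsup_rx("06010809710000000156f0", NULL);

	btw("LU was successful, and the conn has already been closed");
	VERBOSE_ASSERT(lu_result_sent, == RES_ACCEPT, "%d");
	EXPECT_CONN_COUNT(0);

	BTW("after a while, a new conn sends a CM Service Request. VLR responds with Auth Req, 2nd auth vector");
	auth_request_sent = false;
	/* A new transaction must be challenged with the next unused vector. */
	auth_request_expect_rand = "c187a53a5e6b9d573cac7c74451fd46d";
	auth_request_expect_autn = "1843a645b98d00005b2d666af46c45d9";
	cm_service_result_sent = RES_NONE;
	ms_sends_msg("052478"
		     "03575886" /* classmark 2 */
		     "089910070000106005" /* IMSI */);
	OSMO_ASSERT(g_conn);
	OSMO_ASSERT(g_conn->conn_fsm);
	OSMO_ASSERT(g_conn->vsub);
	VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");
	VERBOSE_ASSERT(auth_request_sent, == true, "%d");

	btw("needs auth, not yet accepted");
	EXPECT_ACCEPTED(false);
	/* Helper not shown here; by its name it checks that non-initial
	 * requests are refused while authentication is still pending. */
	thwart_rx_non_initial_requests();

	btw("MS sends Authen Response, VLR accepts with a CM Service Accept");
	gsup_expect_tx(NULL);
	ms_sends_msg("0554" "7db47cf7" "2104" "f81e4dc7"); /* 2nd vector's res, s.a. */
	VERBOSE_ASSERT(cm_service_result_sent, == RES_ACCEPT, "%d");

	btw("a USSD request is serviced");
	dtap_expect_tx_ussd("Your extension is 42342\r");
	ms_sends_msg("0b3b1c15a11302010002013b300b04010f0406aa510c061b017f0100");
	OSMO_ASSERT(dtap_tx_confirmed);

	btw("all requests serviced, conn has been released");
	EXPECT_CONN_COUNT(0);

	BTW("an SMS is sent, MS is paged");
	paging_expect_imsi(imsi);
	paging_sent = false;
	vsub = vlr_subscr_find_by_imsi(net->vlr, imsi);
	OSMO_ASSERT(vsub);
	VERBOSE_ASSERT(llist_count(&vsub->cs.requests), == 0, "%d");

	send_sms(vsub, vsub,
		 "Privacy in residential applications is a desirable"
		 " marketing option.");

	VERBOSE_ASSERT(llist_count(&vsub->cs.requests), == 1, "%d");
	vlr_subscr_put(vsub);
	vsub = NULL;
	VERBOSE_ASSERT(paging_sent, == true, "%d");
	VERBOSE_ASSERT(paging_stopped, == false, "%d");

	btw("the subscriber and its pending request should remain");
	vsub = vlr_subscr_find_by_imsi(net->vlr, imsi);
	OSMO_ASSERT(vsub);
	VERBOSE_ASSERT(llist_count(&vsub->cs.requests), == 1, "%d");
	vlr_subscr_put(vsub);
	/* Reference handed back: clear the pointer, as done after the first
	 * vlr_subscr_put() above, so no stale pointer stays in scope. */
	vsub = NULL;

	btw("MS replies with Paging Response, and VLR sends Auth Request with third key");
	auth_request_sent = false;
	auth_request_expect_rand = "efa9c29a9742148d5c9070348716e1bb";
	auth_request_expect_autn = "f9375e6d41e1000096e7fe4ff1c27e39";
	ms_sends_msg("062707"
		     "03575886" /* classmark 2 */
		     "089910070000106005" /* IMSI */);
	VERBOSE_ASSERT(auth_request_sent, == true, "%d");

	btw("needs auth, not yet accepted");
	EXPECT_ACCEPTED(false);
	thwart_rx_non_initial_requests();

	btw("MS sends Authen Response, VLR accepts and sends pending SMS");
	dtap_expect_tx("09" /* SMS messages */
		       "01" /* CP-DATA */
		       "58" /* length */
		       "01" /* Network to MS */
		       "00" /* reference */
		       /* originator (gsm411_send_sms() hardcodes this weird nr) */
		       "0791" "447758100650" /* 447785016005 */
		       "00" /* dest */
		       /* SMS TPDU */
		       "4c" /* len */
		       "00" /* SMS deliver */
		       "05802443f2" /* originating address 42342 */
		       "00" /* TP-PID */
		       "00" /* GSM default alphabet */
		       "071010" /* Y-M-D (from wrapped gsm340_gen_scts())*/
		       "000000" /* H-M-S */
		       "00" /* GMT+0 */
		       "44" /* data length */
		       "5079da1e1ee7416937485e9ea7c965373d1d6683c270383b3d0e"
		       "d3d36ff71c949e83c22072799e9687c5ec32a81d96afcbf4b4fb"
		       "0c7ac3e9e9b7db05");
	ms_sends_msg("0554" "706f9967" "2104" "19ba609c"); /* 3rd vector's res, s.a. */
	VERBOSE_ASSERT(dtap_tx_confirmed, == true, "%d");
	VERBOSE_ASSERT(paging_stopped, == true, "%d");

	btw("SMS was delivered, no requests pending for subscr");
	vsub = vlr_subscr_find_by_imsi(net->vlr, imsi);
	OSMO_ASSERT(vsub);
	VERBOSE_ASSERT(llist_count(&vsub->cs.requests), == 0, "%d");
	vlr_subscr_put(vsub);
	vsub = NULL;

	btw("conn is still open to wait for SMS ack dance");
	EXPECT_CONN_COUNT(1);

	btw("MS replies with CP-ACK for received SMS");
	ms_sends_msg("8904");
	EXPECT_CONN_COUNT(1);

	btw("MS also sends RP-ACK, MSC in turn sends CP-ACK for that");
	dtap_expect_tx("0904");
	ms_sends_msg("890106020041020000");
	VERBOSE_ASSERT(dtap_tx_confirmed, == true, "%d");

	btw("SMS is done, conn is gone");
	EXPECT_CONN_COUNT(0);

	BTW("subscriber detaches");
	ms_sends_msg("050130"
		     "089910070000106005" /* IMSI */);

	EXPECT_CONN_COUNT(0);
	clear_vlr();
}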
240
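/**
 * Test case: run the UMTS AKA scenario (_test_umts_authen) with the MS
 * messages arriving via RAN_GERAN_A.
 *
 * The run is bracketed by comment_start()/comment_end() from the test
 * harness. Declared with (void) so the definition is a full prototype.
 */
void test_umts_authen_geran(void)
{
	comment_start();
	_test_umts_authen(RAN_GERAN_A);
	comment_end();
}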
247
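/**
 * Test case: run the UMTS AKA scenario (_test_umts_authen) with the MS
 * messages arriving via RAN_UTRAN_IU.
 *
 * The run is bracketed by comment_start()/comment_end() from the test
 * harness. Declared with (void) so the definition is a full prototype.
 */
void test_umts_authen_utran(void)
{
	comment_start();
	_test_umts_authen(RAN_UTRAN_IU);
	comment_end();
}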
254
/* Debug switch, off by default. When set to 1, _test_umts_authen_resync()
 * also recomputes AK, AK* and MAC-S from the fixture K/OPC/RAND and prints
 * them via btw(), so the hard-coded AUTS can be re-derived by hand. */
#define RECALC_AUTS 0

#if RECALC_AUTS
/* Milenage primitives, declared by hand for the debug code only; where they
 * are defined is not visible from this file. */
typedef uint8_t u8;

extern int milenage_f2345(const u8 *opc,
			  const u8 *k,
			  const u8 *_rand,
			  u8 *res,
			  u8 *ck,
			  u8 *ik,
			  u8 *ak,
			  u8 *akstar);

extern int milenage_f1(const u8 *opc,
		       const u8 *k,
		       const u8 *_rand,
		       const u8 *sqn,
		       const u8 *amf,
		       u8 *mac_a,
		       u8 *mac_s);
#endif
264
/**
 * UMTS AKA sequence-number resynchronisation scenario, received via @via_ran.
 *
 * A Location Update is challenged with a vector generated at SQN = 0. The MS
 * answers with an Authentication Failure (cause Synch Failure) carrying an
 * AUTS. The test then expects:
 *  - a new GSUP Send Auth Info Request that carries that AUTS together with
 *    the RAND of the rejected challenge,
 *  - no further Auth Request towards the MS and no LU result until the HLR
 *    has answered,
 *  - an Auth Request built from the first of the freshly delivered vectors,
 *    after which the LU completes as usual.
 *
 * @param via_ran  RAN type the MS messages are injected from (stored in
 *                 rx_from_ran).
 */
void _test_umts_authen_resync(enum ran_type via_ran)
{
	net->authentication_required = true;
	rx_from_ran = via_ran;

	btw("Location Update request causes a GSUP Send Auth Info request to HLR");
	lu_result_sent = RES_NONE;
	gsup_expect_tx("080108" "09710000000156f0");
	ms_sends_msg(
		"0508"			/* MM LU */
		"7"			/* ciph key seq: no key available */
		"0"			/* LU type: normal */
		"ffffff" "0000"		/* LAI, LAC */
		"57"			/* classmark 1: R99, early classmark, no power lvl */
		"089910070000106005"	/* IMSI */
		"3303575886"		/* classmark 2 */
	);
	OSMO_ASSERT(gsup_tx_confirmed);
	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");

	btw("from HLR, rx _SEND_AUTH_INFO_RESULT; VLR sends Auth Req to MS");
	/* Vector generated from the auc_3g fixture:
	 *   K   = 'EB215756028D60E3275E613320AEC880'
	 *   OPC = 'FB2A3D1B360F599ABAB99DB8669F8308'
	 *   SQN = 0
	 */
	auth_request_sent = false;
	auth_request_expect_rand = "39fa2f4e3d523d8619a73b4f65c3e14d";
	auth_request_expect_autn = "8704f5ba55f30000d2ee44b22c8ea919";
	gsup_rx("0a"
		"0108" "09710000000156f0"				/* IMSI */
		/* a single auth vector: outer TL, then the inner TLVs */
		"0362"
		"2010" "39fa2f4e3d523d8619a73b4f65c3e14d"		/* rand */
		"2104" "9b36efdf" "2208" "059a4f668f6fbe39"		/* sres, kc */
		"2310" "27497388b6cb044648f396aa155b95ef"		/* 3G IK */
		"2410" "f64735036e5871319c679f4742a75ea1"		/* 3G CK */
		"2510" "8704f5ba55f30000d2ee44b22c8ea919"		/* AUTN */
		"2708" "e229c19e791f2e41"				/* RES */
		,NULL);
	VERBOSE_ASSERT(auth_request_sent, == true, "%d");
	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");

	/* How the AUTS used below was derived.
	 *
	 * The AUTN sent was 8704f5ba55f30000d2ee44b22c8ea919 (see expected
	 * error output); its first 6 bytes are SQN ^ AK.
	 *   K    = EB215756028D60E3275E613320AEC880
	 *   OPC  = FB2A3D1B360F599ABAB99DB8669F8308
	 *   RAND = 39fa2f4e3d523d8619a73b4f65c3e14d
	 *   --milenage-f5-->
	 *   AK   = 8704f5ba55f3
	 *
	 * Those first six bytes are 8704f5ba55f3, and
	 * 8704f5ba55f3 ^ AK = 0, hence SQN = 0.
	 *
	 * Assume the USIM rejects that because it is already at SQN 23:
	 *   SQN_MS = 000000000017
	 *
	 *   AUTS         = Conc(SQN_MS) || MAC-S
	 *   Conc(SQN_MS) = SQN_MS ⊕ f5*[K](RAND)
	 *   MAC-S        = f1*[K] (SQN MS || RAND || AMF)
	 *
	 *   f5*--> Conc(SQN_MS) = 000000000017 ^ 979498b1f73a
	 *                       = 979498b1f72d
	 *   AMF = 0000 (TS 33.102 v7.0.0, 6.3.3)
	 *
	 *   MAC-S = f1*[K] (000000000017 || 39fa2f4e3d523d8619a73b4f65c3e14d || 0000)
	 *         = 3e28c59fa2e72f9c
	 *
	 *   AUTS = 979498b1f72d || 3e28c59fa2e72f9c
	 */
#if RECALC_AUTS
	/* Debug aid only: recompute and print the intermediate values. */
	uint8_t key[16];
	uint8_t op_c[16];
	uint8_t challenge[16];
	uint8_t ak[6];
	uint8_t akstar[6];
	osmo_hexparse("EB215756028D60E3275E613320AEC880", key, sizeof(key));
	osmo_hexparse("FB2A3D1B360F599ABAB99DB8669F8308", op_c, sizeof(op_c));
	osmo_hexparse("39fa2f4e3d523d8619a73b4f65c3e14d", challenge, sizeof(challenge));
	milenage_f2345(op_c, key, challenge, NULL, NULL, NULL, ak, akstar);
	btw("ak = %s", osmo_hexdump_nospc(ak, sizeof(ak)));
	btw("akstar = %s", osmo_hexdump_nospc(akstar, sizeof(akstar)));

	uint8_t sqn_ms[6] = { 0, 0, 0, 0, 0, 23 };
	uint8_t amf[2] = { 0 };
	uint8_t mac_s[8];
	milenage_f1(op_c, key, challenge, sqn_ms, amf, NULL, mac_s);
	btw("mac_s = %s", osmo_hexdump_nospc(mac_s, sizeof(mac_s)));
	/* verify valid AUTS resulting in SQN 23 with:
	   osmo-auc-gen -3 -a milenage -k EB215756028D60E3275E613320AEC880 \
		   -o FB2A3D1B360F599ABAB99DB8669F8308 \
		   -r 39fa2f4e3d523d8619a73b4f65c3e14d \
		   -A 979498b1f72d3e28c59fa2e72f9c
	 */
#endif

	btw("MS sends Authen Failure with Resync cause, VLR sends GSUP to HLR to resync");
	auth_request_sent = false;
	/* The resync request must carry the AUTS from the MS and the RAND of
	 * the challenge that was rejected. */
	gsup_expect_tx(
		"08"						/* OSMO_GSUP_MSGT_SEND_AUTH_INFO_REQUEST */
		"0108" "09710000000156f0"			/* IMSI */
		"260e" "979498b1f72d3e28c59fa2e72f9c"		/* AUTS */
		"2010" "39fa2f4e3d523d8619a73b4f65c3e14d"	/* RAND */);
	ms_sends_msg(
		"051c"						/* 05 = MM; 1c = Auth Failure */
		"15"						/* cause = Synch Failure */
		"220e" "979498b1f72d3e28c59fa2e72f9c"		/* AUTS */);
	VERBOSE_ASSERT(gsup_tx_confirmed, == true, "%d");
	/* While the HLR has not answered: no new challenge, no LU result. */
	VERBOSE_ASSERT(auth_request_sent, == false, "%d");
	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");

	btw("HLR replies with new tuples");
	auth_request_sent = false;
	auth_request_expect_rand = "0f1feb1623e1bf626334e37ec448ac18";
	auth_request_expect_autn = "02a83f62e9470000660d51afc75f169d";
	gsup_rx("0a"
		"0108" "09710000000156f0"				/* IMSI */
		/* first vector: the one expected in the next Auth Request */
		"0362"
		"2010" "0f1feb1623e1bf626334e37ec448ac18"		/* rand */
		"2104" "efde99da" "2208" "14778c855c523730"		/* sres, kc */
		"2310" "8a90c769b7272f3bb7a1c1fbb1ea9349"		/* 3G IK */
		"2410" "43ffc1cf8c89a7fd6ab94bd8d6162cbf"		/* 3G CK */
		"2510" "02a83f62e9470000660d51afc75f169d"		/* AUTN */
		"2708" "1df5f0b4f22b696e"				/* RES */
		/* second vector: delivered, not consumed by this test */
		"0362"
		"2010" "ac21d34937b4e1142a2c757af2949319"		/* rand */
		"2104" "7818bfdc" "2208" "d175571f41f314a4"		/* sres, kc */
		"2310" "ff8edbceb6dd24799c77c3b9a6790c10"		/* 3G IK */
		"2410" "157c39022ca9d885a7f0766a7dfee448"		/* 3G CK */
		"2510" "8a43b91898e500002cf354c6f5d1f8c3"		/* AUTN */
		"2708" "f748a7078f5018db"				/* RES */
		,NULL);

	VERBOSE_ASSERT(auth_request_sent, == true, "%d");
	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");

	btw("MS sends Authen Response, VLR accepts and sends GSUP LU Req to HLR");
	gsup_expect_tx("04010809710000000156f0");
	/* RES of the first new vector, split as four octets + IE 21/04. */
	ms_sends_msg("0554" "1df5f0b4" "2104" "f22b696e");
	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");

	btw("HLR sends _INSERT_DATA_REQUEST, VLR responds with _INSERT_DATA_RESULT");
	gsup_rx("10010809710000000156f00804032443f2",
		"12010809710000000156f0");
	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");

	btw("HLR also sends GSUP _UPDATE_LOCATION_RESULT");
	gsup_rx("06010809710000000156f0", NULL);

	btw("LU was successful, and the conn has already been closed");
	VERBOSE_ASSERT(lu_result_sent, == RES_ACCEPT, "%d");
	EXPECT_CONN_COUNT(0);

	clear_vlr();
}
437
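/**
 * Test case: run the AUTS resynchronisation scenario
 * (_test_umts_authen_resync) with the MS messages arriving via RAN_GERAN_A.
 *
 * The run is bracketed by comment_start()/comment_end() from the test
 * harness. Declared with (void) so the definition is a full prototype.
 */
void test_umts_authen_resync_geran(void)
{
	comment_start();
	_test_umts_authen_resync(RAN_GERAN_A);
	comment_end();
}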
444
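/**
 * Test case: run the AUTS resynchronisation scenario
 * (_test_umts_authen_resync) with the MS messages arriving via RAN_UTRAN_IU.
 *
 * The run is bracketed by comment_start()/comment_end() from the test
 * harness. Declared with (void) so the definition is a full prototype.
 */
void test_umts_authen_resync_utran(void)
{
	comment_start();
	_test_umts_authen_resync(RAN_UTRAN_IU);
	comment_end();
}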
451
/* NULL-terminated table of the test cases defined in this file.
 * NOTE(review): presumably walked by the shared runner behind
 * msc_vlr_tests.h, which is not visible here -- confirm. */
msc_vlr_test_func_t msc_vlr_tests[] = {
	/* plain UMTS AKA, once per RAN type */
	test_umts_authen_geran,
	test_umts_authen_utran,

	/* AKA with AUTS resynchronisation, once per RAN type */
	test_umts_authen_resync_geran,
	test_umts_authen_resync_utran,

	NULL	/* end-of-list marker */
};