/* Osmocom Visitor Location Register (VLR) Autentication FSM */ /* (C) 2016 by Harald Welte * * All Rights Reserved * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License * along with this program. If not, see . * */ #include #include #include #include #include #include "vlr_core.h" #include "vlr_auth_fsm.h" #define S(x) (1 << (x)) static const struct value_string fsm_auth_event_names[] = { OSMO_VALUE_STRING(VLR_AUTH_E_START), OSMO_VALUE_STRING(VLR_AUTH_E_HLR_SAI_ACK), OSMO_VALUE_STRING(VLR_AUTH_E_HLR_SAI_NACK), OSMO_VALUE_STRING(VLR_AUTH_E_HLR_SAI_ABORT), OSMO_VALUE_STRING(VLR_AUTH_E_MS_AUTH_RESP), OSMO_VALUE_STRING(VLR_AUTH_E_MS_AUTH_FAIL), OSMO_VALUE_STRING(VLR_AUTH_E_MS_ID_IMSI), { 0, NULL } }; const struct value_string vlr_auth_fsm_result_names[] = { OSMO_VALUE_STRING(VLR_AUTH_RES_ABORTED), OSMO_VALUE_STRING(VLR_AUTH_RES_UNKNOWN_SUBSCR), OSMO_VALUE_STRING(VLR_AUTH_RES_PROC_ERR), OSMO_VALUE_STRING(VLR_AUTH_RES_AUTH_FAILED), OSMO_VALUE_STRING(VLR_AUTH_RES_PASSED), {0, NULL} }; /* private state of the auth_fsm_instance */ struct auth_fsm_priv { struct vlr_subscr *vsub; bool by_imsi; bool is_r99; bool is_utran; bool auth_requested; int auth_tuple_max_use_count; /* see vlr->cfg instead */ }; /*********************************************************************** * Utility functions ***********************************************************************/ /* Always use either vlr_subscr_get_auth_tuple() or vlr_subscr_has_auth_tuple() * instead, to ensure proper use count. * Return an auth tuple with the lowest use_count among the auth tuples. If * max_use_count >= 0, return NULL if all available auth tuples have a use * count > max_use_count. If max_use_count is negative, return a currently * least used auth tuple without enforcing a maximum use count. If there are * no auth tuples, return NULL. */ static struct gsm_auth_tuple * _vlr_subscr_next_auth_tuple(struct vlr_subscr *vsub, int max_use_count) { unsigned int count; unsigned int idx; struct gsm_auth_tuple *at = NULL; unsigned int key_seq = GSM_KEY_SEQ_INVAL; if (!vsub) return NULL; if (vsub->last_tuple) key_seq = vsub->last_tuple->key_seq; if (key_seq == GSM_KEY_SEQ_INVAL) /* Start with 0 after increment modulo array size */ idx = ARRAY_SIZE(vsub->auth_tuples) - 1; else idx = key_seq; for (count = ARRAY_SIZE(vsub->auth_tuples); count > 0; count--) { idx = (idx + 1) % ARRAY_SIZE(vsub->auth_tuples); if (vsub->auth_tuples[idx].key_seq == GSM_KEY_SEQ_INVAL) continue; if (!at || vsub->auth_tuples[idx].use_count < at->use_count) at = &vsub->auth_tuples[idx]; } if (!at || (max_use_count >= 0 && at->use_count > max_use_count)) return NULL; return at; } /* Return an auth tuple and increment its use count. */ static struct gsm_auth_tuple * vlr_subscr_get_auth_tuple(struct vlr_subscr *vsub, int max_use_count) { struct gsm_auth_tuple *at = _vlr_subscr_next_auth_tuple(vsub, max_use_count); if (!at) return NULL; at->use_count++; return at; } /* Return whether an auth tuple with the given max_use_count is available. */ static bool vlr_subscr_has_auth_tuple(struct vlr_subscr *vsub, int max_use_count) { return _vlr_subscr_next_auth_tuple(vsub, max_use_count) != NULL; } static bool check_auth_resp(struct vlr_subscr *vsub, bool is_r99, bool is_utran, const uint8_t *res, uint8_t res_len) { struct gsm_auth_tuple *at = vsub->last_tuple; struct osmo_auth_vector *vec = &at->vec; bool check_umts; OSMO_ASSERT(at); LOGVSUBP(LOGL_DEBUG, vsub, "received res: %s\n", osmo_hexdump(res, res_len)); /* RES must be present and at least 32bit */ if (!res || res_len < sizeof(vec->sres)) { LOGVSUBP(LOGL_NOTICE, vsub, "AUTH RES missing or too short " "(%u)\n", res_len); goto out_false; } check_umts = false; if (is_r99 && (vec->auth_types & OSMO_AUTH_TYPE_UMTS)) { check_umts = true; /* We have a R99 capable UE and have a UMTS AKA capable USIM. * However, the ME may still choose to only perform GSM AKA, as * long as the bearer is GERAN */ if (res_len != vec->res_len) { if (is_utran) { LOGVSUBP(LOGL_NOTICE, vsub, "AUTH via UTRAN but " "res_len(%u) != vec->res_len(%u)\n", res_len, vec->res_len); goto out_false; } check_umts = false; } } if (check_umts) { if (res_len != vec->res_len || memcmp(res, vec->res, res_len)) { LOGVSUBP(LOGL_INFO, vsub, "UMTS AUTH failure:" " mismatching res (expected res=%s)\n", osmo_hexdump(vec->res, vec->res_len)); goto out_false; } LOGVSUBP(LOGL_INFO, vsub, "AUTH established UMTS security" " context\n"); vsub->sec_ctx = VLR_SEC_CTX_UMTS; return true; } else { if (res_len != sizeof(vec->sres) || memcmp(res, vec->sres, sizeof(vec->sres))) { LOGVSUBP(LOGL_INFO, vsub, "GSM AUTH failure:" " mismatching sres (expected sres=%s)\n", osmo_hexdump(vec->sres, sizeof(vec->sres))); goto out_false; } LOGVSUBP(LOGL_INFO, vsub, "AUTH established GSM security" " context\n"); vsub->sec_ctx = VLR_SEC_CTX_GSM; return true; } out_false: vsub->sec_ctx = VLR_SEC_CTX_NONE; return false; } static void auth_fsm_onenter_failed(struct osmo_fsm_inst *fi, uint32_t prev_state) { struct auth_fsm_priv *afp = fi->priv; struct vlr_subscr *vsub = afp->vsub; /* If authentication hasn't even started, e.g. the HLR sent no auth * info, then we also don't need to tell the HLR about an auth failure. */ if (afp->auth_requested) vlr_subscr_tx_auth_fail_rep(vsub); } static bool is_umts_auth(struct auth_fsm_priv *afp, uint32_t auth_types) { if (!afp->is_r99) return false; if (!(auth_types & OSMO_AUTH_TYPE_UMTS)) return false; return true; } /* Terminate the Auth FSM Instance and notify parent */ static void auth_fsm_term(struct osmo_fsm_inst *fi, enum vlr_auth_fsm_result res) { struct auth_fsm_priv *afp = fi->priv; struct vlr_subscr *vsub = afp->vsub; LOGPFSM(fi, "Authentication terminating with result %s\n", vlr_auth_fsm_result_name(res)); /* Do one final state transition (mostly for logging purpose) */ if (res == VLR_AUTH_RES_PASSED) osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_AUTHENTICATED, 0, 0); else osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_AUTH_FAILED, 0, 0); /* return the result to the parent FSM */ osmo_fsm_inst_term(fi, OSMO_FSM_TERM_REGULAR, &res); vsub->auth_fsm = NULL; } /* back-end function transmitting authentication. Caller ensures we have valid * tuple */ static int _vlr_subscr_authenticate(struct osmo_fsm_inst *fi) { struct auth_fsm_priv *afp = fi->priv; struct vlr_subscr *vsub = afp->vsub; struct gsm_auth_tuple *at; /* Caller ensures we have vectors available */ at = vlr_subscr_get_auth_tuple(vsub, afp->auth_tuple_max_use_count); if (!at) { LOGPFSML(fi, LOGL_ERROR, "A previous check ensured that an" " auth tuple was available, but now there is in fact" " none.\n"); auth_fsm_term(fi, VLR_AUTH_RES_PROC_ERR); return -1; } LOGPFSM(fi, "got auth tuple: use_count=%d key_seq=%d\n", at->use_count, at->key_seq); OSMO_ASSERT(at); /* Transmit auth req to subscriber */ afp->auth_requested = true; vsub->last_tuple = at; vsub->vlr->ops.tx_auth_req(vsub->msc_conn_ref, at, is_umts_auth(afp, at->vec.auth_types)); return 0; } /*********************************************************************** * FSM State Action functions ***********************************************************************/ /* Initial State of TS 23.018 AUT_VLR */ static void auth_fsm_needs_auth(struct osmo_fsm_inst *fi, uint32_t event, void *data) { struct auth_fsm_priv *afp = fi->priv; struct vlr_subscr *vsub = afp->vsub; OSMO_ASSERT(event == VLR_AUTH_E_START); /* Start off with the default max_use_count, possibly change that if we * need to re-use an old tuple. */ afp->auth_tuple_max_use_count = vsub->vlr->cfg.auth_tuple_max_use_count; /* Check if we have vectors available */ if (!vlr_subscr_has_auth_tuple(vsub, afp->auth_tuple_max_use_count)) { /* Obtain_Authentication_Sets_VLR */ vlr_subscr_req_sai(vsub, NULL, NULL); osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_NEEDS_AUTH_WAIT_AI, GSM_29002_TIMER_M, 0); } else { /* go straight ahead with sending auth request */ osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_WAIT_RESP, vlr_timer(vsub->vlr, 3260), 3260); _vlr_subscr_authenticate(fi); } } /* Waiting for Authentication Info from HLR */ static void auth_fsm_wait_ai(struct osmo_fsm_inst *fi, uint32_t event, void *data) { struct auth_fsm_priv *afp = fi->priv; struct vlr_subscr *vsub = afp->vsub; struct osmo_gsup_message *gsup = data; if (event == VLR_AUTH_E_HLR_SAI_NACK) LOGPFSM(fi, "GSUP: rx Auth Info Error cause: %d: %s\n", gsup->cause, get_value_string(gsm48_gmm_cause_names, gsup->cause)); /* We are in what corresponds to the * Wait_For_Authentication_Sets state of TS 23.018 OAS_VLR */ if ((event == VLR_AUTH_E_HLR_SAI_ACK && !gsup->num_auth_vectors) || (event == VLR_AUTH_E_HLR_SAI_NACK && gsup->cause != GMM_CAUSE_IMSI_UNKNOWN) || (event == VLR_AUTH_E_HLR_SAI_ABORT)) { if (vsub->vlr->cfg.auth_reuse_old_sets_on_error && vlr_subscr_has_auth_tuple(vsub, -1)) { /* To re-use an old tuple, disable the max_use_count * constraint. */ afp->auth_tuple_max_use_count = -1; goto pass; } /* result = procedure error */ auth_fsm_term(fi, VLR_AUTH_RES_PROC_ERR); return; } switch (event) { case VLR_AUTH_E_HLR_SAI_ACK: vlr_subscr_update_tuples(vsub, gsup); goto pass; break; case VLR_AUTH_E_HLR_SAI_NACK: auth_fsm_term(fi, gsup->cause == GMM_CAUSE_IMSI_UNKNOWN? VLR_AUTH_RES_UNKNOWN_SUBSCR : VLR_AUTH_RES_PROC_ERR); break; } return; pass: osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_WAIT_RESP, vlr_timer(vsub->vlr, 3260), 3260); _vlr_subscr_authenticate(fi); } /* Waiting for Authentication Response from MS */ static void auth_fsm_wait_auth_resp(struct osmo_fsm_inst *fi, uint32_t event, void *data) { struct auth_fsm_priv *afp = fi->priv; struct vlr_subscr *vsub = afp->vsub; struct vlr_instance *vlr = vsub->vlr; struct vlr_auth_resp_par *par = data; int rc; switch (event) { case VLR_AUTH_E_MS_AUTH_RESP: rc = check_auth_resp(vsub, par->is_r99, par->is_utran, par->res, par->res_len); if (rc == false) { if (!afp->by_imsi) { vlr->ops.tx_id_req(vsub->msc_conn_ref, GSM_MI_TYPE_IMSI); osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_WAIT_ID_IMSI, vlr_timer(vlr, 3270), 3270); } else { auth_fsm_term(fi, VLR_AUTH_RES_AUTH_FAILED); } } else { auth_fsm_term(fi, VLR_AUTH_RES_PASSED); } break; case VLR_AUTH_E_MS_AUTH_FAIL: if (par->auts) { /* First failure, start re-sync attempt */ vlr_subscr_req_sai(vsub, par->auts, vsub->last_tuple->vec.rand); osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_NEEDS_AUTH_WAIT_SAI_RESYNC, GSM_29002_TIMER_M, 0); } else auth_fsm_term(fi, VLR_AUTH_RES_AUTH_FAILED); break; } } /* Waiting for Authentication Info from HLR (resync case) */ static void auth_fsm_wait_ai_resync(struct osmo_fsm_inst *fi, uint32_t event, void *data) { struct auth_fsm_priv *afp = fi->priv; struct vlr_subscr *vsub = afp->vsub; struct osmo_gsup_message *gsup = data; /* We are in what corresponds to the * Wait_For_Authentication_Sets state of TS 23.018 OAS_VLR */ if ((event == VLR_AUTH_E_HLR_SAI_ACK && !gsup->num_auth_vectors) || (event == VLR_AUTH_E_HLR_SAI_NACK && gsup->cause != GMM_CAUSE_IMSI_UNKNOWN) || (event == VLR_AUTH_E_HLR_SAI_ABORT)) { /* result = procedure error */ auth_fsm_term(fi, VLR_AUTH_RES_PROC_ERR); } switch (event) { case VLR_AUTH_E_HLR_SAI_ACK: vlr_subscr_update_tuples(vsub, gsup); goto pass; break; case VLR_AUTH_E_HLR_SAI_NACK: auth_fsm_term(fi, gsup->cause == GMM_CAUSE_IMSI_UNKNOWN? VLR_AUTH_RES_UNKNOWN_SUBSCR : VLR_AUTH_RES_PROC_ERR); break; } return; pass: osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_WAIT_RESP_RESYNC, vlr_timer(vsub->vlr, 3260), 3260); _vlr_subscr_authenticate(fi); } /* Waiting for AUTH RESP from MS (re-sync case) */ static void auth_fsm_wait_auth_resp_resync(struct osmo_fsm_inst *fi, uint32_t event, void *data) { struct auth_fsm_priv *afp = fi->priv; struct vlr_subscr *vsub = afp->vsub; struct vlr_auth_resp_par *par = data; struct vlr_instance *vlr = vsub->vlr; int rc; switch (event) { case VLR_AUTH_E_MS_AUTH_RESP: rc = check_auth_resp(vsub, par->is_r99, par->is_utran, par->res, par->res_len); if (rc == false) { if (!afp->by_imsi) { vlr->ops.tx_id_req(vsub->msc_conn_ref, GSM_MI_TYPE_IMSI); osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_WAIT_ID_IMSI, vlr_timer(vlr, 3270), 3270); } else { /* Result = Aborted */ auth_fsm_term(fi, VLR_AUTH_RES_ABORTED); } } else { /* Result = Pass */ auth_fsm_term(fi, VLR_AUTH_RES_PASSED); } break; case VLR_AUTH_E_MS_AUTH_FAIL: /* Second failure: Result = Fail */ auth_fsm_term(fi, VLR_AUTH_RES_AUTH_FAILED); break; } } /* AUT_VLR waiting for Obtain_IMSI_VLR result */ static void auth_fsm_wait_imsi(struct osmo_fsm_inst *fi, uint32_t event, void *data) { struct auth_fsm_priv *afp = fi->priv; struct vlr_subscr *vsub = afp->vsub; const char *mi_string = data; switch (event) { case VLR_AUTH_E_MS_ID_IMSI: if (vsub->imsi[0] && !vlr_subscr_matches_imsi(vsub, mi_string)) { LOGVSUBP(LOGL_ERROR, vsub, "IMSI in ID RESP differs:" " %s\n", mi_string); } else { strncpy(vsub->imsi, mi_string, sizeof(vsub->imsi)); vsub->imsi[sizeof(vsub->imsi)-1] = '\0'; } /* retry with identity=IMSI */ afp->by_imsi = true; osmo_fsm_inst_state_chg(fi, VLR_SUB_AS_NEEDS_AUTH, 0, 0); osmo_fsm_inst_dispatch(fi, VLR_AUTH_E_START, NULL); break; } } static const struct osmo_fsm_state auth_fsm_states[] = { [VLR_SUB_AS_NEEDS_AUTH] = { .name = OSMO_STRINGIFY(VLR_SUB_AS_NEEDS_AUTH), .in_event_mask = S(VLR_AUTH_E_START), .out_state_mask = S(VLR_SUB_AS_NEEDS_AUTH_WAIT_AI) | S(VLR_SUB_AS_WAIT_RESP), .action = auth_fsm_needs_auth, }, [VLR_SUB_AS_NEEDS_AUTH_WAIT_AI] = { .name = OSMO_STRINGIFY(VLR_SUB_AS_NEEDS_AUTH_WAIT_AI), .in_event_mask = S(VLR_AUTH_E_HLR_SAI_ACK) | S(VLR_AUTH_E_HLR_SAI_NACK), .out_state_mask = S(VLR_SUB_AS_AUTH_FAILED) | S(VLR_SUB_AS_WAIT_RESP), .action = auth_fsm_wait_ai, }, [VLR_SUB_AS_WAIT_RESP] = { .name = OSMO_STRINGIFY(VLR_SUB_AS_WAIT_RESP), .in_event_mask = S(VLR_AUTH_E_MS_AUTH_RESP) | S(VLR_AUTH_E_MS_AUTH_FAIL), .out_state_mask = S(VLR_SUB_AS_WAIT_ID_IMSI) | S(VLR_SUB_AS_AUTH_FAILED) | S(VLR_SUB_AS_AUTHENTICATED) | S(VLR_SUB_AS_NEEDS_AUTH_WAIT_SAI_RESYNC), .action = auth_fsm_wait_auth_resp, }, [VLR_SUB_AS_NEEDS_AUTH_WAIT_SAI_RESYNC] = { .name = OSMO_STRINGIFY(VLR_SUB_AS_NEEDS_AUTH_WAIT_SAI_RESYNC), .in_event_mask = S(VLR_AUTH_E_HLR_SAI_ACK) | S(VLR_AUTH_E_HLR_SAI_NACK), .out_state_mask = S(VLR_SUB_AS_AUTH_FAILED) | S(VLR_SUB_AS_WAIT_RESP_RESYNC), .action = auth_fsm_wait_ai_resync, }, [VLR_SUB_AS_WAIT_RESP_RESYNC] = { .name = OSMO_STRINGIFY(VLR_SUB_AS_WAIT_RESP_RESYNC), .in_event_mask = S(VLR_AUTH_E_MS_AUTH_RESP) | S(VLR_AUTH_E_MS_AUTH_FAIL), .out_state_mask = S(VLR_SUB_AS_AUTH_FAILED) | S(VLR_SUB_AS_AUTHENTICATED), .action = auth_fsm_wait_auth_resp_resync, }, [VLR_SUB_AS_WAIT_ID_IMSI] = { .name = OSMO_STRINGIFY(VLR_SUB_AS_WAIT_ID_IMSI), .in_event_mask = S(VLR_AUTH_E_MS_ID_IMSI), .out_state_mask = S(VLR_SUB_AS_NEEDS_AUTH), .action = auth_fsm_wait_imsi, }, [VLR_SUB_AS_AUTHENTICATED] = { .name = OSMO_STRINGIFY(VLR_SUB_AS_AUTHENTICATED), .in_event_mask = 0, .out_state_mask = 0, }, [VLR_SUB_AS_AUTH_FAILED] = { .name = OSMO_STRINGIFY(VLR_SUB_AS_AUTH_FAILED), .in_event_mask = 0, .out_state_mask = 0, .onenter = auth_fsm_onenter_failed, }, }; struct osmo_fsm vlr_auth_fsm = { .name = "VLR_Authenticate", .states = auth_fsm_states, .num_states = ARRAY_SIZE(auth_fsm_states), .allstate_event_mask = 0, .allstate_action = NULL, .log_subsys = DVLR, .event_names = fsm_auth_event_names, }; /*********************************************************************** * User API (for SGSN/MSC code) ***********************************************************************/ /* MSC->VLR: Start Procedure Authenticate_VLR (TS 23.012 Ch. 4.1.2.2) */ struct osmo_fsm_inst *auth_fsm_start(struct vlr_subscr *vsub, uint32_t log_level, struct osmo_fsm_inst *parent, uint32_t parent_term_event, bool is_r99, bool is_utran) { struct osmo_fsm_inst *fi; struct auth_fsm_priv *afp; fi = osmo_fsm_inst_alloc_child(&vlr_auth_fsm, parent, parent_term_event); afp = talloc_zero(fi, struct auth_fsm_priv); if (!afp) { osmo_fsm_inst_dispatch(parent, parent_term_event, 0); return NULL; } afp->vsub = vsub; if (vsub->imsi[0]) afp->by_imsi = true; afp->is_r99 = is_r99; afp->is_utran = is_utran; fi->priv = afp; vsub->auth_fsm = fi; osmo_fsm_inst_dispatch(fi, VLR_AUTH_E_START, NULL); return fi; }