From 044fbe6568f82a12bf4e3addc7e3d6db529b6548 Mon Sep 17 00:00:00 2001 From: Vadim Yanitskiy Date: Wed, 16 Mar 2016 21:14:03 +0600 Subject: move to hex TMSI representation In OpenBSC, we traditionally displayed a TMSI in its integer representation, which is quite unusual in the telecom world. A TMSI is normally printed as a series of 8 hex digits. This patch aligns OpenBSC with the telecom industry standard. Signed-off-by: Vadim Yanitskiy --- openbsc/tests/db/db_test.c | 4 ++-- openbsc/tests/gsm0408/gsm0408_test.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'openbsc/tests') diff --git a/openbsc/tests/db/db_test.c b/openbsc/tests/db/db_test.c index a02d1f801..faea82055 100644 --- a/openbsc/tests/db/db_test.c +++ b/openbsc/tests/db/db_test.c @@ -200,7 +200,7 @@ int main() alice->lac=42; db_sync_subscriber(alice); /* Get by TMSI */ - snprintf(scratch_str, sizeof(scratch_str), "%"PRIu32, alice->tmsi); + snprintf(scratch_str, sizeof(scratch_str), "0x%08x", alice->tmsi); alice_db = db_get_subscriber(GSM_SUBSCRIBER_TMSI, scratch_str); COMPARE(alice, alice_db); SUBSCR_PUT(alice_db); @@ -227,7 +227,7 @@ int main() db_subscriber_assoc_imei(alice, "1234567890"); db_subscriber_assoc_imei(alice, "6543560920"); /* Get by TMSI */ - snprintf(scratch_str, sizeof(scratch_str), "%"PRIu32, alice->tmsi); + snprintf(scratch_str, sizeof(scratch_str), "0x%08x", alice->tmsi); alice_db = db_get_subscriber(GSM_SUBSCRIBER_TMSI, scratch_str); COMPARE(alice, alice_db); SUBSCR_PUT(alice_db); diff --git a/openbsc/tests/gsm0408/gsm0408_test.c b/openbsc/tests/gsm0408/gsm0408_test.c index 781ef6147..8ed57ca17 100644 --- a/openbsc/tests/gsm0408/gsm0408_test.c +++ b/openbsc/tests/gsm0408/gsm0408_test.c @@ -93,7 +93,7 @@ static void test_mi_functionality(void) /* tmsi code */ mi_len = gsm48_generate_mid_from_tmsi(mi, tmsi); gsm48_mi_to_string(mi_parsed, sizeof(mi_parsed), mi + 2, mi_len - 2); - COMPARE((uint32_t)strtoul(mi_parsed, NULL, 10), ==, tmsi); + COMPARE((uint32_t)tmsi_from_string(mi_parsed), ==, tmsi); /* imsi code */ mi_len = gsm48_generate_mid_from_imsi(mi, imsi_odd); -- cgit v1.2.3 From 3ad0346f00c4d135f7d4d15017ce2941e13e2c54 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Thu, 17 Mar 2016 14:41:26 +0100 Subject: Revert "move to hex TMSI representation" This reverts commit 044fbe6568f82a12bf4e3addc7e3d6db529b6548. --- openbsc/tests/db/db_test.c | 4 ++-- openbsc/tests/gsm0408/gsm0408_test.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'openbsc/tests') diff --git a/openbsc/tests/db/db_test.c b/openbsc/tests/db/db_test.c index faea82055..a02d1f801 100644 --- a/openbsc/tests/db/db_test.c +++ b/openbsc/tests/db/db_test.c @@ -200,7 +200,7 @@ int main() alice->lac=42; db_sync_subscriber(alice); /* Get by TMSI */ - snprintf(scratch_str, sizeof(scratch_str), "0x%08x", alice->tmsi); + snprintf(scratch_str, sizeof(scratch_str), "%"PRIu32, alice->tmsi); alice_db = db_get_subscriber(GSM_SUBSCRIBER_TMSI, scratch_str); COMPARE(alice, alice_db); SUBSCR_PUT(alice_db); @@ -227,7 +227,7 @@ int main() db_subscriber_assoc_imei(alice, "1234567890"); db_subscriber_assoc_imei(alice, "6543560920"); /* Get by TMSI */ - snprintf(scratch_str, sizeof(scratch_str), "0x%08x", alice->tmsi); + snprintf(scratch_str, sizeof(scratch_str), "%"PRIu32, alice->tmsi); alice_db = db_get_subscriber(GSM_SUBSCRIBER_TMSI, scratch_str); COMPARE(alice, alice_db); SUBSCR_PUT(alice_db); diff --git a/openbsc/tests/gsm0408/gsm0408_test.c b/openbsc/tests/gsm0408/gsm0408_test.c index 8ed57ca17..781ef6147 100644 --- a/openbsc/tests/gsm0408/gsm0408_test.c +++ b/openbsc/tests/gsm0408/gsm0408_test.c @@ -93,7 +93,7 @@ static void test_mi_functionality(void) /* tmsi code */ mi_len = gsm48_generate_mid_from_tmsi(mi, tmsi); gsm48_mi_to_string(mi_parsed, sizeof(mi_parsed), mi + 2, mi_len - 2); - COMPARE((uint32_t)tmsi_from_string(mi_parsed), ==, tmsi); + COMPARE((uint32_t)strtoul(mi_parsed, NULL, 10), ==, tmsi); /* imsi code */ mi_len = gsm48_generate_mid_from_imsi(mi, imsi_odd); -- cgit v1.2.3 From 37984bdb1b507446421e5aa6131ccdf117dd269f Mon Sep 17 00:00:00 2001 From: Neels Hofmeyr Date: Wed, 30 Mar 2016 11:22:24 +0200 Subject: Add MM Auth test; add auth_action_str() function Add basic MM Authentication test setup, with fake DB access and RAND_bytes(). So far implement simple tests for IO error during DB access and missing auth entry. To print the auth action during tests, add struct auth_action_names and auth_action_str() inline function in auth.[hc]. --- openbsc/tests/Makefile.am | 2 +- openbsc/tests/mm_auth/Makefile.am | 21 ++++++ openbsc/tests/mm_auth/mm_auth_test.c | 119 ++++++++++++++++++++++++++++++++++ openbsc/tests/mm_auth/mm_auth_test.ok | 8 +++ openbsc/tests/testsuite.at | 7 ++ 5 files changed, 156 insertions(+), 1 deletion(-) create mode 100644 openbsc/tests/mm_auth/Makefile.am create mode 100644 openbsc/tests/mm_auth/mm_auth_test.c create mode 100644 openbsc/tests/mm_auth/mm_auth_test.ok (limited to 'openbsc/tests') diff --git a/openbsc/tests/Makefile.am b/openbsc/tests/Makefile.am index 04b8e345f..09298a35c 100644 --- a/openbsc/tests/Makefile.am +++ b/openbsc/tests/Makefile.am @@ -1,4 +1,4 @@ -SUBDIRS = gsm0408 db channel mgcp gprs abis gbproxy trau subscr +SUBDIRS = gsm0408 db channel mgcp gprs abis gbproxy trau subscr mm_auth if BUILD_NAT SUBDIRS += bsc-nat bsc-nat-trie diff --git a/openbsc/tests/mm_auth/Makefile.am b/openbsc/tests/mm_auth/Makefile.am new file mode 100644 index 000000000..516df0007 --- /dev/null +++ b/openbsc/tests/mm_auth/Makefile.am @@ -0,0 +1,21 @@ +AM_CPPFLAGS = $(all_includes) -I$(top_srcdir)/include +AM_CFLAGS=-Wall \ + $(LIBOSMOCORE_CFLAGS) \ + $(LIBOSMOGSM_CFLAGS) \ + $(LIBCRYPTO_CFLAGS) + +noinst_PROGRAMS = mm_auth_test + +EXTRA_DIST = mm_auth_test.ok + +mm_auth_test_SOURCES = mm_auth_test.c + +mm_auth_test_LDFLAGS = \ + -Wl,--wrap=db_get_authinfo_for_subscr \ + -Wl,--wrap=db_get_lastauthtuple_for_subscr \ + -Wl,--wrap=db_sync_lastauthtuple_for_subscr + +mm_auth_test_LDADD = $(top_builddir)/src/libmsc/libmsc.a \ + $(top_builddir)/src/libcommon/libcommon.a \ + $(LIBOSMOCORE_LIBS) \ + $(LIBOSMOGSM_LIBS) diff --git a/openbsc/tests/mm_auth/mm_auth_test.c b/openbsc/tests/mm_auth/mm_auth_test.c new file mode 100644 index 000000000..d8e44758c --- /dev/null +++ b/openbsc/tests/mm_auth/mm_auth_test.c @@ -0,0 +1,119 @@ +#include + +#include +#include + +#include +#include +#include +#include + +/* override, requires '-Wl,--wrap=db_get_authinfo_for_subscr' */ +int __real_db_get_authinfo_for_subscr(struct gsm_auth_info *ainfo, + struct gsm_subscriber *subscr); + +int test_get_authinfo_rc = 0; +struct gsm_auth_info test_auth_info = {0}; +struct gsm_auth_info default_auth_info = { + .auth_algo = AUTH_ALGO_COMP128v1, + .a3a8_ki_len = 16, + .a3a8_ki = { 0 } +}; + +int __wrap_db_get_authinfo_for_subscr(struct gsm_auth_info *ainfo, + struct gsm_subscriber *subscr) +{ + *ainfo = test_auth_info; + printf("wrapped: db_get_authinfo_for_subscr(): rc = %d\n", test_get_authinfo_rc); + return test_get_authinfo_rc; +} + +/* override, requires '-Wl,--wrap=db_get_lastauthtuple_for_subscr' */ +int __real_db_get_lastauthtuple_for_subscr(struct gsm_auth_tuple *atuple, + struct gsm_subscriber *subscr); + +int test_get_lastauthtuple_rc = 0; +struct gsm_auth_tuple test_last_auth_tuple = { 0 }; +struct gsm_auth_tuple default_auth_tuple = { 0 }; + +int __wrap_db_get_lastauthtuple_for_subscr(struct gsm_auth_tuple *atuple, + struct gsm_subscriber *subscr) +{ + *atuple = test_last_auth_tuple; + printf("wrapped: db_get_lastauthtuple_for_subscr(): rc = %d\n", test_get_lastauthtuple_rc); + return test_get_lastauthtuple_rc; +} + +/* override, requires '-Wl,--wrap=db_sync_lastauthtuple_for_subscr' */ +int __real_db_sync_lastauthtuple_for_subscr(struct gsm_auth_tuple *atuple, + struct gsm_subscriber *subscr); +int test_sync_lastauthtuple_rc = 0; +int __wrap_db_sync_lastauthtuple_for_subscr(struct gsm_auth_tuple *atuple, + struct gsm_subscriber *subscr) +{ + test_last_auth_tuple = *atuple; + printf("wrapped: db_sync_lastauthtuple_for_subscr(): rc = %d\n", test_sync_lastauthtuple_rc); + return test_sync_lastauthtuple_rc; +} + +int auth_get_tuple_for_subscr_verbose(struct gsm_auth_tuple *atuple, + struct gsm_subscriber *subscr, + int key_seq) +{ + int auth_action; + auth_action = auth_get_tuple_for_subscr(atuple, subscr, key_seq); + printf("auth_get_tuple_for_subscr(key_seq=%d) --> auth_action == %s\n", + key_seq, auth_action_str(auth_action)); + return auth_action; +} + +/* override libssl RAND_bytes() to get testable crypto results */ +int RAND_bytes(uint8_t *rand, int len) +{ + memset(rand, 23, len); + return 1; +} + +static void test_error() +{ + int auth_action; + + struct gsm_auth_tuple atuple = {0}; + struct gsm_subscriber subscr = {0}; + int key_seq = 0; + + printf("\n* test_error()\n"); + + /* any error (except -ENOENT) */ + test_get_authinfo_rc = -EIO; + auth_action = auth_get_tuple_for_subscr_verbose(&atuple, &subscr, + key_seq); + OSMO_ASSERT(auth_action == -1); +} + +static void test_auth_not_avail() +{ + int auth_action; + + struct gsm_auth_tuple atuple = {0}; + struct gsm_subscriber subscr = {0}; + int key_seq = 0; + + printf("\n* test_auth_not_avail()\n"); + + /* no entry */ + test_get_authinfo_rc = -ENOENT; + auth_action = auth_get_tuple_for_subscr_verbose(&atuple, &subscr, + key_seq); + OSMO_ASSERT(auth_action == AUTH_NOT_AVAIL); +} + +int main(void) +{ + osmo_init_logging(&log_info); + log_set_log_level(osmo_stderr_target, LOGL_INFO); + + test_error(); + test_auth_not_avail(); + return 0; +} diff --git a/openbsc/tests/mm_auth/mm_auth_test.ok b/openbsc/tests/mm_auth/mm_auth_test.ok new file mode 100644 index 000000000..5efb3deca --- /dev/null +++ b/openbsc/tests/mm_auth/mm_auth_test.ok @@ -0,0 +1,8 @@ + +* test_error() +wrapped: db_get_authinfo_for_subscr(): rc = -5 +auth_get_tuple_for_subscr(key_seq=0) --> auth_action == (internal error) + +* test_auth_not_avail() +wrapped: db_get_authinfo_for_subscr(): rc = -2 +auth_get_tuple_for_subscr(key_seq=0) --> auth_action == AUTH_NOT_AVAIL diff --git a/openbsc/tests/testsuite.at b/openbsc/tests/testsuite.at index 6a1c77f54..dab956888 100644 --- a/openbsc/tests/testsuite.at +++ b/openbsc/tests/testsuite.at @@ -117,3 +117,10 @@ AT_CHECK([test "$enable_gtphub_test" != no || exit 77]) cat $abs_srcdir/gtphub/gtphub_test.ok > expout AT_CHECK([$abs_top_builddir/tests/gtphub/gtphub_test], [], [expout], [ignore]) AT_CLEANUP + +AT_SETUP([mm_auth]) +AT_KEYWORDS([mm_auth]) +cat $abs_srcdir/mm_auth/mm_auth_test.ok > expout +AT_CHECK([$abs_top_builddir/tests/mm_auth/mm_auth_test], [], [expout], [ignore]) +AT_CLEANUP + -- cgit v1.2.3 From 4554a62c4d16bd95ae4fb38ede0fd9f64a4d1429 Mon Sep 17 00:00:00 2001 From: Neels Hofmeyr Date: Wed, 30 Mar 2016 11:22:25 +0200 Subject: MM Auth test: add two tests for AUTH_THEN_CIPH Test two situations for AUTH_DO_AUTH_THEN_CIPH: - when no auth tuple is available - when the key sequence from LU is marked invalid Add convenience auth tuple comparison function using stringification. --- openbsc/tests/mm_auth/mm_auth_test.c | 136 ++++++++++++++++++++++++++++++++++ openbsc/tests/mm_auth/mm_auth_test.ok | 16 ++++ 2 files changed, 152 insertions(+) (limited to 'openbsc/tests') diff --git a/openbsc/tests/mm_auth/mm_auth_test.c b/openbsc/tests/mm_auth/mm_auth_test.c index d8e44758c..c0b8da424 100644 --- a/openbsc/tests/mm_auth/mm_auth_test.c +++ b/openbsc/tests/mm_auth/mm_auth_test.c @@ -8,6 +8,59 @@ #include #include +#define min(A,B) ((A)>(B)? (B) : (A)) + +static char *auth_tuple_str(struct gsm_auth_tuple *atuple) +{ + static char buf[256]; + char *pos = buf; + int len = sizeof(buf); + int l; + +#define print2buf(FMT, args...) do {\ + l = snprintf(pos, len, FMT, ## args); \ + pos += l;\ + len -= l;\ + } while (0) + + print2buf("gsm_auth_tuple {\n"); + print2buf(" .use_count = %d\n", atuple->use_count); + print2buf(" .key_seq = %d\n", atuple->key_seq); + print2buf(" .rand = %s\n", osmo_hexdump(atuple->rand, sizeof(atuple->rand))); + print2buf(" .sres = %s\n", osmo_hexdump(atuple->sres, sizeof(atuple->sres))); + print2buf(" .kc = %s\n", osmo_hexdump(atuple->kc, sizeof(atuple->kc))); + print2buf("}\n"); +#undef print2buf + + return buf; +} + +static bool auth_tuple_is(struct gsm_auth_tuple *atuple, + const char *expect_str) +{ + int l, l1, l2; + int i; + char *tuple_str = auth_tuple_str(atuple); + bool same = (strcmp(expect_str, tuple_str) == 0); + if (!same) { + l1 = strlen(expect_str); + l2 = strlen(tuple_str); + printf("Expected %d:\n%s\nGot %d:\n%s\n", + l1, expect_str, l2, tuple_str); + l = min(l1, l2); + for (i = 0; i < l; i++) { + if (expect_str[i] != tuple_str[i]) { + printf("Difference at pos %d" + " (%c 0x%0x != %c 0x%0x)\n", + i, expect_str[i], expect_str[i], + tuple_str[i], tuple_str[i]); + break; + } + } + } + return same; +} + /* override, requires '-Wl,--wrap=db_get_authinfo_for_subscr' */ int __real_db_get_authinfo_for_subscr(struct gsm_auth_info *ainfo, struct gsm_subscriber *subscr); @@ -108,6 +161,87 @@ static void test_auth_not_avail() OSMO_ASSERT(auth_action == AUTH_NOT_AVAIL); } +static void test_auth_then_ciph1() +{ + int auth_action; + + struct gsm_auth_tuple atuple = {0}; + struct gsm_subscriber subscr = {0}; + int key_seq; + + printf("\n* test_auth_then_ciph1()\n"); + + /* Ki entry, but no auth tuple negotiated yet */ + test_auth_info = default_auth_info; + test_last_auth_tuple = default_auth_tuple; + test_get_authinfo_rc = 0; + test_get_lastauthtuple_rc = -ENOENT; + key_seq = 0; + auth_action = auth_get_tuple_for_subscr_verbose(&atuple, &subscr, + key_seq); + OSMO_ASSERT(auth_action == AUTH_DO_AUTH_THEN_CIPH); + OSMO_ASSERT(auth_tuple_is(&atuple, + "gsm_auth_tuple {\n" + " .use_count = 1\n" + " .key_seq = 1\n" + " .rand = 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 \n" + " .sres = a1 ab c6 90 \n" + " .kc = 0f 27 ed f3 ac 97 ac 00 \n" + "}\n" + )); +} + +static void test_auth_then_ciph2() +{ + int auth_action; + + struct gsm_auth_tuple atuple = {0}; + struct gsm_subscriber subscr = {0}; + int key_seq; + + printf("\n* test_auth_then_ciph2()\n"); + + /* Ki entry, auth tuple negotiated, but invalid incoming key_seq */ + test_auth_info = default_auth_info; + test_last_auth_tuple = default_auth_tuple; + test_last_auth_tuple.key_seq = 2; + test_get_authinfo_rc = 0; + test_get_lastauthtuple_rc = 0; + key_seq = GSM_KEY_SEQ_INVAL; + auth_action = auth_get_tuple_for_subscr_verbose(&atuple, &subscr, + key_seq); + OSMO_ASSERT(auth_action == AUTH_DO_AUTH_THEN_CIPH); + OSMO_ASSERT(auth_tuple_is(&atuple, + "gsm_auth_tuple {\n" + " .use_count = 1\n" + " .key_seq = 3\n" + " .rand = 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 \n" + " .sres = a1 ab c6 90 \n" + " .kc = 0f 27 ed f3 ac 97 ac 00 \n" + "}\n" + )); + + /* Change the last saved key_seq, expect last_auth_tuple.key_seq + 1 */ + test_auth_info = default_auth_info; + test_last_auth_tuple = default_auth_tuple; + test_last_auth_tuple.key_seq = 3; + test_get_authinfo_rc = 0; + test_get_lastauthtuple_rc = 0; + key_seq = GSM_KEY_SEQ_INVAL; + auth_action = auth_get_tuple_for_subscr_verbose(&atuple, &subscr, + key_seq); + OSMO_ASSERT(auth_action == AUTH_DO_AUTH_THEN_CIPH); + OSMO_ASSERT(auth_tuple_is(&atuple, + "gsm_auth_tuple {\n" + " .use_count = 1\n" + " .key_seq = 4\n" + " .rand = 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 \n" + " .sres = a1 ab c6 90 \n" + " .kc = 0f 27 ed f3 ac 97 ac 00 \n" + "}\n" + )); +} + int main(void) { osmo_init_logging(&log_info); @@ -115,5 +249,7 @@ int main(void) test_error(); test_auth_not_avail(); + test_auth_then_ciph1(); + test_auth_then_ciph2(); return 0; } diff --git a/openbsc/tests/mm_auth/mm_auth_test.ok b/openbsc/tests/mm_auth/mm_auth_test.ok index 5efb3deca..52feb3679 100644 --- a/openbsc/tests/mm_auth/mm_auth_test.ok +++ b/openbsc/tests/mm_auth/mm_auth_test.ok @@ -6,3 +6,19 @@ auth_get_tuple_for_subscr(key_seq=0) --> auth_action == (internal error) * test_auth_not_avail() wrapped: db_get_authinfo_for_subscr(): rc = -2 auth_get_tuple_for_subscr(key_seq=0) --> auth_action == AUTH_NOT_AVAIL + +* test_auth_then_ciph1() +wrapped: db_get_authinfo_for_subscr(): rc = 0 +wrapped: db_get_lastauthtuple_for_subscr(): rc = -2 +wrapped: db_sync_lastauthtuple_for_subscr(): rc = 0 +auth_get_tuple_for_subscr(key_seq=0) --> auth_action == AUTH_DO_AUTH_THEN_CIPH + +* test_auth_then_ciph2() +wrapped: db_get_authinfo_for_subscr(): rc = 0 +wrapped: db_get_lastauthtuple_for_subscr(): rc = 0 +wrapped: db_sync_lastauthtuple_for_subscr(): rc = 0 +auth_get_tuple_for_subscr(key_seq=7) --> auth_action == AUTH_DO_AUTH_THEN_CIPH +wrapped: db_get_authinfo_for_subscr(): rc = 0 +wrapped: db_get_lastauthtuple_for_subscr(): rc = 0 +wrapped: db_sync_lastauthtuple_for_subscr(): rc = 0 +auth_get_tuple_for_subscr(key_seq=7) --> auth_action == AUTH_DO_AUTH_THEN_CIPH -- cgit v1.2.3 From d617c5d3ac65b5090f787da3e2911fb6742f515c Mon Sep 17 00:00:00 2001 From: Neels Hofmeyr Date: Wed, 30 Mar 2016 11:22:26 +0200 Subject: MM Auth test: add test to re-use existing auth --- openbsc/tests/mm_auth/mm_auth_test.c | 31 +++++++++++++++++++++++++++++++ openbsc/tests/mm_auth/mm_auth_test.ok | 6 ++++++ 2 files changed, 37 insertions(+) (limited to 'openbsc/tests') diff --git a/openbsc/tests/mm_auth/mm_auth_test.c b/openbsc/tests/mm_auth/mm_auth_test.c index c0b8da424..e54189834 100644 --- a/openbsc/tests/mm_auth/mm_auth_test.c +++ b/openbsc/tests/mm_auth/mm_auth_test.c @@ -242,6 +242,36 @@ static void test_auth_then_ciph2() )); } +static void test_auth_reuse() +{ + int auth_action; + struct gsm_auth_tuple atuple = {0}; + struct gsm_subscriber subscr = {0}; + int key_seq; + + printf("\n* test_auth_reuse()\n"); + + /* Ki entry, auth tuple negotiated, valid+matching incoming key_seq */ + test_auth_info = default_auth_info; + test_last_auth_tuple = default_auth_tuple; + test_last_auth_tuple.key_seq = key_seq = 3; + test_last_auth_tuple.use_count = 1; + test_get_authinfo_rc = 0; + test_get_lastauthtuple_rc = 0; + auth_action = auth_get_tuple_for_subscr_verbose(&atuple, &subscr, + key_seq); + OSMO_ASSERT(auth_action == AUTH_DO_CIPH); + OSMO_ASSERT(auth_tuple_is(&atuple, + "gsm_auth_tuple {\n" + " .use_count = 2\n" + " .key_seq = 3\n" + " .rand = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n" + " .sres = 00 00 00 00 \n" + " .kc = 00 00 00 00 00 00 00 00 \n" + "}\n" + )); +} + int main(void) { osmo_init_logging(&log_info); @@ -251,5 +281,6 @@ int main(void) test_auth_not_avail(); test_auth_then_ciph1(); test_auth_then_ciph2(); + test_auth_reuse(); return 0; } diff --git a/openbsc/tests/mm_auth/mm_auth_test.ok b/openbsc/tests/mm_auth/mm_auth_test.ok index 52feb3679..cc0e76960 100644 --- a/openbsc/tests/mm_auth/mm_auth_test.ok +++ b/openbsc/tests/mm_auth/mm_auth_test.ok @@ -22,3 +22,9 @@ wrapped: db_get_authinfo_for_subscr(): rc = 0 wrapped: db_get_lastauthtuple_for_subscr(): rc = 0 wrapped: db_sync_lastauthtuple_for_subscr(): rc = 0 auth_get_tuple_for_subscr(key_seq=7) --> auth_action == AUTH_DO_AUTH_THEN_CIPH + +* test_auth_reuse() +wrapped: db_get_authinfo_for_subscr(): rc = 0 +wrapped: db_get_lastauthtuple_for_subscr(): rc = 0 +wrapped: db_sync_lastauthtuple_for_subscr(): rc = 0 +auth_get_tuple_for_subscr(key_seq=3) --> auth_action == AUTH_DO_CIPH -- cgit v1.2.3 From f9b212fabd0d5c37dac9639fc9d9ecd73688e3a3 Mon Sep 17 00:00:00 2001 From: Neels Hofmeyr Date: Wed, 30 Mar 2016 11:22:27 +0200 Subject: MM Auth: introduce AUTH_ERROR constant. Instead of using hardcoded -1 for errors, include -1 in the enum auth_action type; apply its use. In the mm_auth test, the string output changes from '(internal error)' to 'AUTH_ERROR', since now the proper enum value is used in auth_action_names[]. --- openbsc/tests/mm_auth/mm_auth_test.c | 2 +- openbsc/tests/mm_auth/mm_auth_test.ok | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'openbsc/tests') diff --git a/openbsc/tests/mm_auth/mm_auth_test.c b/openbsc/tests/mm_auth/mm_auth_test.c index e54189834..1d65984cb 100644 --- a/openbsc/tests/mm_auth/mm_auth_test.c +++ b/openbsc/tests/mm_auth/mm_auth_test.c @@ -141,7 +141,7 @@ static void test_error() test_get_authinfo_rc = -EIO; auth_action = auth_get_tuple_for_subscr_verbose(&atuple, &subscr, key_seq); - OSMO_ASSERT(auth_action == -1); + OSMO_ASSERT(auth_action == AUTH_ERROR); } static void test_auth_not_avail() diff --git a/openbsc/tests/mm_auth/mm_auth_test.ok b/openbsc/tests/mm_auth/mm_auth_test.ok index cc0e76960..7dedadc38 100644 --- a/openbsc/tests/mm_auth/mm_auth_test.ok +++ b/openbsc/tests/mm_auth/mm_auth_test.ok @@ -1,7 +1,7 @@ * test_error() wrapped: db_get_authinfo_for_subscr(): rc = -5 -auth_get_tuple_for_subscr(key_seq=0) --> auth_action == (internal error) +auth_get_tuple_for_subscr(key_seq=0) --> auth_action == AUTH_ERROR * test_auth_not_avail() wrapped: db_get_authinfo_for_subscr(): rc = -2 -- cgit v1.2.3 From 0d929be8264ba592313f2cdd9bc4bd9b2579df00 Mon Sep 17 00:00:00 2001 From: Neels Hofmeyr Date: Wed, 30 Mar 2016 11:22:29 +0200 Subject: Fix MM Auth: disallow key_seq mismatch In auth_get_tuple_for_subscr(), add missing condition to match incoming key_seq with stored key_seq, so that re-authentication is requested for mismatching key_seqs. Add test for this issue. --- openbsc/tests/mm_auth/mm_auth_test.c | 32 ++++++++++++++++++++++++++++++++ openbsc/tests/mm_auth/mm_auth_test.ok | 6 ++++++ 2 files changed, 38 insertions(+) (limited to 'openbsc/tests') diff --git a/openbsc/tests/mm_auth/mm_auth_test.c b/openbsc/tests/mm_auth/mm_auth_test.c index 1d65984cb..2b4586101 100644 --- a/openbsc/tests/mm_auth/mm_auth_test.c +++ b/openbsc/tests/mm_auth/mm_auth_test.c @@ -272,6 +272,37 @@ static void test_auth_reuse() )); } +static void test_auth_reuse_key_seq_mismatch() +{ + int auth_action; + struct gsm_auth_tuple atuple = {0}; + struct gsm_subscriber subscr = {0}; + int key_seq; + + printf("\n* test_auth_reuse_key_seq_mismatch()\n"); + + /* Ki entry, auth tuple negotiated, valid+matching incoming key_seq */ + test_auth_info = default_auth_info; + test_last_auth_tuple = default_auth_tuple; + test_last_auth_tuple.key_seq = 3; + key_seq = 4; + test_last_auth_tuple.use_count = 1; + test_get_authinfo_rc = 0; + test_get_lastauthtuple_rc = 0; + auth_action = auth_get_tuple_for_subscr_verbose(&atuple, &subscr, + key_seq); + OSMO_ASSERT(auth_action == AUTH_DO_AUTH_THEN_CIPH); + OSMO_ASSERT(auth_tuple_is(&atuple, + "gsm_auth_tuple {\n" + " .use_count = 1\n" + " .key_seq = 4\n" + " .rand = 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 \n" + " .sres = a1 ab c6 90 \n" + " .kc = 0f 27 ed f3 ac 97 ac 00 \n" + "}\n" + )); +} + int main(void) { osmo_init_logging(&log_info); @@ -282,5 +313,6 @@ int main(void) test_auth_then_ciph1(); test_auth_then_ciph2(); test_auth_reuse(); + test_auth_reuse_key_seq_mismatch(); return 0; } diff --git a/openbsc/tests/mm_auth/mm_auth_test.ok b/openbsc/tests/mm_auth/mm_auth_test.ok index 7dedadc38..9d89bfb84 100644 --- a/openbsc/tests/mm_auth/mm_auth_test.ok +++ b/openbsc/tests/mm_auth/mm_auth_test.ok @@ -28,3 +28,9 @@ wrapped: db_get_authinfo_for_subscr(): rc = 0 wrapped: db_get_lastauthtuple_for_subscr(): rc = 0 wrapped: db_sync_lastauthtuple_for_subscr(): rc = 0 auth_get_tuple_for_subscr(key_seq=3) --> auth_action == AUTH_DO_CIPH + +* test_auth_reuse_key_seq_mismatch() +wrapped: db_get_authinfo_for_subscr(): rc = 0 +wrapped: db_get_lastauthtuple_for_subscr(): rc = 0 +wrapped: db_sync_lastauthtuple_for_subscr(): rc = 0 +auth_get_tuple_for_subscr(key_seq=4) --> auth_action == AUTH_DO_AUTH_THEN_CIPH -- cgit v1.2.3 From cf1302e4cb4875816615a23e5d7e2e9f7bcb5bca Mon Sep 17 00:00:00 2001 From: Neels Hofmeyr Date: Wed, 30 Mar 2016 11:22:30 +0200 Subject: Fix MM Auth: zero-initialize auth tuple before first use Make sure a new auth tuple is initialized after db_get_lastauthtuple_for_subscr() returns an error, i.e. if no tuple is present for the subscriber yet. Before this patch, the first key_seq depended on the typically uninitialized value that was present in auth tuple's key_seq upon calling auth_get_tuple_for_subscr(). The very first key_seq used for a new subscriber will now always be 0. Before, it used to be mostly 1 ("(0 + 1) % 7"), but depended on whether the key_seq was indeed initialized with 0, actually by random. --- openbsc/tests/mm_auth/mm_auth_test.c | 24 +++++++++++++++++++++++- openbsc/tests/mm_auth/mm_auth_test.ok | 4 ++++ 2 files changed, 27 insertions(+), 1 deletion(-) (limited to 'openbsc/tests') diff --git a/openbsc/tests/mm_auth/mm_auth_test.c b/openbsc/tests/mm_auth/mm_auth_test.c index 2b4586101..34d96f187 100644 --- a/openbsc/tests/mm_auth/mm_auth_test.c +++ b/openbsc/tests/mm_auth/mm_auth_test.c @@ -183,7 +183,29 @@ static void test_auth_then_ciph1() OSMO_ASSERT(auth_tuple_is(&atuple, "gsm_auth_tuple {\n" " .use_count = 1\n" - " .key_seq = 1\n" + " .key_seq = 0\n" + " .rand = 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 \n" + " .sres = a1 ab c6 90 \n" + " .kc = 0f 27 ed f3 ac 97 ac 00 \n" + "}\n" + )); + + /* With a different last saved key_seq stored in the out-arg of + * db_get_lastauthtuple_for_subscr() by coincidence, expect absolutely + * the same as above. */ + test_auth_info = default_auth_info; + test_last_auth_tuple = default_auth_tuple; + test_last_auth_tuple.key_seq = 3; + test_get_authinfo_rc = 0; + test_get_lastauthtuple_rc = -ENOENT; + key_seq = 0; + auth_action = auth_get_tuple_for_subscr_verbose(&atuple, &subscr, + key_seq); + OSMO_ASSERT(auth_action == AUTH_DO_AUTH_THEN_CIPH); + OSMO_ASSERT(auth_tuple_is(&atuple, + "gsm_auth_tuple {\n" + " .use_count = 1\n" + " .key_seq = 0\n" " .rand = 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 \n" " .sres = a1 ab c6 90 \n" " .kc = 0f 27 ed f3 ac 97 ac 00 \n" diff --git a/openbsc/tests/mm_auth/mm_auth_test.ok b/openbsc/tests/mm_auth/mm_auth_test.ok index 9d89bfb84..6c49f97b7 100644 --- a/openbsc/tests/mm_auth/mm_auth_test.ok +++ b/openbsc/tests/mm_auth/mm_auth_test.ok @@ -12,6 +12,10 @@ wrapped: db_get_authinfo_for_subscr(): rc = 0 wrapped: db_get_lastauthtuple_for_subscr(): rc = -2 wrapped: db_sync_lastauthtuple_for_subscr(): rc = 0 auth_get_tuple_for_subscr(key_seq=0) --> auth_action == AUTH_DO_AUTH_THEN_CIPH +wrapped: db_get_authinfo_for_subscr(): rc = 0 +wrapped: db_get_lastauthtuple_for_subscr(): rc = -2 +wrapped: db_sync_lastauthtuple_for_subscr(): rc = 0 +auth_get_tuple_for_subscr(key_seq=0) --> auth_action == AUTH_DO_AUTH_THEN_CIPH * test_auth_then_ciph2() wrapped: db_get_authinfo_for_subscr(): rc = 0 -- cgit v1.2.3