Bug #3193

auth: on GERAN, must allow GSM SRES response even to UMTS AKA challenge

Added by neels about 3 years ago. Updated about 3 years ago.


On OsmoSGSN:

20180421220155513 DMM INFO gprs_gmm.c:731 MM(901700000014702/e2269155) -> GPRS AUTH AND CIPH RESPONSE
20180421220155513 DMM DEBUG gprs_gmm.c:778 MM(901700000014702/e2269155) checking auth: received GSM SRES = f1 4c b4 f2 
20180421220155514 DMM ERROR gprs_gmm.c:714 MM(901700000014702/e2269155) Auth mismatch: expected UMTS RES = e374fa67087f0318
20180421220155514 DMM NOTICE gprs_gmm.c:651 MM(901700000014702/e2269155) <- GPRS AUTH AND CIPH REJECT

On OsmoMSC though it works fine:

20180421220150541 DMM DEBUG gsm_04_08.c:617 -> AUTH REQ (rand = cab3375ae19d30bf1550c3da41e55fd5)
20180421220150541 DMM DEBUG gsm_04_08.c:619    AUTH REQ (autn = 4d6215b4eaa900007b24c3d63bc49787)
20180421220151472 DRLL DEBUG gsm_04_08.c:3482 Dispatching 04.08 message GSM48_MT_MM_AUTH_RESP (0x5:0x14)
20180421220151472 DMM DEBUG gsm_04_08.c:996 IMSI:901700000014702: MM GSM AUTHENTICATION RESPONSE (sres = eb713263)
20180421220151472 DVLR DEBUG vlr.c:1205 VLR_Authenticate(LU:2652801335)[0x6120000132a0]{VLR_SUB_AS_WAIT_RESP}: Received Event VLR_AUTH_E_MS_AUTH_RESP
20180421220151472 DVLR DEBUG vlr_auth_fsm.c:136 SUBSCR(IMSI:901700000014702) AUTH on GERAN received SRES/RES: eb713263 (4 bytes)
20180421220151472 DVLR INFO vlr_auth_fsm.c:208 SUBSCR(IMSI:901700000014702) AUTH established GSM security context

Like osmo-msc, we should allow responding with a GSM SRES to a UMTS AKA auth request in OsmoSGSN.

Seen with Ingenico iWL221 (portable electronic payment terminal) at OsmoDevCon 2018.

(This reminds me of osmo-msc #2793 but actually is a bit different -- in osmo-msc, we accepted the SRES but then used the UMTS key for ciphering, here we still need to accept the SRES to begin with)

Related issues

Related to OsmoSGSN - Bug #3224: verify ciphering after UMTS AKA (New, 04/30/2018)

Associated revisions

Revision 4a8d5011 (diff)
Added by Neels Hofmeyr about 3 years ago

GERAN: allow GSM SRES on UMTS AKA challenge

Store the established security context type (GSM or UMTS) instead of the
boolean flag is_authenticated. Provide the previous boolean query with a thin
sgsn_mm_ctx_is_authenticated() function.

Knowing which security context was established will be necessary for OS#3224,
i.e. using the proper ciphering key, which is not yet tested properly, and
probably not correct at this stage.

This change will make new SGSN_Tests.TC_attach_umts_aka_gsm_sres pass.

Related: OS#3193 OS#3224
Change-Id: I36807bad3bc55c0030d4f09cb2c369714f24bec7
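
The acceptance rule and the stored security context type described in this commit message, as an added example that is not OsmoSGSN's code. All type and function names are hypothetical, and the sample vector pairs the RES and SRES bytes from the SGSN log as an assumption for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not OsmoSGSN source code. */
enum sec_ctx { SEC_CTX_NONE = 0, SEC_CTX_GSM, SEC_CTX_UMTS };

struct auth_vec {		/* expected answers for one challenge */
	uint8_t sres[4];	/* GSM SRES */
	uint8_t res[16];	/* UMTS RES */
	size_t res_len;
};

struct mm_ctx { enum sec_ctx sec_ctx; };	/* replaces a bool is_authenticated */

/* Constructed sample: RES and SRES bytes copied from the SGSN log above;
 * that they belong to one vector is an assumption for illustration. */
static const struct auth_vec sample_vec = {
	.sres = { 0xf1, 0x4c, 0xb4, 0xf2 },
	.res = { 0xe3, 0x74, 0xfa, 0x67, 0x08, 0x7f, 0x03, 0x18 },
	.res_len = 8,
};

/* Which security context does this response establish on GERAN? */
enum sec_ctx check_auth_resp(const struct auth_vec *v, bool sent_autn,
			     const uint8_t *resp, size_t len)
{
	/* A 4-byte answer is compared as SRES, whatever challenge was sent. */
	if (len == sizeof(v->sres))
		return memcmp(resp, v->sres, len) == 0 ? SEC_CTX_GSM : SEC_CTX_NONE;
	/* A longer answer is a UMTS RES, valid only if AUTN was sent. */
	if (sent_autn && len == v->res_len && memcmp(resp, v->res, len) == 0)
		return SEC_CTX_UMTS;
	return SEC_CTX_NONE;
}

bool mm_ctx_is_authenticated(const struct mm_ctx *ctx)
{
	return ctx->sec_ctx != SEC_CTX_NONE;
}

int main(void)
{
	struct mm_ctx ctx = { SEC_CTX_NONE };
	ctx.sec_ctx = check_auth_resp(&sample_vec, true, sample_vec.sres, 4);
	printf("ctx=%d authenticated=%d\n", ctx.sec_ctx, mm_ctx_is_authenticated(&ctx));
	return 0;
}
```

Keeping the context type rather than a boolean lets later code tell a GSM context from a UMTS one, which the commit message says is needed for choosing the ciphering key (OS#3224).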


#1 Updated by neels about 3 years ago

Same behavior observed on Samsung B2100!
Go to menu, select the "globe" symbol and enter a URL; it will then attempt to establish a GMM context.
So fixeria can take the credit card reader back home and we still have a device to reproduce the bug with =)

#2 Updated by neels about 3 years ago

  • Related to Bug #3224: verify ciphering after UMTS AKA added

#3 Updated by neels about 3 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
