The AMF will crash on the following locations when it receives a sequence
of NAS messages from a UE.
- ogs_nas_encrypt: Assertion `pkbuf->len' failed. (../lib/nas/common/security.c:86)
- gmm_state_authentication: Assertion `r != OGS_ERROR' failed. (../src/amf/gmm-sm.c:1561)
Besides the crashes found above, an incorrect protocol transition
is identified in Open5GS. Without any Registration/Attach Request message,
when the Identity Response message sent, the Core Network responds
with an Authentication Request message. According to the standard,
only the Registration/Attach Request message can start a state transition
from the 5GMM/EMM-DEREGISTERED state to the 5GMM/EMM-COMMON-PROCEDURE-INITIATED.
So I've modified the relevant code to address these issues.
3GPP TS 24.501 version 16.6.0 Release 16
4.4 NAS security
4.4.6 Protection of initial NAS signalling messages
1) the UE needs to send non-cleartext IEs in a REGISTRATION REQUEST
or SERVICE REQUEST message, the UE includes the entire REGISTRATION
REQUEST or SERVICE REQUEST message (i.e. containing both cleartext IEs
and non-cleartext IEs) in the NAS message container IE and shall cipher
the value part of the NAS message container IE. The UE shall then send
a REGISTRATION REQUEST or SERVICE REQUEST message containing
the cleartext IEs and the NAS message container IE;
* HACK: Don't retransmit InitialContextSetupReq
Related: #256
* HACK: Don't use buggy sa1p_copy() in eNBConfigTransfer
Related: #257
* mme: don't reject with 'IMSI is unknown in HLR' (permanent reject)
* MME: Implement S6a result -> EMM cause code mapping
Closes: #263
* Spencer: modification to Haralds fix because macros are now renamed
* MME: don't assert on MAC failures of uplink NAS frames
Closes: #267
* MME: Avoid ogs_assert() in many situations
We don't want to crash the entire program just because a message
received from an external entity didn't match some of our expectations.
* compiles fine, checked DIFFs and only difference is the ogs_assert -> ogs_expect
Sukchan Lee
Spencer Sevilla