From patchwork Sat Mar 26 20:35:38 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Neels Hofmeyr <nhofmeyr@sysmocom.de>
X-Patchwork-Id: 602200
Return-Path: <openbsc-bounces@lists.osmocom.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.osmocom.org (lists.osmocom.org [144.76.43.76])
	by ozlabs.org (Postfix) with ESMTP id 3qXX6v0yd5z9s9Y
	for <incoming@patchwork.ozlabs.org>;
	Sun, 27 Mar 2016 07:37:59 +1100 (AEDT)
Received: from lists.osmocom.org (lists.osmocom.org [144.76.43.76])
	by lists.osmocom.org (Postfix) with ESMTP id A9AD41CF48;
	Sat, 26 Mar 2016 20:37:57 +0000 (UTC)
X-Original-To: openbsc@lists.osmocom.org
Delivered-To: openbsc@lists.osmocom.org
Received: from einhorn.in-berlin.de (einhorn.in-berlin.de
	[IPv6:2001:bf0:c000::1:8])
	by lists.osmocom.org (Postfix) with ESMTP id 595121CF39
	for <openbsc@lists.osmocom.org>; Sat, 26 Mar 2016 20:37:56 +0000 (UTC)
X-Envelope-From: nhofmeyr@sysmocom.de
X-Envelope-To: <openbsc@lists.osmocom.org>
Received: from localhost (tmo-115-112.customers.d1-online.com
	[80.187.115.112]) (authenticated bits=0)
	by einhorn.in-berlin.de (8.14.4/8.14.4/Debian-4) with ESMTP id
	u2QKboGC002886
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NOT)
	for <openbsc@lists.osmocom.org>; Sat, 26 Mar 2016 21:37:54 +0100
From: Neels Hofmeyr <nhofmeyr@sysmocom.de>
To: openbsc@lists.osmocom.org
Subject: [PATCH 6/7] Fix MM Auth: disallow key_seq mismatch
Date: Sat, 26 Mar 2016 21:35:38 +0100
Message-Id: <1459024539-31433-7-git-send-email-nhofmeyr@sysmocom.de>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1459024539-31433-1-git-send-email-nhofmeyr@sysmocom.de>
References: <1459024539-31433-1-git-send-email-nhofmeyr@sysmocom.de>
X-BeenThere: openbsc@lists.osmocom.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Development of OpenBSC, OsmoBSC, OsmoNITB,
	OsmoCSCN" <openbsc.lists.osmocom.org>
List-Unsubscribe: <https://lists.osmocom.org/mailman/options/openbsc>,
	<mailto:openbsc-request@lists.osmocom.org?subject=unsubscribe>
List-Archive: <http://lists.osmocom.org/pipermail/openbsc/>
List-Post: <mailto:openbsc@lists.osmocom.org>
List-Help: <mailto:openbsc-request@lists.osmocom.org?subject=help>
List-Subscribe: <https://lists.osmocom.org/mailman/listinfo/openbsc>,
	<mailto:openbsc-request@lists.osmocom.org?subject=subscribe>
Errors-To: openbsc-bounces@lists.osmocom.org
Sender: "OpenBSC" <openbsc-bounces@lists.osmocom.org>

In auth_get_tuple_for_subscr(), add missing condition to match incoming
key_seq with stored key_seq, so that re-authentication is requested for
mismatching key_seqs.

Add test for this issue.
---
 openbsc/src/libmsc/auth.c             |  1 +
 openbsc/tests/mm_auth/mm_auth_test.c  | 32 ++++++++++++++++++++++++++++++++
 openbsc/tests/mm_auth/mm_auth_test.ok |  6 ++++++
 3 files changed, 39 insertions(+)

diff --git a/openbsc/src/libmsc/auth.c b/openbsc/src/libmsc/auth.c
index 0a8fbf4..e4d33f0 100644
--- a/openbsc/src/libmsc/auth.c
+++ b/openbsc/src/libmsc/auth.c
@@ -91,6 +91,7 @@ int auth_get_tuple_for_subscr(struct gsm_auth_tuple *atuple,
 	rc = db_get_lastauthtuple_for_subscr(atuple, subscr);
 	if ((rc == 0) &&
 	    (key_seq != GSM_KEY_SEQ_INVAL) &&
+	    (key_seq == atuple->key_seq) &&
 	    (atuple->use_count < 3))
 	{
 		atuple->use_count++;
diff --git a/openbsc/tests/mm_auth/mm_auth_test.c b/openbsc/tests/mm_auth/mm_auth_test.c
index 1d65984..2b45861 100644
--- a/openbsc/tests/mm_auth/mm_auth_test.c
+++ b/openbsc/tests/mm_auth/mm_auth_test.c
@@ -272,6 +272,37 @@ static void test_auth_reuse()
 		));
 }
 
+static void test_auth_reuse_key_seq_mismatch()
+{
+	int auth_action;
+	struct gsm_auth_tuple atuple = {0};
+	struct gsm_subscriber subscr = {0};
+	int key_seq;
+
+	printf("\n* test_auth_reuse_key_seq_mismatch()\n");
+
+	/* Ki entry, auth tuple negotiated, valid+matching incoming key_seq */
+	test_auth_info = default_auth_info;
+	test_last_auth_tuple = default_auth_tuple;
+	test_last_auth_tuple.key_seq = 3;
+	key_seq = 4;
+	test_last_auth_tuple.use_count = 1;
+	test_get_authinfo_rc = 0;
+	test_get_lastauthtuple_rc = 0;
+	auth_action = auth_get_tuple_for_subscr_verbose(&atuple, &subscr,
+							key_seq);
+	OSMO_ASSERT(auth_action == AUTH_DO_AUTH_THEN_CIPH);
+	OSMO_ASSERT(auth_tuple_is(&atuple,
+		"gsm_auth_tuple {\n"
+		"  .use_count = 1\n"
+		"  .key_seq = 4\n"
+		"  .rand = 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 \n"
+		"  .sres = a1 ab c6 90 \n"
+		"  .kc = 0f 27 ed f3 ac 97 ac 00 \n"
+		"}\n"
+		));
+}
+
 int main(void)
 {
 	osmo_init_logging(&log_info);
@@ -282,5 +313,6 @@ int main(void)
 	test_auth_then_ciph1();
 	test_auth_then_ciph2();
 	test_auth_reuse();
+	test_auth_reuse_key_seq_mismatch();
 	return 0;
 }
diff --git a/openbsc/tests/mm_auth/mm_auth_test.ok b/openbsc/tests/mm_auth/mm_auth_test.ok
index 7dedadc..9d89bfb 100644
--- a/openbsc/tests/mm_auth/mm_auth_test.ok
+++ b/openbsc/tests/mm_auth/mm_auth_test.ok
@@ -28,3 +28,9 @@ wrapped: db_get_authinfo_for_subscr(): rc = 0
 wrapped: db_get_lastauthtuple_for_subscr(): rc = 0
 wrapped: db_sync_lastauthtuple_for_subscr(): rc = 0
 auth_get_tuple_for_subscr(key_seq=3) --> auth_action == AUTH_DO_CIPH
+
+* test_auth_reuse_key_seq_mismatch()
+wrapped: db_get_authinfo_for_subscr(): rc = 0
+wrapped: db_get_lastauthtuple_for_subscr(): rc = 0
+wrapped: db_sync_lastauthtuple_for_subscr(): rc = 0
+auth_get_tuple_for_subscr(key_seq=4) --> auth_action == AUTH_DO_AUTH_THEN_CIPH