From 89eb1f362f9461a9cc11de9b03b374381754259e Mon Sep 17 00:00:00 2001
From: Stefan Sperling
Date: Mon, 17 Dec 2018 15:06:20 +0100
Subject: add MSC test for an invalid CIPHER MODE COMPLETE command

Add new test TC_cipher_complete_with_invalid_cipher which verifies that the MSC will reject a CIPHER MODE COMPLETE command with a cipher which wasn't part of the preceding CIPHER MODE command.

Change-Id: I4492eb7d77371aaa047abae81a2dcf26fe46eb6a
Related: OS#2872
---
 msc/MSC_Tests.cfg | 1 +
 msc/MSC_Tests.ttcn | 59 ++++++++++++++++++++++++++++++++++++++++++++++++
 msc/expected-results.xml | 1 +
 3 files changed, 61 insertions(+)

diff --git a/msc/MSC_Tests.cfg b/msc/MSC_Tests.cfg
index 5a3c33c5..b4128898 100644
--- a/msc/MSC_Tests.cfg
+++ b/msc/MSC_Tests.cfg
@@ -60,3 +60,4 @@ MSC_Tests.control
 #MSC_Tests.TC_lu_and_mt_call_no_dlcx_resp
 #MSC_Tests.TC_reset_two
 #MSC_Tests.TC_lu_and_mt_call
+#MSC_Tests.TC_cipher_complete_with_invalid_cipher
diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn
index dc616a8b..adaeea3c 100644
--- a/msc/MSC_Tests.ttcn
+++ b/msc/MSC_Tests.ttcn
@@ -2766,6 +2766,63 @@ testcase TC_lu_and_ss_session_timeout() runs on MTC_CT {
 f_vty_config(MSCVTY, "msc", "ncss guard-timeout 0");
 }
+/* A5/1 only permitted on network side; attempt an invalid CIPHER MODE COMPLETE with A5/3 which MSC should reject. */
+private function f_tc_cipher_complete_with_invalid_cipher(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
+ pars.net.expect_auth := true;
+ pars.net.expect_ciph := true;
+ pars.net.kc_support := '02'O; /* A5/1 only */
+ f_init_handler(pars);
+
+ g_pars.vec := f_gen_auth_vec_2g();
+
+ /* Can't use f_perform_lu() directly. Code below is based on it. */
+
+ /* tell GSUP dispatcher to send this IMSI to us */
+ f_create_gsup_expect(hex2str(g_pars.imsi));
+
+ /* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */
+ var PDU_ML3_MS_NW l3_lu := f_build_lu_imsi(g_pars.imsi)
+ f_bssap_compl_l3(l3_lu);
+
+ f_mm_auth();
+
+ var OCT1 a5_net := f_alg_mask_from_cm(g_pars.cm2);
+ var OCT1 a5_intersect := g_pars.net.kc_support and4b a5_net;
+ alt {
+ [] BSSAP.receive(tr_BSSMAP_CipherModeCmd(a5_intersect, g_pars.vec.kc)) {
+ BSSAP.send(ts_BSSMAP_CipherModeCompl(int2oct(4 /* "accept" A5/3 */, 1)));
+ }
+ [] BSSAP.receive(tr_BSSMAP_CipherModeCmd(?, g_pars.vec.kc)) {
+ setverdict(fail, "Wrong ciphering algorithm mask in CiphModCmd");
+ mtc.stop;
+ }
+ [] BSSAP.receive {
+ setverdict(fail, "Unknown/unexpected BSSAP received");
+ mtc.stop;
+ }
+ }
+
+ /* Expect LU reject from MSC. */
+ alt {
+ [] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej)) {
+ setverdict(pass);
+ }
+ [] BSSAP.receive {
+ setverdict(fail, "Unknown/unexpected BSSAP received");
+ mtc.stop;
+ }
+ }
+}
+
+testcase TC_cipher_complete_with_invalid_cipher() runs on MTC_CT {
+ var BSC_ConnHdlr vc_conn;
+ f_init();
+ f_vty_config(MSCVTY, "network", "encryption a5 1");
+
+ vc_conn := f_start_handler(refers(f_tc_cipher_complete_with_invalid_cipher), 52);
+ vc_conn.done;
+}
+
 /* TODO (SMS):
 * different user data lengths
 * SMPP transaction mode with unsuccessful delivery
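Review bot: The final `alt` in f_tc_cipher_complete_with_invalid_cipher, which waits for the LU reject, has no timeout branch. If the MSC simply ignores the CIPHER MODE COMPLETE that names A5/3, the test blocks instead of failing, unless a guard timer is armed in code outside this hunk. Start a local timer before that `alt` (for example `timer T := 10.0; T.start;`, duration chosen here as an illustration) and add `[] T.timeout { setverdict(fail, "Timeout waiting for LU Reject"); mtc.stop; }`. The pass branch also accepts any Location Updating Reject, so a reject issued for a reason unrelated to the cipher mismatch would still pass; if the expected reject cause is known, match it in the receive template. Separately, the new testcase sets `encryption a5 1` over VTY and does not restore it, while the preceding testcase in the context lines resets its own VTY change, so later tests in the control part may inherit the A5/1-only setting.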
@@ -2854,6 +2911,8 @@ control { execute( TC_lu_and_mo_ussd_mo_release() ); execute( TC_lu_and_ss_session_timeout() ); + execute( TC_cipher_complete_with_invalid_cipher() ); + /* Run this last: at the time of writing this test crashes the MSC */ execute( TC_lu_imsi_auth_tmsi_encr_3_1_log_msc_debug() ); execute( TC_mo_cc_bssmap_clear() ); diff --git a/msc/expected-results.xml b/msc/expected-results.xml index 4a9529e8..83c80100 100644 --- a/msc/expected-results.xml +++ b/msc/expected-results.xml @@ -69,6 +69,7 @@ + -- cgit v1.2.3