chore: wrap ngksi increment in helper and add unit tests

Signed-off-by: Guillaume Belanger <guillaume.belanger27@gmail.com>

Author: gruyaume

internal/amf/nas/gmm/common.go

@@ -4,6 +4,17 @@ import (
 	"github.com/ellanetworks/core/internal/models"
 )
 
+// nextNgKsi returns the next available NAS Key Set Identifier.
+// KSI is a 3-bit field (0–6 valid, 7 means "no key available").
+// See 3GPP TS 24.501 section 9.11.3.32.
+func nextNgKsi(current int32) int32 {
+	if current >= 0 && current < 6 {
+		return current + 1
+	}
+
+	return 0
+}
+
 func plmnIDStringToModels(plmnIDStr string) models.PlmnID {
 	if len(plmnIDStr) < 5 {
 		return models.PlmnID{}

internal/amf/nas/gmm/common_test.go

@@ -0,0 +1,28 @@
+package gmm
+
+import "testing"
+
+func TestNextNgKsi(t *testing.T) {
+	tests := []struct {
+		name    string
+		current int32
+		want    int32
+	}{
+		{"0 -> 1", 0, 1},
+		{"3 -> 4", 3, 4},
+		{"5 -> 6", 5, 6},
+		{"6 wraps to 0", 6, 0},
+		{"7 (no key) wraps to 0", 7, 0},
+		{"8 (out of range) wraps to 0", 8, 0},
+		{"negative wraps to 0", -1, 0},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := nextNgKsi(tt.current)
+			if got != tt.want {
+				t.Errorf("nextNgKsi(%d) = %d, want %d", tt.current, got, tt.want)
+			}
+		})
+	}
+}

internal/amf/nas/gmm/handle_authentication_failure.go

@@ -46,12 +46,7 @@ func handleAuthenticationFailure(ctx context.Context, amfInstance *amf.AMF, ue *
 		ue.Log.Warn("Authentication Failure Cause: NgKSI Already In Use")
 		ue.AuthFailureCauseSynchFailureTimes = 0
 		ue.Log.Warn("Select new NgKsi")
-		// select new ngksi
-		if ue.NgKsi.Ksi < 6 { // ksi is range from 0 to 6
-			ue.NgKsi.Ksi += 1
-		} else {
-			ue.NgKsi.Ksi = 0
-		}
+		ue.NgKsi.Ksi = nextNgKsi(ue.NgKsi.Ksi)
 
 		err := message.SendAuthenticationRequest(ctx, amfInstance, ue.RanUe())
 		if err != nil {

internal/amf/nas/gmm/handle_registration_request.go

@@ -163,9 +163,8 @@ func handleRegistrationRequestMessage(ctx context.Context, amfInstance *amf.AMF,
 		ue.NgKsi.Tsc = models.ScTypeMapped
 	}
 
-	ue.NgKsi.Ksi = int32(registrationRequest.NgksiAndRegistrationType5GS.GetNasKeySetIdentifiler()) + 1
-	if ue.NgKsi.Tsc == models.ScTypeNative && ue.NgKsi.Ksi != 7 {
-	} else {
+	ue.NgKsi.Ksi = nextNgKsi(int32(registrationRequest.NgksiAndRegistrationType5GS.GetNasKeySetIdentifiler()))
+	if ue.NgKsi.Tsc != models.ScTypeNative || ue.NgKsi.Ksi == 7 {
 		ue.NgKsi.Tsc = models.ScTypeNative
 		ue.NgKsi.Ksi = 0
 	}

internal/amf/nas/gmm/handle_registration_request_test.go

@@ -858,15 +858,155 @@ func TestHandleRegistrationRequest_CipheredNAS_MacFailed_SkipContainer(t *testin
 	}
 }
 
+// TestHandleRegistrationRequest_NgKsi_Increment validates that the AMF
+// allocates the next available ngKSI slot (current + 1) to avoid reusing
+// the UE's active key, per 3GPP TS 24.501 section 9.11.3.32.
+func TestHandleRegistrationRequest_NgKsi_Increment(t *testing.T) {
+	ctx := context.TODO()
+	amfInstance := amf.New(&FakeDBInstance{
+		Operator: &db.Operator{
+			Mcc:           "001",
+			Mnc:           "01",
+			Sst:           1,
+			SupportedTACs: "[\"000001\"]",
+		},
+	}, &FakeAusf{
+		AvKgAka: &ausf.AuthResult{
+			Rand: hex.EncodeToString(make([]byte, 16)),
+			Autn: hex.EncodeToString(make([]byte, 16)),
+		},
+		Supi:  mustSUPIFromPrefixed("imsi-001019756139935"),
+		Kseaf: "testkey",
+	}, nil)
+
+	ue, _, err := buildUeAndRadio()
+	if err != nil {
+		t.Fatalf("could not create UE and radio: %v", err)
+	}
+
+	ue.Suci = "testsuci"
+	ue.Supi = mustSUPIFromPrefixed("imsi-001019756139935")
+
+	m, err := buildTestRegistrationRequestMessageWithNgKsi(0, nil, 0, 3)
+	if err != nil {
+		t.Fatalf("could not build registration request message: %v", err)
+	}
+
+	err = handleRegistrationRequest(ctx, amfInstance, ue, m)
+	if err != nil {
+		t.Fatalf("registration request should be accepted, got: %v", err)
+	}
+
+	if ue.NgKsi.Ksi != 4 {
+		t.Fatalf("expected ngKSI=4 (next after 3), got %d", ue.NgKsi.Ksi)
+	}
+}
+
+// TestHandleRegistrationRequest_NgKsi_WrapAt6 validates that when the UE sends
+// ngKSI=6 (the maximum valid value), the AMF wraps around to 0 rather than
+// using value 7 (which means "no key available").
+func TestHandleRegistrationRequest_NgKsi_WrapAt6(t *testing.T) {
+	ctx := context.TODO()
+	amfInstance := amf.New(&FakeDBInstance{
+		Operator: &db.Operator{
+			Mcc:           "001",
+			Mnc:           "01",
+			Sst:           1,
+			SupportedTACs: "[\"000001\"]",
+		},
+	}, &FakeAusf{
+		AvKgAka: &ausf.AuthResult{
+			Rand: hex.EncodeToString(make([]byte, 16)),
+			Autn: hex.EncodeToString(make([]byte, 16)),
+		},
+		Supi:  mustSUPIFromPrefixed("imsi-001019756139935"),
+		Kseaf: "testkey",
+	}, nil)
+
+	ue, _, err := buildUeAndRadio()
+	if err != nil {
+		t.Fatalf("could not create UE and radio: %v", err)
+	}
+
+	ue.Suci = "testsuci"
+	ue.Supi = mustSUPIFromPrefixed("imsi-001019756139935")
+
+	m, err := buildTestRegistrationRequestMessageWithNgKsi(0, nil, 0, 6)
+	if err != nil {
+		t.Fatalf("could not build registration request message: %v", err)
+	}
+
+	err = handleRegistrationRequest(ctx, amfInstance, ue, m)
+	if err != nil {
+		t.Fatalf("registration request should be accepted, got: %v", err)
+	}
+
+	if ue.NgKsi.Ksi != 0 {
+		t.Fatalf("expected ngKSI=0 (wrapped from 6), got %d", ue.NgKsi.Ksi)
+	}
+}
+
+// TestHandleRegistrationRequest_NgKsi_NoKeyAvailable validates that when the UE
+// sends ngKSI=7 ("no key available"), the AMF handles it gracefully by
+// resetting to 0 with native security context type.
+func TestHandleRegistrationRequest_NgKsi_NoKeyAvailable(t *testing.T) {
+	ctx := context.TODO()
+	amfInstance := amf.New(&FakeDBInstance{
+		Operator: &db.Operator{
+			Mcc:           "001",
+			Mnc:           "01",
+			Sst:           1,
+			SupportedTACs: "[\"000001\"]",
+		},
+	}, &FakeAusf{
+		AvKgAka: &ausf.AuthResult{
+			Rand: hex.EncodeToString(make([]byte, 16)),
+			Autn: hex.EncodeToString(make([]byte, 16)),
+		},
+		Supi:  mustSUPIFromPrefixed("imsi-001019756139935"),
+		Kseaf: "testkey",
+	}, nil)
+
+	ue, _, err := buildUeAndRadio()
+	if err != nil {
+		t.Fatalf("could not create UE and radio: %v", err)
+	}
+
+	ue.Suci = "testsuci"
+	ue.Supi = mustSUPIFromPrefixed("imsi-001019756139935")
+
+	m, err := buildTestRegistrationRequestMessageWithNgKsi(0, nil, 0, 7)
+	if err != nil {
+		t.Fatalf("could not build registration request message: %v", err)
+	}
+
+	err = handleRegistrationRequest(ctx, amfInstance, ue, m)
+	if err != nil {
+		t.Fatalf("registration request should be accepted, got: %v", err)
+	}
+
+	if ue.NgKsi.Ksi != 0 {
+		t.Fatalf("expected ngKSI=0 (reset from no-key-available=7), got %d", ue.NgKsi.Ksi)
+	}
+
+	if ue.NgKsi.Tsc != models.ScTypeNative {
+		t.Fatalf("expected TSC=NATIVE, got %v", ue.NgKsi.Tsc)
+	}
+}
+
 func buildTestRegistrationRequestMessage(cipherAlg uint8, key *[16]uint8, ulcount uint32) (*nas.GmmMessage, error) {
+	return buildTestRegistrationRequestMessageWithNgKsi(cipherAlg, key, ulcount, 0)
+}
+
+func buildTestRegistrationRequestMessageWithNgKsi(cipherAlg uint8, key *[16]uint8, ulcount uint32, ngKsi uint8) (*nas.GmmMessage, error) {
 	m := nas.NewGmmMessage()
 
 	registrationRequest := nasMessage.NewRegistrationRequest(0)
 	registrationRequest.SetExtendedProtocolDiscriminator(nasMessage.Epd5GSMobilityManagementMessage)
 	registrationRequest.SetSecurityHeaderType(nas.SecurityHeaderTypePlainNas)
 	registrationRequest.SetSpareHalfOctet(0x00)
 	registrationRequest.SetMessageType(nas.MsgTypeRegistrationRequest)
-	registrationRequest.NgksiAndRegistrationType5GS.SetNasKeySetIdentifiler(uint8(0))
+	registrationRequest.NgksiAndRegistrationType5GS.SetNasKeySetIdentifiler(ngKsi)
 	registrationRequest.SetRegistrationType5GS(nasMessage.RegistrationType5GSInitialRegistration)
 	registrationRequest.SetFOR(1)
 	registrationRequest.MobileIdentity5GS = nasType.MobileIdentity5GS{