Push Tracker
ria-ran--sim-drop/CHANGELOG.md
A ashkan@beigi.net f367103ceb Harden: capability-token profile URLs, fast core failure, config validation
Security:
- Serve generated profiles at /api/profile/<random-token> instead of
  /api/profile/<sequential-int>. Profiles carry Ki/OPc, so the enumerable id
  scheme allowed anyone on the WiFi to harvest all subscriber keys. Unknown
  tokens return a plain 404 so they can't be probed.

Robustness:
- Open5GS/free5gc adapters use short MongoDB timeouts so an unreachable core
  fails provisioning fast instead of blocking ~30s on the default.
- Profile cache is now a size-capped LRU (OrderedDict) to prevent unbounded
  memory growth.
- load_config rejects empty/non-mapping YAML and validates network.op_key is a
  16-byte hex string.

Tests: +25 (test_app.py API coverage, test_utils.py); 78 pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 06:11:14 +00:00

2.9 KiB

Changelog

All notable changes to this project are documented here.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Security

  • Profile download URLs now use an unguessable capability token (secrets.token_urlsafe) instead of the sequential subscriber id. Profiles contain Ki/OPc, so the old /api/profile/<int> scheme let anyone on the WiFi enumerate and harvest every subscriber's keys. Unknown tokens return a plain 404 (indistinguishable from evicted) so tokens cannot be probed.

Hardened

  • Core adapters set short MongoDB timeouts (serverSelectionTimeoutMS etc.) so an unreachable core fails provisioning fast instead of hanging ~30s.
  • In-memory profile cache is now a size-capped LRU (_MAX_CACHED_PROFILES) and can no longer grow without bound.
  • load_config rejects an empty/non-mapping YAML file and validates network.op_key is a 16-byte hex string, with clear error messages.
  • Added test_app.py (API-level: provision, rate-limit, token download, 404 on unknown/enumerated ids) and test_utils.py (MAC/IMSI/op_key/config).

Added

  • Phase-2 profile generation. create_esim_profile now emits a structured profile package with real 3GPP encodings instead of a loose JSON mock:
    • enc_iccid — EF_ICCID encoding (nibble-swapped BCD, 10-byte, 0xF padded) per 3GPP TS 31.102 §4.2.1.
    • enc_imsi — EF_IMSI encoding (length octet + parity nibble + nibble-swapped BCD) per 3GPP TS 31.102 §4.2.2.
    • build_lpa_activation_code — SGP.22 LPA activation string (LPA:1$<smdp>$<matching-id>) so the profile carries a device-consumable activation reference.
  • CHANGELOG.md.

Changed

  • Profile package type is now profile-package-v2; it embeds the raw credentials plus the encoded EF byte values and the LPA activation code.

Fixed

  • generate_imsi hardcoded a 10-digit MSIN, producing invalid 16-digit IMSIs for a 3-digit MNC (e.g. MCC 302 / MNC 720). MSIN length is now 15 - len(mcc) - len(mnc).
  • check_rate_limit compared timestamps as strings across mismatched formats (SQLite CURRENT_TIMESTAMP vs Python isoformat), making the rate-limit window unreliable. Both sides are now normalized via SQLite datetime().

Notes

  • Full SGP.22 SIMalliance Interoperable Profile (SAIP / ASN.1 UPP) generation via osmocom pySim remains the follow-up step; it needs an SM-DP+ / LPA to be installed onto consumer devices over the air. The current package targets programmable SIMs and core-network sync.

[0.1.0] — 2026-07-01

Added

  • Initial Phase-1 closed-loop eSIM provisioning stack: Flask API, SQLite subscriber store, credential generator (IMSI/Ki/OPc/ICCID), Open5GS and free5gc core adapters, captive portal, operational scripts, systemd units, network configs, and a test suite.