Closed Bug 1038087 Opened 10 years ago Closed 6 years ago

[dolphin][flame] FFOS cannot receive the OTA message when userPIN is empty.

Categories

(Firefox OS Graveyard :: Gaia::Wappush, defect)

Other
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: angelc04, Unassigned)

Details

(Whiteboard: [sprd332259])

Attachments

(4 files)

Partner is using "NOW SMS" to simulate the case that Operators send OTA msgs to users. The purpose is to check if APN can be configured successfully. 
userPIN is used to encrypt the OTA message. When user receives the OTA message, they need to input the user PIN to use this configuration.

The problem partner experienced is:
--> FFOS cannot receive the OTA message when userPIN is empty. 

Both dolphin and Flame have this problem. But on an Android device, the OTA message can be received when userPIN is empty.

Attached is the slog.
Whiteboard: [sprd332259][partner-blocker]
Hi Shawn, could you please kindly help with this? Thanks!
Flags: needinfo?(sku)
If a WAP Push message doesn't contain any authentication info, it will be dropped by the WAP Push app [1] for security.
Maybe this is the cause.

[1] http://git.mozilla.org/?p=releases/gaia.git;a=blob;f=apps/wappush/js/parsed_message.js;h=cce6c59d9406b6e92ad7d66415614dfe68b82d73;hb=HEAD#l193
Clear ni? due to comment 2 by Chuck.

Hi Rachelle:
 It looks like OMA defines auth as a must attribute. Please double confirm with partner if this is really an issue?
Flags: needinfo?(sku) → needinfo?(ryang)
Hi Shawn, thank you very much. I will further check with partner. Thanks!
Flags: needinfo?(ryang)
Just FYI. The reason why partner thinks this is an issue is because Android devices can receive such messages while FFOS cannot.
Is it possible to not block this type of message but pop up a warning to users and let user choose to "Accept" or "Reject" it?

Because there might be some case that user needs such OTA message(although I cannot name for now), and the current design will block all OTA msg without authentication.
Whiteboard: [sprd332259][partner-blocker] → [sprd332259]
(In reply to pcheng from comment #6)
> Is it possible to not block this type of message but pop up a warning to
> users and let user choose to "Accept" or "Reject" it?
> 
> Because there might be some case that user needs such OTA message(although I
> cannot name for now), and the current design will block all OTA msg without
> authentication.

I am not sure if I understand the whole flow/spec. correctly.
However, OMA CP defines one of NETWPIN/USERPIN/USERNETWPIN/USERPINMAC as mandatory.
If auth. is a necessary attribute, I am afraid we cannot simply ignore auth. check. (see also [1])


If there is anything wrong, please kindly correct me.


[1] http://dl-developer.sonymobile.com/documentation/DW-100361-dg_device_mgmnt(v5-6)_r14a.pdf
(In reply to shawn ku [:sku] (OOO 7/17 ~ 7/31) from comment #8)
Statistics data from our test department for the global area:
1. Need PIN area: Urop, Europe / America / Southeast Asia / Brazil and so on
2. No need PIN area: Middle East / in / Honduras and so on
This means many countries do not need a PIN, so this design will make them lose the function. However, as far as I know, in these areas features such as WAP Push and USSD are very useful.

And our tester researched the spec and found that the security check is optional. It says:
"The security information consists of the message authentication code and the
security method. The parameters MAC and SEC have been defined for this purpose and these MUST be supported by the WAP client
The parameter specifies the security mechanism used (if it is not present, no security is used)."

So what is the opinion please? Or waiting for the other customers feedback in future?
As I know, the target market for dolphin is Bangladesh. So maybe this should not be a problem for this release?
blocking-b2g: --- → 1.4?
Whiteboard: [sprd332259] → [sprd332259][partner-blocker]
siiaceon,

When a PIN input by user is not desired, you should not be sending type USERPIN with empty PIN. NetwPIN or UserNetwPIN should be used instead.

Can you provide the reference to the SPEC you are referring to?
Flags: needinfo?(siiaceon.cao)
The description of Comment 9 comes from Provisioning Content spec[1], clause 4.3. It's like a base definition of WAP Push message.
I think our wap push app implements Provisioning Bootstrap, as the attachment, where authentication info becomes a must according to clause 5.2.

[1] http://technical.openmobilealliance.org/Technical/release_program/docs/ClientProv/V1_1-20090728-A/OMA-WAP-TS-ProvCont-V1_1-20090728-A.pdf
The test case for this bug is: SEC authentication type is USERPIN, but user pin value is empty.

Reading through the spec and bootstrap, I didn't see any limitation on the user pin value. So maybe it could be empty?
The only limitation I saw is as follows, but the limit is related to MAC calculation.

When presented to the user as well as when used as input to the MAC calculation, the user PIN MUST be a string of ASCII
encoded decimal digits (i.e. octets with hexadecimal values 30 to 39).
I don't know whether, if you select USERPIN but don't provide a PIN code in nowSMS, it will send a message containing auth info of USERPIN and MAC, or ignore the USERPIN settings and send a message with no auth info.

Based on the code, if we received a message of USERPIN, gaia would pop out a dialog ask for PIN code, because it doesn't know if the PIN code is empty. But the reported behavior says "cannot receive the OTA message", which means no dialog box is shown.
So I think it's more likely that the incoming message doesn't have authentication info at all.

We have a small test app, "Test Wap Push", in engineer build, that will show info of received WAP Push message[1].
If we all agree that an incoming OTA message must contain authentication information, I suggest checking whether the information does exist in the message sent from nowSMS.

[1] http://git.mozilla.org/?p=releases/gaia.git;a=tree;f=dev_apps/test-wappush;h=322230ba86fa88e01ec67d7e761c226198b66c97;hb=HEAD
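
Added example, not part of the bug thread and not Gaia's code: a Python sketch of the distinction drawn in the comment above, between a push with SEC=USERPIN whose PIN is empty (it still carries a MAC, so the receiver prompts) and a push with no SEC/MAC at all (dropped). It assumes the MAC is HMAC-SHA1 over the message body keyed with the PIN and hex-encoded, and that SEC uses the numeric codes of the OMA CP bootstrap spec; the function names and the sample body are constructed for illustration.

```python
import hashlib
import hmac

# Numeric SEC codes for the four methods named in the thread
# (assumption of this example, per the OMA CP bootstrap spec).
SEC_METHODS = {"0": "NETWPIN", "1": "USERPIN", "2": "USERNETWPIN", "3": "USERPINMAC"}

# Constructed stand-in for a WBXML provisioning document.
SAMPLE_BODY = b"\x03\x0b\x6a\x00constructed-wbxml-body"


def userpin_mac(pin: str, body: bytes) -> str:
    """MAC for SEC=USERPIN: HMAC-SHA1 keyed with the ASCII PIN, upper-case hex."""
    # The spec text quoted in the thread restricts the PIN to ASCII digits;
    # an empty PIN is still a valid (zero-length) HMAC key.
    if pin and not (pin.isascii() and pin.isdigit()):
        raise ValueError("user PIN must be ASCII decimal digits")
    return hmac.new(pin.encode("ascii"), body, hashlib.sha1).hexdigest().upper()


def classify(params: dict, body: bytes, entered_pin=None) -> str:
    """Decide what a receiver does with a provisioning push.

    params: content-type parameters of the push, e.g. {"SEC": "1", "MAC": "..."}.
    entered_pin: what the user typed in the PIN dialog, or None if not asked yet.
    """
    sec, mac = params.get("SEC"), params.get("MAC")
    if sec is None or mac is None:
        # The case the test app showed: empty "Auth - Security Type" field.
        return "drop: no authentication info"
    method = SEC_METHODS.get(sec)
    if method is None:
        return "drop: unknown SEC value"
    if method != "USERPIN":
        return "not covered by this example: " + method
    if entered_pin is None:
        # The receiver cannot know the PIN is empty, so it must ask.
        return "prompt: ask user for PIN"
    expected = userpin_mac(entered_pin, body)
    if hmac.compare_digest(expected, mac.upper()):
        return "accept"
    return "reject: MAC mismatch"
```
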
siiaceon, could you please help check on comment 15? We don't have SMS NOW test environment. Please help.
According to jinghua's test, there is no authentication info in the message. Jinghua, could you please comment?
Flags: needinfo?(siiaceon.cao) → needinfo?(Jinghua.Xing)
In the test case, we didn't check any security type, and the test app shows there is no authentication info in the message.

How do we check if there is no userPIN in the case or the userPIN is null?
Flags: needinfo?(Jinghua.Xing)
If you receive WAP Push with USERPIN authentication, the app will show "USERPIN" in the "Auth - Security Type" field.
So if it's empty, there's no authentication info in WAP Push info.

Note that I found a bug in the WAP Push Test app: if it receives a message with auth info first, then a message without, the second message won't clear the Auth Info field.
(In reply to Chuck Lee [:chucklee] from comment #19)
The "Auth - Security Type" field is empty when we receive the message without userPIN.
This is behavior by design. Remove nomination for now. This would be the feature request if we need it.
blocking-b2g: 1.4? → ---
Whiteboard: [sprd332259][partner-blocker] → [sprd332259]
The check of "authInfo" is on gaia side, thus changing the component to Gaia:Wappush.
Component: RIL → Gaia::Wappush
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX