This patch adds functions to encode and decode GSUP messages. This
does not include the layer 1 framing (IPA). The messages so far
supported are: send_auth_info_*, update_location_*,
location_cancellation_*.
Sponsored-by: On-Waves ehf
Most of the "fixes" have nothing to do with gcc-4.9.2 but are a
question of ABI/Architecture (e.g. x86 vs. AMD64). Revert these
for now.
This partially reverts commit 7b1d25a11e.
abis_test.c: In function ‘test_simple_sw_config’:
abis_test.c:68:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[0].start - simple_config, descr[0].len);
^
abis_test.c: In function ‘test_dual_sw_config’:
abis_test.c:111:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[0].start - dual_config, descr[0].len);
^
abis_test.c:115:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[1].start - dual_config, descr[1].len);
^
abis_test.c: In function ‘test_sw_selection’:
abis_test.c:132:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[0].start - load_config, descr[0].len);
^
abis_test.c:136:2: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘int’ [-Wformat=]
printf("Start: %ld len: %zu\n", descr[1].start - load_config, descr[1].len);
This implements the MAP way of subscriber validation when the MS
tries to perform an Attach Request:
1. perform authentication (optionally invoke the sendAuthInfo
procedure), starts the Auth & Ciph procedure
2. perform update location
3. insert subscriber data
4. finish the update location
5. Attach Accept / Attach Reject
The authentication triplets are used and eventually updated if all of
them have been used.
This is currently accessible via the VTY interface by the following
commands:
- update-subscriber imsi IMSI update-auth-info
- update-subscriber imsi IMSI update-location-result (ok|ERR-CAUSE)
Sponsored-by: On-Waves ehf
This commit adds data structures, functions, initialization, and VTY
commands for per subscriber authentication triplets.
The following VTY command is added:
- update-subscriber imsi IMSI \
insert auth-triplet <1-5> sres SRES rand RAND kc KC
Note that the triplets are not really used by the SGSN yet.
Sponsored-by: On-Waves ehf
Currently the parser functions for single information elements are
defined within gprs_gb_parse.c and not exported explicitly. In
addition they are named like libosmocore's TLV parser functions and
do not have a proper name prefix. Since it is planned to use them for
other protocols, they need to be globally accessible.
This patch moves them to gprs_utils.c and renames them.
The new names are:
lv_shift -> gprs_shift_lv
v_fixed_shift -> gprs_shift_v_fixed
In the long term, these functions should be moved to libosmocore (and
renamed again).
Sponsored-by: On-Waves ehf
This commit mainly extends sgsn_auth.c to use and support the
auth_state SGSN_AUTH_AUTHENTICATE. It will be activated when IMSI and
IMEI are available, authentication is required
(subscr->sgsn_data->authenticate is set), but the MM context is not
marked as authenticated. If the state has been set to
SGSN_AUTH_AUTHENTICATE and sgsn_auth_update() is called, the GMM
layer will be informed by invoking gsm0408_gprs_authenticate().
Sponsored-by: On-Waves ehf
This adds the following commands to the ENABLE node:
- show subscriber cache
- update-subscriber imsi IMSI insert authorized (0|1)
- update-subscriber imsi IMSI cancel
- update-subscriber imsi IMSI commit
These commands are mainly testing tools and maintenance helpers. The
update commands work asynchronously and can be used to complete a
pending update request or to terminate an existing connection. The
'insert' command just updates the subscriber records but does not
notify the GMM layer. Invoke the 'commit' command to continue with
pending procedures.
Note that the subscriber cache is not stored persistently and will
always be empty after an SGSN restart.
Sponsored-by: On-Waves ehf
This function is called to delete an established MM context
silently without invoking a detach procedure.
It is called when a subscriber is cancelled by the HLR. This
generally happens, when an MS has moved to another routing area and
has to use another SGSN.
Sponsored-by: On-Waves ehf
This commit adds a new authorization policy 'remote' and uses
the subscriber cache for authorization when this policy is being used.
Note that there is no remote backend implemented yet. After the
IMSI/IMEI have been acquired, a request would be sent to the remote
peer. The attach/auth-ciph procedure continues when authorization
info has been received from the peer. This means, that
gprs_subscr_update() must be called then to tell the GMM layer
that it can proceed. A later commit will add VTY commands to do this
manually.
Sponsored-by: On-Waves ehf
This patch adds GPRS specific functions for gsm_subscriber objects
(allocation, retrieval, deletion) and subscriber data
requests/updates. The sgsn_update_subscriber_data callback is used to
notify the sgsn about updates and is extended by a parameter that
passes a reference to a gsm_subscriber.
Sponsored-by: On-Waves ehf
Currently the keep_subscr flag in gsm_subscriber_group refers to a
whole group of subscribers which makes it difficult to really delete
single entries if the flag is set.
This patch adds a keep_in_ram field to gsm_subscriber which allows for
keeping subscriber objects in RAM while deleting others.
Note that really deleting an entry requires that both flags
(subscr_group->keep_subscr and subscr->keep_in_ram) are set to 0. So
only the latter should be used if a specification requires the
deletion of a subscriber entry.
Sponsored-by: On-Waves ehf
Currently every subscriber object directly refers to the gsm_network
which contains a flag shared by every related subscriber
(keep_subscr). This adds a dependency on gsm_network even if only the
functions defined in gsm_subscriber_base.c are used.
This patch adds a new struct gsm_subscriber_group which contains the
keep_subscr flag and a back reference to the network object. The
latter is not dereferenced in gsm_subscriber_base.c, so it can safely
be set to NULL when only that part of the gsm_subscriber API is being
used. It also changes that API to use gsm_subscriber_group instead of
gsm_network parameters.
Since there are some places where a pointer to the gsm_network is
needed but where only a gsm_subscriber is available, a 'net' back
pointer is added to the group struct, too. Nevertheless subscr group
and network could be separated completely, but this is not the topic
of this commit.
Sponsored-by: On-Waves ehf
The commit "sgsn: Don't send XID reset after Detach Accept" fixed the
SGSN to not respond to a Detach Accept message when there is no MM
context.
This patch adds a test case to verify, that there is really no
message sent in that case.
The test fails when the commit mentioned above is reverted.
Sponsored-by: On-Waves ehf
Currently the expected P-TMSI generated by the SGSN is hard-coded
into the test. This adds a dependency on the implementation of rand()
and thus the libc used. This breaks the test e.g. on FreeBSD.
This patch modifies test_gmm_attach() to srand(1) first, generate the
P-TMSI, and finally srand(1) again before starting the test.
Sponsored-by: On-Waves ehf
Currently when the MS does a re-attach without doing a proper detach
first, the gbproxy uses the old local TLLI if patching and the keep
mode are enabled. This leads to a failing attachment procedure when
TLLI patching is also enabled.
This patch changes gbproxy_update_link_state_ul to reset all TLLIs
within the link_info if the message contains an unknown TLLI and an
MI. This is generally the case with Attach Request messages.
The gbproxy_get_link_info_ul gets an additional tlli_is_valid
output parameter that is set, when a TLLI was present and found.
This flag is then used instead of checking tlli.current == 0 to
set TLLI/P-TMSI e.g. Attach Requests when a link_info was already
present for the P-TMSI/IMSI used in such a request.
Ticket: OW#1324
Sponsored-by: On-Waves ehf
Increase the bcch_change_mark and generate a new copy of the
system information. Make the method public, add a small test
case. Manually verified using the FakeBTS. I don't know if
the MS will re-read these SIs.
Related: SYS#739
The session name must be present in a SDP file. The RFC proposes
to use a space for it but the other equipment is using the dash
so I have picked that as well.
RFC 4566:
The "s=" field is the textual session name. There MUST be one and
only one "s=" field per session description. The "s=" field MUST NOT
be empty and SHOULD contain ISO 10646 characters (but see also the
"a=charset" attribute). If a session has no meaningful name, the
value "s= " SHOULD be used (i.e., a single space as the session
name).
Fixes: RT#2196
Currently the functions in sgsn_auth.c either have an sgsn_config or
an sgsn_instance parameter. Since the global sgsn variable is
already being used in that file and since other parts of the SGSN
related code also rely on a global sgsn singleton, these parameters
pretend to provide a flexibility that is not really supported.
Therefore this patch removes these parameters except for the ACL
related functions, which do not call code that uses the sgsn
variable.
Sponsored-by: On-Waves ehf
Currently every time an RA Update Req or an Attach Req is processed, a
new P-TMSI is allocated. When an MS issues another of these messages
before it has completed the first procedure, old_ptmsi is replaced by
ptmsi (and thus lost) and ptmsi is replaced by the newly allocated
P-TMSI. This can confuse the gbproxy, which can lose track of the
logical link then. At least a Blackberry emits a double set of RA Upd
Req messages from time to time which may be just 20ms apart.
This patch adds a check whether mm->ptmsi or mm->old_ptmsi are set.
If both are set, the P-TMSI is not re-allocated. This is only the
case, when the Complete message has not been received yet, since that
message will reset old_ptmsi.
Sponsored-by: On-Waves ehf
Currently, the LLME is not cleaned up after sending an RA Update
Reject. This happens after entering a routing area from outside,
since in that case the SGSN sends an RA Update Reject (implicitly
detached) which causes the MS to restart the attach procedure.
The LLME is also not updated if an Attach Request with message errors
(encoding, invalid MI type) is received or if an MM context cannot be
allocated.
This patch changes gsm48_rx_gmm_ra_upd_req and gsm48_rx_gmm_att_req
to unassign the LLME or free the MM context (if available) after a
Reject message has been sent.
Ticket: OW#1324
Sponsored-by: On-Waves ehf
Currently the VTY 'auth-policy' command results in setting or clearing
the acl_enabled flag. This also enables the matching of the MCC/MNC
prefix of the IMSI.
This patch adds an additional policy 'acl-only' which disables the
MCC/MNC matching and relies on the ACL only.
Sponsored-by: On-Waves ehf
Currently the IMSI is only checked immediately when an Attach Request
is received that contains an IMSI IE. If it contains a P-TMSI
instead, access is always granted.
This commit moves the IMSI check to gsm48_gmm_authorize where it is
applied when IMSI and IMEI have been acquired. This fixes the
authorization when the Attach Accept doesn't contain an IMSI.
Sponsored-by: On-Waves ehf
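Added example, not part of the commit above or of the SGSN source: a minimal C model of the difference between checking the IMSI only when the Attach Request carries an IMSI IE and deferring the decision until IMSI and IMEI are known. All type and function names, the ACL entries and the sample identities are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model; none of these names come from the SGSN code base. */
enum auth_result { AUTH_UNKNOWN, AUTH_ACCEPTED, AUTH_REJECTED };

/* Constructed sample ACL of permitted IMSIs. */
static const char *const sample_acl[] = {
	"001010000000001",
	"001010000000002",
};

struct attach_req {
	const char *imsi;	/* NULL when the MS identified itself by P-TMSI */
};

struct mm_ctx {
	char imsi[17];		/* empty string until acquired */
	char imei[17];		/* empty string until acquired */
};

static bool acl_has_imsi(const char *imsi)
{
	size_t i;

	for (i = 0; i < sizeof(sample_acl) / sizeof(sample_acl[0]); i++)
		if (strcmp(sample_acl[i], imsi) == 0)
			return true;
	return false;
}

/* "Before": the check runs only if the request carries an IMSI IE, so an
 * attach by P-TMSI is granted without ever consulting the ACL. */
static enum auth_result authorize_on_attach_req(const struct attach_req *req)
{
	if (req->imsi == NULL)
		return AUTH_ACCEPTED;
	return acl_has_imsi(req->imsi) ? AUTH_ACCEPTED : AUTH_REJECTED;
}

/* "After": the decision is taken on the MM context. While an identity is
 * missing the result is AUTH_UNKNOWN and the caller has to acquire it
 * (identification procedure) before it may send an Attach Accept. */
static enum auth_result authorize_mm_ctx(const struct mm_ctx *ctx)
{
	if (ctx->imsi[0] == '\0' || ctx->imei[0] == '\0')
		return AUTH_UNKNOWN;
	return acl_has_imsi(ctx->imsi) ? AUTH_ACCEPTED : AUTH_REJECTED;
}

/* Bounded copy of an acquired identity into the context. */
static void ctx_set_identity(char *dst, size_t dst_len, const char *id)
{
	snprintf(dst, dst_len, "%s", id);
}

int main(void)
{
	static const char *const names[] = { "unknown", "accepted", "rejected" };
	struct attach_req by_ptmsi = { NULL };
	struct mm_ctx ctx;

	memset(&ctx, 0, sizeof(ctx));

	/* Attach by P-TMSI from a subscriber that is not in the ACL. */
	printf("check at attach request: %s\n",
	       names[authorize_on_attach_req(&by_ptmsi)]);

	printf("deferred, no identities: %s\n", names[authorize_mm_ctx(&ctx)]);

	/* Constructed IMSI (not in the ACL) and constructed IMEI. */
	ctx_set_identity(ctx.imsi, sizeof(ctx.imsi), "001019999999999");
	ctx_set_identity(ctx.imei, sizeof(ctx.imei), "490154203237518");
	printf("deferred, identities known: %s\n", names[authorize_mm_ctx(&ctx)]);
	return 0;
}
```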
Currently the GMM state is set to GMM-REGISTERED when an Attach
Accept or a RA Update Accept message is sent, even if a new P-TMSI is
included. In this case 04.08 requires (see 4.7.3.1.3 and 4.7.5.1.3),
that the state is set to GMM-COMMON-PROCEDURE-INITIATED when the
Accept is sent. When the Complete is received, the SGSN shall set
the state to GMM-REGISTERED.
This patch modifies the state updates accordingly.
Sponsored-by: On-Waves ehf
Currently libcommon depends on libbsc, because gsm_network_init
(libcommon/gsm_data.c) directly calls gsm_net_update_ctype
(libbsc/gsm_04_08_utils.c).
This patch moves gsm_network_init to a new file libbsc/net_init.c.
Sponsored-by: On-Waves ehf
This test checks the attach procedure until the Attach Complete is
received.
Note that authorization and GMM state updates are not working
properly yet.
Sponsored-by: On-Waves ehf
This replaces several occurrences of duplicated code for message
creation and sending (passing to gsm0408_gprs_rcvmsg) into a single
function. In addition, the sgsn_tx_counter is always reset within
send_0408_message to simplify the code that checks for the number of
messages sent.
Sponsored-by: On-Waves ehf
Currently the LLME is not deleted when a GMM Status message is
received for which a mmctx cannot be found. This can fill the LLME
list with unneeded entries.
This patch adds code to unassign the LLME in that case.
Ticket: OW#1324
Sponsored-by: On-Waves ehf
Some switches do not like to receive the IPA PING/PONG messages.
Allow to disable the handling with "no timeout-ping" and create
test cases that verify the switching between the modes. Change the
code to treat <= 0 as an invalid timeout.
Fixes: SYS#713
Currently, when a Detach Request is received with an unknown TLLI,
it is answered by another Detach Request (!), even when a power_off
Type is used.
This patch uses gsm48_rx_gmm_det_req to handle the message instead.
So this function is changed to cope with a NULL mmctx. In that case
it doesn't unassign the llme, so this must be done manually
afterwards.
Sponsored-by: On-Waves ehf
Currently, every time the SGSN received a Detach Request from the MS
via an established logical link, it is answered by a Detach Accept.
This violates the specification (GSM 04.08, 4.7.4.1.2 and .3), which
states, that it should only be sent, if "the detach type IE value
indicates that the detach request has not been sent due to switching
off".
This patch adds a conditional to limit the sending of Detach Accept
accordingly.
Sponsored-by: On-Waves ehf
Currently only a Detach Request (MO) message with power_off = 0 is
checked.
This commit adds a new test case with power_off set to 1. It also
adds checks for the number of messages generated by the SGSN to
verify that these messages are handled differently.
Note that the handling of power_off isn't implemented yet. Therefore
the corresponding assertion is being disabled yet.
Sponsored-by: On-Waves ehf
Currently the ACL code is located in sgsn_vty.c.
This commit moves this to a new file sgsn_auth.c as a first step to
make authorization more flexible in order to implement remote
acquisition on subscriber data.
Sponsored-by: On-Waves ehf
Currently the P-TMSI IE in PAGING_PS is not patched.
This commit adds code to patch BSSGP P-TMSI IE in
gbproxy_patch_bssgp independently from the P-TMSI patching at the LLC
layer. It also extends gbproxy_update_link_state_dl to use the IMSI
to find the link_info if the TLLI is not present in the message.
Note that the spec (GSM 08.18, 7.2) requires the use of the P-TMSI
instead of the IMSI to select the MS if that IE is available.
Nevertheless as long as the IMSI is always present in downlink BSSGP
messages and as long as the optional P-TMSI refers to the same MS
(which is the case currently), this is not an issue.
Sponsored-by: On-Waves ehf
Currently, when P-TMSI patching is enabled, a new BSS P-TMSI is
generated for each Attach Accept. So two duplicated, subsequent
Attach Accept messages will be mapped to different BSS side P-TMSI.
Because the last one will replace former ones in the link_info
struct, the MS will fail to access the SGSN if it uses the former
P-TMSI to derive the new TLLI.
This patch checks the SGSN P-TMSI already assigned to the link_info
and only generates a new BSS P-TMSI on mismatch (or if the BSS P-TMSI
hasn't been set yet).
Ticket: OW#1322
Sponsored-by: On-Waves ehf
This adds a test case to check gbproxy's behaviour when processing
two subsequent but identical Attach Accept messages.
Ticket: OW#1322
Sponsored-by: On-Waves ehf
This patch adds assertions to check the LLC/GMM message received from
the gbproxy by the test framework within the function
test_gbproxy_keep_info.
It also fixes the source address of the DETACH ACC messages.
Sponsored-by: On-Waves ehf
Coverity complains about having side effects in OSMO_ASSERT argument
expressions. This would be an issue in this case, because that
variable is only referenced in other OSMO_ASSERT expressions.
Nevertheless this patch changes this to assign the variable outside
of OSMO_ASSERT.
Fixes: Coverity CID 1244239
Sponsored-by: On-Waves ehf
Currently one regexp ('patching') is used for all matching.
This patch adds a second category 'routing' which is exclusively used
for SGSN selection. It also adds a corresponding VTY command:
- match-imsi patching RE : MS related patching (currently APN)
- match-imsi routing RE : Select secondary SGSN on match only
- no match-imsi : Clear all filter expressions
Ticket: OW#1258
Sponsored-by: On-Waves ehf
Currently, patch filter configurations are leaking between tests.
This adds a call to gbproxy_clear_patch_filter() to the end of each
test that calls gbproxy_set_patch_filter().
Sponsored-by: On-Waves ehf
The current implementation makes it difficult to add further match
expressions.
This patch adds a new struct gbproxy_match that contains the fields
needed for each match expression. The matches (config) and the
results (link_info) are stored in arrays. All related functions are
updated to use them. The old fields in the config structure are
removed.
Sponsored-by: On-Waves ehf
This patch adds assertions to check the LLC/GMM message received from
the gbproxy by the test framework within the function
test_gbproxy_ra_patching.
Sponsored-by: On-Waves ehf
Currently the only way to check, whether the right messages have been
generated is to look into the generated text output. This is
error-prone if there are many messages.
This patch adds a way to optionally store all received messages into
a FIFO. They can then be checked by calling expect_msg() which
removes the first message from the FIFO and returns a pointer to it
or NULL if there is none. The pointer is only valid until the next
call to this function.
A few convenience functions are added to check for common message
types:
- expect_gmm_msg checks for certain GSM 04.08 messages in LLC/GMM
- expect_llc_msg checks for arbitrary LLC messages in BSSGP/UD
- expect_bssgp_msg checks for arbitrary BSSGP messages
Each of their arguments can be set by MATCH_ANY to ignore it while
matching. On success, they return a pointer to a statically
allocated struct containing the pointer to the msg and the full parse
context.
Recording is enabled by setting the global variable received_messages
to a pointer to a struct llist_head. It can be disabled again by
setting it to NULL.
Sponsored-by: On-Waves ehf
This patch adds and uses the function gbproxy_gsm48_to_peer() which
takes a GSM 04.08 message, encapsulates it in BSSGP and LLC, and
sends it to the BSS peer. This function increments vu_gen_tx_bss
which is now used instead of imsi_acq_retries to set the N(U) of the
outgoing message.
Since imsi_acq_retries isn't currently incremented before a Detach
Accept is generated, this patch also fixes the N(U) of such messages.
Sponsored-by: On-Waves ehf
Currently the link_info is not cleaned up completely, when
gbproxy_unregister_link_info is called.
This patch adds a function gbproxy_reset_link that must be defined
externally. This is done in gb_proxy.c, where it resets the IMSI
acquisition.
Sponsored-by: On-Waves ehf
That message is currently ignored but should invalidate the TLLI and
de-register the logical link instead.
This patch extends the parser to recognize such messages and to set
the invalidate_tlli flag.
Sponsored-by: On-Waves ehf
The TLLI should also be invalidated:
- when an Attach Reject info is received from the SGSN
- when an Attach Req is immediately followed by a Detach Req
- when an Attach Req is immediately followed by an MT detach
procedure
To verify that, this patch adds corresponding message sequences to
the test.
Sponsored-by: On-Waves ehf
This fixes the IMSI length assertion, which currently uses a
greater-or-equal than zero comparison which always yields true. It is
replaced by a greater than zero check.
Fixes: Coverity CID 1239442
Sponsored-by: On-Waves ehf
A single test case still uses time() to obtain the reference time.
This commit fixes this by using the 'now' variable instead, that
contains a fixed time value and does therefore not depend on when the
test is executed.
Sponsored-by: On-Waves ehf
This field in struct gbproxy_patch_state has evolved and holds a
list of all tracked logical links now. Thus the name is modified
accordingly.
Sponsored-by: On-Waves ehf
Currently in many places where 'tlli' (Temporary Logical Link
Identifier) within identifiers is used, the logical link itself is
meant instead. For instance, the tlli_info contains information about
an LLC logical link including up to four individual TLLI.
To avoid confusion between these concepts, this patch replaces all
'tlli_info' by 'link_info' and a few 'tlli' by 'link'.
Sponsored-by: On-Waves ehf
This patch replaces 'tlli' by 'tlli_info' within the following
function identifiers:
- gbproxy_delete_tlli
- gbproxy_delete_tllis
- gbproxy_remove_stale_tllis
- gbproxy_touch_tlli
- gbproxy_unregister_tlli
- gbproxy_remove_matching_tllis
- gbproxy_find_tlli -> gbproxy_tlli_info_by_tlli
- gbproxy_find_tlli_by_* -> gbproxy_tlli_info_by_*
These functions refer to the whole logical link info rather than to a
certain TLLI. So they are renamed to be named consistently with
gbproxy_attach_tlli_info and others.
Sponsored-by: On-Waves ehf
This patch renames gbproxy_check_tlli() to
gbproxy_imsi_matches() and struct tlli_info's
enable_patching to imsi_matches.
It's meant to be more obvious and consistent this way.
Sponsored-by: On-Waves ehf
Currently the IMSI acquisition is not restarted when a RA Update
Request is received. This leads to repeated N(U) in the generated
Ident Request message, which in turn causes the MS to drop the
second of these messages. This is bad, when the first Ident Response
has been lost between MS and gbproxy.
This patch changes gbproxy_imsi_acquisition() to handle RA Update
Request messages like Attach Requests.
Sponsored-by: On-Waves ehf
When an MS in state GMM_REGISTERED enters a new RA, it sends an RA
Update Request which is then handled by a gbproxy that possibly
doesn't have a matching tlli_info. In this case, depending on the
configuration an identification procedure to acquire the IMSI must be
started.
This adds tests to test_gbproxy_imsi_acquisition():
- IMSI acquisition triggered by a RA Update Request message
- Reaction to repeated RA Update Request messages, like it could be
caused by packet loss between PCU and gbproxy.
Sponsored-by: On-Waves ehf
On a Detach/Re-attach cycle the Address Sanitizer detected a
use-after-free kind of problem. That is because we tried to
destroy the LLME twice. The first time it is destroyed as part
of the Detach handling and the second time it is destroyed as
part of destroying the old MM context.
In case the GPRS GMM detach message is lost the SGSN needs
to reply besides not having a MM entry.
The alternative would have been to add NULL checks for all
usages of ctx->llme which would not have helped with the
readability.
Sponsored-by: On-Waves ehf
For jitter, transit and packet loss we should count the data
that arrived and not the data we send towards the remote. This
is changing the jitter timings to what they were before the
re-factoring.
For forced timing we might willingly add jumps in the sequence
number but for jitter and packet loss we are more interested
in the data that traveled through the wire/air.
The Annex A code has a probation period but we don't have it. When
starting with seq_no==0 do not assume that the sequence numbers
have wrapped. Do it by moving the entire checking code into the
else.
mgcp_patch_and_count has grown due to supporting linearizing timestamps,
ssrc and other things for equipment like the ip.access nanoBTS. Fight
back and move the Annex A code into a dedicated method.
The result is updated as we now count after all the patching and for
the Annex A code no change in SSRC can be detected.
Currently the SGSN side message's TLLI are searched without checking
the originating SGSN. This leads to collisions if both SGSN use the
same P-TMSI for different MS.
With this patch, the SGSN NSEI is stored within the tlli_info and is
used in comparisons to separate the namespaces.
Note that this type of collision cannot happen with BSS numbers,
since the tlli_info are already separated and stored per (BSS) peer.
Sponsored-by: On-Waves ehf
This patch extends test_gbproxy_secondary_sgsn() by the establishment
of a third MS connection using a P-TMSI that has been assigned by the
other SGSN already. It is expected that the entries do not
interfere and are properly retrieved.
Note that these collisions are not handled properly yet.
Sponsored-by: On-Waves ehf
Currently it is possible to create several entries referring to the
same P-TMSI/TLLI by using P-TMSI assignment via Attach Accept or
RA Update Accept messages. This can lead to the use of the wrong
tlli_info.
This patch adds gbproxy_remove_matching_tllis() that removes all
conflicting entries. This function is called after the P-TMSIs and
the resulting TLLIs have been set up.
Sponsored-by: On-Waves ehf
This tests P-TMSI assignment when P-TMSI patching is disabled. A test
with colliding P-TMSI in Attach Accept messages is included.
Note that P-TMSI collisions are not handled properly yet.
Sponsored-by: On-Waves ehf
Since this message puts the MS into DEREGISTERED state (like a detach
procedure), this message is parsed and the invalidate_tlli field is
set accordingly.
Sponsored-by: On-Waves ehf
Currently it is possible to create several tlli_info entries with the
same IMSI.
This patch disables this by adding a check before the imsi field
is updated.
Sponsored-by: On-Waves ehf
Currently a tlli_info entry is deleted when the TLLI gets invalidated
by a Detach message.
This patch introduces the possibility to keep tlli_info entries in
the list. Those entries then have cleared TLLI fields, are marked as
de-registered, and can only be retrieved by a message containing an
IMSI or a P-TMSI.
The following VTY configuration commands are added to the gbproxy
node:
- tlli-list keep-mode never : Don't keep the entries (default)
- tlli-list keep-mode re-attach : Only keep them, when a Detach
message with re-attach required has been received
- tlli-list keep-mode identified : Only keep entries which are
associated with an IMSI
- tlli-list keep-mode always : Keep all entries
Note that at least one of max-length or max-age should be set when
this feature is used to limit the number of entries.
Sponsored-by: On-Waves ehf
Currently when patching is basically enabled P-TMSI and TLLI get
patched even when P-TMSI patching is not enabled. Albeit the result
is correct in this case (the same value is re-written), the counter
shows unexpected results.
This patch adds configuration checks for P-TMSI and TLLI patching. It
also reorders the code of gbproxy_patch_raid to return early if there
is nothing to patch.
Sponsored-by: On-Waves ehf
This test case consists of a sequence of several attach and detach
procedures. The kind of detach varies (mobile originated, mobile
terminated re-attach required, mobile terminated re-attach not
required, routing area update reject). The main focus is to check that
the tlli_info is de-registered correctly (not accessible via the
TLLI) and that it can be re-used afterwards (which is not implemented
yet).
Sponsored-by: On-Waves ehf
This function is a remainder of the initial implementation that was
not meant for TLLI patching and can be used for the BSS side only.
The SGSN side is already using a composition of more flexible
single purpose functions.
This patch changes the implementation to use a similar approach. The
function is moved to gbproxy_test.c and renamed to register_tlli to
keep the tests intact.
Sponsored-by: On-Waves ehf
If IMSI acquisition is enabled and the gbproxy receives a Detach
request from the MS, it cannot pass it to the SGSN since the
acquisition has not yet been completed.
This patch implements the generation of a Detach Accept message
for this case and updates the TLLI state accordingly.
Sponsored-by: On-Waves ehf
Currently the RAI in the LLC part of the message is not updated if
the message has been taken from the list of stored messages. The
reason is, that old_raid_matches is updated in
gbprox_process_bssgp_ul() but not in gbproxy_flush_stored_messages().
This patch moves the check to gprs_gb_parse_bssgp() which is called
at both places and where other fields like parse_ctx->tlli are set,
too.
In addition, old_raid_matches is replaced by old_raid_is_foreign
since this is clearer in the case when there is no old RAI at all.
Several RAI patch counter assertions are also added to
test_gbproxy_ra_patching().
Sponsored-by: On-Waves ehf
Add an Attach Request message to test_gbproxy_ra_patching, where the
BSSGP RAI differs from the old RAI signalled in the LLC part. This
case had not been tested explicitly yet.
Change the RAI in the first Attach Request in
test_gbproxy_imsi_acquisition from rai_unknown to rai_bss.
Add Detach Requests to test_gbproxy_imsi_acquisition, one for an
incomplete attach procedure and one for an unknown (fresh) TLLI.
In these cases, the acquisition of an IMSI is not necessary and also
doesn't work properly with an E71.
Sponsored-by: On-Waves ehf
Since at all places where mi_data/mi_data_len is used it will always
contain an IMSI. Thus the names of the identifiers have been updated
accordingly for clarity.
Sponsored-by: On-Waves ehf
This patch adds explicit tests for
- gbproxy_peer_by_bvci
- gbproxy_peer_by_nsei
- gbproxy_cleanup_peers
- gbproxy_peer_by_rai
- gbproxy_peer_by_lai
- gbproxy_peer_by_lac
and for messages with an unknown TLLI sent by the SGSN.
Sponsored-by: On-Waves ehf
Currently the stored messages are only removed, when IMSI acquisition
has succeeded. In addition, receiving two ATTACH_REQ messages in
sequence (e.g. due to loss of an Identity Req/Resp message) will not
restart the IMSI acquisition procedure.
This patch adds gbproxy_tlli_info_discard_messages() to clean up the
message list and calls it from gbproxy_delete_tlli() fixing a
potential memory leak. It is also called when an Attach Request
message has been received. In that case the imsi_acq_pending flag is
cleared, too. This would (re-)trigger the IMSI acquisition procedure
at each of these messages. If an Ident Response has been lost,
resending the Ident Request with the same N(U) will not work.
Therefore the N(U) gets incremented on each Ident Request generated
by the gbproxy. The first N(U) used is 256 which shouldn't collide
with the V(UT) used by the SGSN given that P-TMSI patching is enabled
(since a new random TLLI is used initially on every new (no
tlli_info) connection and V(U) starts with zero then).
Ticket: OW#1261
Sponsored-by: On-Waves ehf
If the Attach Request procedure gets restarted e.g. because of a lost
message, all of these messages are stored if IMSI acquisition is in
progress.
This patch adds a test for this case and modifies the dump_peers
function to output the number of stored messages.
Note that the number of stored messages currently increases with each
(repeatedly) received Attach Request which is not the desired behaviour.
Sponsored-by: On-Waves ehf
Currently, a new P-TMSI within an Attach Accept or within an RA
Update Request is applied to the TLLI mapping (gbproxy_reassign_tlli)
_before_ patching is done. This can lead to inconsistent behaviour
when the TLLI validation has not been completed, which is the case
when subsequent RA UDP REQ are received. The new TLLI must not be
applied to the message itself yet, it should only be considered for
following messages.
This patch moves the TLLI reassignment to
gbproxy_update_tlli_state_after() to fix that.
It also separates the implementation of the feature that a new
tlli_info can be created when such a message is received from the
SGSN. This makes sense, when P-TMSI patching is not active and the
tlli_info entry has expired.
Sponsored-by: On-Waves ehf
Currently tlli_info are created for SGSN originated messages when
the SGSN TLLI cannot be found and P-TMSI patching is active. This
doesn't make much sense, since the BSS side TLLI is not known in this
case. Given that the SGSN is working properly, that can only happen
if either the tlli_info has expired or the gbproxy has been
restarted.
This patch disables the creation of a tlli_info in this case.
Note that these messages are passed unmodified to the MS so far.
Sponsored-by: On-Waves ehf
This adds a sequence of two RA update procedures to
test_gbproxy_ptmsi_patching(). Each of them assigns a new P-TMSI.
Note that the implementation fails to patch the RAI within the
message labelled 'RA UDP ACC (P-TMSI 3)' and logs 'TLLI sent by the
SGSN is unknown'.
Sponsored-by: On-Waves ehf
Currently the gbproxy sends STATUS messages that are not compliant to
GSM 08.18, 10.4.14.1: The BVCI must be included if (and only if) the
cause is either "BVCI blocked" or "BVCI unknown".
This patch adds a missing BVCI to UNKNOWN_BVCI and BVCI_BLOCKED
status messages if the BVCI is available. Otherwise, INV_MAND_INF is
used instead.
Sponsored-by: On-Waves ehf
Currently the numeric TLLI or tlli_info's enable_patching flag is
used to decide whether an APN shall be patched or the secondary SGSN
shall be used. Using the numeric TLLI imposes a problem, when
TLLI/P-TMSI patching is used, since gbproxy_check_tlli uses the BSS
side TLLI namespace when trying to get the tlli_info.
This patch modifies the gbproxy_check_tlli() function to accept a
tlli_info pointer instead of a numeric TLLI. The tlli_info is already
available when the function is called. Since a similar approach
has been used by accessing the enable_patching flag directly, this
commit unifies checking by always using this function instead of the
flag outside of gb_proxy_tlli.c.
This fixes the APN patching that doesn't work currently when P-TMSI
patching is enabled.
Sponsored-by: On-Waves ehf
This commit adds a single ACT PDP CTX REQ message to
test_gbproxy_ptmsi_patching() to check whether APN patching works in
this case, too.
Note that this doesn't work currently, the APN patch count is not
incremented.
Sponsored-by: On-Waves ehf
Some messages that are related to the BVC itself must be forwarded to
the secondary SGSN, too.
This patch implements this for BVC-RESET (BVCI != 0) and FLOW-CONTROL-BVC
messages. The resulting acknowledgement messages from the secondary
SGSN are silently dropped. The idea behind this is that the primary
SGSN is responsible for setting up and maintaining the BVC whereas
the secondary SGSN is rather passive and just has to accept it.
Ticket: OW#1258
Sponsored-by: On-Waves ehf
This patch modifies gbprox_process_bssgp_ul() to send the message to
the secondary SGSN if the IMSI has matched and routing to the
secondary SGSN is enabled. The destination for stored messages is
modified accordingly.
Ticket: OW#1261
Sponsored-by: On-Waves ehf
This patch adds a case to test the establishment (and shutdown) of
connection between 2 MS and 2 SGSN, where the assignment is based
on each IMSI. Since BVC-RESET and FLOW-CONTROL-BVC will have to be
sent to both SGSN, an ACK is simulated for both.
New functions to generate FLOW-CONTROL-BVC(-ACK) messages are
provided.
It modifies dump_peers to add the string "IMSI matches" to a TLLI dump
line if appropriate.
Note that there is no real support to use a secondary SGSN in the
gbproxy yet, but the test code reflects the expected behaviour when
the feature is implemented.
Sponsored-by: On-Waves ehf
Jacob ran the tests with ASAN and noticed that the state is
dead. This is on purpose as we have forced a change in the
transcoding. Re-load the state and verify that it has not
changed in the other cases.
To modify or route messages based on the IMSI the latter must be known
when the action shall take place.
This patch modifies the gbproxy to optionally retain and enqueue
messages from the MS while initiating an identification procedure.
Further message processing of the LLC PTP link towards the SGSN will
be done, when the identity of the MS has been acquired.
Note that the N(U) of the LLC GMM SAPI are not adjusted, so it is
possible that adjacent messages of a single LLC link arriving either
at the BSS or the SGSN have the same N(U) and might get discarded,
leading to retransmissions and additional delay.
Note also that retransmissions and packet loss are not yet handled
explicitly. If for instance the generated IDENT REQ gets lost, the
gbproxy will not act on its own. In this case, the MS will time out
and eventually resend the Attach Request on which the gbproxy will
act exactly like before (thus having two Attach Req messages in its
queue, which will both be sent after the Ident Resp arrives).
This has been tested successfully with an E71, needing one
retransmission by the SGSN due to an N(U) collision.
Ticket: OW#1261
Sponsored-by: On-Waves ehf
This patch copies test_gbproxy_ptmsi_patching to
test_gbproxy_imsi_acquisition as a base for a later test for IMSI
acquisition (which is not yet implemented). The idea behind this is
to make the different behaviour visible in the ok file without
compromising the P-TMSI test.
Sponsored-by: On-Waves ehf
Currently when patching is enabled and an error happens when
receiving a message from the SGSN, the patched message is sent back
with the PDU_IN_ERROR IE.
This patch modifies gbprox_rx_sig_from_sgsn() to copy the message
before it is patched, so that the original message can be used with
the STATUS message. gbprox_rx_ptp_from_sgsn() does all checks before
the message is patched, so copying is not necessary.
Since gbprox_rx_sig_from_sgsn() is not called for BSSGP UNITDATA
messages and the msgb has already been copied in the gbprox_relay2peer
function, the relative performance impact is expected to be low.
Note that the PDU IE of STATUS messages received from an MS and
forwarded to the SGSN will not be patched. STATUS messages from the
SGSN are only logged and not forwarded to the MS.
Sponsored-by: On-Waves ehf
Currently messages like these with a TLLI IE (BSSGP) are not
tested (properly) with TLLI patching.
This patch extends the send_bssgp_suspend* functions to accept a
TLLI as argument and adds the send_bssgp_llc_discarded function.
These are then used in test_gbproxy_ptmsi_patching() with a valid
TLLI.
Note that the TLLI IE patching doesn't work currently.
Sponsored-by: On-Waves ehf
In case we get offered G729 and G711 we might have selected
G729 as the audio codec. The first packet we receive might be
G711 though. In that case we will need to change. But only if
we have a matching alternate codec payload_type. E.g. in the
case of comfort noise we will receive the PT=11 and we don't
want to change.
In case of some RTP proxy from time to time we are offered both
G729 and G711 but only one of them will work. I intend to adjust
the codec at runtime in case we receive the wrong codec.
We might be offered multiple codecs by the remote and need to
switch between them once we receive data. Do this by moving it
to a struct so we can separate between proposed and current
codec. In SDP we can have multiple codecs but a global ptime.
The current code doesn't separate that clearly instead we write
it to the main codec.
The talloc_free on the nat lead to the freeing of the bsc_config
which lead to freeing of the rate_ctr_group. The rate_ctr_group
remained in a global list and the next creation of a bsc_config
would access dead memory. Fix it.
The free routine is only meant to be used by the test, for the
real nat we would need to make sure that all connections and
other state that refers to the cfg is removed/closed first.
Fix various memleaks in the test while we are at it. There are
still some to fix.
==7195== Invalid write of size 4
==7195== at 0x4043171: rate_ctr_group_alloc (linuxlist.h:65)
==7195== by 0x804D893: bsc_config_alloc (bsc_nat_utils.c:174)
==7195== by 0x804B5D2: main (bsc_nat_test.c:954)
==7195== Address 0x4311cbc is 52 bytes inside a block of size 208 free'd
==7195== at 0x4029D28: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7195== by 0x4048D98: _talloc_free (talloc.c:609)
==7195== by 0x4052806: talloc_free (talloc.c:578)
==7195== by 0x804B58A: main (bsc_nat_test.c:940)
This patch moves the peer related definitions from gb_proxy.c to
gb_proxy_peer.c and adjusts the prefix of each global symbol to
gbproxy_:
Peer definitions (prefix adjusted to gbproxy_):
  peer_ctr_description  -> gprs/gb_proxy_peer.c (static)
  peer_ctrg_desc        -> gprs/gb_proxy_peer.c (static)
  *peer_by_*            -> gprs/gb_proxy_peer.c
  gbproxy_peer_alloc    -> gprs/gb_proxy_peer.c
  gbproxy_peer_free     -> gprs/gb_proxy_peer.c
  gbprox_cleanup_peers  -> gprs/gb_proxy_peer.c
Sponsored-by: On-Waves ehf
This patch moves several functions and declarations out of gb_proxy.c
to make them reusable by other components and to separate them by
context and task.
Counter enums (prefix is changed to gbproxy_):
  enum gbprox_global_ctr        -> gprs/gb_proxy.h
  enum gbprox_peer_ctr          -> gprs/gb_proxy.h
Generic Gb parsing (prefix is changed to gprs_gb_):
  struct gbproxy_parse_context  -> openbsc/gprs_gb_parse.h
  gbprox_parse_dtap()           -> gprs/gprs_gb_parse.c
  gbprox_parse_llc()            -> gprs/gprs_gb_parse.c
  gbprox_parse_bssgp()          -> gprs/gprs_gb_parse.c
  gbprox_log_parse_context()    -> gprs/gprs_gb_parse.c
  *_shift(), *_match()          -> gprs/gprs_gb_parse.c (no prefix)
  gbprox_parse_gmm_*            -> gprs/gprs_gb_parse.c (static)
  gbprox_parse_gsm_*            -> gprs/gprs_gb_parse.c (static)
MI testing/parsing (prefix gprs_ added):
  is_mi_tmsi()                  -> gprs/gprs_utils.c
  is_mi_imsi()                  -> gprs/gprs_utils.c
  parse_mi_tmsi()               -> gprs/gprs_utils.c
TLLI state handling (prefix is changed to gbproxy_):
  gbprox_*tlli*                 -> gprs/gb_proxy_tlli.c
    (except gbprox_patch_tlli, gbproxy_make_sgsn_tlli)
Message patching (prefix is changed to gbproxy_):
  gbprox_*patch*                -> gprs/gb_proxy_patch.c
  gbprox_check_imsi             -> gprs/gb_proxy_patch.c
Sponsored-by: On-Waves ehf
Add LLC test messages containing XID (SAPI LLGMM, U frame) and IP traffic
(SAPI LL11, UI frame).
Add a test case containing a complete SGSN session with TLLI/PTMSI
patching enabled.
Sponsored-by: On-Waves ehf
This patch separates BSS side from SGSN side TLLI/PTMSI tracking. When
TLLI/PTMSI patching is not enabled, the corresponding states shall be
identical. The TLLI/PTMSI state has been moved into the struct
gbproxy_tlli_state and is used twice in gbproxy_tlli_info.
Since the state handling for uplink and downlink messages is
diverging, gbprox_update_state() is replaced by two functions
gbprox_update_state_dl/gbprox_update_state_ul and
gbprox_process_bssgp_message() is replaced by
gbprox_process_bssgp_dl/gbprox_process_bssgp_ul.
Sponsored-by: On-Waves ehf
This patch adds the functions send_bssgp_ul_unitdata(),
send_bssgp_dl_unitdata(), send_llc_ul_ui(), and send_llc_dl_ui().
They are used instead of send_ns_unitdata() in
test_gbproxy_ra_patching(). This makes it easier to modify TLLI, N(U),
and other parameters.
Sponsored-by: On-Waves ehf
The following parts of the messages have been fixed
- Attach Accept: checksum
- Attach Complete: checksum
- RA Update Accept: Use the same MS Radio Access Capabilities and
DRX Parameters like the other messages
The N(U) of most messages have not been fixed.
Sponsored-by: On-Waves ehf
Don't replace the current TLLI immediately, store it in an additional
'assigned_tlli' field and discard the old TLLI when both sides have
used the new one (see GSM 04.08, 4.7.1.5).
Add an Attach Complete message to test and check, whether the related
fields of the corresponding tlli_info struct are set as expected
during the local TLLI validation cycle.
Sponsored-by: On-Waves ehf
Currently the enable_patching field in tlli_info is not updated,
when an IMSI is assigned to a TLLI that is already known.
This patch fixes this in gbprox_update_state() after the call to
gbprox_update_tlli_info().
The number of APN increases and the test output file is updated
accordingly.
Sponsored-by: On-Waves ehf
GSM 24.008 also allows a P-TMSI field in Detach request messages.
This patch adds gbprox_parse_gmm_detach_req() to parse Detach Request
messages which sets the ptmsi field if the IE is present.
In addition, when power_off is set to 1 (MO only), the
invalidate_tlli field is set, since Detach Request message is
expected in this case.
The second detach test (see 'RA update') is modified to use
power_off instead of relying on a Detach Accept from the network.
To make this work, the PTMSI of the RA Update Accept is fixed to
match the TLLI of the Detach Request.
Sponsored-by: On-Waves ehf
We started with only testing the VTY but now test VTY and CTRL
interface with this python framework and might even extend this
to SMPP. So add an "--enable-external-tests" directive which
enables the external interface tests.
Add a separate function to clear the IMSI filter to be used instead of
gbprox_set_patch_filter(cfg, NULL, ...). Albeit it fixes a Coverity
issue (Unchecked return value), it is a false positive, since the
return value is always 0 in these cases. Nevertheless it is more
obvious what happens when an explicit clear function is called. Using
NULL as filter argument of gbprox_set_patch_filter still clears the
filter.
Fixes: Coverity CID 1231255
Sponsored-by: On-Waves ehf
This patch modifies the code to pass a pointer to the tlli_info
around once it has been acquired. To achieve this,
gbprox_register_tlli() and gbprox_update_state() are modified to
return it (if it has been found or created), and gbprox_patch_llc(),
gbprox_patch_bssgp(), and gbprox_update_state_after() are modified to
take it as parameter.
Add a new function gbprox_touch_tlli() to update timestamp and list
ordering for existing tlli_infos.
The motivation behind this patch is to make the tlli_info available to
the patching code and to avoid repeated searches for the same TLLI.
Sponsored-by: On-Waves ehf
This patch adds a combined expiry test to remove one entry by list
length and another by age.
This patch also modifies the existing age based test to register both
TLLI with a different timestamp and to remove only one of the TLLI
entries by age based expiration.
Sponsored-by: On-Waves ehf
Currently time() is called at several places to control TLLI aging.
Beside calling time() more often than necessary, the decision which
timesource is to be used is coded into the TLLI handling, and testing
complex aging scenarios is cumbersome.
This patch passes the current time as a parameter instead. The call
to time() is moved to gbprox_process_bssgp_message().
Sponsored-by: On-Waves ehf
This patch removes the call to gbprox_remove_stale_tllis()
from gbprox_register_tlli(), so it must be called explicitly now.
The call is now done from within gbprox_update_state_after().
In addition, the TLLI cache size counter is also kept in sync when
gbprox_remove_stale_tllis is called manually. The call to
gbproxy_peer_free() in gbproxy_peer_free() is moved behind the TLLI
to allow for counter updates in gbprox_delete_tlli().
Sponsored-by: On-Waves ehf
This adds a test for gbprox_set_patch_filter() and
gbprox_check_imsi().
It also fixes the masking of the type field when IMSIs are checked by
using GSM_MI_TYPE_MASK (0x07) instead of 0x0f.
Sponsored-by: On-Waves ehf
Currently only TLLIs for which it is known that they may be patched
are put into the TLLI list.
This patch changes this to add TLLIs even when the IMSI is not yet
known. An enable_patching flag is added to the gbproxy_tlli_info
structure to control patching.
Note that this puts every active TLLI into the list where accesses
are O(N) currently.
Sponsored-by: On-Waves ehf
This adds parsing support for the following messages:
- Attach Request: IMSI/PTMSI
- Identity Response: IMSI/PTMSI
- BSSGP: Optional TLLI IE
- BSSGP/PAGING_PS: PTMSI
A new new_ptmsi_enc field is added for newly assigned PTMSI in
SGSN->BSS messages (instead of ptmsi_enc). The ptmsi_enc field is now
used for informational PTMSI IE in messages.
Sponsored-by: On-Waves ehf
This adds a unit test for gbprox_register_tlli() and
gbprox_remove_stale_tllis().
The dump_peers() function is extended by a cfg parameter to support
a non-global gbproxy_config.
Done with Jacob
Global state prevents us from writing simple unit tests for
single routines. Go through the code and add pointers to the
gbproxy configuration. Only the vty and the test code remain
using the global gbproxy instance.
Create a testcase for the gprs_str_to_apn and gprs_apn_to_str
routines. While writing the testcase we noticed it is possible to
write more bytes than should have been allowed. This is fixed by
checking that the max_len is at least 1 (needed to write the first
length octet) and to do the size check before writing to the output.
Modify the signature of gprs_str_to_apn to put the length/size next
to the parameter that requires a size.
Done with Jacob
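
The "size check before writing" ordering described in the commit message above, as an added example that is not OpenBSC's code: `ex_str_to_apn()` and `ex_apn_to_str()` are hypothetical stand-ins for gprs_str_to_apn and gprs_apn_to_str, and their signatures, return values and rejection of empty labels are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper (not OpenBSC's gprs_str_to_apn): encode a dotted APN
 * string as length-prefixed labels. Returns the number of octets written,
 * or -1 if the input is malformed or does not fit into max_len octets. */
int ex_str_to_apn(uint8_t *out, size_t max_len, const char *str)
{
	size_t len_pos = 0; /* index of the current label's length octet */
	size_t pos = 1;     /* next free index in out */

	/* The first length octet is stored before any character is seen,
	 * so a buffer smaller than one octet is rejected up front. */
	if (out == NULL || str == NULL || max_len < 1)
		return -1;
	out[len_pos] = 0;

	for (; *str != '\0'; str++) {
		/* Check first, write second: each branch below stores exactly
		 * one octet at out[pos]. */
		if (pos >= max_len)
			return -1;
		if (*str == '.') {
			if (out[len_pos] == 0)
				return -1; /* empty label */
			len_pos = pos++;
			out[len_pos] = 0;
		} else {
			if (out[len_pos] == UINT8_MAX)
				return -1; /* length no longer fits one octet */
			out[pos++] = (uint8_t)*str;
			out[len_pos]++;
		}
	}
	if (out[len_pos] == 0)
		return -1; /* empty string or trailing dot */
	return (int)pos;
}

/* Hypothetical inverse: decode length-prefixed labels into a NUL-terminated
 * dotted string. Returns the string length, or -1 on truncated input or
 * insufficient output space. */
int ex_apn_to_str(char *out, size_t out_size, const uint8_t *apn, size_t apn_len)
{
	size_t in = 0, pos = 0;

	if (out == NULL || apn == NULL || out_size < 1)
		return -1;
	while (in < apn_len) {
		size_t label_len = apn[in++];
		size_t need;

		/* A label must not run past the end of the input. */
		if (label_len == 0 || label_len > apn_len - in)
			return -1;
		/* Room for an optional '.', the label and the final NUL. */
		need = label_len + (pos > 0 ? 1 : 0);
		if (need >= out_size - pos)
			return -1;
		if (pos > 0)
			out[pos++] = '.';
		memcpy(out + pos, apn + in, label_len);
		pos += label_len;
		in += label_len;
	}
	out[pos] = '\0';
	return (int)pos;
}
```
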
We intend to move some of these routines to libosmocore but to avoid
a feature symbol clash we are prefixing these routines with gprs_.
Done with Jacob
The application is called gbproxy but the structures and functions
were inconsistently named as either gbprox or gbproxy. Rename all
structures to use gbproxy.
Done with Jacob
This commit adds code to parse the PTMSI in network originated
messages
- Attach Accept,
- Routing Area Update Accept, and
- P-TMSI Reallocation Command (see below)
to keep track of the TLLI identifying the LLC connection.
The P_TMSI Realloc Command specific code is not being tested yet, so
a corresponding notice is logged when such a message will be
received.
NOTE:
The gbproxy will lose the TLLI when the MS doesn't receive/use
the message (normally the SGSN remembers the old TLLI for some time
to avoid this kind of problem). If this happens the MS will
probably restart the procedure and the network will have to answer
again eventually using one of the above messages which will
re-associate the IMSI with the TLLI before the MS can send a
PDP Context Request message.
Ticket: OW#1192
Sponsored-by: On-Waves ehf
This adds a set of functions that parse a single tlv, lv, tv, or v
encoded information element. They are complementary to the *_put
functions defined in libosmocore's tlv.h file. The functions update
the data and data_len fields unless they are a 'match' function and
the tag field doesn't match.
Sponsored-by: On-Waves ehf
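
A sketch of the shift/match behaviour described in the commit message above, as an added example that is not the project's code: the `ex_` names, the cursor struct, the return values and the "cursor untouched on truncation" rule are assumptions, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* The data/data_len pair that every shift function advances. */
struct ex_ie_cursor {
	const uint8_t *data;
	size_t data_len;
};

/* Constructed sample: IE 0x1f (2 octets) followed by IE 0x28 (1 octet). */
const uint8_t EX_SAMPLE[] = { 0x1f, 0x02, 0xaa, 0xbb, 0x28, 0x01, 0x07 };

/* V: consume exactly len octets. Returns len, or -1 if truncated. */
int ex_v_fixed_shift(struct ex_ie_cursor *c, size_t len, const uint8_t **value)
{
	if (len > c->data_len)
		return -1;
	*value = c->data;
	c->data += len;
	c->data_len -= len;
	return (int)len;
}

/* LV: one length octet, then that many value octets. */
int ex_lv_shift(struct ex_ie_cursor *c, const uint8_t **value, size_t *value_len)
{
	struct ex_ie_cursor tmp = *c; /* commit to *c only on success */
	const uint8_t *len_octet;

	if (ex_v_fixed_shift(&tmp, 1, &len_octet) < 0)
		return -1;
	if (ex_v_fixed_shift(&tmp, *len_octet, value) < 0)
		return -1;
	*value_len = *len_octet;
	*c = tmp;
	return 1 + (int)*value_len;
}

/* TLV: tag octet followed by an LV. Returns octets consumed or -1. */
int ex_tlv_shift(struct ex_ie_cursor *c, uint8_t *tag,
		 const uint8_t **value, size_t *value_len)
{
	struct ex_ie_cursor tmp = *c;
	const uint8_t *tag_octet;
	int rc;

	if (ex_v_fixed_shift(&tmp, 1, &tag_octet) < 0)
		return -1;
	rc = ex_lv_shift(&tmp, value, value_len);
	if (rc < 0)
		return -1;
	*tag = *tag_octet;
	*c = tmp;
	return 1 + rc;
}

/* Match variant: returns 0 and leaves the cursor alone when the next tag
 * differs (or nothing is left), otherwise behaves like ex_tlv_shift(). */
int ex_tlv_match(struct ex_ie_cursor *c, uint8_t tag,
		 const uint8_t **value, size_t *value_len)
{
	uint8_t seen;

	if (c->data_len < 1 || c->data[0] != tag)
		return 0;
	return ex_tlv_shift(c, &seen, value, value_len);
}

/* Walk a TLV sequence looking for one tag.
 * Returns 1 if found, 0 if absent, -1 if the sequence is malformed. */
int ex_find_ie(const uint8_t *buf, size_t len, uint8_t tag,
	       const uint8_t **value, size_t *value_len)
{
	struct ex_ie_cursor c = { buf, len };
	const uint8_t *skipped;
	size_t skipped_len;
	uint8_t seen;

	while (c.data_len > 0) {
		int rc = ex_tlv_match(&c, tag, value, value_len);

		if (rc != 0)
			return rc > 0 ? 1 : -1;
		if (ex_tlv_shift(&c, &seen, &skipped, &skipped_len) < 0)
			return -1;
	}
	return 0;
}
```
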
Currently the enabled_tllis_count field isn't always decremented when
an element is removed from the TLLI cache list.
This patch adds the missing update and also adjusts the counter
accordingly.
Sponsored-by: On-Waves ehf
Add TLLI cache output to gbprox_dump_peers() to include this info
into the test output.
Separate RA Update Req message handling from Attach Request handling.
Note: There is no test case for the P-TMSI Reallocation Command yet.
Sponsored-by: On-Waves ehf
This commit adds the following counters:
- attach-reqs: Number of Attach Request messages
- attach-rejs: Number of Attach Reject messages
- tlli-cache: Size of the TLLI cache
Sponsored-by: On-Waves ehf
This patch adds IMSI/TLLI connection tracking and uses it to control
APN patching based on the IMSI. TLLI entries can expire based on age
and/or by limiting the TLLI list size.
VTY config-gbproxy:
  no core-access-point-name                  disable APN patching
  core-access-point-name none                remove APN if present
  core-access-point-name APN                 replace APN if present
  core-access-point-name none match-imsi RE  remove if IMSI matches
  core-access-point-name APN match-imsi RE   replace if IMSI matches
  tlli-list max-age SECONDS                  expire after SECONDS
  no tlli-list max-age                       don't expire by age
  tlli-list max-length N                     keep N entries only
  no tlli-list max-length                    don't limit list length
RE is an extended regular expression, e.g. ^12345|^23456
Ticket: OW#1192
Sponsored-by: On-Waves ehf
Currently, all patching state is stored globally in the gbproxy. Thus
the feature cannot be used safely with a concentrating gbproxy (NAT).
This patch moves the state and relevant counters to the gbprox_peer
structure. It adds code to resolve the corresponding peer when
packets are received by looking at BVCI, NSEI, and BSSGP IEs (BVCI,
RAI/LAI/LAC) when the peer is not passed to the
gbprox_patch_bssgp_message() function.
Test cases are also added for the SGSN->BSS case including test cases
with invalid identifiers.
Note that this patch should make it possible to use RAI patching at a
NAT gbproxy as long as the messages are not encrypted.
Ticket: OW#1185
Sponsored-by: On-Waves ehf
This patch adds a Detach Request (MO) / Detach Accept sequence to the
test, followed by another (here invalid) Act PDP Context Req which
should be APN patched.
Sponsored-by: On-Waves ehf
Add a DTAP GMM Information message with an IMSI in the BSSGP header
to enable the association between IMSI and TLLI.
The TLLI of the Routing Area Update messages is set to foreign.
Sponsored-by: On-Waves ehf
Patch the APN in every 'Activate PDP Context Request' message to the
value given by the 'core-access-point-name' command. If the command is
given without an APN, the whole APN IE will be removed. If the
command is being prefixed by a 'no', the APN IE remains unmodified.
The patch mode 'llc-gsm' is added to selectively enable the patching
of LLC session management messages. This is enabled implicitly by
the patch mode 'llc'.
Note that the patch mode should not be set to a value not enabling
the patching of LLC GSM messages ('llc-gsm', 'llc', and 'default' are
sufficient to patch 'Activate PDP Context Request' messages).
Ticket: OW#1192
Sponsored-by: On-Waves ehf
This patch extends the BSSGP patch code to also patch LLC information
elements along with MCC/MNC patching support for the following messages:
- Attach Request
- Attach Accept
- Routing Area Update Request
- Routing Area Update Accept
- P-TMSI reallocation command
Note that encrypted packets will not be patched.
Ticket: OW#1185
Sponsored-by: On-Waves ehf
This adds a feature to patch the BSSGP MNC/MCC fields of messages going
to and coming from the SGSN. To enable this feature, the gbproxy's
VTY commands 'core-mobile-country-code' and/or
'core-mobile-network-code' must be used. All packets to the SGSN are
patched to match the configured values. Packets received from the
SGSN are patched to the corresponding values as last seen from the BSS
side.
Note that this will probably not work with a gbproxy used for several
BSS simultaneously.
Note also, that MCC/MNC contained in a LLC IE will not be patched.
Ticket: OW#1185
Sponsored-by: On-Waves ehf
This patch makes a few changes to improve readability:
- change the sendto() hexdump to start with NS instead of BSSGP
- use more specific message descriptions instead of 'UNITDATA'
- add a title line per test
Sponsored-by: On-Waves ehf
Jacob pointed out that "free_endp" refers to the memory of
the endpoint being freed. What we want is actually a way to
release an endpoint (and the resource it allocated) or in
the case of the testcase/testapp initialize the data structure
correctly. Introduce two names for that.
In case the sender didn't send a couple of frames we will have
a time gap that is bigger than the accepted delta. Add a new
testcase for this and update the next_time.
Transcoding from GSM to PCMA can lead to the MGCP MGW sending
two PCMA packages with the same sequence number and timestamp.
Once with the encoded audio and once completely empty.
This is because "state->dst_packet_duration" is 0 in most cases
(unless a ptime is forced) and we attempt to encode audio even
if there are not enough samples. The encode_audio return will
return 0 in that case which is not treated as an error by the
mgcp network code.
Handle rc == 0 specially and document the semantic.
The sequence number was read from the wrong place and then
the wrong byte order conversion routine was used so we ended
up writing 0x00, 0x00 into the patched sequence number. Add
a testcase for that.
It took me a long time to figure out that errx just exits and
the test output didn't indicate that the application was exited
early. Use a printf and good old abort in case of a failure.
An empty log_info is not enough. We need to make sure that at least
DLGLOBAL is present. Instead of doing that make sure that we have
enough entries.
==26163== Conditional jump or move depends on uninitialised value(s)
==26163== at 0x403B289: osmo_vlogp (logging.c:290)
==26163== by 0x403B3DA: logp2 (logging.c:339)
==26163== by 0x804D027: gbprox_relay2bvci (gb_proxy.c:347)
==26163== by 0x804D3CF: gbprox_rx_sig_from_sgsn (gb_proxy.c:589)
==26163== by 0x804DBFC: gbprox_rcvmsg (gb_proxy.c:685)
==26163== by 0x4052CB0: gprs_ns_process_msg (gprs_ns.c:669)
==26163== by 0x4052F70: gprs_ns_rcvmsg (gprs_ns.c:1053)
==26163== by 0x804BB49: gprs_process_message (gbproxy_test.c:488)
==26163== by 0x804BC4C: send_ns_unitdata (gbproxy_test.c:210)
==26163== by 0x804BDE8: send_bssgp_reset_ack (gbproxy_test.c:243)
==26163== by 0x804B54F: main (gbproxy_test.c:863)
==26163==
The peers are (talloc) children of the GPRS NS. This means the
peers (and the rate counters) are currently being deleted twice.
==23446== Invalid write of size 4
==23446== at 0x403C243: rate_ctr_group_alloc (linuxlist.h:66)
==23446== by 0x4050974: gprs_nsvc_create (gprs_ns.c:209)
==23446== by 0x405320D: gprs_ns_instantiate (gprs_ns.c:1330)
==23446== by 0x804ABEB: main (gbproxy_test.c:666)
==23446== Address 0x4300694 is 52 bytes inside a block of size 784 free'd
==23446== at 0x4029DA8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==23446== by 0x4041B9D: _talloc_free (talloc.c:609)
==23446== by 0x4043292: talloc_free (talloc.c:578)
==23446== by 0x40532D3: gprs_ns_destroy (gprs_ns.c:1363)
==23446== by 0x804ABD7: main (gbproxy_test.c:660)
This adds a test case with several messages to test BSSGP patching.
New messages:
- BSSGP/DTAP Attach Request
- BSSGP/DTAP Attach Accept
- BSSGP/DTAP Routing Area Update Request
- BSSGP/DTAP Routing Area Update Accept
- BSSGP/DTAP Activate PDP Context Request
- BSSGP SUSPEND
- BSSGP SUSPEND ACK
Sponsored-by: On-Waves ehf
This parameter is not used (the methods are always called with an
argument of 1 in the third position). Thus the parameter is removed
completely.
Sponsored-by: On-Waves ehf
Currently the terms 'Routing area code' (RAC) and 'Location area
code' (LAC) are used in several places where 'Routing area
identification' (RAI) or 'Location area identification' (LAI) are
meant in fact.
This patch replaces RAC/LAC by RAI/LAI and 'code' by 'identification'
at these places.
Note that RAI := MCC MNC LAC RAC, and LAI := MCC MNC LAC (see GSM
03.03, sections 4.1 and 4.2).
Sponsored-by: On-Waves ehf
Currently when fmtp_extra is set, a doubled a=rtpmap line is emitted
instead of the fmtp_extra info.
This patch replaces the formerly copied and pasted but not
modified snprintf parameters by the correct ones.
Fixes: Coverity CID 1220873
Sponsored-by: On-Waves ehf
Add tests setting the fmtp_extra field to check the response
generation. This triggers a bug found by Coverity.
Addresses: Coverity CID 1220873
Sponsored-by: On-Waves ehf
Currently, if there is no SDP data in the MGCP message received from
the net, the fields containing audio encoding information are not set
in net_end. So in recvonly mode transcoding would not be set up
correctly.
This patch changes the implementation of the code handling CRCX and
MDCX to use the codec signalled in the MGCP local connection options
(field 'a:') if there isn't any SDP data. This is only halfway
negotiation, because the codec is used blindly and not matched
against the supported ones.
Sponsored-by: On-Waves ehf
This patch moves the files relevant to transcoding from
src/osmo-bsc_mgcp to src/libmgcp and src/include/openbsc. Makefiles
and include directives are being updated accordingly.
Sponsored-by: On-Waves ehf
The code currently uses an encoded sequence of (hex) 10 20 30 40 50
60 as RAI, for which no bijective mapping to the set of
representations MCC-MNC-LAC-RAC exists.
This patch changes the hard-coded RAI to 11 22 33 40 50 60 which maps
to 112-332-16464-96 (and vice-versa).
Sponsored-by: On-Waves ehf
This addresses an ASAN issue where the request was already deleted
by our callback function.
(gdb) where
#0 0xb69e7810 in __asan_report_error () from /usr/lib/i386-linux-gnu/libasan.so.0
#1 0xb69e0aff in __asan_report_store4 () from /usr/lib/i386-linux-gnu/libasan.so.0
#2 0x0804ea64 in subscr_send_paging_request (subscr=subscr@entry=0xb5103cb0)
at gsm_subscriber.c:212
#3 0x0804edac in subscr_get_channel (subscr=subscr@entry=0xb5103cb0, type=type@entry=2,
cbfn=cbfn@entry=0x804969d <subscr_cb>, param=param@entry=0x2342) at gsm_subscriber.c:246
#4 0x080498f7 in main (argc=1, argv=0xbffff804) at channel_test.c:77
Breakpoint 3, subscr_paging_dispatch (hooknum=hooknum@entry=101, event=event@entry=200,
msg=msg@entry=0x1323, data=<optimized out>, data@entry=0x8063900 <s_conn>,
param=<optimized out>, param@entry=0xb5103cb0) at gsm_subscriber.c:126
126 llist_del(&request->entry);
(gdb) b llist_del
(gdb) bt
#0 subscr_paging_dispatch (hooknum=hooknum@entry=101, event=event@entry=200,
msg=msg@entry=0x1323, data=<optimized out>, data@entry=0x8063900 <s_conn>,
param=<optimized out>, param@entry=0xb5103cb0) at gsm_subscriber.c:126
#1 0x0804e8a9 in subscr_paging_cb (hooknum=101, event=200, msg=0x1323,
data=0x8063900 <s_conn>, param=0xb5103cb0) at gsm_subscriber.c:187
#2 0x080497e9 in paging_request (bts=0xb5b03e70, subscriber=subscriber@entry=0xb5103cb0,
type=2, cbfn=cbfn@entry=0x804e881 <subscr_paging_cb>, data=data@entry=0xb5103cb0)
at channel_test.c:51
#3 0x0804ea39 in subscr_send_paging_request (subscr=subscr@entry=0xb5103cb0)
at gsm_subscriber.c:207
#4 0x0804edac in subscr_get_channel (subscr=subscr@entry=0xb5103cb0, type=type@entry=2,
cbfn=cbfn@entry=0x804969d <subscr_cb>, param=param@entry=0x2342) at gsm_subscriber.c:246
#5 0x080498f7 in main (argc=1, argv=0xbffff804) at channel_test.c:77
(gdb) q
In ae1997248c the handwritten tokenizer
was replaced with strtok_r. As part of this change the structural
checking of MGCP parameters was stopped. This means that a code like
"line + 3" might access beyond the first NUL and be possibly behind
the msgb. Manually add size checking again. Manually jumping to the
error label is not possible anymore as it has been removed. The result
is that invalid lines will be skipped. This is matching the general
approach by the IETF RFCs to be permissive in data being received.
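
The size check the commit message above describes, as an added example that is not the project's code: the `ex_` names and the struct are hypothetical, the single-letter "X: value" line shape is an assumption taken from the quoted "line + 3", and the loop splits lines in place the way a strtok_r loop would.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result struct for three single-letter MGCP parameters. */
struct ex_mgcp_params {
	const char *call_id;    /* value of "C: ..." */
	const char *local_opts; /* value of "L: ..." */
	const char *mode;       /* value of "M: ..." */
	unsigned int skipped;   /* lines rejected by the size check */
};

/* Return the value of an "X: value" line, or NULL when the line is too
 * short or malformed for line + 3 to stay inside the string. In a buffer
 * that was tokenized in place, line + 3 of a short line such as "L:" lands
 * in the following line, and for the last line past the end of the message. */
const char *ex_param_value(const char *line)
{
	if (line == NULL || strlen(line) < 3)
		return NULL;
	if (line[1] != ':' || line[2] != ' ')
		return NULL;
	return line + 3; /* the value, or the terminating NUL if it is empty */
}

/* Split body into lines in place and pick up the known parameters.
 * Invalid lines are counted and skipped instead of aborting the parse. */
void ex_parse_params(char *body, struct ex_mgcp_params *out)
{
	char *line = body;

	memset(out, 0, sizeof(*out));
	for (;;) {
		const char *value;
		char *end;

		line += strspn(line, "\r\n"); /* collapse delimiters */
		if (*line == '\0')
			break;
		end = line + strcspn(line, "\r\n");
		if (*end != '\0')
			*end++ = '\0'; /* terminate this line */

		value = ex_param_value(line);
		if (value == NULL) {
			out->skipped++;
		} else {
			switch (line[0]) {
			case 'C':
				out->call_id = value;
				break;
			case 'L':
				out->local_opts = value;
				break;
			case 'M':
				out->mode = value;
				break;
			default:
				break; /* unknown parameter, ignored */
			}
		}
		line = end;
	}
}
```
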
This patch adds the voice muxer. You can use this to batch RTP
traffic to reduce bandwidth consumption. Basically, osmux transforms
RTP flows to a compact batch format, that is later on decompacted
to its original form. Port UDP/1984 is used for the muxer traffic
between osmo-bsc_nat and osmo-bsc_mgcp (in the BSC side). This
feature depends on libosmo-netif, which contains the osmux core
support.
Osmux is requested on-demand via the MGCP CRCX/MDCX messages (using
the vendor-specific extension X-Osmux: on) coming from the BSC-NAT,
so you can selectively enable osmux per BSC from the bsc-nat.cfg
file, so we have a centralized point to enable/disable osmux.
First thing you need to do is to accept requests to use Osmux,
this can be done from VTY interface of osmo-bsc_nat and
osmo-bsc_mgcp by adding the following line:
  mgcp
   ...
   osmux on
   osmux batch-factor 4
This just initializes the osmux engine. You still have to specify
what BSC uses osmux from osmo-bsc_nat configuration file:
  ...
  bsc 1
   osmux on
  bsc 2
   ...
  bsc 3
   osmux on
In this case, bsc 1 and 3 should use osmux if possible, bsc 2 does
not have osmux enabled.
Thus, you can selectively enable osmux depending on the BSC, and
we have a centralized point for configuration from the bsc-nat to
enable osmux on demand, as suggested by Holger.
At this moment, this patch contains heavy debug logging for each
RTP packet that can be removed later to save cycles.
The RTP ssrc/seqnum/timestamp is randomly allocated for each MDCX that
is received to configure an endpoint.
Add the control interface with no hierarchy right now and implement
the first command to list IMSI + Context Address of active sessions.
sgsn_cmd_handle could share more code with bsc variant.
Fixes: SYS#264, SYS#265
Sadly there is no proper foreign key relationship on the tables
that relate to the Subscriber. This means we can't use a DELETE
with Cascade and need to delete everything by hand. To make things
worse maybe the SMS/Paging code is still using the subscriber
making the operation more dangerous. I had added NULL checks for
sender_id/receiver_id at 30C3 so we should not crash in this
situation.
Fixes: SYS#274
The test has been manually verified. Executing the select for
the subscribers showed:
sqlite> select * from Subscriber;
1|2014-03-23 12:12:46|2014-03-23 12:19:09|2620345||445567|1||0|
This created a subscriber with the right IMSI, MSISDN and has
it authorized.
Fixes: SYS#275
The new definitions are: half rate and AMR
Change of definition name for bad frame, because it applies to all types of
traffic, not only TCH/F.
Increase MNCC interface version to 4. Version 3 is skipped, because it was
used by older version of Linux-Call-Router which is incompatible with the
current version of the MNCC interface.
Send the two strings that caused the read handling to misbehave.
Verify that we handle this correctly by still being able to issue
a VTY command. The CPU load issue could not be verified like this.
Make sure that bsc_gsmnet->bsc_data->rf_ctrl is initialized for
NITB. In commit a9fae1ae66 the
conditions for the rf_ctrl were removed but it was still needed
for the NITB.
Fixes regression from:
a9fae1ae66
bsc: rf_ctrl will always be created, remove the NULL checks