Commit Graph

6332 Commits

Author SHA1 Message Date
Neels Hofmeyr a7fd88ce1b msc_vlr_tests: add test_a5_3_not_supported
See also change-id I72a1dbb30e0a39dbf4b81c7e378d5607b62e10d3 in
osmo-ttcn3-hacks.git, which adds a similar test to the MSC_Tests.ttcn suite.

Writing this test helped me fix the issue faster, why not keep it now that it's
there.

Related: OS#2947
Change-Id: Iba56556207cf6e79e6531b0e7dd3eaec28fb5eaa
2018-03-10 23:21:34 +01:00
Neels Hofmeyr a9099bc99a cosmetic: vlr_auth_fsm: log RAN and size along with SRES/RES
Change-Id: Ib0f9f573ffac2302fbd3ee28f48ccd8fce5fe286
2018-03-10 22:23:13 +01:00
Neels Hofmeyr 11d2ce3e34 cosmetic: vlr_auth_fsm: clarify decision on UMTS AKA or GSM AKA
The code deciding on whether UMTS AKA is used was cascaded and convoluted. By
flattening the decisions, they become easier to read and possibly catch more
weird corner cases / log information more clearly.

- First decide what AKA the RES length reflects.
- Then decide whether all prerequisites for UMTS AKA are satisfied.
- Finally, on UTRAN, turn down the auth if we don't have UMTS AKA, and neatly
  log all of the potential causes.

One corner case that should never occur is that the UMTS AKA RES length is
actually the same length as the GSM AKA SRES. If this nevertheless occurs, log
this as an error, though not turning down authentication because of it. (The
effect is that we would favor UMTS AKA when it has a res_len == sizeof(sres)
and would not succeed to GSM AKA. At least the log will tell us why, now.)

Adjust an expected test output, trivial logging difference.

Change-Id: I43f7f301ea85e518bac91f707391a53182e54fab
2018-03-10 22:23:13 +01:00
Neels Hofmeyr 31adcae654 msc_vlr_test_umts_authen: test response with only SRES half of RES
Change-Id: I0e9099625bd9d3de3db5ee29fbf81b2d8a30071d
2018-03-10 22:23:13 +01:00
Neels Hofmeyr c6d20dd5a2 msc_vlr_test_umts_authen: test response with too long RES
Change-Id: Ie5473f06fc2d04c6a9f343da5764ec95b292a5f9
2018-03-10 22:23:13 +01:00
Neels Hofmeyr 15ed426df2 msc_vlr_test_umts_authen: test response with too short RES
Change-Id: Ia1bc57b3dc1f3c3c654ba2d907b16ba925cd03e8
2018-03-10 22:23:13 +01:00
Neels Hofmeyr d97821f8e5 cosmetic: gsm48_rx_mm_auth_resp(): log 'UMTS AUTH', not 'R99 AUTH'
Change-Id: Iba43c685cbe238d96175267e9cc954b2f2f3e7fc
2018-03-10 22:22:56 +01:00
Neels Hofmeyr 25f69d5615 gsm48_rx_mm_auth_resp(): pass is_r99 from classmark, not response size
Do not interpret the SRES/RES length returned in the auth response as the R99
capability bit, instead determine it from the actual Classmark information
associated with the conn.

This fixes the is_r99 flag passed in to vlr_subscr_rx_auth_resp(), which ends
up in the struct vlr_auth_resp_par dispatched to the auth_fi and influences the
authentication acceptance.

Though the effect of a wrongly-set-to-false R99 flag is not harmful in this
code path, let's not get this confused.

Change-Id: Ib7f7d89a8b9455d2c022d53d74328fa7488577f4
2018-03-10 22:14:01 +01:00
Neels Hofmeyr 8e0af0ba69 vlr auth: gracefully reject malformed auth response
Instead of just closing down the conn hard, actually feed invalid auth response
data to vlr_subscr_rc_auth_resp() in order to trigger all the actions we want
to see with a failed authentication:
- a GSUP signal that the auth failed,
- a LU reject.
Verify this in new test_wrong_sres_length() in msc_vlr_test_gsm_authen.c.

Note that in gsm48_rx_mm_auth_resp(), the is_r99 flag is falsely derived from
the RES length, which upcoming commit Ib7f7d89a8b9455d2c022d53d74328fa7488577f4
will fix.

Change-Id: I4179a290069ac61d0662de4ec7ca3edb76988899
2018-03-10 22:12:13 +01:00
Neels Hofmeyr 7795a19ced vlr: fix GSM AKA in a UMTS AKA capable environment
Switch by vsub->sec_ctx to use the proper Kc for ciphering.

Even on an R99 capable MS with a UMTS AKA capable USIM, the MS may still choose
to only perform GSM AKA, as long as the bearer is GERAN. The VLR already stores
whether the MS replied with a GSM AKA SRES or a UMTS AKA RES in vsub->sec_ctx.
So far, though, we were always using the UMTS AKA Kc just because the USIM and
core net are capable of it, ignoring the choice the MS might have made in the
Authentication Response.

In msc_vlr_test_gsm_ciph, fix the test expectations to the correct GSM AKA Kc
keys, showing that all of LU, CM Service Request and Paging Response now
support MS choosing GSM AKA in a UMTS capable environment.

Related: OS#2793
Change-Id: I42ce51ae979f42d173a45ae69273071c426bf97c
2018-03-10 20:58:24 +00:00
Neels Hofmeyr cac6e89d2a msc_vlr_test_gsm_ciph: add test for GSM AKA in UMTS environment
Even on an R99 capable MS with a UMTS AKA capable USIM, the MS may still choose
to only perform GSM AKA, as long as the bearer is GERAN. In that case, we must
make sure to send the GSM AKA Kc for ciphering.

Add test_gsm_ciph_in_umts_env() to msc_vlr_test_gsm_ciph.c to answer an Auth
Request with a GSM AKA response (see the log stating "AUTH established GSM
security context" after we sent a UMTS AKA challenge).

In the test, show that we currently send the *wrong* Kc, i.e. the UMTS AKA
derived Kc for GERAN, instead of the correct Kc for GSM AKA (which was received
from the HLR in the auth tuples).

Subsequent patch I42ce51ae979f42d173a45ae69273071c426bf97c will fix this and
correct the test expectations.

Related: OS#2793
Change-Id: I85f12a20dcd701e671188e56811ec7b58d84da82
2018-03-10 20:58:24 +00:00
Neels Hofmeyr dbabfd3c43 msc_vlr_tests: clearly separate Ciph Mode from Security Mode checking
Clearly distinguish between Ciphering Mode Command on GERAN and Security Mode
Control on UTRAN.

Cosmetic: explicitly verify the key strings in the testing code (not only in
the expected output).

Change-Id: Ica93ed06c4c63dc6768736d25231de8068001114
2018-03-10 20:58:20 +00:00
Neels Hofmeyr d656dff235 silent call: clarify rc and error messages logged on vty
In gsm_silent_call_{start,stop}(), return meaningful error codes and interpret
them on the VTY to clearly indicate the result.

Change-Id: Id5abb8f2ba901689e03040af8e51483b6c618e7f
2018-03-10 05:17:38 +01:00
Neels Hofmeyr e9495388d9 msc_main: do not say 'osmo-nitb' in the usage
Change-Id: I2090097dc0d7e0251c116b95b802076df3419455
2018-03-10 05:17:38 +01:00
Neels Hofmeyr 596ef65a6b vty: add 'subscriber ... paging' cmd
Allow issuing an empty paging from the VTY, for debugging purposes.

Change-Id: I403904cb789ece699f14b4cbd52c336eb02d45e4
2018-03-10 05:17:38 +01:00
Neels Hofmeyr 11010b1b85 vty: add 'msisdn' as alias for 'extension'
Rationale: in the HLR, it is called 'msisdn' after the database column, so a
user going back and forth between osmo-hlr and osmo-msc would appreciate being
able to type 'msisdn' in the MSC's vty as well.

Change-Id: I7b46f9736421e8edd8a95ae89e025ebe486fde4c
2018-03-10 05:17:38 +01:00
Neels Hofmeyr 72a41dd198 vty: drop unused commands
Change-Id: I76d6777ebe9105b8abf37993b86c3749a7e18008
2018-03-10 05:17:38 +01:00
Neels Hofmeyr 1db394f22b fix: clear vlr_subscr->msc_conn_ref when the conn is discarded
Before this, it was for example possible to crash the MSC by the vty 'show
subscriber' command, which would dereference a potentially stale
vsub->msc_conn_ref pointer.

Related: OS#3050
Change-Id: Ia4105d9f135ba3216ad3c86157be7658b1d568fb
2018-03-10 05:17:38 +01:00
Philipp Maier ce1298b7dc a_iface: fix BSSMAP reset handling
When osmo-msc restarts it loses all information about the BSC. The
BSC will not be aware of the reboot and on the next communication
attempt it will notice that something is wrong and start the reset
procedure on its side. osmo-msc will receive the reset messages
and send a reset.

The reset is received. Osmo-msc detects that no context information
is created yet. The context is created. Then it is checked if the
UNITDATA message that came in is a reset. If it is one, nothing
happens. The UNITDATA is passed on and triggers the RESET-ACK
some layers above. Unfortunately by the current code this also
means that no reset FSM is created and therefore a_reset_conn_ready()
can never be true, which means it will also drop any legitimate
reset from the BSC in the future.

- Ensure that the reset FSM is always created when a new BSC
  context is created

- Make sure that reset related traffic always passes so that
  the higher layers can handle the procedure properly

Change-Id: I3fdcec5dbeaa0e21fd6a92568a623faa368239be
2018-03-07 18:10:23 +01:00
Max 48d4ec06e1 VLR: fix potential NULL dereference
The vlr_subscr_get() can return NULL if its argument is NULL
(which isn't checked for) so before dereferencing its result
we should check for it.

Change-Id: I13632908d0b67323202effa9dd6f29732a12cc91
2018-03-05 14:29:55 +00:00
Neels Hofmeyr da21a52c92 msc_vlr_tests: improve cipher mode coverage
Actually call msc_vlr_set_ciph_mode() and wrap away a_iface_tx_cipher_mode()
and ranap_iu_tx_sec_mode_cmd(). Hence we'll see decisions and errors in
msc_vlr_set_ciph_mode() as well.

Change-Id: Id23bc245d4b5707edcd27c44db272fbb211bf9bd
2018-03-02 17:00:37 +01:00
Neels Hofmeyr f3d81f6ef5 msc_vlr_tests: make all test functions static
All functions in the individual msc_vlr_test_*.c files should be static; hence
we would be warned if one of them were unused (forgotten to add to the tests
array).

Change-Id: Ia169c6a1443a48879ab4777e09c2040c48810bf6
2018-03-02 03:22:16 +01:00
Neels Hofmeyr 87524ab620 msc_vlr_test_gsm_ciph: drop unused function
This test is actually in msc_vlr_test_rest.c, shouldn't be copied here, and was
anyway unused.

Change-Id: I9bba10a05d43f7f94aa2cd6dcb63dd8f2f644d35
2018-03-02 03:22:16 +01:00
Neels Hofmeyr dfdc61de68 msc_vlr_tests: revert IMSI parameter and test nr output
Three recently merged commits take the msc_vlr_tests in a wrong direction.

The IMSI is usually encoded in the hex streams. The rationale behind hex
streams is that it is a) easily copied from a wireshark trace and b) exactly
the bytes as sent by an actual phone. It is hard to parameterize the IMSI
because we would have to employ our encoding functions, which I intentionally
want to keep out of the loop here.

The test number should not appear in the normal test output, so that adding a
test or changing their order does not affect expected output for following
tests. The nr is simply for manual invocation, only seen when invoked with -v.

Revert
- "VLR tests: always print test parameters"
  b0a4314911.
- "Expand VLR tests"
  d5feadeee8.
- "Move IMSI into test parameters"
  093300d141.

Change-Id: Ie1b49237746751021da88f6f07bbb9f780d077c9
2018-03-02 03:22:16 +01:00
Neels Hofmeyr c5e0ace751 vlr_lu_fsm: guard against using the wrong fi
Various functions in vlr_lu_fsm.c belong to one of the four FSMs defined in
that file. After the recent error was uncovered where the lu_fsm called
lu_compl_fsm()'s termination function, I want to make sure it's correct.

Introduce distinct inline functions to dereference the respective fi->priv
pointers, each asserting that the fi indeed belongs to the proper FSM. Use
those *everywhere* to dereference fi->priv.

From this patch on, we are sure beyond doubt that we are not inadvertently
passing an fi pointer to the wrong FSM's handling functions, though we will
only catch this at runtime -- but then will immediately know the reason.

vlr_lu_fsm.c is the only file defining more than one FSM, so the other FSM
definitions are already reasonably safe.

Change-Id: I7419a780ff2d8b02efc4195bb1702818e4df181c
2018-03-02 03:21:14 +01:00
Neels Hofmeyr d2278ec899 vlr: fix post-auth LU failure handling
From the vlr_loc_update() FSM, don't call the vlr_lu_compl_fsm_failure()
function. These are two distinct FSMs with distinct priv pointers, but they are
defined in the same .c file.

In vlr_loc_upd_post_auth(), change two erratic calls of
vlr_lu_compl_fsm_failure() to lu_fsm_failure(), so that the proper fi and priv
struct are used.

Fixes: OS#2947
Change-Id: I7fd2c6fa23254fffd0d526e53541f4068153929f
2018-03-02 03:20:21 +01:00
Neels Hofmeyr 379d5799f0 implement support for 3-digit MNC with leading zeros
Add 3-digit flags and use the new RAI and LAI API from libosmocore throughout
the code base to be able to handle an MNC < 100 that has three digits (leading
zeros).

Depends: Id2240f7f518494c9df6c8bda52c0d5092f90f221 (libosmocore),
         Ib7176b1d65a03b76f41f94bc9d3293a8a07d24c6 (libosmocore)
Change-Id: I82f0016d9512ee8722a3489a3cb4b6c704a271fc
2018-02-28 19:30:14 +01:00
Neels Hofmeyr 7f48420923 cosmetic: gsm_network_init(): imply default 001-01 PLMN
All callers pass mcc=1, mnc=1, so just have it as default.
(Prepare for net->country_code etc to be replaced by net->plmn)

Change-Id: Ibcd1cc38f170895305ae176a5574384c74a33939
2018-02-27 13:01:42 +01:00
Philipp Maier e4f9172f44 msc_mgcp: Add FSM event names
The FSM (fsm_msc_mgcp) lacks a proper definition of the FSM event
names. This causes problems when inspecting the FSM using the VTY.

- Add proper FSM Event names

Closes: OS#2924

Change-Id: I6823756a63b08a71e5518130e49751aa073dbcd2
2018-02-26 15:50:17 +00:00
Philipp Maier 58616788ba a_reset: Add FSM event names
The FSM lacks a proper definition of the FSM event names. This causes
problems when inspecting the FSM using the VTY.

- Add proper FSM Event names

Change-Id: I76d7d9e0accffd433a3f3b5e5f8ab17ecd4a348c
Related: OS#2924
2018-02-26 16:03:05 +01:00
Stefan Sperling 617ac806c7 enable osmo_fsm vty commands in osmo-msc vty
Call osmo_fsm_vty_add_cmds() to make osmo_fsm VTY commands available
in osmo-msc's VTY interface.

Change-Id: Iaf970f6039c3f668f275dd8c21fb9071774a5d9e
Related: OS#2967
2018-02-22 17:58:20 +01:00
Neels Hofmeyr 2568f01779 drop unused libmsc/meas_feed.h
Change I0d57ac214e574e267fa9752daf76566197b9aa64 forgot to remove this
file along with meas_feed.c.

Note also the weirdness: that patch removes the proper
include/osmocom/msc/meas_feed.h, but there's also this other one.

This libmsc/meas_feed.h always existed from the start as an unused
orphan, see: 

https://git.osmocom.org/osmo-bsc/diff/openbsc/src/libmsc/Makefile.am?id=b4771a6871efb3cf12b371aedc575912984ca528

No need to drop from Makefile.am, since it is already gone from there.

(meas_feed from the old osmo-nitb (openbsc.git) has / should have moved to
osmo-bsc. There are no measurement reports in the MSC. Refer to osmo-bsc.git
instead from now on.)

Change-Id: Ib2566013dd30b21ce2774cd4cc7dcba2408f938f
2018-02-19 17:01:11 +00:00
Daniel Willmann 58d9dd8b3f libmsc: Pretend MNCC requested release in handle_error()
Send a release request to the MS so the connection does not stay open
indefinitely.

Change-Id: I7669d29cf5be3e4a60a1d121edbfcf9056f6d82b
2018-02-19 08:29:17 +00:00
Pau Espin 02a79d8545 libmsc: bssap: Remove fixme and properly update msgb tail
Change-Id: I28073efd5cff58cd212341bceee784caf08d5ad8
2018-02-16 13:29:57 +01:00
Daniel Willmann 4e825b6a68 libmsc: Add a function to return a unique ID of the subscriber conn
The ID will include the type of connection (GERAN_A, UTRAN_IU) followed
by the SCCP conn_id.
This can be used for the fsm instance ID before we know the IMSI.

Change-Id: I4b875772e3994ad3458ee60dbf880604486d9afd
2018-02-16 08:09:33 +00:00
Daniel Willmann 6fbd3bf732 iucs: Add a function to return the connection ID for the IU SCCP conn
Change-Id: Ica4a7f463fcf1bd67fe082296cecea8d10f2fc5b
2018-02-16 08:09:32 +00:00
Pau Espin 75559284d0 libmsc: bssap: Catch TLV parse failures
Change-Id: I1d1951f4a5daf200e85c76fea14a35e952491d27
2018-02-14 14:31:45 +01:00
Pau Espin 31776ff58f libmsc: bssap: Refactor rx paths to avoid parse_tlv code duplication
Change-Id: I6aef9a94fa5b2e0b62a9c1744b8e18e5985f788f
2018-02-14 14:31:45 +01:00
Pau Espin 9f055f5983 libmsc: bssap: Fix typo in log message
Change-Id: I941cd7f4e9eec3e4f2786100a0e64770d5aee4a7
2018-02-14 14:13:43 +01:00
Harald Welte c0e425dbd0 remove dead code (gsm_parse_reg)
Change-Id: I47b0260561a9c2bad65c50c8164873e4c23d61b7
2018-02-14 09:04:56 +01:00
Harald Welte 098aa71e83 remove unused "auth policy" VTY command
This is yet another unused bit from the OsmoNITB legacy.

Related: OS#2528
Change-Id: I825e659da529257e5edec94d9d59f0e10c1b4c63
2018-02-14 09:04:56 +01:00
Harald Welte 2346619c1a remove unused "authorized-regexp" VTY command
This is another left-over VTY command from the OsmoNITB days.

If such functionality is desired, it must be implemented in OsmoHLR,
but not here.

Related: OS#2528
Change-Id: Icf0897c47388e49ba7886b55acc728a6f7d213fe
2018-02-14 09:04:52 +01:00
Harald Welte 27b40c601c remove unused VTY command "location updating reject cause"
OsmoMSC is using whatever reject cause is appropriate in the given
situation.  This user-configurable reject cause only had relevance
in OsmoNITB, and hence it is an unused parameter that can be removed
in OsmoMSC.

Related: OS#2528
Change-Id: Ie1f39e706477aaf42051877b52d4b3ae1c5f138e
2018-02-14 08:29:24 +01:00
Harald Welte 3db47c4e51 osmo-msc: Add talloc context introspection via VTY
This requires libosmocore with Change-Id
I43fc42880b22294d83c565ae600ac65e4f38b30d or later.

Change-Id: I575500bd911f9792ab5ca76eebb1d2682ee34fa3
2018-02-14 00:56:26 +00:00
Harald Welte 7421a6e4b7 remove unused dyn_ts_allow_tch_f VTY option
This belongs into the BSC and has no relevance in the MSC, as the MSC
has no clue about dynamic timeslots.

Related: OS#2528
Change-Id: Iaa41d22db81120572d4cd2c0c4c75d258947a42f
2018-02-14 00:28:10 +01:00
Harald Welte 9199f8b60d dead code removal
Related: OS#2528
Change-Id: I89157c446d66e11adbe3cad587eb34ec40271c12
2018-02-14 00:28:07 +01:00
Harald Welte d5db170261 remove bsc_api.h and all users - they're all dead code
Related: OS#2528
Change-Id: I332aa8697c98a0d7b3db65f98711275da3d381d7
2018-02-14 00:28:02 +01:00
Harald Welte c93ce02042 gsm_data: remove unused gsm_subscriber_connection members
The mncc_rtp_create_pending and mncc_rtp_connect_pending members
were unused, let's remove them.

Related: OS#2528
Change-Id: I417e23ec53323ddd8e1e5d18952566fe8fd6ac24
2018-02-14 00:27:52 +01:00
Harald Welte 4804c558ea MNCC: Copy bearer_cap from MNCC to gsm_trans
When we receive bearer capabilities from MNCC and encode them into
a CC message, we have to also update our "cache" inside 'struct
gsm_trans'.  Only that way, the BSSMAP ASSIGNMENT code is aware of
the actual current/present bearer capabilities such as permitted speech
codecs.

This will in practise only work if the related CC/MNCC message with
bearer_cap IE will happen before the MSC performs the BSSMAP ASSIGNMENT
procedure.  Our logic still needs to change in a way that the CC/MNCC
code in gsm_04_08.c detects if trans->bearer_cap != new bearer_cap, and
in that case triggers a new follow-up BSSMAP ASSIGNMENT.

Change-Id: I6838dc0c8c4c2c6bba385da548c92f3fc91060c1
Closes: OS#2854
2018-02-12 12:32:48 +01:00
Harald Welte 329588721f MT Calls: Copy bearer capabilities from MNCC primitive to trans
When we receive a MNCC_SETUP_REQ primitive from the external MNCC
handler, we must not only encode it into the TS 04.08 CC SETUP, but
also keep it around in the "trans" structure representing this voice
call, as it is needed e.g. at BSSMAP ASSIGNMENT time.

Change-Id: Ib6919d148ff6687112e8166dbde947be19e70a76
Related: OS#2322
Closes: OS#2929
2018-02-12 11:56:51 +01:00