#include #include #include #include #include #include #include #include #define X(s) (1 << (s)) static int require_identity_imei = 1; static int require_auth = 1; static const struct osmo_tdef_state_timeout gmm_attach_fsm_timeouts[32] = { [ST_IDENTIY] = { .T=3370 }, [ST_AUTH] = { .T=3360 }, [ST_ACCEPT] = { .T=3350 }, [ST_ASK_VLR] = { .T=3350 }, [ST_IU_SECURITY_CMD] = { .T=3350 }, }; #define gmm_attach_fsm_state_chg(fi, NEXT_STATE) \ osmo_tdef_fsm_inst_state_chg(fi, NEXT_STATE, gmm_attach_fsm_timeouts, sgsn->cfg.T_defs, -1) static void st_init(struct osmo_fsm_inst *fi, uint32_t event, void *data) { struct sgsn_mm_ctx *ctx = fi->priv; struct msgb *attach_req = data; /* we can run st_init multiple times */ if (ctx->gmm_att_req.attach_req) msgb_free(ctx->gmm_att_req.attach_req); ctx->gmm_att_req.attach_req = msgb_copy(attach_req, "Attach Request"); ctx->auth_state = SGSN_AUTH_UNKNOWN; ctx->gmm_att_req.auth_reattempt = 0; /* * TODO: remove pending_req as soon the sgsn_auth code doesn't depend * on it. * pending_req must be set, even this fsm doesn't use it, because * the sgsn_auth code is using this too */ ctx->pending_req = GSM48_MT_GMM_ATTACH_REQ; if (require_identity_imei) { ctx->gmm_att_req.id_type = GSM_MI_TYPE_IMEI; gmm_attach_fsm_state_chg(fi, ST_IDENTIY); } else if (!strlen(ctx->imsi)) { ctx->gmm_att_req.id_type = GSM_MI_TYPE_IMSI; gmm_attach_fsm_state_chg(fi, ST_IDENTIY); } else if (require_auth) gmm_attach_fsm_state_chg(fi, ST_AUTH); else gmm_attach_fsm_state_chg(fi, ST_ACCEPT); } static void st_identity_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_state) { struct sgsn_mm_ctx *ctx = fi->priv; int ret = 0; ctx->num_T_exp = 0; switch (ctx->gmm_att_req.id_type) { case GSM_MI_TYPE_IMEI: case GSM_MI_TYPE_IMSI: break; default: /* TODO logging */ osmo_fsm_inst_dispatch(fi, E_REJECT, NULL); return; } ctx->t3370_id_type = ctx->gmm_att_req.id_type; ret = gsm48_tx_gmm_id_req(ctx, ctx->gmm_att_req.id_type); if (ret < 0) { LOGPFSM(fi, "Can not send tx_gmm_id %d.\n", ret); osmo_fsm_inst_dispatch(fi, E_REJECT, NULL); } } static void st_identity(struct osmo_fsm_inst *fi, uint32_t event, void *data) { struct sgsn_mm_ctx *ctx = fi->priv; OSMO_ASSERT(event == E_IDEN_RESP_RECV); /* check if we received a identity response */ long type = (long) data; switch (type) { case GSM_MI_TYPE_IMEI: case GSM_MI_TYPE_IMSI: break; default: LOGMMCTXP(LOGL_ERROR, ctx, "Unknown mi type: 0x%lx, rejecting MS.\n", type); osmo_fsm_inst_dispatch(fi, E_REJECT, (void *) GMM_CAUSE_NET_FAIL); return; } if (type != ctx->gmm_att_req.id_type) { /* ignore wrong package */ /* TODO logging */ return; } if (type == GSM_MI_TYPE_IMEI && !strlen(ctx->imsi)) { ctx->gmm_att_req.id_type = GSM_MI_TYPE_IMSI; gmm_attach_fsm_state_chg(fi, ST_IDENTIY); } else if (require_auth) gmm_attach_fsm_state_chg(fi, ST_AUTH); else gmm_attach_fsm_state_chg(fi, ST_ACCEPT); } static void st_auth_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_state) { struct sgsn_mm_ctx *ctx = fi->priv; enum sgsn_auth_state auth_state; ctx->num_T_exp = 0; /* TODO: remove this layer violation. Don't parse any auth_policy here * The correct way would be to ask the SGSN is this mmctx has to be auth * regardless of the state. * Otherwise someone else could steal the TLLI and just use it without further * auth. */ if (sgsn->cfg.auth_policy != SGSN_AUTH_POLICY_REMOTE) { /* we can "trust" sgsn_auth_state as long it's not remote */ auth_state = sgsn_auth_state(ctx); } else { auth_state = ctx->auth_state; } switch(auth_state) { case SGSN_AUTH_UMTS_RESYNC: /* ask the vlr for a new vector to match the simcards seq */ case SGSN_AUTH_UNKNOWN: /* the SGSN doesn know this MS */ gmm_attach_fsm_state_chg(fi, ST_ASK_VLR); break; case SGSN_AUTH_REJECTED: /* TODO: correct GMM cause */ osmo_fsm_inst_dispatch(fi, E_REJECT, (void *) GMM_CAUSE_GPRS_NOTALLOWED); break; case SGSN_AUTH_ACCEPTED: gmm_attach_fsm_state_chg(fi, ST_ACCEPT); break; case SGSN_AUTH_AUTHENTICATE: if (ctx->auth_triplet.key_seq == GSM_KEY_SEQ_INVAL) { /* invalid key material */ gmm_attach_fsm_state_chg(fi, ST_ASK_VLR); } struct gsm_auth_tuple *at = &ctx->auth_triplet; if (gsm48_tx_gmm_auth_ciph_req(ctx, &at->vec, at->key_seq, false) < 0) { /* network failure */ osmo_fsm_inst_dispatch(fi, E_REJECT, (void *) GMM_CAUSE_NET_FAIL); } ctx->gmm_att_req.auth_reattempt++; break; } } static void st_auth(struct osmo_fsm_inst *fi, uint32_t event, void *data) { struct sgsn_mm_ctx *ctx = fi->priv; switch (event) { case E_AUTH_RESP_RECV_SUCCESS: sgsn_auth_request(ctx); #ifdef BUILD_IU if (ctx->ran_type == MM_CTX_T_UTRAN_Iu && !ctx->iu.ue_ctx->integrity_active) gmm_attach_fsm_state_chg(fi, ST_IU_SECURITY_CMD); else #endif /* BUILD_IU */ gmm_attach_fsm_state_chg(fi, ST_ACCEPT); break; case E_AUTH_RESP_RECV_RESYNC: if (ctx->gmm_att_req.auth_reattempt <= 1) gmm_attach_fsm_state_chg(fi, ST_ASK_VLR); else osmo_fsm_inst_dispatch(fi, E_REJECT, (void *) GMM_CAUSE_SYNC_FAIL); break; } } static void st_accept_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_state) { struct sgsn_mm_ctx *ctx = fi->priv; ctx->num_T_exp = 0; /* TODO: remove pending_req as soon the sgsn_auth code doesn't depend on it */ ctx->pending_req = 0; gsm48_tx_gmm_att_ack(ctx); } static void st_accept(struct osmo_fsm_inst *fi, uint32_t event, void *data) { struct sgsn_mm_ctx *ctx = fi->priv; switch(event) { case E_ATTACH_COMPLETE_RECV: /* TODO: #ifdef ! PTMSI_ALLOC is not supported */ extract_subscr_msisdn(ctx); extract_subscr_hlr(ctx); osmo_fsm_inst_state_chg(fi, ST_INIT, 0, 0); break; case E_VLR_ANSWERED: extract_subscr_msisdn(ctx); extract_subscr_hlr(ctx); LOGMMCTXP(LOGL_NOTICE, ctx, "Unusual event: if MS got no data connection, check that it has APN configured.\n"); break; } } static void st_reject(struct osmo_fsm_inst *fi, uint32_t event, void *data) { struct sgsn_mm_ctx *ctx = fi->priv; long reject_cause = (long) data; if (reject_cause != GMM_DISCARD_MS_WITHOUT_REJECT) gsm48_tx_gmm_att_rej(ctx, (uint8_t) reject_cause); sgsn_mm_ctx_cleanup_free(ctx); } static void st_ask_vlr_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_state) { struct sgsn_mm_ctx *ctx = fi->priv; /* FIXME: remove this layer violation. * The VLR should send the message to the HLR and not the rx function * gsm48_rx_gmm_auth_ciph_fail. Because gmm_auth_ciph_fail already send a * message to the HLR, we don't send here a request. */ if (ctx->auth_state == SGSN_AUTH_UMTS_RESYNC) return; /* ask the auth layer for more data */ sgsn_auth_request(ctx); } static void st_ask_vlr(struct osmo_fsm_inst *fi, uint32_t event, void *data) { switch(event) { case E_VLR_ANSWERED: gmm_attach_fsm_state_chg(fi, ST_AUTH); break; } } static void st_iu_security_cmd_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_state) { #ifdef BUILD_IU struct sgsn_mm_ctx *ctx = fi->priv; bool send_ck; /* TODO: shouldn't this set always? not only when the integrity_active? */ if (ctx->iu.ue_ctx->integrity_active) { gmm_attach_fsm_state_chg(fi, ST_ACCEPT); return; } /* Is any encryption above UEA0 enabled? */ send_ck = sgsn->cfg.uea_encryption_mask > (1 << OSMO_UTRAN_UEA0); LOGMMCTXP(LOGL_DEBUG, ctx, "Iu Security Mode Command: %s encryption key (UEA encryption mask = 0x%x)\n", send_ck ? "sending" : "not sending", sgsn->cfg.uea_encryption_mask); /* FIXME: we should send the set of allowed UEA, as in ranap_new_msg_sec_mod_cmd2(). However, this * is not possible in the iu_client API. See OS#5487. */ ranap_iu_tx_sec_mode_cmd(ctx->iu.ue_ctx, &ctx->auth_triplet.vec, send_ck, ctx->iu.new_key); ctx->iu.new_key = 0; #endif } static void st_iu_security_cmd(struct osmo_fsm_inst *fi, uint32_t event, void *data) { switch(event) { case E_VLR_ANSWERED: /* We may receive an event due to rx * OSMO_GSUP_MSGT_INSERT_DATA_REQUEST here. Do nothing, update of * subscriber is done by lower layers before event is signalled. * In this state we simply wait for E_IU_SECURITY_CMD_COMPLETE */ break; case E_IU_SECURITY_CMD_COMPLETE: gmm_attach_fsm_state_chg(fi, ST_ACCEPT); break; } } static struct osmo_fsm_state gmm_attach_req_fsm_states[] = { /* default state for non-DTX and DTX when SPEECH is in progress */ [ST_INIT] = { .in_event_mask = X(E_ATTACH_REQ_RECV), .out_state_mask = X(ST_INIT) | X(ST_IDENTIY) | X(ST_AUTH) | X(ST_ACCEPT), .name = "Init", .action = st_init, }, [ST_ASK_VLR] = { .in_event_mask = X(E_VLR_ANSWERED), .out_state_mask = X(ST_INIT) | X(ST_AUTH) | X(ST_ACCEPT) | X(ST_REJECT), .name = "AskVLR", .onenter = st_ask_vlr_on_enter, .action = st_ask_vlr, }, [ST_IDENTIY] = { .in_event_mask = X(E_IDEN_RESP_RECV), .out_state_mask = X(ST_INIT) | X(ST_AUTH) | X(ST_ACCEPT) | X(ST_IDENTIY) | X(ST_REJECT), .onenter = st_identity_on_enter, .name = "CheckIdentity", .action = st_identity, }, [ST_AUTH] = { .in_event_mask = X(E_AUTH_RESP_RECV_SUCCESS) | X(E_AUTH_RESP_RECV_RESYNC), .out_state_mask = X(ST_INIT) | X(ST_AUTH) | X(ST_IU_SECURITY_CMD) | X(ST_ACCEPT) | X(ST_ASK_VLR) | X(ST_REJECT), .name = "Authenticate", .onenter = st_auth_on_enter, .action = st_auth, }, [ST_IU_SECURITY_CMD] = { .in_event_mask = X(E_IU_SECURITY_CMD_COMPLETE) | X(E_VLR_ANSWERED), .out_state_mask = X(ST_INIT) | X(ST_AUTH) | X(ST_ACCEPT) | X(ST_REJECT), .name = "IuSecurityCommand", .onenter = st_iu_security_cmd_on_enter, .action = st_iu_security_cmd, }, [ST_ACCEPT] = { .in_event_mask = X(E_ATTACH_COMPLETE_RECV) | X(E_VLR_ANSWERED), .out_state_mask = X(ST_INIT) | X(ST_REJECT), .name = "WaitAttachComplete", .onenter = st_accept_on_enter, .action = st_accept, }, [ST_REJECT] = { .in_event_mask = X(E_REJECT), .out_state_mask = X(ST_INIT), .name = "Reject", .action = st_reject, }, }; const struct value_string gmm_attach_req_fsm_event_names[] = { OSMO_VALUE_STRING(E_ATTACH_REQ_RECV), OSMO_VALUE_STRING(E_IDEN_RESP_RECV), OSMO_VALUE_STRING(E_AUTH_RESP_RECV_SUCCESS), OSMO_VALUE_STRING(E_AUTH_RESP_RECV_RESYNC), OSMO_VALUE_STRING(E_ATTACH_ACCEPTED), OSMO_VALUE_STRING(E_ATTACH_ACCEPT_SENT), OSMO_VALUE_STRING(E_ATTACH_COMPLETE_RECV), OSMO_VALUE_STRING(E_IU_SECURITY_CMD_COMPLETE), OSMO_VALUE_STRING(E_REJECT), OSMO_VALUE_STRING(E_VLR_ANSWERED), { 0, NULL } }; void gmm_attach_allstate_action(struct osmo_fsm_inst *fi, uint32_t event, void *data) { struct sgsn_mm_ctx *ctx = fi->priv; struct msgb *new_attach_req = data; switch (event) { case E_ATTACH_REQ_RECV: switch (fi->state) { case ST_INIT: case ST_REJECT: st_init(fi, event, data); break; case ST_ACCEPT: /* TODO: drop all state (e.g. PDP Ctx) and do this procedure */ osmo_fsm_inst_state_chg(fi, ST_INIT, 0, 0); st_init(fi, event, data); break; case ST_ASK_VLR: case ST_AUTH: case ST_IDENTIY: case ST_RETRIEVE_AUTH: /* 04.08 4.7.3.1.6 d) Abnormal Case * Only do action if Req IEs differs. */ if (ctx->gmm_att_req.attach_req && gprs_gmm_msg_cmp(new_attach_req, ctx->gmm_att_req.attach_req)) { osmo_fsm_inst_state_chg(fi, ST_INIT, 0, 0); st_init(fi, event, data); } break; } break; case E_REJECT: if (fi->state != ST_REJECT) osmo_fsm_inst_state_chg(fi, ST_REJECT, 0, 0); st_reject(fi, event, data); break; } } int gmm_attach_timer_cb(struct osmo_fsm_inst *fi) { struct sgsn_mm_ctx *ctx = fi->priv; struct gsm_auth_tuple *at = &ctx->auth_triplet; unsigned long t_secs; ctx->num_T_exp++; switch(fi->state) { case ST_ASK_VLR: /* TODO: replace T3350 by a better timer or it's own * re-use T3350 - not defined by standard */ LOGMMCTXP(LOGL_ERROR, ctx, "HLR did not answer in time. Rejecting.\n"); osmo_fsm_inst_dispatch(fi, E_REJECT, (void *) GMM_CAUSE_NET_FAIL); break; case ST_IDENTIY: /* T3370 */ if (ctx->num_T_exp >= 5) { osmo_fsm_inst_dispatch(fi, E_REJECT, (void *) GMM_CAUSE_MS_ID_NOT_DERIVED); break; } gsm48_tx_gmm_id_req(ctx, ctx->gmm_att_req.id_type); t_secs = osmo_tdef_get(sgsn->cfg.T_defs, 3370, OSMO_TDEF_S, -1); osmo_timer_schedule(&fi->timer, t_secs, 0); break; case ST_AUTH: /* T3360 */ if (ctx->num_T_exp >= 5) { osmo_fsm_inst_dispatch(fi, E_REJECT, (void *) GMM_DISCARD_MS_WITHOUT_REJECT); break; } gsm48_tx_gmm_auth_ciph_req(ctx, &at->vec, at->key_seq, false); t_secs = osmo_tdef_get(sgsn->cfg.T_defs, 3360, OSMO_TDEF_S, -1); osmo_timer_schedule(&fi->timer, t_secs, 0); break; case ST_ACCEPT: /* T3350 */ if (ctx->num_T_exp >= 5) { osmo_fsm_inst_dispatch(fi, E_REJECT, (void *) GMM_DISCARD_MS_WITHOUT_REJECT); break; } gsm48_tx_gmm_att_ack(ctx); t_secs = osmo_tdef_get(sgsn->cfg.T_defs, 3350, OSMO_TDEF_S, -1); osmo_timer_schedule(&fi->timer, t_secs, 0); break; } return 0; } struct osmo_fsm gmm_attach_req_fsm = { .name = "GMM_ATTACH_REQ_FSM", .states = gmm_attach_req_fsm_states, .num_states = ARRAY_SIZE(gmm_attach_req_fsm_states), .event_names = gmm_attach_req_fsm_event_names, .allstate_event_mask = X(E_REJECT) | X(E_ATTACH_REQ_RECV), .allstate_action = gmm_attach_allstate_action, .log_subsys = DMM, .timer_cb = gmm_attach_timer_cb, }; static __attribute__((constructor)) void gprs_gmm_fsm_init(void) { OSMO_ASSERT(osmo_fsm_register(&gmm_attach_req_fsm) == 0); } void gmm_att_req_free(struct sgsn_mm_ctx *mm) { if (mm->gmm_att_req.fsm) osmo_fsm_inst_free(mm->gmm_att_req.fsm); if (mm->gmm_att_req.attach_req) msgb_free(mm->gmm_att_req.attach_req); }