From fc06c73f398a51b3b96f2d49431b97ebc7ef6996 Mon Sep 17 00:00:00 2001 From: Neels Hofmeyr Date: Wed, 19 Aug 2020 12:52:28 +0000 Subject: msc: add TC_attached_imsi_lu_unknown_tmsi() The test currently fails with osmo-msc master. It uncovers the evil twin aspect of osmo-msc's VLR, for an attached IMSI re-attaching with an unknown TMSI. Related: OS#4721 Change-Id: Ia53733fc5bc414b0e3d3897f25b549f5183c862d --- msc/MSC_Tests.ttcn | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) (limited to 'msc/MSC_Tests.ttcn') diff --git a/msc/MSC_Tests.ttcn b/msc/MSC_Tests.ttcn index a801db92..43c62874 100644 --- a/msc/MSC_Tests.ttcn +++ b/msc/MSC_Tests.ttcn @@ -962,6 +962,94 @@ testcase TC_lu_by_tmsi_noauth_unknown() runs on MTC_CT { vc_conn.done; } +/* Test LU by unknown TMSI, while the IMSI is already attached: osmo-msc should switch to the attached vlr_subscr. */ +private function f_tc_attached_imsi_lu_unknown_tmsi(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr { + f_init_handler(pars); + + var PDU_ML3_MS_NW l3_lu := f_build_lu_tmsi('56111111'O); + var PDU_DTAP_MT dtap_mt; + + /* tell GSUP dispatcher to send this IMSI to us */ + f_create_gsup_expect(hex2str(g_pars.imsi)); + + /* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */ + f_cl3_or_initial_ue(l3_lu); + + /* Send Early Classmark, just for the fun of it */ + BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3)); + + /* Wait for + respond to ID REQ (IMSI) */ + BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_MM_ID_Req(CM_ID_TYPE_IMSI))); + BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_MM_ID_Rsp_IMSI(g_pars.imsi))); + f_expect_common_id(); + + /* Expect MSC to do UpdateLocation to HLR; respond to it */ + GSUP.receive(tr_GSUP_UL_REQ(g_pars.imsi)); + GSUP.send(ts_GSUP_ISD_REQ(g_pars.imsi, g_pars.msisdn)); + GSUP.receive(tr_GSUP_ISD_RES(g_pars.imsi)); + GSUP.send(ts_GSUP_UL_RES(g_pars.imsi)); + + alt { + [] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Acc)) { + BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_TmsiRealloc_Cmpl)); + } + [] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej)) { + setverdict(fail, "Expected LU ACK, but received REJ"); + mtc.stop; + } + } + + /* Wait for MM-Information (if enabled) */ + f_expect_mm_info(); + + /* wait for normal teardown */ + f_expect_clear(); + + /* Now the same IMSI is still attached in the VLR, and a LU with an unknown TMSI reveals the same IMSI only + * later during ID Response. osmo-msc first creates a new vlr_subscr for the unknown TMSI, and as soon as the + * IMSI becomes known, must notice that this IMSI is still regarded as attached, and must not create evil twins. + */ + + /* (since the TMSI Reallocation happened, we could do this with exactly the same TMSI as above, but for test + * readability just use a different one.) */ + l3_lu := f_build_lu_tmsi('56222222'O); + f_cl3_or_initial_ue(l3_lu); + + /* Wait for + respond to ID REQ (IMSI) */ + BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_MM_ID_Req(CM_ID_TYPE_IMSI))); + BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_MM_ID_Rsp_IMSI(g_pars.imsi))); + f_expect_common_id(); + + /* Expect MSC to do UpdateLocation to HLR; respond to it */ + GSUP.receive(tr_GSUP_UL_REQ(g_pars.imsi)); + GSUP.send(ts_GSUP_ISD_REQ(g_pars.imsi, g_pars.msisdn)); + GSUP.receive(tr_GSUP_ISD_RES(g_pars.imsi)); + GSUP.send(ts_GSUP_UL_RES(g_pars.imsi)); + + alt { + [] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Acc)) { + BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_TmsiRealloc_Cmpl)); + } + [] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej)) { + setverdict(fail, "Expected LU ACK, but received REJ"); + mtc.stop; + } + } + + /* Wait for MM-Information (if enabled) */ + f_expect_mm_info(); + + /* wait for normal teardown */ + f_expect_clear(); +} +testcase TC_attached_imsi_lu_unknown_tmsi() runs on MTC_CT { + var BSC_ConnHdlr vc_conn; + f_init(); + + vc_conn := f_start_handler(refers(f_tc_attached_imsi_lu_unknown_tmsi), 56); + vc_conn.done; +} + friend function f_imsi_detach_by_imsi() runs on BSC_ConnHdlr { var MobileIdentityLV mi := valueof(ts_MI_IMSI_LV(g_pars.imsi)); @@ -6079,6 +6167,7 @@ control { execute( TC_lu_disconnect() ); execute( TC_lu_by_imei() ); execute( TC_lu_by_tmsi_noauth_unknown() ); + execute( TC_attached_imsi_lu_unknown_tmsi() ); execute( TC_imsi_detach_by_imsi() ); execute( TC_imsi_detach_by_tmsi() ); execute( TC_imsi_detach_by_imei() ); -- cgit v1.2.3