/* * Copyright (C) 2019 by Sukchan Lee * * This file is part of Open5GS. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ #include "mme-event.h" #include "mme-timer.h" #include "s1ap-handler.h" #include "mme-gn-handler.h" #include "mme-fd-path.h" #include "emm-handler.h" #include "emm-build.h" #include "esm-handler.h" #include "nas-path.h" #include "nas-security.h" #include "s1ap-path.h" #include "sgsap-types.h" #include "sgsap-path.h" #include "mme-gtp-path.h" #include "mme-path.h" #include "mme-sm.h" #undef OGS_LOG_DOMAIN #define OGS_LOG_DOMAIN __emm_log_domain typedef enum { EMM_COMMON_STATE_DEREGISTERED, EMM_COMMON_STATE_REGISTERED, } emm_common_state_e; static void common_register_state(ogs_fsm_t *s, mme_event_t *e, emm_common_state_e state); void emm_state_initial(ogs_fsm_t *s, mme_event_t *e) { ogs_assert(s); mme_sm_debug(e); OGS_FSM_TRAN(s, &emm_state_de_registered); } void emm_state_final(ogs_fsm_t *s, mme_event_t *e) { ogs_assert(s); mme_sm_debug(e); } void emm_state_de_registered(ogs_fsm_t *s, mme_event_t *e) { int r; mme_ue_t *mme_ue = NULL; ogs_assert(e); mme_sm_debug(e); mme_ue = e->mme_ue; ogs_assert(mme_ue); switch (e->id) { case OGS_FSM_ENTRY_SIG: CLEAR_SERVICE_INDICATOR(mme_ue); CLEAR_MME_UE_ALL_TIMERS(mme_ue); break; case OGS_FSM_EXIT_SIG: break; case MME_EVENT_EMM_MESSAGE: common_register_state(s, e, EMM_COMMON_STATE_DEREGISTERED); break; case MME_EVENT_EMM_TIMER: switch (e->timer_id) { case MME_TIMER_T3470: if (mme_ue->t3470.retry_count >= mme_timer_cfg(MME_TIMER_T3470)->max_count) { ogs_warn("Retransmission of Identity-Request failed. " "Stop retransmission"); OGS_FSM_TRAN(&mme_ue->sm, &emm_state_exception); } else { mme_ue->t3470.retry_count++; r = nas_eps_send_identity_request(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } break; default: ogs_error("Unknown timer[%s:%d]", mme_timer_get_name(e->timer_id), e->timer_id); } break; default: ogs_error("Unknown event[%s]", mme_event_get_name(e)); } } void emm_state_registered(ogs_fsm_t *s, mme_event_t *e) { int r; mme_ue_t *mme_ue = NULL; ogs_assert(e); mme_sm_debug(e); mme_ue = e->mme_ue; ogs_assert(mme_ue); switch (e->id) { case OGS_FSM_ENTRY_SIG: break; case OGS_FSM_EXIT_SIG: break; case MME_EVENT_EMM_MESSAGE: common_register_state(s, e, EMM_COMMON_STATE_REGISTERED); break; case MME_EVENT_EMM_TIMER: switch (e->timer_id) { case MME_TIMER_T3413: if (mme_ue->t3413.retry_count >= mme_timer_cfg(MME_TIMER_T3413)->max_count) { /* Paging failed */ ogs_warn("Paging to IMSI[%s] failed. Stop paging", mme_ue->imsi_bcd); CLEAR_MME_UE_TIMER(mme_ue->t3413); mme_ue->paging.failed = true; if (MME_PAGING_ONGOING(mme_ue)) mme_send_after_paging(mme_ue, true); } else { mme_ue->t3413.retry_count++; /* * If t3413 is timeout, the saved pkbuf is used. * We don't have to set CNDomain. * So, we just set CNDomain to 0 */ r = s1ap_send_paging(mme_ue, 0); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } break; case MME_TIMER_T3470: if (mme_ue->t3470.retry_count >= mme_timer_cfg(MME_TIMER_T3470)->max_count) { ogs_warn("Retransmission of Identity-Request failed. " "Stop retransmission"); OGS_FSM_TRAN(&mme_ue->sm, &emm_state_exception); } else { mme_ue->t3470.retry_count++; r = nas_eps_send_identity_request(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } break; case MME_TIMER_T3422: if (mme_ue->t3422.retry_count >= mme_timer_cfg(MME_TIMER_T3422)->max_count) { ogs_warn("Retransmission of Detach Request failed. " "Stop retransmission"); OGS_FSM_TRAN(&mme_ue->sm, &emm_state_exception); } else { mme_ue->t3422.retry_count++; r = nas_eps_send_detach_request(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } break; case MME_TIMER_MOBILE_REACHABLE: ogs_info("[%s] Mobile Reachable timer expired", mme_ue->imsi_bcd); CLEAR_MME_UE_TIMER(mme_ue->t_mobile_reachable); /* * TS 24.301 * Section 5.3.5 * Handling of the periodic tracking area update timer and * mobile reachable timer (S1 mode only) * * The periodic tracking area updating procedure is used to * periodically notify the availability of the UE to the network. * The procedure is controlled in the UE by timer T3412. * The value of timer T3412 is sent by the network to the UE * in the ATTACH ACCEPT message and can be sent in the TRACKING AREA * UPDATE ACCEPT message. The UE shall apply this value in all tracking * areas of the list of tracking areas assigned to the UE * until a new value is received. * * If timer T3412 received by the UE in an ATTACH ACCEPT or TRACKING * AREA UPDATE ACCEPT message contains an indication that the timer is * deactivated or the timer value is zero, then timer T3412 is * deactivated and the UE shall not perform the periodic tracking area * updating procedure. * * Timer T3412 is reset and started with its initial value, * when the UE changes from EMM-CONNECTED to EMM-IDLE mode. * * Timer T3412 is stopped when the UE enters EMM-CONNECTED mode or * the EMM-DEREGISTERED state. If the UE is attached for emergency * bearer services, and timer T3412 expires, the UE shall not initiate * a periodic tracking area updating procedure, but shall locally detach * from the network. When the UE is camping on a suitable cell, it may * re-attach to regain normal service. * * When a UE is not attached for emergency bearer services, and timer * T3412 expires, the periodic tracking area updating procedure shall * be started and the timer shall be set to its initial value * for the next start. * * If the UE is not attached for emergency bearer services, the mobile * reachable timer shall be longer than T3412. In this case, by default, * the mobile reachable timer is 4 minutes greater than timer T3412. * * Upon expiry of the mobile reachable timer the network shall start * the implicit detach timer. The value of the implicit detach timer is * network dependent. If ISR is activated, the default value of * the implicit detach timer is 4 minutes greater than timer T3423. * If the implicit detach timer expires before the UE contacts * the network, the network shall implicitly detach the UE. If the MME * includes timer T3346 in the TRACKING AREA UPDATE REJECT message or * the SERVICE REJECT message and timer T3346 is greater than timer * T3412, the MME sets the mobile reachable timer and the implicit * detach timer such that the sum of the timer values is greater than * timer T3346. */ ogs_debug("[%s] Starting Implicit Detach timer", mme_ue->imsi_bcd); ogs_timer_start(mme_ue->t_implicit_detach.timer, ogs_time_from_sec(mme_self()->time.t3412.value + 240)); break; case MME_TIMER_IMPLICIT_DETACH: ogs_info("[%s] Implicit Detach timer expired, detaching UE", mme_ue->imsi_bcd); CLEAR_MME_UE_TIMER(mme_ue->t_implicit_detach); /* TS 24.301 5.3.5 * If the implicit detach timer expires before the UE contacts * the network, the network shall implicitly detach the UE. */ mme_ue->detach_type = MME_DETACH_TYPE_MME_IMPLICIT; if (MME_P_TMSI_IS_AVAILABLE(mme_ue)) { ogs_assert(OGS_OK == sgsap_send_detach_indication(mme_ue)); } else { mme_send_delete_session_or_detach(mme_ue); } OGS_FSM_TRAN(s, &emm_state_de_registered); break; default: ogs_error("Unknown timer[%s:%d]", mme_timer_get_name(e->timer_id), e->timer_id); } break; default: ogs_error("Unknown event[%s]", mme_event_get_name(e)); } } static void common_register_state(ogs_fsm_t *s, mme_event_t *e, emm_common_state_e state) { int r, rv, xact_count = 0; mme_ue_t *mme_ue = NULL; enb_ue_t *enb_ue = NULL; mme_sgsn_t *sgsn = NULL; ogs_nas_eps_message_t *message = NULL; ogs_nas_rai_t rai; ogs_nas_security_header_type_t h; ogs_assert(e); mme_sm_debug(e); mme_ue = e->mme_ue; ogs_assert(mme_ue); switch (e->id) { case MME_EVENT_EMM_MESSAGE: message = e->nas_message; ogs_assert(message); enb_ue = enb_ue_cycle(mme_ue->enb_ue); ogs_assert(enb_ue); h.type = e->nas_type; xact_count = mme_ue_xact_count(mme_ue, OGS_GTP_LOCAL_ORIGINATOR); if (message->emm.h.security_header_type == OGS_NAS_SECURITY_HEADER_FOR_SERVICE_REQUEST_MESSAGE) { ogs_info("[%s] Service request", mme_ue->imsi_bcd); if (state != EMM_COMMON_STATE_REGISTERED) { ogs_info("Service request : Not registered[%s]", mme_ue->imsi_bcd); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } rv = emm_handle_service_request( mme_ue, &message->emm.service_request); if (rv != OGS_OK) { ogs_error("emm_handle_service_request() failed"); OGS_FSM_TRAN(s, emm_state_exception); break; } if (!MME_UE_HAVE_IMSI(mme_ue)) { ogs_info("Service request : Unknown UE"); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) { ogs_error("No Security Context : IMSI[%s]", mme_ue->imsi_bcd); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } if (!SESSION_CONTEXT_IS_AVAILABLE(mme_ue)) { ogs_error("No Session Context : IMSI[%s]", mme_ue->imsi_bcd); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } if (!ACTIVE_EPS_BEARERS_IS_AVAIABLE(mme_ue)) { ogs_error("No active EPS bearers : IMSI[%s]", mme_ue->imsi_bcd); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_NO_EPS_BEARER_CONTEXT_ACTIVATED); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } /* * If the OLD ENB_UE is being maintained in MME-UE Context, * it deletes the S1 Context after exchanging * the UEContextReleaseCommand/Complete with the eNB */ CLEAR_S1_CONTEXT(mme_ue); r = s1ap_send_initial_context_setup_request(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_registered); break; } switch (message->emm.h.message_type) { case OGS_NAS_EPS_IDENTITY_RESPONSE: ogs_info("Identity response"); CLEAR_MME_UE_TIMER(mme_ue->t3470); rv = emm_handle_identity_response(mme_ue, &message->emm.identity_response); if (rv != OGS_OK) { ogs_error("emm_handle_identity_response() failed"); OGS_FSM_TRAN(s, emm_state_exception); break; } if (!MME_UE_HAVE_IMSI(mme_ue)) { ogs_error("No IMSI"); OGS_FSM_TRAN(s, emm_state_exception); break; } mme_gtp_send_delete_all_sessions(mme_ue, OGS_GTP_DELETE_SEND_AUTHENTICATION_REQUEST); if (!MME_SESSION_RELEASE_PENDING(mme_ue) && mme_ue_xact_count(mme_ue, OGS_GTP_LOCAL_ORIGINATOR) == xact_count) { mme_s6a_send_air(enb_ue, mme_ue, NULL); } OGS_FSM_TRAN(s, &emm_state_authentication); break; case OGS_NAS_EPS_ATTACH_REQUEST: ogs_info("[%s] Attach request", mme_ue->imsi_bcd); rv = emm_handle_attach_request( mme_ue, &message->emm.attach_request, e->pkbuf); if (rv != OGS_OK) { ogs_error("emm_handle_attach_request() failed"); OGS_FSM_TRAN(s, emm_state_exception); break; } if (!MME_UE_HAVE_IMSI(mme_ue)) { CLEAR_MME_UE_TIMER(mme_ue->t3470); r = nas_eps_send_identity_request(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); break; } if (h.integrity_protected && SECURITY_CONTEXT_IS_VALID(mme_ue)) { /* * If the OLD ENB_UE is being maintained in MME-UE Context, * it deletes the S1 Context after exchanging * the UEContextReleaseCommand/Complete with the eNB */ CLEAR_S1_CONTEXT(mme_ue); mme_gtp_send_delete_all_sessions(mme_ue, OGS_GTP_DELETE_HANDLE_PDN_CONNECTIVITY_REQUEST); if (!MME_SESSION_RELEASE_PENDING(mme_ue) && mme_ue_xact_count(mme_ue, OGS_GTP_LOCAL_ORIGINATOR) == xact_count) { rv = nas_eps_send_emm_to_esm(mme_ue, &mme_ue->pdn_connectivity_request); if (rv != OGS_OK) { ogs_error("nas_eps_send_emm_to_esm() failed"); r = nas_eps_send_attach_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED, OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } } OGS_FSM_TRAN(s, &emm_state_initial_context_setup); } else { mme_gtp_send_delete_all_sessions(mme_ue, OGS_GTP_DELETE_SEND_AUTHENTICATION_REQUEST); if (!MME_SESSION_RELEASE_PENDING(mme_ue) && mme_ue_xact_count(mme_ue, OGS_GTP_LOCAL_ORIGINATOR) == xact_count) { mme_s6a_send_air(enb_ue, mme_ue, NULL); } OGS_FSM_TRAN(s, &emm_state_authentication); } break; case OGS_NAS_EPS_TRACKING_AREA_UPDATE_REQUEST: ogs_info("[%s] Tracking area update request", mme_ue->imsi_bcd); rv = emm_handle_tau_request(mme_ue, &message->emm.tracking_area_update_request, e->pkbuf); if (rv != OGS_OK) { ogs_error("emm_handle_tau_request() failed"); OGS_FSM_TRAN(s, emm_state_exception); break; } if (emm_tau_request_ue_comes_from_gb_or_iu(&message->emm.tracking_area_update_request)) { ogs_info("TAU request : UE comes from SGSN, attempt retrieving context"); guti_to_rai_ptmsi(&mme_ue->next.guti, &rai, NULL, NULL); sgsn = mme_sgsn_find_by_routing_address(&rai, 0xffff); if (!sgsn) { ogs_plmn_id_t plmn_id; ogs_nas_to_plmn_id(&plmn_id, &rai.lai.nas_plmn_id); ogs_warn("No SGSN route matching RAI[MCC:%u MNC:%u LAC:%u RAC:%u]", ogs_plmn_id_mcc(&plmn_id), ogs_plmn_id_mnc(&plmn_id), rai.lai.lac, rai.rac); r = nas_eps_send_tau_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); OGS_FSM_TRAN(s, &emm_state_exception); break; } mme_gtp1_send_sgsn_context_request(sgsn, mme_ue); /* FIXME: use a specific FSM state here to state we are waiting for resolution from Gn? */ break; } if (!MME_UE_HAVE_IMSI(mme_ue)) { ogs_info("TAU request : Unknown UE"); r = nas_eps_send_tau_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } if (!SESSION_CONTEXT_IS_AVAILABLE(mme_ue)) { ogs_warn("No PDN Connection : UE[%s]", mme_ue->imsi_bcd); r = nas_eps_send_tau_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, emm_state_exception); break; } if (!ACTIVE_EPS_BEARERS_IS_AVAIABLE(mme_ue)) { ogs_warn("No active EPS bearers : IMSI[%s]", mme_ue->imsi_bcd); r = nas_eps_send_tau_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_NO_EPS_BEARER_CONTEXT_ACTIVATED); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } if (!h.integrity_protected || !SECURITY_CONTEXT_IS_VALID(mme_ue)) { mme_s6a_send_air(enb_ue, mme_ue, NULL); OGS_FSM_TRAN(&mme_ue->sm, &emm_state_authentication); break; } /* * If the OLD ENB_UE is being maintained in MME-UE Context, * it deletes the S1 Context after exchanging * the UEContextReleaseCommand/Complete with the eNB */ CLEAR_S1_CONTEXT(mme_ue); /* * * 1. InitialUEMessage + Tracking area update request * Active flag : No bearer establishment requested (0) * EPS update type : TA updating (0) or Periodic updating (3) * 2. DownlinkNASTransport + Tracking area update accept * EPS update result value : TA updated (0) * 3. UEContextReleaseCommand * Cause : nas(2) + normal-release(0) * 4. UEContextReleaseComplete * * * 1. InitialUEMessage + Tracking area update request * Active flag : bearer establishment requested (1) * EPS update type : Combined TA/LA updating with IMSI attach (2) * 2. InitialContextSetupRequest + Tracking area update accept * EPS update result : Combined TA/LA updated (1) * New GUTI * 3. InitialContextSetupResponse * 4. UplinkNASTransport + Tracking area update complete * * * 1. S1SetupRequest/S1SetupResponse * 2. InitialUEMessage + Tracking area update request * Active flag : bearer establishment requested (1) * EPS update type : Periodic updating (3) * 3. InitialContextSetupRequest + Tracking area update accept * EPS update result : TA updated (0) * No GUTI * 4. InitialContextSetupResponse * * * 1. HandoverNotify (Target) * 2. UplinkNASTransport + Tracking area update request (Target) * Active flag : bearer establishment requested (1) * EPS update type : TA updating (0) * 3. UEContextReleaseCommand (Source) * Cause : radioNetwork(0) + successful-handover(2) * 4. UEcontextReleaseComplete (Source) * 5. DownlinkNASTransport + Tracking area update accept (Target) * EPS update result : TA updated (0) * * * 1. HandoverNotify (Target) * * 2. UEContextReleaseCommand (Source) * Cause : radioNetwork(0) + successful-handover(2) * 3. UEcontextReleaseComplete (Source) * 4. UEContextReleaseRequest (Target) * Cause : transport(1) + transport-resource-unavailable(0) * 5. UEContextReleaseCommand (Target) * Cause : nas(2) + normal-release(0) * 6. UEcontextReleaseComplete (Target) * * 7. InitialUEMessage + Tracking area update request (Target) * Active flag : bearer establishment requested (1) * EPS update type : TA updating (0) * 8. InitialContextSetupRequest + Tracking area update accept * EPS update result : TA updated (0) * New GUTI * 9. InitialContextSetupResponse (Target) * EPS update result : TA updated (0) * 10. UplinkNASTransport + Tracking area update complete (Target) */ if (e->s1ap_code == S1AP_ProcedureCode_id_initialUEMessage) { ogs_debug(" Iniital UE Message"); if (mme_ue->nas_eps.update.active_flag) { /* * TS33.401 * 7 Security procedures between UE and EPS access network elements * 7.2 Handling of user-related keys in E-UTRAN * 7.2.7 Key handling for the TAU procedure when registered in E-UTRAN * * If the "active flag" is set in the TAU request message or * the MME chooses to establish radio bearers when there is pending downlink * UP data or pending downlink signalling, radio bearers will be established * as part of the TAU procedure and a KeNB derivation is necessary. */ ogs_kdf_kenb(mme_ue->kasme, mme_ue->ul_count.i32, mme_ue->kenb); ogs_kdf_nh_enb(mme_ue->kasme, mme_ue->kenb, mme_ue->nh); mme_ue->nhcc = 1; r = nas_eps_send_tau_accept(mme_ue, S1AP_ProcedureCode_id_InitialContextSetup); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } else { r = nas_eps_send_tau_accept(mme_ue, S1AP_ProcedureCode_id_downlinkNASTransport); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } } else if (e->s1ap_code == S1AP_ProcedureCode_id_uplinkNASTransport) { ogs_debug(" Uplink NAS Transport"); r = nas_eps_send_tau_accept(mme_ue, S1AP_ProcedureCode_id_downlinkNASTransport); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } else { ogs_fatal("Invalid Procedure Code[%d]", (int)e->s1ap_code); } if (!mme_ue->nas_eps.update.active_flag) mme_send_release_access_bearer_or_ue_context_release(enb_ue); if (mme_ue->next.m_tmsi) { ogs_fatal("MME does not create new GUTI"); ogs_assert_if_reached(); OGS_FSM_TRAN(s, &emm_state_initial_context_setup); } else { OGS_FSM_TRAN(s, &emm_state_registered); } break; case OGS_NAS_EPS_EXTENDED_SERVICE_REQUEST: ogs_info("[%s] Extended service request", mme_ue->imsi_bcd); rv = emm_handle_extended_service_request( mme_ue, &message->emm.extended_service_request); if (rv != OGS_OK) { ogs_error("emm_handle_extended_service_request() failed"); OGS_FSM_TRAN(s, emm_state_exception); break; } if (!MME_UE_HAVE_IMSI(mme_ue)) { ogs_warn("Extended Service request : Unknown UE"); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } if (!SESSION_CONTEXT_IS_AVAILABLE(mme_ue)) { ogs_warn("No PDN Connection : UE[%s]", mme_ue->imsi_bcd); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, emm_state_exception); break; } if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) { ogs_error("No Security Context : IMSI[%s]", mme_ue->imsi_bcd); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } /* * If the OLD ENB_UE is being maintained in MME-UE Context, * it deletes the S1 Context after exchanging * the UEContextReleaseCommand/Complete with the eNB */ CLEAR_S1_CONTEXT(mme_ue); if (e->s1ap_code == S1AP_ProcedureCode_id_initialUEMessage) { ogs_debug(" Initial UE Message"); if (!MME_P_TMSI_IS_AVAILABLE(mme_ue)) { ogs_warn("No P-TMSI : UE[%s]", mme_ue->imsi_bcd); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); mme_send_release_access_bearer_or_ue_context_release( enb_ue); break; } if (mme_ue->nas_eps.service.value == OGS_NAS_SERVICE_TYPE_CS_FALLBACK_FROM_UE || mme_ue->nas_eps.service.value == OGS_NAS_SERVICE_TYPE_CS_FALLBACK_EMERGENCY_CALL_FROM_UE) { ogs_debug(" MO-CSFB-INDICATION[%d]", mme_ue->nas_eps.service.value); ogs_assert(OGS_OK == sgsap_send_mo_csfb_indication(mme_ue)); } else if (mme_ue->nas_eps.service.value == OGS_NAS_SERVICE_TYPE_CS_FALLBACK_TO_UE) { ogs_debug(" SERVICE_REQUEST[%d]", mme_ue->nas_eps.service.value); ogs_assert(OGS_OK == sgsap_send_service_request(mme_ue, SGSAP_EMM_IDLE_MODE) ); } else { ogs_warn(" Unknown CSFB Service Type[%d]", mme_ue->nas_eps.service.value); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } r = s1ap_send_initial_context_setup_request(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } else if (e->s1ap_code == S1AP_ProcedureCode_id_uplinkNASTransport) { ogs_debug(" Uplink NAS Transport"); if (!MME_P_TMSI_IS_AVAILABLE(mme_ue)) { ogs_warn("No P-TMSI : UE[%s]", mme_ue->imsi_bcd); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); break; } if (mme_ue->nas_eps.service.value == OGS_NAS_SERVICE_TYPE_CS_FALLBACK_FROM_UE || mme_ue->nas_eps.service.value == OGS_NAS_SERVICE_TYPE_CS_FALLBACK_EMERGENCY_CALL_FROM_UE) { ogs_debug(" MO-CSFB-INDICATION[%d]", mme_ue->nas_eps.service.value); ogs_assert(OGS_OK == sgsap_send_mo_csfb_indication(mme_ue)); } else if (mme_ue->nas_eps.service.value == OGS_NAS_SERVICE_TYPE_CS_FALLBACK_TO_UE) { ogs_debug(" SERVICE_REQUEST[%d]", mme_ue->nas_eps.service.value); ogs_assert(OGS_OK == sgsap_send_service_request( mme_ue, SGSAP_EMM_CONNECTED_MODE)); } else { ogs_warn(" Unknown CSFB Service Type[%d]", mme_ue->nas_eps.service.value); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } r = s1ap_send_ue_context_modification_request(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } else { ogs_error("Invalid Procedure Code[%d]", (int)e->s1ap_code); } break; case OGS_NAS_EPS_EMM_STATUS: ogs_warn("EMM STATUS : IMSI[%s] Cause[%d]", mme_ue->imsi_bcd, message->emm.emm_status.emm_cause); break; case OGS_NAS_EPS_DETACH_REQUEST: ogs_info("[%s] Detach request", mme_ue->imsi_bcd); rv = emm_handle_detach_request( mme_ue, &message->emm.detach_request_from_ue); if (rv != OGS_OK) { ogs_error("emm_handle_detach_request() failed"); OGS_FSM_TRAN(s, emm_state_exception); break; } if (!MME_UE_HAVE_IMSI(mme_ue)) { ogs_warn("Detach request : Unknown UE"); ogs_assert(OGS_OK == nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK)); OGS_FSM_TRAN(s, &emm_state_exception); break; } if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) { ogs_error("No Security Context : IMSI[%s]", mme_ue->imsi_bcd); ogs_assert(OGS_OK == nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK)); OGS_FSM_TRAN(s, &emm_state_exception); break; } /* * If the OLD ENB_UE is being maintained in MME-UE Context, * it deletes the S1 Context after exchanging * the UEContextReleaseCommand/Complete with the eNB */ CLEAR_S1_CONTEXT(mme_ue); if (MME_P_TMSI_IS_AVAILABLE(mme_ue)) { ogs_assert(OGS_OK == sgsap_send_detach_indication(mme_ue)); } else { mme_send_delete_session_or_detach(mme_ue); } OGS_FSM_TRAN(s, &emm_state_de_registered); break; case OGS_NAS_EPS_DETACH_ACCEPT: ogs_info("[%s] Detach accept", mme_ue->imsi_bcd); CLEAR_MME_UE_TIMER(mme_ue->t3422); r = s1ap_send_ue_context_release_command(enb_ue, S1AP_Cause_PR_nas, S1AP_CauseNas_detach, S1AP_UE_CTX_REL_UE_CONTEXT_REMOVE, 0); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_de_registered); break; case OGS_NAS_EPS_UPLINK_NAS_TRANSPORT: ogs_debug("Uplink NAS Transport"); ogs_debug(" IMSI[%s]", mme_ue->imsi_bcd); if (MME_SGSAP_IS_CONNECTED(mme_ue)) { ogs_assert(OGS_OK == sgsap_send_uplink_unitdata(mme_ue, &message->emm. uplink_nas_transport.nas_message_container)); } else { S1AP_MME_UE_S1AP_ID_t MME_UE_S1AP_ID; S1AP_ENB_UE_S1AP_ID_t ENB_UE_S1AP_ID; ogs_warn("No connection of MSC/VLR"); MME_UE_S1AP_ID = enb_ue->mme_ue_s1ap_id; ENB_UE_S1AP_ID = enb_ue->enb_ue_s1ap_id; r = s1ap_send_error_indication(enb_ue->enb, &MME_UE_S1AP_ID, &ENB_UE_S1AP_ID, S1AP_Cause_PR_transport, S1AP_CauseTransport_transport_resource_unavailable); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } break; case OGS_NAS_EPS_ATTACH_COMPLETE: ogs_error("[%s] Attach complete in INVALID-STATE", mme_ue->imsi_bcd); break; case OGS_NAS_EPS_TRACKING_AREA_UPDATE_COMPLETE: ogs_error("[%s] Tracking area update complete in INVALID-STATE", mme_ue->imsi_bcd); break; default: ogs_warn("Unknown message[%d]", message->emm.h.message_type); } break; default: ogs_fatal("Unknown event[%s]", mme_event_get_name(e)); ogs_assert_if_reached(); } } void emm_state_authentication(ogs_fsm_t *s, mme_event_t *e) { int r, rv; mme_ue_t *mme_ue = NULL; enb_ue_t *enb_ue = NULL; ogs_nas_eps_message_t *message = NULL; ogs_assert(s); ogs_assert(e); mme_sm_debug(e); mme_ue = e->mme_ue; ogs_assert(mme_ue); MME_UE_CHECK(OGS_LOG_DEBUG, mme_ue); switch (e->id) { case OGS_FSM_ENTRY_SIG: break; case OGS_FSM_EXIT_SIG: break; case MME_EVENT_EMM_MESSAGE: message = e->nas_message; ogs_assert(message); enb_ue = enb_ue_cycle(mme_ue->enb_ue); ogs_assert(enb_ue); switch (message->emm.h.message_type) { case OGS_NAS_EPS_AUTHENTICATION_RESPONSE: { ogs_nas_eps_authentication_response_t *authentication_response = &message->emm.authentication_response; ogs_nas_authentication_response_parameter_t *authentication_response_parameter = &authentication_response-> authentication_response_parameter; ogs_debug("Authentication response"); ogs_debug(" IMSI[%s]", mme_ue->imsi_bcd); CLEAR_MME_UE_TIMER(mme_ue->t3460); if (authentication_response_parameter->length == 0 || memcmp(authentication_response_parameter->res, mme_ue->xres, authentication_response_parameter->length) != 0) { ogs_log_hexdump(OGS_LOG_WARN, authentication_response_parameter->res, authentication_response_parameter->length); ogs_log_hexdump(OGS_LOG_WARN, mme_ue->xres, OGS_MAX_RES_LEN); r = nas_eps_send_authentication_reject(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(&mme_ue->sm, &emm_state_exception); } else { OGS_FSM_TRAN(&mme_ue->sm, &emm_state_security_mode); } break; } case OGS_NAS_EPS_AUTHENTICATION_FAILURE: { ogs_nas_eps_authentication_failure_t *authentication_failure = &message->emm.authentication_failure; ogs_nas_authentication_failure_parameter_t *authentication_failure_parameter = &authentication_failure-> authentication_failure_parameter; ogs_debug("Authentication failure"); ogs_debug(" IMSI[%s] OGS_NAS_EMM_CAUSE[%d]", mme_ue->imsi_bcd, authentication_failure->emm_cause); CLEAR_MME_UE_TIMER(mme_ue->t3460); switch (authentication_failure->emm_cause) { case OGS_NAS_EMM_CAUSE_MAC_FAILURE: ogs_warn("Authentication failure(MAC failure)"); break; case OGS_NAS_EMM_CAUSE_NON_EPS_AUTHENTICATION_UNACCEPTABLE: ogs_error("Authentication failure" "(Non-EPS authentication unacceptable)"); break; case OGS_NAS_EMM_CAUSE_SYNCH_FAILURE: ogs_info("Authentication failure(Synch failure)"); mme_s6a_send_air(enb_ue, mme_ue, authentication_failure_parameter); return; default: ogs_error("Unknown OGS_NAS_EMM_CAUSE{%d] in Authentication" " failure", authentication_failure->emm_cause); break; } r = nas_eps_send_authentication_reject(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(&mme_ue->sm, &emm_state_exception); break; } case OGS_NAS_EPS_ATTACH_REQUEST: ogs_warn("[%s] Attach request", mme_ue->imsi_bcd); rv = emm_handle_attach_request( mme_ue, &message->emm.attach_request, e->pkbuf); if (rv != OGS_OK) { ogs_error("emm_handle_attach_request() failed"); OGS_FSM_TRAN(s, emm_state_exception); break; } mme_s6a_send_air(enb_ue, mme_ue, NULL); OGS_FSM_TRAN(s, &emm_state_authentication); break; case OGS_NAS_EPS_EMM_STATUS: ogs_warn("EMM STATUS : IMSI[%s] Cause[%d]", mme_ue->imsi_bcd, message->emm.emm_status.emm_cause); break; case OGS_NAS_EPS_DETACH_REQUEST: ogs_warn("[%s] Detach request", mme_ue->imsi_bcd); rv = emm_handle_detach_request( mme_ue, &message->emm.detach_request_from_ue); if (rv != OGS_OK) { ogs_error("emm_handle_detach_request() failed"); OGS_FSM_TRAN(s, emm_state_exception); break; } if (!MME_UE_HAVE_IMSI(mme_ue)) { ogs_warn("Detach request : Unknown UE"); ogs_assert(OGS_OK == nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK)); OGS_FSM_TRAN(s, &emm_state_exception); break; } if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) { ogs_error("No Security Context : IMSI[%s]", mme_ue->imsi_bcd); ogs_assert(OGS_OK == nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK)); OGS_FSM_TRAN(s, &emm_state_exception); break; } /* * If the OLD ENB_UE is being maintained in MME-UE Context, * it deletes the S1 Context after exchanging * the UEContextReleaseCommand/Complete with the eNB */ CLEAR_S1_CONTEXT(mme_ue); if (MME_P_TMSI_IS_AVAILABLE(mme_ue)) { ogs_assert(OGS_OK == sgsap_send_detach_indication(mme_ue)); } else { mme_send_delete_session_or_detach(mme_ue); } OGS_FSM_TRAN(s, &emm_state_de_registered); break; default: ogs_warn("Unknown message[%d]", message->emm.h.message_type); break; } break; case MME_EVENT_EMM_TIMER: switch (e->timer_id) { case MME_TIMER_T3460: if (mme_ue->t3460.retry_count >= mme_timer_cfg(MME_TIMER_T3460)->max_count) { ogs_warn("Retransmission of IMSI[%s] failed. " "Stop retransmission", mme_ue->imsi_bcd); OGS_FSM_TRAN(&mme_ue->sm, &emm_state_exception); r = nas_eps_send_authentication_reject(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } else { mme_ue->t3460.retry_count++; r = nas_eps_send_authentication_request(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } break; default: ogs_error("Unknown timer[%s:%d]", mme_timer_get_name(e->timer_id), e->timer_id); break; } break; default: ogs_error("Unknown event[%s]", mme_event_get_name(e)); break; } } void emm_state_security_mode(ogs_fsm_t *s, mme_event_t *e) { int r, rv; mme_ue_t *mme_ue = NULL; enb_ue_t *enb_ue = NULL; ogs_nas_eps_message_t *message = NULL; ogs_nas_security_header_type_t h; ogs_assert(s); ogs_assert(e); mme_sm_debug(e); mme_ue = e->mme_ue; ogs_assert(mme_ue); switch (e->id) { case OGS_FSM_ENTRY_SIG: CLEAR_MME_UE_TIMER(mme_ue->t3460); r = nas_eps_send_security_mode_command(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); break; case OGS_FSM_EXIT_SIG: break; case MME_EVENT_EMM_MESSAGE: message = e->nas_message; ogs_assert(message); enb_ue = enb_ue_cycle(mme_ue->enb_ue); ogs_assert(enb_ue); if (message->emm.h.security_header_type == OGS_NAS_SECURITY_HEADER_FOR_SERVICE_REQUEST_MESSAGE) { ogs_debug("Service request"); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } switch (message->emm.h.message_type) { case OGS_NAS_EPS_SECURITY_MODE_COMPLETE: ogs_debug("Security mode complete"); ogs_debug(" IMSI[%s]", mme_ue->imsi_bcd); CLEAR_MME_UE_TIMER(mme_ue->t3460); /* * TS24.301 * Section 4.4.4.3 * Integrity checking of NAS signalling messages in the MME: * * Once the secure exchange of NAS messages has been established * for the NAS signalling connection, the receiving EMM or ESM entity * in the MME shall not process any NAS signalling messages * unless they have been successfully integrity checked by the NAS. * If any NAS signalling message, having not successfully passed * the integrity check, is received, then the NAS in the MME shall * discard that message. If any NAS signalling message is received, * as not integrity protected even though the secure exchange * of NAS messages has been established, then the NAS shall discard * this message. */ h.type = e->nas_type; if (h.integrity_protected == 0) { ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd); break; } if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) { ogs_error("[%s] No Security Context", mme_ue->imsi_bcd); break; } /* * If the OLD ENB_UE is being maintained in MME-UE Context, * it deletes the S1 Context after exchanging * the UEContextReleaseCommand/Complete with the eNB */ CLEAR_S1_CONTEXT(mme_ue); emm_handle_security_mode_complete( mme_ue, &message->emm.security_mode_complete); ogs_kdf_kenb(mme_ue->kasme, mme_ue->ul_count.i32, mme_ue->kenb); ogs_kdf_nh_enb(mme_ue->kasme, mme_ue->kenb, mme_ue->nh); mme_ue->nhcc = 1; /* Create New GUTI */ mme_ue_new_guti(mme_ue); mme_s6a_send_ulr(enb_ue, mme_ue); if (mme_ue->next.m_tmsi) { OGS_FSM_TRAN(s, &emm_state_initial_context_setup); } else { ogs_fatal("MME always creates new GUTI"); ogs_assert_if_reached(); OGS_FSM_TRAN(s, &emm_state_registered); } break; case OGS_NAS_EPS_SECURITY_MODE_REJECT: ogs_warn("Security mode reject : IMSI[%s] Cause[%d]", mme_ue->imsi_bcd, message->emm.security_mode_reject.emm_cause); CLEAR_MME_UE_TIMER(mme_ue->t3460); OGS_FSM_TRAN(s, &emm_state_exception); break; case OGS_NAS_EPS_ATTACH_REQUEST: ogs_warn("[%s] Attach request", mme_ue->imsi_bcd); rv = emm_handle_attach_request( mme_ue, &message->emm.attach_request, e->pkbuf); if (rv != OGS_OK) { ogs_error("emm_handle_attach_request() failed"); OGS_FSM_TRAN(s, emm_state_exception); break; } mme_s6a_send_air(enb_ue, mme_ue, NULL); OGS_FSM_TRAN(s, &emm_state_authentication); break; case OGS_NAS_EPS_TRACKING_AREA_UPDATE_REQUEST: ogs_debug("Tracking area update request"); r = nas_eps_send_tau_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; case OGS_NAS_EPS_EMM_STATUS: ogs_warn("EMM STATUS : IMSI[%s] Cause[%d]", mme_ue->imsi_bcd, message->emm.emm_status.emm_cause); break; case OGS_NAS_EPS_DETACH_REQUEST: ogs_warn("[%s] Detach request", mme_ue->imsi_bcd); rv = emm_handle_detach_request( mme_ue, &message->emm.detach_request_from_ue); if (rv != OGS_OK) { ogs_error("emm_handle_detach_request() failed"); OGS_FSM_TRAN(s, emm_state_exception); break; } if (!MME_UE_HAVE_IMSI(mme_ue)) { ogs_warn("Detach request : Unknown UE"); ogs_assert(OGS_OK == nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK)); OGS_FSM_TRAN(s, &emm_state_exception); break; } if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) { ogs_error("No Security Context : IMSI[%s]", mme_ue->imsi_bcd); ogs_assert(OGS_OK == nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK)); OGS_FSM_TRAN(s, &emm_state_exception); break; } /* * If the OLD ENB_UE is being maintained in MME-UE Context, * it deletes the S1 Context after exchanging * the UEContextReleaseCommand/Complete with the eNB */ CLEAR_S1_CONTEXT(mme_ue); if (MME_P_TMSI_IS_AVAILABLE(mme_ue)) { ogs_assert(OGS_OK == sgsap_send_detach_indication(mme_ue)); } else { mme_send_delete_session_or_detach(mme_ue); } OGS_FSM_TRAN(s, &emm_state_de_registered); break; default: ogs_warn("Unknown message[%d]", message->emm.h.message_type); break; } break; case MME_EVENT_EMM_TIMER: switch (e->timer_id) { case MME_TIMER_T3460: if (mme_ue->t3460.retry_count >= mme_timer_cfg(MME_TIMER_T3460)->max_count) { ogs_warn("Retransmission of IMSI[%s] failed. " "Stop retransmission", mme_ue->imsi_bcd); OGS_FSM_TRAN(&mme_ue->sm, &emm_state_exception); r = nas_eps_send_attach_reject(mme_ue->enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_SECURITY_MODE_REJECTED_UNSPECIFIED, OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } else { mme_ue->t3460.retry_count++; r = nas_eps_send_security_mode_command(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } break; default: ogs_error("Unknown timer[%s:%d]", mme_timer_get_name(e->timer_id), e->timer_id); break; } break; default: ogs_error("Unknown event[%s]", mme_event_get_name(e)); break; } } void emm_state_initial_context_setup(ogs_fsm_t *s, mme_event_t *e) { int r, rv, xact_count; mme_ue_t *mme_ue = NULL; enb_ue_t *enb_ue = NULL; ogs_nas_eps_message_t *message = NULL; ogs_nas_security_header_type_t h; ogs_assert(s); ogs_assert(e); mme_sm_debug(e); mme_ue = e->mme_ue; ogs_assert(mme_ue); switch (e->id) { case OGS_FSM_ENTRY_SIG: break; case OGS_FSM_EXIT_SIG: break; case MME_EVENT_EMM_MESSAGE: message = e->nas_message; ogs_assert(message); enb_ue = enb_ue_cycle(mme_ue->enb_ue); ogs_assert(enb_ue); xact_count = mme_ue_xact_count(mme_ue, OGS_GTP_LOCAL_ORIGINATOR); if (message->emm.h.security_header_type == OGS_NAS_SECURITY_HEADER_FOR_SERVICE_REQUEST_MESSAGE) { ogs_debug("Service request"); r = nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } switch (message->emm.h.message_type) { case OGS_NAS_EPS_ATTACH_COMPLETE: ogs_info("[%s] Attach complete", mme_ue->imsi_bcd); /* * TS24.301 * Section 4.4.4.3 * Integrity checking of NAS signalling messages in the MME: * * Once the secure exchange of NAS messages has been established * for the NAS signalling connection, the receiving EMM or ESM entity * in the MME shall not process any NAS signalling messages * unless they have been successfully integrity checked by the NAS. * If any NAS signalling message, having not successfully passed * the integrity check, is received, then the NAS in the MME shall * discard that message. If any NAS signalling message is received, * as not integrity protected even though the secure exchange * of NAS messages has been established, then the NAS shall discard * this message. */ h.type = e->nas_type; if (h.integrity_protected == 0) { ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd); break; } if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) { ogs_error("[%s] No Security Context", mme_ue->imsi_bcd); break; } /* * If the OLD ENB_UE is being maintained in MME-UE Context, * it deletes the S1 Context after exchanging * the UEContextReleaseCommand/Complete with the eNB */ CLEAR_S1_CONTEXT(mme_ue); CLEAR_MME_UE_TIMER(mme_ue->t3450); rv = emm_handle_attach_complete( mme_ue, &message->emm.attach_complete); if (rv != OGS_OK) { ogs_error("emm_handle_attach_complete() failed " "in emm_state_initial_context_setup"); OGS_FSM_TRAN(s, emm_state_exception); break; } /* Confirm GUTI */ if (mme_ue->next.m_tmsi) mme_ue_confirm_guti(mme_ue); if (MME_P_TMSI_IS_AVAILABLE(mme_ue)) ogs_assert(OGS_OK == sgsap_send_tmsi_reallocation_complete(mme_ue)); OGS_FSM_TRAN(s, &emm_state_registered); break; case OGS_NAS_EPS_TRACKING_AREA_UPDATE_COMPLETE: ogs_debug("[%s] Tracking area update complete", mme_ue->imsi_bcd); /* * TS24.301 * Section 4.4.4.3 * Integrity checking of NAS signalling messages in the MME: * * Once the secure exchange of NAS messages has been established * for the NAS signalling connection, the receiving EMM or ESM entity * in the MME shall not process any NAS signalling messages * unless they have been successfully integrity checked by the NAS. * If any NAS signalling message, having not successfully passed * the integrity check, is received, then the NAS in the MME shall * discard that message. If any NAS signalling message is received, * as not integrity protected even though the secure exchange * of NAS messages has been established, then the NAS shall discard * this message. */ h.type = e->nas_type; if (h.integrity_protected == 0) { ogs_error("[%s] No Integrity Protected", mme_ue->imsi_bcd); break; } if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) { ogs_error("[%s] No Security Context", mme_ue->imsi_bcd); break; } /* * If the OLD ENB_UE is being maintained in MME-UE Context, * it deletes the S1 Context after exchanging * the UEContextReleaseCommand/Complete with the eNB */ CLEAR_S1_CONTEXT(mme_ue); CLEAR_MME_UE_TIMER(mme_ue->t3450); /* Confirm GUTI */ if (mme_ue->next.m_tmsi) mme_ue_confirm_guti(mme_ue); OGS_FSM_TRAN(s, &emm_state_registered); break; case OGS_NAS_EPS_ATTACH_REQUEST: ogs_warn("[%s] Attach request", mme_ue->imsi_bcd); rv = emm_handle_attach_request( mme_ue, &message->emm.attach_request, e->pkbuf); if (rv != OGS_OK) { ogs_error("emm_handle_attach_request() failed"); OGS_FSM_TRAN(s, emm_state_exception); break; } mme_gtp_send_delete_all_sessions(mme_ue, OGS_GTP_DELETE_SEND_AUTHENTICATION_REQUEST); if (!MME_SESSION_RELEASE_PENDING(mme_ue) && mme_ue_xact_count(mme_ue, OGS_GTP_LOCAL_ORIGINATOR) == xact_count) { mme_s6a_send_air(enb_ue, mme_ue, NULL); } OGS_FSM_TRAN(s, &emm_state_authentication); break; case OGS_NAS_EPS_EMM_STATUS: ogs_warn("EMM STATUS : IMSI[%s] Cause[%d]", mme_ue->imsi_bcd, message->emm.emm_status.emm_cause); break; case OGS_NAS_EPS_DETACH_REQUEST: ogs_warn("[%s] Detach request", mme_ue->imsi_bcd); rv = emm_handle_detach_request( mme_ue, &message->emm.detach_request_from_ue); if (rv != OGS_OK) { ogs_error("emm_handle_detach_request() failed"); OGS_FSM_TRAN(s, emm_state_exception); break; } if (!MME_UE_HAVE_IMSI(mme_ue)) { ogs_warn("Detach request : Unknown UE"); ogs_assert(OGS_OK == nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK)); OGS_FSM_TRAN(s, &emm_state_exception); break; } if (!SECURITY_CONTEXT_IS_VALID(mme_ue)) { ogs_error("No Security Context : IMSI[%s]", mme_ue->imsi_bcd); ogs_assert(OGS_OK == nas_eps_send_service_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED_BY_THE_NETWORK)); OGS_FSM_TRAN(s, &emm_state_exception); break; } /* * If the OLD ENB_UE is being maintained in MME-UE Context, * it deletes the S1 Context after exchanging * the UEContextReleaseCommand/Complete with the eNB */ CLEAR_S1_CONTEXT(mme_ue); if (MME_P_TMSI_IS_AVAILABLE(mme_ue)) { ogs_assert(OGS_OK == sgsap_send_detach_indication(mme_ue)); } else { mme_send_delete_session_or_detach(mme_ue); } OGS_FSM_TRAN(s, &emm_state_de_registered); break; case OGS_NAS_EPS_SECURITY_MODE_COMPLETE: ogs_warn("[%s] Duplicated : Security mode complete", mme_ue->imsi_bcd); break; default: ogs_warn("Unknown message[%d]", message->emm.h.message_type); break; } break; case MME_EVENT_EMM_TIMER: switch (e->timer_id) { case MME_TIMER_T3450: if (mme_ue->t3450.retry_count >= mme_timer_cfg(MME_TIMER_T3450)->max_count) { ogs_warn("Retransmission of IMSI[%s] failed. " "Stop retransmission", mme_ue->imsi_bcd); OGS_FSM_TRAN(&mme_ue->sm, &emm_state_exception); } else { ogs_pkbuf_t *emmbuf = NULL; mme_ue->t3450.retry_count++; emmbuf = mme_ue->t3450.pkbuf; if (!emmbuf) { ogs_error("No emmbuf"); return; } mme_ue->t3450.pkbuf = ogs_pkbuf_copy(emmbuf); if (!mme_ue->t3450.pkbuf) { ogs_error("ogs_pkbuf_copy() failed"); ogs_pkbuf_free(emmbuf); return; } ogs_timer_start(mme_ue->t3450.timer, mme_timer_cfg(MME_TIMER_T3450)->duration); r = nas_eps_send_to_downlink_nas_transport( mme_ue->enb_ue, emmbuf); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); } break; default: ogs_error("Unknown timer[%s:%d]", mme_timer_get_name(e->timer_id), e->timer_id); break; } break; default: ogs_error("Unknown event[%s]", mme_event_get_name(e)); break; } } void emm_state_exception(ogs_fsm_t *s, mme_event_t *e) { int r, rv, xact_count; mme_ue_t *mme_ue = NULL; enb_ue_t *enb_ue = NULL; ogs_nas_eps_message_t *message = NULL; ogs_nas_security_header_type_t h; ogs_assert(e); mme_sm_debug(e); mme_ue = e->mme_ue; ogs_assert(mme_ue); switch (e->id) { case OGS_FSM_ENTRY_SIG: CLEAR_SERVICE_INDICATOR(mme_ue); CLEAR_MME_UE_ALL_TIMERS(mme_ue); break; case OGS_FSM_EXIT_SIG: break; case MME_EVENT_EMM_MESSAGE: message = e->nas_message; ogs_assert(message); enb_ue = enb_ue_cycle(mme_ue->enb_ue); ogs_assert(enb_ue); h.type = e->nas_type; xact_count = mme_ue_xact_count(mme_ue, OGS_GTP_LOCAL_ORIGINATOR); switch (message->emm.h.message_type) { case OGS_NAS_EPS_ATTACH_REQUEST: ogs_warn("[%s] Attach request", mme_ue->imsi_bcd); rv = emm_handle_attach_request( mme_ue, &message->emm.attach_request, e->pkbuf); if (rv != OGS_OK) { ogs_error("emm_handle_attach_request() failed"); OGS_FSM_TRAN(s, emm_state_exception); break; } if (!MME_UE_HAVE_IMSI(mme_ue)) { CLEAR_MME_UE_TIMER(mme_ue->t3470); r = nas_eps_send_identity_request(mme_ue); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_de_registered); break; } if (h.integrity_protected && SECURITY_CONTEXT_IS_VALID(mme_ue)) { /* * If the OLD ENB_UE is being maintained in MME-UE Context, * it deletes the S1 Context after exchanging * the UEContextReleaseCommand/Complete with the eNB */ CLEAR_S1_CONTEXT(mme_ue); mme_gtp_send_delete_all_sessions(mme_ue, OGS_GTP_DELETE_HANDLE_PDN_CONNECTIVITY_REQUEST); if (!MME_SESSION_RELEASE_PENDING(mme_ue) && mme_ue_xact_count(mme_ue, OGS_GTP_LOCAL_ORIGINATOR) == xact_count) { rv = nas_eps_send_emm_to_esm(mme_ue, &mme_ue->pdn_connectivity_request); if (rv != OGS_OK) { ogs_error("nas_eps_send_emm_to_esm() failed"); r = nas_eps_send_attach_reject(enb_ue, mme_ue, OGS_NAS_EMM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED, OGS_NAS_ESM_CAUSE_PROTOCOL_ERROR_UNSPECIFIED); ogs_expect(r == OGS_OK); ogs_assert(r != OGS_ERROR); OGS_FSM_TRAN(s, &emm_state_exception); break; } } OGS_FSM_TRAN(s, &emm_state_initial_context_setup); } else { mme_gtp_send_delete_all_sessions(mme_ue, OGS_GTP_DELETE_SEND_AUTHENTICATION_REQUEST); if (!MME_SESSION_RELEASE_PENDING(mme_ue) && mme_ue_xact_count(mme_ue, OGS_GTP_LOCAL_ORIGINATOR) == xact_count) { mme_s6a_send_air(enb_ue, mme_ue, NULL); } OGS_FSM_TRAN(s, &emm_state_authentication); } break; default: ogs_warn("Unknown message[%d]", message->emm.h.message_type); } break; default: ogs_error("Unknown event[%s]", mme_event_get_name(e)); } }