/* Gb-proxy message patching */
2
3/* (C) 2014 by On-Waves
4 * All Rights Reserved
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU Affero General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU Affero General Public License for more details.
15 *
16 * You should have received a copy of the GNU Affero General Public License
17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
18 *
19 */
20
21#include <osmocom/sgsn/gb_proxy.h>
22
23#include <osmocom/sgsn/gprs_utils.h>
24#include <osmocom/sgsn/gprs_gb_parse.h>
25
26#include <osmocom/sgsn/debug.h>
27
28#include <osmocom/gprs/protocol/gsm_08_18.h>
29#include <osmocom/core/rate_ctr.h>
30#include <osmocom/gsm/apn.h>
31
/* talloc root context of the process, defined elsewhere; used here as the
 * parent of the filter string allocated in gbproxy_set_patch_filter(). */
extern void *tall_sgsn_ctx;
33
/* Rewrite the PLMN part of an encoded Routing Area Identifier in place.
 *
 * Towards the SGSN (to_bss == 0) the RAI is rewritten to the configured
 * core_plmn; towards the BSS (to_bss != 0) it is rewritten back to the peer's
 * local_plmn.  Nothing is done unless both MCC and MNC of local_plmn are set.
 * Every rewrite bumps the RAID_PATCHED_SGSN (to_bss) or RAID_PATCHED_BSS
 * (!to_bss) peer counter.
 *
 * raid_enc: encoded RAI, modified in place.
 * peer:     peer whose patch state, configuration and counters are used.
 * to_bss:   direction of the message carrying the RAI.
 * log_text: name of the message/field, for the debug log only.
 */
static void gbproxy_patch_raid(struct gsm48_ra_id *raid_enc, struct gbproxy_peer *peer,
			       int to_bss, const char *log_text)
{
	const struct gbproxy_patch_state *ps = &peer->patch_state;
	struct gprs_ra_id parsed;

	/* Patching is only configured when both MCC and MNC are known */
	if (!ps->local_plmn.mcc || !ps->local_plmn.mnc)
		return;

	gsm48_parse_ra(&parsed, (uint8_t *)raid_enc);

	/* Remember the PLMN as received, for the log line below */
	struct osmo_plmn_id before = {
		.mcc = parsed.mcc,
		.mnc = parsed.mnc,
		.mnc_3_digits = parsed.mnc_3_digits,
	};

	if (to_bss) {
		/* SGSN -> BSS: restore the PLMN the BSS expects */
		parsed.mcc = ps->local_plmn.mcc;
		parsed.mnc = ps->local_plmn.mnc;
		parsed.mnc_3_digits = ps->local_plmn.mnc_3_digits;
	} else {
		/* BSS -> SGSN: present the core network PLMN */
		parsed.mcc = peer->cfg->core_plmn.mcc;
		parsed.mnc = peer->cfg->core_plmn.mnc;
		parsed.mnc_3_digits = peer->cfg->core_plmn.mnc_3_digits;
	}

	LOGP(DGPRS, LOGL_DEBUG,
	     "Patching %s to %s: "
	     "%s-%d-%d -> %s\n",
	     log_text,
	     to_bss ? "BSS" : "SGSN",
	     osmo_plmn_name(&before), parsed.lac, parsed.rac,
	     osmo_rai_name(&parsed));

	gsm48_encode_ra(raid_enc, &parsed);
	rate_ctr_inc(&peer->ctrg->ctr[to_bss ? GBPROX_PEER_CTR_RAID_PATCHED_SGSN
					      : GBPROX_PEER_CTR_RAID_PATCHED_BSS]);
}
88
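/* Patch (replace or remove) the APN information element of an LLC/GMM message.
 *
 * The IE is laid out as [IEI][len][APN octets...].  With core_apn_size == 0
 * the whole IE is removed from the message; otherwise the APN value is
 * replaced with the configured core_apn and the length octet updated.
 * The caller has to fix up any enclosing length fields and the LLC FCS,
 * since the message length changes.
 *
 * msg:            message buffer containing the IE, resized in place.
 * apn_ie:         pointer to the IEI octet inside msg.
 * apn_ie_len:     total IE length (2 header octets + APN length).
 * peer:           peer providing the configuration and counters.
 * new_apn_ie_len: set to the IE length after patching (0 if removed).
 * log_text:       message name, for the debug log only.
 *
 * Aborts (OSMO_ASSERT) if the IE length is inconsistent or outside the
 * supported range.
 */
static void gbproxy_patch_apn_ie(struct msgb *msg,
				 uint8_t *apn_ie, size_t apn_ie_len,
				 struct gbproxy_peer *peer,
				 size_t *new_apn_ie_len, const char *log_text)
{
	struct apn_ie_hdr {
		uint8_t iei;
		uint8_t apn_len;
		uint8_t apn[];	/* C99 flexible array member instead of GNU apn[0] */
	} *hdr = (void *)apn_ie;
	struct gbproxy_config *cfg = peer->cfg;
	size_t apn_len;
	uint8_t *apn;

	/* Range-check the IE before reading its header: the length octet is
	 * only guaranteed to be inside the IE if the IE has both header octets. */
	OSMO_ASSERT(apn_ie_len > 2 && apn_ie_len <= 102);

	apn_len = hdr->apn_len;
	apn = hdr->apn;
	/* The IE length determined by the parser must agree with the length octet */
	OSMO_ASSERT(apn_ie_len == apn_len + sizeof(struct apn_ie_hdr));

	if (cfg->core_apn_size == 0) {
		/* Remove the IE entirely.  str1 is sized for the <= 100 octet
		 * APN guaranteed by the range check above. */
		char str1[110];

		LOGP(DGPRS, LOGL_DEBUG,
		     "Patching %s to SGSN: Removing APN '%s'\n",
		     log_text,
		     osmo_apn_to_str(str1, apn, apn_len));

		*new_apn_ie_len = 0;
		msgb_resize_area(msg, apn_ie, apn_ie_len, 0);
	} else {
		/* Replace the APN value with the configured one */
		char str1[110];
		char str2[110];

		OSMO_ASSERT(cfg->core_apn_size <= 100);

		LOGP(DGPRS, LOGL_DEBUG,
		     "Patching %s to SGSN: "
		     "Replacing APN '%s' -> '%s'\n",
		     log_text,
		     osmo_apn_to_str(str1, apn, apn_len),
		     osmo_apn_to_str(str2, cfg->core_apn,
				     cfg->core_apn_size));

		*new_apn_ie_len = cfg->core_apn_size + 2;
		/* Only the value area (starting at apn) is resized; the two
		 * header octets precede it, so hdr is still used afterwards
		 * to update the length octet. */
		msgb_resize_area(msg, apn, apn_len, cfg->core_apn_size);
		memcpy(apn, cfg->core_apn, cfg->core_apn_size);
		hdr->apn_len = cfg->core_apn_size;
	}

	rate_ctr_inc(&peer->ctrg->ctr[GBPROX_PEER_CTR_APN_PATCHED]);
}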
139
/* Replace the big-endian TLLI stored at tlli_enc with new_tlli.
 *
 * Returns 1 if the value was rewritten, 0 if it already equalled new_tlli
 * (nothing is logged or counted in that case).  A rewrite bumps the
 * TLLI_PATCHED_SGSN counter when to_bss is set and TLLI_PATCHED_BSS
 * otherwise; log_text names the patched field in the debug log.
 */
static int gbproxy_patch_tlli(uint8_t *tlli_enc,
			      struct gbproxy_peer *peer,
			      uint32_t new_tlli,
			      int to_bss, const char *log_text)
{
	uint32_t wire;
	uint32_t current;

	/* memcpy because tlli_enc is an arbitrary byte offset in the message */
	memcpy(&wire, tlli_enc, sizeof(wire));
	current = ntohl(wire);
	if (current == new_tlli)
		return 0;

	LOGP(DGPRS, LOGL_DEBUG,
	     "Patching %ss: "
	     "Replacing %08x -> %08x\n",
	     log_text, current, new_tlli);

	wire = htonl(new_tlli);
	memcpy(tlli_enc, &wire, sizeof(wire));

	if (to_bss)
		rate_ctr_inc(&peer->ctrg->ctr[GBPROX_PEER_CTR_TLLI_PATCHED_SGSN]);
	else
		rate_ctr_inc(&peer->ctrg->ctr[GBPROX_PEER_CTR_TLLI_PATCHED_BSS]);

	return 1;
}
170
/* Replace the big-endian P-TMSI stored at ptmsi_enc with new_ptmsi.
 *
 * Returns 1 if the value was rewritten, 0 if it already equalled new_ptmsi
 * (nothing is logged or counted in that case).  A rewrite bumps the
 * PTMSI_PATCHED_SGSN counter when to_bss is set and PTMSI_PATCHED_BSS
 * otherwise; log_text names the patched field in the debug log.
 */
static int gbproxy_patch_ptmsi(uint8_t *ptmsi_enc,
			       struct gbproxy_peer *peer,
			       uint32_t new_ptmsi,
			       int to_bss, const char *log_text)
{
	uint32_t wire;
	uint32_t current;

	/* memcpy because ptmsi_enc is an arbitrary byte offset in the message */
	memcpy(&wire, ptmsi_enc, sizeof(wire));
	current = ntohl(wire);
	if (current == new_ptmsi)
		return 0;

	LOGP(DGPRS, LOGL_DEBUG,
	     "Patching %ss: "
	     "Replacing %08x -> %08x\n",
	     log_text, current, new_ptmsi);

	wire = htonl(new_ptmsi);
	memcpy(ptmsi_enc, &wire, sizeof(wire));

	if (to_bss)
		rate_ctr_inc(&peer->ctrg->ctr[GBPROX_PEER_CTR_PTMSI_PATCHED_SGSN]);
	else
		rate_ctr_inc(&peer->ctrg->ctr[GBPROX_PEER_CTR_PTMSI_PATCHED_BSS]);

	return 1;
}
200
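/* Patch the identifiers (P-TMSI, RAI, APN) inside a parsed LLC PDU.
 *
 * Applies the patches selected by parse_ctx and the peer configuration and
 * recomputes the LLC FCS when anything was touched.  Only the APN patch can
 * change the PDU length; that change is added to *len_change, which the
 * caller must have initialised (gbproxy_patch_bssgp() passes 0) and must
 * afterwards use to fix the enclosing BSSGP IE length.
 *
 * msg:        message buffer holding the PDU (resized if the APN changes).
 * llc:        start of the LLC PDU inside msg.
 * llc_len:    PDU length before patching, including the 3 FCS octets.
 * peer:       peer providing configuration and counters.
 * link_info:  cached link state, or NULL (P-TMSI and APN patching are
 *             skipped without it).
 * len_change: in/out, see above.
 * parse_ctx:  parse results locating the fields to patch.
 *
 * Returns 1 if the PDU was (possibly) modified and the FCS recomputed,
 * 0 otherwise.
 */
int gbproxy_patch_llc(struct msgb *msg, uint8_t *llc, size_t llc_len,
		      struct gbproxy_peer *peer,
		      struct gbproxy_link_info *link_info, int *len_change,
		      struct gprs_gb_parse_context *parse_ctx)
{
	struct gprs_llc_hdr_parsed *ghp = &parse_ctx->llc_hdr_parsed;
	struct gbproxy_config *cfg = peer->cfg;
	int have_patched = 0;

	if (parse_ctx->ptmsi_enc && link_info &&
	    !parse_ctx->old_raid_is_foreign && cfg->patch_ptmsi) {
		/* Use the P-TMSI valid on the side the message is going to */
		uint32_t ptmsi = parse_ctx->to_bss ? link_info->tlli.ptmsi
						  : link_info->sgsn_tlli.ptmsi;

		/* TODO: invalidate old RAI if present when the P-TMSI is the
		 * reserved value (see the old_raid_enc block below) */
		if (ptmsi != GSM_RESERVED_TMSI &&
		    gbproxy_patch_ptmsi(parse_ctx->ptmsi_enc, peer,
					ptmsi, parse_ctx->to_bss, "P-TMSI"))
			have_patched = 1;
	}

	if (parse_ctx->new_ptmsi_enc && link_info && cfg->patch_ptmsi) {
		uint32_t ptmsi = parse_ctx->to_bss ? link_info->tlli.ptmsi
						  : link_info->sgsn_tlli.ptmsi;

		/* A newly assigned P-TMSI must already be known for this link */
		OSMO_ASSERT(ptmsi);
		if (gbproxy_patch_ptmsi(parse_ctx->new_ptmsi_enc, peer,
					ptmsi, parse_ctx->to_bss, "new P-TMSI"))
			have_patched = 1;
	}

	/* gbproxy_patch_raid() may leave the RAI untouched when no local PLMN
	 * is configured; have_patched is set regardless, which only costs a
	 * needless FCS recomputation. */
	if (parse_ctx->raid_enc) {
		gbproxy_patch_raid((struct gsm48_ra_id *)parse_ctx->raid_enc, peer,
				   parse_ctx->to_bss, parse_ctx->llc_msg_name);
		have_patched = 1;
	}

	if (parse_ctx->old_raid_enc && !parse_ctx->old_raid_is_foreign) {
		/* TODO: Patch to invalid if P-TMSI unknown. */
		gbproxy_patch_raid((struct gsm48_ra_id *)parse_ctx->old_raid_enc, peer,
				   parse_ctx->to_bss, parse_ctx->llc_msg_name);
		have_patched = 1;
	}

	/* APN patching applies only towards the SGSN and only for IMSIs
	 * matching the configured patching filter. */
	if (parse_ctx->apn_ie && cfg->core_apn && !parse_ctx->to_bss &&
	    gbproxy_imsi_matches(cfg, GBPROX_MATCH_PATCHING, link_info)) {
		size_t new_len;

		gbproxy_patch_apn_ie(msg,
				     parse_ctx->apn_ie, parse_ctx->apn_ie_len,
				     peer, &new_len, parse_ctx->llc_msg_name);
		*len_change += (int)new_len - (int)parse_ctx->apn_ie_len;
		have_patched = 1;
	}

	if (have_patched) {
		int fcs;

		llc_len += *len_change;
		ghp->crc_length += *len_change;

		/* The FCS occupies the last three octets (LSB first) and must
		 * cover the possibly resized payload; refuse to index before
		 * the PDU start if the length bookkeeping went wrong. */
		OSMO_ASSERT(llc_len >= 3);
		fcs = gprs_llc_fcs(llc, ghp->crc_length);
		LOGP(DLLC, LOGL_DEBUG, "Updated LLC message, CRC: %06x -> %06x\n",
		     ghp->fcs, fcs);

		llc[llc_len - 3] = fcs & 0xff;
		llc[llc_len - 2] = (fcs >> 8) & 0xff;
		llc[llc_len - 1] = (fcs >> 16) & 0xff;
	}

	return have_patched;
}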
284
/* Patch a BSSGP message (and the LLC PDU it carries) in place so that the
 * SGSN side sees core_plmn.mcc/mnc, the core P-TMSI/TLLI and the core APN,
 * while the BSS side sees the peer's local values.
 *
 * The RAI at BSSGP level is patched unconditionally; everything else needs
 * the cached link_info.  On any error the selected peer error counter is
 * incremented and the failure is logged; the message is left in whatever
 * state it has reached at that point.  *len_change receives the net change
 * of the message length caused by resizing the LLC PDU (the caller must
 * initialise it).
 *
 * msg:        message buffer, resized in place when the LLC PDU grows/shrinks.
 * bssgp:      start of the BSSGP PDU inside msg (currently unused here).
 * bssgp_len:  length of the BSSGP PDU (currently unused here).
 * peer:       peer providing configuration and counters.
 * link_info:  cached link state for the TLLI, or NULL.
 * len_change: in/out, accumulated length change.
 * parse_ctx:  parse results locating the fields to patch; parse_ctx->tlli
 *             and parse_ctx->llc_len are updated to the patched values.
 */
void gbproxy_patch_bssgp(struct msgb *msg, uint8_t *bssgp, size_t bssgp_len,
			 struct gbproxy_peer *peer,
			 struct gbproxy_link_info *link_info, int *len_change,
			 struct gprs_gb_parse_context *parse_ctx)
{
	const char *err_info = NULL;
	int err_ctr = -1;

	/* The BSSGP-level RAI does not depend on the link state */
	if (parse_ctx->bssgp_raid_enc)
		gbproxy_patch_raid((struct gsm48_ra_id *)parse_ctx->bssgp_raid_enc, peer,
				   parse_ctx->to_bss, "BSSGP");

	if (parse_ctx->need_decryption &&
	    (peer->cfg->patch_ptmsi || peer->cfg->core_apn)) {
		/* Patching LLC messages has been requested
		 * explicitly, but the message (including the
		 * type) is encrypted, so we possibly fail to
		 * patch the LLC part of the message. */
		err_ctr = GBPROX_PEER_CTR_PATCH_CRYPT_ERR;
		err_info = "GMM message is encrypted";
		goto patch_error;
	}

	if (!link_info && parse_ctx->tlli_enc && parse_ctx->to_bss) {
		/* Happens with unknown (not cached) TLLI coming from
		 * the SGSN */
		/* TODO: What shall be done with the message in this case? */
		err_ctr = GBPROX_PEER_CTR_TLLI_UNKNOWN;
		err_info = "TLLI sent by the SGSN is unknown";
		goto patch_error;
	}

	/* Without cached link state there is nothing further to map */
	if (!link_info)
		return;

	if (parse_ctx->tlli_enc && peer->cfg->patch_ptmsi) {
		uint32_t tlli = gbproxy_map_tlli(parse_ctx->tlli,
						 link_info, parse_ctx->to_bss);

		if (tlli) {
			gbproxy_patch_tlli(parse_ctx->tlli_enc, peer, tlli,
					   parse_ctx->to_bss, "TLLI");
			/* keep the parse context in sync with the rewritten wire value */
			parse_ctx->tlli = tlli;
		} else {
			/* Internal error: link_info is present, yet no
			 * replacement TLLI could be mapped */
			err_ctr = GBPROX_PEER_CTR_PATCH_ERR;
			err_info = "Replacement TLLI is 0";
			goto patch_error;
		}
	}

	if (parse_ctx->bssgp_ptmsi_enc && peer->cfg->patch_ptmsi) {
		uint32_t ptmsi;
		/* Use the P-TMSI valid on the side the message is going to */
		if (parse_ctx->to_bss)
			ptmsi = link_info->tlli.ptmsi;
		else
			ptmsi = link_info->sgsn_tlli.ptmsi;

		/* The reserved value means no P-TMSI is allocated: leave the IE alone */
		if (ptmsi != GSM_RESERVED_TMSI)
			gbproxy_patch_ptmsi(
				parse_ctx->bssgp_ptmsi_enc, peer,
				ptmsi, parse_ctx->to_bss, "BSSGP P-TMSI");
	}

	if (parse_ctx->llc) {
		uint8_t *llc = parse_ctx->llc;
		size_t llc_len = parse_ctx->llc_len;
		int llc_len_change = 0;

		gbproxy_patch_llc(msg, llc, llc_len, peer, link_info,
				  &llc_len_change, parse_ctx);
		/* Note that the APN might have been resized here, but no
		 * pointer in the parse_ctx will refer to an address after the
		 * APN. So it's possible to patch first and do the TLLI
		 * handling afterwards. */

		if (llc_len_change) {
			llc_len += llc_len_change;

			/* Fix LLC IE len */
			/* TODO: This is a kludge, but a pointer to the
			 * start of the IE is not available here.  The two
			 * octets in front of the LLC PDU are taken to be the
			 * BSSGP IE tag followed by a one-octet length (high
			 * bit set), or else the two octets of a two-octet
			 * length. */
			if (llc[-2] == BSSGP_IE_LLC_PDU && llc[-1] & 0x80) {
				/* most probably a one byte length */
				if (llc_len > 127) {
					/* NOTE(review): gbproxy_patch_llc() has
					 * already resized the PDU inside msg, but
					 * neither *len_change nor
					 * parse_ctx->llc_len is updated on this
					 * path, so the caller sees the old
					 * length for a modified message --
					 * verify how the caller handles it. */
					err_info = "Cannot increase size";
					err_ctr = GBPROX_PEER_CTR_PATCH_ERR;
					goto patch_error;
				}
				llc[-1] = llc_len | 0x80;
			} else {
				llc[-2] = (llc_len >> 8) & 0x7f;
				llc[-1] = llc_len & 0xff;
			}
			*len_change += llc_len_change;
		}
		/* Note that the tp struct might contain invalid pointers here
		 * if the LLC field has changed its size */
		parse_ctx->llc_len = llc_len;
	}
	return;

patch_error:
	/* Every goto above selects a counter first */
	OSMO_ASSERT(err_ctr >= 0);
	rate_ctr_inc(&peer->ctrg->ctr[err_ctr]);
	LOGP(DGPRS, LOGL_ERROR,
	     "NSEI=%u(%s) failed to patch BSSGP message as requested: %s.\n",
	     msgb_nsei(msg), parse_ctx->to_bss ? "SGSN" : "BSS",
	     err_info);
}
396
/* Release the compiled regex and the pattern string of a patch filter and
 * leave it disabled.  Calling it on an already cleared filter is harmless. */
void gbproxy_clear_patch_filter(struct gbproxy_match *match)
{
	/* Only a successfully compiled regex may be handed to regfree() */
	if (match->enable)
		regfree(&match->re_comp);
	match->enable = false;

	talloc_free(match->re_str);
	match->re_str = NULL;
}
406
/* Install a new IMSI filter pattern (POSIX extended regex, case-insensitive,
 * no sub-matches) on match, replacing any previous one.
 *
 * A NULL filter just clears the filter.  Returns 0 on success and -1 if the
 * pattern does not compile; then, if err_msg is non-NULL, *err_msg points to
 * a static buffer holding the regerror() text.  That buffer is shared by all
 * callers and overwritten by the next failing call.
 */
int gbproxy_set_patch_filter(struct gbproxy_match *match, const char *filter,
			     const char **err_msg)
{
	static char err_buf[300];
	int rc;

	gbproxy_clear_patch_filter(match);
	if (!filter)
		return 0;

	rc = regcomp(&match->re_comp, filter,
		     REG_EXTENDED | REG_NOSUB | REG_ICASE);
	if (rc != 0) {
		if (err_msg) {
			regerror(rc, &match->re_comp, err_buf, sizeof(err_buf));
			*err_msg = err_buf;
		}
		return -1;
	}

	match->enable = true;
	match->re_str = talloc_strdup(tall_sgsn_ctx, filter);
	return 0;
}
435
/* Check an encoded Mobile Identity against the filter's regex.
 *
 * Returns 1 if the filter is disabled or the IMSI matches, 0 if it does not
 * match, and -1 if imsi/imsi_len does not decode as an IMSI (logged at
 * NOTICE level with a hexdump of the raw octets).
 */
int gbproxy_check_imsi(struct gbproxy_match *match,
		       const uint8_t *imsi, size_t imsi_len)
{
	char imsi_str[200];
	int rc;

	if (!match->enable)
		return 1;

	/* The MI comes off the wire; decoding is bounded by sizeof(imsi_str) */
	rc = gprs_is_mi_imsi(imsi, imsi_len);
	if (rc > 0)
		rc = gsm48_mi_to_string(imsi_str, sizeof(imsi_str), imsi, imsi_len);
	if (rc <= 0) {
		LOGP(DGPRS, LOGL_NOTICE, "Invalid IMSI %s\n",
		     osmo_hexdump(imsi, imsi_len));
		return -1;
	}

	LOGP(DGPRS, LOGL_DEBUG, "Checking IMSI '%s' (%d)\n", imsi_str, rc);

	if (regexec(&match->re_comp, imsi_str, 0, NULL, 0) == REG_NOMATCH) {
		LOGP(DGPRS, LOGL_INFO,
		     "IMSI '%s' doesn't match pattern '%s'\n",
		     imsi_str, match->re_str);
		return 0;
	}

	return 1;
}
465}