msc/MSC_Tests.ttcn

module MSC_Tests {

import from General_Types all;
import from Osmocom_Types all;

import from M3UA_Types all;
import from M3UA_Emulation all;

import from MTP3asp_Types all;
import from MTP3asp_PortType all;

import from SCCPasp_Types all;
import from SCCP_Types all;
import from SCCP_Emulation all;

import from SCTPasp_Types all;
import from SCTPasp_PortType all;

import from Osmocom_CTRL_Functions all;
import from Osmocom_CTRL_Types all;
import from Osmocom_CTRL_Adapter all;

import from TELNETasp_PortType all;
import from Osmocom_VTY_Functions all;

import from MNCC_Emulation all;
import from MNCC_Types all;

import from MGCP_Emulation all;
import from MGCP_Types all;
import from MGCP_Templates all;
import from SDP_Types all;

import from GSUP_Emulation all;
import from GSUP_Types all;
import from IPA_Emulation all;

import from BSSAP_Types all;
import from BSSAP_Adapter all;
import from BSSAP_CodecPort all;
import from BSSMAP_Templates all;
import from BSSMAP_Emulation all;
import from BSC_ConnectionHandler all;

import from SGsAP_Templates all;
import from SGsAP_Types all;
import from SGsAP_Emulation all;

import from MobileL3_Types all;
import from MobileL3_CommonIE_Types all;
import from MobileL3_SMS_Types all;
import from L3_Templates all;
import from L3_Common all;

import from SMPP_Types all;
import from SMPP_Templates all;
import from SMPP_Emulation all;

import from SCCP_Templates all;

import from SS_Types all;
import from SS_Templates all;
import from USSD_Helpers all;
import from DNS_Helpers all;

const integer NUM_BSC := 2;
type record of BSSAP_Configuration BSSAP_Configurations;

/* Needed for SGsAP SMS */
import from MobileL3_SMS_Types all;

type component MTC_CT extends CTRL_Adapter_CT {
	var boolean g_initialized := false;

	var BSSAP_Adapter g_bssap[NUM_BSC];

	/* no 'adapter_CT' for MNCC or GSUP */
	var MNCC_Emulation_CT vc_MNCC;
	var MGCP_Emulation_CT vc_MGCP;
	var GSUP_Emulation_CT vc_GSUP;
	var IPA_Emulation_CT vc_GSUP_IPA;
	var SMPP_Emulation_CT vc_SMPP;
	var SGsAP_Emulation_CT vc_SGsAP;

	/* only to get events from IPA underneath GSUP */
	port IPA_CTRL_PT GSUP_IPA_EVENT;
	/* VTY to MSC */
	port TELNETasp_PT MSCVTY;

	/* A port to directly send BSSAP messages. This port is used for
	 * tests that require low level access to sen arbitrary BSSAP
	 * messages. Run f_init_bssap_direct() to connect and initialize */
	port BSSAP_CODEC_PT BSSAP_DIRECT;

	/* When BSSAP messages are directly sent, then the connection
	 * handler is not active, which means that also no guard timer is
	 * set up. The following timer will serve as a replacement */
	timer Tguard_direct := 60.0;
}

modulepar {
	/* remote parameters of IUT */
	charstring mp_msc_ip := "127.0.0.1";
	integer mp_msc_ctrl_port := 4255;
	integer mp_msc_vty_port := 4254;

	/* local parameters of emulated HLR */
	boolean mp_mm_info := false;
	charstring mp_hlr_ip := "127.0.0.1";
	integer mp_hlr_port := 4222;
	charstring mp_mgw_ip := "127.0.0.1";
	integer mp_mgw_port := 2427;

	charstring mp_msc_mncc := "/tmp/mncc";

	integer mp_msc_smpp_port := 2775;
	charstring mp_smpp_system_id := "msc_tester";
	charstring mp_smpp_password := "osmocom1";
	charstring mp_mme_name := "mmec01.mmegi0001.mme.epc.mnc070.mcc901.3gppnetwork.org";
	charstring mp_vlr_name := "vlr.example.net";

	BSSAP_Configurations mp_bssap_cfg := {
		{
			sccp_service_type := "mtp3_itu",
			sctp_addr := { 23905, "127.0.0.1", 2905, "127.0.0.1" },
			own_pc := 185,
			own_ssn := 254,
			peer_pc := 187,
			peer_ssn := 254,
			sio := '83'O,
			rctx := 0
		},
		{
			sccp_service_type := "mtp3_itu",
			sctp_addr := { 23906, "127.0.0.1", 2905, "127.0.0.1" },
			own_pc := 186,
			own_ssn := 254,
			peer_pc := 187,
			peer_ssn := 254,
			sio := '83'O,
			rctx := 1
		}
	};
}

/* altstep for the global guard timer (only used when BSSAP_DIRECT
 * is used for communication */
private altstep as_Tguard_direct() runs on MTC_CT {
	[] Tguard_direct.timeout {
		setverdict(fail, "Tguard timeout");
		mtc.stop;
	}
}

function f_init_smpp(charstring id) runs on MTC_CT {
	id := id & "-SMPP";
	var EsmePars pars := {
		mode := MODE_TRANSCEIVER,
		bind := {
			system_id := mp_smpp_system_id,
			password := mp_smpp_password,
			system_type := "MSC_Tests",
			interface_version := hex2int('34'H),
			addr_ton := unknown,
			addr_npi := unknown,
			address_range := ""
		},
		esme_role := true
	}

	vc_SMPP := SMPP_Emulation_CT.create(id);
	map(vc_SMPP:SMPP_PORT, system:SMPP_PORT);
	vc_SMPP.start(SMPP_Emulation.main_client(pars, mp_msc_ip, mp_msc_smpp_port, "", -1));
}


function f_init_mncc(charstring id) runs on MTC_CT {
	id := id & "-MNCC";
	var MnccOps ops := {
		create_cb := refers(MNCC_Emulation.ExpectedCreateCallback),
		unitdata_cb := refers(MNCC_Emulation.DummyUnitdataCallback)
	}

	vc_MNCC := MNCC_Emulation_CT.create(id);
	map(vc_MNCC:MNCC, system:MNCC_CODEC_PT);
	vc_MNCC.start(MNCC_Emulation.main(ops, id, mp_msc_mncc));
}

function f_init_mgcp(charstring id) runs on MTC_CT {
	id := id & "-MGCP";
	var MGCPOps ops := {
		create_cb := refers(MGCP_Emulation.ExpectedCreateCallback),
		unitdata_cb := refers(MGCP_Emulation.DummyUnitdataCallback)
	}
	var MGCP_conn_parameters pars := {
		callagent_ip := mp_msc_ip,
		callagent_udp_port := -1,
		mgw_ip := mp_mgw_ip,
		mgw_udp_port := mp_mgw_port
	}

	vc_MGCP := MGCP_Emulation_CT.create(id);
	map(vc_MGCP:MGCP, system:MGCP_CODEC_PT);
	vc_MGCP.start(MGCP_Emulation.main(ops, pars, id));
}

function f_init_sgsap(charstring id) runs on MTC_CT {
	id := id & "-SGsAP";
	var SGsAPOps ops := {
		create_cb := refers(SGsAP_Emulation.ExpectedCreateCallback),
		unitdata_cb := refers(SGsAP_Emulation.DummyUnitdataCallback)
	}
	var SGsAP_conn_parameters pars := {
		remote_ip := mp_msc_ip,
		remote_sctp_port := 29118,
		local_ip := "",
		local_sctp_port := -1
	}

	vc_SGsAP := SGsAP_Emulation_CT.create(id);
	map(vc_SGsAP:SGsAP, system:SGsAP_CODEC_PT);
	vc_SGsAP.start(SGsAP_Emulation.main(ops, pars, id));
}


function f_init_gsup(charstring id) runs on MTC_CT {
	id := id & "-GSUP";
	var GsupOps ops := {
		create_cb := refers(GSUP_Emulation.ExpectedCreateCallback)
	}

	vc_GSUP_IPA := IPA_Emulation_CT.create(id & "-IPA");
	vc_GSUP := GSUP_Emulation_CT.create(id);

	map(vc_GSUP_IPA:IPA_PORT, system:IPA_CODEC_PT);
	connect(vc_GSUP:GSUP, vc_GSUP_IPA:IPA_GSUP_PORT);
	/* we use this hack to get events like ASP_IPA_EVENT_UP */
	connect(vc_GSUP_IPA:IPA_CTRL_PORT, self:GSUP_IPA_EVENT);

	vc_GSUP.start(GSUP_Emulation.main(ops, id));
	vc_GSUP_IPA.start(IPA_Emulation.main_server(mp_hlr_ip, mp_hlr_port));

	/* wait for incoming connection to GSUP port before proceeding */
	timer T := 10.0;
	T.start;
	alt {
		[] GSUP_IPA_EVENT.receive(t_ASP_IPA_EVT_UD(ASP_IPA_EVENT_UP)) { }
		[] T.timeout {
			setverdict(fail, "No connection to GSUP Port");
			mtc.stop
		}
	}
}

function f_init(integer num_bsc := 1, boolean sgsap := false) runs on MTC_CT {

	if (g_initialized == true) {
		return;
	}
	g_initialized := true;

	if (num_bsc > NUM_BSC) {
		testcase.stop("excess number of BSC instances requested");
	}

	for (var integer i := 0; i < num_bsc; i := i + 1) {
		if (isbound(mp_bssap_cfg[i])) {
			f_bssap_init(g_bssap[i], mp_bssap_cfg[i], "MSC_Test_" & int2str(i), BSC_BssmapOps);
			f_bssap_start(g_bssap[i]);
		} else {
			testcase.stop("missing BSSAP configuration");
		}
	}

	f_ipa_ctrl_start(mp_msc_ip, mp_msc_ctrl_port);
	f_init_mncc("MSC_Test");
	f_init_mgcp("MSC_Test");
	f_init_gsup("MSC_Test");
	f_init_smpp("MSC_Test");

	if (sgsap == true) {
		f_init_sgsap("MSC_Test");
	}

	map(self:MSCVTY, system:MSCVTY);
	f_vty_set_prompts(MSCVTY);
	f_vty_transceive(MSCVTY, "enable");

	/* set some defaults */
	f_vty_config(MSCVTY, "network", "authentication optional");
	f_vty_config(MSCVTY, "msc", "assign-tmsi");
	f_vty_config(MSCVTY, "network", "encryption a5 0");
}

/* Initialize for a direct connection to BSSAP. This function is an alternative
 * to f_init() when the high level functions of the BSC_ConnectionHandler are
 * not needed. */
function f_init_bssap_direct() runs on MTC_CT {
	f_bssap_init(g_bssap[0], mp_bssap_cfg[0], "MSC_Test", omit);
	connect(g_bssap[0].vc_SCCP:SCCP_SP_PORT, self:BSSAP_DIRECT);

	/* Start guard timer and activate it as default */
	Tguard_direct.start
	activate(as_Tguard_direct());
}

template PDU_BSSAP ts_BSSAP_BSSMAP := {
	discriminator := '0'B,
	spare := '0000000'B,
	dlci := omit,
	lengthIndicator := 0,	/* overwritten by codec */
	pdu := ?
}

template PDU_BSSAP tr_BSSAP_BSSMAP := {
	discriminator := '0'B,
	spare := '0000000'B,
	dlci := omit,
	lengthIndicator := ?,
	pdu := {
		bssmap := ?
	}
}


type integer BssmapCause;

template (value) BSSMAP_IE_Cause ts_BSSMAP_IE_Cause(BssmapCause val) := {
	elementIdentifier := '04'O,
	lengthIndicator := 0,
	causeValue := int2bit(val, 7),
	extensionCauseValue := '0'B,
	spare1 := omit
}

template (value) PDU_BSSAP ts_BSSMAP_Reset(BssmapCause cause) modifies ts_BSSAP_BSSMAP := {
	pdu := {
		bssmap := {
			reset := {
				messageType := '30'O,
				cause := ts_BSSMAP_IE_Cause(cause),
				a_InterfaceSelectorForReset := omit
			}
		}
	}
}

template (value) PDU_BSSAP ts_BSSMAP_ResetAck modifies ts_BSSAP_BSSMAP := {
	pdu := {
		bssmap := {
			resetAck := {
				messageType := '31'O,
				a_InterfaceSelectorForReset := omit
			}
		}
	}
}

template PDU_BSSAP tr_BSSMAP_ResetAck modifies tr_BSSAP_BSSMAP := {
	pdu := {
		bssmap := {
			resetAck := {
				messageType := '31'O,
				a_InterfaceSelectorForReset := *
			}
		}
	}
}

template BSSMAP_IE_CellIdentifier ts_BSSMAP_IE_CellID := {
	elementIdentifier := '05'O,
	lengthIndicator := 0,
	cellIdentifierDiscriminator := '0000'B,
	spare1_4 := '0000'B,
	cellIdentification := ?
}

type uint16_t BssmapLAC;
type uint16_t BssmapCI;

/*
template BSSMAP_IE_CellIdentifier ts_CellId_CGI(mcc, mnc, lac, ci)
modifies ts_BSSMAP_IE_CellID := {
	cellIdentification := {
		cI_LAC_CGI := {
			mnc_mcc := FIXME,
			lac := int2oct(lac, 2),
			ci := int2oct(ci, 2)
		}
	}
}
*/

template BSSMAP_IE_CellIdentifier ts_CellID_LAC_CI(BssmapLAC lac, BssmapCI ci)
modifies ts_BSSMAP_IE_CellID := {
	cellIdentification := {
		cI_LAC_CI := {
			lac := int2oct(lac, 2),
			ci := int2oct(ci, 2)
		}
	}
}

template BSSMAP_IE_CellIdentifier ts_CellId_CI(BssmapCI ci)
modifies ts_BSSMAP_IE_CellID := {
	cellIdentification := {
		cI_CI := int2oct(ci, 2)
	}
}

template BSSMAP_IE_CellIdentifier ts_CellId_none
modifies ts_BSSMAP_IE_CellID := {
	cellIdentification := {
		cI_noCell := ''O
	}
}


template BSSMAP_IE_Layer3Information ts_BSSMAP_IE_L3Info(octetstring l3info) := {
	elementIdentifier := '17'O,
	lengthIndicator := 0,
	layer3info := l3info
}

template PDU_BSSAP ts_BSSMAP_ComplL3(BSSMAP_IE_CellIdentifier cell_id, octetstring l3_info)
modifies ts_BSSAP_BSSMAP := {
	pdu := {
		bssmap := {
			completeLayer3Information := {
				messageType := '57'O,
				cellIdentifier := cell_id,
				layer3Information := ts_BSSMAP_IE_L3Info(l3_info),
				chosenChannel := omit,
				lSAIdentifier := omit,
				aPDU := omit,
				codecList := omit,
				redirectAttemptFlag := omit,
				sendSequenceNumber := omit,
				iMSI := omit
			}
		}
	}
}

template PDU_BSSAP ts_BSSMAP_HandoReq(BssmapCause cause, BSSMAP_IE_CellIdentifierList cid_list)
modifies ts_BSSAP_BSSMAP := {
	pdu := {
		bssmap := {
			handoverRequired := {
				messageType := '11'O,
				cause := ts_BSSMAP_IE_Cause(cause),
				responseRequest := omit,
				cellIdentifierList := cid_list,
				circuitPoolList := omit,
				currentChannelType1 := omit,
				speechVersion := omit,
				queueingIndicator := omit,
				oldToNewBSSInfo := omit,
				sourceToTargetRNCTransparentInfo := omit,
				sourceToTargetRNCTransparentInfoCDMA := omit,
				gERANClassmark := omit,
				talkerPriority := omit,
				speechCodec := omit,
				cSG_Identifier := omit
			}
		}
	}
}

type function void_fn(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr;

/* FIXME: move into BSC_ConnectionHandler? */
function f_init_pars(integer imsi_suffix, boolean sgsap := false) runs on MTC_CT return BSC_ConnHdlrPars {
	var BSC_ConnHdlrNetworkPars net_pars := {
		kc_support := '0A'O,	/* A5/1 and A5/3 enabled */
		expect_tmsi := true,
		expect_auth := false,
		expect_ciph := false
	};
	var BSC_ConnHdlrPars pars := {
		sccp_addr_own := g_bssap[0].sccp_addr_own,
		sccp_addr_peer := g_bssap[0].sccp_addr_peer,
		cell_id := valueof(ts_CellId_CGI('262'H, '42'H, 23, 42)),
		imei := f_gen_imei(imsi_suffix),
		imsi := f_gen_imsi(imsi_suffix),
		msisdn := f_gen_msisdn(imsi_suffix),
		tmsi := omit,
		cm1 := valueof(ts_CM1),
		cm2 := valueof(ts_CM2_default),
		cm3 := omit,
		vec := omit,
		net := net_pars,
		send_early_cm := true,
		ipa_ctrl_ip := mp_msc_ip,
		ipa_ctrl_port := mp_msc_ctrl_port,
		ipa_ctrl_enable := true,
		mm_info := mp_mm_info,
		sgsap_enable := sgsap
	};
	return pars;
}

function f_start_handler_with_pars(void_fn fn, BSC_ConnHdlrPars pars) runs on MTC_CT return BSC_ConnHdlr {
	var BSC_ConnHdlr vc_conn;
	var charstring id := testcasename();

	vc_conn := BSC_ConnHdlr.create(id);
	/* BSSMAP part / A interface */
	connect(vc_conn:BSSAP, g_bssap[0].vc_BSSMAP:CLIENT);
	connect(vc_conn:BSSAP_PROC, g_bssap[0].vc_BSSMAP:PROC);
	/* MNCC part */
	connect(vc_conn:MNCC, vc_MNCC:MNCC_CLIENT);
	connect(vc_conn:MNCC_PROC, vc_MNCC:MNCC_PROC);
	/* MGCP part */
	connect(vc_conn:MGCP, vc_MGCP:MGCP_CLIENT);
	connect(vc_conn:MGCP_PROC, vc_MGCP:MGCP_PROC);
	/* GSUP part */
	connect(vc_conn:GSUP, vc_GSUP:GSUP_CLIENT);
	connect(vc_conn:GSUP_PROC, vc_GSUP:GSUP_PROC);
	/* SMPP part */
	connect(vc_conn:SMPP, vc_SMPP:SMPP_CLIENT);
	connect(vc_conn:SMPP_PROC, vc_SMPP:SMPP_PROC);
	/* SGs part */
	if (pars.sgsap_enable == true) {
		connect(vc_conn:SGsAP, vc_SGsAP:SGsAP_CLIENT);
		connect(vc_conn:SGsAP_PROC, vc_SGsAP:SGsAP_PROC);
	}

	/* We cannot use vc_conn.start(f_init_handler(fn, id, pars)); as we cannot have
	 * a stand-alone 'derefers()' call, see https://www.eclipse.org/forums/index.php/t/1091364/ */
	vc_conn.start(derefers(fn)(id, pars));
	return vc_conn;
}

function f_start_handler(void_fn fn, integer imsi_suffix) runs on MTC_CT return BSC_ConnHdlr {
	return f_start_handler_with_pars(fn, f_init_pars(imsi_suffix));
}

private function f_tc_lu_imsi_noauth_tmsi(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	f_perform_lu();
}
testcase TC_lu_imsi_noauth_tmsi() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_lu_imsi_noauth_tmsi), 1);
	vc_conn.done;
}

private function f_tc_lu_imsi_noauth_notmsi(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	pars.net.expect_tmsi := false;
	f_init_handler(pars);
	f_perform_lu();
}
testcase TC_lu_imsi_noauth_notmsi() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "msc", "no assign-tmsi");

	vc_conn := f_start_handler(refers(f_tc_lu_imsi_noauth_notmsi), 2);
	vc_conn.done;
}

/* Do LU by IMSI, refuse it on GSUP and expect LU REJ back to MS */
private function f_tc_lu_imsi_reject(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	var PDU_ML3_MS_NW l3_lu := f_build_lu_imsi(g_pars.imsi);

	f_create_gsup_expect(hex2str(g_pars.imsi));
	f_bssap_compl_l3(l3_lu);
	GSUP.receive(tr_GSUP_UL_REQ(g_pars.imsi));
	GSUP.send(ts_GSUP_UL_ERR(g_pars.imsi, 23));
	alt {
		[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej(int2oct(23,1)))) {
			f_expect_clear();
			}
		[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Acc)) {
			setverdict(fail, "Expecting LU REJ, but got ACCEPT");
			mtc.stop;
		}
	}
}
testcase TC_lu_imsi_reject() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_lu_imsi_reject), 3);
	vc_conn.done;
}

/* Do LU by IMSI, timeout on GSUP */
private function f_tc_lu_imsi_timeout_gsup(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	var PDU_ML3_MS_NW l3_lu := f_build_lu_imsi(g_pars.imsi);

	f_create_gsup_expect(hex2str(g_pars.imsi));
	f_bssap_compl_l3(l3_lu);
	GSUP.receive(tr_GSUP_UL_REQ(g_pars.imsi));
	/* Normally the HLR would need to respond here, but we decide to force a timeout here */
	alt {
		/* FIXME: Expect specific reject cause */
		[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej)) {
			f_expect_clear();
			}
		[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Acc)) {
			setverdict(fail, "Expecting LU REJ, but got ACCEPT");
			mtc.stop;
		}
	}
}
testcase TC_lu_imsi_timeout_gsup() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_lu_imsi_timeout_gsup), 4);
	vc_conn.done;
}

private function f_tc_lu_imsi_auth_tmsi(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	pars.net.expect_auth := true;
	f_init_handler(pars);
	f_perform_lu();
}
testcase TC_lu_imsi_auth_tmsi() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "network", "authentication required");

	vc_conn := f_start_handler(refers(f_tc_lu_imsi_auth_tmsi), 5);
	vc_conn.done;
}


/* Send CM SERVICE REQ for IMSI that has never performed LU before */
private function f_tc_cmserv_imsi_unknown(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	f_init_handler(pars);

	var MobileIdentityLV mi := valueof(ts_MI_IMSI_LV(g_pars.imsi));
	var BSSMAP_IE_CellIdentifier cell_id := valueof(ts_CellId_CGI('262'H, '42'H, 23, 42));
	var PDU_ML3_MS_NW l3_info := valueof(ts_CM_SERV_REQ(CM_TYPE_MO_CALL, mi));

	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */
	f_bssap_compl_l3(l3_info);

	timer T := 10.0;
	T.start;
	alt {
	[] BSSAP.receive(tr_PDU_DTAP_MT(tr_CM_SERV_REJ)) { }
	//[] BSSAP.receive(tr_PDU_DTAP_MT(tr_CM_SERV_ACC)) { }
	[] BSSAP.receive {
		setverdict(fail, "Received unexpected BSSAP");
		mtc.stop;
		}
	[] GSUP.receive(tr_GSUP_UL_REQ(g_pars.imsi)) {
		setverdict(fail, "Unexpected GSUP UL REQ");
		mtc.stop;
		}
	[] T.timeout {
		setverdict(fail, "Timeout waiting for CM SERV REQ");
		mtc.stop;
		}
	}

	f_expect_clear();
}
testcase TC_cmserv_imsi_unknown() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	vc_conn := f_start_handler(refers(f_tc_cmserv_imsi_unknown), 6);
	vc_conn.done;
}

private function f_tc_lu_and_mo_call(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
	cpars.bss_rtp_port := 1110;
	cpars.mgcp_connection_id_bss := '22222'H;
	cpars.mgcp_connection_id_mss := '33333'H;
	cpars.mgcp_ep := "rtpbridge/1@mgw";

	f_perform_lu();
	f_mo_call(cpars);
}
testcase TC_lu_and_mo_call() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_lu_and_mo_call), 7);
	vc_conn.done;
}

/* Test LU (with authentication enabled), where HLR times out sending SAI response */
private function f_tc_lu_auth_sai_timeout(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	var PDU_ML3_MS_NW l3_lu := f_build_lu_imsi(g_pars.imsi)
	var PDU_DTAP_MT dtap_mt;

	/* tell GSUP dispatcher to send this IMSI to us */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */
	f_bssap_compl_l3(l3_lu);

	/* Send Early Classmark, just for the fun of it */
	BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3));

	GSUP.receive(tr_GSUP_SAI_REQ(g_pars.imsi));
	/* The HLR would normally return an auth vector here, but we fail to do so. */

	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej));
	f_expect_clear();
}
testcase TC_lu_auth_sai_timeout() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "network", "authentication required");

	vc_conn := f_start_handler(refers(f_tc_lu_auth_sai_timeout), 8);
	vc_conn.done;
}

/* Test LU (with authentication enabled), where HLR rejects sending SAI error */
private function f_tc_lu_auth_sai_err(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	var PDU_ML3_MS_NW l3_lu := f_build_lu_imsi(g_pars.imsi)
	var PDU_DTAP_MT dtap_mt;

	/* tell GSUP dispatcher to send this IMSI to us */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */
	f_bssap_compl_l3(l3_lu);

	/* Send Early Classmark, just for the fun of it */
	BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3));

	GSUP.receive(tr_GSUP_SAI_REQ(g_pars.imsi));
	GSUP.send(ts_GSUP_SAI_ERR(g_pars.imsi, 13));

	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej));
	f_expect_clear();
}
testcase TC_lu_auth_sai_err() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "network", "authentication required");

	vc_conn := f_start_handler(refers(f_tc_lu_auth_sai_err), 9);
	vc_conn.done;
}

/* Test LU but BSC will send a clear request in the middle */
private function f_tc_lu_clear_request(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	var PDU_ML3_MS_NW l3_lu := f_build_lu_imsi(g_pars.imsi)
	var PDU_DTAP_MT dtap_mt;

	/* tell GSUP dispatcher to send this IMSI to us */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */
	f_bssap_compl_l3(l3_lu);

	/* Send Early Classmark, just for the fun of it */
	BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3));

	f_sleep(1.0);
	/* send clear request in the middle of the LU */
	BSSAP.send(ts_BSSMAP_ClearRequest(0));
	alt {
	[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej)) { repeat; }
	[] BSSAP.receive(tr_BSSMAP_ClearCommand) {}
	}
	BSSAP.send(ts_BSSMAP_ClearComplete);
	alt {
	/* See https://osmocom.org/issues/2862 */
	[] BSSAP.receive(tr_BSSMAP_ClearCommand) {
			setverdict(fail, "Got a second Clear Command, only one expected");
			mtc.stop;
			repeat;
		}
	[] BSSAP.receive(BSSAP_Conn_Prim:MSC_CONN_PRIM_DISC_IND) {}
	}
	setverdict(pass);
}
testcase TC_lu_clear_request() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_lu_clear_request), 10);
	vc_conn.done;
}

/* Test LU but BSC will send a clear request in the middle */
private function f_tc_lu_disconnect(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	var PDU_ML3_MS_NW l3_lu := f_build_lu_imsi(g_pars.imsi)
	var PDU_DTAP_MT dtap_mt;

	/* tell GSUP dispatcher to send this IMSI to us */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */
	f_bssap_compl_l3(l3_lu);

	/* Send Early Classmark, just for the fun of it */
	BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3));

	f_sleep(1.0);
	/* send clear request in the middle of the LU */
	BSSAP.send(BSSAP_Conn_Prim:MSC_CONN_PRIM_DISC_REQ);
	setverdict(pass);
}
testcase TC_lu_disconnect() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_lu_disconnect), 11);
	vc_conn.done;
}


/* Test LU but with illegal mobile identity type = IMEI */
private function f_tc_lu_by_imei(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	var PDU_ML3_MS_NW l3_lu := f_build_lu_imei(g_pars.imei)
	var PDU_DTAP_MT dtap_mt;

	/* tell GSUP dispatcher to send this IMSI to us */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */
	f_bssap_compl_l3(l3_lu);

	/* Send Early Classmark, just for the fun of it */
	BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3));
	/* wait for LU reject, ignore any ID REQ */
	alt {
	[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej)) { }
	[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_MM_ID_Req)) { repeat; }
	}
	/* wait for normal teardown */
	f_expect_clear();
}
testcase TC_lu_by_imei() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_lu_by_imei), 12);
	vc_conn.done;
}

/* Test LU by TMSI with unknown TMSI, expect (and answer) ID REQ. */
private function f_tc_lu_tmsi_noauth_unknown(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	/* We piggyback a test for an MSC crash on overlong IMSI (OS#2864) onto this test. */
	var hexstring overlong_imsi := '012345789ABCDEF0123456789ABCDEF'H;
	f_init_handler(pars);

	var PDU_ML3_MS_NW l3_lu := f_build_lu_tmsi('01020304'O); /* FIXME: Random */
	var PDU_DTAP_MT dtap_mt;

	/* tell GSUP dispatcher to send this IMSI to us */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */
	f_bssap_compl_l3(l3_lu);

	/* Send Early Classmark, just for the fun of it */
	BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3));

	/* Wait for + respond to ID REQ (IMSI) */
	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_MM_ID_Req('001'B)));
	BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_MM_ID_Rsp_IMSI(overlong_imsi))); /* test for OS#2864 */
	BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_MM_ID_Rsp_IMSI(g_pars.imsi)));

	/* Expect MSC to do UpdateLocation to HLR; respond to it */
	GSUP.receive(tr_GSUP_UL_REQ(g_pars.imsi));
	GSUP.send(ts_GSUP_ISD_REQ(g_pars.imsi, g_pars.msisdn));
	GSUP.receive(tr_GSUP_ISD_RES(g_pars.imsi));
	GSUP.send(ts_GSUP_UL_RES(g_pars.imsi));

	alt {
	[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Acc)) {
		BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_TmsiRealloc_Cmpl));
		}
	[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej)) {
		setverdict(fail, "Expected LU ACK, but received REJ");
		mtc.stop;
		}
	}

	/* Wait for MM-Information (if enabled) */
	f_expect_mm_info();

	/* wait for normal teardown */
	f_expect_clear();
}
testcase TC_lu_by_tmsi_noauth_unknown() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_lu_tmsi_noauth_unknown), 13);
	vc_conn.done;
}


/* Test IMSI DETACH (MI=IMSI) */
private function f_tc_imsi_detach_by_imsi(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	var MobileIdentityLV mi := valueof(ts_MI_IMSI_LV(g_pars.imsi));

	/* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */
	f_bssap_compl_l3(valueof(ts_ML3_MO_MM_IMSI_DET_Ind(mi)));

	/* Send Early Classmark, just for the fun of it? */
	BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3));

	/* wait for normal teardown */
	f_expect_clear();
}
testcase TC_imsi_detach_by_imsi() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_imsi_detach_by_imsi), 14);
	vc_conn.done;
}

/* Test IMSI DETACH (MI=TMSI) */
private function f_tc_imsi_detach_by_tmsi(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	var MobileIdentityLV mi := valueof(ts_MI_TMSI_LV('01020304'O));

	/* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */
	f_bssap_compl_l3(valueof(ts_ML3_MO_MM_IMSI_DET_Ind(mi)));

	/* Send Early Classmark, just for the fun of it? */
	BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3));

	/* wait for normal teardown */
	f_expect_clear();
}
testcase TC_imsi_detach_by_tmsi() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_imsi_detach_by_tmsi), 15);
	vc_conn.done;
}

/* Test IMSI DETACH (MI=IMEI), which is illegal */
private function f_tc_imsi_detach_by_imei(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	var MobileIdentityLV mi := valueof(ts_MI_IMEI_LV(g_pars.imei));

	/* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */
	f_bssap_compl_l3(valueof(ts_ML3_MO_MM_IMSI_DET_Ind(mi)));

	/* Send Early Classmark, just for the fun of it? */
	BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3));

	/* wait for normal teardown */
	f_expect_clear();
}
testcase TC_imsi_detach_by_imei() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_imsi_detach_by_imei), 16);
	vc_conn.done;
}


/* helper function for an emergency call. caller passes in mobile identity to use */
private function f_emerg_call(MobileIdentityLV mi) runs on BSC_ConnHdlr {
	var CallParameters cpars := valueof(t_CallParams('112'H, 0));
	cpars.emergency := true;
	cpars.mgcp_ep := "rtpbridge/1@mgw";

	f_mo_call(cpars);
}

/* establish an emergency call by IMEI, no SIM inserted (and hence no IMSI) */
private function f_tc_emerg_call_imei_reject(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	var MobileIdentityLV mi := valueof(ts_MI_IMEI_LV(g_pars.imei));
	var PDU_ML3_MS_NW l3_info := valueof(ts_CM_SERV_REQ(CM_TYPE_EMERG_CALL, mi));
	f_bssap_compl_l3(l3_info);
	BSSAP.receive(tr_PDU_DTAP_MT(tr_CM_SERV_REJ('05'O)));
	f_expect_clear();
}
testcase TC_emerg_call_imei_reject() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_emerg_call_imei_reject), 17);
	vc_conn.done;
}

/* establish an emergency call by IMSI, SIM inserted (and hence IMSI) */
private function f_tc_emerg_call_imsi(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	/* First perform location update to ensure subscriber is known */
	f_perform_lu();
	/* Then issue emergency call identified by IMSI */
	f_emerg_call(valueof(ts_MI_IMSI_LV(g_pars.imsi)));
}
testcase TC_emerg_call_imsi() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_emerg_call_imsi), 18);
	vc_conn.done;
}

/* CM Service Request for VGCS -> reject */
private function f_tc_cm_serv_req_vgcs_reject(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* First perform location update to ensure subscriber is known */
	f_perform_lu();

	var MobileIdentityLV mi := valueof(ts_MI_IMSI_LV(g_pars.imsi));
	var PDU_ML3_MS_NW l3_info := valueof(ts_CM_SERV_REQ(CM_TYPE_VGCS, mi));
	f_bssap_compl_l3(l3_info);
	BSSAP.receive(tr_PDU_DTAP_MT(tr_CM_SERV_REJ(int2oct(32,1))));
	f_expect_clear();
}
testcase TC_cm_serv_req_vgcs_reject() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_cm_serv_req_vgcs_reject), 19);
	vc_conn.done;
}

/* CM Service Request for VBS -> reject */
private function f_tc_cm_serv_req_vbs_reject(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* First perform location update to ensure subscriber is known */
	f_perform_lu();

	var MobileIdentityLV mi := valueof(ts_MI_IMSI_LV(g_pars.imsi));
	var PDU_ML3_MS_NW l3_info := valueof(ts_CM_SERV_REQ(CM_TYPE_VBS, mi));
	f_bssap_compl_l3(l3_info);
	BSSAP.receive(tr_PDU_DTAP_MT(tr_CM_SERV_REJ(int2oct(32,1))));
	f_expect_clear();
}
testcase TC_cm_serv_req_vbs_reject() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_cm_serv_req_vbs_reject), 20);
	vc_conn.done;
}

/* CM Service Request for LCS -> reject */
private function f_tc_cm_serv_req_lcs_reject(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* First perform location update to ensure subscriber is known */
	f_perform_lu();

	var MobileIdentityLV mi := valueof(ts_MI_IMSI_LV(g_pars.imsi));
	var PDU_ML3_MS_NW l3_info := valueof(ts_CM_SERV_REQ(CM_TYPE_LCS, mi));
	f_bssap_compl_l3(l3_info);
	BSSAP.receive(tr_PDU_DTAP_MT(tr_CM_SERV_REJ(int2oct(32,1))));
	f_expect_clear();
}
testcase TC_cm_serv_req_lcs_reject() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_cm_serv_req_lcs_reject), 21);
	vc_conn.done;
}

/* CM Re-Establishment Request */
private function f_tc_cm_reest_req_reject(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* First perform location update to ensure subscriber is known */
	f_perform_lu();

	var MobileIdentityLV mi := valueof(ts_MI_IMSI_LV(g_pars.imsi));
	var PDU_ML3_MS_NW l3_info := valueof(ts_CM_REEST_REQ(0, mi));
	f_bssap_compl_l3(l3_info);
	BSSAP.receive(tr_PDU_DTAP_MT(tr_CM_SERV_REJ(int2oct(32,1))));
	f_expect_clear();
}
testcase TC_cm_reest_req_reject() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_cm_reest_req_reject), 22);
	vc_conn.done;
}

/* Test LU (with authentication enabled), with wrong response from MS */
private function f_tc_lu_auth_2G_fail(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	var PDU_ML3_MS_NW l3_lu := f_build_lu_imsi(g_pars.imsi)

	/* tell GSUP dispatcher to send this IMSI to us */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */
	f_bssap_compl_l3(l3_lu);

	/* Send Early Classmark, just for the fun of it */
	BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3));

	var AuthVector vec := f_gen_auth_vec_2g();
	var GSUP_IE auth_tuple := valueof(ts_GSUP_IE_AuthTuple2G(vec.rand, vec.sres, vec.kc));
	GSUP.receive(tr_GSUP_SAI_REQ(g_pars.imsi));
	GSUP.send(ts_GSUP_SAI_RES(g_pars.imsi, auth_tuple));

	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_MM_AUTH_REQ(vec.rand)));
	/* Send back wrong auth response */
	BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MT_MM_AUTH_RESP_2G('00000000'O)));

	/* Expect GSUP AUTH FAIL REP to HLR */
	GSUP.receive(tr_GSUP_AUTH_FAIL_IND(g_pars.imsi));

	/* Expect LU REJECT with Cause == Illegal MS */
	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej('03'O)));
	f_expect_clear();
}
testcase TC_lu_auth_2G_fail() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "network", "authentication required");

	vc_conn := f_start_handler(refers(f_tc_lu_auth_2G_fail), 23);
	vc_conn.done;
}

/* A5/1 + A5/3 permitted on network side, and MS capable to do it */
private function f_tc_lu_imsi_auth_tmsi_encr_13_13(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	pars.net.expect_auth := true;
	pars.net.expect_ciph := true;
	f_init_handler(pars);
	f_perform_lu();
}
testcase TC_lu_imsi_auth_tmsi_encr_13_13() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "network", "authentication required");
	f_vty_config(MSCVTY, "network", "encryption a5 1 3");

	vc_conn := f_start_handler(refers(f_tc_lu_imsi_auth_tmsi_encr_13_13), 24);
	vc_conn.done;
}

/* Test Complete L3 without payload */
private function f_tc_cl3_no_payload(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* Send Complete L3 Info with empty L3 frame */
	BSSAP.send(ts_BSSAP_Conn_Req(g_pars.sccp_addr_peer, g_pars.sccp_addr_own,
					valueof(ts_BSSMAP_ComplL3(g_pars.cell_id, ''O))));

	timer T := 5.0;
	T.start;
	alt {
	[] BSSAP.receive(BSSAP_Conn_Prim:MSC_CONN_PRIM_DISC_IND) {}
	/* Expect LU REJECT with Cause == Illegal MS */
	[] BSSAP.receive(tr_PDU_DTAP_MT(?)) { repeat; }
	[] BSSAP.receive(BSSAP_Conn_Prim:MSC_CONN_PRIM_CONF_IND) { repeat; }
	[] as_clear_cmd_compl_disc();
	[] T.timeout {
		setverdict(fail, "Timeout waiting for ClearCommand or SCCP Release");
		mtc.stop;
		}
	}
	setverdict(pass);
}
testcase TC_cl3_no_payload() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_cl3_no_payload), 25);
	vc_conn.done;
}

/* Test Complete L3 with random payload */
private function f_tc_cl3_rnd_payload(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* length is limited by PDU_BSSAP length field which includes some
	 * other fields beside l3info payload. So payl can only be 240 bytes
	 * Since rnd() returns values < 1 multiply with 241
	 */
	var integer len := float2int(rnd() * 241.0);
	var octetstring payl := f_rnd_octstring(len);

	/* Send Complete L3 Info with empty L3 frame */
	BSSAP.send(ts_BSSAP_Conn_Req(g_pars.sccp_addr_peer, g_pars.sccp_addr_own,
					valueof(ts_BSSMAP_ComplL3(g_pars.cell_id, payl))));

	timer T := 5.0;
	T.start;
	alt {
	/* Immediate disconnect */
	[] BSSAP.receive(BSSAP_Conn_Prim:MSC_CONN_PRIM_DISC_IND) {}
	[] BSSAP.receive(tr_PDU_DTAP_MT(?)) { repeat; }
	[] BSSAP.receive(BSSAP_Conn_Prim:MSC_CONN_PRIM_CONF_IND) { repeat; }
	[] as_clear_cmd_compl_disc();
	[] T.timeout {
		setverdict(fail, "Timeout waiting for ClearCommand or SCCP Release");
		mtc.stop;
		}
	}
	setverdict(pass);
}
testcase TC_cl3_rnd_payload() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_cl3_rnd_payload), 26);
	vc_conn.done;
}

/* Test Complete L3 with random payload */
private function f_tc_establish_and_nothing(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	f_perform_lu();

	f_establish_fully();
	f_expect_clear(10.0);
}
testcase TC_establish_and_nothing() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_establish_and_nothing), 27);
	vc_conn.done;
}

/* Test MO Call SETUP with no response from MNCC */
private function f_tc_mo_setup_and_nothing(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars, 190.0);

	var CallParameters cpars := valueof(t_CallParams('12345'H, 0));

	f_perform_lu();

	f_establish_fully();
	f_create_mncc_expect(hex2str(cpars.called_party));
	f_create_mgcp_expect(ExpectCriteria:{omit,omit,omit});

	BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_CC_SETUP(cpars.transaction_id, cpars.called_party)));

	f_expect_clear(185.0);
}
testcase TC_mo_setup_and_nothing() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_mo_setup_and_nothing), 28);
	vc_conn.done;
}

/* Test MO Call with no response to RAN-side CRCX */
private function f_tc_mo_crcx_ran_timeout(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
	var MNCC_PDU mncc;
	var MgcpCommand mgcp_cmd;

	f_perform_lu();

	f_establish_fully();
	f_create_mncc_expect(hex2str(cpars.called_party));
	f_create_mgcp_expect(ExpectCriteria:{omit,omit,omit});

	BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_CC_SETUP(cpars.transaction_id, cpars.called_party)));
	MNCC.receive(tr_MNCC_SETUP_ind(?, tr_MNCC_number(hex2str(cpars.called_party)))) -> value mncc;
	cpars.mncc_callref := mncc.u.signal.callref;
	MNCC.send(ts_MNCC_CALL_PROC_req(cpars.mncc_callref, cpars.mncc_bearer_cap));
	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_CALL_PROC(cpars.transaction_id)));

	MGCP.receive(tr_CRCX) -> value mgcp_cmd;
	cpars.mgcp_call_id := f_MgcpCmd_extract_call_id(mgcp_cmd);
	cpars.mgcp_ep := mgcp_cmd.line.ep;
	/* never respond to this */

	/* When the connection with the MGW fails, the MSC will first request
	 * a release via call control. We will answer this request normally. */
	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_RELEASE(cpars.transaction_id)));
	BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_CC_REL_COMPL(cpars.transaction_id)));

	f_expect_clear(30.0);
}
testcase TC_mo_crcx_ran_timeout() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_mo_crcx_ran_timeout), 29);
	vc_conn.done;
}

/* Test MO Call with reject to RAN-side CRCX */
private function f_tc_mo_crcx_ran_reject(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
	var MNCC_PDU mncc;
	var MgcpCommand mgcp_cmd;

	f_perform_lu();

	f_establish_fully();
	f_create_mncc_expect(hex2str(cpars.called_party));
	f_create_mgcp_expect(ExpectCriteria:{omit,omit,omit});

	BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_CC_SETUP(cpars.transaction_id, cpars.called_party)));
	MNCC.receive(tr_MNCC_SETUP_ind(?, tr_MNCC_number(hex2str(cpars.called_party)))) -> value mncc;
	cpars.mncc_callref := mncc.u.signal.callref;
	MNCC.send(ts_MNCC_CALL_PROC_req(cpars.mncc_callref, cpars.mncc_bearer_cap));
	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_CALL_PROC(cpars.transaction_id)));

	MGCP.receive(tr_CRCX) -> value mgcp_cmd;

	/* Detect if the received CRCX is a wildcarded CRCX request. If yes,
	 * set an endpoint name that fits the pattern. If not, just use the
	 * endpoint name from the request */
	if (match(mgcp_cmd.line.ep, t_MGCP_EP_wildcard)) {
		cpars.mgcp_ep := "rtpbridge/1@mgw";
	} else {
		cpars.mgcp_ep := mgcp_cmd.line.ep;
	}

	cpars.mgcp_call_id := f_MgcpCmd_extract_call_id(mgcp_cmd);

	/* Respond to CRCX with error */
	var MgcpResponse mgcp_rsp := {
		line := {
			code := "542",
			trans_id := mgcp_cmd.line.trans_id,
			string := "FORCED_FAIL"
		},
		sdp := omit
	}
	var MgcpParameter mgcp_rsp_param := {
		code := "Z",
		val := cpars.mgcp_ep
	};
	mgcp_rsp.params[0] := mgcp_rsp_param;
	MGCP.send(mgcp_rsp);

	timer T := 30.0;
	T.start;
	alt {
	[] T.timeout {
		setverdict(fail, "Timeout waiting for channel release");
		mtc.stop;
		}
	[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_RELEASE(cpars.transaction_id))) {
		BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_CC_REL_COMPL(cpars.transaction_id)));
		repeat;
		}
	[] MNCC.receive { repeat; }
	[] GSUP.receive { repeat; }
	/* Note: As we did not respond properly to the CRCX from the MSC we
	 * expect the MSC to omit any further MGCP operation (At least in the
	 * the current implementation, there is no recovery mechanism implemented
	 * and a DLCX can not be performed as the MSC does not know a specific
	 * endpoint yet. */
	[] MGCP.receive {
		setverdict(fail, "Unexpected MGCP message");
		mtc.stop;
		}
	[] as_clear_cmd_compl_disc();
	}
}
testcase TC_mo_crcx_ran_reject() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_mo_crcx_ran_reject), 30);
	vc_conn.done;
}


/* helper function to start a MT call: MNCC SETUP; Paging; DChan est.; DTAP SETUP */
private function f_mt_call_start(inout CallParameters cpars) runs on BSC_ConnHdlr {
	var MNCC_PDU mncc;
	var MgcpCommand mgcp_cmd;
	var OCT4 tmsi;

	f_perform_lu();
	if (isvalue(g_pars.tmsi)) {
		tmsi := g_pars.tmsi;
	} else {
		tmsi := 'FFFFFFFF'O;
	}
	f_bssmap_register_imsi(g_pars.imsi, tmsi);

	/* Allocate call reference and send SETUP via MNCC to MSC */
	cpars.mncc_callref := f_rnd_int(2147483648);
	MNCC.send(ts_MNCC_SETUP_req(cpars.mncc_callref, hex2str(g_pars.msisdn),
				    hex2str(cpars.called_party), hex2str(g_pars.imsi)));

	/* MSC->BSC: expect PAGING from MSC */
	BSSAP.receive(tr_BSSMAP_Paging(g_pars.imsi));
	/* MS -> MSC: PAGING RESPONSE */
	f_establish_fully(EST_TYPE_PAG_RESP);

	f_create_mgcp_expect(ExpectCriteria:{omit,omit,omit});

	/* MSC->MS: SETUP */
	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_SETUP(cpars.transaction_id, *, cpars.called_party)));
}

/* Test MT Call */
private function f_tc_mt_crcx_ran_reject(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	var CallParameters cpars := valueof(t_CallParams('123456'H, 0));
	var MNCC_PDU mncc;
	var MgcpCommand mgcp_cmd;

	f_mt_call_start(cpars);

	/* MS->MSC: CALL CONFIRMED */
	BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_CC_CALL_CONF(cpars.transaction_id)));

	MNCC.receive(tr_MNCC_CALL_CONF_ind(cpars.mncc_callref));

	MGCP.receive(tr_CRCX) -> value mgcp_cmd;
	cpars.mgcp_call_id := f_MgcpCmd_extract_call_id(mgcp_cmd);

	/* Detect if the received CRCX is a wildcarded CRCX request. If yes,
	 * set an endpoint name that fits the pattern. If not, just use the
	 * endpoint name from the request */
	if (match(mgcp_cmd.line.ep, t_MGCP_EP_wildcard)) {
		cpars.mgcp_ep := "rtpbridge/1@mgw";
	} else {
		cpars.mgcp_ep := mgcp_cmd.line.ep;
	}

	/* Respond to CRCX with error */
	var MgcpResponse mgcp_rsp := {
		line := {
			code := "542",
			trans_id := mgcp_cmd.line.trans_id,
			string := "FORCED_FAIL"
		},
		sdp := omit
	}
	var MgcpParameter mgcp_rsp_param := {
		code := "Z",
		val := cpars.mgcp_ep
	};
	mgcp_rsp.params[0] := mgcp_rsp_param;
	MGCP.send(mgcp_rsp);

	timer T := 30.0;
	T.start;
	alt {
	[] T.timeout {
		setverdict(fail, "Timeout waiting for channel release");
		mtc.stop;
		}
	[] BSSAP.receive { repeat; }
	[] MNCC.receive { repeat; }
	[] GSUP.receive { repeat; }
	[] MGCP.receive(tr_DLCX(?)) -> value mgcp_cmd {
		MGCP.send(ts_DLCX_ACK2(mgcp_cmd.line.trans_id));
		f_create_mgcp_delete_ep(cpars.mgcp_ep);
		repeat;
		}
	[] MGCP.receive { repeat; }
	[] as_clear_cmd_compl_disc();
	}
}
testcase TC_mt_crcx_ran_reject() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_mt_crcx_ran_reject), 31);
	vc_conn.done;
}


/* Test MT Call T310 timer */
private function f_tc_mt_t310(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars, 200.0);
	var CallParameters cpars := valueof(t_CallParams('123456'H, 0));
	var MNCC_PDU mncc;
	var MgcpCommand mgcp_cmd;

	f_mt_call_start(cpars);

	/* MS->MSC: CALL CONFIRMED */
	BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_CC_CALL_CONF(cpars.transaction_id)));
	MNCC.receive(tr_MNCC_CALL_CONF_ind(cpars.mncc_callref));

	MGCP.receive(tr_CRCX) -> value mgcp_cmd;
	cpars.mgcp_call_id := f_MgcpCmd_extract_call_id(mgcp_cmd);
	cpars.mgcp_ep := mgcp_cmd.line.ep;
	/* FIXME: Respond to CRCX */

	/* old libosmocore T310 default timeout is 180s. so let's wait 190 */
	timer T := 190.0;
	T.start;
	alt {
	[] T.timeout {
		setverdict(fail, "Timeout waiting for T310");
		mtc.stop;
		}
	[] MNCC.receive(tr_MNCC_DISC_ind(cpars.mncc_callref)) {
		MNCC.send(ts_MNCC_REL_req(cpars.mncc_callref, valueof(ts_MNCC_cause(23))));
		}
	}
	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_DISC(cpars.transaction_id)));
	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_RELEASE(cpars.transaction_id)));
	/* FIXME: We're sending this with TIflag 0: allocated by sender, which is wrong */
	BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_CC_REL_COMPL(cpars.transaction_id)));

	alt {
	[] MGCP.receive(tr_DLCX(?)) -> value mgcp_cmd {
		MGCP.send(ts_DLCX_ACK2(mgcp_cmd.line.trans_id));
		f_create_mgcp_delete_ep(cpars.mgcp_ep);
		repeat;
		}
	[] as_clear_cmd_compl_disc();
	}
}
testcase TC_mt_t310() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_mt_t310), 32);
	vc_conn.done;
}

/* Perform successful LU + MO call, then GSUP LocationCancel. Subscriber must be denied CM SERV */
private function f_tc_gsup_cancel(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
	cpars.bss_rtp_port := 1110;
	cpars.mgcp_connection_id_bss := '22222'H;
	cpars.mgcp_connection_id_mss := '33333'H;
	cpars.mgcp_ep := "rtpbridge/1@mgw";

	/* Location Update to make subscriber known */
	f_perform_lu();

	/* First MO call should succeed */
	f_mo_call(cpars);

	/* Cancel the subscriber in the VLR */
	GSUP.send(ts_GSUP_CL_REQ(g_pars.imsi, OSMO_GSUP_CANCEL_TYPE_WITHDRAW));
	alt {
	[] GSUP.receive(tr_GSUP_CL_RES(g_pars.imsi)) { }
	[] GSUP.receive(tr_GSUP_CL_ERR(g_pars.imsi)) {
		setverdict(fail, "Received GSUP Location Cancel Error");
		mtc.stop;
		}
	}

	/* Follow-up transactions should fail */
	var MobileIdentityLV mi := valueof(ts_MI_IMSI_LV(g_pars.imsi));
	var PDU_ML3_MS_NW l3_info := valueof(ts_CM_SERV_REQ(CM_TYPE_MO_CALL, mi));
	f_bssap_compl_l3(l3_info);
	alt {
	[] BSSAP.receive(tr_PDU_DTAP_MT(tr_CM_SERV_REJ)) { }
	[] BSSAP.receive {
		setverdict(fail, "Received unexpected BSSAP instead of CM SERV REJ");
		mtc.stop;
		}
	}
	setverdict(pass);
}
testcase TC_gsup_cancel() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_gsup_cancel), 33);
	vc_conn.done;
}

/* A5/1 only permitted on network side, and MS capable to do it */
private function f_tc_lu_imsi_auth_tmsi_encr_1_13(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	pars.net.expect_auth := true;
	pars.net.expect_ciph := true;
	pars.net.kc_support := '02'O;	/* A5/1 only */
	f_init_handler(pars);
	f_perform_lu();
}
testcase TC_lu_imsi_auth_tmsi_encr_1_13() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "network", "authentication required");
	f_vty_config(MSCVTY, "network", "encryption a5 1");

	vc_conn := f_start_handler(refers(f_tc_lu_imsi_auth_tmsi_encr_1_13), 34);
	vc_conn.done;
}

/* A5/3 only permitted on network side, and MS capable to do it */
private function f_tc_lu_imsi_auth_tmsi_encr_3_13(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	pars.net.expect_auth := true;
	pars.net.expect_ciph := true;
	pars.net.kc_support := '08'O;	/* A5/3 only */
	f_init_handler(pars);
	f_perform_lu();
}
testcase TC_lu_imsi_auth_tmsi_encr_3_13() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "network", "authentication required");
	f_vty_config(MSCVTY, "network", "encryption a5 3");

	vc_conn := f_start_handler(refers(f_tc_lu_imsi_auth_tmsi_encr_3_13), 35);
	vc_conn.done;
}

/* A5/3 only permitted on network side, and MS with only A5/1 support */
private function f_tc_lu_imsi_auth_tmsi_encr_3_1(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	pars.net.expect_auth := true;
	pars.net.expect_ciph := true;
	pars.net.kc_support := '08'O;	/* A5/3 only */
	pars.cm2.classmarkInformationType2_oct5.a5_3 := '0'B;
	f_init_handler(pars, 15.0);

	/* cannot use f_perform_lu() as we expect a reject */
	var PDU_ML3_MS_NW l3_lu := f_build_lu_imsi(g_pars.imsi);
	f_create_gsup_expect(hex2str(g_pars.imsi));
	f_bssap_compl_l3(l3_lu);
	if (pars.send_early_cm) {
		BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3));
	} else {
		pars.cm1.esind := '0'B;
	}
	f_mm_auth();
	alt {
	[] BSSAP.receive(tr_BSSMAP_ClassmarkReq) {
		BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3));
		repeat;
		}
	[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej)) {
		f_expect_clear();
		}
	[] BSSAP.receive(tr_BSSMAP_CipherModeCmd(?,?)) {
		setverdict(fail, "CipherModeCommand despite no A5 intersection");
		mtc.stop;
		}
	[] BSSAP.receive {
		setverdict(fail, "Unknown/unexpected BSSAP received");
		mtc.stop;
		}
	}
	setverdict(pass);
}
testcase TC_lu_imsi_auth_tmsi_encr_3_1() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "network", "authentication required");
	f_vty_config(MSCVTY, "network", "encryption a5 3");

	vc_conn := f_start_handler(refers(f_tc_lu_imsi_auth_tmsi_encr_3_1), 360);
	vc_conn.done;
}
testcase TC_lu_imsi_auth_tmsi_encr_3_1_no_cm() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "network", "authentication required");
	f_vty_config(MSCVTY, "network", "encryption a5 3");

	pars := f_init_pars(361);
	pars.send_early_cm := false;
	vc_conn := f_start_handler_with_pars(refers(f_tc_lu_imsi_auth_tmsi_encr_3_1), pars);
	vc_conn.done;
}
testcase TC_lu_imsi_auth_tmsi_encr_3_1_log_msc_debug() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "network", "authentication required");
	f_vty_config(MSCVTY, "network", "encryption a5 3");

	/* Make sure the MSC category is on DEBUG level to trigger the log
	 * message that is reported in OS#2947 to trigger the segfault */
	f_vty_config(MSCVTY, "log stderr", "logging level msc debug");

	vc_conn := f_start_handler(refers(f_tc_lu_imsi_auth_tmsi_encr_3_1), 362);
	vc_conn.done;
}

/* A5/1 + A5/3 only permitted on network side, and MS with only A5/2 support */
private function f_tc_lu_imsi_auth_tmsi_encr_13_2(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	pars.net.expect_auth := true;
	pars.net.expect_ciph := true;
	pars.net.kc_support := '0A'O;	/* A5/1 + A5/3 */
	pars.cm1.a5_1 := '1'B;
	pars.cm2.a5_1 := '1'B;
	pars.cm2.classmarkInformationType2_oct5.a5_3 := '0'B;
	pars.cm2.classmarkInformationType2_oct5.a5_2 := '1'B;
	f_init_handler(pars, 15.0);

	/* cannot use f_perform_lu() as we expect a reject */
	var PDU_ML3_MS_NW l3_lu := f_build_lu_imsi(g_pars.imsi);
	f_create_gsup_expect(hex2str(g_pars.imsi));
	f_bssap_compl_l3(l3_lu);
	BSSAP.send(ts_BSSMAP_ClassmarkUpd(g_pars.cm2, g_pars.cm3));
	f_mm_auth();
	alt {
	[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej)) {
		f_expect_clear();
		}
	[] BSSAP.receive(tr_BSSMAP_CipherModeCmd(?,?)) {
		setverdict(fail, "CipherModeCommand despite no A5 intersection");
		mtc.stop;
		}
	[] BSSAP.receive {
		setverdict(fail, "Unknown/unexpected BSSAP received");
		mtc.stop;
		}
	}
	setverdict(pass);
}
testcase TC_lu_imsi_auth_tmsi_encr_13_2() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "network", "authentication required");
	f_vty_config(MSCVTY, "network", "encryption a5 1 3");

	vc_conn := f_start_handler(refers(f_tc_lu_imsi_auth_tmsi_encr_13_2), 37);
	vc_conn.done;
}

/* A5/0 + A5/1 + A5/3 only permitted on network side, and MS with only A5/2 support */
private function f_tc_lu_imsi_auth_tmsi_encr_013_2(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	pars.net.expect_auth := true;
	pars.net.expect_ciph := true;
	pars.net.kc_support := '0B'O;	/* A5/1 + A5/3 */
	pars.cm1.a5_1 := '1'B;
	pars.cm2.a5_1 := '1'B;
	pars.cm2.classmarkInformationType2_oct5.a5_3 := '0'B;
	pars.cm2.classmarkInformationType2_oct5.a5_2 := '1'B;
	f_init_handler(pars, 15.0);
	f_perform_lu();
}
testcase TC_lu_imsi_auth_tmsi_encr_013_2() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "network", "authentication required");
	f_vty_config(MSCVTY, "network", "encryption a5 0 1 3");

	vc_conn := f_start_handler(refers(f_tc_lu_imsi_auth_tmsi_encr_013_2), 38);
	vc_conn.done;
}

/* LU followed by MT call (including paging) */
private function f_tc_lu_and_mt_call(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
	cpars.bss_rtp_port := 1110;
	cpars.mgcp_connection_id_bss := '10004'H;
	cpars.mgcp_connection_id_mss := '10005'H;

	/* Note: This is an optional parameter. When the call-agent (MSC) does
	 * supply a full endpoint name this setting will be overwritten. */
	cpars.mgcp_ep := "rtpbridge/1@mgw";

	f_perform_lu();
	f_mt_call(cpars);
}
testcase TC_lu_and_mt_call() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_lu_and_mt_call), 39);
	vc_conn.done;
}

/* Test MO Call SETUP with DTMF */
private function f_tc_mo_setup_dtmf_dup(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
	cpars.bss_rtp_port := 1110;
	cpars.mgcp_connection_id_bss := '22222'H;
	cpars.mgcp_connection_id_mss := '33333'H;

	f_perform_lu();
	f_mo_seq_dtmf_dup(cpars);
}
testcase TC_mo_setup_and_dtmf_dup() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_mo_setup_dtmf_dup), 39);
	vc_conn.done;
}

testcase TC_cr_before_reset() runs on MTC_CT {
	timer T := 4.0;
	var boolean reset_ack_seen := false;
	f_init_bssap_direct();

	f_bssap_start(g_bssap[0]);

	f_sleep(3.0);

	/* Make a blind connection attemt, to trigger the deadlock condition */
	BSSAP_DIRECT.send(ts_BSSAP_CONNECT_req(g_bssap[0].sccp_addr_peer, g_bssap[0].sccp_addr_own, 1, omit));

	/* Send a BSSMAP reset */
	BSSAP_DIRECT.send(ts_BSSAP_UNITDATA_req(g_bssap[0].sccp_addr_peer, g_bssap[0].sccp_addr_own, ts_BSSMAP_Reset(0)));
	T.start
	alt {
	[] BSSAP_DIRECT.receive(tr_BSSAP_UNITDATA_ind(?, ?, tr_BSSMAP_ResetAck)) {
		reset_ack_seen := true;
		repeat;
	}

	/* Acknowledge MSC sided reset requests */
	[] BSSAP_DIRECT.receive(tr_BSSAP_UNITDATA_ind(?, ?, tr_BSSMAP_Reset)) {
		BSSAP_DIRECT.send(ts_BSSAP_UNITDATA_req(g_bssap[0].sccp_addr_peer, g_bssap[0].sccp_addr_own, ts_BSSMAP_ResetAck));
		repeat;
	}

	/* Ignore all other messages (e.g CR from the connection request) */
	[] BSSAP_DIRECT.receive { repeat }

	/* If we got no BSSMAP RESET ACK back, then the MSC entered the
	 * deadlock situation. The MSC is then unable to respond to any
	 * further BSSMAP RESET or any other sort of traffic. */
	[reset_ack_seen == true] T.timeout { setverdict(pass) }
	[reset_ack_seen == false] T.timeout {
		setverdict(fail, "no BSSMAP RESET ACK seen!");
		mtc.stop;
	}
	}	
}

/* Test MO Call with no response to RAN-side CRCX or DTAP Release */
private function f_tc_mo_release_timeout(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
	var MNCC_PDU mncc;
	var MgcpCommand mgcp_cmd;

	f_perform_lu();

	f_establish_fully();
	f_create_mncc_expect(hex2str(cpars.called_party));
	f_create_mgcp_expect(ExpectCriteria:{omit,omit,omit});

	BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_CC_SETUP(cpars.transaction_id, cpars.called_party)));
	MNCC.receive(tr_MNCC_SETUP_ind(?, tr_MNCC_number(hex2str(cpars.called_party)))) -> value mncc;
	cpars.mncc_callref := mncc.u.signal.callref;
	MNCC.send(ts_MNCC_CALL_PROC_req(cpars.mncc_callref, cpars.mncc_bearer_cap));
	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_CALL_PROC(cpars.transaction_id)));

	/* Drop CRCX */
	MGCP.receive(tr_CRCX) -> value mgcp_cmd;

	/* Drop DTAP Release */
	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_RELEASE(cpars.transaction_id)));

	/* Drop resent DTAP Release */
	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_RELEASE(cpars.transaction_id)));

	f_expect_clear(60.0);
}
testcase TC_mo_release_timeout() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_mo_release_timeout), 40);
	vc_conn.done;
}


/* LU followed by MT call (including paging) */
private function f_tc_lu_and_mt_call_no_dlcx_resp(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
	cpars.bss_rtp_port := 1110;
	cpars.mgcp_connection_id_bss := '10004'H;
	cpars.mgcp_connection_id_mss := '10005'H;

	/* Note: This is an optional parameter. When the call-agent (MSC) does
	 * supply a full endpoint name this setting will be overwritten. */
	cpars.mgcp_ep := "rtpbridge/1@mgw";

	/* Intentionally disable the CRCX response */
	cpars.mgw_drop_dlcx := true;

	/* Perform location update and call */
	f_perform_lu();
	f_mt_call(cpars);
}
testcase TC_lu_and_mt_call_no_dlcx_resp() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	/* Perform an almost normal looking locationupdate + mt-call, but do
	 * not respond to the DLCX at the end of the call */
	vc_conn := f_start_handler(refers(f_tc_lu_and_mt_call_no_dlcx_resp), 41);
	vc_conn.done;

	/* Wait a guard period until the MGCP layer in the MSC times out,
	 * if the MSC is vulnerable to the use-after-free situation that is
	 * fixed by I78f1b6a9149488a4ad3f120c1e190a83c07d4b89 then it should
	 * segfault now */
	f_sleep(6.0);

	/* Run the init procedures once more. If the MSC has crashed, this
	 * this will fail */
	f_init();
}

/* Two BSSMAP resets from two different BSCs */
testcase TC_reset_two() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init(2);
	f_sleep(2.0);
	setverdict(pass);
}

/***********************************************************************
 * SMS Testing
 ***********************************************************************/

/* LU followed by MO SMS */
private function f_tc_lu_and_mo_sms(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	var SmsParameters spars := valueof(t_SmsPars);

	f_init_handler(pars);

	/* Perform location update and call */
	f_perform_lu();

	f_establish_fully(EST_TYPE_MO_SMS);

	//spars.exp_rp_err := 96; /* invalid mandatory information */
	f_mo_sms(spars);

	f_expect_clear();
}
testcase TC_lu_and_mo_sms() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	vc_conn := f_start_handler(refers(f_tc_lu_and_mo_sms), 42);
	vc_conn.done;
}

private function f_vty_sms_send(charstring imsi, charstring msisdn, charstring text)
runs on MTC_CT {
	f_vty_transceive(MSCVTY, "subscriber imsi "&imsi&" sms sender msisdn "&msisdn&" send "&text);
}

/* LU followed by MT SMS */
private function f_tc_lu_and_mt_sms(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	var SmsParameters spars := valueof(t_SmsPars);
	var OCT4 tmsi;

	f_init_handler(pars);

	/* Perform location update and call */
	f_perform_lu();

	/* register an 'expect' for given IMSI (+TMSI) */
	if (isvalue(g_pars.tmsi)) {
		tmsi := g_pars.tmsi;
	} else {
		tmsi := 'FFFFFFFF'O;
	}
	f_bssmap_register_imsi(g_pars.imsi, tmsi);

	/* FIXME: actually cause MSC to send a SMS via VTY or SMPP */

	/* MSC->BSC: expect PAGING from MSC */
	BSSAP.receive(tr_BSSMAP_Paging(g_pars.imsi));
	/* Establish DTAP / BSSAP / SCCP connection */
	f_establish_fully(EST_TYPE_PAG_RESP);

	spars.tp.ud := 'C8329BFD064D9B53'O;
	f_mt_sms(spars);

	f_expect_clear();
}
testcase TC_lu_and_mt_sms() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init();
	pars := f_init_pars(43);
	vc_conn := f_start_handler_with_pars(refers(f_tc_lu_and_mt_sms), pars);
	f_sleep(2.0);
	f_vty_sms_send(hex2str(pars.imsi), "2342", "Hello SMS");
	vc_conn.done;
}

/* Paging for MT SMS but no response */
private function f_tc_lu_and_mt_sms_paging_and_nothing(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	var SmsParameters spars := valueof(t_SmsPars);
	var OCT4 tmsi;
	var integer page_count := 0;
	f_init_handler(pars, 150.0);

	/* Perform location update */
	f_perform_lu();

	/* register an 'expect' for given IMSI (+TMSI) */
	if (isvalue(g_pars.tmsi)) {
		tmsi := g_pars.tmsi;
	} else {
		tmsi := 'FFFFFFFF'O;
	}
	f_bssmap_register_imsi(g_pars.imsi, tmsi);

	/* Expect the MSC to page exactly 10 times before giving up */
	alt {
		[] BSSAP.receive(tr_BSSMAP_Paging(g_pars.imsi))
		{
			page_count := page_count + 1;

			if (page_count < 10) {
				repeat;
			}
		}
		[] BSSAP.receive {
			setverdict(fail, "unexpected BSSAP message received");
			self.stop;
		}
	}

	/* Wait some time to make sure the MSC is not delivering any further
	 * paging messages or anything else that could be unexpected. */
	timer T := 20.0;
	T.start
	alt {
		[] BSSAP.receive(tr_BSSMAP_Paging(g_pars.imsi))
		{
			setverdict(fail, "paging seems not to stop!");
			mtc.stop;
		}
		[] BSSAP.receive {
			setverdict(fail, "unexpected BSSAP message received");
			self.stop;
		}
		[] T.timeout {
			setverdict(pass);
		}
	}

	setverdict(pass);
}
testcase TC_lu_and_mt_sms_paging_and_nothing() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init();
	pars := f_init_pars(1843);
	vc_conn := f_start_handler_with_pars(refers(f_tc_lu_and_mt_sms_paging_and_nothing), pars);
	f_sleep(2.0);
	f_vty_sms_send(hex2str(pars.imsi), "2342", "Hello SMS");
	vc_conn.done;
}

/* mobile originated SMS from MS/BTS/BSC side to SMPP */
private function f_tc_smpp_mo_sms(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	var SmsParameters spars := valueof(t_SmsPars);

	f_init_handler(pars);

	/* Perform location update so IMSI is known + registered in MSC/VLR */
	f_perform_lu();
	f_establish_fully(EST_TYPE_MO_SMS);

	f_mo_sms(spars);

	var SMPP_PDU smpp;
	var template SMPP_PDU tr_smpp := tr_SMPP(c_SMPP_command_id_deliver_sm, ESME_ROK);
	tr_smpp.body.deliver_sm := {
		service_type := "CMT",
		source_addr_ton := network_specific,
		source_addr_npi := isdn,
		source_addr := hex2str(pars.msisdn),
		dest_addr_ton := f_sm_ton_from_gsm(spars.tp.da.tP_DA_NoPad.tP_TypeOfNumber),
		dest_addr_npi := f_sm_npi_from_gsm(spars.tp.da.tP_DA_NoPad.tP_NumberingPlanID),
		destination_addr := hex2str(spars.tp.da.tP_DA_NoPad.tP_DAValue),
		esm_class := '00000001'B,
		protocol_id := 0,
		priority_flag := 0,
		schedule_delivery_time := "",
		replace_if_present := 0,
		data_coding := '00000001'B,
		sm_default_msg_id := 0,
		sm_length := ?,
		short_message := spars.tp.ud,
		opt_pars := {
			{
				tag := user_message_reference,
				len := 2,
				opt_value := {
					int2_val := oct2int(spars.tp.msg_ref)
				}
			}
		}
	};
	alt {
	[] SMPP.receive(tr_smpp) -> value smpp {
		SMPP.send(ts_SMPP_DELIVER_SM_resp(ESME_ROK, smpp.header.seq_num));
		}
	[] SMPP.receive(tr_SMPP(c_SMPP_command_id_alert_notification, ESME_ROK)) { repeat; }
	}

	f_expect_clear();
}
testcase TC_smpp_mo_sms() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config2(MSCVTY, { "smpp", "esme msc_tester"}, "default-route");
	vc_conn := f_start_handler(refers(f_tc_smpp_mo_sms), 44);
	vc_conn.done;
	f_vty_config2(MSCVTY, { "smpp", "esme msc_tester"}, "no default-route");
}

/* Test MO-SMS from MS/BTS/BSC towards HLR (via GSUP) */
private function f_tc_gsup_mo_sms(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	var SmsParameters spars := valueof(t_SmsPars);
	var GSUP_PDU gsup_msg_rx;
	var octetstring sm_tpdu;

	f_init_handler(pars);

	/* We need to inspect GSUP activity */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Perform location update */
	f_perform_lu();

	/* Send CM Service Request for SMS */
	f_establish_fully(EST_TYPE_MO_SMS);

	/* Prepare expected SM-RP-UI (SM TPDU) */
	enc_TPDU_RP_DATA_MS_SGSN_fast(
		valueof(ts_SMS_SUBMIT(spars.tp.msg_ref,
			spars.tp.da, spars.tp.pid, spars.tp.dcs,
			spars.tp.udl, spars.tp.ud)),
		sm_tpdu);

	var template GSUP_PDU mo_forwardSM := tr_GSUP_MO_FORWARD_SM_REQ(
		imsi := g_pars.imsi,
		sm_rp_mr := spars.rp.msg_ref,
		/* FIXME: extract SM-RP-DA from spars.rp.dest */
		sm_rp_da := tr_GSUP_SM_RP_DA_SMSC_ADDR(?),
		/* FIXME: MSISDN coding troubles */
		sm_rp_oa := tr_GSUP_SM_RP_OA_MSISDN(?),
		/* TODO: can we use decmatch here? */
		sm_rp_ui := sm_tpdu
	);

	/* Submit an SMS on DTAP and expect MO-forwardSM-Req on GSUP */
	f_mo_sms_submit(spars);
	alt {
	[] GSUP.receive(mo_forwardSM) -> value gsup_msg_rx {
		log("RX MO-forwardSM-Req");
		log(gsup_msg_rx);
		setverdict(pass);
		}
	[] GSUP.receive {
		log("RX unexpected GSUP message");
		setverdict(fail);
		mtc.stop;
		}
	}

	/* Trigger RP-ACK by sending MO-forwardSM-Res */
	GSUP.send(valueof(ts_GSUP_MO_FORWARD_SM_RES(
		imsi := g_pars.imsi,
		sm_rp_mr := spars.rp.msg_ref)));
	/* Expect RP-ACK on DTAP */
	f_mo_sms_wait_rp_ack(spars);

	f_expect_clear();
}
testcase TC_gsup_mo_sms() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "msc", "sms-over-gsup");
	vc_conn := f_start_handler(refers(f_tc_gsup_mo_sms), 88);
	vc_conn.done;
	f_vty_config(MSCVTY, "msc", "no sms-over-gsup");
}

/* Test MO-SMMA from MS/BTS/BSC towards HLR (via GSUP) */
private function f_tc_gsup_mo_smma(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	var SmsParameters spars := valueof(t_SmsPars);
	var GSUP_PDU gsup_msg_rx;

	f_init_handler(pars);

	/* We need to inspect GSUP activity */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Perform location update */
	f_perform_lu();

	/* Send CM Service Request for SMS */
	f_establish_fully(EST_TYPE_MO_SMS);

	var template GSUP_PDU mo_ReadyForSM := tr_GSUP_MO_READY_FOR_SM_REQ(
		imsi := g_pars.imsi,
		sm_rp_mr := spars.rp.msg_ref,
		sm_alert_rsn := GSUP_SM_ALERT_RSN_TYPE_MEM_AVAIL
	);

	/* Submit an SMS on DTAP and expect MO-forwardSM-Req on GSUP */
	f_mo_smma(spars);
	alt {
	[] GSUP.receive(mo_ReadyForSM) -> value gsup_msg_rx {
		log("RX MO-ReadyForSM-Req");
		log(gsup_msg_rx);
		setverdict(pass);
		}
	[] GSUP.receive {
		log("RX unexpected GSUP message");
		setverdict(fail);
		mtc.stop;
		}
	}

	/* Trigger RP-ACK by sending MO-forwardSM-Res */
	GSUP.send(valueof(ts_GSUP_MO_READY_FOR_SM_RES(
		imsi := g_pars.imsi,
		sm_rp_mr := spars.rp.msg_ref)));
	/* Expect RP-ACK on DTAP */
	f_mo_sms_wait_rp_ack(spars);

	f_expect_clear();
}
testcase TC_gsup_mo_smma() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "msc", "sms-over-gsup");
	vc_conn := f_start_handler(refers(f_tc_gsup_mo_smma), 89);
	vc_conn.done;
	f_vty_config(MSCVTY, "msc", "no sms-over-gsup");
}

/* Helper for sending MT SMS over GSUP */
private function f_gsup_forwardSM_req(SmsParameters spars, OCT1 mms := '00'O)
runs on BSC_ConnHdlr {
	GSUP.send(ts_GSUP_MT_FORWARD_SM_REQ(
		imsi := g_pars.imsi,
		/* NOTE: MSC should assign RP-MR itself */
		sm_rp_mr := 'FF'O,
		/* FIXME: extract SM-RP-DA from spars.rp.dest */
		/* TODO: fix encoding of ts_GSUP_SM_RP_DA_IMSI */
		sm_rp_da := valueof(ts_GSUP_SM_RP_DA_MSISDN(g_pars.msisdn)),
		sm_rp_oa := valueof(ts_GSUP_SM_RP_OA_SMSC_ADDR(g_pars.msisdn)),
		/* Encoded SMS TPDU (taken from Wireshark)
		 * FIXME: we should encode spars somehow */
		sm_rp_ui := '00068021436500008111328130858200'O,
		sm_rp_mms := mms
	));
}

/* Test successful MT-SMS (RP-ACK) over GSUP */
private function f_tc_gsup_mt_sms_ack(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	var SmsParameters spars := valueof(t_SmsPars);

	f_init_handler(pars);

	/* We need to inspect GSUP activity */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Perform location update */
	f_perform_lu();

	/* Register an 'expect' for given IMSI (+TMSI) */
	if (isvalue(g_pars.tmsi)) {
		f_bssmap_register_imsi(g_pars.imsi, g_pars.tmsi);
	} else {
		f_bssmap_register_imsi(g_pars.imsi, 'FFFFFFFF'O);
	}

	var template GSUP_PDU mt_forwardSM_res := tr_GSUP_MT_FORWARD_SM_RES(
		imsi := g_pars.imsi,
		/* NOTE: MSC should assign RP-MR itself */
		sm_rp_mr := ?
	);

	/* Submit a MT SMS on GSUP */
	f_gsup_forwardSM_req(spars);

	/* Expect Paging Request and Establish DTAP / BSSAP / SCCP connection */
	BSSAP.receive(tr_BSSMAP_Paging(g_pars.imsi));
	f_establish_fully(EST_TYPE_PAG_RESP);

	/* Wait for MT SMS on DTAP */
	f_mt_sms_expect(spars);

	/* Send RP-ACK and expect MT-forwardSM-Res on GSUP */
	f_mt_sms_send_rp_ack(spars);
	alt {
	[] GSUP.receive(mt_forwardSM_res) {
		log("RX MT-forwardSM-Res (RP-ACK)");
		setverdict(pass);
		}
	[] GSUP.receive {
		log("RX unexpected GSUP message");
		setverdict(fail);
		mtc.stop;
		}
	}

	f_expect_clear();
}
testcase TC_gsup_mt_sms_ack() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init();
	pars := f_init_pars(90);
	f_vty_config(MSCVTY, "msc", "sms-over-gsup");
	vc_conn := f_start_handler_with_pars(refers(f_tc_gsup_mt_sms_ack), pars);
	vc_conn.done;
	f_vty_config(MSCVTY, "msc", "no sms-over-gsup");
}

/* Test rejected MT-SMS (RP-ERROR) over GSUP */
private function f_tc_gsup_mt_sms_err(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	var SmsParameters spars := valueof(t_SmsPars);
	var OCT1 sm_rp_cause := '78'O; /* dummy RP-Cause value */

	f_init_handler(pars);

	/* We need to inspect GSUP activity */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Perform location update */
	f_perform_lu();

	/* Register an 'expect' for given IMSI (+TMSI) */
	if (isvalue(g_pars.tmsi)) {
		f_bssmap_register_imsi(g_pars.imsi, g_pars.tmsi);
	} else {
		f_bssmap_register_imsi(g_pars.imsi, 'FFFFFFFF'O);
	}

	var template GSUP_PDU mt_forwardSM_err := tr_GSUP_MT_FORWARD_SM_ERR(
		imsi := g_pars.imsi,
		/* NOTE: MSC should assign RP-MR itself */
		sm_rp_mr := ?,
		sm_rp_cause := sm_rp_cause
	);

	/* Submit a MT SMS on GSUP */
	f_gsup_forwardSM_req(spars);

	/* Expect Paging Request and Establish DTAP / BSSAP / SCCP connection */
	BSSAP.receive(tr_BSSMAP_Paging(g_pars.imsi));
	f_establish_fully(EST_TYPE_PAG_RESP);

	/* Wait for MT SMS on DTAP */
	f_mt_sms_expect(spars);

	/* Send RP-ERROR and expect MT-forwardSM-Err on GSUP */
	f_mt_sms_send_rp_error(spars, oct2int(sm_rp_cause));
	alt {
	[] GSUP.receive(mt_forwardSM_err) {
		log("RX MT-forwardSM-Err (RP-ERROR)");
		setverdict(pass);
		mtc.stop;
		}
	[] GSUP.receive {
		log("RX unexpected GSUP message");
		setverdict(fail);
		mtc.stop;
		}
	}

	f_expect_clear();
}
testcase TC_gsup_mt_sms_err() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init();
	pars := f_init_pars(91);
	f_vty_config(MSCVTY, "msc", "sms-over-gsup");
	vc_conn := f_start_handler_with_pars(refers(f_tc_gsup_mt_sms_err), pars);
	vc_conn.done;
	f_vty_config(MSCVTY, "msc", "no sms-over-gsup");
}

/* Test SM-RP-MR assignment for MT-SMS over GSUP */
private function f_tc_gsup_mt_sms_rp_mr(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	var SmsParameters spars1 := valueof(t_SmsPars); /* 1st SMS */
	var SmsParameters spars2 := valueof(t_SmsPars); /* 2nd SMS */

	f_init_handler(pars);

	/* We need to inspect GSUP activity */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Perform location update */
	f_perform_lu();

	/* Register an 'expect' for given IMSI (+TMSI) */
	if (isvalue(g_pars.tmsi)) {
		f_bssmap_register_imsi(g_pars.imsi, g_pars.tmsi);
	} else {
		f_bssmap_register_imsi(g_pars.imsi, 'FFFFFFFF'O);
	}

	/* Submit the 1st MT SMS on GSUP */
	log("TX MT-forwardSM-Req for the 1st SMS");
	f_gsup_forwardSM_req(spars1);

	/* Expect Paging Request and Establish DTAP / BSSAP / SCCP connection */
	BSSAP.receive(tr_BSSMAP_Paging(g_pars.imsi));
	f_establish_fully(EST_TYPE_PAG_RESP);

	/* Wait for 1st MT SMS on DTAP */
	f_mt_sms_expect(spars1);
	log("RX the 1st SMS on DTAP, DTAP TID is ", spars1.tid,
		", SM-RP-MR is ", spars1.rp.msg_ref);

	/* Submit the 2nd MT SMS on GSUP */
	log("TX MT-forwardSM-Req for the 2nd SMS");
	f_gsup_forwardSM_req(spars2);

	/* Wait for 2nd MT SMS on DTAP */
	f_mt_sms_expect(spars2);
	log("RX the 2nd SMS on DTAP, DTAP TID is ", spars2.tid,
		", SM-RP-MR is ", spars2.rp.msg_ref);

	/* Both transaction IDs shall be different */
	if (spars1.tid == spars2.tid) {
		log("Both DTAP transaction IDs shall be different");
		setverdict(fail);
	}

	/* Both SM-RP-MR values shall be different */
	if (spars1.rp.msg_ref == spars2.rp.msg_ref) {
		log("Both SM-RP-MR values shall be different");
		setverdict(fail);
	}

	/* Both SM-RP-MR values shall be assigned */
	if (spars1.rp.msg_ref == 'FF'O) {
		log("Unassigned SM-RP-MR value for the 1st SMS");
		setverdict(fail);
	}
	if (spars2.rp.msg_ref == 'FF'O) {
		log("Unassigned SM-RP-MR value for the 2nd SMS");
		setverdict(fail);
	}

	/* Send the 1st RP-ACK and expect MT-forwardSM-Res on GSUP */
	f_mt_sms_send_rp_ack(spars1);
	alt {
	[] GSUP.receive(tr_GSUP_MT_FORWARD_SM_RES(
		imsi := g_pars.imsi,
		sm_rp_mr := spars1.rp.msg_ref
	)) {
		log("RX MT-forwardSM-Res (RP-ACK)");
		setverdict(pass);
		}
	[] GSUP.receive {
		log("RX unexpected GSUP message");
		setverdict(fail);
		mtc.stop;
		}
	}

	/* Send the 2nd RP-ACK and expect MT-forwardSM-Res on GSUP */
	f_mt_sms_send_rp_ack(spars2);
	alt {
	[] GSUP.receive(tr_GSUP_MT_FORWARD_SM_RES(
		imsi := g_pars.imsi,
		sm_rp_mr := spars2.rp.msg_ref
	)) {
		log("RX MT-forwardSM-Res (RP-ACK)");
		setverdict(pass);
		}
	[] GSUP.receive {
		log("RX unexpected GSUP message");
		setverdict(fail);
		mtc.stop;
		}
	}

	f_expect_clear();
}
testcase TC_gsup_mt_sms_rp_mr() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init();
	pars := f_init_pars(92);
	f_vty_config(MSCVTY, "msc", "sms-over-gsup");
	vc_conn := f_start_handler_with_pars(refers(f_tc_gsup_mt_sms_rp_mr), pars);
	vc_conn.done;
	f_vty_config(MSCVTY, "msc", "no sms-over-gsup");
}

/* Test SM-RP-MR assignment for MT-SMS over GSUP */
private function f_tc_gsup_mo_mt_sms_rp_mr(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	var SmsParameters spars_mo := valueof(t_SmsPars); /* MO SMMA */
	var SmsParameters spars_mt := valueof(t_SmsPars); /* MT SMS */

	f_init_handler(pars);

	/* We need to inspect GSUP activity */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Perform location update */
	f_perform_lu();

	/* Register an 'expect' for given IMSI (+TMSI) */
	if (isvalue(g_pars.tmsi)) {
		f_bssmap_register_imsi(g_pars.imsi, g_pars.tmsi);
	} else {
		f_bssmap_register_imsi(g_pars.imsi, 'FFFFFFFF'O);
	}

	/* Send CM Service Request for MO SMMA */
	f_establish_fully(EST_TYPE_MO_SMS);

	/* Submit MO SMMA on DTAP */
	log("Submit MO SMMA on DTAP, SM-RP-MR is '00'O");
	spars_mo.rp.msg_ref := '00'O;
	f_mo_smma(spars_mo);

	/* Expect MO-forwardSM-Req for MO SMMA on GSUP */
	alt {
	[] GSUP.receive(tr_GSUP_MO_READY_FOR_SM_REQ(
		imsi := g_pars.imsi,
		sm_rp_mr := spars_mo.rp.msg_ref,
		sm_alert_rsn := GSUP_SM_ALERT_RSN_TYPE_MEM_AVAIL
	)) {
		log("RX MO-ReadyForSM-Req, SM-RP-MR is '00'O");
		setverdict(pass);
		}
	[] GSUP.receive {
		log("RX unexpected GSUP message");
		setverdict(fail);
		mtc.stop;
		}
	}

	/* Submit MT SMS on GSUP */
	log("TX MT-forwardSM-Req for the MT SMS");
	f_gsup_forwardSM_req(spars_mt);

	/* Wait for MT SMS on DTAP */
	f_mt_sms_expect(spars_mt);
	log("RX MT SMS on DTAP, DTAP TID is ", spars_mt.tid,
		", SM-RP-MR is ", spars_mt.rp.msg_ref);

	/* Both SM-RP-MR values shall be different */
	if (spars_mo.rp.msg_ref == spars_mt.rp.msg_ref) {
		log("Both SM-RP-MR values shall be different");
		setverdict(fail);
	}

	/* SM-RP-MR value for MT SMS shall be assigned */
	if (spars_mt.rp.msg_ref == 'FF'O) {
		log("Unassigned SM-RP-MR value for the MT SMS");
		setverdict(fail);
	}

	/* Trigger RP-ACK for MO SMMA by sending MO-forwardSM-Res */
	GSUP.send(valueof(ts_GSUP_MO_READY_FOR_SM_RES(
		imsi := g_pars.imsi,
		sm_rp_mr := spars_mo.rp.msg_ref)));
	/* Expect RP-ACK for MO SMMA on DTAP */
	f_mo_sms_wait_rp_ack(spars_mo);

	/* Send RP-ACK for MT SMS and expect MT-forwardSM-Res on GSUP */
	f_mt_sms_send_rp_ack(spars_mt);
	alt {
	[] GSUP.receive(tr_GSUP_MT_FORWARD_SM_RES(
		imsi := g_pars.imsi,
		sm_rp_mr := spars_mt.rp.msg_ref
	)) {
		log("RX MT-forwardSM-Res (RP-ACK)");
		setverdict(pass);
		}
	[] GSUP.receive {
		log("RX unexpected GSUP message");
		setverdict(fail);
		mtc.stop;
		}
	}

	f_expect_clear();
}
testcase TC_gsup_mo_mt_sms_rp_mr() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init();
	pars := f_init_pars(93);
	f_vty_config(MSCVTY, "msc", "sms-over-gsup");
	vc_conn := f_start_handler_with_pars(refers(f_tc_gsup_mo_mt_sms_rp_mr), pars);
	vc_conn.done;
	f_vty_config(MSCVTY, "msc", "no sms-over-gsup");
}

/* Test multi-part MT-SMS over GSUP */
private function f_tc_gsup_mt_multi_part_sms(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	var SmsParameters spars := valueof(t_SmsPars);

	f_init_handler(pars);

	/* We need to inspect GSUP activity */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Perform location update */
	f_perform_lu();

	/* Register an 'expect' for given IMSI (+TMSI) */
	if (isvalue(g_pars.tmsi)) {
		f_bssmap_register_imsi(g_pars.imsi, g_pars.tmsi);
	} else {
		f_bssmap_register_imsi(g_pars.imsi, 'FFFFFFFF'O);
	}

	var template GSUP_PDU mt_forwardSM_res := tr_GSUP_MT_FORWARD_SM_RES(
		imsi := g_pars.imsi,
		/* NOTE: MSC should assign RP-MR itself */
		sm_rp_mr := ?
	);

	/* Send 4 messages (NOTE: SM-RP-UI remains unchanged) */
	for (var integer i := 3; i >= 0; i := i-1) {
		/* Submit a MT SMS on GSUP (MMS is decremented) */
		f_gsup_forwardSM_req(spars, int2oct(i, 1));

		/* Expect Paging Request and Establish connection */
		if (i == 3) { /* ... only once! */
			BSSAP.receive(tr_BSSMAP_Paging(g_pars.imsi));
			f_establish_fully(EST_TYPE_PAG_RESP);
		}

		/* Wait for MT SMS on DTAP */
		f_mt_sms_expect(spars);

		/* Send RP-ACK and expect MT-forwardSM-Res on GSUP */
		f_mt_sms_send_rp_ack(spars);
		alt {
		[] GSUP.receive(mt_forwardSM_res) {
			log("RX MT-forwardSM-Res (RP-ACK)");
			setverdict(pass);
			}
		[] GSUP.receive {
			log("RX unexpected GSUP message");
			setverdict(fail);
			mtc.stop;
			}
		}

		/* Keep some 'distance' between transmissions */
		f_sleep(1.5);
	}

	f_expect_clear();
}
testcase TC_gsup_mt_multi_part_sms() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init();
	pars := f_init_pars(91);
	f_vty_config(MSCVTY, "msc", "sms-over-gsup");
	vc_conn := f_start_handler_with_pars(refers(f_tc_gsup_mt_multi_part_sms), pars);
	vc_conn.done;
	f_vty_config(MSCVTY, "msc", "no sms-over-gsup");
}

/* convert GSM L3 TON to SMPP_TON enum */
function f_sm_ton_from_gsm(BIT3 ton) return SMPP_TON {
	select (ton) {
	case ('000'B) { return unknown; }
	case ('001'B) { return international; }
	case ('010'B) { return national; }
	case ('011'B) { return network_specific; }
	case ('100'B) { return subscriber_number; }
	case ('101'B) { return alphanumeric; }
	case ('110'B) { return abbreviated; }
	}
	setverdict(fail, "Unknown TON ", ton);
	mtc.stop;
}
/* convert GSM L3 NPI to SMPP_NPI enum */
function f_sm_npi_from_gsm(BIT4 npi) return SMPP_NPI {
	select (npi) {
	case ('0000'B) { return unknown; }
	case ('0001'B) { return isdn; }
	case ('0011'B) { return data; }
	case ('0100'B) { return telex; }
	case ('0110'B) { return land_mobile; }
	case ('1000'B) { return national; }
	case ('1001'B) { return private_; }
	case ('1010'B) { return ermes; }
	}
	setverdict(fail, "Unknown NPI ", npi);
	mtc.stop;
}

/* build a SMPP_SM from SmsParameters */
function f_mt_sm_from_spars(SmsParameters spars)
runs on BSC_ConnHdlr return SMPP_SM {
	var SMPP_SM sm := {
		service_type := "CMT",
		source_addr_ton := f_sm_ton_from_gsm(spars.tp.da.tP_DA_NoPad.tP_TypeOfNumber),
		source_addr_npi := f_sm_npi_from_gsm(spars.tp.da.tP_DA_NoPad.tP_NumberingPlanID),
		source_addr := hex2str(spars.tp.da.tP_DA_NoPad.tP_DAValue),
		dest_addr_ton := international,
		dest_addr_npi := isdn,
		destination_addr := hex2str(g_pars.msisdn),
		esm_class := '00000001'B,
		protocol_id := 0,
		priority_flag := 0,
		schedule_delivery_time := "",
		validity_period := "",
		registered_delivery := '00000000'B,
		replace_if_present := 0,
		data_coding := '00000001'B,
		sm_default_msg_id := 0,
		sm_length := spars.tp.udl,
		short_message := spars.tp.ud,
		opt_pars := {}
	};
	return sm;
}

/* helper function to encode SMS from 'spars', send it via SMPP to MSC; receive it on MS side */
private function f_smpp_mt_sms(SmsParameters spars, boolean trans_mode) runs on BSC_ConnHdlr {
	var SMPP_SM sm := f_mt_sm_from_spars(spars);
	if (trans_mode) {
		sm.esm_class := '00000010'B;
	}

	/* actually cause MSC to send a SMS via SUBMIT-SM from SMPP side */
	SMPP.send(ts_SMPP_SUBMIT_SM(sm));
	if (not match(sm.esm_class, tr_ESM_CLASS_TRANSACTION)) {
		/* if we're not in SMPP transaction mode, we expect the SMPP-level ACK
		 * before we expect the SMS delivery on the BSC/radio side */
		SMPP.receive(tr_SMPP(c_SMPP_command_id_submit_sm_resp, ESME_ROK));
	}

	/* MSC->BSC: expect PAGING from MSC */
	BSSAP.receive(tr_BSSMAP_Paging(g_pars.imsi));
	/* Establish DTAP / BSSAP / SCCP connection */
	f_establish_fully(EST_TYPE_PAG_RESP);
	SMPP.receive(tr_SMPP(c_SMPP_command_id_alert_notification, ESME_ROK));

	f_mt_sms(spars);

	if (match(sm.esm_class, tr_ESM_CLASS_TRANSACTION)) {
		SMPP.receive(tr_SMPP(c_SMPP_command_id_submit_sm_resp, ESME_ROK));
	}
	f_expect_clear();
}

/* mobile terminated SMS, from SMPP to BSC/BTS/MS */
private function f_tc_smpp_mt_sms(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* Perform location update so IMSI is known + registered in MSC/VLR */
	f_perform_lu();
	SMPP.receive(tr_SMPP(c_SMPP_command_id_alert_notification, ESME_ROK));

	/* register an 'expect' for given IMSI (+TMSI) */
	var OCT4 tmsi;
	if (isvalue(g_pars.tmsi)) {
		tmsi := g_pars.tmsi;
	} else {
		tmsi := 'FFFFFFFF'O;
	}
	f_bssmap_register_imsi(g_pars.imsi, tmsi);

	var SmsParameters spars := valueof(t_SmsPars);
	/* TODO: test with more intelligent user data; test different coding schemes */
	spars.tp.ud := '00'O;
	spars.tp.udl := 1;

	/* first test the non-transaction store+forward mode */
	f_smpp_mt_sms(spars, false);

	/* then test the transaction mode */
	f_smpp_mt_sms(spars, true);
}
testcase TC_smpp_mt_sms() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	vc_conn := f_start_handler(refers(f_tc_smpp_mt_sms), 45);
	vc_conn.done;
}

/***********************************************************************
 * USSD Testing
 ***********************************************************************/

private altstep as_unexp_gsup_or_bssap_msg()
runs on BSC_ConnHdlr {
	[] GSUP.receive {
		setverdict(fail, "Unknown/unexpected GSUP received");
		self.stop;
		}
	[] BSSAP.receive {
		setverdict(fail, "Unknown/unexpected BSSAP message received");
		self.stop;
		}
}

private function f_expect_gsup_msg(template GSUP_PDU msg)
runs on BSC_ConnHdlr return GSUP_PDU {
	var GSUP_PDU gsup_msg_complete;

	alt {
	[] GSUP.receive(msg) -> value gsup_msg_complete {
		setverdict(pass);
		}
	/* We don't expect anything else */
	[] as_unexp_gsup_or_bssap_msg();
	}

	return gsup_msg_complete;
}

private function f_expect_mt_dtap_msg(template PDU_ML3_NW_MS msg)
runs on BSC_ConnHdlr return PDU_ML3_NW_MS {
	var PDU_DTAP_MT bssap_msg_complete;

	alt {
	[] BSSAP.receive(tr_PDU_DTAP_MT(msg)) -> value bssap_msg_complete {
		setverdict(pass);
		}
	/* We don't expect anything else */
	[] as_unexp_gsup_or_bssap_msg();
	}

	return bssap_msg_complete.dtap;
}

/* LU followed by MO USSD request */
private function f_tc_lu_and_mo_ussd_single_request(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* Perform location update */
	f_perform_lu();

	/* Send CM Service Request for SS/USSD */
	f_establish_fully(EST_TYPE_SS_ACT);

	/* We need to inspect GSUP activity */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	var template OCTN facility_req := f_USSD_FACILITY_IE_INVOKE(
		invoke_id := 5, /* Phone may not start from 0 or 1 */
		op_code := SS_OP_CODE_PROCESS_USS_REQ,
		ussd_string := "*#100#"
	);

	var template OCTN facility_rsp := f_USSD_FACILITY_IE_RETURN_RESULT(
		invoke_id := 5, /* InvokeID shall be the same for both REQ and RSP */
		op_code := SS_OP_CODE_PROCESS_USS_REQ,
		ussd_string := "Your extension is " & hex2str(g_pars.msisdn) & "\r"
	)

	/* Compose a new SS/REGISTER message with request */
	var template (value) PDU_ML3_MS_NW ussd_req := ts_ML3_MO_SS_REGISTER(
		tid := 1, /* We just need a single transaction */
		ti_flag := c_TIF_ORIG, /* Sent from the side that originates the TI */
		facility := valueof(facility_req)
	);

	/* Compose SS/RELEASE_COMPLETE template with expected response */
	var template PDU_ML3_NW_MS ussd_rsp := tr_ML3_MT_SS_RELEASE_COMPLETE(
		tid := 1, /* Response should arrive within the same transaction */
		ti_flag := c_TIF_REPL, /* Sent to the side that originates the TI */
		facility := valueof(facility_rsp)
	);

	/* Compose expected MSC -> HLR message */
	var template GSUP_PDU gsup_req := tr_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		state := OSMO_GSUP_SESSION_STATE_BEGIN,
		ss := valueof(facility_req)
	);

	/* To be used for sending response with correct session ID */
	var GSUP_PDU gsup_req_complete;

	/* Request own number */
	BSSAP.send(ts_PDU_DTAP_MO(ussd_req));
	/* Expect GSUP message containing the SS payload */
	gsup_req_complete := f_expect_gsup_msg(gsup_req);

	/* Compose the response from HLR using received session ID */
	var template GSUP_PDU gsup_rsp := ts_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		sid := gsup_req_complete.ies[1].val.session_id,
		state := OSMO_GSUP_SESSION_STATE_END,
		ss := valueof(facility_rsp)
	);

	/* Finally, HLR terminates the session */
	GSUP.send(gsup_rsp);
	/* Expect RELEASE_COMPLETE message with the response */
	f_expect_mt_dtap_msg(ussd_rsp);

	f_expect_clear();
}
testcase TC_lu_and_mo_ussd_single_request() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	vc_conn := f_start_handler(refers(f_tc_lu_and_mo_ussd_single_request), 46);
	vc_conn.done;
}

/* LU followed by MT USSD notification */
private function f_tc_lu_and_mt_ussd_notification(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* Perform location update */
	f_perform_lu();

	f_bssmap_register_imsi(g_pars.imsi, g_pars.tmsi);

	/* We need to inspect GSUP activity */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Facility IE with network-originated USSD notification */
	var template OCTN facility_req := f_USSD_FACILITY_IE_INVOKE(
		op_code := SS_OP_CODE_USS_NOTIFY,
		ussd_string := "Mahlzeit!"
	);

	/* Facility IE with acknowledgment to the USSD notification */
	var template OCTN facility_rsp := enc_SS_FacilityInformation(
		/* In case of USSD notification, Return Result is empty */
		valueof(ts_SS_USSD_FACILITY_RETURN_RESULT_EMPTY())
	);

	/* Compose a new MT SS/REGISTER message with USSD notification */
	var template PDU_ML3_NW_MS ussd_ntf := tr_ML3_MT_SS_REGISTER(
		tid := 0, /* FIXME: most likely, it should be 0 */
		ti_flag := c_TIF_ORIG, /* Sent from the side that originates the TI */
		facility := valueof(facility_req)
	);

	/* Compose HLR -> MSC GSUP message */
	var template (value) GSUP_PDU gsup_req := ts_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		sid := '20000101'O,
		state := OSMO_GSUP_SESSION_STATE_BEGIN,
		ss := valueof(facility_req)
	);

	/* Send it to MSC and expect Paging Request */
	GSUP.send(gsup_req);
	alt {
	[] BSSAP.receive(tr_BSSMAP_Paging(g_pars.imsi)) {
		setverdict(pass);
		}
	/* We don't expect anything else */
	[] as_unexp_gsup_or_bssap_msg();
	}

	/* Send Paging Response and expect USSD notification */
	f_establish_fully(EST_TYPE_PAG_RESP);
	/* Expect MT REGISTER message with USSD notification */
	f_expect_mt_dtap_msg(ussd_ntf);

	/* Compose a new MO SS/FACILITY message with empty response */
	var template (value) PDU_ML3_MS_NW ussd_rsp := ts_ML3_MO_SS_FACILITY(
		tid := 0, /* FIXME: it shall match the request tid */
		ti_flag := c_TIF_REPL, /* Sent to the side that originates the TI */
		facility := valueof(facility_rsp)
	);

	/* Compose expected MSC -> HLR GSUP message */
	var template GSUP_PDU gsup_rsp := tr_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		sid := '20000101'O,
		state := OSMO_GSUP_SESSION_STATE_CONTINUE,
		ss := valueof(facility_rsp)
	);

	/* MS sends response to the notification */
	BSSAP.send(ts_PDU_DTAP_MO(ussd_rsp));
	/* Expect GSUP message containing the SS payload */
	f_expect_gsup_msg(gsup_rsp);

	/* Compose expected MT SS/RELEASE COMPLETE message */
	var template PDU_ML3_NW_MS ussd_term := tr_ML3_MT_SS_RELEASE_COMPLETE(
		tid := 0, /* FIXME: it shall match the request tid */
		ti_flag := c_TIF_ORIG, /* Sent from the side that originates the TI */
		facility := omit
	);

	/* Compose MSC -> HLR GSUP message */
	var template GSUP_PDU gsup_term := ts_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		sid := '20000101'O,
		state := OSMO_GSUP_SESSION_STATE_END
	);

	/* Finally, HLR terminates the session */
	GSUP.send(gsup_term)
	/* Expect MT RELEASE COMPLETE without Facility IE */
	f_expect_mt_dtap_msg(ussd_term);

	f_expect_clear();
}
testcase TC_lu_and_mt_ussd_notification() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	vc_conn := f_start_handler(refers(f_tc_lu_and_mt_ussd_notification), 47);
	vc_conn.done;
}

/* LU followed by MT call and MO USSD request during this call */
private function f_tc_lu_and_mo_ussd_during_mt_call(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* Call parameters taken from f_tc_lu_and_mt_call */
	var CallParameters cpars := valueof(t_CallParams('123456'H, 0));
	cpars.mgcp_connection_id_bss := '10004'H;
	cpars.mgcp_connection_id_mss := '10005'H;
	cpars.mgcp_ep := "rtpbridge/1@mgw";
	cpars.bss_rtp_port := 1110;

	/* Perform location update */
	f_perform_lu();

	/* Establish a MT call */
	f_mt_call_establish(cpars);

	/* Hold the call for some time */
	f_sleep(1.0);

	var template OCTN facility_req := f_USSD_FACILITY_IE_INVOKE(
		op_code := SS_OP_CODE_PROCESS_USS_REQ,
		ussd_string := "*#100#"
	);

	var template OCTN facility_rsp := f_USSD_FACILITY_IE_RETURN_RESULT(
		op_code := SS_OP_CODE_PROCESS_USS_REQ,
		ussd_string := "Your extension is " & hex2str(g_pars.msisdn) & "\r"
	)

	/* Compose a new SS/REGISTER message with request */
	var template (value) PDU_ML3_MS_NW ussd_req := ts_ML3_MO_SS_REGISTER(
		tid := 1, /* We just need a single transaction */
		ti_flag := c_TIF_ORIG, /* Sent from the side that originates the TI */
		facility := valueof(facility_req)
	);

	/* Compose SS/RELEASE_COMPLETE template with expected response */
	var template PDU_ML3_NW_MS ussd_rsp := tr_ML3_MT_SS_RELEASE_COMPLETE(
		tid := 1, /* Response should arrive within the same transaction */
		ti_flag := c_TIF_REPL, /* Sent to the side that originates the TI */
		facility := valueof(facility_rsp)
	);

	/* Compose expected MSC -> HLR message */
	var template GSUP_PDU gsup_req := tr_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		state := OSMO_GSUP_SESSION_STATE_BEGIN,
		ss := valueof(facility_req)
	);

	/* To be used for sending response with correct session ID */
	var GSUP_PDU gsup_req_complete;

	/* Request own number */
	BSSAP.send(ts_PDU_DTAP_MO(ussd_req));
	/* Expect GSUP message containing the SS payload */
	gsup_req_complete := f_expect_gsup_msg(gsup_req);

	/* Compose the response from HLR using received session ID */
	var template GSUP_PDU gsup_rsp := ts_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		sid := gsup_req_complete.ies[1].val.session_id,
		state := OSMO_GSUP_SESSION_STATE_END,
		ss := valueof(facility_rsp)
	);

	/* Finally, HLR terminates the session */
	GSUP.send(gsup_rsp);
	/* Expect RELEASE_COMPLETE message with the response */
	f_expect_mt_dtap_msg(ussd_rsp);

	/* Hold the call for some time */
	f_sleep(1.0);

	/* Release the call (does Clear Complete itself) */
	f_call_hangup(cpars, true);
}
testcase TC_lu_and_mo_ussd_during_mt_call() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	vc_conn := f_start_handler(refers(f_tc_lu_and_mo_ussd_during_mt_call), 48);
	vc_conn.done;
}

/* BSSMAP Clear Request in the middle of a call, see OS#3062 */
private function f_tc_mo_cc_bssmap_clear(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
	var MNCC_PDU mncc;
	var MgcpCommand mgcp_cmd;

	f_perform_lu();

	f_establish_fully();
	f_create_mncc_expect(hex2str(cpars.called_party));
	f_create_mgcp_expect(ExpectCriteria:{omit,omit,omit});

	BSSAP.send(ts_PDU_DTAP_MO(ts_ML3_MO_CC_SETUP(cpars.transaction_id, cpars.called_party)));
	MNCC.receive(tr_MNCC_SETUP_ind(?, tr_MNCC_number(hex2str(cpars.called_party)))) -> value mncc;
	cpars.mncc_callref := mncc.u.signal.callref;
	log("mncc_callref=", cpars.mncc_callref);
	MNCC.send(ts_MNCC_CALL_PROC_req(cpars.mncc_callref, cpars.mncc_bearer_cap));
	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_CALL_PROC(cpars.transaction_id)));

	MNCC.send(ts_MNCC_ALERT_req(cpars.mncc_callref));
	BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_CC_ALERTING(cpars.transaction_id)));
	MGCP.receive(tr_CRCX);

	f_sleep(1.0);
	BSSAP.send(ts_BSSMAP_ClearRequest(0));

	MNCC.receive(tr_MNCC_REL_ind(?, ?)) -> value mncc;

	BSSAP.receive(tr_BSSMAP_ClearCommand);
	BSSAP.send(ts_BSSMAP_ClearComplete);

	f_sleep(1.0);
}
testcase TC_mo_cc_bssmap_clear() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();

	vc_conn := f_start_handler(refers(f_tc_mo_cc_bssmap_clear), 43);
	vc_conn.done;
}

/* LU followed by MT call and MT USSD request during this call */
private function f_tc_lu_and_mt_ussd_during_mt_call(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* Call parameters taken from f_tc_lu_and_mt_call */
	var CallParameters cpars := valueof(t_CallParams('123456'H, 0));
	cpars.mgcp_connection_id_bss := '10004'H;
	cpars.mgcp_connection_id_mss := '10005'H;
	cpars.mgcp_ep := "rtpbridge/1@mgw";
	cpars.bss_rtp_port := 1110;

	/* Perform location update */
	f_perform_lu();

	/* Establish a MT call */
	f_mt_call_establish(cpars);

	/* Hold the call for some time */
	f_sleep(1.0);

	var template OCTN facility_req := f_USSD_FACILITY_IE_INVOKE(
		op_code := SS_OP_CODE_USS_REQUEST,
		ussd_string := "Please type anything..."
	);

	var template OCTN facility_rsp := f_USSD_FACILITY_IE_RETURN_RESULT(
		op_code := SS_OP_CODE_USS_REQUEST,
		ussd_string := "Nope."
	)

	/* Compose MT SS/REGISTER message with network-originated request */
	var template (value) PDU_ML3_NW_MS ussd_req := ts_ML3_MT_SS_REGISTER(
		tid := 0, /* FIXME: most likely, it should be 0 */
		ti_flag := c_TIF_ORIG, /* Sent from the side that originates the TI */
		facility := valueof(facility_req)
	);

	/* Compose HLR -> MSC GSUP message */
	var template (value) GSUP_PDU gsup_req := ts_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		sid := '20000101'O,
		state := OSMO_GSUP_SESSION_STATE_BEGIN,
		ss := valueof(facility_req)
	);

	/* Send it to MSC */
	GSUP.send(gsup_req);
	/* Expect MT REGISTER message with USSD request */
	f_expect_mt_dtap_msg(ussd_req);

	/* Compose a new MO SS/FACILITY message with response */
	var template (value) PDU_ML3_MS_NW ussd_rsp := ts_ML3_MO_SS_FACILITY(
		tid := 0, /* FIXME: it shall match the request tid */
		ti_flag := c_TIF_REPL, /* Sent to the side that originates the TI */
		facility := valueof(facility_rsp)
	);

	/* Compose expected MSC -> HLR GSUP message */
	var template GSUP_PDU gsup_rsp := tr_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		sid := '20000101'O,
		state := OSMO_GSUP_SESSION_STATE_CONTINUE,
		ss := valueof(facility_rsp)
	);

	/* MS sends response */
	BSSAP.send(ts_PDU_DTAP_MO(ussd_rsp));
	f_expect_gsup_msg(gsup_rsp);

	/* Compose expected MT SS/RELEASE COMPLETE message */
	var template PDU_ML3_NW_MS ussd_term := tr_ML3_MT_SS_RELEASE_COMPLETE(
		tid := 0, /* FIXME: it shall match the request tid */
		ti_flag := c_TIF_ORIG, /* Sent from the side that originates the TI */
		facility := omit
	);

	/* Compose MSC -> HLR GSUP message */
	var template GSUP_PDU gsup_term := ts_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		sid := '20000101'O,
		state := OSMO_GSUP_SESSION_STATE_END
	);

	/* Finally, HLR terminates the session */
	GSUP.send(gsup_term);
	/* Expect MT RELEASE COMPLETE without Facility IE */
	f_expect_mt_dtap_msg(ussd_term);

	/* Hold the call for some time */
	f_sleep(1.0);

	/* Release the call (does Clear Complete itself) */
	f_call_hangup(cpars, true);
}
testcase TC_lu_and_mt_ussd_during_mt_call() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	vc_conn := f_start_handler(refers(f_tc_lu_and_mt_ussd_during_mt_call), 49);
	vc_conn.done;
}

/* LU followed by MO USSD request and MO Release during transaction */
private function f_tc_lu_and_mo_ussd_mo_release(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* Perform location update */
	f_perform_lu();

	/* Send CM Service Request for SS/USSD */
	f_establish_fully(EST_TYPE_SS_ACT);

	/* We need to inspect GSUP activity */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	var template OCTN facility_ms_req := f_USSD_FACILITY_IE_INVOKE(
		invoke_id := 1, /* Initial request */
		op_code := SS_OP_CODE_PROCESS_USS_REQ,
		ussd_string := "*6766*266#"
	);

	var template OCTN facility_net_req := f_USSD_FACILITY_IE_INVOKE(
		invoke_id := 2, /* Counter request */
		op_code := SS_OP_CODE_USS_REQUEST,
		ussd_string := "Password?!?"
	)

	/* Compose MO SS/REGISTER message with request */
	var template (value) PDU_ML3_MS_NW ussd_ms_req := ts_ML3_MO_SS_REGISTER(
		tid := 1, /* We just need a single transaction */
		ti_flag := c_TIF_ORIG, /* Sent from the side that originates the TI */
		facility := valueof(facility_ms_req)
	);

	/* Compose expected MSC -> HLR message */
	var template GSUP_PDU gsup_ms_req := tr_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		state := OSMO_GSUP_SESSION_STATE_BEGIN,
		ss := valueof(facility_ms_req)
	);

	/* To be used for sending response with correct session ID */
	var GSUP_PDU gsup_ms_req_complete;

	/* Initiate a new transaction */
	BSSAP.send(ts_PDU_DTAP_MO(ussd_ms_req));
	/* Expect GSUP request with original Facility IE */
	gsup_ms_req_complete := f_expect_gsup_msg(gsup_ms_req);

	/* Compose the response from HLR using received session ID */
	var template (value) GSUP_PDU gsup_net_req := ts_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		sid := gsup_ms_req_complete.ies[1].val.session_id,
		state := OSMO_GSUP_SESSION_STATE_CONTINUE,
		ss := valueof(facility_net_req)
	);

	/* Compose expected MT SS/FACILITY template with counter request */
	var template PDU_ML3_NW_MS ussd_net_req := tr_ML3_MT_SS_FACILITY(
		tid := 1, /* Response should arrive within the same transaction */
		ti_flag := c_TIF_REPL, /* Sent to the side that originates the TI */
		facility := valueof(facility_net_req)
	);

	/* Send response over GSUP */
	GSUP.send(gsup_net_req);
	/* Expect MT SS/FACILITY message with counter request */
	f_expect_mt_dtap_msg(ussd_net_req);

	/* Compose MO SS/RELEASE COMPLETE */
	var template (value) PDU_ML3_MS_NW ussd_abort := ts_ML3_MO_SS_RELEASE_COMPLETE(
		tid := 1, /* Response should arrive within the same transaction */
		ti_flag := c_TIF_ORIG, /* Sent from the side that originates the TI */
		facility := omit
		/* TODO: cause? */
	);

	/* Compose expected HLR -> MSC abort message */
	var template GSUP_PDU gsup_abort := tr_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		sid := gsup_ms_req_complete.ies[1].val.session_id,
		state := OSMO_GSUP_SESSION_STATE_END
	);

	/* Abort transaction */
	BSSAP.send(ts_PDU_DTAP_MO(ussd_abort));
	/* Expect GSUP message indicating abort */
	f_expect_gsup_msg(gsup_abort);

	f_expect_clear();
}
testcase TC_lu_and_mo_ussd_mo_release() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	vc_conn := f_start_handler(refers(f_tc_lu_and_mo_ussd_mo_release), 50);
	vc_conn.done;
}

/* LU followed by MO USSD request and MT Release due to timeout */
private function f_tc_lu_and_ss_session_timeout(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* Perform location update */
	f_perform_lu();

	/* Send CM Service Request for SS/USSD */
	f_establish_fully(EST_TYPE_SS_ACT);

	/* We need to inspect GSUP activity */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	var template OCTN facility_ms_req := f_USSD_FACILITY_IE_INVOKE(
		invoke_id := 1,
		op_code := SS_OP_CODE_PROCESS_USS_REQ,
		ussd_string := "#release_me");

	/* Compose MO SS/REGISTER message with request */
	var template (value) PDU_ML3_MS_NW ussd_ms_req := ts_ML3_MO_SS_REGISTER(
		tid := 1, /* An arbitrary transaction identifier */
		ti_flag := c_TIF_ORIG, /* Sent from the side that originates the TI */
		facility := valueof(facility_ms_req));

	/* Compose expected MSC -> HLR message */
	var template GSUP_PDU gsup_ms_req := tr_GSUP_PROC_SS_REQ(
		imsi := g_pars.imsi,
		state := OSMO_GSUP_SESSION_STATE_BEGIN,
		ss := valueof(facility_ms_req));

	/* To be used for sending response with correct session ID */
	var GSUP_PDU gsup_ms_req_complete;

	/* Initiate a new SS transaction */
	BSSAP.send(ts_PDU_DTAP_MO(ussd_ms_req));
	/* Expect GSUP request with original Facility IE */
	gsup_ms_req_complete := f_expect_gsup_msg(gsup_ms_req);

	/* Don't respond, wait for timeout */
	f_sleep(3.0);

	var template PDU_ML3_NW_MS dtap_rel := tr_ML3_MT_SS_RELEASE_COMPLETE(
		tid := 1, /* Should match the request's tid */
		ti_flag := c_TIF_REPL, /* Sent to the side that originates the TI */
		cause := *, /* TODO: expect some specific value */
		facility := omit);

	var template GSUP_PDU gsup_rel := tr_GSUP_PROC_SS_ERR(
		imsi := g_pars.imsi,
		sid := gsup_ms_req_complete.ies[1].val.session_id,
		state := OSMO_GSUP_SESSION_STATE_END,
		cause := ?); /* TODO: expect some specific value */

	/* Expect release on both interfaces */
	interleave {
	[] BSSAP.receive(tr_PDU_DTAP_MT(dtap_rel)) {  };
	[] GSUP.receive(gsup_rel) {  };
	}

	f_expect_clear();
	setverdict(pass);
}
testcase TC_lu_and_ss_session_timeout() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "msc", "ncss guard-timeout 3");
	vc_conn := f_start_handler(refers(f_tc_lu_and_ss_session_timeout), 51);
	vc_conn.done;
	f_vty_config(MSCVTY, "msc", "ncss guard-timeout 0");
}

/* A5/1 only permitted on network side; attempt an invalid CIPHER MODE COMPLETE with A5/3 which MSC should reject. */
private function f_tc_cipher_complete_with_invalid_cipher(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	pars.net.expect_auth := true;
	pars.net.expect_ciph := true;
	pars.net.kc_support := '02'O;	/* A5/1 only */
	f_init_handler(pars);

	g_pars.vec := f_gen_auth_vec_2g();

	/* Can't use f_perform_lu() directly. Code below is based on it. */

	/* tell GSUP dispatcher to send this IMSI to us */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	/* Send BSSAP_Conn_Req with COMPL L3 INFO to MSC */
	var PDU_ML3_MS_NW l3_lu := f_build_lu_imsi(g_pars.imsi)
	f_bssap_compl_l3(l3_lu);

	f_mm_auth();

	var OCT1 a5_net := f_alg_mask_from_cm(g_pars.cm2);
	var OCT1 a5_intersect := g_pars.net.kc_support and4b a5_net;
	alt {
	[] BSSAP.receive(tr_BSSMAP_CipherModeCmd(a5_intersect, g_pars.vec.kc)) {
		BSSAP.send(ts_BSSMAP_CipherModeCompl(int2oct(4 /* "accept" A5/3 */, 1)));
		}
	[] BSSAP.receive(tr_BSSMAP_CipherModeCmd(?, g_pars.vec.kc)) {
		setverdict(fail, "Wrong ciphering algorithm mask in CiphModCmd");
		mtc.stop;
		}
	[] BSSAP.receive {
		setverdict(fail, "Unknown/unexpected BSSAP received");
		mtc.stop;
		}
	}

	/* Expect LU reject from MSC. */
	alt {
	[] BSSAP.receive(tr_PDU_DTAP_MT(tr_ML3_MT_LU_Rej)) {
		setverdict(pass);
		}
	[] BSSAP.receive {
		setverdict(fail, "Unknown/unexpected BSSAP received");
		mtc.stop;
		}
	}
	f_expect_clear();
}

testcase TC_cipher_complete_with_invalid_cipher() runs on MTC_CT {
	var BSC_ConnHdlr vc_conn;
	f_init();
	f_vty_config(MSCVTY, "network", "encryption a5 1");

	vc_conn := f_start_handler(refers(f_tc_cipher_complete_with_invalid_cipher), 52);
	vc_conn.done;
}

/* TODO (SMS):
   * different user data lengths
   * SMPP transaction mode with unsuccessful delivery
   * queued MT-SMS with no paging response + later delivery
   * different data coding schemes
   * multi-part SMS
   * user-data headers
   * TP-PID for SMS to SIM
   * behavior if SMS memory is full + RP-SMMA
   * delivery reports
   * SMPP osmocom extensions
   * more-messages-to-send
   * SMS during ongoing call (SACCH/SAPI3)
 */

/* TODO (General):
   * continue to send repeated MO signalling messages to keep channel open: does MSC tmeout?
   * malformed messages (missing IE, invalid message type): properly rejected?
   * MT call while LU or is ongoing: Do we use existing lchan or page while lchan active?
   * 3G/2G auth permutations
   * encryption algorithms vs. classmark vs. vty config
   * send new transaction after/during clear (like SMS, ...)
   * too long L3 INFO in DTAP
   * too long / padded BSSAP
   * too long / short TLV values
 */

/* Perform a location updatye at the A-Interface and run some checks to confirm
 * that everything is back to normal. */
private function f_sgsap_bssmap_screening()  runs on BSC_ConnHdlr {
	var SmsParameters spars := valueof(t_SmsPars);

	/* Perform a location update, the SGs association is expected to fall
	 * back to NULL */
	f_perform_lu();
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-NULL");

	/* Trigger a paging request and expect the paging on BSSMAP, this is
	 * to make sure that pagings are sent throught the A-Interface again
	 * and not throught the SGs interface.*/
	f_bssmap_register_imsi(g_pars.imsi, g_pars.tmsi);
	f_vty_transceive(MSCVTY, "subscriber imsi " & hex2str(g_pars.imsi) & " paging");

	alt {
	[] BSSAP.receive(tr_BSSMAP_Paging(g_pars.imsi)); {
		setverdict(pass);
		}
	[] SGsAP.receive {
		setverdict(fail, "Received unexpected message on SGs");
		}
	}

	/* Send an SMS to make sure that also payload messages are routed
	 * throught the A-Interface again */
	f_establish_fully(EST_TYPE_MO_SMS);
	f_mo_sms(spars);
	f_expect_clear();
}

private function f_tc_sgsap_reset(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	var charstring vlr_name;
	f_init_handler(pars);

	vlr_name := f_sgsap_reset_mme(mp_mme_name);
	log("VLR name: ", vlr_name);
	setverdict(pass);
}

testcase TC_sgsap_reset() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11810, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_reset), pars);
	vc_conn.done;
}

/* like f_mm_auth() but for SGs */
function f_mm_auth_sgs() runs on BSC_ConnHdlr {
	if (g_pars.net.expect_auth) {
		g_pars.vec := f_gen_auth_vec_3g();
		var GSUP_IE auth_tuple := valueof(ts_GSUP_IE_AuthTuple2G3G(g_pars.vec.rand,
									   g_pars.vec.sres,
									   g_pars.vec.kc,
									   g_pars.vec.ik,
									   g_pars.vec.ck,
									   g_pars.vec.autn,
									   g_pars.vec.res));
		GSUP.receive(tr_GSUP_SAI_REQ(g_pars.imsi));
		GSUP.send(ts_GSUP_SAI_RES(g_pars.imsi, auth_tuple));
		SGsAP.receive(tr_ML3_MT_MM_AUTH_REQ_3G(g_pars.vec.rand, g_pars.vec.autn));
		SGsAP.send(ts_ML3_MT_MM_AUTH_RESP_3G(g_pars.vec.sres, g_pars.vec.res));
	}
}

/* like f_perform_lu(), but on SGs rather than BSSAP */
function f_sgs_perform_lu() runs on BSC_ConnHdlr {
	var octetstring mme_name := f_enc_dns_hostname(mp_mme_name);
	var PDU_SGsAP lur;
	var PDU_SGsAP lua;
	var PDU_SGsAP mm_info;
	var octetstring mm_info_dtap;

	/* tell GSUP dispatcher to send this IMSI to us */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	lur := valueof(ts_SGsAP_LU_REQ(g_pars.imsi, mme_name, IMSI_attach,
					ts_SGsAP_LAI('901'H, '70'H, 2342)));
	/* Old LAI, if MS sends it */
	/* TMSI status, if MS has no valid TMSI */
	/* IMEISV, if it supports "automatic device detection" */
	/* TAI, if available in MME */
	/* E-CGI, if available in MME */
	SGsAP.send(lur);

	/* FIXME: is this really done over SGs?  The Ue is already authenticated
	 * via the MME ... */
	f_mm_auth_sgs();

	/* Expect MSC to perform LU with HLR */
	GSUP.receive(tr_GSUP_UL_REQ(g_pars.imsi));
	GSUP.send(ts_GSUP_ISD_REQ(g_pars.imsi, g_pars.msisdn));
	GSUP.receive(tr_GSUP_ISD_RES(g_pars.imsi));
	GSUP.send(ts_GSUP_UL_RES(g_pars.imsi));

	alt {
	[] SGsAP.receive(tr_SGsAP_LU_ACCEPT(g_pars.imsi, ?)) -> value lua {
		if (isvalue(lua.sGsAP_LOCATION_UPDATE_ACCEPT.newTMSIorIMSI.iD.iD.tmsi_ptmsi.octets)) {
			g_pars.tmsi :=lua.sGsAP_LOCATION_UPDATE_ACCEPT.newTMSIorIMSI.iD.iD.tmsi_ptmsi.octets
			SGsAP.send(ts_SGsAP_TMSI_REALL_CMPL(g_pars.imsi));
		}
		setverdict(pass);
		}
	[] SGsAP.receive(tr_SGsAP_LU_REJECT(g_pars.imsi, ?, ?)) {
		setverdict(fail, "Received LU-REJECT instead of ACCEPT");
		}
	[] SGsAP.receive {
		setverdict(fail, "Received unexpected message on SGs");
		}
	}

	/* Check MM information */
	if (mp_mm_info == true) {
		SGsAP.receive(tr_SGsAP_MM_INFO_REQ(g_pars.imsi, ?)) -> value mm_info;
		mm_info_dtap := '0532'O & mm_info.sGsAP_MM_INFORMATION_REQUEST.mM_Information.information;
		if (not match(dec_PDU_ML3_NW_MS(mm_info_dtap), tr_ML3_MT_MM_Info)) {
			setverdict(fail, "Unexpected MM Information");
		}
	}

	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-ASSOCIATED");
}

private function f_tc_sgsap_lu(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	f_sgs_perform_lu();
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-ASSOCIATED");

	f_sgsap_bssmap_screening();

	setverdict(pass);
}
testcase TC_sgsap_lu() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11811, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_lu), pars);
	vc_conn.done;
}

/* Do LU by IMSI, refuse it on GSUP and expect LU REJ back to MS */
private function f_tc_sgsap_lu_imsi_reject(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	var PDU_SGsAP lur;

	f_create_gsup_expect(hex2str(g_pars.imsi));
	var octetstring mme_name := f_enc_dns_hostname(mp_mme_name);
	lur := valueof(ts_SGsAP_LU_REQ(g_pars.imsi, mme_name, IMSI_attach,
					ts_SGsAP_LAI('901'H, '70'H, 2342)));
	SGsAP.send(lur);

	GSUP.receive(tr_GSUP_UL_REQ(g_pars.imsi));
	GSUP.send(ts_GSUP_UL_ERR(g_pars.imsi, 23));
	alt {
	[] SGsAP.receive(tr_SGsAP_LU_REJECT(g_pars.imsi, ?, ?)) {
		setverdict(pass);
		}
	[] SGsAP.receive(tr_SGsAP_LU_ACCEPT(g_pars.imsi, ?)) {
		setverdict(fail, "Expecting LU REJ, but got ACCEPT");
		mtc.stop;
		}
	[] SGsAP.receive {
		setverdict(fail, "Received unexpected message on SGs");
		}
	}

	f_sgsap_bssmap_screening();

	setverdict(pass);
}
testcase TC_sgsap_lu_imsi_reject() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11812, true);

	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_lu_imsi_reject), pars);
	vc_conn.done;
}

/* Do LU by IMSI, but then remain silent so that Ts6-1 times out */
private function f_tc_sgsap_lu_and_nothing(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	var octetstring mme_name := f_enc_dns_hostname(mp_mme_name);
	var PDU_SGsAP lur;

	f_init_handler(pars);

	/* tell GSUP dispatcher to send this IMSI to us */
	f_create_gsup_expect(hex2str(g_pars.imsi));

	lur := valueof(ts_SGsAP_LU_REQ(g_pars.imsi, mme_name, IMSI_attach,
					ts_SGsAP_LAI('901'H, '70'H, 2342)));
	/* Old LAI, if MS sends it */
	/* TMSI status, if MS has no valid TMSI */
	/* IMEISV, if it supports "automatic device detection" */
	/* TAI, if available in MME */
	/* E-CGI, if available in MME */
	SGsAP.send(lur);

	/* FIXME: is this really done over SGs?  The Ue is already authenticated
	 * via the MME ... */
	f_mm_auth_sgs();

	/* Expect MSC to perform LU with HLR */
	GSUP.receive(tr_GSUP_UL_REQ(g_pars.imsi));
	GSUP.send(ts_GSUP_ISD_REQ(g_pars.imsi, g_pars.msisdn));
	GSUP.receive(tr_GSUP_ISD_RES(g_pars.imsi));
	GSUP.send(ts_GSUP_UL_RES(g_pars.imsi));

	alt {
	[] SGsAP.receive(tr_SGsAP_LU_ACCEPT(g_pars.imsi, ?)) {
		setverdict(pass);
		}
	[] SGsAP.receive(tr_SGsAP_LU_REJECT(g_pars.imsi, ?, ?)) {
		setverdict(fail, "Received LU-REJECT instead of ACCEPT");
		}
	[] SGsAP.receive {
		setverdict(fail, "Received unexpected message on SGs");
		}
	}

	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-ASSOCIATED");

	/* Wait until the VLR has abort the TMSI reallocation procedure */
	f_sleep(45.0);

	/* The outcome does not change the SGs state, see also 5.2.3.4 */
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-ASSOCIATED");

	f_sgsap_bssmap_screening();

	setverdict(pass);
}
testcase TC_sgsap_lu_and_nothing() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11813, true);

	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_lu_and_nothing), pars);
	vc_conn.done;
}

private function f_tc_sgsap_expl_imsi_det_eps(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	f_init_handler(pars);
	f_sgs_perform_lu();
	f_sleep(3.0);

	var octetstring mme_name := f_enc_dns_hostname(mp_mme_name);
	SGsAP.send(ts_SGsAP_EPS_DETACH_IND(g_pars.imsi, mme_name, UE_initiated));
	SGsAP.receive(tr_SGsAP_EPS_DETACH_ACK(g_pars.imsi));
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-NULL");

	f_sgsap_bssmap_screening();

	setverdict(pass);
}
testcase TC_sgsap_expl_imsi_det_eps() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11814, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_expl_imsi_det_eps), pars);
	vc_conn.done;
}

private function f_tc_sgsap_expl_imsi_det_noneps(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	f_init_handler(pars);
	f_sgs_perform_lu();
	f_sleep(3.0);

	var octetstring mme_name := f_enc_dns_hostname(mp_mme_name);
	SGsAP.send(ts_SGsAP_IMSI_DETACH_IND(g_pars.imsi, mme_name, combined_UE_initiated));
	SGsAP.receive(tr_SGsAP_IMSI_DETACH_ACK(g_pars.imsi));
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-NULL");
	/* FIXME: How to verify that VLR has removed MM context? */

	f_sgsap_bssmap_screening();

	setverdict(pass);
}
testcase TC_sgsap_expl_imsi_det_noneps() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11815, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_expl_imsi_det_noneps), pars);
	vc_conn.done;
}

/* Trigger a paging request via VTY and send a paging reject in response */
private function f_tc_sgsap_paging_rej(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	f_init_handler(pars);
	f_sgs_perform_lu();
	f_sleep(1.0);

	var octetstring vlr_name := f_enc_dns_hostname(mp_vlr_name);
	var template PDU_SGsAP exp_resp := tr_SGsAP_PAGING_REQ(g_pars.imsi, vlr_name, CS_call_indicator, omit);
	var template  LocationAreaId exp_lai := ts_SGsAP_IE_Lai(valueof(ts_SGsAP_LAI('901'H, '70'H, 2342)));
	exp_resp.sGsAP_PAGING_REQUEST.locationAreaId := exp_lai;

	/* Initiate paging via VTY */
	f_vty_transceive(MSCVTY, "subscriber imsi " & hex2str(g_pars.imsi) & " paging");
	alt {
	[] SGsAP.receive(exp_resp) {
		setverdict(pass);
		}
	[] SGsAP.receive {
		setverdict(fail, "Received unexpected message on SGs");
		}
	}

	/* Now reject the paging */
	SGsAP.send(ts_SGsAP_PAGING_REJ(g_pars.imsi, IMSI_unknown));

	/* Wait for the states inside the MSC to settle and check the state
	 * of the SGs Association */
	f_sleep(1.0);
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-NULL");

	/* FIXME: At the moment we send an IMSI_unknown as cause code, which is fine,
	 * but we also need to cover tha case where the cause code indicates an
	 * "IMSI detached for EPS services". In those cases the VLR is expected to
	 * try paging on tha A/Iu interface. This will be another testcase similar to
	 * this one, but extended with checks for the presence of the A/Iu paging
	 * messages. */

	f_sgsap_bssmap_screening();

	setverdict(pass);
}
testcase TC_sgsap_paging_rej() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11816, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_paging_rej), pars);
	vc_conn.done;
}

/* Trigger a paging request via VTY and send a paging reject that indicates
 * that the subscriber intentionally rejected the call. */
private function f_tc_sgsap_paging_subscr_rej(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	f_init_handler(pars);
	f_sgs_perform_lu();
	f_sleep(1.0);

	var octetstring vlr_name := f_enc_dns_hostname(mp_vlr_name);
	var template PDU_SGsAP exp_resp := tr_SGsAP_PAGING_REQ(g_pars.imsi, vlr_name, CS_call_indicator, omit);
	var template  LocationAreaId exp_lai := ts_SGsAP_IE_Lai(valueof(ts_SGsAP_LAI('901'H, '70'H, 2342)));
	exp_resp.sGsAP_PAGING_REQUEST.locationAreaId := exp_lai;

	/* Initiate paging via VTY */
	f_vty_transceive(MSCVTY, "subscriber imsi " & hex2str(g_pars.imsi) & " paging");
	alt {
	[] SGsAP.receive(exp_resp) {
		setverdict(pass);
		}
	[] SGsAP.receive {
		setverdict(fail, "Received unexpected message on SGs");
		}
	}

	/* Now reject the paging */
	SGsAP.send(ts_SGsAP_PAGING_REJ(g_pars.imsi, user_rejected_mobile_terminating_CS_fallback_call));

	/* Wait for the states inside the MSC to settle and check the state
	 * of the SGs Association */
	f_sleep(1.0);
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-ASSOCIATED");

	/* FIXME: The VLR is supposed to trigger an User Determined User Busy (UDUB) as specified
	 * in 3GPP TS 24.082, this is not yet implemented in the MSC or in this tests, we need
	 * to check back how this works and how it can be tested */

	f_sgsap_bssmap_screening();

	setverdict(pass);
}
testcase TC_sgsap_paging_subscr_rej() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11817, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_paging_subscr_rej), pars);
	vc_conn.done;
}

/* Trigger a paging request via VTY and send an UE unreacable messge in response */
private function f_tc_sgsap_paging_ue_unr(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	f_init_handler(pars);
	f_sgs_perform_lu();
	f_sleep(1.0);

	var octetstring vlr_name := f_enc_dns_hostname(mp_vlr_name);
	var template PDU_SGsAP exp_resp := tr_SGsAP_PAGING_REQ(g_pars.imsi, vlr_name, CS_call_indicator, omit);
	var template  LocationAreaId exp_lai := ts_SGsAP_IE_Lai(valueof(ts_SGsAP_LAI('901'H, '70'H, 2342)));
	exp_resp.sGsAP_PAGING_REQUEST.locationAreaId := exp_lai;

	/* Initiate paging via VTY */
	f_vty_transceive(MSCVTY, "subscriber imsi " & hex2str(g_pars.imsi) & " paging");
	alt {
	[] SGsAP.receive(exp_resp) {
		setverdict(pass);
		}
	[] SGsAP.receive {
		setverdict(fail, "Received unexpected message on SGs");
		}
	}

	/* Now pretend that the UE is unreachable */
	SGsAP.send(ts_SGsAP_UE_UNREACHABLE(g_pars.imsi, UE_unreachable));

	/* Wait for the states inside the MSC to settle and check the state
	 * of the SGs Association. */
	f_sleep(1.0);
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-ASSOCIATED");

	f_sgsap_bssmap_screening();

	setverdict(pass);
}
testcase TC_sgsap_paging_ue_unr() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11818, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_paging_ue_unr), pars);
	vc_conn.done;
}

/* Trigger a paging request via VTY but don't respond to it */
private function f_tc_sgsap_paging_and_nothing(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	f_init_handler(pars);
	f_sgs_perform_lu();
	f_sleep(1.0);

	var octetstring vlr_name := f_enc_dns_hostname(mp_vlr_name);
	var template PDU_SGsAP exp_resp := tr_SGsAP_PAGING_REQ(g_pars.imsi, vlr_name, CS_call_indicator, omit);
	var template  LocationAreaId exp_lai := ts_SGsAP_IE_Lai(valueof(ts_SGsAP_LAI('901'H, '70'H, 2342)));
	exp_resp.sGsAP_PAGING_REQUEST.locationAreaId := exp_lai;

	/* Initiate paging via VTY */
	f_vty_transceive(MSCVTY, "subscriber imsi " & hex2str(g_pars.imsi) & " paging");
	alt {
	[] SGsAP.receive(exp_resp) {
		setverdict(pass);
		}
	[] SGsAP.receive {
		setverdict(fail, "Received unexpected message on SGs");
		}
	}

	/* Now do nothing, the MSC/VLR should fail silently to page after a
	 * few seconds, The SGs association must remain unchanged. */
	f_sleep(15.0);
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-ASSOCIATED");

	f_sgsap_bssmap_screening();

	setverdict(pass);
}
testcase TC_sgsap_paging_and_nothing() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11819, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_paging_and_nothing), pars);
	vc_conn.done;
}

/* Trigger a paging request via VTY and slip in an LU */
private function f_tc_sgsap_paging_and_lu(charstring id, BSC_ConnHdlrPars pars)
runs on BSC_ConnHdlr {
	var octetstring vlr_name := f_enc_dns_hostname(mp_vlr_name);
	f_init_handler(pars);

	/* First we prepar the situation, where the SGs association is in state
	 * NULL and the confirmed by radio contact indicator is set to false
	 * as well. This can be archived by performing an SGs LU and then
	 * resetting the VLR */
	f_sgs_perform_lu();
	f_sgsap_reset_mme(mp_mme_name);
	f_sleep(1.0);
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-NULL");

	/* Perform a paging, expect the paging messages on the SGs interface */
	f_vty_transceive(MSCVTY, "subscriber imsi " & hex2str(g_pars.imsi) & " paging");
	alt {
	[] SGsAP.receive(tr_SGsAP_PAGING_REQ(pars.imsi, vlr_name, CS_call_indicator, omit)) {
		setverdict(pass);
		}
	[] SGsAP.receive {
		setverdict(fail, "Received unexpected message on SGs");
		}
	}

	/* Perform the LU as normal */
	f_sgs_perform_lu();
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-ASSOCIATED");

	/* Expect a new paging request right after the LU */
	alt {
	[] SGsAP.receive(tr_SGsAP_PAGING_REQ(pars.imsi, vlr_name, CS_call_indicator, omit)) {
		setverdict(pass);
		}
	[] SGsAP.receive {
		setverdict(fail, "Received unexpected message on SGs");
		}
	}

	/* Test is done now, lets round everything up by rejecting the paging
	 * cleanly. */
	SGsAP.send(ts_SGsAP_PAGING_REJ(g_pars.imsi, user_rejected_mobile_terminating_CS_fallback_call));
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-ASSOCIATED");

	f_sgsap_bssmap_screening();

	setverdict(pass);
}
testcase TC_sgsap_paging_and_lu() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11820, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_paging_and_lu), pars);
	vc_conn.done;
}

/* Send unexpected unit-data through the SGs interface */
private function f_tc_sgsap_unexp_ud(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	f_sleep(1.0);

	/* This simulates what happens when a subscriber without SGs
	 * association gets unitdata via the SGs interface. */

	/* Make sure the subscriber exists and the SGs association
	 * is in NULL state */
	f_perform_lu();
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-NULL");

	/* Send some random unit data, the MSC/VLR should send a release
	 * immediately. */
	SGsAP.send(ts_SGsAP_UL_UD(pars.imsi,'1234'O));
	SGsAP.receive(tr_SGsAP_RELEASE_REQ(pars.imsi, IMSI_detached_for_EPS_nonEPS_services));

	f_sgsap_bssmap_screening();

	setverdict(pass);
}
testcase TC_sgsap_unexp_ud() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11821, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_unexp_ud), pars);
	vc_conn.done;
}

/* Send unsolicited unit-data through the SGs interface */
private function f_tc_sgsap_unsol_ud(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	f_sleep(1.0);

	/* This simulates what happens when the MME attempts to send unitdata
	 * to a subscriber that is completely unknown to the VLR */

	/* Send some random unit data, the MSC/VLR should send a release
	 * immediately. */
	SGsAP.send(ts_SGsAP_UL_UD(pars.imsi,'1234'O));
	SGsAP.receive(tr_SGsAP_RELEASE_REQ(pars.imsi, IMSI_unknown));

	f_sgsap_bssmap_screening();

	setverdict(pass);
}
testcase TC_sgsap_unsol_ud() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11822, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_unsol_ud), pars);
	vc_conn.done;
}

private altstep as_other_sms_sgs() runs on BSC_ConnHdlr {
	/* FIXME: Match an actual payload (second questionmark), the type is
	 * octetstring, how do we use a tr_PDU_DTAP_MT here? */
	[] SGsAP.receive(tr_SGsAP_DL_UD(?,?)) {
		setverdict(fail, "Unexpected SMS related PDU from MSC");
		mtc.stop;
	}
}

/* receive a MT-SMS delivered from the MSC/SMSC over an already existing SGsAP connection */
function f_mt_sms_sgs(inout SmsParameters spars)
runs on BSC_ConnHdlr {
	var template (value) TPDU_RP_DATA_MS_SGSN tp_mo;
	var template (value) RPDU_MS_SGSN rp_mo;
	var template (value) PDU_ML3_MS_NW l3_mo;

	var template TPDU_RP_DATA_SGSN_MS tp_mt;
	var template RPDU_SGSN_MS rp_mt;
	var template PDU_ML3_NW_MS l3_mt;

	var PDU_ML3_NW_MS sgsap_l3_mt;

	var default d := activate(as_other_sms_sgs());

	/* Expect CP-DATA(RP-DATA(SMS-DELIVER)) */
	tp_mt := tr_SMS_DELIVER(?, spars.tp.ud, spars.tp.pid, spars.tp.dcs, ?);
	rp_mt := tr_RP_DATA_MT(?, ?, omit, tp_mt);
	l3_mt := tr_ML3_MT_SMS(?, c_TIF_ORIG, tr_CP_DATA_MT(rp_mt));

	SGsAP.receive(l3_mt) -> value sgsap_l3_mt;

	/* Extract relevant identifiers */
	spars.tid := bit2int(sgsap_l3_mt.tiOrSkip.transactionId.tio);
	spars.rp.msg_ref := sgsap_l3_mt.msgs.sms.cP_DATA.cP_User_Data.cP_RPDU.rP_DATA_SGSN_MS.rP_MessageReference;

	/* send CP-ACK for CP-DATA just received */
	l3_mo := ts_ML3_MO_SMS(spars.tid, c_TIF_REPL, ts_CP_ACK_MO);

	SGsAP.send(l3_mo);

	/* send RP-ACK for RP-DATA */
	rp_mo := ts_RP_ACK_MO(spars.rp.msg_ref);
	l3_mo := ts_ML3_MO_SMS(spars.tid, c_TIF_REPL, ts_CP_DATA_MO(rp_mo));

	SGsAP.send(l3_mo);

	/* expect CP-ACK for CP-DATA(RP-ACK) just sent */
	l3_mt := tr_ML3_MT_SMS(spars.tid, c_TIF_ORIG, tr_CP_ACK_MT);

	SGsAP.receive(l3_mt);

	deactivate(d);

	setverdict(pass);
}

/* submit a MO-SMS to MSC/SMSC over an already existing SGsAP connection */
function f_mo_sms_sgs(inout SmsParameters spars)
runs on BSC_ConnHdlr {
	var template (value) TPDU_RP_DATA_MS_SGSN tp_mo;
	var template (value) RPDU_MS_SGSN rp_mo;
	var template (value) PDU_ML3_MS_NW l3_mo;

	var template TPDU_RP_DATA_SGSN_MS tp_mt;
	var template RPDU_SGSN_MS rp_mt;
	var template PDU_ML3_NW_MS l3_mt;

	var default d := activate(as_other_sms_sgs());

	/* just in case this is routed to SMPP.. */
	f_create_smpp_expect(hex2str(spars.tp.da.tP_DA_NoPad.tP_DAValue));

	tp_mo := ts_SMS_SUBMIT(spars.tp.msg_ref, spars.tp.da, spars.tp.pid, spars.tp.dcs,
				 spars.tp.udl, spars.tp.ud);
	rp_mo := ts_RP_DATA_MO(spars.rp.msg_ref, spars.rp.orig, spars.rp.dest, tp_mo);
	l3_mo := ts_ML3_MO_SMS(spars.tid, c_TIF_ORIG, ts_CP_DATA_MO(rp_mo));

	SGsAP.send(l3_mo);

	/* receive CP-ACK for CP-DATA above */
	SGsAP.receive(tr_ML3_MT_SMS(spars.tid, c_TIF_REPL, tr_CP_ACK_MT));

	if (ispresent(spars.exp_rp_err)) {
		/* expect an RP-ERROR message from MSC with given cause */
		rp_mt := tr_RP_ERROR_MT(spars.rp.msg_ref, spars.exp_rp_err);
		l3_mt := tr_ML3_MT_SMS(spars.tid, c_TIF_REPL, tr_CP_DATA_MT(rp_mt));
		SGsAP.receive(l3_mt);
		/* send CP-ACK for CP-DATA just received */
		l3_mo := ts_ML3_MO_SMS(spars.tid, c_TIF_ORIG, ts_CP_ACK_MO);
		SGsAP.send(l3_mo);
	} else {
		/* expect RP-ACK for RP-DATA */
		rp_mt := tr_RP_ACK_MT(spars.rp.msg_ref);
		l3_mt := tr_ML3_MT_SMS(spars.tid, c_TIF_REPL, tr_CP_DATA_MT(rp_mt));
		SGsAP.receive(l3_mt);
		/* send CP-ACO for CP-DATA just received */
		l3_mo := ts_ML3_MO_SMS(spars.tid, c_TIF_ORIG, ts_CP_ACK_MO);
		SGsAP.send(l3_mo);
	}

	deactivate(d);

	setverdict(pass);
}

private function f_vty_sms_send_conn_hdlr(charstring imsi, charstring msisdn, charstring text)
runs on BSC_ConnHdlr {
	f_vty_transceive(MSCVTY, "subscriber imsi "&imsi&" sms sender msisdn "&msisdn&" send "&text);
}

/* Send a MT SMS via SGs interface */
private function f_tc_sgsap_mt_sms(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	f_sgs_perform_lu();
	f_sleep(1.0);
	var SmsParameters spars := valueof(t_SmsPars);
	spars.tp.ud := 'C8329BFD064D9B53'O;

	/* Trigger SMS via VTY */
	f_vty_sms_send_conn_hdlr(hex2str(pars.imsi), "2342", "Hello SMS");
	var octetstring vlr_name := f_enc_dns_hostname(mp_vlr_name);

	/* Expect a paging request and respond accordingly with a service request */
	SGsAP.receive(tr_SGsAP_PAGING_REQ(pars.imsi, vlr_name, SMS_indicator, omit));
	SGsAP.send(ts_SGsAP_SERVICE_REQ(pars.imsi, SMS_indicator, EMM_CONNECTED));

	/* Connection is now live, receive the MT-SMS */
	f_mt_sms_sgs(spars);

	/* Expect a concluding release from the MSC */
	SGsAP.receive(tr_SGsAP_RELEASE_REQ(pars.imsi, omit));

	/* Make sure that subscriber is still present and the SGs association is in tact (ref-counting) */
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-ASSOCIATED");

	f_sgsap_bssmap_screening();

	setverdict(pass);
}
testcase TC_sgsap_mt_sms() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11823, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_mt_sms), pars);
	vc_conn.done;
}

/* Send a MO SMS via SGs interface */
private function f_tc_sgsap_mo_sms(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars);
	f_sgs_perform_lu();
	f_sleep(1.0);
	var SmsParameters spars := valueof(t_SmsPars);
	spars.tp.ud := 'C8329BFD064D9B53'O;

	/* Send the MO-SMS */
	f_mo_sms_sgs(spars);

	/* Expect a concluding release from the MSC/VLR */
	SGsAP.receive(tr_SGsAP_RELEASE_REQ(pars.imsi, omit));

	/* Make sure that subscriber is still present and the SGs association is in tact (ref-counting) */
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-ASSOCIATED");

	setverdict(pass);

	f_sgsap_bssmap_screening()
}
testcase TC_sgsap_mo_sms() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11824, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_mo_sms), pars);
	vc_conn.done;
}

/* Trigger sending of an MT sms via VTY but never respond to anything  */
private function f_tc_sgsap_mt_sms_and_nothing(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars, 170.0);
	f_sgs_perform_lu();
	f_sleep(1.0);

	var SmsParameters spars := valueof(t_SmsPars);
	spars.tp.ud := 'C8329BFD064D9B53'O;
	var integer page_count := 0;
	var octetstring vlr_name := f_enc_dns_hostname(mp_vlr_name);
	var template PDU_SGsAP exp_pag_req := tr_SGsAP_PAGING_REQ(g_pars.imsi, vlr_name, SMS_indicator, omit);
	var template LocationAreaId exp_lai := ts_SGsAP_IE_Lai(valueof(ts_SGsAP_LAI('901'H, '70'H, 2342)));
	exp_pag_req.sGsAP_PAGING_REQUEST.locationAreaId := exp_lai;

	/* Trigger SMS via VTY */
	f_vty_sms_send_conn_hdlr(hex2str(pars.imsi), "2342", "Hello SMS");

	/* Expect the MSC/VLR to page exactly 10 times before giving up */
	alt {
		[] SGsAP.receive(exp_pag_req)
		{
			page_count := page_count + 1;

			if (page_count < 10) {
				repeat;
			}
		}
		[] SGsAP.receive {
			setverdict(fail, "unexpected SGsAP message received");
			self.stop;
		}
	}

	/* Wait some time to make sure the MSC is not delivering any further
	 * paging messages or anything else that could be unexpected. */
	timer T := 20.0;
	T.start
	alt {
		[] SGsAP.receive(exp_pag_req)
		{
			setverdict(fail, "paging seems not to stop!");
			mtc.stop;
		}
		[] SGsAP.receive {
			setverdict(fail, "unexpected SGsAP message received");
			self.stop;
		}
		[] T.timeout {
			setverdict(pass);
		}
	}

	/* Even on a failed paging the SGs Association should stay intact */
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-ASSOCIATED");

	/* Note: We do not execute f_sgsap_bssmap_screening() here since the
	 * MSC/VLR would re-try to deliver the test SMS trigered above and
	 * so the screening would fail. */

	/* Expire the subscriber now to avoid that the MSC will try the SMS
	 * delivery at some later point. */
	f_vty_transceive(MSCVTY, "subscriber imsi " & hex2str(g_pars.imsi) & " expire");

	setverdict(pass);
}
testcase TC_sgsap_mt_sms_and_nothing() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11825, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_mt_sms_and_nothing), pars);
	vc_conn.done;
}

/* Trigger sending of an MT sms via VTY but reject the paging immediately */
private function f_tc_sgsap_mt_sms_and_reject(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_init_handler(pars, 150.0);
	f_sgs_perform_lu();
	f_sleep(1.0);

	var SmsParameters spars := valueof(t_SmsPars);
	spars.tp.ud := 'C8329BFD064D9B53'O;
	var integer page_count := 0;
	var octetstring vlr_name := f_enc_dns_hostname(mp_vlr_name);
	var template PDU_SGsAP exp_pag_req := tr_SGsAP_PAGING_REQ(g_pars.imsi, vlr_name, SMS_indicator, omit);
	var template LocationAreaId exp_lai := ts_SGsAP_IE_Lai(valueof(ts_SGsAP_LAI('901'H, '70'H, 2342)));
	exp_pag_req.sGsAP_PAGING_REQUEST.locationAreaId := exp_lai;

	/* Trigger SMS via VTY */
	f_vty_sms_send_conn_hdlr(hex2str(pars.imsi), "2342", "Hello SMS");

	/* Expect a paging request and reject it immediately */
	SGsAP.receive(exp_pag_req);
	SGsAP.send(ts_SGsAP_PAGING_REJ(g_pars.imsi, IMSI_unknown));

	/* The MSC/VLR should no longer try to page once the paging has been
	 * rejected. Wait some time and check if there are no unexpected
	 * messages on the SGs interface. */
	timer T := 20.0;
	T.start
	alt {
		[] SGsAP.receive(exp_pag_req)
		{
			setverdict(fail, "paging seems not to stop!");
			mtc.stop;
		}
		[] SGsAP.receive {
			setverdict(fail, "unexpected SGsAP message received");
			self.stop;
		}
		[] T.timeout {
			setverdict(pass);
		}
	}

	/* A rejected paging with IMSI_unknown (see above) should always send
	 * the SGs association to NULL. */
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-NULL");

	f_sgsap_bssmap_screening();

	/* Expire the subscriber now to avoid that the MSC will try the SMS
	 * delivery at some later point. */
	f_vty_transceive(MSCVTY, "subscriber imsi " & hex2str(g_pars.imsi) & " expire");

	setverdict(pass);
}
testcase TC_sgsap_mt_sms_and_reject() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11826, true);
	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_mt_sms_and_reject), pars);
	vc_conn.done;
}

/* Perform an MT CSDB call including LU */
private function f_mt_lu_and_csfb_call(charstring id, BSC_ConnHdlrPars pars, boolean bssmap_lu) runs on BSC_ConnHdlr {
	f_init_handler(pars);

	/* Be sure that the BSSMAP reset is done before we begin. */
	f_sleep(2.0);

	/* Testcase variation: See what happens when we do a regular BSSMAP
	 * LU first (this should not hurt in any way!) */
	if (bssmap_lu) {
		f_perform_lu();
	}

	f_sgs_perform_lu();
	f_sleep(1.0);

	var octetstring vlr_name := f_enc_dns_hostname(mp_vlr_name);
	var CallParameters cpars := valueof(t_CallParams('12345'H, 0));
	cpars.bss_rtp_port := 1110;
	cpars.mgcp_connection_id_bss := '10004'H;
	cpars.mgcp_connection_id_mss := '10005'H;

	/* Note: This is an optional parameter. When the call-agent (MSC) does
	 * supply a full endpoint name this setting will be overwritten. */
	cpars.mgcp_ep := "rtpbridge/1@mgw";

	/* Initiate a call via MNCC interface */
	f_mt_call_initate(cpars);

	/* Expect a paging request and respond accordingly with a service request */
	SGsAP.receive(tr_SGsAP_PAGING_REQ(pars.imsi, vlr_name, CS_call_indicator, omit));
	SGsAP.send(ts_SGsAP_SERVICE_REQ(pars.imsi, CS_call_indicator, EMM_CONNECTED));

	/* Complete the call, hold it for some time and then tear it down */
	f_mt_call_complete(cpars);
	f_sleep(3.0);
	f_call_hangup(cpars, true);

	/* Make sure that subscriber is still present and the SGs association is in tact (ref-counting) */
	f_ctrl_get_exp(IPA_CTRL, "fsm.SGs-UE.id.imsi:" & hex2str(g_pars.imsi) & ".state", "SGs-ASSOCIATED");

	/* Finally simulate the return of the UE to the 4G network */
	SGsAP.send(ts_SGsAP_MO_CSFB_IND(pars.imsi));

	/* Test for successful return by triggering a paging, when the paging
	 * request is received via SGs, we can be sure that the MSC/VLR has
	 * recognized that the UE is now back on 4G */
	f_sleep(1.0);
	f_vty_transceive(MSCVTY, "subscriber imsi " & hex2str(g_pars.imsi) & " paging");
	alt {
	[] SGsAP.receive(tr_SGsAP_PAGING_REQ(pars.imsi, vlr_name, CS_call_indicator, omit)) {
		setverdict(pass);
		}
	[] SGsAP.receive {
		setverdict(fail, "Received unexpected message on SGs");
		}
	}

	f_sgsap_bssmap_screening();

	setverdict(pass);
}

/* Perform a regular BSSAP LU first, do a SGSAP LU and then make a CSFB call */
private function f_tc_bssap_lu_sgsap_lu_and_mt_call(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_mt_lu_and_csfb_call(id, pars, true);
}
testcase TC_bssap_lu_sgsap_lu_and_mt_call() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(118139, true);

	vc_conn := f_start_handler_with_pars(refers(f_tc_bssap_lu_sgsap_lu_and_mt_call), pars);
	vc_conn.done;
}


/* Perform a SGSAP LU and then make a CSFB call */
private function f_tc_sgsap_lu_and_mt_call(charstring id, BSC_ConnHdlrPars pars) runs on BSC_ConnHdlr {
	f_mt_lu_and_csfb_call(id, pars, false);
}
testcase TC_sgsap_lu_and_mt_call() runs on MTC_CT {
	var BSC_ConnHdlrPars pars;
	var BSC_ConnHdlr vc_conn;
	f_init(1, true);
	pars := f_init_pars(11827, true);

	vc_conn := f_start_handler_with_pars(refers(f_tc_sgsap_lu_and_mt_call), pars);
	vc_conn.done;
}

/* SGs TODO:
   * LU attempt for IMSI without NAM_PS in HLR
   * LU attempt with AUTH FAIL due to invalid RES/SRES
   * LU attempt with no response from HLR (VLR should timeout + LU REJ)
   * LU attempt with new TMSI but without TMSI REALL CMPL baco to VLR
   * implicit IMSI detach from EPS
   * implicit IMSI detach from non-EPS
   * MM INFO
   *
 */

control {
	execute( TC_cr_before_reset() );
	execute( TC_lu_imsi_noauth_tmsi() );
	execute( TC_lu_imsi_noauth_notmsi() );
	execute( TC_lu_imsi_reject() );
	execute( TC_lu_imsi_timeout_gsup() );
	execute( TC_lu_imsi_auth_tmsi() );
	execute( TC_cmserv_imsi_unknown() );
	execute( TC_lu_and_mo_call() );
	execute( TC_lu_auth_sai_timeout() );
	execute( TC_lu_auth_sai_err() );
	execute( TC_lu_clear_request() );
	execute( TC_lu_disconnect() );
	execute( TC_lu_by_imei() );
	execute( TC_lu_by_tmsi_noauth_unknown() );
	execute( TC_imsi_detach_by_imsi() );
	execute( TC_imsi_detach_by_tmsi() );
	execute( TC_imsi_detach_by_imei() );
	execute( TC_emerg_call_imei_reject() );
	execute( TC_emerg_call_imsi() );
	execute( TC_cm_serv_req_vgcs_reject() );
	execute( TC_cm_serv_req_vbs_reject() );
	execute( TC_cm_serv_req_lcs_reject() );
	execute( TC_cm_reest_req_reject() );
	execute( TC_lu_auth_2G_fail() );
	execute( TC_lu_imsi_auth_tmsi_encr_13_13() );
	execute( TC_cl3_no_payload() );
	execute( TC_cl3_rnd_payload() );
	execute( TC_establish_and_nothing() );
	execute( TC_mo_setup_and_nothing() );
	execute( TC_mo_crcx_ran_timeout() );
	execute( TC_mo_crcx_ran_reject() );
	execute( TC_mt_crcx_ran_reject() );
	execute( TC_mo_setup_and_dtmf_dup() );
	//execute( TC_mt_t310() );
	execute( TC_gsup_cancel() );
	execute( TC_lu_imsi_auth_tmsi_encr_1_13() );
	execute( TC_lu_imsi_auth_tmsi_encr_3_13() );
	execute( TC_lu_imsi_auth_tmsi_encr_3_1() );
	execute( TC_lu_imsi_auth_tmsi_encr_3_1_no_cm() );
	execute( TC_lu_imsi_auth_tmsi_encr_13_2() );
	execute( TC_lu_imsi_auth_tmsi_encr_013_2() );
	execute( TC_mo_release_timeout() );
	execute( TC_lu_and_mt_call_no_dlcx_resp() );
	execute( TC_reset_two() );

	execute( TC_lu_and_mt_call() );

	execute( TC_lu_and_mo_sms() );
	execute( TC_lu_and_mt_sms() );
	execute( TC_lu_and_mt_sms_paging_and_nothing() );
	execute( TC_smpp_mo_sms() );
	execute( TC_smpp_mt_sms() );

	execute( TC_gsup_mo_sms() );
	execute( TC_gsup_mo_smma() );
	execute( TC_gsup_mt_sms_ack() );
	execute( TC_gsup_mt_sms_err() );
	execute( TC_gsup_mt_sms_rp_mr() );
	execute( TC_gsup_mo_mt_sms_rp_mr() );

	execute( TC_lu_and_mo_ussd_single_request() );
	execute( TC_lu_and_mt_ussd_notification() );
	execute( TC_lu_and_mo_ussd_during_mt_call() );
	execute( TC_lu_and_mt_ussd_during_mt_call() );
	execute( TC_lu_and_mo_ussd_mo_release() );
	execute( TC_lu_and_ss_session_timeout() );

	execute( TC_cipher_complete_with_invalid_cipher() );

	execute( TC_sgsap_reset() );
	execute( TC_sgsap_lu() );
	execute( TC_sgsap_lu_imsi_reject() );
	execute( TC_sgsap_lu_and_nothing() );
	execute( TC_sgsap_expl_imsi_det_eps() );
	execute( TC_sgsap_expl_imsi_det_noneps() );
	execute( TC_sgsap_paging_rej() );
	execute( TC_sgsap_paging_subscr_rej() );
	execute( TC_sgsap_paging_ue_unr() );
	execute( TC_sgsap_paging_and_nothing() );
	execute( TC_sgsap_paging_and_lu() );
	execute( TC_sgsap_mt_sms() );
	execute( TC_sgsap_mo_sms() );
	execute( TC_sgsap_mt_sms_and_nothing() );
	execute( TC_sgsap_mt_sms_and_reject() );
	execute( TC_sgsap_unexp_ud() );
	execute( TC_sgsap_unsol_ud() );
	execute( TC_bssap_lu_sgsap_lu_and_mt_call() );
	execute( TC_sgsap_lu_and_mt_call() );

	/* Run this last: at the time of writing this test crashes the MSC */
	execute( TC_lu_imsi_auth_tmsi_encr_3_1_log_msc_debug() );
	execute( TC_gsup_mt_multi_part_sms() );
	execute( TC_mo_cc_bssmap_clear() );
}


}