Context Navigation

gsm_04_08.c @ 474d19f5c00f6224852e28606dbe4f2e455198c0

Visit:

Revision 474d19f5c00f6224852e28606dbe4f2e455198c0, 90.7 kB (checked in by Harald Welte <laforge@gnumonks.org>, 6 months ago)
remove gsm04.08 utility code that has been moved to libosmocore
Property mode set to `100644`

Line
1	/* GSM Mobile Radio Interface Layer 3 messages on the A-bis interface
2	* 3GPP TS 04.08 version 7.21.0 Release 1998 / ETSI TS 100 940 V7.21.0 */
3
4	/* (C) 2008-2009 by Harald Welte <laforge@gnumonks.org>
5	* (C) 2008, 2009 by Holger Hans Peter Freyther <zecke@selfish.org>
6	*
7	* All Rights Reserved
8	*
9	* This program is free software; you can redistribute it and/or modify
10	* it under the terms of the GNU General Public License as published by
11	* the Free Software Foundation; either version 2 of the License, or
12	* (at your option) any later version.
13	*
14	* This program is distributed in the hope that it will be useful,
15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	* GNU General Public License for more details.
18	*
19	* You should have received a copy of the GNU General Public License along
20	* with this program; if not, write to the Free Software Foundation, Inc.,
21	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22	*
23	*/
24
25
26	#include <stdio.h>
27	#include <stdlib.h>
28	#include <string.h>
29	#include <errno.h>
30	#include <time.h>
31	#include <netinet/in.h>
32
33	#include <openbsc/db.h>
34	#include <osmocore/msgb.h>
35	#include <osmocore/bitvec.h>
36	#include <osmocore/tlv.h>
37	#include <openbsc/debug.h>
38	#include <openbsc/gsm_data.h>
39	#include <osmocore/gsm_utils.h>
40	#include <openbsc/gsm_subscriber.h>
41	#include <openbsc/gsm_04_11.h>
42	#include <openbsc/gsm_04_08.h>
43	#include <openbsc/abis_rsl.h>
44	#include <openbsc/chan_alloc.h>
45	#include <openbsc/paging.h>
46	#include <openbsc/signal.h>
47	#include <openbsc/trau_frame.h>
48	#include <openbsc/trau_mux.h>
49	#include <openbsc/rtp_proxy.h>
50	#include <osmocore/talloc.h>
51	#include <openbsc/transaction.h>
52	#include <openbsc/ussd.h>
53	#include <openbsc/silent_call.h>
54
55	#define GSM_MAX_FACILITY 128
56	#define GSM_MAX_SSVERSION 128
57	#define GSM_MAX_USERUSER 128
58
59	void *tall_locop_ctx;
60
61	int gsm0408_loc_upd_acc(struct gsm_lchan *lchan, u_int32_t tmsi);
62	static int gsm48_tx_simple(struct gsm_lchan *lchan,
63	u_int8_t pdisc, u_int8_t msg_type);
64	static void schedule_reject(struct gsm_lchan *lchan);
65
66	struct gsm_lai {
67	u_int16_t mcc;
68	u_int16_t mnc;
69	u_int16_t lac;
70	};
71
72	static u_int32_t new_callref = 0x80000001;
73
74	static int authorize_subscriber(struct gsm_loc_updating_operation *loc,
75	struct gsm_subscriber *subscriber)
76	{
77	if (!subscriber)
78	return 0;
79
80	/*
81	* Do not send accept yet as more information should arrive. Some
82	* phones will not send us the information and we will have to check
83	* what we want to do with that.
84	*/
85	if (loc && (loc->waiting_for_imsi \|\| loc->waiting_for_imei))
86	return 0;
87
88	switch (subscriber->net->auth_policy) {
89	case GSM_AUTH_POLICY_CLOSED:
90	return subscriber->authorized;
91	case GSM_AUTH_POLICY_TOKEN:
92	if (subscriber->authorized)
93	return subscriber->authorized;
94	return (subscriber->flags & GSM_SUBSCRIBER_FIRST_CONTACT);
95	case GSM_AUTH_POLICY_ACCEPT_ALL:
96	return 1;
97	default:
98	return 0;
99	}
100	}
101
102	static void release_loc_updating_req(struct gsm_lchan *lchan)
103	{
104	if (!lchan->loc_operation)
105	return;
106
107	bsc_del_timer(&lchan->loc_operation->updating_timer);
108	talloc_free(lchan->loc_operation);
109	lchan->loc_operation = 0;
110	put_lchan(lchan);
111	}
112
113	static void allocate_loc_updating_req(struct gsm_lchan *lchan)
114	{
115	use_lchan(lchan);
116	release_loc_updating_req(lchan);
117
118	lchan->loc_operation = talloc_zero(tall_locop_ctx,
119	struct gsm_loc_updating_operation);
120	}
121
122	static int gsm0408_authorize(struct gsm_lchan lchan, struct msgb msg)
123	{
124	if (authorize_subscriber(lchan->loc_operation, lchan->subscr)) {
125	int rc;
126
127	db_subscriber_alloc_tmsi(lchan->subscr);
128	release_loc_updating_req(lchan);
129	rc = gsm0408_loc_upd_acc(msg->lchan, lchan->subscr->tmsi);
130	if (lchan->ts->trx->bts->network->send_mm_info) {
131	/* send MM INFO with network name */
132	rc = gsm48_tx_mm_info(msg->lchan);
133	}
134
135	/* call subscr_update after putting the loc_upd_acc
136	* in the transmit queue, since S_SUBSCR_ATTACHED might
137	* trigger further action like SMS delivery */
138	subscr_update(lchan->subscr, msg->trx->bts,
139	GSM_SUBSCRIBER_UPDATE_ATTACHED);
140	/* try to close channel ASAP */
141	lchan_auto_release(lchan);
142	return rc;
143	}
144
145	return 0;
146	}
147
148	static int gsm0408_handle_lchan_signal(unsigned int subsys, unsigned int signal,
149	void handler_data, void signal_data)
150	{
151	struct gsm_trans trans, temp;
152
153	if (subsys != SS_LCHAN \|\| signal != S_LCHAN_UNEXPECTED_RELEASE)
154	return 0;
155
156	/*
157	* Cancel any outstanding location updating request
158	* operation taking place on the lchan.
159	*/
160	struct gsm_lchan lchan = (struct gsm_lchan )signal_data;
161	if (!lchan)
162	return 0;
163
164	release_loc_updating_req(lchan);
165
166	/* Free all transactions that are associated with the released lchan */
167	/* FIXME: this is not neccessarily the right thing to do, we should
168	* only set trans->lchan to NULL and wait for another lchan to be
169	* established to the same MM entity (phone/subscriber) */
170	llist_for_each_entry_safe(trans, temp, &lchan->ts->trx->bts->network->trans_list, entry) {
171	if (trans->lchan == lchan)
172	trans_free(trans);
173	}
174
175	return 0;
176	}
177
178	static const char bcd_num_digits[] = {
179	'0', '1', '2', '3', '4', '5', '6', '7',
180	'8', '9', '*', '#', 'a', 'b', 'c', '\0'
181	};
182
183	/* decode a 'called/calling/connect party BCD number' as in 10.5.4.7 */
184	int decode_bcd_number(char output, int output_len, const u_int8_t bcd_lv,
185	int h_len)
186	{
187	u_int8_t in_len = bcd_lv[0];
188	int i;
189
190	for (i = 1 + h_len; i <= in_len; i++) {
191	/* lower nibble */
192	output_len--;
193	if (output_len <= 1)
194	break;
195	*output++ = bcd_num_digits[bcd_lv[i] & 0xf];
196
197	/* higher nibble */
198	output_len--;
199	if (output_len <= 1)
200	break;
201	*output++ = bcd_num_digits[bcd_lv[i] >> 4];
202	}
203	if (output_len >= 1)
204	*output++ = '\0';
205
206	return 0;
207	}
208
209	/* convert a single ASCII character to call-control BCD */
210	static int asc_to_bcd(const char asc)
211	{
212	int i;
213
214	for (i = 0; i < ARRAY_SIZE(bcd_num_digits); i++) {
215	if (bcd_num_digits[i] == asc)
216	return i;
217	}
218	return -EINVAL;
219	}
220
221	/* convert a ASCII phone number to 'called/calling/connect party BCD number' */
222	int encode_bcd_number(u_int8_t *bcd_lv, u_int8_t max_len,
223	int h_len, const char *input)
224	{
225	int in_len = strlen(input);
226	int i;
227	u_int8_t *bcd_cur = bcd_lv + 1 + h_len;
228
229	/* two digits per byte, plus type byte */
230	bcd_lv[0] = in_len/2 + h_len;
231	if (in_len % 2)
232	bcd_lv[0]++;
233
234	if (bcd_lv[0] > max_len)
235	return -EIO;
236
237	for (i = 0; i < in_len; i++) {
238	int rc = asc_to_bcd(input[i]);
239	if (rc < 0)
240	return rc;
241	if (i % 2 == 0)
242	*bcd_cur = rc;
243	else
244	*bcd_cur++ \|= (rc << 4);
245	}
246	/* append padding nibble in case of odd length */
247	if (i % 2)
248	*bcd_cur++ \|= 0xf0;
249
250	/* return how many bytes we used */
251	return (bcd_cur - bcd_lv);
252	}
253
254	/* decode 'bearer capability' */
255	static int decode_bearer_cap(struct gsm_mncc_bearer_cap *bcap,
256	const u_int8_t *lv)
257	{
258	u_int8_t in_len = lv[0];
259	int i, s;
260
261	if (in_len < 1)
262	return -EINVAL;
263
264	bcap->speech_ver[0] = -1; /* end of list, of maximum 7 values */
265
266	/* octet 3 */
267	bcap->transfer = lv[1] & 0x07;
268	bcap->mode = (lv[1] & 0x08) >> 3;
269	bcap->coding = (lv[1] & 0x10) >> 4;
270	bcap->radio = (lv[1] & 0x60) >> 5;
271
272	if (bcap->transfer == GSM_MNCC_BCAP_SPEECH) {
273	i = 1;
274	s = 0;
275	while(!(lv[i] & 0x80)) {
276	i++; /* octet 3a etc */
277	if (in_len < i)
278	return 0;
279	bcap->speech_ver[s++] = lv[i] & 0x0f;
280	bcap->speech_ver[s] = -1; /* end of list */
281	if (i == 2) /* octet 3a */
282	bcap->speech_ctm = (lv[i] & 0x20) >> 5;
283	if (s == 7) /* maximum speech versions + end of list */
284	return 0;
285	}
286	} else {
287	i = 1;
288	while (!(lv[i] & 0x80)) {
289	i++; /* octet 3a etc */
290	if (in_len < i)
291	return 0;
292	/* ignore them */
293	}
294	/* FIXME: implement OCTET 4+ parsing */
295	}
296
297	return 0;
298	}
299
300	/* encode 'bearer capability' */
301	static int encode_bearer_cap(struct msgb *msg, int lv_only,
302	const struct gsm_mncc_bearer_cap *bcap)
303	{
304	u_int8_t lv[32 + 1];
305	int i = 1, s;
306
307	lv[1] = bcap->transfer;
308	lv[1] \|= bcap->mode << 3;
309	lv[1] \|= bcap->coding << 4;
310	lv[1] \|= bcap->radio << 5;
311
312	if (bcap->transfer == GSM_MNCC_BCAP_SPEECH) {
313	for (s = 0; bcap->speech_ver[s] >= 0; s++) {
314	i++; /* octet 3a etc */
315	lv[i] = bcap->speech_ver[s];
316	if (i == 2) /* octet 3a */
317	lv[i] \|= bcap->speech_ctm << 5;
318	}
319	lv[i] \|= 0x80; /* last IE of octet 3 etc */
320	} else {
321	/* FIXME: implement OCTET 4+ encoding */
322	}
323
324	lv[0] = i;
325	if (lv_only)
326	msgb_lv_put(msg, lv[0], lv+1);
327	else
328	msgb_tlv_put(msg, GSM48_IE_BEARER_CAP, lv[0], lv+1);
329
330	return 0;
331	}
332
333	/* decode 'call control cap' */
334	static int decode_cccap(struct gsm_mncc_cccap ccap, const u_int8_t lv)
335	{
336	u_int8_t in_len = lv[0];
337
338	if (in_len < 1)
339	return -EINVAL;
340
341	/* octet 3 */
342	ccap->dtmf = lv[1] & 0x01;
343	ccap->pcp = (lv[1] & 0x02) >> 1;
344
345	return 0;
346	}
347
348	/* decode 'called party BCD number' */
349	static int decode_called(struct gsm_mncc_number *called,
350	const u_int8_t *lv)
351	{
352	u_int8_t in_len = lv[0];
353
354	if (in_len < 1)
355	return -EINVAL;
356
357	/* octet 3 */
358	called->plan = lv[1] & 0x0f;
359	called->type = (lv[1] & 0x70) >> 4;
360
361	/* octet 4..N */
362	decode_bcd_number(called->number, sizeof(called->number), lv, 1);
363
364	return 0;
365	}
366
367	/* encode 'called party BCD number' */
368	static int encode_called(struct msgb *msg,
369	const struct gsm_mncc_number *called)
370	{
371	u_int8_t lv[18];
372	int ret;
373
374	/* octet 3 */
375	lv[1] = called->plan;
376	lv[1] \|= called->type << 4;
377
378	/* octet 4..N, octet 2 */
379	ret = encode_bcd_number(lv, sizeof(lv), 1, called->number);
380	if (ret < 0)
381	return ret;
382
383	msgb_tlv_put(msg, GSM48_IE_CALLED_BCD, lv[0], lv+1);
384
385	return 0;
386	}
387
388	/* encode callerid of various IEs */
389	static int encode_callerid(struct msgb *msg, int ie,
390	const struct gsm_mncc_number *callerid)
391	{
392	u_int8_t lv[13];
393	int h_len = 1;
394	int ret;
395
396	/* octet 3 */
397	lv[1] = callerid->plan;
398	lv[1] \|= callerid->type << 4;
399
400	if (callerid->present \|\| callerid->screen) {
401	/* octet 3a */
402	lv[2] = callerid->screen;
403	lv[2] \|= callerid->present << 5;
404	lv[2] \|= 0x80;
405	h_len++;
406	} else
407	lv[1] \|= 0x80;
408
409	/* octet 4..N, octet 2 */
410	ret = encode_bcd_number(lv, sizeof(lv), h_len, callerid->number);
411	if (ret < 0)
412	return ret;
413
414	msgb_tlv_put(msg, ie, lv[0], lv+1);
415
416	return 0;
417	}
418
419	/* decode 'cause' */
420	static int decode_cause(struct gsm_mncc_cause *cause,
421	const u_int8_t *lv)
422	{
423	u_int8_t in_len = lv[0];
424	int i;
425
426	if (in_len < 2)
427	return -EINVAL;
428
429	cause->diag_len = 0;
430
431	/* octet 3 */
432	cause->location = lv[1] & 0x0f;
433	cause->coding = (lv[1] & 0x60) >> 5;
434
435	i = 1;
436	if (!(lv[i] & 0x80)) {
437	i++; /* octet 3a */
438	if (in_len < i+1)
439	return 0;
440	cause->rec = 1;
441	cause->rec_val = lv[i] & 0x7f;
442
443	}
444	i++;
445
446	/* octet 4 */
447	cause->value = lv[i] & 0x7f;
448	i++;
449
450	if (in_len < i) /* no diag */
451	return 0;
452
453	if (in_len - (i-1) > 32) /* maximum 32 octets */
454	return 0;
455
456	/* octet 5-N */
457	memcpy(cause->diag, lv + i, in_len - (i-1));
458	cause->diag_len = in_len - (i-1);
459
460	return 0;
461	}
462
463	/* encode 'cause' */
464	static int encode_cause(struct msgb *msg, int lv_only,
465	const struct gsm_mncc_cause *cause)
466	{
467	u_int8_t lv[32+4];
468	int i;
469
470	if (cause->diag_len > 32)
471	return -EINVAL;
472
473	/* octet 3 */
474	lv[1] = cause->location;
475	lv[1] \|= cause->coding << 5;
476
477	i = 1;
478	if (cause->rec) {
479	i++; /* octet 3a */
480	lv[i] = cause->rec_val;
481	}
482	lv[i] \|= 0x80; /* end of octet 3 */
483
484	/* octet 4 */
485	i++;
486	lv[i] = 0x80 \| cause->value;
487
488	/* octet 5-N */
489	if (cause->diag_len) {
490	memcpy(lv + i, cause->diag, cause->diag_len);
491	i += cause->diag_len;
492	}
493
494	lv[0] = i;
495	if (lv_only)
496	msgb_lv_put(msg, lv[0], lv+1);
497	else
498	msgb_tlv_put(msg, GSM48_IE_CAUSE, lv[0], lv+1);
499
500	return 0;
501	}
502
503	/* encode 'calling number' */
504	static int encode_calling(struct msgb *msg,
505	const struct gsm_mncc_number *calling)
506	{
507	return encode_callerid(msg, GSM48_IE_CALLING_BCD, calling);
508	}
509
510	/* encode 'connected number' */
511	static int encode_connected(struct msgb *msg,
512	const struct gsm_mncc_number *connected)
513	{
514	return encode_callerid(msg, GSM48_IE_CONN_BCD, connected);
515	}
516
517	/* encode 'redirecting number' */
518	static int encode_redirecting(struct msgb *msg,
519	const struct gsm_mncc_number *redirecting)
520	{
521	return encode_callerid(msg, GSM48_IE_REDIR_BCD, redirecting);
522	}
523
524	/* decode 'facility' */
525	static int decode_facility(struct gsm_mncc_facility *facility,
526	const u_int8_t *lv)
527	{
528	u_int8_t in_len = lv[0];
529
530	if (in_len < 1)
531	return -EINVAL;
532
533	if (in_len > sizeof(facility->info))
534	return -EINVAL;
535
536	memcpy(facility->info, lv+1, in_len);
537	facility->len = in_len;
538
539	return 0;
540	}
541
542	/* encode 'facility' */
543	static int encode_facility(struct msgb *msg, int lv_only,
544	const struct gsm_mncc_facility *facility)
545	{
546	u_int8_t lv[GSM_MAX_FACILITY + 1];
547
548	if (facility->len < 1 \|\| facility->len > GSM_MAX_FACILITY)
549	return -EINVAL;
550
551	memcpy(lv+1, facility->info, facility->len);
552	lv[0] = facility->len;
553	if (lv_only)
554	msgb_lv_put(msg, lv[0], lv+1);
555	else
556	msgb_tlv_put(msg, GSM48_IE_FACILITY, lv[0], lv+1);
557
558	return 0;
559	}
560
561	/* decode 'notify' */
562	static int decode_notify(int notify, const u_int8_t v)
563	{
564	*notify = v[0] & 0x7f;
565
566	return 0;
567	}
568
569	/* encode 'notify' */
570	static int encode_notify(struct msgb *msg, int notify)
571	{
572	msgb_v_put(msg, notify \| 0x80);
573
574	return 0;
575	}
576
577	/* encode 'signal' */
578	static int encode_signal(struct msgb *msg, int signal)
579	{
580	msgb_tv_put(msg, GSM48_IE_SIGNAL, signal);
581
582	return 0;
583	}
584
585	/* decode 'keypad' */
586	static int decode_keypad(int keypad, const u_int8_t lv)
587	{
588	u_int8_t in_len = lv[0];
589
590	if (in_len < 1)
591	return -EINVAL;
592
593	*keypad = lv[1] & 0x7f;
594
595	return 0;
596	}
597
598	/* encode 'keypad' */
599	static int encode_keypad(struct msgb *msg, int keypad)
600	{
601	msgb_tv_put(msg, GSM48_IE_KPD_FACILITY, keypad);
602
603	return 0;
604	}
605
606	/* decode 'progress' */
607	static int decode_progress(struct gsm_mncc_progress *progress,
608	const u_int8_t *lv)
609	{
610	u_int8_t in_len = lv[0];
611
612	if (in_len < 2)
613	return -EINVAL;
614
615	progress->coding = (lv[1] & 0x60) >> 5;
616	progress->location = lv[1] & 0x0f;
617	progress->descr = lv[2] & 0x7f;
618
619	return 0;
620	}
621
622	/* encode 'progress' */
623	static int encode_progress(struct msgb *msg, int lv_only,
624	const struct gsm_mncc_progress *p)
625	{
626	u_int8_t lv[3];
627
628	lv[0] = 2;
629	lv[1] = 0x80 \| ((p->coding & 0x3) << 5) \| (p->location & 0xf);
630	lv[2] = 0x80 \| (p->descr & 0x7f);
631	if (lv_only)
632	msgb_lv_put(msg, lv[0], lv+1);
633	else
634	msgb_tlv_put(msg, GSM48_IE_PROGR_IND, lv[0], lv+1);
635
636	return 0;
637	}
638
639	/* decode 'user-user' */
640	static int decode_useruser(struct gsm_mncc_useruser *uu,
641	const u_int8_t *lv)
642	{
643	u_int8_t in_len = lv[0];
644	char *info = uu->info;
645	int info_len = sizeof(uu->info);
646	int i;
647
648	if (in_len < 1)
649	return -EINVAL;
650
651	uu->proto = lv[1];
652
653	for (i = 2; i <= in_len; i++) {
654	info_len--;
655	if (info_len <= 1)
656	break;
657	*info++ = lv[i];
658	}
659	if (info_len >= 1)
660	*info++ = '\0';
661
662	return 0;
663	}
664
665	/* encode 'useruser' */
666	static int encode_useruser(struct msgb *msg, int lv_only,
667	const struct gsm_mncc_useruser *uu)
668	{
669	u_int8_t lv[GSM_MAX_USERUSER + 2];
670
671	if (strlen(uu->info) > GSM_MAX_USERUSER)
672	return -EINVAL;
673
674	lv[0] = 1 + strlen(uu->info);
675	lv[1] = uu->proto;
676	memcpy(lv + 2, uu->info, strlen(uu->info));
677	if (lv_only)
678	msgb_lv_put(msg, lv[0], lv+1);
679	else
680	msgb_tlv_put(msg, GSM48_IE_USER_USER, lv[0], lv+1);
681
682	return 0;
683	}
684
685	/* decode 'ss version' */
686	static int decode_ssversion(struct gsm_mncc_ssversion *ssv,
687	const u_int8_t *lv)
688	{
689	u_int8_t in_len = lv[0];
690
691	if (in_len < 1 \|\| in_len < sizeof(ssv->info))
692	return -EINVAL;
693
694	memcpy(ssv->info, lv + 1, in_len);
695	ssv->len = in_len;
696
697	return 0;
698	}
699
700	/* encode 'more data' */
701	static int encode_more(struct msgb *msg)
702	{
703	u_int8_t *ie;
704
705	ie = msgb_put(msg, 1);
706	ie[0] = GSM48_IE_MORE_DATA;
707
708	return 0;
709	}
710
711	/* Chapter 9.2.14 : Send LOCATION UPDATING REJECT */
712	int gsm0408_loc_upd_rej(struct gsm_lchan *lchan, u_int8_t cause)
713	{
714	struct gsm_bts *bts = lchan->ts->trx->bts;
715	struct msgb *msg = gsm48_msgb_alloc();
716	struct gsm48_hdr *gh;
717
718	msg->lchan = lchan;
719
720	gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(gh) + 1);
721	gh->proto_discr = GSM48_PDISC_MM;
722	gh->msg_type = GSM48_MT_MM_LOC_UPD_REJECT;
723	gh->data[0] = cause;
724
725	LOGP(DMM, LOGL_INFO, "Subscriber %s: LOCATION UPDATING REJECT "
726	"LAC=%u BTS=%u\n", lchan->subscr ?
727	subscr_name(lchan->subscr) : "unknown",
728	lchan->ts->trx->bts->location_area_code, lchan->ts->trx->bts->nr);
729
730	counter_inc(bts->network->stats.loc_upd_resp.reject);
731
732	return gsm48_sendmsg(msg, NULL);
733	}
734
735	/* Chapter 9.2.13 : Send LOCATION UPDATE ACCEPT */
736	int gsm0408_loc_upd_acc(struct gsm_lchan *lchan, u_int32_t tmsi)
737	{
738	struct gsm_bts *bts = lchan->ts->trx->bts;
739	struct msgb *msg = gsm48_msgb_alloc();
740	struct gsm48_hdr *gh;
741	struct gsm48_loc_area_id *lai;
742	u_int8_t *mid;
743
744	msg->lchan = lchan;
745
746	gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(gh));
747	gh->proto_discr = GSM48_PDISC_MM;
748	gh->msg_type = GSM48_MT_MM_LOC_UPD_ACCEPT;
749
750	lai = (struct gsm48_loc_area_id ) msgb_put(msg, sizeof(lai));
751	gsm0408_generate_lai(lai, bts->network->country_code,
752	bts->network->network_code, bts->location_area_code);
753
754	mid = msgb_put(msg, GSM48_MID_TMSI_LEN);
755	gsm48_generate_mid_from_tmsi(mid, tmsi);
756
757	DEBUGP(DMM, "-> LOCATION UPDATE ACCEPT\n");
758
759	counter_inc(bts->network->stats.loc_upd_resp.accept);
760
761	return gsm48_sendmsg(msg, NULL);
762	}
763
764	/* Transmit Chapter 9.2.10 Identity Request */
765	static int mm_tx_identity_req(struct gsm_lchan *lchan, u_int8_t id_type)
766	{
767	struct msgb *msg = gsm48_msgb_alloc();
768	struct gsm48_hdr *gh;
769
770	msg->lchan = lchan;
771
772	gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(gh) + 1);
773	gh->proto_discr = GSM48_PDISC_MM;
774	gh->msg_type = GSM48_MT_MM_ID_REQ;
775	gh->data[0] = id_type;
776
777	return gsm48_sendmsg(msg, NULL);
778	}
779
780
781	/* Parse Chapter 9.2.11 Identity Response */
782	static int mm_rx_id_resp(struct msgb *msg)
783	{
784	struct gsm48_hdr *gh = msgb_l3(msg);
785	struct gsm_lchan *lchan = msg->lchan;
786	struct gsm_bts *bts = lchan->ts->trx->bts;
787	struct gsm_network *net = bts->network;
788	u_int8_t mi_type = gh->data[1] & GSM_MI_TYPE_MASK;
789	char mi_string[GSM48_MI_SIZE];
790
791	gsm48_mi_to_string(mi_string, sizeof(mi_string), &gh->data[1], gh->data[0]);
792	DEBUGP(DMM, "IDENTITY RESPONSE: mi_type=0x%02x MI(%s)\n",
793	mi_type, mi_string);
794
795	dispatch_signal(SS_SUBSCR, S_SUBSCR_IDENTITY, gh->data);
796
797	switch (mi_type) {
798	case GSM_MI_TYPE_IMSI:
799	/* look up subscriber based on IMSI, create if not found */
800	if (!lchan->subscr) {
801	lchan->subscr = subscr_get_by_imsi(net, mi_string);
802	if (!lchan->subscr)
803	lchan->subscr = db_create_subscriber(net, mi_string);
804	}
805	if (lchan->loc_operation)
806	lchan->loc_operation->waiting_for_imsi = 0;
807	break;
808	case GSM_MI_TYPE_IMEI:
809	case GSM_MI_TYPE_IMEISV:
810	/* update subscribe <-> IMEI mapping */
811	if (lchan->subscr) {
812	db_subscriber_assoc_imei(lchan->subscr, mi_string);
813	db_sync_equipment(&lchan->subscr->equipment);
814	}
815	if (lchan->loc_operation)
816	lchan->loc_operation->waiting_for_imei = 0;
817	break;
818	}
819
820	/* Check if we can let the mobile station enter */
821	return gsm0408_authorize(lchan, msg);
822	}
823
824
825	static void loc_upd_rej_cb(void *data)
826	{
827	struct gsm_lchan *lchan = data;
828	struct gsm_bts *bts = lchan->ts->trx->bts;
829
830	release_loc_updating_req(lchan);
831	gsm0408_loc_upd_rej(lchan, bts->network->reject_cause);
832	lchan_auto_release(lchan);
833	}
834
835	static void schedule_reject(struct gsm_lchan *lchan)
836	{
837	lchan->loc_operation->updating_timer.cb = loc_upd_rej_cb;
838	lchan->loc_operation->updating_timer.data = lchan;
839	bsc_schedule_timer(&lchan->loc_operation->updating_timer, 5, 0);
840	}
841
842	static const char *lupd_name(u_int8_t type)
843	{
844	switch (type) {
845	case GSM48_LUPD_NORMAL:
846	return "NORMAL";
847	case GSM48_LUPD_PERIODIC:
848	return "PEROIDOC";
849	case GSM48_LUPD_IMSI_ATT:
850	return "IMSI ATTACH";
851	default:
852	return "UNKNOWN";
853	}
854	}
855
856	/* Chapter 9.2.15: Receive Location Updating Request */
857	static int mm_rx_loc_upd_req(struct msgb *msg)
858	{
859	struct gsm48_hdr *gh = msgb_l3(msg);
860	struct gsm48_loc_upd_req *lu;
861	struct gsm_subscriber *subscr = NULL;
862	struct gsm_lchan *lchan = msg->lchan;
863	struct gsm_bts *bts = lchan->ts->trx->bts;
864	u_int8_t mi_type;
865	char mi_string[GSM48_MI_SIZE];
866	int rc;
867
868	lu = (struct gsm48_loc_upd_req *) gh->data;
869
870	mi_type = lu->mi[0] & GSM_MI_TYPE_MASK;
871
872	gsm48_mi_to_string(mi_string, sizeof(mi_string), lu->mi, lu->mi_len);
873
874	DEBUGPC(DMM, "mi_type=0x%02x MI(%s) type=%s ", mi_type, mi_string,
875	lupd_name(lu->type));
876
877	dispatch_signal(SS_SUBSCR, S_SUBSCR_IDENTITY, &lu->mi_len);
878
879	switch (lu->type) {
880	case GSM48_LUPD_NORMAL:
881	counter_inc(bts->network->stats.loc_upd_type.normal);
882	break;
883	case GSM48_LUPD_IMSI_ATT:
884	counter_inc(bts->network->stats.loc_upd_type.attach);
885	break;
886	case GSM48_LUPD_PERIODIC:
887	counter_inc(bts->network->stats.loc_upd_type.periodic);
888	break;
889	}
890
891	/*
892	* Pseudo Spoof detection: Just drop a second/concurrent
893	* location updating request.
894	*/
895	if (lchan->loc_operation) {
896	DEBUGPC(DMM, "ignoring request due an existing one: %p.\n",
897	lchan->loc_operation);
898	gsm0408_loc_upd_rej(lchan, GSM48_REJECT_PROTOCOL_ERROR);
899	return 0;
900	}
901
902	allocate_loc_updating_req(lchan);
903
904	switch (mi_type) {
905	case GSM_MI_TYPE_IMSI:
906	DEBUGPC(DMM, "\n");
907	/* we always want the IMEI, too */
908	rc = mm_tx_identity_req(lchan, GSM_MI_TYPE_IMEI);
909	lchan->loc_operation->waiting_for_imei = 1;
910
911	/* look up subscriber based on IMSI, create if not found */
912	subscr = subscr_get_by_imsi(bts->network, mi_string);
913	if (!subscr) {
914	subscr = db_create_subscriber(bts->network, mi_string);
915	}
916	break;
917	case GSM_MI_TYPE_TMSI:
918	DEBUGPC(DMM, "\n");
919	/* we always want the IMEI, too */
920	rc = mm_tx_identity_req(lchan, GSM_MI_TYPE_IMEI);
921	lchan->loc_operation->waiting_for_imei = 1;
922
923	/* look up the subscriber based on TMSI, request IMSI if it fails */
924	subscr = subscr_get_by_tmsi(bts->network,
925	tmsi_from_string(mi_string));
926	if (!subscr) {
927	/* send IDENTITY REQUEST message to get IMSI */
928	rc = mm_tx_identity_req(lchan, GSM_MI_TYPE_IMSI);
929	lchan->loc_operation->waiting_for_imsi = 1;
930	}
931	break;
932	case GSM_MI_TYPE_IMEI:
933	case GSM_MI_TYPE_IMEISV:
934	/* no sim card... FIXME: what to do ? */
935	DEBUGPC(DMM, "unimplemented mobile identity type\n");
936	break;
937	default:
938	DEBUGPC(DMM, "unknown mobile identity type\n");
939	break;
940	}
941
942	/* schedule the reject timer */
943	schedule_reject(lchan);
944
945	if (!subscr) {
946	DEBUGPC(DRR, "<- Can't find any subscriber for this ID\n");
947	/* FIXME: request id? close channel? */
948	return -EINVAL;
949	}
950
951	lchan->subscr = subscr;
952	lchan->subscr->equipment.classmark1 = lu->classmark1;
953
954	/* check if we can let the subscriber into our network immediately
955	* or if we need to wait for identity responses. */
956	return gsm0408_authorize(lchan, msg);
957	}
958
959	#if 0
960	static u_int8_t to_bcd8(u_int8_t val)
961	{
962	return ((val / 10) << 4) \| (val % 10);
963	}
964	#endif
965
966	/* Section 9.2.15a */
967	int gsm48_tx_mm_info(struct gsm_lchan *lchan)
968	{
969	struct msgb *msg = gsm48_msgb_alloc();
970	struct gsm48_hdr *gh;
971	struct gsm_network *net = lchan->ts->trx->bts->network;
972	u_int8_t *ptr8;
973	int name_len, name_pad;
974	#if 0
975	time_t cur_t;
976	struct tm* cur_time;
977	int tz15min;
978	#endif
979
980	msg->lchan = lchan;
981
982	gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(gh));
983	gh->proto_discr = GSM48_PDISC_MM;
984	gh->msg_type = GSM48_MT_MM_INFO;
985
986	if (net->name_long) {
987	#if 0
988	name_len = strlen(net->name_long);
989	/* 10.5.3.5a */
990	ptr8 = msgb_put(msg, 3);
991	ptr8[0] = GSM48_IE_NAME_LONG;
992	ptr8[1] = name_len*2 +1;
993	ptr8[2] = 0x90; /* UCS2, no spare bits, no CI */
994
995	ptr16 = (u_int16_t ) msgb_put(msg, name_len2);
996	for (i = 0; i < name_len; i++)
997	ptr16[i] = htons(net->name_long[i]);
998
999	/* FIXME: Use Cell Broadcast, not UCS-2, since
1000	* UCS-2 is only supported by later revisions of the spec */
1001	#endif
1002	name_len = (strlen(net->name_long)*7)/8;
1003	name_pad = (8 - strlen(net->name_long)*7)%8;
1004	if (name_pad > 0)
1005	name_len++;
1006	/* 10.5.3.5a */
1007	ptr8 = msgb_put(msg, 3);
1008	ptr8[0] = GSM48_IE_NAME_LONG;
1009	ptr8[1] = name_len +1;
1010	ptr8[2] = 0x80 \| name_pad; /* Cell Broadcast DCS, no CI */
1011
1012	ptr8 = msgb_put(msg, name_len);
1013	gsm_7bit_encode(ptr8, net->name_long);
1014
1015	}
1016
1017	if (net->name_short) {
1018	#if 0
1019	name_len = strlen(net->name_short);
1020	/* 10.5.3.5a */
1021	ptr8 = (u_int8_t *) msgb_put(msg, 3);
1022	ptr8[0] = GSM48_IE_NAME_SHORT;
1023	ptr8[1] = name_len*2 + 1;
1024	ptr8[2] = 0x90; /* UCS2, no spare bits, no CI */
1025
1026	ptr16 = (u_int16_t ) msgb_put(msg, name_len2);
1027	for (i = 0; i < name_len; i++)
1028	ptr16[i] = htons(net->name_short[i]);
1029	#endif
1030	name_len = (strlen(net->name_short)*7)/8;
1031	name_pad = (8 - strlen(net->name_short)*7)%8;
1032	if (name_pad > 0)
1033	name_len++;
1034	/* 10.5.3.5a */
1035	ptr8 = (u_int8_t *) msgb_put(msg, 3);
1036	ptr8[0] = GSM48_IE_NAME_SHORT;
1037	ptr8[1] = name_len +1;
1038	ptr8[2] = 0x80 \| name_pad; /* Cell Broadcast DCS, no CI */
1039
1040	ptr8 = msgb_put(msg, name_len);
1041	gsm_7bit_encode(ptr8, net->name_short);
1042
1043	}
1044
1045	#if 0
1046	/* Section 10.5.3.9 */
1047	cur_t = time(NULL);
1048	cur_time = gmtime(&cur_t);
1049	ptr8 = msgb_put(msg, 8);
1050	ptr8[0] = GSM48_IE_NET_TIME_TZ;
1051	ptr8[1] = to_bcd8(cur_time->tm_year % 100);
1052	ptr8[2] = to_bcd8(cur_time->tm_mon);
1053	ptr8[3] = to_bcd8(cur_time->tm_mday);
1054	ptr8[4] = to_bcd8(cur_time->tm_hour);
1055	ptr8[5] = to_bcd8(cur_time->tm_min);
1056	ptr8[6] = to_bcd8(cur_time->tm_sec);
1057	/* 02.42: coded as BCD encoded signed value in units of 15 minutes */
1058	tz15min = (cur_time->tm_gmtoff)/(60*15);
1059	ptr8[7] = to_bcd8(tz15min);
1060	if (tz15min < 0)
1061	ptr8[7] \|= 0x80;
1062	#endif
1063
1064	DEBUGP(DMM, "-> MM INFO\n");
1065
1066	return gsm48_sendmsg(msg, NULL);
1067	}
1068
1069	/* Section 9.2.2 */
1070	int gsm48_tx_mm_auth_req(struct gsm_lchan lchan, u_int8_t rand, int key_seq)
1071	{
1072	struct msgb *msg = gsm48_msgb_alloc();
1073	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
1074	struct gsm48_auth_req ar = (struct gsm48_auth_req ) msgb_put(msg, sizeof(*ar));
1075
1076	DEBUGP(DMM, "-> AUTH REQ (rand = %s)\n", hexdump(rand, 16));
1077
1078	msg->lchan = lchan;
1079	gh->proto_discr = GSM48_PDISC_MM;
1080	gh->msg_type = GSM48_MT_MM_AUTH_REQ;
1081
1082	ar->key_seq = key_seq;
1083
1084	/* 16 bytes RAND parameters */
1085	if (rand)
1086	memcpy(ar->rand, rand, 16);
1087
1088	return gsm48_sendmsg(msg, NULL);
1089	}
1090
1091	/* Section 9.2.1 */
1092	int gsm48_tx_mm_auth_rej(struct gsm_lchan *lchan)
1093	{
1094	DEBUGP(DMM, "-> AUTH REJECT\n");
1095	return gsm48_tx_simple(lchan, GSM48_PDISC_MM, GSM48_MT_MM_AUTH_REJ);
1096	}
1097
1098	static int gsm48_tx_mm_serv_ack(struct gsm_lchan *lchan)
1099	{
1100	DEBUGP(DMM, "-> CM SERVICE ACK\n");
1101	return gsm48_tx_simple(lchan, GSM48_PDISC_MM, GSM48_MT_MM_CM_SERV_ACC);
1102	}
1103
1104	/* 9.2.6 CM service reject */
1105	static int gsm48_tx_mm_serv_rej(struct gsm_lchan *lchan,
1106	enum gsm48_reject_value value)
1107	{
1108	struct msgb *msg = gsm48_msgb_alloc();
1109	struct gsm48_hdr *gh;
1110
1111	gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(gh) + 1);
1112
1113	msg->lchan = lchan;
1114	use_lchan(lchan);
1115
1116	gh->proto_discr = GSM48_PDISC_MM;
1117	gh->msg_type = GSM48_MT_MM_CM_SERV_REJ;
1118	gh->data[0] = value;
1119	DEBUGP(DMM, "-> CM SERVICE Reject cause: %d\n", value);
1120
1121	return gsm48_sendmsg(msg, NULL);
1122	}
1123
1124	/*
1125	* Handle CM Service Requests
1126	* a) Verify that the packet is long enough to contain the information
1127	* we require otherwsie reject with INCORRECT_MESSAGE
1128	* b) Try to parse the TMSI. If we do not have one reject
1129	* c) Check that we know the subscriber with the TMSI otherwise reject
1130	* with a HLR cause
1131	* d) Set the subscriber on the gsm_lchan and accept
1132	*/
1133	static int gsm48_rx_mm_serv_req(struct msgb *msg)
1134	{
1135	u_int8_t mi_type;
1136	char mi_string[GSM48_MI_SIZE];
1137
1138	struct gsm_bts *bts = msg->lchan->ts->trx->bts;
1139	struct gsm_subscriber *subscr;
1140	struct gsm48_hdr *gh = msgb_l3(msg);
1141	struct gsm48_service_request *req =
1142	(struct gsm48_service_request *)gh->data;
1143	/* unfortunately in Phase1 the classmar2 length is variable */
1144	u_int8_t classmark2_len = gh->data[1];
1145	u_int8_t *classmark2 = gh->data+2;
1146	u_int8_t mi_len = *(classmark2 + classmark2_len);
1147	u_int8_t *mi = (classmark2 + classmark2_len + 1);
1148
1149	DEBUGP(DMM, "<- CM SERVICE REQUEST ");
1150	if (msg->data_len < sizeof(struct gsm48_service_request*)) {
1151	DEBUGPC(DMM, "wrong sized message\n");
1152	return gsm48_tx_mm_serv_rej(msg->lchan,
1153	GSM48_REJECT_INCORRECT_MESSAGE);
1154	}
1155
1156	if (msg->data_len < req->mi_len + 6) {
1157	DEBUGPC(DMM, "does not fit in packet\n");
1158	return gsm48_tx_mm_serv_rej(msg->lchan,
1159	GSM48_REJECT_INCORRECT_MESSAGE);
1160	}
1161
1162	mi_type = mi[0] & GSM_MI_TYPE_MASK;
1163	if (mi_type != GSM_MI_TYPE_TMSI) {
1164	DEBUGPC(DMM, "mi_type is not TMSI: %d\n", mi_type);
1165	return gsm48_tx_mm_serv_rej(msg->lchan,
1166	GSM48_REJECT_INCORRECT_MESSAGE);
1167	}
1168
1169	gsm48_mi_to_string(mi_string, sizeof(mi_string), mi, mi_len);
1170	DEBUGPC(DMM, "serv_type=0x%02x mi_type=0x%02x M(%s)\n",
1171	req->cm_service_type, mi_type, mi_string);
1172
1173	dispatch_signal(SS_SUBSCR, S_SUBSCR_IDENTITY, (classmark2 + classmark2_len));
1174
1175	if (is_siemens_bts(bts))
1176	send_siemens_mrpci(msg->lchan, classmark2-1);
1177
1178	subscr = subscr_get_by_tmsi(bts->network,
1179	tmsi_from_string(mi_string));
1180
1181	/* FIXME: if we don't know the TMSI, inquire abit IMSI and allocate new TMSI */
1182	if (!subscr)
1183	return gsm48_tx_mm_serv_rej(msg->lchan,
1184	GSM48_REJECT_IMSI_UNKNOWN_IN_HLR);
1185
1186	if (!msg->lchan->subscr)
1187	msg->lchan->subscr = subscr;
1188	else if (msg->lchan->subscr == subscr)
1189	subscr_put(subscr); /* lchan already has a ref, don't need another one */
1190	else {
1191	DEBUGP(DMM, "<- CM Channel already owned by someone else?\n");
1192	subscr_put(subscr);
1193	}
1194
1195	subscr->equipment.classmark2_len = classmark2_len;
1196	memcpy(subscr->equipment.classmark2, classmark2, classmark2_len);
1197	db_sync_equipment(&subscr->equipment);
1198
1199	return gsm48_tx_mm_serv_ack(msg->lchan);
1200	}
1201
1202	static int gsm48_rx_mm_imsi_detach_ind(struct msgb *msg)
1203	{
1204	struct gsm_bts *bts = msg->lchan->ts->trx->bts;
1205	struct gsm48_hdr *gh = msgb_l3(msg);
1206	struct gsm48_imsi_detach_ind *idi =
1207	(struct gsm48_imsi_detach_ind *) gh->data;
1208	u_int8_t mi_type = idi->mi[0] & GSM_MI_TYPE_MASK;
1209	char mi_string[GSM48_MI_SIZE];
1210	struct gsm_subscriber *subscr = NULL;
1211
1212	gsm48_mi_to_string(mi_string, sizeof(mi_string), idi->mi, idi->mi_len);
1213	DEBUGP(DMM, "IMSI DETACH INDICATION: mi_type=0x%02x MI(%s): ",
1214	mi_type, mi_string);
1215
1216	counter_inc(bts->network->stats.loc_upd_type.detach);
1217
1218	switch (mi_type) {
1219	case GSM_MI_TYPE_TMSI:
1220	subscr = subscr_get_by_tmsi(bts->network,
1221	tmsi_from_string(mi_string));
1222	break;
1223	case GSM_MI_TYPE_IMSI:
1224	subscr = subscr_get_by_imsi(bts->network, mi_string);
1225	break;
1226	case GSM_MI_TYPE_IMEI:
1227	case GSM_MI_TYPE_IMEISV:
1228	/* no sim card... FIXME: what to do ? */
1229	DEBUGPC(DMM, "unimplemented mobile identity type\n");
1230	break;
1231	default:
1232	DEBUGPC(DMM, "unknown mobile identity type\n");
1233	break;
1234	}
1235
1236	if (subscr) {
1237	subscr_update(subscr, msg->trx->bts,
1238	GSM_SUBSCRIBER_UPDATE_DETACHED);
1239	DEBUGP(DMM, "Subscriber: %s\n", subscr_name(subscr));
1240
1241	subscr->equipment.classmark1 = idi->classmark1;
1242	db_sync_equipment(&subscr->equipment);
1243
1244	subscr_put(subscr);
1245	} else
1246	DEBUGP(DMM, "Unknown Subscriber ?!?\n");
1247
1248	/* FIXME: iterate over all transactions and release them,
1249	* imagine an IMSI DETACH happening during an active call! */
1250
1251	/* subscriber is detached: should we release lchan? */
1252	lchan_auto_release(msg->lchan);
1253
1254	return 0;
1255	}
1256
1257	static int gsm48_rx_mm_status(struct msgb *msg)
1258	{
1259	struct gsm48_hdr *gh = msgb_l3(msg);
1260
1261	DEBUGP(DMM, "MM STATUS (reject cause 0x%02x)\n", gh->data[0]);
1262
1263	return 0;
1264	}
1265
1266	/* Receive a GSM 04.08 Mobility Management (MM) message */
1267	static int gsm0408_rcv_mm(struct msgb *msg)
1268	{
1269	struct gsm48_hdr *gh = msgb_l3(msg);
1270	int rc = 0;
1271
1272	switch (gh->msg_type & 0xbf) {
1273	case GSM48_MT_MM_LOC_UPD_REQUEST:
1274	DEBUGP(DMM, "LOCATION UPDATING REQUEST: ");
1275	rc = mm_rx_loc_upd_req(msg);
1276	break;
1277	case GSM48_MT_MM_ID_RESP:
1278	rc = mm_rx_id_resp(msg);
1279	break;
1280	case GSM48_MT_MM_CM_SERV_REQ:
1281	rc = gsm48_rx_mm_serv_req(msg);
1282	break;
1283	case GSM48_MT_MM_STATUS:
1284	rc = gsm48_rx_mm_status(msg);
1285	break;
1286	case GSM48_MT_MM_TMSI_REALL_COMPL:
1287	DEBUGP(DMM, "TMSI Reallocation Completed. Subscriber: %s\n",
1288	msg->lchan->subscr ?
1289	subscr_name(msg->lchan->subscr) :
1290	"unknown subscriber");
1291	break;
1292	case GSM48_MT_MM_IMSI_DETACH_IND:
1293	rc = gsm48_rx_mm_imsi_detach_ind(msg);
1294	break;
1295	case GSM48_MT_MM_CM_REEST_REQ:
1296	DEBUGP(DMM, "CM REESTABLISH REQUEST: Not implemented\n");
1297	break;
1298	case GSM48_MT_MM_AUTH_RESP:
1299	DEBUGP(DMM, "AUTHENTICATION RESPONSE: Not implemented\n");
1300	break;
1301	default:
1302	LOGP(DMM, LOGL_NOTICE, "Unknown GSM 04.08 MM msg type 0x%02x\n",
1303	gh->msg_type);
1304	break;
1305	}
1306
1307	return rc;
1308	}
1309
1310	/* Receive a PAGING RESPONSE message from the MS */
1311	static int gsm48_rx_rr_pag_resp(struct msgb *msg)
1312	{
1313	struct gsm_bts *bts = msg->lchan->ts->trx->bts;
1314	struct gsm48_hdr *gh = msgb_l3(msg);
1315	u_int8_t *classmark2_lv = gh->data + 1;
1316	u_int8_t mi_type;
1317	char mi_string[GSM48_MI_SIZE];
1318	struct gsm_subscriber *subscr = NULL;
1319	int rc = 0;
1320
1321	gsm48_paging_extract_mi(msg, mi_string, &mi_type);
1322	DEBUGP(DRR, "PAGING RESPONSE: mi_type=0x%02x MI(%s)\n",
1323	mi_type, mi_string);
1324
1325	switch (mi_type) {
1326	case GSM_MI_TYPE_TMSI:
1327	subscr = subscr_get_by_tmsi(bts->network,
1328	tmsi_from_string(mi_string));
1329	break;
1330	case GSM_MI_TYPE_IMSI:
1331	subscr = subscr_get_by_imsi(bts->network, mi_string);
1332	break;
1333	}
1334
1335	if (!subscr) {
1336	DEBUGP(DRR, "<- Can't find any subscriber for this ID\n");
1337	/* FIXME: request id? close channel? */
1338	return -EINVAL;
1339	}
1340	DEBUGP(DRR, "<- Channel was requested by %s\n",
1341	subscr->name && strlen(subscr->name) ? subscr->name : subscr->imsi);
1342
1343	subscr->equipment.classmark2_len = *classmark2_lv;
1344	memcpy(subscr->equipment.classmark2, classmark2_lv+1, *classmark2_lv);
1345	db_sync_equipment(&subscr->equipment);
1346
1347	rc = gsm48_handle_paging_resp(msg, subscr);
1348	return rc;
1349	}
1350
1351	static int gsm48_rx_rr_classmark(struct msgb *msg)
1352	{
1353	struct gsm48_hdr *gh = msgb_l3(msg);
1354	struct gsm_subscriber *subscr = msg->lchan->subscr;
1355	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
1356	u_int8_t cm2_len, cm3_len = 0;
1357	u_int8_t cm2, cm3 = NULL;
1358
1359	DEBUGP(DRR, "CLASSMARK CHANGE ");
1360
1361	/* classmark 2 */
1362	cm2_len = gh->data[0];
1363	cm2 = &gh->data[1];
1364	DEBUGPC(DRR, "CM2(len=%u) ", cm2_len);
1365
1366	if (payload_len > cm2_len + 1) {
1367	/* we must have a classmark3 */
1368	if (gh->data[cm2_len+1] != 0x20) {
1369	DEBUGPC(DRR, "ERR CM3 TAG\n");
1370	return -EINVAL;
1371	}
1372	if (cm2_len > 3) {
1373	DEBUGPC(DRR, "CM2 too long!\n");
1374	return -EINVAL;
1375	}
1376
1377	cm3_len = gh->data[cm2_len+2];
1378	cm3 = &gh->data[cm2_len+3];
1379	if (cm3_len > 14) {
1380	DEBUGPC(DRR, "CM3 len %u too long!\n", cm3_len);
1381	return -EINVAL;
1382	}
1383	DEBUGPC(DRR, "CM3(len=%u)\n", cm3_len);
1384	}
1385	if (subscr) {
1386	subscr->equipment.classmark2_len = cm2_len;
1387	memcpy(subscr->equipment.classmark2, cm2, cm2_len);
1388	if (cm3) {
1389	subscr->equipment.classmark3_len = cm3_len;
1390	memcpy(subscr->equipment.classmark3, cm3, cm3_len);
1391	}
1392	db_sync_equipment(&subscr->equipment);
1393	}
1394
1395	return 0;
1396	}
1397
1398	static int gsm48_rx_rr_status(struct msgb *msg)
1399	{
1400	struct gsm48_hdr *gh = msgb_l3(msg);
1401
1402	DEBUGP(DRR, "STATUS rr_cause = %s\n",
1403	rr_cause_name(gh->data[0]));
1404
1405	return 0;
1406	}
1407
1408	static int gsm48_rx_rr_meas_rep(struct msgb *msg)
1409	{
1410	struct gsm_meas_rep *meas_rep = lchan_next_meas_rep(msg->lchan);
1411
1412	/* This shouldn't actually end up here, as RSL treats
1413	* L3 Info of 08.58 MEASUREMENT REPORT different by calling
1414	* directly into gsm48_parse_meas_rep */
1415	DEBUGP(DMEAS, "DIRECT GSM48 MEASUREMENT REPORT ?!? ");
1416	gsm48_parse_meas_rep(meas_rep, msg);
1417
1418	return 0;
1419	}
1420
1421	static int gsm48_rx_rr_app_info(struct msgb *msg)
1422	{
1423	struct gsm48_hdr *gh = msgb_l3(msg);
1424	u_int8_t apdu_id_flags;
1425	u_int8_t apdu_len;
1426	u_int8_t *apdu_data;
1427
1428	apdu_id_flags = gh->data[0];
1429	apdu_len = gh->data[1];
1430	apdu_data = gh->data+2;
1431
1432	DEBUGP(DNM, "RX APPLICATION INFO id/flags=0x%02x apdu_len=%u apdu=%s",
1433	apdu_id_flags, apdu_len, hexdump(apdu_data, apdu_len));
1434
1435	return db_apdu_blob_store(msg->lchan->subscr, apdu_id_flags, apdu_len, apdu_data);
1436	}
1437
1438	/* Chapter 9.1.16 Handover complete */
1439	static int gsm48_rx_rr_ho_compl(struct msgb *msg)
1440	{
1441	struct gsm48_hdr *gh = msgb_l3(msg);
1442
1443	DEBUGP(DRR, "HANDOVER COMPLETE cause = %s\n",
1444	rr_cause_name(gh->data[0]));
1445
1446	dispatch_signal(SS_LCHAN, S_LCHAN_HANDOVER_COMPL, msg->lchan);
1447	/* FIXME: release old channel */
1448
1449	return 0;
1450	}
1451
1452	/* Chapter 9.1.17 Handover Failure */
1453	static int gsm48_rx_rr_ho_fail(struct msgb *msg)
1454	{
1455	struct gsm48_hdr *gh = msgb_l3(msg);
1456
1457	DEBUGP(DRR, "HANDOVER FAILED cause = %s\n",
1458	rr_cause_name(gh->data[0]));
1459
1460	dispatch_signal(SS_LCHAN, S_LCHAN_HANDOVER_FAIL, msg->lchan);
1461	/* FIXME: release allocated new channel */
1462
1463	return 0;
1464	}
1465
1466	/* Receive a GSM 04.08 Radio Resource (RR) message */
1467	static int gsm0408_rcv_rr(struct msgb *msg)
1468	{
1469	struct gsm48_hdr *gh = msgb_l3(msg);
1470	int rc = 0;
1471
1472	switch (gh->msg_type) {
1473	case GSM48_MT_RR_CLSM_CHG:
1474	rc = gsm48_rx_rr_classmark(msg);
1475	break;
1476	case GSM48_MT_RR_GPRS_SUSP_REQ:
1477	DEBUGP(DRR, "GRPS SUSPEND REQUEST\n");
1478	break;
1479	case GSM48_MT_RR_PAG_RESP:
1480	rc = gsm48_rx_rr_pag_resp(msg);
1481	break;
1482	case GSM48_MT_RR_CHAN_MODE_MODIF_ACK:
1483	rc = gsm48_rx_rr_modif_ack(msg);
1484	break;
1485	case GSM48_MT_RR_STATUS:
1486	rc = gsm48_rx_rr_status(msg);
1487	break;
1488	case GSM48_MT_RR_MEAS_REP:
1489	rc = gsm48_rx_rr_meas_rep(msg);
1490	break;
1491	case GSM48_MT_RR_APP_INFO:
1492	rc = gsm48_rx_rr_app_info(msg);
1493	break;
1494	case GSM48_MT_RR_CIPH_M_COMPL:
1495	DEBUGP(DRR, "CIPHERING MODE COMPLETE\n");
1496	/* FIXME: check for MI (if any) */
1497	break;
1498	case GSM48_MT_RR_HANDO_COMPL:
1499	rc = gsm48_rx_rr_ho_compl(msg);
1500	break;
1501	case GSM48_MT_RR_HANDO_FAIL:
1502	rc = gsm48_rx_rr_ho_fail(msg);
1503	break;
1504	default:
1505	LOGP(DRR, LOGL_NOTICE, "Unimplemented "
1506	"GSM 04.08 RR msg type 0x%02x\n", gh->msg_type);
1507	break;
1508	}
1509
1510	return rc;
1511	}
1512
1513	int gsm48_send_rr_app_info(struct gsm_lchan *lchan, u_int8_t apdu_id,
1514	u_int8_t apdu_len, const u_int8_t *apdu)
1515	{
1516	struct msgb *msg = gsm48_msgb_alloc();
1517	struct gsm48_hdr *gh;
1518
1519	msg->lchan = lchan;
1520
1521	DEBUGP(DRR, "TX APPLICATION INFO id=0x%02x, len=%u\n",
1522	apdu_id, apdu_len);
1523
1524	gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(gh) + 2 + apdu_len);
1525	gh->proto_discr = GSM48_PDISC_RR;
1526	gh->msg_type = GSM48_MT_RR_APP_INFO;
1527	gh->data[0] = apdu_id;
1528	gh->data[1] = apdu_len;
1529	memcpy(gh->data+2, apdu, apdu_len);
1530
1531	return gsm48_sendmsg(msg, NULL);
1532	}
1533
1534	/* Call Control */
1535
1536	/* The entire call control code is written in accordance with Figure 7.10c
1537	* for 'very early assignment', i.e. we allocate a TCH/F during IMMEDIATE
1538	* ASSIGN, then first use that TCH/F for signalling and later MODE MODIFY
1539	* it for voice */
1540
1541	static void new_cc_state(struct gsm_trans *trans, int state)
1542	{
1543	if (state > 31 \|\| state < 0)
1544	return;
1545
1546	DEBUGP(DCC, "new state %s -> %s\n",
1547	cc_state_names[trans->cc.state], cc_state_names[state]);
1548
1549	trans->cc.state = state;
1550	}
1551
1552	static int gsm48_cc_tx_status(struct gsm_trans trans, void arg)
1553	{
1554	struct msgb *msg = gsm48_msgb_alloc();
1555	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
1556	u_int8_t cause, call_state;
1557
1558	gh->msg_type = GSM48_MT_CC_STATUS;
1559
1560	cause = msgb_put(msg, 3);
1561	cause[0] = 2;
1562	cause[1] = GSM48_CAUSE_CS_GSM \| GSM48_CAUSE_LOC_USER;
1563	cause[2] = 0x80 \| 30; /* response to status inquiry */
1564
1565	call_state = msgb_put(msg, 1);
1566	call_state[0] = 0xc0 \| 0x00;
1567
1568	return gsm48_sendmsg(msg, trans);
1569	}
1570
1571	static int gsm48_tx_simple(struct gsm_lchan *lchan,
1572	u_int8_t pdisc, u_int8_t msg_type)
1573	{
1574	struct msgb *msg = gsm48_msgb_alloc();
1575	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
1576
1577	msg->lchan = lchan;
1578
1579	gh->proto_discr = pdisc;
1580	gh->msg_type = msg_type;
1581
1582	return gsm48_sendmsg(msg, NULL);
1583	}
1584
1585	static void gsm48_stop_cc_timer(struct gsm_trans *trans)
1586	{
1587	if (bsc_timer_pending(&trans->cc.timer)) {
1588	DEBUGP(DCC, "stopping pending timer T%x\n", trans->cc.Tcurrent);
1589	bsc_del_timer(&trans->cc.timer);
1590	trans->cc.Tcurrent = 0;
1591	}
1592	}
1593
1594	static int mncc_recvmsg(struct gsm_network net, struct gsm_trans trans,
1595	int msg_type, struct gsm_mncc *mncc)
1596	{
1597	struct msgb *msg;
1598
1599	if (trans)
1600	if (trans->lchan)
1601	DEBUGP(DCC, "(bts %d trx %d ts %d ti %x sub %s) "
1602	"Sending '%s' to MNCC.\n",
1603	trans->lchan->ts->trx->bts->nr,
1604	trans->lchan->ts->trx->nr,
1605	trans->lchan->ts->nr, trans->transaction_id,
1606	(trans->subscr)?(trans->subscr->extension):"-",
1607	get_mncc_name(msg_type));
1608	else
1609	DEBUGP(DCC, "(bts - trx - ts - ti -- sub %s) "
1610	"Sending '%s' to MNCC.\n",
1611	(trans->subscr)?(trans->subscr->extension):"-",
1612	get_mncc_name(msg_type));
1613	else
1614	DEBUGP(DCC, "(bts - trx - ts - ti -- sub -) "
1615	"Sending '%s' to MNCC.\n", get_mncc_name(msg_type));
1616
1617	mncc->msg_type = msg_type;
1618
1619	msg = msgb_alloc(sizeof(struct gsm_mncc), "MNCC");
1620	if (!msg)
1621	return -ENOMEM;
1622	memcpy(msg->data, mncc, sizeof(struct gsm_mncc));
1623	msgb_enqueue(&net->upqueue, msg);
1624
1625	return 0;
1626	}
1627
1628	int mncc_release_ind(struct gsm_network net, struct gsm_trans trans,
1629	u_int32_t callref, int location, int value)
1630	{
1631	struct gsm_mncc rel;
1632
1633	memset(&rel, 0, sizeof(rel));
1634	rel.callref = callref;
1635	mncc_set_cause(&rel, location, value);
1636	return mncc_recvmsg(net, trans, MNCC_REL_IND, &rel);
1637	}
1638
1639	/* Call Control Specific transaction release.
1640	* gets called by trans_free, DO NOT CALL YOURSELF! */
1641	void _gsm48_cc_trans_free(struct gsm_trans *trans)
1642	{
1643	gsm48_stop_cc_timer(trans);
1644
1645	/* send release to L4, if callref still exists */
1646	if (trans->callref) {
1647	/* Ressource unavailable */
1648	mncc_release_ind(trans->subscr->net, trans, trans->callref,
1649	GSM48_CAUSE_LOC_PRN_S_LU,
1650	GSM48_CC_CAUSE_RESOURCE_UNAVAIL);
1651	}
1652	if (trans->cc.state != GSM_CSTATE_NULL)
1653	new_cc_state(trans, GSM_CSTATE_NULL);
1654	if (trans->lchan)
1655	trau_mux_unmap(&trans->lchan->ts->e1_link, trans->callref);
1656	}
1657
1658	static int gsm48_cc_tx_setup(struct gsm_trans trans, void arg);
1659
1660	/* call-back from paging the B-end of the connection */
1661	static int setup_trig_pag_evt(unsigned int hooknum, unsigned int event,
1662	struct msgb msg, void _lchan, void *param)
1663	{
1664	struct gsm_lchan *lchan = _lchan;
1665	struct gsm_subscriber *subscr = param;
1666	struct gsm_trans transt, tmp;
1667	struct gsm_network *net;
1668
1669	if (hooknum != GSM_HOOK_RR_PAGING)
1670	return -EINVAL;
1671
1672	if (!subscr)
1673	return -EINVAL;
1674	net = subscr->net;
1675	if (!net) {
1676	DEBUGP(DCC, "Error Network not set!\n");
1677	return -EINVAL;
1678	}
1679
1680	/* check all tranactions (without lchan) for subscriber */
1681	llist_for_each_entry_safe(transt, tmp, &net->trans_list, entry) {
1682	if (transt->subscr != subscr \|\| transt->lchan)
1683	continue;
1684	switch (event) {
1685	case GSM_PAGING_SUCCEEDED:
1686	if (!lchan) // paranoid
1687	break;
1688	DEBUGP(DCC, "Paging subscr %s succeeded!\n",
1689	subscr->extension);
1690	/* Assign lchan */
1691	if (!transt->lchan) {
1692	transt->lchan = lchan;
1693	use_lchan(lchan);
1694	}
1695	/* send SETUP request to called party */
1696	gsm48_cc_tx_setup(transt, &transt->cc.msg);
1697	break;
1698	case GSM_PAGING_EXPIRED:
1699	DEBUGP(DCC, "Paging subscr %s expired!\n",
1700	subscr->extension);
1701	/* Temporarily out of order */
1702	mncc_release_ind(transt->subscr->net, transt,
1703	transt->callref,
1704	GSM48_CAUSE_LOC_PRN_S_LU,
1705	GSM48_CC_CAUSE_DEST_OOO);
1706	transt->callref = 0;
1707	trans_free(transt);
1708	break;
1709	}
1710	}
1711	return 0;
1712	}
1713
1714	static int tch_recv_mncc(struct gsm_network *net, u_int32_t callref, int enable);
1715
1716	/* some other part of the code sends us a signal */
1717	static int handle_abisip_signal(unsigned int subsys, unsigned int signal,
1718	void handler_data, void signal_data)
1719	{
1720	struct gsm_lchan *lchan = signal_data;
1721	int rc;
1722	struct gsm_network *net;
1723	struct gsm_trans *trans;
1724
1725	if (subsys != SS_ABISIP)
1726	return 0;
1727
1728	/* in case we use direct BTS-to-BTS RTP */
1729	if (ipacc_rtp_direct)
1730	return 0;
1731
1732	switch (signal) {
1733	case S_ABISIP_CRCX_ACK:
1734	/* check if any transactions on this lchan still have
1735	* a tch_recv_mncc request pending */
1736	net = lchan->ts->trx->bts->network;
1737	llist_for_each_entry(trans, &net->trans_list, entry) {
1738	if (trans->lchan == lchan && trans->tch_recv) {
1739	DEBUGP(DCC, "pending tch_recv_mncc request\n");
1740	tch_recv_mncc(net, trans->callref, 1);
1741	}
1742	}
1743	break;
1744	}
1745
1746	return 0;
1747	}
1748
1749	/* map two ipaccess RTP streams onto each other */
1750	static int tch_map(struct gsm_lchan lchan, struct gsm_lchan remote_lchan)
1751	{
1752	struct gsm_bts *bts = lchan->ts->trx->bts;
1753	struct gsm_bts *remote_bts = remote_lchan->ts->trx->bts;
1754	int rc;
1755
1756	DEBUGP(DCC, "Setting up TCH map between (bts=%u,trx=%u,ts=%u) and (bts=%u,trx=%u,ts=%u)\n",
1757	bts->nr, lchan->ts->trx->nr, lchan->ts->nr,
1758	remote_bts->nr, remote_lchan->ts->trx->nr, remote_lchan->ts->nr);
1759
1760	if (bts->type != remote_bts->type) {
1761	DEBUGP(DCC, "Cannot switch calls between different BTS types yet\n");
1762	return -EINVAL;
1763	}
1764
1765	// todo: map between different bts types
1766	switch (bts->type) {
1767	case GSM_BTS_TYPE_NANOBTS:
1768	if (!ipacc_rtp_direct) {
1769	/* connect the TCH's to our RTP proxy */
1770	rc = rsl_ipacc_mdcx_to_rtpsock(lchan);
1771	if (rc < 0)
1772	return rc;
1773	rc = rsl_ipacc_mdcx_to_rtpsock(remote_lchan);
1774	#warning do we need a check of rc here?
1775
1776	/* connect them with each other */
1777	rtp_socket_proxy(lchan->abis_ip.rtp_socket,
1778	remote_lchan->abis_ip.rtp_socket);
1779	} else {
1780	/* directly connect TCH RTP streams to each other */
1781	rc = rsl_ipacc_mdcx(lchan, remote_lchan->abis_ip.bound_ip,
1782	remote_lchan->abis_ip.bound_port,
1783	remote_lchan->abis_ip.rtp_payload2);
1784	if (rc < 0)
1785	return rc;
1786	rc = rsl_ipacc_mdcx(remote_lchan, lchan->abis_ip.bound_ip,
1787	lchan->abis_ip.bound_port,
1788	lchan->abis_ip.rtp_payload2);
1789	}
1790	break;
1791	case GSM_BTS_TYPE_BS11:
1792	trau_mux_map_lchan(lchan, remote_lchan);
1793	break;
1794	default:
1795	DEBUGP(DCC, "Unknown BTS type %u\n", bts->type);
1796	return -EINVAL;
1797	}
1798
1799	return 0;
1800	}
1801
1802	/* bridge channels of two transactions */
1803	static int tch_bridge(struct gsm_network net, u_int32_t refs)
1804	{
1805	struct gsm_trans *trans1 = trans_find_by_callref(net, refs[0]);
1806	struct gsm_trans *trans2 = trans_find_by_callref(net, refs[1]);
1807
1808	if (!trans1 \|\| !trans2)
1809	return -EIO;
1810
1811	if (!trans1->lchan \|\| !trans2->lchan)
1812	return -EIO;
1813
1814	/* through-connect channel */
1815	return tch_map(trans1->lchan, trans2->lchan);
1816	}
1817
1818	/* enable receive of channels to MNCC upqueue */
1819	static int tch_recv_mncc(struct gsm_network *net, u_int32_t callref, int enable)
1820	{
1821	struct gsm_trans *trans;
1822	struct gsm_lchan *lchan;
1823	struct gsm_bts *bts;
1824	int rc;
1825
1826	/* Find callref */
1827	trans = trans_find_by_callref(net, callref);
1828	if (!trans)
1829	return -EIO;
1830	if (!trans->lchan)
1831	return 0;
1832	lchan = trans->lchan;
1833	bts = lchan->ts->trx->bts;
1834
1835	switch (bts->type) {
1836	case GSM_BTS_TYPE_NANOBTS:
1837	if (ipacc_rtp_direct) {
1838	DEBUGP(DCC, "Error: RTP proxy is disabled\n");
1839	return -EINVAL;
1840	}
1841	/* in case, we don't have a RTP socket yet, we note this
1842	* in the transaction and try later */
1843	if (!lchan->abis_ip.rtp_socket) {
1844	trans->tch_recv = enable;
1845	DEBUGP(DCC, "queue tch_recv_mncc request (%d)\n", enable);
1846	return 0;
1847	}
1848	if (enable) {
1849	/* connect the TCH's to our RTP proxy */
1850	rc = rsl_ipacc_mdcx_to_rtpsock(lchan);
1851	if (rc < 0)
1852	return rc;
1853	/* assign socket to application interface */
1854	rtp_socket_upstream(lchan->abis_ip.rtp_socket,
1855	net, callref);
1856	} else
1857	rtp_socket_upstream(lchan->abis_ip.rtp_socket,
1858	net, 0);
1859	break;
1860	case GSM_BTS_TYPE_BS11:
1861	if (enable)
1862	return trau_recv_lchan(lchan, callref);
1863	return trau_mux_unmap(NULL, callref);
1864	break;
1865	default:
1866	DEBUGP(DCC, "Unknown BTS type %u\n", bts->type);
1867	return -EINVAL;
1868	}
1869
1870	return 0;
1871	}
1872
1873	static int gsm48_cc_rx_status_enq(struct gsm_trans trans, struct msgb msg)
1874	{
1875	DEBUGP(DCC, "-> STATUS ENQ\n");
1876	return gsm48_cc_tx_status(trans, msg);
1877	}
1878
1879	static int gsm48_cc_tx_release(struct gsm_trans trans, void arg);
1880	static int gsm48_cc_tx_disconnect(struct gsm_trans trans, void arg);
1881
1882	static void gsm48_cc_timeout(void *arg)
1883	{
1884	struct gsm_trans *trans = arg;
1885	int disconnect = 0, release = 0;
1886	int mo_cause = GSM48_CC_CAUSE_RECOVERY_TIMER;
1887	int mo_location = GSM48_CAUSE_LOC_USER;
1888	int l4_cause = GSM48_CC_CAUSE_NORMAL_UNSPEC;
1889	int l4_location = GSM48_CAUSE_LOC_PRN_S_LU;
1890	struct gsm_mncc mo_rel, l4_rel;
1891
1892	memset(&mo_rel, 0, sizeof(struct gsm_mncc));
1893	mo_rel.callref = trans->callref;
1894	memset(&l4_rel, 0, sizeof(struct gsm_mncc));
1895	l4_rel.callref = trans->callref;
1896
1897	switch(trans->cc.Tcurrent) {
1898	case 0x303:
1899	release = 1;
1900	l4_cause = GSM48_CC_CAUSE_USER_NOTRESPOND;
1901	break;
1902	case 0x310:
1903	disconnect = 1;
1904	l4_cause = GSM48_CC_CAUSE_USER_NOTRESPOND;
1905	break;
1906	case 0x313:
1907	disconnect = 1;
1908	/* unknown, did not find it in the specs */
1909	break;
1910	case 0x301:
1911	disconnect = 1;
1912	l4_cause = GSM48_CC_CAUSE_USER_NOTRESPOND;
1913	break;
1914	case 0x308:
1915	if (!trans->cc.T308_second) {
1916	/* restart T308 a second time */
1917	gsm48_cc_tx_release(trans, &trans->cc.msg);
1918	trans->cc.T308_second = 1;
1919	break; /* stay in release state */
1920	}
1921	trans_free(trans);
1922	return;
1923	// release = 1;
1924	// l4_cause = 14;
1925	// break;
1926	case 0x306:
1927	release = 1;
1928	mo_cause = trans->cc.msg.cause.value;
1929	mo_location = trans->cc.msg.cause.location;
1930	break;
1931	case 0x323:
1932	disconnect = 1;
1933	break;
1934	default:
1935	release = 1;
1936	}
1937
1938	if (release && trans->callref) {
1939	/* process release towards layer 4 */
1940	mncc_release_ind(trans->subscr->net, trans, trans->callref,
1941	l4_location, l4_cause);
1942	trans->callref = 0;
1943	}
1944
1945	if (disconnect && trans->callref) {
1946	/* process disconnect towards layer 4 */
1947	mncc_set_cause(&l4_rel, l4_location, l4_cause);
1948	mncc_recvmsg(trans->subscr->net, trans, MNCC_DISC_IND, &l4_rel);
1949	}
1950
1951	/* process disconnect towards mobile station */
1952	if (disconnect \|\| release) {
1953	mncc_set_cause(&mo_rel, mo_location, mo_cause);
1954	mo_rel.cause.diag[0] = ((trans->cc.Tcurrent & 0xf00) >> 8) + '0';
1955	mo_rel.cause.diag[1] = ((trans->cc.Tcurrent & 0x0f0) >> 4) + '0';
1956	mo_rel.cause.diag[2] = (trans->cc.Tcurrent & 0x00f) + '0';
1957	mo_rel.cause.diag_len = 3;
1958
1959	if (disconnect)
1960	gsm48_cc_tx_disconnect(trans, &mo_rel);
1961	if (release)
1962	gsm48_cc_tx_release(trans, &mo_rel);
1963	}
1964
1965	}
1966
1967	static void gsm48_start_cc_timer(struct gsm_trans *trans, int current,
1968	int sec, int micro)
1969	{
1970	DEBUGP(DCC, "starting timer T%x with %d seconds\n", current, sec);
1971	trans->cc.timer.cb = gsm48_cc_timeout;
1972	trans->cc.timer.data = trans;
1973	bsc_schedule_timer(&trans->cc.timer, sec, micro);
1974	trans->cc.Tcurrent = current;
1975	}
1976
1977	static int gsm48_cc_rx_setup(struct gsm_trans trans, struct msgb msg)
1978	{
1979	struct gsm48_hdr *gh = msgb_l3(msg);
1980	u_int8_t msg_type = gh->msg_type & 0xbf;
1981	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
1982	struct tlv_parsed tp;
1983	struct gsm_mncc setup;
1984
1985	memset(&setup, 0, sizeof(struct gsm_mncc));
1986	setup.callref = trans->callref;
1987	tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
1988	/* emergency setup is identified by msg_type */
1989	if (msg_type == GSM48_MT_CC_EMERG_SETUP)
1990	setup.emergency = 1;
1991
1992	/* use subscriber as calling party number */
1993	if (trans->subscr) {
1994	setup.fields \|= MNCC_F_CALLING;
1995	strncpy(setup.calling.number, trans->subscr->extension,
1996	sizeof(setup.calling.number)-1);
1997	strncpy(setup.imsi, trans->subscr->imsi,
1998	sizeof(setup.imsi)-1);
1999	}
2000	/* bearer capability */
2001	if (TLVP_PRESENT(&tp, GSM48_IE_BEARER_CAP)) {
2002	setup.fields \|= MNCC_F_BEARER_CAP;
2003	decode_bearer_cap(&setup.bearer_cap,
2004	TLVP_VAL(&tp, GSM48_IE_BEARER_CAP)-1);
2005	}
2006	/* facility */
2007	if (TLVP_PRESENT(&tp, GSM48_IE_FACILITY)) {
2008	setup.fields \|= MNCC_F_FACILITY;
2009	decode_facility(&setup.facility,
2010	TLVP_VAL(&tp, GSM48_IE_FACILITY)-1);
2011	}
2012	/* called party bcd number */
2013	if (TLVP_PRESENT(&tp, GSM48_IE_CALLED_BCD)) {
2014	setup.fields \|= MNCC_F_CALLED;
2015	decode_called(&setup.called,
2016	TLVP_VAL(&tp, GSM48_IE_CALLED_BCD)-1);
2017	}
2018	/* user-user */
2019	if (TLVP_PRESENT(&tp, GSM48_IE_USER_USER)) {
2020	setup.fields \|= MNCC_F_USERUSER;
2021	decode_useruser(&setup.useruser,
2022	TLVP_VAL(&tp, GSM48_IE_USER_USER)-1);
2023	}
2024	/* ss-version */
2025	if (TLVP_PRESENT(&tp, GSM48_IE_SS_VERS)) {
2026	setup.fields \|= MNCC_F_SSVERSION;
2027	decode_ssversion(&setup.ssversion,
2028	TLVP_VAL(&tp, GSM48_IE_SS_VERS)-1);
2029	}
2030	/* CLIR suppression */
2031	if (TLVP_PRESENT(&tp, GSM48_IE_CLIR_SUPP))
2032	setup.clir.sup = 1;
2033	/* CLIR invocation */
2034	if (TLVP_PRESENT(&tp, GSM48_IE_CLIR_INVOC))
2035	setup.clir.inv = 1;
2036	/* cc cap */
2037	if (TLVP_PRESENT(&tp, GSM48_IE_CC_CAP)) {
2038	setup.fields \|= MNCC_F_CCCAP;
2039	decode_cccap(&setup.cccap,
2040	TLVP_VAL(&tp, GSM48_IE_CC_CAP)-1);
2041	}
2042
2043	new_cc_state(trans, GSM_CSTATE_INITIATED);
2044
2045	LOGP(DCC, LOGL_INFO, "Subscriber %s (%s) sends SETUP to %s\n",
2046	subscr_name(trans->subscr), trans->subscr->extension,
2047	setup.called.number);
2048
2049	/* indicate setup to MNCC */
2050	mncc_recvmsg(trans->subscr->net, trans, MNCC_SETUP_IND, &setup);
2051
2052	/* MNCC code will modify the channel asynchronously, we should
2053	* ipaccess-bind only after the modification has been made to the
2054	* lchan->tch_mode */
2055	return 0;
2056	}
2057
2058	static int gsm48_cc_tx_setup(struct gsm_trans trans, void arg)
2059	{
2060	struct msgb *msg = gsm48_msgb_alloc();
2061	struct gsm48_hdr *gh;
2062	struct gsm_mncc *setup = arg;
2063	int rc, trans_id;
2064
2065	gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(gh));
2066
2067	/* transaction id must not be assigned */
2068	if (trans->transaction_id != 0xff) { /* unasssigned */
2069	DEBUGP(DCC, "TX Setup with assigned transaction. "
2070	"This is not allowed!\n");
2071	/* Temporarily out of order */
2072	rc = mncc_release_ind(trans->subscr->net, trans, trans->callref,
2073	GSM48_CAUSE_LOC_PRN_S_LU,
2074	GSM48_CC_CAUSE_RESOURCE_UNAVAIL);
2075	trans->callref = 0;
2076	trans_free(trans);
2077	return rc;
2078	}
2079
2080	/* Get free transaction_id */
2081	trans_id = trans_assign_trans_id(trans->subscr, GSM48_PDISC_CC, 0);
2082	if (trans_id < 0) {
2083	/* no free transaction ID */
2084	rc = mncc_release_ind(trans->subscr->net, trans, trans->callref,
2085	GSM48_CAUSE_LOC_PRN_S_LU,
2086	GSM48_CC_CAUSE_RESOURCE_UNAVAIL);
2087	trans->callref = 0;
2088	trans_free(trans);
2089	return rc;
2090	}
2091	trans->transaction_id = trans_id;
2092
2093	gh->msg_type = GSM48_MT_CC_SETUP;
2094
2095	gsm48_start_cc_timer(trans, 0x303, GSM48_T303);
2096
2097	/* bearer capability */
2098	if (setup->fields & MNCC_F_BEARER_CAP)
2099	encode_bearer_cap(msg, 0, &setup->bearer_cap);
2100	/* facility */
2101	if (setup->fields & MNCC_F_FACILITY)
2102	encode_facility(msg, 0, &setup->facility);
2103	/* progress */
2104	if (setup->fields & MNCC_F_PROGRESS)
2105	encode_progress(msg, 0, &setup->progress);
2106	/* calling party BCD number */
2107	if (setup->fields & MNCC_F_CALLING)
2108	encode_calling(msg, &setup->calling);
2109	/* called party BCD number */
2110	if (setup->fields & MNCC_F_CALLED)
2111	encode_called(msg, &setup->called);
2112	/* user-user */
2113	if (setup->fields & MNCC_F_USERUSER)
2114	encode_useruser(msg, 0, &setup->useruser);
2115	/* redirecting party BCD number */
2116	if (setup->fields & MNCC_F_REDIRECTING)
2117	encode_redirecting(msg, &setup->redirecting);
2118	/* signal */
2119	if (setup->fields & MNCC_F_SIGNAL)
2120	encode_signal(msg, setup->signal);
2121
2122	new_cc_state(trans, GSM_CSTATE_CALL_PRESENT);
2123
2124	return gsm48_sendmsg(msg, trans);
2125	}
2126
2127	static int gsm48_cc_rx_call_conf(struct gsm_trans trans, struct msgb msg)
2128	{
2129	struct gsm48_hdr *gh = msgb_l3(msg);
2130	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
2131	struct tlv_parsed tp;
2132	struct gsm_mncc call_conf;
2133
2134	gsm48_stop_cc_timer(trans);
2135	gsm48_start_cc_timer(trans, 0x310, GSM48_T310);
2136
2137	memset(&call_conf, 0, sizeof(struct gsm_mncc));
2138	call_conf.callref = trans->callref;
2139	tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
2140	#if 0
2141	/* repeat */
2142	if (TLVP_PRESENT(&tp, GSM48_IE_REPEAT_CIR))
2143	call_conf.repeat = 1;
2144	if (TLVP_PRESENT(&tp, GSM48_IE_REPEAT_SEQ))
2145	call_conf.repeat = 2;
2146	#endif
2147	/* bearer capability */
2148	if (TLVP_PRESENT(&tp, GSM48_IE_BEARER_CAP)) {
2149	call_conf.fields \|= MNCC_F_BEARER_CAP;
2150	decode_bearer_cap(&call_conf.bearer_cap,
2151	TLVP_VAL(&tp, GSM48_IE_BEARER_CAP)-1);
2152	}
2153	/* cause */
2154	if (TLVP_PRESENT(&tp, GSM48_IE_CAUSE)) {
2155	call_conf.fields \|= MNCC_F_CAUSE;
2156	decode_cause(&call_conf.cause,
2157	TLVP_VAL(&tp, GSM48_IE_CAUSE)-1);
2158	}
2159	/* cc cap */
2160	if (TLVP_PRESENT(&tp, GSM48_IE_CC_CAP)) {
2161	call_conf.fields \|= MNCC_F_CCCAP;
2162	decode_cccap(&call_conf.cccap,
2163	TLVP_VAL(&tp, GSM48_IE_CC_CAP)-1);
2164	}
2165
2166	new_cc_state(trans, GSM_CSTATE_MO_TERM_CALL_CONF);
2167
2168	return mncc_recvmsg(trans->subscr->net, trans, MNCC_CALL_CONF_IND,
2169	&call_conf);
2170	}
2171
2172	static int gsm48_cc_tx_call_proc(struct gsm_trans trans, void arg)
2173	{
2174	struct gsm_mncc *proceeding = arg;
2175	struct msgb *msg = gsm48_msgb_alloc();
2176	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2177
2178	gh->msg_type = GSM48_MT_CC_CALL_PROC;
2179
2180	new_cc_state(trans, GSM_CSTATE_MO_CALL_PROC);
2181
2182	/* bearer capability */
2183	if (proceeding->fields & MNCC_F_BEARER_CAP)
2184	encode_bearer_cap(msg, 0, &proceeding->bearer_cap);
2185	/* facility */
2186	if (proceeding->fields & MNCC_F_FACILITY)
2187	encode_facility(msg, 0, &proceeding->facility);
2188	/* progress */
2189	if (proceeding->fields & MNCC_F_PROGRESS)
2190	encode_progress(msg, 0, &proceeding->progress);
2191
2192	return gsm48_sendmsg(msg, trans);
2193	}
2194
2195	static int gsm48_cc_rx_alerting(struct gsm_trans trans, struct msgb msg)
2196	{
2197	struct gsm48_hdr *gh = msgb_l3(msg);
2198	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
2199	struct tlv_parsed tp;
2200	struct gsm_mncc alerting;
2201
2202	gsm48_stop_cc_timer(trans);
2203	gsm48_start_cc_timer(trans, 0x301, GSM48_T301);
2204
2205	memset(&alerting, 0, sizeof(struct gsm_mncc));
2206	alerting.callref = trans->callref;
2207	tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
2208	/* facility */
2209	if (TLVP_PRESENT(&tp, GSM48_IE_FACILITY)) {
2210	alerting.fields \|= MNCC_F_FACILITY;
2211	decode_facility(&alerting.facility,
2212	TLVP_VAL(&tp, GSM48_IE_FACILITY)-1);
2213	}
2214
2215	/* progress */
2216	if (TLVP_PRESENT(&tp, GSM48_IE_PROGR_IND)) {
2217	alerting.fields \|= MNCC_F_PROGRESS;
2218	decode_progress(&alerting.progress,
2219	TLVP_VAL(&tp, GSM48_IE_PROGR_IND)-1);
2220	}
2221	/* ss-version */
2222	if (TLVP_PRESENT(&tp, GSM48_IE_SS_VERS)) {
2223	alerting.fields \|= MNCC_F_SSVERSION;
2224	decode_ssversion(&alerting.ssversion,
2225	TLVP_VAL(&tp, GSM48_IE_SS_VERS)-1);
2226	}
2227
2228	new_cc_state(trans, GSM_CSTATE_CALL_RECEIVED);
2229
2230	return mncc_recvmsg(trans->subscr->net, trans, MNCC_ALERT_IND,
2231	&alerting);
2232	}
2233
2234	static int gsm48_cc_tx_alerting(struct gsm_trans trans, void arg)
2235	{
2236	struct gsm_mncc *alerting = arg;
2237	struct msgb *msg = gsm48_msgb_alloc();
2238	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2239
2240	gh->msg_type = GSM48_MT_CC_ALERTING;
2241
2242	/* facility */
2243	if (alerting->fields & MNCC_F_FACILITY)
2244	encode_facility(msg, 0, &alerting->facility);
2245	/* progress */
2246	if (alerting->fields & MNCC_F_PROGRESS)
2247	encode_progress(msg, 0, &alerting->progress);
2248	/* user-user */
2249	if (alerting->fields & MNCC_F_USERUSER)
2250	encode_useruser(msg, 0, &alerting->useruser);
2251
2252	new_cc_state(trans, GSM_CSTATE_CALL_DELIVERED);
2253
2254	return gsm48_sendmsg(msg, trans);
2255	}
2256
2257	static int gsm48_cc_tx_progress(struct gsm_trans trans, void arg)
2258	{
2259	struct gsm_mncc *progress = arg;
2260	struct msgb *msg = gsm48_msgb_alloc();
2261	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2262
2263	gh->msg_type = GSM48_MT_CC_PROGRESS;
2264
2265	/* progress */
2266	encode_progress(msg, 1, &progress->progress);
2267	/* user-user */
2268	if (progress->fields & MNCC_F_USERUSER)
2269	encode_useruser(msg, 0, &progress->useruser);
2270
2271	return gsm48_sendmsg(msg, trans);
2272	}
2273
2274	static int gsm48_cc_tx_connect(struct gsm_trans trans, void arg)
2275	{
2276	struct gsm_mncc *connect = arg;
2277	struct msgb *msg = gsm48_msgb_alloc();
2278	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2279
2280	gh->msg_type = GSM48_MT_CC_CONNECT;
2281
2282	gsm48_stop_cc_timer(trans);
2283	gsm48_start_cc_timer(trans, 0x313, GSM48_T313);
2284
2285	/* facility */
2286	if (connect->fields & MNCC_F_FACILITY)
2287	encode_facility(msg, 0, &connect->facility);
2288	/* progress */
2289	if (connect->fields & MNCC_F_PROGRESS)
2290	encode_progress(msg, 0, &connect->progress);
2291	/* connected number */
2292	if (connect->fields & MNCC_F_CONNECTED)
2293	encode_connected(msg, &connect->connected);
2294	/* user-user */
2295	if (connect->fields & MNCC_F_USERUSER)
2296	encode_useruser(msg, 0, &connect->useruser);
2297
2298	new_cc_state(trans, GSM_CSTATE_CONNECT_IND);
2299
2300	return gsm48_sendmsg(msg, trans);
2301	}
2302
2303	static int gsm48_cc_rx_connect(struct gsm_trans trans, struct msgb msg)
2304	{
2305	struct gsm48_hdr *gh = msgb_l3(msg);
2306	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
2307	struct tlv_parsed tp;
2308	struct gsm_mncc connect;
2309
2310	gsm48_stop_cc_timer(trans);
2311
2312	memset(&connect, 0, sizeof(struct gsm_mncc));
2313	connect.callref = trans->callref;
2314	tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
2315	/* use subscriber as connected party number */
2316	if (trans->subscr) {
2317	connect.fields \|= MNCC_F_CONNECTED;
2318	strncpy(connect.connected.number, trans->subscr->extension,
2319	sizeof(connect.connected.number)-1);
2320	strncpy(connect.imsi, trans->subscr->imsi,
2321	sizeof(connect.imsi)-1);
2322	}
2323	/* facility */
2324	if (TLVP_PRESENT(&tp, GSM48_IE_FACILITY)) {
2325	connect.fields \|= MNCC_F_FACILITY;
2326	decode_facility(&connect.facility,
2327	TLVP_VAL(&tp, GSM48_IE_FACILITY)-1);
2328	}
2329	/* user-user */
2330	if (TLVP_PRESENT(&tp, GSM48_IE_USER_USER)) {
2331	connect.fields \|= MNCC_F_USERUSER;
2332	decode_useruser(&connect.useruser,
2333	TLVP_VAL(&tp, GSM48_IE_USER_USER)-1);
2334	}
2335	/* ss-version */
2336	if (TLVP_PRESENT(&tp, GSM48_IE_SS_VERS)) {
2337	connect.fields \|= MNCC_F_SSVERSION;
2338	decode_ssversion(&connect.ssversion,
2339	TLVP_VAL(&tp, GSM48_IE_SS_VERS)-1);
2340	}
2341
2342	new_cc_state(trans, GSM_CSTATE_CONNECT_REQUEST);
2343
2344	return mncc_recvmsg(trans->subscr->net, trans, MNCC_SETUP_CNF, &connect);
2345	}
2346
2347
2348	static int gsm48_cc_rx_connect_ack(struct gsm_trans trans, struct msgb msg)
2349	{
2350	struct gsm_mncc connect_ack;
2351
2352	gsm48_stop_cc_timer(trans);
2353
2354	new_cc_state(trans, GSM_CSTATE_ACTIVE);
2355
2356	memset(&connect_ack, 0, sizeof(struct gsm_mncc));
2357	connect_ack.callref = trans->callref;
2358	return mncc_recvmsg(trans->subscr->net, trans, MNCC_SETUP_COMPL_IND,
2359	&connect_ack);
2360	}
2361
2362	static int gsm48_cc_tx_connect_ack(struct gsm_trans trans, void arg)
2363	{
2364	struct msgb *msg = gsm48_msgb_alloc();
2365	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2366
2367	gh->msg_type = GSM48_MT_CC_CONNECT_ACK;
2368
2369	new_cc_state(trans, GSM_CSTATE_ACTIVE);
2370
2371	return gsm48_sendmsg(msg, trans);
2372	}
2373
2374	static int gsm48_cc_rx_disconnect(struct gsm_trans trans, struct msgb msg)
2375	{
2376	struct gsm48_hdr *gh = msgb_l3(msg);
2377	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
2378	struct tlv_parsed tp;
2379	struct gsm_mncc disc;
2380
2381	gsm48_stop_cc_timer(trans);
2382
2383	new_cc_state(trans, GSM_CSTATE_DISCONNECT_REQ);
2384
2385	memset(&disc, 0, sizeof(struct gsm_mncc));
2386	disc.callref = trans->callref;
2387	tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, GSM48_IE_CAUSE, 0);
2388	/* cause */
2389	if (TLVP_PRESENT(&tp, GSM48_IE_CAUSE)) {
2390	disc.fields \|= MNCC_F_CAUSE;
2391	decode_cause(&disc.cause,
2392	TLVP_VAL(&tp, GSM48_IE_CAUSE)-1);
2393	}
2394	/* facility */
2395	if (TLVP_PRESENT(&tp, GSM48_IE_FACILITY)) {
2396	disc.fields \|= MNCC_F_FACILITY;
2397	decode_facility(&disc.facility,
2398	TLVP_VAL(&tp, GSM48_IE_FACILITY)-1);
2399	}
2400	/* user-user */
2401	if (TLVP_PRESENT(&tp, GSM48_IE_USER_USER)) {
2402	disc.fields \|= MNCC_F_USERUSER;
2403	decode_useruser(&disc.useruser,
2404	TLVP_VAL(&tp, GSM48_IE_USER_USER)-1);
2405	}
2406	/* ss-version */
2407	if (TLVP_PRESENT(&tp, GSM48_IE_SS_VERS)) {
2408	disc.fields \|= MNCC_F_SSVERSION;
2409	decode_ssversion(&disc.ssversion,
2410	TLVP_VAL(&tp, GSM48_IE_SS_VERS)-1);
2411	}
2412
2413	return mncc_recvmsg(trans->subscr->net, trans, MNCC_DISC_IND, &disc);
2414
2415	}
2416
2417	static struct gsm_mncc_cause default_cause = {
2418	.location = GSM48_CAUSE_LOC_PRN_S_LU,
2419	.coding = 0,
2420	.rec = 0,
2421	.rec_val = 0,
2422	.value = GSM48_CC_CAUSE_NORMAL_UNSPEC,
2423	.diag_len = 0,
2424	.diag = { 0 },
2425	};
2426
2427	static int gsm48_cc_tx_disconnect(struct gsm_trans trans, void arg)
2428	{
2429	struct gsm_mncc *disc = arg;
2430	struct msgb *msg = gsm48_msgb_alloc();
2431	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2432
2433	gh->msg_type = GSM48_MT_CC_DISCONNECT;
2434
2435	gsm48_stop_cc_timer(trans);
2436	gsm48_start_cc_timer(trans, 0x306, GSM48_T306);
2437
2438	/* cause */
2439	if (disc->fields & MNCC_F_CAUSE)
2440	encode_cause(msg, 1, &disc->cause);
2441	else
2442	encode_cause(msg, 1, &default_cause);
2443
2444	/* facility */
2445	if (disc->fields & MNCC_F_FACILITY)
2446	encode_facility(msg, 0, &disc->facility);
2447	/* progress */
2448	if (disc->fields & MNCC_F_PROGRESS)
2449	encode_progress(msg, 0, &disc->progress);
2450	/* user-user */
2451	if (disc->fields & MNCC_F_USERUSER)
2452	encode_useruser(msg, 0, &disc->useruser);
2453
2454	/* store disconnect cause for T306 expiry */
2455	memcpy(&trans->cc.msg, disc, sizeof(struct gsm_mncc));
2456
2457	new_cc_state(trans, GSM_CSTATE_DISCONNECT_IND);
2458
2459	return gsm48_sendmsg(msg, trans);
2460	}
2461
2462	static int gsm48_cc_rx_release(struct gsm_trans trans, struct msgb msg)
2463	{
2464	struct gsm48_hdr *gh = msgb_l3(msg);
2465	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
2466	struct tlv_parsed tp;
2467	struct gsm_mncc rel;
2468	int rc;
2469
2470	gsm48_stop_cc_timer(trans);
2471
2472	memset(&rel, 0, sizeof(struct gsm_mncc));
2473	rel.callref = trans->callref;
2474	tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
2475	/* cause */
2476	if (TLVP_PRESENT(&tp, GSM48_IE_CAUSE)) {
2477	rel.fields \|= MNCC_F_CAUSE;
2478	decode_cause(&rel.cause,
2479	TLVP_VAL(&tp, GSM48_IE_CAUSE)-1);
2480	}
2481	/* facility */
2482	if (TLVP_PRESENT(&tp, GSM48_IE_FACILITY)) {
2483	rel.fields \|= MNCC_F_FACILITY;
2484	decode_facility(&rel.facility,
2485	TLVP_VAL(&tp, GSM48_IE_FACILITY)-1);
2486	}
2487	/* user-user */
2488	if (TLVP_PRESENT(&tp, GSM48_IE_USER_USER)) {
2489	rel.fields \|= MNCC_F_USERUSER;
2490	decode_useruser(&rel.useruser,
2491	TLVP_VAL(&tp, GSM48_IE_USER_USER)-1);
2492	}
2493	/* ss-version */
2494	if (TLVP_PRESENT(&tp, GSM48_IE_SS_VERS)) {
2495	rel.fields \|= MNCC_F_SSVERSION;
2496	decode_ssversion(&rel.ssversion,
2497	TLVP_VAL(&tp, GSM48_IE_SS_VERS)-1);
2498	}
2499
2500	if (trans->cc.state == GSM_CSTATE_RELEASE_REQ) {
2501	/* release collision 5.4.5 */
2502	rc = mncc_recvmsg(trans->subscr->net, trans, MNCC_REL_CNF, &rel);
2503	} else {
2504	rc = gsm48_tx_simple(msg->lchan,
2505	GSM48_PDISC_CC \| (trans->transaction_id << 4),
2506	GSM48_MT_CC_RELEASE_COMPL);
2507	rc = mncc_recvmsg(trans->subscr->net, trans, MNCC_REL_IND, &rel);
2508	}
2509
2510	new_cc_state(trans, GSM_CSTATE_NULL);
2511
2512	trans->callref = 0;
2513	trans_free(trans);
2514
2515	return rc;
2516	}
2517
2518	static int gsm48_cc_tx_release(struct gsm_trans trans, void arg)
2519	{
2520	struct gsm_mncc *rel = arg;
2521	struct msgb *msg = gsm48_msgb_alloc();
2522	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2523
2524	gh->msg_type = GSM48_MT_CC_RELEASE;
2525
2526	trans->callref = 0;
2527
2528	gsm48_stop_cc_timer(trans);
2529	gsm48_start_cc_timer(trans, 0x308, GSM48_T308);
2530
2531	/* cause */
2532	if (rel->fields & MNCC_F_CAUSE)
2533	encode_cause(msg, 0, &rel->cause);
2534	/* facility */
2535	if (rel->fields & MNCC_F_FACILITY)
2536	encode_facility(msg, 0, &rel->facility);
2537	/* user-user */
2538	if (rel->fields & MNCC_F_USERUSER)
2539	encode_useruser(msg, 0, &rel->useruser);
2540
2541	trans->cc.T308_second = 0;
2542	memcpy(&trans->cc.msg, rel, sizeof(struct gsm_mncc));
2543
2544	if (trans->cc.state != GSM_CSTATE_RELEASE_REQ)
2545	new_cc_state(trans, GSM_CSTATE_RELEASE_REQ);
2546
2547	return gsm48_sendmsg(msg, trans);
2548	}
2549
2550	static int gsm48_cc_rx_release_compl(struct gsm_trans trans, struct msgb msg)
2551	{
2552	struct gsm48_hdr *gh = msgb_l3(msg);
2553	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
2554	struct tlv_parsed tp;
2555	struct gsm_mncc rel;
2556	int rc = 0;
2557
2558	gsm48_stop_cc_timer(trans);
2559
2560	memset(&rel, 0, sizeof(struct gsm_mncc));
2561	rel.callref = trans->callref;
2562	tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
2563	/* cause */
2564	if (TLVP_PRESENT(&tp, GSM48_IE_CAUSE)) {
2565	rel.fields \|= MNCC_F_CAUSE;
2566	decode_cause(&rel.cause,
2567	TLVP_VAL(&tp, GSM48_IE_CAUSE)-1);
2568	}
2569	/* facility */
2570	if (TLVP_PRESENT(&tp, GSM48_IE_FACILITY)) {
2571	rel.fields \|= MNCC_F_FACILITY;
2572	decode_facility(&rel.facility,
2573	TLVP_VAL(&tp, GSM48_IE_FACILITY)-1);
2574	}
2575	/* user-user */
2576	if (TLVP_PRESENT(&tp, GSM48_IE_USER_USER)) {
2577	rel.fields \|= MNCC_F_USERUSER;
2578	decode_useruser(&rel.useruser,
2579	TLVP_VAL(&tp, GSM48_IE_USER_USER)-1);
2580	}
2581	/* ss-version */
2582	if (TLVP_PRESENT(&tp, GSM48_IE_SS_VERS)) {
2583	rel.fields \|= MNCC_F_SSVERSION;
2584	decode_ssversion(&rel.ssversion,
2585	TLVP_VAL(&tp, GSM48_IE_SS_VERS)-1);
2586	}
2587
2588	if (trans->callref) {
2589	switch (trans->cc.state) {
2590	case GSM_CSTATE_CALL_PRESENT:
2591	rc = mncc_recvmsg(trans->subscr->net, trans,
2592	MNCC_REJ_IND, &rel);
2593	break;
2594	case GSM_CSTATE_RELEASE_REQ:
2595	rc = mncc_recvmsg(trans->subscr->net, trans,
2596	MNCC_REL_CNF, &rel);
2597	/* FIXME: in case of multiple calls, we can't simply
2598	* hang up here ! */
2599	lchan_auto_release(msg->lchan);
2600	break;
2601	default:
2602	rc = mncc_recvmsg(trans->subscr->net, trans,
2603	MNCC_REL_IND, &rel);
2604	}
2605	}
2606
2607	trans->callref = 0;
2608	trans_free(trans);
2609
2610	return rc;
2611	}
2612
2613	static int gsm48_cc_tx_release_compl(struct gsm_trans trans, void arg)
2614	{
2615	struct gsm_mncc *rel = arg;
2616	struct msgb *msg = gsm48_msgb_alloc();
2617	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2618
2619	gh->msg_type = GSM48_MT_CC_RELEASE_COMPL;
2620
2621	trans->callref = 0;
2622
2623	gsm48_stop_cc_timer(trans);
2624
2625	/* cause */
2626	if (rel->fields & MNCC_F_CAUSE)
2627	encode_cause(msg, 0, &rel->cause);
2628	/* facility */
2629	if (rel->fields & MNCC_F_FACILITY)
2630	encode_facility(msg, 0, &rel->facility);
2631	/* user-user */
2632	if (rel->fields & MNCC_F_USERUSER)
2633	encode_useruser(msg, 0, &rel->useruser);
2634
2635	trans_free(trans);
2636
2637	return gsm48_sendmsg(msg, trans);
2638	}
2639
2640	static int gsm48_cc_rx_facility(struct gsm_trans trans, struct msgb msg)
2641	{
2642	struct gsm48_hdr *gh = msgb_l3(msg);
2643	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
2644	struct tlv_parsed tp;
2645	struct gsm_mncc fac;
2646
2647	memset(&fac, 0, sizeof(struct gsm_mncc));
2648	fac.callref = trans->callref;
2649	tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, GSM48_IE_FACILITY, 0);
2650	/* facility */
2651	if (TLVP_PRESENT(&tp, GSM48_IE_FACILITY)) {
2652	fac.fields \|= MNCC_F_FACILITY;
2653	decode_facility(&fac.facility,
2654	TLVP_VAL(&tp, GSM48_IE_FACILITY)-1);
2655	}
2656	/* ss-version */
2657	if (TLVP_PRESENT(&tp, GSM48_IE_SS_VERS)) {
2658	fac.fields \|= MNCC_F_SSVERSION;
2659	decode_ssversion(&fac.ssversion,
2660	TLVP_VAL(&tp, GSM48_IE_SS_VERS)-1);
2661	}
2662
2663	return mncc_recvmsg(trans->subscr->net, trans, MNCC_FACILITY_IND, &fac);
2664	}
2665
2666	static int gsm48_cc_tx_facility(struct gsm_trans trans, void arg)
2667	{
2668	struct gsm_mncc *fac = arg;
2669	struct msgb *msg = gsm48_msgb_alloc();
2670	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2671
2672	gh->msg_type = GSM48_MT_CC_FACILITY;
2673
2674	/* facility */
2675	encode_facility(msg, 1, &fac->facility);
2676
2677	return gsm48_sendmsg(msg, trans);
2678	}
2679
2680	static int gsm48_cc_rx_hold(struct gsm_trans trans, struct msgb msg)
2681	{
2682	struct gsm_mncc hold;
2683
2684	memset(&hold, 0, sizeof(struct gsm_mncc));
2685	hold.callref = trans->callref;
2686	return mncc_recvmsg(trans->subscr->net, trans, MNCC_HOLD_IND, &hold);
2687	}
2688
2689	static int gsm48_cc_tx_hold_ack(struct gsm_trans trans, void arg)
2690	{
2691	struct msgb *msg = gsm48_msgb_alloc();
2692	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2693
2694	gh->msg_type = GSM48_MT_CC_HOLD_ACK;
2695
2696	return gsm48_sendmsg(msg, trans);
2697	}
2698
2699	static int gsm48_cc_tx_hold_rej(struct gsm_trans trans, void arg)
2700	{
2701	struct gsm_mncc *hold_rej = arg;
2702	struct msgb *msg = gsm48_msgb_alloc();
2703	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2704
2705	gh->msg_type = GSM48_MT_CC_HOLD_REJ;
2706
2707	/* cause */
2708	if (hold_rej->fields & MNCC_F_CAUSE)
2709	encode_cause(msg, 1, &hold_rej->cause);
2710	else
2711	encode_cause(msg, 1, &default_cause);
2712
2713	return gsm48_sendmsg(msg, trans);
2714	}
2715
2716	static int gsm48_cc_rx_retrieve(struct gsm_trans trans, struct msgb msg)
2717	{
2718	struct gsm_mncc retrieve;
2719
2720	memset(&retrieve, 0, sizeof(struct gsm_mncc));
2721	retrieve.callref = trans->callref;
2722	return mncc_recvmsg(trans->subscr->net, trans, MNCC_RETRIEVE_IND,
2723	&retrieve);
2724	}
2725
2726	static int gsm48_cc_tx_retrieve_ack(struct gsm_trans trans, void arg)
2727	{
2728	struct msgb *msg = gsm48_msgb_alloc();
2729	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2730
2731	gh->msg_type = GSM48_MT_CC_RETR_ACK;
2732
2733	return gsm48_sendmsg(msg, trans);
2734	}
2735
2736	static int gsm48_cc_tx_retrieve_rej(struct gsm_trans trans, void arg)
2737	{
2738	struct gsm_mncc *retrieve_rej = arg;
2739	struct msgb *msg = gsm48_msgb_alloc();
2740	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2741
2742	gh->msg_type = GSM48_MT_CC_RETR_REJ;
2743
2744	/* cause */
2745	if (retrieve_rej->fields & MNCC_F_CAUSE)
2746	encode_cause(msg, 1, &retrieve_rej->cause);
2747	else
2748	encode_cause(msg, 1, &default_cause);
2749
2750	return gsm48_sendmsg(msg, trans);
2751	}
2752
2753	static int gsm48_cc_rx_start_dtmf(struct gsm_trans trans, struct msgb msg)
2754	{
2755	struct gsm48_hdr *gh = msgb_l3(msg);
2756	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
2757	struct tlv_parsed tp;
2758	struct gsm_mncc dtmf;
2759
2760	memset(&dtmf, 0, sizeof(struct gsm_mncc));
2761	dtmf.callref = trans->callref;
2762	tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, 0, 0);
2763	/* keypad facility */
2764	if (TLVP_PRESENT(&tp, GSM48_IE_KPD_FACILITY)) {
2765	dtmf.fields \|= MNCC_F_KEYPAD;
2766	decode_keypad(&dtmf.keypad,
2767	TLVP_VAL(&tp, GSM48_IE_KPD_FACILITY)-1);
2768	}
2769
2770	return mncc_recvmsg(trans->subscr->net, trans, MNCC_START_DTMF_IND, &dtmf);
2771	}
2772
2773	static int gsm48_cc_tx_start_dtmf_ack(struct gsm_trans trans, void arg)
2774	{
2775	struct gsm_mncc *dtmf = arg;
2776	struct msgb *msg = gsm48_msgb_alloc();
2777	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2778
2779	gh->msg_type = GSM48_MT_CC_START_DTMF_ACK;
2780
2781	/* keypad */
2782	if (dtmf->fields & MNCC_F_KEYPAD)
2783	encode_keypad(msg, dtmf->keypad);
2784
2785	return gsm48_sendmsg(msg, trans);
2786	}
2787
2788	static int gsm48_cc_tx_start_dtmf_rej(struct gsm_trans trans, void arg)
2789	{
2790	struct gsm_mncc *dtmf = arg;
2791	struct msgb *msg = gsm48_msgb_alloc();
2792	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2793
2794	gh->msg_type = GSM48_MT_CC_START_DTMF_REJ;
2795
2796	/* cause */
2797	if (dtmf->fields & MNCC_F_CAUSE)
2798	encode_cause(msg, 1, &dtmf->cause);
2799	else
2800	encode_cause(msg, 1, &default_cause);
2801
2802	return gsm48_sendmsg(msg, trans);
2803	}
2804
2805	static int gsm48_cc_tx_stop_dtmf_ack(struct gsm_trans trans, void arg)
2806	{
2807	struct msgb *msg = gsm48_msgb_alloc();
2808	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2809
2810	gh->msg_type = GSM48_MT_CC_STOP_DTMF_ACK;
2811
2812	return gsm48_sendmsg(msg, trans);
2813	}
2814
2815	static int gsm48_cc_rx_stop_dtmf(struct gsm_trans trans, struct msgb msg)
2816	{
2817	struct gsm_mncc dtmf;
2818
2819	memset(&dtmf, 0, sizeof(struct gsm_mncc));
2820	dtmf.callref = trans->callref;
2821
2822	return mncc_recvmsg(trans->subscr->net, trans, MNCC_STOP_DTMF_IND, &dtmf);
2823	}
2824
2825	static int gsm48_cc_rx_modify(struct gsm_trans trans, struct msgb msg)
2826	{
2827	struct gsm48_hdr *gh = msgb_l3(msg);
2828	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
2829	struct tlv_parsed tp;
2830	struct gsm_mncc modify;
2831
2832	memset(&modify, 0, sizeof(struct gsm_mncc));
2833	modify.callref = trans->callref;
2834	tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, GSM48_IE_BEARER_CAP, 0);
2835	/* bearer capability */
2836	if (TLVP_PRESENT(&tp, GSM48_IE_BEARER_CAP)) {
2837	modify.fields \|= MNCC_F_BEARER_CAP;
2838	decode_bearer_cap(&modify.bearer_cap,
2839	TLVP_VAL(&tp, GSM48_IE_BEARER_CAP)-1);
2840	}
2841
2842	new_cc_state(trans, GSM_CSTATE_MO_ORIG_MODIFY);
2843
2844	return mncc_recvmsg(trans->subscr->net, trans, MNCC_MODIFY_IND, &modify);
2845	}
2846
2847	static int gsm48_cc_tx_modify(struct gsm_trans trans, void arg)
2848	{
2849	struct gsm_mncc *modify = arg;
2850	struct msgb *msg = gsm48_msgb_alloc();
2851	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2852
2853	gh->msg_type = GSM48_MT_CC_MODIFY;
2854
2855	gsm48_start_cc_timer(trans, 0x323, GSM48_T323);
2856
2857	/* bearer capability */
2858	encode_bearer_cap(msg, 1, &modify->bearer_cap);
2859
2860	new_cc_state(trans, GSM_CSTATE_MO_TERM_MODIFY);
2861
2862	return gsm48_sendmsg(msg, trans);
2863	}
2864
2865	static int gsm48_cc_rx_modify_complete(struct gsm_trans trans, struct msgb msg)
2866	{
2867	struct gsm48_hdr *gh = msgb_l3(msg);
2868	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
2869	struct tlv_parsed tp;
2870	struct gsm_mncc modify;
2871
2872	gsm48_stop_cc_timer(trans);
2873
2874	memset(&modify, 0, sizeof(struct gsm_mncc));
2875	modify.callref = trans->callref;
2876	tlv_parse(&tp, &gsm48_att_tlvdef, gh->data, payload_len, GSM48_IE_BEARER_CAP, 0);
2877	/* bearer capability */
2878	if (TLVP_PRESENT(&tp, GSM48_IE_BEARER_CAP)) {
2879	modify.fields \|= MNCC_F_BEARER_CAP;
2880	decode_bearer_cap(&modify.bearer_cap,
2881	TLVP_VAL(&tp, GSM48_IE_BEARER_CAP)-1);
2882	}
2883
2884	new_cc_state(trans, GSM_CSTATE_ACTIVE);
2885
2886	return mncc_recvmsg(trans->subscr->net, trans, MNCC_MODIFY_CNF, &modify);
2887	}
2888
2889	static int gsm48_cc_tx_modify_complete(struct gsm_trans trans, void arg)
2890	{
2891	struct gsm_mncc *modify = arg;
2892	struct msgb *msg = gsm48_msgb_alloc();
2893	struct gsm48_hdr gh = (struct gsm48_hdr ) msgb_put(msg, sizeof(*gh));
2894
2895	gh->msg_type = GSM48_MT_CC_MODIFY_COMPL;
2896
2897	/* bearer capability */
2898	encode_bearer_cap(msg, 1, &modify->bearer_cap);
2899
2900	new_cc_state(trans, GSM_CSTATE_ACTIVE);
2901
2902	return gsm48_sendmsg(msg, trans);
2903	}
2904
2905	static int gsm48_cc_rx_modify_reject(struct gsm_trans trans, struct msgb msg)
2906	{
2907	struct gsm48_hdr *gh = msgb_l3(msg);
2908	unsigned int payload_len = msgb_l3len(msg) - sizeof(*gh);
2909	struct tlv_parsed tp;
2910	struct gsm_mncc modify;
2911
2912	gsm48_stop_cc_timer(trans);
2913
2914	memset(&modify, 0, sizeof(