From 9bc6ccfec3113cc470edd7458c25084b8cd2e44e Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr <nhofmeyr@sysmocom.de>
Date: Sat, 4 Mar 2017 01:26:14 +0100
Subject: implement utran security mode with vlr

Change-Id: Ib1e285b54cd7aaa0895e9c51a47720f446a07183
---
 openbsc/include/openbsc/vlr.h                      |   2 +-
 openbsc/src/libmsc/gsm_04_08.c                     |  37 ++++--
 openbsc/src/libmsc/iucs_ranap.c                    |  17 +--
 openbsc/src/libvlr/vlr.c                           |   3 +
 openbsc/tests/msc_vlr/msc_vlr_test_umts_authen.c   | 135 +++++++++++++++------
 openbsc/tests/msc_vlr/msc_vlr_test_umts_authen.err | 107 +++++++++++-----
 openbsc/tests/msc_vlr/msc_vlr_tests.c              |  45 ++++++-
 openbsc/tests/msc_vlr/msc_vlr_tests.h              |   6 +-
 8 files changed, 254 insertions(+), 98 deletions(-)

diff --git a/openbsc/include/openbsc/vlr.h b/openbsc/include/openbsc/vlr.h
index b45e4ae37..8cbd0c52a 100644
--- a/openbsc/include/openbsc/vlr.h
+++ b/openbsc/include/openbsc/vlr.h
@@ -191,7 +191,7 @@ struct vlr_ops {
 	int (*set_ciph_mode)(void *msc_conn_ref, enum vlr_ciph ciph_mode,
 			     bool retrieve_imeisv);
 
-	/* Common Id is transmitted when auth+ciph is complete on UTRAN */
+	/* UTRAN: send Common Id (when auth+ciph are complete) */
 	int (*tx_common_id)(void *msc_conn_ref);
 
 
diff --git a/openbsc/src/libmsc/gsm_04_08.c b/openbsc/src/libmsc/gsm_04_08.c
index 26a5050e2..ade072097 100644
--- a/openbsc/src/libmsc/gsm_04_08.c
+++ b/openbsc/src/libmsc/gsm_04_08.c
@@ -266,12 +266,17 @@ static int gsm0408_loc_upd_acc(struct gsm_subscriber_connection *conn,
 		len = gsm48_generate_mid_from_imsi(mi, conn->vsub->imsi);
 		mid = msgb_put(msg, len);
 		memcpy(mid, mi, len);
+		DEBUGP(DMM, "-> %s LOCATION UPDATE ACCEPT\n",
+		       vlr_subscr_name(conn->vsub));
 	} else {
 		/* Include the TMSI, which means that the MS will send a
 		 * TMSI REALLOCATION COMPLETE, and we should wait for
 		 * that until T3250 expiration */
 		mid = msgb_put(msg, GSM48_MID_TMSI_LEN);
 		gsm48_generate_mid_from_tmsi(mid, send_tmsi);
+		DEBUGP(DMM, "-> %s LOCATION UPDATE ACCEPT (TMSI = 0x%08x)\n",
+		       vlr_subscr_name(conn->vsub),
+		       send_tmsi);
 	}
 	/* TODO: Follow-on proceed */
 	/* TODO: CTS permission */
@@ -279,7 +284,6 @@ static int gsm0408_loc_upd_acc(struct gsm_subscriber_connection *conn,
 	/* TODO: Emergency Number List */
 	/* TODO: Per-MS T3312 */
 
-	DEBUGP(DMM, "-> LOCATION UPDATE ACCEPT\n");
 
 	return gsm48_conn_sendmsg(msg, conn, NULL);
 }
@@ -417,7 +421,8 @@ int mm_rx_loc_upd_req(struct gsm_subscriber_connection *conn, struct msgb *msg)
 				net->vlr, conn, vlr_lu_type, tmsi, imsi,
 				&old_lai, &new_lai,
 				is_utran || conn->network->authentication_required,
-				conn->network->a5_encryption,
+				is_utran? VLR_CIPH_A5_3
+					: conn->network->a5_encryption,
 				classmark_is_r99(&conn->classmark),
 				is_utran,
 				net->vlr->cfg.assign_tmsi);
@@ -732,7 +737,8 @@ int gsm48_rx_mm_serv_req(struct gsm_subscriber_connection *conn, struct msgb *ms
 			 net->vlr, conn,
 			 VLR_PR_ARQ_T_CM_SERV_REQ, mi-1, &lai,
 			 is_utran || conn->network->authentication_required,
-			 conn->network->a5_encryption,
+			 is_utran? VLR_CIPH_A5_3
+				 : conn->network->a5_encryption,
 			 classmark_is_r99(&conn->classmark),
 			 is_utran);
 
@@ -1085,6 +1091,7 @@ static int gsm48_rx_rr_pag_resp(struct gsm_subscriber_connection *conn, struct m
 	char mi_string[GSM48_MI_SIZE];
 	int rc = 0;
 	struct osmo_location_area_id lai;
+	bool is_utran;
 
 	lai.plmn.mcc = conn->network->country_code;
 	lai.plmn.mnc = conn->network->network_code;
@@ -1110,16 +1117,18 @@ static int gsm48_rx_rr_pag_resp(struct gsm_subscriber_connection *conn, struct m
 	memcpy(conn->classmark.classmark2, classmark2_lv+1, *classmark2_lv);
 	conn->classmark.classmark2_len = *classmark2_lv;
 
+	is_utran = (conn->via_ran == RAN_UTRAN_IU);
 	vlr_proc_acc_req(conn->conn_fsm,
 			 SUBSCR_CONN_E_ACCEPTED,
 			 SUBSCR_CONN_E_CN_CLOSE,
 			 (void*)&conn_from_paging_resp,
 			 net->vlr, conn,
 			 VLR_PR_ARQ_T_PAGING_RESP, mi_lv, &lai,
-			 conn->network->authentication_required,
-			 conn->network->a5_encryption,
+			 is_utran || conn->network->authentication_required,
+			 is_utran? VLR_CIPH_A5_3
+				 : conn->network->a5_encryption,
 			 classmark_is_r99(&conn->classmark),
-			 conn->via_ran == RAN_UTRAN_IU);
+			 is_utran);
 
 	return 0;
 }
@@ -3789,8 +3798,20 @@ static int msc_vlr_set_ciph_mode(void *msc_conn_ref,
 		return -EINVAL;
 	}
 
-	return msc_gsm0808_tx_cipher_mode(conn, ciph, tuple->vec.kc, 8,
-					  retrieve_imeisv);
+	switch (conn->via_ran) {
+	case RAN_GERAN_A:
+		return msc_gsm0808_tx_cipher_mode(conn, ciph, tuple->vec.kc, 8,
+						  retrieve_imeisv);
+	case RAN_UTRAN_IU:
+		return iu_tx_sec_mode_cmd(conn->iu.ue_ctx, tuple, 0, 1);
+
+	default:
+		break;
+	}
+	LOGP(DMM, LOGL_ERROR,
+	     "%s: cannot start ciphering, unknown RAN type %d\n",
+	     vlr_subscr_name(conn->vsub), conn->via_ran);
+	return -ENOTSUP;
 }
 
 /* VLR informs us that the subscriber data has somehow been modified */
diff --git a/openbsc/src/libmsc/iucs_ranap.c b/openbsc/src/libmsc/iucs_ranap.c
index b16eebc47..7215b6c69 100644
--- a/openbsc/src/libmsc/iucs_ranap.c
+++ b/openbsc/src/libmsc/iucs_ranap.c
@@ -54,18 +54,10 @@ static int iucs_rx_rab_assign(struct gsm_subscriber_connection *conn,
 int iucs_rx_sec_mode_compl(struct gsm_subscriber_connection *conn,
 			   RANAP_SecurityModeCompleteIEs_t *ies)
 {
-	gsm_cbfn *cb;
+	struct vlr_ciph_result vlr_res = {};
 
 	OSMO_ASSERT(conn->via_ran == RAN_UTRAN_IU);
 
-	if (!conn->sec_operation) {
-		LOGP(DIUCS, LOGL_ERROR,
-		     "Received Security Mode Complete message, but no"
-		     " authentication/cipher operation in progress"
-		     " for subscr %s\n", vlr_subscr_name(conn->vsub));
-		return -EINVAL;
-	}
-
 	/* TODO evalute ies */
 
 	if (conn->iu.integrity_protection)
@@ -75,11 +67,8 @@ int iucs_rx_sec_mode_compl(struct gsm_subscriber_connection *conn,
 
 	conn->iu.integrity_protection = INTEGRITY_PROTECTION_IK;
 
-	cb = conn->sec_operation->cb;
-	if (cb)
-		cb(GSM_HOOK_RR_SECURITY, GSM_SECURITY_SUCCEEDED, NULL,
-		   conn, conn->sec_operation->cb_data);
-	release_security_operation(conn);
+	vlr_res.cause = VLR_CIPH_COMPL;
+	vlr_subscr_rx_ciph_res(conn->vsub, &vlr_res);
 	return 0;
 }
 
diff --git a/openbsc/src/libvlr/vlr.c b/openbsc/src/libvlr/vlr.c
index 65d43f4d0..4259b5c38 100644
--- a/openbsc/src/libvlr/vlr.c
+++ b/openbsc/src/libvlr/vlr.c
@@ -937,6 +937,9 @@ struct vlr_instance *vlr_alloc(void *ctx, const struct vlr_ops *ops)
 {
 	struct vlr_instance *vlr = talloc_zero(ctx, struct vlr_instance);
 	OSMO_ASSERT(vlr);
+
+	/* Some of these are needed only on UTRAN, but in case the caller wants
+	 * only GERAN, she should just provide dummy callbacks. */
 	OSMO_ASSERT(ops->tx_auth_req);
 	OSMO_ASSERT(ops->tx_auth_rej);
 	OSMO_ASSERT(ops->tx_id_req);
diff --git a/openbsc/tests/msc_vlr/msc_vlr_test_umts_authen.c b/openbsc/tests/msc_vlr/msc_vlr_test_umts_authen.c
index 999c1d2bc..c224de334 100644
--- a/openbsc/tests/msc_vlr/msc_vlr_test_umts_authen.c
+++ b/openbsc/tests/msc_vlr/msc_vlr_test_umts_authen.c
@@ -27,6 +27,28 @@ void _test_umts_authen(enum ran_type via_ran)
 {
 	struct vlr_subscr *vsub;
 	const char *imsi = "901700000010650";
+	const char *sms =
+		"09" /* SMS messages */
+		"01" /* CP-DATA */
+		"58" /* length */
+		"01" /* Network to MS */
+		"00" /* reference */
+		/* originator (gsm411_send_sms() hardcodes this weird nr) */
+		"0791" "447758100650" /* 447785016005 */
+		"00" /* dest */
+		/* SMS TPDU */
+		"4c" /* len */
+		"00" /* SMS deliver */
+		"05802443f2" /* originating address 42342 */
+		"00" /* TP-PID */
+		"00" /* GSM default alphabet */
+		"071010" /* Y-M-D (from wrapped gsm340_gen_scts())*/
+		"000000" /* H-M-S */
+		"00" /* GMT+0 */
+		"44" /* data length */
+		"5079da1e1ee7416937485e9ea7c965373d1d6683c270383b3d0e"
+		"d3d36ff71c949e83c22072799e9687c5ec32a81d96afcbf4b4fb"
+		"0c7ac3e9e9b7db05";
 
 	net->authentication_required = true;
 	net->vlr->cfg.assign_tmsi = true;
@@ -100,10 +122,26 @@ void _test_umts_authen(enum ran_type via_ran)
 	VERBOSE_ASSERT(auth_request_sent, == true, "%d");
 	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
 
-	btw("MS sends Authen Response, VLR accepts and sends GSUP LU Req to HLR");
-	gsup_expect_tx("04010809710000000156f0");
-	ms_sends_msg("0554" "e229c19e" "2104" "791f2e41");
-	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
+	if (via_ran == RAN_GERAN_A) {
+		btw("MS sends Authen Response, VLR accepts and sends GSUP LU Req to HLR");
+		gsup_expect_tx("04010809710000000156f0");
+		ms_sends_msg("0554" "e229c19e" "2104" "791f2e41");
+		VERBOSE_ASSERT(gsup_tx_confirmed, == true, "%d");
+		VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
+	} else {
+		/* On UTRAN */
+		btw("MS sends Authen Response, VLR accepts and sends SecurityModeControl");
+		cipher_mode_cmd_sent = false;
+		ms_sends_msg("0554" "e229c19e" "2104" "791f2e41");
+		VERBOSE_ASSERT(cipher_mode_cmd_sent, == true, "%d");
+		VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
+
+		btw("MS sends SecurityModeControl acceptance, VLR accepts and sends GSUP LU Req to HLR");
+		gsup_expect_tx("04010809710000000156f0");
+		ms_sends_security_mode_complete();
+		VERBOSE_ASSERT(gsup_tx_confirmed, == true, "%d");
+		VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
+	}
 
 	btw("HLR sends _INSERT_DATA_REQUEST, VLR responds with _INSERT_DATA_RESULT");
 	gsup_rx("10010809710000000156f00804032443f2",
@@ -152,10 +190,23 @@ void _test_umts_authen(enum ran_type via_ran)
 	EXPECT_ACCEPTED(false);
 	thwart_rx_non_initial_requests();
 
-	btw("MS sends Authen Response, VLR accepts with a CM Service Accept");
-	gsup_expect_tx(NULL);
-	ms_sends_msg("0554" "7db47cf7" "2104" "f81e4dc7"); /* 2nd vector's res, s.a. */
-	VERBOSE_ASSERT(cm_service_result_sent, == RES_ACCEPT, "%d");
+	if (via_ran == RAN_GERAN_A) {
+		btw("MS sends Authen Response, VLR accepts with a CM Service Accept");
+		gsup_expect_tx(NULL);
+		ms_sends_msg("0554" "7db47cf7" "2104" "f81e4dc7"); /* 2nd vector's res, s.a. */
+		VERBOSE_ASSERT(cm_service_result_sent, == RES_ACCEPT, "%d");
+	} else {
+		/* On UTRAN */
+		btw("MS sends Authen Response, VLR accepts and sends SecurityModeControl");
+		cipher_mode_cmd_sent = false;
+		ms_sends_msg("0554" "7db47cf7" "2104" "f81e4dc7"); /* 2nd vector's res, s.a. */
+		VERBOSE_ASSERT(cipher_mode_cmd_sent, == true, "%d");
+		VERBOSE_ASSERT(cm_service_result_sent, == RES_NONE, "%d");
+
+		btw("MS sends SecurityModeControl acceptance, VLR accepts and sends CM Service Accept");
+		ms_sends_security_mode_complete();
+		VERBOSE_ASSERT(cm_service_result_sent, == RES_ACCEPT, "%d");
+	}
 
 	btw("a USSD request is serviced");
 	dtap_expect_tx_ussd("Your extension is 42342\r");
@@ -201,31 +252,25 @@ void _test_umts_authen(enum ran_type via_ran)
 	EXPECT_ACCEPTED(false);
 	thwart_rx_non_initial_requests();
 
-	btw("MS sends Authen Response, VLR accepts and sends pending SMS");
-	dtap_expect_tx("09" /* SMS messages */
-		       "01" /* CP-DATA */
-		       "58" /* length */
-		       "01" /* Network to MS */
-		       "00" /* reference */
-		       /* originator (gsm411_send_sms() hardcodes this weird nr) */
-		       "0791" "447758100650" /* 447785016005 */
-		       "00" /* dest */
-		       /* SMS TPDU */
-		       "4c" /* len */
-		       "00" /* SMS deliver */
-		       "05802443f2" /* originating address 42342 */
-		       "00" /* TP-PID */
-		       "00" /* GSM default alphabet */
-		       "071010" /* Y-M-D (from wrapped gsm340_gen_scts())*/
-		       "000000" /* H-M-S */
-		       "00" /* GMT+0 */
-		       "44" /* data length */
-		       "5079da1e1ee7416937485e9ea7c965373d1d6683c270383b3d0e"
-		       "d3d36ff71c949e83c22072799e9687c5ec32a81d96afcbf4b4fb"
-		       "0c7ac3e9e9b7db05");
-	ms_sends_msg("0554" "706f9967" "2104" "19ba609c"); /* 3nd vector's res, s.a. */
-	VERBOSE_ASSERT(dtap_tx_confirmed, == true, "%d");
-	VERBOSE_ASSERT(paging_stopped, == true, "%d");
+	if (via_ran == RAN_GERAN_A) {
+		btw("MS sends Authen Response, VLR accepts and sends pending SMS");
+		dtap_expect_tx(sms);
+		ms_sends_msg("0554" "706f9967" "2104" "19ba609c"); /* 3nd vector's res, s.a. */
+		VERBOSE_ASSERT(dtap_tx_confirmed, == true, "%d");
+		VERBOSE_ASSERT(paging_stopped, == true, "%d");
+	} else {
+		/* On UTRAN */
+		btw("MS sends Authen Response, VLR accepts and sends SecurityModeControl");
+		cipher_mode_cmd_sent = false;
+		ms_sends_msg("0554" "706f9967" "2104" "19ba609c"); /* 3nd vector's res, s.a. */
+		VERBOSE_ASSERT(cipher_mode_cmd_sent, == true, "%d");
+		VERBOSE_ASSERT(paging_stopped, == false, "%d");
+
+		btw("MS sends SecurityModeControl acceptance, VLR accepts and sends SMS");
+		dtap_expect_tx(sms);
+		ms_sends_security_mode_complete();
+		VERBOSE_ASSERT(paging_stopped, == true, "%d");
+	}
 
 	btw("SMS was delivered, no requests pending for subscr");
 	vsub = vlr_subscr_find_by_imsi(net->vlr, imsi);
@@ -437,10 +482,26 @@ void _test_umts_authen_resync(enum ran_type via_ran)
 	VERBOSE_ASSERT(auth_request_sent, == true, "%d");
 	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
 
-	btw("MS sends Authen Response, VLR accepts and sends GSUP LU Req to HLR");
-	gsup_expect_tx("04010809710000000156f0");
-	ms_sends_msg("0554" "1df5f0b4" "2104" "f22b696e");
-	VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
+	if (via_ran == RAN_GERAN_A) {
+		btw("MS sends Authen Response, VLR accepts and sends GSUP LU Req to HLR");
+		gsup_expect_tx("04010809710000000156f0");
+		ms_sends_msg("0554" "1df5f0b4" "2104" "f22b696e");
+		VERBOSE_ASSERT(gsup_tx_confirmed, == true, "%d");
+		VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
+	} else {
+		/* On UTRAN */
+		btw("MS sends Authen Response, VLR accepts and sends SecurityModeControl");
+		cipher_mode_cmd_sent = false;
+		ms_sends_msg("0554" "1df5f0b4" "2104" "f22b696e");
+		VERBOSE_ASSERT(cipher_mode_cmd_sent, == true, "%d");
+		VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
+
+		btw("MS sends SecurityModeControl acceptance, VLR accepts and sends GSUP LU Req to HLR");
+		gsup_expect_tx("04010809710000000156f0");
+		ms_sends_security_mode_complete();
+		VERBOSE_ASSERT(gsup_tx_confirmed, == true, "%d");
+		VERBOSE_ASSERT(lu_result_sent, == RES_NONE, "%d");
+	}
 
 	btw("HLR sends _INSERT_DATA_REQUEST, VLR responds with _INSERT_DATA_RESULT");
 	gsup_rx("10010809710000000156f00804032443f2",
diff --git a/openbsc/tests/msc_vlr/msc_vlr_test_umts_authen.err b/openbsc/tests/msc_vlr/msc_vlr_test_umts_authen.err
index 26ceb0d78..09bd362b2 100644
--- a/openbsc/tests/msc_vlr/msc_vlr_test_umts_authen.err
+++ b/openbsc/tests/msc_vlr/msc_vlr_test_umts_authen.err
@@ -66,6 +66,7 @@ DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: Received Event UPD_HL
 DVLR GSUP tx: 04010809710000000156f0
 GSUP --> HLR: OSMO_GSUP_MSGT_UPDATE_LOCATION_REQUEST: 04010809710000000156f0
 DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: state_chg to UPD_HLR_VLR_S_WAIT_FOR_DATA
+  gsup_tx_confirmed == 1
   lu_result_sent == 0
 - HLR sends _INSERT_DATA_REQUEST, VLR responds with _INSERT_DATA_RESULT
 <-- GSUP rx OSMO_GSUP_MSGT_INSERT_DATA_REQUEST: 10010809710000000156f00804032443f2
@@ -418,7 +419,7 @@ DMM LOCATION UPDATING REQUEST: MI(IMSI)=901700000010650 type=NORMAL
 DMM LU/new-LAC: 0/0
 DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: Allocated
 DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: is child of Subscr_Conn(901700000010650)
-DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: rev=R99 net=UTRAN Auth (no Ciph)
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: rev=R99 net=UTRAN Auth+Ciph
 DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: Received Event VLR_ULA_E_UPDATE_LA
 DREF VLR subscr unknown usage increases to: 1
 DVLR set IMSI on subscriber; IMSI=901700000010650 id=901700000010650
@@ -450,7 +451,7 @@ DREF VLR subscr IMSI:901700000010650 usage decreases to: 1
 <-- GSUP rx OSMO_GSUP_MSGT_SEND_AUTH_INFO_RESULT: vlr_gsupc_read_cb() returns 0
   auth_request_sent == 1
   lu_result_sent == 0
-- MS sends Authen Response, VLR accepts and sends GSUP LU Req to HLR
+- MS sends Authen Response, VLR accepts and sends SecurityModeControl
   rx from MS: pdisc=0x05 msg_type=0x54
 DRLL Dispatching 04.08 message, pdisc=5
 DMM IMSI:901700000010650: MM R99 AUTHENTICATION RESPONSE (res = e229c19e791f2e41)
@@ -465,16 +466,28 @@ DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Freeing instan
 DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Deallocated
 DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: Received Event VLR_ULA_E_AUTH_RES
 DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: vlr_loc_upd_post_auth()
-DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: vlr_loc_upd_post_ciph()
+- sending SecurityModeControl for IMSI:901700000010650
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: state_chg to VLR_ULA_S_WAIT_CIPH
+  cipher_mode_cmd_sent == 1
+  lu_result_sent == 0
+- MS sends SecurityModeControl acceptance, VLR accepts and sends GSUP LU Req to HLR
+DIUCS Looking for IuCS subscriber: link_id 0x23, conn_id 2a
+DIUCS   0: IMSI:901700000010650 Iu link 0x23, conn_id 42
+DIUCS subscribers registered: 1
+DIUCS Found IuCS subscriber for link_id 0x23, conn_id 2a
+DIUCS IuCS security mode complete for IMSI:901700000010650
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_CIPH}: Received Event VLR_ULA_E_CIPH_RES
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_CIPH}: vlr_loc_upd_post_ciph()
 DIUCS IMSI:901700000010650: tx CommonID 901700000010650
-DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: vlr_loc_upd_node_4()
-DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: state_chg to VLR_ULA_S_WAIT_HLR_UPD
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_CIPH}: vlr_loc_upd_node_4()
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_CIPH}: state_chg to VLR_ULA_S_WAIT_HLR_UPD
 DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: Allocated
 DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: is child of vlr_lu_fsm(901700000010650)
 DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: Received Event UPD_HLR_VLR_E_START
 DVLR GSUP tx: 04010809710000000156f0
 GSUP --> HLR: OSMO_GSUP_MSGT_UPDATE_LOCATION_REQUEST: 04010809710000000156f0
 DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: state_chg to UPD_HLR_VLR_S_WAIT_FOR_DATA
+  gsup_tx_confirmed == 1
   lu_result_sent == 0
 - HLR sends _INSERT_DATA_REQUEST, VLR responds with _INSERT_DATA_RESULT
 <-- GSUP rx OSMO_GSUP_MSGT_INSERT_DATA_REQUEST: 10010809710000000156f00804032443f2
@@ -579,7 +592,7 @@ DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_INIT}: Received Event SUBSCR_CON
 DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_INIT}: state_chg to SUBSCR_CONN_S_NEW
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: Allocated
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: is child of Subscr_Conn(901700000010650)
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: rev=R99 net=UTRAN Auth (no Ciph)
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: rev=R99 net=UTRAN Auth+Ciph
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: Received Event PR_ARQ_E_START
 DREF VLR subscr MSISDN:42342 usage increases to: 2
 DREF VLR subscr MSISDN:42342 usage increases to: 3
@@ -608,7 +621,7 @@ DRLL Dispatching 04.08 message, pdisc=6
 DRLL subscr MSISDN:42342: Message not permitted for initial conn: pdisc=0x06 msg_type=0x19
 DRLL Dispatching 04.08 message, pdisc=9
 DRLL subscr MSISDN:42342: Message not permitted for initial conn: pdisc=0x09 msg_type=0x01
-- MS sends Authen Response, VLR accepts with a CM Service Accept
+- MS sends Authen Response, VLR accepts and sends SecurityModeControl
   rx from MS: pdisc=0x05 msg_type=0x54
 DRLL Dispatching 04.08 message, pdisc=5
 DMM MSISDN:42342: MM R99 AUTHENTICATION RESPONSE (res = 7db47cf7f81e4dc7)
@@ -624,21 +637,31 @@ DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Deallocated
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: Received Event PR_ARQ_E_AUTH_RES
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: got VLR_AUTH_RES_PASSED
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_node2()
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_node2_post_ciph()
+- sending SecurityModeControl for MSISDN:42342
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: state_chg to PR_ARQ_S_WAIT_CIPH
+  cipher_mode_cmd_sent == 1
+  cm_service_result_sent == 0
+- MS sends SecurityModeControl acceptance, VLR accepts and sends CM Service Accept
+DIUCS Looking for IuCS subscriber: link_id 0x23, conn_id 2a
+DIUCS   0: MSISDN:42342 Iu link 0x23, conn_id 42
+DIUCS subscribers registered: 1
+DIUCS Found IuCS subscriber for link_id 0x23, conn_id 2a
+DIUCS IuCS security mode complete for MSISDN:42342
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: Received Event PR_ARQ_E_CIPH_RES
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_node2_post_ciph()
 DIUCS MSISDN:42342: tx CommonID 901700000010650
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_node2_post_vlr()
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_post_pres()
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_post_trace()
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_post_imei()
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: proc_arq_fsm_done(VLR_PR_ARQ_RES_PASSED)
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: state_chg to PR_ARQ_S_DONE
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_node2_post_vlr()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_post_pres()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_post_trace()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_post_imei()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: proc_arq_fsm_done(VLR_PR_ARQ_RES_PASSED)
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: state_chg to PR_ARQ_S_DONE
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_DONE}: Process Access Request result: VLR_PR_ARQ_RES_PASSED
 - sending CM Service Accept for MSISDN:42342
 DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_NEW}: Received Event SUBSCR_CONN_E_ACCEPTED
 DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_NEW}: SUBSCR_CONN_FROM_CM_SERVICE_REQ
 DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_NEW}: state_chg to SUBSCR_CONN_S_ACCEPTED
 DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: received_cm_service_request = true
-DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: Received Event SUBSCR_CONN_E_BUMP
 DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: Received Event SUBSCR_CONN_E_BUMP
   cm_service_result_sent == 1
 - a USSD request is serviced
@@ -694,7 +717,7 @@ DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_INIT}: Received Event SUBSCR_CON
 DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_INIT}: state_chg to SUBSCR_CONN_S_NEW
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: Allocated
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: is child of Subscr_Conn(901700000010650)
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: rev=R99 net=UTRAN Auth (no Ciph)
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: rev=R99 net=UTRAN Auth+Ciph
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_INIT}: Received Event PR_ARQ_E_START
 DREF VLR subscr MSISDN:42342 usage increases to: 4
 DREF VLR subscr MSISDN:42342 usage increases to: 5
@@ -722,7 +745,7 @@ DRLL Dispatching 04.08 message, pdisc=6
 DRLL subscr MSISDN:42342: Message not permitted for initial conn: pdisc=0x06 msg_type=0x19
 DRLL Dispatching 04.08 message, pdisc=9
 DRLL subscr MSISDN:42342: Message not permitted for initial conn: pdisc=0x09 msg_type=0x01
-- MS sends Authen Response, VLR accepts and sends pending SMS
+- MS sends Authen Response, VLR accepts and sends SecurityModeControl
   rx from MS: pdisc=0x05 msg_type=0x54
 DRLL Dispatching 04.08 message, pdisc=5
 DMM MSISDN:42342: MM R99 AUTHENTICATION RESPONSE (res = 706f996719ba609c)
@@ -738,14 +761,25 @@ DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Deallocated
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: Received Event PR_ARQ_E_AUTH_RES
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: got VLR_AUTH_RES_PASSED
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_node2()
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_node2_post_ciph()
+- sending SecurityModeControl for MSISDN:42342
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: state_chg to PR_ARQ_S_WAIT_CIPH
+  cipher_mode_cmd_sent == 1
+  paging_stopped == 0
+- MS sends SecurityModeControl acceptance, VLR accepts and sends SMS
+DIUCS Looking for IuCS subscriber: link_id 0x23, conn_id 2a
+DIUCS   0: MSISDN:42342 Iu link 0x23, conn_id 42
+DIUCS subscribers registered: 1
+DIUCS Found IuCS subscriber for link_id 0x23, conn_id 2a
+DIUCS IuCS security mode complete for MSISDN:42342
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: Received Event PR_ARQ_E_CIPH_RES
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_node2_post_ciph()
 DIUCS MSISDN:42342: tx CommonID 901700000010650
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_node2_post_vlr()
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_post_pres()
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_post_trace()
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: _proc_arq_vlr_post_imei()
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: proc_arq_fsm_done(VLR_PR_ARQ_RES_PASSED)
-DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_AUTH}: state_chg to PR_ARQ_S_DONE
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_node2_post_vlr()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_post_pres()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_post_trace()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: _proc_arq_vlr_post_imei()
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: proc_arq_fsm_done(VLR_PR_ARQ_RES_PASSED)
+DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_WAIT_CIPH}: state_chg to PR_ARQ_S_DONE
 DVLR Process_Access_Request_VLR(901700000010650){PR_ARQ_S_DONE}: Process Access Request result: VLR_PR_ARQ_RES_PASSED
 DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_NEW}: Received Event SUBSCR_CONN_E_ACCEPTED
 DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_NEW}: SUBSCR_CONN_FROM_PAGING_RESP
@@ -759,8 +793,6 @@ DMSC msc_tx 91 bytes to MSISDN:42342 via RAN_UTRAN_IU
 - DTAP matches expected message
 DREF VLR subscr MSISDN:42342 usage decreases to: 4
 DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: Received Event SUBSCR_CONN_E_BUMP
-DVLR Subscr_Conn(901700000010650){SUBSCR_CONN_S_ACCEPTED}: Received Event SUBSCR_CONN_E_BUMP
-  dtap_tx_confirmed == 1
   paging_stopped == 1
 - SMS was delivered, no requests pending for subscr
 DREF VLR subscr MSISDN:42342 usage increases to: 5
@@ -912,6 +944,7 @@ DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: Received Event UPD_HL
 DVLR GSUP tx: 04010809710000000156f0
 GSUP --> HLR: OSMO_GSUP_MSGT_UPDATE_LOCATION_REQUEST: 04010809710000000156f0
 DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: state_chg to UPD_HLR_VLR_S_WAIT_FOR_DATA
+  gsup_tx_confirmed == 1
   lu_result_sent == 0
 - HLR sends _INSERT_DATA_REQUEST, VLR responds with _INSERT_DATA_RESULT
 <-- GSUP rx OSMO_GSUP_MSGT_INSERT_DATA_REQUEST: 10010809710000000156f00804032443f2
@@ -1023,7 +1056,7 @@ DMM LOCATION UPDATING REQUEST: MI(IMSI)=901700000010650 type=NORMAL
 DMM LU/new-LAC: 0/0
 DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: Allocated
 DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: is child of Subscr_Conn(901700000010650)
-DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: rev=R99 net=UTRAN Auth (no Ciph)
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: rev=R99 net=UTRAN Auth+Ciph
 DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_IDLE}: Received Event VLR_ULA_E_UPDATE_LA
 DREF VLR subscr unknown usage increases to: 1
 DVLR set IMSI on subscriber; IMSI=901700000010650 id=901700000010650
@@ -1082,7 +1115,7 @@ DREF VLR subscr IMSI:901700000010650 usage decreases to: 1
 <-- GSUP rx OSMO_GSUP_MSGT_SEND_AUTH_INFO_RESULT: vlr_gsupc_read_cb() returns 0
   auth_request_sent == 1
   lu_result_sent == 0
-- MS sends Authen Response, VLR accepts and sends GSUP LU Req to HLR
+- MS sends Authen Response, VLR accepts and sends SecurityModeControl
   rx from MS: pdisc=0x05 msg_type=0x54
 DRLL Dispatching 04.08 message, pdisc=5
 DMM IMSI:901700000010650: MM R99 AUTHENTICATION RESPONSE (res = 1df5f0b4f22b696e)
@@ -1097,16 +1130,28 @@ DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Freeing instan
 DVLR VLR_Authenticate(901700000010650){VLR_SUB_AS_AUTHENTICATED}: Deallocated
 DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: Received Event VLR_ULA_E_AUTH_RES
 DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: vlr_loc_upd_post_auth()
-DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: vlr_loc_upd_post_ciph()
+- sending SecurityModeControl for IMSI:901700000010650
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: state_chg to VLR_ULA_S_WAIT_CIPH
+  cipher_mode_cmd_sent == 1
+  lu_result_sent == 0
+- MS sends SecurityModeControl acceptance, VLR accepts and sends GSUP LU Req to HLR
+DIUCS Looking for IuCS subscriber: link_id 0x23, conn_id 2a
+DIUCS   0: IMSI:901700000010650 Iu link 0x23, conn_id 42
+DIUCS subscribers registered: 1
+DIUCS Found IuCS subscriber for link_id 0x23, conn_id 2a
+DIUCS IuCS security mode complete for IMSI:901700000010650
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_CIPH}: Received Event VLR_ULA_E_CIPH_RES
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_CIPH}: vlr_loc_upd_post_ciph()
 DIUCS IMSI:901700000010650: tx CommonID 901700000010650
-DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: vlr_loc_upd_node_4()
-DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_AUTH}: state_chg to VLR_ULA_S_WAIT_HLR_UPD
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_CIPH}: vlr_loc_upd_node_4()
+DVLR vlr_lu_fsm(901700000010650){VLR_ULA_S_WAIT_CIPH}: state_chg to VLR_ULA_S_WAIT_HLR_UPD
 DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: Allocated
 DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: is child of vlr_lu_fsm(901700000010650)
 DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: Received Event UPD_HLR_VLR_E_START
 DVLR GSUP tx: 04010809710000000156f0
 GSUP --> HLR: OSMO_GSUP_MSGT_UPDATE_LOCATION_REQUEST: 04010809710000000156f0
 DVLR upd_hlr_vlr_fsm(901700000010650){UPD_HLR_VLR_S_INIT}: state_chg to UPD_HLR_VLR_S_WAIT_FOR_DATA
+  gsup_tx_confirmed == 1
   lu_result_sent == 0
 - HLR sends _INSERT_DATA_REQUEST, VLR responds with _INSERT_DATA_RESULT
 <-- GSUP rx OSMO_GSUP_MSGT_INSERT_DATA_REQUEST: 10010809710000000156f00804032443f2
diff --git a/openbsc/tests/msc_vlr/msc_vlr_tests.c b/openbsc/tests/msc_vlr/msc_vlr_tests.c
index feef3a0a7..4c0126305 100644
--- a/openbsc/tests/msc_vlr/msc_vlr_tests.c
+++ b/openbsc/tests/msc_vlr/msc_vlr_tests.c
@@ -34,6 +34,8 @@
 #include <openbsc/gsm_04_11.h>
 #include <openbsc/bsc_subscriber.h>
 #include <openbsc/debug.h>
+#include <openbsc/iu.h>
+#include <openbsc/iucs_ranap.h>
 
 #include "msc_vlr_tests.h"
 
@@ -133,6 +135,14 @@ struct gsm_subscriber_connection *conn_new(void)
 	conn = msc_subscr_con_allocate(net);
 	conn->bts = the_bts;
 	conn->via_ran = rx_from_ran;
+	if (conn->via_ran == RAN_UTRAN_IU) {
+		struct ue_conn_ctx *ue_ctx = talloc_zero(conn, struct ue_conn_ctx);
+		*ue_ctx = (struct ue_conn_ctx){
+			.link = (void*)0x23,
+			.conn_id = 42,
+		};
+		conn->iu.ue_ctx = ue_ctx;
+	}
 	return conn;
 }
 
@@ -550,17 +560,40 @@ static int fake_vlr_tx_ciph_mode_cmd(void *msc_conn_ref, enum vlr_ciph ciph,
 	 * gsm0808_cipher_mode() directly. When the MSCSPLIT is ready, check
 	 * the tx bytes in the sense of dtap_expect_tx() above. */
 	struct gsm_subscriber_connection *conn = msc_conn_ref;
-	btw("sending Ciphering Mode Command for %s: cipher=%s kc=%s"
-	    " retrieve_imeisv=%d",
-	    vlr_subscr_name(conn->vsub),
-	    vlr_ciph_name(conn->network->a5_encryption),
-	    osmo_hexdump_nospc(conn->vsub->last_tuple->vec.kc, 8),
-	    retrieve_imeisv);
+	switch (conn->via_ran) {
+	case RAN_GERAN_A:
+		btw("sending Ciphering Mode Command for %s: cipher=%s kc=%s"
+		    " retrieve_imeisv=%d",
+		    vlr_subscr_name(conn->vsub),
+		    vlr_ciph_name(conn->network->a5_encryption),
+		    osmo_hexdump_nospc(conn->vsub->last_tuple->vec.kc, 8),
+		    retrieve_imeisv);
+		break;
+	case RAN_UTRAN_IU:
+		btw("sending SecurityModeControl for %s",
+		    vlr_subscr_name(conn->vsub));
+		break;
+	default:
+		btw("UNKNOWN RAN TYPE %d", conn->via_ran);
+		OSMO_ASSERT(false);
+		return -1;
+	}
 	cipher_mode_cmd_sent = true;
 	cipher_mode_cmd_sent_with_imeisv = retrieve_imeisv;
 	return 0;
 }
 
+void ms_sends_security_mode_complete()
+{
+	OSMO_ASSERT(g_conn);
+	OSMO_ASSERT(g_conn->via_ran == RAN_UTRAN_IU);
+	OSMO_ASSERT(g_conn->iu.ue_ctx);
+	/* TODO mock IEs or call vlr callback directly */
+	iucs_rx_ranap_event(g_conn->network, g_conn->iu.ue_ctx,
+			    IU_EVENT_SECURITY_MODE_COMPLETE,
+			    NULL);
+}
+
 const struct timeval fake_time_start_time = { 123, 456 };
 
 void fake_time_start()
diff --git a/openbsc/tests/msc_vlr/msc_vlr_tests.h b/openbsc/tests/msc_vlr/msc_vlr_tests.h
index 82ff51ada..ae0f83c9a 100644
--- a/openbsc/tests/msc_vlr/msc_vlr_tests.h
+++ b/openbsc/tests/msc_vlr/msc_vlr_tests.h
@@ -98,6 +98,7 @@ void paging_expect_imsi(const char *imsi);
 void paging_expect_tmsi(uint32_t tmsi);
 
 void ms_sends_msg(const char *hex);
+void ms_sends_security_mode_complete();
 void gsup_rx(const char *rx_hex, const char *expect_tx_hex);
 void send_sms(struct vlr_subscr *receiver,
 	      struct vlr_subscr *sender,
@@ -126,7 +127,10 @@ void check_talloc(void *msgb_ctx, void *tall_bsc_ctx, int expected_blocks);
 
 #define gsup_expect_tx(hex) do \
 { \
-	OSMO_ASSERT(!gsup_tx_expected); \
+	if (gsup_tx_expected) { \
+		log("Previous expected GSUP tx was not confirmed!"); \
+		OSMO_ASSERT(!gsup_tx_expected); \
+	} \
 	if (!hex) \
 		break; \
 	gsup_tx_expected = hex; \
-- 
cgit v1.2.3