authorNeels Hofmeyr <nhofmeyr@sysmocom.de>2016-03-07 16:53:02 +0100
committerNeels Hofmeyr <nhofmeyr@sysmocom.de>2016-03-14 23:58:23 +0100
commit4a9b871de5fb8167ba678165ccdbad808fec4116 (patch)
tree4acf11aaf4575357d2b1e396b38f895ffb832701
parent93f6fa5a814e888e8ed93c0536e0d94beed8f144 (diff)
Adjust authentication logic for Iu, move a log notice
Depending on conn->via_iface, fail upon missing auth for 3G. Move the log notice saying "skipping auth" to gsm48_secure_channel() where conn->via_iface is actually known.
-rw-r--r--openbsc/src/libmsc/auth.c2
-rw-r--r--openbsc/src/libmsc/gsm_04_08.c31
2 files changed, 27 insertions, 6 deletions
diff --git a/openbsc/src/libmsc/auth.c b/openbsc/src/libmsc/auth.c
index 65a9b03c4..322ea376b 100644
--- a/openbsc/src/libmsc/auth.c
+++ b/openbsc/src/libmsc/auth.c
@@ -82,8 +82,6 @@ int auth_get_tuple_for_subscr(struct gsm_auth_tuple *atuple,
/* Get subscriber info (if any) */
rc = db_get_authinfo_for_subscr(&ainfo, subscr);
if (rc < 0) {
- LOGP(DMM, LOGL_NOTICE,
- "No retrievable Ki for subscriber, skipping auth\n");
return rc == -ENOENT ? AUTH_NOT_AVAIL : -1;
}
diff --git a/openbsc/src/libmsc/gsm_04_08.c b/openbsc/src/libmsc/gsm_04_08.c
index 84a024e1e..4b82830a7 100644
--- a/openbsc/src/libmsc/gsm_04_08.c
+++ b/openbsc/src/libmsc/gsm_04_08.c
@@ -156,7 +156,14 @@ int gsm48_secure_channel(struct gsm_subscriber_connection *conn, int key_seq,
* - Subscriber equipment doesn't support configured encryption
*/
if (!net->a5_encryption) {
- status = GSM_SECURITY_NOAVAIL;
+ if (conn->via_iface == IFACE_IU) {
+ DEBUGP(DMM, "No A5 encryption configured, but doing"
+ " authentication as required by Iu\n");
+ status = -1;
+ } else {
+ DEBUGP(DMM, "No A5 encryption configured\n");
+ status = GSM_SECURITY_NOAVAIL;
+ }
} else if (conn->encr.alg_id > RSL_ENC_ALG_A5(0)) {
DEBUGP(DMM, "Requesting to secure an already secure channel");
status = GSM_SECURITY_ALREADY;
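Review bot: Both new `else` branches on `conn->via_iface` (here and inside the `rc <= 0` block of the next hunk) send every value other than `IFACE_IU` down the no-authentication path, so a connection whose interface was never set or holds an unexpected value would silently get the weaker 2G behaviour. The enum's other values are not visible on this page, so this is inferred; if an unset or unknown value exists, compare against the A-interface value explicitly and let everything else require authentication. Separately, `status = -1` is a bare sentinel that only works because of the `if (status < 0)` test further down, and a comment such as `/* negative: force the tuple lookup below */` would make that dependency visible. The body of gsm48_secure_channel() starts and ends outside this hunk.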
@@ -169,8 +176,22 @@ int gsm48_secure_channel(struct gsm_subscriber_connection *conn, int key_seq,
/* If not done yet, try to get info for this user */
if (status < 0) {
rc = auth_get_tuple_for_subscr(&atuple, subscr, key_seq);
- if (rc <= 0)
- status = GSM_SECURITY_NOAVAIL;
+ DEBUGP(DMM, "auth_get_tuple_for_subscr(%s) == %d\n",
+ subscr_name(subscr), rc);
+ if (rc <= 0) {
+ if (conn->via_iface == IFACE_IU) {
+ LOGP(DMM, LOGL_ERROR,
+ "Iu requires authentication but no"
+ " retreivable Ki for subscriber %s\n",
+ subscr_name(subscr));
+ status = GSM_SECURITY_AUTH_FAILED;
+ } else {
+ LOGP(DMM, LOGL_NOTICE,
+ "No retrievable Ki for subscriber,"
+ " skipping auth\n");
+ status = GSM_SECURITY_NOAVAIL;
+ }
+ }
}
/* Are we done yet ? */
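Review bot: On the non-Iu branch, `rc <= 0` folds a lookup failure into the same path as a subscriber that simply has no Ki. The auth.c hunk in this commit returns `-1` for any database error other than `-ENOENT`, and that case still ends in `GSM_SECURITY_NOAVAIL` with the notice "skipping auth". If `GSM_SECURITY_NOAVAIL` lets the caller proceed unauthenticated (not visible here), a transient database error would switch authentication off for that subscriber. Consider handling `rc < 0` first, on both interfaces, with `status = GSM_SECURITY_AUTH_FAILED;` and an error-level log. The new Iu message also misspells "retreivable", and the 2G notice would be easier to correlate if it carried `subscr_name(subscr)` like the Iu one.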
@@ -354,7 +375,9 @@ static int _gsm0408_authorize_sec_cb(unsigned int hooknum, unsigned int event,
LOGP(DMM, LOGL_ERROR,
"Authorization failed for subscriber %s\n",
subscr_name(conn->subscr));
- /* fall through */
+ rc = -1;
+ break;
+
default:
LOGP(DMM, LOGL_DEBUG, "invalid authorization event\n");
rc = -EINVAL;
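Review bot: `rc = -1` is a bare value sitting next to the `-EINVAL` used by the `default:` arm, so the two failure paths follow different return-code conventions. If callers only test for non-zero this is harmless, but a named errno (for example `rc = -EACCES;`) would keep the convention uniform and make an authentication failure identifiable from the code alone; how callers use the value is not visible here. A short comment such as `/* auth failed: report it, do not fall into the invalid-event arm */` would also record why the fall-through was removed. The `case` label and the enclosing switch start outside this hunk.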