summaryrefslogtreecommitdiffstats
path: root/openbsc/src/gprs
diff options
context:
space:
mode:
authorJacob Erlbeck <jerlbeck@sysmocom.de>2014-11-04 10:08:37 +0100
committerHolger Hans Peter Freyther <holger@moiji-mobile.com>2014-11-14 10:07:28 +0100
commit106f547733450afda1ddbd7e886dc8c902fed4d4 (patch)
tree036fdffd0c378776986c97633263e59bcc406260 /openbsc/src/gprs
parent144b8b1ca77f628ea4cf87ff903b7e79f0abf9dd (diff)
sgsn: Add 'acl-only' authentication policy
Currently the VTY 'auth-policy' command results in setting or clearing the acl_enabled flag. This also enables the matching of the MCC/MNC prefix of the IMSI. This patch adds an additional policy 'acl-only' which disables the MCC/MNC matching and relies on the ACL only. Sponsored-by: On-Waves ehf
Diffstat (limited to 'openbsc/src/gprs')
-rw-r--r--openbsc/src/gprs/sgsn_auth.c30
-rw-r--r--openbsc/src/gprs/sgsn_main.c2
-rw-r--r--openbsc/src/gprs/sgsn_vty.c25
3 files changed, 41 insertions, 16 deletions
diff --git a/openbsc/src/gprs/sgsn_auth.c b/openbsc/src/gprs/sgsn_auth.c
index e123909f2..d2d4913b6 100644
--- a/openbsc/src/gprs/sgsn_auth.c
+++ b/openbsc/src/gprs/sgsn_auth.c
@@ -83,25 +83,41 @@ enum sgsn_auth_state sgsn_auth_state(struct sgsn_mm_ctx *mmctx,
struct sgsn_config *cfg)
{
char mccmnc[16];
+ int check_net = 0;
+ int check_acl = 0;
OSMO_ASSERT(mmctx);
- if (!sgsn->cfg.acl_enabled)
+ switch (sgsn->cfg.auth_policy) {
+ case SGSN_AUTH_POLICY_OPEN:
return SGSN_AUTH_ACCEPTED;
+ case SGSN_AUTH_POLICY_CLOSED:
+ check_net = 1;
+ check_acl = 1;
+ break;
+
+ case SGSN_AUTH_POLICY_ACL_ONLY:
+ check_acl = 1;
+ break;
+ }
+
if (!strlen(mmctx->imsi)) {
LOGMMCTXP(LOGL_NOTICE, mmctx,
"Missing IMSI, authorization state not known\n");
return SGSN_AUTH_UNKNOWN;
}
- /* As a temorary hack, we simply assume that the IMSI exists,
- * as long as it is part of 'our' network */
- snprintf(mccmnc, sizeof(mccmnc), "%03d%02d", mmctx->ra.mcc, mmctx->ra.mnc);
- if (strncmp(mccmnc, mmctx->imsi, 5) == 0)
- return SGSN_AUTH_ACCEPTED;
+ if (check_net) {
+ /* We simply assume that the IMSI exists, as long as it is part
+ * of 'our' network */
+ snprintf(mccmnc, sizeof(mccmnc), "%03d%02d",
+ mmctx->ra.mcc, mmctx->ra.mnc);
+ if (strncmp(mccmnc, mmctx->imsi, 5) == 0)
+ return SGSN_AUTH_ACCEPTED;
+ }
- if (sgsn_acl_lookup(mmctx->imsi, &sgsn->cfg))
+ if (check_acl && sgsn_acl_lookup(mmctx->imsi, &sgsn->cfg))
return SGSN_AUTH_ACCEPTED;
return SGSN_AUTH_REJECTED;
diff --git a/openbsc/src/gprs/sgsn_main.c b/openbsc/src/gprs/sgsn_main.c
index d8e01ff09..c7c852d5e 100644
--- a/openbsc/src/gprs/sgsn_main.c
+++ b/openbsc/src/gprs/sgsn_main.c
@@ -78,7 +78,7 @@ static struct sgsn_instance sgsn_inst = {
.config_file = "osmo_sgsn.cfg",
.cfg = {
.gtp_statedir = "./",
- .acl_enabled = 1,
+ .auth_policy = SGSN_AUTH_POLICY_CLOSED,
},
};
struct sgsn_instance *sgsn = &sgsn_inst;
diff --git a/openbsc/src/gprs/sgsn_vty.c b/openbsc/src/gprs/sgsn_vty.c
index 4c4eef331..63816710e 100644
--- a/openbsc/src/gprs/sgsn_vty.c
+++ b/openbsc/src/gprs/sgsn_vty.c
@@ -41,6 +41,14 @@
static struct sgsn_config *g_cfg = NULL;
+const struct value_string sgsn_auth_pol_strs[] = {
+ { SGSN_AUTH_POLICY_OPEN, "accept-all" },
+ { SGSN_AUTH_POLICY_CLOSED, "closed" },
+ { SGSN_AUTH_POLICY_ACL_ONLY, "acl-only" },
+ { 0, NULL }
+};
+
+
#define GSM48_MAX_APN_LEN 102 /* 10.5.6.1 */
static char *gprs_apn2str(uint8_t *apn, unsigned int len)
{
@@ -127,7 +135,8 @@ static int config_write_sgsn(struct vty *vty)
}
vty_out(vty, " auth-policy %s%s",
- g_cfg->acl_enabled ? "closed" : "accept-all", VTY_NEWLINE);
+ get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy),
+ VTY_NEWLINE);
llist_for_each_entry(acl, &g_cfg->imsi_acl, list)
vty_out(vty, " imsi-acl add %s%s", acl->imsi, VTY_NEWLINE);
@@ -349,15 +358,15 @@ DEFUN(imsi_acl, cfg_imsi_acl_cmd,
}
DEFUN(cfg_auth_policy, cfg_auth_policy_cmd,
- "auth-policy (accept-all|closed)",
+ "auth-policy (accept-all|closed|acl-only)",
"Autorization Policy of SGSN\n"
- "Accept all IMSIs (DANGEROUS\n"
- "Accept only home network subscribers or those in ACL\n")
+ "Accept all IMSIs (DANGEROUS)\n"
+ "Accept only home network subscribers or those in the ACL\n"
+ "Accept only subscribers in the ACL\n")
{
- if (!strcmp(argv[0], "accept-all"))
- g_cfg->acl_enabled = 0;
- else
- g_cfg->acl_enabled = 1;
+ int val = get_string_value(sgsn_auth_pol_strs, argv[0]);
+ OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_ACL_ONLY);
+ g_cfg->auth_policy = val;
return CMD_SUCCESS;
}