sgsn: Replace subscr.authenticate by global require_authentication flag

Currently the flag 'authenticate' is managed per subscriber.

This patch replaces that flag by a global cfg.require_authentication
flag that enables/disables the use of the Auth & Ciph procedure for
every subscriber. The flag is set by the VTY, if and only if the
authorization policy is 'remote'.

The VTY command

  - update-subscriber imsi IMSI insert authenticate <0-1>

is removed.

Sponsored-by: On-Waves ehf

4 files changed, 10 insertions, 11 deletions

diff --git a/openbsc/include/openbsc/sgsn.h b/openbsc/include/openbsc/sgsn.h
index 71be1ce2a..798bfde48 100644
--- a/openbsc/include/openbsc/sgsn.h
+++ b/openbsc/include/openbsc/sgsn.h
@@ -30,6 +30,8 @@ struct sgsn_config {
 
 	struct sockaddr_in gsup_server_addr;
 	int gsup_server_port;
+
+	int require_authentication;
 };
 
 struct sgsn_instance {
diff --git a/openbsc/src/gprs/sgsn_auth.c b/openbsc/src/gprs/sgsn_auth.c
index 3755a51d4..83372e857 100644
--- a/openbsc/src/gprs/sgsn_auth.c
+++ b/openbsc/src/gprs/sgsn_auth.c
@@ -110,7 +110,7 @@ enum sgsn_auth_state sgsn_auth_state(struct sgsn_mm_ctx *mmctx)
 		if (mmctx->subscr->flags & GPRS_SUBSCRIBER_UPDATE_PENDING_MASK)
 			return mmctx->auth_state;
 
-		if (mmctx->subscr->sgsn_data->authenticate &&
+		if (sgsn->cfg.require_authentication &&
 		    (!mmctx->is_authenticated ||
 		     mmctx->subscr->sgsn_data->auth_triplets_updated))
 			return SGSN_AUTH_AUTHENTICATE;
@@ -171,7 +171,7 @@ int sgsn_auth_request(struct sgsn_mm_ctx *mmctx)
 
 	OSMO_ASSERT(mmctx->subscr != NULL);
 
-	if (mmctx->subscr->sgsn_data->authenticate && !mmctx->is_authenticated) {
+	if (sgsn->cfg.require_authentication && !mmctx->is_authenticated) {
 		/* Find next tuple */
 		at = sgsn_auth_get_tuple(mmctx, mmctx->auth_triplet.key_seq);
 
diff --git a/openbsc/src/gprs/sgsn_vty.c b/openbsc/src/gprs/sgsn_vty.c
index e9333f562..3ca1570b9 100644
--- a/openbsc/src/gprs/sgsn_vty.c
+++ b/openbsc/src/gprs/sgsn_vty.c
@@ -376,6 +376,7 @@ DEFUN(cfg_auth_policy, cfg_auth_policy_cmd,
 	int val = get_string_value(sgsn_auth_pol_strs, argv[0]);
 	OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_REMOTE);
 	g_cfg->auth_policy = val;
+	g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE);
 
 	return CMD_SUCCESS;
 }
@@ -472,15 +473,14 @@ DEFUN(show_subscr_cache,
 #define UPDATE_SUBSCR_INSERT_HELP "Insert data into the subscriber record\n"
 
 DEFUN(update_subscr_insert, update_subscr_insert_cmd,
-	UPDATE_SUBSCR_STR "insert (authorized|authenticate) (0|1)",
+	UPDATE_SUBSCR_STR "insert authorized <0-1>)",
 	UPDATE_SUBSCR_HELP
 	UPDATE_SUBSCR_INSERT_HELP
 	"Authorize the subscriber to attach\n"
 	"New option value\n")
 {
 	const char *imsi = argv[0];
-	const char *option = argv[1];
-	const char *value = argv[2];
+	const char *value = argv[1];
 
 	struct gsm_subscriber *subscr;
 
@@ -490,10 +490,7 @@ DEFUN(update_subscr_insert, update_subscr_insert_cmd,
 		return CMD_WARNING;
 	}
 
-	if (!strcmp(option, "authorized"))
-		subscr->authorized = atoi(value);
-	else
-		subscr->sgsn_data->authenticate = atoi(value);
+	subscr->authorized = atoi(value);
 
 	subscr_put(subscr);
 
diff --git a/openbsc/tests/sgsn/sgsn_test.c b/openbsc/tests/sgsn/sgsn_test.c
index ebe12c906..7c48eef0a 100644
--- a/openbsc/tests/sgsn/sgsn_test.c
+++ b/openbsc/tests/sgsn/sgsn_test.c
@@ -876,7 +876,7 @@ static void test_gmm_attach_subscr_fake_auth(void)
 
 	subscr = gprs_subscr_get_or_create("123456789012345");
 	subscr->authorized = 1;
-	subscr->sgsn_data->authenticate = 1;
+	sgsn->cfg.require_authentication = 1;
 	subscr_put(subscr);
 
 	printf("Auth policy 'remote', auth faked: ");
@@ -918,7 +918,7 @@ static void test_gmm_attach_subscr_real_auth(void)
 
 	subscr = gprs_subscr_get_or_create("123456789012345");
 	subscr->authorized = 1;
-	subscr->sgsn_data->authenticate = 1;
+	sgsn->cfg.require_authentication = 1;
 	subscr_put(subscr);
 
 	printf("Auth policy 'remote', triplet based auth: ");