From 106f547733450afda1ddbd7e886dc8c902fed4d4 Mon Sep 17 00:00:00 2001
From: Jacob Erlbeck
Date: Tue, 4 Nov 2014 10:08:37 +0100
Subject: sgsn: Add 'acl-only' authentication policy

Currently the VTY 'auth-policy' command results in setting or clearing the acl_enabled flag. This also enables the matching of the MCC/MNC prefix of the IMSI. This patch adds an additional policy 'acl-only' which disables the MCC/MNC matching and relies on the ACL only.
Sponsored-by: On-Waves ehf
---
 openbsc/src/gprs/sgsn_auth.c | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)
(limited to 'openbsc/src/gprs/sgsn_auth.c')
diff --git a/openbsc/src/gprs/sgsn_auth.c b/openbsc/src/gprs/sgsn_auth.c
index e123909f2..d2d4913b6 100644
--- a/openbsc/src/gprs/sgsn_auth.c
+++ b/openbsc/src/gprs/sgsn_auth.c
@@ -83,25 +83,41 @@ enum sgsn_auth_state sgsn_auth_state(struct sgsn_mm_ctx *mmctx,
 struct sgsn_config *cfg)
 {
 char mccmnc[16];
+ int check_net = 0;
+ int check_acl = 0;
 OSMO_ASSERT(mmctx);
- if (!sgsn->cfg.acl_enabled)
+ switch (sgsn->cfg.auth_policy) {
+ case SGSN_AUTH_POLICY_OPEN:
 return SGSN_AUTH_ACCEPTED;
+ case SGSN_AUTH_POLICY_CLOSED:
+ check_net = 1;
+ check_acl = 1;
+ break;
+
+ case SGSN_AUTH_POLICY_ACL_ONLY:
+ check_acl = 1;
+ break;
+ }
+
 if (!strlen(mmctx->imsi)) {
 LOGMMCTXP(LOGL_NOTICE, mmctx, "Missing IMSI, authorization state not known\n");
 return SGSN_AUTH_UNKNOWN;
 }
- /* As a temorary hack, we simply assume that the IMSI exists,
- * as long as it is part of 'our' network */
- snprintf(mccmnc, sizeof(mccmnc), "%03d%02d", mmctx->ra.mcc, mmctx->ra.mnc);
- if (strncmp(mccmnc, mmctx->imsi, 5) == 0)
- return SGSN_AUTH_ACCEPTED;
+ if (check_net) {
+ /* We simply assume that the IMSI exists, as long as it is part
+ * of 'our' network */
+ snprintf(mccmnc, sizeof(mccmnc), "%03d%02d",
+ mmctx->ra.mcc, mmctx->ra.mnc);
+ if (strncmp(mccmnc, mmctx->imsi, 5) == 0)
+ return SGSN_AUTH_ACCEPTED;
+ }
- if (sgsn_acl_lookup(mmctx->imsi, &sgsn->cfg))
+ if (check_acl && sgsn_acl_lookup(mmctx->imsi, &sgsn->cfg))
 return SGSN_AUTH_ACCEPTED;
 return SGSN_AUTH_REJECTED;
-- 
cgit v1.2.3
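Review bot: The new `switch (sgsn->cfg.auth_policy)` and the `sgsn_acl_lookup(mmctx->imsi, &sgsn->cfg)` call read the global configuration, while the `cfg` parameter in the signature is not used anywhere in the visible body, so a caller that passes a different configuration still gets a decision based on the global policy and ACL. If `cfg` is meant to be authoritative, `switch (cfg->auth_policy) {` and `sgsn_acl_lookup(mmctx->imsi, cfg)` would tie the result to the argument, presumably with an `OSMO_ASSERT(cfg);` next to the existing assert. The switch also has no `default:` arm; an unexpected policy value leaves both flags at 0 and, once an IMSI is present, ends in `SGSN_AUTH_REJECTED`, which is the safe outcome, and a `default:` with a comment such as `/* unknown policy: no check enabled, falls through to REJECTED */` would make that intent explicit. The function's closing brace is outside the hunk.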