authorIvan Kluchnikov <kluchnikovi@gmail.com>2015-12-11 19:24:07 +0300
committerIvan Kluchnikov <kluchnikovi@gmail.com>2017-02-07 18:59:54 +0300
commitdb0e216845a7859bf878a891e2a210dbef6395df (patch)
tree0b8be144ed907f777298ec18c68328913f82c202 /openbsc
parent2d9f39ec43254589c6487698d067774199ae7bcd (diff)
msc: Implement 'remote-closed' authentication policy
This mode is a modified version of the 'remote' policy. Osmo-nitb uses remote subscription data only if the MS is activated in the local HLR; otherwise osmo-nitb rejects the subscriber.
Diffstat (limited to 'openbsc')
-rw-r--r--openbsc/include/openbsc/gsm_data.h1
-rw-r--r--openbsc/src/libcommon-cs/common_cs_vty.c5
-rw-r--r--openbsc/src/libcommon/gsm_data.c1
-rw-r--r--openbsc/src/libmsc/auth.c6
-rw-r--r--openbsc/src/libmsc/gsm_04_08.c7
-rw-r--r--openbsc/src/osmo-nitb/bsc_hack.c5
6 files changed, 18 insertions, 7 deletions
diff --git a/openbsc/include/openbsc/gsm_data.h b/openbsc/include/openbsc/gsm_data.h
index 4504988b5..606ea61a1 100644
--- a/openbsc/include/openbsc/gsm_data.h
+++ b/openbsc/include/openbsc/gsm_data.h
@@ -269,6 +269,7 @@ enum gsm_auth_policy {
GSM_AUTH_POLICY_TOKEN, /* accept first, send token per sms, then revoke authorization */
GSM_AUTH_POLICY_REGEXP, /* accept IMSIs matching given regexp */
GSM_AUTH_POLICY_REMOTE,
+ GSM_AUTH_POLICY_REMOTE_CLOSED
};
#define GSM_T3101_DEFAULT 10
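Review bot: The new enumerator `GSM_AUTH_POLICY_REMOTE_CLOSED` has no comment, while the TOKEN and REGEXP entries above it each say what the policy accepts. This value selects an access-control mode, so a one-line description based on the commit message would help, for example `GSM_AUTH_POLICY_REMOTE_CLOSED, /* like REMOTE, but only for MS authorized in the local HLR */`. The trailing comma also keeps the next addition to a one-line diff.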
diff --git a/openbsc/src/libcommon-cs/common_cs_vty.c b/openbsc/src/libcommon-cs/common_cs_vty.c
index 1d7e28f3a..2d215cae0 100644
--- a/openbsc/src/libcommon-cs/common_cs_vty.c
+++ b/openbsc/src/libcommon-cs/common_cs_vty.c
@@ -105,14 +105,15 @@ DEFUN(cfg_net_name_long,
DEFUN(cfg_net_auth_policy,
cfg_net_auth_policy_cmd,
- "auth policy (closed|accept-all|regexp|token|remote)",
+ "auth policy (closed|accept-all|regexp|token|remote|remote-closed)",
"Authentication (not cryptographic)\n"
"Set the GSM network authentication policy\n"
"Require the MS to be activated in HLR\n"
"Accept all MS, whether in HLR or not\n"
"Use regular expression for IMSI authorization decision\n"
"Use SMS-token based authentication\n"
- "Use remote subscription data only (HLR)\n")
+ "Use remote subscription data only (HLR)\n"
+ "Use remote subscription data if the MS is activated in local HLR\n")
{
enum gsm_auth_policy policy = gsm_auth_policy_parse(argv[0]);
struct gsm_network *gsmnet = gsmnet_from_vty(vty);
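Review bot: The help string added for `remote-closed` says when remote data is used but not what happens to an MS that is not activated locally. The commit message states that such subscribers are rejected, and an operator choosing between `remote` and `remote-closed` needs that distinction in the VTY help. Suggested wording: `"Use remote subscription data only if the MS is activated in the local HLR, reject otherwise\n"`. The body of the DEFUN continues past the end of this hunk.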
diff --git a/openbsc/src/libcommon/gsm_data.c b/openbsc/src/libcommon/gsm_data.c
index 6419e1932..adbcb8041 100644
--- a/openbsc/src/libcommon/gsm_data.c
+++ b/openbsc/src/libcommon/gsm_data.c
@@ -164,6 +164,7 @@ static const struct value_string auth_policy_names[] = {
{ GSM_AUTH_POLICY_TOKEN, "token" },
{ GSM_AUTH_POLICY_REGEXP, "regexp" },
{ GSM_AUTH_POLICY_REMOTE, "remote" },
+ { GSM_AUTH_POLICY_REMOTE_CLOSED, "remote-closed" },
{ 0, NULL }
};
diff --git a/openbsc/src/libmsc/auth.c b/openbsc/src/libmsc/auth.c
index 90376744c..edd6f58fc 100644
--- a/openbsc/src/libmsc/auth.c
+++ b/openbsc/src/libmsc/auth.c
@@ -89,7 +89,8 @@ int auth_get_tuple_for_subscr(enum gsm_auth_policy auth_policy,
struct gsm_auth_info ainfo;
int rc;
- if (auth_policy != GSM_AUTH_POLICY_REMOTE) {
+ if (auth_policy != GSM_AUTH_POLICY_REMOTE &&
+ auth_policy != GSM_AUTH_POLICY_REMOTE_CLOSED) {
/* Get subscriber info (if any) */
rc = db_get_authinfo_for_subscr(&ainfo, subscr);
if (rc < 0) {
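Review bot: The pair test `auth_policy != GSM_AUTH_POLICY_REMOTE && auth_policy != GSM_AUTH_POLICY_REMOTE_CLOSED` is now written out by hand here, again in the second hunk of this file, in `gsm48_secure_channel()` in gsm_04_08.c and in `main()` in bsc_hack.c. Every future remote-style policy has to be added at each of these sites, and missing one would silently send that policy down the local-database path. A small predicate next to the enum in gsm_data.h (suggested name `gsm_auth_policy_is_remote()`, returning true for both values) would keep the decision in one place, so this line becomes `if (!gsm_auth_policy_is_remote(auth_policy)) {`. The function body continues outside the hunk.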
@@ -112,7 +113,8 @@ int auth_get_tuple_for_subscr(enum gsm_auth_policy auth_policy,
return AUTH_DO_CIPH;
}
- if (auth_policy == GSM_AUTH_POLICY_REMOTE) {
+ if (auth_policy == GSM_AUTH_POLICY_REMOTE ||
+ auth_policy == GSM_AUTH_POLICY_REMOTE_CLOSED) {
/* Request a new tuple from remote HLR */
return 0;
}
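Review bot: For `remote-closed` this branch returns 0 without ever consulting the local database, so as far as the visible hunks show, the local-HLR check that distinguishes this policy from `remote` is made only in `authorize_subscriber()` in gsm_04_08.c. That split is easy to miss when reading this function on its own, and a comment here would record it: `/* remote-closed: local authorization is enforced in authorize_subscriber(), not here */`. It would be worth confirming that every caller of `auth_get_tuple_for_subscr()` is reached only after that check. The callers other than `gsm48_secure_channel()` are not visible on this page.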
diff --git a/openbsc/src/libmsc/gsm_04_08.c b/openbsc/src/libmsc/gsm_04_08.c
index 5126c986b..14eade9c6 100644
--- a/openbsc/src/libmsc/gsm_04_08.c
+++ b/openbsc/src/libmsc/gsm_04_08.c
@@ -214,7 +214,8 @@ int gsm48_secure_channel(struct gsm_subscriber_connection *conn, int key_seq,
/* If not done yet, try to get info for this user */
if (status < 0) {
rc = auth_get_tuple_for_subscr(net->auth_policy, &atuple, subscr, key_seq);
- if ((rc == 0) && (net->auth_policy == GSM_AUTH_POLICY_REMOTE)) {
+ if ((rc == 0) && (net->auth_policy == GSM_AUTH_POLICY_REMOTE ||
+ net->auth_policy == GSM_AUTH_POLICY_REMOTE_CLOSED)) {
allocate_security_operation(conn);
conn->sec_operation->cb = cb;
conn->sec_operation->cb_data = cb_data;
@@ -297,6 +298,10 @@ static int authorize_subscriber(struct gsm_loc_updating_operation *loc,
return (subscriber->flags & GSM_SUBSCRIBER_FIRST_CONTACT);
case GSM_AUTH_POLICY_ACCEPT_ALL:
return 1;
+ case GSM_AUTH_POLICY_REMOTE_CLOSED:
+ if (!subscriber->authorized) {
+ return subscriber->authorized;
+ }
case GSM_AUTH_POLICY_REMOTE:
if (loc->waiting_for_remote_accept) {
subscr_location_update(subscriber);
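Review bot: The new `case GSM_AUTH_POLICY_REMOTE_CLOSED:` falls through into `case GSM_AUTH_POLICY_REMOTE:` without any marker. Since this switch is the authorization decision, a later edit that inserts a case or a `break` between the two labels would change who is admitted without any warning. Adding `/* fall through: locally authorized, continue with the remote policy */` after the `if` block makes the intent explicit and silences `-Wimplicit-fallthrough`. Inside the guard, `return subscriber->authorized;` is always the falsy value at that point, so `return 0;` says the same thing more directly. The rest of `authorize_subscriber()` lies outside the hunk.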
diff --git a/openbsc/src/osmo-nitb/bsc_hack.c b/openbsc/src/osmo-nitb/bsc_hack.c
index b74b71f14..86a36b793 100644
--- a/openbsc/src/osmo-nitb/bsc_hack.c
+++ b/openbsc/src/osmo-nitb/bsc_hack.c
@@ -368,8 +368,9 @@ int main(int argc, char **argv)
}
printf("DB: Database prepared.\n");
- /* Prepare HLR SUP socket if auth policy is "remote" */
- if (bsc_gsmnet->auth_policy == GSM_AUTH_POLICY_REMOTE) {
+ /* Prepare HLR SUP socket if auth policy is "remote" or "remote-closed"*/
+ if (bsc_gsmnet->auth_policy == GSM_AUTH_POLICY_REMOTE ||
+ bsc_gsmnet->auth_policy == GSM_AUTH_POLICY_REMOTE_CLOSED) {
bsc_gsmnet->hlr_sup_client = gprs_gsup_client_create(
"127.0.0.1", 8183,
&sup_read_cb);