sgsn: Add 'acl-only' authentication policy
Currently the VTY 'auth-policy' command results in setting or clearing
the acl_enabled flag. This also enables the matching of the MCC/MNC
prefix of the IMSI.
This patch adds an additional policy 'acl-only' which disables the
MCC/MNC matching and relies on the ACL only.
Sponsored-by: On-Waves ehf
diff --git a/openbsc/src/gprs/sgsn_auth.c b/openbsc/src/gprs/sgsn_auth.c
index e123909..d2d4913 100644
--- a/openbsc/src/gprs/sgsn_auth.c
+++ b/openbsc/src/gprs/sgsn_auth.c
@@ -83,25 +83,41 @@
struct sgsn_config *cfg)
{
char mccmnc[16];
+ int check_net = 0;
+ int check_acl = 0;
OSMO_ASSERT(mmctx);
- if (!sgsn->cfg.acl_enabled)
+ switch (sgsn->cfg.auth_policy) {
+ case SGSN_AUTH_POLICY_OPEN:
return SGSN_AUTH_ACCEPTED;
+ case SGSN_AUTH_POLICY_CLOSED:
+ check_net = 1;
+ check_acl = 1;
+ break;
+
+ case SGSN_AUTH_POLICY_ACL_ONLY:
+ check_acl = 1;
+ break;
+ }
+
if (!strlen(mmctx->imsi)) {
LOGMMCTXP(LOGL_NOTICE, mmctx,
"Missing IMSI, authorization state not known\n");
return SGSN_AUTH_UNKNOWN;
}
- /* As a temorary hack, we simply assume that the IMSI exists,
- * as long as it is part of 'our' network */
- snprintf(mccmnc, sizeof(mccmnc), "%03d%02d", mmctx->ra.mcc, mmctx->ra.mnc);
- if (strncmp(mccmnc, mmctx->imsi, 5) == 0)
- return SGSN_AUTH_ACCEPTED;
+ if (check_net) {
+ /* We simply assume that the IMSI exists, as long as it is part
+ * of 'our' network */
+ snprintf(mccmnc, sizeof(mccmnc), "%03d%02d",
+ mmctx->ra.mcc, mmctx->ra.mnc);
+ if (strncmp(mccmnc, mmctx->imsi, 5) == 0)
+ return SGSN_AUTH_ACCEPTED;
+ }
- if (sgsn_acl_lookup(mmctx->imsi, &sgsn->cfg))
+ if (check_acl && sgsn_acl_lookup(mmctx->imsi, &sgsn->cfg))
return SGSN_AUTH_ACCEPTED;
return SGSN_AUTH_REJECTED;
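Review bot: The new `switch` reads `sgsn->cfg.auth_policy`, and the ACL lookup still passes `&sgsn->cfg`, although the function receives a `cfg` argument (only the tail of the signature is visible as the first context line; the rest is outside the hunk). If `cfg` is meant to be the configuration under evaluation, the policy decision should come from it: `switch (cfg->auth_policy) {` and `if (check_acl && sgsn_acl_lookup(mmctx->imsi, cfg))`. The switch also has no `default:`; an unexpected policy value leaves both flags at 0 and ends in `SGSN_AUTH_REJECTED` for any non-empty IMSI, which fails closed but silently, so a `default:` that logs the value and breaks would make a misconfiguration visible. A comment above the `check_net` block should also state that under the closed policy an IMSI whose first five digits equal the formatted MCC/MNC is accepted before the ACL is consulted.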