Gitiles
Code Review Sign In
gerrit.osmocom.org / osmo-gbproxy / 84125e71670b342c75e1e8b63f3d337e5269ccf8 / . / openbsc / src / gprs / sgsn_auth.c
blob: 4b69a0d10af1ef21ea08a932645d90755b2165c3 [file] [log] [blame]
Jacob Erlbeck4760eae2014-10-24 15:11:03 +0200[diff] [blame]1/* MS authorization and subscriber data handling */
2
3/* (C) 2009-2010 by Harald Welte <laforge@gnumonks.org>
4 *
5 * All Rights Reserved
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU Affero General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU Affero General Public License for more details.
16 *
17 * You should have received a copy of the GNU Affero General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
19 *
20 */
21
Harald Welte35ade5e2016-04-20 17:11:43 +0200[diff] [blame]22#include <osmocom/gsm/protocol/gsm_04_08_gprs.h>
Jacob Erlbeck4760eae2014-10-24 15:11:03 +0200[diff] [blame]23#include <openbsc/sgsn.h>
24#include <openbsc/gprs_sgsn.h>
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]25#include <openbsc/gprs_gmm.h>
Jacob Erlbeckd04f7cc2014-11-12 10:18:09 +0100[diff] [blame]26#include <openbsc/gsm_subscriber.h>
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]27#include <openbsc/debug.h>
28
29const struct value_string auth_state_names[] = {
30 { SGSN_AUTH_ACCEPTED, "accepted"},
31 { SGSN_AUTH_REJECTED, "rejected"},
32 { SGSN_AUTH_UNKNOWN, "unknown"},
Harald Welte84125e72016-05-05 18:31:37 +0200[diff] [blame^]33 { SGSN_AUTH_AUTHENTICATE, "authenticate" },
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]34 { 0, NULL }
35};
Jacob Erlbeck4760eae2014-10-24 15:11:03 +0200[diff] [blame]36
Jacob Erlbeck802d78a2014-11-07 14:17:44 +0100[diff] [blame]37const struct value_string *sgsn_auth_state_names = auth_state_names;
38
Jacob Erlbeckb2acd742014-11-13 10:48:39 +0100[diff] [blame]39void sgsn_auth_init(void)
Jacob Erlbeck4760eae2014-10-24 15:11:03 +0200[diff] [blame]40{
Jacob Erlbeckb2acd742014-11-13 10:48:39 +0100[diff] [blame]41 INIT_LLIST_HEAD(&sgsn->cfg.imsi_acl);
Jacob Erlbeck4760eae2014-10-24 15:11:03 +0200[diff] [blame]42}
43
44/* temporary IMSI ACL hack */
45struct imsi_acl_entry *sgsn_acl_lookup(const char *imsi, struct sgsn_config *cfg)
46{
47 struct imsi_acl_entry *acl;
48 llist_for_each_entry(acl, &cfg->imsi_acl, list) {
49 if (!strcmp(imsi, acl->imsi))
50 return acl;
51 }
52 return NULL;
53}
54
55int sgsn_acl_add(const char *imsi, struct sgsn_config *cfg)
56{
57 struct imsi_acl_entry *acl;
58
59 if (sgsn_acl_lookup(imsi, cfg))
60 return -EEXIST;
61
62 acl = talloc_zero(NULL, struct imsi_acl_entry);
63 if (!acl)
64 return -ENOMEM;
Jacob Erlbeckb485ee92015-01-26 10:38:12 +0100[diff] [blame]65 strncpy(acl->imsi, imsi, sizeof(acl->imsi) - 1);
Jacob Erlbeck4760eae2014-10-24 15:11:03 +0200[diff] [blame]66
67 llist_add(&acl->list, &cfg->imsi_acl);
68
69 return 0;
70}
71
72int sgsn_acl_del(const char *imsi, struct sgsn_config *cfg)
73{
74 struct imsi_acl_entry *acl;
75
76 acl = sgsn_acl_lookup(imsi, cfg);
77 if (!acl)
78 return -ENODEV;
79
80 llist_del(&acl->list);
81 talloc_free(acl);
82
83 return 0;
84}
85
Jacob Erlbeckb2acd742014-11-13 10:48:39 +0100[diff] [blame]86enum sgsn_auth_state sgsn_auth_state(struct sgsn_mm_ctx *mmctx)
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]87{
88 char mccmnc[16];
Jacob Erlbeckd7b77732014-11-04 10:08:37 +0100[diff] [blame]89 int check_net = 0;
90 int check_acl = 0;
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]91
92 OSMO_ASSERT(mmctx);
93
Jacob Erlbeckd7b77732014-11-04 10:08:37 +0100[diff] [blame]94 switch (sgsn->cfg.auth_policy) {
95 case SGSN_AUTH_POLICY_OPEN:
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]96 return SGSN_AUTH_ACCEPTED;
97
Jacob Erlbeckd7b77732014-11-04 10:08:37 +0100[diff] [blame]98 case SGSN_AUTH_POLICY_CLOSED:
99 check_net = 1;
100 check_acl = 1;
101 break;
102
103 case SGSN_AUTH_POLICY_ACL_ONLY:
104 check_acl = 1;
105 break;
Jacob Erlbeckd04f7cc2014-11-12 10:18:09 +0100[diff] [blame]106
107 case SGSN_AUTH_POLICY_REMOTE:
108 if (!mmctx->subscr)
109 return mmctx->auth_state;
110
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]111 if (mmctx->subscr->flags & GPRS_SUBSCRIBER_UPDATE_PENDING_MASK)
Jacob Erlbeckd04f7cc2014-11-12 10:18:09 +0100[diff] [blame]112 return mmctx->auth_state;
113
Jacob Erlbeck16b17ed2014-12-17 13:20:08 +0100[diff] [blame]114 if (sgsn->cfg.require_authentication &&
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]115 (!mmctx->is_authenticated ||
116 mmctx->subscr->sgsn_data->auth_triplets_updated))
Jacob Erlbeckd8126992014-12-08 15:26:47 +0100[diff] [blame]117 return SGSN_AUTH_AUTHENTICATE;
118
Jacob Erlbeckd04f7cc2014-11-12 10:18:09 +0100[diff] [blame]119 if (mmctx->subscr->authorized)
120 return SGSN_AUTH_ACCEPTED;
121
122 return SGSN_AUTH_REJECTED;
Jacob Erlbeckd7b77732014-11-04 10:08:37 +0100[diff] [blame]123 }
124
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]125 if (!strlen(mmctx->imsi)) {
126 LOGMMCTXP(LOGL_NOTICE, mmctx,
127 "Missing IMSI, authorization state not known\n");
128 return SGSN_AUTH_UNKNOWN;
129 }
130
Jacob Erlbeckd7b77732014-11-04 10:08:37 +0100[diff] [blame]131 if (check_net) {
132 /* We simply assume that the IMSI exists, as long as it is part
133 * of 'our' network */
134 snprintf(mccmnc, sizeof(mccmnc), "%03d%02d",
135 mmctx->ra.mcc, mmctx->ra.mnc);
136 if (strncmp(mccmnc, mmctx->imsi, 5) == 0)
137 return SGSN_AUTH_ACCEPTED;
138 }
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]139
Jacob Erlbeckd7b77732014-11-04 10:08:37 +0100[diff] [blame]140 if (check_acl && sgsn_acl_lookup(mmctx->imsi, &sgsn->cfg))
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]141 return SGSN_AUTH_ACCEPTED;
142
143 return SGSN_AUTH_REJECTED;
144}
145
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]146/*
147 * This function is directly called by e.g. the GMM layer. It returns either
148 * after calling sgsn_auth_update directly or after triggering an asynchronous
149 * procedure which will call sgsn_auth_update later on.
150 */
Jacob Erlbeckb2acd742014-11-13 10:48:39 +0100[diff] [blame]151int sgsn_auth_request(struct sgsn_mm_ctx *mmctx)
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]152{
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]153 struct gsm_subscriber *subscr;
154 struct gsm_auth_tuple *at;
155 int need_update_location;
156 int rc;
157
Jacob Erlbeckd04f7cc2014-11-12 10:18:09 +0100[diff] [blame]158 LOGMMCTXP(LOGL_DEBUG, mmctx, "Requesting authorization\n");
159
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]160 if (sgsn->cfg.auth_policy != SGSN_AUTH_POLICY_REMOTE) {
161 sgsn_auth_update(mmctx);
162 return 0;
163 }
164
Jacob Erlbeck6ff7f642014-12-19 18:08:48 +0100[diff] [blame]165 need_update_location = sgsn->cfg.require_update_location &&
166 (mmctx->subscr == NULL ||
167 mmctx->pending_req == GSM48_MT_GMM_ATTACH_REQ);
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]168
169 /* This has the side effect of registering the subscr with the mmctx */
170 subscr = gprs_subscr_get_or_create_by_mmctx(mmctx);
171 subscr_put(subscr);
172
173 OSMO_ASSERT(mmctx->subscr != NULL);
174
Jacob Erlbeck16b17ed2014-12-17 13:20:08 +0100[diff] [blame]175 if (sgsn->cfg.require_authentication && !mmctx->is_authenticated) {
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]176 /* Find next tuple */
177 at = sgsn_auth_get_tuple(mmctx, mmctx->auth_triplet.key_seq);
178
179 if (!at) {
180 /* No valid tuple found, request fresh ones */
181 mmctx->auth_triplet.key_seq = GSM_KEY_SEQ_INVAL;
Jacob Erlbeckd04f7cc2014-11-12 10:18:09 +0100[diff] [blame]182 LOGMMCTXP(LOGL_INFO, mmctx,
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]183 "Requesting authentication tuples\n");
184 rc = gprs_subscr_request_auth_info(mmctx);
185 if (rc >= 0)
186 return 0;
187
188 return rc;
Jacob Erlbeckd04f7cc2014-11-12 10:18:09 +0100[diff] [blame]189 }
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]190
191 mmctx->auth_triplet = *at;
192 } else if (need_update_location) {
193 LOGMMCTXP(LOGL_INFO, mmctx,
194 "Missing information, requesting subscriber data\n");
Jacob Erlbeck6ff7f642014-12-19 18:08:48 +0100[diff] [blame]195 rc = gprs_subscr_request_update_location(mmctx);
196 if (rc >= 0)
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]197 return 0;
Jacob Erlbeck6ff7f642014-12-19 18:08:48 +0100[diff] [blame]198
199 return rc;
Jacob Erlbeckd04f7cc2014-11-12 10:18:09 +0100[diff] [blame]200 }
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]201
Jacob Erlbeckb2acd742014-11-13 10:48:39 +0100[diff] [blame]202 sgsn_auth_update(mmctx);
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]203 return 0;
204}
205
Jacob Erlbeckb2acd742014-11-13 10:48:39 +0100[diff] [blame]206void sgsn_auth_update(struct sgsn_mm_ctx *mmctx)
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]207{
Jacob Erlbeck802d78a2014-11-07 14:17:44 +0100[diff] [blame]208 enum sgsn_auth_state auth_state;
Jacob Erlbeckd04f7cc2014-11-12 10:18:09 +0100[diff] [blame]209 struct gsm_subscriber *subscr = mmctx->subscr;
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]210 struct gsm_auth_tuple *at;
Jacob Erlbeck41010082015-01-05 17:51:17 +0100[diff] [blame]211 int gmm_cause;
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]212
Jacob Erlbeckb2acd742014-11-13 10:48:39 +0100[diff] [blame]213 auth_state = sgsn_auth_state(mmctx);
Jacob Erlbeck56af9f42014-12-19 18:17:10 +0100[diff] [blame]214
215 LOGMMCTXP(LOGL_DEBUG, mmctx, "Updating authorization (%s -> %s)\n",
216 get_value_string(sgsn_auth_state_names, mmctx->auth_state),
217 get_value_string(sgsn_auth_state_names, auth_state));
218
Jacob Erlbeckd04f7cc2014-11-12 10:18:09 +0100[diff] [blame]219 if (auth_state == SGSN_AUTH_UNKNOWN && subscr &&
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]220 !(subscr->flags & GPRS_SUBSCRIBER_UPDATE_PENDING_MASK)) {
221 /* Reject requests if gprs_subscr_request_update_location fails */
Jacob Erlbeck802d78a2014-11-07 14:17:44 +0100[diff] [blame]222 LOGMMCTXP(LOGL_ERROR, mmctx,
223 "Missing information, authorization not possible\n");
224 auth_state = SGSN_AUTH_REJECTED;
225 }
226
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]227 if (auth_state == SGSN_AUTH_AUTHENTICATE &&
228 mmctx->auth_triplet.key_seq == GSM_KEY_SEQ_INVAL) {
229 /* The current tuple is not valid, but we are possibly called
230 * because new auth tuples have been received */
231 at = sgsn_auth_get_tuple(mmctx, mmctx->auth_triplet.key_seq);
232 if (!at) {
233 LOGMMCTXP(LOGL_ERROR, mmctx,
234 "Missing auth tuples, authorization not possible\n");
235 auth_state = SGSN_AUTH_REJECTED;
236 } else {
237 mmctx->auth_triplet = *at;
238 }
239 }
240
Jacob Erlbeck802d78a2014-11-07 14:17:44 +0100[diff] [blame]241 if (mmctx->auth_state == auth_state)
242 return;
243
244 LOGMMCTXP(LOGL_INFO, mmctx, "Got authorization update: state %s -> %s\n",
245 get_value_string(sgsn_auth_state_names, mmctx->auth_state),
246 get_value_string(sgsn_auth_state_names, auth_state));
247
248 mmctx->auth_state = auth_state;
249
250 switch (auth_state) {
Jacob Erlbeckd8126992014-12-08 15:26:47 +0100[diff] [blame]251 case SGSN_AUTH_AUTHENTICATE:
Jacob Erlbeck828059f2014-11-28 14:55:25 +0100[diff] [blame]252 if (subscr)
253 subscr->sgsn_data->auth_triplets_updated = 0;
254
Jacob Erlbeckd8126992014-12-08 15:26:47 +0100[diff] [blame]255 gsm0408_gprs_authenticate(mmctx);
256 break;
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]257 case SGSN_AUTH_ACCEPTED:
258 gsm0408_gprs_access_granted(mmctx);
259 break;
260 case SGSN_AUTH_REJECTED:
Jacob Erlbeckf96779f2015-01-19 11:10:04 +0100[diff] [blame]261 gmm_cause =
262 subscr ? subscr->sgsn_data->error_cause :
263 SGSN_ERROR_CAUSE_NONE;
Jacob Erlbeck41010082015-01-05 17:51:17 +0100[diff] [blame]264
Jacob Erlbeckbf0b8742014-11-11 14:47:38 +0100[diff] [blame]265 if (subscr && (subscr->flags & GPRS_SUBSCRIBER_CANCELLED) != 0)
Jacob Erlbeck41010082015-01-05 17:51:17 +0100[diff] [blame]266 gsm0408_gprs_access_cancelled(mmctx, gmm_cause);
Jacob Erlbeckbf0b8742014-11-11 14:47:38 +0100[diff] [blame]267 else
Jacob Erlbeck41010082015-01-05 17:51:17 +0100[diff] [blame]268 gsm0408_gprs_access_denied(mmctx, gmm_cause);
Jacob Erlbeckc64af7a2014-10-24 18:09:54 +0200[diff] [blame]269 break;
270 default:
271 break;
272 }
273}
Jacob Erlbeckb1332b62014-12-08 15:52:00 +0100[diff] [blame]274
275struct gsm_auth_tuple *sgsn_auth_get_tuple(struct sgsn_mm_ctx *mmctx,
276 unsigned key_seq)
277{
278 unsigned count;
279 unsigned idx;
280 struct gsm_auth_tuple *at = NULL;
281
282 struct sgsn_subscriber_data *sdata;
283
284 if (!mmctx->subscr)
285 return NULL;
286
287 if (key_seq == GSM_KEY_SEQ_INVAL)
288 /* Start with 0 after increment module array size */
289 idx = ARRAY_SIZE(sdata->auth_triplets) - 1;
290 else
291 idx = key_seq;
292
293 sdata = mmctx->subscr->sgsn_data;
294
295 /* Find next tuple */
296 for (count = ARRAY_SIZE(sdata->auth_triplets); count > 0; count--) {
297 idx = (idx + 1) % ARRAY_SIZE(sdata->auth_triplets);
298
299 if (sdata->auth_triplets[idx].key_seq == GSM_KEY_SEQ_INVAL)
300 continue;
301
302 if (sdata->auth_triplets[idx].use_count == 0) {
303 at = &sdata->auth_triplets[idx];
304 at->use_count = 1;
305 return at;
306 }
307 }
308
309 return NULL;
310}