Gitiles
Code Review Sign In
gerrit.osmocom.org / osmo-sgsn / 10719b74c362591cd01c3766f74ef03639203e1d / . / src / gprs / sgsn_auth.c
blob: 6fb32b7110c50e94fb69e4dfbbdc6b943c66ccad [file] [log] [blame]
Jacob Erlbeck3b5d4072014-10-24 15:11:03 +0200[diff] [blame]1/* MS authorization and subscriber data handling */
2
3/* (C) 2009-2010 by Harald Welte <laforge@gnumonks.org>
4 *
5 * All Rights Reserved
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU Affero General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU Affero General Public License for more details.
16 *
17 * You should have received a copy of the GNU Affero General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
19 *
20 */
21
Harald Welte53373bc2016-04-20 17:11:43 +0200[diff] [blame]22#include <osmocom/gsm/protocol/gsm_04_08_gprs.h>
Neels Hofmeyr93bafb62017-01-13 03:12:08 +0100[diff] [blame]23#include <osmocom/core/utils.h>
Neels Hofmeyr396f2e62017-09-04 15:13:25 +0200[diff] [blame]24#include <osmocom/sgsn/sgsn.h>
25#include <osmocom/sgsn/gprs_sgsn.h>
26#include <osmocom/sgsn/gprs_gmm.h>
27#include <osmocom/sgsn/gprs_subscriber.h>
28#include <osmocom/sgsn/debug.h>
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]29
30const struct value_string auth_state_names[] = {
31 { SGSN_AUTH_ACCEPTED, "accepted"},
32 { SGSN_AUTH_REJECTED, "rejected"},
33 { SGSN_AUTH_UNKNOWN, "unknown"},
Harald Welte7c55ede2016-05-05 18:31:37 +0200[diff] [blame]34 { SGSN_AUTH_AUTHENTICATE, "authenticate" },
Neels Hofmeyr058cd572017-02-24 06:24:45 +0100[diff] [blame]35 { SGSN_AUTH_UMTS_RESYNC, "UMTS-resync" },
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]36 { 0, NULL }
37};
Jacob Erlbeck3b5d4072014-10-24 15:11:03 +0200[diff] [blame]38
Jacob Erlbeckf951a012014-11-07 14:17:44 +0100[diff] [blame]39const struct value_string *sgsn_auth_state_names = auth_state_names;
40
Jacob Erlbecka0b6efb2014-11-13 10:48:39 +0100[diff] [blame]41void sgsn_auth_init(void)
Jacob Erlbeck3b5d4072014-10-24 15:11:03 +0200[diff] [blame]42{
Jacob Erlbecka0b6efb2014-11-13 10:48:39 +0100[diff] [blame]43 INIT_LLIST_HEAD(&sgsn->cfg.imsi_acl);
Jacob Erlbeck3b5d4072014-10-24 15:11:03 +0200[diff] [blame]44}
45
46/* temporary IMSI ACL hack */
47struct imsi_acl_entry *sgsn_acl_lookup(const char *imsi, struct sgsn_config *cfg)
48{
49 struct imsi_acl_entry *acl;
50 llist_for_each_entry(acl, &cfg->imsi_acl, list) {
51 if (!strcmp(imsi, acl->imsi))
52 return acl;
53 }
54 return NULL;
55}
56
57int sgsn_acl_add(const char *imsi, struct sgsn_config *cfg)
58{
59 struct imsi_acl_entry *acl;
60
61 if (sgsn_acl_lookup(imsi, cfg))
62 return -EEXIST;
63
64 acl = talloc_zero(NULL, struct imsi_acl_entry);
65 if (!acl)
66 return -ENOMEM;
Neels Hofmeyr93bafb62017-01-13 03:12:08 +0100[diff] [blame]67 osmo_strlcpy(acl->imsi, imsi, sizeof(acl->imsi));
Jacob Erlbeck3b5d4072014-10-24 15:11:03 +0200[diff] [blame]68
69 llist_add(&acl->list, &cfg->imsi_acl);
70
71 return 0;
72}
73
74int sgsn_acl_del(const char *imsi, struct sgsn_config *cfg)
75{
76 struct imsi_acl_entry *acl;
77
78 acl = sgsn_acl_lookup(imsi, cfg);
79 if (!acl)
80 return -ENODEV;
81
82 llist_del(&acl->list);
83 talloc_free(acl);
84
85 return 0;
86}
87
Jacob Erlbecka0b6efb2014-11-13 10:48:39 +0100[diff] [blame]88enum sgsn_auth_state sgsn_auth_state(struct sgsn_mm_ctx *mmctx)
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]89{
90 char mccmnc[16];
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]91 int check_net = 0;
92 int check_acl = 0;
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]93
94 OSMO_ASSERT(mmctx);
95
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]96 switch (sgsn->cfg.auth_policy) {
97 case SGSN_AUTH_POLICY_OPEN:
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]98 return SGSN_AUTH_ACCEPTED;
99
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]100 case SGSN_AUTH_POLICY_CLOSED:
101 check_net = 1;
102 check_acl = 1;
103 break;
104
105 case SGSN_AUTH_POLICY_ACL_ONLY:
106 check_acl = 1;
107 break;
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]108
109 case SGSN_AUTH_POLICY_REMOTE:
110 if (!mmctx->subscr)
111 return mmctx->auth_state;
112
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]113 if (mmctx->subscr->flags & GPRS_SUBSCRIBER_UPDATE_PENDING_MASK)
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]114 return mmctx->auth_state;
115
Jacob Erlbeck9d4f46c2014-12-17 13:20:08 +0100[diff] [blame]116 if (sgsn->cfg.require_authentication &&
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]117 (!mmctx->is_authenticated ||
118 mmctx->subscr->sgsn_data->auth_triplets_updated))
Jacob Erlbeck2e5e94c2014-12-08 15:26:47 +0100[diff] [blame]119 return SGSN_AUTH_AUTHENTICATE;
120
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]121 if (mmctx->subscr->authorized)
122 return SGSN_AUTH_ACCEPTED;
123
124 return SGSN_AUTH_REJECTED;
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]125 }
126
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]127 if (!strlen(mmctx->imsi)) {
128 LOGMMCTXP(LOGL_NOTICE, mmctx,
129 "Missing IMSI, authorization state not known\n");
130 return SGSN_AUTH_UNKNOWN;
131 }
132
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]133 if (check_net) {
134 /* We simply assume that the IMSI exists, as long as it is part
135 * of 'our' network */
Neels Hofmeyr10719b72018-02-21 00:39:36 +0100[diff] [blame^]136 snprintf(mccmnc, sizeof(mccmnc), "%s%s",
137 osmo_mcc_name(mmctx->ra.mcc),
138 osmo_mnc_name(mmctx->ra.mnc, mmctx->ra.mnc_3_digits));
139 if (strncmp(mccmnc, mmctx->imsi, mmctx->ra.mnc_3_digits ? 6 : 5) == 0)
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]140 return SGSN_AUTH_ACCEPTED;
141 }
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]142
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]143 if (check_acl && sgsn_acl_lookup(mmctx->imsi, &sgsn->cfg))
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]144 return SGSN_AUTH_ACCEPTED;
145
146 return SGSN_AUTH_REJECTED;
147}
148
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]149/*
150 * This function is directly called by e.g. the GMM layer. It returns either
151 * after calling sgsn_auth_update directly or after triggering an asynchronous
152 * procedure which will call sgsn_auth_update later on.
153 */
Jacob Erlbecka0b6efb2014-11-13 10:48:39 +0100[diff] [blame]154int sgsn_auth_request(struct sgsn_mm_ctx *mmctx)
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]155{
Neels Hofmeyr0e5d8072017-01-10 00:49:56 +0100[diff] [blame]156 struct gprs_subscr *subscr;
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]157 struct gsm_auth_tuple *at;
158 int need_update_location;
159 int rc;
160
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]161 LOGMMCTXP(LOGL_DEBUG, mmctx, "Requesting authorization\n");
162
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]163 if (sgsn->cfg.auth_policy != SGSN_AUTH_POLICY_REMOTE) {
164 sgsn_auth_update(mmctx);
165 return 0;
166 }
167
Jacob Erlbeck771573c2014-12-19 18:08:48 +0100[diff] [blame]168 need_update_location = sgsn->cfg.require_update_location &&
169 (mmctx->subscr == NULL ||
170 mmctx->pending_req == GSM48_MT_GMM_ATTACH_REQ);
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]171
172 /* This has the side effect of registering the subscr with the mmctx */
173 subscr = gprs_subscr_get_or_create_by_mmctx(mmctx);
Neels Hofmeyr0e5d8072017-01-10 00:49:56 +0100[diff] [blame]174 gprs_subscr_put(subscr);
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]175
176 OSMO_ASSERT(mmctx->subscr != NULL);
177
Jacob Erlbeck9d4f46c2014-12-17 13:20:08 +0100[diff] [blame]178 if (sgsn->cfg.require_authentication && !mmctx->is_authenticated) {
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]179 /* Find next tuple */
180 at = sgsn_auth_get_tuple(mmctx, mmctx->auth_triplet.key_seq);
181
182 if (!at) {
183 /* No valid tuple found, request fresh ones */
184 mmctx->auth_triplet.key_seq = GSM_KEY_SEQ_INVAL;
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]185 LOGMMCTXP(LOGL_INFO, mmctx,
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]186 "Requesting authentication tuples\n");
Neels Hofmeyr058cd572017-02-24 06:24:45 +0100[diff] [blame]187 rc = gprs_subscr_request_auth_info(mmctx, NULL, NULL);
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]188 if (rc >= 0)
189 return 0;
190
191 return rc;
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]192 }
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]193
194 mmctx->auth_triplet = *at;
195 } else if (need_update_location) {
196 LOGMMCTXP(LOGL_INFO, mmctx,
197 "Missing information, requesting subscriber data\n");
Jacob Erlbeck771573c2014-12-19 18:08:48 +0100[diff] [blame]198 rc = gprs_subscr_request_update_location(mmctx);
199 if (rc >= 0)
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]200 return 0;
Jacob Erlbeck771573c2014-12-19 18:08:48 +0100[diff] [blame]201
202 return rc;
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]203 }
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]204
Jacob Erlbecka0b6efb2014-11-13 10:48:39 +0100[diff] [blame]205 sgsn_auth_update(mmctx);
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]206 return 0;
207}
208
Jacob Erlbecka0b6efb2014-11-13 10:48:39 +0100[diff] [blame]209void sgsn_auth_update(struct sgsn_mm_ctx *mmctx)
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]210{
Jacob Erlbeckf951a012014-11-07 14:17:44 +0100[diff] [blame]211 enum sgsn_auth_state auth_state;
Neels Hofmeyr0e5d8072017-01-10 00:49:56 +0100[diff] [blame]212 struct gprs_subscr *subscr = mmctx->subscr;
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]213 struct gsm_auth_tuple *at;
Jacob Erlbeckaf3d5c52015-01-05 17:51:17 +0100[diff] [blame]214 int gmm_cause;
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]215
Jacob Erlbecka0b6efb2014-11-13 10:48:39 +0100[diff] [blame]216 auth_state = sgsn_auth_state(mmctx);
Jacob Erlbeck3ea22602014-12-19 18:17:10 +0100[diff] [blame]217
218 LOGMMCTXP(LOGL_DEBUG, mmctx, "Updating authorization (%s -> %s)\n",
219 get_value_string(sgsn_auth_state_names, mmctx->auth_state),
220 get_value_string(sgsn_auth_state_names, auth_state));
221
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]222 if (auth_state == SGSN_AUTH_UNKNOWN && subscr &&
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]223 !(subscr->flags & GPRS_SUBSCRIBER_UPDATE_PENDING_MASK)) {
224 /* Reject requests if gprs_subscr_request_update_location fails */
Jacob Erlbeckf951a012014-11-07 14:17:44 +0100[diff] [blame]225 LOGMMCTXP(LOGL_ERROR, mmctx,
226 "Missing information, authorization not possible\n");
227 auth_state = SGSN_AUTH_REJECTED;
228 }
229
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]230 if (auth_state == SGSN_AUTH_AUTHENTICATE &&
231 mmctx->auth_triplet.key_seq == GSM_KEY_SEQ_INVAL) {
232 /* The current tuple is not valid, but we are possibly called
233 * because new auth tuples have been received */
234 at = sgsn_auth_get_tuple(mmctx, mmctx->auth_triplet.key_seq);
235 if (!at) {
236 LOGMMCTXP(LOGL_ERROR, mmctx,
237 "Missing auth tuples, authorization not possible\n");
238 auth_state = SGSN_AUTH_REJECTED;
239 } else {
240 mmctx->auth_triplet = *at;
241 }
242 }
243
Jacob Erlbeckf951a012014-11-07 14:17:44 +0100[diff] [blame]244 if (mmctx->auth_state == auth_state)
245 return;
246
247 LOGMMCTXP(LOGL_INFO, mmctx, "Got authorization update: state %s -> %s\n",
248 get_value_string(sgsn_auth_state_names, mmctx->auth_state),
249 get_value_string(sgsn_auth_state_names, auth_state));
250
251 mmctx->auth_state = auth_state;
252
253 switch (auth_state) {
Jacob Erlbeck2e5e94c2014-12-08 15:26:47 +0100[diff] [blame]254 case SGSN_AUTH_AUTHENTICATE:
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]255 if (subscr)
256 subscr->sgsn_data->auth_triplets_updated = 0;
257
Jacob Erlbeck2e5e94c2014-12-08 15:26:47 +0100[diff] [blame]258 gsm0408_gprs_authenticate(mmctx);
259 break;
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]260 case SGSN_AUTH_ACCEPTED:
261 gsm0408_gprs_access_granted(mmctx);
262 break;
263 case SGSN_AUTH_REJECTED:
Jacob Erlbeckd6267d12015-01-19 11:10:04 +0100[diff] [blame]264 gmm_cause =
265 subscr ? subscr->sgsn_data->error_cause :
266 SGSN_ERROR_CAUSE_NONE;
Jacob Erlbeckaf3d5c52015-01-05 17:51:17 +0100[diff] [blame]267
Jacob Erlbeck98647ca2014-11-11 14:47:38 +0100[diff] [blame]268 if (subscr && (subscr->flags & GPRS_SUBSCRIBER_CANCELLED) != 0)
Jacob Erlbeckaf3d5c52015-01-05 17:51:17 +0100[diff] [blame]269 gsm0408_gprs_access_cancelled(mmctx, gmm_cause);
Jacob Erlbeck98647ca2014-11-11 14:47:38 +0100[diff] [blame]270 else
Jacob Erlbeckaf3d5c52015-01-05 17:51:17 +0100[diff] [blame]271 gsm0408_gprs_access_denied(mmctx, gmm_cause);
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]272 break;
273 default:
274 break;
275 }
276}
Jacob Erlbeck7921ab12014-12-08 15:52:00 +0100[diff] [blame]277
278struct gsm_auth_tuple *sgsn_auth_get_tuple(struct sgsn_mm_ctx *mmctx,
279 unsigned key_seq)
280{
281 unsigned count;
282 unsigned idx;
283 struct gsm_auth_tuple *at = NULL;
284
285 struct sgsn_subscriber_data *sdata;
286
287 if (!mmctx->subscr)
288 return NULL;
289
290 if (key_seq == GSM_KEY_SEQ_INVAL)
291 /* Start with 0 after increment module array size */
292 idx = ARRAY_SIZE(sdata->auth_triplets) - 1;
293 else
294 idx = key_seq;
295
296 sdata = mmctx->subscr->sgsn_data;
297
298 /* Find next tuple */
299 for (count = ARRAY_SIZE(sdata->auth_triplets); count > 0; count--) {
300 idx = (idx + 1) % ARRAY_SIZE(sdata->auth_triplets);
301
302 if (sdata->auth_triplets[idx].key_seq == GSM_KEY_SEQ_INVAL)
303 continue;
304
305 if (sdata->auth_triplets[idx].use_count == 0) {
306 at = &sdata->auth_triplets[idx];
307 at->use_count = 1;
308 return at;
309 }
310 }
311
312 return NULL;
313}