Gitiles
Code Review Sign In
gerrit.osmocom.org / osmo-sgsn / 882200929f0f5173086664a77ec88cde34253640 / . / src / gprs / sgsn_auth.c
blob: b8d8035905ae092d9c65cd25158aea97e2864ff2 [file] [log] [blame]
Jacob Erlbeck3b5d4072014-10-24 15:11:03 +0200[diff] [blame]1/* MS authorization and subscriber data handling */
2
3/* (C) 2009-2010 by Harald Welte <laforge@gnumonks.org>
4 *
5 * All Rights Reserved
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU Affero General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU Affero General Public License for more details.
16 *
17 * You should have received a copy of the GNU Affero General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
19 *
20 */
21
Harald Welte53373bc2016-04-20 17:11:43 +0200[diff] [blame]22#include <osmocom/gsm/protocol/gsm_04_08_gprs.h>
Neels Hofmeyr93bafb62017-01-13 03:12:08 +0100[diff] [blame]23#include <osmocom/core/utils.h>
Neels Hofmeyr396f2e62017-09-04 15:13:25 +0200[diff] [blame]24#include <osmocom/sgsn/sgsn.h>
25#include <osmocom/sgsn/gprs_sgsn.h>
26#include <osmocom/sgsn/gprs_gmm.h>
27#include <osmocom/sgsn/gprs_subscriber.h>
28#include <osmocom/sgsn/debug.h>
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]29
30const struct value_string auth_state_names[] = {
31 { SGSN_AUTH_ACCEPTED, "accepted"},
32 { SGSN_AUTH_REJECTED, "rejected"},
33 { SGSN_AUTH_UNKNOWN, "unknown"},
Harald Welte7c55ede2016-05-05 18:31:37 +0200[diff] [blame]34 { SGSN_AUTH_AUTHENTICATE, "authenticate" },
Neels Hofmeyr058cd572017-02-24 06:24:45 +0100[diff] [blame]35 { SGSN_AUTH_UMTS_RESYNC, "UMTS-resync" },
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]36 { 0, NULL }
37};
Jacob Erlbeck3b5d4072014-10-24 15:11:03 +0200[diff] [blame]38
Jacob Erlbeckf951a012014-11-07 14:17:44 +0100[diff] [blame]39const struct value_string *sgsn_auth_state_names = auth_state_names;
40
Max2e485762018-12-10 18:01:47 +0100[diff] [blame]41void sgsn_auth_init(struct sgsn_instance *sgsn)
Jacob Erlbeck3b5d4072014-10-24 15:11:03 +0200[diff] [blame]42{
Jacob Erlbecka0b6efb2014-11-13 10:48:39 +0100[diff] [blame]43 INIT_LLIST_HEAD(&sgsn->cfg.imsi_acl);
Jacob Erlbeck3b5d4072014-10-24 15:11:03 +0200[diff] [blame]44}
45
Max40124c82018-12-10 18:17:21 +0100[diff] [blame]46struct imsi_acl_entry *sgsn_acl_lookup(const char *imsi, const struct sgsn_config *cfg)
Jacob Erlbeck3b5d4072014-10-24 15:11:03 +0200[diff] [blame]47{
48 struct imsi_acl_entry *acl;
49 llist_for_each_entry(acl, &cfg->imsi_acl, list) {
50 if (!strcmp(imsi, acl->imsi))
51 return acl;
52 }
53 return NULL;
54}
55
56int sgsn_acl_add(const char *imsi, struct sgsn_config *cfg)
57{
58 struct imsi_acl_entry *acl;
59
60 if (sgsn_acl_lookup(imsi, cfg))
61 return -EEXIST;
62
63 acl = talloc_zero(NULL, struct imsi_acl_entry);
64 if (!acl)
65 return -ENOMEM;
Neels Hofmeyr93bafb62017-01-13 03:12:08 +0100[diff] [blame]66 osmo_strlcpy(acl->imsi, imsi, sizeof(acl->imsi));
Jacob Erlbeck3b5d4072014-10-24 15:11:03 +0200[diff] [blame]67
68 llist_add(&acl->list, &cfg->imsi_acl);
69
70 return 0;
71}
72
73int sgsn_acl_del(const char *imsi, struct sgsn_config *cfg)
74{
75 struct imsi_acl_entry *acl;
76
77 acl = sgsn_acl_lookup(imsi, cfg);
78 if (!acl)
79 return -ENODEV;
80
81 llist_del(&acl->list);
82 talloc_free(acl);
83
84 return 0;
85}
86
Jacob Erlbecka0b6efb2014-11-13 10:48:39 +0100[diff] [blame]87enum sgsn_auth_state sgsn_auth_state(struct sgsn_mm_ctx *mmctx)
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]88{
89 char mccmnc[16];
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]90 int check_net = 0;
91 int check_acl = 0;
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]92
93 OSMO_ASSERT(mmctx);
94
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]95 switch (sgsn->cfg.auth_policy) {
96 case SGSN_AUTH_POLICY_OPEN:
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]97 return SGSN_AUTH_ACCEPTED;
98
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]99 case SGSN_AUTH_POLICY_CLOSED:
100 check_net = 1;
101 check_acl = 1;
102 break;
103
104 case SGSN_AUTH_POLICY_ACL_ONLY:
105 check_acl = 1;
106 break;
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]107
108 case SGSN_AUTH_POLICY_REMOTE:
109 if (!mmctx->subscr)
110 return mmctx->auth_state;
111
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]112 if (mmctx->subscr->flags & GPRS_SUBSCRIBER_UPDATE_PENDING_MASK)
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]113 return mmctx->auth_state;
114
Jacob Erlbeck9d4f46c2014-12-17 13:20:08 +0100[diff] [blame]115 if (sgsn->cfg.require_authentication &&
Neels Hofmeyraa4ed672018-04-22 19:29:41 +0200[diff] [blame]116 (!sgsn_mm_ctx_is_authenticated(mmctx) ||
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]117 mmctx->subscr->sgsn_data->auth_triplets_updated))
Jacob Erlbeck2e5e94c2014-12-08 15:26:47 +0100[diff] [blame]118 return SGSN_AUTH_AUTHENTICATE;
119
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]120 if (mmctx->subscr->authorized)
121 return SGSN_AUTH_ACCEPTED;
122
123 return SGSN_AUTH_REJECTED;
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]124 }
125
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]126 if (!strlen(mmctx->imsi)) {
127 LOGMMCTXP(LOGL_NOTICE, mmctx,
128 "Missing IMSI, authorization state not known\n");
129 return SGSN_AUTH_UNKNOWN;
130 }
131
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]132 if (check_net) {
133 /* We simply assume that the IMSI exists, as long as it is part
134 * of 'our' network */
Neels Hofmeyr10719b72018-02-21 00:39:36 +0100[diff] [blame]135 snprintf(mccmnc, sizeof(mccmnc), "%s%s",
136 osmo_mcc_name(mmctx->ra.mcc),
137 osmo_mnc_name(mmctx->ra.mnc, mmctx->ra.mnc_3_digits));
138 if (strncmp(mccmnc, mmctx->imsi, mmctx->ra.mnc_3_digits ? 6 : 5) == 0)
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]139 return SGSN_AUTH_ACCEPTED;
140 }
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]141
Jacob Erlbeck106f5472014-11-04 10:08:37 +0100[diff] [blame]142 if (check_acl && sgsn_acl_lookup(mmctx->imsi, &sgsn->cfg))
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]143 return SGSN_AUTH_ACCEPTED;
144
145 return SGSN_AUTH_REJECTED;
146}
147
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]148/*
149 * This function is directly called by e.g. the GMM layer. It returns either
150 * after calling sgsn_auth_update directly or after triggering an asynchronous
151 * procedure which will call sgsn_auth_update later on.
152 */
Jacob Erlbecka0b6efb2014-11-13 10:48:39 +0100[diff] [blame]153int sgsn_auth_request(struct sgsn_mm_ctx *mmctx)
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]154{
Neels Hofmeyr0e5d8072017-01-10 00:49:56 +0100[diff] [blame]155 struct gprs_subscr *subscr;
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]156 struct gsm_auth_tuple *at;
157 int need_update_location;
158 int rc;
159
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]160 LOGMMCTXP(LOGL_DEBUG, mmctx, "Requesting authorization\n");
161
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]162 if (sgsn->cfg.auth_policy != SGSN_AUTH_POLICY_REMOTE) {
163 sgsn_auth_update(mmctx);
164 return 0;
165 }
166
Jacob Erlbeck771573c2014-12-19 18:08:48 +0100[diff] [blame]167 need_update_location = sgsn->cfg.require_update_location &&
168 (mmctx->subscr == NULL ||
169 mmctx->pending_req == GSM48_MT_GMM_ATTACH_REQ);
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]170
171 /* This has the side effect of registering the subscr with the mmctx */
172 subscr = gprs_subscr_get_or_create_by_mmctx(mmctx);
Neels Hofmeyr0e5d8072017-01-10 00:49:56 +0100[diff] [blame]173 gprs_subscr_put(subscr);
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]174
175 OSMO_ASSERT(mmctx->subscr != NULL);
176
Neels Hofmeyraa4ed672018-04-22 19:29:41 +0200[diff] [blame]177 if (sgsn->cfg.require_authentication && !sgsn_mm_ctx_is_authenticated(mmctx)) {
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]178 /* Find next tuple */
179 at = sgsn_auth_get_tuple(mmctx, mmctx->auth_triplet.key_seq);
180
181 if (!at) {
182 /* No valid tuple found, request fresh ones */
183 mmctx->auth_triplet.key_seq = GSM_KEY_SEQ_INVAL;
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]184 LOGMMCTXP(LOGL_INFO, mmctx,
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]185 "Requesting authentication tuples\n");
Neels Hofmeyr058cd572017-02-24 06:24:45 +0100[diff] [blame]186 rc = gprs_subscr_request_auth_info(mmctx, NULL, NULL);
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]187 if (rc >= 0)
188 return 0;
189
190 return rc;
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]191 }
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]192
193 mmctx->auth_triplet = *at;
194 } else if (need_update_location) {
195 LOGMMCTXP(LOGL_INFO, mmctx,
196 "Missing information, requesting subscriber data\n");
Jacob Erlbeck771573c2014-12-19 18:08:48 +0100[diff] [blame]197 rc = gprs_subscr_request_update_location(mmctx);
198 if (rc >= 0)
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]199 return 0;
Jacob Erlbeck771573c2014-12-19 18:08:48 +0100[diff] [blame]200
201 return rc;
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]202 }
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]203
Jacob Erlbecka0b6efb2014-11-13 10:48:39 +0100[diff] [blame]204 sgsn_auth_update(mmctx);
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]205 return 0;
206}
207
Jacob Erlbecka0b6efb2014-11-13 10:48:39 +0100[diff] [blame]208void sgsn_auth_update(struct sgsn_mm_ctx *mmctx)
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]209{
Jacob Erlbeckf951a012014-11-07 14:17:44 +0100[diff] [blame]210 enum sgsn_auth_state auth_state;
Neels Hofmeyr0e5d8072017-01-10 00:49:56 +0100[diff] [blame]211 struct gprs_subscr *subscr = mmctx->subscr;
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]212 struct gsm_auth_tuple *at;
Jacob Erlbeckaf3d5c52015-01-05 17:51:17 +0100[diff] [blame]213 int gmm_cause;
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]214
Jacob Erlbecka0b6efb2014-11-13 10:48:39 +0100[diff] [blame]215 auth_state = sgsn_auth_state(mmctx);
Jacob Erlbeck3ea22602014-12-19 18:17:10 +0100[diff] [blame]216
217 LOGMMCTXP(LOGL_DEBUG, mmctx, "Updating authorization (%s -> %s)\n",
218 get_value_string(sgsn_auth_state_names, mmctx->auth_state),
219 get_value_string(sgsn_auth_state_names, auth_state));
220
Jacob Erlbeckbe2c8d92014-11-12 10:18:09 +0100[diff] [blame]221 if (auth_state == SGSN_AUTH_UNKNOWN && subscr &&
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]222 !(subscr->flags & GPRS_SUBSCRIBER_UPDATE_PENDING_MASK)) {
223 /* Reject requests if gprs_subscr_request_update_location fails */
Jacob Erlbeckf951a012014-11-07 14:17:44 +0100[diff] [blame]224 LOGMMCTXP(LOGL_ERROR, mmctx,
225 "Missing information, authorization not possible\n");
226 auth_state = SGSN_AUTH_REJECTED;
227 }
228
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]229 if (auth_state == SGSN_AUTH_AUTHENTICATE &&
230 mmctx->auth_triplet.key_seq == GSM_KEY_SEQ_INVAL) {
231 /* The current tuple is not valid, but we are possibly called
232 * because new auth tuples have been received */
233 at = sgsn_auth_get_tuple(mmctx, mmctx->auth_triplet.key_seq);
234 if (!at) {
235 LOGMMCTXP(LOGL_ERROR, mmctx,
236 "Missing auth tuples, authorization not possible\n");
237 auth_state = SGSN_AUTH_REJECTED;
238 } else {
239 mmctx->auth_triplet = *at;
240 }
241 }
242
Jacob Erlbeckf951a012014-11-07 14:17:44 +0100[diff] [blame]243 if (mmctx->auth_state == auth_state)
244 return;
245
246 LOGMMCTXP(LOGL_INFO, mmctx, "Got authorization update: state %s -> %s\n",
247 get_value_string(sgsn_auth_state_names, mmctx->auth_state),
248 get_value_string(sgsn_auth_state_names, auth_state));
249
250 mmctx->auth_state = auth_state;
251
252 switch (auth_state) {
Jacob Erlbeck2e5e94c2014-12-08 15:26:47 +0100[diff] [blame]253 case SGSN_AUTH_AUTHENTICATE:
Jacob Erlbeck98a95ac2014-11-28 14:55:25 +0100[diff] [blame]254 if (subscr)
255 subscr->sgsn_data->auth_triplets_updated = 0;
256
Jacob Erlbeck2e5e94c2014-12-08 15:26:47 +0100[diff] [blame]257 gsm0408_gprs_authenticate(mmctx);
258 break;
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]259 case SGSN_AUTH_ACCEPTED:
260 gsm0408_gprs_access_granted(mmctx);
261 break;
262 case SGSN_AUTH_REJECTED:
Jacob Erlbeckd6267d12015-01-19 11:10:04 +0100[diff] [blame]263 gmm_cause =
264 subscr ? subscr->sgsn_data->error_cause :
265 SGSN_ERROR_CAUSE_NONE;
Jacob Erlbeckaf3d5c52015-01-05 17:51:17 +0100[diff] [blame]266
Jacob Erlbeck98647ca2014-11-11 14:47:38 +0100[diff] [blame]267 if (subscr && (subscr->flags & GPRS_SUBSCRIBER_CANCELLED) != 0)
Jacob Erlbeckaf3d5c52015-01-05 17:51:17 +0100[diff] [blame]268 gsm0408_gprs_access_cancelled(mmctx, gmm_cause);
Jacob Erlbeck98647ca2014-11-11 14:47:38 +0100[diff] [blame]269 else
Jacob Erlbeckaf3d5c52015-01-05 17:51:17 +0100[diff] [blame]270 gsm0408_gprs_access_denied(mmctx, gmm_cause);
Jacob Erlbeck423f8bf2014-10-24 18:09:54 +0200[diff] [blame]271 break;
272 default:
273 break;
274 }
275}
Jacob Erlbeck7921ab12014-12-08 15:52:00 +0100[diff] [blame]276
277struct gsm_auth_tuple *sgsn_auth_get_tuple(struct sgsn_mm_ctx *mmctx,
278 unsigned key_seq)
279{
280 unsigned count;
281 unsigned idx;
282 struct gsm_auth_tuple *at = NULL;
283
284 struct sgsn_subscriber_data *sdata;
285
286 if (!mmctx->subscr)
287 return NULL;
288
289 if (key_seq == GSM_KEY_SEQ_INVAL)
290 /* Start with 0 after increment module array size */
291 idx = ARRAY_SIZE(sdata->auth_triplets) - 1;
292 else
293 idx = key_seq;
294
295 sdata = mmctx->subscr->sgsn_data;
296
297 /* Find next tuple */
298 for (count = ARRAY_SIZE(sdata->auth_triplets); count > 0; count--) {
299 idx = (idx + 1) % ARRAY_SIZE(sdata->auth_triplets);
300
301 if (sdata->auth_triplets[idx].key_seq == GSM_KEY_SEQ_INVAL)
302 continue;
303
304 if (sdata->auth_triplets[idx].use_count == 0) {
305 at = &sdata->auth_triplets[idx];
306 at->use_count = 1;
307 return at;
308 }
309 }
310
311 return NULL;
312}