<p>pespin has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/osmo-sgsn/+/14445">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">sgsn: Have authentication required on by default<br><br>Previous commit introduced command "authentication (optional|required)",<br>which is only meaningful if auth-policy is remote. Upon adding the cmd,<br>it changed the default logic for remote policy to not require<br>authentication, which broke TTCN3 tests because sgsn no longer tries to<br>authenticate the users.<br><br>Since it's actually good to enable authentication by default where<br>possible, let's enable it by default when on auth-policy remote.<br><br>In order to do so, let's simply not care about the value of variable<br>require_authentication if auth_policy is not REMOTE. As a result, we<br>drop parts of the previous patch and remove unneeded checks (which are<br>only partially useful based on order of commands during VTY read).<br><br>Fixes: 794f446a284ed1ac6d31eb79a8f4c874d66fc34e<br>Change-Id: Ic707a95af178b44f08809df3d3bc8354bf34273c<br>---<br>M doc/manuals/vty/sgsn_vty_reference.xml<br>M include/osmocom/sgsn/sgsn.h<br>M src/gprs/gprs_sgsn.c<br>M src/gprs/sgsn_vty.c<br>4 files changed, 11 insertions(+), 20 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/osmo-sgsn refs/changes/45/14445/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/doc/manuals/vty/sgsn_vty_reference.xml b/doc/manuals/vty/sgsn_vty_reference.xml</span><br><span>index ed11777..e9cd322 100644</span><br><span>--- a/doc/manuals/vty/sgsn_vty_reference.xml</span><br><span>+++ b/doc/manuals/vty/sgsn_vty_reference.xml</span><br><span>@@ -2232,9 +2232,9 @@</span><br><span>     </command></span><br><span>     <command id='authentication (optional|required)'></span><br><span>       
<params></span><br><span style="color: hsl(0, 100%, 40%);">-        <param name='authentication' doc='Whether to enforce MS authentication in GERAN' /></span><br><span style="color: hsl(0, 100%, 40%);">-        <param name='optional' doc='Allow MS to attach via GERAN without authentication' /></span><br><span style="color: hsl(0, 100%, 40%);">-        <param name='required' doc='Always require authentication' /></span><br><span style="color: hsl(120, 100%, 40%);">+        <param name='authentication' doc='Whether to enforce MS authentication in GERAN (only with auth-policy remote)' /></span><br><span style="color: hsl(120, 100%, 40%);">+        <param name='optional' doc='Allow MS to attach via GERAN without authentication (default and only possible value for non-remote auth-policy)' /></span><br><span style="color: hsl(120, 100%, 40%);">+        <param name='required' doc='Always require authentication (only available for auth-policy remote, default with that auth-policy)' /></span><br><span>       </params></span><br><span>     </command></span><br><span>     <command id='encryption (GEA0|GEA1|GEA2|GEA3|GEA4)'></span><br><span>diff --git a/include/osmocom/sgsn/sgsn.h b/include/osmocom/sgsn/sgsn.h</span><br><span>index c80355d..0a6ea29 100644</span><br><span>--- a/include/osmocom/sgsn/sgsn.h</span><br><span>+++ b/include/osmocom/sgsn/sgsn.h</span><br><span>@@ -78,7 +78,9 @@</span><br><span>  struct sockaddr_in gsup_server_addr;</span><br><span>         int gsup_server_port;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+     /* Only meaningful if auth_policy is SGSN_AUTH_POLICY_REMOTE */</span><br><span>      int require_authentication;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>        int require_update_location;</span><br><span> </span><br><span>     /* CDR configuration */</span><br><span>diff --git a/src/gprs/gprs_sgsn.c b/src/gprs/gprs_sgsn.c</span><br><span>index f725811..5801107 100644</span><br><span>--- 
a/src/gprs/gprs_sgsn.c</span><br><span>+++ b/src/gprs/gprs_sgsn.c</span><br><span>@@ -987,6 +987,7 @@</span><br><span>   inst = talloc_zero(talloc_ctx, struct sgsn_instance);</span><br><span>        inst->cfg.gtp_statedir = talloc_strdup(inst, "./");</span><br><span>     inst->cfg.auth_policy = SGSN_AUTH_POLICY_CLOSED;</span><br><span style="color: hsl(120, 100%, 40%);">+   inst->cfg.require_authentication = true; /* only applies if auth_policy is REMOTE */</span><br><span>      inst->cfg.gsup_server_port = OSMO_GSUP_PORT;</span><br><span>      return inst;</span><br><span> }</span><br><span>diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c</span><br><span>index 29c9771..c7ec48b 100644</span><br><span>--- a/src/gprs/sgsn_vty.c</span><br><span>+++ b/src/gprs/sgsn_vty.c</span><br><span>@@ -211,8 +211,8 @@</span><br><span>     if (g_cfg->gsup_server_port)</span><br><span>              vty_out(vty, " gsup remote-port %d%s",</span><br><span>                     g_cfg->gsup_server_port, VTY_NEWLINE);</span><br><span style="color: hsl(0, 100%, 40%);">-       vty_out(vty, " authentication %s%s",</span><br><span style="color: hsl(0, 100%, 40%);">-          g_cfg->require_authentication ? 
"required" : "optional", VTY_NEWLINE);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE && !g_cfg->require_authentication)</span><br><span style="color: hsl(120, 100%, 40%);">+              vty_out(vty, " authentication optional%s", VTY_NEWLINE);</span><br><span>   vty_out(vty, " auth-policy %s%s",</span><br><span>          get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy),</span><br><span>                 VTY_NEWLINE);</span><br><span>@@ -697,9 +697,9 @@</span><br><span> </span><br><span> DEFUN(cfg_authentication, cfg_authentication_cmd,</span><br><span>       "authentication (optional|required)",</span><br><span style="color: hsl(0, 100%, 40%);">-      "Whether to enforce MS authentication in GERAN\n"</span><br><span style="color: hsl(0, 100%, 40%);">-      "Allow MS to attach via GERAN without authentication\n"</span><br><span style="color: hsl(0, 100%, 40%);">-      "Always require authentication\n")</span><br><span style="color: hsl(120, 100%, 40%);">+      "Whether to enforce MS authentication in GERAN (only with auth-policy remote)\n"</span><br><span style="color: hsl(120, 100%, 40%);">+      "Allow MS to attach via GERAN without authentication (default and only possible value for non-remote auth-policy)\n"</span><br><span style="color: hsl(120, 100%, 40%);">+      "Always require authentication (only available for auth-policy remote, default with that auth-policy)\n")</span><br><span> {</span><br><span>      int required = (argv[0][0] == 'r');</span><br><span> </span><br><span>@@ -730,10 +730,6 @@</span><br><span>       g_cfg->auth_policy = val;</span><br><span>         g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-       /* Authentication is not possible without HLR */</span><br><span style="color: hsl(0, 100%, 40%);">-        if (val != SGSN_AUTH_POLICY_REMOTE)</span><br><span style="color: hsl(0, 100%, 
40%);">-             g_cfg->require_authentication = 0;</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span>        return CMD_SUCCESS;</span><br><span> }</span><br><span> </span><br><span>@@ -1489,14 +1485,6 @@</span><br><span>                return rc;</span><br><span>   }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-   if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE</span><br><span style="color: hsl(0, 100%, 40%);">-        && g_cfg->require_authentication) {</span><br><span style="color: hsl(0, 100%, 40%);">-              fprintf(stderr, "Configuration error:"</span><br><span style="color: hsl(0, 100%, 40%);">-                        " authentication is not possible without HLR."</span><br><span style="color: hsl(0, 100%, 40%);">-                        " Consider setting 'auth-policy' to 'remote'\n");</span><br><span style="color: hsl(0, 100%, 40%);">-             return -EINVAL;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span>    if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE</span><br><span>             && !(g_cfg->gsup_server_addr.sin_addr.s_addr</span><br><span>           && g_cfg->gsup_server_port)) {</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-sgsn/+/14445">change 14445</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-sgsn/+/14445"/><meta itemprop="name" content="View Change"/></div></div>
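Review bot: in the src/gprs/gprs_sgsn.c hunk at @@ -987, require_authentication is assigned true, but include/osmocom/sgsn/sgsn.h declares the field as int and the line removed from cfg_auth_policy assigned it 0. Either assign 1 here or change the field to bool, so the declaration and the literals agree.<br>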
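Review bot: in the src/gprs/sgsn_vty.c hunk at @@ -211, the new condition reads cfg->auth_policy, while the second half of the same condition and every other access in the shown context go through g_cfg. Unless a local named cfg exists outside the visible lines, this either fails to compile or tests a different object; use g_cfg->auth_policy here.<br>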
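Review bot: in the cfg_authentication help strings at @@ -697 of src/gprs/sgsn_vty.c, "only possible value for non-remote auth-policy" and "only available for auth-policy remote" describe a restriction that the visible hunks no longer enforce: with the reset in cfg_auth_policy and the startup check both removed, "authentication required" is accepted under any policy and simply has no effect. Wording such as "ignored unless auth-policy is remote" would match the behaviour, and the same applies to the matching entries in doc/manuals/vty/sgsn_vty_reference.xml.<br>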
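Review bot: in the cfg_auth_policy hunk at @@ -730 of src/gprs/sgsn_vty.c, dropping the reset of require_authentication to 0 for non-remote policies, combined with the new default of true in gprs_sgsn.c, leaves the flag set under closed and the other non-remote policies. None of the four files in this change touches the code that reads require_authentication when deciding whether to authenticate a subscriber, so please confirm that every reader first checks auth_policy == SGSN_AUTH_POLICY_REMOTE, or add that gating as part of this change.<br>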
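Review bot: in the src/gprs/sgsn_vty.c hunk at @@ -1489, removing the "authentication is not possible without HLR" check means a config that sets "authentication required" together with a non-remote auth-policy now loads without any diagnostic, and the config writer at @@ -211 will not echo the setting back either. An operator could read such a config as enforcing authentication when it does not. Consider downgrading the check to a non-fatal warning for that combination rather than deleting it.<br>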

<div style="display:none"> Gerrit-Project: osmo-sgsn </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: Ic707a95af178b44f08809df3d3bc8354bf34273c </div>
<div style="display:none"> Gerrit-Change-Number: 14445 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: pespin <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>