In this mode by default we set authorized = 1 for all new subscribers. BSC accepts all MS, except subscribers not authorized in DB. All subscribers with authorized = 0 are part of the blacklist and not accepted. --- openbsc/include/openbsc/gsm_data.h | 1 + openbsc/src/libbsc/bsc_vty.c | 5 +++-- openbsc/src/libcommon/gsm_data.c | 1 + openbsc/src/libmsc/gsm_04_08.c | 2 ++ openbsc/src/libmsc/gsm_subscriber.c | 8 +++++++- 5 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/openbsc/include/openbsc/gsm_data.h b/openbsc/include/openbsc/gsm_data.h
index 8741505..71a878d 100644
--- a/openbsc/include/openbsc/gsm_data.h
+++ b/openbsc/include/openbsc/gsm_data.h
@@ -194,6 +194,7 @@ enum gsm_auth_policy {
 GSM_AUTH_POLICY_CLOSED, /* only subscribers authorized in DB */
 GSM_AUTH_POLICY_ACCEPT_ALL, /* accept everyone, even if not authorized in DB */
 GSM_AUTH_POLICY_TOKEN, /* accept first, send token per sms, then revoke authorization */
+ GSM_AUTH_POLICY_BLACKLIST /* accept everyone, except subscribers not authorized in DB */
 };
 #define GSM_T3101_DEFAULT 10
diff --git a/openbsc/src/libbsc/bsc_vty.c b/openbsc/src/libbsc/bsc_vty.c
index 5d03b2a..e3cb917 100644
--- a/openbsc/src/libbsc/bsc_vty.c
+++ b/openbsc/src/libbsc/bsc_vty.c
@@ -1214,12 +1214,13 @@ DEFUN(cfg_net_name_long,
 DEFUN(cfg_net_auth_policy, cfg_net_auth_policy_cmd,
- "auth policy (closed|accept-all|token)",
+ "auth policy (closed|accept-all|token|blacklist)",
 "Authentication (not cryptographic)\n"
 "Set the GSM network authentication policy\n"
 "Require the MS to be activated in HLR\n"
 "Accept all MS, whether in HLR or not\n"
- "Use SMS-token based authentication\n")
+ "Use SMS-token based authentication\n"
+ "Accept all MS, except not authorized in HLR\n")
 {
 enum gsm_auth_policy policy = gsm_auth_policy_parse(argv[0]);
 struct gsm_network *gsmnet = gsmnet_from_vty(vty);
diff --git a/openbsc/src/libcommon/gsm_data.c b/openbsc/src/libcommon/gsm_data.c
index 5f7e32e..4c2d8e7 100644
--- a/openbsc/src/libcommon/gsm_data.c
+++ b/openbsc/src/libcommon/gsm_data.c
@@ -256,6 +256,7 @@ static const struct value_string auth_policy_names[] = {
 { GSM_AUTH_POLICY_CLOSED, "closed" },
 { GSM_AUTH_POLICY_ACCEPT_ALL, "accept-all" },
 { GSM_AUTH_POLICY_TOKEN, "token" },
+ { GSM_AUTH_POLICY_BLACKLIST, "blacklist"},
 { 0, NULL }
 };
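Review bot: The new help line `"Accept all MS, except not authorized in HLR\n"` is missing its object and reads awkwardly next to the other entries; `"Accept all MS, except those not authorized in HLR\n"` says the same thing in full. The help strings are positional, one per token of the command string, so the new line has to stay last in the list, which it does. The body of cfg_net_auth_policy continues outside the hunk.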
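Review bot: The added row `{ GSM_AUTH_POLICY_BLACKLIST, "blacklist"},` drops the space before the closing brace that every other row of auth_policy_names has; `{ GSM_AUTH_POLICY_BLACKLIST, "blacklist" },` keeps the table uniform. The string must be byte-identical to the token added to the VTY command in bsc_vty.c, since gsm_auth_policy_parse presumably resolves it through this table; as written they do match.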
diff --git a/openbsc/src/libmsc/gsm_04_08.c b/openbsc/src/libmsc/gsm_04_08.c
index c41443e..addacda 100644
--- a/openbsc/src/libmsc/gsm_04_08.c
+++ b/openbsc/src/libmsc/gsm_04_08.c
@@ -241,6 +241,8 @@ static int authorize_subscriber(struct gsm_loc_updating_operation *loc,
 return (subscriber->flags & GSM_SUBSCRIBER_FIRST_CONTACT);
 case GSM_AUTH_POLICY_ACCEPT_ALL:
 return 1;
+ case GSM_AUTH_POLICY_BLACKLIST:
+ return subscriber->authorized;
 default:
 return 0;
 }
diff --git a/openbsc/src/libmsc/gsm_subscriber.c b/openbsc/src/libmsc/gsm_subscriber.c
index bc6f3cf..d417b9f 100644
--- a/openbsc/src/libmsc/gsm_subscriber.c
+++ b/openbsc/src/libmsc/gsm_subscriber.c
@@ -279,8 +279,14 @@ struct gsm_subscriber *subscr_create_subscriber(struct gsm_network *net,
 const char *imsi)
 {
 struct gsm_subscriber *subscr = db_create_subscriber(imsi);
- if (subscr)
+ if (subscr) {
 subscr->net = net;
+ if (subscr->net->auth_policy == GSM_AUTH_POLICY_BLACKLIST) {
+ subscr->authorized = 1;
+ db_sync_subscriber(subscr);
+ }
+ }
+
 return subscr;
 }
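Review bot: The new BLACKLIST case hands back the raw `authorized` field as the accept decision without saying where that value comes from, and the rejection path is the whole point of the mode. A comment on the case such as `/* records are created with authorized = 1 in this mode (see subscr_create_subscriber); only rows an operator has since cleared in the DB are rejected */` ties the two halves of the change together for the next reader. authorize_subscriber starts and ends outside the hunk, so the CLOSED case it should be read against is not visible here.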
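Review bot: The return value of `db_sync_subscriber(subscr)` is ignored, so if the write fails the in-memory record carries authorized = 1 while the DB row does not, and the two will disagree the next time the subscriber is loaded from the database; check it, e.g. `if (db_sync_subscriber(subscr) != 0)` followed by a log line, and decide whether a record that could not be synced should still be returned as authorized. I believe db_sync_subscriber returns an int status in this tree, but confirm against its definition. The condition can also read `net->auth_policy` directly, since `subscr->net` was assigned from `net` on the line above. The function's signature sits on the @@ line, just outside the hunk proper.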
--- openbsc/tests/vty_test_runner.py | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+)
diff --git a/openbsc/tests/vty_test_runner.py b/openbsc/tests/vty_test_runner.py
index 0bd7972..baa89ba 100644
--- a/openbsc/tests/vty_test_runner.py
+++ b/openbsc/tests/vty_test_runner.py
@@ -231,6 +231,42 @@ class TestVTYNITB(TestVTYGenericBSC):
 res = self.vty.command('show subscriber imsi '+imsi)
 self.assert_(res.find(" IMSI: "+imsi) > 0)
+ def testAuthPolicy (self):
+ self.vty.enable()
+ self.vty.command("configure terminal")
+ self.vty.command("network")
+
+ # Test invalid input
+ self.vty.verify("auth policy", ['% Command incomplete.'])
+
+ # Enable auth policy closed
+ self.vty.verify("auth policy closed", [''])
+
+ # Verify settings
+ res = self.vty.command("write terminal")
+ self.assert_(res.find("auth policy closed") > 0)
+
+ # Enable auth policy accept-all
+ self.vty.verify("auth policy accept-all", [''])
+
+ # Verify settings
+ res = self.vty.command("write terminal")
+ self.assert_(res.find("auth policy accept-all") > 0)
+
+ # Enable auth policy token
+ self.vty.verify("auth policy token", [''])
+
+ # Verify settings
+ res = self.vty.command("write terminal")
+ self.assert_(res.find("auth policy token") > 0)
+
+ # Enable auth policy blacklist
+ self.vty.verify("auth policy blacklist", [''])
+
+ # Verify settings
+ res = self.vty.command("write terminal")
+ self.assert_(res.find("auth policy blacklist") > 0)
+
 class TestVTYBSC(TestVTYGenericBSC):
def vty_command(self):
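Review bot: `def testAuthPolicy (self):` puts a space before the parameter list, unlike `def vty_command(self):` in the same hunk; `def testAuthPolicy(self):` matches the file. The test also finishes with `auth policy blacklist` active and the session still inside the `network` node; if the daemon under test is shared between the methods of TestVTYNITB (not visible here), a later test inherits that policy, so either set the policy back to the value the test started from or leave the config node with `end` before returning. The four policy checks are near-identical and could loop over `("closed", "accept-all", "token", "blacklist")`, which is a style preference rather than a defect.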
On Fri, Oct 18, 2013 at 12:37:42PM +0400, Ivan Kluchnikov wrote:
Dear Ivan,
case GSM_AUTH_POLICY_CLOSED: return subscriber->authorized == GSM_SUBSCRIBER_AUTH_AUTHORIZED; ...
return (subscriber->flags & GSM_SUBSCRIBER_FIRST_CONTACT);case GSM_AUTH_POLICY_ACCEPT_ALL: return 1;
- case GSM_AUTH_POLICY_BLACKLIST:
return subscriber->authorized;
return subscriber->authorized != GSM_SUBSCRIBER_AUTH_BLACKLIST; then you can omit this code.
- if (subscr) { subscr->net = net;
if (subscr->net->auth_policy == GSM_AUTH_POLICY_BLACKLIST) {subscr->authorized = 1;
The benefit is that moving from closed to black-list works without changing the database content. If you move from black-list to closed, all your blacklisted subscribers are suddenly allowed.
holger
On Fri, Oct 18, 2013 at 03:14:06PM +0200, Holger Hans Peter Freyther wrote:
The benefit is that moving from closed to black-list works without changing the database content. If you move from black-list to closed.. all your blacklisted subscribers are suddenly allowed.
or after thinking more about it.. what is the point of ACCEPT_ALL. We can just have the blacklist mode replace it?
On Sat, Oct 19, 2013 at 12:36 AM, Holger Hans Peter Freyther holger@freyther.de wrote:
On Fri, Oct 18, 2013 at 03:14:06PM +0200, Holger Hans Peter Freyther wrote:
The benefit is that moving from closed to black-list works without changing the database content. If you move from black-list to closed.. all your blacklisted subscribers are suddenly allowed.
or after thinking more about it.. what is the point of ACCEPT_ALL. We can just have the blacklist mode replace it?
Well, ACCEPT_ALL is accept all - a different thing :)
I would rather rename BLACKLIST to ACCEPT_NEW and make it default instead of ACCEPT_ALL. It will give better experience to a random OsmoNITB user (user in terms of an NITB operator, not in terms of a subscriber).
On Sat, Oct 19, 2013 at 12:46:50AM +0400, Alexander Chemeris wrote:
Well, ACCEPT_ALL is accept all - a different thing :)
yes it is. But what does ACCEPT_NEW (blacklist) take away from ACCEPT_ALL? My argument is that ACCEPT_NEW is the better "ACCEPT"
I would rather rename BLACKLIST to ACCEPT_NEW and make it default instead of ACCEPT_ALL. It will give better experience to a random OsmoNITB user (user in terms of an NITB operator, not in terms of a subscriber).
Well, closed should be the default. We want to minimize the interference people can cause by default.