In this mode by default we set authorized = 1 for all new subscribers. BSC accepts all MS, except subscribers not authorized in DB. All subscribers with authorized = 0 are part of the black list and not accepted.
---
 openbsc/include/openbsc/gsm_data.h | 1 +
 openbsc/src/libbsc/bsc_vty.c | 5 +++--
 openbsc/src/libcommon/gsm_data.c | 1 +
 openbsc/src/libmsc/db.c | 12 +++++++++---
 openbsc/src/libmsc/gsm_04_08.c | 2 ++
 5 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/openbsc/include/openbsc/gsm_data.h b/openbsc/include/openbsc/gsm_data.h index 8741505..99e9b27 100644 --- a/openbsc/include/openbsc/gsm_data.h +++ b/openbsc/include/openbsc/gsm_data.h @@ -194,6 +194,7 @@ enum gsm_auth_policy { GSM_AUTH_POLICY_CLOSED, /* only subscribers authorized in DB */ GSM_AUTH_POLICY_ACCEPT_ALL, /* accept everyone, even if not authorized in DB */ GSM_AUTH_POLICY_TOKEN, /* accept first, send token per sms, then revoke authorization */ + GSM_AUTH_POLICY_BLACK_LIST /* accept everyone, except subscribers not authorized in DB */ };
#define GSM_T3101_DEFAULT 10 diff --git a/openbsc/src/libbsc/bsc_vty.c b/openbsc/src/libbsc/bsc_vty.c index 5748945..7a89ca6 100644 --- a/openbsc/src/libbsc/bsc_vty.c +++ b/openbsc/src/libbsc/bsc_vty.c @@ -1186,12 +1186,13 @@ DEFUN(cfg_net_name_long,
DEFUN(cfg_net_auth_policy, cfg_net_auth_policy_cmd, - "auth policy (closed|accept-all|token)", + "auth policy (closed|accept-all|token|black-list)", "Authentication (not cryptographic)\n" "Set the GSM network authentication policy\n" "Require the MS to be activated in HLR\n" "Accept all MS, whether in HLR or not\n" - "Use SMS-token based authentication\n") + "Use SMS-token based authentication\n" + "Accept all MS, except not authorized in HLR\n") { enum gsm_auth_policy policy = gsm_auth_policy_parse(argv[0]); struct gsm_network *gsmnet = gsmnet_from_vty(vty); diff --git a/openbsc/src/libcommon/gsm_data.c b/openbsc/src/libcommon/gsm_data.c index 5f7e32e..31b65ee 100644 --- a/openbsc/src/libcommon/gsm_data.c +++ b/openbsc/src/libcommon/gsm_data.c @@ -256,6 +256,7 @@ static const struct value_string auth_policy_names[] = { { GSM_AUTH_POLICY_CLOSED, "closed" }, { GSM_AUTH_POLICY_ACCEPT_ALL, "accept-all" }, { GSM_AUTH_POLICY_TOKEN, "token" }, + { GSM_AUTH_POLICY_BLACK_LIST, "black-list"}, { 0, NULL } };
diff --git a/openbsc/src/libmsc/db.c b/openbsc/src/libmsc/db.c index 21abce9..440509a 100644 --- a/openbsc/src/libmsc/db.c +++ b/openbsc/src/libmsc/db.c @@ -319,6 +319,7 @@ struct gsm_subscriber *db_create_subscriber(struct gsm_network *net, char *imsi) { dbi_result result; struct gsm_subscriber *subscr; + int authorized = 0;
/* Is this subscriber known in the db? */ subscr = db_get_subscriber(net, GSM_SUBSCRIBER_IMSI, imsi); @@ -337,17 +338,22 @@ struct gsm_subscriber *db_create_subscriber(struct gsm_network *net, char *imsi) if (!subscr) return NULL; subscr->flags |= GSM_SUBSCRIBER_FIRST_CONTACT; + + if (net->auth_policy == GSM_AUTH_POLICY_BLACK_LIST) + authorized = 1; + result = dbi_conn_queryf(conn, "INSERT INTO Subscriber " - "(imsi, created, updated) " + "(imsi, created, updated, authorized) " "VALUES " - "(%s, datetime('now'), datetime('now')) ", - imsi + "(%s, datetime('now'), datetime('now'), %d) ", + imsi, authorized ); if (!result) LOGP(DDB, LOGL_ERROR, "Failed to create Subscriber by IMSI.\n"); subscr->net = net; subscr->id = dbi_conn_sequence_last(conn, NULL); + subscr->authorized = authorized; strncpy(subscr->imsi, imsi, GSM_IMSI_LENGTH-1); dbi_result_free(result); LOGP(DDB, LOGL_INFO, "New Subscriber: ID %llu, IMSI %s\n", subscr->id, subscr->imsi); diff --git a/openbsc/src/libmsc/gsm_04_08.c b/openbsc/src/libmsc/gsm_04_08.c index d81dab9..8f8eaa9 100644 --- a/openbsc/src/libmsc/gsm_04_08.c +++ b/openbsc/src/libmsc/gsm_04_08.c @@ -241,6 +241,8 @@ static int authorize_subscriber(struct gsm_loc_updating_operation *loc, return (subscriber->flags & GSM_SUBSCRIBER_FIRST_CONTACT); case GSM_AUTH_POLICY_ACCEPT_ALL: return 1; + case GSM_AUTH_POLICY_BLACK_LIST: + return subscriber->authorized; default: return 0; }
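Review bot: the new `GSM_AUTH_POLICY_BLACK_LIST` enumerator in gsm_data.h is the only entry in `enum gsm_auth_policy` without a trailing comma; the three entries above it all carry one, so adding it keeps the style consistent and makes the next addition a one-line diff. The comment on that line is also the only place that states what the policy does, and "accept everyone, except subscribers not authorized in DB" does not say that an unknown IMSI is authorized automatically at first contact; spelling that out there would stop readers from assuming the name means a deny-by-default list.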
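Review bot: the new help string `"Accept all MS, except not authorized in HLR\n"` in the `auth policy` DEFUN of bsc_vty.c drops its object; `"Accept all MS except those not authorized in HLR\n"` reads correctly and matches the wording of the `"Accept all MS, whether in HLR or not\n"` line directly above it. Only the parse side is touched in this hunk; the config write-out that emits the policy name is not in the diff, so a VTY test that sets `auth policy black-list`, writes the config and reads it back would demonstrate the round trip and would also cover the set/unset test requested in the review.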
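Review bot: the added `{ GSM_AUTH_POLICY_BLACK_LIST, "black-list"},` entry in `auth_policy_names` in gsm_data.c is missing the space before the closing brace that the neighbouring entries have (`{ GSM_AUTH_POLICY_TOKEN, "token" },`); cosmetic, but worth matching since the table is otherwise uniform.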
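Review bot: in `db_create_subscriber` the `authorized` value is fixed at row-creation time from whatever `net->auth_policy` is at that moment, and nothing in the patch revisits it later. A subscriber auto-created while the policy is `black-list` therefore stays at authorized = 1 after the operator switches to `closed`, and a subscriber created under `closed` or `token` stays at 0 if the operator later switches to `black-list`; the commit message should state this, because an operator reading "accepts all MS, except subscribers not authorized in DB" would not expect a policy change to leave pre-existing rows behind. Two smaller points in the same hunk: the INSERT previously relied on the table's default for `authorized`, so the `int authorized = 0;` initialiser has to equal that default for the other three policies to behave exactly as before, and `subscr->authorized = authorized;` is assigned even when `result` is NULL and no row was written, so under `black-list` an MS whose row failed to insert is accepted on the in-memory flag while having no DB row that the operator could later set to 0; logging that the subscriber was not persisted, or returning early, would make that failure visible.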
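Review bot: the new `case GSM_AUTH_POLICY_BLACK_LIST: return subscriber->authorized;` in `authorize_subscriber` makes the acceptance decision identical to checking the stored flag, so the whole difference from the closed policy lives in `db_create_subscriber`, which is not visible from this file. A one-line comment here saying that unknown IMSIs were already inserted with authorized = 1 by the DB layer would save the next reader a search, and it pins down the semantics the commit message should state: the black list can only ever contain IMSIs that have previously attached and were then set to authorized = 0 by the operator; a never-seen IMSI is always accepted. The patch adds no test for this path; a unit test that creates a subscriber under each of the four policies and checks the return value of this function would cover all four cases in one place.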
On Wed, Sep 11, 2013 at 06:57:44PM +0400, Ivan Kluchnikov wrote:
Dear Ivan,
do you intend to finish the ACC patch? I would like to have this finished before starting to review any other fairwaves code.
holger
Holger,
On Wed, Sep 11, 2013 at 9:55 PM, Holger Hans Peter Freyther holger@freyther.de wrote:
> On Wed, Sep 11, 2013 at 06:57:44PM +0400, Ivan Kluchnikov wrote:
> Dear Ivan,
> do you intend to finish the ACC patch? I would like to have this finished before starting to review any other fairwaves code.
We intend to finish the ACC patch, but it's of lower priority for us (just like the SMPP DB patch for you). I would appreciate it if you reviewed patches on their own merits.
On Thu, Sep 12, 2013 at 11:34:54AM +0400, Alexander Chemeris wrote:
> We intend to finish the ACC patch, but it's of lower priority for us (just like the SMPP DB patch for you). I would appreciate it if you reviewed patches on their own merits.
Dear Alexander,
it is not a question of priority. When I review a patch and I find issues (like with the ACC patch, or the nanoBTS init code), I expect to get a follow up patch within reasonable time. In the past this has not happened, or worse, there was an open refusal to increase the quality of the contribution.
Please send follow-up patches in a reasonable time and I will review and merge your changes quickly.
holger
PS: For this patch the comment is like the ACC patch. Create a VTY unit test that verifies that one can set/unset the policy. Jacob has posted plenty of examples recently.
Holger,
On Thu, Sep 12, 2013 at 12:26 PM, Holger Hans Peter Freyther holger@freyther.de wrote:
> On Thu, Sep 12, 2013 at 11:34:54AM +0400, Alexander Chemeris wrote:
> We intend to finish the ACC patch, but it's of lower priority for us (just like the SMPP DB patch for you). I would appreciate it if you reviewed patches on their own merits.
> Dear Alexander,
> it is not a question of priority. When I review a patch and I find issues (like with the ACC patch, or the nanoBTS init code), I expect to get a follow up patch within reasonable time. In the past this has not happened, or worse, there was an open refusal to increase the quality of the contribution.
> Please send follow-up patches in a reasonable time and I will review and merge your changes quickly.
We're trying to improve our patches in a reasonable time. But "reasonable time" depends on our priorities and when we can find the time to fix things. If the amount of effort is more than the value of the patch, it'll take a lot of time before we get to fixing it. I hope you understand that.
Regarding the nanoBTS init code, I explicitly stated that this is a hack which I found useful for myself and want to share with the community. I'm glad if it helps someone, but I don't care if it's included into master or not. OTOH, the black list, SMPP DB and ACC patches are ones which we actually use in one case or another, and thus we would appreciate seeing them in master.
> PS: For this patch the comment is like the ACC patch. Create a VTY unit test that verifies that one can set/unset the policy. Jacob has posted plenty of examples recently.
Thanks for the comment, we'll look into that.
PS: It would be very helpful if you put together a (short) list of things to check before submitting a patch for inclusion into master. It'll save a lot of time and nerves for everyone.