[PATCH] openbsc[master]: sgsn: Fix broken ACL based authentication

dexter gerrit-no-reply at lists.osmocom.org
Tue Feb 28 16:08:01 UTC 2017


Review at  https://gerrit.osmocom.org/1939

sgsn: Fix broken ACL based authentication

The function sgsn_auth_state() in sgsn_auth.c checks if a subscriber
is allowed to enter the network or not. Depending on the auth policy
that is set via the VTY config, different checks apply:

SGSN_AUTH_POLICY_CLOSED: requires checking the net (MCC/MNC must
match) and also requires to check if the IMSI is inside the ACL
list. In this case check_net and check_acl are set to one.

SGSN_AUTH_POLICY_ACL_ONLY: only requires the ACL to be correct.
Here only check_acl is set to one.

In the code at the end of the function we can see that if checking
the network is required (check_acl=1) the authentication is granted
if MCC/MNC are correct. The function returns at that point, meaning
that an eventually required ACL check is completely ignored.

This commit corrects the check logic.

Change-Id: I463afa5cc407f5c56d29fb5a501185cd3e7ea5be
---
M openbsc/src/gprs/sgsn_auth.c
1 file changed, 8 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/openbsc refs/changes/39/1939/1

diff --git a/openbsc/src/gprs/sgsn_auth.c b/openbsc/src/gprs/sgsn_auth.c
index a64339c..c0954c0 100644
--- a/openbsc/src/gprs/sgsn_auth.c
+++ b/openbsc/src/gprs/sgsn_auth.c
@@ -51,6 +51,7 @@
 		if (!strcmp(imsi, acl->imsi))
 			return acl;
 	}
+
 	return NULL;
 }
 
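Review bot: the blank line added before `return NULL;` in the ACL lookup is a cosmetic change unrelated to the authentication logic. Consider dropping it from this change or moving it to a separate whitespace commit, so the security fix stays minimal and easy to backport.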
@@ -135,14 +136,16 @@
 		 * of 'our' network */
 		snprintf(mccmnc, sizeof(mccmnc), "%03d%02d",
 			 mmctx->ra.mcc, mmctx->ra.mnc);
-		if (strncmp(mccmnc, mmctx->imsi, 5) == 0)
-			return SGSN_AUTH_ACCEPTED;
+		if (strncmp(mccmnc, mmctx->imsi, 5) != 0)
+			return SGSN_AUTH_REJECTED;
 	}
 
-	if (check_acl && sgsn_acl_lookup(mmctx->imsi, &sgsn->cfg))
-		return SGSN_AUTH_ACCEPTED;
+	if (check_acl) {
+		if (sgsn_acl_lookup(mmctx->imsi, &sgsn->cfg) == NULL)
+			return SGSN_AUTH_REJECTED;
+	}
 
-	return SGSN_AUTH_REJECTED;
+	return SGSN_AUTH_ACCEPTED;
 }
 
 /*
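Review bot: the new final `return SGSN_AUTH_ACCEPTED;` makes the tail of this function default-accept, so any path that reaches it with both check_net and check_acl at zero is admitted, where the old tail ended in `return SGSN_AUTH_REJECTED;`. The two reject branches give the AND semantics the closed policy needs (MCC/MNC must match and the IMSI must be in the ACL), but I would keep a deny default, for example by rejecting explicitly when neither flag is set, so that a policy added later cannot fall through to accept. The diffstat lists only sgsn_auth.c; a test case for the closed policy with an IMSI that matches MCC/MNC but is not in the ACL would pin this behaviour.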

-- 
To view, visit https://gerrit.osmocom.org/1939
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I463afa5cc407f5c56d29fb5a501185cd3e7ea5be
Gerrit-PatchSet: 1
Gerrit-Project: openbsc
Gerrit-Branch: master
Gerrit-Owner: dexter <pmaier at sysmocom.de>


