From d1463bc36574627c6315ab2f7346f897387b1345 Mon Sep 17 00:00:00 2001
From: Pau Espin Pedrol
Date: Thu, 13 Jun 2019 19:03:25 +0200
Subject: sgsn: Have authentication required on by default

Previous commit introduced command "authentication (optional|required)", which is only meaningful if auth-policy is remote. Upon adding the cmd, it changed the default logic for remote policy to not require authentication, which broke TTCN3 tests because sgsn no longer tries to authenticate the users. Since it's actually good to enable authentication by default where possible, let's enable it by default when on auth-policy remote. In order to do so, let's simply not care about the value of variable require_authentication if auth_policy is not REMOTE. As a result, we drop parts of the previous patch and remove unneeded checks (which are only partially useful based on order of commands during VTY read).

Fixes: 794f446a284ed1ac6d31eb79a8f4c874d66fc34e
Change-Id: Ic707a95af178b44f08809df3d3bc8354bf34273c
---
 src/gprs/gprs_sgsn.c | 1 +
 src/gprs/sgsn_vty.c | 22 +++++-----------------
 2 files changed, 6 insertions(+), 17 deletions(-)
(limited to 'src/gprs')
diff --git a/src/gprs/gprs_sgsn.c b/src/gprs/gprs_sgsn.c
index f725811d0..58011078d 100644
--- a/src/gprs/gprs_sgsn.c
+++ b/src/gprs/gprs_sgsn.c
@@ -987,6 +987,7 @@ struct sgsn_instance *sgsn_instance_alloc(void *talloc_ctx)
 inst = talloc_zero(talloc_ctx, struct sgsn_instance);
 inst->cfg.gtp_statedir = talloc_strdup(inst, "./");
 inst->cfg.auth_policy = SGSN_AUTH_POLICY_CLOSED;
+ inst->cfg.require_authentication = true; /* only applies if auth_policy is REMOTE */
 inst->cfg.gsup_server_port = OSMO_GSUP_PORT;
 return inst;
 }
diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c
index 29c97718e..edc5b09f9 100644
--- a/src/gprs/sgsn_vty.c
+++ b/src/gprs/sgsn_vty.c
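Review bot: With `require_authentication` now initialised to true while the default `auth_policy` on the line above is SGSN_AUTH_POLICY_CLOSED, the flag on its own no longer tells a reader whether subscribers are authenticated; the trailing comment is the only place that says so. The cfg_auth_policy hunk in src/gprs/sgsn_vty.c also drops the reset to 0 for non-remote policies, so the two fields can now disagree for as long as the process runs. None of the code that reads the flag is part of this diff, so it is worth confirming that every reader tests both fields, ideally through one helper that returns `cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE && cfg->require_authentication`. A reader that checks the flag alone would presumably attempt authentication without an HLR to supply the vectors. The body of sgsn_instance_alloc starts outside the hunk.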
@@ -211,8 +211,8 @@ static int config_write_sgsn(struct vty *vty) if (g_cfg->gsup_server_port) vty_out(vty, " gsup remote-port %d%s", g_cfg->gsup_server_port, VTY_NEWLINE); - vty_out(vty, " authentication %s%s", - g_cfg->require_authentication ? "required" : "optional", VTY_NEWLINE); + if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE && !g_cfg->require_authentication) + vty_out(vty, " authentication optional%s", VTY_NEWLINE); vty_out(vty, " auth-policy %s%s", get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy), VTY_NEWLINE); @@ -697,9 +697,9 @@ DEFUN(cfg_encrypt, cfg_encrypt_cmd, DEFUN(cfg_authentication, cfg_authentication_cmd, "authentication (optional|required)", - "Whether to enforce MS authentication in GERAN\n" - "Allow MS to attach via GERAN without authentication\n" - "Always require authentication\n") + "Whether to enforce MS authentication in GERAN (only with auth-policy remote)\n" + "Allow MS to attach via GERAN without authentication (default and only possible value for non-remote auth-policy)\n" + "Always require authentication (only available for auth-policy remote, default with that auth-policy)\n") { int required = (argv[0][0] == 'r'); @@ -730,10 +730,6 @@ DEFUN(cfg_auth_policy, cfg_auth_policy_cmd, g_cfg->auth_policy = val; g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE); - /* Authentication is not possible without HLR */ - if (val != SGSN_AUTH_POLICY_REMOTE) - g_cfg->require_authentication = 0; - return CMD_SUCCESS; } @@ -1489,14 +1485,6 @@ int sgsn_parse_config(const char *config_file) return rc; } - if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE - && g_cfg->require_authentication) { - fprintf(stderr, "Configuration error:" - " authentication is not possible without HLR." - " Consider setting 'auth-policy' to 'remote'\n"); - return -EINVAL; - } - if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE && !(g_cfg->gsup_server_addr.sin_addr.s_addr && g_cfg->gsup_server_port)) { -- cgit v1.2.3
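Review bot: The new condition in the config_write_sgsn hunk has no comment explaining why `authentication required` is never written and why nothing is written for non-remote policies, so a maintainer could read it as a setting being lost on write. A short comment above the `if` would cover it: `/* "required" is the default and the flag is ignored unless auth-policy is remote, so only the non-default value is written */`. The function body starts and ends outside the hunk.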
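Review bot: The help text in the cfg_authentication hunk says `required` is "only available for auth-policy remote", but the last hunk deletes the parse-time error in sgsn_parse_config and the rest of the cfg_authentication body lies outside the hunk, so it is not visible whether anything still rejects or reports that combination. If nothing does, a config file with `authentication required` and a non-remote auth-policy loads cleanly while no authentication is performed, which gives the operator false assurance. The old check could not stay as it was, since the flag now defaults to true, but a non-fatal notice of the effective state would keep this visible, e.g. `if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE) fprintf(stderr, "Notice: auth-policy is not 'remote', MS authentication is disabled\n");`.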