msc: Implement 'remote-closed' authentication policy

This mode is modified version of 'remote' policy.
Osmo-nitb uses remote subscription data only if the MS is activated in local HLR, otherwise osmo-nitb rejects subscriber.

openbsc/include/openbsc/gsm_data.h

@@ -269,6 +269,7 @@ enum gsm_auth_policy {
 	GSM_AUTH_POLICY_TOKEN, /* accept first, send token per sms, then revoke authorization */
 	GSM_AUTH_POLICY_REGEXP, /* accept IMSIs matching given regexp */
 	GSM_AUTH_POLICY_REMOTE,
+	GSM_AUTH_POLICY_REMOTE_CLOSED
 };
 
 #define GSM_T3101_DEFAULT 10

openbsc/src/libcommon-cs/common_cs_vty.c

@@ -105,14 +105,15 @@ DEFUN(cfg_net_name_long,
 
 DEFUN(cfg_net_auth_policy,
       cfg_net_auth_policy_cmd,
-      "auth policy (closed|accept-all|regexp|token|remote)",
+      "auth policy (closed|accept-all|regexp|token|remote|remote-closed)",
 	"Authentication (not cryptographic)\n"
 	"Set the GSM network authentication policy\n"
 	"Require the MS to be activated in HLR\n"
 	"Accept all MS, whether in HLR or not\n"
 	"Use regular expression for IMSI authorization decision\n"
 	"Use SMS-token based authentication\n"
-	"Use remote subscription data only (HLR)\n")
+	"Use remote subscription data only (HLR)\n"
+	"Use remote subscription data if the MS is activated in local HLR\n")
 {
 	enum gsm_auth_policy policy = gsm_auth_policy_parse(argv[0]);
 	struct gsm_network *gsmnet = gsmnet_from_vty(vty);

openbsc/src/libcommon/gsm_data.c

@@ -164,6 +164,7 @@ static const struct value_string auth_policy_names[] = {
 	{ GSM_AUTH_POLICY_TOKEN,	"token" },
 	{ GSM_AUTH_POLICY_REGEXP,	"regexp" },
 	{ GSM_AUTH_POLICY_REMOTE,	"remote" },
+	{ GSM_AUTH_POLICY_REMOTE_CLOSED,	"remote-closed" },
 	{ 0,				NULL }
 };
 

openbsc/src/libmsc/auth.c

@@ -89,7 +89,8 @@ int auth_get_tuple_for_subscr(enum gsm_auth_policy auth_policy,
 	struct gsm_auth_info ainfo;
 	int rc;
 
-	if (auth_policy != GSM_AUTH_POLICY_REMOTE) {
+	if (auth_policy != GSM_AUTH_POLICY_REMOTE &&
+	    auth_policy != GSM_AUTH_POLICY_REMOTE_CLOSED) {
 		/* Get subscriber info (if any) */
 		rc = db_get_authinfo_for_subscr(&ainfo, subscr);
 		if (rc < 0) {
@@ -112,7 +113,8 @@ int auth_get_tuple_for_subscr(enum gsm_auth_policy auth_policy,
 		return AUTH_DO_CIPH;
 	}
 
-	if (auth_policy == GSM_AUTH_POLICY_REMOTE) {
+	if (auth_policy == GSM_AUTH_POLICY_REMOTE ||
+	    auth_policy == GSM_AUTH_POLICY_REMOTE_CLOSED) {
 		/* Request a new tuple from remote HLR */
 		return 0;
 	}

openbsc/src/libmsc/gsm_04_08.c

@@ -214,7 +214,8 @@ int gsm48_secure_channel(struct gsm_subscriber_connection *conn, int key_seq,
 	/* If not done yet, try to get info for this user */
 	if (status < 0) {
 		rc = auth_get_tuple_for_subscr(net->auth_policy, &atuple, subscr, key_seq);
-		if ((rc == 0) && (net->auth_policy == GSM_AUTH_POLICY_REMOTE)) {
+		if ((rc == 0) && (net->auth_policy == GSM_AUTH_POLICY_REMOTE ||
+		                  net->auth_policy == GSM_AUTH_POLICY_REMOTE_CLOSED)) {
 			allocate_security_operation(conn);
 			conn->sec_operation->cb = cb;
 			conn->sec_operation->cb_data = cb_data;
@@ -297,6 +298,10 @@ static int authorize_subscriber(struct gsm_loc_updating_operation *loc,
 		return (subscriber->flags & GSM_SUBSCRIBER_FIRST_CONTACT);
 	case GSM_AUTH_POLICY_ACCEPT_ALL:
 		return 1;
+	case GSM_AUTH_POLICY_REMOTE_CLOSED:
+		if (!subscriber->authorized) {
+			return subscriber->authorized;
+		}
 	case GSM_AUTH_POLICY_REMOTE:
 		if (loc->waiting_for_remote_accept) {
 			subscr_location_update(subscriber);

openbsc/src/osmo-nitb/bsc_hack.c

@@ -368,8 +368,9 @@ int main(int argc, char **argv)
 	}
 	printf("DB: Database prepared.\n");
 
-	/* Prepare HLR SUP socket if auth policy is "remote" */
-	if (bsc_gsmnet->auth_policy == GSM_AUTH_POLICY_REMOTE) {
+	/* Prepare HLR SUP socket if auth policy is "remote" or "remote-closed"*/
+	if (bsc_gsmnet->auth_policy == GSM_AUTH_POLICY_REMOTE ||
+	    bsc_gsmnet->auth_policy == GSM_AUTH_POLICY_REMOTE_CLOSED) {
 		bsc_gsmnet->hlr_sup_client = gprs_gsup_client_create(
 			"127.0.0.1", 8183,
 			&sup_read_cb);