Line data Source code
1 : /*
2 : * RADIUS client
3 : * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
4 : *
5 : * This software may be distributed under the terms of the BSD license.
6 : * See README for more details.
7 : */
8 :
9 : #include "includes.h"
10 :
11 : #include "common.h"
12 : #include "radius.h"
13 : #include "radius_client.h"
14 : #include "eloop.h"
15 :
16 : /* Defaults for RADIUS retransmit values (exponential backoff) */
17 :
18 : /**
19 : * RADIUS_CLIENT_FIRST_WAIT - RADIUS client timeout for first retry in seconds
20 : */
21 : #define RADIUS_CLIENT_FIRST_WAIT 3
22 :
23 : /**
24 : * RADIUS_CLIENT_MAX_WAIT - RADIUS client maximum retry timeout in seconds
25 : */
26 : #define RADIUS_CLIENT_MAX_WAIT 120
27 :
28 : /**
29 : * RADIUS_CLIENT_MAX_RETRIES - RADIUS client maximum retries
30 : *
31 : * Maximum number of retransmit attempts before the entry is removed from
32 : * retransmit list.
33 : */
34 : #define RADIUS_CLIENT_MAX_RETRIES 10
35 :
36 : /**
37 : * RADIUS_CLIENT_MAX_ENTRIES - RADIUS client maximum pending messages
38 : *
39 : * Maximum number of entries in retransmit list (oldest entries will be
40 : * removed, if this limit is exceeded).
41 : */
42 : #define RADIUS_CLIENT_MAX_ENTRIES 30
43 :
44 : /**
45 : * RADIUS_CLIENT_NUM_FAILOVER - RADIUS client failover point
46 : *
47 : * The number of failed retry attempts after which the RADIUS server will be
48 : * changed (if one of more backup servers are configured).
49 : */
50 : #define RADIUS_CLIENT_NUM_FAILOVER 4
51 :
52 :
53 : /**
54 : * struct radius_rx_handler - RADIUS client RX handler
55 : *
56 : * This data structure is used internally inside the RADIUS client module to
57 : * store registered RX handlers. These handlers are registered by calls to
58 : * radius_client_register() and unregistered when the RADIUS client is
59 : * deinitialized with a call to radius_client_deinit().
60 : */
61 : struct radius_rx_handler {
62 : /**
63 : * handler - Received RADIUS message handler
64 : */
65 : RadiusRxResult (*handler)(struct radius_msg *msg,
66 : struct radius_msg *req,
67 : const u8 *shared_secret,
68 : size_t shared_secret_len,
69 : void *data);
70 :
71 : /**
72 : * data - Context data for the handler
73 : */
74 : void *data;
75 : };
76 :
77 :
78 : /**
79 : * struct radius_msg_list - RADIUS client message retransmit list
80 : *
81 : * This data structure is used internally inside the RADIUS client module to
82 : * store pending RADIUS requests that may still need to be retransmitted.
83 : */
84 : struct radius_msg_list {
85 : /**
86 : * addr - STA/client address
87 : *
88 : * This is used to find RADIUS messages for the same STA.
89 : */
90 : u8 addr[ETH_ALEN];
91 :
92 : /**
93 : * msg - RADIUS message
94 : */
95 : struct radius_msg *msg;
96 :
97 : /**
98 : * msg_type - Message type
99 : */
100 : RadiusType msg_type;
101 :
102 : /**
103 : * first_try - Time of the first transmission attempt
104 : */
105 : os_time_t first_try;
106 :
107 : /**
108 : * next_try - Time for the next transmission attempt
109 : */
110 : os_time_t next_try;
111 :
112 : /**
113 : * attempts - Number of transmission attempts
114 : */
115 : int attempts;
116 :
117 : /**
118 : * next_wait - Next retransmission wait time in seconds
119 : */
120 : int next_wait;
121 :
122 : /**
123 : * last_attempt - Time of the last transmission attempt
124 : */
125 : struct os_reltime last_attempt;
126 :
127 : /**
128 : * shared_secret - Shared secret with the target RADIUS server
129 : */
130 : const u8 *shared_secret;
131 :
132 : /**
133 : * shared_secret_len - shared_secret length in octets
134 : */
135 : size_t shared_secret_len;
136 :
137 : /* TODO: server config with failover to backup server(s) */
138 :
139 : /**
140 : * next - Next message in the list
141 : */
142 : struct radius_msg_list *next;
143 : };
144 :
145 :
146 : /**
147 : * struct radius_client_data - Internal RADIUS client data
148 : *
149 : * This data structure is used internally inside the RADIUS client module.
150 : * External users allocate this by calling radius_client_init() and free it by
151 : * calling radius_client_deinit(). The pointer to this opaque data is used in
152 : * calls to other functions as an identifier for the RADIUS client instance.
153 : */
154 : struct radius_client_data {
155 : /**
156 : * ctx - Context pointer for hostapd_logger() callbacks
157 : */
158 : void *ctx;
159 :
160 : /**
161 : * conf - RADIUS client configuration (list of RADIUS servers to use)
162 : */
163 : struct hostapd_radius_servers *conf;
164 :
165 : /**
166 : * auth_serv_sock - IPv4 socket for RADIUS authentication messages
167 : */
168 : int auth_serv_sock;
169 :
170 : /**
171 : * acct_serv_sock - IPv4 socket for RADIUS accounting messages
172 : */
173 : int acct_serv_sock;
174 :
175 : /**
176 : * auth_serv_sock6 - IPv6 socket for RADIUS authentication messages
177 : */
178 : int auth_serv_sock6;
179 :
180 : /**
181 : * acct_serv_sock6 - IPv6 socket for RADIUS accounting messages
182 : */
183 : int acct_serv_sock6;
184 :
185 : /**
186 : * auth_sock - Currently used socket for RADIUS authentication server
187 : */
188 : int auth_sock;
189 :
190 : /**
191 : * acct_sock - Currently used socket for RADIUS accounting server
192 : */
193 : int acct_sock;
194 :
195 : /**
196 : * auth_handlers - Authentication message handlers
197 : */
198 : struct radius_rx_handler *auth_handlers;
199 :
200 : /**
201 : * num_auth_handlers - Number of handlers in auth_handlers
202 : */
203 : size_t num_auth_handlers;
204 :
205 : /**
206 : * acct_handlers - Accounting message handlers
207 : */
208 : struct radius_rx_handler *acct_handlers;
209 :
210 : /**
211 : * num_acct_handlers - Number of handlers in acct_handlers
212 : */
213 : size_t num_acct_handlers;
214 :
215 : /**
216 : * msgs - Pending outgoing RADIUS messages
217 : */
218 : struct radius_msg_list *msgs;
219 :
220 : /**
221 : * num_msgs - Number of pending messages in the msgs list
222 : */
223 : size_t num_msgs;
224 :
225 : /**
226 : * next_radius_identifier - Next RADIUS message identifier to use
227 : */
228 : u8 next_radius_identifier;
229 : };
230 :
231 :
232 : static int
233 : radius_change_server(struct radius_client_data *radius,
234 : struct hostapd_radius_server *nserv,
235 : struct hostapd_radius_server *oserv,
236 : int sock, int sock6, int auth);
237 : static int radius_client_init_acct(struct radius_client_data *radius);
238 : static int radius_client_init_auth(struct radius_client_data *radius);
239 :
240 :
241 3758 : static void radius_client_msg_free(struct radius_msg_list *req)
242 : {
243 3758 : radius_msg_free(req->msg);
244 3758 : os_free(req);
245 3758 : }
246 :
247 :
248 : /**
249 : * radius_client_register - Register a RADIUS client RX handler
250 : * @radius: RADIUS client context from radius_client_init()
251 : * @msg_type: RADIUS client type (RADIUS_AUTH or RADIUS_ACCT)
252 : * @handler: Handler for received RADIUS messages
253 : * @data: Context pointer for handler callbacks
254 : * Returns: 0 on success, -1 on failure
255 : *
256 : * This function is used to register a handler for processing received RADIUS
257 : * authentication and accounting messages. The handler() callback function will
258 : * be called whenever a RADIUS message is received from the active server.
259 : *
260 : * There can be multiple registered RADIUS message handlers. The handlers will
261 : * be called in order until one of them indicates that it has processed or
262 : * queued the message.
263 : */
264 2949 : int radius_client_register(struct radius_client_data *radius,
265 : RadiusType msg_type,
266 : RadiusRxResult (*handler)(struct radius_msg *msg,
267 : struct radius_msg *req,
268 : const u8 *shared_secret,
269 : size_t shared_secret_len,
270 : void *data),
271 : void *data)
272 : {
273 : struct radius_rx_handler **handlers, *newh;
274 : size_t *num;
275 :
276 2949 : if (msg_type == RADIUS_ACCT) {
277 983 : handlers = &radius->acct_handlers;
278 983 : num = &radius->num_acct_handlers;
279 : } else {
280 1966 : handlers = &radius->auth_handlers;
281 1966 : num = &radius->num_auth_handlers;
282 : }
283 :
284 2949 : newh = os_realloc_array(*handlers, *num + 1,
285 : sizeof(struct radius_rx_handler));
286 2949 : if (newh == NULL)
287 1 : return -1;
288 :
289 2948 : newh[*num].handler = handler;
290 2948 : newh[*num].data = data;
291 2948 : (*num)++;
292 2948 : *handlers = newh;
293 :
294 2948 : return 0;
295 : }
296 :
297 :
298 : /*
299 : * Returns >0 if message queue was flushed (i.e., the message that triggered
300 : * the error is not available anymore)
301 : */
302 943 : static int radius_client_handle_send_error(struct radius_client_data *radius,
303 : int s, RadiusType msg_type)
304 : {
305 : #ifndef CONFIG_NATIVE_WINDOWS
306 943 : int _errno = errno;
307 943 : wpa_printf(MSG_INFO, "send[RADIUS]: %s", strerror(errno));
308 943 : if (_errno == ENOTCONN || _errno == EDESTADDRREQ || _errno == EINVAL ||
309 7 : _errno == EBADF || _errno == ENETUNREACH) {
310 940 : hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
311 : HOSTAPD_LEVEL_INFO,
312 : "Send failed - maybe interface status changed -"
313 : " try to connect again");
314 940 : if (msg_type == RADIUS_ACCT ||
315 : msg_type == RADIUS_ACCT_INTERIM) {
316 4 : radius_client_init_acct(radius);
317 4 : return 0;
318 : } else {
319 936 : radius_client_init_auth(radius);
320 936 : return 1;
321 : }
322 : }
323 : #endif /* CONFIG_NATIVE_WINDOWS */
324 :
325 3 : return 0;
326 : }
327 :
328 :
329 960 : static int radius_client_retransmit(struct radius_client_data *radius,
330 : struct radius_msg_list *entry,
331 : os_time_t now)
332 : {
333 960 : struct hostapd_radius_servers *conf = radius->conf;
334 : int s;
335 : struct wpabuf *buf;
336 :
337 1909 : if (entry->msg_type == RADIUS_ACCT ||
338 949 : entry->msg_type == RADIUS_ACCT_INTERIM) {
339 11 : s = radius->acct_sock;
340 22 : if (entry->attempts == 0)
341 1 : conf->acct_server->requests++;
342 : else {
343 10 : conf->acct_server->timeouts++;
344 10 : conf->acct_server->retransmissions++;
345 : }
346 : } else {
347 949 : s = radius->auth_sock;
348 949 : if (entry->attempts == 0)
349 0 : conf->auth_server->requests++;
350 : else {
351 949 : conf->auth_server->timeouts++;
352 949 : conf->auth_server->retransmissions++;
353 : }
354 : }
355 :
356 : /* retransmit; remove entry if too many attempts */
357 960 : entry->attempts++;
358 960 : hostapd_logger(radius->ctx, entry->addr, HOSTAPD_MODULE_RADIUS,
359 : HOSTAPD_LEVEL_DEBUG, "Resending RADIUS message (id=%d)",
360 960 : radius_msg_get_hdr(entry->msg)->identifier);
361 :
362 960 : os_get_reltime(&entry->last_attempt);
363 960 : buf = radius_msg_get_buf(entry->msg);
364 960 : if (send(s, wpabuf_head(buf), wpabuf_len(buf), 0) < 0) {
365 938 : if (radius_client_handle_send_error(radius, s, entry->msg_type)
366 : > 0)
367 934 : return 0;
368 : }
369 :
370 26 : entry->next_try = now + entry->next_wait;
371 26 : entry->next_wait *= 2;
372 26 : if (entry->next_wait > RADIUS_CLIENT_MAX_WAIT)
373 0 : entry->next_wait = RADIUS_CLIENT_MAX_WAIT;
374 26 : if (entry->attempts >= RADIUS_CLIENT_MAX_RETRIES) {
375 0 : wpa_printf(MSG_INFO, "RADIUS: Removing un-ACKed message due to too many failed retransmit attempts");
376 0 : return 1;
377 : }
378 :
379 26 : return 0;
380 : }
381 :
382 :
383 988 : static void radius_client_timer(void *eloop_ctx, void *timeout_ctx)
384 : {
385 988 : struct radius_client_data *radius = eloop_ctx;
386 988 : struct hostapd_radius_servers *conf = radius->conf;
387 : struct os_reltime now;
388 : os_time_t first;
389 : struct radius_msg_list *entry, *prev, *tmp;
390 988 : int auth_failover = 0, acct_failover = 0;
391 : char abuf[50];
392 : size_t prev_num_msgs;
393 : int s;
394 :
395 988 : entry = radius->msgs;
396 988 : if (!entry)
397 1020 : return;
398 :
399 956 : os_get_reltime(&now);
400 956 : first = 0;
401 :
402 956 : prev = NULL;
403 2879 : while (entry) {
404 967 : prev_num_msgs = radius->num_msgs;
405 1927 : if (now.sec >= entry->next_try &&
406 960 : radius_client_retransmit(radius, entry, now.sec)) {
407 0 : if (prev)
408 0 : prev->next = entry->next;
409 : else
410 0 : radius->msgs = entry->next;
411 :
412 0 : tmp = entry;
413 0 : entry = entry->next;
414 0 : radius_client_msg_free(tmp);
415 0 : radius->num_msgs--;
416 0 : continue;
417 : }
418 :
419 967 : if (prev_num_msgs != radius->num_msgs) {
420 0 : wpa_printf(MSG_DEBUG,
421 : "RADIUS: Message removed from queue - restart from beginning");
422 0 : entry = radius->msgs;
423 0 : prev = NULL;
424 0 : continue;
425 : }
426 :
427 967 : s = entry->msg_type == RADIUS_AUTH ? radius->auth_sock :
428 : radius->acct_sock;
429 967 : if (entry->attempts > RADIUS_CLIENT_NUM_FAILOVER ||
430 9 : (s < 0 && entry->attempts > 0)) {
431 1873 : if (entry->msg_type == RADIUS_ACCT ||
432 934 : entry->msg_type == RADIUS_ACCT_INTERIM)
433 5 : acct_failover++;
434 : else
435 934 : auth_failover++;
436 : }
437 :
438 967 : if (first == 0 || entry->next_try < first)
439 958 : first = entry->next_try;
440 :
441 967 : prev = entry;
442 967 : entry = entry->next;
443 : }
444 :
445 956 : if (radius->msgs) {
446 956 : if (first < now.sec)
447 142 : first = now.sec;
448 956 : eloop_register_timeout(first - now.sec, 0,
449 : radius_client_timer, radius, NULL);
450 956 : hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
451 : HOSTAPD_LEVEL_DEBUG, "Next RADIUS client "
452 : "retransmit in %ld seconds",
453 956 : (long int) (first - now.sec));
454 : }
455 :
456 956 : if (auth_failover && conf->num_auth_servers > 1) {
457 : struct hostapd_radius_server *next, *old;
458 1 : old = conf->auth_server;
459 2 : hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
460 : HOSTAPD_LEVEL_NOTICE,
461 : "No response from Authentication server "
462 : "%s:%d - failover",
463 1 : hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
464 : old->port);
465 :
466 3 : for (entry = radius->msgs; entry; entry = entry->next) {
467 2 : if (entry->msg_type == RADIUS_AUTH)
468 1 : old->timeouts++;
469 : }
470 :
471 1 : next = old + 1;
472 1 : if (next > &(conf->auth_servers[conf->num_auth_servers - 1]))
473 0 : next = conf->auth_servers;
474 1 : conf->auth_server = next;
475 1 : radius_change_server(radius, next, old,
476 : radius->auth_serv_sock,
477 : radius->auth_serv_sock6, 1);
478 : }
479 :
480 956 : if (acct_failover && conf->num_acct_servers > 1) {
481 : struct hostapd_radius_server *next, *old;
482 1 : old = conf->acct_server;
483 2 : hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
484 : HOSTAPD_LEVEL_NOTICE,
485 : "No response from Accounting server "
486 : "%s:%d - failover",
487 1 : hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
488 : old->port);
489 :
490 2 : for (entry = radius->msgs; entry; entry = entry->next) {
491 1 : if (entry->msg_type == RADIUS_ACCT ||
492 0 : entry->msg_type == RADIUS_ACCT_INTERIM)
493 1 : old->timeouts++;
494 : }
495 :
496 1 : next = old + 1;
497 1 : if (next > &conf->acct_servers[conf->num_acct_servers - 1])
498 0 : next = conf->acct_servers;
499 1 : conf->acct_server = next;
500 1 : radius_change_server(radius, next, old,
501 : radius->acct_serv_sock,
502 : radius->acct_serv_sock6, 0);
503 : }
504 : }
505 :
506 :
507 3758 : static void radius_client_update_timeout(struct radius_client_data *radius)
508 : {
509 : struct os_reltime now;
510 : os_time_t first;
511 : struct radius_msg_list *entry;
512 :
513 3758 : eloop_cancel_timeout(radius_client_timer, radius, NULL);
514 :
515 3758 : if (radius->msgs == NULL) {
516 3758 : return;
517 : }
518 :
519 3758 : first = 0;
520 7952 : for (entry = radius->msgs; entry; entry = entry->next) {
521 4194 : if (first == 0 || entry->next_try < first)
522 3826 : first = entry->next_try;
523 : }
524 :
525 3758 : os_get_reltime(&now);
526 3758 : if (first < now.sec)
527 0 : first = now.sec;
528 3758 : eloop_register_timeout(first - now.sec, 0, radius_client_timer, radius,
529 : NULL);
530 3758 : hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
531 : HOSTAPD_LEVEL_DEBUG, "Next RADIUS client retransmit in"
532 3758 : " %ld seconds", (long int) (first - now.sec));
533 : }
534 :
535 :
536 3765 : static void radius_client_list_add(struct radius_client_data *radius,
537 : struct radius_msg *msg,
538 : RadiusType msg_type,
539 : const u8 *shared_secret,
540 : size_t shared_secret_len, const u8 *addr)
541 : {
542 : struct radius_msg_list *entry, *prev;
543 :
544 3765 : if (eloop_terminated()) {
545 : /* No point in adding entries to retransmit queue since event
546 : * loop has already been terminated. */
547 0 : radius_msg_free(msg);
548 0 : return;
549 : }
550 :
551 3765 : entry = os_zalloc(sizeof(*entry));
552 3765 : if (entry == NULL) {
553 7 : wpa_printf(MSG_INFO, "RADIUS: Failed to add packet into retransmit list");
554 7 : radius_msg_free(msg);
555 7 : return;
556 : }
557 :
558 3758 : if (addr)
559 3666 : os_memcpy(entry->addr, addr, ETH_ALEN);
560 3758 : entry->msg = msg;
561 3758 : entry->msg_type = msg_type;
562 3758 : entry->shared_secret = shared_secret;
563 3758 : entry->shared_secret_len = shared_secret_len;
564 3758 : os_get_reltime(&entry->last_attempt);
565 3758 : entry->first_try = entry->last_attempt.sec;
566 3758 : entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
567 3758 : entry->attempts = 1;
568 3758 : entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
569 3758 : entry->next = radius->msgs;
570 3758 : radius->msgs = entry;
571 3758 : radius_client_update_timeout(radius);
572 :
573 3758 : if (radius->num_msgs >= RADIUS_CLIENT_MAX_ENTRIES) {
574 0 : wpa_printf(MSG_INFO, "RADIUS: Removing the oldest un-ACKed packet due to retransmit list limits");
575 0 : prev = NULL;
576 0 : while (entry->next) {
577 0 : prev = entry;
578 0 : entry = entry->next;
579 : }
580 0 : if (prev) {
581 0 : prev->next = NULL;
582 0 : radius_client_msg_free(entry);
583 : }
584 : } else
585 3758 : radius->num_msgs++;
586 : }
587 :
588 :
589 6 : static void radius_client_list_del(struct radius_client_data *radius,
590 : RadiusType msg_type, const u8 *addr)
591 : {
592 : struct radius_msg_list *entry, *prev, *tmp;
593 :
594 6 : if (addr == NULL)
595 6 : return;
596 :
597 6 : entry = radius->msgs;
598 6 : prev = NULL;
599 20 : while (entry) {
600 10 : if (entry->msg_type == msg_type &&
601 2 : os_memcmp(entry->addr, addr, ETH_ALEN) == 0) {
602 2 : if (prev)
603 0 : prev->next = entry->next;
604 : else
605 2 : radius->msgs = entry->next;
606 2 : tmp = entry;
607 2 : entry = entry->next;
608 2 : hostapd_logger(radius->ctx, addr,
609 : HOSTAPD_MODULE_RADIUS,
610 : HOSTAPD_LEVEL_DEBUG,
611 : "Removing matching RADIUS message");
612 2 : radius_client_msg_free(tmp);
613 2 : radius->num_msgs--;
614 2 : continue;
615 : }
616 6 : prev = entry;
617 6 : entry = entry->next;
618 : }
619 : }
620 :
621 :
622 : /**
623 : * radius_client_send - Send a RADIUS request
624 : * @radius: RADIUS client context from radius_client_init()
625 : * @msg: RADIUS message to be sent
626 : * @msg_type: Message type (RADIUS_AUTH, RADIUS_ACCT, RADIUS_ACCT_INTERIM)
627 : * @addr: MAC address of the device related to this message or %NULL
628 : * Returns: 0 on success, -1 on failure
629 : *
630 : * This function is used to transmit a RADIUS authentication (RADIUS_AUTH) or
631 : * accounting request (RADIUS_ACCT or RADIUS_ACCT_INTERIM). The only difference
632 : * between accounting and interim accounting messages is that the interim
633 : * message will override any pending interim accounting updates while a new
634 : * accounting message does not remove any pending messages.
635 : *
636 : * The message is added on the retransmission queue and will be retransmitted
637 : * automatically until a response is received or maximum number of retries
638 : * (RADIUS_CLIENT_MAX_RETRIES) is reached.
639 : *
640 : * The related device MAC address can be used to identify pending messages that
641 : * can be removed with radius_client_flush_auth() or with interim accounting
642 : * updates.
643 : */
644 3770 : int radius_client_send(struct radius_client_data *radius,
645 : struct radius_msg *msg, RadiusType msg_type,
646 : const u8 *addr)
647 : {
648 3770 : struct hostapd_radius_servers *conf = radius->conf;
649 : const u8 *shared_secret;
650 : size_t shared_secret_len;
651 : char *name;
652 : int s, res;
653 : struct wpabuf *buf;
654 :
655 3770 : if (msg_type == RADIUS_ACCT_INTERIM) {
656 : /* Remove any pending interim acct update for the same STA. */
657 6 : radius_client_list_del(radius, msg_type, addr);
658 : }
659 :
660 3770 : if (msg_type == RADIUS_ACCT || msg_type == RADIUS_ACCT_INTERIM) {
661 957 : if (conf->acct_server == NULL || radius->acct_sock < 0 ||
662 477 : conf->acct_server->shared_secret == NULL) {
663 5 : hostapd_logger(radius->ctx, NULL,
664 : HOSTAPD_MODULE_RADIUS,
665 : HOSTAPD_LEVEL_INFO,
666 : "No accounting server configured");
667 5 : return -1;
668 : }
669 475 : shared_secret = conf->acct_server->shared_secret;
670 475 : shared_secret_len = conf->acct_server->shared_secret_len;
671 475 : radius_msg_finish_acct(msg, shared_secret, shared_secret_len);
672 475 : name = "accounting";
673 475 : s = radius->acct_sock;
674 475 : conf->acct_server->requests++;
675 : } else {
676 6580 : if (conf->auth_server == NULL || radius->auth_sock < 0 ||
677 3290 : conf->auth_server->shared_secret == NULL) {
678 0 : hostapd_logger(radius->ctx, NULL,
679 : HOSTAPD_MODULE_RADIUS,
680 : HOSTAPD_LEVEL_INFO,
681 : "No authentication server configured");
682 0 : return -1;
683 : }
684 3290 : shared_secret = conf->auth_server->shared_secret;
685 3290 : shared_secret_len = conf->auth_server->shared_secret_len;
686 3290 : radius_msg_finish(msg, shared_secret, shared_secret_len);
687 3290 : name = "authentication";
688 3290 : s = radius->auth_sock;
689 3290 : conf->auth_server->requests++;
690 : }
691 :
692 3765 : hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
693 : HOSTAPD_LEVEL_DEBUG, "Sending RADIUS message to %s "
694 : "server", name);
695 3765 : if (conf->msg_dumps)
696 3765 : radius_msg_dump(msg);
697 :
698 3765 : buf = radius_msg_get_buf(msg);
699 3765 : res = send(s, wpabuf_head(buf), wpabuf_len(buf), 0);
700 3765 : if (res < 0)
701 5 : radius_client_handle_send_error(radius, s, msg_type);
702 :
703 3765 : radius_client_list_add(radius, msg, msg_type, shared_secret,
704 : shared_secret_len, addr);
705 :
706 3765 : return 0;
707 : }
708 :
709 :
710 3725 : static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
711 : {
712 3725 : struct radius_client_data *radius = eloop_ctx;
713 3725 : struct hostapd_radius_servers *conf = radius->conf;
714 3725 : RadiusType msg_type = (RadiusType) sock_ctx;
715 : int len, roundtrip;
716 : unsigned char buf[3000];
717 : struct radius_msg *msg;
718 : struct radius_hdr *hdr;
719 : struct radius_rx_handler *handlers;
720 : size_t num_handlers, i;
721 : struct radius_msg_list *req, *prev_req;
722 : struct os_reltime now;
723 : struct hostapd_radius_server *rconf;
724 3725 : int invalid_authenticator = 0;
725 :
726 3725 : if (msg_type == RADIUS_ACCT) {
727 427 : handlers = radius->acct_handlers;
728 427 : num_handlers = radius->num_acct_handlers;
729 427 : rconf = conf->acct_server;
730 : } else {
731 3298 : handlers = radius->auth_handlers;
732 3298 : num_handlers = radius->num_auth_handlers;
733 3298 : rconf = conf->auth_server;
734 : }
735 :
736 3725 : len = recv(sock, buf, sizeof(buf), MSG_DONTWAIT);
737 3725 : if (len < 0) {
738 12 : wpa_printf(MSG_INFO, "recv[RADIUS]: %s", strerror(errno));
739 12 : return;
740 : }
741 3713 : hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
742 : HOSTAPD_LEVEL_DEBUG, "Received %d bytes from RADIUS "
743 : "server", len);
744 3713 : if (len == sizeof(buf)) {
745 0 : wpa_printf(MSG_INFO, "RADIUS: Possibly too long UDP frame for our buffer - dropping it");
746 0 : return;
747 : }
748 :
749 3713 : msg = radius_msg_parse(buf, len);
750 3713 : if (msg == NULL) {
751 19 : wpa_printf(MSG_INFO, "RADIUS: Parsing incoming frame failed");
752 19 : rconf->malformed_responses++;
753 19 : return;
754 : }
755 3694 : hdr = radius_msg_get_hdr(msg);
756 :
757 3694 : hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
758 : HOSTAPD_LEVEL_DEBUG, "Received RADIUS message");
759 3694 : if (conf->msg_dumps)
760 3694 : radius_msg_dump(msg);
761 :
762 3694 : switch (hdr->code) {
763 : case RADIUS_CODE_ACCESS_ACCEPT:
764 579 : rconf->access_accepts++;
765 579 : break;
766 : case RADIUS_CODE_ACCESS_REJECT:
767 93 : rconf->access_rejects++;
768 93 : break;
769 : case RADIUS_CODE_ACCESS_CHALLENGE:
770 2611 : rconf->access_challenges++;
771 2611 : break;
772 : case RADIUS_CODE_ACCOUNTING_RESPONSE:
773 411 : rconf->responses++;
774 411 : break;
775 : }
776 :
777 3694 : prev_req = NULL;
778 3694 : req = radius->msgs;
779 7576 : while (req) {
780 : /* TODO: also match by src addr:port of the packet when using
781 : * alternative RADIUS servers (?) */
782 3875 : if ((req->msg_type == msg_type ||
783 8 : (req->msg_type == RADIUS_ACCT_INTERIM &&
784 3868 : msg_type == RADIUS_ACCT)) &&
785 3868 : radius_msg_get_hdr(req->msg)->identifier ==
786 3868 : hdr->identifier)
787 3682 : break;
788 :
789 188 : prev_req = req;
790 188 : req = req->next;
791 : }
792 :
793 3694 : if (req == NULL) {
794 12 : hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
795 : HOSTAPD_LEVEL_DEBUG,
796 : "No matching RADIUS request found (type=%d "
797 : "id=%d) - dropping packet",
798 12 : msg_type, hdr->identifier);
799 12 : goto fail;
800 : }
801 :
802 3682 : os_get_reltime(&now);
803 7364 : roundtrip = (now.sec - req->last_attempt.sec) * 100 +
804 3682 : (now.usec - req->last_attempt.usec) / 10000;
805 3682 : hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
806 : HOSTAPD_LEVEL_DEBUG,
807 : "Received RADIUS packet matched with a pending "
808 : "request, round trip time %d.%02d sec",
809 : roundtrip / 100, roundtrip % 100);
810 3682 : rconf->round_trip_time = roundtrip;
811 :
812 : /* Remove ACKed RADIUS packet from retransmit list */
813 3682 : if (prev_req)
814 186 : prev_req->next = req->next;
815 : else
816 3496 : radius->msgs = req->next;
817 3682 : radius->num_msgs--;
818 :
819 6954 : for (i = 0; i < num_handlers; i++) {
820 : RadiusRxResult res;
821 13902 : res = handlers[i].handler(msg, req->msg, req->shared_secret,
822 : req->shared_secret_len,
823 6951 : handlers[i].data);
824 6951 : switch (res) {
825 : case RADIUS_RX_PROCESSED:
826 413 : radius_msg_free(msg);
827 : /* continue */
828 : case RADIUS_RX_QUEUED:
829 3679 : radius_client_msg_free(req);
830 3679 : return;
831 : case RADIUS_RX_INVALID_AUTHENTICATOR:
832 3 : invalid_authenticator++;
833 : /* continue */
834 : case RADIUS_RX_UNKNOWN:
835 : /* continue with next handler */
836 3272 : break;
837 : }
838 : }
839 :
840 3 : if (invalid_authenticator)
841 3 : rconf->bad_authenticators++;
842 : else
843 0 : rconf->unknown_types++;
844 9 : hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
845 : HOSTAPD_LEVEL_DEBUG, "No RADIUS RX handler found "
846 : "(type=%d code=%d id=%d)%s - dropping packet",
847 6 : msg_type, hdr->code, hdr->identifier,
848 : invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
849 : "");
850 3 : radius_client_msg_free(req);
851 :
852 : fail:
853 15 : radius_msg_free(msg);
854 : }
855 :
856 :
857 : /**
858 : * radius_client_get_id - Get an identifier for a new RADIUS message
859 : * @radius: RADIUS client context from radius_client_init()
860 : * Returns: Allocated identifier
861 : *
862 : * This function is used to fetch a unique (among pending requests) identifier
863 : * for a new RADIUS message.
864 : */
865 3780 : u8 radius_client_get_id(struct radius_client_data *radius)
866 : {
867 : struct radius_msg_list *entry, *prev, *_remove;
868 3780 : u8 id = radius->next_radius_identifier++;
869 :
870 : /* remove entries with matching id from retransmit list to avoid
871 : * using new reply from the RADIUS server with an old request */
872 3780 : entry = radius->msgs;
873 3780 : prev = NULL;
874 8002 : while (entry) {
875 442 : if (radius_msg_get_hdr(entry->msg)->identifier == id) {
876 0 : hostapd_logger(radius->ctx, entry->addr,
877 : HOSTAPD_MODULE_RADIUS,
878 : HOSTAPD_LEVEL_DEBUG,
879 : "Removing pending RADIUS message, "
880 : "since its id (%d) is reused", id);
881 0 : if (prev)
882 0 : prev->next = entry->next;
883 : else
884 0 : radius->msgs = entry->next;
885 0 : _remove = entry;
886 : } else {
887 442 : _remove = NULL;
888 442 : prev = entry;
889 : }
890 442 : entry = entry->next;
891 :
892 442 : if (_remove)
893 0 : radius_client_msg_free(_remove);
894 : }
895 :
896 3780 : return id;
897 : }
898 :
899 :
900 : /**
901 : * radius_client_flush - Flush all pending RADIUS client messages
902 : * @radius: RADIUS client context from radius_client_init()
903 : * @only_auth: Whether only authentication messages are removed
904 : */
905 1002 : void radius_client_flush(struct radius_client_data *radius, int only_auth)
906 : {
907 : struct radius_msg_list *entry, *prev, *tmp;
908 :
909 1002 : if (!radius)
910 1002 : return;
911 :
912 1002 : prev = NULL;
913 1002 : entry = radius->msgs;
914 :
915 2068 : while (entry) {
916 64 : if (!only_auth || entry->msg_type == RADIUS_AUTH) {
917 63 : if (prev)
918 0 : prev->next = entry->next;
919 : else
920 63 : radius->msgs = entry->next;
921 :
922 63 : tmp = entry;
923 63 : entry = entry->next;
924 63 : radius_client_msg_free(tmp);
925 63 : radius->num_msgs--;
926 : } else {
927 1 : prev = entry;
928 1 : entry = entry->next;
929 : }
930 : }
931 :
932 1002 : if (radius->msgs == NULL)
933 1001 : eloop_cancel_timeout(radius_client_timer, radius, NULL);
934 : }
935 :
936 :
937 1 : static void radius_client_update_acct_msgs(struct radius_client_data *radius,
938 : const u8 *shared_secret,
939 : size_t shared_secret_len)
940 : {
941 : struct radius_msg_list *entry;
942 :
943 1 : if (!radius)
944 1 : return;
945 :
946 2 : for (entry = radius->msgs; entry; entry = entry->next) {
947 1 : if (entry->msg_type == RADIUS_ACCT) {
948 1 : entry->shared_secret = shared_secret;
949 1 : entry->shared_secret_len = shared_secret_len;
950 1 : radius_msg_finish_acct(entry->msg, shared_secret,
951 : shared_secret_len);
952 : }
953 : }
954 : }
955 :
956 :
957 : static int
958 1344 : radius_change_server(struct radius_client_data *radius,
959 : struct hostapd_radius_server *nserv,
960 : struct hostapd_radius_server *oserv,
961 : int sock, int sock6, int auth)
962 : {
963 : struct sockaddr_in serv, claddr;
964 : #ifdef CONFIG_IPV6
965 : struct sockaddr_in6 serv6, claddr6;
966 : #endif /* CONFIG_IPV6 */
967 : struct sockaddr *addr, *cl_addr;
968 : socklen_t addrlen, claddrlen;
969 : char abuf[50];
970 : int sel_sock;
971 : struct radius_msg_list *entry;
972 1344 : struct hostapd_radius_servers *conf = radius->conf;
973 :
974 2688 : hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
975 : HOSTAPD_LEVEL_INFO,
976 : "%s server %s:%d",
977 : auth ? "Authentication" : "Accounting",
978 1344 : hostapd_ip_txt(&nserv->addr, abuf, sizeof(abuf)),
979 : nserv->port);
980 :
981 1346 : if (oserv && oserv != nserv &&
982 2 : (nserv->shared_secret_len != oserv->shared_secret_len ||
983 0 : os_memcmp(nserv->shared_secret, oserv->shared_secret,
984 : nserv->shared_secret_len) != 0)) {
985 : /* Pending RADIUS packets used different shared secret, so
986 : * they need to be modified. Update accounting message
987 : * authenticators here. Authentication messages are removed
988 : * since they would require more changes and the new RADIUS
989 : * server may not be prepared to receive them anyway due to
990 : * missing state information. Client will likely retry
991 : * authentication, so this should not be an issue. */
992 2 : if (auth)
993 1 : radius_client_flush(radius, 1);
994 : else {
995 2 : radius_client_update_acct_msgs(
996 1 : radius, nserv->shared_secret,
997 : nserv->shared_secret_len);
998 : }
999 : }
1000 :
1001 : /* Reset retry counters for the new server */
1002 2690 : for (entry = radius->msgs; oserv && oserv != nserv && entry;
1003 2 : entry = entry->next) {
1004 2 : if ((auth && entry->msg_type != RADIUS_AUTH) ||
1005 1 : (!auth && entry->msg_type != RADIUS_ACCT))
1006 1 : continue;
1007 1 : entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
1008 1 : entry->attempts = 0;
1009 1 : entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
1010 : }
1011 :
1012 1344 : if (radius->msgs) {
1013 941 : eloop_cancel_timeout(radius_client_timer, radius, NULL);
1014 941 : eloop_register_timeout(RADIUS_CLIENT_FIRST_WAIT, 0,
1015 : radius_client_timer, radius, NULL);
1016 : }
1017 :
1018 1344 : switch (nserv->addr.af) {
1019 : case AF_INET:
1020 1342 : os_memset(&serv, 0, sizeof(serv));
1021 1342 : serv.sin_family = AF_INET;
1022 1342 : serv.sin_addr.s_addr = nserv->addr.u.v4.s_addr;
1023 1342 : serv.sin_port = htons(nserv->port);
1024 1342 : addr = (struct sockaddr *) &serv;
1025 1342 : addrlen = sizeof(serv);
1026 1342 : sel_sock = sock;
1027 1342 : break;
1028 : #ifdef CONFIG_IPV6
1029 : case AF_INET6:
1030 2 : os_memset(&serv6, 0, sizeof(serv6));
1031 2 : serv6.sin6_family = AF_INET6;
1032 2 : os_memcpy(&serv6.sin6_addr, &nserv->addr.u.v6,
1033 : sizeof(struct in6_addr));
1034 2 : serv6.sin6_port = htons(nserv->port);
1035 2 : addr = (struct sockaddr *) &serv6;
1036 2 : addrlen = sizeof(serv6);
1037 2 : sel_sock = sock6;
1038 2 : break;
1039 : #endif /* CONFIG_IPV6 */
1040 : default:
1041 0 : return -1;
1042 : }
1043 :
1044 1344 : if (sel_sock < 0) {
1045 0 : wpa_printf(MSG_INFO,
1046 : "RADIUS: No server socket available (af=%d sock=%d sock6=%d auth=%d",
1047 : nserv->addr.af, sock, sock6, auth);
1048 0 : return -1;
1049 : }
1050 :
1051 1344 : if (conf->force_client_addr) {
1052 0 : switch (conf->client_addr.af) {
1053 : case AF_INET:
1054 0 : os_memset(&claddr, 0, sizeof(claddr));
1055 0 : claddr.sin_family = AF_INET;
1056 0 : claddr.sin_addr.s_addr = conf->client_addr.u.v4.s_addr;
1057 0 : claddr.sin_port = htons(0);
1058 0 : cl_addr = (struct sockaddr *) &claddr;
1059 0 : claddrlen = sizeof(claddr);
1060 0 : break;
1061 : #ifdef CONFIG_IPV6
1062 : case AF_INET6:
1063 0 : os_memset(&claddr6, 0, sizeof(claddr6));
1064 0 : claddr6.sin6_family = AF_INET6;
1065 0 : os_memcpy(&claddr6.sin6_addr, &conf->client_addr.u.v6,
1066 : sizeof(struct in6_addr));
1067 0 : claddr6.sin6_port = htons(0);
1068 0 : cl_addr = (struct sockaddr *) &claddr6;
1069 0 : claddrlen = sizeof(claddr6);
1070 0 : break;
1071 : #endif /* CONFIG_IPV6 */
1072 : default:
1073 0 : return -1;
1074 : }
1075 :
1076 0 : if (bind(sel_sock, cl_addr, claddrlen) < 0) {
1077 0 : wpa_printf(MSG_INFO, "bind[radius]: %s",
1078 0 : strerror(errno));
1079 0 : return -1;
1080 : }
1081 : }
1082 :
1083 1344 : if (connect(sel_sock, addr, addrlen) < 0) {
1084 940 : wpa_printf(MSG_INFO, "connect[radius]: %s", strerror(errno));
1085 940 : return -1;
1086 : }
1087 :
1088 : #ifndef CONFIG_NATIVE_WINDOWS
1089 404 : switch (nserv->addr.af) {
1090 : case AF_INET:
1091 402 : claddrlen = sizeof(claddr);
1092 402 : if (getsockname(sel_sock, (struct sockaddr *) &claddr,
1093 : &claddrlen) == 0) {
1094 402 : wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
1095 : inet_ntoa(claddr.sin_addr),
1096 402 : ntohs(claddr.sin_port));
1097 : }
1098 402 : break;
1099 : #ifdef CONFIG_IPV6
1100 : case AF_INET6: {
1101 2 : claddrlen = sizeof(claddr6);
1102 2 : if (getsockname(sel_sock, (struct sockaddr *) &claddr6,
1103 : &claddrlen) == 0) {
1104 2 : wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
1105 : inet_ntop(AF_INET6, &claddr6.sin6_addr,
1106 : abuf, sizeof(abuf)),
1107 2 : ntohs(claddr6.sin6_port));
1108 : }
1109 2 : break;
1110 : }
1111 : #endif /* CONFIG_IPV6 */
1112 : }
1113 : #endif /* CONFIG_NATIVE_WINDOWS */
1114 :
1115 404 : if (auth)
1116 353 : radius->auth_sock = sel_sock;
1117 : else
1118 51 : radius->acct_sock = sel_sock;
1119 :
1120 404 : return 0;
1121 : }
1122 :
1123 :
1124 0 : static void radius_retry_primary_timer(void *eloop_ctx, void *timeout_ctx)
1125 : {
1126 0 : struct radius_client_data *radius = eloop_ctx;
1127 0 : struct hostapd_radius_servers *conf = radius->conf;
1128 : struct hostapd_radius_server *oserv;
1129 :
1130 0 : if (radius->auth_sock >= 0 && conf->auth_servers &&
1131 0 : conf->auth_server != conf->auth_servers) {
1132 0 : oserv = conf->auth_server;
1133 0 : conf->auth_server = conf->auth_servers;
1134 0 : radius_change_server(radius, conf->auth_server, oserv,
1135 : radius->auth_serv_sock,
1136 : radius->auth_serv_sock6, 1);
1137 : }
1138 :
1139 0 : if (radius->acct_sock >= 0 && conf->acct_servers &&
1140 0 : conf->acct_server != conf->acct_servers) {
1141 0 : oserv = conf->acct_server;
1142 0 : conf->acct_server = conf->acct_servers;
1143 0 : radius_change_server(radius, conf->acct_server, oserv,
1144 : radius->acct_serv_sock,
1145 : radius->acct_serv_sock6, 0);
1146 : }
1147 :
1148 0 : if (conf->retry_primary_interval)
1149 0 : eloop_register_timeout(conf->retry_primary_interval, 0,
1150 : radius_retry_primary_timer, radius,
1151 : NULL);
1152 0 : }
1153 :
1154 :
1155 1342 : static int radius_client_disable_pmtu_discovery(int s)
1156 : {
1157 1342 : int r = -1;
1158 : #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
1159 : /* Turn off Path MTU discovery on IPv4/UDP sockets. */
1160 1342 : int action = IP_PMTUDISC_DONT;
1161 1342 : r = setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, &action,
1162 : sizeof(action));
1163 1342 : if (r == -1)
1164 0 : wpa_printf(MSG_ERROR, "RADIUS: Failed to set IP_MTU_DISCOVER: %s",
1165 0 : strerror(errno));
1166 : #endif
1167 1342 : return r;
1168 : }
1169 :
1170 :
1171 2271 : static void radius_close_auth_sockets(struct radius_client_data *radius)
1172 : {
1173 2271 : radius->auth_sock = -1;
1174 :
1175 2271 : if (radius->auth_serv_sock >= 0) {
1176 1288 : eloop_unregister_read_sock(radius->auth_serv_sock);
1177 1288 : close(radius->auth_serv_sock);
1178 1288 : radius->auth_serv_sock = -1;
1179 : }
1180 : #ifdef CONFIG_IPV6
1181 2271 : if (radius->auth_serv_sock6 >= 0) {
1182 1288 : eloop_unregister_read_sock(radius->auth_serv_sock6);
1183 1288 : close(radius->auth_serv_sock6);
1184 1288 : radius->auth_serv_sock6 = -1;
1185 : }
1186 : #endif /* CONFIG_IPV6 */
1187 2271 : }
1188 :
1189 :
1190 1037 : static void radius_close_acct_sockets(struct radius_client_data *radius)
1191 : {
1192 1037 : radius->acct_sock = -1;
1193 :
1194 1037 : if (radius->acct_serv_sock >= 0) {
1195 54 : eloop_unregister_read_sock(radius->acct_serv_sock);
1196 54 : close(radius->acct_serv_sock);
1197 54 : radius->acct_serv_sock = -1;
1198 : }
1199 : #ifdef CONFIG_IPV6
1200 1037 : if (radius->acct_serv_sock6 >= 0) {
1201 54 : eloop_unregister_read_sock(radius->acct_serv_sock6);
1202 54 : close(radius->acct_serv_sock6);
1203 54 : radius->acct_serv_sock6 = -1;
1204 : }
1205 : #endif /* CONFIG_IPV6 */
1206 1037 : }
1207 :
1208 :
1209 1288 : static int radius_client_init_auth(struct radius_client_data *radius)
1210 : {
1211 1288 : struct hostapd_radius_servers *conf = radius->conf;
1212 1288 : int ok = 0;
1213 :
1214 1288 : radius_close_auth_sockets(radius);
1215 :
1216 1288 : radius->auth_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
1217 1288 : if (radius->auth_serv_sock < 0)
1218 0 : wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET,SOCK_DGRAM]: %s",
1219 0 : strerror(errno));
1220 : else {
1221 1288 : radius_client_disable_pmtu_discovery(radius->auth_serv_sock);
1222 1288 : ok++;
1223 : }
1224 :
1225 : #ifdef CONFIG_IPV6
1226 1288 : radius->auth_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
1227 1288 : if (radius->auth_serv_sock6 < 0)
1228 0 : wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET6,SOCK_DGRAM]: %s",
1229 0 : strerror(errno));
1230 : else
1231 1288 : ok++;
1232 : #endif /* CONFIG_IPV6 */
1233 :
1234 1288 : if (ok == 0)
1235 0 : return -1;
1236 :
1237 1288 : radius_change_server(radius, conf->auth_server, NULL,
1238 : radius->auth_serv_sock, radius->auth_serv_sock6,
1239 : 1);
1240 :
1241 2576 : if (radius->auth_serv_sock >= 0 &&
1242 1288 : eloop_register_read_sock(radius->auth_serv_sock,
1243 : radius_client_receive, radius,
1244 : (void *) RADIUS_AUTH)) {
1245 0 : wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for authentication server");
1246 0 : radius_close_auth_sockets(radius);
1247 0 : return -1;
1248 : }
1249 :
1250 : #ifdef CONFIG_IPV6
1251 2576 : if (radius->auth_serv_sock6 >= 0 &&
1252 1288 : eloop_register_read_sock(radius->auth_serv_sock6,
1253 : radius_client_receive, radius,
1254 : (void *) RADIUS_AUTH)) {
1255 0 : wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for authentication server");
1256 0 : radius_close_auth_sockets(radius);
1257 0 : return -1;
1258 : }
1259 : #endif /* CONFIG_IPV6 */
1260 :
1261 1288 : return 0;
1262 : }
1263 :
1264 :
1265 54 : static int radius_client_init_acct(struct radius_client_data *radius)
1266 : {
1267 54 : struct hostapd_radius_servers *conf = radius->conf;
1268 54 : int ok = 0;
1269 :
1270 54 : radius_close_acct_sockets(radius);
1271 :
1272 54 : radius->acct_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
1273 54 : if (radius->acct_serv_sock < 0)
1274 0 : wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET,SOCK_DGRAM]: %s",
1275 0 : strerror(errno));
1276 : else {
1277 54 : radius_client_disable_pmtu_discovery(radius->acct_serv_sock);
1278 54 : ok++;
1279 : }
1280 :
1281 : #ifdef CONFIG_IPV6
1282 54 : radius->acct_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
1283 54 : if (radius->acct_serv_sock6 < 0)
1284 0 : wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET6,SOCK_DGRAM]: %s",
1285 0 : strerror(errno));
1286 : else
1287 54 : ok++;
1288 : #endif /* CONFIG_IPV6 */
1289 :
1290 54 : if (ok == 0)
1291 0 : return -1;
1292 :
1293 54 : radius_change_server(radius, conf->acct_server, NULL,
1294 : radius->acct_serv_sock, radius->acct_serv_sock6,
1295 : 0);
1296 :
1297 108 : if (radius->acct_serv_sock >= 0 &&
1298 54 : eloop_register_read_sock(radius->acct_serv_sock,
1299 : radius_client_receive, radius,
1300 : (void *) RADIUS_ACCT)) {
1301 0 : wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for accounting server");
1302 0 : radius_close_acct_sockets(radius);
1303 0 : return -1;
1304 : }
1305 :
1306 : #ifdef CONFIG_IPV6
1307 108 : if (radius->acct_serv_sock6 >= 0 &&
1308 54 : eloop_register_read_sock(radius->acct_serv_sock6,
1309 : radius_client_receive, radius,
1310 : (void *) RADIUS_ACCT)) {
1311 0 : wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for accounting server");
1312 0 : radius_close_acct_sockets(radius);
1313 0 : return -1;
1314 : }
1315 : #endif /* CONFIG_IPV6 */
1316 :
1317 54 : return 0;
1318 : }
1319 :
1320 :
1321 : /**
1322 : * radius_client_init - Initialize RADIUS client
1323 : * @ctx: Callback context to be used in hostapd_logger() calls
1324 : * @conf: RADIUS client configuration (RADIUS servers)
1325 : * Returns: Pointer to private RADIUS client context or %NULL on failure
1326 : *
1327 : * The caller is responsible for keeping the configuration data available for
1328 : * the lifetime of the RADIUS client, i.e., until radius_client_deinit() is
1329 : * called for the returned context pointer.
1330 : */
1331 : struct radius_client_data *
1332 983 : radius_client_init(void *ctx, struct hostapd_radius_servers *conf)
1333 : {
1334 : struct radius_client_data *radius;
1335 :
1336 983 : radius = os_zalloc(sizeof(struct radius_client_data));
1337 983 : if (radius == NULL)
1338 0 : return NULL;
1339 :
1340 983 : radius->ctx = ctx;
1341 983 : radius->conf = conf;
1342 983 : radius->auth_serv_sock = radius->acct_serv_sock =
1343 983 : radius->auth_serv_sock6 = radius->acct_serv_sock6 =
1344 983 : radius->auth_sock = radius->acct_sock = -1;
1345 :
1346 983 : if (conf->auth_server && radius_client_init_auth(radius)) {
1347 0 : radius_client_deinit(radius);
1348 0 : return NULL;
1349 : }
1350 :
1351 983 : if (conf->acct_server && radius_client_init_acct(radius)) {
1352 0 : radius_client_deinit(radius);
1353 0 : return NULL;
1354 : }
1355 :
1356 983 : if (conf->retry_primary_interval)
1357 0 : eloop_register_timeout(conf->retry_primary_interval, 0,
1358 : radius_retry_primary_timer, radius,
1359 : NULL);
1360 :
1361 983 : return radius;
1362 : }
1363 :
1364 :
1365 : /**
1366 : * radius_client_deinit - Deinitialize RADIUS client
1367 : * @radius: RADIUS client context from radius_client_init()
1368 : */
1369 987 : void radius_client_deinit(struct radius_client_data *radius)
1370 : {
1371 987 : if (!radius)
1372 991 : return;
1373 :
1374 983 : radius_close_auth_sockets(radius);
1375 983 : radius_close_acct_sockets(radius);
1376 :
1377 983 : eloop_cancel_timeout(radius_retry_primary_timer, radius, NULL);
1378 :
1379 983 : radius_client_flush(radius, 0);
1380 983 : os_free(radius->auth_handlers);
1381 983 : os_free(radius->acct_handlers);
1382 983 : os_free(radius);
1383 : }
1384 :
1385 :
1386 : /**
1387 : * radius_client_flush_auth - Flush pending RADIUS messages for an address
1388 : * @radius: RADIUS client context from radius_client_init()
1389 : * @addr: MAC address of the related device
1390 : *
1391 : * This function can be used to remove pending RADIUS authentication messages
1392 : * that are related to a specific device. The addr parameter is matched with
1393 : * the one used in radius_client_send() call that was used to transmit the
1394 : * authentication request.
1395 : */
1396 1804 : void radius_client_flush_auth(struct radius_client_data *radius,
1397 : const u8 *addr)
1398 : {
1399 : struct radius_msg_list *entry, *prev, *tmp;
1400 :
1401 1804 : prev = NULL;
1402 1804 : entry = radius->msgs;
1403 4028 : while (entry) {
1404 432 : if (entry->msg_type == RADIUS_AUTH &&
1405 12 : os_memcmp(entry->addr, addr, ETH_ALEN) == 0) {
1406 11 : hostapd_logger(radius->ctx, addr,
1407 : HOSTAPD_MODULE_RADIUS,
1408 : HOSTAPD_LEVEL_DEBUG,
1409 : "Removing pending RADIUS authentication"
1410 : " message for removed client");
1411 :
1412 11 : if (prev)
1413 0 : prev->next = entry->next;
1414 : else
1415 11 : radius->msgs = entry->next;
1416 :
1417 11 : tmp = entry;
1418 11 : entry = entry->next;
1419 11 : radius_client_msg_free(tmp);
1420 11 : radius->num_msgs--;
1421 11 : continue;
1422 : }
1423 :
1424 409 : prev = entry;
1425 409 : entry = entry->next;
1426 : }
1427 1804 : }
1428 :
1429 :
1430 8 : static int radius_client_dump_auth_server(char *buf, size_t buflen,
1431 : struct hostapd_radius_server *serv,
1432 : struct radius_client_data *cli)
1433 : {
1434 8 : int pending = 0;
1435 : struct radius_msg_list *msg;
1436 : char abuf[50];
1437 :
1438 8 : if (cli) {
1439 20 : for (msg = cli->msgs; msg; msg = msg->next) {
1440 12 : if (msg->msg_type == RADIUS_AUTH)
1441 2 : pending++;
1442 : }
1443 : }
1444 :
1445 16 : return os_snprintf(buf, buflen,
1446 : "radiusAuthServerIndex=%d\n"
1447 : "radiusAuthServerAddress=%s\n"
1448 : "radiusAuthClientServerPortNumber=%d\n"
1449 : "radiusAuthClientRoundTripTime=%d\n"
1450 : "radiusAuthClientAccessRequests=%u\n"
1451 : "radiusAuthClientAccessRetransmissions=%u\n"
1452 : "radiusAuthClientAccessAccepts=%u\n"
1453 : "radiusAuthClientAccessRejects=%u\n"
1454 : "radiusAuthClientAccessChallenges=%u\n"
1455 : "radiusAuthClientMalformedAccessResponses=%u\n"
1456 : "radiusAuthClientBadAuthenticators=%u\n"
1457 : "radiusAuthClientPendingRequests=%u\n"
1458 : "radiusAuthClientTimeouts=%u\n"
1459 : "radiusAuthClientUnknownTypes=%u\n"
1460 : "radiusAuthClientPacketsDropped=%u\n",
1461 : serv->index,
1462 8 : hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
1463 : serv->port,
1464 : serv->round_trip_time,
1465 : serv->requests,
1466 : serv->retransmissions,
1467 : serv->access_accepts,
1468 : serv->access_rejects,
1469 : serv->access_challenges,
1470 : serv->malformed_responses,
1471 : serv->bad_authenticators,
1472 : pending,
1473 : serv->timeouts,
1474 : serv->unknown_types,
1475 : serv->packets_dropped);
1476 : }
1477 :
1478 :
1479 6 : static int radius_client_dump_acct_server(char *buf, size_t buflen,
1480 : struct hostapd_radius_server *serv,
1481 : struct radius_client_data *cli)
1482 : {
1483 6 : int pending = 0;
1484 : struct radius_msg_list *msg;
1485 : char abuf[50];
1486 :
1487 6 : if (cli) {
1488 16 : for (msg = cli->msgs; msg; msg = msg->next) {
1489 11 : if (msg->msg_type == RADIUS_ACCT ||
1490 1 : msg->msg_type == RADIUS_ACCT_INTERIM)
1491 10 : pending++;
1492 : }
1493 : }
1494 :
1495 12 : return os_snprintf(buf, buflen,
1496 : "radiusAccServerIndex=%d\n"
1497 : "radiusAccServerAddress=%s\n"
1498 : "radiusAccClientServerPortNumber=%d\n"
1499 : "radiusAccClientRoundTripTime=%d\n"
1500 : "radiusAccClientRequests=%u\n"
1501 : "radiusAccClientRetransmissions=%u\n"
1502 : "radiusAccClientResponses=%u\n"
1503 : "radiusAccClientMalformedResponses=%u\n"
1504 : "radiusAccClientBadAuthenticators=%u\n"
1505 : "radiusAccClientPendingRequests=%u\n"
1506 : "radiusAccClientTimeouts=%u\n"
1507 : "radiusAccClientUnknownTypes=%u\n"
1508 : "radiusAccClientPacketsDropped=%u\n",
1509 : serv->index,
1510 6 : hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
1511 : serv->port,
1512 : serv->round_trip_time,
1513 : serv->requests,
1514 : serv->retransmissions,
1515 : serv->responses,
1516 : serv->malformed_responses,
1517 : serv->bad_authenticators,
1518 : pending,
1519 : serv->timeouts,
1520 : serv->unknown_types,
1521 : serv->packets_dropped);
1522 : }
1523 :
1524 :
1525 : /**
1526 : * radius_client_get_mib - Get RADIUS client MIB information
1527 : * @radius: RADIUS client context from radius_client_init()
1528 : * @buf: Buffer for returning MIB data in text format
1529 : * @buflen: Maximum buf length in octets
1530 : * Returns: Number of octets written into the buffer
1531 : */
1532 8 : int radius_client_get_mib(struct radius_client_data *radius, char *buf,
1533 : size_t buflen)
1534 : {
1535 8 : struct hostapd_radius_servers *conf = radius->conf;
1536 : int i;
1537 : struct hostapd_radius_server *serv;
1538 8 : int count = 0;
1539 :
1540 8 : if (conf->auth_servers) {
1541 16 : for (i = 0; i < conf->num_auth_servers; i++) {
1542 8 : serv = &conf->auth_servers[i];
1543 8 : count += radius_client_dump_auth_server(
1544 : buf + count, buflen - count, serv,
1545 8 : serv == conf->auth_server ?
1546 : radius : NULL);
1547 : }
1548 : }
1549 :
1550 8 : if (conf->acct_servers) {
1551 12 : for (i = 0; i < conf->num_acct_servers; i++) {
1552 6 : serv = &conf->acct_servers[i];
1553 6 : count += radius_client_dump_acct_server(
1554 : buf + count, buflen - count, serv,
1555 6 : serv == conf->acct_server ?
1556 : radius : NULL);
1557 : }
1558 : }
1559 :
1560 8 : return count;
1561 : }
1562 :
1563 :
1564 18 : void radius_client_reconfig(struct radius_client_data *radius,
1565 : struct hostapd_radius_servers *conf)
1566 : {
1567 18 : if (radius)
1568 18 : radius->conf = conf;
1569 18 : }
|
