Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / 34c1202b3e71c63661a850aad81f663e40e48ca1 / . / src / radius / radius_client.c
blob: 34f568532a65a36d9598fa728efd14993b6c0c54 [file] [log] [blame]
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1/*
2 * RADIUS client
3 * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
4 *
Dmitry Shmidtc5ec7f52012-03-06 16:33:24 -0800[diff] [blame]5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "radius.h"
13#include "radius_client.h"
14#include "eloop.h"
15
16/* Defaults for RADIUS retransmit values (exponential backoff) */
17
18/**
19 * RADIUS_CLIENT_FIRST_WAIT - RADIUS client timeout for first retry in seconds
20 */
21#define RADIUS_CLIENT_FIRST_WAIT 3
22
23/**
24 * RADIUS_CLIENT_MAX_WAIT - RADIUS client maximum retry timeout in seconds
25 */
26#define RADIUS_CLIENT_MAX_WAIT 120
27
28/**
29 * RADIUS_CLIENT_MAX_RETRIES - RADIUS client maximum retries
30 *
31 * Maximum number of retransmit attempts before the entry is removed from
32 * retransmit list.
33 */
34#define RADIUS_CLIENT_MAX_RETRIES 10
35
36/**
37 * RADIUS_CLIENT_MAX_ENTRIES - RADIUS client maximum pending messages
38 *
39 * Maximum number of entries in retransmit list (oldest entries will be
40 * removed, if this limit is exceeded).
41 */
42#define RADIUS_CLIENT_MAX_ENTRIES 30
43
44/**
45 * RADIUS_CLIENT_NUM_FAILOVER - RADIUS client failover point
46 *
47 * The number of failed retry attempts after which the RADIUS server will be
48 * changed (if one of more backup servers are configured).
49 */
50#define RADIUS_CLIENT_NUM_FAILOVER 4
51
52
53/**
54 * struct radius_rx_handler - RADIUS client RX handler
55 *
56 * This data structure is used internally inside the RADIUS client module to
57 * store registered RX handlers. These handlers are registered by calls to
58 * radius_client_register() and unregistered when the RADIUS client is
59 * deinitialized with a call to radius_client_deinit().
60 */
61struct radius_rx_handler {
62 /**
63 * handler - Received RADIUS message handler
64 */
65 RadiusRxResult (*handler)(struct radius_msg *msg,
66 struct radius_msg *req,
67 const u8 *shared_secret,
68 size_t shared_secret_len,
69 void *data);
70
71 /**
72 * data - Context data for the handler
73 */
74 void *data;
75};
76
77
78/**
79 * struct radius_msg_list - RADIUS client message retransmit list
80 *
81 * This data structure is used internally inside the RADIUS client module to
82 * store pending RADIUS requests that may still need to be retransmitted.
83 */
84struct radius_msg_list {
85 /**
86 * addr - STA/client address
87 *
88 * This is used to find RADIUS messages for the same STA.
89 */
90 u8 addr[ETH_ALEN];
91
92 /**
93 * msg - RADIUS message
94 */
95 struct radius_msg *msg;
96
97 /**
98 * msg_type - Message type
99 */
100 RadiusType msg_type;
101
102 /**
103 * first_try - Time of the first transmission attempt
104 */
105 os_time_t first_try;
106
107 /**
108 * next_try - Time for the next transmission attempt
109 */
110 os_time_t next_try;
111
112 /**
113 * attempts - Number of transmission attempts
114 */
115 int attempts;
116
117 /**
118 * next_wait - Next retransmission wait time in seconds
119 */
120 int next_wait;
121
122 /**
123 * last_attempt - Time of the last transmission attempt
124 */
Dmitry Shmidtfb79edc2014-01-10 10:45:54 -0800[diff] [blame]125 struct os_reltime last_attempt;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]126
127 /**
128 * shared_secret - Shared secret with the target RADIUS server
129 */
130 const u8 *shared_secret;
131
132 /**
133 * shared_secret_len - shared_secret length in octets
134 */
135 size_t shared_secret_len;
136
137 /* TODO: server config with failover to backup server(s) */
138
139 /**
140 * next - Next message in the list
141 */
142 struct radius_msg_list *next;
143};
144
145
146/**
147 * struct radius_client_data - Internal RADIUS client data
148 *
149 * This data structure is used internally inside the RADIUS client module.
150 * External users allocate this by calling radius_client_init() and free it by
151 * calling radius_client_deinit(). The pointer to this opaque data is used in
152 * calls to other functions as an identifier for the RADIUS client instance.
153 */
154struct radius_client_data {
155 /**
156 * ctx - Context pointer for hostapd_logger() callbacks
157 */
158 void *ctx;
159
160 /**
161 * conf - RADIUS client configuration (list of RADIUS servers to use)
162 */
163 struct hostapd_radius_servers *conf;
164
165 /**
166 * auth_serv_sock - IPv4 socket for RADIUS authentication messages
167 */
168 int auth_serv_sock;
169
170 /**
171 * acct_serv_sock - IPv4 socket for RADIUS accounting messages
172 */
173 int acct_serv_sock;
174
175 /**
176 * auth_serv_sock6 - IPv6 socket for RADIUS authentication messages
177 */
178 int auth_serv_sock6;
179
180 /**
181 * acct_serv_sock6 - IPv6 socket for RADIUS accounting messages
182 */
183 int acct_serv_sock6;
184
185 /**
186 * auth_sock - Currently used socket for RADIUS authentication server
187 */
188 int auth_sock;
189
190 /**
191 * acct_sock - Currently used socket for RADIUS accounting server
192 */
193 int acct_sock;
194
195 /**
196 * auth_handlers - Authentication message handlers
197 */
198 struct radius_rx_handler *auth_handlers;
199
200 /**
201 * num_auth_handlers - Number of handlers in auth_handlers
202 */
203 size_t num_auth_handlers;
204
205 /**
206 * acct_handlers - Accounting message handlers
207 */
208 struct radius_rx_handler *acct_handlers;
209
210 /**
211 * num_acct_handlers - Number of handlers in acct_handlers
212 */
213 size_t num_acct_handlers;
214
215 /**
216 * msgs - Pending outgoing RADIUS messages
217 */
218 struct radius_msg_list *msgs;
219
220 /**
221 * num_msgs - Number of pending messages in the msgs list
222 */
223 size_t num_msgs;
224
225 /**
226 * next_radius_identifier - Next RADIUS message identifier to use
227 */
228 u8 next_radius_identifier;
229};
230
231
232static int
233radius_change_server(struct radius_client_data *radius,
234 struct hostapd_radius_server *nserv,
235 struct hostapd_radius_server *oserv,
236 int sock, int sock6, int auth);
237static int radius_client_init_acct(struct radius_client_data *radius);
238static int radius_client_init_auth(struct radius_client_data *radius);
239
240
241static void radius_client_msg_free(struct radius_msg_list *req)
242{
243 radius_msg_free(req->msg);
244 os_free(req);
245}
246
247
248/**
249 * radius_client_register - Register a RADIUS client RX handler
250 * @radius: RADIUS client context from radius_client_init()
251 * @msg_type: RADIUS client type (RADIUS_AUTH or RADIUS_ACCT)
252 * @handler: Handler for received RADIUS messages
253 * @data: Context pointer for handler callbacks
254 * Returns: 0 on success, -1 on failure
255 *
256 * This function is used to register a handler for processing received RADIUS
257 * authentication and accounting messages. The handler() callback function will
258 * be called whenever a RADIUS message is received from the active server.
259 *
260 * There can be multiple registered RADIUS message handlers. The handlers will
261 * be called in order until one of them indicates that it has processed or
262 * queued the message.
263 */
264int radius_client_register(struct radius_client_data *radius,
265 RadiusType msg_type,
266 RadiusRxResult (*handler)(struct radius_msg *msg,
267 struct radius_msg *req,
268 const u8 *shared_secret,
269 size_t shared_secret_len,
270 void *data),
271 void *data)
272{
273 struct radius_rx_handler **handlers, *newh;
274 size_t *num;
275
276 if (msg_type == RADIUS_ACCT) {
277 handlers = &radius->acct_handlers;
278 num = &radius->num_acct_handlers;
279 } else {
280 handlers = &radius->auth_handlers;
281 num = &radius->num_auth_handlers;
282 }
283
Dmitry Shmidt61d9df32012-08-29 16:22:06 -0700[diff] [blame]284 newh = os_realloc_array(*handlers, *num + 1,
285 sizeof(struct radius_rx_handler));
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]286 if (newh == NULL)
287 return -1;
288
289 newh[*num].handler = handler;
290 newh[*num].data = data;
291 (*num)++;
292 *handlers = newh;
293
294 return 0;
295}
296
297
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]298/*
299 * Returns >0 if message queue was flushed (i.e., the message that triggered
300 * the error is not available anymore)
301 */
302static int radius_client_handle_send_error(struct radius_client_data *radius,
303 int s, RadiusType msg_type)
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]304{
305#ifndef CONFIG_NATIVE_WINDOWS
306 int _errno = errno;
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]307 wpa_printf(MSG_INFO, "send[RADIUS]: %s", strerror(errno));
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]308 if (_errno == ENOTCONN || _errno == EDESTADDRREQ || _errno == EINVAL ||
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]309 _errno == EBADF || _errno == ENETUNREACH) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]310 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
311 HOSTAPD_LEVEL_INFO,
312 "Send failed - maybe interface status changed -"
313 " try to connect again");
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]314 if (msg_type == RADIUS_ACCT ||
315 msg_type == RADIUS_ACCT_INTERIM) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]316 radius_client_init_acct(radius);
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]317 return 0;
318 } else {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]319 radius_client_init_auth(radius);
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]320 return 1;
321 }
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]322 }
323#endif /* CONFIG_NATIVE_WINDOWS */
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]324
325 return 0;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]326}
327
328
329static int radius_client_retransmit(struct radius_client_data *radius,
330 struct radius_msg_list *entry,
331 os_time_t now)
332{
333 struct hostapd_radius_servers *conf = radius->conf;
334 int s;
335 struct wpabuf *buf;
336
337 if (entry->msg_type == RADIUS_ACCT ||
338 entry->msg_type == RADIUS_ACCT_INTERIM) {
339 s = radius->acct_sock;
340 if (entry->attempts == 0)
341 conf->acct_server->requests++;
342 else {
343 conf->acct_server->timeouts++;
344 conf->acct_server->retransmissions++;
345 }
346 } else {
347 s = radius->auth_sock;
348 if (entry->attempts == 0)
349 conf->auth_server->requests++;
350 else {
351 conf->auth_server->timeouts++;
352 conf->auth_server->retransmissions++;
353 }
354 }
355
356 /* retransmit; remove entry if too many attempts */
357 entry->attempts++;
358 hostapd_logger(radius->ctx, entry->addr, HOSTAPD_MODULE_RADIUS,
359 HOSTAPD_LEVEL_DEBUG, "Resending RADIUS message (id=%d)",
360 radius_msg_get_hdr(entry->msg)->identifier);
361
Dmitry Shmidtfb79edc2014-01-10 10:45:54 -0800[diff] [blame]362 os_get_reltime(&entry->last_attempt);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]363 buf = radius_msg_get_buf(entry->msg);
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]364 if (send(s, wpabuf_head(buf), wpabuf_len(buf), 0) < 0) {
365 if (radius_client_handle_send_error(radius, s, entry->msg_type)
366 > 0)
367 return 0;
368 }
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]369
370 entry->next_try = now + entry->next_wait;
371 entry->next_wait *= 2;
372 if (entry->next_wait > RADIUS_CLIENT_MAX_WAIT)
373 entry->next_wait = RADIUS_CLIENT_MAX_WAIT;
374 if (entry->attempts >= RADIUS_CLIENT_MAX_RETRIES) {
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]375 wpa_printf(MSG_INFO, "RADIUS: Removing un-ACKed message due to too many failed retransmit attempts");
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]376 return 1;
377 }
378
379 return 0;
380}
381
382
383static void radius_client_timer(void *eloop_ctx, void *timeout_ctx)
384{
385 struct radius_client_data *radius = eloop_ctx;
386 struct hostapd_radius_servers *conf = radius->conf;
Dmitry Shmidtfb79edc2014-01-10 10:45:54 -0800[diff] [blame]387 struct os_reltime now;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]388 os_time_t first;
389 struct radius_msg_list *entry, *prev, *tmp;
390 int auth_failover = 0, acct_failover = 0;
391 char abuf[50];
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]392 size_t prev_num_msgs;
393 int s;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]394
395 entry = radius->msgs;
396 if (!entry)
397 return;
398
Dmitry Shmidtfb79edc2014-01-10 10:45:54 -0800[diff] [blame]399 os_get_reltime(&now);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]400 first = 0;
401
402 prev = NULL;
403 while (entry) {
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]404 prev_num_msgs = radius->num_msgs;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]405 if (now.sec >= entry->next_try &&
406 radius_client_retransmit(radius, entry, now.sec)) {
407 if (prev)
408 prev->next = entry->next;
409 else
410 radius->msgs = entry->next;
411
412 tmp = entry;
413 entry = entry->next;
414 radius_client_msg_free(tmp);
415 radius->num_msgs--;
416 continue;
417 }
418
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]419 if (prev_num_msgs != radius->num_msgs) {
420 wpa_printf(MSG_DEBUG,
421 "RADIUS: Message removed from queue - restart from beginning");
422 entry = radius->msgs;
423 prev = NULL;
424 continue;
425 }
426
427 s = entry->msg_type == RADIUS_AUTH ? radius->auth_sock :
428 radius->acct_sock;
429 if (entry->attempts > RADIUS_CLIENT_NUM_FAILOVER ||
430 (s < 0 && entry->attempts > 0)) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]431 if (entry->msg_type == RADIUS_ACCT ||
432 entry->msg_type == RADIUS_ACCT_INTERIM)
433 acct_failover++;
434 else
435 auth_failover++;
436 }
437
438 if (first == 0 || entry->next_try < first)
439 first = entry->next_try;
440
441 prev = entry;
442 entry = entry->next;
443 }
444
445 if (radius->msgs) {
446 if (first < now.sec)
447 first = now.sec;
448 eloop_register_timeout(first - now.sec, 0,
449 radius_client_timer, radius, NULL);
450 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
451 HOSTAPD_LEVEL_DEBUG, "Next RADIUS client "
452 "retransmit in %ld seconds",
453 (long int) (first - now.sec));
454 }
455
456 if (auth_failover && conf->num_auth_servers > 1) {
457 struct hostapd_radius_server *next, *old;
458 old = conf->auth_server;
459 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
460 HOSTAPD_LEVEL_NOTICE,
461 "No response from Authentication server "
462 "%s:%d - failover",
463 hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
464 old->port);
465
466 for (entry = radius->msgs; entry; entry = entry->next) {
467 if (entry->msg_type == RADIUS_AUTH)
468 old->timeouts++;
469 }
470
471 next = old + 1;
472 if (next > &(conf->auth_servers[conf->num_auth_servers - 1]))
473 next = conf->auth_servers;
474 conf->auth_server = next;
475 radius_change_server(radius, next, old,
476 radius->auth_serv_sock,
477 radius->auth_serv_sock6, 1);
478 }
479
480 if (acct_failover && conf->num_acct_servers > 1) {
481 struct hostapd_radius_server *next, *old;
482 old = conf->acct_server;
483 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
484 HOSTAPD_LEVEL_NOTICE,
485 "No response from Accounting server "
486 "%s:%d - failover",
487 hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
488 old->port);
489
490 for (entry = radius->msgs; entry; entry = entry->next) {
491 if (entry->msg_type == RADIUS_ACCT ||
492 entry->msg_type == RADIUS_ACCT_INTERIM)
493 old->timeouts++;
494 }
495
496 next = old + 1;
497 if (next > &conf->acct_servers[conf->num_acct_servers - 1])
498 next = conf->acct_servers;
499 conf->acct_server = next;
500 radius_change_server(radius, next, old,
501 radius->acct_serv_sock,
502 radius->acct_serv_sock6, 0);
503 }
504}
505
506
507static void radius_client_update_timeout(struct radius_client_data *radius)
508{
Dmitry Shmidtfb79edc2014-01-10 10:45:54 -0800[diff] [blame]509 struct os_reltime now;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]510 os_time_t first;
511 struct radius_msg_list *entry;
512
513 eloop_cancel_timeout(radius_client_timer, radius, NULL);
514
515 if (radius->msgs == NULL) {
516 return;
517 }
518
519 first = 0;
520 for (entry = radius->msgs; entry; entry = entry->next) {
521 if (first == 0 || entry->next_try < first)
522 first = entry->next_try;
523 }
524
Dmitry Shmidtfb79edc2014-01-10 10:45:54 -0800[diff] [blame]525 os_get_reltime(&now);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]526 if (first < now.sec)
527 first = now.sec;
528 eloop_register_timeout(first - now.sec, 0, radius_client_timer, radius,
529 NULL);
530 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
531 HOSTAPD_LEVEL_DEBUG, "Next RADIUS client retransmit in"
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]532 " %ld seconds", (long int) (first - now.sec));
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]533}
534
535
536static void radius_client_list_add(struct radius_client_data *radius,
537 struct radius_msg *msg,
538 RadiusType msg_type,
539 const u8 *shared_secret,
540 size_t shared_secret_len, const u8 *addr)
541{
542 struct radius_msg_list *entry, *prev;
543
544 if (eloop_terminated()) {
545 /* No point in adding entries to retransmit queue since event
546 * loop has already been terminated. */
547 radius_msg_free(msg);
548 return;
549 }
550
551 entry = os_zalloc(sizeof(*entry));
552 if (entry == NULL) {
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]553 wpa_printf(MSG_INFO, "RADIUS: Failed to add packet into retransmit list");
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]554 radius_msg_free(msg);
555 return;
556 }
557
558 if (addr)
559 os_memcpy(entry->addr, addr, ETH_ALEN);
560 entry->msg = msg;
561 entry->msg_type = msg_type;
562 entry->shared_secret = shared_secret;
563 entry->shared_secret_len = shared_secret_len;
Dmitry Shmidtfb79edc2014-01-10 10:45:54 -0800[diff] [blame]564 os_get_reltime(&entry->last_attempt);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]565 entry->first_try = entry->last_attempt.sec;
566 entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
567 entry->attempts = 1;
568 entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
569 entry->next = radius->msgs;
570 radius->msgs = entry;
571 radius_client_update_timeout(radius);
572
573 if (radius->num_msgs >= RADIUS_CLIENT_MAX_ENTRIES) {
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]574 wpa_printf(MSG_INFO, "RADIUS: Removing the oldest un-ACKed packet due to retransmit list limits");
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]575 prev = NULL;
576 while (entry->next) {
577 prev = entry;
578 entry = entry->next;
579 }
580 if (prev) {
581 prev->next = NULL;
582 radius_client_msg_free(entry);
583 }
584 } else
585 radius->num_msgs++;
586}
587
588
589static void radius_client_list_del(struct radius_client_data *radius,
590 RadiusType msg_type, const u8 *addr)
591{
592 struct radius_msg_list *entry, *prev, *tmp;
593
594 if (addr == NULL)
595 return;
596
597 entry = radius->msgs;
598 prev = NULL;
599 while (entry) {
600 if (entry->msg_type == msg_type &&
601 os_memcmp(entry->addr, addr, ETH_ALEN) == 0) {
602 if (prev)
603 prev->next = entry->next;
604 else
605 radius->msgs = entry->next;
606 tmp = entry;
607 entry = entry->next;
608 hostapd_logger(radius->ctx, addr,
609 HOSTAPD_MODULE_RADIUS,
610 HOSTAPD_LEVEL_DEBUG,
611 "Removing matching RADIUS message");
612 radius_client_msg_free(tmp);
613 radius->num_msgs--;
614 continue;
615 }
616 prev = entry;
617 entry = entry->next;
618 }
619}
620
621
622/**
623 * radius_client_send - Send a RADIUS request
624 * @radius: RADIUS client context from radius_client_init()
625 * @msg: RADIUS message to be sent
626 * @msg_type: Message type (RADIUS_AUTH, RADIUS_ACCT, RADIUS_ACCT_INTERIM)
627 * @addr: MAC address of the device related to this message or %NULL
628 * Returns: 0 on success, -1 on failure
629 *
630 * This function is used to transmit a RADIUS authentication (RADIUS_AUTH) or
631 * accounting request (RADIUS_ACCT or RADIUS_ACCT_INTERIM). The only difference
632 * between accounting and interim accounting messages is that the interim
633 * message will override any pending interim accounting updates while a new
634 * accounting message does not remove any pending messages.
635 *
636 * The message is added on the retransmission queue and will be retransmitted
637 * automatically until a response is received or maximum number of retries
638 * (RADIUS_CLIENT_MAX_RETRIES) is reached.
639 *
640 * The related device MAC address can be used to identify pending messages that
641 * can be removed with radius_client_flush_auth() or with interim accounting
642 * updates.
643 */
644int radius_client_send(struct radius_client_data *radius,
645 struct radius_msg *msg, RadiusType msg_type,
646 const u8 *addr)
647{
648 struct hostapd_radius_servers *conf = radius->conf;
649 const u8 *shared_secret;
650 size_t shared_secret_len;
651 char *name;
652 int s, res;
653 struct wpabuf *buf;
654
655 if (msg_type == RADIUS_ACCT_INTERIM) {
656 /* Remove any pending interim acct update for the same STA. */
657 radius_client_list_del(radius, msg_type, addr);
658 }
659
660 if (msg_type == RADIUS_ACCT || msg_type == RADIUS_ACCT_INTERIM) {
Dmitry Shmidt2f74e362015-01-21 13:19:05 -0800[diff] [blame]661 if (conf->acct_server == NULL || radius->acct_sock < 0 ||
662 conf->acct_server->shared_secret == NULL) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]663 hostapd_logger(radius->ctx, NULL,
664 HOSTAPD_MODULE_RADIUS,
665 HOSTAPD_LEVEL_INFO,
666 "No accounting server configured");
667 return -1;
668 }
669 shared_secret = conf->acct_server->shared_secret;
670 shared_secret_len = conf->acct_server->shared_secret_len;
671 radius_msg_finish_acct(msg, shared_secret, shared_secret_len);
672 name = "accounting";
673 s = radius->acct_sock;
674 conf->acct_server->requests++;
675 } else {
Dmitry Shmidt2f74e362015-01-21 13:19:05 -0800[diff] [blame]676 if (conf->auth_server == NULL || radius->auth_sock < 0 ||
677 conf->auth_server->shared_secret == NULL) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]678 hostapd_logger(radius->ctx, NULL,
679 HOSTAPD_MODULE_RADIUS,
680 HOSTAPD_LEVEL_INFO,
681 "No authentication server configured");
682 return -1;
683 }
684 shared_secret = conf->auth_server->shared_secret;
685 shared_secret_len = conf->auth_server->shared_secret_len;
686 radius_msg_finish(msg, shared_secret, shared_secret_len);
687 name = "authentication";
688 s = radius->auth_sock;
689 conf->auth_server->requests++;
690 }
691
692 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
693 HOSTAPD_LEVEL_DEBUG, "Sending RADIUS message to %s "
694 "server", name);
695 if (conf->msg_dumps)
696 radius_msg_dump(msg);
697
698 buf = radius_msg_get_buf(msg);
699 res = send(s, wpabuf_head(buf), wpabuf_len(buf), 0);
700 if (res < 0)
701 radius_client_handle_send_error(radius, s, msg_type);
702
703 radius_client_list_add(radius, msg, msg_type, shared_secret,
704 shared_secret_len, addr);
705
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]706 return 0;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]707}
708
709
710static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
711{
712 struct radius_client_data *radius = eloop_ctx;
713 struct hostapd_radius_servers *conf = radius->conf;
714 RadiusType msg_type = (RadiusType) sock_ctx;
715 int len, roundtrip;
716 unsigned char buf[3000];
717 struct radius_msg *msg;
718 struct radius_hdr *hdr;
719 struct radius_rx_handler *handlers;
720 size_t num_handlers, i;
721 struct radius_msg_list *req, *prev_req;
Dmitry Shmidtfb79edc2014-01-10 10:45:54 -0800[diff] [blame]722 struct os_reltime now;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]723 struct hostapd_radius_server *rconf;
724 int invalid_authenticator = 0;
725
726 if (msg_type == RADIUS_ACCT) {
727 handlers = radius->acct_handlers;
728 num_handlers = radius->num_acct_handlers;
729 rconf = conf->acct_server;
730 } else {
731 handlers = radius->auth_handlers;
732 num_handlers = radius->num_auth_handlers;
733 rconf = conf->auth_server;
734 }
735
736 len = recv(sock, buf, sizeof(buf), MSG_DONTWAIT);
737 if (len < 0) {
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]738 wpa_printf(MSG_INFO, "recv[RADIUS]: %s", strerror(errno));
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]739 return;
740 }
741 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
742 HOSTAPD_LEVEL_DEBUG, "Received %d bytes from RADIUS "
743 "server", len);
744 if (len == sizeof(buf)) {
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]745 wpa_printf(MSG_INFO, "RADIUS: Possibly too long UDP frame for our buffer - dropping it");
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]746 return;
747 }
748
749 msg = radius_msg_parse(buf, len);
750 if (msg == NULL) {
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]751 wpa_printf(MSG_INFO, "RADIUS: Parsing incoming frame failed");
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]752 rconf->malformed_responses++;
753 return;
754 }
755 hdr = radius_msg_get_hdr(msg);
756
757 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
758 HOSTAPD_LEVEL_DEBUG, "Received RADIUS message");
759 if (conf->msg_dumps)
760 radius_msg_dump(msg);
761
762 switch (hdr->code) {
763 case RADIUS_CODE_ACCESS_ACCEPT:
764 rconf->access_accepts++;
765 break;
766 case RADIUS_CODE_ACCESS_REJECT:
767 rconf->access_rejects++;
768 break;
769 case RADIUS_CODE_ACCESS_CHALLENGE:
770 rconf->access_challenges++;
771 break;
772 case RADIUS_CODE_ACCOUNTING_RESPONSE:
773 rconf->responses++;
774 break;
775 }
776
777 prev_req = NULL;
778 req = radius->msgs;
779 while (req) {
780 /* TODO: also match by src addr:port of the packet when using
781 * alternative RADIUS servers (?) */
782 if ((req->msg_type == msg_type ||
783 (req->msg_type == RADIUS_ACCT_INTERIM &&
784 msg_type == RADIUS_ACCT)) &&
785 radius_msg_get_hdr(req->msg)->identifier ==
786 hdr->identifier)
787 break;
788
789 prev_req = req;
790 req = req->next;
791 }
792
793 if (req == NULL) {
794 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
795 HOSTAPD_LEVEL_DEBUG,
796 "No matching RADIUS request found (type=%d "
797 "id=%d) - dropping packet",
798 msg_type, hdr->identifier);
799 goto fail;
800 }
801
Dmitry Shmidtfb79edc2014-01-10 10:45:54 -0800[diff] [blame]802 os_get_reltime(&now);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]803 roundtrip = (now.sec - req->last_attempt.sec) * 100 +
804 (now.usec - req->last_attempt.usec) / 10000;
805 hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
806 HOSTAPD_LEVEL_DEBUG,
807 "Received RADIUS packet matched with a pending "
808 "request, round trip time %d.%02d sec",
809 roundtrip / 100, roundtrip % 100);
810 rconf->round_trip_time = roundtrip;
811
812 /* Remove ACKed RADIUS packet from retransmit list */
813 if (prev_req)
814 prev_req->next = req->next;
815 else
816 radius->msgs = req->next;
817 radius->num_msgs--;
818
819 for (i = 0; i < num_handlers; i++) {
820 RadiusRxResult res;
821 res = handlers[i].handler(msg, req->msg, req->shared_secret,
822 req->shared_secret_len,
823 handlers[i].data);
824 switch (res) {
825 case RADIUS_RX_PROCESSED:
826 radius_msg_free(msg);
827 /* continue */
828 case RADIUS_RX_QUEUED:
829 radius_client_msg_free(req);
830 return;
831 case RADIUS_RX_INVALID_AUTHENTICATOR:
832 invalid_authenticator++;
833 /* continue */
834 case RADIUS_RX_UNKNOWN:
835 /* continue with next handler */
836 break;
837 }
838 }
839
840 if (invalid_authenticator)
841 rconf->bad_authenticators++;
842 else
843 rconf->unknown_types++;
844 hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
845 HOSTAPD_LEVEL_DEBUG, "No RADIUS RX handler found "
846 "(type=%d code=%d id=%d)%s - dropping packet",
847 msg_type, hdr->code, hdr->identifier,
848 invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
849 "");
850 radius_client_msg_free(req);
851
852 fail:
853 radius_msg_free(msg);
854}
855
856
857/**
858 * radius_client_get_id - Get an identifier for a new RADIUS message
859 * @radius: RADIUS client context from radius_client_init()
860 * Returns: Allocated identifier
861 *
862 * This function is used to fetch a unique (among pending requests) identifier
863 * for a new RADIUS message.
864 */
865u8 radius_client_get_id(struct radius_client_data *radius)
866{
867 struct radius_msg_list *entry, *prev, *_remove;
868 u8 id = radius->next_radius_identifier++;
869
870 /* remove entries with matching id from retransmit list to avoid
871 * using new reply from the RADIUS server with an old request */
872 entry = radius->msgs;
873 prev = NULL;
874 while (entry) {
875 if (radius_msg_get_hdr(entry->msg)->identifier == id) {
876 hostapd_logger(radius->ctx, entry->addr,
877 HOSTAPD_MODULE_RADIUS,
878 HOSTAPD_LEVEL_DEBUG,
879 "Removing pending RADIUS message, "
880 "since its id (%d) is reused", id);
881 if (prev)
882 prev->next = entry->next;
883 else
884 radius->msgs = entry->next;
885 _remove = entry;
886 } else {
887 _remove = NULL;
888 prev = entry;
889 }
890 entry = entry->next;
891
892 if (_remove)
893 radius_client_msg_free(_remove);
894 }
895
896 return id;
897}
898
899
900/**
901 * radius_client_flush - Flush all pending RADIUS client messages
902 * @radius: RADIUS client context from radius_client_init()
903 * @only_auth: Whether only authentication messages are removed
904 */
905void radius_client_flush(struct radius_client_data *radius, int only_auth)
906{
907 struct radius_msg_list *entry, *prev, *tmp;
908
909 if (!radius)
910 return;
911
912 prev = NULL;
913 entry = radius->msgs;
914
915 while (entry) {
916 if (!only_auth || entry->msg_type == RADIUS_AUTH) {
917 if (prev)
918 prev->next = entry->next;
919 else
920 radius->msgs = entry->next;
921
922 tmp = entry;
923 entry = entry->next;
924 radius_client_msg_free(tmp);
925 radius->num_msgs--;
926 } else {
927 prev = entry;
928 entry = entry->next;
929 }
930 }
931
932 if (radius->msgs == NULL)
933 eloop_cancel_timeout(radius_client_timer, radius, NULL);
934}
935
936
937static void radius_client_update_acct_msgs(struct radius_client_data *radius,
938 const u8 *shared_secret,
939 size_t shared_secret_len)
940{
941 struct radius_msg_list *entry;
942
943 if (!radius)
944 return;
945
946 for (entry = radius->msgs; entry; entry = entry->next) {
947 if (entry->msg_type == RADIUS_ACCT) {
948 entry->shared_secret = shared_secret;
949 entry->shared_secret_len = shared_secret_len;
950 radius_msg_finish_acct(entry->msg, shared_secret,
951 shared_secret_len);
952 }
953 }
954}
955
956
957static int
958radius_change_server(struct radius_client_data *radius,
959 struct hostapd_radius_server *nserv,
960 struct hostapd_radius_server *oserv,
961 int sock, int sock6, int auth)
962{
963 struct sockaddr_in serv, claddr;
964#ifdef CONFIG_IPV6
965 struct sockaddr_in6 serv6, claddr6;
966#endif /* CONFIG_IPV6 */
967 struct sockaddr *addr, *cl_addr;
968 socklen_t addrlen, claddrlen;
969 char abuf[50];
970 int sel_sock;
971 struct radius_msg_list *entry;
972 struct hostapd_radius_servers *conf = radius->conf;
973
974 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
975 HOSTAPD_LEVEL_INFO,
976 "%s server %s:%d",
977 auth ? "Authentication" : "Accounting",
978 hostapd_ip_txt(&nserv->addr, abuf, sizeof(abuf)),
979 nserv->port);
980
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]981 if (oserv && oserv != nserv &&
982 (nserv->shared_secret_len != oserv->shared_secret_len ||
983 os_memcmp(nserv->shared_secret, oserv->shared_secret,
984 nserv->shared_secret_len) != 0)) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]985 /* Pending RADIUS packets used different shared secret, so
986 * they need to be modified. Update accounting message
987 * authenticators here. Authentication messages are removed
988 * since they would require more changes and the new RADIUS
989 * server may not be prepared to receive them anyway due to
990 * missing state information. Client will likely retry
991 * authentication, so this should not be an issue. */
992 if (auth)
993 radius_client_flush(radius, 1);
994 else {
995 radius_client_update_acct_msgs(
996 radius, nserv->shared_secret,
997 nserv->shared_secret_len);
998 }
999 }
1000
1001 /* Reset retry counters for the new server */
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]1002 for (entry = radius->msgs; oserv && oserv != nserv && entry;
1003 entry = entry->next) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1004 if ((auth && entry->msg_type != RADIUS_AUTH) ||
1005 (!auth && entry->msg_type != RADIUS_ACCT))
1006 continue;
1007 entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
1008 entry->attempts = 0;
1009 entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
1010 }
1011
1012 if (radius->msgs) {
1013 eloop_cancel_timeout(radius_client_timer, radius, NULL);
1014 eloop_register_timeout(RADIUS_CLIENT_FIRST_WAIT, 0,
1015 radius_client_timer, radius, NULL);
1016 }
1017
1018 switch (nserv->addr.af) {
1019 case AF_INET:
1020 os_memset(&serv, 0, sizeof(serv));
1021 serv.sin_family = AF_INET;
1022 serv.sin_addr.s_addr = nserv->addr.u.v4.s_addr;
1023 serv.sin_port = htons(nserv->port);
1024 addr = (struct sockaddr *) &serv;
1025 addrlen = sizeof(serv);
1026 sel_sock = sock;
1027 break;
1028#ifdef CONFIG_IPV6
1029 case AF_INET6:
1030 os_memset(&serv6, 0, sizeof(serv6));
1031 serv6.sin6_family = AF_INET6;
1032 os_memcpy(&serv6.sin6_addr, &nserv->addr.u.v6,
1033 sizeof(struct in6_addr));
1034 serv6.sin6_port = htons(nserv->port);
1035 addr = (struct sockaddr *) &serv6;
1036 addrlen = sizeof(serv6);
1037 sel_sock = sock6;
1038 break;
1039#endif /* CONFIG_IPV6 */
1040 default:
1041 return -1;
1042 }
1043
Dmitry Shmidt6c0da2b2015-01-05 13:08:17 -0800[diff] [blame]1044 if (sel_sock < 0) {
1045 wpa_printf(MSG_INFO,
1046 "RADIUS: No server socket available (af=%d sock=%d sock6=%d auth=%d",
1047 nserv->addr.af, sock, sock6, auth);
1048 return -1;
1049 }
1050
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1051 if (conf->force_client_addr) {
1052 switch (conf->client_addr.af) {
1053 case AF_INET:
1054 os_memset(&claddr, 0, sizeof(claddr));
1055 claddr.sin_family = AF_INET;
1056 claddr.sin_addr.s_addr = conf->client_addr.u.v4.s_addr;
1057 claddr.sin_port = htons(0);
1058 cl_addr = (struct sockaddr *) &claddr;
1059 claddrlen = sizeof(claddr);
1060 break;
1061#ifdef CONFIG_IPV6
1062 case AF_INET6:
1063 os_memset(&claddr6, 0, sizeof(claddr6));
1064 claddr6.sin6_family = AF_INET6;
1065 os_memcpy(&claddr6.sin6_addr, &conf->client_addr.u.v6,
1066 sizeof(struct in6_addr));
1067 claddr6.sin6_port = htons(0);
1068 cl_addr = (struct sockaddr *) &claddr6;
1069 claddrlen = sizeof(claddr6);
1070 break;
1071#endif /* CONFIG_IPV6 */
1072 default:
1073 return -1;
1074 }
1075
1076 if (bind(sel_sock, cl_addr, claddrlen) < 0) {
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]1077 wpa_printf(MSG_INFO, "bind[radius]: %s",
1078 strerror(errno));
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1079 return -1;
1080 }
1081 }
1082
1083 if (connect(sel_sock, addr, addrlen) < 0) {
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]1084 wpa_printf(MSG_INFO, "connect[radius]: %s", strerror(errno));
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1085 return -1;
1086 }
1087
1088#ifndef CONFIG_NATIVE_WINDOWS
1089 switch (nserv->addr.af) {
1090 case AF_INET:
1091 claddrlen = sizeof(claddr);
Dmitry Shmidt661b4f72014-09-29 14:58:27 -0700[diff] [blame]1092 if (getsockname(sel_sock, (struct sockaddr *) &claddr,
1093 &claddrlen) == 0) {
1094 wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
1095 inet_ntoa(claddr.sin_addr),
1096 ntohs(claddr.sin_port));
1097 }
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1098 break;
1099#ifdef CONFIG_IPV6
1100 case AF_INET6: {
1101 claddrlen = sizeof(claddr6);
Dmitry Shmidt661b4f72014-09-29 14:58:27 -0700[diff] [blame]1102 if (getsockname(sel_sock, (struct sockaddr *) &claddr6,
1103 &claddrlen) == 0) {
1104 wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
1105 inet_ntop(AF_INET6, &claddr6.sin6_addr,
1106 abuf, sizeof(abuf)),
1107 ntohs(claddr6.sin6_port));
1108 }
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1109 break;
1110 }
1111#endif /* CONFIG_IPV6 */
1112 }
1113#endif /* CONFIG_NATIVE_WINDOWS */
1114
1115 if (auth)
1116 radius->auth_sock = sel_sock;
1117 else
1118 radius->acct_sock = sel_sock;
1119
1120 return 0;
1121}
1122
1123
1124static void radius_retry_primary_timer(void *eloop_ctx, void *timeout_ctx)
1125{
1126 struct radius_client_data *radius = eloop_ctx;
1127 struct hostapd_radius_servers *conf = radius->conf;
1128 struct hostapd_radius_server *oserv;
1129
1130 if (radius->auth_sock >= 0 && conf->auth_servers &&
1131 conf->auth_server != conf->auth_servers) {
1132 oserv = conf->auth_server;
1133 conf->auth_server = conf->auth_servers;
1134 radius_change_server(radius, conf->auth_server, oserv,
1135 radius->auth_serv_sock,
1136 radius->auth_serv_sock6, 1);
1137 }
1138
1139 if (radius->acct_sock >= 0 && conf->acct_servers &&
1140 conf->acct_server != conf->acct_servers) {
1141 oserv = conf->acct_server;
1142 conf->acct_server = conf->acct_servers;
1143 radius_change_server(radius, conf->acct_server, oserv,
1144 radius->acct_serv_sock,
1145 radius->acct_serv_sock6, 0);
1146 }
1147
1148 if (conf->retry_primary_interval)
1149 eloop_register_timeout(conf->retry_primary_interval, 0,
1150 radius_retry_primary_timer, radius,
1151 NULL);
1152}
1153
1154
1155static int radius_client_disable_pmtu_discovery(int s)
1156{
1157 int r = -1;
1158#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
1159 /* Turn off Path MTU discovery on IPv4/UDP sockets. */
1160 int action = IP_PMTUDISC_DONT;
1161 r = setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, &action,
1162 sizeof(action));
1163 if (r == -1)
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]1164 wpa_printf(MSG_ERROR, "RADIUS: Failed to set IP_MTU_DISCOVER: %s",
1165 strerror(errno));
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1166#endif
1167 return r;
1168}
1169
1170
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]1171static void radius_close_auth_sockets(struct radius_client_data *radius)
1172{
1173 radius->auth_sock = -1;
1174
1175 if (radius->auth_serv_sock >= 0) {
1176 eloop_unregister_read_sock(radius->auth_serv_sock);
1177 close(radius->auth_serv_sock);
1178 radius->auth_serv_sock = -1;
1179 }
1180#ifdef CONFIG_IPV6
1181 if (radius->auth_serv_sock6 >= 0) {
1182 eloop_unregister_read_sock(radius->auth_serv_sock6);
1183 close(radius->auth_serv_sock6);
1184 radius->auth_serv_sock6 = -1;
1185 }
1186#endif /* CONFIG_IPV6 */
1187}
1188
1189
1190static void radius_close_acct_sockets(struct radius_client_data *radius)
1191{
1192 radius->acct_sock = -1;
1193
1194 if (radius->acct_serv_sock >= 0) {
1195 eloop_unregister_read_sock(radius->acct_serv_sock);
1196 close(radius->acct_serv_sock);
1197 radius->acct_serv_sock = -1;
1198 }
1199#ifdef CONFIG_IPV6
1200 if (radius->acct_serv_sock6 >= 0) {
1201 eloop_unregister_read_sock(radius->acct_serv_sock6);
1202 close(radius->acct_serv_sock6);
1203 radius->acct_serv_sock6 = -1;
1204 }
1205#endif /* CONFIG_IPV6 */
1206}
1207
1208
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1209static int radius_client_init_auth(struct radius_client_data *radius)
1210{
1211 struct hostapd_radius_servers *conf = radius->conf;
1212 int ok = 0;
1213
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]1214 radius_close_auth_sockets(radius);
1215
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1216 radius->auth_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
1217 if (radius->auth_serv_sock < 0)
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]1218 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET,SOCK_DGRAM]: %s",
1219 strerror(errno));
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1220 else {
1221 radius_client_disable_pmtu_discovery(radius->auth_serv_sock);
1222 ok++;
1223 }
1224
1225#ifdef CONFIG_IPV6
1226 radius->auth_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
1227 if (radius->auth_serv_sock6 < 0)
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]1228 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET6,SOCK_DGRAM]: %s",
1229 strerror(errno));
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1230 else
1231 ok++;
1232#endif /* CONFIG_IPV6 */
1233
1234 if (ok == 0)
1235 return -1;
1236
1237 radius_change_server(radius, conf->auth_server, NULL,
1238 radius->auth_serv_sock, radius->auth_serv_sock6,
1239 1);
1240
1241 if (radius->auth_serv_sock >= 0 &&
1242 eloop_register_read_sock(radius->auth_serv_sock,
1243 radius_client_receive, radius,
1244 (void *) RADIUS_AUTH)) {
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]1245 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for authentication server");
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]1246 radius_close_auth_sockets(radius);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1247 return -1;
1248 }
1249
1250#ifdef CONFIG_IPV6
1251 if (radius->auth_serv_sock6 >= 0 &&
1252 eloop_register_read_sock(radius->auth_serv_sock6,
1253 radius_client_receive, radius,
1254 (void *) RADIUS_AUTH)) {
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]1255 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for authentication server");
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]1256 radius_close_auth_sockets(radius);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1257 return -1;
1258 }
1259#endif /* CONFIG_IPV6 */
1260
1261 return 0;
1262}
1263
1264
1265static int radius_client_init_acct(struct radius_client_data *radius)
1266{
1267 struct hostapd_radius_servers *conf = radius->conf;
1268 int ok = 0;
1269
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]1270 radius_close_acct_sockets(radius);
1271
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1272 radius->acct_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
1273 if (radius->acct_serv_sock < 0)
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]1274 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET,SOCK_DGRAM]: %s",
1275 strerror(errno));
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1276 else {
1277 radius_client_disable_pmtu_discovery(radius->acct_serv_sock);
1278 ok++;
1279 }
1280
1281#ifdef CONFIG_IPV6
1282 radius->acct_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
1283 if (radius->acct_serv_sock6 < 0)
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]1284 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET6,SOCK_DGRAM]: %s",
1285 strerror(errno));
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1286 else
1287 ok++;
1288#endif /* CONFIG_IPV6 */
1289
1290 if (ok == 0)
1291 return -1;
1292
1293 radius_change_server(radius, conf->acct_server, NULL,
1294 radius->acct_serv_sock, radius->acct_serv_sock6,
1295 0);
1296
1297 if (radius->acct_serv_sock >= 0 &&
1298 eloop_register_read_sock(radius->acct_serv_sock,
1299 radius_client_receive, radius,
1300 (void *) RADIUS_ACCT)) {
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]1301 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for accounting server");
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]1302 radius_close_acct_sockets(radius);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1303 return -1;
1304 }
1305
1306#ifdef CONFIG_IPV6
1307 if (radius->acct_serv_sock6 >= 0 &&
1308 eloop_register_read_sock(radius->acct_serv_sock6,
1309 radius_client_receive, radius,
1310 (void *) RADIUS_ACCT)) {
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]1311 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for accounting server");
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]1312 radius_close_acct_sockets(radius);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1313 return -1;
1314 }
1315#endif /* CONFIG_IPV6 */
1316
1317 return 0;
1318}
1319
1320
1321/**
1322 * radius_client_init - Initialize RADIUS client
1323 * @ctx: Callback context to be used in hostapd_logger() calls
1324 * @conf: RADIUS client configuration (RADIUS servers)
1325 * Returns: Pointer to private RADIUS client context or %NULL on failure
1326 *
1327 * The caller is responsible for keeping the configuration data available for
1328 * the lifetime of the RADIUS client, i.e., until radius_client_deinit() is
1329 * called for the returned context pointer.
1330 */
1331struct radius_client_data *
1332radius_client_init(void *ctx, struct hostapd_radius_servers *conf)
1333{
1334 struct radius_client_data *radius;
1335
1336 radius = os_zalloc(sizeof(struct radius_client_data));
1337 if (radius == NULL)
1338 return NULL;
1339
1340 radius->ctx = ctx;
1341 radius->conf = conf;
1342 radius->auth_serv_sock = radius->acct_serv_sock =
1343 radius->auth_serv_sock6 = radius->acct_serv_sock6 =
1344 radius->auth_sock = radius->acct_sock = -1;
1345
1346 if (conf->auth_server && radius_client_init_auth(radius)) {
1347 radius_client_deinit(radius);
1348 return NULL;
1349 }
1350
1351 if (conf->acct_server && radius_client_init_acct(radius)) {
1352 radius_client_deinit(radius);
1353 return NULL;
1354 }
1355
1356 if (conf->retry_primary_interval)
1357 eloop_register_timeout(conf->retry_primary_interval, 0,
1358 radius_retry_primary_timer, radius,
1359 NULL);
1360
1361 return radius;
1362}
1363
1364
1365/**
1366 * radius_client_deinit - Deinitialize RADIUS client
1367 * @radius: RADIUS client context from radius_client_init()
1368 */
1369void radius_client_deinit(struct radius_client_data *radius)
1370{
1371 if (!radius)
1372 return;
1373
Dmitry Shmidt71757432014-06-02 13:50:35 -0700[diff] [blame]1374 radius_close_auth_sockets(radius);
1375 radius_close_acct_sockets(radius);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1376
1377 eloop_cancel_timeout(radius_retry_primary_timer, radius, NULL);
1378
1379 radius_client_flush(radius, 0);
1380 os_free(radius->auth_handlers);
1381 os_free(radius->acct_handlers);
1382 os_free(radius);
1383}
1384
1385
1386/**
1387 * radius_client_flush_auth - Flush pending RADIUS messages for an address
1388 * @radius: RADIUS client context from radius_client_init()
1389 * @addr: MAC address of the related device
1390 *
1391 * This function can be used to remove pending RADIUS authentication messages
1392 * that are related to a specific device. The addr parameter is matched with
1393 * the one used in radius_client_send() call that was used to transmit the
1394 * authentication request.
1395 */
1396void radius_client_flush_auth(struct radius_client_data *radius,
1397 const u8 *addr)
1398{
1399 struct radius_msg_list *entry, *prev, *tmp;
1400
1401 prev = NULL;
1402 entry = radius->msgs;
1403 while (entry) {
1404 if (entry->msg_type == RADIUS_AUTH &&
1405 os_memcmp(entry->addr, addr, ETH_ALEN) == 0) {
1406 hostapd_logger(radius->ctx, addr,
1407 HOSTAPD_MODULE_RADIUS,
1408 HOSTAPD_LEVEL_DEBUG,
1409 "Removing pending RADIUS authentication"
1410 " message for removed client");
1411
1412 if (prev)
1413 prev->next = entry->next;
1414 else
1415 radius->msgs = entry->next;
1416
1417 tmp = entry;
1418 entry = entry->next;
1419 radius_client_msg_free(tmp);
1420 radius->num_msgs--;
1421 continue;
1422 }
1423
1424 prev = entry;
1425 entry = entry->next;
1426 }
1427}
1428
1429
1430static int radius_client_dump_auth_server(char *buf, size_t buflen,
1431 struct hostapd_radius_server *serv,
1432 struct radius_client_data *cli)
1433{
1434 int pending = 0;
1435 struct radius_msg_list *msg;
1436 char abuf[50];
1437
1438 if (cli) {
1439 for (msg = cli->msgs; msg; msg = msg->next) {
1440 if (msg->msg_type == RADIUS_AUTH)
1441 pending++;
1442 }
1443 }
1444
1445 return os_snprintf(buf, buflen,
1446 "radiusAuthServerIndex=%d\n"
1447 "radiusAuthServerAddress=%s\n"
1448 "radiusAuthClientServerPortNumber=%d\n"
1449 "radiusAuthClientRoundTripTime=%d\n"
1450 "radiusAuthClientAccessRequests=%u\n"
1451 "radiusAuthClientAccessRetransmissions=%u\n"
1452 "radiusAuthClientAccessAccepts=%u\n"
1453 "radiusAuthClientAccessRejects=%u\n"
1454 "radiusAuthClientAccessChallenges=%u\n"
1455 "radiusAuthClientMalformedAccessResponses=%u\n"
1456 "radiusAuthClientBadAuthenticators=%u\n"
1457 "radiusAuthClientPendingRequests=%u\n"
1458 "radiusAuthClientTimeouts=%u\n"
1459 "radiusAuthClientUnknownTypes=%u\n"
1460 "radiusAuthClientPacketsDropped=%u\n",
1461 serv->index,
1462 hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
1463 serv->port,
1464 serv->round_trip_time,
1465 serv->requests,
1466 serv->retransmissions,
1467 serv->access_accepts,
1468 serv->access_rejects,
1469 serv->access_challenges,
1470 serv->malformed_responses,
1471 serv->bad_authenticators,
1472 pending,
1473 serv->timeouts,
1474 serv->unknown_types,
1475 serv->packets_dropped);
1476}
1477
1478
1479static int radius_client_dump_acct_server(char *buf, size_t buflen,
1480 struct hostapd_radius_server *serv,
1481 struct radius_client_data *cli)
1482{
1483 int pending = 0;
1484 struct radius_msg_list *msg;
1485 char abuf[50];
1486
1487 if (cli) {
1488 for (msg = cli->msgs; msg; msg = msg->next) {
1489 if (msg->msg_type == RADIUS_ACCT ||
1490 msg->msg_type == RADIUS_ACCT_INTERIM)
1491 pending++;
1492 }
1493 }
1494
1495 return os_snprintf(buf, buflen,
1496 "radiusAccServerIndex=%d\n"
1497 "radiusAccServerAddress=%s\n"
1498 "radiusAccClientServerPortNumber=%d\n"
1499 "radiusAccClientRoundTripTime=%d\n"
1500 "radiusAccClientRequests=%u\n"
1501 "radiusAccClientRetransmissions=%u\n"
1502 "radiusAccClientResponses=%u\n"
1503 "radiusAccClientMalformedResponses=%u\n"
1504 "radiusAccClientBadAuthenticators=%u\n"
1505 "radiusAccClientPendingRequests=%u\n"
1506 "radiusAccClientTimeouts=%u\n"
1507 "radiusAccClientUnknownTypes=%u\n"
1508 "radiusAccClientPacketsDropped=%u\n",
1509 serv->index,
1510 hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
1511 serv->port,
1512 serv->round_trip_time,
1513 serv->requests,
1514 serv->retransmissions,
1515 serv->responses,
1516 serv->malformed_responses,
1517 serv->bad_authenticators,
1518 pending,
1519 serv->timeouts,
1520 serv->unknown_types,
1521 serv->packets_dropped);
1522}
1523
1524
1525/**
1526 * radius_client_get_mib - Get RADIUS client MIB information
1527 * @radius: RADIUS client context from radius_client_init()
1528 * @buf: Buffer for returning MIB data in text format
1529 * @buflen: Maximum buf length in octets
1530 * Returns: Number of octets written into the buffer
1531 */
1532int radius_client_get_mib(struct radius_client_data *radius, char *buf,
1533 size_t buflen)
1534{
1535 struct hostapd_radius_servers *conf = radius->conf;
1536 int i;
1537 struct hostapd_radius_server *serv;
1538 int count = 0;
1539
1540 if (conf->auth_servers) {
1541 for (i = 0; i < conf->num_auth_servers; i++) {
1542 serv = &conf->auth_servers[i];
1543 count += radius_client_dump_auth_server(
1544 buf + count, buflen - count, serv,
1545 serv == conf->auth_server ?
1546 radius : NULL);
1547 }
1548 }
1549
1550 if (conf->acct_servers) {
1551 for (i = 0; i < conf->num_acct_servers; i++) {
1552 serv = &conf->acct_servers[i];
1553 count += radius_client_dump_acct_server(
1554 buf + count, buflen - count, serv,
1555 serv == conf->acct_server ?
1556 radius : NULL);
1557 }
1558 }
1559
1560 return count;
1561}
1562
1563
1564void radius_client_reconfig(struct radius_client_data *radius,
1565 struct hostapd_radius_servers *conf)
1566{
1567 if (radius)
1568 radius->conf = conf;
1569}