radius_client.c 39 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491
  1. /*
  2. * RADIUS client
  3. * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
  4. *
  5. * This software may be distributed under the terms of the BSD license.
  6. * See README for more details.
  7. */
  8. #include "includes.h"
  9. #include "common.h"
  10. #include "radius.h"
  11. #include "radius_client.h"
  12. #include "eloop.h"
  13. /* Defaults for RADIUS retransmit values (exponential backoff) */
  14. /**
  15. * RADIUS_CLIENT_FIRST_WAIT - RADIUS client timeout for first retry in seconds
  16. */
  17. #define RADIUS_CLIENT_FIRST_WAIT 3
  18. /**
  19. * RADIUS_CLIENT_MAX_WAIT - RADIUS client maximum retry timeout in seconds
  20. */
  21. #define RADIUS_CLIENT_MAX_WAIT 120
  22. /**
  23. * RADIUS_CLIENT_MAX_RETRIES - RADIUS client maximum retries
  24. *
  25. * Maximum number of retransmit attempts before the entry is removed from
  26. * retransmit list.
  27. */
  28. #define RADIUS_CLIENT_MAX_RETRIES 10
  29. /**
  30. * RADIUS_CLIENT_MAX_ENTRIES - RADIUS client maximum pending messages
  31. *
  32. * Maximum number of entries in retransmit list (oldest entries will be
  33. * removed, if this limit is exceeded).
  34. */
  35. #define RADIUS_CLIENT_MAX_ENTRIES 30
  36. /**
  37. * RADIUS_CLIENT_NUM_FAILOVER - RADIUS client failover point
  38. *
  39. * The number of failed retry attempts after which the RADIUS server will be
  40. * changed (if one of more backup servers are configured).
  41. */
  42. #define RADIUS_CLIENT_NUM_FAILOVER 4
  43. /**
  44. * struct radius_rx_handler - RADIUS client RX handler
  45. *
  46. * This data structure is used internally inside the RADIUS client module to
  47. * store registered RX handlers. These handlers are registered by calls to
  48. * radius_client_register() and unregistered when the RADIUS client is
  49. * deinitialized with a call to radius_client_deinit().
  50. */
  51. struct radius_rx_handler {
  52. /**
  53. * handler - Received RADIUS message handler
  54. */
  55. RadiusRxResult (*handler)(struct radius_msg *msg,
  56. struct radius_msg *req,
  57. const u8 *shared_secret,
  58. size_t shared_secret_len,
  59. void *data);
  60. /**
  61. * data - Context data for the handler
  62. */
  63. void *data;
  64. };
  65. /**
  66. * struct radius_msg_list - RADIUS client message retransmit list
  67. *
  68. * This data structure is used internally inside the RADIUS client module to
  69. * store pending RADIUS requests that may still need to be retransmitted.
  70. */
  71. struct radius_msg_list {
  72. /**
  73. * addr - STA/client address
  74. *
  75. * This is used to find RADIUS messages for the same STA.
  76. */
  77. u8 addr[ETH_ALEN];
  78. /**
  79. * msg - RADIUS message
  80. */
  81. struct radius_msg *msg;
  82. /**
  83. * msg_type - Message type
  84. */
  85. RadiusType msg_type;
  86. /**
  87. * first_try - Time of the first transmission attempt
  88. */
  89. os_time_t first_try;
  90. /**
  91. * next_try - Time for the next transmission attempt
  92. */
  93. os_time_t next_try;
  94. /**
  95. * attempts - Number of transmission attempts
  96. */
  97. int attempts;
  98. /**
  99. * next_wait - Next retransmission wait time in seconds
  100. */
  101. int next_wait;
  102. /**
  103. * last_attempt - Time of the last transmission attempt
  104. */
  105. struct os_time last_attempt;
  106. /**
  107. * shared_secret - Shared secret with the target RADIUS server
  108. */
  109. const u8 *shared_secret;
  110. /**
  111. * shared_secret_len - shared_secret length in octets
  112. */
  113. size_t shared_secret_len;
  114. /* TODO: server config with failover to backup server(s) */
  115. /**
  116. * next - Next message in the list
  117. */
  118. struct radius_msg_list *next;
  119. };
  120. /**
  121. * struct radius_client_data - Internal RADIUS client data
  122. *
  123. * This data structure is used internally inside the RADIUS client module.
  124. * External users allocate this by calling radius_client_init() and free it by
  125. * calling radius_client_deinit(). The pointer to this opaque data is used in
  126. * calls to other functions as an identifier for the RADIUS client instance.
  127. */
  128. struct radius_client_data {
  129. /**
  130. * ctx - Context pointer for hostapd_logger() callbacks
  131. */
  132. void *ctx;
  133. /**
  134. * conf - RADIUS client configuration (list of RADIUS servers to use)
  135. */
  136. struct hostapd_radius_servers *conf;
  137. /**
  138. * auth_serv_sock - IPv4 socket for RADIUS authentication messages
  139. */
  140. int auth_serv_sock;
  141. /**
  142. * acct_serv_sock - IPv4 socket for RADIUS accounting messages
  143. */
  144. int acct_serv_sock;
  145. /**
  146. * auth_serv_sock6 - IPv6 socket for RADIUS authentication messages
  147. */
  148. int auth_serv_sock6;
  149. /**
  150. * acct_serv_sock6 - IPv6 socket for RADIUS accounting messages
  151. */
  152. int acct_serv_sock6;
  153. /**
  154. * auth_sock - Currently used socket for RADIUS authentication server
  155. */
  156. int auth_sock;
  157. /**
  158. * acct_sock - Currently used socket for RADIUS accounting server
  159. */
  160. int acct_sock;
  161. /**
  162. * auth_handlers - Authentication message handlers
  163. */
  164. struct radius_rx_handler *auth_handlers;
  165. /**
  166. * num_auth_handlers - Number of handlers in auth_handlers
  167. */
  168. size_t num_auth_handlers;
  169. /**
  170. * acct_handlers - Accounting message handlers
  171. */
  172. struct radius_rx_handler *acct_handlers;
  173. /**
  174. * num_acct_handlers - Number of handlers in acct_handlers
  175. */
  176. size_t num_acct_handlers;
  177. /**
  178. * msgs - Pending outgoing RADIUS messages
  179. */
  180. struct radius_msg_list *msgs;
  181. /**
  182. * num_msgs - Number of pending messages in the msgs list
  183. */
  184. size_t num_msgs;
  185. /**
  186. * next_radius_identifier - Next RADIUS message identifier to use
  187. */
  188. u8 next_radius_identifier;
  189. };
  190. static int
  191. radius_change_server(struct radius_client_data *radius,
  192. struct hostapd_radius_server *nserv,
  193. struct hostapd_radius_server *oserv,
  194. int sock, int sock6, int auth);
  195. static int radius_client_init_acct(struct radius_client_data *radius);
  196. static int radius_client_init_auth(struct radius_client_data *radius);
  197. static void radius_client_msg_free(struct radius_msg_list *req)
  198. {
  199. radius_msg_free(req->msg);
  200. os_free(req);
  201. }
  202. /**
  203. * radius_client_register - Register a RADIUS client RX handler
  204. * @radius: RADIUS client context from radius_client_init()
  205. * @msg_type: RADIUS client type (RADIUS_AUTH or RADIUS_ACCT)
  206. * @handler: Handler for received RADIUS messages
  207. * @data: Context pointer for handler callbacks
  208. * Returns: 0 on success, -1 on failure
  209. *
  210. * This function is used to register a handler for processing received RADIUS
  211. * authentication and accounting messages. The handler() callback function will
  212. * be called whenever a RADIUS message is received from the active server.
  213. *
  214. * There can be multiple registered RADIUS message handlers. The handlers will
  215. * be called in order until one of them indicates that it has processed or
  216. * queued the message.
  217. */
  218. int radius_client_register(struct radius_client_data *radius,
  219. RadiusType msg_type,
  220. RadiusRxResult (*handler)(struct radius_msg *msg,
  221. struct radius_msg *req,
  222. const u8 *shared_secret,
  223. size_t shared_secret_len,
  224. void *data),
  225. void *data)
  226. {
  227. struct radius_rx_handler **handlers, *newh;
  228. size_t *num;
  229. if (msg_type == RADIUS_ACCT) {
  230. handlers = &radius->acct_handlers;
  231. num = &radius->num_acct_handlers;
  232. } else {
  233. handlers = &radius->auth_handlers;
  234. num = &radius->num_auth_handlers;
  235. }
  236. newh = os_realloc_array(*handlers, *num + 1,
  237. sizeof(struct radius_rx_handler));
  238. if (newh == NULL)
  239. return -1;
  240. newh[*num].handler = handler;
  241. newh[*num].data = data;
  242. (*num)++;
  243. *handlers = newh;
  244. return 0;
  245. }
  246. static void radius_client_handle_send_error(struct radius_client_data *radius,
  247. int s, RadiusType msg_type)
  248. {
  249. #ifndef CONFIG_NATIVE_WINDOWS
  250. int _errno = errno;
  251. wpa_printf(MSG_INFO, "send[RADIUS]: %s", strerror(errno));
  252. if (_errno == ENOTCONN || _errno == EDESTADDRREQ || _errno == EINVAL ||
  253. _errno == EBADF) {
  254. hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
  255. HOSTAPD_LEVEL_INFO,
  256. "Send failed - maybe interface status changed -"
  257. " try to connect again");
  258. eloop_unregister_read_sock(s);
  259. close(s);
  260. if (msg_type == RADIUS_ACCT || msg_type == RADIUS_ACCT_INTERIM)
  261. radius_client_init_acct(radius);
  262. else
  263. radius_client_init_auth(radius);
  264. }
  265. #endif /* CONFIG_NATIVE_WINDOWS */
  266. }
  267. static int radius_client_retransmit(struct radius_client_data *radius,
  268. struct radius_msg_list *entry,
  269. os_time_t now)
  270. {
  271. struct hostapd_radius_servers *conf = radius->conf;
  272. int s;
  273. struct wpabuf *buf;
  274. if (entry->msg_type == RADIUS_ACCT ||
  275. entry->msg_type == RADIUS_ACCT_INTERIM) {
  276. s = radius->acct_sock;
  277. if (entry->attempts == 0)
  278. conf->acct_server->requests++;
  279. else {
  280. conf->acct_server->timeouts++;
  281. conf->acct_server->retransmissions++;
  282. }
  283. } else {
  284. s = radius->auth_sock;
  285. if (entry->attempts == 0)
  286. conf->auth_server->requests++;
  287. else {
  288. conf->auth_server->timeouts++;
  289. conf->auth_server->retransmissions++;
  290. }
  291. }
  292. /* retransmit; remove entry if too many attempts */
  293. entry->attempts++;
  294. hostapd_logger(radius->ctx, entry->addr, HOSTAPD_MODULE_RADIUS,
  295. HOSTAPD_LEVEL_DEBUG, "Resending RADIUS message (id=%d)",
  296. radius_msg_get_hdr(entry->msg)->identifier);
  297. os_get_time(&entry->last_attempt);
  298. buf = radius_msg_get_buf(entry->msg);
  299. if (send(s, wpabuf_head(buf), wpabuf_len(buf), 0) < 0)
  300. radius_client_handle_send_error(radius, s, entry->msg_type);
  301. entry->next_try = now + entry->next_wait;
  302. entry->next_wait *= 2;
  303. if (entry->next_wait > RADIUS_CLIENT_MAX_WAIT)
  304. entry->next_wait = RADIUS_CLIENT_MAX_WAIT;
  305. if (entry->attempts >= RADIUS_CLIENT_MAX_RETRIES) {
  306. wpa_printf(MSG_INFO, "RADIUS: Removing un-ACKed message due to too many failed retransmit attempts");
  307. return 1;
  308. }
  309. return 0;
  310. }
  311. static void radius_client_timer(void *eloop_ctx, void *timeout_ctx)
  312. {
  313. struct radius_client_data *radius = eloop_ctx;
  314. struct hostapd_radius_servers *conf = radius->conf;
  315. struct os_time now;
  316. os_time_t first;
  317. struct radius_msg_list *entry, *prev, *tmp;
  318. int auth_failover = 0, acct_failover = 0;
  319. char abuf[50];
  320. entry = radius->msgs;
  321. if (!entry)
  322. return;
  323. os_get_time(&now);
  324. first = 0;
  325. prev = NULL;
  326. while (entry) {
  327. if (now.sec >= entry->next_try &&
  328. radius_client_retransmit(radius, entry, now.sec)) {
  329. if (prev)
  330. prev->next = entry->next;
  331. else
  332. radius->msgs = entry->next;
  333. tmp = entry;
  334. entry = entry->next;
  335. radius_client_msg_free(tmp);
  336. radius->num_msgs--;
  337. continue;
  338. }
  339. if (entry->attempts > RADIUS_CLIENT_NUM_FAILOVER) {
  340. if (entry->msg_type == RADIUS_ACCT ||
  341. entry->msg_type == RADIUS_ACCT_INTERIM)
  342. acct_failover++;
  343. else
  344. auth_failover++;
  345. }
  346. if (first == 0 || entry->next_try < first)
  347. first = entry->next_try;
  348. prev = entry;
  349. entry = entry->next;
  350. }
  351. if (radius->msgs) {
  352. if (first < now.sec)
  353. first = now.sec;
  354. eloop_register_timeout(first - now.sec, 0,
  355. radius_client_timer, radius, NULL);
  356. hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
  357. HOSTAPD_LEVEL_DEBUG, "Next RADIUS client "
  358. "retransmit in %ld seconds",
  359. (long int) (first - now.sec));
  360. }
  361. if (auth_failover && conf->num_auth_servers > 1) {
  362. struct hostapd_radius_server *next, *old;
  363. old = conf->auth_server;
  364. hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
  365. HOSTAPD_LEVEL_NOTICE,
  366. "No response from Authentication server "
  367. "%s:%d - failover",
  368. hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
  369. old->port);
  370. for (entry = radius->msgs; entry; entry = entry->next) {
  371. if (entry->msg_type == RADIUS_AUTH)
  372. old->timeouts++;
  373. }
  374. next = old + 1;
  375. if (next > &(conf->auth_servers[conf->num_auth_servers - 1]))
  376. next = conf->auth_servers;
  377. conf->auth_server = next;
  378. radius_change_server(radius, next, old,
  379. radius->auth_serv_sock,
  380. radius->auth_serv_sock6, 1);
  381. }
  382. if (acct_failover && conf->num_acct_servers > 1) {
  383. struct hostapd_radius_server *next, *old;
  384. old = conf->acct_server;
  385. hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
  386. HOSTAPD_LEVEL_NOTICE,
  387. "No response from Accounting server "
  388. "%s:%d - failover",
  389. hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
  390. old->port);
  391. for (entry = radius->msgs; entry; entry = entry->next) {
  392. if (entry->msg_type == RADIUS_ACCT ||
  393. entry->msg_type == RADIUS_ACCT_INTERIM)
  394. old->timeouts++;
  395. }
  396. next = old + 1;
  397. if (next > &conf->acct_servers[conf->num_acct_servers - 1])
  398. next = conf->acct_servers;
  399. conf->acct_server = next;
  400. radius_change_server(radius, next, old,
  401. radius->acct_serv_sock,
  402. radius->acct_serv_sock6, 0);
  403. }
  404. }
  405. static void radius_client_update_timeout(struct radius_client_data *radius)
  406. {
  407. struct os_time now;
  408. os_time_t first;
  409. struct radius_msg_list *entry;
  410. eloop_cancel_timeout(radius_client_timer, radius, NULL);
  411. if (radius->msgs == NULL) {
  412. return;
  413. }
  414. first = 0;
  415. for (entry = radius->msgs; entry; entry = entry->next) {
  416. if (first == 0 || entry->next_try < first)
  417. first = entry->next_try;
  418. }
  419. os_get_time(&now);
  420. if (first < now.sec)
  421. first = now.sec;
  422. eloop_register_timeout(first - now.sec, 0, radius_client_timer, radius,
  423. NULL);
  424. hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
  425. HOSTAPD_LEVEL_DEBUG, "Next RADIUS client retransmit in"
  426. " %ld seconds", (long int) (first - now.sec));
  427. }
  428. static void radius_client_list_add(struct radius_client_data *radius,
  429. struct radius_msg *msg,
  430. RadiusType msg_type,
  431. const u8 *shared_secret,
  432. size_t shared_secret_len, const u8 *addr)
  433. {
  434. struct radius_msg_list *entry, *prev;
  435. if (eloop_terminated()) {
  436. /* No point in adding entries to retransmit queue since event
  437. * loop has already been terminated. */
  438. radius_msg_free(msg);
  439. return;
  440. }
  441. entry = os_zalloc(sizeof(*entry));
  442. if (entry == NULL) {
  443. wpa_printf(MSG_INFO, "RADIUS: Failed to add packet into retransmit list");
  444. radius_msg_free(msg);
  445. return;
  446. }
  447. if (addr)
  448. os_memcpy(entry->addr, addr, ETH_ALEN);
  449. entry->msg = msg;
  450. entry->msg_type = msg_type;
  451. entry->shared_secret = shared_secret;
  452. entry->shared_secret_len = shared_secret_len;
  453. os_get_time(&entry->last_attempt);
  454. entry->first_try = entry->last_attempt.sec;
  455. entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
  456. entry->attempts = 1;
  457. entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
  458. entry->next = radius->msgs;
  459. radius->msgs = entry;
  460. radius_client_update_timeout(radius);
  461. if (radius->num_msgs >= RADIUS_CLIENT_MAX_ENTRIES) {
  462. wpa_printf(MSG_INFO, "RADIUS: Removing the oldest un-ACKed packet due to retransmit list limits");
  463. prev = NULL;
  464. while (entry->next) {
  465. prev = entry;
  466. entry = entry->next;
  467. }
  468. if (prev) {
  469. prev->next = NULL;
  470. radius_client_msg_free(entry);
  471. }
  472. } else
  473. radius->num_msgs++;
  474. }
  475. static void radius_client_list_del(struct radius_client_data *radius,
  476. RadiusType msg_type, const u8 *addr)
  477. {
  478. struct radius_msg_list *entry, *prev, *tmp;
  479. if (addr == NULL)
  480. return;
  481. entry = radius->msgs;
  482. prev = NULL;
  483. while (entry) {
  484. if (entry->msg_type == msg_type &&
  485. os_memcmp(entry->addr, addr, ETH_ALEN) == 0) {
  486. if (prev)
  487. prev->next = entry->next;
  488. else
  489. radius->msgs = entry->next;
  490. tmp = entry;
  491. entry = entry->next;
  492. hostapd_logger(radius->ctx, addr,
  493. HOSTAPD_MODULE_RADIUS,
  494. HOSTAPD_LEVEL_DEBUG,
  495. "Removing matching RADIUS message");
  496. radius_client_msg_free(tmp);
  497. radius->num_msgs--;
  498. continue;
  499. }
  500. prev = entry;
  501. entry = entry->next;
  502. }
  503. }
  504. /**
  505. * radius_client_send - Send a RADIUS request
  506. * @radius: RADIUS client context from radius_client_init()
  507. * @msg: RADIUS message to be sent
  508. * @msg_type: Message type (RADIUS_AUTH, RADIUS_ACCT, RADIUS_ACCT_INTERIM)
  509. * @addr: MAC address of the device related to this message or %NULL
  510. * Returns: 0 on success, -1 on failure
  511. *
  512. * This function is used to transmit a RADIUS authentication (RADIUS_AUTH) or
  513. * accounting request (RADIUS_ACCT or RADIUS_ACCT_INTERIM). The only difference
  514. * between accounting and interim accounting messages is that the interim
  515. * message will override any pending interim accounting updates while a new
  516. * accounting message does not remove any pending messages.
  517. *
  518. * The message is added on the retransmission queue and will be retransmitted
  519. * automatically until a response is received or maximum number of retries
  520. * (RADIUS_CLIENT_MAX_RETRIES) is reached.
  521. *
  522. * The related device MAC address can be used to identify pending messages that
  523. * can be removed with radius_client_flush_auth() or with interim accounting
  524. * updates.
  525. */
  526. int radius_client_send(struct radius_client_data *radius,
  527. struct radius_msg *msg, RadiusType msg_type,
  528. const u8 *addr)
  529. {
  530. struct hostapd_radius_servers *conf = radius->conf;
  531. const u8 *shared_secret;
  532. size_t shared_secret_len;
  533. char *name;
  534. int s, res;
  535. struct wpabuf *buf;
  536. if (msg_type == RADIUS_ACCT_INTERIM) {
  537. /* Remove any pending interim acct update for the same STA. */
  538. radius_client_list_del(radius, msg_type, addr);
  539. }
  540. if (msg_type == RADIUS_ACCT || msg_type == RADIUS_ACCT_INTERIM) {
  541. if (conf->acct_server == NULL) {
  542. hostapd_logger(radius->ctx, NULL,
  543. HOSTAPD_MODULE_RADIUS,
  544. HOSTAPD_LEVEL_INFO,
  545. "No accounting server configured");
  546. return -1;
  547. }
  548. shared_secret = conf->acct_server->shared_secret;
  549. shared_secret_len = conf->acct_server->shared_secret_len;
  550. radius_msg_finish_acct(msg, shared_secret, shared_secret_len);
  551. name = "accounting";
  552. s = radius->acct_sock;
  553. conf->acct_server->requests++;
  554. } else {
  555. if (conf->auth_server == NULL) {
  556. hostapd_logger(radius->ctx, NULL,
  557. HOSTAPD_MODULE_RADIUS,
  558. HOSTAPD_LEVEL_INFO,
  559. "No authentication server configured");
  560. return -1;
  561. }
  562. shared_secret = conf->auth_server->shared_secret;
  563. shared_secret_len = conf->auth_server->shared_secret_len;
  564. radius_msg_finish(msg, shared_secret, shared_secret_len);
  565. name = "authentication";
  566. s = radius->auth_sock;
  567. conf->auth_server->requests++;
  568. }
  569. hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
  570. HOSTAPD_LEVEL_DEBUG, "Sending RADIUS message to %s "
  571. "server", name);
  572. if (conf->msg_dumps)
  573. radius_msg_dump(msg);
  574. buf = radius_msg_get_buf(msg);
  575. res = send(s, wpabuf_head(buf), wpabuf_len(buf), 0);
  576. if (res < 0)
  577. radius_client_handle_send_error(radius, s, msg_type);
  578. radius_client_list_add(radius, msg, msg_type, shared_secret,
  579. shared_secret_len, addr);
  580. return 0;
  581. }
  582. static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
  583. {
  584. struct radius_client_data *radius = eloop_ctx;
  585. struct hostapd_radius_servers *conf = radius->conf;
  586. RadiusType msg_type = (RadiusType) sock_ctx;
  587. int len, roundtrip;
  588. unsigned char buf[3000];
  589. struct radius_msg *msg;
  590. struct radius_hdr *hdr;
  591. struct radius_rx_handler *handlers;
  592. size_t num_handlers, i;
  593. struct radius_msg_list *req, *prev_req;
  594. struct os_time now;
  595. struct hostapd_radius_server *rconf;
  596. int invalid_authenticator = 0;
  597. if (msg_type == RADIUS_ACCT) {
  598. handlers = radius->acct_handlers;
  599. num_handlers = radius->num_acct_handlers;
  600. rconf = conf->acct_server;
  601. } else {
  602. handlers = radius->auth_handlers;
  603. num_handlers = radius->num_auth_handlers;
  604. rconf = conf->auth_server;
  605. }
  606. len = recv(sock, buf, sizeof(buf), MSG_DONTWAIT);
  607. if (len < 0) {
  608. wpa_printf(MSG_INFO, "recv[RADIUS]: %s", strerror(errno));
  609. return;
  610. }
  611. hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
  612. HOSTAPD_LEVEL_DEBUG, "Received %d bytes from RADIUS "
  613. "server", len);
  614. if (len == sizeof(buf)) {
  615. wpa_printf(MSG_INFO, "RADIUS: Possibly too long UDP frame for our buffer - dropping it");
  616. return;
  617. }
  618. msg = radius_msg_parse(buf, len);
  619. if (msg == NULL) {
  620. wpa_printf(MSG_INFO, "RADIUS: Parsing incoming frame failed");
  621. rconf->malformed_responses++;
  622. return;
  623. }
  624. hdr = radius_msg_get_hdr(msg);
  625. hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
  626. HOSTAPD_LEVEL_DEBUG, "Received RADIUS message");
  627. if (conf->msg_dumps)
  628. radius_msg_dump(msg);
  629. switch (hdr->code) {
  630. case RADIUS_CODE_ACCESS_ACCEPT:
  631. rconf->access_accepts++;
  632. break;
  633. case RADIUS_CODE_ACCESS_REJECT:
  634. rconf->access_rejects++;
  635. break;
  636. case RADIUS_CODE_ACCESS_CHALLENGE:
  637. rconf->access_challenges++;
  638. break;
  639. case RADIUS_CODE_ACCOUNTING_RESPONSE:
  640. rconf->responses++;
  641. break;
  642. }
  643. prev_req = NULL;
  644. req = radius->msgs;
  645. while (req) {
  646. /* TODO: also match by src addr:port of the packet when using
  647. * alternative RADIUS servers (?) */
  648. if ((req->msg_type == msg_type ||
  649. (req->msg_type == RADIUS_ACCT_INTERIM &&
  650. msg_type == RADIUS_ACCT)) &&
  651. radius_msg_get_hdr(req->msg)->identifier ==
  652. hdr->identifier)
  653. break;
  654. prev_req = req;
  655. req = req->next;
  656. }
  657. if (req == NULL) {
  658. hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
  659. HOSTAPD_LEVEL_DEBUG,
  660. "No matching RADIUS request found (type=%d "
  661. "id=%d) - dropping packet",
  662. msg_type, hdr->identifier);
  663. goto fail;
  664. }
  665. os_get_time(&now);
  666. roundtrip = (now.sec - req->last_attempt.sec) * 100 +
  667. (now.usec - req->last_attempt.usec) / 10000;
  668. hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
  669. HOSTAPD_LEVEL_DEBUG,
  670. "Received RADIUS packet matched with a pending "
  671. "request, round trip time %d.%02d sec",
  672. roundtrip / 100, roundtrip % 100);
  673. rconf->round_trip_time = roundtrip;
  674. /* Remove ACKed RADIUS packet from retransmit list */
  675. if (prev_req)
  676. prev_req->next = req->next;
  677. else
  678. radius->msgs = req->next;
  679. radius->num_msgs--;
  680. for (i = 0; i < num_handlers; i++) {
  681. RadiusRxResult res;
  682. res = handlers[i].handler(msg, req->msg, req->shared_secret,
  683. req->shared_secret_len,
  684. handlers[i].data);
  685. switch (res) {
  686. case RADIUS_RX_PROCESSED:
  687. radius_msg_free(msg);
  688. /* continue */
  689. case RADIUS_RX_QUEUED:
  690. radius_client_msg_free(req);
  691. return;
  692. case RADIUS_RX_INVALID_AUTHENTICATOR:
  693. invalid_authenticator++;
  694. /* continue */
  695. case RADIUS_RX_UNKNOWN:
  696. /* continue with next handler */
  697. break;
  698. }
  699. }
  700. if (invalid_authenticator)
  701. rconf->bad_authenticators++;
  702. else
  703. rconf->unknown_types++;
  704. hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
  705. HOSTAPD_LEVEL_DEBUG, "No RADIUS RX handler found "
  706. "(type=%d code=%d id=%d)%s - dropping packet",
  707. msg_type, hdr->code, hdr->identifier,
  708. invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
  709. "");
  710. radius_client_msg_free(req);
  711. fail:
  712. radius_msg_free(msg);
  713. }
  714. /**
  715. * radius_client_get_id - Get an identifier for a new RADIUS message
  716. * @radius: RADIUS client context from radius_client_init()
  717. * Returns: Allocated identifier
  718. *
  719. * This function is used to fetch a unique (among pending requests) identifier
  720. * for a new RADIUS message.
  721. */
  722. u8 radius_client_get_id(struct radius_client_data *radius)
  723. {
  724. struct radius_msg_list *entry, *prev, *_remove;
  725. u8 id = radius->next_radius_identifier++;
  726. /* remove entries with matching id from retransmit list to avoid
  727. * using new reply from the RADIUS server with an old request */
  728. entry = radius->msgs;
  729. prev = NULL;
  730. while (entry) {
  731. if (radius_msg_get_hdr(entry->msg)->identifier == id) {
  732. hostapd_logger(radius->ctx, entry->addr,
  733. HOSTAPD_MODULE_RADIUS,
  734. HOSTAPD_LEVEL_DEBUG,
  735. "Removing pending RADIUS message, "
  736. "since its id (%d) is reused", id);
  737. if (prev)
  738. prev->next = entry->next;
  739. else
  740. radius->msgs = entry->next;
  741. _remove = entry;
  742. } else {
  743. _remove = NULL;
  744. prev = entry;
  745. }
  746. entry = entry->next;
  747. if (_remove)
  748. radius_client_msg_free(_remove);
  749. }
  750. return id;
  751. }
  752. /**
  753. * radius_client_flush - Flush all pending RADIUS client messages
  754. * @radius: RADIUS client context from radius_client_init()
  755. * @only_auth: Whether only authentication messages are removed
  756. */
  757. void radius_client_flush(struct radius_client_data *radius, int only_auth)
  758. {
  759. struct radius_msg_list *entry, *prev, *tmp;
  760. if (!radius)
  761. return;
  762. prev = NULL;
  763. entry = radius->msgs;
  764. while (entry) {
  765. if (!only_auth || entry->msg_type == RADIUS_AUTH) {
  766. if (prev)
  767. prev->next = entry->next;
  768. else
  769. radius->msgs = entry->next;
  770. tmp = entry;
  771. entry = entry->next;
  772. radius_client_msg_free(tmp);
  773. radius->num_msgs--;
  774. } else {
  775. prev = entry;
  776. entry = entry->next;
  777. }
  778. }
  779. if (radius->msgs == NULL)
  780. eloop_cancel_timeout(radius_client_timer, radius, NULL);
  781. }
  782. static void radius_client_update_acct_msgs(struct radius_client_data *radius,
  783. const u8 *shared_secret,
  784. size_t shared_secret_len)
  785. {
  786. struct radius_msg_list *entry;
  787. if (!radius)
  788. return;
  789. for (entry = radius->msgs; entry; entry = entry->next) {
  790. if (entry->msg_type == RADIUS_ACCT) {
  791. entry->shared_secret = shared_secret;
  792. entry->shared_secret_len = shared_secret_len;
  793. radius_msg_finish_acct(entry->msg, shared_secret,
  794. shared_secret_len);
  795. }
  796. }
  797. }
  798. static int
  799. radius_change_server(struct radius_client_data *radius,
  800. struct hostapd_radius_server *nserv,
  801. struct hostapd_radius_server *oserv,
  802. int sock, int sock6, int auth)
  803. {
  804. struct sockaddr_in serv, claddr;
  805. #ifdef CONFIG_IPV6
  806. struct sockaddr_in6 serv6, claddr6;
  807. #endif /* CONFIG_IPV6 */
  808. struct sockaddr *addr, *cl_addr;
  809. socklen_t addrlen, claddrlen;
  810. char abuf[50];
  811. int sel_sock;
  812. struct radius_msg_list *entry;
  813. struct hostapd_radius_servers *conf = radius->conf;
  814. hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
  815. HOSTAPD_LEVEL_INFO,
  816. "%s server %s:%d",
  817. auth ? "Authentication" : "Accounting",
  818. hostapd_ip_txt(&nserv->addr, abuf, sizeof(abuf)),
  819. nserv->port);
  820. if (!oserv || nserv->shared_secret_len != oserv->shared_secret_len ||
  821. os_memcmp(nserv->shared_secret, oserv->shared_secret,
  822. nserv->shared_secret_len) != 0) {
  823. /* Pending RADIUS packets used different shared secret, so
  824. * they need to be modified. Update accounting message
  825. * authenticators here. Authentication messages are removed
  826. * since they would require more changes and the new RADIUS
  827. * server may not be prepared to receive them anyway due to
  828. * missing state information. Client will likely retry
  829. * authentication, so this should not be an issue. */
  830. if (auth)
  831. radius_client_flush(radius, 1);
  832. else {
  833. radius_client_update_acct_msgs(
  834. radius, nserv->shared_secret,
  835. nserv->shared_secret_len);
  836. }
  837. }
  838. /* Reset retry counters for the new server */
  839. for (entry = radius->msgs; entry; entry = entry->next) {
  840. if ((auth && entry->msg_type != RADIUS_AUTH) ||
  841. (!auth && entry->msg_type != RADIUS_ACCT))
  842. continue;
  843. entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
  844. entry->attempts = 0;
  845. entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
  846. }
  847. if (radius->msgs) {
  848. eloop_cancel_timeout(radius_client_timer, radius, NULL);
  849. eloop_register_timeout(RADIUS_CLIENT_FIRST_WAIT, 0,
  850. radius_client_timer, radius, NULL);
  851. }
  852. switch (nserv->addr.af) {
  853. case AF_INET:
  854. os_memset(&serv, 0, sizeof(serv));
  855. serv.sin_family = AF_INET;
  856. serv.sin_addr.s_addr = nserv->addr.u.v4.s_addr;
  857. serv.sin_port = htons(nserv->port);
  858. addr = (struct sockaddr *) &serv;
  859. addrlen = sizeof(serv);
  860. sel_sock = sock;
  861. break;
  862. #ifdef CONFIG_IPV6
  863. case AF_INET6:
  864. os_memset(&serv6, 0, sizeof(serv6));
  865. serv6.sin6_family = AF_INET6;
  866. os_memcpy(&serv6.sin6_addr, &nserv->addr.u.v6,
  867. sizeof(struct in6_addr));
  868. serv6.sin6_port = htons(nserv->port);
  869. addr = (struct sockaddr *) &serv6;
  870. addrlen = sizeof(serv6);
  871. sel_sock = sock6;
  872. break;
  873. #endif /* CONFIG_IPV6 */
  874. default:
  875. return -1;
  876. }
  877. if (conf->force_client_addr) {
  878. switch (conf->client_addr.af) {
  879. case AF_INET:
  880. os_memset(&claddr, 0, sizeof(claddr));
  881. claddr.sin_family = AF_INET;
  882. claddr.sin_addr.s_addr = conf->client_addr.u.v4.s_addr;
  883. claddr.sin_port = htons(0);
  884. cl_addr = (struct sockaddr *) &claddr;
  885. claddrlen = sizeof(claddr);
  886. break;
  887. #ifdef CONFIG_IPV6
  888. case AF_INET6:
  889. os_memset(&claddr6, 0, sizeof(claddr6));
  890. claddr6.sin6_family = AF_INET6;
  891. os_memcpy(&claddr6.sin6_addr, &conf->client_addr.u.v6,
  892. sizeof(struct in6_addr));
  893. claddr6.sin6_port = htons(0);
  894. cl_addr = (struct sockaddr *) &claddr6;
  895. claddrlen = sizeof(claddr6);
  896. break;
  897. #endif /* CONFIG_IPV6 */
  898. default:
  899. return -1;
  900. }
  901. if (bind(sel_sock, cl_addr, claddrlen) < 0) {
  902. wpa_printf(MSG_INFO, "bind[radius]: %s",
  903. strerror(errno));
  904. return -1;
  905. }
  906. }
  907. if (connect(sel_sock, addr, addrlen) < 0) {
  908. wpa_printf(MSG_INFO, "connect[radius]: %s", strerror(errno));
  909. return -1;
  910. }
  911. #ifndef CONFIG_NATIVE_WINDOWS
  912. switch (nserv->addr.af) {
  913. case AF_INET:
  914. claddrlen = sizeof(claddr);
  915. getsockname(sel_sock, (struct sockaddr *) &claddr, &claddrlen);
  916. wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
  917. inet_ntoa(claddr.sin_addr), ntohs(claddr.sin_port));
  918. break;
  919. #ifdef CONFIG_IPV6
  920. case AF_INET6: {
  921. claddrlen = sizeof(claddr6);
  922. getsockname(sel_sock, (struct sockaddr *) &claddr6,
  923. &claddrlen);
  924. wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
  925. inet_ntop(AF_INET6, &claddr6.sin6_addr,
  926. abuf, sizeof(abuf)),
  927. ntohs(claddr6.sin6_port));
  928. break;
  929. }
  930. #endif /* CONFIG_IPV6 */
  931. }
  932. #endif /* CONFIG_NATIVE_WINDOWS */
  933. if (auth)
  934. radius->auth_sock = sel_sock;
  935. else
  936. radius->acct_sock = sel_sock;
  937. return 0;
  938. }
  939. static void radius_retry_primary_timer(void *eloop_ctx, void *timeout_ctx)
  940. {
  941. struct radius_client_data *radius = eloop_ctx;
  942. struct hostapd_radius_servers *conf = radius->conf;
  943. struct hostapd_radius_server *oserv;
  944. if (radius->auth_sock >= 0 && conf->auth_servers &&
  945. conf->auth_server != conf->auth_servers) {
  946. oserv = conf->auth_server;
  947. conf->auth_server = conf->auth_servers;
  948. radius_change_server(radius, conf->auth_server, oserv,
  949. radius->auth_serv_sock,
  950. radius->auth_serv_sock6, 1);
  951. }
  952. if (radius->acct_sock >= 0 && conf->acct_servers &&
  953. conf->acct_server != conf->acct_servers) {
  954. oserv = conf->acct_server;
  955. conf->acct_server = conf->acct_servers;
  956. radius_change_server(radius, conf->acct_server, oserv,
  957. radius->acct_serv_sock,
  958. radius->acct_serv_sock6, 0);
  959. }
  960. if (conf->retry_primary_interval)
  961. eloop_register_timeout(conf->retry_primary_interval, 0,
  962. radius_retry_primary_timer, radius,
  963. NULL);
  964. }
  965. static int radius_client_disable_pmtu_discovery(int s)
  966. {
  967. int r = -1;
  968. #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
  969. /* Turn off Path MTU discovery on IPv4/UDP sockets. */
  970. int action = IP_PMTUDISC_DONT;
  971. r = setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, &action,
  972. sizeof(action));
  973. if (r == -1)
  974. wpa_printf(MSG_ERROR, "RADIUS: Failed to set IP_MTU_DISCOVER: %s",
  975. strerror(errno));
  976. #endif
  977. return r;
  978. }
  979. static int radius_client_init_auth(struct radius_client_data *radius)
  980. {
  981. struct hostapd_radius_servers *conf = radius->conf;
  982. int ok = 0;
  983. radius->auth_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
  984. if (radius->auth_serv_sock < 0)
  985. wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET,SOCK_DGRAM]: %s",
  986. strerror(errno));
  987. else {
  988. radius_client_disable_pmtu_discovery(radius->auth_serv_sock);
  989. ok++;
  990. }
  991. #ifdef CONFIG_IPV6
  992. radius->auth_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
  993. if (radius->auth_serv_sock6 < 0)
  994. wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET6,SOCK_DGRAM]: %s",
  995. strerror(errno));
  996. else
  997. ok++;
  998. #endif /* CONFIG_IPV6 */
  999. if (ok == 0)
  1000. return -1;
  1001. radius_change_server(radius, conf->auth_server, NULL,
  1002. radius->auth_serv_sock, radius->auth_serv_sock6,
  1003. 1);
  1004. if (radius->auth_serv_sock >= 0 &&
  1005. eloop_register_read_sock(radius->auth_serv_sock,
  1006. radius_client_receive, radius,
  1007. (void *) RADIUS_AUTH)) {
  1008. wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for authentication server");
  1009. return -1;
  1010. }
  1011. #ifdef CONFIG_IPV6
  1012. if (radius->auth_serv_sock6 >= 0 &&
  1013. eloop_register_read_sock(radius->auth_serv_sock6,
  1014. radius_client_receive, radius,
  1015. (void *) RADIUS_AUTH)) {
  1016. wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for authentication server");
  1017. return -1;
  1018. }
  1019. #endif /* CONFIG_IPV6 */
  1020. return 0;
  1021. }
  1022. static int radius_client_init_acct(struct radius_client_data *radius)
  1023. {
  1024. struct hostapd_radius_servers *conf = radius->conf;
  1025. int ok = 0;
  1026. radius->acct_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
  1027. if (radius->acct_serv_sock < 0)
  1028. wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET,SOCK_DGRAM]: %s",
  1029. strerror(errno));
  1030. else {
  1031. radius_client_disable_pmtu_discovery(radius->acct_serv_sock);
  1032. ok++;
  1033. }
  1034. #ifdef CONFIG_IPV6
  1035. radius->acct_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
  1036. if (radius->acct_serv_sock6 < 0)
  1037. wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET6,SOCK_DGRAM]: %s",
  1038. strerror(errno));
  1039. else
  1040. ok++;
  1041. #endif /* CONFIG_IPV6 */
  1042. if (ok == 0)
  1043. return -1;
  1044. radius_change_server(radius, conf->acct_server, NULL,
  1045. radius->acct_serv_sock, radius->acct_serv_sock6,
  1046. 0);
  1047. if (radius->acct_serv_sock >= 0 &&
  1048. eloop_register_read_sock(radius->acct_serv_sock,
  1049. radius_client_receive, radius,
  1050. (void *) RADIUS_ACCT)) {
  1051. wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for accounting server");
  1052. return -1;
  1053. }
  1054. #ifdef CONFIG_IPV6
  1055. if (radius->acct_serv_sock6 >= 0 &&
  1056. eloop_register_read_sock(radius->acct_serv_sock6,
  1057. radius_client_receive, radius,
  1058. (void *) RADIUS_ACCT)) {
  1059. wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for accounting server");
  1060. return -1;
  1061. }
  1062. #endif /* CONFIG_IPV6 */
  1063. return 0;
  1064. }
  1065. /**
  1066. * radius_client_init - Initialize RADIUS client
  1067. * @ctx: Callback context to be used in hostapd_logger() calls
  1068. * @conf: RADIUS client configuration (RADIUS servers)
  1069. * Returns: Pointer to private RADIUS client context or %NULL on failure
  1070. *
  1071. * The caller is responsible for keeping the configuration data available for
  1072. * the lifetime of the RADIUS client, i.e., until radius_client_deinit() is
  1073. * called for the returned context pointer.
  1074. */
  1075. struct radius_client_data *
  1076. radius_client_init(void *ctx, struct hostapd_radius_servers *conf)
  1077. {
  1078. struct radius_client_data *radius;
  1079. radius = os_zalloc(sizeof(struct radius_client_data));
  1080. if (radius == NULL)
  1081. return NULL;
  1082. radius->ctx = ctx;
  1083. radius->conf = conf;
  1084. radius->auth_serv_sock = radius->acct_serv_sock =
  1085. radius->auth_serv_sock6 = radius->acct_serv_sock6 =
  1086. radius->auth_sock = radius->acct_sock = -1;
  1087. if (conf->auth_server && radius_client_init_auth(radius)) {
  1088. radius_client_deinit(radius);
  1089. return NULL;
  1090. }
  1091. if (conf->acct_server && radius_client_init_acct(radius)) {
  1092. radius_client_deinit(radius);
  1093. return NULL;
  1094. }
  1095. if (conf->retry_primary_interval)
  1096. eloop_register_timeout(conf->retry_primary_interval, 0,
  1097. radius_retry_primary_timer, radius,
  1098. NULL);
  1099. return radius;
  1100. }
  1101. /**
  1102. * radius_client_deinit - Deinitialize RADIUS client
  1103. * @radius: RADIUS client context from radius_client_init()
  1104. */
  1105. void radius_client_deinit(struct radius_client_data *radius)
  1106. {
  1107. if (!radius)
  1108. return;
  1109. if (radius->auth_serv_sock >= 0)
  1110. eloop_unregister_read_sock(radius->auth_serv_sock);
  1111. if (radius->acct_serv_sock >= 0)
  1112. eloop_unregister_read_sock(radius->acct_serv_sock);
  1113. #ifdef CONFIG_IPV6
  1114. if (radius->auth_serv_sock6 >= 0)
  1115. eloop_unregister_read_sock(radius->auth_serv_sock6);
  1116. if (radius->acct_serv_sock6 >= 0)
  1117. eloop_unregister_read_sock(radius->acct_serv_sock6);
  1118. #endif /* CONFIG_IPV6 */
  1119. eloop_cancel_timeout(radius_retry_primary_timer, radius, NULL);
  1120. radius_client_flush(radius, 0);
  1121. os_free(radius->auth_handlers);
  1122. os_free(radius->acct_handlers);
  1123. os_free(radius);
  1124. }
  1125. /**
  1126. * radius_client_flush_auth - Flush pending RADIUS messages for an address
  1127. * @radius: RADIUS client context from radius_client_init()
  1128. * @addr: MAC address of the related device
  1129. *
  1130. * This function can be used to remove pending RADIUS authentication messages
  1131. * that are related to a specific device. The addr parameter is matched with
  1132. * the one used in radius_client_send() call that was used to transmit the
  1133. * authentication request.
  1134. */
  1135. void radius_client_flush_auth(struct radius_client_data *radius,
  1136. const u8 *addr)
  1137. {
  1138. struct radius_msg_list *entry, *prev, *tmp;
  1139. prev = NULL;
  1140. entry = radius->msgs;
  1141. while (entry) {
  1142. if (entry->msg_type == RADIUS_AUTH &&
  1143. os_memcmp(entry->addr, addr, ETH_ALEN) == 0) {
  1144. hostapd_logger(radius->ctx, addr,
  1145. HOSTAPD_MODULE_RADIUS,
  1146. HOSTAPD_LEVEL_DEBUG,
  1147. "Removing pending RADIUS authentication"
  1148. " message for removed client");
  1149. if (prev)
  1150. prev->next = entry->next;
  1151. else
  1152. radius->msgs = entry->next;
  1153. tmp = entry;
  1154. entry = entry->next;
  1155. radius_client_msg_free(tmp);
  1156. radius->num_msgs--;
  1157. continue;
  1158. }
  1159. prev = entry;
  1160. entry = entry->next;
  1161. }
  1162. }
  1163. static int radius_client_dump_auth_server(char *buf, size_t buflen,
  1164. struct hostapd_radius_server *serv,
  1165. struct radius_client_data *cli)
  1166. {
  1167. int pending = 0;
  1168. struct radius_msg_list *msg;
  1169. char abuf[50];
  1170. if (cli) {
  1171. for (msg = cli->msgs; msg; msg = msg->next) {
  1172. if (msg->msg_type == RADIUS_AUTH)
  1173. pending++;
  1174. }
  1175. }
  1176. return os_snprintf(buf, buflen,
  1177. "radiusAuthServerIndex=%d\n"
  1178. "radiusAuthServerAddress=%s\n"
  1179. "radiusAuthClientServerPortNumber=%d\n"
  1180. "radiusAuthClientRoundTripTime=%d\n"
  1181. "radiusAuthClientAccessRequests=%u\n"
  1182. "radiusAuthClientAccessRetransmissions=%u\n"
  1183. "radiusAuthClientAccessAccepts=%u\n"
  1184. "radiusAuthClientAccessRejects=%u\n"
  1185. "radiusAuthClientAccessChallenges=%u\n"
  1186. "radiusAuthClientMalformedAccessResponses=%u\n"
  1187. "radiusAuthClientBadAuthenticators=%u\n"
  1188. "radiusAuthClientPendingRequests=%u\n"
  1189. "radiusAuthClientTimeouts=%u\n"
  1190. "radiusAuthClientUnknownTypes=%u\n"
  1191. "radiusAuthClientPacketsDropped=%u\n",
  1192. serv->index,
  1193. hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
  1194. serv->port,
  1195. serv->round_trip_time,
  1196. serv->requests,
  1197. serv->retransmissions,
  1198. serv->access_accepts,
  1199. serv->access_rejects,
  1200. serv->access_challenges,
  1201. serv->malformed_responses,
  1202. serv->bad_authenticators,
  1203. pending,
  1204. serv->timeouts,
  1205. serv->unknown_types,
  1206. serv->packets_dropped);
  1207. }
  1208. static int radius_client_dump_acct_server(char *buf, size_t buflen,
  1209. struct hostapd_radius_server *serv,
  1210. struct radius_client_data *cli)
  1211. {
  1212. int pending = 0;
  1213. struct radius_msg_list *msg;
  1214. char abuf[50];
  1215. if (cli) {
  1216. for (msg = cli->msgs; msg; msg = msg->next) {
  1217. if (msg->msg_type == RADIUS_ACCT ||
  1218. msg->msg_type == RADIUS_ACCT_INTERIM)
  1219. pending++;
  1220. }
  1221. }
  1222. return os_snprintf(buf, buflen,
  1223. "radiusAccServerIndex=%d\n"
  1224. "radiusAccServerAddress=%s\n"
  1225. "radiusAccClientServerPortNumber=%d\n"
  1226. "radiusAccClientRoundTripTime=%d\n"
  1227. "radiusAccClientRequests=%u\n"
  1228. "radiusAccClientRetransmissions=%u\n"
  1229. "radiusAccClientResponses=%u\n"
  1230. "radiusAccClientMalformedResponses=%u\n"
  1231. "radiusAccClientBadAuthenticators=%u\n"
  1232. "radiusAccClientPendingRequests=%u\n"
  1233. "radiusAccClientTimeouts=%u\n"
  1234. "radiusAccClientUnknownTypes=%u\n"
  1235. "radiusAccClientPacketsDropped=%u\n",
  1236. serv->index,
  1237. hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
  1238. serv->port,
  1239. serv->round_trip_time,
  1240. serv->requests,
  1241. serv->retransmissions,
  1242. serv->responses,
  1243. serv->malformed_responses,
  1244. serv->bad_authenticators,
  1245. pending,
  1246. serv->timeouts,
  1247. serv->unknown_types,
  1248. serv->packets_dropped);
  1249. }
  1250. /**
  1251. * radius_client_get_mib - Get RADIUS client MIB information
  1252. * @radius: RADIUS client context from radius_client_init()
  1253. * @buf: Buffer for returning MIB data in text format
  1254. * @buflen: Maximum buf length in octets
  1255. * Returns: Number of octets written into the buffer
  1256. */
  1257. int radius_client_get_mib(struct radius_client_data *radius, char *buf,
  1258. size_t buflen)
  1259. {
  1260. struct hostapd_radius_servers *conf = radius->conf;
  1261. int i;
  1262. struct hostapd_radius_server *serv;
  1263. int count = 0;
  1264. if (conf->auth_servers) {
  1265. for (i = 0; i < conf->num_auth_servers; i++) {
  1266. serv = &conf->auth_servers[i];
  1267. count += radius_client_dump_auth_server(
  1268. buf + count, buflen - count, serv,
  1269. serv == conf->auth_server ?
  1270. radius : NULL);
  1271. }
  1272. }
  1273. if (conf->acct_servers) {
  1274. for (i = 0; i < conf->num_acct_servers; i++) {
  1275. serv = &conf->acct_servers[i];
  1276. count += radius_client_dump_acct_server(
  1277. buf + count, buflen - count, serv,
  1278. serv == conf->acct_server ?
  1279. radius : NULL);
  1280. }
  1281. }
  1282. return count;
  1283. }
  1284. void radius_client_reconfig(struct radius_client_data *radius,
  1285. struct hostapd_radius_servers *conf)
  1286. {
  1287. if (radius)
  1288. radius->conf = conf;
  1289. }