2 * Host AP (software wireless LAN access point) user space daemon for
3 * Host AP kernel driver / IEEE 802.11 authentication (ACL)
4 * Copyright (c) 2003-2005, Jouni Malinen <jkmaline@cc.hut.fi>
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
10 * Alternatively, this software may be distributed under the terms of BSD
13 * See README and COPYING for more details.
20 #include <netinet/in.h>
21 #include <arpa/inet.h>
22 #include <sys/types.h>
23 #include <sys/socket.h>
26 #include "ieee802_11.h"
27 #include "ieee802_11_auth.h"
29 #include "radius_client.h"
31 #include "hostap_common.h"
33 #define RADIUS_ACL_TIMEOUT 30
36 struct hostapd_cached_radius_acl {
39 int accepted; /* HOSTAPD_ACL_* */
40 struct hostapd_cached_radius_acl *next;
42 u32 acct_interim_interval;
46 struct hostapd_acl_query_data {
50 u8 *auth_msg; /* IEEE 802.11 authentication frame from station */
52 struct hostapd_acl_query_data *next;
56 static void hostapd_acl_cache_free(struct hostapd_cached_radius_acl *acl_cache)
58 struct hostapd_cached_radius_acl *prev;
62 acl_cache = acl_cache->next;
68 static int hostapd_acl_cache_get(struct hostapd_data *hapd, u8 *addr,
70 u32 *acct_interim_interval)
72 struct hostapd_cached_radius_acl *entry;
76 entry = hapd->acl_cache;
79 if (memcmp(entry->addr, addr, ETH_ALEN) == 0) {
80 if (now - entry->timestamp > RADIUS_ACL_TIMEOUT)
81 return -1; /* entry has expired */
82 if (entry->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT)
83 *session_timeout = entry->session_timeout;
84 *acct_interim_interval = entry->acct_interim_interval;
85 return entry->accepted;
95 static void hostapd_acl_query_free(struct hostapd_acl_query_data *query)
99 free(query->auth_msg);
104 static int hostapd_radius_acl_query(hostapd *hapd, u8 *addr,
105 struct hostapd_acl_query_data *query)
107 struct radius_msg *msg;
110 query->radius_id = radius_client_get_id(hapd->radius);
111 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, query->radius_id);
115 radius_msg_make_authenticator(msg, addr, ETH_ALEN);
117 snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr));
118 if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf,
120 printf("Could not add User-Name\n");
124 if (!radius_msg_add_attr_user_password(
125 msg, (u8 *) buf, strlen(buf),
126 hapd->conf->radius->auth_server->shared_secret,
127 hapd->conf->radius->auth_server->shared_secret_len)) {
128 printf("Could not add User-Password\n");
132 if (hapd->conf->own_ip_addr.af == AF_INET &&
133 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
134 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) {
135 printf("Could not add NAS-IP-Address\n");
140 if (hapd->conf->own_ip_addr.af == AF_INET6 &&
141 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
142 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) {
143 printf("Could not add NAS-IPv6-Address\n");
146 #endif /* CONFIG_IPV6 */
148 if (hapd->conf->nas_identifier &&
149 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
150 (u8 *) hapd->conf->nas_identifier,
151 strlen(hapd->conf->nas_identifier))) {
152 printf("Could not add NAS-Identifier\n");
156 snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s",
157 MAC2STR(hapd->own_addr), hapd->conf->ssid);
158 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID,
159 (u8 *) buf, strlen(buf))) {
160 printf("Could not add Called-Station-Id\n");
164 snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
166 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID,
167 (u8 *) buf, strlen(buf))) {
168 printf("Could not add Calling-Station-Id\n");
172 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE,
173 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) {
174 printf("Could not add NAS-Port-Type\n");
178 snprintf(buf, sizeof(buf), "CONNECT 11Mbps 802.11b");
179 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO,
180 (u8 *) buf, strlen(buf))) {
181 printf("Could not add Connect-Info\n");
185 radius_client_send(hapd->radius, msg, RADIUS_AUTH, addr);
189 radius_msg_free(msg);
195 int hostapd_allowed_address(hostapd *hapd, u8 *addr, u8 *msg, size_t len,
196 u32 *session_timeout, u32 *acct_interim_interval)
198 *session_timeout = 0;
199 *acct_interim_interval = 0;
201 if (hostapd_maclist_found(hapd->conf->accept_mac,
202 hapd->conf->num_accept_mac, addr))
203 return HOSTAPD_ACL_ACCEPT;
205 if (hostapd_maclist_found(hapd->conf->deny_mac,
206 hapd->conf->num_deny_mac, addr))
207 return HOSTAPD_ACL_REJECT;
209 if (hapd->conf->macaddr_acl == ACCEPT_UNLESS_DENIED)
210 return HOSTAPD_ACL_ACCEPT;
211 if (hapd->conf->macaddr_acl == DENY_UNLESS_ACCEPTED)
212 return HOSTAPD_ACL_REJECT;
214 if (hapd->conf->macaddr_acl == USE_EXTERNAL_RADIUS_AUTH) {
215 struct hostapd_acl_query_data *query;
217 /* Check whether ACL cache has an entry for this station */
218 int res = hostapd_acl_cache_get(hapd, addr, session_timeout,
219 acct_interim_interval);
220 if (res == HOSTAPD_ACL_ACCEPT ||
221 res == HOSTAPD_ACL_ACCEPT_TIMEOUT)
223 if (res == HOSTAPD_ACL_REJECT)
224 return HOSTAPD_ACL_REJECT;
226 query = hapd->acl_queries;
228 if (memcmp(query->addr, addr, ETH_ALEN) == 0) {
229 /* pending query in RADIUS retransmit queue;
230 * do not generate a new one */
231 return HOSTAPD_ACL_PENDING;
236 if (!hapd->conf->radius->auth_server)
237 return HOSTAPD_ACL_REJECT;
239 /* No entry in the cache - query external RADIUS server */
240 query = malloc(sizeof(*query));
242 printf("malloc for query data failed\n");
243 return HOSTAPD_ACL_REJECT;
245 memset(query, 0, sizeof(*query));
246 time(&query->timestamp);
247 memcpy(query->addr, addr, ETH_ALEN);
248 if (hostapd_radius_acl_query(hapd, addr, query)) {
249 printf("Failed to send Access-Request for ACL "
251 hostapd_acl_query_free(query);
252 return HOSTAPD_ACL_REJECT;
255 query->auth_msg = malloc(len);
256 if (query->auth_msg == NULL) {
257 printf("Failed to allocate memory for auth frame.\n");
258 hostapd_acl_query_free(query);
259 return HOSTAPD_ACL_REJECT;
261 memcpy(query->auth_msg, msg, len);
262 query->auth_msg_len = len;
263 query->next = hapd->acl_queries;
264 hapd->acl_queries = query;
266 /* Queued data will be processed in hostapd_acl_recv_radius()
267 * when RADIUS server replies to the sent Access-Request. */
268 return HOSTAPD_ACL_PENDING;
271 return HOSTAPD_ACL_REJECT;
275 static void hostapd_acl_expire_cache(hostapd *hapd, time_t now)
277 struct hostapd_cached_radius_acl *prev, *entry, *tmp;
280 entry = hapd->acl_cache;
283 if (now - entry->timestamp > RADIUS_ACL_TIMEOUT) {
284 HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL,
285 "Cached ACL entry for " MACSTR
286 " has expired.\n", MAC2STR(entry->addr));
288 prev->next = entry->next;
290 hapd->acl_cache = entry->next;
304 static void hostapd_acl_expire_queries(hostapd *hapd, time_t now)
306 struct hostapd_acl_query_data *prev, *entry, *tmp;
309 entry = hapd->acl_queries;
312 if (now - entry->timestamp > RADIUS_ACL_TIMEOUT) {
313 HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL,
314 "ACL query for " MACSTR
315 " has expired.\n", MAC2STR(entry->addr));
317 prev->next = entry->next;
319 hapd->acl_queries = entry->next;
323 hostapd_acl_query_free(tmp);
333 static void hostapd_acl_expire(void *eloop_ctx, void *timeout_ctx)
335 hostapd *hapd = eloop_ctx;
339 hostapd_acl_expire_cache(hapd, now);
340 hostapd_acl_expire_queries(hapd, now);
342 eloop_register_timeout(10, 0, hostapd_acl_expire, hapd, NULL);
346 /* Return 0 if RADIUS message was a reply to ACL query (and was processed here)
348 static RadiusRxResult
349 hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
350 u8 *shared_secret, size_t shared_secret_len,
353 struct hostapd_data *hapd = data;
354 struct hostapd_acl_query_data *query, *prev;
355 struct hostapd_cached_radius_acl *cache;
357 query = hapd->acl_queries;
360 if (query->radius_id == msg->hdr->identifier)
366 return RADIUS_RX_UNKNOWN;
368 HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, "Found matching Access-Request "
369 "for RADIUS message (id=%d)\n", query->radius_id);
371 if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) {
372 printf("Incoming RADIUS packet did not have correct "
373 "authenticator - dropped\n");
374 return RADIUS_RX_INVALID_AUTHENTICATOR;
377 if (msg->hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
378 msg->hdr->code != RADIUS_CODE_ACCESS_REJECT) {
379 printf("Unknown RADIUS message code %d to ACL query\n",
381 return RADIUS_RX_UNKNOWN;
384 /* Insert Accept/Reject info into ACL cache */
385 cache = malloc(sizeof(*cache));
387 printf("Failed to add ACL cache entry\n");
390 memset(cache, 0, sizeof(*cache));
391 time(&cache->timestamp);
392 memcpy(cache->addr, query->addr, sizeof(cache->addr));
393 if (msg->hdr->code == RADIUS_CODE_ACCESS_ACCEPT) {
394 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT,
395 &cache->session_timeout) == 0)
396 cache->accepted = HOSTAPD_ACL_ACCEPT_TIMEOUT;
398 cache->accepted = HOSTAPD_ACL_ACCEPT;
400 if (radius_msg_get_attr_int32(
401 msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,
402 &cache->acct_interim_interval) == 0 &&
403 cache->acct_interim_interval < 60) {
404 HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, "Ignored too "
405 "small Acct-Interim-Interval %d for "
407 cache->acct_interim_interval,
408 MAC2STR(query->addr));
409 cache->acct_interim_interval = 0;
412 cache->accepted = HOSTAPD_ACL_REJECT;
413 cache->next = hapd->acl_cache;
414 hapd->acl_cache = cache;
416 /* Re-send original authentication frame for 802.11 processing */
417 HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, "Re-sending authentication frame "
418 "after successful RADIUS ACL query\n");
419 ieee802_11_mgmt(hapd, query->auth_msg, query->auth_msg_len,
424 hapd->acl_queries = query->next;
426 prev->next = query->next;
428 hostapd_acl_query_free(query);
430 return RADIUS_RX_PROCESSED;
434 int hostapd_acl_init(hostapd *hapd)
436 if (radius_client_register(hapd->radius, RADIUS_AUTH,
437 hostapd_acl_recv_radius, hapd))
440 eloop_register_timeout(10, 0, hostapd_acl_expire, hapd, NULL);
446 void hostapd_acl_deinit(hostapd *hapd)
448 struct hostapd_acl_query_data *query, *prev;
450 hostapd_acl_cache_free(hapd->acl_cache);
452 query = hapd->acl_queries;
456 hostapd_acl_query_free(prev);