3 * Copyright (c) 2002-2015, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
13 #include "radius_client.h"
16 /* Defaults for RADIUS retransmit values (exponential backoff) */
19 * RADIUS_CLIENT_FIRST_WAIT - RADIUS client timeout for first retry in seconds
21 #define RADIUS_CLIENT_FIRST_WAIT 3
24 * RADIUS_CLIENT_MAX_WAIT - RADIUS client maximum retry timeout in seconds
26 #define RADIUS_CLIENT_MAX_WAIT 120
29 * RADIUS_CLIENT_MAX_RETRIES - RADIUS client maximum retries
31 * Maximum number of retransmit attempts before the entry is removed from
34 #define RADIUS_CLIENT_MAX_RETRIES 10
37 * RADIUS_CLIENT_MAX_ENTRIES - RADIUS client maximum pending messages
39 * Maximum number of entries in retransmit list (oldest entries will be
40 * removed, if this limit is exceeded).
42 #define RADIUS_CLIENT_MAX_ENTRIES 30
45 * RADIUS_CLIENT_NUM_FAILOVER - RADIUS client failover point
47 * The number of failed retry attempts after which the RADIUS server will be
48 * changed (if one of more backup servers are configured).
50 #define RADIUS_CLIENT_NUM_FAILOVER 4
54 * struct radius_rx_handler - RADIUS client RX handler
56 * This data structure is used internally inside the RADIUS client module to
57 * store registered RX handlers. These handlers are registered by calls to
58 * radius_client_register() and unregistered when the RADIUS client is
59 * deinitialized with a call to radius_client_deinit().
61 struct radius_rx_handler {
63 * handler - Received RADIUS message handler
65 RadiusRxResult (*handler)(struct radius_msg *msg,
66 struct radius_msg *req,
67 const u8 *shared_secret,
68 size_t shared_secret_len,
72 * data - Context data for the handler
79 * struct radius_msg_list - RADIUS client message retransmit list
81 * This data structure is used internally inside the RADIUS client module to
82 * store pending RADIUS requests that may still need to be retransmitted.
84 struct radius_msg_list {
86 * addr - STA/client address
88 * This is used to find RADIUS messages for the same STA.
93 * msg - RADIUS message
95 struct radius_msg *msg;
98 * msg_type - Message type
103 * first_try - Time of the first transmission attempt
108 * next_try - Time for the next transmission attempt
113 * attempts - Number of transmission attempts
118 * next_wait - Next retransmission wait time in seconds
123 * last_attempt - Time of the last transmission attempt
125 struct os_reltime last_attempt;
128 * shared_secret - Shared secret with the target RADIUS server
130 const u8 *shared_secret;
133 * shared_secret_len - shared_secret length in octets
135 size_t shared_secret_len;
137 /* TODO: server config with failover to backup server(s) */
140 * next - Next message in the list
142 struct radius_msg_list *next;
147 * struct radius_client_data - Internal RADIUS client data
149 * This data structure is used internally inside the RADIUS client module.
150 * External users allocate this by calling radius_client_init() and free it by
151 * calling radius_client_deinit(). The pointer to this opaque data is used in
152 * calls to other functions as an identifier for the RADIUS client instance.
154 struct radius_client_data {
156 * ctx - Context pointer for hostapd_logger() callbacks
161 * conf - RADIUS client configuration (list of RADIUS servers to use)
163 struct hostapd_radius_servers *conf;
166 * auth_serv_sock - IPv4 socket for RADIUS authentication messages
171 * acct_serv_sock - IPv4 socket for RADIUS accounting messages
176 * auth_serv_sock6 - IPv6 socket for RADIUS authentication messages
181 * acct_serv_sock6 - IPv6 socket for RADIUS accounting messages
186 * auth_sock - Currently used socket for RADIUS authentication server
191 * acct_sock - Currently used socket for RADIUS accounting server
196 * auth_handlers - Authentication message handlers
198 struct radius_rx_handler *auth_handlers;
201 * num_auth_handlers - Number of handlers in auth_handlers
203 size_t num_auth_handlers;
206 * acct_handlers - Accounting message handlers
208 struct radius_rx_handler *acct_handlers;
211 * num_acct_handlers - Number of handlers in acct_handlers
213 size_t num_acct_handlers;
216 * msgs - Pending outgoing RADIUS messages
218 struct radius_msg_list *msgs;
221 * num_msgs - Number of pending messages in the msgs list
226 * next_radius_identifier - Next RADIUS message identifier to use
228 u8 next_radius_identifier;
233 radius_change_server(struct radius_client_data *radius,
234 struct hostapd_radius_server *nserv,
235 struct hostapd_radius_server *oserv,
236 int sock, int sock6, int auth);
237 static int radius_client_init_acct(struct radius_client_data *radius);
238 static int radius_client_init_auth(struct radius_client_data *radius);
239 static void radius_client_auth_failover(struct radius_client_data *radius);
240 static void radius_client_acct_failover(struct radius_client_data *radius);
243 static void radius_client_msg_free(struct radius_msg_list *req)
245 radius_msg_free(req->msg);
251 * radius_client_register - Register a RADIUS client RX handler
252 * @radius: RADIUS client context from radius_client_init()
253 * @msg_type: RADIUS client type (RADIUS_AUTH or RADIUS_ACCT)
254 * @handler: Handler for received RADIUS messages
255 * @data: Context pointer for handler callbacks
256 * Returns: 0 on success, -1 on failure
258 * This function is used to register a handler for processing received RADIUS
259 * authentication and accounting messages. The handler() callback function will
260 * be called whenever a RADIUS message is received from the active server.
262 * There can be multiple registered RADIUS message handlers. The handlers will
263 * be called in order until one of them indicates that it has processed or
264 * queued the message.
266 int radius_client_register(struct radius_client_data *radius,
268 RadiusRxResult (*handler)(struct radius_msg *msg,
269 struct radius_msg *req,
270 const u8 *shared_secret,
271 size_t shared_secret_len,
275 struct radius_rx_handler **handlers, *newh;
278 if (msg_type == RADIUS_ACCT) {
279 handlers = &radius->acct_handlers;
280 num = &radius->num_acct_handlers;
282 handlers = &radius->auth_handlers;
283 num = &radius->num_auth_handlers;
286 newh = os_realloc_array(*handlers, *num + 1,
287 sizeof(struct radius_rx_handler));
291 newh[*num].handler = handler;
292 newh[*num].data = data;
301 * Returns >0 if message queue was flushed (i.e., the message that triggered
302 * the error is not available anymore)
304 static int radius_client_handle_send_error(struct radius_client_data *radius,
305 int s, RadiusType msg_type)
307 #ifndef CONFIG_NATIVE_WINDOWS
309 wpa_printf(MSG_INFO, "send[RADIUS,s=%d]: %s", s, strerror(errno));
310 if (_errno == ENOTCONN || _errno == EDESTADDRREQ || _errno == EINVAL ||
311 _errno == EBADF || _errno == ENETUNREACH) {
312 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
314 "Send failed - maybe interface status changed -"
315 " try to connect again");
316 if (msg_type == RADIUS_ACCT ||
317 msg_type == RADIUS_ACCT_INTERIM) {
318 radius_client_init_acct(radius);
321 radius_client_init_auth(radius);
325 #endif /* CONFIG_NATIVE_WINDOWS */
331 static int radius_client_retransmit(struct radius_client_data *radius,
332 struct radius_msg_list *entry,
335 struct hostapd_radius_servers *conf = radius->conf;
338 size_t prev_num_msgs;
340 if (entry->msg_type == RADIUS_ACCT ||
341 entry->msg_type == RADIUS_ACCT_INTERIM) {
342 if (radius->acct_sock < 0)
343 radius_client_init_acct(radius);
344 if (radius->acct_sock < 0 && conf->num_acct_servers > 1) {
345 prev_num_msgs = radius->num_msgs;
346 radius_client_acct_failover(radius);
347 if (prev_num_msgs != radius->num_msgs)
350 s = radius->acct_sock;
351 if (entry->attempts == 0)
352 conf->acct_server->requests++;
354 conf->acct_server->timeouts++;
355 conf->acct_server->retransmissions++;
358 if (radius->auth_sock < 0)
359 radius_client_init_auth(radius);
360 if (radius->auth_sock < 0 && conf->num_auth_servers > 1) {
361 prev_num_msgs = radius->num_msgs;
362 radius_client_auth_failover(radius);
363 if (prev_num_msgs != radius->num_msgs)
366 s = radius->auth_sock;
367 if (entry->attempts == 0)
368 conf->auth_server->requests++;
370 conf->auth_server->timeouts++;
371 conf->auth_server->retransmissions++;
376 "RADIUS: No valid socket for retransmission");
380 /* retransmit; remove entry if too many attempts */
382 hostapd_logger(radius->ctx, entry->addr, HOSTAPD_MODULE_RADIUS,
383 HOSTAPD_LEVEL_DEBUG, "Resending RADIUS message (id=%d)",
384 radius_msg_get_hdr(entry->msg)->identifier);
386 os_get_reltime(&entry->last_attempt);
387 buf = radius_msg_get_buf(entry->msg);
388 if (send(s, wpabuf_head(buf), wpabuf_len(buf), 0) < 0) {
389 if (radius_client_handle_send_error(radius, s, entry->msg_type)
394 entry->next_try = now + entry->next_wait;
395 entry->next_wait *= 2;
396 if (entry->next_wait > RADIUS_CLIENT_MAX_WAIT)
397 entry->next_wait = RADIUS_CLIENT_MAX_WAIT;
398 if (entry->attempts >= RADIUS_CLIENT_MAX_RETRIES) {
399 wpa_printf(MSG_INFO, "RADIUS: Removing un-ACKed message due to too many failed retransmit attempts");
407 static void radius_client_timer(void *eloop_ctx, void *timeout_ctx)
409 struct radius_client_data *radius = eloop_ctx;
410 struct hostapd_radius_servers *conf = radius->conf;
411 struct os_reltime now;
413 struct radius_msg_list *entry, *prev, *tmp;
414 int auth_failover = 0, acct_failover = 0;
415 size_t prev_num_msgs;
418 entry = radius->msgs;
422 os_get_reltime(&now);
427 prev_num_msgs = radius->num_msgs;
428 if (now.sec >= entry->next_try &&
429 radius_client_retransmit(radius, entry, now.sec)) {
431 prev->next = entry->next;
433 radius->msgs = entry->next;
437 radius_client_msg_free(tmp);
442 if (prev_num_msgs != radius->num_msgs) {
443 wpa_printf(MSG_DEBUG,
444 "RADIUS: Message removed from queue - restart from beginning");
445 entry = radius->msgs;
450 s = entry->msg_type == RADIUS_AUTH ? radius->auth_sock :
452 if (entry->attempts > RADIUS_CLIENT_NUM_FAILOVER ||
453 (s < 0 && entry->attempts > 0)) {
454 if (entry->msg_type == RADIUS_ACCT ||
455 entry->msg_type == RADIUS_ACCT_INTERIM)
461 if (first == 0 || entry->next_try < first)
462 first = entry->next_try;
471 eloop_register_timeout(first - now.sec, 0,
472 radius_client_timer, radius, NULL);
473 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
474 HOSTAPD_LEVEL_DEBUG, "Next RADIUS client "
475 "retransmit in %ld seconds",
476 (long int) (first - now.sec));
479 if (auth_failover && conf->num_auth_servers > 1)
480 radius_client_auth_failover(radius);
482 if (acct_failover && conf->num_acct_servers > 1)
483 radius_client_acct_failover(radius);
487 static void radius_client_auth_failover(struct radius_client_data *radius)
489 struct hostapd_radius_servers *conf = radius->conf;
490 struct hostapd_radius_server *next, *old;
491 struct radius_msg_list *entry;
494 old = conf->auth_server;
495 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
496 HOSTAPD_LEVEL_NOTICE,
497 "No response from Authentication server %s:%d - failover",
498 hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
501 for (entry = radius->msgs; entry; entry = entry->next) {
502 if (entry->msg_type == RADIUS_AUTH)
507 if (next > &(conf->auth_servers[conf->num_auth_servers - 1]))
508 next = conf->auth_servers;
509 conf->auth_server = next;
510 radius_change_server(radius, next, old,
511 radius->auth_serv_sock,
512 radius->auth_serv_sock6, 1);
516 static void radius_client_acct_failover(struct radius_client_data *radius)
518 struct hostapd_radius_servers *conf = radius->conf;
519 struct hostapd_radius_server *next, *old;
520 struct radius_msg_list *entry;
523 old = conf->acct_server;
524 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
525 HOSTAPD_LEVEL_NOTICE,
526 "No response from Accounting server %s:%d - failover",
527 hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
530 for (entry = radius->msgs; entry; entry = entry->next) {
531 if (entry->msg_type == RADIUS_ACCT ||
532 entry->msg_type == RADIUS_ACCT_INTERIM)
537 if (next > &conf->acct_servers[conf->num_acct_servers - 1])
538 next = conf->acct_servers;
539 conf->acct_server = next;
540 radius_change_server(radius, next, old,
541 radius->acct_serv_sock,
542 radius->acct_serv_sock6, 0);
546 static void radius_client_update_timeout(struct radius_client_data *radius)
548 struct os_reltime now;
550 struct radius_msg_list *entry;
552 eloop_cancel_timeout(radius_client_timer, radius, NULL);
554 if (radius->msgs == NULL) {
559 for (entry = radius->msgs; entry; entry = entry->next) {
560 if (first == 0 || entry->next_try < first)
561 first = entry->next_try;
564 os_get_reltime(&now);
567 eloop_register_timeout(first - now.sec, 0, radius_client_timer, radius,
569 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
570 HOSTAPD_LEVEL_DEBUG, "Next RADIUS client retransmit in"
571 " %ld seconds", (long int) (first - now.sec));
575 static void radius_client_list_add(struct radius_client_data *radius,
576 struct radius_msg *msg,
578 const u8 *shared_secret,
579 size_t shared_secret_len, const u8 *addr)
581 struct radius_msg_list *entry, *prev;
583 if (eloop_terminated()) {
584 /* No point in adding entries to retransmit queue since event
585 * loop has already been terminated. */
586 radius_msg_free(msg);
590 entry = os_zalloc(sizeof(*entry));
592 wpa_printf(MSG_INFO, "RADIUS: Failed to add packet into retransmit list");
593 radius_msg_free(msg);
598 os_memcpy(entry->addr, addr, ETH_ALEN);
600 entry->msg_type = msg_type;
601 entry->shared_secret = shared_secret;
602 entry->shared_secret_len = shared_secret_len;
603 os_get_reltime(&entry->last_attempt);
604 entry->first_try = entry->last_attempt.sec;
605 entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
607 entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
608 entry->next = radius->msgs;
609 radius->msgs = entry;
610 radius_client_update_timeout(radius);
612 if (radius->num_msgs >= RADIUS_CLIENT_MAX_ENTRIES) {
613 wpa_printf(MSG_INFO, "RADIUS: Removing the oldest un-ACKed packet due to retransmit list limits");
615 while (entry->next) {
621 radius_client_msg_free(entry);
628 static void radius_client_list_del(struct radius_client_data *radius,
629 RadiusType msg_type, const u8 *addr)
631 struct radius_msg_list *entry, *prev, *tmp;
636 entry = radius->msgs;
639 if (entry->msg_type == msg_type &&
640 os_memcmp(entry->addr, addr, ETH_ALEN) == 0) {
642 prev->next = entry->next;
644 radius->msgs = entry->next;
647 hostapd_logger(radius->ctx, addr,
648 HOSTAPD_MODULE_RADIUS,
650 "Removing matching RADIUS message");
651 radius_client_msg_free(tmp);
662 * radius_client_send - Send a RADIUS request
663 * @radius: RADIUS client context from radius_client_init()
664 * @msg: RADIUS message to be sent
665 * @msg_type: Message type (RADIUS_AUTH, RADIUS_ACCT, RADIUS_ACCT_INTERIM)
666 * @addr: MAC address of the device related to this message or %NULL
667 * Returns: 0 on success, -1 on failure
669 * This function is used to transmit a RADIUS authentication (RADIUS_AUTH) or
670 * accounting request (RADIUS_ACCT or RADIUS_ACCT_INTERIM). The only difference
671 * between accounting and interim accounting messages is that the interim
672 * message will override any pending interim accounting updates while a new
673 * accounting message does not remove any pending messages.
675 * The message is added on the retransmission queue and will be retransmitted
676 * automatically until a response is received or maximum number of retries
677 * (RADIUS_CLIENT_MAX_RETRIES) is reached.
679 * The related device MAC address can be used to identify pending messages that
680 * can be removed with radius_client_flush_auth() or with interim accounting
683 int radius_client_send(struct radius_client_data *radius,
684 struct radius_msg *msg, RadiusType msg_type,
687 struct hostapd_radius_servers *conf = radius->conf;
688 const u8 *shared_secret;
689 size_t shared_secret_len;
694 if (msg_type == RADIUS_ACCT_INTERIM) {
695 /* Remove any pending interim acct update for the same STA. */
696 radius_client_list_del(radius, msg_type, addr);
699 if (msg_type == RADIUS_ACCT || msg_type == RADIUS_ACCT_INTERIM) {
700 if (conf->acct_server && radius->acct_sock < 0)
701 radius_client_init_acct(radius);
703 if (conf->acct_server == NULL || radius->acct_sock < 0 ||
704 conf->acct_server->shared_secret == NULL) {
705 hostapd_logger(radius->ctx, NULL,
706 HOSTAPD_MODULE_RADIUS,
708 "No accounting server configured");
711 shared_secret = conf->acct_server->shared_secret;
712 shared_secret_len = conf->acct_server->shared_secret_len;
713 radius_msg_finish_acct(msg, shared_secret, shared_secret_len);
715 s = radius->acct_sock;
716 conf->acct_server->requests++;
718 if (conf->auth_server && radius->auth_sock < 0)
719 radius_client_init_auth(radius);
721 if (conf->auth_server == NULL || radius->auth_sock < 0 ||
722 conf->auth_server->shared_secret == NULL) {
723 hostapd_logger(radius->ctx, NULL,
724 HOSTAPD_MODULE_RADIUS,
726 "No authentication server configured");
729 shared_secret = conf->auth_server->shared_secret;
730 shared_secret_len = conf->auth_server->shared_secret_len;
731 radius_msg_finish(msg, shared_secret, shared_secret_len);
732 name = "authentication";
733 s = radius->auth_sock;
734 conf->auth_server->requests++;
737 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
738 HOSTAPD_LEVEL_DEBUG, "Sending RADIUS message to %s "
741 radius_msg_dump(msg);
743 buf = radius_msg_get_buf(msg);
744 res = send(s, wpabuf_head(buf), wpabuf_len(buf), 0);
746 radius_client_handle_send_error(radius, s, msg_type);
748 radius_client_list_add(radius, msg, msg_type, shared_secret,
749 shared_secret_len, addr);
755 static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
757 struct radius_client_data *radius = eloop_ctx;
758 struct hostapd_radius_servers *conf = radius->conf;
759 RadiusType msg_type = (RadiusType) sock_ctx;
761 unsigned char buf[3000];
762 struct radius_msg *msg;
763 struct radius_hdr *hdr;
764 struct radius_rx_handler *handlers;
765 size_t num_handlers, i;
766 struct radius_msg_list *req, *prev_req;
767 struct os_reltime now;
768 struct hostapd_radius_server *rconf;
769 int invalid_authenticator = 0;
771 if (msg_type == RADIUS_ACCT) {
772 handlers = radius->acct_handlers;
773 num_handlers = radius->num_acct_handlers;
774 rconf = conf->acct_server;
776 handlers = radius->auth_handlers;
777 num_handlers = radius->num_auth_handlers;
778 rconf = conf->auth_server;
781 len = recv(sock, buf, sizeof(buf), MSG_DONTWAIT);
783 wpa_printf(MSG_INFO, "recv[RADIUS]: %s", strerror(errno));
786 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
787 HOSTAPD_LEVEL_DEBUG, "Received %d bytes from RADIUS "
789 if (len == sizeof(buf)) {
790 wpa_printf(MSG_INFO, "RADIUS: Possibly too long UDP frame for our buffer - dropping it");
794 msg = radius_msg_parse(buf, len);
796 wpa_printf(MSG_INFO, "RADIUS: Parsing incoming frame failed");
797 rconf->malformed_responses++;
800 hdr = radius_msg_get_hdr(msg);
802 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
803 HOSTAPD_LEVEL_DEBUG, "Received RADIUS message");
805 radius_msg_dump(msg);
808 case RADIUS_CODE_ACCESS_ACCEPT:
809 rconf->access_accepts++;
811 case RADIUS_CODE_ACCESS_REJECT:
812 rconf->access_rejects++;
814 case RADIUS_CODE_ACCESS_CHALLENGE:
815 rconf->access_challenges++;
817 case RADIUS_CODE_ACCOUNTING_RESPONSE:
825 /* TODO: also match by src addr:port of the packet when using
826 * alternative RADIUS servers (?) */
827 if ((req->msg_type == msg_type ||
828 (req->msg_type == RADIUS_ACCT_INTERIM &&
829 msg_type == RADIUS_ACCT)) &&
830 radius_msg_get_hdr(req->msg)->identifier ==
839 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
841 "No matching RADIUS request found (type=%d "
842 "id=%d) - dropping packet",
843 msg_type, hdr->identifier);
847 os_get_reltime(&now);
848 roundtrip = (now.sec - req->last_attempt.sec) * 100 +
849 (now.usec - req->last_attempt.usec) / 10000;
850 hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
852 "Received RADIUS packet matched with a pending "
853 "request, round trip time %d.%02d sec",
854 roundtrip / 100, roundtrip % 100);
855 rconf->round_trip_time = roundtrip;
857 /* Remove ACKed RADIUS packet from retransmit list */
859 prev_req->next = req->next;
861 radius->msgs = req->next;
864 for (i = 0; i < num_handlers; i++) {
866 res = handlers[i].handler(msg, req->msg, req->shared_secret,
867 req->shared_secret_len,
870 case RADIUS_RX_PROCESSED:
871 radius_msg_free(msg);
873 case RADIUS_RX_QUEUED:
874 radius_client_msg_free(req);
876 case RADIUS_RX_INVALID_AUTHENTICATOR:
877 invalid_authenticator++;
879 case RADIUS_RX_UNKNOWN:
880 /* continue with next handler */
885 if (invalid_authenticator)
886 rconf->bad_authenticators++;
888 rconf->unknown_types++;
889 hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
890 HOSTAPD_LEVEL_DEBUG, "No RADIUS RX handler found "
891 "(type=%d code=%d id=%d)%s - dropping packet",
892 msg_type, hdr->code, hdr->identifier,
893 invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
895 radius_client_msg_free(req);
898 radius_msg_free(msg);
903 * radius_client_get_id - Get an identifier for a new RADIUS message
904 * @radius: RADIUS client context from radius_client_init()
905 * Returns: Allocated identifier
907 * This function is used to fetch a unique (among pending requests) identifier
908 * for a new RADIUS message.
910 u8 radius_client_get_id(struct radius_client_data *radius)
912 struct radius_msg_list *entry, *prev, *_remove;
913 u8 id = radius->next_radius_identifier++;
915 /* remove entries with matching id from retransmit list to avoid
916 * using new reply from the RADIUS server with an old request */
917 entry = radius->msgs;
920 if (radius_msg_get_hdr(entry->msg)->identifier == id) {
921 hostapd_logger(radius->ctx, entry->addr,
922 HOSTAPD_MODULE_RADIUS,
924 "Removing pending RADIUS message, "
925 "since its id (%d) is reused", id);
927 prev->next = entry->next;
929 radius->msgs = entry->next;
938 radius_client_msg_free(_remove);
946 * radius_client_flush - Flush all pending RADIUS client messages
947 * @radius: RADIUS client context from radius_client_init()
948 * @only_auth: Whether only authentication messages are removed
950 void radius_client_flush(struct radius_client_data *radius, int only_auth)
952 struct radius_msg_list *entry, *prev, *tmp;
958 entry = radius->msgs;
961 if (!only_auth || entry->msg_type == RADIUS_AUTH) {
963 prev->next = entry->next;
965 radius->msgs = entry->next;
969 radius_client_msg_free(tmp);
977 if (radius->msgs == NULL)
978 eloop_cancel_timeout(radius_client_timer, radius, NULL);
982 static void radius_client_update_acct_msgs(struct radius_client_data *radius,
983 const u8 *shared_secret,
984 size_t shared_secret_len)
986 struct radius_msg_list *entry;
991 for (entry = radius->msgs; entry; entry = entry->next) {
992 if (entry->msg_type == RADIUS_ACCT) {
993 entry->shared_secret = shared_secret;
994 entry->shared_secret_len = shared_secret_len;
995 radius_msg_finish_acct(entry->msg, shared_secret,
1003 radius_change_server(struct radius_client_data *radius,
1004 struct hostapd_radius_server *nserv,
1005 struct hostapd_radius_server *oserv,
1006 int sock, int sock6, int auth)
1008 struct sockaddr_in serv, claddr;
1010 struct sockaddr_in6 serv6, claddr6;
1011 #endif /* CONFIG_IPV6 */
1012 struct sockaddr *addr, *cl_addr;
1013 socklen_t addrlen, claddrlen;
1016 struct radius_msg_list *entry;
1017 struct hostapd_radius_servers *conf = radius->conf;
1019 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
1022 auth ? "Authentication" : "Accounting",
1023 hostapd_ip_txt(&nserv->addr, abuf, sizeof(abuf)),
1026 if (oserv && oserv != nserv &&
1027 (nserv->shared_secret_len != oserv->shared_secret_len ||
1028 os_memcmp(nserv->shared_secret, oserv->shared_secret,
1029 nserv->shared_secret_len) != 0)) {
1030 /* Pending RADIUS packets used different shared secret, so
1031 * they need to be modified. Update accounting message
1032 * authenticators here. Authentication messages are removed
1033 * since they would require more changes and the new RADIUS
1034 * server may not be prepared to receive them anyway due to
1035 * missing state information. Client will likely retry
1036 * authentication, so this should not be an issue. */
1038 radius_client_flush(radius, 1);
1040 radius_client_update_acct_msgs(
1041 radius, nserv->shared_secret,
1042 nserv->shared_secret_len);
1046 /* Reset retry counters for the new server */
1047 for (entry = radius->msgs; oserv && oserv != nserv && entry;
1048 entry = entry->next) {
1049 if ((auth && entry->msg_type != RADIUS_AUTH) ||
1050 (!auth && entry->msg_type != RADIUS_ACCT))
1052 entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
1053 entry->attempts = 0;
1054 entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
1058 eloop_cancel_timeout(radius_client_timer, radius, NULL);
1059 eloop_register_timeout(RADIUS_CLIENT_FIRST_WAIT, 0,
1060 radius_client_timer, radius, NULL);
1063 switch (nserv->addr.af) {
1065 os_memset(&serv, 0, sizeof(serv));
1066 serv.sin_family = AF_INET;
1067 serv.sin_addr.s_addr = nserv->addr.u.v4.s_addr;
1068 serv.sin_port = htons(nserv->port);
1069 addr = (struct sockaddr *) &serv;
1070 addrlen = sizeof(serv);
1075 os_memset(&serv6, 0, sizeof(serv6));
1076 serv6.sin6_family = AF_INET6;
1077 os_memcpy(&serv6.sin6_addr, &nserv->addr.u.v6,
1078 sizeof(struct in6_addr));
1079 serv6.sin6_port = htons(nserv->port);
1080 addr = (struct sockaddr *) &serv6;
1081 addrlen = sizeof(serv6);
1084 #endif /* CONFIG_IPV6 */
1090 wpa_printf(MSG_INFO,
1091 "RADIUS: No server socket available (af=%d sock=%d sock6=%d auth=%d",
1092 nserv->addr.af, sock, sock6, auth);
1096 if (conf->force_client_addr) {
1097 switch (conf->client_addr.af) {
1099 os_memset(&claddr, 0, sizeof(claddr));
1100 claddr.sin_family = AF_INET;
1101 claddr.sin_addr.s_addr = conf->client_addr.u.v4.s_addr;
1102 claddr.sin_port = htons(0);
1103 cl_addr = (struct sockaddr *) &claddr;
1104 claddrlen = sizeof(claddr);
1108 os_memset(&claddr6, 0, sizeof(claddr6));
1109 claddr6.sin6_family = AF_INET6;
1110 os_memcpy(&claddr6.sin6_addr, &conf->client_addr.u.v6,
1111 sizeof(struct in6_addr));
1112 claddr6.sin6_port = htons(0);
1113 cl_addr = (struct sockaddr *) &claddr6;
1114 claddrlen = sizeof(claddr6);
1116 #endif /* CONFIG_IPV6 */
1121 if (bind(sel_sock, cl_addr, claddrlen) < 0) {
1122 wpa_printf(MSG_INFO, "bind[radius]: %s",
1128 if (connect(sel_sock, addr, addrlen) < 0) {
1129 wpa_printf(MSG_INFO, "connect[radius]: %s", strerror(errno));
1133 #ifndef CONFIG_NATIVE_WINDOWS
1134 switch (nserv->addr.af) {
1136 claddrlen = sizeof(claddr);
1137 if (getsockname(sel_sock, (struct sockaddr *) &claddr,
1139 wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
1140 inet_ntoa(claddr.sin_addr),
1141 ntohs(claddr.sin_port));
1146 claddrlen = sizeof(claddr6);
1147 if (getsockname(sel_sock, (struct sockaddr *) &claddr6,
1149 wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
1150 inet_ntop(AF_INET6, &claddr6.sin6_addr,
1151 abuf, sizeof(abuf)),
1152 ntohs(claddr6.sin6_port));
1156 #endif /* CONFIG_IPV6 */
1158 #endif /* CONFIG_NATIVE_WINDOWS */
1161 radius->auth_sock = sel_sock;
1163 radius->acct_sock = sel_sock;
1169 static void radius_retry_primary_timer(void *eloop_ctx, void *timeout_ctx)
1171 struct radius_client_data *radius = eloop_ctx;
1172 struct hostapd_radius_servers *conf = radius->conf;
1173 struct hostapd_radius_server *oserv;
1175 if (radius->auth_sock >= 0 && conf->auth_servers &&
1176 conf->auth_server != conf->auth_servers) {
1177 oserv = conf->auth_server;
1178 conf->auth_server = conf->auth_servers;
1179 if (radius_change_server(radius, conf->auth_server, oserv,
1180 radius->auth_serv_sock,
1181 radius->auth_serv_sock6, 1) < 0) {
1182 conf->auth_server = oserv;
1183 radius_change_server(radius, oserv, conf->auth_server,
1184 radius->auth_serv_sock,
1185 radius->auth_serv_sock6, 1);
1189 if (radius->acct_sock >= 0 && conf->acct_servers &&
1190 conf->acct_server != conf->acct_servers) {
1191 oserv = conf->acct_server;
1192 conf->acct_server = conf->acct_servers;
1193 if (radius_change_server(radius, conf->acct_server, oserv,
1194 radius->acct_serv_sock,
1195 radius->acct_serv_sock6, 0) < 0) {
1196 conf->acct_server = oserv;
1197 radius_change_server(radius, oserv, conf->acct_server,
1198 radius->acct_serv_sock,
1199 radius->acct_serv_sock6, 0);
1203 if (conf->retry_primary_interval)
1204 eloop_register_timeout(conf->retry_primary_interval, 0,
1205 radius_retry_primary_timer, radius,
1210 static int radius_client_disable_pmtu_discovery(int s)
1213 #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
1214 /* Turn off Path MTU discovery on IPv4/UDP sockets. */
1215 int action = IP_PMTUDISC_DONT;
1216 r = setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, &action,
1219 wpa_printf(MSG_ERROR, "RADIUS: Failed to set IP_MTU_DISCOVER: %s",
1226 static void radius_close_auth_sockets(struct radius_client_data *radius)
1228 radius->auth_sock = -1;
1230 if (radius->auth_serv_sock >= 0) {
1231 eloop_unregister_read_sock(radius->auth_serv_sock);
1232 close(radius->auth_serv_sock);
1233 radius->auth_serv_sock = -1;
1236 if (radius->auth_serv_sock6 >= 0) {
1237 eloop_unregister_read_sock(radius->auth_serv_sock6);
1238 close(radius->auth_serv_sock6);
1239 radius->auth_serv_sock6 = -1;
1241 #endif /* CONFIG_IPV6 */
1245 static void radius_close_acct_sockets(struct radius_client_data *radius)
1247 radius->acct_sock = -1;
1249 if (radius->acct_serv_sock >= 0) {
1250 eloop_unregister_read_sock(radius->acct_serv_sock);
1251 close(radius->acct_serv_sock);
1252 radius->acct_serv_sock = -1;
1255 if (radius->acct_serv_sock6 >= 0) {
1256 eloop_unregister_read_sock(radius->acct_serv_sock6);
1257 close(radius->acct_serv_sock6);
1258 radius->acct_serv_sock6 = -1;
1260 #endif /* CONFIG_IPV6 */
1264 static int radius_client_init_auth(struct radius_client_data *radius)
1266 struct hostapd_radius_servers *conf = radius->conf;
1269 radius_close_auth_sockets(radius);
1271 radius->auth_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
1272 if (radius->auth_serv_sock < 0)
1273 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET,SOCK_DGRAM]: %s",
1276 radius_client_disable_pmtu_discovery(radius->auth_serv_sock);
1281 radius->auth_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
1282 if (radius->auth_serv_sock6 < 0)
1283 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET6,SOCK_DGRAM]: %s",
1287 #endif /* CONFIG_IPV6 */
1292 radius_change_server(radius, conf->auth_server, NULL,
1293 radius->auth_serv_sock, radius->auth_serv_sock6,
1296 if (radius->auth_serv_sock >= 0 &&
1297 eloop_register_read_sock(radius->auth_serv_sock,
1298 radius_client_receive, radius,
1299 (void *) RADIUS_AUTH)) {
1300 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for authentication server");
1301 radius_close_auth_sockets(radius);
1306 if (radius->auth_serv_sock6 >= 0 &&
1307 eloop_register_read_sock(radius->auth_serv_sock6,
1308 radius_client_receive, radius,
1309 (void *) RADIUS_AUTH)) {
1310 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for authentication server");
1311 radius_close_auth_sockets(radius);
1314 #endif /* CONFIG_IPV6 */
1320 static int radius_client_init_acct(struct radius_client_data *radius)
1322 struct hostapd_radius_servers *conf = radius->conf;
1325 radius_close_acct_sockets(radius);
1327 radius->acct_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
1328 if (radius->acct_serv_sock < 0)
1329 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET,SOCK_DGRAM]: %s",
1332 radius_client_disable_pmtu_discovery(radius->acct_serv_sock);
1337 radius->acct_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
1338 if (radius->acct_serv_sock6 < 0)
1339 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET6,SOCK_DGRAM]: %s",
1343 #endif /* CONFIG_IPV6 */
1348 radius_change_server(radius, conf->acct_server, NULL,
1349 radius->acct_serv_sock, radius->acct_serv_sock6,
1352 if (radius->acct_serv_sock >= 0 &&
1353 eloop_register_read_sock(radius->acct_serv_sock,
1354 radius_client_receive, radius,
1355 (void *) RADIUS_ACCT)) {
1356 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for accounting server");
1357 radius_close_acct_sockets(radius);
1362 if (radius->acct_serv_sock6 >= 0 &&
1363 eloop_register_read_sock(radius->acct_serv_sock6,
1364 radius_client_receive, radius,
1365 (void *) RADIUS_ACCT)) {
1366 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for accounting server");
1367 radius_close_acct_sockets(radius);
1370 #endif /* CONFIG_IPV6 */
1377 * radius_client_init - Initialize RADIUS client
1378 * @ctx: Callback context to be used in hostapd_logger() calls
1379 * @conf: RADIUS client configuration (RADIUS servers)
1380 * Returns: Pointer to private RADIUS client context or %NULL on failure
1382 * The caller is responsible for keeping the configuration data available for
1383 * the lifetime of the RADIUS client, i.e., until radius_client_deinit() is
1384 * called for the returned context pointer.
1386 struct radius_client_data *
1387 radius_client_init(void *ctx, struct hostapd_radius_servers *conf)
1389 struct radius_client_data *radius;
1391 radius = os_zalloc(sizeof(struct radius_client_data));
1396 radius->conf = conf;
1397 radius->auth_serv_sock = radius->acct_serv_sock =
1398 radius->auth_serv_sock6 = radius->acct_serv_sock6 =
1399 radius->auth_sock = radius->acct_sock = -1;
1401 if (conf->auth_server && radius_client_init_auth(radius)) {
1402 radius_client_deinit(radius);
1406 if (conf->acct_server && radius_client_init_acct(radius)) {
1407 radius_client_deinit(radius);
1411 if (conf->retry_primary_interval)
1412 eloop_register_timeout(conf->retry_primary_interval, 0,
1413 radius_retry_primary_timer, radius,
1421 * radius_client_deinit - Deinitialize RADIUS client
1422 * @radius: RADIUS client context from radius_client_init()
1424 void radius_client_deinit(struct radius_client_data *radius)
1429 radius_close_auth_sockets(radius);
1430 radius_close_acct_sockets(radius);
1432 eloop_cancel_timeout(radius_retry_primary_timer, radius, NULL);
1434 radius_client_flush(radius, 0);
1435 os_free(radius->auth_handlers);
1436 os_free(radius->acct_handlers);
1442 * radius_client_flush_auth - Flush pending RADIUS messages for an address
1443 * @radius: RADIUS client context from radius_client_init()
1444 * @addr: MAC address of the related device
1446 * This function can be used to remove pending RADIUS authentication messages
1447 * that are related to a specific device. The addr parameter is matched with
1448 * the one used in radius_client_send() call that was used to transmit the
1449 * authentication request.
1451 void radius_client_flush_auth(struct radius_client_data *radius,
1454 struct radius_msg_list *entry, *prev, *tmp;
1457 entry = radius->msgs;
1459 if (entry->msg_type == RADIUS_AUTH &&
1460 os_memcmp(entry->addr, addr, ETH_ALEN) == 0) {
1461 hostapd_logger(radius->ctx, addr,
1462 HOSTAPD_MODULE_RADIUS,
1463 HOSTAPD_LEVEL_DEBUG,
1464 "Removing pending RADIUS authentication"
1465 " message for removed client");
1468 prev->next = entry->next;
1470 radius->msgs = entry->next;
1473 entry = entry->next;
1474 radius_client_msg_free(tmp);
1480 entry = entry->next;
1485 static int radius_client_dump_auth_server(char *buf, size_t buflen,
1486 struct hostapd_radius_server *serv,
1487 struct radius_client_data *cli)
1490 struct radius_msg_list *msg;
1494 for (msg = cli->msgs; msg; msg = msg->next) {
1495 if (msg->msg_type == RADIUS_AUTH)
1500 return os_snprintf(buf, buflen,
1501 "radiusAuthServerIndex=%d\n"
1502 "radiusAuthServerAddress=%s\n"
1503 "radiusAuthClientServerPortNumber=%d\n"
1504 "radiusAuthClientRoundTripTime=%d\n"
1505 "radiusAuthClientAccessRequests=%u\n"
1506 "radiusAuthClientAccessRetransmissions=%u\n"
1507 "radiusAuthClientAccessAccepts=%u\n"
1508 "radiusAuthClientAccessRejects=%u\n"
1509 "radiusAuthClientAccessChallenges=%u\n"
1510 "radiusAuthClientMalformedAccessResponses=%u\n"
1511 "radiusAuthClientBadAuthenticators=%u\n"
1512 "radiusAuthClientPendingRequests=%u\n"
1513 "radiusAuthClientTimeouts=%u\n"
1514 "radiusAuthClientUnknownTypes=%u\n"
1515 "radiusAuthClientPacketsDropped=%u\n",
1517 hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
1519 serv->round_trip_time,
1521 serv->retransmissions,
1522 serv->access_accepts,
1523 serv->access_rejects,
1524 serv->access_challenges,
1525 serv->malformed_responses,
1526 serv->bad_authenticators,
1529 serv->unknown_types,
1530 serv->packets_dropped);
1534 static int radius_client_dump_acct_server(char *buf, size_t buflen,
1535 struct hostapd_radius_server *serv,
1536 struct radius_client_data *cli)
1539 struct radius_msg_list *msg;
1543 for (msg = cli->msgs; msg; msg = msg->next) {
1544 if (msg->msg_type == RADIUS_ACCT ||
1545 msg->msg_type == RADIUS_ACCT_INTERIM)
1550 return os_snprintf(buf, buflen,
1551 "radiusAccServerIndex=%d\n"
1552 "radiusAccServerAddress=%s\n"
1553 "radiusAccClientServerPortNumber=%d\n"
1554 "radiusAccClientRoundTripTime=%d\n"
1555 "radiusAccClientRequests=%u\n"
1556 "radiusAccClientRetransmissions=%u\n"
1557 "radiusAccClientResponses=%u\n"
1558 "radiusAccClientMalformedResponses=%u\n"
1559 "radiusAccClientBadAuthenticators=%u\n"
1560 "radiusAccClientPendingRequests=%u\n"
1561 "radiusAccClientTimeouts=%u\n"
1562 "radiusAccClientUnknownTypes=%u\n"
1563 "radiusAccClientPacketsDropped=%u\n",
1565 hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
1567 serv->round_trip_time,
1569 serv->retransmissions,
1571 serv->malformed_responses,
1572 serv->bad_authenticators,
1575 serv->unknown_types,
1576 serv->packets_dropped);
1581 * radius_client_get_mib - Get RADIUS client MIB information
1582 * @radius: RADIUS client context from radius_client_init()
1583 * @buf: Buffer for returning MIB data in text format
1584 * @buflen: Maximum buf length in octets
1585 * Returns: Number of octets written into the buffer
1587 int radius_client_get_mib(struct radius_client_data *radius, char *buf,
1590 struct hostapd_radius_servers *conf = radius->conf;
1592 struct hostapd_radius_server *serv;
1595 if (conf->auth_servers) {
1596 for (i = 0; i < conf->num_auth_servers; i++) {
1597 serv = &conf->auth_servers[i];
1598 count += radius_client_dump_auth_server(
1599 buf + count, buflen - count, serv,
1600 serv == conf->auth_server ?
1605 if (conf->acct_servers) {
1606 for (i = 0; i < conf->num_acct_servers; i++) {
1607 serv = &conf->acct_servers[i];
1608 count += radius_client_dump_acct_server(
1609 buf + count, buflen - count, serv,
1610 serv == conf->acct_server ?
1619 void radius_client_reconfig(struct radius_client_data *radius,
1620 struct hostapd_radius_servers *conf)
1623 radius->conf = conf;