3 * Copyright (c) 2002-2015, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
13 #include "radius_client.h"
16 /* Defaults for RADIUS retransmit values (exponential backoff) */
19 * RADIUS_CLIENT_FIRST_WAIT - RADIUS client timeout for first retry in seconds
21 #define RADIUS_CLIENT_FIRST_WAIT 3
24 * RADIUS_CLIENT_MAX_WAIT - RADIUS client maximum retry timeout in seconds
26 #define RADIUS_CLIENT_MAX_WAIT 120
29 * RADIUS_CLIENT_MAX_FAILOVER - RADIUS client maximum retries
31 * Maximum number of server failovers before the entry is removed from
34 #define RADIUS_CLIENT_MAX_FAILOVER 3
37 * RADIUS_CLIENT_MAX_ENTRIES - RADIUS client maximum pending messages
39 * Maximum number of entries in retransmit list (oldest entries will be
40 * removed, if this limit is exceeded).
42 #define RADIUS_CLIENT_MAX_ENTRIES 30
45 * RADIUS_CLIENT_NUM_FAILOVER - RADIUS client failover point
47 * The number of failed retry attempts after which the RADIUS server will be
48 * changed (if one of more backup servers are configured).
50 #define RADIUS_CLIENT_NUM_FAILOVER 4
54 * struct radius_rx_handler - RADIUS client RX handler
56 * This data structure is used internally inside the RADIUS client module to
57 * store registered RX handlers. These handlers are registered by calls to
58 * radius_client_register() and unregistered when the RADIUS client is
59 * deinitialized with a call to radius_client_deinit().
61 struct radius_rx_handler {
63 * handler - Received RADIUS message handler
65 RadiusRxResult (*handler)(struct radius_msg *msg,
66 struct radius_msg *req,
67 const u8 *shared_secret,
68 size_t shared_secret_len,
72 * data - Context data for the handler
79 * struct radius_msg_list - RADIUS client message retransmit list
81 * This data structure is used internally inside the RADIUS client module to
82 * store pending RADIUS requests that may still need to be retransmitted.
84 struct radius_msg_list {
86 * addr - STA/client address
88 * This is used to find RADIUS messages for the same STA.
93 * msg - RADIUS message
95 struct radius_msg *msg;
98 * msg_type - Message type
103 * first_try - Time of the first transmission attempt
108 * next_try - Time for the next transmission attempt
113 * attempts - Number of transmission attempts for one server
118 * accu_attempts - Number of accumulated attempts
123 * next_wait - Next retransmission wait time in seconds
128 * last_attempt - Time of the last transmission attempt
130 struct os_reltime last_attempt;
133 * shared_secret - Shared secret with the target RADIUS server
135 const u8 *shared_secret;
138 * shared_secret_len - shared_secret length in octets
140 size_t shared_secret_len;
142 /* TODO: server config with failover to backup server(s) */
145 * next - Next message in the list
147 struct radius_msg_list *next;
152 * struct radius_client_data - Internal RADIUS client data
154 * This data structure is used internally inside the RADIUS client module.
155 * External users allocate this by calling radius_client_init() and free it by
156 * calling radius_client_deinit(). The pointer to this opaque data is used in
157 * calls to other functions as an identifier for the RADIUS client instance.
159 struct radius_client_data {
161 * ctx - Context pointer for hostapd_logger() callbacks
166 * conf - RADIUS client configuration (list of RADIUS servers to use)
168 struct hostapd_radius_servers *conf;
171 * auth_serv_sock - IPv4 socket for RADIUS authentication messages
176 * acct_serv_sock - IPv4 socket for RADIUS accounting messages
181 * auth_serv_sock6 - IPv6 socket for RADIUS authentication messages
186 * acct_serv_sock6 - IPv6 socket for RADIUS accounting messages
191 * auth_sock - Currently used socket for RADIUS authentication server
196 * acct_sock - Currently used socket for RADIUS accounting server
201 * auth_handlers - Authentication message handlers
203 struct radius_rx_handler *auth_handlers;
206 * num_auth_handlers - Number of handlers in auth_handlers
208 size_t num_auth_handlers;
211 * acct_handlers - Accounting message handlers
213 struct radius_rx_handler *acct_handlers;
216 * num_acct_handlers - Number of handlers in acct_handlers
218 size_t num_acct_handlers;
221 * msgs - Pending outgoing RADIUS messages
223 struct radius_msg_list *msgs;
226 * num_msgs - Number of pending messages in the msgs list
231 * next_radius_identifier - Next RADIUS message identifier to use
233 u8 next_radius_identifier;
236 * interim_error_cb - Interim accounting error callback
238 void (*interim_error_cb)(const u8 *addr, void *ctx);
241 * interim_error_cb_ctx - interim_error_cb() context data
243 void *interim_error_cb_ctx;
248 radius_change_server(struct radius_client_data *radius,
249 struct hostapd_radius_server *nserv,
250 struct hostapd_radius_server *oserv,
251 int sock, int sock6, int auth);
252 static int radius_client_init_acct(struct radius_client_data *radius);
253 static int radius_client_init_auth(struct radius_client_data *radius);
254 static void radius_client_auth_failover(struct radius_client_data *radius);
255 static void radius_client_acct_failover(struct radius_client_data *radius);
258 static void radius_client_msg_free(struct radius_msg_list *req)
260 radius_msg_free(req->msg);
266 * radius_client_register - Register a RADIUS client RX handler
267 * @radius: RADIUS client context from radius_client_init()
268 * @msg_type: RADIUS client type (RADIUS_AUTH or RADIUS_ACCT)
269 * @handler: Handler for received RADIUS messages
270 * @data: Context pointer for handler callbacks
271 * Returns: 0 on success, -1 on failure
273 * This function is used to register a handler for processing received RADIUS
274 * authentication and accounting messages. The handler() callback function will
275 * be called whenever a RADIUS message is received from the active server.
277 * There can be multiple registered RADIUS message handlers. The handlers will
278 * be called in order until one of them indicates that it has processed or
279 * queued the message.
281 int radius_client_register(struct radius_client_data *radius,
283 RadiusRxResult (*handler)(struct radius_msg *msg,
284 struct radius_msg *req,
285 const u8 *shared_secret,
286 size_t shared_secret_len,
290 struct radius_rx_handler **handlers, *newh;
293 if (msg_type == RADIUS_ACCT) {
294 handlers = &radius->acct_handlers;
295 num = &radius->num_acct_handlers;
297 handlers = &radius->auth_handlers;
298 num = &radius->num_auth_handlers;
301 newh = os_realloc_array(*handlers, *num + 1,
302 sizeof(struct radius_rx_handler));
306 newh[*num].handler = handler;
307 newh[*num].data = data;
316 * radius_client_set_interim_erro_cb - Register an interim acct error callback
317 * @radius: RADIUS client context from radius_client_init()
318 * @addr: Station address from the failed message
319 * @cb: Handler for interim accounting errors
320 * @ctx: Context pointer for handler callbacks
322 * This function is used to register a handler for processing failed
323 * transmission attempts of interim accounting update messages.
325 void radius_client_set_interim_error_cb(struct radius_client_data *radius,
326 void (*cb)(const u8 *addr, void *ctx),
329 radius->interim_error_cb = cb;
330 radius->interim_error_cb_ctx = ctx;
335 * Returns >0 if message queue was flushed (i.e., the message that triggered
336 * the error is not available anymore)
338 static int radius_client_handle_send_error(struct radius_client_data *radius,
339 int s, RadiusType msg_type)
341 #ifndef CONFIG_NATIVE_WINDOWS
343 wpa_printf(MSG_INFO, "send[RADIUS,s=%d]: %s", s, strerror(errno));
344 if (_errno == ENOTCONN || _errno == EDESTADDRREQ || _errno == EINVAL ||
345 _errno == EBADF || _errno == ENETUNREACH || _errno == EACCES) {
346 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
348 "Send failed - maybe interface status changed -"
349 " try to connect again");
350 if (msg_type == RADIUS_ACCT ||
351 msg_type == RADIUS_ACCT_INTERIM) {
352 radius_client_init_acct(radius);
355 radius_client_init_auth(radius);
359 #endif /* CONFIG_NATIVE_WINDOWS */
365 static int radius_client_retransmit(struct radius_client_data *radius,
366 struct radius_msg_list *entry,
369 struct hostapd_radius_servers *conf = radius->conf;
372 size_t prev_num_msgs;
374 size_t acct_delay_time_len;
377 if (entry->msg_type == RADIUS_ACCT ||
378 entry->msg_type == RADIUS_ACCT_INTERIM) {
379 num_servers = conf->num_acct_servers;
380 if (radius->acct_sock < 0)
381 radius_client_init_acct(radius);
382 if (radius->acct_sock < 0 && conf->num_acct_servers > 1) {
383 prev_num_msgs = radius->num_msgs;
384 radius_client_acct_failover(radius);
385 if (prev_num_msgs != radius->num_msgs)
388 s = radius->acct_sock;
389 if (entry->attempts == 0)
390 conf->acct_server->requests++;
392 conf->acct_server->timeouts++;
393 conf->acct_server->retransmissions++;
396 num_servers = conf->num_auth_servers;
397 if (radius->auth_sock < 0)
398 radius_client_init_auth(radius);
399 if (radius->auth_sock < 0 && conf->num_auth_servers > 1) {
400 prev_num_msgs = radius->num_msgs;
401 radius_client_auth_failover(radius);
402 if (prev_num_msgs != radius->num_msgs)
405 s = radius->auth_sock;
406 if (entry->attempts == 0)
407 conf->auth_server->requests++;
409 conf->auth_server->timeouts++;
410 conf->auth_server->retransmissions++;
414 if (entry->msg_type == RADIUS_ACCT_INTERIM) {
415 wpa_printf(MSG_DEBUG,
416 "RADIUS: Failed to transmit interim accounting update to "
417 MACSTR " - drop message and request a new update",
418 MAC2STR(entry->addr));
419 if (radius->interim_error_cb)
420 radius->interim_error_cb(entry->addr,
421 radius->interim_error_cb_ctx);
427 "RADIUS: No valid socket for retransmission");
431 if (entry->msg_type == RADIUS_ACCT &&
432 radius_msg_get_attr_ptr(entry->msg, RADIUS_ATTR_ACCT_DELAY_TIME,
433 &acct_delay_time, &acct_delay_time_len,
435 acct_delay_time_len == 4) {
436 struct radius_hdr *hdr;
440 * Need to assign a new identifier since attribute contents
443 hdr = radius_msg_get_hdr(entry->msg);
444 hdr->identifier = radius_client_get_id(radius);
446 /* Update Acct-Delay-Time to show wait time in queue */
447 delay_time = now - entry->first_try;
448 WPA_PUT_BE32(acct_delay_time, delay_time);
450 wpa_printf(MSG_DEBUG,
451 "RADIUS: Updated Acct-Delay-Time to %u for retransmission",
453 radius_msg_finish_acct(entry->msg, entry->shared_secret,
454 entry->shared_secret_len);
455 if (radius->conf->msg_dumps)
456 radius_msg_dump(entry->msg);
459 /* retransmit; remove entry if too many attempts */
460 if (entry->accu_attempts > RADIUS_CLIENT_MAX_FAILOVER *
461 RADIUS_CLIENT_NUM_FAILOVER * num_servers) {
463 "RADIUS: Removing un-ACKed message due to too many failed retransmit attempts");
468 entry->accu_attempts++;
469 hostapd_logger(radius->ctx, entry->addr, HOSTAPD_MODULE_RADIUS,
470 HOSTAPD_LEVEL_DEBUG, "Resending RADIUS message (id=%d)",
471 radius_msg_get_hdr(entry->msg)->identifier);
473 os_get_reltime(&entry->last_attempt);
474 buf = radius_msg_get_buf(entry->msg);
475 if (send(s, wpabuf_head(buf), wpabuf_len(buf), 0) < 0) {
476 if (radius_client_handle_send_error(radius, s, entry->msg_type)
481 entry->next_try = now + entry->next_wait;
482 entry->next_wait *= 2;
483 if (entry->next_wait > RADIUS_CLIENT_MAX_WAIT)
484 entry->next_wait = RADIUS_CLIENT_MAX_WAIT;
490 static void radius_client_timer(void *eloop_ctx, void *timeout_ctx)
492 struct radius_client_data *radius = eloop_ctx;
493 struct os_reltime now;
495 struct radius_msg_list *entry, *prev, *tmp;
496 int auth_failover = 0, acct_failover = 0;
497 size_t prev_num_msgs;
500 entry = radius->msgs;
504 os_get_reltime(&now);
507 if (now.sec >= entry->next_try) {
508 s = entry->msg_type == RADIUS_AUTH ? radius->auth_sock :
510 if (entry->attempts > RADIUS_CLIENT_NUM_FAILOVER ||
511 (s < 0 && entry->attempts > 0)) {
512 if (entry->msg_type == RADIUS_ACCT ||
513 entry->msg_type == RADIUS_ACCT_INTERIM)
523 radius_client_auth_failover(radius);
526 radius_client_acct_failover(radius);
528 entry = radius->msgs;
533 prev_num_msgs = radius->num_msgs;
534 if (now.sec >= entry->next_try &&
535 radius_client_retransmit(radius, entry, now.sec)) {
537 prev->next = entry->next;
539 radius->msgs = entry->next;
543 radius_client_msg_free(tmp);
548 if (prev_num_msgs != radius->num_msgs) {
549 wpa_printf(MSG_DEBUG,
550 "RADIUS: Message removed from queue - restart from beginning");
551 entry = radius->msgs;
556 if (first == 0 || entry->next_try < first)
557 first = entry->next_try;
566 eloop_cancel_timeout(radius_client_timer, radius, NULL);
567 eloop_register_timeout(first - now.sec, 0,
568 radius_client_timer, radius, NULL);
569 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
570 HOSTAPD_LEVEL_DEBUG, "Next RADIUS client "
571 "retransmit in %ld seconds",
572 (long int) (first - now.sec));
577 static void radius_client_auth_failover(struct radius_client_data *radius)
579 struct hostapd_radius_servers *conf = radius->conf;
580 struct hostapd_radius_server *next, *old;
581 struct radius_msg_list *entry;
584 old = conf->auth_server;
585 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
586 HOSTAPD_LEVEL_NOTICE,
587 "No response from Authentication server %s:%d - failover",
588 hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
591 for (entry = radius->msgs; entry; entry = entry->next) {
592 if (entry->msg_type == RADIUS_AUTH)
597 if (next > &(conf->auth_servers[conf->num_auth_servers - 1]))
598 next = conf->auth_servers;
599 conf->auth_server = next;
600 radius_change_server(radius, next, old,
601 radius->auth_serv_sock,
602 radius->auth_serv_sock6, 1);
606 static void radius_client_acct_failover(struct radius_client_data *radius)
608 struct hostapd_radius_servers *conf = radius->conf;
609 struct hostapd_radius_server *next, *old;
610 struct radius_msg_list *entry;
613 old = conf->acct_server;
614 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
615 HOSTAPD_LEVEL_NOTICE,
616 "No response from Accounting server %s:%d - failover",
617 hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
620 for (entry = radius->msgs; entry; entry = entry->next) {
621 if (entry->msg_type == RADIUS_ACCT ||
622 entry->msg_type == RADIUS_ACCT_INTERIM)
627 if (next > &conf->acct_servers[conf->num_acct_servers - 1])
628 next = conf->acct_servers;
629 conf->acct_server = next;
630 radius_change_server(radius, next, old,
631 radius->acct_serv_sock,
632 radius->acct_serv_sock6, 0);
636 static void radius_client_update_timeout(struct radius_client_data *radius)
638 struct os_reltime now;
640 struct radius_msg_list *entry;
642 eloop_cancel_timeout(radius_client_timer, radius, NULL);
644 if (radius->msgs == NULL) {
649 for (entry = radius->msgs; entry; entry = entry->next) {
650 if (first == 0 || entry->next_try < first)
651 first = entry->next_try;
654 os_get_reltime(&now);
657 eloop_register_timeout(first - now.sec, 0, radius_client_timer, radius,
659 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
660 HOSTAPD_LEVEL_DEBUG, "Next RADIUS client retransmit in"
661 " %ld seconds", (long int) (first - now.sec));
665 static void radius_client_list_add(struct radius_client_data *radius,
666 struct radius_msg *msg,
668 const u8 *shared_secret,
669 size_t shared_secret_len, const u8 *addr)
671 struct radius_msg_list *entry, *prev;
673 if (eloop_terminated()) {
674 /* No point in adding entries to retransmit queue since event
675 * loop has already been terminated. */
676 radius_msg_free(msg);
680 entry = os_zalloc(sizeof(*entry));
682 wpa_printf(MSG_INFO, "RADIUS: Failed to add packet into retransmit list");
683 radius_msg_free(msg);
688 os_memcpy(entry->addr, addr, ETH_ALEN);
690 entry->msg_type = msg_type;
691 entry->shared_secret = shared_secret;
692 entry->shared_secret_len = shared_secret_len;
693 os_get_reltime(&entry->last_attempt);
694 entry->first_try = entry->last_attempt.sec;
695 entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
697 entry->accu_attempts = 1;
698 entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
699 if (entry->next_wait > RADIUS_CLIENT_MAX_WAIT)
700 entry->next_wait = RADIUS_CLIENT_MAX_WAIT;
701 entry->next = radius->msgs;
702 radius->msgs = entry;
703 radius_client_update_timeout(radius);
705 if (radius->num_msgs >= RADIUS_CLIENT_MAX_ENTRIES) {
706 wpa_printf(MSG_INFO, "RADIUS: Removing the oldest un-ACKed packet due to retransmit list limits");
708 while (entry->next) {
714 radius_client_msg_free(entry);
722 * radius_client_send - Send a RADIUS request
723 * @radius: RADIUS client context from radius_client_init()
724 * @msg: RADIUS message to be sent
725 * @msg_type: Message type (RADIUS_AUTH, RADIUS_ACCT, RADIUS_ACCT_INTERIM)
726 * @addr: MAC address of the device related to this message or %NULL
727 * Returns: 0 on success, -1 on failure
729 * This function is used to transmit a RADIUS authentication (RADIUS_AUTH) or
730 * accounting request (RADIUS_ACCT or RADIUS_ACCT_INTERIM). The only difference
731 * between accounting and interim accounting messages is that the interim
732 * message will not be retransmitted. Instead, a callback is used to indicate
733 * that the transmission failed for the specific station @addr so that a new
734 * interim accounting update message can be generated with up-to-date session
735 * data instead of trying to resend old information.
737 * The message is added on the retransmission queue and will be retransmitted
738 * automatically until a response is received or maximum number of retries
739 * (RADIUS_CLIENT_MAX_FAILOVER * RADIUS_CLIENT_NUM_FAILOVER) is reached. No
740 * such retries are used with RADIUS_ACCT_INTERIM, i.e., such a pending message
741 * is removed from the queue automatically on transmission failure.
743 * The related device MAC address can be used to identify pending messages that
744 * can be removed with radius_client_flush_auth().
746 int radius_client_send(struct radius_client_data *radius,
747 struct radius_msg *msg, RadiusType msg_type,
750 struct hostapd_radius_servers *conf = radius->conf;
751 const u8 *shared_secret;
752 size_t shared_secret_len;
757 if (msg_type == RADIUS_ACCT || msg_type == RADIUS_ACCT_INTERIM) {
758 if (conf->acct_server && radius->acct_sock < 0)
759 radius_client_init_acct(radius);
761 if (conf->acct_server == NULL || radius->acct_sock < 0 ||
762 conf->acct_server->shared_secret == NULL) {
763 hostapd_logger(radius->ctx, NULL,
764 HOSTAPD_MODULE_RADIUS,
766 "No accounting server configured");
769 shared_secret = conf->acct_server->shared_secret;
770 shared_secret_len = conf->acct_server->shared_secret_len;
771 radius_msg_finish_acct(msg, shared_secret, shared_secret_len);
773 s = radius->acct_sock;
774 conf->acct_server->requests++;
776 if (conf->auth_server && radius->auth_sock < 0)
777 radius_client_init_auth(radius);
779 if (conf->auth_server == NULL || radius->auth_sock < 0 ||
780 conf->auth_server->shared_secret == NULL) {
781 hostapd_logger(radius->ctx, NULL,
782 HOSTAPD_MODULE_RADIUS,
784 "No authentication server configured");
787 shared_secret = conf->auth_server->shared_secret;
788 shared_secret_len = conf->auth_server->shared_secret_len;
789 radius_msg_finish(msg, shared_secret, shared_secret_len);
790 name = "authentication";
791 s = radius->auth_sock;
792 conf->auth_server->requests++;
795 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
796 HOSTAPD_LEVEL_DEBUG, "Sending RADIUS message to %s "
799 radius_msg_dump(msg);
801 buf = radius_msg_get_buf(msg);
802 res = send(s, wpabuf_head(buf), wpabuf_len(buf), 0);
804 radius_client_handle_send_error(radius, s, msg_type);
806 radius_client_list_add(radius, msg, msg_type, shared_secret,
807 shared_secret_len, addr);
813 static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
815 struct radius_client_data *radius = eloop_ctx;
816 struct hostapd_radius_servers *conf = radius->conf;
817 RadiusType msg_type = (RadiusType) sock_ctx;
819 unsigned char buf[3000];
820 struct radius_msg *msg;
821 struct radius_hdr *hdr;
822 struct radius_rx_handler *handlers;
823 size_t num_handlers, i;
824 struct radius_msg_list *req, *prev_req;
825 struct os_reltime now;
826 struct hostapd_radius_server *rconf;
827 int invalid_authenticator = 0;
829 if (msg_type == RADIUS_ACCT) {
830 handlers = radius->acct_handlers;
831 num_handlers = radius->num_acct_handlers;
832 rconf = conf->acct_server;
834 handlers = radius->auth_handlers;
835 num_handlers = radius->num_auth_handlers;
836 rconf = conf->auth_server;
839 len = recv(sock, buf, sizeof(buf), MSG_DONTWAIT);
841 wpa_printf(MSG_INFO, "recv[RADIUS]: %s", strerror(errno));
844 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
845 HOSTAPD_LEVEL_DEBUG, "Received %d bytes from RADIUS "
847 if (len == sizeof(buf)) {
848 wpa_printf(MSG_INFO, "RADIUS: Possibly too long UDP frame for our buffer - dropping it");
852 msg = radius_msg_parse(buf, len);
854 wpa_printf(MSG_INFO, "RADIUS: Parsing incoming frame failed");
855 rconf->malformed_responses++;
858 hdr = radius_msg_get_hdr(msg);
860 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
861 HOSTAPD_LEVEL_DEBUG, "Received RADIUS message");
863 radius_msg_dump(msg);
866 case RADIUS_CODE_ACCESS_ACCEPT:
867 rconf->access_accepts++;
869 case RADIUS_CODE_ACCESS_REJECT:
870 rconf->access_rejects++;
872 case RADIUS_CODE_ACCESS_CHALLENGE:
873 rconf->access_challenges++;
875 case RADIUS_CODE_ACCOUNTING_RESPONSE:
883 /* TODO: also match by src addr:port of the packet when using
884 * alternative RADIUS servers (?) */
885 if ((req->msg_type == msg_type ||
886 (req->msg_type == RADIUS_ACCT_INTERIM &&
887 msg_type == RADIUS_ACCT)) &&
888 radius_msg_get_hdr(req->msg)->identifier ==
897 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
899 "No matching RADIUS request found (type=%d "
900 "id=%d) - dropping packet",
901 msg_type, hdr->identifier);
905 os_get_reltime(&now);
906 roundtrip = (now.sec - req->last_attempt.sec) * 100 +
907 (now.usec - req->last_attempt.usec) / 10000;
908 hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
910 "Received RADIUS packet matched with a pending "
911 "request, round trip time %d.%02d sec",
912 roundtrip / 100, roundtrip % 100);
913 rconf->round_trip_time = roundtrip;
915 /* Remove ACKed RADIUS packet from retransmit list */
917 prev_req->next = req->next;
919 radius->msgs = req->next;
922 for (i = 0; i < num_handlers; i++) {
924 res = handlers[i].handler(msg, req->msg, req->shared_secret,
925 req->shared_secret_len,
928 case RADIUS_RX_PROCESSED:
929 radius_msg_free(msg);
931 case RADIUS_RX_QUEUED:
932 radius_client_msg_free(req);
934 case RADIUS_RX_INVALID_AUTHENTICATOR:
935 invalid_authenticator++;
937 case RADIUS_RX_UNKNOWN:
938 /* continue with next handler */
943 if (invalid_authenticator)
944 rconf->bad_authenticators++;
946 rconf->unknown_types++;
947 hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
948 HOSTAPD_LEVEL_DEBUG, "No RADIUS RX handler found "
949 "(type=%d code=%d id=%d)%s - dropping packet",
950 msg_type, hdr->code, hdr->identifier,
951 invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
953 radius_client_msg_free(req);
956 radius_msg_free(msg);
961 * radius_client_get_id - Get an identifier for a new RADIUS message
962 * @radius: RADIUS client context from radius_client_init()
963 * Returns: Allocated identifier
965 * This function is used to fetch a unique (among pending requests) identifier
966 * for a new RADIUS message.
968 u8 radius_client_get_id(struct radius_client_data *radius)
970 struct radius_msg_list *entry, *prev, *_remove;
971 u8 id = radius->next_radius_identifier++;
973 /* remove entries with matching id from retransmit list to avoid
974 * using new reply from the RADIUS server with an old request */
975 entry = radius->msgs;
978 if (radius_msg_get_hdr(entry->msg)->identifier == id) {
979 hostapd_logger(radius->ctx, entry->addr,
980 HOSTAPD_MODULE_RADIUS,
982 "Removing pending RADIUS message, "
983 "since its id (%d) is reused", id);
985 prev->next = entry->next;
987 radius->msgs = entry->next;
996 radius_client_msg_free(_remove);
1004 * radius_client_flush - Flush all pending RADIUS client messages
1005 * @radius: RADIUS client context from radius_client_init()
1006 * @only_auth: Whether only authentication messages are removed
1008 void radius_client_flush(struct radius_client_data *radius, int only_auth)
1010 struct radius_msg_list *entry, *prev, *tmp;
1016 entry = radius->msgs;
1019 if (!only_auth || entry->msg_type == RADIUS_AUTH) {
1021 prev->next = entry->next;
1023 radius->msgs = entry->next;
1026 entry = entry->next;
1027 radius_client_msg_free(tmp);
1031 entry = entry->next;
1035 if (radius->msgs == NULL)
1036 eloop_cancel_timeout(radius_client_timer, radius, NULL);
1040 static void radius_client_update_acct_msgs(struct radius_client_data *radius,
1041 const u8 *shared_secret,
1042 size_t shared_secret_len)
1044 struct radius_msg_list *entry;
1049 for (entry = radius->msgs; entry; entry = entry->next) {
1050 if (entry->msg_type == RADIUS_ACCT) {
1051 entry->shared_secret = shared_secret;
1052 entry->shared_secret_len = shared_secret_len;
1053 radius_msg_finish_acct(entry->msg, shared_secret,
1061 radius_change_server(struct radius_client_data *radius,
1062 struct hostapd_radius_server *nserv,
1063 struct hostapd_radius_server *oserv,
1064 int sock, int sock6, int auth)
1066 struct sockaddr_in serv, claddr;
1068 struct sockaddr_in6 serv6, claddr6;
1069 #endif /* CONFIG_IPV6 */
1070 struct sockaddr *addr, *cl_addr;
1071 socklen_t addrlen, claddrlen;
1074 struct radius_msg_list *entry;
1075 struct hostapd_radius_servers *conf = radius->conf;
1076 struct sockaddr_in disconnect_addr = {
1077 .sin_family = AF_UNSPEC,
1080 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
1083 auth ? "Authentication" : "Accounting",
1084 hostapd_ip_txt(&nserv->addr, abuf, sizeof(abuf)),
1087 if (oserv && oserv == nserv) {
1088 /* Reconnect to same server, flush */
1090 radius_client_flush(radius, 1);
1093 if (oserv && oserv != nserv &&
1094 (nserv->shared_secret_len != oserv->shared_secret_len ||
1095 os_memcmp(nserv->shared_secret, oserv->shared_secret,
1096 nserv->shared_secret_len) != 0)) {
1097 /* Pending RADIUS packets used different shared secret, so
1098 * they need to be modified. Update accounting message
1099 * authenticators here. Authentication messages are removed
1100 * since they would require more changes and the new RADIUS
1101 * server may not be prepared to receive them anyway due to
1102 * missing state information. Client will likely retry
1103 * authentication, so this should not be an issue. */
1105 radius_client_flush(radius, 1);
1107 radius_client_update_acct_msgs(
1108 radius, nserv->shared_secret,
1109 nserv->shared_secret_len);
1113 /* Reset retry counters */
1114 for (entry = radius->msgs; oserv && entry; entry = entry->next) {
1115 if ((auth && entry->msg_type != RADIUS_AUTH) ||
1116 (!auth && entry->msg_type != RADIUS_ACCT))
1118 entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
1119 entry->attempts = 1;
1120 entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
1124 eloop_cancel_timeout(radius_client_timer, radius, NULL);
1125 eloop_register_timeout(RADIUS_CLIENT_FIRST_WAIT, 0,
1126 radius_client_timer, radius, NULL);
1129 switch (nserv->addr.af) {
1131 os_memset(&serv, 0, sizeof(serv));
1132 serv.sin_family = AF_INET;
1133 serv.sin_addr.s_addr = nserv->addr.u.v4.s_addr;
1134 serv.sin_port = htons(nserv->port);
1135 addr = (struct sockaddr *) &serv;
1136 addrlen = sizeof(serv);
1141 os_memset(&serv6, 0, sizeof(serv6));
1142 serv6.sin6_family = AF_INET6;
1143 os_memcpy(&serv6.sin6_addr, &nserv->addr.u.v6,
1144 sizeof(struct in6_addr));
1145 serv6.sin6_port = htons(nserv->port);
1146 addr = (struct sockaddr *) &serv6;
1147 addrlen = sizeof(serv6);
1150 #endif /* CONFIG_IPV6 */
1156 wpa_printf(MSG_INFO,
1157 "RADIUS: No server socket available (af=%d sock=%d sock6=%d auth=%d",
1158 nserv->addr.af, sock, sock6, auth);
1162 if (conf->force_client_addr) {
1163 switch (conf->client_addr.af) {
1165 os_memset(&claddr, 0, sizeof(claddr));
1166 claddr.sin_family = AF_INET;
1167 claddr.sin_addr.s_addr = conf->client_addr.u.v4.s_addr;
1168 claddr.sin_port = htons(0);
1169 cl_addr = (struct sockaddr *) &claddr;
1170 claddrlen = sizeof(claddr);
1174 os_memset(&claddr6, 0, sizeof(claddr6));
1175 claddr6.sin6_family = AF_INET6;
1176 os_memcpy(&claddr6.sin6_addr, &conf->client_addr.u.v6,
1177 sizeof(struct in6_addr));
1178 claddr6.sin6_port = htons(0);
1179 cl_addr = (struct sockaddr *) &claddr6;
1180 claddrlen = sizeof(claddr6);
1182 #endif /* CONFIG_IPV6 */
1187 if (bind(sel_sock, cl_addr, claddrlen) < 0) {
1188 wpa_printf(MSG_INFO, "bind[radius]: %s",
1194 /* Force a reconnect by disconnecting the socket first */
1195 if (connect(sel_sock, (struct sockaddr *) &disconnect_addr,
1196 sizeof(disconnect_addr)) < 0)
1197 wpa_printf(MSG_INFO, "disconnect[radius]: %s", strerror(errno));
1199 if (connect(sel_sock, addr, addrlen) < 0) {
1200 wpa_printf(MSG_INFO, "connect[radius]: %s", strerror(errno));
1204 #ifndef CONFIG_NATIVE_WINDOWS
1205 switch (nserv->addr.af) {
1207 claddrlen = sizeof(claddr);
1208 if (getsockname(sel_sock, (struct sockaddr *) &claddr,
1210 wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
1211 inet_ntoa(claddr.sin_addr),
1212 ntohs(claddr.sin_port));
1217 claddrlen = sizeof(claddr6);
1218 if (getsockname(sel_sock, (struct sockaddr *) &claddr6,
1220 wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
1221 inet_ntop(AF_INET6, &claddr6.sin6_addr,
1222 abuf, sizeof(abuf)),
1223 ntohs(claddr6.sin6_port));
1227 #endif /* CONFIG_IPV6 */
1229 #endif /* CONFIG_NATIVE_WINDOWS */
1232 radius->auth_sock = sel_sock;
1234 radius->acct_sock = sel_sock;
1240 static void radius_retry_primary_timer(void *eloop_ctx, void *timeout_ctx)
1242 struct radius_client_data *radius = eloop_ctx;
1243 struct hostapd_radius_servers *conf = radius->conf;
1244 struct hostapd_radius_server *oserv;
1246 if (radius->auth_sock >= 0 && conf->auth_servers &&
1247 conf->auth_server != conf->auth_servers) {
1248 oserv = conf->auth_server;
1249 conf->auth_server = conf->auth_servers;
1250 if (radius_change_server(radius, conf->auth_server, oserv,
1251 radius->auth_serv_sock,
1252 radius->auth_serv_sock6, 1) < 0) {
1253 conf->auth_server = oserv;
1254 radius_change_server(radius, oserv, conf->auth_server,
1255 radius->auth_serv_sock,
1256 radius->auth_serv_sock6, 1);
1260 if (radius->acct_sock >= 0 && conf->acct_servers &&
1261 conf->acct_server != conf->acct_servers) {
1262 oserv = conf->acct_server;
1263 conf->acct_server = conf->acct_servers;
1264 if (radius_change_server(radius, conf->acct_server, oserv,
1265 radius->acct_serv_sock,
1266 radius->acct_serv_sock6, 0) < 0) {
1267 conf->acct_server = oserv;
1268 radius_change_server(radius, oserv, conf->acct_server,
1269 radius->acct_serv_sock,
1270 radius->acct_serv_sock6, 0);
1274 if (conf->retry_primary_interval)
1275 eloop_register_timeout(conf->retry_primary_interval, 0,
1276 radius_retry_primary_timer, radius,
1281 static int radius_client_disable_pmtu_discovery(int s)
1284 #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
1285 /* Turn off Path MTU discovery on IPv4/UDP sockets. */
1286 int action = IP_PMTUDISC_DONT;
1287 r = setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, &action,
1290 wpa_printf(MSG_ERROR, "RADIUS: Failed to set IP_MTU_DISCOVER: %s",
1297 static void radius_close_auth_sockets(struct radius_client_data *radius)
1299 radius->auth_sock = -1;
1301 if (radius->auth_serv_sock >= 0) {
1302 eloop_unregister_read_sock(radius->auth_serv_sock);
1303 close(radius->auth_serv_sock);
1304 radius->auth_serv_sock = -1;
1307 if (radius->auth_serv_sock6 >= 0) {
1308 eloop_unregister_read_sock(radius->auth_serv_sock6);
1309 close(radius->auth_serv_sock6);
1310 radius->auth_serv_sock6 = -1;
1312 #endif /* CONFIG_IPV6 */
1316 static void radius_close_acct_sockets(struct radius_client_data *radius)
1318 radius->acct_sock = -1;
1320 if (radius->acct_serv_sock >= 0) {
1321 eloop_unregister_read_sock(radius->acct_serv_sock);
1322 close(radius->acct_serv_sock);
1323 radius->acct_serv_sock = -1;
1326 if (radius->acct_serv_sock6 >= 0) {
1327 eloop_unregister_read_sock(radius->acct_serv_sock6);
1328 close(radius->acct_serv_sock6);
1329 radius->acct_serv_sock6 = -1;
1331 #endif /* CONFIG_IPV6 */
1335 static int radius_client_init_auth(struct radius_client_data *radius)
1337 struct hostapd_radius_servers *conf = radius->conf;
1340 radius_close_auth_sockets(radius);
1342 radius->auth_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
1343 if (radius->auth_serv_sock < 0)
1344 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET,SOCK_DGRAM]: %s",
1347 radius_client_disable_pmtu_discovery(radius->auth_serv_sock);
1352 radius->auth_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
1353 if (radius->auth_serv_sock6 < 0)
1354 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET6,SOCK_DGRAM]: %s",
1358 #endif /* CONFIG_IPV6 */
1363 radius_change_server(radius, conf->auth_server, NULL,
1364 radius->auth_serv_sock, radius->auth_serv_sock6,
1367 if (radius->auth_serv_sock >= 0 &&
1368 eloop_register_read_sock(radius->auth_serv_sock,
1369 radius_client_receive, radius,
1370 (void *) RADIUS_AUTH)) {
1371 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for authentication server");
1372 radius_close_auth_sockets(radius);
1377 if (radius->auth_serv_sock6 >= 0 &&
1378 eloop_register_read_sock(radius->auth_serv_sock6,
1379 radius_client_receive, radius,
1380 (void *) RADIUS_AUTH)) {
1381 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for authentication server");
1382 radius_close_auth_sockets(radius);
1385 #endif /* CONFIG_IPV6 */
1391 static int radius_client_init_acct(struct radius_client_data *radius)
1393 struct hostapd_radius_servers *conf = radius->conf;
1396 radius_close_acct_sockets(radius);
1398 radius->acct_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
1399 if (radius->acct_serv_sock < 0)
1400 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET,SOCK_DGRAM]: %s",
1403 radius_client_disable_pmtu_discovery(radius->acct_serv_sock);
1408 radius->acct_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
1409 if (radius->acct_serv_sock6 < 0)
1410 wpa_printf(MSG_INFO, "RADIUS: socket[PF_INET6,SOCK_DGRAM]: %s",
1414 #endif /* CONFIG_IPV6 */
1419 radius_change_server(radius, conf->acct_server, NULL,
1420 radius->acct_serv_sock, radius->acct_serv_sock6,
1423 if (radius->acct_serv_sock >= 0 &&
1424 eloop_register_read_sock(radius->acct_serv_sock,
1425 radius_client_receive, radius,
1426 (void *) RADIUS_ACCT)) {
1427 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for accounting server");
1428 radius_close_acct_sockets(radius);
1433 if (radius->acct_serv_sock6 >= 0 &&
1434 eloop_register_read_sock(radius->acct_serv_sock6,
1435 radius_client_receive, radius,
1436 (void *) RADIUS_ACCT)) {
1437 wpa_printf(MSG_INFO, "RADIUS: Could not register read socket for accounting server");
1438 radius_close_acct_sockets(radius);
1441 #endif /* CONFIG_IPV6 */
1448 * radius_client_init - Initialize RADIUS client
1449 * @ctx: Callback context to be used in hostapd_logger() calls
1450 * @conf: RADIUS client configuration (RADIUS servers)
1451 * Returns: Pointer to private RADIUS client context or %NULL on failure
1453 * The caller is responsible for keeping the configuration data available for
1454 * the lifetime of the RADIUS client, i.e., until radius_client_deinit() is
1455 * called for the returned context pointer.
1457 struct radius_client_data *
1458 radius_client_init(void *ctx, struct hostapd_radius_servers *conf)
1460 struct radius_client_data *radius;
1462 radius = os_zalloc(sizeof(struct radius_client_data));
1467 radius->conf = conf;
1468 radius->auth_serv_sock = radius->acct_serv_sock =
1469 radius->auth_serv_sock6 = radius->acct_serv_sock6 =
1470 radius->auth_sock = radius->acct_sock = -1;
1472 if (conf->auth_server && radius_client_init_auth(radius)) {
1473 radius_client_deinit(radius);
1477 if (conf->acct_server && radius_client_init_acct(radius)) {
1478 radius_client_deinit(radius);
1482 if (conf->retry_primary_interval)
1483 eloop_register_timeout(conf->retry_primary_interval, 0,
1484 radius_retry_primary_timer, radius,
1492 * radius_client_deinit - Deinitialize RADIUS client
1493 * @radius: RADIUS client context from radius_client_init()
1495 void radius_client_deinit(struct radius_client_data *radius)
1500 radius_close_auth_sockets(radius);
1501 radius_close_acct_sockets(radius);
1503 eloop_cancel_timeout(radius_retry_primary_timer, radius, NULL);
1505 radius_client_flush(radius, 0);
1506 os_free(radius->auth_handlers);
1507 os_free(radius->acct_handlers);
1513 * radius_client_flush_auth - Flush pending RADIUS messages for an address
1514 * @radius: RADIUS client context from radius_client_init()
1515 * @addr: MAC address of the related device
1517 * This function can be used to remove pending RADIUS authentication messages
1518 * that are related to a specific device. The addr parameter is matched with
1519 * the one used in radius_client_send() call that was used to transmit the
1520 * authentication request.
1522 void radius_client_flush_auth(struct radius_client_data *radius,
1525 struct radius_msg_list *entry, *prev, *tmp;
1528 entry = radius->msgs;
1530 if (entry->msg_type == RADIUS_AUTH &&
1531 os_memcmp(entry->addr, addr, ETH_ALEN) == 0) {
1532 hostapd_logger(radius->ctx, addr,
1533 HOSTAPD_MODULE_RADIUS,
1534 HOSTAPD_LEVEL_DEBUG,
1535 "Removing pending RADIUS authentication"
1536 " message for removed client");
1539 prev->next = entry->next;
1541 radius->msgs = entry->next;
1544 entry = entry->next;
1545 radius_client_msg_free(tmp);
1551 entry = entry->next;
1556 static int radius_client_dump_auth_server(char *buf, size_t buflen,
1557 struct hostapd_radius_server *serv,
1558 struct radius_client_data *cli)
1561 struct radius_msg_list *msg;
1565 for (msg = cli->msgs; msg; msg = msg->next) {
1566 if (msg->msg_type == RADIUS_AUTH)
1571 return os_snprintf(buf, buflen,
1572 "radiusAuthServerIndex=%d\n"
1573 "radiusAuthServerAddress=%s\n"
1574 "radiusAuthClientServerPortNumber=%d\n"
1575 "radiusAuthClientRoundTripTime=%d\n"
1576 "radiusAuthClientAccessRequests=%u\n"
1577 "radiusAuthClientAccessRetransmissions=%u\n"
1578 "radiusAuthClientAccessAccepts=%u\n"
1579 "radiusAuthClientAccessRejects=%u\n"
1580 "radiusAuthClientAccessChallenges=%u\n"
1581 "radiusAuthClientMalformedAccessResponses=%u\n"
1582 "radiusAuthClientBadAuthenticators=%u\n"
1583 "radiusAuthClientPendingRequests=%u\n"
1584 "radiusAuthClientTimeouts=%u\n"
1585 "radiusAuthClientUnknownTypes=%u\n"
1586 "radiusAuthClientPacketsDropped=%u\n",
1588 hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
1590 serv->round_trip_time,
1592 serv->retransmissions,
1593 serv->access_accepts,
1594 serv->access_rejects,
1595 serv->access_challenges,
1596 serv->malformed_responses,
1597 serv->bad_authenticators,
1600 serv->unknown_types,
1601 serv->packets_dropped);
1605 static int radius_client_dump_acct_server(char *buf, size_t buflen,
1606 struct hostapd_radius_server *serv,
1607 struct radius_client_data *cli)
1610 struct radius_msg_list *msg;
1614 for (msg = cli->msgs; msg; msg = msg->next) {
1615 if (msg->msg_type == RADIUS_ACCT ||
1616 msg->msg_type == RADIUS_ACCT_INTERIM)
1621 return os_snprintf(buf, buflen,
1622 "radiusAccServerIndex=%d\n"
1623 "radiusAccServerAddress=%s\n"
1624 "radiusAccClientServerPortNumber=%d\n"
1625 "radiusAccClientRoundTripTime=%d\n"
1626 "radiusAccClientRequests=%u\n"
1627 "radiusAccClientRetransmissions=%u\n"
1628 "radiusAccClientResponses=%u\n"
1629 "radiusAccClientMalformedResponses=%u\n"
1630 "radiusAccClientBadAuthenticators=%u\n"
1631 "radiusAccClientPendingRequests=%u\n"
1632 "radiusAccClientTimeouts=%u\n"
1633 "radiusAccClientUnknownTypes=%u\n"
1634 "radiusAccClientPacketsDropped=%u\n",
1636 hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
1638 serv->round_trip_time,
1640 serv->retransmissions,
1642 serv->malformed_responses,
1643 serv->bad_authenticators,
1646 serv->unknown_types,
1647 serv->packets_dropped);
1652 * radius_client_get_mib - Get RADIUS client MIB information
1653 * @radius: RADIUS client context from radius_client_init()
1654 * @buf: Buffer for returning MIB data in text format
1655 * @buflen: Maximum buf length in octets
1656 * Returns: Number of octets written into the buffer
1658 int radius_client_get_mib(struct radius_client_data *radius, char *buf,
1661 struct hostapd_radius_servers *conf;
1663 struct hostapd_radius_server *serv;
1669 conf = radius->conf;
1671 if (conf->auth_servers) {
1672 for (i = 0; i < conf->num_auth_servers; i++) {
1673 serv = &conf->auth_servers[i];
1674 count += radius_client_dump_auth_server(
1675 buf + count, buflen - count, serv,
1676 serv == conf->auth_server ?
1681 if (conf->acct_servers) {
1682 for (i = 0; i < conf->num_acct_servers; i++) {
1683 serv = &conf->acct_servers[i];
1684 count += radius_client_dump_acct_server(
1685 buf + count, buflen - count, serv,
1686 serv == conf->acct_server ?
1695 void radius_client_reconfig(struct radius_client_data *radius,
1696 struct hostapd_radius_servers *conf)
1699 radius->conf = conf;